Intrusion Prevention System (IPS)

Aviatrix Controller 8.2 introduces Intrusion Prevention System (IPS) capabilities, extending beyond detection to active enforcement. IPS operates inline on the data path, enabling real-time threat prevention for workloads across multicloud environments.

Controller 8.2 introduces the following IPS capabilities:

  • Feature: IPS with inline enforcement

  • Profiles: Default and custom IPS Profiles supported

  • Custom Rulesets: Suricata-based, external feed integration

  • Automation: Full Terraform and API support

  • UI Update: IPS configuration under DCF

Key Features

  • Drop Traffic on Signature Match: IPS drops matching traffic inline, on live flows, for immediate protection

  • IPS Profiles: Define the action taken per signature severity (alert or drop). Use the built-in Default IPS Profile, or create custom profiles with user-defined rule feeds and ignored signatures

  • Custom Suricata Rulesets: Apply custom Suricata rule feeds for rapid response to emerging threats

  • Per-VPC Control: Apply IPS Profiles to specific VPCs to override defaults, or set custom IPS profiles as default. DCF Policy determines which traffic is inspected by IPS

  • Terraform and API Support: Full automation for IPS configuration and profile management

IPS Benefits

  • Immediate Enforcement: IPS works inline on the data path for real-time protection

  • Granular Control: Different IPS Profiles per VPC; ignore or customize signatures as needed

  • Custom Rulesets: Rapid response to emerging threats; tailor rules for unique environments

  • Compliance and Security Posture: Meets enterprise requirements for proactive threat prevention

  • Reduced Risk: Stops malicious traffic instantly

  • Operational Agility: Quick adaptation to new threats

  • Enterprise Readiness: Scalable, customizable security for multicloud environments

IPS Enforcement Flow

  1. Traffic Selection: DCF policy determines which flows are inspected

  2. Signature Matching: IPS evaluates traffic against Suricata rules

  3. Action Execution: Alert only (IDS mode) or Drop traffic (IPS mode)

  4. Logging and Reporting: Events logged with severity, signature ID, and action

Configure IPS

Configure IPS on Aviatrix CoPilot

To configure IPS on Aviatrix CoPilot, follow these steps:

  1. Go to Security > Distributed Cloud Firewall > IPS.

  2. Review the Default IPS Profile or create a Custom IPS Profile:

    Define drop actions based on the severity levels of the Suricata rules. For example, if Major and higher is selected, any inspected traffic that triggers a signature of Major or Critical severity is dropped.

  3. (Optional) Upload Custom Suricata Ruleset.

    Refer to https://sidallocation.org/ for recommended signature ID ranges. "Local" signature rules should use SIDs in the range 1000000-1999999 to avoid conflicts with well-known feeds.

  4. Assign the IPS Profile to specific VPCs, or set a custom IPS Profile as the default.

  5. Turn on Intrusion analysis and TLS decryption (for DPI) in DCF policy.

  6. Validate enforcement under CoPilot > Security > Distributed Cloud Firewall > Monitor > Intrusion Logs.
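The following Python script is an added example, not Aviatrix code and not part of this page: it performs the pre-upload checks a practitioner would want around steps 2 and 3 above. It parses a constructed Suricata rules file, flags SIDs that fall outside the local range 1000000-1999999 (or are duplicated within the feed), and dry-runs the action a profile would take on a match, using the intrusion_actions and ignored_sids values from the Terraform example on this page. The mapping from Suricata's priority keyword to the Aviatrix severity names is an assumption made for the example; the page does not document how Aviatrix derives severity.

```python
"""Pre-upload checks for a custom Suricata feed plus an IPS profile dry run.

Added illustration, not Aviatrix code. PRIORITY_TO_SEVERITY is an assumption
for this example; the profile values mirror the page's Terraform example.
"""
import re
from dataclasses import dataclass

LOCAL_SID_MIN, LOCAL_SID_MAX = 1_000_000, 1_999_999  # local range recommended on the page

# ASSUMPTION: Suricata 'priority' 1..4 mapped onto the four Aviatrix severity names.
PRIORITY_TO_SEVERITY = {1: "critical", 2: "major", 3: "minor", 4: "informational"}

# Same values as the page's aviatrix_dcf_ips_profile example.
PROFILE_ACTIONS = {
    "informational": "alert",
    "minor": "alert",
    "major": "alert_and_drop",
    "critical": "alert_and_drop",
}
IGNORED_SIDS = {100001, 100002}

_HEADER = re.compile(r"^(alert|drop|pass|reject)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\(")
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_PRIORITY = re.compile(r"\bpriority\s*:\s*(\d+)\s*;")
_MSG = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

# Constructed sample feed; the fourth rule is deliberately malformed (no sid).
SAMPLE_RULES = """\
# constructed sample feed for the example
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL test beacon"; content:"GET /beacon"; sid:1000001; rev:1; priority:2;)
alert dns $HOME_NET any -> any 53 (msg:"LOCAL suspicious domain lookup"; dns.query; content:"example-bad.test"; sid:1000002; rev:1; priority:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh scan"; flags:S; threshold:type both,track by_src,count 20,seconds 60; sid:100001; rev:1; priority:3;)
alert tcp any any -> any any (msg:"LOCAL missing sid";)
"""


@dataclass
class Rule:
    sid: int
    msg: str
    priority: int
    line_no: int


def parse_rules(text):
    """Return (rules, errors) for a Suricata rules file held in a string."""
    rules, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if not _HEADER.match(line) or not line.endswith(")"):
            errors.append(f"line {n}: not a well-formed rule header")
            continue
        sid = _SID.search(line)
        if not sid:
            errors.append(f"line {n}: missing sid")
            continue
        prio = _PRIORITY.search(line)
        msg = _MSG.search(line)
        rules.append(Rule(
            sid=int(sid.group(1)),
            msg=msg.group(1) if msg else "",
            priority=int(prio.group(1)) if prio else 3,  # Suricata's default priority
            line_no=n,
        ))
    return rules, errors


def validate_local_sids(rules):
    """Flag SIDs outside the local range and SIDs reused within the feed."""
    problems, seen = [], {}
    for r in rules:
        if not LOCAL_SID_MIN <= r.sid <= LOCAL_SID_MAX:
            problems.append(f"line {r.line_no}: sid {r.sid} outside local range "
                            f"{LOCAL_SID_MIN}-{LOCAL_SID_MAX}")
        if r.sid in seen:
            problems.append(f"line {r.line_no}: sid {r.sid} duplicates line {seen[r.sid]}")
        seen.setdefault(r.sid, r.line_no)
    return problems


def decide(sid, priority, actions=PROFILE_ACTIONS, ignored=IGNORED_SIDS):
    """Action the profile would take on a match: 'ignored', 'alert' or 'alert_and_drop'."""
    if sid in ignored:
        return "ignored"
    severity = PRIORITY_TO_SEVERITY.get(priority, "minor")  # unknown priority treated as minor
    return actions[severity]


if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_RULES)
    for e in errors + validate_local_sids(rules):
        print("PROBLEM:", e)
    for r in rules:
        print(f"sid {r.sid} ({r.msg}): {decide(r.sid, r.priority)}")
```

Run the dry run before uploading a feed and again after changing a profile's severity actions; a rule whose action comes back as "ignored" or "alert" when you expected a drop is cheaper to find here than in the Intrusion Logs.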

Configure IPS Using Terraform

The following examples demonstrate how to configure IPS using Terraform.

Upload a Custom IPS Rule Feed

resource "aviatrix_dcf_ips_rule_feed" "custom_feed" {
    feed_name    = "tf_custom_feed_detection_rules"
    file_content = file("./malware_rules.rules")
}

Create an IPS Profile Using Uploaded Rule Feeds

resource "aviatrix_dcf_ips_profile" "ips_profile" {
    profile_name = "TF IPS Profile"
    rule_feeds {
        custom_feeds_ids   = [aviatrix_dcf_ips_rule_feed.custom_feed.uuid]
        external_feeds_ids = ["suricata-rules"]
        ignored_sids       = [100001, 100002]
    }
    intrusion_actions = {
        informational = "alert"
        minor         = "alert"
        major         = "alert_and_drop"
        critical      = "alert_and_drop"
    }
}

Assign IPS Profiles to a VPC

resource "aviatrix_dcf_ips_profile_vpc" "vpc_profile" {
    vpc_id           = aviatrix_vpc.vpc_1.vpc_id
    dcf_ips_profiles = [aviatrix_dcf_ips_profile.ips_profile.uuid]
}

Best Practices

  • Start with Default IPS Profile in alert-only mode for baseline visibility

  • Gradually enable drop actions for critical and major severities

  • Regularly update custom rulesets from trusted threat intelligence sources

  • Apply stricter IPS Profiles to high-risk VPCs (for example, internet-facing workloads)

  • Integrate IPS logs with SIEM for centralized monitoring