Intrusion Detection/Prevention System (IDS/IPS)
Configuration > Overlays & Security > Security > Intrusion Detection/Prevention System (IDS/IPS)
The Intrusion Detection/Prevention System (IDS/IPS) can monitor traffic for potential threats and malicious activity and generates threat events based on preconfigured rules. Packets are copied and inspected against signatures downloaded to Orchestrator from Cloud Portal. Orchestrator sends appliances the signature file and any rules that have been added to the allow list. The IDS designates traffic for inspection using matching rules enabled in the zone-based firewall. The IPS protects traffic by matching a signature and then performing a configured action (alert, block, or allow).
Use the Intrusion Detection/Prevention System tab to view status or modify the IDS/IPS configuration for appliances selected in the appliance tree. The following information is displayed for selected appliances:
| Field | Description |
|---|---|
| Appliance | Name of the appliance. |
| Status | Indicates whether IDS/IPS is enabled on the selected appliance. |
| IDS/IPS State | Indicates the state of IDS/IPS on the EdgeConnect device. |
| Eligible | Indicates whether the device is eligible to enable IDS/IPS. For more information, see Prerequisites. |
| Licensed | Indicates whether the device is licensed to run IDS/IPS. |
| Signature Version | Identifies the version of the signature file currently loaded for IDS/IPS. |
| Inspected pkts/sec (last 5 min) | Number of packets inspected in the previous five minutes. |
| Threats detected (last 5 min) | Number of threats detected in the previous five minutes. |
| IPS Flow Drops (Cumulative) | Number of dropped flows since IPS has been running. The flow drop count is cumulative and is added to the previous flow drop count. |
| Events | Click the info icon to see the most recent IDS/IPS events on the selected appliance. |
| Stats | Click the stats icon to see the following IDS/IPS statistics for the selected appliance: Packets per second sent to the IDS/IPS, IPS Flow Drops (Cumulative), Threats Detected, and Bits per second sent to the IDS/IPS. |

Prerequisites
Note the following requirements about using IDS/IPS:
IDS/IPS can be enabled only on appliances with a minimum of four cores and 16 GB of RAM.
IDS/IPS can be enabled only on appliances running ECOS 9.1.0.0 or later. Appliances running an earlier version of ECOS will not be displayed on the Intrusion Detection/Prevention System tab.
IDS/IPS is a licensed feature and can be enabled only on appliances that have been assigned the Advanced Security license (see help text on the Configuration > Overlays & Security > Licensing > Licenses tab).
NOTE: IDS/IPS alarms are logged in standard syslog format. You can configure a logging facility for IDS/IPS and a remote log receiver to send logs to a third party for additional review and analytics (see Advanced Reporting and Analytics below).
Apply IDS/IPS on Appliances
To turn on or turn off IDS/IPS on the appliances displayed in the table, click Apply IDS/IPS on Appliances.
The Apply IDS/IPS dialog box opens.
Apply or remove IDS/IPS:
To turn off IDS and IPS for all appliances, select Off.
To enable IDS on the appliances, select IDS Only.
To enable IPS on the appliances, select IPS-Performant.
The proposed change in state, if any, is displayed for each appliance in the IDS/IPS State column.
To apply your changes, click Save. Or, to close the dialog box without making any changes, click Cancel.
Associate Actions with IPS Signatures
By default, all rules included in the IDS/IPS Signatures list are enabled on all appliances where IPS is enabled, and the default action is to drop traffic when a rule is triggered. However, for certain traffic or in some specific cases, you might want to specify different actions the IPS takes.
To manage IPS rules and actions, click IDS/IPS Signatures.
The IDS/IPS Signatures dialog box opens.

Use the search field at the top of the table to filter the list of rules. You can use the filters below the search bar to view rules by class, severity, or action.
Use the drop-down menu in the Action column to set the response for a rule:
Drop: Drop the traffic when a matching signature condition exists for the source, destination, or both.
Inspect: Continue the traffic flow to the destination, but inspect the traffic for any anomalies.
Allow: Pass the traffic from the source.
NOTE: Reset, quarantine, and packet logging actions will be available in a future release, but are not currently available.
To apply your changes, click Save. Or, to close the dialog box without making any changes, click Cancel.
Specify Traffic to Be Inspected
You can specify the traffic to be inspected according to source and destination zone, as well as specify detailed match criteria, using Firewall Zone Security Policies (Configuration > Overlays & Security > Security > Firewall Zone Security Policies).

With the addition of IDS/IPS, firewall actions have the following meanings:
allow: Allow traffic and do not inspect
deny: Deny traffic and do not inspect
inspect: Allow traffic and inspect
NOTE: No traffic will be inspected until rules with the inspect action are specified in the security policy.
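The following Python model, added here and not part of Orchestrator or the product, shows how the zone-policy actions above combine with the per-signature actions from the IDS/IPS Signatures dialog and the IDS Only / IPS-Performant modes. Zone names, signature ID 1001, the default-deny for unmatched zone pairs, and the assumption that IDS Only alerts without dropping are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: a flow is identified by its zone pair plus the set of
# signature IDs its packets happen to match (hypothetical IDs, not real rules).
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    matched_signatures: frozenset

@dataclass(frozen=True)
class ZoneRule:
    src_zone: str
    dst_zone: str
    action: str  # "allow", "deny" or "inspect", as defined for zone policies

def zone_action(rules, flow):
    """First matching zone rule wins. Assumption: no match means deny."""
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) == (flow.src_zone, flow.dst_zone):
            return rule.action
    return "deny"

def evaluate(flow, zone_rules, signature_actions, mode):
    """Return (verdict, events) for mode 'off', 'ids' or 'ips'.

    signature_actions maps signature ID -> 'drop' | 'inspect' | 'allow';
    any signature not listed keeps the default action, drop.
    """
    events = []
    action = zone_action(zone_rules, flow)
    if action == "deny":
        return "dropped", events
    if action != "inspect" or mode == "off":
        # allow, or engine disabled: traffic never reaches the signatures
        return "forwarded", events
    for sid in sorted(flow.matched_signatures):
        sig_action = signature_actions.get(sid, "drop")
        events.append((sid, sig_action))  # an event is raised either way
        # IDS Only is assumed to alert without enforcing; IPS enforces drop
        if mode == "ips" and sig_action == "drop":
            return "dropped", events
    return "forwarded", events

# Constructed policy: only branch -> datacenter traffic is sent to the engine.
ZONE_RULES = [ZoneRule("branch", "datacenter", "inspect"),
              ZoneRule("guest", "datacenter", "allow")]
SUSPECT = frozenset({1001})

if __name__ == "__main__":
    print(evaluate(Flow("branch", "datacenter", SUSPECT), ZONE_RULES, {}, "ips"))
    print(evaluate(Flow("guest", "datacenter", SUSPECT), ZONE_RULES, {}, "ips"))
```

The second call illustrates the NOTE above: a signature-matching flow that hits a zone rule with the allow action produces no event and is never dropped, however IPS is configured.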
For more information, see the following tabs in Orchestrator:
Templates (Security Policies): Configuration > Templates & Policies > Templates
Routing Segmentation: Configuration > Networking > Routing > Routing Segmentation (VRF)
Advanced Reporting and Analytics
For users who are using or trying Splunk, you can install the Aruba EdgeConnect Security App for Splunk application to enable advanced reporting and analytics using the IDS/IPS alarms forwarded from EdgeConnect appliances. Search Splunkbase for “EdgeConnect” or click this link to search in your browser.

Follow the instructions provided to install and configure the application.
