Overview

Which traffic inspection engine is used in HPE Aruba Networking IDPS?

HPE Aruba Networking Intrusion Detection and Prevention System (IDPS) monitors, detects, and prevents threats in inbound and outbound traffic. It provides an extra layer of protection that actively analyzes the network and acts on traffic flows according to the defined rules: it inspects data packets and, if a threat is identified, acts in real time to prevent it. HPE Aruba Networking IDPS uses an open source traffic inspection engine to detect and prevent intrusions in inbound and outbound traffic.

What is the performance of the traffic inspection engine?

For TCP enterprise mixed traffic, the throughput of the traffic inspection engine is up to 920 Mbps in IPS (Intrusion Prevention System) mode and up to 950 Mbps in IDS (Intrusion Detection System) mode. In IDS mode the engine only monitors traffic and reports findings to the management system; in IPS mode it additionally attempts to block matching traffic inline, which is why the IPS figure is slightly lower.

Can I run the traffic inspection on a VPNC gateway in the Data Center?

HPE Aruba Networking Central version 2.5.3 and later support running Gateway IDS/IPS on a 9012 gateway deployed as a VPNC in the data center. To run a 9012 gateway as a VPNC, ensure that it has AOS 8.7.0.0-2.3.0.0 installed, has all the required licenses, and has Gateway IDS/IPS enabled.

Can I perform Sandbox testing on Gateway IDS/IPS?

Yes, sandbox testing can be performed on Gateway IDS/IPS.

What are the types of protocol streams that are inspected by the traffic inspection engine?

All protocol streams are inspected by the traffic inspection engine using the 5x ruleset type, for example HTTP, DNS, TLS, TFTP, SMB, SSH, DHCP, FILES, SMTP, SNMP, SIP, RFB, MQTT, RDP, and HTTP2. For encrypted streams such as TLS and SSH, signature inspection applies to the parts of the exchange that are visible on the wire (handshake, certificates, and protocol metadata), not to the encrypted payload.

Can I select protocol streams that can be inspected by the traffic inspection engine?

In the current release, the traffic inspection engine inspects all protocol streams; individual protocols cannot be selected. If you do not want particular threat signatures to be applied, you can allow list those signatures, or bypass inspection for large data flows.

How extensive is the signature pack and what types of vulnerabilities does it capture?

Gateway IDS/IPS includes rulesets made up of rules, and each rule carries signatures for a given threat category. Gateway IDS/IPS includes three policies: lenient, moderate, and strict. Each policy defines whether packets matching a specific threat signature are dropped or allowed. The appendix describes some of the threat categories; for more information, see Threat Categories.

How are the events reported when there is an attack on my network?

When there is an attack on the network, the events are reported in the Gateway IDS/IPS dashboard and the Threats List. HPE Aruba Networking Central also allows you to configure notifications for IDS and IPS alerts. For more information, see Gateway Intrusion Detection and Prevention Dashboard and Gateway Alerts.

How do I quarantine the infected clients?

HPE Aruba Networking IDPS can send threat event data to a third-party Security Incident and Event Management (SIEM) server such as Splunk. The SIEM performs advanced analysis and reporting on the threat data and gives a holistic view of the security posture by aggregating and correlating it with data from other sources in the network. The SIEM's correlation and incident management workflow then sends a request to HPE Aruba Networking ClearPass Policy Manager (the platform for policy management, AAA, profiling, network access control, and reporting) to move the infected client into quarantine. HPE Aruba Networking Central delivers notifications for all alerts through the Webhooks configuration. For more information, see Gateway Alerts.

Who provides the threat intelligence to the traffic inspection engine?

HPE Aruba Networking IDPS receives threat intelligence from a third-party provider, Proofpoint Emerging Threats (ET) Intelligence, to monitor inbound and outbound traffic for malicious activity. For more information, see https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence.

How does HPE Aruba Networking IDPS work in conjunction with Zscaler Cloud Security Service for SD-Branch and AOS 10 Mobility Gateway?

Gateway IDS/IPS and Zscaler complement each other. Gateway IDS/IPS inspects network traffic on the Branch Gateway at the edge, driven by policies from HPE Aruba Networking Central. Zscaler or other cloud security services route traffic, based on their own policy, to a cloud security Point of Presence (POP), where it is inspected according to the policy defined in that service's admin console. Cloud security services also provide their own cloud-native security services that may be used across various environments.

How does the HPE Aruba Networking IDPS security solution work in conjunction with SD-Branch and AOS 10 Mobility Gateway?

The HPE Aruba Networking IDPS security solution is enabled on SD-Branch gateways. When IDPS is enabled, traffic in all directions, east-west as well as north-south, is inspected for threats.

How is the HPE Aruba Networking IDPS security solution different from security solutions offered by competitors?

The HPE Aruba Networking IDPS security solution prevents threat intrusions and protects the network from them. It improves network security with features such as full packet inspection, north-south and east-west inspection, allow listing, multi-dimensional threat metrics, threat intelligence, correlation and incident management, simplified configuration, and simplified licensing.

What are the software and hardware requirements to implement IDPS?

For more information about the minimum supported software version and the recommended software version, see Preparing to add IDPS-Supported Gateways.

Can I evaluate the security features before using them in the production environment?

Yes, you can evaluate the IDPS security features using an Advance with Security evaluation license, which expires after 90 days. It allows you to evaluate HPE Aruba Networking IDPS and advanced SD-Branch features on up to 10 IDPS-supported gateways.

What is the advantage of an IDPS-enabled gateway?

An IDPS-enabled gateway is entitled to the security features. If you have an IDPS-enabled gateway, you do not have to invest in another appliance or application to do the traffic inspection. It also provides rich operational data that aids monitoring, such as CPU and memory statistics, engine state, packet drops, and so on.

How does HPE Aruba Networking IDPS help in improving network security?

HPE Aruba Networking IDPS helps the administrator monitor, detect, and prevent malicious events in east-west and north-south traffic; for each, it generates a threat event and records the details. All identified threats are logged and can be sent to external systems (such as Splunk Cloud) for correlation analysis. It provides an extra layer of protection that actively analyzes the network and acts on your traffic flows based on pre-configured rules. For more information, see Gateway Alerts.

What deployments does IDPS support?

You can use IDPS in the following deployments:

  • SD-Branch deployments for branch gateway and VPNC personas

  • Branch HA Cluster

  • L3HA

  • Mobility gateway clustering

How many nodes does IDPS support in a cluster?

IDPS supports up to a 2-node cluster in the mobility gateway persona.

How does HPE Aruba Networking Gateways handle anti-malware?

Anti-malware in this context refers to protection against zero-day attacks and is typically associated with sandboxing or Advanced Threat Prevention (ATP). Anti-malware is not signature-based; instead it relies on traffic usage patterns (as does detection of phishing and ransomware).

On gateways, IDS/IPS inspects and prevents kill-chain related, traffic-usage-pattern based threats. Unlike most other IDS/IPS systems, the threat intelligence in HPE Aruba Networking Central covers over 50 categories of signature-based and traffic-pattern-based threats. For more information, see Threats List.