Manage Selective Inspection

Selective inspection uses the Risk-Oriented Traffic Inspection (ROTI) method to aid the Intrusion Detection and Prevention System (IDPS), which monitors, detects, and prevents threats in inbound and outbound traffic by inspecting packets and acting in real time on the flows that match the defined rules. HPE Aruba Networking Central provides threat vectors for defining how selective inspection is applied to your traffic.

The following threat vectors are available:

  1. Client Roles—Client roles are a combination of device or user roles.

  2. Network Aliases—Network aliases are the aliases provided by you for easier identification and user-friendly management of the networking IP addresses.

The Selective Inspection feature lets you define a Traffic Treatment Type (T3) based on an identity. The T3 bucket is the implementation of the ROTI concept: it defines the traffic treatment type for a threat vector.

Selective Inspection also handles exceptions to inspection based on your business requirements. It allows you to define a common traffic treatment type for client roles or network aliases. T3 buckets group the supported threat vectors (see Adding Client Roles for Selective Inspection and Adding Network Aliases for Selective Inspection) and are assigned to a security inspection policy. Two T3 buckets are pre-defined, named Risky and Safe; the administrator can rename them.

By default, the security inspection policy is assigned to the Risky T3 bucket, which means that all system-assigned (default) and administrator-assigned traffic flows are evaluated for inspection. For more information, see Understanding Policy Evaluation.

If traffic inspection is already enabled, the existing IDS configuration, IPS configuration, and the selected policy are inherited and displayed on the Selective Inspection page. The administrator can either keep the inherited configuration or modify it.

The administrator can customize the following based on the security inspection requirements:

  • T3 bucket names

  • Policy association to T3 buckets

  • Default policy assignment

  • Default behavior

  • Associating threat vectors to T3 bucket

  • Prioritization between threat vectors

  • Treatment for the trusted traffic

Anything connected to a trusted port is not authenticated and does not receive a role, so a policy cannot be assigned to it directly. In Selective Inspection, Trusted Traffic is therefore provided as a separate category that can itself be assigned to a T3 bucket. For more information, see Assigning T3 Bucket for Trusted Traffic.

  • The following scenarios serve as examples for customizing selective inspection for the Client Roles threat vector:

    • If you want to retain the current behavior alongside selective inspection, keep the default as Risky; all traffic flows are then inspected. For example, if IoT devices are considered high risk, their traffic must go through inspection. Critical users who may be targets for attacks are also strong candidates for inspection.

    • If you want to skip inspection for specific traffic, change the default behavior and choose a T3 bucket that has no policy assigned, or associate the appropriate client roles and/or network aliases with the Safe T3 bucket. Vulnerability assessment tools, for example, are security tools whose traffic is typically not inspected: assign those devices a vulnerability-assessment client role mapped to the Safe bucket, or add their IP addresses to a network alias that is mapped to the Safe bucket.

      Only the source client role or source network address is considered for the association, never the destination. An exemption therefore covers every flow originating from a host that holds that role or address, so scope such roles and aliases tightly.

    • If you do not want the default behavior for a role, assign that client role to a T3 bucket that has no policy assigned. For example, guests in the lobby may connect to the network only to browse the Internet; in that case, associate the guest role with the Safe T3 bucket, which has no policy assigned.

Execution Rules

When both threat vectors are used, selective inspection resolves the default setting and the implicit or explicit assignment of each threat vector to a T3 bucket using the following core and special rules:

  • Core Rules

    • When the Client Role and Network Alias vectors of a session have the same level of user intention (both implicitly assigned through the default bucket, or both explicitly assigned by the administrator), the configured precedence between the threat vectors determines the risk level.

    • When the Client Role and Network Alias vectors of a session have different levels of user intention (one implicit, one explicit), the explicit assignment determines the risk level.

  • Special Rules

    • When an IP address belongs to two network aliases that are assigned to different T3 buckets, the risk level of the alias in the non-default T3 bucket is applied.

    • For a trusted-traffic session that has no client role but does have an explicit assignment, the risk level is determined by that explicit intention.

The following table lists scenarios showing which traffic treatment is executed when the threat vectors are given alternate priorities and are implicitly or explicitly assigned to different T3 buckets.

For example, consider the following in a network session:

  • Client Role—employee

  • Network Aliases—store-alias (10.0.0.1) and byod-alias (10.0.0.2)

Table 1: Combination of Client Roles and Network Aliases

Sl. No.    | Threat Vector               | Priority | Default T3 Bucket | Assigned T3 Bucket     | Selective Inspection
-----------|-----------------------------|----------|-------------------|------------------------|-----------------------------------------------------------------------------------
Scenario 1 | Client Role - employee      | 1        | Risky             | Implicit, Risky bucket | Risky treatment is executed (Core Rules, first bullet)
           | Network Alias - store-alias | 2        |                   | Implicit, Risky bucket |
Scenario 2 | Client Role - employee      | 1        | Risky             | Explicit, Risky bucket | Risky treatment is executed (Core Rules, first bullet)
           | Network Alias - store-alias | 2        |                   | Explicit, Safe bucket  |
Scenario 3 | Network Alias - store-alias | 1        | Risky             | Explicit, Safe bucket  | Safe treatment is executed (Core Rules, first bullet)
           | Client Role - employee      | 2        |                   | Implicit, Risky bucket |
Scenario 4 | Client Role - employee      | 1        | Risky             | Implicit, Risky bucket | Safe treatment is executed (Core Rules, second bullet)
           | Network Alias - store-alias | 2        |                   | Explicit, Safe bucket  |
Scenario 5 | Client Role - employee      | 1        | Risky             | Implicit, Risky bucket | Safe treatment is executed (Core Rules, second bullet, and Special Rules, first bullet)
           | Network Alias - byod-alias  | 2        |                   | Explicit, Risky bucket |
           | Network Alias - store-alias | 2        |                   | Explicit, Safe bucket  |
Scenario 6 | Client Role - employee      | 1        | Safe              | Implicit, Safe bucket  | Risky treatment is executed (Core Rules, second bullet, and Special Rules, first bullet)
           | Network Alias - byod-alias  | 2        |                   | Explicit, Risky bucket |
           | Network Alias - store-alias | 2        |                   | Explicit, Safe bucket  |
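The Execution Rules and the six scenarios in Table 1 can be checked against a small resolver. The following is an added example written for this page, not HPE Aruba Networking Central code: the Config data model, the "role"/"alias" precedence tuple, the policy names, and the function names are assumptions chosen to mirror the Core and Special Rules, and the configuration it builds is constructed to reproduce the employee session from Table 1 (with 10.0.0.1 placed in both aliases so that Scenarios 5 and 6 can exercise the first Special Rule).

```python
"""Resolver for the Selective Inspection execution rules (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

RISKY, SAFE = "Risky", "Safe"


@dataclass
class Config:
    default_bucket: str                               # bucket used for implicit assignment
    policy: Dict[str, Optional[str]]                  # bucket -> inspection policy (None = none)
    alias_ips: Dict[str, Set[str]]                    # network alias -> member addresses
    role_buckets: Dict[str, str] = field(default_factory=dict)   # explicit role assignments
    alias_buckets: Dict[str, str] = field(default_factory=dict)  # explicit alias assignments
    priority: Tuple[str, str] = ("role", "alias")     # precedence between threat vectors


Vector = Tuple[str, bool]  # (bucket, explicit?)


def role_vector(cfg: Config, role: Optional[str]) -> Optional[Vector]:
    """Client Role vector: explicit bucket if assigned, else the default (implicit).
    Trusted traffic carries no role and therefore yields no vector."""
    if role is None:
        return None
    if role in cfg.role_buckets:
        return cfg.role_buckets[role], True
    return cfg.default_bucket, False


def alias_vector(cfg: Config, src_ip: str) -> Vector:
    """Network Alias vector for the SOURCE address (destination is never considered).
    Special Rule 1: if the address is in aliases explicitly assigned to different
    buckets, the non-default bucket wins."""
    explicit = {cfg.alias_buckets[a] for a, members in cfg.alias_ips.items()
                if src_ip in members and a in cfg.alias_buckets}
    if not explicit:
        return cfg.default_bucket, False
    non_default = explicit - {cfg.default_bucket}
    if len(non_default) > 1:  # two non-default buckets: the page defines no tie-break
        raise ValueError(f"{src_ip}: conflicting buckets {sorted(non_default)}")
    return (non_default.pop() if non_default else cfg.default_bucket), True


def resolve_bucket(cfg: Config, role: Optional[str], src_ip: str) -> str:
    """Apply the Core and Special Rules to one session and return its T3 bucket."""
    rv, av = role_vector(cfg, role), alias_vector(cfg, src_ip)
    if rv is None:
        # Special Rule 2: no role (trusted traffic); an explicit alias assignment
        # decides, otherwise the alias vector already holds the default bucket.
        return av[0]
    if rv[1] == av[1]:
        # Core Rule 1: same level of intention -> configured precedence decides.
        return rv[0] if cfg.priority[0] == "role" else av[0]
    # Core Rule 2: different levels of intention -> the explicit assignment decides.
    return rv[0] if rv[1] else av[0]


def treatment(cfg: Config, role: Optional[str], src_ip: str) -> Tuple[str, bool]:
    """Return (bucket, inspected): a flow is inspected only if its bucket has a policy."""
    bucket = resolve_bucket(cfg, role, src_ip)
    return bucket, cfg.policy.get(bucket) is not None


# Constructed configuration for the Table 1 session. 10.0.0.1 is deliberately a
# member of both aliases so that Scenarios 5 and 6 trigger Special Rule 1.
ALIASES = {"store-alias": {"10.0.0.1"}, "byod-alias": {"10.0.0.2", "10.0.0.1"}}
POLICY = {RISKY: "ids-ips-policy", SAFE: None}  # assumed: only Risky carries a policy

SCENARIOS = {
    1: Config(RISKY, POLICY, ALIASES),
    2: Config(RISKY, POLICY, ALIASES, {"employee": RISKY}, {"store-alias": SAFE}),
    3: Config(RISKY, POLICY, ALIASES, {}, {"store-alias": SAFE}, ("alias", "role")),
    4: Config(RISKY, POLICY, ALIASES, {}, {"store-alias": SAFE}),
    5: Config(RISKY, POLICY, ALIASES, {}, {"byod-alias": RISKY, "store-alias": SAFE}),
    6: Config(SAFE, POLICY, ALIASES, {}, {"byod-alias": RISKY, "store-alias": SAFE}),
}


def run_table() -> Dict[int, str]:
    """Evaluate the employee session (source 10.0.0.1) under each scenario."""
    return {n: resolve_bucket(cfg, "employee", "10.0.0.1") for n, cfg in SCENARIOS.items()}


if __name__ == "__main__":
    for n, bucket in run_table().items():
        print(f"Scenario {n}: {bucket} treatment")
    print("trusted traffic from 10.0.0.1:", treatment(SCENARIOS[4], None, "10.0.0.1"))
    print("trusted traffic from 10.0.0.9:", treatment(SCENARIOS[4], None, "10.0.0.9"))
```

The resolver keys every decision on the source identity only, which is the property to keep in mind when exempting a role or alias: any host that acquires that role or source address inherits the exemption. Scenario 3 resolves to Safe under either Core Rule, since the explicitly assigned alias also has the higher precedence.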

For information about how to navigate and view or change the traffic treatment type, see Using Selective Inspection.