Overview of Aruba IDPS

The Intrusion Detection and Prevention System (IDPS Intrusion Detection and Prevention System (IDPS) monitors, detects, and prevents threats in the inbound and outbound traffic. Aruba IDPS provides an extra layer of protection that actively analyzes the network and takes actions on the traffic flows based on the defined rules. It inspects data packets, and if any threat is identified, acts real-time to prevent it.) monitors, detects, and prevents threats in the inbound and outbound traffic. The Intrusion Detection System (IDS Intrusion Detection System. IDS monitors a network or systems for malicious activity or policy violations and reports its findings to the management system deployed in the network.) monitors the network for any malicious activity and generates threat events. The Intrusion Prevention System (IPS Intrusion Prevention System. The IPS monitors a network for malicious activities such as security threats or policy violations. The main function of an IPS is to identify suspicious activity, log the information, attempt to block the activity, and report it. ) has all the capabilities of IDS along with the ability to prevent intrusions by dropping malicious data packets. As an administrator, you can enable either IDS or IPS.

Aruba IDPS provides an extra layer of protection that actively analyzes the network and takes actions on the traffic flows based on live updated rules. These actions include alerting based on and blocking traffic flows. Aruba IDPS has the capability to inspect data packets that enter the network and act quickly to prevent threats in real time. All identified threats are logged for correlation and analysis.

Why Aruba IDPS?

In today's network environments, which are much larger and more complex than those in the past, applications and connections are vulnerable. In order to address these challenges, Aruba introduces IDPS that adds an additional layer of security that focuses on users, applications and network connections, integrated with your existing Aruba SD-Branch, WAN Wide Area Network. WAN is a telecommunications network or computer network that extends over a large geographical distance., or ArubaOS 10 ArubaOS 10 (AOS 10) is the distributed network operating system working with Aruba Central that controls Aruba Access Points (APs) and optional gateways. solution. Aruba IDPS proactively prevents and protects the network from intrusions. This is a policy-driven intrusion prevention technology that operates efficiently with minimal manual intervention. IDPS protects the network from real-time attacks with an additional advanced security dashboard that provides Security Analysts with everything they need to manage an end-to-end zero trust, edge-to-cloud environment providing network-wide visibility, multi-dimensional threat metrics, threat intelligence data, correlation, and incident management.

When IDPS is enabled, certain scenarios in layer 3 high availability (L3HA) are not ideal. Therefore, please review before you choose L3HA with IDPS enabled.

Key Features and Benefits

The following are some of the key features and benefits of Aruba IDPS:

Full Packet Inspection—Aruba IDPS offers a signature and usage pattern-based inspection that inspects every data packet for intrusion.
North-South and East-West inspection—Monitors both LAN Local Area Network. A LAN is a network of connected devices within a distinct geographic area such as an office or a commercial establishment and share a common communications line or wireless link to a server. and WAN networks for all traffic flows, including traffic coming into the network and leaving the network as well as inter and intra VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. segments.
Multi-dimensional Threat Metrics—Enables you to identify and view threats from different dimensions such as different protocols, threat types, source and destination hosts, geographic locations, time of day, and so on.
Allow listing—Allow the administrators to ignore or bypass traffic from being inspected for certain rulesets.
Threat Intelligence—There are about 50 threat categories that include Command and control, Ransomware, Phishing, Malware, Spyware, Cryptomining, and so on.
Correlation and Incident Management—In addition to monitoring usage patterns, tracking events, and analyzing event logs and data for any relationship to prevent attacks, threat events are also streamed to Security Information and Events Management (SIEM Security Incident and Event Management (SIEM) is a server where Aruba IDPS sends the threat data to perform advanced analysis and generate reports. SIEM provides a holistic picture of the security posture by aggregating and correlating data from disparate sources in the network.) systems such as Splunk Cloud as well as integrated with Central Alert Framework for notification and integration with third-party systems based on the configured threshold.
Simplified Configuration—A user-friendly and intuitive user interface that allows you to configure IDPS for your SD-Branch network with ease. Aruba offers three types of threat profiles: Lenient, Moderate, and Strict for IDS and IPS modes.
Licensing—The Foundation and Advanced Gateway licenses are offered an add-on Security license that provides IDPS feature.
Selective Inspection—Handling any exceptions for the inspection based on your business requirement. Selective Inspection allows you to define a common traffic treatment type for a collection of client roles.

How does Aruba IDPS Work?

Aruba leverages an open source IDPS engine which is integrated as a Virtual Network Function (VNF) with the SD-Branch Gateway and VPNC gateways. This engine detects and prevents intrusion based on rules set by the user.

The following process describes the Aruba IDPS workflow to detect and prevent intrusions:

Download Threat Rulesets—Aruba IDPS downloads threat rulesets from the cloud repository.
Enable Aruba IDPS—Enable IDPS and configure an IDPS policy in Aruba Central.
Stream Realtime Events—The events are streamed real-time based on preset event category.
Enrich Events—Aruba IDPS enriches events with host, application, and location details.
Send Alerts and Block Traffic—Sends alerts and notifications if IDS is selected and blocks traffic if IPS is selected as the mode of inspection.
Monitor Threats—Monitor and move threats to the Allow List in the IDPS dashboard in Aruba Central.
Share Threat Data—The threat data recorded in Aruba Central is shared with the SIEM server and the supported third-party integrations through Central Alert framework, if configured.

Figure 1 Aruba IDPS Architecture Diagram