
Intrusion Detection System (IDS)

Configuration > Overlays & Security > Security > Intrusion Detection System (IDS)

The Intrusion Detection System (IDS) monitors traffic for potential threats and malicious activity and generates threat events based on preconfigured rules. Packets are copied and inspected against signatures that Orchestrator downloads from Cloud Portal. Orchestrator sends appliances the signature file along with any rules that have been added to the allow list. Traffic is designated for inspection by matching rules enabled in the zone-based firewall.

Use the Intrusion Detection System tab to view status or modify the IDS configuration for appliances selected in the appliance tree. The following information is displayed for selected appliances:

Field        Description
Appliance    Name of the appliance.
Status       Indicates whether IDS is enabled on the selected appliance.
Events       Click Show Last 100 Events to see the 100 most recent IDS events on the selected appliance.
Stats        Click Show Stats to see the following IDS statistics for the selected appliance: Decoder Packets, Kernel Drops, Alerts Detected, and Decoder Bytes.


Prerequisites

Note the following requirements about using IDS:

  • IDS can be enabled only on appliances with a minimum of four cores and 16 GB of RAM.

  • IDS can be enabled only on appliances running ECOS 9.1.0.0 or later, and appliances running an earlier version of ECOS will not be displayed on the Intrusion Detection System tab.

  • IDS is a licensed feature and can be enabled only on appliances that have been assigned the Advanced Security license (see help text on the Configuration > Overlays & Security > Licensing > Licenses tab).

NOTE: IDS alarms are logged in standard syslog format. You can configure a logging facility for IDS and remote log receiver to send logs to a third party for additional review and analytics (see Advanced Reporting and Analytics below).
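Because the alarms are standard syslog, a collector can separate them from other appliance logs by the facility assigned to IDS before forwarding them to a third-party receiver. The following script is an added example, not Orchestrator or ECOS code: it decodes the syslog PRI field (facility * 8 + severity), keeps only lines from the facility assumed to be assigned to IDS (local4, an assumption), and forwards them over UDP syslog. The sample lines are constructed and do not reproduce the real IDS alarm text.

```python
"""Decode syslog priorities and select IDS alarms for remote forwarding.

Added example, not Orchestrator or ECOS code. It assumes alarms reach the
log collector as RFC 3164-style lines that begin with a "<PRI>" field, and
that IDS has been given a dedicated logging facility (local4 here, an
assumed choice). The sample lines are constructed and do not reproduce the
real IDS alarm text.
"""
import re
import socket
from typing import List, Optional, Tuple

# Standard syslog facility and severity names, indexed by their numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (facility, severity, message) for a syslog line, or None if the
    line has no valid PRI. PRI = facility * 8 + severity, so the two fields
    are recovered with integer division and modulo."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def select_ids_alarms(lines: List[str], facility: str = "local4",
                      max_severity: str = "warning") -> List[str]:
    """Keep only lines logged to the IDS facility at or above the given
    severity (lower index = more severe). Malformed lines are dropped rather
    than forwarded, so they can be counted and investigated separately."""
    cutoff = SEVERITIES.index(max_severity)
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue
        fac, sev, _ = decoded
        if fac == facility and SEVERITIES.index(sev) <= cutoff:
            kept.append(line)
    return kept


def forward_udp(lines: List[str], host: str, port: int = 514) -> int:
    """Send the selected lines to a remote receiver over UDP syslog and
    return the number of lines sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))
    return len(lines)


# Constructed sample input: one IDS alarm on local4/warning (PRI 164),
# one local4/info line (PRI 166), one unrelated daemon line, one malformed.
SAMPLE_LINES = [
    "<164>Jan 12 10:00:01 edge-01 ids: alert (constructed) src=10.0.0.5 dst=203.0.113.9",
    "<166>Jan 12 10:00:02 edge-01 ids: stats (constructed) decoder_packets=1200 kernel_drops=0",
    "<30>Jan 12 10:00:03 edge-01 sshd: session opened",
    "no priority field on this line",
]

if __name__ == "__main__":
    for line in select_ids_alarms(SAMPLE_LINES):
        print("would forward:", line)
```

Run it directly to see which constructed lines pass the filter; call `forward_udp(select_ids_alarms(lines), "receiver.example")` only once a receiver is actually listening, since UDP syslog gives no delivery confirmation.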

Enable or Disable IDS on Appliances

Click Enable IDS on Appliances to add (enable) or remove (disable) IDS on all appliances displayed in the table.


  1. Select the Add check box to enable IDS on the appliances or select the Remove check box to disable IDS on the appliances.

    The proposed change in state, if any, is displayed for each appliance in the IDS State column.

  2. Click Save to apply your changes or click Cancel to close the dialog box without making any changes.

Enable or Disable Rules with the IDS Allow List

By default, all rules included in the IDS signature list are enabled on all appliances where IDS is enabled. For certain traffic or in some specific cases, however, you might want to disable logging and alarms for a rule by adding it to the IDS allow list.

  1. To manage which IDS rules are enabled and disabled, click IDS Allow List.

    The Allow IDS Rules dialog box opens.


  2. Use the search field at the top of the table to filter the list of rules. You can click Show Allowed Rules or Show All Rules to display only disabled rules or all rules, respectively.

    NOTE: If you disable or enable any rules, and then toggle the display between allowed and all rules without saving, your changes will be undone.

  3. Use the check box in the Allow column to disable or enable rules:

    • To disable a rule and add it to the allow list, select the check box.

    • To enable a rule and remove it from the allow list, clear the check box.

  4. Click Save to apply your changes or click Cancel to close the dialog box without making any changes.

Specify Traffic to Be Inspected

You can specify the traffic to be inspected according to source and destination zone, as well as specify detailed match criteria, using Firewall Zone Security Policies.


With the addition of IDS, firewall actions have the following meanings:

  • allow: Allow traffic and do not inspect

  • deny: Deny traffic and do not inspect

  • inspect: Allow traffic and inspect

NOTE: No traffic will be inspected until rules with the inspect action are specified in the security policy.
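To make the three actions concrete, the following added example (not Orchestrator or ECOS code) models a zone-based policy as an ordered rule list and maps each action onto whether a packet is forwarded and whether a copy goes to the IDS. It assumes first-match evaluation and a configurable default action; zone names, addresses and ports are constructed. The `inspection_enabled` check reflects the note above: without at least one inspect rule, nothing is inspected regardless of how many allow rules exist.

```python
"""Zone-based policy evaluation with the allow / deny / inspect actions.

Added example, not Orchestrator or ECOS code. It assumes first-match
evaluation within a policy and a configurable default action; zone names,
addresses and ports below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# How each firewall action maps onto (forwarded, inspected), as described
# on this page: only "inspect" both forwards the packet and sends a copy
# to the IDS engine.
ACTIONS = {
    "allow": (True, False),
    "deny": (False, False),
    "inspect": (True, True),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str
    dst_net: str = "0.0.0.0/0"               # any destination by default
    dst_ports: FrozenSet[int] = frozenset()  # empty set = any port

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str, dst_port: int) -> bool:
        return (
            self.src_zone == src_zone
            and self.dst_zone == dst_zone
            and ip_address(dst_ip) in ip_network(self.dst_net)
            and (not self.dst_ports or dst_port in self.dst_ports)
        )


def evaluate(policy: List[Rule], src_zone: str, dst_zone: str, dst_ip: str,
             dst_port: int, default_action: str = "deny") -> Tuple[bool, bool, Optional[Rule]]:
    """First matching rule decides; returns (forwarded, inspected, rule).
    `rule` is None when the default action applied."""
    for rule in policy:
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action!r}")
        if rule.matches(src_zone, dst_zone, dst_ip, dst_port):
            forwarded, inspected = ACTIONS[rule.action]
            return forwarded, inspected, rule
    forwarded, inspected = ACTIONS[default_action]
    return forwarded, inspected, None


def inspection_enabled(policy: List[Rule]) -> bool:
    """True only if at least one rule carries the inspect action; otherwise
    no traffic reaches the IDS no matter how many allow rules exist."""
    return any(r.action == "inspect" for r in policy)


# Constructed sample policy: inspect web traffic from LAN to WAN, allow the
# rest of LAN-to-WAN traffic uninspected, deny everything else by default.
SAMPLE_POLICY = [
    Rule("LAN", "WAN", "inspect", dst_ports=frozenset({80, 443})),
    Rule("LAN", "WAN", "allow"),
]

if __name__ == "__main__":
    print("inspect rule present:", inspection_enabled(SAMPLE_POLICY))
    for flow in [("LAN", "WAN", "203.0.113.10", 443),
                 ("LAN", "WAN", "203.0.113.10", 22),
                 ("DMZ", "LAN", "10.0.0.1", 22)]:
        forwarded, inspected, rule = evaluate(SAMPLE_POLICY, *flow)
        print(flow, "forwarded" if forwarded else "dropped",
              "inspected" if inspected else "not inspected")
```

The ordering matters: if the broad allow rule came first, the inspect rule would never match and web traffic would be forwarded uninspected, so narrow inspect rules belong above wider allow rules.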

For more information, see the following tabs in Orchestrator:

  • Templates (Security Policies): Configuration > Templates & Policies > Templates

  • Routing Segmentation: Configuration > Networking > Routing > Routing Segmentation (VRF)

Advanced Reporting and Analytics

If you use Splunk, you can install the Aruba EdgeConnect application to enable advanced reporting and analytics using the IDS alarms forwarded from EdgeConnect appliances. Search Splunkbase for “EdgeConnect” or click this link to search in your browser.


Follow the instructions provided to install and configure the application.



© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.