
Intrusion Detection/Prevention System (IDS/IPS)

Configuration > Overlays & Security > Security > Intrusion Detection/Prevention System (IDS/IPS)

The Intrusion Detection/Prevention System (IDS/IPS) monitors traffic for potential threats and malicious activity and generates threat events based on preconfigured rules. Packets are copied and inspected against signatures that Orchestrator downloads from Cloud Portal. Orchestrator sends each appliance the signature file and any rules that have been added to the allow list. Traffic is selected for inspection by rules in the zone-based firewall that carry the inspect action. The IPS protects traffic by matching a signature and then performing the action configured for that signature (drop, inspect, or allow).

Use the Intrusion Detection/Prevention System tab to view status or modify the IDS/IPS configuration for appliances selected in the appliance tree. The following information is displayed for selected appliances:

Field Description
Appliance Name of the appliance.
Status Indicates whether IDS/IPS is enabled on the selected appliance.
IDS/IPS State Current IDS/IPS mode on the EdgeConnect appliance (Off, IDS Only, or IPS-Performant). When you change the mode, the proposed new state is shown here before it is saved.
Eligible Indicates whether the device is eligible to enable IDS/IPS. For more information, see Prerequisites.
Licensed Indicates whether the device is licensed to run IDS/IPS.
Signature Version Version of the signature file the appliance is currently running.
Inspected pkts/sec (last 5 min) Number of packets inspected in the previous five minutes.
Threats detected (last 5 min) Number of threats detected in the previous five minutes.
IPS Flow Drops (Cumulative) Total number of flows dropped by IPS since it started running. The count is not reset between reporting intervals.
Events Click the info icon to see the most recent IDS/IPS events on the selected appliance.
Stats Click the stats icon to see the following IDS/IPS statistics for the selected appliance: Packets per second sent to the IDS/IPS, IPS Flow Drops (Cumulative), Threats Detected, and Bits per second sent to the IDS/IPS.


Prerequisites

Note the following requirements about using IDS/IPS:

  • IDS/IPS can be enabled only on appliances with a minimum of four cores and 16 GB of RAM.

  • IDS/IPS can be enabled only on appliances running ECOS 9.1.0.0 or later. Appliances running an earlier version of ECOS will not be displayed on the Intrusion Detection/Prevention System tab.

  • IDS/IPS is a licensed feature and can be enabled only on appliances that have been assigned the Advanced Security license (see help text on the Configuration > Overlays & Security > Licensing > Licenses tab).

NOTE: IDS/IPS alarms are logged in standard syslog format. You can configure a logging facility for IDS/IPS and a remote log receiver so that the alarms are forwarded to a third-party system for additional review and analytics (see Advanced Reporting and Analytics below).
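The following is an added example and is not Orchestrator or EdgeConnect code: a Python parser and aggregator for forwarded IDS/IPS alarms as a remote syslog receiver would store them. The page does not show the alarm body format, so the key=value layout in the constructed sample lines is an assumption; the RFC 3164 PRI header (facility and severity) is parsed as that standard defines it. Adjust SYSLOG_RE and KV_RE to the fields your appliances actually emit.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample, not real appliance output: four IDS/IPS alarms plus one
# junk line, as a remote syslog receiver might store them. The key=value body
# is an assumed layout for this example.
SAMPLE_LOGS = """\
<132>Mar 14 10:22:31 ec-branch-01 idsips: action=drop sid=1000001 severity=high class="Attempted Administrator Privilege Gain" src=10.1.20.15:51234 dst=203.0.113.8:445 proto=TCP
<132>Mar 14 10:22:35 ec-branch-01 idsips: action=drop sid=1000001 severity=high class="Attempted Administrator Privilege Gain" src=10.1.20.15:51240 dst=203.0.113.8:445 proto=TCP
<134>Mar 14 10:23:02 ec-branch-02 idsips: action=inspect sid=1000042 severity=medium class="Potentially Bad Traffic" src=10.2.7.9:40112 dst=198.51.100.20:80 proto=TCP
<134>Mar 14 10:23:05 ec-branch-01 idsips: action=allow sid=1000077 severity=low class="Misc activity" src=10.1.20.15:51250 dst=203.0.113.8:443 proto=TCP
this line is not a syslog record and must be skipped rather than crash the parser
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # RFC 3164 PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "         # BSD timestamp, no year
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')            # key=value or key="quoted value"


def parse_line(line: str) -> Optional[dict]:
    """Parse one alarm line into a flat dict, or return None for non-syslog input."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group("body"))}
    src_ip, _, src_port = fields.get("src", "").rpartition(":")
    dst_ip, _, dst_port = fields.get("dst", "").rpartition(":")
    return {
        "facility": pri // 8, "syslog_severity": pri % 8,
        "timestamp": m.group("ts"), "host": m.group("host"), "tag": m.group("tag"),
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
        **fields,                     # action, sid, severity, class, proto ... as emitted
    }


def parse_log(text: str):
    """Parse a block of lines; malformed lines are counted, not silently dropped."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1
        else:
            events.append(event)
    return events, skipped


def summarize(events: list) -> dict:
    """Counters a SOC analyst would pivot on first."""
    return {
        "by_action": Counter(e.get("action", "?") for e in events),
        "by_sid": Counter(e.get("sid", "?") for e in events),
        "by_appliance": Counter(e["host"] for e in events),
        "drops_by_src": Counter(e["src_ip"] for e in events if e.get("action") == "drop"),
    }


def noisy_sources(events: list, threshold: int) -> list:
    """Source IPs whose dropped flows reach the threshold: candidates either for a
    block at the zone policy or for checking whether a signature is misfiring."""
    drops = summarize(events)["drops_by_src"]
    return sorted((ip, n) for ip, n in drops.items() if n >= threshold)


if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOGS)
    print(f"{len(evs)} events parsed, {skipped} skipped")
    for name, counter in summarize(evs).items():
        print(name, dict(counter))
    print("noisy sources:", noisy_sources(evs, 2))
```

Run it as a script to see the counters; in a real deployment, feed it the receiver's log file and wire noisy_sources into whatever alerting or ticketing you already have. Keep the skipped count visible, since a silent jump in it usually means the appliance's log format changed after an ECOS upgrade rather than that attacks stopped.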

Apply IDS/IPS on Appliances

  1. To turn on or turn off IDS/IPS on the appliances displayed in the table, click Apply IDS/IPS on Appliances.

    The Apply IDS/IPS dialog box opens.

  2. Apply or remove IDS/IPS:

    • To turn off IDS and IPS for all appliances, select Off.

    • To enable IDS on the appliances, select IDS Only.

    • To enable IPS on the appliances, select IPS-Performant.

      The proposed change in state, if any, is displayed for each appliance in the IDS/IPS State column.

  3. To apply your changes, click Save. Or, to close the dialog box without making any changes, click Cancel.

Associate Actions with IPS Signatures

By default, all rules included in the IDS/IPS Signatures list are enabled on all appliances where IPS is enabled, and the default action is to drop traffic when a rule is triggered. However, for certain traffic or in some specific cases, you might want to specify different actions the IPS takes.

  1. To manage IPS rules and actions, click IDS/IPS Signatures.

    The IDS/IPS Signatures dialog box opens.


  2. Use the search field at the top of the table to filter the list of rules. You can use the filters below the search bar to view rules by class, severity, or action.

  3. Use the drop-down menu in the Action column to set the response for a rule:

    • Drop: Drop the traffic when a matching signature condition exists for the source, destination, or both.

    • Inspect: Continue the traffic flow to the destination, but inspect the traffic for any anomalies.

    • Allow: Pass the traffic from the source.

    NOTE: Reset, quarantine, and packet logging actions will be available in a future release, but are not currently available.

  4. To apply your changes, click Save. Or, to close the dialog box without making any changes, click Cancel.

Specify Traffic to Be Inspected

You can specify the traffic to be inspected according to source and destination zone, as well as specify detailed match criteria, using Firewall Zone Security Policies (Configuration > Overlays & Security > Security > Firewall Zone Security Policies).


With the addition of IDS/IPS, firewall actions have the following meanings:

  • allow: Allow traffic and do not inspect

  • deny: Deny traffic and do not inspect

  • inspect: Allow traffic and inspect

NOTE: No traffic will be inspected until rules with the inspect action are specified in the security policy.
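The following is an added example, not Orchestrator code: a small Python model of how a zone security policy gates inspection and how the per-signature actions from the IDS/IPS Signatures dialog then decide the outcome of an inspected flow. Several details are assumptions the page does not state: rules are evaluated top-down with the first match winning, a flow that matches no rule is denied, the destination prefix and port are the only match criteria modelled, and when a flow hits several signatures the most restrictive action wins. The lint_policy check reflects the note above (nothing is inspected without an inspect rule) and the related pitfall that an earlier, broader allow or deny rule can shadow an inspect rule so it never matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "allow", "deny" or "inspect" (the page's three actions)
    dst_net: str = "0.0.0.0/0"       # destination prefix match criterion (assumed)
    dst_port: Optional[int] = None   # None = any destination port (assumed)


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst_net)


def firewall_action(policy: list, flow: Flow) -> str:
    """First matching rule decides; unmatched traffic is denied (assumption)."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


DEFAULT_SIGNATURE_ACTION = "drop"                 # page: the default signature action is drop
SIG_ACTION_RANK = {"allow": 0, "inspect": 1, "drop": 2}


def ips_verdict(policy: list, sig_actions: dict, flow: Flow, matched_sids: list) -> dict:
    """matched_sids simulates the signature IDs the engine reported for the flow;
    this model contains no detection logic of its own."""
    fw = firewall_action(policy, flow)
    if fw != "inspect":
        # allow and deny rules never send packets to IDS/IPS
        return {"firewall": fw, "inspected": False, "verdict": fw}
    if not matched_sids:
        return {"firewall": fw, "inspected": True, "verdict": "allow"}
    actions = [sig_actions.get(sid, DEFAULT_SIGNATURE_ACTION) for sid in matched_sids]
    # "inspect" as a verdict means the flow continues to its destination but stays under inspection
    return {"firewall": fw, "inspected": True, "verdict": max(actions, key=SIG_ACTION_RANK.__getitem__)}


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True if every flow that matches `narrow` also matches `broad`."""
    if (broad.src_zone, broad.dst_zone) != (narrow.src_zone, narrow.dst_zone):
        return False
    if broad.dst_port is not None and broad.dst_port != narrow.dst_port:
        return False
    return ipaddress.ip_network(narrow.dst_net).subnet_of(ipaddress.ip_network(broad.dst_net))


def lint_policy(policy: list) -> list:
    """Checks worth running before enabling IPS: is anything inspected at all, and is
    an inspect rule shadowed by an earlier allow/deny rule that already covers it?"""
    findings = []
    if not any(r.action == "inspect" for r in policy):
        findings.append("no inspect rules: IDS/IPS will see no traffic")
    for i, rule in enumerate(policy):
        if rule.action != "inspect":
            continue
        for j in range(i):
            if policy[j].action != "inspect" and _covers(policy[j], rule):
                findings.append(f"rule {i} (inspect) is shadowed by rule {j} ({policy[j].action})")
                break
    return findings


# Constructed sample policy and signature overrides (hypothetical zone names and SIDs).
POLICY = [
    Rule("lan", "wan", "inspect"),
    Rule("guest", "wan", "allow", dst_port=443),   # guest HTTPS bypasses inspection
    Rule("guest", "wan", "inspect"),
    Rule("lan", "dmz", "allow"),
    Rule("lan", "dmz", "inspect", dst_port=445),   # never reached: rule 3 matches first
]
SIG_ACTIONS = {"1000077": "allow"}                 # every other signature keeps the default drop

if __name__ == "__main__":
    for finding in lint_policy(POLICY):
        print("lint:", finding)
    print(ips_verdict(POLICY, SIG_ACTIONS, Flow("lan", "wan", "203.0.113.8", 445), ["1000001"]))
```

The lint output for the sample policy flags rule 4: the intent was to inspect SMB from the LAN to the DMZ, but the broader allow rule above it wins first, so that traffic is forwarded uninspected. Ordering and overlap checks of this kind are cheap to run against an exported policy before you switch an appliance to IPS-Performant and expect the Threats detected counter to move.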

For more information, see the following tabs in Orchestrator:

  • Templates (Security Policies): Configuration > Templates & Policies > Templates

  • Routing Segmentation: Configuration > Networking > Routing > Routing Segmentation (VRF)

Advanced Reporting and Analytics

If you use or are evaluating Splunk, you can install the Aruba EdgeConnect Security App for Splunk to enable advanced reporting and analytics on the IDS/IPS alarms forwarded from EdgeConnect appliances. Search Splunkbase for “EdgeConnect” to find the application.


Follow the instructions provided to install and configure the application.



© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.