Deploying Intrusion Prevention

Deploying Intrusion Prevention

An intrusion detection and prevention system detects and blocks known network attacks. It uses a set of signatures to detect network attacks from both external and internal sources.

Cisco SD-WAN security services utilize the Snort engine for Intrusion Detection and Prevention. Snort is an open-source network IPS performing real-time traffic analysis and alerting when it detects threats. Within the Cisco SD-WAN solution, the IPS is an on-box, on-prem feature used to protect network resources as required by regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS).

For Intrusion Prevention, a feature that uses the Security Virtual Image, platforms must meet the minimum requirements of 8 GB of RAM and 8 GB of flash memory. The number of CPU cores you can assign to the IPS services depends on the total number of cores available per device hosting the security applications. In addition to the hardware requirements, to enable the Snort IPS, make sure that the SD-WAN routers are running IOS XE 16.10 or higher and the recommended Unified Threat Defense (UTD) engine code. The SD-WAN controllers must also be running version 18.4 or higher.

To enable IPS, you should install the UTD engine image file into the vManage virtual image repository. To bring up the container with Snort enabled, download the image from vManage and install it in the Cisco SD-WAN Edge device. Deploy the Snort sensor within the router as a virtual container service that performs the traffic monitoring and logging.

Security App Hosting Profiles

UTD features use the Snort engine to process packets. You can use the Security App Hosting feature template to improve performance to allow UTD to use more resources.

You can use the Security App Hosting feature template to modify the resource profile as follows:

• Deploy more Snort instances: When UTD is enabled, the device sends each data packet to the service plane. UTD serially inspects each packet. A packet is returned to the data plane after inspection by UTD. UTD analyzes each packet. These operations add latency to the packet flow, reducing device throughput. More Snort instances can help reduce latency. UTD can process more packets at once with numerous Snort instances, reducing latency and increasing throughput. This feature eats up more resources.
• Download URL databases to the devices: This feature allows UTD's URL Filtering to use a downloaded URL database on the device. If the device downloads the database, UTD searches the device's database first. UTD connects to the Cloud if a URL is missing from the downloaded database. This Cloud result is cached locally for future URL requests. This feature requires 16 GB RAM and 16 GB bootflash. You can configure the UTD resource profiles using the Cisco vManage Templates configuration section. You add the Security App Hosting template and choose available features regarding your profile requirements.

IPS Signatures

The Intrusion Prevention service provides three different types of signature sets depending on the security requirements. You can configure these signature sets to prefer connectivity over security, security over connectivity, or a generic balanced signature type.

IPS signatures set types are:

• Connectivity: The Connectivity ruleset is the least restrictive and aims to provide better performance by enabling fewer rules. This set blocks vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10 for Common Vulnerabilities and Exposures (CVEs) published within the last two years.
• Balanced: The Balanced ruleset provides a balance between security without significant impact on the performance of the device. It blocks vulnerabilities with a CVSS score of 9 or higher for CVEs published within the last two years with specific rule categories.
• Security: The Security ruleset prefers security over connectivity and, although it provides more protection, it also imposes an impact on device performance. It blocks vulnerabilities with a CVSS score of 8 or higher for CVEs published within the last three years and expands on the enabled rule categories.

There are two options available if there is a failure of the inspection engine. The Fail-close option drops all the IPS or IDS traffic when there is an engine failure. The Fail-open option allows for the flow of traffic bypassing all security features even at the time of an engine failure. The default option is Fail-open. Enable Fail-close if security is the concern and choose the option Fail-open only if connectivity is the concern.