Configure Intrusion Prevention System (IPS) in CSO
Intrusion prevention system (IPS) signatures are used to monitor and prevent intrusions. IPS compares traffic against signatures of known threats and blocks traffic when a threat is detected.
CSO provides predefined IPS signatures, IPS signature static groups, and IPS signature dynamic groups that you can use in IPS or exempt rules in an IPS profile. However, you cannot modify the predefined signatures and groups. CSO also lets you add customized IPS signatures, static groups, and dynamic groups.
CSO also provides predefined IPS profiles that contain predefined IPS rules, both of which can’t be modified. You can add customized profiles and add IPS or exempt rules to the profiles. You enable intrusion detection by referencing an IPS profile in a firewall policy intent and deploying the firewall policy.
Explanation of Procedure
The high-level workflow to configure IPS is as follows:
Add IPS Profiles
Contrail Service Orchestration (CSO) contains predefined intrusion prevention system (IPS) profiles that you can use. You can also add customized IPS profiles from the Create IPS Profile page.
To add a customized IPS profile:
After you add an IPS profile, you can add one or more IPS or exempt rules to the profile, and then use the IPS profile in a firewall policy intent.
| Setting | Guideline |
|---|---|
| Name | Enter a unique name for the IPS profile that is a string of alphanumeric characters and some special characters (colon, hyphen, period, and underscore). No spaces are allowed and the maximum length is 255 characters. |
| Description | Enter a description for the IPS profile; the maximum length is 255 characters. |
Add IPS or Exempt Rules to IPS Profiles
An IPS rule is used to protect your network from attacks by using attack objects to detect known and unknown attacks, based on stateful signature and protocol anomalies. In contrast, an exempt rule works in conjunction with an IPS rule to prevent unnecessary alarms from being generated. If traffic matches an IPS rule, the system attempts to match the traffic against the exempt rules before performing the action specified.
You can add intrusion prevention system (IPS) rules or exempt rules only to customized IPS profiles.
To add an IPS rule or an exempt rule to a customized IPS profile:
After adding IPS and exempt rules, you can use the IPS profile in a firewall policy intent and deploy the firewall policy, which deploys the IPS and exempt rules associated with the IPS profile.
| Setting | Guideline |
|---|---|
| Name | CSO generates a unique IPS rule name by default. You can modify the name if needed. The name must begin with an alphanumeric character and can contain alphanumeric characters and some special characters (colons, hyphens, forward slashes, periods, and underscores); 63-character maximum. |
| Description | Enter a description for the IPS rule. |
| IPS Signatures | You can add one or more IPS signatures and IPS signature static and dynamic groups to be associated with the rule: |
| Actions | Select the action to be taken when the monitored traffic matches the attack objects specified in the rules: |
| Additional Actions | In addition to the IPS action, you can configure one or more additional actions. |
| Notifications | When attacks are detected, you can choose to log the attack, create log records with attack information, and send that information to the log server. To configure notifications: |
| IP Action | When attacks are detected, you can configure actions that you want IPS to take against future connections that use the same IP address. To configure IP actions: |
| Additional actions | When attacks are detected, you can configure additional actions that you want CSO to take. To configure additional actions: |
| Setting | Guideline |
|---|---|
| Attack Logging | Click the toggle button to enable an attack to be logged when it is detected. By default, attack logging is disabled. |
| Alert Flag | If you enabled attack logging, click the toggle button to enable an alert flag to be set in the attack log. This field is disabled by default. |
| Log Packets | Click the toggle button to enable the logging of packets when an attack is detected. When you enable this field, the Packets Before, Packets After, or Post Window Timeout fields appear and you must specify at least one field. By default, packets are not logged when an attack is detected. In response to a rule match, you can capture the packets received before and after the attack for further offline analysis of attacker behavior. You can configure the number of pre-attack and post-attack packets to be captured for this attack, and limit the duration of post-attack packet capture by specifying a timeout value. |
| Packets Before | Specify the number of packets received before an attack that should be captured for further analysis of the behavior of the attack. Range: 1 through 255. |
| Packets After | Specify the number of packets received after an attack that should be captured for further analysis of attacker behavior. Range: 1 through 255. |
| Post Window Timeout | Specify a time limit (in seconds) for capturing packets received after an attack. No packets are captured after the specified timeout has elapsed. Range: 1 through 1800. |
| Setting | Guideline |
|---|---|
| IP Action | Select the action to be taken on future connections that use the same IP address. Note: If there is an IP action match with more than one rule, the most severe IP action of all the matched rules is applied. In decreasing order of severity, the actions are block, close, and notify. |
| IP Target | Specify how the traffic should be matched for the configured IP actions: |
| Refresh Timeout | Click the toggle button to enable the refresh of the IP action timeout (that you specify in the Timeout Value field) if future traffic matches the IP actions configured. This setting is disabled by default. |
| Timeout Value | Configure the time (in seconds) that you want the IP action to remain in effect. For example, if you configure a timeout of 3600 seconds (1 hour) and traffic matches the IP actions configured, the IP action remains in effect for 1 hour. Range: 0 through 64,800 seconds. |
| Log Taken | Click the toggle button to enable the logging of information about the IP action against the traffic that matches a rule. This setting is disabled by default. |
| Log Creation | Click the toggle button to enable the generation of an event when the IP action filter is triggered. This setting is disabled by default. |
| Setting | Guideline |
|---|---|
| Severity | Select a severity level (None, Critical, Info, Major, Minor, Warning) to override the inherited attack severity in the rules. Critical is the most dangerous level: attacks at this level attempt to crash your server or gain control of your network. Info is the least dangerous level and is used by network administrators to discover holes in their security systems. |
| Terminal | Click the toggle button to enable the marking of the IPS rule as terminal. When a terminal rule is matched, the device stops matching for the rest of the rules in that IPS profile. This setting is disabled by default. |