CP Secure Threat Management - Enabling & Configuring IPS/IDS Functionality

Products Supported: AER16x0, AER2100, AER31x0, IBR9x0, IBR6x0C.

Firmware Version: 5.4.x

Firmware version 6.0 has been released and introduces a vastly improved GUI for all current Series 3 routers. Cradlepoint has created new Knowledge Base articles with updated screenshots and instructions for the new GUI layout. As a result, this article has received its final update; a separate version of this Knowledge Base article covers Firmware 6.0 and later.


Summary

This document explains how to enable CP Secure Threat Management as an IDS or an IPS, how to configure what the router does with traffic if the inspection engine fails, how to enable application ID logging, how to schedule threat-signature updates, and how to manually override (whitelist) individual signatures or categories.

This is an example of how to use Cradlepoint's "CP Secure Threat Management" feature to enable the Intrusion Detection Service (IDS) or Intrusion Prevention Service (IPS) functionality between a LAN and the router's WAN source(s).


Configuration

  • IMPORTANT: CP Secure Threat Management requires a feature license or NCM PRIME to use. Please contact your sales representative for pricing information.
  • Navigate to NETWORK SETTINGS > THREAT MANAGEMENT
    • Note: On the router, the THREAT MANAGEMENT menu option is visible before licensing, but the service will not function until the license has been installed. NCM hides the option entirely until IPS has been enabled on the account.

Default Settings

  • The Configuration section of Threat Management uses these default settings:

    • Operation Mode set to Detect and Prevent
    • Engine Failure/Error Action set to Allow Traffic
    • Application ID Logging set to Disabled
    • Signature Update Schedule for Non-Modem WANs set to Daily, 1 & 8:00am
    • Signature Update Schedule for Modem WANs set to Monthly, 1 & 8:00am

Operation Mode Options

  • Operation Mode can be changed from Disabled to Detect and Prevent (IPS functionality) or Detect Only (IDS functionality)

  • Detect and Prevent: IPS mode, the highest level of protection. When a packet matches an attack signature it is dropped, so it never reaches the protected network.

  • Detect Only: IDS mode (Intrusion Detection). Matching traffic is logged so administrators can monitor the network for potential attacks, but the packets are still forwarded. This mode gives visibility, not protection; it is the usual choice for an initial pilot, before switching to Detect and Prevent once false positives have been reviewed.

After enabling the service, the Signature Database Version (shown in the Status section) will change from No Rules Loaded to show the current signature version loaded.


Engine Failure/Error Action Options

  • The Engine Failure/Error Action can be changed from Allow Traffic to Deny Traffic, depending on how you intend for the router to behave if the Threat Management engine fails for some reason.

  • Allow Traffic (fail open): Traffic continues to flow as if Threat Management were disabled. Availability is preserved, but the network is unprotected until the engine recovers, and nothing in the data path signals that inspection has stopped, so pair this setting with monitoring of the router's status and logs.

  • Deny Traffic (fail closed): All traffic through the router is blocked until the administrator corrects whatever caused the engine failure. This keeps the network protected, at the cost of an outage while the engine is down.

Application ID Logging

  • If enabled, the Intrusion Prevention packet scanning engine can identify thousands of applications, and log the detected applications to the System Log.

  • IMPORTANT: Application ID logging can be very verbose and can generate a large number of System Log entries. Enable it for troubleshooting or for a bounded period rather than leaving it on permanently.


Signature Update Scheduling

  • These options set the schedule on which the router checks whether updated signatures are available and, if so, downloads and installs them.
  • To help minimize cellular modem data usage, it is possible to configure separate schedules for modem and non-modem WAN sources.


  • You can set the schedule for Never, Daily, Weekly, or Monthly depending on your needs.

  • NOTE: Non-Modem WANs refer to Ethernet and WiFi-as-WAN connections.

Signature Settings

The Signature Settings tab gives you granular control on behavior for categories or individual signatures as needed.

By default, every signature and every category follows the global Operation Mode. Here you can override a category or an individual signature to either of the other two modes: for example, set a signature that keeps producing false positives to Detect Only or Disabled while the global mode stays at Detect and Prevent, or keep a critical category at Detect and Prevent while the rest of the engine runs in Detect Only.


NCM Threat Management

NCM will display the information similar to the local router, and you can configure it at group or device level.


You can also set up alerts in NCM for intrusion activity. Each alert identifies the potential security threat that was detected and how it was handled; in the NCM alert view, for example, Denial of Service and Buffer Overflow hits are listed together with the action the engine took on each.

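As an added example (not Cradlepoint code and not taken from this article), the following Python script shows how the settings described above fit together when triaging IDS/IPS hits: it parses hit records, resolves which mode applies to each hit (the global Operation Mode, subject to per-category and per-signature overrides from Signature Settings), and reports what a Detect Only pilot would start dropping if the global mode were switched to Detect and Prevent. The page does not show the router's actual log or NCM alert format, so the key=value record format, the signature IDs and categories, and the override precedence (signature beats category beats global) are all assumptions made for illustration.

```python
"""Triage of IDS/IPS hits against the Threat Management policy.

Added example, not Cradlepoint code. The hit record format, the signature
IDs and the override precedence are ASSUMPTIONS made for illustration.
"""
import re
from collections import Counter

# Mode names as they appear on the router's Operation Mode drop-down.
DETECT_PREVENT = "Detect and Prevent"   # IPS: matching packets are dropped
DETECT_ONLY = "Detect Only"             # IDS: matching packets are logged
DISABLED = "Disabled"                   # signature/category not inspected
MODES = {DETECT_PREVENT, DETECT_ONLY, DISABLED}

# CONSTRUCTED sample hits in an assumed key=value format (not real router output).
SAMPLE_LOG = """\
2015-11-10T01:02:03 ips sid=100001 category="Denial of Service" src=203.0.113.7 dst=192.0.2.10
2015-11-10T01:02:04 ips sid=100001 category="Denial of Service" src=203.0.113.7 dst=192.0.2.10
2015-11-10T01:05:44 ips sid=100002 category="Buffer Overflow" src=198.51.100.23 dst=192.0.2.25
2015-11-10T01:09:10 ips sid=100003 category="Policy" src=192.0.2.40 dst=203.0.113.99
2015-11-10T01:12:00 ips sid=100003 category="Policy" src=192.0.2.41 dst=203.0.113.99
kernel: unrelated system log line that is not a hit
"""

HIT_RE = re.compile(
    r'^(?P<ts>\S+) ips sid=(?P<sid>\d+) category="(?P<category>[^"]+)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)$'
)


def parse_hit(line):
    """Return a dict for one hit record, or None for lines that are not hits."""
    m = HIT_RE.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    hit["sid"] = int(hit["sid"])
    return hit


def effective_mode(hit, global_mode, sig_overrides=None, cat_overrides=None):
    """Resolve the mode that applies to a hit.

    Every signature and category follows the global Operation Mode unless
    overridden in Signature Settings. The precedence used here (signature
    override beats category override beats global mode) is an assumption.
    """
    sig_overrides = sig_overrides or {}
    cat_overrides = cat_overrides or {}
    for mode in (sig_overrides.get(hit["sid"]),
                 cat_overrides.get(hit["category"]),
                 global_mode):
        if mode is not None:
            if mode not in MODES:
                raise ValueError(f"unknown mode {mode!r}")
            return mode


def action_for(mode):
    """What the engine does with a matching packet under each mode."""
    return {DETECT_PREVENT: "dropped",
            DETECT_ONLY: "logged only",
            DISABLED: "not inspected"}[mode]


def triage(log_text, global_mode, sig_overrides=None, cat_overrides=None):
    """Count hits by (category, action) under the current policy and list the
    signatures that would start dropping traffic if only the global mode were
    moved to Detect and Prevent (overrides left as they are)."""
    by_action = Counter()
    would_drop = Counter()
    parsed = 0
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit is None:
            continue
        parsed += 1
        now = effective_mode(hit, global_mode, sig_overrides, cat_overrides)
        by_action[(hit["category"], action_for(now))] += 1
        after = effective_mode(hit, DETECT_PREVENT, sig_overrides, cat_overrides)
        if now == DETECT_ONLY and after == DETECT_PREVENT:
            would_drop[hit["sid"]] += 1
    return {"parsed": parsed, "by_action": dict(by_action), "would_drop": dict(would_drop)}


if __name__ == "__main__":
    # IDS pilot: global Detect Only, with one noisy signature (assumed here to be
    # a false positive from an internal host) disabled via Signature Settings.
    # A disabled signature produces no new log entries; the sample hits for it
    # represent records collected before the override was applied.
    report = triage(SAMPLE_LOG, DETECT_ONLY, sig_overrides={100003: DISABLED})
    print(f"hits parsed: {report['parsed']}")
    for (category, action), n in sorted(report["by_action"].items()):
        print(f"  {category:<18} {action:<14} {n}")
    print("would be dropped after switching to Detect and Prevent:", report["would_drop"])
```

Run stand-alone, the script prints the per-category breakdown and the two signatures (100001 and 100002) whose traffic would begin to be dropped after the switch. The workflow it models is the one the Operation Mode and Signature Settings sections imply: pilot in Detect Only, review what fired, suppress false positives with per-signature overrides, then move the global mode to Detect and Prevent.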

Published Date: 11/10/2015

Does this article not have what you need? Did you not find what you were looking for? Think this article can be improved? Please let us know at suggestions@cradlepoint.com.

