NCOS: Threat Management - Enabling & Configuring IPS/IDS Functionality
Products Supported: AER16x0, AER21x0, AER31x0, IBR9x0, IBR6x0C.
NCOS Version: 6.0 or later.
This document explains how to enable CP Secure Threat Management to function as an IDS or IPS, how to configure the service's behavior when the engine fails, how to enable application ID logging, how to schedule threat signature updates, and how to manually whitelist signatures.
It is an example of using Cradlepoint's "CP Secure Threat Management" feature to enable Intrusion Detection Service (IDS) or Intrusion Prevention Service (IPS) functionality between a LAN and the router's WAN source(s).
- IMPORTANT: CP Secure Threat Management requires a feature license or NCM Prime to use. Please contact your sales representative for pricing information.
- Navigate to SECURITY > THREAT MANAGEMENT
- Note: The THREAT MANAGEMENT menu option will be visible, but the service will not function until after the license has been installed. NCM will hide the option until IPS has been enabled on the account.
- The Threat Management features Configuration section uses these default settings:
- Operation Mode set to Detect and Prevent.
- Engine Failure/Error Action set to Allow Traffic
- Application ID Logging set to Disabled
- Signature Update Schedule for Non-Modem WANs set to Daily, 1 & 8:00am
- Signature Update Schedule for Modem WANs set to Monthly, 1 & 8:00am
Operation Mode Options
- Operation Mode can be changed from Disabled to Detect and Prevent (IPS functionality) or Detect Only (IDS functionality).
- Detect and Prevent: The highest form of protection. When attacks are detected, the packets will be dropped, preventing them from accessing your network.
- Detect Only: Commonly referred to as IDS, or Intrusion Detection. Provides network administrators the ability to monitor the network traffic for potential attacks, but does not provide any protection.
After enabling the service, the Signature Database Version (shown in the Status section) will change from No Rules Loaded to show the current signature version loaded.
Engine Failure/Error Action Options
- The Engine Failure/Error Action can be changed from Allow Traffic to Deny Traffic, depending on how you intend for the router to behave if the Threat Management engine fails for some reason.
- Allow Traffic: Allows network traffic to flow normally, as if the Intrusion Prevention system has been disabled.
- Deny Traffic: Blocks all network traffic while the engine is down, so the network stays protected until the administrator can fix the issue that caused the engine failure.
Application ID Logging
- If enabled, the Intrusion Prevention packet scanning engine can identify thousands of applications, and log the detected applications to the System Log.
- IMPORTANT: Application ID logging can be very verbose and may produce a large number of log entries.
Signature Update Scheduling
- These options set the schedule on which the router checks whether updated signatures are available and, if so, downloads and installs them.
- To help minimize cellular modem data usage, it is possible to configure separate schedules for modem and non-modem WAN sources.
- You can set the schedule for Never, Daily, Weekly, or Monthly depending on your needs.
- NOTE: Non-Modem WANs refer to Ethernet and WiFi-as-WAN connections.
The Signature Settings tab gives you granular control on behavior for categories or individual signatures as needed.
By default, every signature and every category follows the global Operation Mode. Here you can instead assign either of the other two operation modes to a category or to an individual signature.
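The following is an added illustration, not Cradlepoint code, of how the settings in this article combine to decide what happens to a packet that matches a signature: the global Operation Mode, per-category and per-signature overrides from the Signature Settings tab (setting a signature to Disabled is the manual whitelist the article mentions), and the Engine Failure/Error Action. One assumption is made that the article does not state: a signature-level override takes precedence over a category-level override, which takes precedence over the global mode. The signature IDs and category names in the demo are constructed.

```python
"""Model of how NCOS Threat Management settings resolve to a packet disposition.

Added example, not Cradlepoint's own code. Precedence (signature override >
category override > global Operation Mode) is an assumption; the article only
says categories and individual signatures can be controlled granularly.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Tuple


class Mode(Enum):
    DISABLED = "Disabled"                      # no detection, no logging
    DETECT_ONLY = "Detect Only"                # IDS: log the match, never drop
    DETECT_AND_PREVENT = "Detect and Prevent"  # IPS: log the match and drop the packet


class FailureAction(Enum):
    ALLOW = "Allow Traffic"  # fail open: behave as if IPS were disabled
    DENY = "Deny Traffic"    # fail closed: block everything until fixed


@dataclass
class ThreatConfig:
    """Mirrors the Configuration and Signature Settings sections of the article."""
    operation_mode: Mode = Mode.DETECT_AND_PREVENT        # article default
    failure_action: FailureAction = FailureAction.ALLOW   # article default
    category_overrides: Dict[str, Mode] = field(default_factory=dict)
    signature_overrides: Dict[str, Mode] = field(default_factory=dict)

    def effective_mode(self, sig_id: str, category: str) -> Mode:
        """Most specific setting wins (assumed precedence, see module docstring)."""
        if sig_id in self.signature_overrides:
            return self.signature_overrides[sig_id]
        if category in self.category_overrides:
            return self.category_overrides[category]
        return self.operation_mode


def disposition(cfg: ThreatConfig, sig_id: str, category: str,
                engine_ok: bool = True) -> Tuple[str, bool]:
    """Return (action, logged) for a packet that matched signature sig_id.

    action is "allow" or "drop"; logged says whether a System Log entry
    for the match would be produced.
    """
    if not engine_ok:
        # Engine failure: nothing is scanned or logged; the failure action decides.
        action = "allow" if cfg.failure_action is FailureAction.ALLOW else "drop"
        return action, False
    mode = cfg.effective_mode(sig_id, category)
    if mode is Mode.DISABLED:
        return "allow", False
    if mode is Mode.DETECT_ONLY:
        return "allow", True
    return "drop", True


if __name__ == "__main__":
    # Constructed demo values; real signature IDs and category names come from
    # the router's Signature Settings tab.
    cfg = ThreatConfig(
        category_overrides={"web-app": Mode.DETECT_ONLY},   # IDS-only category
        signature_overrides={"sig-1001": Mode.DISABLED},    # manually whitelisted
    )
    for sid, cat, ok in [("sig-2002", "dos", True),
                         ("sig-3003", "web-app", True),
                         ("sig-1001", "web-app", True),
                         ("sig-2002", "dos", False)]:
        print(sid, cat, "engine_ok=%s" % ok, "->", disposition(cfg, sid, cat, ok))
```

The fail-open default (Allow Traffic) means an engine failure silently removes protection and produces no match logs, which is why the choice between Allow and Deny deserves a deliberate decision rather than the default.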
NCM Threat Management
NCM displays the same information as the local router, and you can configure Threat Management at the group or device level. You can also set up alerts in NCM for intrusion activity that identify the potential security threat. In the example below, you can see alerts for Denial of Service and Buffer Overflow threats, and how they were dealt with.
Published Date: 9/14/2015