NCOS: Threat Management - Enabling & Configuring IPS/IDS Functionality


Products Supported: AER16x0, AER21x0, AER2200, AER31x0, IBR9x0, IBR1700.

NCOS Version: 6.0 or later.

Summary

This document explains how to enable CP Secure Threat Management to function as an IDS or IPS, how to configure the service's behavior when the engine fails, how to enable application ID logging, how to schedule threat signature updates, and how to manually override (whitelist) individual signatures.

This is an example of how to use Cradlepoint's "CP Secure Threat Management" feature to enable the Intrusion Detection Service (IDS) or Intrusion Prevention Service (IPS) functionality between a LAN and the router's WAN source(s).


Configuration

  • IMPORTANT: CP Secure Threat Management requires a feature license or NCM Prime to use. Please contact your sales representative for pricing information.
  • Navigate to SECURITY > Threat Management > Signature Settings
    • Note: The Threat Management menu option will be visible, but the service will not function until after the license has been installed. NCM will hide the option until CP Secure Threat Management has been enabled on the account. To assign a license to a router, see this article: How To Enable CP Secure Threat Management

Default Settings


  • The Threat Management Configuration section uses these default settings:
    • Operation Mode set to Detect and Prevent.
    • Engine Failure/Error Action set to Allow Traffic
    • Application ID Logging set to Disabled



Global Default Mode Options

  • Global Default Mode can be changed from Disabled to Detect and Prevent (IPS functionality) or Detect Only (IDS functionality).


  • Detect and Prevent: The highest form of protection. When an attack is detected, the offending packets are dropped, preventing them from reaching your network.
  • Detect Only: Commonly referred to as IDS, or Intrusion Detection. Gives network administrators the ability to monitor network traffic for potential attacks, but does not block anything.

After enabling the service, the Signature Database Version (shown in SECURITY > Threat Management > Update Settings section) will change from No Rules Loaded to show the current signature version loaded.

For example:

[Screenshot: Update Settings showing the currently loaded Signature Database Version]


Engine Failure/Error Action Options

  • The Engine Failure/Error Action can be changed from Allow Traffic to Deny Traffic, depending on how you want the router to behave if the Threat Management engine fails for any reason.


  • Allow Traffic: Allows network traffic to flow normally, as if the Intrusion Prevention system had been disabled (fail-open).
  • Deny Traffic: Blocks all network traffic, maintaining protection until the administrator can fix the issue that caused the engine failure (fail-closed).

Application ID Logging

  • If enabled, the Intrusion Prevention packet scanning engine identifies thousands of applications and logs the detected applications to the System Log.


  • IMPORTANT: Application ID logging can be very verbose and may produce a large number of log entries.

Signature Update Scheduling

Shown in SECURITY > Threat Management > Update Settings.

  • These options set the schedule on which the router checks whether updated signatures are available and, if so, downloads and installs them.
  • To help minimize cellular modem data usage, separate schedules can be configured for modem and non-modem WAN sources.


  • You can set the schedule for Never, Daily, Weekly, or Monthly depending on your needs.
  • NOTE: Non-Modem WANs refer to Ethernet and WiFi-as-WAN connections.

Signature Settings

  • Security Categories or Signatures can be left at Global Default or overridden to the desired Mode. Categories and Signatures that are set to Global Default are indicated by (Global Default), and all changes to the Global Default Mode propagate to those Categories and Signatures.
    • Overrides are configured by selecting the Category or Signature and editing its Mode.
    • Categories or Signatures can be restored to the Global Default by selecting the Category or Signature and pressing Reset to Default.
    • Individual Signatures can be searched by Category, Description/Name, or Signature ID.


  • Anomaly Categories or Signatures can be left at Global Default or overridden to the desired Mode. Categories and Signatures that are set to Global Default are indicated by (Global Default), and all changes to the Global Default Mode propagate to those Categories and Signatures.
    • Anomaly Categories can also be configured to trigger at a desired Sensitivity Threshold. A Sensitivity Threshold applies to all Signatures within the Category and can be edited to the desired value.
    • The Sensitivity Threshold percentage refers to the number of Signature occurrences observed within a 5-second period.
    • The bounds are:
      • min: 1% or 10 Occurrences
      • max: 100% or 32k Occurrences
      • default: 6% or 2000 Occurrences
    • Overrides are configured by selecting the Category or Signature and editing its Mode.
    • Categories or Signatures can be restored to the Global Default by selecting the Category or Signature and pressing Reset to Default.
    • Individual Signatures can be searched by Category, Description/Name, or Signature ID.

To Configure Individual Signature Thresholds

  • set config/security/ips/anom_tholds/*signature* *value*
    • Available signature names:
      • flood
      • flood_ip
      • flood_tcp
      • flood_udp
      • flood_icmp
      • flood_igmp
      • flood_tcp_srcsyn
      • flood_tcp_dstsyn
      • ipsweep
      • portscan
      • portscan_syn
      • portscan_null
      • portscan_fin
      • portscan_xmas
      • portscan_unknown
      • portscan_udp
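As an added example (not Cradlepoint's code), the following Python helper builds the set lines above for several signatures at once, rejecting any name that is not in the list and any value outside the bounds documented in the Anomaly section. It assumes the CLI value is either an occurrence count or an "N%" sensitivity string, and reads "32k" as 32000; both are assumptions, not stated on this page.

```python
"""Build and validate NCOS CLI lines that set per-signature anomaly thresholds.

Added example, not Cradlepoint's code. Assumptions: the CLI value is either an
occurrence count (10..32000, "32k" read as 32000) or a percentage string
"N%" (1..100), matching the bounds documented in the article.
"""

# Signature names exactly as listed in the article.
ANOM_SIGNATURES = frozenset({
    "flood", "flood_ip", "flood_tcp", "flood_udp", "flood_icmp", "flood_igmp",
    "flood_tcp_srcsyn", "flood_tcp_dstsyn", "ipsweep", "portscan",
    "portscan_syn", "portscan_null", "portscan_fin", "portscan_xmas",
    "portscan_unknown", "portscan_udp",
})
MIN_OCC, MAX_OCC = 10, 32000      # article says "32k"; 32000 is an assumption
MIN_PCT, MAX_PCT = 1, 100
CLI_PATH = "config/security/ips/anom_tholds"


def validate_threshold(value):
    """Return the threshold as the string the CLI would receive, or raise."""
    if isinstance(value, str) and value.endswith("%"):
        pct = int(value[:-1])          # non-numeric text raises ValueError
        if not MIN_PCT <= pct <= MAX_PCT:
            raise ValueError(f"sensitivity {pct}% outside {MIN_PCT}-{MAX_PCT}%")
        return f"{pct}%"
    occ = int(value)
    if not MIN_OCC <= occ <= MAX_OCC:
        raise ValueError(f"{occ} occurrences outside {MIN_OCC}-{MAX_OCC}")
    return str(occ)


def anom_threshold_commands(thresholds):
    """Map {signature: value} to sorted 'set <path>/<sig> <value>' lines.

    All names are checked before any line is emitted, so a typo cannot leave
    the router with a half-applied set of thresholds.
    """
    unknown = sorted(set(thresholds) - ANOM_SIGNATURES)
    if unknown:
        raise ValueError(f"unknown anomaly signature(s): {unknown}")
    return [f"set {CLI_PATH}/{sig} {validate_threshold(val)}"
            for sig, val in sorted(thresholds.items())]


if __name__ == "__main__":
    # Constructed sample: tighten SYN-flood detection and keep SYN port scans
    # at the documented default sensitivity of 6% (2000 occurrences).
    for line in anom_threshold_commands({"flood_tcp_dstsyn": 500,
                                         "portscan_syn": "6%"}):
        print(line)
```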


NCM Threat Management

NCM displays information similar to the local router UI, and the feature can be configured at the group or device level. You can also set up alerts in NCM for intrusion activity, identifying which potential security threat was detected. In the example below, you can see alerts for Denial of Service and Buffer Overflow threats, and how they were handled.

[Screenshot: NCM alerts for Denial of Service and Buffer Overflow threats]

Published Date: 1/26/18
