Aruba Central Online Help

Overview of Aruba IDPS

The Intrusion Detection and Prevention System (IDPS) monitors, detects, and prevents threats in inbound and outbound traffic. The Intrusion Detection System (IDS) monitors the network for malicious activity or policy violations, generates threat events, and reports them to the management system deployed in the network. The Intrusion Prevention System (IPS) has all the capabilities of IDS and, in addition, prevents intrusions by dropping the malicious packets it identifies, logging the activity, and reporting it. As an administrator, you enable either IDS or IPS as the mode of inspection.

Aruba IDPS provides an extra layer of protection that actively analyzes the network and acts on traffic flows based on preconfigured rules. These actions include generating threat events and dropping packets. Aruba IDPS analyzes packets as they enter the network and acts on them in real time to prevent threats. All identified threats are logged for correlation analysis.

Why Aruba IDPS?

Today's network environments are much larger and more complex than in the past, and applications and connections are correspondingly more exposed. To address this, Aruba IDPS adds a layer of security that focuses on users, applications, and network connections, and integrates with your existing SD-WAN (Software-Defined Wide Area Network) solution. Aruba IDPS proactively prevents and protects the network from intrusions. It is a policy-driven intrusion prevention technology that operates without manual intervention, and it protects the network from attacks in real time without degrading network performance. A security dashboard gives Security Analysts what they need to manage an end-to-end zero trust, edge-to-cloud environment: network-wide visibility, multi-dimensional threat metrics, threat intelligence data, correlation, and incident management.

When IDPS is enabled, certain layer 3 high availability (L3HA) scenarios do not behave ideally. Review those scenarios before you choose L3HA with IDPS enabled.

Key Features and Benefits

The following are some of the key features and benefits of Aruba IDPS:

How does Aruba IDPS Work?

Aruba leverages an open source IDPS engine that is integrated as a Virtual Network Function (VNF) with the SD-Branch Gateway. This engine detects and prevents intrusions based on the rulesets in use and the IDPS policy configured by the user.

The following process describes the Aruba IDPS workflow to detect and prevent intrusions:

  • Download Threat Rulesets—Aruba IDPS downloads threat rulesets from the cloud repository.
  • Enable Aruba IDPS—Enable IDPS and configure an IDPS policy in Aruba Central.
  • Stream Realtime Events—Events are streamed in real time for the preset event categories.
  • Enrich Events—Aruba IDPS enriches events with host, application, and location details.
  • Send Alerts and Drop Packets—Aruba IDPS sends alerts and notifications in IDS mode; in IPS mode it also drops the malicious packets.
  • Monitor Threats—Monitor threats in the IDPS dashboard in Aruba Central and move threats that you want to permit to the Allow List.
  • Share Threat Data—The threat data recorded in Aruba Central is shared with a SIEM server, if one is configured.
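To make the IDS/IPS distinction and the workflow above concrete, the following Python model is an added illustration and is not Aruba's engine, ruleset, event schema, or dashboard code. It runs constructed packets through a toy signature matcher in IDS mode (alert and forward) and IPS mode (alert and drop), enriches each hit from an assumed host inventory, honours an analyst Allow List and a preset event-category filter, and emits SIEM-style JSON lines. The rule format, the host table, the field names, and all sample traffic are assumptions made for the example.

```python
# Toy model of the IDPS workflow: rule matching, event enrichment,
# IDS (alert only) vs IPS (alert and drop), an Allow List, a category
# filter for streamed events, and SIEM-style JSON output.
# Constructed illustration, not Aruba's engine or ruleset; rule format,
# host table, and field names are assumptions.
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """Minimal signature: optional destination port plus optional payload substring."""
    sid: int            # signature id (assumed numbering)
    category: str       # event category used by the streaming filter
    msg: str
    dst_port: Optional[int] = None
    content: Optional[bytes] = None

    def matches(self, pkt: Packet) -> bool:
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


# Constructed ruleset standing in for the rulesets downloaded from the cloud repository.
RULESET = [
    Rule(1000001, "web-attack", "Path traversal attempt", dst_port=80, content=b"../../etc/passwd"),
    Rule(1000002, "policy", "Cleartext Telnet session", dst_port=23),
    Rule(1000003, "malware", "Known C2 beacon marker", content=b"BEACON-7f3a"),
]

# Constructed host inventory used for enrichment (host, application, location).
HOST_DB = {
    "10.1.2.50": {"host": "lab-ws-07", "application": "workstation", "location": "branch-nyc"},
    "10.1.2.10": {"host": "web-01", "application": "nginx", "location": "branch-nyc"},
    "10.1.2.11": {"host": "legacy-sw-1", "application": "telnetd", "location": "branch-nyc"},
}
UNKNOWN_HOST = {"host": "unknown", "application": "unknown", "location": "unknown"}


class IDPS:
    """IDS mode alerts and forwards; IPS mode alerts and drops."""

    def __init__(self, mode, rules=RULESET, allow_list=(), categories=None):
        if mode not in ("IDS", "IPS"):
            raise ValueError("mode must be 'IDS' or 'IPS'")
        self.mode = mode
        self.rules = list(rules)
        self.allow_list = set(allow_list)   # signature ids the analyst moved to the Allow List
        self.categories = None if categories is None else set(categories)  # preset categories to stream
        self.events = []                    # enriched threat events
        self.siem_lines = []                # JSON lines that would be forwarded to a SIEM

    def _enrich(self, pkt, rule):
        return {"sid": rule.sid, "category": rule.category, "msg": rule.msg,
                "src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip, "dst_port": pkt.dst_port,
                "src": HOST_DB.get(pkt.src_ip, UNKNOWN_HOST),
                "dst": HOST_DB.get(pkt.dst_ip, UNKNOWN_HOST)}

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet, recording events as a side effect."""
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None or rule.sid in self.allow_list:
            return "forward"                # clean, or the analyst has allow-listed this signature
        action = "drop" if self.mode == "IPS" else "alert"
        event = self._enrich(pkt, rule)
        event["action"] = action
        # Stream only preset categories; unstreamed hits are still dropped in IPS mode.
        if self.categories is None or rule.category in self.categories:
            self.events.append(event)
            self.siem_lines.append(json.dumps(event, sort_keys=True))
        return "drop" if action == "drop" else "forward"


SAMPLE_TRAFFIC = [  # constructed packets: benign, traversal, telnet, beacon to an external host
    Packet("10.1.2.50", "10.1.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.1.2.50", "10.1.2.10", 80, b"GET /cgi/../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.1.2.50", "10.1.2.11", 23, b"\xff\xfd\x18"),
    Packet("10.1.2.50", "203.0.113.9", 443, b"BEACON-7f3a:lab-ws-07"),
]


def run(mode, allow_list=(), categories=None):
    """Run the sample traffic through the engine; return (verdicts, events, siem_lines)."""
    engine = IDPS(mode, allow_list=allow_list, categories=categories)
    verdicts = [engine.inspect(p) for p in SAMPLE_TRAFFIC]
    return verdicts, engine.events, engine.siem_lines


if __name__ == "__main__":
    for mode in ("IDS", "IPS"):
        verdicts, events, lines = run(mode)
        print(mode, verdicts)
        for line in lines:
            print("  SIEM:", line)
```

Running the same traffic in both modes shows the one behavioural difference between IDS and IPS: the events and SIEM lines are identical, but only IPS returns a drop verdict. Moving a signature id to the Allow List suppresses both the event and the drop, and the category filter controls only what is streamed, not what is blocked.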

Figure 1  Aruba IDPS Architecture Diagram