The Intrusion Detection and Prevention System (IDPS) monitors, detects, and prevents threats in inbound and outbound traffic. The Intrusion Detection System (IDS) monitors the network for malicious activity or policy violations, generates threat events, and reports them to the management system deployed in the network. The Intrusion Prevention System (IPS) has all the capabilities of IDS along with the ability to prevent intrusions by dropping malicious data packets. As an administrator, you enable either IDS or IPS as the mode of inspection.
Aruba IDPS provides an extra layer of protection that actively analyzes network traffic and takes action on traffic flows based on preconfigured rules. These actions include sending threat events and dropping data packets. Aruba IDPS analyzes data packets as they enter the network and acts quickly to prevent threats in real time. All identified threats are logged for correlation analysis.
Why Aruba IDPS?
In today's network environments, which are much larger and more complex than in the past, applications and connections are exposed to a wider range of attacks. To address these challenges, Aruba IDPS adds an extra layer of security that focuses on users, applications, and network connections, and integrates with your existing SD-WAN solution. Aruba IDPS proactively prevents and protects the network from intrusions. It is a policy-driven intrusion prevention technology that operates without manual intervention and protects the network from real-time attacks without degrading network performance. An advanced security dashboard gives Security Analysts what they need to manage an end-to-end zero trust, edge-to-cloud environment: network-wide visibility, multi-dimensional threat metrics, threat intelligence data, correlation, and incident management.
When IDPS is enabled, certain layer 3 high availability (L3HA) scenarios are not ideal. Review those limitations before you choose L3HA with IDPS enabled.
Key Features and Benefits
The following are some of the key features and benefits of Aruba IDPS:
- Full Packet Inspection—Aruba IDPS offers a signature and pattern-based inspection that inspects every data packet for intrusion.
- North-South and East-West inspection—Inspects traffic crossing the WAN (north-south) as well as traffic between hosts on the LAN (east-west).
- Multi-dimensional Threat Metrics—Allows you to identify and view threats from different dimensions such as different protocols, threat types, and so on.
- Allow listing—A list of threat signatures that are exempted from inspection, maintained network-wide or per device.
- Threat Intelligence—Threat events are tagged with Threat Intelligence categories that can be used in Security Information and Event Management (SIEM). These include Command and control, Ransomware, Phishing, Malware, Spyware, Cryptomining, and so on.
- Correlation and Incident Management—Monitors usage patterns, tracks events, and analyzes event logs and data for any relationship to prevent attacks.
- Simplified Configuration—A user-friendly and intuitive user interface that allows you to configure IDPS for your SD-WAN network with ease. Aruba offers three predefined threat profiles: Lenient, Moderate, and Strict.
- Licensing—The Foundation and Advanced SD-WAN licenses are packaged with a Security license that provides the IDPS feature.
How does Aruba IDPS Work?
Aruba leverages an open source IDPS engine, integrated as a Virtual Network Function (VNF) on the SD-Branch Gateway. The engine detects and prevents intrusions based on rules set by the user.
The following process describes the Aruba IDPS workflow to detect and prevent intrusions:
- Aruba IDPS downloads threat rulesets from the cloud repository.
- Enable IDPS and configure an IDPS policy in Aruba Central.
- Events are streamed in real time based on the preset event category.
- Aruba IDPS enriches events with host, application, and location details.
- Aruba IDPS sends alerts and notifications if IDS is selected, and blocks traffic if IPS is selected as the mode of inspection.
- Monitor threats and move them to the Allow List in the IDPS dashboard in Aruba Central.
- The threat data recorded in Aruba Central is shared with the SIEM server, if configured.
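The workflow above in miniature, as an added example that is not Aruba's code and not the engine the gateway runs: a small signature matcher that applies constructed rules to constructed packets, raises an event in IDS mode or drops the packet in IPS mode, skips signatures on a network-wide or device-level allow list, enriches each event with host, application and location details, and serialises the result as JSON lines for a SIEM. The rule format, the host/app/site lookup tables, the sample payloads and all names are assumptions made for the illustration.

```python
"""Illustrative IDS/IPS pipeline (example code, not the Aruba IDPS engine)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int                  # signature id, the key used for allow listing
    proto: str                # "tcp" or "udp"
    dst_port: Optional[int]   # None matches any destination port
    content: bytes            # byte pattern that must appear in the payload
    category: str             # threat intelligence category, e.g. "Malware"
    msg: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes
    device: str               # gateway that inspected the packet (constructed)


# Constructed ruleset, standing in for the rulesets downloaded from the cloud repository.
RULES: List[Rule] = [
    Rule(1000001, "tcp", 80, b"/gate.php?id=", "Command and control", "HTTP CnC check-in"),
    Rule(1000002, "tcp", None, b"MZ\x90\x00\x03", "Malware", "PE executable in stream"),
    Rule(1000003, "tcp", None, b"stratum+tcp://", "Cryptomining", "Stratum mining protocol"),
]

# Constructed enrichment context (assumption: stands in for the gateway's client,
# application and site tables).
HOSTS: Dict[str, str] = {"10.1.1.25": "eng-laptop-07", "10.1.1.40": "finance-pc-02"}
APPS: Dict[int, str] = {80: "http", 443: "https", 3333: "stratum"}
DEVICE_SITES: Dict[str, str] = {"gw-1": "Sunnyvale branch", "gw-2": "Austin branch"}


class AllowList:
    """Network-wide and device-level exemptions keyed by signature id."""

    def __init__(self) -> None:
        self.network: Set[int] = set()
        self.per_device: Dict[str, Set[int]] = {}

    def add(self, sid: int, device: Optional[str] = None) -> None:
        if device is None:
            self.network.add(sid)
        else:
            self.per_device.setdefault(device, set()).add(sid)

    def permits(self, sid: int, device: str) -> bool:
        return sid in self.network or sid in self.per_device.get(device, set())


def enrich(pkt: Packet, rule: Rule, action: str) -> dict:
    """Attach host, application and location details to a raw rule hit."""
    return {
        "sid": rule.sid, "msg": rule.msg, "category": rule.category, "action": action,
        "src": pkt.src, "src_host": HOSTS.get(pkt.src, "unknown"),
        "dst": pkt.dst, "dst_host": HOSTS.get(pkt.dst, "unknown"),
        "app": APPS.get(pkt.dst_port, f"{pkt.proto}/{pkt.dst_port}"),
        "device": pkt.device, "location": DEVICE_SITES.get(pkt.device, "unknown"),
    }


def inspect(pkt: Packet, mode: str, allow: AllowList,
            rules: List[Rule] = RULES) -> Tuple[str, List[dict]]:
    """Inspect one packet; returns ("forward" | "drop", enriched events).
    IDS mode only raises events, IPS mode also drops the packet on a hit.
    An allow-listed signature produces neither an event nor a drop."""
    if mode not in ("IDS", "IPS"):
        raise ValueError("mode must be IDS or IPS")
    events: List[dict] = []
    verdict = "forward"
    for rule in rules:
        if rule.proto != pkt.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        if rule.content not in pkt.payload:
            continue
        if allow.permits(rule.sid, pkt.device):
            continue
        events.append(enrich(pkt, rule, "blocked" if mode == "IPS" else "alerted"))
        if mode == "IPS":
            verdict = "drop"
    return verdict, events


def to_siem(events: List[dict]) -> List[str]:
    """Serialise enriched events as JSON lines for a SIEM forwarder."""
    return [json.dumps(e, sort_keys=True) for e in events]


# Constructed traffic: a CnC check-in, a mining connection, and an ordinary TLS hello.
CNC = Packet("10.1.1.25", "203.0.113.7", "tcp", 80, b"GET /gate.php?id=42 HTTP/1.1\r\n", "gw-1")
MINER = Packet("10.1.1.40", "198.51.100.9", "tcp", 3333, b'{"url":"stratum+tcp://pool:3333"}', "gw-2")
CLEAN = Packet("10.1.1.25", "198.51.100.20", "tcp", 443, b"\x16\x03\x01\x00\xa5", "gw-1")

if __name__ == "__main__":
    allow = AllowList()
    for mode in ("IDS", "IPS"):
        for pkt in (CNC, MINER, CLEAN):
            verdict, events = inspect(pkt, mode, allow)
            print(mode, pkt.dst, verdict, [e["category"] for e in events])
    for line in to_siem(inspect(CNC, "IPS", allow)[1]):
        print(line)
```

Running the block prints the same two malicious packets forwarded with an alert in IDS mode and dropped in IPS mode, the clean packet forwarded in both, and one enriched JSON event per hit. The design point worth noticing is that an allow-list entry suppresses the event as well as the drop, so a signature exempted network-wide disappears from the dashboard entirely, while a device-level entry only silences it on that gateway.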
Figure 1 Aruba IDPS Architecture Diagram