This is an example of how to use CradlePoint’s “CP Secure Threat Management” feature to enable the Intrusion Detection Service (IDS) or Intrusion Prevention Service (IPS) functionality between a LAN and the router’s WAN source(s).
This document explains how to enable CP Secure Threat Management as an IDS or IPS, how to configure the service’s behaviour on engine failure, Application ID logging, and signature updates, and how to manually whitelist signatures.
- IMPORTANT: CP Secure Threat Management requires a feature license to use. Please contact your sales representative for pricing information.
- Navigate to NETWORK SETTINGS > FIREWALL > THREAT MANAGEMENT
- Note: The “THREAT MANAGEMENT” menu option will be visible, but the service will not function until after the license has been installed. ECM will hide the option until IPS has been enabled on the account.
- The Threat Management feature’s “Configuration” section uses these default settings:
- “Operation Mode” set to “Disabled”
- “Engine Failure/Error Action” set to “Allow Traffic”
- “Application ID Logging” set to “Disabled”
- “Signature Update Schedule for Non-Modem WANs” set to “Daily” & “8:00am”
- “Signature Update Schedule for Modem WANs” set to “Monthly”, “1”, & “8:00am”
- The Threat Management feature’s “Whitelisted Signatures” section is empty by default.
Operation Mode Options
- The “Operation Mode” can be changed from “Disabled” to “Detect and Prevent” (IPS functionality) or “Detect Only” (IDS functionality).
- “Detect and Prevent”: The highest form of protection. When attacks are detected, the packets will be dropped, preventing them from accessing your network.
- “Detect Only”: Commonly referred to as IDS, or Intrusion Detection. Provides network administrators the ability to monitor the network traffic for potential attacks, but does not provide any protection.
After enabling the service, the “Signature Database Version” (shown in the “Status” section) will change from “No Rules Loaded” to show the current signature version loaded.
Engine Failure/Error Action Options
- The “Engine Failure/Error Action” can be changed from “Allow Traffic” to “Deny Traffic”, depending on how you intend for the router to behave if the Threat Management engine fails for some reason.
- “Allow Traffic”: Allows network traffic to flow normally, as if the Intrusion Prevention system has been disabled.
- “Deny Traffic”: Blocks all network traffic, so the network stays protected until the administrator can fix the issue that caused the engine failure.
Application ID Logging
- If enabled, the Intrusion Prevention packet scanning engine can identify thousands of applications and log the detected applications to the System Log.
- IMPORTANT: Application ID logging can be very verbose and could cause a lot of log entries to be produced.
Signature Update Scheduling
- These options set the schedule on which the router checks whether updated signatures are available and, if so, downloads and installs them.
- To help minimize cellular modem data usage, it is possible to configure separate schedules for modem and non-modem WAN sources.
- You can set the schedule to Never, Daily, Weekly, or Monthly depending on your needs.
- NOTE: “Non-Modem” WANs refer to Ethernet and WiFi-as-WAN connections.
Whitelisting Signatures
- Whitelisting a signature allows an administrator to suppress a signature that is causing false-positive alerts on traffic that is actually valid.
- To add a signature to the whitelist, click the “Add” button. In the “Whitelisted Signature ID” screen, enter the signature ID to be whitelisted and click “Submit”.
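To make the interaction of the settings above concrete, here is an added Python model (not CradlePoint’s own code) of how a flow is dispositioned under a given Operation Mode, Engine Failure/Error Action, and whitelist. The signature IDs are constructed placeholders, and the fail-open/fail-closed and whitelist behaviour is an assumption taken from the descriptions in this article:

```python
from dataclasses import dataclass
from enum import Enum


class OperationMode(Enum):
    DISABLED = "Disabled"
    DETECT_ONLY = "Detect Only"                # IDS: alert, never drop
    DETECT_AND_PREVENT = "Detect and Prevent"  # IPS: alert and drop


class FailureAction(Enum):
    ALLOW_TRAFFIC = "Allow Traffic"  # fail-open: traffic flows unscanned
    DENY_TRAFFIC = "Deny Traffic"    # fail-closed: nothing flows until fixed


@dataclass(frozen=True)
class ThreatManagementConfig:
    # Defaults mirror the article's default settings.
    mode: OperationMode = OperationMode.DISABLED
    failure_action: FailureAction = FailureAction.ALLOW_TRAFFIC
    whitelisted_signatures: frozenset = frozenset()


@dataclass(frozen=True)
class Verdict:
    action: str          # "allow" or "drop"
    alerts: tuple        # signature IDs that would be reported
    scanned: bool        # False when traffic passed without inspection


def evaluate(cfg, matched_signatures, engine_healthy=True):
    """Disposition of one flow given the signature IDs it matched (assumed model)."""
    if cfg.mode is OperationMode.DISABLED:
        return Verdict("allow", (), scanned=False)
    if not engine_healthy:
        # Engine Failure/Error Action decides; nothing is scanned or alerted.
        if cfg.failure_action is FailureAction.ALLOW_TRAFFIC:
            return Verdict("allow", (), scanned=False)
        return Verdict("drop", (), scanned=False)
    # Whitelisted signatures are treated as benign: no alert and no drop.
    alerts = tuple(s for s in matched_signatures if s not in cfg.whitelisted_signatures)
    if alerts and cfg.mode is OperationMode.DETECT_AND_PREVENT:
        return Verdict("drop", alerts, scanned=True)
    return Verdict("allow", alerts, scanned=True)


if __name__ == "__main__":
    ips = ThreatManagementConfig(mode=OperationMode.DETECT_AND_PREVENT,
                                 whitelisted_signatures=frozenset({1002}))
    print(evaluate(ips, [1001, 1002]))              # drop, alert only on 1001
    print(evaluate(ips, [1001], engine_healthy=False))  # allow, unscanned (fail-open)
```

Note that with the default “Allow Traffic” failure action, an engine failure silently passes traffic with no alerts, which is why the `scanned` flag is worth monitoring separately from the action.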
ECM Threat Management
ECM displays the same information as the local router, and you can configure the feature at the group or device level.
You can also set up alerts in ECM for intrusion activity, showing which potential security threat was identified. In the example below, you can see alerts for Denial of Service and Buffer Overflow threats, and how they were dealt with.