Introduction to Intrusion detection & prevention
Intrusion detection and prevention (IDS/IPS) is a key element of branch security and a component of Cisco SD-WAN security. An IDS/IPS inspects traffic in real time to detect and prevent cyberattacks by comparing observed application behavior against a database of known threat signatures. Once an attack is detected, the IDS/IPS can notify the network operator through syslog events and dashboard alerts, and can also stop the attack by blocking the offending traffic flow.
IDS/IPS is enabled through the use of IOS-XE application service container technology. Two VM types are available:
- Kernel Virtual Machines (KVM)
- Linux Virtual Containers (LxC)
These two container types differ in how they use the Linux kernel that underlies most network operating systems, including IOS XE: LxC containers share many of the kernel resources of the host, while KVM containers run their own independent kernel.
A signature set is a set of rules used to detect typical intrusive activity, such as DoS attacks. Three signature levels are available within vManage:
- Balanced: This is the default signature set. The Balanced signature set is designed to provide protection without a significant effect on system performance.
Table for Balanced Signature Set
- Connectivity: This signature set contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10. The Connectivity signature set is less restrictive, with better performance, as there are fewer rules attached to this signature level.
- Security: This signature set contains rules that are from the current year and the previous three years. With more added rules, this signature level offers more protection, but overall performance of your WAN Edge device may be lower.
Table for Security Signature Set
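The following added example (not part of the original page or of Cisco's implementation) illustrates the two ideas above in a toy engine: how a signature level selects a subset of rules, and how the same rule set behaves in detect-only (IDS) versus blocking (IPS) mode, emitting a syslog-style event on each hit. The Connectivity and Security selection follows the page's description (year window, and CVSS 10 only for Connectivity); since the page gives no criteria for the Balanced set, membership in it is modelled as an `in_balanced` flag on each rule, which is an assumption. All rules, flows, ports and the current year are constructed for the example.

```python
"""Toy signature-based IDS/IPS: rule selection by signature level and
inspection of sample flows in detect-only (IDS) or blocking (IPS) mode.
Rules, flows and CURRENT_YEAR are all constructed for this example."""
from dataclasses import dataclass
import re

CURRENT_YEAR = 2024  # constructed; a real engine would read the clock


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    year: int          # year the rule was published
    cvss: float        # CVSS score of the vulnerability the rule covers
    pattern: str       # regex matched against the flow payload
    in_balanced: bool  # assumption: the page gives no criteria for Balanced,
                       # so membership in the default set is a plain flag


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def select_rules(rules, level, current_year=CURRENT_YEAR):
    """Return the subset of rules that belong to a signature level."""
    if level == "balanced":
        return [r for r in rules if r.in_balanced]
    if level == "connectivity":   # current year + previous two, CVSS 10 only
        return [r for r in rules
                if current_year - 2 <= r.year <= current_year and r.cvss == 10.0]
    if level == "security":       # current year + previous three, any CVSS
        return [r for r in rules if current_year - 3 <= r.year <= current_year]
    raise ValueError(f"unknown signature level: {level}")


def inspect(flows, rules, mode="ids"):
    """Match each flow against the rules; return (events, forwarded, blocked).

    In 'ids' mode a hit only produces a syslog-style event and the flow is
    still forwarded; in 'ips' mode the matching flow is dropped as well."""
    compiled = [(r, re.compile(r.pattern)) for r in rules]
    events, forwarded, blocked = [], [], []
    for f in flows:
        text = f.payload.decode("latin-1")   # byte-preserving decode
        hit = next((r for r, rx in compiled if rx.search(text)), None)
        if hit is None:
            forwarded.append(f)
            continue
        action = "block" if mode == "ips" else "alert"
        # <134> = facility local0, severity informational (RFC 5424 PRI)
        events.append(f'<134>ips: sid={hit.sid} msg="{hit.msg}" action={action} '
                      f'src={f.src} dst={f.dst}:{f.dport}')
        (blocked if mode == "ips" else forwarded).append(f)
    return events, forwarded, blocked


# Constructed rule set spanning several publication years and CVSS scores.
RULES = [
    Signature(1001, "HTTP directory traversal", 2024, 10.0, r"/\.\./\.\./", True),
    Signature(1002, "SQL UNION injection attempt", 2022, 10.0, r"(?i)union\s+select", True),
    Signature(1003, "Constructed test header", 2021, 7.5, r"X-Constructed-Test: trigger", False),
    Signature(1004, "Constructed old rule", 2019, 10.0, r"CONSTRUCTED-OLD-RULE", False),
]

# Constructed sample flows: one clean, three that each trip a different rule.
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.6", "192.0.2.10", 80, b"GET /static/../../config HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.7", "192.0.2.10", 80, b"POST /search HTTP/1.1\r\n\r\nq=1 UNION SELECT name FROM t"),
    Flow("10.0.0.8", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nX-Constructed-Test: trigger\r\n\r\n"),
]

if __name__ == "__main__":
    for level in ("balanced", "connectivity", "security"):
        print(level, [r.sid for r in select_rules(RULES, level)])
    events, fwd, blk = inspect(FLOWS, select_rules(RULES, "connectivity"), mode="ips")
    print("\n".join(events))
    print(f"forwarded={len(fwd)} blocked={len(blk)}")
```

Run as a script, the output shows the Security level carrying one more rule than Connectivity (the 2021 CVSS 7.5 rule), which is the performance-versus-coverage trade-off the text describes, and the same flows being merely reported in IDS mode but dropped in IPS mode.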