Intrusion Prevention Policy
An IPS (Intrusion Prevention System) policy in Cisco SD-WAN helps detect and prevent security threats by inspecting network traffic and blocking malicious activities.
A policy is defined by providing the settings that dictate the operational mode of the Snort engine and actions invoked by the matching of specific signatures (Snort rules).
Diagram
Classes
definitions (sdwan.security_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
intrusion_prevention | List | [intrusion_prevention] | No |
intrusion_prevention (sdwan.security_policies.definitions)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9\-_]{1,32}$ | No | |
description | String | Yes | ||
mode | Choice | security | Yes | |
inspection_mode | Choice | protection , detection | Yes | |
log_level | Choice | emergency , alert , critical , error , warning , notice , informational , debug | Yes | |
signature_set | Choice | balanced , connectivity , security | Yes | |
target_vpns | List | Integer[min: 0 , max: 65530 ] | Yes |
Examples
Example-1:Enforcing Compliance for Regulatory Requirements
The organization needs to enforce regulatory compliance by restricting non-compliant applications from internet-bound traffic. This policy aims to ensure that only approved and compliant applications are allowed to access the internet, preventing any unauthorized or non-compliant applications from being used. It also ensures that security events related to these activities are logged for future audits and compliance checks, helping the organization maintain transparency and control over its internet traffic.
The YAML configuration defines a feature policy named Regulatory_Compliance, which enforces compliance for internet-bound traffic by restricting access to certain applications. The application list Restrict_Non_Compliant_Apps specifies the approved applications, such as various Amazon services (e.g., Amazon Web Services, EC2, S3, CloudFront), and blocks non-compliant applications from accessing the internet. This policy is linked with an intrusion prevention policy named Compliance_IPS_Policy, which prevents any non-compliant traffic from passing through the network. The firewall settings ensure that an audit trail is maintained for all events, with high-speed logging configured to send logs to an external server at 192.168.5.100 on port 514, enabling efficient log collection. Additionally, the IPS settings forward logs to another external syslog server located at 192.168.5.101.
The intrusion prevention policy (Compliance_IPS_Policy) operates in protection mode with a log level of alert, ensuring that any attempts to bypass the compliance rules are detected and logged. The policy is applied to VPN ID 400, which represents the zone for internet-bound traffic. This configuration ensures that only compliant applications can access the internet, and any attempts to violate this policy are blocked and logged for audit and security purposes.
sdwan: security_policies: definitions: intrusion_prevention: - name: Compliance_IPS_Policy description: IPS policy to prevent non-compliant traffic mode: security inspection_mode: protection log_level: alert signature_set: security target_vpns: - 400
The security policy YAML mentioned above will only be effective if the following policy objects abd security policy is created.
sdwan: policy_objects: application_lists: - name: Restrict_Non_Compliant_Apps applications: - amazon - amazon-web-services - amazon-instant-video - amazon-cloudfront - amazon-ec2 - amazon-s3 security_policies: definitions: feature_policies: - name: Regulatory_Compliance description: Policy to enforce compliance for internet-bound traffic use_case: compliance intrusion_prevention_policy: Compliance_IPS_Policy firewall_policies: - Restrict_Non_Compliant_Apps additional_settings: firewall: audit_trail: true high_speed_logging: vpn_id: 400 server_ip: "192.168.5.100" server_port: 514 ips_url_amp: external_syslog_server: vpn_id: 400 server_ip: "192.168.5.101"
Example-2: IPS policy for branch office security
The organization needs to provide secure direct internet access for its branch offices while maintaining a robust security posture. This use case ensures that branch offices can securely access the internet without passing through the corporate network, while also preventing potential threats and unauthorized access through an intrusion prevention policy (IPS). This setup is critical for ensuring both seamless internet access and the protection of branch offices from cyber threats.
The YAML configuration defines a feature policy named Secure_Internet_Access, which enables secure direct internet access for branch offices. The policy is designed to secure internet-bound traffic by leveraging an intrusion prevention policy (Branch_IPS_Policy) to inspect and protect the traffic. The Secure_Internet_Access policy is configured with the use case custom, allowing the branch offices to securely access the internet without routing through the corporate network. The policy also includes settings for forwarding IPS logs to an external syslog server at 192.168.3.100 (VPN ID 200), ensuring real-time monitoring and audit of network traffic. The failure mode is set to close, meaning if the syslog server is unavailable, traffic will be blocked, preventing any unlogged events from occurring.
The intrusion prevention policy (Branch_IPS_Policy) operates in security mode, with protection inspection mode enabled to actively block malicious traffic while maintaining alerts on detected threats. The policy applies to VPNs 100 and 200, covering the relevant branch office networks and ensuring that only secure traffic passes through. The IPS system uses a balanced signature set to provide optimal security without compromising performance, making sure the branch offices have secure internet access while preventing cyber threats.
sdwan: security_policies: definitions: intrusion_prevention: - name: Branch_IPS_Policy description: IPS policy for branch office security mode: security inspection_mode: protection log_level: alert signature_set: balanced target_vpns: - 100 - 200
The security policy YAML mentioned above will only be effective if the following policy objects abd security policy is created.
sdwan: security_policies: definitions: feature_policies: - name: Secure_Internet_Access description: Policy to enable secure internet access for branch offices use_case: custom intrusion_prevention_policy: Branch_IPS_Policy additional_settings: ips_url_amp: external_syslog_server: vpn_id: 200 server_ip: "192.168.3.100" failure_mode: close