Intrusion Protection & Detection

Overview


The Intrusion Detection and Protection (IDPS) application is part of the Crystal Eye XDR security framework and extends it with network threat detection and prevention. The IDPS component of the CE XDR monitors network traffic and raises detections based on the backend-supplied IDPS rules and on locally defined rules.

CE XDR’s IDPS can operate in Network Security Monitoring (NSM) mode, Inline mode and Detection & Protection mode. The application lets users create IDPS profiles and assign each one to a segmented interface (security zone) of the CE XDR network. The IDPS policies attached to a profile are predominantly a collection of rulesets, each built on a base ruleset.

Integration of Multi-tenancy with IDPS Profiles, Rulesets, base rulesets and other parameters of CE XDR’s IDPS application:

The IDPS application is designed to support multi-tenancy. Through the application GUI, CE administrators create multiple IDPS profiles and assign them to default or custom security zones. They can also create multiple rulesets, each with its own base ruleset, and assign those rulesets to the IDPS profiles. Because each zone can carry its own profile and ruleset, tenants placed on separate zones receive independent IDPS policies.

Navigation to Intrusion Detection and Protection application


Left-hand navigation Panel > Security Configuration > Intrusion Detection and Protection application

crystal-eye-xdr-navigation-to-idps-app

Understanding IDPS Configuration Hierarchy


The IDPS application GUI supports multiple configurations for the various IDPS deployments across the CE XDR network. The configuration elements and parameters are spread over the components of the configuration hierarchy: IDPS profiles, rulesets, base rulesets, the local rules development component, and so on.

The IDPS Configuration Hierarchy can be best understood with the following flowchart:

Understanding-IDPS-Configuration-Hierarchy

IDPS Profiles


Crystal Eye XDR’s IDPS profiles let CE administrators apply attack detection and prevention techniques to selected security zones and to the traffic that crosses them.

Integration of multi-tenancy with IDPS profiles: Multiple IDPS profiles can be created and made operational at the same time, each aligned to different security zones (custom or default) and carrying its own IDPS policy. This per-zone assignment is what gives the IDPS application its multi-tenant behaviour.

An IDPS profile also defines other parameters: the IDPS mode (Detection & Protection, Inline or NSM) and the ruleset assigned to the profile. It also selects which IDPS event categories are logged, which limits logging to the categories of interest, reduces noise in the alert reports and lets administrators fine-tune the IDPS feature of the CE XDR.

Default IDPS profile: The IDPS application ships with a default IDPS profile that is built into the core system. Its default configuration can be fine-tuned or changed if the need arises. Out of the box, this profile uses the default ruleset, whose base ruleset is ‘balanced’; logs the event categories anomaly, http, dns, tls, files, smtp, drop, krb5, sip, dhcp and ssh; runs in Detection & Protection mode; and applies its IDPS policies to all default security zones (LAN, WAN, HOTLAN and DMZ). The following screenshot shows the default configuration of the default IDPS profile.

crystal-eye-xdr-default-idps-profile

How to create a custom IDPS profile?

Step 1: In the IDPS application page, click the Add New Profile button.

crystal-eye-xdr-create-custom-idps-profile1

Step 2: The Add Profile pop-up opens. Enter the Name and Description of the profile.

crystal-eye-xdr-create-custom-idps-profile2

Step 3: Select the IDPS rule mode (Detection & Protection, Inline or NSM).

crystal-eye-xdr-create-custom-idps-profile3

Step 4: In the IDPS Rules section, select the desired Reference Ruleset.

crystal-eye-xdr-create-custom-idps-profile4

Note: Custom rulesets can be created; once created they appear in the ruleset list under the IDPS Rules tab. See the section on creating custom rulesets for the procedure.

Step 5: Select the Events that need to be logged and shown in the IDPS alerts report and in the live IDPS alerts on the security dashboard. These events are pre-defined and are selected from the Log Events dropdown.

crystal-eye-xdr-create-custom-idps-profile5

Note: You may select multiple events for logging as required.

Step 6: Select the Security Zones to which the IDPS profile and its policies apply, then click the Add button.

crystal-eye-xdr-create-custom-idps-profile6

Note: You may select multiple zones as required.
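The following is an added illustration, not Crystal Eye code, of what the profile settings above (mode, ruleset, Log Events, Security Zones) decide once traffic arrives: which zone's profile handles an event, and whether that profile logs the event category at all. It models the default profile exactly as the page describes it, plus a hypothetical second tenant on a custom zone. The EVE-style JSON lines, the interface-to-zone table and the tenant profile are constructed for the example; the event category names are the ones the page lists.

```python
"""Per-zone IDPS profile lookup and Log Events filtering (illustrative model).

Assumptions, not taken from the page:
- each event is one JSON line carrying an event_type (the category names the
  page lists) and an in_iface naming the capture interface;
- IFACE_TO_ZONE maps interfaces to security zones (constructed here);
- TENANT_B_PROFILE and its custom zone are hypothetical.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Event categories the page lists for the default profile.
DEFAULT_LOG_EVENTS = frozenset({"anomaly", "http", "dns", "tls", "files", "smtp",
                                "drop", "krb5", "sip", "dhcp", "ssh"})


@dataclass(frozen=True)
class IdpsProfile:
    name: str
    mode: str               # "Detection & Protection", "Inline" or "NSM"
    ruleset: str            # reference ruleset name
    log_events: frozenset   # Log Events selected for this profile
    zones: frozenset        # Security Zones the profile is assigned to


# The default profile as described on the page (default ruleset, base 'balanced').
DEFAULT_PROFILE = IdpsProfile("default", "Detection & Protection", "default",
                              DEFAULT_LOG_EVENTS,
                              frozenset({"LAN", "WAN", "HOTLAN", "DMZ"}))

# Hypothetical second tenant: custom zone, NSM mode, narrower logging.
TENANT_B_PROFILE = IdpsProfile("tenant-b", "NSM", "tenant-b-ruleset",
                               frozenset({"anomaly", "drop", "ssh"}),
                               frozenset({"TENANT_B"}))

# Constructed interface -> zone table (assumption; the appliance derives
# this from its own zone configuration).
IFACE_TO_ZONE = {"eth0": "WAN", "eth1": "LAN", "eth2": "DMZ",
                 "eth3": "HOTLAN", "eth4": "TENANT_B"}


def zone_profile_index(profiles):
    """Map each zone to the single profile assigned to it.

    Rejects a zone assigned to two profiles, since that would make the
    effective policy for that zone ambiguous.
    """
    index = {}
    for profile in profiles:
        for zone in profile.zones:
            if zone in index:
                raise ValueError(f"zone {zone!r} is assigned to both "
                                 f"{index[zone].name!r} and {profile.name!r}")
            index[zone] = profile
    return index


def filter_events(eve_lines, profiles, iface_to_zone=IFACE_TO_ZONE):
    """Apply profile selection and Log Events filtering to JSON event lines.

    Returns (kept, skipped): kept events annotated with zone, profile and
    mode; skipped is a Counter of why events were not logged.
    """
    index = zone_profile_index(profiles)
    kept, skipped = [], Counter()
    for line in eve_lines:
        event = json.loads(line)
        zone = iface_to_zone.get(event.get("in_iface"))
        profile = index.get(zone)
        if profile is None:
            skipped["interface not in a profiled zone"] += 1
            continue
        if event.get("event_type") not in profile.log_events:
            skipped["event type not logged by profile"] += 1
            continue
        kept.append({**event, "zone": zone, "profile": profile.name,
                     "mode": profile.mode})
    return kept, skipped


# Constructed EVE-style lines (not captured from a real device).
SAMPLE_EVE = [
    '{"in_iface":"eth1","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53"}',
    '{"in_iface":"eth0","event_type":"flow","src_ip":"203.0.113.7","dest_ip":"10.0.0.5"}',
    '{"in_iface":"eth4","event_type":"http","src_ip":"10.1.0.9","dest_ip":"198.51.100.2"}',
    '{"in_iface":"eth4","event_type":"ssh","src_ip":"10.1.0.9","dest_ip":"198.51.100.22"}',
    '{"in_iface":"eth9","event_type":"drop","src_ip":"192.0.2.1","dest_ip":"10.0.0.5"}',
    '{"in_iface":"eth2","event_type":"drop","src_ip":"192.0.2.1","dest_ip":"10.0.0.80"}',
]


def run_sample():
    """Run the sample through both profiles; returns (kept, skipped)."""
    return filter_events(SAMPLE_EVE, [DEFAULT_PROFILE, TENANT_B_PROFILE])


if __name__ == "__main__":
    kept, skipped = run_sample()
    for ev in kept:
        print(f"{ev['zone']:8} {ev['profile']:9} {ev['mode']:22} "
              f"{ev['event_type']:5} {ev['src_ip']} -> {ev['dest_ip']}")
    print("skipped:", dict(skipped))
```

On the sample, the LAN dns event and the DMZ drop event are kept under the default profile, the TENANT_B ssh event is kept under the tenant profile, the TENANT_B http event is discarded because that profile does not log http, the WAN flow event is discarded because flow is not among the default Log Events, and the event from an interface outside every profiled zone is discarded. The overlap check in zone_profile_index is the caveat worth carrying into the GUI: when two profiles are being edited, confirm each zone is selected in only the profile meant to cover it.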