The Intrusion Detection and Protection application is built into the in-depth holistic security framework of the Crystal Eye XDR and extends its capabilities to protect the network against threats. The IDPS component of the CE XDR actively monitors network traffic and detects anomalies based on the backend and local IDPS rules.
Note: The backend IDPS rules are the rules developed by the security operations team of Red Piranha and the local rules are created on the CE XDR by the user.
CE XDR’s IDPS has in-built features that allow it to operate in Network Security Monitoring (NSM) mode, Inline mode and Detection & Protection mode. By default, the CE XDR runs in Detection & Protection mode, which only generates alerts and logs suspicious traffic. The app configurations are designed to allow users to create IDPS profiles that can then be assigned to a segmented interface of the CE XDR network. The IDPS policies assigned to each IDPS profile are predominantly a collection of rulesets and base rulesets.
Integration of Multi-tenancy with IDPS Profiles, Rulesets, base rulesets and other parameters of CE XDR’s IDPS application:
The IDPS application is designed to support multi-tenancy in its true sense. The user-friendly application GUI allows CE administrators to create multiple IDPS profiles and then assign them to multiple default or custom security zones. Apart from this, the administrator can also create multiple rulesets and define a base ruleset for each of them. These rulesets can then be assigned to the IDPS profiles, which defines the baseline for the multi-tenancy characteristics of the application.
The Intrusion Detection and Protection application is installed by default and can be accessed from the left-hand navigation panel.
Left-hand navigation Panel > Security Configuration > Intrusion Detection and Protection application
The improved GUI of the IDPS application supports multiple configurations for the various IDPS-related deployments across the CE XDR network. The configuration elements and parameters are spread over the various components of the configuration hierarchy, such as IDPS profiles, rulesets, base rulesets and the local rules development component.
The IDPS Configuration Hierarchy can be best understood with the following flowchart:
The latest CE XDR software version (since v4.0) has multi-tenancy integrated, which is predominantly visible in the app features that allow the creation of multiple rulesets.
There can be numerous reasons as to why multiple rulesets are required!
Multiple rulesets can be created, each with a base ruleset assigned to it. The base rulesets are fetched from Red Piranha’s servers and are divided into the categories Balanced, Connectivity, Custom, OT, Security and WAF. The CE administrator may choose any of these base rulesets based on a specific requirement. Below are the definitions of all the base rulesets available in the CE XDR.
Balanced Ruleset: Content will be updated soon!
Connectivity: Content will be updated soon!
Custom: Content will be updated soon!
OT: Content will be updated soon!
Security: Content will be updated soon!
WAF: Content will be updated soon!
What is a Default Ruleset in the CE XDR?
The default ruleset has ‘balanced’ as its base ruleset and has two default local rules aligned to it. The IDPS mode is set to Detection & Protection. The default configurations can be changed as required.
More about Rulesets and how they can be customized: A ruleset can be filtered based on a meta key and meta value. Meta tags filter a larger ruleset down to a smaller one based on the metadata key-value pair, and metadata expressed as key-value pairs gives the rules a better schema. So, if there is a requirement to fine-tune rule performance and reduce false positives (caused by a larger ruleset) in the IDPS alerts, the ruleset can be sliced and diced to customise it for a deployment. If there is an explicit requirement to add and use local rules, the CE administrator can create a local rule and tag it along with a particular ruleset.
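The following Python script is an added example and is not part of the Crystal Eye documentation or product code. It shows what a Meta Key / Meta Value filter does to a ruleset: it assumes that CE XDR rulesets use Suricata rule syntax (the rule actions described later on this page are Suricata’s) and that the filter corresponds to Suricata’s metadata keyword. The rules, metadata keys and SIDs in it are constructed samples, not real signatures.

```python
"""Filter a Suricata-format ruleset by a metadata key and value.

Added example, not Crystal Eye code. Assumes CE XDR rulesets use Suricata
rule syntax and that the GUI's Meta Key / Meta Value filter corresponds to
Suricata's 'metadata:' keyword. All rules below are constructed samples.
"""
import re

# Constructed sample ruleset (placeholder SIDs, not real signatures).
SAMPLE_RULESET = """\
# comment line, ignored by the filter
alert http any any -> any any (msg:"SAMPLE http policy"; metadata:signature_severity Informational, deployment Perimeter; sid:9000001; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"SAMPLE smb"; metadata:signature_severity Major, deployment Internal; sid:9000002; rev:1;)
drop tls any any -> any any (msg:"SAMPLE tls"; metadata:signature_severity Critical, deployment Perimeter, deployment Internal; sid:9000003; rev:2;)
alert dns any any -> any any (msg:"SAMPLE dns without metadata"; sid:9000004; rev:1;)
"""

_META_RE = re.compile(r"metadata:\s*([^;]*);")
_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_metadata(rule):
    """Return {key: {values}} from a rule's metadata keyword.

    Suricata metadata is written as 'key value, key value;' and a key may
    repeat (deployment above), so values are collected into a set per key.
    """
    meta = {}
    match = _META_RE.search(rule)
    if not match:
        return meta
    for pair in match.group(1).split(","):
        parts = pair.strip().split(None, 1)
        if len(parts) == 2:
            meta.setdefault(parts[0], set()).add(parts[1].strip())
    return meta


def filter_ruleset(text, meta_key, meta_value):
    """Keep only active rules whose metadata carries meta_key == meta_value.

    Returns a list of (sid, rule_line). Comment and blank lines are skipped.
    A rule with no metadata keyword, or without the requested key, never
    matches: this is the case to remember when a filter removes more rules
    than expected.
    """
    kept = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if meta_value in parse_metadata(line).get(meta_key, set()):
            sid_match = _SID_RE.search(line)
            kept.append((int(sid_match.group(1)) if sid_match else None, line))
    return kept


def kept_sids(text, meta_key, meta_value):
    """Just the SIDs that survive the filter, for quick before/after comparison."""
    return [sid for sid, _ in filter_ruleset(text, meta_key, meta_value)]


if __name__ == "__main__":
    for sid, rule in filter_ruleset(SAMPLE_RULESET, "deployment", "Perimeter"):
        print(sid, rule.split("(", 1)[0].strip())
```

Running it with the meta key deployment and the meta value Perimeter keeps only the two sample rules tagged for a perimeter deployment; the DNS sample, which carries no metadata at all, is excluded by every filter, which is the behaviour to account for when a sliced ruleset looks smaller than expected.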
How to create a custom ruleset?
Step 1: In the IDPS application page, click the Add button in the IDPS Rulesets section under the IDPS Rules tab.
Step 2: You will now see the Add Ruleset pop-up. Enter a Name for the ruleset.
Step 3: Select the desired IDPS mode (Detection & Protection or Inline).
Step 4: Select the required Base Ruleset as per requirements.
Note: The rules in the base rulesets are created by Red Piranha’s security operations team and are synced with the CE XDR through its service delivery network (SDN). The different base rulesets that can be selected are Balanced, Connectivity, Custom, OT, Security and WAF.
Step 5: Check the Rule Filter checkbox and select the required Meta Key and Meta Value.
Note: A ruleset can be filtered based on a meta key and meta value. Meta tags filter a larger ruleset down to a smaller one based on the metadata key-value pair, and metadata expressed as key-value pairs gives the rules a better schema. So, if there is a requirement to fine-tune rule performance and reduce false positives (caused by a larger ruleset) in the IDPS alerts, the ruleset can be sliced and diced to customise it for a deployment.
Step 6: Select the Rule checkbox if there is a requirement to add rules that are created locally using the Local Rules feature and click the Add button.
Note: Refer to the Creating and Managing Local Rules section to learn how to create local IDPS rules on the CE XDR appliance and then assign them to an IDPS profile.
The rule action property determines what happens when a signature matches. The rule action of the IDPS module of the Crystal Eye XDR is what draws the line between Detection & Protection mode and Inline mode.
CE XDR’s IDPS can be used as a Detection & Protection system or as an Inline IPS. Detection & Protection is only able to identify malicious behaviour, while an Inline IPS can both identify and handle malicious packets.
The following are the definitions of each rule action:
Pass - if a signature matches and contains pass, Suricata stops scanning the packet and skips to the end of all rules for the current packet.
Drop - this only concerns the in-line mode. If the program finds a signature that matches, containing drop, it stops immediately. The packet will not be sent any further. The receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.
Reject - this is an active rejection of the packet. Both the receiver and the sender receive a reject packet. There are two types of reject packets that will be automatically selected. If the offending packet concerns TCP, it will be a Reset-packet. For all other protocols, it will be an ICMP-error packet. Suricata also generates an alert.
Note: When in Inline mode, all the offending packet matching with the reject action will be dropped (like with the ‘drop’ action).
Alert - if a signature matches and contains alert, the packet will be treated like any other non-threatening packet, except an alert will be generated by Suricata. Only the system administrator can notice this alert.
A Crystal Eye administrator can create IDPS rules locally using the Local Rules feature of the IDPS application. This feature comes with a user-friendly UI which works as a flawless local rules developer.
The configuration hierarchy for creating local rules is such that there is an option to configure general settings and advanced settings. The sub-sections that fall under general and advanced settings are discussed in detail below.
Rule Details Section: This section includes fields defining the name of the local rule, signature identity (SID), protocol (TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS and IP) and Actions (Alert, Reject, Drop, Pass).
Source Section: The source section allows you to assign a source network and source port to ensure that the local rule applies only to traffic from a specific source network. The Host and Groups application can be used to create an IP network group (for networks) and a service group (for ports). The required IP network group and service group can then be selected from the source network dropdown and the source port dropdown respectively. Alternatively, you can enter comma-separated source network IP addresses and source ports directly in the textboxes. Learn how to create IP network group objects and service group objects (for ports).
Direction Section: This dropdown allows users to select the traffic direction the local rule must inspect. The traffic can be inspected either source to destination or in both directions.
Destination Section: The destination section allows you to assign a destination network and destination port to ensure that the local rule applies only to traffic to a specific destination network. The Host and Groups application can be used to create an IP network group (for networks) and a service group (for ports). The required IP network group and service group can then be selected from the destination network dropdown and the destination port dropdown respectively. Alternatively, you can enter comma-separated destination network IP addresses and destination ports directly in the textboxes.
Rule Body: This section consists of a message textbox in which a custom message is entered; the message is appended to the log when a packet matches the rule.
Sticky Buffer: Sticky buffers are modifier keywords that provide an efficient way to inspect a specific field of a protocol. The functionality of sticky buffers is best explained by selecting a protocol in the Rule Details section and then selecting the corresponding sticky buffer from the dropdown.
Rule Body: This section has fields that define the rule body by allowing users to enter a content match and keywords, and to assign a priority, reference, and group ID.
Note: The Priority number must be a number between 1-255 (1 being the highest priority). If priority is assigned it overrides the rule classification.
How to Create a Local Rule and Assign it to a Ruleset & IDPS Profile?
Step 1: Click the Add button in the Local Rules section of the IDPS Rules tab.
Note: You’ll now see the Add Local Rule pop-up. The system automatically assigns a SID to the rule, which is visible under the Rule Details section of the General Settings tab.
Step 2: Enter a name for the rule in the Name textbox and select the protocol that needs to be inspected from the Protocol dropdown.
Step 3: Select the Actions from the dropdown menu.
Note: Refer to Actions in Detection and Protection Mode and Inline Mode to know more about Alert, Reject, Drop and Pass.
Step 4: Enter the Source Network details and the Source Ports details under the Source section.
Note: You can enter the IP address and the port number directly in the Source Network and Source Ports textboxes. Alternatively, you may create an IP Host Group object to group multiple IP addresses and then select it from the source network and source port dropdowns.
Step 5: Select the inspection flow of the traffic from the Inspect Traffic Flow dropdown under the Direction section.
Note: The traffic flow can be inspected using two methodologies, namely, Source to Destination or Both Directions.
Step 6: Enter the Destination Network details and the Destination Ports details under the Destination section.
Note: You can enter the IP address and the port number directly in the Destination Network and Destination Ports textboxes. Alternatively, you may create an IP Host Group object to group multiple IP addresses and then select it from the destination network and destination port dropdowns.
Step 7: In the Message textbox, enter the message that will be appended to the log when a packet matches the rule.
Step 8: Select a Sticky Buffer from the dropdown. Sticky buffers provide an efficient way to inspect specific fields of the protocol selected in the Protocol dropdown of the Rule Details section.
Note: If you have selected HTTP protocol in the Rules Details section, HTTP specific sticky buffers will be displayed in the Sticky Buffers dropdown which can be used to efficiently inspect specific fields of the HTTP protocol.
Step 9: Select the classification criteria from the Rules Classification dropdown.
Step 10: Click the Advanced Settings tab and then enter the content match and keywords in the designated textbox.
Step 11: Enter the rule priority (Number between 1 (highest) and 255, overrides classification) in the Priority textbox, enter the Group ID in the textbox and click the Add button.
Note: Once the local rule is created, it will show up in the Local Rules section. In fact you will be directed to the Local Rules section after clicking the Add button in the screenshot above.
Now that you have created the local IDPS rule, you will have to add it to a ruleset. You can add the local rule either to the default ruleset or to a custom ruleset. In the screenshots below, we add the local IDPS rule to a custom ruleset. Please note that the local rule can be added to the custom ruleset while creating the custom ruleset or after it is created.
Step 12: To add the local IDPS rule to a custom ruleset, click on the Add button in the IDPS Ruleset section. Please note that we are adding the local IDPS rule to the custom ruleset in this step.
Step 13: You will now see the Add Ruleset popup. Click the Rule tick box then select the local rule created previously from the dropdown and click the Add button.
By following the above 13 steps, you’ll be able to create a local rule and then assign it to a custom or default ruleset. This ruleset can then be assigned to an IDPS profile (either a custom or the default IDPS profile).
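The Python script below is an added example and is not Crystal Eye code; it shows how the fields of the Local Rules form (SID, Protocol, Action, Source and Destination network and ports, Direction, Message, Sticky Buffer, Content, Classification, Priority, Reference and Group ID) come together as one Suricata rule line, and it enforces the validation points the form describes: the 1 to 255 priority range, comma-separated networks and ports, and the two inspection directions. The mapping of each form field onto a Suricata keyword is this example’s assumption (the page does not show the generated rule text), the rule Name is treated as a GUI label that does not appear in the rule, and the sample values used are constructed.

```python
"""Assemble a Suricata rule line from the Local Rules form fields.

Added example, not Crystal Eye code. It assumes the form fields map onto
the standard Suricata rule keywords; that mapping is this example's
assumption. The rule Name is treated as a GUI label only.
"""
import ipaddress

ACTIONS = {"alert", "reject", "drop", "pass"}
PROTOCOLS = {"tcp", "udp", "icmp", "http", "ftp", "tls", "smb", "dns", "ip"}
DIRECTIONS = {"source_to_destination": "->", "both": "<>"}


def _group(entries):
    """Single entry as-is, several entries as a Suricata [a,b] group."""
    return entries[0] if len(entries) == 1 else "[" + ",".join(entries) + "]"


def _address_field(value):
    """Validate a comma-separated network textbox entry.

    'any' and $VARIABLES pass through; every other entry must parse as an
    IP address or CIDR network (so 10.0.0.999 or a hostname is rejected).
    """
    entries = [e.strip() for e in str(value).split(",") if e.strip()]
    if not entries:
        raise ValueError("network field cannot be empty")
    for e in entries:
        if e.lower() != "any" and not e.startswith("$"):
            ipaddress.ip_network(e, strict=False)  # raises ValueError on bad input
    return _group(entries)


def _port_field(value):
    """Validate a comma-separated port entry (single ports or lo:hi ranges)."""
    entries = [e.strip() for e in str(value).split(",") if e.strip()]
    if not entries:
        raise ValueError("port field cannot be empty")
    for e in entries:
        if e.lower() == "any" or e.startswith("$"):
            continue
        lo, _, hi = e.partition(":")
        for p in (lo, hi):
            if p and not (p.isdigit() and int(p) <= 65535):
                raise ValueError(f"bad port {e!r}")
    return _group(entries)


def _escape_content(text):
    """Suricata needs backslash, double quote and semicolon escaped inside content."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def build_rule(sid, protocol, action, src_net, src_port, direction, dst_net,
               dst_port, message, sticky_buffer=None, content=None,
               classtype=None, priority=None, reference=None, gid=None, rev=1):
    """Return the rule line; raise ValueError for any field the form would reject."""
    action, protocol = action.lower(), protocol.lower()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    if direction not in DIRECTIONS:
        raise ValueError("direction must be 'source_to_destination' or 'both'")
    if priority is not None and not 1 <= int(priority) <= 255:
        raise ValueError("priority must be between 1 (highest) and 255")
    if '"' in message or ";" in message:
        raise ValueError("message must not contain double quotes or semicolons")

    options = [f'msg:"{message}"']
    if sticky_buffer:                 # e.g. http.uri; it must precede its content match
        options.append(sticky_buffer)
    if content:
        options.append(f'content:"{_escape_content(content)}"')
    if classtype:
        options.append(f"classtype:{classtype}")
    if priority is not None:          # an explicit priority overrides the classtype's
        options.append(f"priority:{int(priority)}")
    if reference:
        options.append(f"reference:{reference}")
    if gid is not None:
        options.append(f"gid:{int(gid)}")
    options += [f"sid:{int(sid)}", f"rev:{int(rev)}"]

    header = " ".join([action, protocol, _address_field(src_net), _port_field(src_port),
                       DIRECTIONS[direction], _address_field(dst_net), _port_field(dst_port)])
    return f"{header} ({'; '.join(options)};)"


if __name__ == "__main__":
    # Constructed sample input: alert on requests for /admin to two DMZ hosts.
    print(build_rule(sid=1000001, protocol="http", action="alert",
                     src_net="any", src_port="any", direction="source_to_destination",
                     dst_net="10.0.10.5, 10.0.10.6", dst_port="80, 8080",
                     message="Sample local rule", sticky_buffer="http.uri",
                     content="/admin", classtype="web-application-attack",
                     priority=2, reference="url,example.invalid/ticket-123", gid=1))
```

The validation mirrors what the form enforces rather than everything Suricata accepts: a priority of 0 or 256, a malformed address such as 10.0.0.999, or a message containing a semicolon all raise ValueError before a rule line is produced, which is preferable to a rule that the engine silently refuses to load.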
Crystal Eye XDR’s IDPS profile enables CE administrators to implement a variety of attack detection and prevention techniques on selective security zones and traffic across the CE XDR network.
Integration of Multi-tenancy with IDPS Profiles: Multiple IDPS profiles can be created and be made operational to align with various security zones (both custom and default zone) with different IDPS policies. This also sheds light on the latest integration of multi-tenancy with IDPS profiles.
The IDPS profile is also designed to define various other parameters, such as the IDPS mode (Detection & Protection, Inline and NSM), and to assign a ruleset. It also helps in selecting the specific IDPS event categories to be logged, which helps in reducing false positives and further fine-tuning the IDPS feature of the CE XDR.
Default IDPS Profile: The IDPS application runs on a default IDPS profile which is built into the core system. Although this profile consists of default configurations, it can be fine-tuned or changed if the need arises. As a default configuration, this profile runs on the default ruleset which has its base ruleset as ‘balanced’. This default IDPS profile logs specific events like anomaly, http, dns, tls, files, smtp, drop, krb5, sip, dhcp and ssh. The default profile functions on the detection and protection mode, and the IDPS policies are aligned to all default security zones (LAN, WAN, HOTLAN and DMZ). The following screenshot shows the default configurations of the default IDPS profile.
How to create a custom IDPS profile?
Step 1: In the IDPS application page, click the Add New Profile button.
Step 2: You’ll now see the Add Profile pop-up. Enter the Name of the profile and Description.
Step 3: Select the IDPS rule mode (Detection & Protection, Inline and NSM).
Step 4: Select the desired Reference Ruleset in the IDPS Rules section.
Note: Custom ruleset can be created, and it gets displayed in the ruleset section under the IDPS Rules tab. Click here to learn how to create custom rulesets.
Step 5: Select the Events that need to be logged and shown in the IDPS alerts report and in the live IDPS alerts on the security dashboard. These events are pre-defined and can be selected from the Log Events dropdown.
Note: You may select multiple events for logging as required.
Step 6: Select the Security Zones to which the IDPS profile and its policies need to be aligned, and then click the Add button.
Note: You may select multiple zones as required.
The Detection & Protection mode of the Crystal Eye XDR’s IDPS application ensures that the traffic flowing from devices connected to the network is monitored. In this mode, the traffic is analysed and matched against a database of known attacks to identify anomalies and threats. These abnormal behaviours are identified and flagged in the real-time IDPS alerts section of the security dashboard of the CE XDR.
Note: All drop rules will be automatically converted to reject in detection and protection IDPS mode.
The CE XDR administrator can then quickly act upon the anomaly by setting up a quick mitigation strategy or by using the in-built escalation feature that allows admins to escalate a triggered IDPS alert to the security operations team of Red Piranha for further analysis.
How to switch the CE XDR in Detection & Protection Mode?
In the steps below, we will create a custom ruleset with detection & protection mode activated on it. We will then create a new IDPS profile and then assign the custom ruleset to it. We will also ensure that the custom IDPS profile is set to detection and protection mode.
Step 1: In the IDPS application page, click the IDPS Rules tab and then click the Add button.
Step 2: You’ll now see the Add Ruleset pop-up.
When the Crystal Eye XDR runs in NSM mode, it provides traceability of the various processes and activities that take place in the network. In a typical NSM deployment the CE XDR acts as the hardware element that collects logs of network events and makes them available for further analysis.
Note: The NSM mode is highly recommended when the CE XDR is deployed in-line with another security solution. While it stays in the network, it still provides the much-required IDPS alerts and keeps the rest of the XDR features readily available. Please take note that when the CE XDR is switched to NSM mode, it only provides alerts and will not drop or reject packets by any means.
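The Python script below is an added example, not Crystal Eye code, and serves two statements on this page: the note under Detection & Protection mode that all drop rules are automatically converted to reject in that mode, and the note above that NSM mode only produces alerts and never drops or rejects packets. It applies those conversions to a ruleset so that the action each rule will actually have in a given mode can be counted before the profile goes live. Inline mode is modelled as applying the actions as written (where, per the rule action definitions, reject also drops the packet). The page does not say how a pass rule behaves in NSM mode; leaving it unchanged is this example’s assumption, and the sample rules are constructed.

```python
"""Effective rule actions per IDPS mode, as described on this page.

Added example, not Crystal Eye code. Encodes: NSM mode alerts only and
never drops or rejects; Detection & Protection converts drop to reject;
Inline applies actions as written. Pass in NSM mode is assumed unchanged.
"""
MODES = ("nsm", "detection_protection", "inline")

# Constructed sample rules (placeholder SIDs, not real signatures).
SAMPLE_RULESET = """\
# comment line, left untouched
drop tcp any any -> $HOME_NET 23 (msg:"SAMPLE drop one"; sid:9100001; rev:1;)
drop http any any -> any any (msg:"SAMPLE drop two"; sid:9100002; rev:1;)
reject tcp any any -> $HOME_NET 445 (msg:"SAMPLE reject"; sid:9100003; rev:1;)
alert dns any any -> any any (msg:"SAMPLE alert"; sid:9100004; rev:1;)
pass tls $HOME_NET any -> any 443 (msg:"SAMPLE pass"; sid:9100005; rev:1;)
"""


def effective_action(action, mode):
    """Action that actually takes effect for a rule written with `action`."""
    action = action.lower()
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "nsm" and action in ("drop", "reject"):
        return "alert"        # NSM: alerts only, never drop or reject
    if mode == "detection_protection" and action == "drop":
        return "reject"       # page: drop is converted to reject in this mode
    return action             # inline, and every other action: as written


def normalize_ruleset(text, mode):
    """Rewrite the leading action keyword of every active rule line for `mode`."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        action, _, rest = stripped.partition(" ")
        out.append(f"{effective_action(action, mode)} {rest}")
    return "\n".join(out)


def action_counts(text, mode):
    """How many rules end up with each action once the mode is applied."""
    counts = {}
    for line in normalize_ruleset(text, mode).splitlines():
        if line and not line.startswith("#"):
            action = line.split(" ", 1)[0]
            counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for mode in MODES:
        print(mode, action_counts(SAMPLE_RULESET, mode))
```

The count is the practical check: a ruleset that contains drop rules will show zero of them in Detection & Protection mode and zero drop or reject rules in NSM mode, so a rule that was expected to block traffic but whose profile is not in Inline mode can be spotted before it is relied on.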
How to switch the CE XDR in NSM mode?
The CE XDR can be operated in NSM mode both in default IDPS profile and custom IDPS profile. In the steps mentioned below, we will assign the NSM mode in a custom IDPS profile.
Step 1: In the IDPS application page, click the Add New Profile button.
Step 2: You’ll now be directed to the Add Profile pop-up. Enter the name of the IDPS profile, enter the description, select NSM from the Mode dropdown, select the Zones where you want this IDPS profile to be deployed.
The Inline mode of the IDPS module of the Crystal Eye XDR drops suspicious network traffic based on the rules in addition to generating alerts. This also means that if a drop rule action is triggered it would drop illegitimate traffic based on the malicious signature match.
There is no doubt that the most valuable asset of an organization is its data. Hackers know this very well and hence try a variety of methods to attack company networks and steal information.
Ever-evolving and sophisticated attack tooling has diversified cyber-attacks to the extent that additional layers of security are required to deal with them. Such an additional layer of security can be attained through the IDPS in-line mode feature of the Crystal Eye XDR.
Automation of Business Processes with Web Applications Increases the Attack Surface
With more and more companies resorting to automation of business processes with web applications, a solution providing multiple layers of defence to thwart attacks on web applications must be considered.
Crystal Eye’s IDPS application when run on in-line mode with a pre-defined WAF ruleset running on the background can deal with threats derived from unavoidable security gaps in the backend codes of the web applications.
Be it a web application running on an AWS virtual private cloud (VPC) or a web application running on a private server deployed behind the Crystal Eye XDR, the IDPS app running in in-line mode with WAF rulesets as a baseline can provide the much-needed protection.
Use Case Details – IDPS Inline Mode (WAF Ruleset)
The Crystal Eye’s IDPS application can be configured to ensure that pre-defined WAF rules are applied to particular HTTP traffic (request and response) in the CE XDR network. These IDPS WAF rules create a strong network perimeter as they inspect for malicious HTTP requests such as SQL injection, cross-site scripting (XSS), cookie manipulation and many more.
In the use case discussed below, we will deploy a server in the DMZ zone assigned to LAN2 interface of the CE XDR network. This server which has an enterprise web application running on it will have CE XDR’s IDPS WAF rules applied to its incoming and outgoing traffic. We will create a custom IDPS profile and set it to inline IDPS mode.
Let’s understand this setup with the help of the diagram below.
In the diagram above, malicious traffic is sent through a legitimate port by a malicious actor. The Crystal Eye XDR is deployed as a gateway firewall and has web application firewall (WAF) rulesets activated in its IDPS app. The CE XDR only sends legitimate web traffic to the web applications running on the servers in the DMZ zone.
Now, let’s configure a custom IDPS profile and set it to inline mode. This will activate the drop IDPS WAF rules of the CE XDR. We will then create firewall rules to ensure that the WAF rules are applied.
In-line Mode Configuration on the CE XDR as per the use case discussed above can be done in the following 4 phases:
Assign the DMZ zone to an interface. As per the use case, we shall assign the DMZ zone to the LAN 2 interface of the CE XDR. This is the zone where we will deploy the server.
Step 1: Go to Network Controls > Infrastructure > Network Settings.
Step 2: You will see the Network Settings page. Click the Edit icon in the Actions Row.
Step 3: You will now be directed to the Update Interface page. Select DMZ zone from the Zone dropdown.
Note: You will now see the DMZ Zone assigned to LAN 2 in the Interfaces dashboard.
Create a custom IDPS ruleset (Testinline1) with the base ruleset set to ‘WAF’.
Step 1: Go to Security Configuration > Intrusion Detection & Protection.
Step 2: You will see the IDPS application page. Click the Add button in the IDPS Rulesets section.
Step 3: You will see the Add Ruleset pop-up. Enter the name of the ruleset, select Inline from the Mode dropdown, select WAF as the Base Ruleset and click the Add button.
Note: You will now see the Ruleset created and displayed in the IDPS Rulesets section.
Create a custom in-line IDPS profile (Profile1) and align it with the custom IDPS ruleset (Testinline1).
Step 1: Go to Security Configuration > Intrusion Detection & Protection and click the IDPS Profiles tab.
Step 2: Click the Add New Profile button.
Step 3: You will see the Add Profile pop-up. Enter the name of the profile (Profile1), enter the description, select Inline from the Mode dropdown, select the custom ruleset (Testinline1) from the Reference Ruleset dropdown and click the Add button.
Note: You will now see the newly created profile (named Profile1) in the IDPS Profiles dashboard. The dashboard will display information about the profile such as profile name, profile description, base ruleset aligned to this profile, log events, interfaces aligned to the profile, rule statistics and rule filter details.
Create incoming firewall rules to apply the WAF IDPS rules to the DMZ zone traffic.
Step 1: Go to Security Configuration > Advanced Firewall and click the Traffic Rules tab.
Step 2: You will be directed to the Traffic Rules page. Click the Add button on the top-right corner of the Rules section.
Step 3: You will see the Add New Traffic Rule pop-up. Now, enter the description, select Any from the Protocol dropdown, select WAN as the Source Zone, select DMZ as the Destination Zone, select IDPS from the Target dropdown under the Actions section and select the inline IDPS profile (Profile1 in this use case).
Step 4: You will now be directed to the Traffic Rules dashboard. Here you will see the traffic rule named ‘WAN2DMZ_INLINE’ in the Rules section.
Create outgoing firewall rules to apply the WAF IDPS rules to the DMZ zone traffic.
Step 1: Click the Add button in the top-right corner of the Rules section under the Traffic Rules tab.
Step 2: You will see the Add New Traffic Rule pop-up. Now, enter the description, select Any from the Protocol dropdown, select DMZ as the Source Zone, select WAN as the Destination Zone, select IDPS from the Target dropdown under the Actions section and select the inline IDPS profile (Profile1 in this use case).
Step 3: You will now see the rule displayed in the Traffic Rules dashboard in the Rules section.