Manage IPS Profiles
Secure Access's Intrusion Prevention System (IPS) protects your network and assets from known threats. You define IPS profiles with signature lists that group these threats and allow you to specify how each threat should be handled. You then specify an IPS profile in each access rule.
How IPS Works
Secure Access IPS uses signature-based detection and provides an added layer of protection against threats such as malware, botnets, phishing, and command and control call backs. When IPS is enabled, it's enabled for your entire environment, including all of your network tunnels.
IPS Signature Lists contain signatures filtered by three actions:
- Block—Signatures are screened for threats on your network and recorded in Activity Search.
- Log Only—Signatures are recorded in Activity Search, but not screened for threats.
- Ignore—Signatures are completely ignored and not recorded in Activity Search.
Hit Counts
Hit counts represent the amount of times signatures were detected on your network for a certain period. By default, hit count durations for all lists are set to the last 24 hours. Each list's hit count duration can be changed to the last five minutes, last hour, yesterday, or the last 30 days. Hit counts may also be reset at any time.
Cisco-Provided IPS Signature Lists
The IPS signature lists provided by Cisco are constructed based on the balance between network connectivity and network security. The more a list is focused on security the more signatures are set to Blocked in that list rather than Log Only or Ignored.
- Connectivity Over Security—This signature list places an emphasis on network connectivity and throughput at the possible expense of security. Traffic is inspected less deeply, and fewer rules are evaluated.
- Balanced Security and Connectivity—This signature list attempts to balance network connectivity and security to keep users secure while being less obtrusive toward normal traffic. Less strict than Connectivity Over Security.
- Security Over Connectivity—This signature list emphasizes security over network connectivity. Traffic is inspected more deeply and more rules are evaluated. The result is an increase in false positives and network latency.
- Maximum Detection—This signature list places all emphasis on security, such that network connectivity and throughput are compromised. Only select this setting when total protection is required as alerts must be monitored and validated manually.
Decryption is Required for Effective Intrusion Prevention
IPS requires decryption in order to effectively evaluate threats in traffic. Decrypting traffic requires certificates that you must provide and manage:
- Certificates required for decrypting traffic to internet destinations.
See Certificates for Internet Decryption. - Certificates required for decrypting traffic to private destinations
See Certificates for Private Resource Decryption.
Exceptions for Traffic That Should Not be Decrypted
If regulation or policy requires traffic to certain types of internet destinations to remain confidential, you can use the system-provided Do Not Decrypt List for this purpose. Navigate to Secure > Settings > Do Not Decrypt Lists and click the the System Provided Do Not Decrypt List. (Additional lists that you create on this page do not apply to IPS.) For more information, see Important Information About Do Not Decrypt Lists.
IPS is Used in Both Types of Access Rules
IPS profiles are used in both internet access rules and private access rules.
Settings such as the default IPS profile and the decryption setting in global settings apply to both types of access rules.
Add a VPN Connection Posture Profile < Manage IPS Profiles > Manage Security Profiles
Updated 12 days ago