Manage IPS Profiles

Secure Access's Intrusion Prevention System (IPS) protects your network and assets from known threats. You define IPS profiles with signature lists that group these threats and allow you to specify how each threat should be handled. You then specify an IPS profile in each access rule.

How IPS Works

Secure Access IPS uses signature-based detection and provides an added layer of protection against threats such as malware, botnets, phishing, and command and control call backs. When IPS is enabled, it's enabled for your entire environment, including all of your network tunnels.

IPS Signature Lists contain signatures filtered by three actions:

• Block—Signatures are screened for threats on your network and recorded in Activity Search.
• Log Only—Signatures are recorded in Activity Search, but not screened for threats.
• Ignore—Signatures are completely ignored and not recorded in Activity Search.

Hit Counts

Hit counts represent the amount of times signatures were detected on your network for a certain period. By default, hit count durations for all lists are set to the last 24 hours. Each list's hit count duration can be changed to the last five minutes, last hour, yesterday, or the last 30 days. Hit counts may also be reset at any time.

Cisco-Provided IPS Signature Lists

The IPS signature lists provided by Cisco are constructed based on the balance between network connectivity and network security. The more a list is focused on security the more signatures are set to Blocked in that list rather than Log Only or Ignored.

• Connectivity Over Security—This signature list places an emphasis on network connectivity and throughput at the possible expense of security. Traffic is inspected less deeply, and fewer rules are evaluated.
• Balanced Security and Connectivity—This signature list attempts to balance network connectivity and security to keep users secure while being less obtrusive toward normal traffic. Less strict than Connectivity Over Security.
• Security Over Connectivity—This signature list emphasizes security over network connectivity. Traffic is inspected more deeply and more rules are evaluated. The result is an increase in false positives and network latency.
• Maximum Detection—This signature list places all emphasis on security, such that network connectivity and throughput are compromised. Only select this setting when total protection is required as alerts must be monitored and validated manually.

Decryption is Required for Effective Intrusion Prevention

IPS requires decryption in order to effectively evaluate threats in traffic. Decrypting traffic requires certificates that you must provide and manage:

• Certificates required for decrypting traffic to internet destinations.
  See Certificates for Internet Decryption.
• Certificates required for decrypting traffic to private destinations
  See Certificates for Private Resource Decryption.

Exceptions for Traffic That Should Not be Decrypted

If regulation or policy requires traffic to certain types of internet destinations to remain confidential, you can use the default Do Not Decrypt List for this purpose. Navigate to Secure > Settings > Do Not Decrypt Lists and configure the default list. (Additional lists that you create on this page do not apply to IPS.) For more informatin, see Important Information About Do Not Decrypt Lists.

IPS is Used in Both Types of Access Rules

IPS profiles are used in both internet access rules and private access rules.

Settings such as the default IPS profile and the decryption setting global settings apply to both types of access rules.

Add a VPN Connection Posture Profile < Manage IPS Profiles > Manage Web Profiles