Threat Protection

Overview

Threat protection consists of the Sourcefire® SNORT® intrusion detection engine and AMP anti-malware technology. More details about AMP can be found in this article. These features require an Advanced Security license.

Advanced Malware Prevention (AMP)

Advanced Malware Prevention inspects HTTP file downloads through an MX Security Appliance and blocks or allows file downloads based on threat intelligence retrieved from the AMP cloud. For more information about AMP, please see this article.

You can enable AMP by setting the Mode option to Enabled in the Security Appliance > Configure > Threat protection page.

When traffic is filtered, the URL or ID and the action taken are logged in the Security Center.

Malware protection is powered by the Advanced Malware Protection engine in MX 12.20 and higher. Previous releases leverage Kaspersky Lab as the malware protection engine.

To review the firmware versions of MX appliances in your organization and to schedule firmware upgrades, please see the Organization > Monitor > Firmware upgrades page.

Dealing with false positives

Occasionally the MX appliance may block a file or a URL that the administrator deems safe. In that case, you can allow the download of the content or web page by whitelisting it.

Whitelisting URLs

Find the URL that was blocked in the Event log page and enter it in the Whitelisted URLs section to allow that URL in the future.

Whitelisting IDs

For files, JavaScript, and other objects that are not URLs, the MX appliance assigns a unique ID. Blocked items are listed in the Event log page. By entering the ID of the object you want to allow in the Whitelisted IDs section, you instruct the appliance to allow the detected signature even if the URL is different.

Intrusion Detection and Prevention

Intrusion detection feeds all packets flowing between the LAN and Internet interfaces and between VLANs through the SNORT® intrusion detection engine and logs the generated alerts to the Security Report. You can also export these alerts via Syslog.

Intrusion prevention blocks traffic that is identified as malicious, rather than just generating alerts for it.

Configuring Intrusion Detection and Prevention

Intrusion Detection

You can enable intrusion detection by setting the Detection option to Enabled under Security Appliance > Configure > Threat protection. When enabling intrusion detection, there are three distinct detection rulesets to choose from using the Ruleset selector:

  • Connectivity:  Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
  • Balanced:  Contains rules that are from the current year and the previous two years, are for vulnerabilities with a CVSS score of 9 or greater, and are in one of the following categories:
    • Malware-CNC:  Rules for known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.
    • Blacklist:  Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
    • SQL Injection:  Rules that are designed to detect SQL Injection attempts.
    • Exploit-kit:  Rules that are designed to detect exploit kit activity.
  • Security:  Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of 8 or greater, and are in one of the following categories:
    • Malware-CNC:  Rules for known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.
    • Blacklist:  Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
    • SQL Injection:  Rules that are designed to detect SQL Injection attempts.
    • Exploit-kit:  Rules that are designed to detect exploit kit activity.
    • App-detect:  Rules that look for and control the traffic of certain applications that generate network activity.

The Balanced ruleset will be selected by default.
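To make the three ruleset criteria above concrete, here is an added example (not Meraki's or Talos's code) that models exactly the year window, CVSS threshold and category list the page gives for each ruleset and reports which choice would include a given rule. The rule metadata, signature IDs and the `current_year` value are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Categories listed on the page for the Balanced and Security rulesets.
BALANCED_CATEGORIES = {"malware-cnc", "blacklist", "sql-injection", "exploit-kit"}
SECURITY_CATEGORIES = BALANCED_CATEGORIES | {"app-detect"}

# name -> (previous years included, minimum CVSS, allowed categories or None for any)
# Connectivity requires a CVSS score of exactly 10, which equals a minimum of 10.0.
RULESETS = {
    "Connectivity": (2, 10.0, None),
    "Balanced": (2, 9.0, BALANCED_CATEGORIES),
    "Security": (3, 8.0, SECURITY_CATEGORIES),
}


@dataclass(frozen=True)
class Rule:
    sid: str        # constructed signature id in gid:sid:rev form
    year: int       # year the rule was published
    cvss: float     # CVSS score of the covered vulnerability
    category: str   # rule category, lower-cased


def in_ruleset(rule, name, current_year):
    """True if `rule` meets the page's stated criteria for ruleset `name`."""
    years_back, min_cvss, categories = RULESETS[name]
    if not (current_year - years_back <= rule.year <= current_year):
        return False
    if rule.cvss < min_cvss:
        return False
    return categories is None or rule.category in categories


def rulesets_for(rule, current_year):
    """Names of the rulesets (in selector order) that would include the rule."""
    return [name for name in RULESETS if in_ruleset(rule, name, current_year)]


def coverage(rules, current_year):
    """How many of the given rules each ruleset choice would enable."""
    return {name: sum(in_ruleset(r, name, current_year) for r in rules)
            for name in RULESETS}


# Constructed sample rules (assumed current year: 2017).
SAMPLE_RULES = [
    Rule("1:1001:1", 2016, 10.0, "malware-cnc"),    # all three rulesets
    Rule("1:1002:1", 2017, 9.0, "exploit-kit"),     # Balanced and Security
    Rule("1:1003:1", 2014, 8.0, "app-detect"),      # Security only (3-year window)
    Rule("1:1004:1", 2014, 9.5, "sql-injection"),   # Security only (outside 2-year window)
    Rule("1:1005:1", 2013, 10.0, "blacklist"),      # too old for every ruleset
]
```

Running `coverage(SAMPLE_RULES, 2017)` shows why Balanced is a reasonable default: it includes the high-severity, recent rules without the broader Security set.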

Intrusion Prevention

You can enable intrusion prevention by setting the Prevention option to Enabled under Security Appliance > Configure > Threat protection. Traffic will be automatically blocked if it is detected as malicious based on the detection ruleset specified above.

Whitelisting signatures

You can whitelist specific SNORT® signatures by clicking Whitelist an IDS signature. Any signatures for which matching traffic has been seen by the appliance will appear in the Select an Option drop-down so that you can select which signature or signatures you wish to whitelist.

Security Report

Once Threat protection is enabled, the Security Report will be accessible via Security Appliance > Monitor > Security center. The report provides you with a graphical representation of Intrusion Detection events in your network.

The security threats are broken down by:

  • Signatures (as defined by SNORT®)
  • Networks
  • Clients

You can filter the security events by these categories.

Last modified
16:43, 14 Sep 2017

Article ID

ID: 4056
