Threat Protection
Overview
Threat protection consists of the Sourcefire® SNORT® intrusion detection engine and AMP anti-malware technology. More details about AMP can be found in this article.
Threat Protection is available only with Advanced Security Edition licensing.
Advanced Malware Prevention (AMP)
Advanced malware prevention (AMP) inspects HTTP file downloads through an MX Security Appliance and blocks or allows file downloads based on threat intelligence retrieved from the AMP cloud. For more information about AMP, please see this article.
You can enable AMP by setting the Mode option to Enabled in the Security & SD-WAN > Configure > Threat protection page.
When traffic is filtered, the URL or ID and the action taken are logged in the Security Center.
Malware protection is powered by the Advanced Malware Protection engine in MX 12.20 and higher. Previous releases leverage Kaspersky Lab as the malware protection engine.
To review the firmware versions of MX appliances in your organization and to schedule firmware upgrades, please see the Organization > Monitor > Firmware upgrades page.
Dealing with False Positives
Occasionally the MX appliance may block a file or URL that the administrator deems safe. In that case, you can add the content or web page to an allow list so that the MX permits the download in the future.
Allow list URLs
Find the URL that was blocked in the Event log page and enter it in the Allow list URLs section to allow that URL in the future.
Allow list files
For files, JavaScript resources, and other objects that are not URLs, the MX appliance assigns a unique ID. You can see the blocked items in the Event log page. By entering the ID of the object you want to allow in the Allow list files section, you instruct the appliance to allow the detected signature even if the URL is different.
Intrusion Detection and Prevention
In both IDS and IPS modes the following is inspected:
- all traffic between the LAN and the Internet
- all traffic between VLANs
In both IDS and IPS modes the following is not inspected:
- INTRA-VLAN traffic (where Client 1 and Client 2 are both in the same VLAN)
Intrusion prevention on the MX blocks the packet that triggers a signature on a best-effort basis; subsequent packets within the same malicious flow will be blocked. The recommended best practice is to install an additional layer of host-based security to ensure maximum protection.
Relevant logging (alerts) is generated in the Security Report. This can be exported via Syslog.
Configuring Intrusion Detection and Prevention
Intrusion Detection
You can enable intrusion detection by setting the Mode to Detection under Security & SD-WAN > Configure > Threat protection > Intrusion detection and prevention. When enabling intrusion detection, there are three distinct detection rulesets to choose from using the Ruleset selector:
- Connectivity: Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
- Balanced: Contains rules that are from the current year and the previous two years, are for vulnerabilities with a CVSS score of nine (9) or greater, and are in one of the following categories:
  - Malware-CNC: Rules for known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.
  - Blacklist: Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
  - SQL Injection: Rules that are designed to detect SQL Injection attempts.
  - Exploit kit: Rules that are designed to detect exploit-kit activity.
- Security: Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of eight (8) or greater, and are in one of the following categories:
  - Malware-CNC: Rules for known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.
  - Blacklist: Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
  - SQL Injection: Rules that are designed to detect SQL Injection attempts.
  - Exploit kit: Rules that are designed to detect exploit-kit activity.
  - App-detect: Rules that look for and control the traffic of certain applications that generate network activity.
The Balanced ruleset will be selected by default.
From time-to-time, Cisco Meraki may add additional signatures that fall outside of these criteria based on various factors, including recommendations from the Cisco Talos threat intelligence group.
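To make the three sets of criteria above concrete, here is an added example (not Meraki or Talos code) that applies the stated year window, CVSS threshold and category test to a rule record and reports which rulesets it falls into. The rule records and their SIDs are constructed for illustration.

```python
from dataclasses import dataclass

# Categories as listed on the page; Security adds App-detect to the Balanced set.
BALANCED_CATEGORIES = {"malware-cnc", "blacklist", "sql-injection", "exploit-kit"}
SECURITY_CATEGORIES = BALANCED_CATEGORIES | {"app-detect"}


@dataclass(frozen=True)
class Rule:
    sid: str        # SNORT gid:sid:rev (constructed values in the samples below)
    year: int       # year the rule was published
    cvss: float     # CVSS score of the vulnerability it covers
    category: str   # rule category, lower-cased with hyphens


def rulesets_for(rule: Rule, current_year: int) -> set[str]:
    """Return the names of the rulesets whose stated criteria this rule meets."""
    within_2y = current_year - 2 <= rule.year <= current_year
    within_3y = current_year - 3 <= rule.year <= current_year
    matched = set()
    # Connectivity: last three calendar years, CVSS 10, any category.
    if within_2y and rule.cvss >= 10:
        matched.add("Connectivity")
    # Balanced: last three calendar years, CVSS >= 9, listed categories only.
    if within_2y and rule.cvss >= 9 and rule.category in BALANCED_CATEGORIES:
        matched.add("Balanced")
    # Security: last four calendar years, CVSS >= 8, listed categories plus App-detect.
    if within_3y and rule.cvss >= 8 and rule.category in SECURITY_CATEGORIES:
        matched.add("Security")
    return matched


def select_rules(rules, ruleset: str, current_year: int) -> list[Rule]:
    """Rules that would be active when the given ruleset is selected."""
    return [r for r in rules if ruleset in rulesets_for(r, current_year)]


# Constructed sample rules (not real SIDs).
SAMPLE_RULES = [
    Rule("1:100001:2", 2024, 10.0, "blacklist"),
    Rule("1:100002:1", 2024, 9.0, "sql-injection"),
    Rule("1:100003:1", 2021, 8.5, "malware-cnc"),
    Rule("1:100004:3", 2023, 10.0, "app-detect"),
    Rule("1:100005:1", 2020, 10.0, "exploit-kit"),
]

if __name__ == "__main__":
    for name in ("Connectivity", "Balanced", "Security"):
        print(name, [r.sid for r in select_rules(SAMPLE_RULES, name, 2024)])
```

Taken literally, the criteria are not strictly nested: a CVSS 10 rule outside the listed categories (the App-detect sample) matches Connectivity but not Balanced.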
Intrusion Prevention
You can enable intrusion prevention by setting the Mode drop-down to Prevention under Security & SD-WAN > Configure > Threat protection > Intrusion detection and prevention. Traffic that matches the detection ruleset selected above is blocked automatically on a best-effort basis.
The Protected Network section controls the IP addresses or subnets of the systems to be protected. Entries should be separated by commas or whitespace. This narrows the scope of protection: only the subnets listed will be protected.
Note: The Protected Network section is only available for Security Appliances in Passthrough mode.
Allow list rules
You can allow specific SNORT® signatures by clicking Add an IDS rule to Allow list. Any signatures for which matching traffic has been seen by the appliance will appear in the Select an Option drop-down so you can select which signature(s) you wish to allow.
Note: Allow list rules are only visible to Full Organization Administrators. Read-only Organization admins and network admins are not able to view or modify these rules.
Security Report
Once threat protection is enabled, the Security Report will be accessible via Security & SD-WAN > Monitor > Security center. The report provides you with a graphical representation of intrusion detection events in your network.
The security threats are broken down by:
- Signatures (as defined by SNORT®)
- Networks
- Clients
You can filter the security events by these categories.
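The alerts that feed the Security Report can also be exported via Syslog, so the same breakdown by signature, network and client can be rebuilt offline. The following is an added example (not Meraki code) that parses exported IDS alert lines and counts them the way the report does. The key=value line layout, the field names and the sample lines are all constructed assumptions, as is the convention that the LAN client is the destination of ingress traffic and the source of egress traffic.

```python
import re
from collections import Counter

# Constructed sample export. Assumed layout (not copied from a real appliance):
#   <epoch> <network-name> ids-alerts signature=<gid:sid:rev> priority=<n>
#   direction=<ingress|egress> protocol=<proto> src=<ip:port> dst=<ip:port>
SAMPLE_LOG = """\
1700000001.000000 branch-mx ids-alerts signature=1:100001:2 priority=1 direction=ingress protocol=tcp/ip src=203.0.113.10:443 dst=10.10.20.5:51234
1700000002.000000 branch-mx ids-alerts signature=1:100001:2 priority=1 direction=ingress protocol=tcp/ip src=203.0.113.10:443 dst=10.10.20.6:51300
1700000003.000000 branch-mx ids-alerts signature=1:100007:1 priority=2 direction=egress protocol=udp/ip src=10.10.20.5:53420 dst=198.51.100.7:53
1700000004.000000 hq-mx ids-alerts signature=1:100001:2 priority=1 direction=ingress protocol=tcp/ip src=203.0.113.10:443 dst=10.20.0.9:49152
1700000005.000000 hq-mx urls src=10.20.0.9:49200 dst=203.0.113.50:80 request: GET https://example.invalid/
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"signature", "direction", "src", "dst"}


def parse_alert(line: str):
    """Return a dict for one ids-alerts line, or None for any other line."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4 or parts[2] != "ids-alerts":
        return None
    fields = dict(KV.findall(parts[3]))
    if not REQUIRED <= set(fields):
        return None  # malformed alert: refuse to guess at missing fields
    # Assumed convention: the LAN client is dst for ingress and src for egress.
    client = fields["dst"] if fields["direction"] == "ingress" else fields["src"]
    return {
        "network": parts[1],
        "signature": fields["signature"],
        "client": client.rsplit(":", 1)[0],   # strip the port
        "priority": int(fields.get("priority", 0)),
    }


def summarize(log_text: str) -> dict:
    """Count alerts by signature, network and client, mirroring the Security Report."""
    by = {"signature": Counter(), "network": Counter(), "client": Counter()}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # non-alert event types (e.g. URL logs) are skipped
        for key in by:
            by[key][alert[key]] += 1
    return by


if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_LOG).items():
        print(key, counts.most_common())
```

A client that appears repeatedly under one signature is a starting point for deciding whether the traffic is a true positive or a candidate for an allow list rule.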