Information About Multi-Tenancy for Unified Threat Defense
Multi-tenancy for Snort IPS and Web Filtering allows you to define policies for one or more tenants, in one Cisco CSR 1000v instance. This feature was introduced in Cisco IOS XE Everest 16.6.1.
Each tenant is a VPN routing and forwarding instance with one or more VPN routing and forwarding tables (VRFs). A Unified Threat Defense (UTD) policy is associated with a threat inspection profile and web filtering profile. Multiple tenants can share a UTD policy.
The system logs include the name of the VRF, which lets you produce per-tenant statistics from the same log stream.
The CLI commands used in multi-tenancy mode are similar to those used in single-tenancy mode (see Snort IPS and Web Filtering). In multi-tenancy, you enter the utd engine standard multi-tenancy sub-mode and configure UTD policies, web filtering profiles and threat-inspection profiles. After you exit the utd engine standard multi-tenancy sub-mode, the UTD policies are applied.
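The following configuration is an added example, not taken from the original guide: two tenant VRFs share one UTD policy while a third tenant gets its own stricter policy, which is the sharing model the text describes. The VRF names, profile and policy names, the regex parameter-map and the syslog host address are assumed values, and the exact sub-mode keywords should be checked against the command reference for your IOS XE release.

```cisco
! Added example (assumed names/addresses). Regex map used by the web-filter block list.
parameter-map type regex BLOCKED-SITES
 pattern www.example.com
!
utd multi-tenancy
utd engine standard multi-tenancy
 ! Web filtering profile: block the listed domains, allow everything else
 web-filter url profile WEB-STD
  blacklist
   parameter-map regex BLOCKED-SITES
 ! Threat inspection profile shared by tenant-a and tenant-b (IPS, balanced ruleset)
 threat-inspection profile IPS-STD
  threat protection
  policy balanced
  logging level warning
 ! Stricter profile for tenant-c (IPS, security ruleset, more verbose alerts)
 threat-inspection profile IPS-STRICT
  threat protection
  policy security
  logging level notice
 ! Engine-wide settings: send alerts to an external syslog collector (assumed address)
 utd global
  logging host 192.0.2.10
 ! One policy bound to two VRFs: both tenants share the same profiles
 policy UTD-SHARED
  vrf tenant-a
  vrf tenant-b
  threat-inspection profile IPS-STD
  web-filter url profile WEB-STD
 ! Separate policy for the tenant that needs the stricter inspection profile
 policy UTD-STRICT
  vrf tenant-c
  threat-inspection profile IPS-STRICT
  web-filter url profile WEB-STD
 ! Leaving the sub-mode is what applies the policies
 exit
```

Because each alert carries the VRF name, the collector at the assumed syslog host can split events per tenant even though tenant-a and tenant-b share a policy.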
The benefits of web filtering and threat inspection (Snort IPS/IDS) are explained in the following sections:
Web Filtering Overview
Web Filtering allows you to provide controlled access to the internet by configuring URL-based policies and filters. Web Filtering helps to control access to websites by blocking malicious or unwanted websites, thereby making the network more secure. You can block-list individual URLs or domain names and configure allow-list policies for them. You can also allow or block a URL based on its reputation or category.
Snort IPS Overview
The Snort IPS feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices on Cisco 4000 Series Integrated Services Routers and Cisco Cloud Services Router 1000v Series. This feature uses the Snort engine to provide IPS and IDS functionalities.
Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content searching or matching, and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and so on. The Snort engine runs as a virtual container service on Cisco 4000 Series Integrated Services Routers and Cisco Cloud Services Router 1000v Series.
The Snort IPS feature works in the network intrusion detection and prevention mode that provides IPS or IDS functionalities. In the network intrusion detection and prevention mode, Snort performs the following actions:
- Monitors network traffic and analyzes it against a defined rule set.
- Performs attack classification.
- Invokes actions against matched rules.
Based on your requirements, you can enable Snort either in IPS or IDS mode. In IDS mode, Snort inspects the traffic and reports alerts, but does not take any action to prevent attacks. In IPS mode, in addition to intrusion detection, actions are taken to prevent attacks.
The Snort IPS monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging to the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools that support Snort logs can be used for log collection and analysis.
Snort IPS Solution
The Snort IPS solution consists of the following entities:
- Snort sensor—Monitors the traffic to detect anomalies based on the configured security policies (which include signatures, statistics, protocol analysis, and so on) and sends alert messages to the Alert/Reporting server. The Snort sensor is deployed as a virtual container service on the router.
- Signature store—Hosts the Cisco Signature packages that are updated periodically. These signature packages are downloaded to Snort sensors either periodically or on demand. Validated signature packages are posted to Cisco.com. Based on the configuration, signature packages can be downloaded from Cisco.com or from a local server.
The following domains are accessed by the router in the process of downloading the signature package from cisco.com:
- api.cisco.com
- apx.cisco.com
- cloudsso.cisco.com
- cloudsso-test.cisco.com
- cloudsso-test3.cisco.com
- cloudsso-test4.cisco.com
- cloudsso-test5.cisco.com
- cloudsso-test6.cisco.com
- download-ssc.cisco.com
- dl.cisco.com
- resolver1.opendns.com
- resolver2.opendns.com
Note
If you use a local server to hold the signature packages, only HTTP is supported for downloading from it.
Signature packages must be manually downloaded from Cisco.com to the local server, using Cisco.com credentials, before the Snort sensor can retrieve them.
If the update URL is not specified as an IP address, the Snort container performs a domain-name lookup (using the DNS server(s) configured on the router) to resolve the location for automatic signature updates, whether from Cisco.com or from the local server.
- Alert/Reporting server—Receives alert events from the Snort sensor. Alert events generated by the Snort sensor can be sent to the IOS syslog, to an external syslog server, or to both. No external log servers are bundled with the Snort IPS solution.
- Management—Manages the Snort IPS solution. Management is configured using the IOS CLI. The Snort sensor cannot be accessed directly; all configuration is done through the IOS CLI.