Advanced Security Policies

Advanced security policies enable you to define rules that identify specific traffic patterns and trigger alerts or other actions when a configured condition is met. The Advanced Security Policies page is available with a license for the Advanced Security Module. Choose Definitions > Advanced Security > Advanced Security Policies to display the Advanced Security Policies page; it provides one tab per security policy type:

  • Blacklist: Alert on traffic from or to specific listed hosts.
  • Brute Force: Recognize brute force penetration attacks, based on the number of new connection attempts per second against a security object, and alert on them.
  • DDoS: Recognize DDoS attacks, based on the rate of traffic directed at a particular security object, and alert on them.
  • Exfiltration: Recognize data exfiltration attacks, based on the rate of traffic outbound from a particular security object, and alert on them.
  • New Server: Recognize connection attempts to a security object from a remote host, and alert on them.
  • Threshold (host): Set limits on traffic to a particular host. Host thresholds trigger when a host in the security object crosses the configured threshold.
  • Threshold (port): Set limits on traffic to a particular port. Port thresholds trigger when a port or protocol in the security object crosses the configured threshold.
  • Threshold (security object): Set limits on traffic to a security object as a whole. Security object thresholds trigger when the aggregated value for a security object crosses the configured threshold.

Defining Advanced Security Policies

Advanced security policies furnish the criteria by which one or more security objects can be used to generate alerts, and, optionally, execute actions (security integrations) based on the configured criteria.

Defining advanced security policies involves several processes:

  1. Define security objects at Definitions > Advanced Security > Security Objects. For all advanced security policies, security objects specify hosts or networks based on IP addresses or CIDR ranges that a policy will monitor. You must define at least one security object.
  2. Import or define blacklists, at Definitions > Advanced Security > Blacklists, if you will use blacklist policies. The lists of IP addresses to watch for are defined separately from the policies that specify what should happen when one of those addresses is seen in traffic.
  3. Configure security integrations at Administration > Integration > Security Integration. These are the actions to be executed when a particular threshold is crossed for an associated security object.
  4. Verify the advanced security policy instances at Definitions > Advanced Security > Advanced Security Policies. These are the threshold values and corresponding integrations that are associated with one or more security objects. Default policies are provided, and these can be customized as desired per security object. Optionally, you can change the display units in use (bytes or bits) at Administration > User Preferences, Traffic Data Units.

Common Advanced Security Policy Controls

The tab for each advanced security policy type groups security objects by three categories:

  • Default Policy: Expand this entry to see all the security objects associated with the default policy for this type. By default, each security object inherits the default policy for each advanced security policy type when that security object is created. For each security object, you can choose Edit Default Policy to customize a policy for the security object or Clear Default Policy to delete the threshold values and disable the policy for that security object.
  • Customized Policies: Expand this entry to see all security objects that have had their advanced security policy definition modified from the default.
  • Excluded Security Objects: Expand this entry to see any security objects that are explicitly ignored for this policy type.

For each security object associated with an advanced security policy, you can configure a Low Threshold, Medium Threshold, High Threshold, and one or more integrations (actions). Each threshold is in terms of a metric that drives that policy type. An integration is an action to be executed upon a threshold being crossed. Integrations for Advanced Security Policies are configured at Administration > Integration > Security Integration. One or more integrations can be associated with the policy, and each integration can be enabled for each threshold level: Low, Medium, and High.
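To make the policy model concrete, the following is an added example (not the product's own code) that models the pieces described above: security objects as CIDR ranges, a blacklist tied to a threshold level, per-type Low/Medium/High thresholds, and integrations enabled per level. It aggregates a window of flow records per security object and reports which policies fire at which level. The addresses, thresholds, integration names, flow records and the per-flow record format are all constructed for the example; the product's real metrics, units and internal evaluation may differ.

```python
"""Illustrative evaluation of advanced security policies over flow records.

Added example, not the product's own code. Security objects, blacklists,
thresholds, integration names and flow records are all constructed.
Units follow the page: brute force in new connections per second, DDoS in
bits per second inbound, exfiltration in bytes outbound during the window.
"""
import ipaddress
from collections import defaultdict

# Security objects (Definitions > Advanced Security > Security Objects).
SECURITY_OBJECTS = {
    "dmz-web": [ipaddress.ip_network("203.0.113.0/24")],
    "corp-lan": [ipaddress.ip_network("10.0.0.0/8")],
}

# Blacklists, each tied to the threshold level it should raise.
BLACKLISTS = {"High": {"198.51.100.7"}, "Low": {"192.0.2.99"}}

# Integrations (Administration > Integration > Security Integration),
# enabled per level. The names are hypothetical.
INTEGRATIONS = {
    "Low": ["syslog"],
    "Medium": ["syslog", "email"],
    "High": ["syslog", "email", "block-acl"],
}

# Per-type thresholds as (Low, Medium, High); values are constructed.
POLICIES = {
    "brute_force": (20, 50, 100),      # new connections per second
    "ddos": (50e6, 200e6, 1e9),        # bits per second inbound
    "exfiltration": (50e6, 200e6, 1e9),  # bytes outbound per window
}


def find_object(ip):
    """Return the name of the security object containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in SECURITY_OBJECTS.items():
        if any(addr in net for net in nets):
            return name
    return None


def level_for(value, thresholds):
    """Highest of Low/Medium/High whose threshold the value reaches, or None."""
    low, medium, high = thresholds
    if value >= high:
        return "High"
    if value >= medium:
        return "Medium"
    if value >= low:
        return "Low"
    return None


def evaluate(flows, window_seconds):
    """Aggregate flows per security object and return the triggered alerts.

    Each flow record carries src, dst, bytes and new_conns (the number of new
    connections it represents). Flows with both endpoints inside monitored
    objects are treated as internal and skipped by the rate policies; that is
    a simplification made for this example.
    """
    new_conns = defaultdict(int)
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    alerts = []

    for f in flows:
        src_obj, dst_obj = find_object(f["src"]), find_object(f["dst"])
        # Blacklist policy: any traffic from or to a listed host raises its level.
        for level, hosts in BLACKLISTS.items():
            if f["src"] in hosts or f["dst"] in hosts:
                alerts.append({"policy": "blacklist", "object": dst_obj or src_obj,
                               "level": level, "actions": INTEGRATIONS[level]})
        if dst_obj and not src_obj:        # inbound to a monitored object
            new_conns[dst_obj] += f["new_conns"]
            bytes_in[dst_obj] += f["bytes"]
        elif src_obj and not dst_obj:      # outbound from a monitored object
            bytes_out[src_obj] += f["bytes"]

    metrics = {
        "brute_force": {o: n / window_seconds for o, n in new_conns.items()},
        "ddos": {o: b * 8 / window_seconds for o, b in bytes_in.items()},
        "exfiltration": dict(bytes_out),
    }
    for policy, thresholds in POLICIES.items():
        for obj, value in metrics[policy].items():
            level = level_for(value, thresholds)
            if level:
                alerts.append({"policy": policy, "object": obj, "level": level,
                               "value": value, "actions": INTEGRATIONS[level]})
    return alerts


# Constructed 10-second window of flow records.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "bytes": 400_000, "new_conns": 600},
    {"src": "192.0.2.5", "dst": "203.0.113.10", "bytes": 1_300_000_000, "new_conns": 1},
    {"src": "10.1.2.3", "dst": "192.0.2.50", "bytes": 250_000_000, "new_conns": 1},
    {"src": "10.1.2.3", "dst": "10.1.2.4", "bytes": 900_000_000, "new_conns": 5},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS, 10):
        print(alert)
```

Run on the sample window, the blacklisted host raises a High blacklist alert against dmz-web, the 601 new connections in 10 seconds (60.1/s) reach the brute force Medium threshold, the inbound volume (about 1.04 Gbit/s) crosses the DDoS High threshold, and the 250 MB leaving corp-lan reaches the exfiltration Medium threshold; the internal flow contributes to nothing. Each alert carries the integrations enabled for its level, which is the "one or more integrations, each enabled per threshold level" arrangement the page describes.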

Blacklist Tab

The Blacklist tab enables you to specify the thresholds and security integrations associated with blacklists. Blacklists are configured at Definitions > Advanced Security > Blacklists, and can be accessed also using the Manage Blacklists button in the Blacklist tab.

The default blacklist policy consists of one or more blacklists associated with each threshold level: Low, Medium, and High. Each blacklist contains the IP addresses that raise the threshold level it is associated with when they appear in traffic.

Brute Force Tab

The Brute Force tab enables you to associate policies and integrations with brute force penetration attacks. This policy type is driven by the number of new connections per second against a security object.

DDoS Tab

The DDoS tab enables you to associate policies and integrations with distributed denial of service attacks. The thresholds can be based on bits per second or packets per second.

Exfiltration Tab

The Exfiltration tab enables you to associate policies and integrations with the transfer of data out to remote hosts. The thresholds are based on the bytes of data sent outbound over the associated ports.

New Server Port Tab

The New Server Port tab enables you to associate policies and integrations with connection attempts to a security object from a remote host.

Threshold (host) Tab

The Threshold (host) tab enables you to associate policies and integrations with individual hosts.

Threshold (port) Tab

The Threshold (port) tab enables you to associate policies and integrations with individual ports or protocols.

Threshold (security object) Tab

The Threshold (security object) tab enables you to associate policies and integrations with individual security objects.

Disabling an Advanced Security Policy

Choosing Clear Default Policy for a security object clears its threshold values for that policy type, which effectively disables the policy for that security object.