Deploy cognitix Threat Defender as an IDS at the Network Perimeter

The following setup illustrates how cognitix Threat Defender can be deployed as an IDS at the network perimeter. In this setup, it extends a high-availability P-A-P stack consisting of genugates and genuscreens.

[Figure: cTD as a perimeter IDS]

cognitix Threat Defender used as an IDS at the network perimeter.

Tip

The P-A-P concept is recommended by the BSI (German Federal Office for Information Security). A packet filter, an application level gateway, and a second packet filter are combined so that all traffic has to pass through all three components. This type of three-tier firewall architecture is used primarily to separate two networks that differ significantly in trust level, e.g. to separate the internet from an intranet.

In this setup, cognitix Threat Defender is connected to the network-facing switch, for example via a mirror port. This places it at the perimeter between the external network and the first packet filter. Here, Threat Defender can see and analyze all incoming external traffic as well as all outgoing traffic.

To ensure high availability, each Threat Defender is connected to the genuscreen appliances in both legs of the P-A-P. This way, traffic information is shared between the two Threat Defender instances, so no information is lost if one component fails and the active P-A-P leg is switched over.

Used as a perimeter IDS, cognitix Threat Defender complements the P-A-P system in the following ways:

  • Analysis of tunneled and encrypted communication.

  • Additional monitoring of services that cannot be sufficiently controlled, such as protocols for which application gateways are not available.

  • Detection and monitoring of external access that is not routed through the firewall, e.g. via modems.

  • Verification that the firewall is working according to its specifications.

cognitix Threat Defender compares the network traffic to a bundle of IDS/IPS feeds from multiple sources (see Intelligence Database). If a threat indicator is discovered, the policy engine can be used to log the event and/or intercept the affected traffic.

Under Threats > Incident Logs, the detected IDS hits are shown over time and by severity. You can filter the incident logs and create PDF reports (see Incident Logs).

By creating custom IPS rule sets, you can control in detail what traffic is to be logged and/or blocked. See IPS Settings.

This setup can quickly be adapted to integrate cognitix Threat Defender actively and use it as an IPS. The only required change is the connection: instead of a mirror port, which only delivers a copy of the traffic, cognitix Threat Defender must be placed inline so that it can intercept the traffic and enforce the policy.