Collaborative Detection & Response, also known as CDR, is a technology that enhances the security of your network. It allows the network edge (for example the AP that a wireless client is connected to) to identify virus-infected end devices.
More information and a full description of all features around CDR can be found here: Collaborative Detection & Response
Please note: CDR is a licensed security feature - it is contained within the bundle licences and currently applies only to gateways of the ATP Series and USG FLEX Series. There are also limitations regarding the supported APs (see the very bottom of this article, or check the link above for always up-to-date information).
A New Connected Security Frontier
Collaborative Detection & Response (CDR) identifies threats and risks posed in the organization workforce, workload, and workplace. Depending on the attack frequency and threat level, it generates a protection rule. The integrated cloud threat intelligence takes a great leap forward to adopt this generated protection rule to automatically stop threats at the network edge by blocking or quarantining, preventing damage to the network. It’s a perfect fit for SMB(s) to address the requirements of a decentralized, IoT-driven network infrastructure.
Technical Details
CDR covers the following vulnerabilities, meaning it can detect attacks against them at the network edge:
Vulnerabilities covered by the included IDP signatures:
- CVE-2019-0708: Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2020-0796: Microsoft Windows SMB 3.1.1 Remote Code Execution attempt
- ID 117723: Microsoft Windows SMB large NT RENAME transaction request information leak attempt
- ID 117724/117726: Microsoft Windows SMB remote code execution attempt
Configuration
CDR can be configured via:
The three different containment behaviours are explained below:
- Alert
  - Send an alert mail only.
- Block
  - Wired client: block the client's IP traffic and show the block page to the client.
  - Wi-Fi client: the client stays associated to the AP; its IP traffic is blocked and the block page is shown.
  - Block Wireless Client: the managed AP disassociates the client and blocks its MAC address.
- Quarantine
  - Wired client: block the client's IP traffic and show the block page to the client.
  - Wi-Fi client: disassociate the client and assign it to the quarantine VLAN.
In the Exempt List you can add devices that CDR must not act on - for example servers or similar devices that are crucial for the entire network to work.
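To make the containment table above concrete, here is a small Python model of it (an added illustration, not Zyxel's code): it applies the Exempt List first, then picks the actions for the configured mode and client type, and honours the `cdr blocked-by ip | mac` default described under Miscellaneous below. The mode names, the exempt-list matching by IP/CIDR or MAC address, and the quarantine VLAN id are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MODES = ("alert", "block", "block-wireless", "quarantine")  # assumed names


@dataclass
class CdrPolicy:
    """Containment settings as the article lists them (mode names are assumed)."""
    mode: str                     # one of MODES
    blocked_by: str = "ip"        # default per the article; may be "ip" or "mac"
    exempt: list = field(default_factory=list)  # IPs, CIDR networks or MAC addresses
    quarantine_vlan: int = 999    # assumed VLAN id; the article names none

    def is_exempt(self, ip: str, mac: str) -> bool:
        """Exempt List match: a MAC entry, or an IP/network entry containing the client IP."""
        for entry in self.exempt:
            if entry.lower() == mac.lower():
                return True
            try:
                if ip_address(ip) in ip_network(entry, strict=False):
                    return True
            except ValueError:  # entry is a MAC (not an IP/CIDR), already compared above
                continue
        return False

    def contain(self, ip: str, mac: str, client: str) -> list:
        """Actions for one detected client; client is "wired" or "wifi"."""
        if client not in ("wired", "wifi") or self.mode not in MODES:
            raise ValueError(f"bad client type {client!r} or mode {self.mode!r}")
        if self.is_exempt(ip, mac):
            return []  # exempt devices are never contained
        if self.mode == "alert":
            return ["send alert mail"]
        ident = ip if self.blocked_by == "ip" else mac  # honours `cdr blocked-by ip | mac`
        # Wired clients are handled the same way in Block and Quarantine mode;
        # a Wi-Fi client in plain Block mode stays associated to the AP.
        if self.mode == "block" or client == "wired":
            return [f"block traffic from {ident}", "show block page"]
        if self.mode == "block-wireless":
            return ["disassociate from managed AP", f"block MAC {mac}"]
        return ["disassociate from managed AP", f"assign quarantine VLAN {self.quarantine_vlan}"]


# Constructed sample policy: the server subnet and one management box are exempt.
POLICY = CdrPolicy(mode="quarantine", exempt=["192.168.10.0/24", "AA:BB:CC:DD:EE:FF"])

if __name__ == "__main__":
    print(POLICY.contain("192.168.10.5", "00:11:22:33:44:55", "wired"))  # [] (exempt)
    print(POLICY.contain("192.168.20.7", "00:11:22:33:44:66", "wifi"))
```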
CDR - Miscellaneous
- Detected clients are blocked by IP address by default; this can be changed via the CLI:
  - Router(config)# cdr blocked-by ip | mac
- The containment list is retained on the gateway/managed AP even across reboots.
- Service licenses are required:
  - ATP Series: included in the Gold Security Pack
  - USG FLEX Series: CDR is included in the UTM Security Pack
- Supported APs (gateway firmware v5.00): WAX650S / WAX610D / WAX510D / WAC500 / WAC500H
- The APs must be upgraded to firmware v6.20.