Cisco Press - CCSP IPS Quick Reference

51 1,7K 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Pages: 51
Size: 1.49 MB


CCSP IPS Quick Reference

Anthony Sequeira

ciscopress.com

Contents

Chapter 1: Introducing Intrusion Detection and Prevention ... 3
Chapter 2: Installation of a Typical Sensor ... 15
Chapter 3: Cisco Intrusion Detection and Prevention Signatures ... 21
Chapter 4: Advanced Configurations ... 31
Chapter 5: Additional Intrusion Detection and Prevention Devices ... 43
Chapter 6: Monitoring and Maintenance ... 48

CCSP IPS Quick Reference
By Anthony Sequeira
ISBN: 9781587055713
Publisher: Cisco Press
Prepared for Tran Huong, Safari ID: thuong@CISCO.COM
Licensed by Tran Huong

This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use privilege under U.S. copyright laws (see 17 USC 107) or that otherwise violates the Safari Terms of Service is strictly prohibited.


About the Author

Anthony Sequeira (CCIE-R/S #15626) possesses high-level certifications from both Cisco and Microsoft. For the past 15 years, he has written and lectured to massive audiences about the latest in networking technologies. He is a certified Cisco instructor with Thomson NETg. He lives with his wife and daughter in Tampa, Florida.

About the Technical Editor

Ronald Trunk, CCIE, CISSP, is a highly experienced consultant and network architect with a special interest in secure network design and implementation. He has designed complex multimedia networks for both government and commercial clients. He is the author of several articles on network security and troubleshooting. He lives in suburban Washington, D.C.

© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 52 for more details.


CHAPTER 1

Introducing Intrusion Detection and Prevention

Understanding Intrusion Prevention and Detection

Cisco provides for intrusion detection and prevention in a variety of ways in its current security portfolio. You might add this powerful tool to your network via a dedicated hardware appliance known as a sensor. Or you might add this functionality using a network module inserted into a router or switch. However you decide to implement the technology, the goal is the same: to take some action based on an attack introduced into your network. This action might be to alert the network administrator via an automated notification, or it might be to prevent the attack by dropping the packet at a device.

Intrusion Prevention Versus Intrusion Detection

Intrusion detection is powerful in that you can be notified when potential problems or attacks are introduced into your network. However, detection cannot prevent attacks from occurring. Detection cannot prevent attacks because it operates on copies of packets. Often these copies of packets are received from another Cisco device (typically a switch). Sensors that operate using intrusion detection are said to run in promiscuous mode.

Intrusion prevention is more powerful because potential threats and attacks can be stopped from entering your network or a particular network segment. The sensor can perform prevention because it operates inline with packet flows.


An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems. For example, if poor passwords are in use on your network, a password-cracking package might be the exploit aimed at this vulnerability.

False Alarms

False alarms are IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable.


True Alarms

The two types of true alarms in IPS terminology are true positive and true negative. Both are desirable.

True Positive

A true positive means that the IPS device recognized and responded to an attack.

True Negative

This means that nonoffending or benign traffic did not trigger an alarm.

Promiscuous Versus Inline Mode

IDS/IPS sensors operate in promiscuous mode by default. This means that a device (often a switch) captures traffic for the sensor and forwards a copy for analysis to the sensor. Because the device works with a copy of the traffic, the device performs IDS. It can detect an attack and send an alert (as well as take other actions), but it does not prevent the attack from entering the network or a network segment. It cannot prevent the attack because it does not operate on traffic inline in the forwarding path. Figure 1 shows a promiscuous mode IDS implementation.


If a Cisco IPS device operates in inline mode (see Figure 2), it can perform prevention as opposed to mere detection. This is because the IPS device is in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet).


[Figure 1: Promiscuous mode (IDS). Diagram labels: Attack, Copy of Attack, Management System]


To configure inline mode, you need two monitoring interfaces that are defined in the sensor as an inline pair. This pair of interfaces acts as a transparent Layer 2 structure that can drop an attack that fires a signature.

Keep in mind that a sensor could be configured inline and could be set up so that it only alerts and doesn’t drop packets. This would be an example of an inline configuration where only IDS is performed.

IPS version 6.0 software permits a device to do promiscuous mode and inline mode simultaneously. This would allow one segment to be monitored for IDS only while another segment features IPS protection.


[Figure 2: Inline mode (IPS). Diagram labels: Attack, Management System]


Approaches to Intrusion Prevention

Signature-Based

Although Cisco uses a blend of detection and prevention technologies, signature-based IPS is the primary tool that Cisco IPS solutions use. Cisco releases signatures that are added to the device; they identify a pattern that the most common attacks present. This tool is much less prone to false positives and ensures that the IPS devices stop common threats. This type of approach is also called pattern matching. As different types of attacks are created, these signatures can be added, tuned, and updated to deal with the new attacks.

Anomaly-Based

This type of intrusion prevention technology is often called profile-based. It attempts to discover activity that deviates from what an engineer defines as “normal.” Because it can be so difficult to define what is “normal” activity for a given network, this approach tends to be prone to a high number of false positives.

The two common types of anomaly-based IPSs are statistical anomaly detection and nonstatistical. The statistical approach learns about the traffic patterns on the network itself, and the nonstatistical approach uses information coded by the vendor.

Policy-Based

With this type of technology, the security policy is “written” into the IPS device. Alarms are triggered if activities are detected that violate the security policy coded by the organization. Notice how this differs from signature-based. Signature-based focuses on stopping common attacks, and policy-based is more concerned with enforcing the organization’s security policy.


Protocol Analysis-Based

This approach is very similar to signature-based, but it looks deeper into packets because of a protocol-based inspection of the packet payload that can occur. Whereas most signatures examine rather common settings, protocol analysis-based can do much deeper packet inspection and is more flexible at finding some types of attacks.

Exploring Evasive Techniques

Because attackers are aware of IPS technologies, they have developed methods of countering these devices in an attempt to continue attacks on network systems.

String Match

In this type of attack, strings in the data are changed in minor ways in an attempt to evade detection. Obfuscation is one method, in which control characters, hexadecimal representation, or Unicode representation help disguise the attack. Another string-match type of evasive technique is to simply change the string’s case.

Fragmentation

With this evasive measure, the attacker breaks the attack packets into fragments so that they are more difficult to recognize. Fragmentation adds a layer of complexity for the sensor, which now must engage in the resource-intensive process of reassembling the packets.

Session

In this type of attack, the attacker spreads the attack using a large number of very small packets, not using fragmentation in the approach. TCP segment reassembly can be used to combat this evasive measure.


Insertion

In this evasive technique, the attacker inserts data that is harmless along with the attack data. The IPS sensor does not fire an alert because of the harmless data. The end system ignores the harmless data and processes only the attack data.

Evasion

With this type of evasive technique, the attacker causes the sensor to see a different data stream than the intended victim. Unlike the insertion attack, the end system sees more data than the sensor, which results in an attack.

TTL-Based

One way to implement an insertion attack is to manipulate fragments’ time-to-live value. With this evasive procedure, the IPS sensor sees a different data stream than the end system because of the manipulation of the TTL field in the IP header.

Encryption-Based

This is a very effective means of having attacks enter the network. The attacker sends the attack via an encrypted session. The IPS device cannot detect the encrypted attack. Because this method of foiling the IPS device exists, care must be taken to ensure that attackers cannot establish encrypted sessions.

Resource Exhaustion

Another evasive approach is to simply overwhelm the sensor. Often, attackers simply try to overwhelm the physical device or the staff in charge of monitoring by flooding the device with alarm conditions.
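As an added example (not from the Quick Reference or from Cisco), the following Python models the sensor-side countermeasures this section names: payload normalization against string-match obfuscation, fragment and TCP segment reassembly against fragmentation and session evasion, and hop-count-aware reassembly against TTL-based insertion. The signature strings, the Chunk type, the hops_to_target heuristic and all traffic are constructed for illustration.

```python
"""Sensor-side handling of the evasive techniques named above.

Added example with constructed traffic; it is not Cisco IPS code.  The
signature strings, the Chunk type and the hop-count heuristic are
assumptions made for illustration.
"""
import unicodedata
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample signatures: substrings the sensor fires on after
# the payload has been normalized.
SIGNATURES = {"passwd-read": "/etc/passwd", "cmd-shell": "cmd.exe"}


def normalize(payload: str) -> str:
    """Undo string-match obfuscation before pattern matching.

    Order matters: decode %xx hex escapes, fold Unicode compatibility
    forms (fullwidth letters and slashes) to ASCII, drop control
    characters, then fold case.
    """
    text = urllib.parse.unquote(payload)
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if ch.isprintable())
    return text.lower()


def inspect(payload: str) -> List[str]:
    """Names of the signatures that match the normalized payload."""
    canon = normalize(payload)
    return [name for name, pattern in SIGNATURES.items() if pattern in canon]


@dataclass(frozen=True)
class Chunk:
    """One IP fragment or TCP segment as the sensor captured it.

    offset: position in the reassembled stream (fragment offset or
    relative sequence number); ttl: IP TTL observed at the sensor.
    """
    offset: int
    data: bytes
    ttl: int = 64


def reassemble(chunks: List[Chunk], hops_to_target: Optional[int] = None) -> bytes:
    """Rebuild the stream the end host will see from out-of-order,
    overlapping chunks.

    Overlaps resolve first-arrival-wins, as a sensor with no further
    knowledge would do.  If the sensor knows how many hops away the
    protected host is, chunks whose TTL cannot reach it are discarded:
    the host never receives them, so they must not shadow the bytes
    that do arrive.  That is the TTL-based insertion case above.
    """
    stream: Dict[int, int] = {}
    for chunk in chunks:  # arrival order, not offset order
        if hops_to_target is not None and chunk.ttl < hops_to_target:
            continue  # expires in transit; the end host never sees it
        for i, byte in enumerate(chunk.data):
            stream.setdefault(chunk.offset + i, byte)
    return bytes(stream[k] for k in sorted(stream))


def inspect_chunks(chunks: List[Chunk], hops_to_target: Optional[int] = None) -> List[str]:
    """What a sensor doing fragment/segment reassembly reports."""
    return inspect(reassemble(chunks, hops_to_target).decode("latin-1"))


# --- Constructed test traffic (sample data, not captures) -------------

# String-match obfuscations of one request: hex escapes, fullwidth
# Unicode, an embedded control character, and a case change.
OBFUSCATED = [
    "GET /%2e%2e/%65tc/passwd HTTP/1.0",
    "GET /..\uff0f\uff45tc/passwd HTTP/1.0",
    "GET /../et\x00c/passwd HTTP/1.0",
    "GET /../ETC/PASSWD HTTP/1.0",
]

# Session evasion: the request arrives as 2-byte TCP segments, out of order.
TINY_SEGMENTS = [Chunk(i, b"GET /etc/passwd"[i:i + 2]) for i in range(14, -1, -2)]

# TTL-based insertion: a decoy chunk overlapping the real bytes arrives
# first, with a TTL that expires before a host five hops away.
TTL_INSERTION = [
    Chunk(0, b"GET /e"),
    Chunk(6, b"XXXXXX", ttl=3),  # decoy: the sensor sees it, the host never does
    Chunk(6, b"tc/pas"),
    Chunk(12, b"swd"),
]
```

Without hops_to_target the reassembler reproduces the blind spot the TTL-Based paragraph describes; with it, the decoy chunk is ignored and the signature fires on what the host actually receives.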


Cisco Solutions and Products

Cisco offers many products and solutions that address the need for intrusion detection and/or prevention in your network infrastructure. These Quick Reference Sheets focus on Cisco products that can run version 6.0 of the Cisco IPS Sensor Software. This version adds many new features, including the following:

- Virtualization support: Allows different policies for different segments that are being monitored by a single sensor.
- New signature engines: Additions that cover Server Message Block and Transparent Network Substrate traffic.
- Passive operating system fingerprinting: A set of features that enables Cisco IPS to identify the operating system of the victim of an attack.
- Improved risk and threat rating system: The risk rating helps with alerts and is now based on many different components to improve the sensor’s performance and operation.
- External product interface: Allows sensors to subscribe to events from other devices.
- Enhanced password recovery: Password recovery no longer requires reimaging.
- Improved Cisco IDM: A new and improved GUI for management.
- Anomaly detection: Designed to detect worm-infested hosts.

Cisco Sensor Family

The Cisco sensor family includes the following devices:

- Cisco IDS Network Module
- Cisco IDS 4215 Sensor
- Cisco IDS 4240 Sensor
- Cisco ASA AIP-SSM


- Cisco IPS 4255 Sensor
- Cisco Catalyst 6500 Series IDSM-2
- Cisco IPS 4260 Sensor

The following legacy devices also can run IPS 6.0 software:

- Cisco IDS 4235 Sensor
- Cisco IDS 4250 XL Sensor

Sensor Software Solutions

You have many options for configuring and managing Cisco sensors. Also, the sensor operating systems and overall architecture are worth exploring for the certification exam and beyond.

IPS Sensor Software Architecture

IPS sensor software version 6.0 runs on the Linux operating system. The components include the following:

- Event Store: Provides storage for all events.
- SSH and Telnet: By default, Telnet is disabled.
- Intrusion Detection Application Programming Interface (IDAPI)
- MainApp
- SensorApp: For packet capture and analysis.
- Sensor interfaces


Management Options

For a single device (element management), options include the following:

- Command-line interface (CLI)
- Cisco IDM (IPS Device Manager), a graphical user interface

For multiple-device management (Enterprise management), options include the following:

- Cisco IPS Event Viewer
- Cisco Security Manager
- Cisco Security Monitoring, Analysis, and Response System (MARS)


Deploying Sensors

Consider these technical factors when selecting sensors for deployment in an organization:

- The network media in use
- The performance of the sensor
- The overall network design
- The IPS design: Will the sensor analyze and protect many systems, or just a few?
- Virtualization: Will multiple virtual sensors be created in the sensor?

Here are some important issues to keep in mind for an IPS design:

- Your network topology: Size and complexity, connections, the amount and type of traffic
- The placement of sensors: Recommended to be placed at entry and exit points that provide sufficient IPS coverage
- Your management and monitoring options: The number of sensors often dictates the level of management you need.

Locations that generally need to be protected include the following:

- Internet: The sensor between your perimeter gateway and the Internet
- Extranet: Between your network and extranet connection
- Internal: Between internal data centers
- Remote access: Hardens perimeter control
- Server farm: The network IPS at the perimeter and host IPS on the servers


CHAPTER 2

Installation of a Typical Sensor

The Command-Line Interface (CLI)

The CLI is much like the IOS version, but with fewer commands and different modes. You can access the CLI using

- Telnet (disabled by default)
- SSH
- The serial interface

The default username is cisco, with a default password of cisco. You are prompted to change these upon the first login.

The CLI can be used to

- Initialize the sensor
- Configure
- Administer
- Troubleshoot
- Monitor

Two modes of the CLI differ from a router:

- Service mode: Used to edit a service. You enter it using the command service service-name.
- Multi-instance service mode: Some of the services are multi-instance services to support virtualization. To enter this mode, you use the command service service-name logical-instance-name.


Initializing the Sensor

The setup command at the CLI walks you through initialization. You can do the following:

- Assign a hostname to the sensor. This is case-sensitive. It defaults to sensor.
- Assign an IP address to the command and control interface. The default is 10.1.9.201/24.
- Assign a default gateway. The default is 10.1.9.1.
- Enable or disable the Telnet server. Telnet is disabled by default.
- Specify the web server port. The default is 443.
- Create network ACLs that can access the sensor for management.
- Configure the date and time.
- Configure the sensor interfaces.
- Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs.
- Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.

Common CLI Configuration Tasks

Here are some common commands that are available for use at the CLI:

- ping
- trace
- banner login
- show version
- copy /erase source-url destination-url: The erase option erases the destination file before copying.
- copy current-config backup-config


- copy /erase backup-config current-config
- more keyword: Displays configs.
- show settings
- show events

Using the Intrusion Prevention System Device Manager

The Cisco IDM, shown in Figure 3, is a superb web-based graphical user interface for managing the IPS device. To maintain security, the IDM and the client engage in TLS and SSL. The server uses a trusted host certificate to verify the identity of the management workstation. The client uses a server certificate to ensure the identity of the IPS device.

[Figure 3: Cisco IDM]


The version 6.0 sensor software uses Security Device Event Exchange (SDEE) for communication, but it still relies on Remote Data Exchange Protocol (RDEP2) to communicate configuration and IP log information.

SDEE is an IPS communications protocol developed by Cisco. Through SDEE, IPS software version 6 provides an application programming interface (API) for the sensor itself. SDEE is an enhancement to the earlier RDEP.

The Cisco IDM runs on the following:

- Windows 2000, XP: Internet Explorer 6 with Java Plug-in 1.5, Netscape 7.1 with Java Plug-in 1.5
- Sun SPARC Solaris 2.8 or 2.9: Mozilla 1.7
- Red Hat 9.0 or Red Hat Enterprise Linux WS, version 3 running GNOME or KDE: Mozilla 1.7

To log in to the IDM, enter https://sensor_ip_address. The default address is 10.1.9.201 if you did not provide one during setup.

After you are in the IDM, you can configure the general network settings (such as hostname and IP address) by choosing Configuration > Sensor Setup > Network.

To display or re-create the sensor’s SSH host key, choose Configuration > Sensor Setup > SSH > Sensor Key.

To reboot the sensor, choose Configuration > Reboot.

To shut down the sensor, choose Configuration > Shut Down Sensor. For both the reboot and shutdown, the sensor delays for 30 seconds. The logged-in users are notified that the sensor is shutting down.

Configuring Basic Sensor Settings

This section provides guidance for completing the basic sensor setup. As soon as these tasks are complete, a very basic sensor configuration will be in place in your network. The sensor will generate alarms for potentially unsafe traffic that it sees. Although many of these tasks may have been completed using the setup command at the command line, this section focuses on using the IDM for sensor configuration.


Configuring Allowed Hosts

To configure the hosts that are allowed to access the sensor for management and configuration, choose Configuration > Sensor Setup > Allowed Hosts.

Setting the Time

It is very important that the sensor knows the correct time; accurate timestamps make event information far more valuable and let you correlate sensor events with logs from other devices. For a standalone sensor, use NTP or, if you must, set the time manually. For the Cisco Catalyst 6500 IDSM-2, use the parent device's time or NTP. For the AIP-SSM, use the parent device's time or NTP. To find the time settings on the sensor, choose Configuration > Sensor Setup > Time.

Configuring Certificates

The sensor uses certificates to prove its identity to other Cisco devices on the network and to verify the identity of those devices.

The sensor generates a self-signed server certificate when it first starts. You can view this certificate and generate a new one by choosing Configuration > Sensor Setup > Certificates > Server Certificate. Before you trust the certificate in a browser or on another device, compare its fingerprint with the one shown in IDM (or with the output of show tls fingerprint at the sensor CLI).

The Trusted Hosts area lists all the trusted host certificates your sensor accepts from other Cisco devices. To modify this list, choose Configuration > Sensor Setup > Certificates > Trusted Hosts.

User Accounts

When creating user accounts on the sensor for management, you can choose from one of four roles:

n Administrator has the highest level of privileges.

n Operator can view all configuration and events.


n Viewer cannot modify any configuration except its own password.

n Service is a special role for troubleshooting by TAC. Only one service account is allowed per sensor.

Only one user at a time can log in to IDM.

Create users by choosing Configuration > Sensor Setup > Users.

Interface Roles

Each sensor has one command and control interface for management purposes. Depending on the sensor, you can configure up to nine monitoring interfaces. An interface can function as the command and control interface, as a monitoring interface, or as an alternate TCP reset interface. The alternate TCP reset interface is used when a monitoring interface operates in promiscuous mode and cannot send TCP reset packets out the same interface on which the attack was detected.

Monitoring interfaces can operate in one of four modes:

n Promiscuous mode: Packets do not flow through the sensor; it inspects a copy of the traffic, so it cannot drop packets and adds no latency to the traffic path. Promiscuous interfaces can coexist on a sensor that also has interfaces configured for inline mode.

n Inline mode: Traffic passes through the sensor. Two monitoring interfaces must be configured as an inline interface pair.

n Inline VLAN pair mode: The monitoring interface acts as an 802.1Q trunk port, and the sensor bridges between pairs of VLANs on the trunk.

n VLAN group mode: Each physical interface can be divided into VLAN group subinterfaces. This lets a sensor with only a few interfaces act as if it had many, which is critical when you are using virtualization.

Configuring Interfaces

To set up monitoring interfaces, choose Configuration > Interface Configuration > Interfaces.


Software and Hardware Bypass Mode

The software bypass feature allows the sensor to continue passing traffic even if the sensor software fails. It is intended for use only with inline interface pairs. You configure it by choosing Configuration > Interface Configuration > Bypass. The possible modes are Auto, Off, and On. Auto (the default) passes traffic uninspected only while the analysis engine is unavailable; Off stops forwarding traffic whenever inspection is not possible (fail-closed); On makes the sensor act as a simple bridge and never inspect traffic. Hardware bypass complements software bypass: the four-port Gigabit Ethernet bypass card supports hardware bypass only between ports 0 and 1 and between ports 2 and 3.

Viewing Events

Following the steps described in this chapter puts a basic configuration on the sensor, and the sensor now produces alerts based on its default signature settings. You can easily view the events triggered by enabled signatures in IDM by choosing Monitoring > Events.

CHAPTER 3

Cisco Intrusion Detection and Prevention Signatures

Configuring Signatures and Alerts

Signatures are the foundation of IPS. This chapter shows you how to tune and configure signatures to control how the sensor behaves. There are default signatures, tuned signatures (default signatures that you have modified), and your own custom signatures. By default, all built-in signatures generate an alert when fired.

Frequent configuration tasks include enabling or disabling signatures and defining the actions that should occur when a signature fires.

To access the signatures for configuration, choose Configuration > Signature Definitions > Signature Configuration.


Here are the possible actions that you can configure in response to a signature firing:

n Deny attacker inline terminates the current packet and all future packets from the attacker address. This is the most severe of the deny actions.

n Deny attacker service pair inline terminates the current packet and future packets from the attacker address to the victim port.

n Deny attacker victim pair inline terminates the current packet and future packets from the attacker address to the victim address.

n Deny connection inline terminates the current packet and future packets on the same flow.

n Deny packet inline terminates only the current packet.

n Log attacker packets starts IP logging for the attacker address and sends an alert.

n Log pair packets starts IP logging for the attacker and victim pair and sends an alert.

n Log victim packets starts IP logging for the victim address and sends an alert.

n Produce alert writes an alert to the event store.

n Produce verbose alert includes a copy of the offending packet in the alert.

n Request block connection sends a request to a blocking device to block the connection.

n Request block host sends a request to a blocking device to block the attacker host.

n Request SNMP trap sends a trap to the configured SNMP manager.

n Reset TCP connection sends TCP resets to tear down the connection.

Notice that many of the response actions to a signature firing involve denying attackers access to your protected network. To manage denied attackers, choose Monitoring > Denied Attackers.
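The deny actions differ only in how wide a net the resulting deny entry casts. The following Python model, added here as an example and not code from the Cisco Press text or from the sensor, shows that difference on a constructed packet stream. The addresses, ports, the "EXPLOIT" marker used as a stand-in for a signature match, and the fact that entries never expire (a real sensor ages them out after a configurable deny duration) are all assumptions of the example.

```python
# Added example (not from the Cisco Press text): a model of the scope of the
# inline deny actions. Packets, addresses and the "signature" are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: str = ""

    def flow(self) -> Tuple[str, int, str, int, str]:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


# When a signature fires on packet p with a given deny action, the sensor adds a
# deny entry. Each entry here is a predicate over later packets q. (A real sensor
# also ages these entries out after a configurable deny duration; this model
# keeps them for the whole run.)
DENY_ACTIONS: Dict[str, Callable[[Packet], Callable[[Packet], bool]]] = {
    # any packet from the attacker address
    "deny-attacker-inline": lambda p: (lambda q: q.src == p.src),
    # attacker address + victim port
    "deny-attacker-service-pair-inline": lambda p: (lambda q: q.src == p.src and q.dport == p.dport),
    # attacker address + victim address
    "deny-attacker-victim-pair-inline": lambda p: (lambda q: q.src == p.src and q.dst == p.dst),
    # only the 5-tuple flow the triggering packet belonged to
    "deny-connection-inline": lambda p: (lambda q: q.flow() == p.flow()),
    # only the triggering packet; no entry survives it
    "deny-packet-inline": lambda p: (lambda q: False),
}


def looks_malicious(p: Packet) -> bool:
    """Stand-in for a signature match (constructed: a marker string in the payload)."""
    return "EXPLOIT" in p.payload


def simulate(action: str, packets: List[Packet], trigger=looks_malicious) -> List[Tuple[Packet, str]]:
    """Pass packets through an inline sensor in order and return (packet, verdict)."""
    deny_entries: List[Callable[[Packet], bool]] = []
    verdicts: List[Tuple[Packet, str]] = []
    for p in packets:
        if any(entry(p) for entry in deny_entries):
            verdicts.append((p, "denied"))      # matched an earlier deny entry
        elif trigger(p):
            deny_entries.append(DENY_ACTIONS[action](p))
            verdicts.append((p, "denied"))      # the triggering packet itself is always dropped
        else:
            verdicts.append((p, "forwarded"))
    return verdicts


# Constructed traffic: one exploit attempt followed by four benign packets that
# differ from it in flow, service, victim or attacker.
SAMPLE = [
    Packet("198.51.100.7", 40001, "192.0.2.10", 80, payload="GET /EXPLOIT"),  # fires
    Packet("198.51.100.7", 40001, "192.0.2.10", 80),    # same flow
    Packet("198.51.100.7", 40002, "192.0.2.10", 443),   # same attacker and victim, other service
    Packet("198.51.100.7", 40003, "192.0.2.20", 80),    # same attacker and service, other victim
    Packet("203.0.113.5", 51000, "192.0.2.10", 80),     # unrelated client, never denied
]


def denied_count(action: str, packets: List[Packet] = SAMPLE) -> int:
    """Number of packets the given deny action drops from the sample stream."""
    return sum(1 for _, verdict in simulate(action, packets) if verdict == "denied")


if __name__ == "__main__":
    for action in DENY_ACTIONS:
        print(f"{action:36s} denies {denied_count(action)} of {len(SAMPLE)} packets")
```

Run it and the ordering in the list above falls out of the counts: deny packet drops 1 packet, deny connection 2, the two pair actions 3 each (a different 3), and deny attacker 4. The unrelated client is forwarded in every case, which is the point of choosing the narrowest action that still stops the attack: a too-wide deny entry against a spoofed or shared source address is itself a denial of service.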


The Summary mode common parameter controls the number of alarms generated:

n Fire Once fires a single alarm for each address set.

n Fire All fires an alarm for every event that matches the signature characteristics.

n Summarize consolidates the alarms for each address set into one summary alarm.

n Global summarize consolidates the alarms for all address combinations into a single summary alarm.

Summary threshold and global summary threshold values allow you to configure automatic summarization based on the number of alerts detected: when the count passes the threshold, the sensor escalates from firing every alarm to summarizing them. This prevents you from being overwhelmed by a large number of events produced by the sensor, and it also limits how far an attacker can flood the event store with a single noisy signature.
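To see how the four modes and the two thresholds change what reaches the event store, here is a Python model of one signature over one summary interval. It is an added example, not code from the Cisco Press text or from the sensor. The ten-event stream, the custom signature ID 60001, and the choice of the attacker/victim address pair as the "address set" are assumptions of the example; the sensor's real summarization also involves parameters this page does not cover.

```python
# Added example (not from the Cisco Press text): how summary mode and the summary
# thresholds change the number of alarms one signature produces in one interval.
# The event stream and signature ID are constructed; the address set is assumed to
# be the attacker/victim address pair.
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    sig_id: int
    attacker: str
    victim: str


@dataclass(frozen=True)
class Alarm:
    sig_id: int
    kind: str                               # "alert", "summary" or "global-summary"
    address_set: Optional[Tuple[str, str]]  # None for a global summary
    count: int                              # events the alarm stands for


MODES = {"fire-all", "fire-once", "summarize", "global-summarize"}


def alarms_for_interval(events: List[Event], mode: str,
                        summary_threshold: int = 0,
                        global_summary_threshold: int = 0) -> List[Alarm]:
    """Return the alarms one signature emits for the events of one interval.

    Thresholds (0 = disabled) only matter in fire-all mode: when one address
    set reaches summary_threshold, that set switches to summarize; when the
    total reaches global_summary_threshold, the whole signature switches to
    global summarize for the rest of the interval.
    """
    if mode not in MODES:
        raise ValueError(f"unknown summary mode {mode!r}")
    if not events:
        return []
    sig_id = events[0].sig_id
    per_set: Counter = Counter()        # events seen per address set
    summarized = set()                  # address sets that escalated to summarize
    global_summary = mode == "global-summarize"
    total = 0
    out: List[Alarm] = []
    for ev in events:
        key = (ev.attacker, ev.victim)
        per_set[key] += 1
        total += 1
        if global_summary:
            continue                                    # rolled into the global summary
        if mode == "fire-all" and global_summary_threshold and total >= global_summary_threshold:
            global_summary = True                       # escalate for the rest of the interval
            continue
        if mode == "fire-once":
            if per_set[key] == 1:                       # first event for this address set only
                out.append(Alarm(sig_id, "alert", key, 1))
        elif mode == "summarize" or key in summarized:
            continue                                    # counted, reported at interval end
        elif summary_threshold and per_set[key] >= summary_threshold:
            summarized.add(key)                         # fire-all escalates this set
        else:
            out.append(Alarm(sig_id, "alert", key, 1))  # plain fire-all
    if global_summary:
        out.append(Alarm(sig_id, "global-summary", None, total))
    else:
        for key in (per_set if mode == "summarize" else summarized):
            out.append(Alarm(sig_id, "summary", key, per_set[key]))
    return out


# Constructed stream: ten events of custom signature 60001 (60000-65000 is the
# custom signature range) across three attacker/victim address sets.
SAMPLE_EVENTS = (
    [Event(60001, "198.51.100.7", "192.0.2.10")] * 5
    + [Event(60001, "198.51.100.7", "192.0.2.20")] * 2
    + [Event(60001, "203.0.113.5", "192.0.2.10")] * 3
)


if __name__ == "__main__":
    for mode in ("fire-all", "fire-once", "summarize", "global-summarize"):
        print(f"{mode:17s}: {len(alarms_for_interval(SAMPLE_EVENTS, mode))} alarms")
    print("fire-all, summary threshold 3    :",
          len(alarms_for_interval(SAMPLE_EVENTS, "fire-all", summary_threshold=3)), "alarms")
    print("fire-all, global threshold 8     :",
          len(alarms_for_interval(SAMPLE_EVENTS, "fire-all", global_summary_threshold=8)), "alarms")
```

For the same ten events the model yields 10 alarms in fire-all, 3 in fire-once, 3 summaries (carrying counts of 5, 2 and 3) in summarize, and a single global summary of 10. With a summary threshold of 3, fire-all emits individual alerts only until an address set reaches three events, then one summary for that set; with a global summary threshold of 8, everything after the eighth event collapses into one global summary. No events are lost in any mode, only the number of alarms you have to read changes.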

ATOMIC

These engines support signatures that are triggered by the content of a single packet. They do not store any state information across packets.


ATOMIC signature engines are

n ATOMIC ARP

n ATOMIC IP

n ATOMIC IP version 6

FLOOD

The FLOOD signature engines are designed to detect attacks in which the attacker floods traffic to a single host or to an entire network.

FLOOD signature engines are

n FLOOD.NET

n FLOOD.HOST

SERVICE

These engines analyze traffic at and above Layer 5 of the OSI model. They provide protocol decoding for numerous protocols.

SERVICE signature engines are


STRING signature engines are

n STRING ICMP

n STRING TCP

n STRING UDP

n Multi STRING


Posted: 11/10/2016, 17:57