Implementing Secure Converged Wide Area Networks (ISCW)
Cisco IOS IPS
IDS Overview
• Intrusion Detection System
• Monitors traffic for malicious traffic
• Responds accordingly
– Generate logs/alarms
– Instruct a managed device (router, firewall) to block the traffic
– Reset the TCP session
• Typically not in the traffic transit path
– i.e. “promiscuous” mode: the sensor sees a copy of the traffic rather than the traffic itself
• Attack response time is an issue, because the offending packets have already been forwarded by the time the sensor reacts
Copyright © 2009 Internetwork Expert, Inc. www.INE.com
Typical IDS Design
IPS Overview
• Intrusion Prevention System
• Same as IDS, but directly in the transit path
– i.e. “inline”: every packet passes through the sensor
• Allows more sophisticated attack responses and faster response times
Typical IPS Design
Types of IDS/IPS
• Signature based
– Checks traffic against a database of known attack signatures
• Anomaly based
– Learns a baseline of normal network behavior and alerts on events that deviate from it
• Policy based
– Checks for events that breach preconfigured thresholds
– e.g. a TCP SYN flood that exceeds a half-open connection threshold
Types of IDS/IPS (cont.)
• Honeypots
– Deliberately exposed decoy systems that attract attackers so their attack patterns can be collected for further analysis
• Network based (NIPS)
– IPS appliance in the network transit path
• Host based (HIPS)
– IPS software on the end host
Cisco IPS Devices
• Hardware based
– IPS 4200 series sensor appliances
– Catalyst 6500
• Intrusion Detection System Services Module (IDSM)
– ASA 5500
• Advanced Inspection and Prevention Security Services Module (AIP-SSM)
• Software based
– IOS IPS
IOS IPS Overview
• Software based inline IPS solution
• Signature based
– Includes built-in signatures
– Downloadable Signature Definition Files (SDFs)
IOS IPS Event Actions
• Alarm
– Syslog
– Security Device Event Exchange (SDEE)
• Uses HTTPS
• Drop
• Reset
• Block attacker inline
• Block connection inline
IOS IPS CLI Configuration
• Create IPS rule
• Apply rule to interface
• Retire all signatures
• Specify signature storage location in flash
– Signature configuration not stored in NVRAM
• Install Cisco's signature public key (used to verify the signed signature package)
• Load and compile the signatures
• Choose fail-open (default, traffic is forwarded uninspected) or fail-closed (traffic is dropped) behavior while the signature engine is compiling
• Signature tuning
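The steps above, together with the event actions from the previous slide, as one worked IOS CLI configuration on a single router. This is an added example, not configuration from the original INE deck: the rule name IOSIPS, the flash:ips directory, the interface FastEthernet0/0 and the package file name IOS-Sxxx-CLI.pkg are assumptions, and the Cisco public key string must be pasted from Cisco's published realm-cisco.pub.key.txt file rather than typed from here.

```cisco
! Added example (not from the INE deck): IOS IPS 5.x-style configuration.
! Assumed names: rule IOSIPS, directory flash:ips, interface FastEthernet0/0,
! package IOS-Sxxx-CLI.pkg (xxx = the release number of the downloaded package).
!
! 1. Directory in flash for the compiled signature files (they are not kept in NVRAM)
mkdir flash:ips
!
! 2. Cisco's public key, used by IOS to verify the signed signature package.
!    Paste the hex key-string from Cisco's realm-cisco.pub.key.txt; it is not reproduced here.
configure terminal
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <paste the hex key-string from realm-cisco.pub.key.txt>
  quit
 exit
!
! 3. Create the IPS rule and tell it where the signature files live
ip ips name IOSIPS
ip ips config location flash:ips
!
! 4. Alarm delivery: syslog plus SDEE. SDEE is served over HTTPS, so the
!    secure HTTP server must be on; the event buffer holds 200 events here.
ip ips notify log
ip ips notify sdee
ip http secure-server
ip sdee events 200
!
! 5. Retire every signature, then un-retire only the small "ios_ips basic"
!    category so the compiled set fits in router memory
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
!
! 6. Apply the rule inbound on the interface facing the untrusted side
interface FastEthernet0/0
 ip ips IOSIPS in
 exit
!
! 7. Fail closed: drop traffic while the engine is still compiling
!    (the default, fail open, forwards uninspected traffic during that window)
ip ips fail closed
end
!
! 8. Load the package; IOS compiles the non-retired signatures into flash:ips
copy flash:IOS-Sxxx-CLI.pkg idconf
!
! 9. Signature tuning: enable signature 2004/0 (ICMP Echo Request) and give it
!    two event actions, alarm (produce-alert) and drop (deny-packet-inline).
!    Other actions from the slide: deny-attacker-inline, deny-connection-inline,
!    reset-tcp-connection.
configure terminal
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
   exit
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit
end
!
! Verification
show ip ips configuration
show ip ips signatures count
show ip ips statistics
show ip sdee events
```

Two practical caveats: retire the signatures (step 5) before loading the package, because compiling the full set on a small-memory router can exhaust memory, and remember that fail closed means an outage for the inspected interface for as long as compilation takes on that platform. Because SDEE rides on the router's HTTPS server, restrict who can reach that server (for example with ip http access-class pointing at an ACL) so the event feed and the management interface are not exposed to the untrusted side.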
IOS IPS Configuration Examples
[Topology diagram for the lab examples: routers R1 through R6 connected over Fa0/0, Fa0/1, Fa0/0.10, Fa0/0.56, S0/0.102, S0/0.103 and S1/0.301 interfaces, with the networks 200.0.12.0/24, 200.0.13.0/24, 200.0.16.0/24, 10.0.0.0/24, 10.0.56.0/24, 172.16.34.0/24 and 192.168.2.0/24 and the host 192.168.2.100. The per-device interface and subnet assignments appear only in the figure.]