By Earl Carter, Jonathan Hogue
Publisher: Cisco Press
Pub Date: January 18, 2006
Print ISBN-10: 1-58705-239-3
Print ISBN-13: 978-1-58705-239-2
Pages: 312
definition to deployment considerations. Implementation examples help you learn how IPS works, so you can make decisions about how and when to use the technology and understand what "flavors" of IPS are available. The book will answer questions like:
Whether you are evaluating IPS technologies or want to learn how to deploy and manage IPS in your network, this book is an invaluable resource for anyone who needs to know how IPS technology works, what problems it can or cannot solve, how it is deployed, and where it fits in the larger security marketplace.
- Deploy, configure, and monitor IPS activities and secure IPS communications
- Learn the capabilities, benefits, and limitations of host IPS
- Examine the inner workings of host IPS agents and management infrastructures
- Enhance your network security posture by deploying network IPS features
- Evaluate the various network IPS sensor types and management options
- Examine real-world host and network IPS deployment scenarios
This book is part of the Cisco Press® Fundamentals Series. Books in this series introduce networking professionals to new networking technologies, covering network topologies, example deployment concepts, protocols, and management techniques.
Includes a FREE 45-Day Online Edition
information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
First Printing January 2006
fitness is implied
accompany it
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
trademark or service mark
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves
technical community.
Readers' feedback is a natural continuation of this process. If you have any comments about how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam •
Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, FastStep, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo,
Printed in the USA
Dedications
Earl's dedication: Without my loving family, I would not be where I am today. They always support all the projects that I undertake. Therefore, I dedicate this book to my wife Chris, my daughter Ariel, and my son Aidan.
Jonathan's dedication: To my wife Liz, for believing in me.
Earl Carter, CCNA, is a consulting engineer and member of the Security Technologies Assessment Team (STAT) for Cisco Systems, Inc. He performs security evaluations on numerous Cisco products, including everything from the PIX Firewall and VPN solutions to Cisco CallManager and other VoIP products. He started with Cisco doing research for Cisco Secure Intrusion Detection System (formerly NetRanger) and Cisco Secure Scanner (formerly NetSonar).
Jonathan Hogue, CISSP, is a technical marketing engineer in the Cisco Security Business Unit, where his primary focus is the Cisco Security Agent. He has been involved with host-based security products since 1999 when he joined Trend Micro. In 2001, he began working with one of the first host intrusion prevention products, StormWatch by Okena, Inc. Okena was subsequently acquired by Cisco Systems.
Greg Abelar has been an employee of Cisco Systems since December 1996. He was an original member of the Cisco Technical Assistance Security team, helping to hire and train many of the engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco. Greg is the primary founder and project manager of the Cisco written CCIE Security exam.
Gary Halleen has been an employee of Cisco Systems, Inc., since 2000, and is a consulting systems engineer for security products. Gary works closely with Cisco security product teams and has presented at Networkers and other security conferences. Before he worked at Cisco, Gary held security positions at a college and an Internet service provider. Working with local law enforcement, Gary helped to prosecute the first successful computer crimes conviction in his state.
Shawn Merdinger is a security researcher based in Austin, Texas, with seven years of experience in the network security industry. He currently works with TippingPoint (a security division of 3Com), analyzing VoIP security. Before Shawn joined TippingPoint, he worked as a Security Research Engineer with the Cisco Systems Security Technologies Assessment Team (STAT) and Security Evaluation Office (SEO), where he performed vulnerability assessments on a variety of devices, technologies, and implementations. Shawn holds a master's degree from the University of Texas at Austin. Shawn is also an avid supporter of the local non-profit group AustinFreeNet, which helps to bridge the Digital Divide.
First, we want to say that many people helped us during the writing of this book (too many to be listed here). Everyone that we have dealt with has been very supportive and cooperative. The technical editors, Greg Abelar, Shawn Merdinger, and Gary Halleen, supplied us with their excellent insight and greatly improved the accuracy and clarity of the text.
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples
especially those in charge of corporate security, to determine how Intrusion Prevention can be deployed on their networks. Furthermore, the information provided assists the reader to assess the benefits of Intrusion Prevention.
Goals and Methods
The goal of this book is to provide an introduction and in-depth overview of Intrusion Prevention as a technology, rather than a
This Book's Audience
technology analysts and architects, especially those in charge of corporate security, networks, and business needs. These people should have an intermediate level of experience. The secondary audience includes network and security engineers with advanced experience as well as general technology analysts and journalists with experience at a beginner's level.
This book assumes that the reader has a basic understanding of common security technologies such as antivirus, Intrusion Detection Systems, and firewalls. Readers should also have a basic understanding of security threats and security regulations.
How This Book Is Organized
This book is organized into five major parts with subsections for each part. Part I introduces Intrusion Prevention technology as
Network Intrusion Prevention in a similar manner. Part IV delves into deployment of both technologies. Part V provides a sample Request for Information (RFI) document as well as a glossary of some key terms associated with Intrusion Prevention.
Part I: Intrusion Prevention Overview
The initial part provides a high-level overview of intrusion prevention. This overview provides the reader with a strong background understanding of Intrusion Prevention that is expanded in the Host Intrusion Prevention and Network Intrusion Prevention parts.
chapter examines the factors that led to the existence of IPS, the evolution of security threats, the evolution of attack mitigation, and basic IPS capabilities.
- Chapter 2, "Signatures and Actions": This chapter discusses the types, triggers, and actions of IPS signatures.
- Chapter 3, "Operational Tasks": This chapter reviews the high-level tasks related to using IPS. These include deployment, configuration, monitoring of IPS activities, and securing IPS communications.
- Chapter 4, "Security in Depth": This chapter demonstrates the importance of security in depth. It gives examples, explains the role of the security policy, and describes future IPS developments that reinforce the concept.
Part II: Host Intrusion Prevention
This part provides detailed information about Host Intrusion Prevention and uses Cisco Security Agent (CSA) as a realistic example. The information provided, however, is not detailed step-by-step configuration examples. Instead, it explains in detail how the products can be used to provide Intrusion Prevention. Throughout each chapter, specific information is provided as to how CSA handles specific Host Intrusion Prevention problems that you might experience on your network.
- Chapter 5, "Host Intrusion Prevention Overview": This chapter looks at the capabilities, benefits, and limitations of HIPS.
- Chapter 6, "HIPS Components": This chapter examines the inner workings of HIPS agents and management
Part III: Network Intrusion Prevention
This part provides detailed information about Network Intrusion Prevention, along with realistic information to use Cisco Network Intrusion Prevention products. The information provided, however, is not detailed step-by-step configuration examples. Instead, it explains in detail how the products can be used to provide Intrusion Prevention. Each chapter provides detailed information on Cisco Network Intrusion product capabilities and how those capabilities can protect your network.
- Chapter 7, "Network Intrusion Prevention Overview": This chapter explains the capabilities that Network Intrusion Prevention Systems (NIPS) can add to a network to enhance its security posture.
- Chapter 8, "NIPS Components": This chapter analyzes and explains the various components that comprise a NIPS, including various sensor types and management options.
Part IV: Deployment Solutions
This section walks you through the deployment of Intrusion Prevention in different network configurations.
- Chapter 9, "Cisco Security Agent Deployment": This chapter describes the tasks and decisions you need to make during the implementation of a real-world HIPS product, the Cisco Security Agent (CSA).
- Chapter 10, "Deploying Cisco Network IPS": This chapter describes the tasks and decisions you need to make during the implementation of a real-world NIPS deployment, using the Cisco Network Intrusion
- Chapter 11, "Deployment Scenarios": This chapter covers an assortment of IPS deployment scenarios where each scenario uses a different type of company as an example.
Part V: Appendix
- Appendix A, "Sample Request for Information (RFI) Questions": This appendix provides a sample RFI to help the reader understand some of the issues that need to be considered when defining your IPS deployment requirements.
Glossary: The glossary provides the definitions for various terms related to Intrusion Prevention along with definitions of other terms related to the book that the reader might need to understand.
Computer and network security products evolve. Like living things, they change, grow, and adapt to reflect the conditions around them. Specifically, new threats to security force conditions in which security products adapt by implementing countermeasures that can handle the new threats. Examining the birth of a product and its evolution helps you understand why the product exists, what it can do, and how it might change in the future.
Intrusion Prevention Systems (IPS) are security protection devices or applications that can prevent attacks against your network devices. These systems began life as an adjunct feature of contemporary products, such as firewalls and antivirus products, and evolved into an independent and full-featured set of products in their own right. You find two types of IPSs: Network and Host. This chapter examines the factors that led to the existence of IPSs. It describes the evolution of computer security threats, the evolution of attack mitigation, and some of the IPSs' capabilities.
Security threats have always been around. Anything of value makes a viable target for a thief. Traditionally, theft required physical access to the object being stolen, limiting the number of attackers and increasing the chances of the perpetrator's being caught. This model applied to initial personal computer systems in which the computer was treated like another piece of expensive electronic equipment worth stealing.
Initially, mainframes and minicomputers allowed access to a limited number of directly connected dumb terminals. Gradually, the need for extended connectivity became more important. This need for connectivity led to dialup access to mainframes and minicomputers. Adding dialup connectivity increased the scope of attackers by enabling anyone across the world (with access to a telephone and a computer with a modem) to attempt to access the systems. This access, however, was still fairly limited in that attackers had to determine the phone number to use to connect to the computer system and pay the long distance charges if they were not in the same physical vicinity as the system being accessed. Furthermore, because mainframes and minicomputers were very expensive, attackers had difficulty gaining access to a system to try to find security vulnerabilities (except on the limited number of operational systems).
The development of the Internet has created an environment in which millions of computers across the world are all connected to each other. Furthermore, access to this network is fairly ubiquitous and cheap, enabling any thieves in the world to target your computer, regardless of their physical location.
Personal computers are now also cheap. Attackers can easily (and cost effectively) set up various computers with different operating systems and search for exploitable vulnerabilities. Searching for vulnerabilities on systems that they control
an exploit, they can attack similar systems across the world. Therefore, the way you protect your computer assets has to change to match this new threat landscape. In addition, the international and distributed nature of the Internet makes it very difficult to regulate and control attacks against computer systems.
To protect access to internal networks, most companies deploy a firewall at their network perimeter to limit external access. The development of wireless network access (another technological enhancement) has enabled attackers to bypass these perimeter protection mechanisms. With wireless access, users do not need to be physically connected to gain access to the network. The problem is that wireless connectivity does not stop at the walls of your building. In many deployments, attackers can sit in the parking lot in front of your business and potentially gain access to your wireless network. Without proper protection, this wireless access gives attackers direct connectivity to your internal network.
Many factors impact the security threats to which a computer system is vulnerable. Naturally, some threats are more severe than others, so when trying to understand why an IPS is
computing occur regularly. Inventions such as the personal computer and the Internet force businesses to change the way they operate.
The operational change might take some time because businesses don't usually adopt new technologies quickly. New technology comes with a set of risks, such as poor return on investment, security concerns, training costs, and so on. However, most technologies reach a point at which the rewards for adoption outweigh the risks. At that point, the technology is widely adopted, and the potential security risks become a reality. Even when these technologies are adopted, however, the objective many times is to simply get the technology working, with security being left as a future add-on.
Four widely adopted technologies stand out as having had a tremendous impact on the evolution of security threats and thus the evolution of IPSs:
keyboard, but had almost no processing capability. All processing occurred on the mainframe.
other users who tried to use the dumb terminal. A terminal, however, that cannot store data and has no processor is usually not an attractive target. Furthermore, dumb terminals cannot be used as a client or a server because they have no processing capability and are not connected together.
Dumb terminals were replaced by personal computers or workstations that could meet the requirements of the client-server architecture. This resulted in a dramatic increase in the number of target hosts and networks available to an attacker. Figure 1-1 illustrates this increase. Large businesses can have hundreds of thousands of networked computers, all of which are potential targets for an attack.
Figure 1-1 Mainframe Versus Client-Server
increasing the number of potential pathways between the systems. Furthermore, because the networked computers have high-speed connections and fast processors, they are very valuable and powerful targets.
millions of targets all over the globe. Any Internet-connected host or network is reachable by any attacker from practically anywhere. Despite the risks, the Internet is a powerful business tool, and almost every business uses it in one way or another.
physical restriction for access to your network.
Wireless connectivity enables an increase in productivity because it enables your users to easily remain connected as they travel from their desk to a meeting in a conference, or from one meeting to another. Furthermore, wireless connectivity is cheaper because you do not have to install switch ports throughout your entire facility.
However, unlike switch ports, the signals from your wireless access points do not stop at the walls of your facility. Without effective security measures installed, an attacker can easily gain access to your wireless network without ever entering your building.
Mobile Computing
Corporations commonly make these resources available to their remote workers through dialup or Internet virtual private network (VPN) connections. Typically, once a user has made an authorized connection to the corporate network, the user's device acts like an ordinary network participant. It has virtually unfettered access (with maybe only minimal restrictions because of traversing through a firewall).
Having a mobile workforce is tremendously beneficial, but to realize the benefit companies must accept an equal amount of risk. Mobile workers use many powerful and potentially vulnerable devices that are frequently outside of the office. While not in the office, these devices are far more vulnerable because they are not protected by the countermeasures that would guard them ordinarily. At the same time, they are able to access the corporate network at will.
The upshot is that huge numbers of mobile devices are very vulnerable and tempting targets for attackers, especially considering that once a device is compromised, the attacker can sometimes use the device's remote access to attack the corporate network.
Another aspect of mobile computing is the increased use of wireless network connectivity. Wireless connectivity enables laptops and PDAs to remain connected as users move from their desks to meetings in various conference rooms.
Note
devices connected to your computer, cell phone, or PDA, such as wireless headsets, mice, and keyboards. An attacker might place calls on your cell phone by attacking the Bluetooth protocol that enables your wireless headset to communicate with your cell phone.
Target Value
Initially, personal computers were lucrative targets for their actual hardware. Currently, computer hardware is relatively cheap; however, personal computers are still lucrative targets because of the following factors:
information stored on personal computers (both business and personal) has become much more valuable. Today, it is common for millions of people to access their banks and other financial institutions using their personal computers. Business computers frequently house sensitive information such as source code, locally stored e-mail archives, and business roadmaps. The information stored on computers has become more valuable than the actual systems themselves. Furthermore, these business systems (usually laptops) are frequently used away from the office (when working at home and when traveling).
Zombie Systems
Originally, people had PCs that were connected to the Internet via a dialup modem. These systems, therefore, were connected to the Internet only for a short period of time (limiting the attack window timeframe). With the deployment of high-speed Internet connections, many people have systems directly connected to the Internet 24 hours a day (dramatically increasing the attack window timeframe). Many of these always-connected machines are running vulnerable software. By compromising these vulnerable systems, attackers can build a network of machines (known as zombies) that they can use to perform various kinds of attacks. Furthermore, these attacks do not directly originate from the attackers, so tracing the attack back to the real attackers becomes more difficult.
Reach of the attacker
Protection from discovery
Before media and networks were commonplace, the prevailing delivery mechanism was to deliver the attack in person. The
touch
The next best approach is to distribute an attack using media of some kind. The most traditional media are floppy disks, although they are not in much use today because removable Universal Serial Bus (USB) storage devices are smaller and store far more data. Media distribution via floppy disks is more efficient and grants a longer reach than physical access; however, floppy disks change hands fairly slowly, and the reach of this sort of attack is still limited.
Modems, which have been commercially available since 1962, are another option. Attackers created tools they could use to find unsecured modems. Still, finding unsecured modems is a lengthy process, and modem connections are relatively slow. Modems give attackers a longer reach. To improve the efficiency of modem-based attacks, attackers developed tools known as war-dialers to more effectively identify modem connections.
discovery
Protection from discovery is the second factor that determines the delivery mechanism threat level. It has to do with the risk that the attacker will be identified before, after, or during attack delivery. Naturally, most attackers would rather not be identified.
Physical dissemination is the least protective delivery mechanism because the attacker stands a good chance of being spotted. Even with no eyewitnesses, the attacker might leave clues such as fingerprints behind. Remote delivery mechanisms make it easier for the attacker to remain anonymous.
Media, modems, and the Internet are more anonymous delivery mechanisms and thus have a higher threat level. Even so, none of the three are completely anonymous. It might be difficult, but it is quite possible to track an attack back to its point of origin, and thus the attacker, even if it was delivered via the