This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS). It explains the underlying IDS and IPS technology embedded in the Cisco IOS IPS solutions. It describes the use of signatures, the need for IPS alarm monitoring, and the design considerations in deploying IPS.
Intrusion Prevention Systems
© 2012 Cisco and/or its affiliates. All rights reserved.
This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS):
• The fundamentals of intrusion prevention, comparing IDS and IPS
• The building blocks of IPS, introducing the underlying technologies and deployment options
• The use of signatures in intrusion prevention, highlighting the benefits
IPS Fundamentals
Introducing IDS and IPS:
• Targeted, mutating, stealth threats are increasingly difficult to detect
• Attackers have insidious motivations and exploit high-impact targets, often for financial benefit or economic and political reasons
• Attackers are taking advantage of new ways of communication
IDS:
• Analyzes copies of the traffic stream
• Does not slow network traffic
• Allows some malicious traffic into the network
IPS:
• Works inline in real time to monitor Layer 2 through Layer 7 traffic and content
• Needs to be able to handle network traffic
• Prevents malicious traffic from entering the network
• IDS and IPS technologies share several characteristics:
• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
  – A router configured with Cisco IOS IPS Software
  – An appliance specifically designed to provide dedicated IDS or IPS services
  – A network module installed in a Cisco adaptive security appliance, switch, or
Intrusion Detection System
• An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic including:
– Reconnaissance attacks
– Access attacks
– Denial of Service attacks
• It is a passive device because it analyzes copies of the traffic stream
– Only requires a promiscuous interface.
– Does not slow network traffic.
– Allows some malicious traffic into the network.
Intrusion Prevention System
• It builds upon IDS technology to detect attacks
– However, it can also immediately address the threat.
• An IPS is an active device because all traffic must pass through it
– Referred to as “inline-mode”, it works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
– It can also stop single-packet attacks from reaching the target system (IDS cannot)
Comparing IDS and IPS Solutions
(The comparison table on this slide did not survive extraction; only these fragments remain: "sensor failure or a sensor overload", "packets", "normalization techniques", "overloading impacts the network".)
So, IDS or IPS? Why Not Both?
• The IDS sensor in front of the firewall is deployed in promiscuous mode to monitor traffic in the untrusted network
Types of IDS and IPS Sensors
IPS Attack Responses
When an IPS sensor detects malicious activity, it can choose from any or all of the following actions:
• Deny Attacker Inline
• Deny Connection Inline
• Deny Packet Inline
• Log Attacker Packets
• Log Pair Packets
• Log Victim Packets
• Produce Alert
• Produce Verbose Alert
• Request Block Connection
• Request Block Host
• Request SNMP Trap
• Reset TCP Connection
Anti-evasion features
These techniques include the following anti-evasion features, available on Cisco IPS sensors:
• Complete session reassembly that supports the string and service engines that must examine a reliable byte stream between two network endpoints
• Data normalization (deobfuscation) inside service engines
• IP Time to Live (TTL) analysis and TCP checksum validation to guard against end-to-end protocol-level traffic interpretation
• Configurable intervals for correlating signatures
• Inspection of traffic inside Generic Routing Encapsulation (GRE) tunnels to prevent evasion through tunneling
• Smart and dynamic summarization of events to guard against too many alarms for high event rates
Anti-Evasion Techniques Used by Cisco IPS
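As an added illustration of the first feature above (complete session reassembly feeding a string engine), the following Python is example code written for this page; it is not code from the Cisco slides or from Cisco IOS IPS. The flow, the segments and the signature string EXAMPLE_SIG are constructed, and the overlap policy (keep the bytes seen first in sequence order) is one assumed normalization choice.

```python
"""Per-flow TCP reassembly feeding a string engine.

Added example, not code from the Cisco slides. It shows why a string or
service engine needs a reliable byte stream: a pattern split across
segments (or delivered out of order) is invisible per packet but visible
once the flow is reassembled. The flow, segments and signature string
below are constructed for the demo."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes   # payload


def reassemble(isn: int, segments: List[Segment]) -> bytes:
    """Return the contiguous byte stream starting at sequence number `isn`.

    Segments are ordered by sequence number; overlapping bytes (retransmissions)
    are resolved by keeping the copy seen first in sequence order, one simple
    normalization policy. Reassembly stops at the first gap, because bytes past
    a hole are not yet a reliable stream and must not be matched against."""
    stream = bytearray()
    nxt = isn                                   # next expected sequence number
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > nxt:
            break                               # hole in the stream: stop here
        already = nxt - seg.seq                 # bytes this segment repeats
        if already < len(seg.data):
            stream += seg.data[already:]
            nxt = seg.seq + len(seg.data)
    return bytes(stream)


def match_per_packet(segments: List[Segment], pattern: bytes) -> bool:
    """Naive engine: look for the pattern inside each segment on its own."""
    return any(pattern in seg.data for seg in segments)


def match_stream(isn: int, segments: List[Segment], pattern: bytes) -> bool:
    """String engine fed by the reassembler."""
    return pattern in reassemble(isn, segments)


# Constructed flow: initial sequence number 1000, three segments that arrive
# out of order, with the third overlapping the second by three bytes.
ISN = 1000
SAMPLE_SEGMENTS = [
    Segment(1000, b"GET /EXAM"),            # bytes 1000-1008
    Segment(1013, b"SIG HTTP/1.0"),         # bytes 1013-1024, arrives early
    Segment(1009, b"PLE_SIG"),              # bytes 1009-1015, overlaps the above
]
PATTERN = b"EXAMPLE_SIG"                    # constructed signature string

if __name__ == "__main__":
    print("per-packet match:", match_per_packet(SAMPLE_SEGMENTS, PATTERN))
    print("stream:", reassemble(ISN, SAMPLE_SEGMENTS))
    print("stream match:", match_stream(ISN, SAMPLE_SEGMENTS, PATTERN))
```

Run as a script, the per-packet check reports no match while the reassembled stream matches; removing the middle segment makes reassembly stop at the gap, which is the behaviour a sensor wants so that it never matches against bytes it has not yet seen in order.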
Building a Risk Rating into the Detection Capabilities
Risk-Based Intrusion Prevention
Using these considerations, risk ratings typically include several components:
• Potential damage that could be caused by the activity described by the signature
• Asset value of the target of the attack
• Accuracy of the triggering signature
• Relevancy of the attack to the target
• Other security countermeasures (controls) in the environment
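To show how those five components can drive a risk-based response, here is an added Python example; it is not from the slides and it is not Cisco's risk-rating formula. The weighting, the action thresholds, the Event fields and the sample events are assumptions made for the demonstration; the action names are taken from the attack-response list above.

```python
"""Risk-rating calculation and risk-based action selection.

Added example, not code from the Cisco slides. It combines the five
components the slide lists (potential damage, asset value, signature
accuracy, relevancy, other countermeasures) into a 0-100 rating and picks
response actions from the attack-response list by threshold. The weighting
formula and the thresholds are assumptions made for this demonstration; they
are not Cisco's risk-rating arithmetic, and the sample events are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Event:
    signature: str
    damage: int       # potential damage of the activity, 0-100
    asset_value: int  # value of the targeted asset, 0-100
    accuracy: int     # fidelity of the triggering signature, 0-100
    relevant: bool    # does the attack apply to this target (OS, service)?
    mitigated: int    # credit for other controls already in place, 0-100


def risk_rating(e: Event) -> int:
    """Assumed formula: scale damage by asset value and signature accuracy,
    discount attacks that cannot succeed against the target, and subtract
    credit for other controls. Result is clamped to 0-100."""
    rating = e.damage * e.asset_value * e.accuracy / 10_000   # 0-100
    if not e.relevant:
        rating *= 0.25           # attack is not applicable to this target
    rating -= e.mitigated * 0.2  # compensating controls reduce exposure
    return max(0, min(100, int(rating)))


def choose_actions(rating: int) -> List[str]:
    """Assumed risk-based policy using actions named on the slides."""
    if rating >= 90:
        return ["Deny Packet Inline", "Produce Alert"]
    if rating >= 50:
        return ["Produce Alert", "Log Attacker Packets"]
    return ["Produce Alert"]


def evaluate(events: List[Event]) -> dict:
    """Map each event to its rating and the chosen actions."""
    return {e.signature: (risk_rating(e), choose_actions(risk_rating(e)))
            for e in events}


# Constructed events: the same high-damage signature against a high-value
# asset, once relevant and once not, plus a medium-fidelity signature on a
# target that already has compensating controls.
SAMPLE_EVENTS = [
    Event("overflow-vs-webserver", 90, 100, 100, True, 0),
    Event("overflow-vs-wrong-os", 90, 100, 100, False, 0),
    Event("mediumfidelity-vs-mitigated", 90, 100, 80, True, 50),
]

if __name__ == "__main__":
    for sig, (rr, actions) in evaluate(SAMPLE_EVENTS).items():
        print(f"{sig}: RR={rr} -> {actions}")
```

The point of the three events is that the same signature firing produces different responses: relevancy alone drops the rating from 90 to 22, so the inline deny is reserved for the case where the attack can actually succeed, which is how a risk-based policy reduces false-positive drops without disabling the signature.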
IPv6-Aware IPS
• IPv6 awareness is another important consideration for IPS architectures. Sensors should be IPv6 aware.
• Alarms: alarms fire when specific parameters are met.
• You should consider the following factors when implementing alarms that a signature uses:
  – The level assigned to the signature determines the alarm severity level.
  – A Cisco IPS signature is assigned one of four severity levels:
    • Informational
    • Low
    • Medium
    • High
  – You can manually adjust the severity level that an alarm produces.
  – To minimize false positives, study your existing network traffic patterns.
  – As an additional source of information, consider implementing NetFlow on network access devices such as routers and firewalls.
IPS Alarms: Event Monitoring and Management
Event monitoring and management can be divided into the following two needs:
• Real-time event monitoring and management
• Analysis based on archived information (reporting)
There is an important difference between reporting and monitoring. Note that archives are often a significant source of data when producing reports.
• Reporting: Analysis based on archived information
• Event monitoring: Real-time monitoring
Device, Enterprise, and Global Correlation
Global Correlation and Cisco SIO at Work, Preventing Zero-Day Attack
Examples of IPS Deployments
IPS Platforms from Cisco
IPS Best Practices
The following are the recommended practices for designing and deploying IPS architecture:
• Use a combination of detection technologies
• Take advantage of multiple form factors to deploy a distributed and cost-effective IPS architecture
• Use a “places in the network” approach, which, for Cisco, refers to the building blocks of a corporate network, such as a data center, a campus, and a branch office
• Enable anti-evasion techniques
• Take advantage of local, enterprise, and global correlation
• Use a risk-based approach to improve accuracy and simplify management
• When deploying a large number of sensors, automatically update signature packages instead of manually upgrading every sensor
• Place the signature packages on a dedicated FTP server within the management network
• Tune the IPS architecture constantly
Fail-Open or Fail-Close Approach
Recommended practices
Recommended practices are based on a series of key factors in current IPS architectures:
• Intelligent, distributed detection
  – Vulnerability- and exploit-specific signatures
  – Protocol anomaly detection
  – Knowledge base anomaly detection
  – Reputation filters
• Accurate, precise response to relevant attacks
  – Risk management–based policy
  – Global correlation adding reputation
  – On-box correlation
  – “Trustworthiness” linkages with the endpoint
• Flexible deployment options
  – Passive and/or inline with flexible response (IDS/IPS)
  – Sensor virtualization
  – Physical and logical (VLAN) interface support
  – Software and hardware bypass
Cisco IPS Architecture
Cisco IOS IPS
Cisco IOS IPS Features
• Profile-based intrusion detection
• Signature-based intrusion detection
• Protocol analysis–based intrusion detection
Scenario: Protecting the Branch Office Against Inside Attack
Cisco IOS IPS Signature Features
Signature file
• A signature package has definitions for each signature it contains
• After signatures are loaded and compiled onto a router running Cisco IOS IPS, IPS can begin detecting the new signatures immediately
• Routers access signature definition information through a directory in flash that contains three configuration files—the default configuration, the delta configuration, and the Signature Event Action Processor (SEAP) configuration
• SEAP is the control unit responsible for coordinating the data flow of a signature event
Signature Management
• Encrypted signature support
• Lightweight signatures
• Direct download from Cisco.com capability
• Tuning per top-level categories
• Signature tuning inheritance
Summary of Types of Supported Signature Engines
Details on Signature Microengines
Signature Tuning
Signature Interactions with Cisco IOS
Signature States
Combinations of Signature Compilations and States
The following list summarizes the guidelines for planning an efficient and effective Cisco IOS IPS signature definition:
• The number of signatures that can be compiled depends on the free memory available on the router
• For routers with 128 MB of flash, start with the basic signature category
• For routers with 256 MB+ of flash, start with the advanced signature category
• Retire risk-irrelevant signatures according to your needs
• Monitor free memory when retiring or unretiring signatures
• In restrictive policies, define a fail-closed action if signatures fail to compile. This setting instructs the router to drop all packets until the signature engine is built and ready to scan traffic. If this command is issued, one of the following scenarios occurs:
  – If IPS fails to load the signature package, all packets are dropped—unless the user specifies an access control list (ACL) for packets to send to IPS.
  – If IPS successfully loads the signature package, but fails to build a signature engine, all packets that are destined for that engine are dropped.
  – If this command is not issued, all packets are passed without scanning if the signature engine fails to build.
• Disabled signatures are still scanned and processed, and will consume resources
• Never unretire the “All” signature category
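The fail-closed scenarios described above, as an added Python model that is not part of the slides or of Cisco IOS: the port-to-engine table, the ACL model (a set of destination ports selected for inspection, None meaning all traffic goes to IPS), the disposition names and the sample packets are assumptions made for the demo.

```python
"""Fail-closed versus fail-open packet disposition for Cisco IOS IPS.

Added example, not code from the Cisco slides. It models the three
scenarios the slide describes for the fail-closed setting: the signature
package fails to load, one signature engine fails to build, or the setting
is absent. The engine-to-port mapping, the ACL model (a set of destination
ports selected for inspection) and the sample packets are assumptions made
for the demo, not the router's real data structures."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class IpsState:
    fail_closed: bool                    # fail-closed action configured
    package_loaded: bool                 # signature package loaded OK
    failed_engines: Set[str] = field(default_factory=set)  # engines not built
    ips_acl: Optional[Set[int]] = None   # dst ports sent to IPS; None = all traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Assumed mapping of destination port to the engine that would inspect it.
ENGINE_FOR_PORT = {80: "service-http", 25: "service-smtp", 53: "service-dns"}


def engine_for(pkt: Packet) -> str:
    return ENGINE_FOR_PORT.get(pkt.dport, "string-tcp")


def disposition(state: IpsState, pkt: Packet) -> str:
    """Return what the router does with one packet: 'scan', 'drop',
    'pass-unscanned' (fail-open) or 'pass-not-selected' (ACL excluded it)."""
    if state.ips_acl is not None and pkt.dport not in state.ips_acl:
        return "pass-not-selected"       # ACL does not send this packet to IPS
    if not state.package_loaded:
        # Scenario 1 (or 3 when fail-closed is absent): package failed to load.
        return "drop" if state.fail_closed else "pass-unscanned"
    if engine_for(pkt) in state.failed_engines:
        # Scenario 2 (or 3): package loaded, but this packet's engine is not built.
        return "drop" if state.fail_closed else "pass-unscanned"
    return "scan"


# Constructed packets (documentation addresses).
WEB = Packet("198.51.100.7", "192.0.2.10", 80)
MAIL = Packet("198.51.100.7", "192.0.2.20", 25)
SSH = Packet("198.51.100.7", "192.0.2.30", 22)


def scenario_table() -> dict:
    """Dispositions for the slide's scenarios across the three packets."""
    states = {
        "closed-package-failed": IpsState(True, False),
        "closed-package-failed-acl80": IpsState(True, False, ips_acl={80}),
        "closed-smtp-engine-failed": IpsState(True, True, {"service-smtp"}),
        "open-smtp-engine-failed": IpsState(False, True, {"service-smtp"}),
    }
    return {name: [disposition(st, p) for p in (WEB, MAIL, SSH)]
            for name, st in states.items()}


if __name__ == "__main__":
    for name, row in scenario_table().items():
        print(f"{name:30} web={row[0]:18} mail={row[1]:18} ssh={row[2]}")
```

The table the script prints is the trade-off behind the fail-open/fail-close decision: with fail-closed set and no ACL, a failed package load blackholes every packet on the interface, while an ACL narrows the outage to the traffic selected for inspection; with fail-closed absent, the same failure silently passes traffic unscanned.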
Monitoring IPS Alarms and Event Management
Cisco IOS IPS Alarms Monitoring
Support for SDEE and Syslog
SDEE and syslog
The support for SDEE and syslog in the Cisco IOS IPS solution is as follows:
• Cisco IOS Software supports the SDEE protocol
• SDEE uses a pull mechanism. That is, requests come from the network management application, and the IDS and IPS router responds
• SDEE becomes the standard format for all vendors to communicate events to a network management application
• You must also enable HTTP or HTTPS on the router, using the ip http server command, when you enable SDEE. The use of HTTPS ensures that data is secured as it traverses the network
• The Cisco IOS IPS router still sends IPS alerts via syslog
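The syslog side of alarm monitoring, together with the four severity levels and the smart summarization of events mentioned earlier, as an added Python example that is not from the slides: the sample lines are constructed to resemble %IPS-4-SIGNATURE syslog messages (the signature ids, names and addresses are invented), and the regular expression, the severity-to-level thresholds and the summarization rule are assumptions made for the demo.

```python
"""Parsing Cisco IOS IPS syslog alerts, mapping severity, and summarizing.

Added example, not code from the Cisco slides. The sample lines are
constructed to resemble IOS IPS %IPS-4-SIGNATURE syslog messages (signature
ids, names and addresses are invented); the regular expression, the
severity-to-level thresholds and the summarization rule are assumptions
made for this demo. It shows the monitoring side of the slides: pull the
real-time alerts out of a syslog feed, label them with the four severity
levels, and collapse repeated alerts so a burst does not flood the console."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample syslog feed: four IPS alerts and one unrelated message.
SAMPLE_SYSLOG = """\
00:02:11 %IPS-4-SIGNATURE: Sig:60001 Subsig:0 Sev:100 EXAMPLE-HTTP-Overflow [198.51.100.7:40211 -> 192.0.2.10:80] RiskRating:95
00:02:12 %SYS-5-CONFIG_I: Configured from console by admin on vty0
00:02:13 %IPS-4-SIGNATURE: Sig:60002 Subsig:0 Sev:25 EXAMPLE-ICMP-Echo [198.51.100.7:0 -> 192.0.2.10:0] RiskRating:25
00:02:14 %IPS-4-SIGNATURE: Sig:60002 Subsig:0 Sev:25 EXAMPLE-ICMP-Echo [198.51.100.7:0 -> 192.0.2.10:0] RiskRating:25
00:02:15 %IPS-4-SIGNATURE: Sig:60002 Subsig:0 Sev:25 EXAMPLE-ICMP-Echo [198.51.100.7:0 -> 192.0.2.10:0] RiskRating:25
"""

# Assumed line shape; a real deployment would adjust this to the exact
# syslog format of the IOS release in use.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) %IPS-4-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: RiskRating:(?P<rr>\d+))?"
)


def severity_label(sev: int) -> str:
    """Map the numeric severity to the four IPS levels (assumed thresholds)."""
    if sev >= 100:
        return "High"
    if sev >= 75:
        return "Medium"
    if sev >= 50:
        return "Low"
    return "Informational"


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Return one dict per IPS alert line; non-IPS syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        sev = int(d["sev"])
        alerts.append({
            "ts": d["ts"], "sig": d["sig"], "name": d["name"],
            "sev": sev, "level": severity_label(sev),
            "src": d["src"], "dst": d["dst"],
            "risk": int(d["rr"]) if d["rr"] else None,
        })
    return alerts


def summarize(alerts: List[Dict[str, object]], threshold: int = 3
              ) -> Dict[Tuple[str, str, str], int]:
    """Collapse alerts sharing (signature, source, destination) within one
    correlation interval; groups at or above `threshold` become a single
    summary entry carrying a count instead of one alarm per packet."""
    counts = Counter((a["sig"], a["src"], a["dst"]) for a in alerts)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_SYSLOG)
    for a in found:
        print(a["ts"], a["level"], a["sig"], a["name"], a["src"], "->", a["dst"])
    print("summaries:", summarize(found))
```

The parsed records are the real-time monitoring feed; writing the same records to an archive is what later makes reporting possible, which is the monitoring/reporting split described earlier. The summarizer stands in for the sensor's own event summarization: three identical informational alerts become one summary with a count, while the single high-severity alert is left untouched.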
Event Management
• Local event management and correlation
  – Cisco Configuration Professional
  – IPS Device Manager
  – IPS Manager Express
• Enterprise event management and correlation
  – Cisco Security Manager
  – Third-party ecosystem partner SIEM systems
• Global event management and correlation
  – Cisco Security Intelligence Operations (SIO)
Configuring Cisco IOS IPS Using Cisco Configuration Professional
Following are the configuration steps to deploy Cisco IOS IPS using CCP:
Step 1 Download the latest Cisco IOS IPS signature package to a local PC using Cisco Configuration Professional Auto Update
Step 2 Launch the IPS Policies Wizard to configure Cisco IOS IPS
Step 3 Verify that Cisco IOS IPS configuration and signatures are properly loaded
Step 4 Perform signature tuning
Step 5 Verify alarms
Step 1: Download Cisco IOS IPS Signature Package
Step 2: Launch IPS Policies Wizard
Creating an IPS Policy by Launching the IPS Policies Wizard in CCP
IPS Policies Wizard: Selecting the Interfaces
IPS Policies Wizard: Selecting the Signature File
IPS Policies Wizard: Downloading and Installing Cisco’s Public Key
IPS Policies Wizard: Storing Signature Information
IPS Policies Wizard: Configuring Location and Signature Category
IPS Policies Wizard: Summary Configuration
Step 3: Verify Configuration and Signature Files
Reviewing IPS Configuration and Interface Status
Reviewing IPS Signatures
Step 4: Perform Signature Tuning
Enable, Disable, Retire, or Unretire Signatures
Changing Action of Signatures
Step 5: Verify Alarms
• Total Signatures
• Total Enabled Signatures
• Total Retired Signatures
• Total Compiled Signatures
Monitoring IPS Signature Statistics from CCP
Monitoring IPS Alarms from CCP
IPS Signature Statistics
Alert Color Coding
Configuring Cisco IOS IPS Using the CLI
Configuring Cisco IOS IPS Using the CLI
Router(config)# ip ips name sdm_ips_rule
Router(config)# ip ips config location flash:/ips/ retries 1
Router(config)# ip ips notify SDEE
Router(config)# interface FastEthernet0/0
Router(config-if)# ip ips sdm_ips_rule in
To configure the router to support the default basic signature set, use the ip ips signature-category command (retire the “all” category first, then unretire the basic category):
Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
show ip ips configuration Command Output