Chapter 11 intrusion prevention systems


Intrusion Prevention Systems

© 2012 Cisco and/or its affiliates All rights reserved 2

Contents

This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS):

• The fundamentals of intrusion prevention, comparing IDS and IPS
• The building blocks of IPS, introducing the underlying technologies and deployment options
• The use of signatures in intrusion prevention, highlighting the benefits and drawbacks
• The need for IPS alarm monitoring, evaluating the options for event managers
• Analyzing the design considerations in deploying IPS

IPS Fundamentals

Introducing IDS and IPS:

• Targeted, mutating, stealth threats are increasingly difficult to detect.
• Attackers have insidious motivations and exploit high-impact targets, often for financial benefit or economic and political reasons.
• Attackers are taking advantage of new ways of communication.

IDS:

• Analyzes copies of the traffic stream
• Does not slow network traffic
• Allows some malicious traffic into the network

IPS:

• Works inline in real time to monitor Layer 2 through Layer 7 traffic and content
• Needs to be able to handle network traffic
• Prevents malicious traffic from entering the network

• IDS and IPS technologies share several characteristics:
  – IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
    • A router configured with Cisco IOS IPS Software
    • An appliance specifically designed to provide dedicated IDS or IPS services
    • A network module installed in a Cisco adaptive security appliance, switch, or router
  – IDS and IPS technologies typically monitor for malicious activities in two

Intrusion Detection System

• An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:
  – Reconnaissance attacks
  – Access attacks
  – Denial of Service attacks
• It is a passive device because it analyzes copies of the traffic stream.
  – Only requires a promiscuous interface.
  – Does not slow network traffic.
  – Allows some malicious traffic into the network.

Intrusion Prevention System

• … detect attacks.
  – However, it can also immediately address the threat.
• … because all traffic must pass through it.
  – Referred to as “inline-mode”, it works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
  – It can also stop single-packet attacks from reaching the target system (IDS cannot).

Comparing IDS and IPS Solutions

                IDS (Promiscuous Mode)                                IPS (Inline Mode)
Advantages      • No impact on network (latency, jitter).             • Stops trigger packets.
                • No network impact if there is a sensor failure      • Can use stream normalization techniques.
                  or a sensor overload.
Disadvantages                                                         • Sensor failure or overloading impacts the network.

So, IDS or IPS? Why Not Both?

• The IDS sensor in front of the firewall is deployed in promiscuous mode to monitor traffic in the untrusted network.

Types of IDS and IPS Sensors

IPS Attack Responses

When an IPS sensor detects malicious activity, it can choose from any or all of the following actions:

• Deny Attacker Inline
• Deny Connection Inline
• Deny Packet Inline
• Log Attacker Packets
• Log Pair Packets
• Log Victim Packets
• Produce Alert
• Produce Verbose Alert
• Request Block Connection
• Request Block Host
• Request SNMP Trap
• Reset TCP Connection


These techniques include the following:

Anti-evasion features

The following anti-evasion features are available on Cisco IPS sensors:

• Complete session reassembly that supports the string and service engines that must examine a reliable byte stream between two network endpoints
• Data normalization (deobfuscation) inside service engines,
• IP Time to Live (TTL) analysis and TCP checksum validation to guard against end-to-end protocol-level traffic interpretation
• Configurable intervals for correlating signatures
• Inspection of traffic inside Generic Routing Encapsulation (GRE) tunnels to prevent evasion through tunneling
• Smart and dynamic summarization of events to guard against too many alarms for high event rates
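As an added illustration (not code from the Cisco slides), the block below contrasts a naive per-segment string engine with one that reassembles the session and applies TTL analysis before matching, which is what the first and third features above buy a sensor. The signature, the TCP segments and the hop count to the protected host are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample values: the pattern a string engine looks for, and the
# hop count from the sensor to the protected host (what TTL analysis needs).
SIGNATURE = b"/etc/passwd"
HOPS_TO_TARGET = 6

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes
    ttl: int        # IP TTL of the packet as seen by the sensor

def per_packet_match(segments):
    """Naive engine: each segment on its own, so a split pattern is missed."""
    return any(SIGNATURE in s.payload for s in segments)

def reassemble(segments, hops_to_target=HOPS_TO_TARGET):
    """Rebuild the byte stream the endpoint will actually receive.

    TTL analysis: a segment whose TTL cannot reach the target is discarded;
    the target never sees it, so matching on it would let an attacker feed
    the sensor bytes the victim will not process (an insertion evasion).
    Overlaps: bytes already in the stream win (first-received policy; a real
    sensor normalizes to the target's policy). Gaps: stop and wait.
    """
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.ttl < hops_to_target:
            continue                                  # expires before target
        if seg.seq > len(stream):
            break                                     # hole in the stream
        stream += seg.payload[len(stream) - seg.seq:]  # drop overlap bytes
    return bytes(stream)

def stream_match(segments):
    """String engine fed by the reassembled, normalized stream."""
    return SIGNATURE in reassemble(segments)

# Constructed evasion attempt: the pattern is split across two segments and a
# low-TTL decoy carrying junk for the same sequence range arrives first; the
# decoy reaches the sensor but expires before the target.
EVASIVE = [
    Segment(seq=0, payload=b"GET /etc/pa", ttl=64),
    Segment(seq=11, payload=b"XXXX", ttl=2),
    Segment(seq=11, payload=b"sswd HTTP/1.0\r\n", ttl=64),
]
```

Calling `reassemble(EVASIVE, hops_to_target=0)` disables the TTL check and shows the decoy overwriting the real bytes, which is the evasion the feature exists to close.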

Anti-Evasion Techniques Used by Cisco IPS


Building a Risk Rating into the Detection Capabilities

Risk-Based Intrusion Prevention

Using these considerations, risk ratings typically include several components:

• Potential damage that could be caused by the activity described by the signature
• Asset value of the target of the attack
• Accuracy of the triggering signature
• Relevancy of the attack to the target
• Other security countermeasures (controls) in the environment
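As an added example (not from the slides), the block below combines the components listed above into one number a sensor can act on. The arithmetic follows the Cisco IPS sensor's published risk-rating formula, RR = ASR*TVR*SFR/10000 + ARR - PD + WLR; the slide does not state it, so the weights and scales are an assumption here, and the POLICY thresholds are a constructed sample policy.

```python
from dataclasses import dataclass

# Asset value of the target: target value ratings (scale assumed, see lead-in).
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100,
                "high": 150, "mission-critical": 200}
# Relevancy of the attack to the target (attack relevancy rating).
RELEVANCY = {"relevant": 10, "unknown": 0, "not-relevant": -10}

@dataclass
class SignatureEvent:
    severity: int          # potential damage (attack severity rating), 0-100
    fidelity: int          # accuracy of the signature (fidelity rating), 0-100
    asset: str             # key of TARGET_VALUE
    relevancy: str         # key of RELEVANCY
    promiscuous_delta: int = 0   # subtracted when the sensor runs in IDS mode
    watch_list: int = 0    # added when the attacker is on a watch list

def risk_rating(ev: SignatureEvent) -> int:
    """RR = ASR*TVR*SFR/10000 + ARR - PD + WLR, clamped to 0..100."""
    rr = (ev.severity * TARGET_VALUE[ev.asset] * ev.fidelity) // 10000
    rr += RELEVANCY[ev.relevancy] - ev.promiscuous_delta + ev.watch_list
    return max(0, min(100, rr))

# Constructed sample policy: the response keyed on the rating. The slide's
# fifth component (other countermeasures) enters only through how the
# operator sets asset value and relevancy; that is this example's simplification.
POLICY = [(90, "deny-packet-inline"), (70, "produce-verbose-alert"),
          (0, "produce-alert")]

def action_for(ev: SignatureEvent) -> str:
    rr = risk_rating(ev)
    for threshold, action in POLICY:
        if rr >= threshold:
            return action
    return "produce-alert"

# The same signature (severity 100, fidelity 85) against different targets:
# the rating, and so the response, depends on the target, not the signature alone.
CRITICAL = SignatureEvent(100, 85, "mission-critical", "relevant")
INTERNAL = SignatureEvent(100, 85, "medium", "unknown")
IRRELEVANT = SignatureEvent(100, 85, "low", "not-relevant")
IDS_MODE = SignatureEvent(100, 85, "medium", "unknown", promiscuous_delta=30)
```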

IPv6-Aware IPS

• IPv6 awareness is another important consideration for IPS architectures. Sensors should be IPv6 aware.
• Alarms: Alarms fire when specific parameters are met.
• You should consider the following factors when implementing alarms that a signature uses:
  – The level assigned to the signature determines the alarm severity level.
  – A Cisco IPS signature is assigned one of four severity levels:
    • Informational
    • Low
    • Medium
    • High
  – You can manually adjust the severity level that an alarm produces.
  – To minimize false positives, study your existing network traffic patterns.
  – As an additional source of information, consider implementing NetFlow on network access devices such as routers and firewalls.

IPS Alarms: Event Monitoring and Management

Event monitoring and management can be divided into the following two needs:

• Real-time event monitoring and management
• Analysis based on archived information (reporting)

There is an important difference between reporting and monitoring. Note that archives are often a significant source of data when producing reports.

• Reporting: Analysis based on archived information
• Event monitoring: Real-time monitoring
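As an added example (not from the slides), the block below does the real-time side of event monitoring for a Cisco IOS IPS router that reports through syslog: it parses alert lines, maps the numeric severity to the four levels the slides name, and summarizes repeated hits per signature and attacker, the "smart summarization" the anti-evasion slide mentions. The %IPS-4-SIGNATURE field layout is assumed for this example and the log excerpt is constructed.

```python
import re

# Severity numbers as carried in the syslog message, mapped to the four
# levels named in the slides (mapping assumed for this example).
SEVERITY_LEVEL = {25: "Informational", 50: "Low", 75: "Medium", 100: "High"}

# Field layout assumed for this example; the sample lines below are constructed.
ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\] RiskRating:(?P<rr>\d+)"
)

def parse_alert(line):
    """Return the alert fields, or None for syslog lines that are not IPS alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {"sig": int(f["sig"]), "subsig": int(f["subsig"]), "name": f["name"],
            "level": SEVERITY_LEVEL.get(int(f["sev"]), "Unknown"),
            "src": f["src"], "dst": f["dst"], "rr": int(f["rr"])}

def summarize(lines):
    """Collapse repeated alerts into one entry per (signature, attacker): hit
    count, distinct victims and the highest risk rating seen, so a sweep
    produces one alarm rather than one per packet."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sig"], a["subsig"], a["src"])
        s = summary.setdefault(key, {"name": a["name"], "level": a["level"],
                                     "count": 0, "victims": set(), "max_rr": 0})
        s["count"] += 1
        s["victims"].add(a["dst"])
        s["max_rr"] = max(s["max_rr"], a["rr"])
    return summary

# Constructed syslog excerpt: an ICMP sweep across three hosts, one
# high-severity web attack, and an unrelated configuration message.
SAMPLE_LOG = [
    "*Mar  1 00:12:01.120: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.50:0 -> 10.1.2.10:0] RiskRating:25",
    "*Mar  1 00:12:01.130: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.50:0 -> 10.1.2.11:0] RiskRating:25",
    "*Mar  1 00:12:01.141: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.50:0 -> 10.1.2.12:0] RiskRating:25",
    "*Mar  1 00:12:05.002: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [10.1.1.50:4021 -> 10.1.2.10:80] RiskRating:100",
    "*Mar  1 00:12:07.500: %SYS-5-CONFIG_I: Configured from console by console",
]
```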


Device, Enterprise, and Global Correlation


Global Correlation and Cisco SIO at Work, Preventing Zero-Day Attack


Examples of IPS Deployments


IPS Platforms from Cisco


IPS Best Practices

The following are the recommended practices for designing and deploying IPS architecture:

• Use a combination of detection technologies.
• Take advantage of multiple form factors to deploy a distributed and cost-effective IPS architecture.
• Use a “places in the network” approach, which, for Cisco, refers to the building blocks of a corporate network, such as a data center, a campus, and a branch office.
• Enable anti-evasion techniques.
• Take advantage of local, enterprise, and global correlation.
• Use a risk-based approach to improve accuracy and simplify management.
• When deploying a large number of sensors, automatically update signature packages instead of manually upgrading every sensor.
• Place the signature packages on a dedicated FTP server within the management network.
• Tune the IPS architecture constantly.


Fail-Open or Fail-Close Approach


Recommended practices

Recommended practices are based on a series of key factors in current IPS architectures:

• Intelligent, distributed detection
  – Vulnerability- and exploit-specific signatures
  – Protocol anomaly detection
  – Knowledge base anomaly detection
  – Reputation filters
• Accurate, precise response to relevant attacks
  – Risk management–based policy
  – Global correlation adding reputation
  – On-box correlation
  – “Trustworthiness” linkages with the endpoint
• Flexible deployment options
  – Passive and/or inline with flexible response (IDS/IPS)
  – Sensor virtualization
  – Physical and logical (VLAN) interface support
  – Software and hardware bypass


Cisco IPS Architecture


Cisco IOS IPS

Cisco IOS IPS Features

• Profile-based intrusion detection
• Signature-based intrusion detection
• Protocol analysis–based intrusion detection


Scenario: Protecting the Branch Office Against Inside Attack


Cisco IOS IPS Signature Features

Signature file

• A signature package has definitions for each signature it contains.
• After signatures are loaded and compiled onto a router running Cisco IOS IPS, IPS can begin detecting the new signatures immediately.
• Routers access signature definition information through a directory in flash that contains three configuration files—the default configuration, the delta configuration, and the Signature Event Action Processor (SEAP) configuration.
• SEAP is the control unit responsible for coordinating the data flow of a signature event.

Signature Management

• Encrypted signature support
• Lightweight signatures
• Direct download from Cisco.com capability
• Tuning per top-level categories
• Signature tuning inheritance


Summary of Types of Supported Signature Engines


Details on Signature Microengines


Signature Tuning


Signatures Interactions with Cisco IOS


Signature States

Combinations of Signature Compilations and States


The following list summarizes the guidelines for planning an efficient and effective Cisco IOS IPS signature definition:

• The number of signatures that can be compiled depends on the free memory available on the router.
• For routers with 128 MB of flash, start with the basic signature category.
• For routers with 256 MB+ of flash, start with the advanced signature category.
• Retire risk-irrelevant signatures according to your needs.
• Monitor free memory when retiring or unretiring signatures.
• In restrictive policies, define a fail-closed action if signatures fail to compile. This setting instructs the router to drop all packets until the signature engine is built and ready to scan traffic. If this command is issued, one of the following scenarios occurs:
  – If IPS fails to load the signature package, all packets are dropped—unless the user specifies an access control list (ACL) for packets to send to IPS.
  – If IPS successfully loads the signature package, but fails to build a signature engine, all packets that are destined for that engine are dropped.
  – If this command is not issued, all packets are passed without scanning if the signature engine fails to build.
• Disabled signatures are still scanned and processed, and will consume resources.
• Never unretire the “All” signature category.

Monitoring IPS Alarms and Event Management

Cisco IOS IPS Alarms Monitoring

Support for SDEE and Syslog

SDEE and syslog

The support for SDEE and syslog in the Cisco IOS IPS solution is as follows:

• Cisco IOS Software supports the SDEE protocol.
• SDEE uses a pull mechanism. That is, requests come from the network management application, and the IDS and IPS router responds.
• SDEE becomes the standard format for all vendors to communicate events to a network management application.
• You must also enable HTTP or HTTPS on the router, using the ip http server command, when you enable SDEE. The use of HTTPS ensures that data is secured as it traverses the network.
• The Cisco IOS IPS router still sends IPS alerts via syslog.

Event Management

• Local event management and correlation
  – Cisco Configuration Professional
  – IPS Device Manager
  – IPS Manager Express
• Enterprise event management and correlation
  – Cisco Security Manager
  – Third-party ecosystem partner SIEM systems
• Global event management and correlation
  – Cisco Security Intelligence Operations (SIO)

Configuring Cisco IOS IPS Using Cisco Configuration Professional

Following are the configuration steps to deploy Cisco IOS IPS using CCP:

Step 1 Download the latest Cisco IOS IPS signature package to a local PC using Cisco Configuration Professional Auto Update.
Step 2 Launch the IPS Policies Wizard to configure Cisco IOS IPS.
Step 3 Verify that Cisco IOS IPS configuration and signatures are properly loaded.
Step 4 Perform signature tuning.
Step 5 Verify alarms.


Step 1: Download Cisco IOS IPS Signature Package


Step 2: Launch IPS Policies Wizard

Creating an IPS Policy by Launching the IPS Policies Wizard in CCP


IPS Policies Wizard: Selecting the Interfaces


IPS Policies Wizard: Selecting the Signature File


IPS Policies Wizard: Downloading and Installing Cisco’s Public Key


IPS Policies Wizard: Storing Signature Information


IPS Policies Wizard: Configuring Location and Signature Category


IPS Policies Wizard: Summary Configuration


Step 3: Verify Configuration and Signature Files

Reviewing IPS Configuration and Interface Status


Reviewing IPS Signatures


Step 4: Perform Signature Tuning


Enable, Disable, Retire, or Unretire Signatures


Changing Action of Signatures

Step 5: Verify Alarms

• Total Signatures
• Total Enabled Signatures
• Total Retired Signatures
• Total Compiled Signatures


Monitoring IPS Signature Statistics from CCP


Monitoring IPS Alarms from CCP


IPS Signature Statistics

Alert Color Coding


Configuring Cisco IOS IPS Using the CLI

Configuring Cisco IOS IPS Using the CLI

Router(config)# ip ips name sdm_ips_rule
Router(config)# ip ips config location flash:/ips/ retries 1
Router(config)# ip ips notify SDEE
Router(config)# interface FastEthernet0/0
Router(config-if)# ip ips sdm_ips_rule in

To configure the router to support the default basic signature set, use the ip ips signature-category command: retire every signature in the all category first, then unretire the ios_ips basic category.

Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
Router(config-ips-category-action)# exit

show ip ips configuration Command Output

Posted: 08/08/2021, 20:36
