© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Module 6: Cisco IOS Threat Defense Features
Lesson 6.4: Introducing Cisco IOS IPS

Objectives
- Compare and contrast Intrusion Detection Systems and Intrusion Protection Systems.
- Describe the Cisco IPS products and technologies.
- Define IDS and IPS types and options.
- Compare Network Based and Host Based IPS systems (HIPS and NIPS).

Intrusion Detection System
- IDS is a passive device:
  - Traffic does not pass through the IDS device.
  - Typically uses only one promiscuous interface.
- IDS is reactive: IDS generates an alert to notify the manager of malicious traffic.
- Optional active response:
  - Further malicious traffic can be denied with a security appliance or router.
  - TCP resets can be sent to the source device.

Intrusion Protection System
- IPS is an active device:
  - All traffic passes through the IPS.
  - IPS uses multiple interfaces.
- Proactive prevention:
  - IPS denies all malicious traffic.
  - IPS sends an alert to the management station.

Combining IDS and IPS
- IPS actively blocks offending traffic:
  - Should not block legitimate data
  - Only stops "known malicious traffic"
  - Requires focused tuning to avoid connectivity disruption
- IDS complements IPS:
  - Verifies that IPS is still operational
  - Alerts you about any suspicious data except "known good traffic"
  - Covers the "gray area" of possibly malicious traffic that IPS did not stop

Cisco IOS IPS Products and Technologies
- Cisco IOS IPS uses a blend of Cisco IDS and IPS products:
  - Cisco IDS Series appliances
  - Cisco Catalyst Series IDS services modules
  - Cisco network module hardware IDS appliances
- Cisco IOS IPS uses a blend of technologies:
  - Profile-based intrusion detection
  - Signature-based intrusion detection
  - Protocol analysis-based intrusion detection

IDS and IPS Types and Options

Criteria: Deployment Options
- Network-based: Network sensors scan traffic that is destined to many hosts.
- Host-based: Host agent monitors all operations within an operating system.

Criteria: Approaches to Identifying Malicious Traffic
- Signature-based: A vendor provides a customizable signature database.
- Policy-based: Policy definition and description is created.
- Anomaly-based: "Normal" and "abnormal" traffic is defined.
- Honeypot-based: Sacrificial host is set up to lure the attacker.

Network-Based and Host-Based IPS
- NIPS: Sensor appliances are connected to network segments to monitor many hosts.
- HIPS: Centrally managed software agents are installed on each host.
  - CSAs defend the protected hosts and report to the central management console.
  - HIPS provides individual host detection and protection.
  - HIPS does not require special hardware.

Comparing HIPS and NIPS (criteria compared)
- Application-level encryption protection
- Policy enhancement (resource control)
- Web application protection
- Buffer overflow
- Network attack and reconnaissance prevention
- DoS prevention

NIPS Features
- Sensors are network appliances that you tune for intrusion detection analysis:
  - The operating system is "hardened."
  - The hardware is dedicated to intrusion detection analysis.
- Sensors are connected to network segments. A single sensor can monitor many hosts.
- Growing networks are easily protected:
  - New hosts and devices can be added without adding sensors.
  - New sensors can be easily added to new networks.

NIDS and NIPS Deployment

Signature-Based IDS and IPS
- Observes and blocks or alarms if a known malicious event is detected:
  - Requires a database of known malicious patterns.
  - The database must be continuously updated.

Policy-Based IDS and IPS
- Observes and blocks or alarms if an event outside the configured policy is detected
- Requires a policy database

Anomaly-Based IDS and IPS
- Observes and blocks or alarms if an event outside known normal behavior is detected:
  - Statistical versus nonstatistical anomaly detection
  - Requires a definition of "normal"
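The two flavours named on this slide, as an added example that is not part of the Cisco course: a statistical detector learns "normal" as the mean and standard deviation of a constructed per-minute connection baseline and alarms on a z-score above an assumed threshold, while a nonstatistical detector alarms on any protocol outside an assumed allowed set. All sample values and thresholds are constructed.

```python
"""Anomaly-based detection over constructed connection-rate observations.
Added example, not Cisco code; baseline, protocol set and z threshold are assumptions."""
from statistics import mean, stdev

# Constructed baseline: connections per minute from one host during a "normal" period
BASELINE = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]
# Constructed nonstatistical definition of "normal": IP protocols this segment may carry
NORMAL_PROTOCOLS = {1, 6, 17}   # ICMP, TCP, UDP


class AnomalyDetector:
    def __init__(self, baseline, z_threshold=3.0, normal_protocols=NORMAL_PROTOCOLS):
        # Statistical model of "normal": centre and spread of the learned baseline
        self.mu = mean(baseline)
        self.sigma = stdev(baseline)
        self.z_threshold = z_threshold
        self.normal_protocols = set(normal_protocols)

    def statistical(self, conns_per_minute):
        """Return (is_anomaly, z): a rate far above the baseline is an anomaly."""
        z = (conns_per_minute - self.mu) / self.sigma
        return z > self.z_threshold, round(z, 2)

    def nonstatistical(self, proto):
        """Return True for any protocol number outside the defined normal set."""
        return proto not in self.normal_protocols


def evaluate(detector, observations):
    """observations: (minute, conns_per_minute, proto) tuples; returns (minute, reason) alarms."""
    alarms = []
    for minute, conns, proto in observations:
        is_anomaly, z = detector.statistical(conns)
        if is_anomaly:
            alarms.append((minute, f"rate z={z}"))
        if detector.nonstatistical(proto):
            alarms.append((minute, f"protocol {proto}"))
    return alarms


# Constructed observations: minute 3 is a rate spike, minute 4 carries protocol 47 (GRE)
OBSERVED = [(1, 14, 6), (2, 13, 17), (3, 95, 6), (4, 12, 47)]

if __name__ == "__main__":
    for minute, reason in evaluate(AnomalyDetector(BASELINE), OBSERVED):
        print(f"minute {minute}: anomaly ({reason})")
```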

Honeypot-Based IDS and IPS
- Observes a special system and alarms if any activity is directed at the system:
  - The special system is a trap for attackers and not used for anything else.
  - The special system is well-isolated from the system's environment.
  - The system is typically used as IDS, not IPS.

Signature Categories
- Four types of signatures:
  - Exploit signatures match specific known attacks.
  - Connection signatures match particular protocol traffic.
  - String signatures match string sequences in data.
  - DoS signatures match DoS attempts.
- Signature selection is based on:
  - Type of network protocol
  - Operating system
  - Service
  - Attack type
- Number of available signatures: about 1500 for IPS sensors, 1200 for IOS IPS

Exploit Signatures
(OSI layers shown on the slide: Application, Presentation, Session, Transport, Network, Data Link, Physical)
- DNS reconnaissance and DoS
- Worms, viruses, Trojan horses, adware, malware
- Port sweeps
- Port scans
- TCP SYN attack
- Fragmentation attacks
- IP options
- ICMP reconnaissance and DoS

Signature Examples
- ID 1101, Unknown IP Protocol: This signature triggers when an IP datagram is received with the protocol field set to 134 or greater.
- ID 1307, TCP Window Size Variation: This signature will fire when the TCP window varies in a suspect manner.
- ID 3002, TCP SYN Port Sweep: This signature triggers when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host.
- ID 3227, WWW HTML Script Bug: This signature triggers when an attempt is made to view files above the HTML root directory.
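How three of the signatures listed above would be matched by a signature-based engine, as an added example that is not Cisco IOS IPS code: 1101 is a stateless check on the protocol field, 3002 needs per-(source, host) state to count distinct SYN destination ports, and 3227 inspects the decoded request path. The sweep threshold, the "../" match pattern and all packets are constructed assumptions.

```python
"""Signature matching in the style of the Cisco IPS signature table above.
Added example over constructed packet records, not Cisco code; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int          # IP header protocol field (6 = TCP)
    dport: int = 0      # destination port, TCP only
    flags: str = ""     # TCP flags, "S" for a bare SYN
    payload: str = ""   # decoded application data, if any


class SignatureEngine:
    def __init__(self, sweep_ports=5):
        self.sweep_ports = sweep_ports          # assumed: distinct ports before 3002 fires
        self._syn_ports = defaultdict(set)      # (src, dst) -> destination ports seen with SYN

    def inspect(self, pkt):
        """Return the (signature id, name) pairs that fire for this packet."""
        alerts = []
        # 1101 Unknown IP Protocol: protocol field set to 134 or greater (stateless)
        if pkt.proto >= 134:
            alerts.append((1101, "Unknown IP Protocol"))
        # 3002 TCP SYN Port Sweep: SYNs from one source to many ports on one host (stateful)
        if pkt.proto == 6 and pkt.flags == "S":
            seen = self._syn_ports[(pkt.src, pkt.dst)]
            seen.add(pkt.dport)
            if len(seen) == self.sweep_ports:   # fire once, when the threshold is reached
                alerts.append((3002, "TCP SYN Port Sweep"))
        # 3227 WWW HTML Script Bug: request path climbs above the HTML root (content match)
        parts = pkt.payload.split()
        if pkt.proto == 6 and pkt.dport == 80 and len(parts) >= 2 and parts[0] == "GET":
            if "../" in parts[1] or "..\\" in parts[1]:   # assumed match pattern
                alerts.append((3227, "WWW HTML Script Bug"))
        return alerts


def run(packets):
    """Inspect packets in order; return (signature id, src, dst) for every alert."""
    engine = SignatureEngine()
    return [(sid, p.src, p.dst) for p in packets for sid, _ in engine.inspect(p)]


# Constructed sample traffic: one odd protocol, one five-port SYN sweep, two HTTP requests
SAMPLE = [Packet("10.0.0.5", "10.0.0.20", proto=200)]
SAMPLE += [Packet("10.0.0.9", "10.0.0.20", 6, p, "S") for p in (21, 22, 23, 25, 80)]
SAMPLE += [Packet("10.0.0.7", "10.0.0.20", 6, 80, "PA", "GET /../private/notes.txt HTTP/1.0"),
           Packet("10.0.0.8", "10.0.0.20", 6, 80, "PA", "GET /index.html HTTP/1.0")]
```

Running `run(SAMPLE)` yields one alert per signature: 1101 for the protocol-200 datagram, 3002 once the fifth distinct port is probed, and 3227 for the traversal request, while the ordinary request to /index.html is silent.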

Summary
- The intrusion detection system (IDS) is a software- or hardware-based solution that passively listens to network traffic.
- An intrusion prevention system (IPS) is an active device in the traffic path that listens to network traffic and permits or denies flows and packets into the network.
- In a network-based system, or network intrusion prevention system (NIPS), the IPS analyses individual packets that flow through a network.
- In a host-based system, a host-based intrusion prevention system (HIPS) examines the activity on each individual computer or host.
- IDS and IPS use any one of four approaches to identifying malicious traffic:
  - Signature-based
  - Policy-based
  - Anomaly-based
  - Honeypot-based

Q and A

Resources
- Cisco Intrusion Prevention System: ex.html
- Cisco Intrusion Prevention System Support: _products_support_series_home.html
