C HAPTER 16 C ISCO IOS IPS
S ECURING N ETWORKS WITH IDS AND IPS Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) sensors protect your network from malicious traffic. The two systems are deployed differently and scan for malicious traffic in different ways. Each system has strengths and weaknesses when deployed separately, but when used together, IDS and IPS can provide a much richer and deeper level of security 2
B ASIC F UNCTIONS OF THE I NTRUSION D ETECTION S YSTEM (IDS) IDS is typically characterized as a passive listening device. This label is given to these systems because traffic does not have to pass through the system; IDS sensors listen promiscuously to all traffic on the network 3
B ASIC F UNCTIONS OF THE I NTRUSION P REVENTION S YSTEM (IPS) IPS is characterized as an active device. This is because the device is implemented as an inline sensor. The IPS requires the use of more than one interface, and all traffic must pass through the sensor. Network traffic enters through one interface and exits through another 4
U SING IDS AND IPS T OGETHER When you think about having one or the other of these sensors on your network, think about the benefits you would get from having both. An IPS sensor is much like a firewall; it can block traffic that is malicious or threatening. It should only block traffic that is known to be a threat, though. IPS should not block legitimate traffic or you could suffer a disruption in legitimate connectivity and find that applications are unable to perform their tasks 5
B ENEFITS AND D RAWBACKS OF IPS/IDS S ENSORS A network-based monitoring system has the benefit of easily seeing attacks that are occurring across the entire network Encryption of the network traffic stream can effectively blind the sensor. Reconstructing fragmented traffic can also be a difficult problem to solve 6
T YPES OF IDS AND IPS S ENSORS Network Based (NIPS,NIDS) Host Based (HIPS,HIDS) 7
N ETWORK B ASED I NTRUSION P REVENTION S YSTEM (NIPS) Network-based sensors examine packets and traffic that are traversing through the network for known signs of malicious activity. Because these systems are watching network traffic, any attack signatures detected may succeed or fail. It is usually difficult, if not impossible, for network- based monitoring systems to assess the success or failure of the actual attacks 8
H OST B ASED I NTRUSION P REVENTION S YSTEM (HIPS) A host-based sensor examines information at the local host or operating system. The HIPS has full access to the internals of the end station, and can relate incoming traffic to the activity on the end station to understand the context. Host-based sensors can be implemented to a couple of different complexity levels 9
M ALICIOUS T RAFFIC I DENTIFICATION A PPROACHES Signature-based Policy-based Anomaly-based Honeypot 10
S IGNATURE T YPES Exploit signatures Connection signatures String signatures DoS signatures 11
IPS A LARMS An IPS sensor can react in real time when a signature is matched. This allows the sensor to act before network security has been compromised. The sensor can optionally log whatever happened with a syslog message or Security Device Event Exchange (SDEE) 12
C ONFIGURING IOS IPS It is now time to look at the configuration of IOS IPS. This section takes you through the configuration process using the SDM interface. The SDM gives you quite a few configuration capabilities for IOS IPS. You can configure every option through the IPS Edit menu 13
SDM H OME S CREEN 14
D EFAULT C ONFIGURATION S CREEN 15
D EFAULT IPS S CREEN 16
SDEE E NABLE N OTIFICATION 17
IPS W IZARD W ELCOME S CREEN 18
S ELECT I NTERFACES S CREEN 19
SDF L OCATIONS S CREEN 20
A DD A S IGNATURE L OCATION D IALOG B OX 21
SDF L OCATIONS WITH F ILE A DDED 22
W IZARD S UMMARY P AGE 23
S UMMARY 24