Chapter 5: Implementing Intrusion Prevention


1 Chapter 5: Implementing Intrusion Prevention
CCNA-Security

2 Chapter 5: Objectives
In this chapter you will:
- Explain the functions and operations of IDS and IPS systems.
- Explain how network-based IPS is implemented.
- Describe the characteristics of IPS signatures.
- Explain how signature alarms are used in Cisco IPS solutions.
- Describe the purpose of tuning signature alarms in a Cisco IPS solution.
- Explain how the signature actions in a Cisco IPS solution affect network traffic.
- Explain how to manage and monitor a Cisco IPS solution.
- Describe the purpose and benefits of IPS Global Correlation.
- Configure Cisco IOS IPS using the CLI.
- Configure Cisco IOS IPS using CCP.
- Modify IPS signatures in the CLI and CCP.
- Verify the Cisco IOS IPS configuration.
- Monitor Cisco IOS IPS events.

3 Chapter 5 5.0 Introduction 5.1 IPS Technologies 5.2 IPS Signatures 5.3 Implement IPS 5.4 Verify and Monitor IPS 5.5 Summary

4 5.1 IPS Technologies

5 IDS and IPS Characteristics Zero-Day Attacks
Worms and viruses can spread across the world in minutes. A zero-day attack (zero-day threat) is a computer attack that exploits software vulnerabilities that are unknown or undisclosed by the software vendor. Zero-hour describes the moment when the exploit is discovered.

6 IDS and IPS Characteristics Monitor for Attacks
IDSs were implemented to passively monitor the traffic on a network. An IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets. Working offline, it compares the captured traffic stream with known malicious signatures. This offline IDS implementation is referred to as promiscuous mode. The advantage of operating on a copy of the traffic is that the IDS does not negatively affect the actual packet flow. The disadvantage is that the IDS cannot stop a malicious single-packet attack from reaching the target before it responds to the attack. A better solution is a device that can immediately detect and stop an attack. An IPS performs this function.

7 IDS and IPS Characteristics Detect and Stop Attacks
An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:
- Reconnaissance attacks
- Access attacks
- Denial of Service attacks
An IDS is a passive device because it analyzes copies of the traffic stream. It:
- Only requires a promiscuous interface.
- Does not slow network traffic.
- Allows some malicious traffic into the network.

8 IDS and IPS Characteristics Detect and Stop Attacks Cont.
An IPS builds upon IDS technology to detect attacks, but it can also immediately address the threat. An IPS is an active device because all traffic must pass through it. Referred to as "inline mode", it works inline in real time to monitor Layer 2 through Layer 7 traffic and content. It can also stop single-packet attacks from reaching the target system, which an IDS cannot.

9 IDS and IPS Characteristics IDS and IPS Characteristics

10 IDS and IPS Characteristics IDS and IPS Characteristics Cont.
An IDS or IPS sensor can be any of the following devices:
- Router configured with Cisco IOS IPS software.
- Appliance specifically designed to provide dedicated IDS or IPS services.
- Network module installed in an adaptive security appliance (ASA), switch, or router.
IDS and IPS technologies use signatures to detect patterns in network traffic. A signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures are used to detect severe security breaches and common network attacks, and to gather information.

11 IDS and IPS Characteristics Advantages and Disadvantages of IDS and IPS

12 Network-Based IPS Implementations Network IPS Sensors
The implementation analyzes network-wide activity looking for malicious activity. It is configured to monitor known signatures, but can also detect abnormal traffic patterns. Configured on:
- Dedicated IPS appliances
- ISR routers
- ASA firewall appliances
- Catalyst 6500 network modules

13 Network-Based IPS Implementations Network IPS Sensors Cont.
Sensors are connected to network segments. A single sensor can monitor many hosts. Sensors are network appliances tuned for intrusion detection analysis. The OS is stripped of unnecessary services ("hardened"), and the hardware is dedicated to intrusion detection analysis. The hardware includes three components:
- Network interface card (NIC) - Able to connect to any network.
- Processor - Requires CPU power to perform intrusion detection analysis and pattern matching.
- Memory - Intrusion detection analysis is memory-intensive.
Growing networks are easily protected: new hosts and devices can be added without adding sensors, and new sensors can be easily added to new networks.

14 Network-Based IPS Implementations Cisco IPS Solutions

15 Network-Based IPS Implementations Cisco IPS Solutions Cont.

16 Network-Based IPS Implementations Choose an IPS Solution
Several factors affect IPS sensor selection and deployment:
- Amount of network traffic
- Network topology
- Security budget
- Available security staff to manage the IPS
- Organization
- Site

17 Network-Based IPS Implementations IPS Advantages and Disadvantages

18 5.2 IPS Signatures

19 IPS Signature Characteristics Signature Attributes
Malicious traffic displays distinct characteristics or "signatures." These signatures uniquely identify specific worms, viruses, protocol anomalies, or malicious traffic. IPS sensors are tuned to look for matching signatures or abnormal traffic patterns. When a sensor matches a signature with a data flow, it takes action, such as logging the event or sending an alarm to IDS or IPS management. Signatures have three distinctive attributes:
- Type
- Trigger (alarm)
- Action

20 IPS Signature Characteristics Signature Types- Atomic Signature
Signature types are categorized as atomic or composite. An atomic signature is the simplest type of signature. It consists of a single packet, activity, or event. Detecting atomic signatures consumes minimal resources. These signatures are easy to identify and understand because they are compared against a specific event or packet.

21 IPS Signature Characteristics Signature Types- Atomic Signature Cont.
A land attack contains a spoofed TCP SYN packet with the IP address of the target host as both source and destination, causing the machine to reply to itself continuously.

22 IPS Signature Characteristics Signature Types - Composite Signature
A composite signature is also called a stateful signature. It identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. An IPS uses a configured event horizon to determine how long it keeps looking for the remaining pieces of a specific attack signature; events that fall outside the horizon are discarded.
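The two signature types side by side, as an added example that is not part of the original chapter: the land attack from the previous slide as an atomic signature (one packet decides), and a constructed stateful "port sweep" signature whose matches only count inside the event horizon. The inline sensor, the signature identifiers and the action names are illustrative assumptions, not Cisco IOS IPS code.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port
    flags: str     # TCP flags, "S" = SYN


@dataclass
class Alert:
    sig_id: str
    action: str
    detail: str


# Atomic signature: a single packet decides. The land attack is a TCP SYN whose
# source and destination address are the same host.
def land_attack(pkt: Packet) -> bool:
    return pkt.flags == "S" and pkt.src == pkt.dst


class PortSweepSignature:
    """Composite (stateful) signature: SYNs from one source to `threshold`
    distinct ports inside the event horizon (seconds). Older events are
    forgotten, so a sweep spread out beyond the horizon never fires."""

    def __init__(self, threshold: int, horizon: float):
        self.threshold = threshold
        self.horizon = horizon
        self.state = defaultdict(deque)  # src -> deque of (ts, dport)

    def match(self, pkt: Packet) -> bool:
        if pkt.flags != "S":
            return False
        q = self.state[pkt.src]
        q.append((pkt.ts, pkt.dport))
        while q and pkt.ts - q[0][0] > self.horizon:
            q.popleft()  # outside the event horizon
        return len({port for _, port in q}) >= self.threshold


class Sensor:
    """Inline sensor: every packet is inspected before it is forwarded."""

    def __init__(self, horizon: float = 10.0):
        sweep = PortSweepSignature(threshold=5, horizon=horizon)
        # signature id -> (trigger, action); ids and actions are illustrative
        self.signatures = {
            "LAND-ATTACK": (land_attack, "deny-packet-inline"),
            "TCP-PORT-SWEEP": (sweep.match, "produce-alert"),
        }
        self.alerts: list[Alert] = []

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet may be forwarded, False if it is dropped."""
        forward = True
        for sig_id, (trigger, action) in self.signatures.items():
            if trigger(pkt):
                self.alerts.append(
                    Alert(sig_id, action, f"{pkt.src} -> {pkt.dst}:{pkt.dport}"))
                if action == "deny-packet-inline":
                    forward = False
        return forward
```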

23 IPS Signature Characteristics Signature File
As new threats are identified, new signatures must be created and uploaded to an IPS. To make this process easier, all signatures are contained in a signature file and uploaded to an IPS on a regular basis.

24 IPS Signature Characteristics Signature Micro-Engines
To make the scanning of signatures more efficient, the Cisco IOS software relies on signature micro-engines (SME), which categorize common signatures in groups. The Cisco IOS software can then scan for multiple signatures based on group characteristics, instead of one at a time. The available SMEs vary depending on the platform, Cisco IOS version, and version of the signature file.

25 IPS Signature Characteristics Acquire the Signature File
Cisco investigates new threats as they are discovered, creates signatures for them, and publishes them regularly. Lower-priority IPS signature files are published biweekly. If the threat is severe, Cisco publishes signature files within hours of identification. Update the signature file regularly to protect the network. Each update includes new signatures and all the signatures in the previous version. For example, the IOS-S595-CLI.pkg signature file includes all signatures in file IOS-S594-CLI.pkg, plus signatures created for threats discovered subsequently. New signatures are downloadable from CCO and require a valid CCO login.

26 IPS Signature Alarms Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the signature trigger.

27 Signature Alarm Pattern-Based Detection
Pattern-based detection, also known as signature-based detection, compares the network traffic to a database of known attacks and triggers an alarm, or prevents the communication, if a match is found.

28 Signature Alarm Anomaly-Based Detection
Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. The signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile. 

29 IPS Signature Alarms Policy-Based Detection
Policy-based detection is also known as behavior-based detection. The administrator defines behaviors that are suspicious based on historical analysis. Honeypot-based detection uses a dummy server to attract attacks; the honeypot approach distracts attacks away from real network devices. Honeypot systems are rarely used in production environments.

30 IPS Signature Alarms Benefits of Implementing an IPS
An IPS uses the underlying routing infrastructure to provide an additional layer of security. Since Cisco IOS IPS is inline, attacks can be effectively mitigated by denying malicious traffic from both inside and outside the network. When used in combination with Cisco IDS, Cisco IOS Firewall, VPN, and Network Admission Control (NAC) solutions, Cisco IOS IPS provides threat protection at all entry points to the network. It is supported by easy and effective management tools, such as Cisco Configuration Professional. The size of the signature database used by the device can be adapted to the amount of memory available in the router.

31 Tuning IPS Signature Alarms Trigger False Alarms
Triggering mechanisms can generate alarms that are false positives or false negatives. These alarms must be addressed when implementing an IPS sensor.

32 Tuning IPS Signature Alarms Tune Signature
An administrator must balance the number of incorrect alarms that can be tolerated with the ability of the signature to detect actual intrusions. If IPS systems use untuned signatures, they produce many false positive alarms.

33 Tuning IPS Signature Alarms Tune Signature Cont.
Signature severity levels:
- Low - Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is unlikely.
- Medium - Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
- High - Attacks used to gain access or cause a DoS are detected, and an immediate threat is extremely likely.
- Informational - The activity that triggers the signature is not considered an immediate threat, but the information provided is useful.

34 IPS Signature Actions Signature Actions
Whenever a signature detects the activity for which it is configured, the signature triggers one or more actions. Several actions can be performed:
- Generate an alert.
- Log the activity.
- Drop or prevent the activity.
- Reset a TCP connection.
- Block future activity.
- Allow the activity.

35 IPS Signature Actions Signature Actions Cont.

36 IPS Signature Actions Generate an Alert
An IPS can be enabled to produce an alert or a verbose alert. Atomic alerts are generated every time a signature triggers. Some IPS solutions enable the administrator to generate summary alerts, which indicate multiple occurrences of the same signature from the same source address or port.

37 IPS Signature Actions Log the Activity
Used when an administrator does not necessarily have enough information to stop an activity. An IPS can be enabled to log the attacker packets, the attacker/victim pair packets, or just the victim packets. An administrator can then perform a detailed analysis, identify exactly what is taking place, and decide whether it should be allowed or denied in the future.

38 IPS Signature Actions Drop or Prevent the Activity
An IPS can be enabled to deny the attacker packets, deny the connection, or deny the specific packet.

39 IPS Signature Actions Reset, Block, and Allow Traffic

40 Manage and Monitor IPS Monitor Activity
Monitoring the security-related events on a network is also a crucial aspect of protecting a network from attack.

41 Manage and Monitor IPS Monitoring Considerations

42 Manage and Monitor IPS Monitor IPS Using CCP
GUI-based IPS device managers include:
- Cisco Configuration Professional (CCP) - Allows administrators to control the application of Cisco IOS IPS on interfaces, import and edit signature definition files (SDFs) from cisco.com, and configure the action that Cisco IOS IPS is to take if a threat is detected.
- Cisco IPS Manager Express (IME) - An all-in-one IPS management application to provision, monitor, troubleshoot, and generate reports for up to 10 IPS sensors.
- Cisco Security Manager - Can be used to manage multiple IPS sensors and other infrastructure devices. It supports automatic policy-based IPS sensor software and signature updates and includes a signature update wizard allowing easy review and editing prior to deployment.

43 Manage and Monitor IPS Secure Device Event Exchange
IPS sensors and Cisco IOS IPS generate alarms when an enabled signature is triggered. These alarms are stored on the sensor and can be viewed locally, or through a management application, such as IPS Manager Express. The Cisco IOS IPS feature can send a syslog message or an alarm in Secure Device Event Exchange (SDEE) format. CCP can monitor syslog and SDEE-generated events and keep track of alarms that are common in SDEE system messages, including IPS signature alarms.

44 Manage and Monitor IPS IPS Configuration Best Practices
The need to upgrade sensors with the latest signature packs must be balanced against the momentary downtime during which the network becomes vulnerable to attack.
- Update signature packs automatically.
- Download new signatures to a secure server within the management network.
- Place signature packs on a dedicated SFTP server within the management network.

45 Manage and Monitor IPS IPS Configuration Best Practices Cont.
- Configure the sensors to regularly check the SFTP server for new signature packs.
- Keep the signature levels that are supported on the management console synchronized with the signature packs on the sensors.

46 IPS Global Correlation Cisco Global Correlation
Cisco IPS includes a security feature called Cisco Global Correlation. Cisco IPS devices receive regular threat updates from a centralized Cisco threat database called the Cisco SensorBase Network. The Cisco SensorBase Network contains real-time, detailed information about known threats on the Internet.

47 IPS Global Correlation Cisco SensorBase Network
When participating in global correlation, the Cisco SensorBase Network provides information to the IPS sensor about IP addresses with a reputation. The sensor uses this information to determine which actions, if any, to perform when potentially harmful traffic is received from a host with a known reputation.

48 IPS Global Correlation Cisco Security Intelligence Operation
The SensorBase Network is part of a larger, back-end security ecosystem known as the Cisco Security Intelligence Operation (SIO). Its purpose is to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected. Cisco SIO consists of three elements:
- Threat intelligence from the Cisco SensorBase Network.
- The Threat Operations Center, the combination of automated and human processing and analysis.
- The automated and best-practices content that is pushed to network elements in the form of dynamic updates.

49 5.3 Implement IPS

50 Configure Cisco IOS IPS with CLI Implement IOS IPS Files
To implement Cisco IOS IPS:
1. Download the IOS IPS files.
2. Create an IOS IPS configuration directory in flash.
3. Configure an IOS IPS crypto key.
4. Enable IOS IPS (consists of several substeps).
5. Load the IOS IPS signature package to the router.

51 Configure Cisco IOS IPS with CLI Download the IOS IPS Files
Cisco IOS release 12.4(10)T and earlier provided built-in signatures in the Cisco IOS software image and support for imported signatures. With newer IOS versions, all signatures are stored in a separate signature file and must be imported. Step 1. Download the IOS IPS signature package files and a public crypto key from cisco.com:
- IOS-Sxxx-CLI.pkg - The latest signature package
- realm-cisco.pub.key.txt - The public crypto key used by IOS IPS

52 Configure Cisco IOS IPS with CLI Download the IOS IPS Files Cont.
Step 2. Create an IOS IPS configuration directory in flash.

53 Configure Cisco IOS IPS with CLI Configure an IPS Crypto Key
The crypto key verifies the digital signature of the master signature file (sigdef-default.xml). The content of the file is signed with a Cisco private key to guarantee its authenticity and integrity. Step 3. Configure an IOS IPS crypto key: highlight and copy the text in the public key file, then paste the copied text at the global configuration prompt.

54 Configure Cisco IOS IPS with CLI Enable IOS IPS
Step 4. Enable IOS IPS. a. Identify the IPS rule name and specify the location. Use the ip ips name [rule name] [optional ACL] command to create a rule name. An optional extended or standard ACL can be used to filter the traffic; traffic that is denied by the ACL is not inspected by the IPS. Use the ip ips config location flash:directory-name command to configure the IPS signature storage location. Prior to IOS 12.4(11)T, the ip ips sdf location command was used.

55 Configure Cisco IOS IPS with CLI Enable IOS IPS Cont.
Step 4. Enable IOS IPS. b. Enable SDEE and logging event notification. The HTTP server must first be enabled with the ip http server command, and SDEE notification must be explicitly enabled using the ip ips notify sdee command. IOS IPS also supports logging to send event notification. SDEE and logging can be used independently or simultaneously. Logging notification is enabled by default; use the ip ips notify log command to enable it.

56 Configure Cisco IOS IPS with CLI Enable IOS IPS Cont.
Step 4. Enable IOS IPS. c. Configure the signature category. All signatures are grouped into categories, and the categories are hierarchical. The three most common categories are all, basic, and advanced.

57 Configure Cisco IOS IPS with CLI Enable IOS IPS Cont.
Step 4. Enable IOS IPS. d. Apply the IPS rule to an interface, and specify direction. Use the ip ips rule-name [in | out] interface configuration mode command to apply the IPS rule.

58 Configure Cisco IOS IPS with CLI Load the IPS Signature Package in RAM
Step 5. Load the IOS IPS signature package to the router. Upload the signature package to the router using either FTP or TFTP. To copy the downloaded signature package from the FTP server to the router, use the idconf parameter at the end of the copy command.
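A check a practitioner would run after Steps 4 and 5, added here and not part of the chapter: audit a saved running-config for the pieces those steps create (rule name, storage location, SDEE plus the HTTP server it depends on, the rule applied to an interface, and the signature category). The running-config excerpt is constructed for the example and deliberately leaves out ip http server so the SDEE check has something to find.

```python
import re

# Constructed running-config excerpt (not from a real router). It deliberately
# omits "ip http server" although SDEE notification is enabled.
SAMPLE_RUNNING_CONFIG = """\
hostname R1
!
ip ips config location flash:IPS
ip ips notify sdee
ip ips name IOSIPS
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip ips IOSIPS in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
end
"""


def audit_ips_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    rules = set(re.findall(r"^ip ips name (\S+)", config, re.M))
    if not rules:
        findings.append("no IPS rule defined (ip ips name)")
    if not re.search(r"^ip ips config location \S+", config, re.M):
        findings.append("no signature storage location (ip ips config location)")
    sdee = re.search(r"^ip ips notify sdee$", config, re.M) is not None
    http = re.search(r"^ip http (secure-)?server$", config, re.M) is not None
    if sdee and not http:
        findings.append("SDEE enabled but HTTP server is off; SDEE events cannot be retrieved")
    if not sdee and re.search(r"^no ip ips notify log$", config, re.M):
        findings.append("neither SDEE nor syslog notification is enabled")
    # Walk interface blocks to see which rules are actually applied inline.
    applied, iface = set(), None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        if not line.startswith(" "):
            iface = None            # left the interface block
            continue
        m = re.match(r"^ ip ips (\S+) (in|out)$", line)
        if m and iface:
            applied.add(m.group(1))
            if m.group(1) not in rules:
                findings.append(f"{iface} applies undefined rule {m.group(1)}")
    for rule in sorted(rules - applied):
        findings.append(f"rule {rule} is defined but not applied to any interface")
    # Only a tuned subset (e.g. ios_ips basic) should be compiled: "all" retired.
    cat = re.search(r"^ip ips signature-category\n(.*?)^!", config, re.M | re.S)
    if cat is None:
        findings.append("no signature category configured")
    elif not re.search(r"^ category all\n  retired true$", cat.group(1), re.M):
        findings.append("category 'all' is not retired; full set may exhaust memory")
    return findings
```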

59 Configure Cisco IOS IPS using CCP Implement IOS IPS Using CCP
CCP needs a minimum Java memory heap size of 256 MB to support IOS IPS. Exit CCP and open the Windows Control Panel. Click the Java option to open the Java Control Panel. Select the Java tab and click View under Java Applet Runtime Settings. In the Java Runtime Parameter field, enter -Xmx256m, and click OK.

60 Configure Cisco IOS IPS using CCP Implement IOS IPS Using CCP Cont.
CCP provides controls for applying Cisco IOS IPS on interfaces, importing and editing signature files from cisco.com, and configuring the action that Cisco IOS IPS takes if a threat is detected.

61 Configure Cisco IOS IPS using CCP Launch the IPS Rule Wizard
Prior to configuring IPS with Cisco Configuration Professional, download the latest IPS signature file and public key, if required, from cisco.com. To launch the IPS Rule wizard:
1. On the CCP menu bar, click Configure > Security > Intrusion Prevention > Create IPS.
2. Click Launch IPS Rule Wizard.
3. Read the Welcome to the IPS Policies Wizard screen and click Next.
4. In the Select Interfaces window, select the interfaces to which to apply the IPS rule and the direction of traffic.

62 Configure Cisco IOS IPS using CCP Configure the Crypto Key

63 Configure Cisco IOS IPS using CCP Specify the Signature File

64 Configure Cisco IOS IPS using CCP Complete the IOS IPS Wizard
Use the show running-config command to verify the IPS configuration generated by the CCP IPS wizard.

65 Modify Cisco IOS IPS Signatures Retire and Unretire Signatures
The Cisco IOS CLI can be used to retire or unretire individual signatures or a group of signatures that belong to a signature category.
Retire a Specific Signature
Unretire a Signature Category

66 Modify Cisco IOS IPS Signatures Change Signature Actions
To change an action, the event-action command must be used in IPS Category Action mode or Signature Definition Engine mode.
Change Actions for a Signature
Change Actions for a Category

67 Modify Cisco IOS IPS Signatures Edit Signatures

68 Modify Cisco IOS IPS Signatures Tune a Signature

69 Modify Cisco IOS IPS Signatures Access and Configure Signature Parameters

70 Modify Cisco IOS IPS Signatures Access and Configure Signature Parameters Cont.

71 5.4 Verify and Monitor IPS

72 Verify Cisco IOS IPS Verify IOS IPS
Several show commands can be used to verify the IOS IPS configuration. The show ip ips privileged EXEC mode command can be used with other parameters to provide specific IPS information, for example:
- show ip ips all
- show ip ips configuration
- show ip ips interfaces
- show ip ips signatures

73 Verify Cisco IOS IPS Verify IOS IPS Using CCP

74 Monitoring Cisco IOS IPS Report IPS Alerts
Two methods to report IPS intrusion alerts to Cisco Configuration Professional:
- Security Device Event Exchange (SDEE) - The sdee keyword sends messages in SDEE format.
- Cisco IOS logging via syslog - The log keyword sends messages in syslog format.

75 Monitoring Cisco IOS IPS Enable SDEE
SDEE is the preferred method of reporting IPS activity. SDEE uses HTTP and XML to provide a standardized approach. Enable SDEE on an IOS IPS router using the ip ips notify sdee command.
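An added example that is not part of the chapter, covering the syslog reporting path from the two previous slides and the summary alerts from the Generate an Alert slide: parse IOS IPS syslog alerts into fields and collapse repeated firings of one signature from one source into a summary alert. The regular expression is modelled on the %IPS-4-SIGNATURE message layout and the log lines are constructed, not captured from a real router; the threshold of three is an assumption.

```python
import re
from collections import Counter

# Pattern modelled on the Cisco IOS IPS %IPS-4-SIGNATURE syslog message
# (VRF and RiskRating fields are optional; older releases omit them).
IPS_SYSLOG = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))?(?: RiskRating:(?P<rr>\d+))?"
)

# Numeric severities IOS IPS assigns to the four alarm levels.
SEVERITY_NAME = {25: "informational", 50: "low", 75: "medium", 100: "high"}

# Constructed sample lines (not captured from a real router).
SAMPLE_LOG = [
    "Mar  1 10:15:02.101: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request "
    "[198.51.100.7:8 -> 192.0.2.20:0] VRF:NONE RiskRating:25",
    "Mar  1 10:15:02.233: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request "
    "[198.51.100.7:8 -> 192.0.2.21:0] VRF:NONE RiskRating:25",
    "Mar  1 10:15:02.390: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request "
    "[198.51.100.7:8 -> 192.0.2.22:0] VRF:NONE RiskRating:25",
    "Mar  1 10:15:09.004: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN Packet "
    "[198.51.100.9:4001 -> 192.0.2.20:80]",
    "Mar  1 10:15:10.500: %SYS-5-CONFIG_I: Configured from console by admin",
]


def parse_ips_syslog(line: str):
    """Return a dict of alert fields, or None if the line is not an IPS alert."""
    m = IPS_SYSLOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sig", "subsig", "sev", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["rr"] = int(rec["rr"]) if rec["rr"] else None
    rec["level"] = SEVERITY_NAME.get(rec["sev"], "unknown")
    return rec


def summarize_alerts(lines, threshold: int = 3):
    """Keep every atomic alert, and emit a summary alert for each
    (signature, source) pair that fires at least `threshold` times."""
    counts = Counter()
    atomic = []
    for line in lines:
        rec = parse_ips_syslog(line)
        if rec is None:
            continue                    # not an IPS message
        counts[(rec["sig"], rec["src"])] += 1
        atomic.append(rec)
    summaries = [
        {"sig": sig, "src": src, "count": n}
        for (sig, src), n in counts.items() if n >= threshold
    ]
    return atomic, summaries
```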

76 Monitoring Cisco IOS IPS Monitor IOS IPS Using CCP

77 5.5 Summary

78 Chapter 5 Summary
- A network must be able to instantly recognize and mitigate worm and virus threats.
- A network-based IPS should be implemented inline to defend against fast-moving Internet worms and viruses.
- IPS signatures provide an IPS with a list of identified problems.
- The IPS signatures are configured to use various triggers and actions.
- Security staff must continuously monitor an IPS solution and tune signatures as necessary to ensure an adequate level of protection.
