Chapter 5: Implementing Intrusion Prevention

CCNA-Security

© 2008 Cisco Systems, Inc. All rights reserved.


Chapter 5: Objectives

In this chapter you will:

Explain the functions and operations of IDS and IPS systems.

Explain how network-based IPS is implemented.

Describe the characteristics of IPS signatures.

Explain how signature alarms are used in Cisco IPS solutions.

Describe the purpose of tuning signature alarms in a Cisco IPS solution.

Explain how the signature actions in a Cisco IPS solution affect network traffic.

Explain how to manage and monitor a Cisco IPS solution.

Describe the purpose and benefits of IPS Global Correlation.

Configure Cisco IOS IPS using CLI.

Configure Cisco IOS IPS using CCP.

Modify IPS signatures in CLI and CCP.

Verify Cisco IOS IPS configuration.

Monitor the Cisco IOS IPS events.


Chapter 5

5.0 Introduction

5.1 IPS Technologies

5.2 IPS Signatures

5.3 Implement IPS

5.4 Verify and Monitor IPS

5.5 Summary


5.1 IPS Technologies


IDS and IPS Characteristics

Zero-Day Attacks

Worms and viruses can spread across the world in minutes. A zero-day attack (zero-day threat) is a computer attack that tries to exploit software vulnerabilities.

Zero-hour describes the moment when the exploit is discovered.


IDS and IPS Characteristics

Monitor for Attacks

IDSs were implemented to passively monitor the traffic on a network.

An IDS-enabled device copies the traffic stream, and analyzes the copied traffic rather than the actual forwarded packets.

Working offline, it compares the captured traffic stream with known malicious signatures.

This offline IDS implementation is referred to as promiscuous mode.

The advantage of operating with a copy of the traffic is that the IDS does not negatively affect the actual packet flow.

The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target before responding to the attack.

A better solution is to use a device that can immediately detect and stop an attack. An IPS performs this function.


IDS and IPS Characteristics

Detect and Stop Attacks

An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:

• Reconnaissance attacks

• Access attacks

• Denial of Service attacks

An IDS is a passive device because it analyzes copies of the traffic stream.

• Only requires a promiscuous interface.

• Does not slow network traffic.

• Allows some malicious traffic into the network.


IDS and IPS Characteristics

Detect and Stop Attacks Cont.

An IPS builds upon IDS technology to detect attacks.

However, it can also immediately address the threat.

An IPS is an active device because all traffic must pass through it.

Referred to as “inline-mode”, it works inline in real time to monitor Layer 2 through Layer 7 traffic and content.

It can also stop single-packet attacks from reaching the target system (IDS cannot).


IDS and IPS Characteristics


IDS and IPS Characteristics

IDS and IPS Characteristics Cont.

An IDS or IPS sensor can be any of the following devices:

Router configured with Cisco IOS IPS software.

Appliance specifically designed to provide dedicated IDS or IPS services.

Network module installed in an adaptive security appliance (ASA), switch, or router.

IDS and IPS technologies use signatures to detect patterns in network traffic.

A signature is a set of rules that an IDS or IPS uses to detect malicious activity. 

Signatures are used to detect severe security breaches, common network attacks, and to gather information.


IDS and IPS Characteristics

Advantages and Disadvantages of IDS and IPS


Network-Based IPS Implementations

Network IPS Sensors

A network IPS implementation analyzes network-wide activity, looking for malicious activity.

Sensors are configured to monitor for known signatures, but can also detect abnormal traffic patterns.

Network IPS can be configured on:

• Dedicated IPS appliances

• ISR routers

• ASA firewall appliances

• Catalyst 6500 network modules


Network-Based IPS Implementations

Network IPS Sensors Cont.

Sensors are connected to network segments. A single sensor can monitor many hosts.

Sensors are network appliances tuned for intrusion detection analysis.

• The OS is stripped of unnecessary services - “hardened.”

• The hardware is dedicated to intrusion detection analysis.

The hardware includes three components:

• Network interface card (NIC) - Able to connect to any network.

• Processor - Requires CPU power to perform intrusion detection analysis and pattern matching.

• Memory - Intrusion detection analysis is memory-intensive.

Growing networks are easily protected.

• New hosts and devices can be added without adding sensors.

• New sensors can be easily added to new networks.


Network-Based IPS Implementations

Cisco IPS Solutions


Network-Based IPS Implementations

Cisco IPS Solutions Cont.


Network-Based IPS Implementations

Choose an IPS Solution

There are several factors that affect IPS sensor selection and deployment:

Amount of network traffic

Network topology

Security budget

Available security staff to manage IPS

Organization Site


Network-Based IPS Implementations

IPS Advantages and Disadvantages


5.2 IPS Signatures


IPS Signature Characteristics

Signature Attributes

Malicious traffic displays distinct characteristics or “signatures.” These signatures uniquely identify specific worms, viruses, protocol anomalies, or malicious traffic.

IPS sensors are tuned to look for matching signatures or abnormal traffic patterns.

When a sensor matches a signature with a data flow, it takes action, such as logging the event or sending an alarm to IDS or IPS.

Signatures have three distinctive attributes:

• Type

• Trigger (alarm)

• Action


IPS Signature Characteristics

Signature Types - Atomic Signature

Signature types are categorized as atomic or composite.

An atomic signature is the simplest type of signature. It consists of a single packet, activity, or event.

Detecting atomic signatures consumes minimal resources. These signatures are easy to identify and understand because they are compared against a specific event or packet.


IPS Signature Characteristics

Signature Types - Atomic Signature Cont.

A land attack contains a spoofed TCP SYN packet with the IP address of the target host as both source and destination, causing the machine to reply to itself continuously.


IPS Signature Characteristics

Signature Types - Composite Signature

A composite signature is also called a stateful signature. A composite signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.

An IPS uses a configured event horizon to determine how long it looks for a specific attack signature.


IPS Signature Characteristics

Signature File

As new threats are identified, new signatures must be created and uploaded to an IPS.

To make this process easier, all signatures are contained in a signature file and uploaded to an IPS on a regular basis.


IPS Signature Characteristics

Signature Micro-Engines

To make the scanning of signatures more efficient, the Cisco IOS software relies on signature micro-engines (SMEs), which categorize common signatures in groups.

The Cisco IOS software can then scan for multiple signatures based on group characteristics, instead of one at a time.

The available SMEs vary depending on the platform, Cisco IOS version, and version of the signature file.


IPS Signature Characteristics

Acquire the Signature File

Cisco investigates and creates signatures for new threats as they are discovered, and publishes them regularly.

• Lower priority IPS signature files are published biweekly.

• If the threat is severe, Cisco publishes signature files within hours of identification.

Update the signature file regularly to protect the network.

• Each update includes new signatures and all the signatures in the previous version.

• For example, the IOS-S595-CLI.pkg signature file includes all signatures in file IOS-S594-CLI.pkg, plus signatures created for threats discovered subsequently.

New signatures are downloadable from CCO, and require a valid CCO login.


IPS Signature Alarms

Signature Alarm

The heart of any IPS signature is the signature alarm, often referred to as the signature trigger.


Signature Alarm

Pattern-Based Detection

Pattern-based detection, also known as signature-based detection, compares the network traffic to a database of known attacks and triggers an alarm, or prevents communication, if a match is found.


Signature Alarm

Anomaly-Based Detection

Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host.

The signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile. 


IPS Signature Alarms

Policy-Based Detection

Policy-based detection is also known as behavior-based detection.

The administrator defines behaviors that are suspicious based on historical analysis.

Honeypot-based detection uses a dummy server to attract attacks.

• The honeypot approach is to distract attacks away from real network devices.

• Honeypot systems are rarely used in production environments.


IPS Signature Alarms

Benefits of Implementing an IPS

An IPS uses the underlying routing infrastructure to provide an additional layer of security.

Since Cisco IOS IPS is inline, attacks can be effectively mitigated by denying malicious traffic from both inside and outside the network.

When used in combination with Cisco IDS, Cisco IOS Firewall, VPN, and Network Admission Control (NAC) solutions, Cisco IOS IPS provides threat protection at all entry points to the network.

It is supported by easy and effective management tools, such as the Cisco Configuration Professional.

The size of the signature database used by the device can be adapted to the amount of available memory in the router.


Tuning IPS Signature Alarms

Trigger False Alarms

Triggering mechanisms can generate alarms that are false positives or false negatives.

These alarms must be addressed when implementing an IPS sensor.


Tuning IPS Signature Alarms

Tune Signature

An administrator must balance the number of incorrect alarms that can be tolerated with the ability of the signature to detect actual intrusions.

If IPS systems use untuned signatures, they produce many false positive alarms.


Tuning IPS Signature Alarms

Tune Signature Cont.

Low: Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is unlikely.

Medium: Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.

High: Attacks used to gain access or cause a DoS attack are detected, and an immediate threat is extremely likely.

Informational: Activity that triggers the signature is not considered an immediate threat, but the information provided is useful.


IPS Signature Actions

Signature Actions

Whenever a signature detects the activity for which it is configured, the signature triggers one or more actions.

Several actions can be performed:

• Generate an alert.

• Log the activity.

• Drop or prevent the activity.

• Reset a TCP connection.

• Block future activity.

• Allow the activity.


IPS Signature Actions

Signature Actions Cont.


IPS Signature Actions

Generate an Alert

An IPS can be enabled to produce an alert or a verbose alert.

Atomic alerts are generated every time a signature triggers.

Some IPS solutions enable the administrator to generate summary alerts, which indicate multiple occurrences of the same signature from the same source address or port.


IPS Signature Actions

Log the Activity

Used when an administrator does not necessarily have enough information to stop an activity.

An IPS can be enabled to log the attacker packets, pair packets, or just the victim packets.

An administrator can then perform a detailed analysis, identify exactly what is taking place, and make a decision as to whether it should be allowed or denied in the future.


IPS Signature Actions

Drop or Prevent the Activity

An IPS can be enabled to deny the attacker packets, deny the connection, or deny the specific packet.


IPS Signature Actions

Reset, Block, and Allow Traffic
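Bringing the atomic and composite signature types, the event horizon, severity levels, summary alerts and the actions above together, here is a toy inline engine written for this chapter (an added example, not Cisco code and not the behaviour of any Cisco product); the packets, thresholds and signature IDs 1000/2000 are constructed.

```python
"""Toy inline IPS signature engine (added example, not Cisco code).
Shows, on constructed packets: an atomic signature (LAND: one spoofed SYN with
source == destination), a composite/stateful signature bounded by an event
horizon, severity levels, the actions produce-alert / deny-packet / reset-tcp /
deny-attacker, and summary alerts. Signature IDs 1000/2000 are constructed."""
from collections import defaultdict, deque, namedtuple
from typing import Deque, Dict, List, Tuple

# ts = seconds into the constructed capture; flags = TCP flag letters ("S" = SYN)
Packet = namedtuple("Packet", "ts src dst sport dport proto flags")
# severity: informational/low/medium/high; trigger(pkt) -> bool is the alarm
Signature = namedtuple("Signature", "sig_id name severity trigger actions")


def land_attack(pkt: Packet) -> bool:
    """Atomic signature: a single TCP SYN whose source equals its destination."""
    return pkt.proto == "tcp" and "S" in pkt.flags and pkt.src == pkt.dst


class PortSweep:
    """Composite signature: SYNs from one source to >= threshold distinct ports
    within `horizon` seconds; older events leave the state (the event horizon)."""

    def __init__(self, threshold: int = 4, horizon: float = 5.0) -> None:
        self.threshold, self.horizon = threshold, horizon
        self._seen: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def __call__(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp" or "S" not in pkt.flags:
            return False
        window = self._seen[pkt.src]
        window.append((pkt.ts, pkt.dport))
        while window and pkt.ts - window[0][0] > self.horizon:
            window.popleft()  # forget events outside the event horizon
        return len({port for _, port in window}) >= self.threshold


class Engine:
    """Inline mode: process() returns the verdict ("forward"/"drop") and the
    actions applied; blocked attackers are dropped before any signature runs."""

    def __init__(self, signatures: List[Signature], summary_interval: float = 30.0):
        self.signatures, self.summary_interval = signatures, summary_interval
        self.alerts, self.resets = [], []  # alert dicts; resets as (src, sport, dst, dport)
        self.blocked: Dict[str, float] = {}   # attacker address -> time blocked

    def _alert(self, sig: Signature, pkt: Packet) -> None:
        # Summary alert: same signature, same source, inside the summary
        # interval -> increment the existing alert instead of adding one.
        for a in reversed(self.alerts):
            if (a["sig_id"] == sig.sig_id and a["src"] == pkt.src
                    and pkt.ts - a["first_ts"] <= self.summary_interval):
                a["count"] += 1
                return
        self.alerts.append({"sig_id": sig.sig_id, "name": sig.name, "severity": sig.severity,
                            "src": pkt.src, "dst": pkt.dst, "first_ts": pkt.ts, "count": 1})

    def process(self, pkt: Packet) -> Tuple[str, List[str]]:
        if pkt.src in self.blocked:
            return "drop", ["blocked-attacker"]
        verdict, applied = "forward", []
        for sig in self.signatures:
            if not sig.trigger(pkt):
                continue
            for action in sig.actions:
                applied.append(f"{sig.sig_id}:{action}")
                if action == "produce-alert":
                    self._alert(sig, pkt)
                elif action == "deny-packet-inline":
                    verdict = "drop"
                elif action == "reset-tcp-connection" and pkt.proto == "tcp":
                    self.resets.append((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                elif action == "deny-attacker-inline":
                    self.blocked[pkt.src] = pkt.ts
                    verdict = "drop"
        return verdict, applied


def build_engine() -> Engine:
    return Engine([
        Signature(1000, "LAND attack", "high", land_attack,
                  ("produce-alert", "deny-packet-inline")),
        Signature(2000, "TCP SYN port sweep", "medium", PortSweep(4, 5.0),
                  ("produce-alert", "reset-tcp-connection", "deny-attacker-inline")),
    ])


def run_demo() -> dict:
    # Constructed capture: a LAND packet, a four-port sweep from 10.0.0.5,
    # a benign SYN, then a second LAND packet that folds into a summary alert.
    eng = build_engine()
    capture = [
        Packet(0.0, "10.0.0.9", "10.0.0.9", 139, 139, "tcp", "S"),
        Packet(1.0, "10.0.0.5", "10.0.0.20", 40000, 21, "tcp", "S"),
        Packet(1.5, "10.0.0.5", "10.0.0.20", 40001, 22, "tcp", "S"),
        Packet(2.0, "10.0.0.5", "10.0.0.20", 40002, 23, "tcp", "S"),
        Packet(2.5, "10.0.0.5", "10.0.0.20", 40003, 25, "tcp", "S"),   # 4th port: fires
        Packet(3.0, "10.0.0.5", "10.0.0.20", 40004, 80, "tcp", "S"),   # attacker now blocked
        Packet(4.0, "10.0.0.7", "10.0.0.20", 50000, 443, "tcp", "S"),  # benign
        Packet(5.0, "10.0.0.9", "10.0.0.9", 139, 139, "tcp", "S"),
    ]
    verdicts = [eng.process(p)[0] for p in capture]
    return {"verdicts": verdicts, "alerts": eng.alerts,
            "blocked": sorted(eng.blocked), "resets": eng.resets}
```

The first three SYNs of the sweep are forwarded because the composite signature has not yet seen enough distinct ports inside its event horizon; tuning the threshold or horizon is exactly the false-positive versus false-negative trade-off the chapter describes.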


Manage and Monitor IPS

Monitor Activity

Monitoring the security-related events on a network is also a crucial aspect of protecting a network from attack.


Manage and Monitor IPS

Monitoring Considerations


Manage and Monitor IPS

Monitor IPS Using CCP

GUI-based IPS device managers include:

Cisco Configuration Professional (CCP) - Allows administrators to control the application of Cisco IOS IPS on interfaces, import and edit signature definition files (SDFs) from cisco.com, and to configure the action that Cisco IOS IPS is to take if a threat is detected.

Cisco IPS Manager Express (IME) - An all-in-one IPS management application to provision, monitor, troubleshoot, and generate reports for up to 10 IPS sensors.

Cisco Security Manager - Can be used to manage multiple IPS sensors and other infrastructure devices. It supports automatic policy-based IPS sensor software and signature updates and includes a signature update wizard allowing easy review and editing prior to deployment.


Manage and Monitor IPS

Secure Device Event Exchange

IPS sensors and Cisco IOS IPS generate alarms when an enabled signature is triggered. These alarms are stored on the sensor and can be viewed locally, or through a management application, such as IPS Manager Express.

The Cisco IOS IPS feature can send a syslog message or an alarm in Secure Device Event Exchange (SDEE) format.

CCP can monitor syslog and SDEE-generated events and keep track of alarms that are common in SDEE system messages, including IPS signature alarms.
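To show what the syslog notification described above looks like to a monitoring script, here is an added example (not Cisco code) that parses constructed lines laid out like the IOS %IPS-4-SIGNATURE message; the addresses, signature numbers and risk ratings are made up, and the noisy-source threshold is an assumption for the example.

```python
"""Summarise Cisco IOS IPS syslog alarms (added example, not Cisco code).
The lines in SAMPLE_LOG are constructed in the layout of the %IPS-4-SIGNATURE
message that IOS IPS logs when `ip ips notify log` is enabled; the addresses,
signature numbers and risk ratings are made up for the example."""
import re
from collections import Counter
from typing import List, Optional

SAMPLE_LOG = """\
*Mar  1 00:14:02.115: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.50:8 -> 192.168.1.10:0] RiskRating:25
*Mar  1 00:14:02.118: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.50:8 -> 192.168.1.11:0] RiskRating:25
*Mar  1 00:14:05.330: %IPS-4-SIGNATURE: Sig:3002 Subsig:0 Sev:50 TCP SYN Port Sweep [10.1.1.50:0 -> 192.168.1.10:0] RiskRating:50
*Mar  1 00:15:11.002: %IPS-4-SIGNATURE: Sig:1107 Subsig:0 Sev:25 RFC1918 address [172.16.9.9:0 -> 192.168.1.10:0] RiskRating:25
*Mar  1 00:15:12.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.9.9.9)
*Mar  1 00:16:40.777: %IPS-4-SIGNATURE: Sig:3002 Subsig:0 Sev:50 TCP SYN Port Sweep [10.1.1.50:0 -> 192.168.1.12:0] RiskRating:50
"""

IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?:.*?RiskRating:(?P<risk>\d+))?"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the alarm fields of one syslog line, or None for non-IPS lines."""
    m = IPS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sig", "subsig", "sev", "sport", "dport"):
        d[k] = int(d[k])
    d["risk"] = int(d["risk"]) if d["risk"] else None  # RiskRating is optional
    return d


def summarize(log_text: str) -> dict:
    """Aggregate alarms by signature and by source address, as a console would."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_sig = Counter((e["sig"], e["name"]) for e in events)
    by_src = Counter(e["src"] for e in events)
    max_risk = max((e["risk"] or 0 for e in events), default=0)
    return {"events": len(events), "by_signature": dict(by_sig),
            "by_source": dict(by_src), "max_risk": max_risk}


def noisy_sources(summary: dict, min_events: int = 3) -> List[str]:
    """Sources that tripped at least `min_events` alarms: the first thing to look
    at when tuning (a real attacker, or an authorised scanner to exempt?)."""
    return sorted(s for s, n in summary["by_source"].items() if n >= min_events)
```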


Manage and Monitor IPS

IPS Configuration Best Practices

The need to upgrade sensors with the latest signature packs must be balanced with the momentary downtime during which the network becomes vulnerable to attack.

Update signature packs automatically.

Download new signatures to a secure server within the management network.

Place signature packs on a dedicated SFTP server within the management network.


Manage and Monitor IPS

IPS Configuration Best Practices Cont.

Configure the sensors to regularly check the SFTP server for new signature packs.

Keep the signature levels that are supported on the management console synchronized with the signature packs on the sensors.


IPS Global Correlation

Cisco Global Correlation

Cisco IPS includes a security feature called Cisco Global Correlation.

Cisco IPS devices receive regular threat updates from a centralized Cisco threat database called the Cisco SensorBase Network.

The Cisco SensorBase Network contains real-time, detailed information about known threats on the Internet.


IPS Global Correlation

Cisco SensorBase Network

When participating in global correlation, the Cisco SensorBase Network provides information to the IPS sensor about IP addresses with a reputation.

The sensor uses this information to determine which actions, if any, to perform when potentially harmful traffic is received from a host with a known reputation.


IPS Global Correlation

Cisco Security Intelligence Operation

The SensorBase Network is part of a larger, back-end security ecosystem, known as the Cisco Security Intelligence Operation (SIO).

Its purpose is to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected. 

Cisco SIO consists of three elements:

• Threat intelligence from the Cisco SensorBase Network.

• The Threat Operations Center is the combination of automated and human processing and analysis.

• The automated and best practices content that is pushed to network elements in the form of dynamic updates.


5.3 Implement IPS


Configure Cisco IOS IPS with CLI

Implement IOS IPS Files

To implement the Cisco IOS IPS:

Download the IOS IPS files.

Create an IOS IPS configuration directory in flash.

Configure an IOS IPS crypto key.

Enable IOS IPS (consists of several substeps).

Load the IOS IPS signature package to the router.


Configure Cisco IOS IPS with CLI

Download the IOS IPS Files

Cisco IOS release 12.4(10)T and earlier provided built-in signatures in the Cisco IOS software image and support for imported signatures.

With newer IOS versions, all signatures are stored in a separate signature file and must be imported.

Step 1. Download the IOS IPS signature package files and a public crypto key from cisco.com.

• IOS-Sxxx-CLI.pkg - The latest signature package

• realm-cisco.pub.key.txt - The public crypto key used by IOS IPS


Configure Cisco IOS IPS with CLI

Download the IOS IPS Files Cont.

Step 2. Create an IOS IPS configuration directory in flash.


Configure Cisco IOS IPS with CLI

Configure an IPS Crypto Key

The crypto key verifies the digital signature for the master signature file (sigdef-default.xml). The content of the file is signed by a Cisco private key to guarantee its authenticity and integrity.

Step 3. Configure an IOS IPS crypto key.

Highlight and copy the text in the public key file. Paste the copied text at the global configuration prompt.


Configure Cisco IOS IPS with CLI

Enable IOS IPS

Step 4. Enable IOS IPS.

a. Identify the IPS rule name and specify the location.

• Use the ip ips name [rule name] [optional ACL] command to create a rule name.

• An optional extended or standard ACL can be used to filter the traffic.

• Traffic that is denied by the ACL is not inspected by the IPS.

• Use the ip ips config location flash:directory-name command to configure the IPS signature storage location.

• Prior to IOS 12.4(11)T, the ip ips sdf location command was used.


Configure Cisco IOS IPS with CLI

Enable IOS IPS Cont.

Step 4. Enable IOS IPS.

b. Enable SDEE and logging event notification.

• The HTTP server must first be enabled with the ip http server command.

• SDEE notification must be explicitly enabled using the ip ips notify sdee command.

• IOS IPS also supports logging to send event notification.

• SDEE and logging can be used independently or simultaneously.

• Logging notification is enabled by default.

• Use the ip ips notify log command to enable logging.


Configure Cisco IOS IPS with CLI

Enable IOS IPS Cont.

Step 4. Enable IOS IPS.

c. Configure the signature category.

• All signatures are grouped into categories, and the categories are hierarchical.

• The three most common categories are all, basic, and advanced.


Configure Cisco IOS IPS with CLI

Enable IOS IPS Cont.

Step 4. Enable IOS IPS.

d. Apply the IPS rule to an interface, and specify direction.

Use the ip ips rule-name [in | out] interface configuration mode command to apply the IPS rule.


Configure Cisco IOS IPS with CLI

Load the IPS Signature Package in RAM

Step 5. Load the IOS IPS signature package to the router.

• Upload the signature package to the router using either FTP or TFTP.

• To copy the downloaded signature package from the FTP server to the router, use the idconf parameter at the end of the command.
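A check a practitioner can run against show running-config output once Steps 1 to 5 are done: an added example (not Cisco code) that audits a constructed running-config for the elements the steps create and for the dependencies noted above (SDEE needs the HTTP server; a rule must be applied to an interface). The sample configs, the directory name ipsdir and the rule names are constructed; the signature-category commands in the sample are IOS IPS syntax not shown on this page.

```python
"""Audit a Cisco IOS running-config for the IOS IPS elements configured in
Steps 1-5 (added example, not Cisco code). SAMPLE_CONFIG and BROKEN_CONFIG are
constructed; their commands are the ones named in this chapter plus the
signature-category commands (ip ips signature-category / category / retired),
which are IOS IPS syntax not shown on this page."""
import re
from typing import Any, Dict, List

SAMPLE_CONFIG = """\
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   ! <hex key material pasted from realm-cisco.pub.key.txt, omitted here>
  quit
!
ip ips config location flash:ipsdir
ip ips notify SDEE
ip ips notify log
ip ips name IOSIPS
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
ip http server
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip ips IOSIPS in
"""

# Same device with three mistakes: SDEE without the HTTP server, the rule
# applied under a name that was never created, and every category retired.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("ip http server\n", "") \
    .replace(" ip ips IOSIPS in", " ip ips MYIPS in") \
    .replace("  retired false", "  retired true")


def parse_ips_config(text: str) -> Dict[str, Any]:
    """Walk the config once, tracking the enclosing block (last unindented line)."""
    f: Dict[str, Any] = {"keys": set(), "location": None, "rules": set(),
                         "sdee": False, "http": False, "applied": {},
                         "active_categories": 0}
    block, category = "", None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):                      # global configuration line
            block = raw.strip()
            if m := re.match(r"ip ips config location (\S+)", block):
                f["location"] = m.group(1)
            elif m := re.match(r"ip ips name (\S+)", block):
                f["rules"].add(m.group(1))
            elif block.lower() == "ip ips notify sdee":
                f["sdee"] = True
            elif block in ("ip http server", "ip http secure-server"):
                f["http"] = True
            continue
        sub = raw.strip()                                # line inside a block
        if block == "crypto key pubkey-chain rsa":
            if m := re.match(r"named-key (\S+) signature", sub):
                f["keys"].add(m.group(1))
        elif block.startswith("interface "):
            if m := re.match(r"ip ips (\S+) (in|out)$", sub):
                f["applied"].setdefault(m.group(1), []).append((block.split()[1], m.group(2)))
        elif block == "ip ips signature-category":
            if sub.startswith("category "):
                category = sub
            elif sub == "retired false" and category:
                f["active_categories"] += 1
    return f


def audit(text: str) -> List[str]:
    """Return findings; an empty list means every step's element is present."""
    f = parse_ips_config(text)
    out: List[str] = []
    if "realm-cisco.pub" not in f["keys"]:
        out.append("Step 3: crypto key realm-cisco.pub missing, signature package cannot be verified")
    if not f["location"]:
        out.append("Step 4a: ip ips config location missing")
    if not f["rules"]:
        out.append("Step 4a: no ip ips name rule defined")
    if f["sdee"] and not f["http"]:
        out.append("Step 4b: ip ips notify sdee set but ip http server is not enabled")
    for rule in sorted(f["rules"] - set(f["applied"])):
        out.append(f"Step 4d: rule {rule} is defined but applied to no interface")
    for rule in sorted(set(f["applied"]) - f["rules"]):
        out.append(f"Step 4d: interface applies undefined rule {rule}")
    if f["active_categories"] == 0:
        out.append("Step 4c: every signature category is retired, nothing would be inspected")
    return out
```

Logging notification is on by default and so does not appear in the running-config, which is why the audit does not treat a missing ip ips notify log as a finding.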


Configure Cisco IOS IPS using CCP

Implement IOS IPS Using CCP

CCP needs a minimum Java memory heap size of 256 MB to support IOS IPS. Exit CCP and open the Windows Control Panel.

Click the Java option to open the Java Control Panel.

Select the Java tab and click View under the Java Applet Runtime Settings.

In the Java Runtime Parameter field, enter -Xmx256m, and click OK.


Configure Cisco IOS IPS using CCP

Implement IOS IPS Using CCP Cont.

CCP provides controls for applying Cisco IOS IPS on interfaces, importing and editing signature files from cisco.com, and configuring the action that Cisco IOS IPS takes if a threat is detected.


Configure Cisco IOS IPS using CCP

Launch the IPS Rule Wizard

Prior to configuring IPS with the Cisco Configuration Professional, download the latest IPS signature file and public key, if required, from cisco.com.

To launch the IPS Rule wizard:

1. On the CCP menu bar, click Configure > Security > Intrusion Prevention > Create IPS.

2. Click Launch IPS Rule Wizard.

3. Read the Welcome to the IPS Policies Wizard screen and click Next.

4. In the Select Interfaces window, select the interfaces to which to apply the IPS rule and the direction of traffic.


Configure Cisco IOS IPS using CCP

Configure the Crypto Key


Configure Cisco IOS IPS using CCP

Specify the Signature File


Configure Cisco IOS IPS using CCP

Complete the IOS IPS Wizard

Use the show running-config command to verify the IPS configuration generated by the CCP IPS wizard.


Modify Cisco IOS IPS Signatures

Retire and Unretire Signatures

The Cisco IOS CLI can be used to retire or unretire individual signatures or a group of signatures that belong to a signature category. 

Retire a Specific Signature

Unretire a Signature Category


Modify Cisco IOS IPS Signatures

Change Signature Actions

To change an action, the event-action command must be used in IPS Category Action mode or Signature Definition Engine mode.

Change Actions for a Signature

Change Actions for a Category
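The four operations from the two slides above (retire a signature, unretire a category, change actions for a signature, change actions for a category) as an added CLI example; this is not the slides' own configuration. Signature 1234 subsignature 0 is a placeholder ID, and ios_ips basic is used as the category.

```cisco
! Added example (not from the slides). Signature 1234 / subsig 0 is a
! placeholder; substitute the ID that appears in your own alerts.
configure terminal
!
! Retire one specific signature so it is no longer compiled or scanned.
ip ips signature-definition
 signature 1234 0
  status
   retired true
   exit
  exit
 exit
!
! Unretire a whole category. Because categories are hierarchical,
! every signature inside ios_ips basic becomes active.
ip ips signature-category
 category ios_ips basic
  retired false
  exit
 exit
!
! Change actions for one signature: Signature Definition Engine mode.
! Each event-action line adds one action; together they alert, drop the
! offending packet and reset the TCP session.
ip ips signature-definition
 signature 1234 0
  engine
   event-action produce-alert
   event-action deny-packet-inline
   event-action reset-tcp-connection
   exit
  exit
 exit
!
! Change actions for a category: IPS Category Action mode.
ip ips signature-category
 category ios_ips basic
  event-action produce-alert
  event-action deny-packet-inline
  exit
 exit
end
!
! Check the result: retired state and actions per signature.
show ip ips signatures
```

Exiting signature-definition or signature-category mode prompts to accept the changes; the router then recompiles the affected signatures, which takes noticeable CPU on small platforms. A practical tuning order is to run a new category with produce-alert only, review the alerts for false positives, and add the deny or reset actions afterwards; a deny action on a mis-tuned signature blocks legitimate traffic just as reliably as it blocks an attack.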


Modify Cisco IOS IPS Signatures

Edit Signatures


Modify Cisco IOS IPS Signatures

Tune a Signature


Modify Cisco IOS IPS Signatures

Access and Configure Signature Parameters


Modify Cisco IOS IPS Signatures

Access and Configure Signature Parameters Cont.


5.4 Verify and Monitor IPS


Verify Cisco IOS IPS

Verify IOS IPS

Several show commands can be used to verify the IOS IPS configuration.

The show ip ips privileged EXEC mode command can be used with other parameters to provide specific IPS information; for example:

• show ip ips all

• show ip ips configuration

• show ip ips interfaces

• show ip ips signatures


Verify Cisco IOS IPS

Verify IOS IPS Using CCP


Monitoring Cisco IOS IPS

Report IPS Alerts

Two methods to report IPS intrusion alerts:

• Security Device Event Exchange (SDEE): the sdee keyword sends messages in SDEE format.

• Cisco IOS logging via syslog: the log keyword sends messages in syslog format.

Cisco Configuration Professional


Monitoring Cisco IOS IPS

Enable SDEE

SDEE is the preferred method of reporting IPS activity.

SDEE uses HTTP and XML to provide a standardized approach.

Enable SDEE notification on an IOS IPS router using the ip ips notify sdee command.
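The reporting and verification slides above (the two notification methods, ip ips notify sdee, and the show ip ips commands) combined into one added example; it is not configuration from the slides. It assumes the iosips rule from the CLI steps is already applied, and the syslog host 10.1.1.2 is a placeholder.

```cisco
! Added example (not from the slides). Assumes the "iosips" rule is already
! applied to an interface; the syslog host address is a placeholder.
configure terminal
!
! SDEE: events are pulled over HTTP/XML by a client such as CCP, so the
! HTTP server must be running before SDEE notification does anything.
ip http server
ip ips notify sdee
! Hold up to 500 events in the SDEE buffer and allow one subscriber
! (the buffer lives in router memory and is lost on reload).
ip sdee events 500
ip sdee subscriptions 1
!
! Syslog: send the same alerts to a collector that keeps them after a
! reload. IOS IPS alerts are logged at severity 4 (%IPS-4-SIGNATURE),
! so a "warnings" trap level still forwards every alert.
ip ips notify log
logging host 10.1.1.2
logging trap warnings
end
!
! Verification, all in privileged EXEC mode:
! config location, notify methods, rule names and category settings
show ip ips configuration
! which interfaces carry the rule and in which direction
show ip ips interfaces
! signature table with retired/enabled state and actions
show ip ips signatures
! all of the above in one listing
show ip ips all
! packets scanned and alerts raised, per interface
show ip ips statistics
! events currently held in the SDEE buffer
show ip sdee events
```

Use both notification methods rather than choosing one: SDEE gives CCP a structured feed for live monitoring, while syslog is what reaches a central collector and survives the router's volatile event buffer. After applying this, raise a known benign test event or simply watch show ip ips statistics for a non-zero alert count to confirm the pipeline works end to end before relying on it.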


Monitoring Cisco IOS IPS

Monitor IOS IPS Using CCP


5.5 Summary


Chapter 5

Summary

• A network must be able to instantly recognize and mitigate worm and virus threats.

• A network-based IPS should be implemented inline to defend against fast-moving Internet worms and viruses.

• IPS signatures provide an IPS with a list of identified problems.

• The IPS signatures are configured to use various triggers and actions.

• Security staff must continuously monitor an IPS solution and tune signatures as necessary to ensure an adequate level of protection.
