
iscw.ios.ips.1.00


Implementing Secure Converged Wide Area Networks (ISCW)
Cisco IOS IPS
http://www.INE.com
Copyright © 2009 Internetwork Expert, Inc.

IDS Overview
• Intrusion Detection System
• Monitors traffic for malicious traffic
• Responds accordingly
  – Generate logs/alarms
  – Instruct managed device to block traffic
  – Reset TCP session
• Typically not in the traffic transit path
  – i.e. promiscuous
• Attack response time an issue

Typical IDS Design
[Figure: typical IDS design]

IPS Overview
• Intrusion Prevention System
• Same as IDS, but directly in the transit path
  – i.e. "inline"
• Allows more sophisticated attack responses and faster response times

Typical IPS Design
[Figure: typical IPS design]

Types of IDS/IPS
• Signature based
  – Checks traffic against known database of attacks
• Anomaly based
  – Discovers nominal network behavior and adapts to events outside the norm
• Policy based
  – Checks for events to breach preconfigured thresholds
  – e.g. TCP SYN attack

Types of IDS/IPS (cont.)
• Honeypots
  – Unprotected systems designed to collect attack patterns for further analysis
• Network based (NIPS)
  – IPS appliance in the network transit path
• Host based (HIPS)
  – IPS software on the end host

Cisco IPS Devices
• Hardware based
  – IPS 4200
  – Catalyst 6500
    • Intrusion Detection System Services Module (IDSM)
  – ASA 5500
    • Advanced Inspection and Prevention Security Services Module (AIP-SSM)
• Software based
  – IOS IPS

IOS IPS Overview
• Software based inline IPS solution
• Signature based
  – Includes built-in signatures
  – Downloadable Signature Definition Files (SDFs)

IOS IPS Event Actions
• Alarm
  – Syslog
  – Security Device Event Exchange (SDEE)
    • Uses HTTPS
• Drop
• Reset
• Block attacker inline
• Block connection inline

IOS IPS CLI Configuration
• Create IPS rule
• Apply rule to interface
• Retire all signatures
• Specify signature storage location in flash
  – Signature configuration not stored in NVRAM
• Install signatures public key
• Compile signatures
• Fail open or closed
• Signature tuning

IOS IPS Configuration Examples
[Figure: lab topology with routers R1 through R6]
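
The steps listed on the "IOS IPS CLI Configuration" slide, written out as an added configuration sketch that is not taken from the INE slides. It assumes an IOS release that uses the signature-category (version 5.x) signature format; the rule name IOSIPS, the directory flash:ips, the interface, signature 2004 0 and every value in angle brackets are assumptions or placeholders.

```ios
! Added example. Assumed names: rule IOSIPS, directory flash:ips,
! interface FastEthernet0/0, signature 2004 0; <...> are placeholders.
mkdir flash:ips
configure terminal
 ! Create the IPS rule and set the signature storage location in flash
 ip ips name IOSIPS
 ip ips config location flash:ips
 ! Alarm actions: syslog and SDEE (HTTPS server enabled for SDEE clients)
 ip ips notify log
 ip ips notify sdee
 ip http secure-server
 ! Retire all signatures, then un-retire only the basic category
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
  exit
 exit
 ! Fail closed: drop packets while the IPS engine is not ready
 ! (the default, fail open, forwards them uninspected)
 ip ips fail closed
 ! Install the signature public key
 crypto key pubkey-chain rsa
  named-key realm-cisco.pub signature
   key-string
    <KEY-STRING-PUBLISHED-BY-CISCO>
   quit
  exit
 exit
 ! Apply the rule to inbound traffic on the interface
 interface FastEthernet0/0
  ip ips IOSIPS in
 ! Signature tuning: alert and drop inline for one signature
 ip ips signature-definition
  signature 2004 0
   status
    enabled true
    retired false
   exit
   engine
    event-action produce-alert deny-packet-inline
   exit
  exit
 exit
end
! Compile signatures from the downloaded package, then check the result
copy tftp://<SERVER>/<SIGNATURE-PACKAGE>.pkg idconf
show ip ips signature count
```

Leaving signature-category and signature-definition mode prompts for confirmation before the changes are applied.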

Date posted: 17/04/2017, 08:25
