Cisco press intrusion prevention fundamentals jan 2006 ISBN 1587052393



Document information

Intrusion Prevention Fundamentals
By Earl Carter, Jonathan Hogue
Publisher: Cisco Press
Pub Date: January 18, 2006
Print ISBN-10: 1-58705-239-3
Print ISBN-13: 978-1-58705-239-2
Pages: 312

An introduction to network attack mitigation with IPS.

Intrusion Prevention Fundamentals offers an introduction and in-depth overview of Intrusion Prevention Systems (IPS) technology. Using real-world scenarios and practical case studies, this book walks you through the lifecycle of an IPS project, from needs definition to deployment considerations. Implementation examples help you learn how IPS works, so you can make decisions about how and when to use the technology and understand what "flavors" of IPS are available.

The book will answer questions like:

- Where did IPS come from? How has it evolved?
- How does IPS work? What components does it have?
- What security needs can IPS address?
- Does IPS work with other security products? What is the "big picture"?
- What are the best practices related to IPS?
- How is IPS deployed, and what should be considered prior to a deployment?

Whether you are evaluating IPS technologies or want to learn how to deploy and manage IPS in your network, this book is an invaluable resource for anyone who needs to know how IPS technology works, what problems it can or cannot solve, how it is deployed, and where it fits in the larger security marketplace.

- Understand the types, triggers, and actions of IPS signatures
- Deploy, configure, and monitor IPS activities and secure IPS communications
- Learn the capabilities, benefits, and limitations of host IPS
- Examine the inner workings of host IPS agents and management infrastructures
- Enhance your network security posture by deploying network IPS features
- Evaluate the various network IPS sensor types and management options
- Examine real-world host and network IPS deployment scenarios

This book is part of the Cisco Press® Fundamentals Series. Books in this series introduce networking professionals to new networking technologies, covering network topologies, example deployment concepts, protocols, and management techniques.

Includes a FREE 45-Day Online Edition.

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book

Part I: Intrusion Prevention Overview
  Chapter 1. Intrusion Prevention Overview
    Evolution of Computer Security Threats
    Evolution of Attack Mitigation
    IPS Capabilities
    Summary
  Chapter 2. Signatures and Actions
    Signature Types
    Signature Triggers
    Signature Actions
    Summary
  Chapter 3. Operational Tasks
    Deploying IPS Devices and Applications
    Configuring IPS Devices and Applications
    Monitoring IPS Activities
    Securing IPS Communications
    Summary
  Chapter 4. Security in Depth
    Defense-in-Depth Examples
    The Security Policy
    The Future of IPS
    Summary

Part II: Host Intrusion Prevention
  Chapter 5. Host Intrusion Prevention Overview
    Host Intrusion Prevention Capabilities
    Host Intrusion Prevention Benefits
    Host Intrusion Prevention Limitations
    Summary
    References in This Chapter
  Chapter 6. HIPS Components
    Endpoint Agents
    Management Infrastructure
    Summary

Part III: Network Intrusion Prevention
  Chapter 7. Network Intrusion Prevention Overview
    Network Intrusion Prevention Capabilities
    Network Intrusion Prevention Benefits
    Network Intrusion Prevention Limitations
    Hybrid IPS/IDS Systems
    Shared IDS/IPS Capabilities
    Summary
  Chapter 8. NIPS Components
    Sensor Capabilities
    Capturing Network Traffic
    Analyzing Network Traffic
    Responding to Network Traffic
    Sensor Management and Monitoring
    Summary

Part IV: Deployment Solutions
  Chapter 9. Cisco Security Agent Deployment
    Step 1: Understand the Product
    Step 2: Predeployment Planning
    Step 3: Implement Management
    Step 4: Pilot
    Step 5: Tuning
    Step 6: Full Deployment
    Step 7: Finalize the Project
    Summary
  Chapter 10. Deploying Cisco Network IPS
    Step 1: Understand the Product
    Step 2: Predeployment Planning
    Step 3: Sensor Deployment
    Step 4: Tuning
    Step 5: Finalize the Project
    Summary
  Chapter 11. Deployment Scenarios
    Large Enterprise
    Branch Office
    Medium Financial Enterprise
    Medium Educational Institution
    Small Office
    Home Office
    Summary

Part V: Appendix
  Appendix A. Sample Request for Information (RFI) Questions
    Solution
    Support
    Training
    Licensing
    Network Intrusion Prevention
    Host Intrusion Prevention

Glossary
Index

Copyright

Intrusion Prevention Fundamentals
Earl Carter and Jonathan Hogue
Copyright © 2006 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing January 2006
Library of Congress Cataloging-in-Publication Number: 2005922371

Warning and Disclaimer

This book is designed to provide an overview of intrusion prevention by examining Host-based Intrusion Prevention capabilities and Network-based Intrusion Prevention functionality. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside of the U.S., please contact: International Sales, 1-317-581-3793, international@pearsontechgroup.com.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments about how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: John Wait
Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Production Manager: Patrick Kanouse
Development Editor: Deadline Driven Publishing
Senior Project Editor: San Dee Phillips
Copy Editor: Kevin Kent
Technical Editors: Greg Abelar, Gary Halleen, Shawn Merdinger
Editorial Assistant: Raina Han
Book and Cover Designer: Louisa Adair
Composition: Mark Shirar
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands
www-europe.cisco.com, Tel: 31 0 20 357 1000, Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
www.cisco.com, Tel: 408 526-7660, Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc., Capital Tower, 168 Robinson Road #22-01 to #29-01, Singapore 068912
www.cisco.com, Tel: +65 6317 7777, Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick

Index (entries O through Z)

O
  Off mode (software bypass)
  On mode (software bypass)
  OOB (out-of-band) management communication, securing
  operating systems
    events
    kernel
  organizational units (CSA MC)
  OSI reference model
  OTPs (one-time passwords)

P
  parent processes
  passwords, OTPs
  pattern detection
  pattern matching, regular expressions
  pattern-based security policies
  PCs, zombies
  peer-to-peer networks
  permissive systems
  persistence process
    application execution
    file modification
    system configuration
  personal firewalls
  phases of deployment
    for CSA
      conducting pilot tests
      finalizing the project
      full deployment
      implementing management
      predeployment planning
      selection and classification of target hosts
      tuning
      understanding the product
    for IPS
      finalizing the project
      predeployment planning
      sensor deployment
      tuning
      understanding the product
  pilot test, conducting
  placing IPS sensors in network
  policy groups
    configuring
    secondary groups
  port security
  PortMapper
  predeployment planning phase of IPS deployment
  processing capacity as sensor selection criteria
  promiscuous mode sensor operation
    capturing network traffic
  protocol decodes
  Pull model (management console)
  Push model (management console)

R
  RBAC (role-based access control) matrix
  regular expressions
  regulatory compliance
  remote delivery mechanisms
  replacement login, example of
  required HIPS capabilities
  reset signature action
  resetting TCP connections
  responses to suspicious activity
    alerting actions
    blocking actions
    dropping actions
    logging actions
  restrictive systems
  reviewing corporate security policies
  RFI (Request for Information), sample questions
  rootkit
  RPC (Remote Procedure Call)
  RRs (risk ratings)
  RSPAN (Remote Switch Port Analyzer), capturing network traffic
  rule modules

S
  sample RFI questions
  sandbox
  scenarios for IPS deployment
    at branch offices
    at home office
    at large enterprises
    at medium educational institutions
    at medium financial enterprises
    at small offices
  secondary policy groups, configuring
  securing management communication
    device-to-device
    OOB
  security policies
    anomaly-based
    atomic
    rule-based
    behavioral
    pattern-based
  selecting
    location for IPS sensor placement
    management method
    NIPS management architecture
    sensors, criteria
      form factor
      interfaces
      processing capacity
  sensors
    alerts, risk ratings
    Cisco Catalyst 6500 series IDSM-2
    Cisco IDS Network Module
    Cisco IOS IPS sensors
    Cisco IPS 4200 series appliance sensors
    Cisco product availability
    configuring
    inline mode
    failure of functionality
    installing
    large deployments
    promiscuous mode
    selection criteria
      form factor
      interfaces
      processing capacity
    small deployments
  shared IPS/IDS capabilities
    alert generation
    initiating IP blocking
    IP logging
      logging attacker traffic
      logging traffic between attacker and victim
      logging victim traffic
    resetting TCP connections
  shims
  signature updates
  signatures
    alerts
    allow signature action
    atomic signatures
      host-based
      network-based
    block signature action
    cabling
    characteristics of
    drop signature action
    event horizon
    event responses
    log signature action
    reset signature action
    stateful
      host-based
      network-based
      with anomaly-based triggering mechanism
    triggering mechanisms
      anomaly-based detection
      behavior-based detection
      pattern detection
    tuning
  single packets, dropping
  single-server management model
  small IPS sensor deployments
  small office IPS deployment
    HIPS implementation
    limiting factors
    NIPS implementation
    security policy goals
  social engineering
  software bypass
  software updates
  source IP addresses
    dropping all packets from
    spoofing
  Spacefiller
  spam
  SPAN (Switch Port Analyzer), capturing network traffic
  spyware
  SQL Slammer worm
  stack memory
  standalone appliance sensors
  stateful operation method of network traffic analysis
  stateful signatures
    host-based
    network-based
  summary alerts
  suspicious activity, IPS response methods
    alerting actions
    blocking actions
    dropping actions
    logging actions
  switch ports, role in layered defense
  switches, capturing network traffic
  symbolic links
  system call interception
  system log analysis
  system state conditions

T
  TCP connections
    resetting
    three-way handshake
  TCP Reset interface
  TCP/IP
  threats to security, evolution of
    client-server computing
    Internet
    mobile computing
    wireless connectivity
  three-way handshake
  tiered management model
  traffic flows
  traffic mirroring
  traffic normalization
  triggers
    anomaly-based detection
    behavior-based detection
    pattern detection
  Trojan horses, rootkits
  true negatives
  true positives
  tuning phase of CSA deployment

U
  uRPF (unicast reverse path forwarding)
  user state conditions

V
  VACLs (VLAN access control lists), capturing network traffic
  virtual operating systems
  viruses
    CIH virus, characteristics of
    Loveletter virus, characteristics of
  vulnerabilities

W
  war-dialers
  wireless connectivity as security threat
  wireless network adapters
  worms
    Nimda, characteristics of
    SQL Slammer, characteristics of

Z
  zombies
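The index above lists the signature vocabulary the book works with (atomic versus stateful signatures, pattern-based triggers, the event horizon, the alert/drop/reset signature actions, true positives and true negatives) without showing how the pieces fit together on an inline sensor. The Python block below is an added illustration written for this page; it is not code from Intrusion Prevention Fundamentals or from any Cisco IPS product. The Packet model, the signature names and patterns, the thresholds, the IP addresses and the sample traffic are all constructed for the example.

```python
"""Toy inline network IPS signature engine: atomic and stateful pattern-based
signatures with an event horizon and alert / drop / reset actions.

Added illustration only: not code from Intrusion Prevention Fundamentals or
from any Cisco IPS product. Packet model, signature names, thresholds and
sample traffic are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Action severity on an inline sensor: a packet matching several signatures
# receives the most severe action any of them requests.
SEVERITY = {"allow": 0, "alert": 1, "drop": 2, "reset": 3}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes              # regex over the payload: a pattern-based trigger
    action: str                 # "alert", "drop" or "reset"
    dport: Optional[int] = None
    # threshold == 1: atomic signature, one packet decides.
    # threshold > 1: stateful signature, fires only after `threshold` matching
    # packets from one source inside the event horizon. The horizon is counted
    # in packets here; a real sensor uses a time window.
    threshold: int = 1
    horizon: int = 1


@dataclass
class Verdict:
    action: str = "allow"
    fired: List[str] = field(default_factory=list)


class Sensor:
    def __init__(self, signatures):
        self.sigs = [(s, re.compile(s.pattern, re.DOTALL)) for s in signatures]
        self.state = {}     # (signature name, src) -> sequence numbers of hits
        self.seq = 0
        self.events = []    # (signature name, src, dst, action): the alert log

    def inspect(self, pkt: Packet) -> Verdict:
        self.seq += 1
        verdict = Verdict()
        for sig, rx in self.sigs:
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            if rx.search(pkt.payload) is None:
                continue
            if sig.threshold > 1 and not self._stateful_hit(sig, pkt.src):
                continue
            action = sig.action
            # A TCP reset means nothing for UDP: downgrade to drop so the
            # packet is still blocked rather than silently allowed.
            if action == "reset" and pkt.proto != "tcp":
                action = "drop"
            verdict.fired.append(sig.name)
            self.events.append((sig.name, pkt.src, pkt.dst, action))
            if SEVERITY[action] > SEVERITY[verdict.action]:
                verdict.action = action
        return verdict

    def _stateful_hit(self, sig: Signature, src: str) -> bool:
        key = (sig.name, src)
        # Keep only earlier hits still inside the event horizon, add this one.
        hits = [n for n in self.state.get(key, []) if self.seq - n < sig.horizon]
        hits.append(self.seq)
        if len(hits) < sig.threshold:
            self.state[key] = hits
            return False
        self.state[key] = []    # fire once, then start a fresh window
        return True


# Constructed signatures (names and patterns invented for the example).
SIGNATURES = [
    # Atomic: one HTTP request carrying "../../" is dropped.
    Signature("http-dir-traversal", rb"\.\./\.\./", "drop", dport=80),
    # Atomic: Slammer-like UDP/1434 payload, 0x04 followed by a run of 0x01.
    # "reset" is deliberately wrong for UDP; the sensor downgrades it.
    Signature("slammer-like-udp-1434", rb"^\x04\x01{40,}", "reset", dport=1434),
    # Stateful: three FTP USER attempts from one source within ten packets
    # are reported as password guessing, alert only.
    Signature("ftp-user-guessing", rb"^USER ", "alert", dport=21, threshold=3, horizon=10),
    # Atomic on TCP: reset the connection that carries a command-execution probe.
    Signature("http-cmd-exec", rb"cmd\.exe|/bin/sh", "reset", dport=80),
]

# Constructed sample traffic: (packet, is_malicious) so outcomes can be scored.
ATTACKER, VICTIM = "198.51.100.7", "192.0.2.10"
SAMPLE: List[Tuple[Packet, bool]] = [
    (Packet("tcp", ATTACKER, VICTIM, 80, b"GET /index.html HTTP/1.1\r\n"), False),
    (Packet("tcp", ATTACKER, VICTIM, 80, b"GET /../../etc/passwd HTTP/1.1\r\n"), True),
    (Packet("udp", ATTACKER, VICTIM, 1434, b"\x04" + b"\x01" * 97 + b"\xdc\xc9"), True),
    (Packet("tcp", ATTACKER, VICTIM, 21, b"USER admin\r\n"), True),
    (Packet("tcp", ATTACKER, VICTIM, 21, b"USER root\r\n"), True),
    (Packet("tcp", ATTACKER, VICTIM, 21, b"USER backup\r\n"), True),
    (Packet("tcp", ATTACKER, VICTIM, 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.1\r\n"), True),
]


def run(sample=SAMPLE):
    """Return per-packet actions, true/false positive/negative counts, events.

    A packet counts as detected when at least one signature fired on it; the
    first two USER attempts are therefore false negatives by design, which is
    the price of a stateful threshold."""
    sensor = Sensor(SIGNATURES)
    actions, counts = [], {"tp": 0, "tn": 0, "fp": 0, "fn": 0}
    for pkt, malicious in sample:
        v = sensor.inspect(pkt)
        actions.append(v.action)
        detected = bool(v.fired)
        counts[("tp" if detected else "fn") if malicious else ("fp" if detected else "tn")] += 1
    return actions, counts, sensor.events


if __name__ == "__main__":
    acts, cnt, evts = run()
    print(acts, cnt, evts, sep="\n")
```

Two details are worth noticing when reading the output. The Slammer-like packet is logged with action "drop" although its signature asked for "reset", because a TCP reset cannot terminate a UDP exchange; a sensor that silently ignored the unusable action would let the packet through. The FTP signature only fires on the third USER attempt inside its horizon, so the first two attempts are scored as false negatives: a stateful trigger trades early misses for fewer alerts on a single stray login.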

Posted: 26/03/2019, 17:10
