This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS). It explains the underlying IDS and IPS technology embedded in the Cisco IOS IPS solutions. It describes the use of signatures, the need for IPS alarm monitoring, and the design considerations in deploying IPS.
Intrusion Prevention Systems
© 2012 Cisco and/or its affiliates. All rights reserved.

Contents
This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS):
• The fundamentals of intrusion prevention, comparing IDS and IPS
• The building blocks of IPS, introducing the underlying technologies and deployment options
• The use of signatures in intrusion prevention, highlighting the benefits and drawbacks
• The need for IPS alarm monitoring, evaluating the options for event managers
• Analyzing the design considerations in deploying IPS

IPS Fundamentals

Introducing IDS and IPS
• Targeted, mutating, stealth threats are increasingly difficult to detect
• Attackers have insidious motivations and exploit high-impact targets, often for financial benefit or economic and political reasons
• Attackers are taking advantage of new ways of communication

IDS:
• Analyzes copies of the traffic stream
• Does not slow network traffic
• Allows some malicious traffic into the network

IPS:
• Works inline in real time to monitor Layer through Layer traffic and content
• Needs to be able to handle network traffic

IDS and IPS Technologies
• IDS and IPS technologies share several characteristics:
• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
  – A router configured with Cisco IOS IPS Software
  – An appliance specifically designed to provide dedicated IDS or IPS services
  – A network module installed in a Cisco adaptive security appliance, switch, or router
• IDS and IPS technologies typically monitor for malicious activities in two spots:
  – Network:
  – Hosts:
• IDS and IPS technologies use signatures to detect patterns of misuse in network traffic
• IDS and IPS technologies look for the following general patterns of misuse:
Intrusion Detection System
• An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:
  – Reconnaissance attacks
  – Access attacks
  – Denial of Service attacks
• It is a passive device because it analyzes copies of the traffic stream
  – Only requires a promiscuous interface
  – Does not slow network traffic
  – Allows some malicious traffic into the network

Intrusion Prevention System
• It builds upon IDS technology to detect attacks
  – However, it can also immediately address the threat
• An IPS is an active device because all traffic must pass through it
  – Referred to as "inline mode", it works inline in real time to monitor Layer through Layer traffic and content
  – It can also stop single-packet attacks from reaching the target system (IDS cannot)

Comparing IDS and IPS Solutions

IDS (Promiscuous Mode)
• Advantages:
  – No impact on network (latency, jitter)
  – No network impact if there is a sensor failure or a sensor overload
• Disadvantages:
  – Response action cannot stop trigger packets
  – Correct tuning required for response actions
  – More vulnerable to network evasion techniques

IPS (Inline Mode)
• Advantages:
  – Stops trigger packets
  – Can use stream normalization techniques
• Disadvantages:
  – Some impact on network (latency, jitter)
  – Sensor failure or overloading impacts the network

So, IDS or IPS? Why Not Both?
• The IDS sensor in front of the firewall is deployed in promiscuous mode to monitor traffic in the untrusted network

Alarm Types
• False positive
• False negative
• True positive
• True negative

Making Sense of Alarm Types Terminology

Types of IDS and IPS Sensors

Step 3: Verify Configuration and Signature Files

Reviewing IPS Configuration and Interface Status

Reviewing IPS Signatures

Step 4: Perform Signature Tuning

Enable, Disable, Retire, or Unretire Signatures

Changing Action of Signatures

Step 5: Verify Alarms
• Total Signatures
• Total Enabled Signatures
• Total Retired Signatures
• Total Compiled Signatures

Monitoring IPS Signature Statistics from CCP

Monitoring IPS Alarms from CCP

IPS Signature Statistics Alert Color Coding

Configuring Cisco IOS IPS Using the CLI
Router(config)# ip ips name sdm_ips_rule
Router(config)# ip ips config location flash:/ips/retries
Router(config)# ip ips notify SDEE
Router(config)# interface FastEthernet0/0
Router(config-if)# ip ips sdm_ips_rule in

To configure the router to support the default basic signature set, use the ip ips signature-category command:
Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false

show ip ips configuration Command Output

System Log Messages
• %IPS-6-ENGINE_READY:SERVICE.HTTP - 183136 ms - packets for this engine will be scanned
• %IPS-5-PACKET_DROP:SERVICE.DNS - packets dropped while engine is building
• %IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 -> 192.168.121.255:137]

Cisco IOS IPS Features
• Profile-based intrusion detection
• Signature-based intrusion detection
• Protocol analysis–based intrusion detection
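The alarm-type terminology (true/false positive and negative) and the %IPS-4-SIGNATURE syslog format above come together when an operator verifies alarms (Step 5). The following added example, which is not part of the original slides or of Cisco IOS, parses the signature alerts out of a constructed syslog excerpt, counts hits per signature ID, and classifies the alerts against a constructed set of known-attack flows to produce true-positive, false-positive, false-negative and true-negative counts. The RFC1918 line is the page's own sample message; the ICMP line, the repeated line, the signature ID 2004 and the ground-truth flows are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed syslog excerpt in the Cisco IOS IPS format shown on the page.
# The RFC1918 line is the page's example; the others are made up for this demo.
SAMPLE_LOG = """\
%IPS-6-ENGINE_READY:SERVICE.HTTP - 183136 ms - packets for this engine will be scanned
%IPS-5-PACKET_DROP:SERVICE.DNS - packets dropped while engine is building
%IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 -> 192.168.121.255:137]
%IPS-4-SIGNATURE:Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.0.0.5:0 -> 10.0.0.1:0]
%IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 -> 192.168.121.255:137]
"""

# Matches only signature alarms; ENGINE_READY / PACKET_DROP are engine status messages.
SIG_RE = re.compile(
    r"%IPS-(?P<level>\d)-SIGNATURE:"
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) "
    r"\[(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\]"
)


@dataclass(frozen=True)
class SignatureAlert:
    sig_id: int
    subsig_id: int
    severity: int
    name: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_ips_log(text):
    """Return one SignatureAlert per %IPS-4-SIGNATURE line; other messages are skipped."""
    alerts = []
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if not m:
            continue
        alerts.append(SignatureAlert(
            int(m["sig"]), int(m["subsig"]), int(m["sev"]), m["name"],
            m["src_ip"], int(m["src_port"]), m["dst_ip"], int(m["dst_port"]),
        ))
    return alerts


def summarize_by_signature(alerts):
    """Count alarms per signature ID, the first thing to look at when tuning noisy signatures."""
    return Counter(a.sig_id for a in alerts)


def classify_alarms(alerts, known_attacks, benign_flows):
    """Map alarms onto the four alarm types.

    known_attacks: set of (src_ip, dst_ip) flows confirmed malicious (ground truth).
    benign_flows:  number of benign flows observed in the same window; needed because
                   true negatives are flows that correctly produced no alarm and cannot
                   be derived from the alarm log alone. Assumes at most one alarm per flow.
    """
    tp = fp = 0
    detected = set()
    for a in alerts:
        flow = (a.src_ip, a.dst_ip)
        if flow in known_attacks:
            tp += 1            # alarm on a real attack
            detected.add(flow)
        else:
            fp += 1            # alarm on benign traffic (tuning candidate)
    fn = len(known_attacks - detected)   # real attacks that raised no alarm
    tn = benign_flows - fp               # benign flows that raised no alarm
    return {"true_positive": tp, "false_positive": fp,
            "false_negative": fn, "true_negative": tn}


if __name__ == "__main__":
    alerts = parse_ips_log(SAMPLE_LOG)
    print(summarize_by_signature(alerts))
    # Constructed ground truth: two real attack flows, one of which the sensor missed.
    truth = {("10.0.0.5", "10.0.0.1"), ("10.0.0.9", "10.0.0.1")}
    print(classify_alarms(alerts, truth, benign_flows=10))
```

In practice the ground truth comes from incident follow-up, not from the sensor; the value of the classification is that a high false-positive count for one signature ID (here, the RFC1918 signature firing on local NetBIOS broadcasts) points directly at the signature to retire or re-tune in Step 4, while any false negative means a signature or action setting needs review.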
Risk-Based Intrusion Prevention
Using these considerations, risk ratings typically include several components: