Intrusion Prevention Systems
© 2012 Cisco and/or its affiliates. All rights reserved.

Contents
This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS):
• The fundamentals of intrusion prevention, comparing IDS and IPS
• The building blocks of IPS, introducing the underlying technologies and deployment options
• The use of signatures in intrusion prevention, highlighting the benefits and drawbacks
• The need for IPS alarm monitoring, evaluating the options for event managers
• Analyzing the design considerations in deploying IPS

IPS Fundamentals

Introducing IDS and IPS
• Targeted, mutating, stealth threats are increasingly difficult to detect
• Attackers have insidious motivations and exploit high-impact targets, often for financial benefit or economic and political reasons
• Attackers are taking advantage of new ways of communication

IDS:
• Analyzes copies of the traffic stream
• Does not slow network traffic
• Allows some malicious traffic into the network

IPS:
• Works inline in real time to monitor Layer through Layer traffic and content
• Needs to be able to handle network traffic
• Prevents malicious traffic from entering the network

IDS and IPS Technologies
• IDS and IPS technologies share several characteristics:
• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
  – A router configured with Cisco IOS IPS Software
  – An appliance specifically designed to provide dedicated IDS or IPS services
  – A network module installed in a Cisco adaptive security appliance, switch, or router
• IDS and IPS technologies typically monitor for malicious activities in two spots:
  – Network
  – Hosts
• IDS and IPS technologies use signatures to detect patterns of misuse in network traffic
• IDS and IPS technologies look for the following general patterns of misuse:
  – Atomic pattern
  – Composite pattern

Intrusion Detection System
• An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:
  – Reconnaissance attacks
  – Access attacks
  – Denial of Service attacks
• It is a passive device because it analyzes copies of the traffic stream
  – Only requires a promiscuous interface
  – Does not slow network traffic
  – Allows some malicious traffic into the network

Intrusion Prevention System
• It builds upon IDS technology to detect attacks
  – However, it can also immediately address the threat
• An IPS is an active device because all traffic must pass through it
  – Referred to as "inline mode", it works inline in real time to monitor Layer through Layer traffic and content
  – It can also stop single-packet attacks from reaching the target system (IDS cannot)

Comparing IDS and IPS Solutions

IDS (Promiscuous Mode)
  Advantages:
  • No impact on network (latency, jitter)
  • No network impact if there is a sensor failure or a sensor overload
  Disadvantages:
  • Response action cannot stop trigger packets
  • Correct tuning required for response actions
  • More vulnerable to network evasion techniques

IPS (Inline Mode)
  Advantages:
  • Stops trigger packets
  • Can use stream normalization techniques
  Disadvantages:
  • Some impact on network (latency, jitter)
  • Sensor failure or overloading impacts the network

So, IDS or IPS? Why Not Both?
• The IDS sensor in front of the firewall is deployed in promiscuous mode to monitor traffic in the untrusted network

Alarm Types
• False positive
• False negative
• True positive
• True negative

Making Sense of Alarm Types

Terminology

Types of IDS and IPS Sensors

Step 3: Verify Configuration and Signature Files

Reviewing IPS Configuration and Interface Status

Reviewing IPS Signatures

Step 4: Perform Signature Tuning

Enable, Disable, Retire, or Unretire Signatures

Changing Action of Signatures

Step 5: Verify Alarms
• Total Signatures
• Total Enabled Signatures
• Total Retired Signatures
• Total Compiled Signatures

Monitoring IPS Signature Statistics from CCP

Monitoring IPS Alarms from CCP

IPS Signature Statistics Alert Color Coding

Configuring Cisco IOS IPS Using the CLI

Router(config)# ip ips name sdm_ips_rule
Router(config)# ip ips config location flash:/ips/retries
Router(config)# ip ips notify SDEE
Router(config)# interface FastEthernet0/0
Router(config-if)# ip ips sdm_ips_rule in

To configure the router to support the default basic signature set, use the ip ips signature-category command:

Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false

show ip ips configuration Command Output

System Log Messages
• %IPS-6-ENGINE_READY:SERVICE.HTTP – 183136 ms - packets for this engine will be scanned
• %IPS-5-PACKET_DROP:SERVICE.DNS – packets dropped while engine is building
• %IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 ->192.168.121.255:137]

Cisco IOS IPS Features
• Profile-based intrusion detection
• Signature-based intrusion detection
• Protocol analysis–based intrusion detection
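The ENGINE_READY, PACKET_DROP and %IPS-4-SIGNATURE syslog lines above are what an event manager receives from Cisco IOS IPS. As an added example that is not part of the deck or any Cisco tool, this Python parser turns such lines into structured alerts, counts them per signature, and records engines that dropped packets while still compiling; the field layout is taken from the sample lines on the slide, and the sample log is constructed.

```python
import re
from collections import Counter
from typing import Optional

# Pattern for Cisco IOS IPS signature alerts, modelled on the %IPS-4-SIGNATURE
# syslog line shown on the slide (field order follows that sample).
SIGNATURE_RE = re.compile(
    r"%IPS-\d-SIGNATURE:Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<desc>.*?) \[(?P<src>[\d.]+):(?P<sport>\d+) ?-> ?(?P<dst>[\d.]+):(?P<dport>\d+)\]"
)
# Engine lifecycle messages (ENGINE_READY / PACKET_DROP) from the same slide.
ENGINE_RE = re.compile(r"%IPS-\d-(?P<event>ENGINE_READY|PACKET_DROP):(?P<engine>[A-Z.]+)")

INT_FIELDS = ("sig", "subsig", "sev", "sport", "dport")


def parse_signature(line: str) -> Optional[dict]:
    """Return a dict of the alert fields for a %IPS-*-SIGNATURE line, else None."""
    m = SIGNATURE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in INT_FIELDS:
        fields[key] = int(fields[key])
    return fields


def summarize(lines):
    """Count alerts per (sig, subsig) and record engines that dropped packets
    while still compiling: a window with no coverage that monitoring should note."""
    per_signature = Counter()
    dropped_while_building = set()
    for line in lines:
        alert = parse_signature(line)
        if alert:
            per_signature[(alert["sig"], alert["subsig"])] += 1
            continue
        m = ENGINE_RE.search(line)
        if m and m["event"] == "PACKET_DROP":
            dropped_while_building.add(m["engine"])
    return {"alerts": per_signature, "dropped_while_building": dropped_while_building}


# Constructed sample: the three messages from the slide, with the alert repeated once.
SAMPLE_LOG = [
    "%IPS-6-ENGINE_READY:SERVICE.HTTP - 183136 ms - packets for this engine will be scanned",
    "%IPS-5-PACKET_DROP:SERVICE.DNS - packets dropped while engine is building",
    "%IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 ->192.168.121.255:137]",
    "%IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 ->192.168.121.255:137]",
]
```

Feeding the router's syslog stream through summarize() gives the per-signature counts that the tuning step (enable, disable, retire) is based on, and the dropped_while_building set shows which engines were not yet protecting traffic after a signature reload.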