
Chapter 15: Cisco IPS/IDS Fundamentals

I. IPS Versus IDS


1. What Sensors Do
1. A sensor analyzes traffic against a set of rules to decide whether each packet or flow is benign or malicious.

2. Difference Between IPS and IDS

1. IPS = inline with the traffic: packets are sent through the IPS and are then forwarded or denied | adds a small amount of delay
2. IDS = copies of packets are forwarded to the IDS (promiscuous mode) | no added delay, because packets are not required to pass through the sensor first

Table 15-2 IDS Versus IPS

Position in the network flow
  IDS: Off to the side; the IDS is sent copies of the original packets
  IPS: Directly inline with the flow of network traffic; touches every packet on its way through the network

Also known as
  IDS: Promiscuous mode, out of band
  IPS: Inline mode

Latency or delay
  IDS: Does not add delay to the original traffic because it is not inline
  IPS: Adds a small amount of delay before forwarding traffic through the network

Impact caused by the sensor failing to forward packets
  IDS: There is no negative impact if the sensor goes down
  IPS: If the sensor goes down, traffic that would normally flow through the sensor could be impacted

Ability to prevent malicious traffic from going into the network
  IDS: By itself, a promiscuous-mode IDS cannot stop the original packet. Options do exist for a sensor in promiscuous mode to request assistance from another device that is inline, which may block future packets
  IPS: The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from another device to block future packets, just as an IDS does

Normalization ability
  IDS: Because the IDS sees only a copy of the original packet, it cannot manipulate the original inline traffic
  IPS: Because the IPS is inline, it can normalize (manipulate or modify) traffic inline based on a current set of rules

3. Sensor Platforms
1. A dedicated IPS appliance, such as the 4200 series
2. Software running on the router, in versions of IOS that support it
3. A module in an IOS router, such as the AIM-IPS or NME-IPS modules
4. A module on an ASA firewall, in the form of the AIP module for IPS
5. A blade that works in a 6500 series multilayer switch

4. True/False Negatives/Positives
5. Positive/Negative Terminology
1. False positive: detection of malicious traffic that really isn't malicious
2. False negative: no detection of real malicious traffic
3. True positive: accurate detection of malicious traffic
4. True negative: accurate approval of benign traffic

II. Identifying Malicious Traffic on the Network


1. Methods an IPS/IDS can use to identify traffic
a. Signature-based IPS/IDS
b. Policy-based IPS/IDS
c. Anomaly-based IPS/IDS
d. Reputation-based IPS/IDS

2. Signature-Based IPS/IDS
1. A set of rules looking for a specific pattern or characteristic in either a single packet or a stream of packets. Cisco provides the signatures. An example is a signature that looks for a specific variable in an HTTP request.
2. False positives can be tuned out, or alerts can be turned off; options include not alerting on traffic from or to specific IP addresses.

3. Policy-Based IPS/IDS
1. Creating a custom signature that enforces a policy; it could be as simple as watching for Telnet, and then generating an alert if the sensor is promiscuous or dropping the packet if it is inline.

4. Anomaly-Based IPS/IDS
1. On by default for the 4200 series appliances; creates a baseline, for example of half-formed (embryonic) TCP sessions, and you can set the limits and thresholds. Called Anomaly Detection, and it can also be used for worm identification.

5. Reputation-Based IPS/IDS
1. Can find out about attacks before they reach your network, from systems all over the planet, by having the IPS collect input from systems that are participating in global correlation.
a. Blocks
i. IP addresses
ii. URLs
iii. DNS domains, etc.
b. The global correlation service is managed by Cisco as a cloud service
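The anomaly-based method above (a learned baseline of half-open TCP sessions with a configurable limit, used to spot worm-like scanning) is easiest to understand with a worked example. The following is an added example written for these notes; it is not code from the page and not Cisco's Anomaly Detection implementation. The packet log, the 10-second interval, the k = 3 standard-deviation multiplier and the floor of 5 are all constructed assumptions.

```python
"""Anomaly detection on half-open (embryonic) TCP sessions.

Added example, not code from the page or from Cisco. Learns a per-interval
baseline of half-open connections from a constructed packet log, then flags
any later interval whose count exceeds the learned threshold (or a fixed
floor, standing in for the 'limit' an administrator sets).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample packets: (time_s, src_ip, dst_ip, dst_port, tcp_flags).
# Flags: "S" = SYN from client, "SA" = SYN/ACK from server, "A" = client ACK.
def _handshake(t, client, server, port):
    return [(t, client, server, port, "S"),
            (t + 0.01, server, client, port, "SA"),
            (t + 0.02, client, server, port, "A")]

def _half_open(t, client, server, port):
    return [(t, client, server, port, "S"),
            (t + 0.01, server, client, port, "SA")]

PACKETS = []
for i in range(5):                     # intervals 0-4: normal traffic
    base = i * 10
    for k in range(8):
        PACKETS += _handshake(base + k, f"10.1.0.{k + 1}", "192.0.2.10", 80)
    for k in range(i % 2 + 1):         # one or two stalled handshakes per interval
        PACKETS += _half_open(base + 5 + k, f"10.1.0.{k + 50}", "192.0.2.10", 80)
for k in range(40):                    # interval 5: one host scanning 40 targets on 445
    PACKETS += _half_open(50 + k * 0.1, "10.1.0.200", f"192.0.2.{k + 20}", 445)

def half_open_per_interval(packets, interval_s):
    """Per interval, count flows that sent a SYN but never completed the handshake.
    A flow is keyed by (client, server, port); handshakes that straddle an
    interval boundary are not tracked across it, which is fine for this demo."""
    flows = defaultdict(dict)          # interval index -> {flow: completed?}
    for t, src, dst, port, flags in packets:
        idx = int(t // interval_s)
        if flags == "S":
            flows[idx].setdefault((src, dst, port), False)
        elif flags == "A" and (src, dst, port) in flows[idx]:
            flows[idx][(src, dst, port)] = True
    return {idx: sum(1 for done in flows[idx].values() if not done)
            for idx in range(max(flows) + 1)}

def learn_baseline(counts, learning_intervals, k=3.0, floor=5):
    """Threshold = mean + k * stdev over the learning intervals, never below floor."""
    sample = [counts[i] for i in range(learning_intervals)]
    return max(mean(sample) + k * pstdev(sample), floor)

def detect(counts, threshold, start):
    """Intervals from start onward whose half-open count exceeds the threshold."""
    return [i for i in range(start, max(counts) + 1) if counts[i] > threshold]

if __name__ == "__main__":
    counts = half_open_per_interval(PACKETS, 10)
    thr = learn_baseline(counts, learning_intervals=5)
    print(counts, thr, detect(counts, thr, start=5))
```

The learning phase here sees between one and two half-open sessions per interval, so the statistical threshold comes out below 3 and the floor of 5 takes over; interval 5, with 40 stalled handshakes from one source, is the only one flagged. The floor is what protects a quiet network from alerting on a single extra retransmission, which is the false-positive risk Table 15-3 lists for anomaly-based detection; on a large, busy network the learning window has to be long enough to cover normal daily swings.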
Table 15-3 IPS/IDS Method Advantages and Disadvantages

Signature based
  Advantages: Easy to configure, simple to implement
  Disadvantages: Does not detect attacks outside of the rules. May need to disable signatures that are creating false positives. Signatures must be updated periodically to be current

Policy based
  Advantages: Simple and reliable, very customizable; only allows policy-based traffic, which could deny unknown attacks, because by default they are outside of the policy being allowed
  Disadvantages: Policy must be manually created. Implementation of the policy is only as good as the signatures you manually create

Anomaly based
  Advantages: Self-configuring baselines; detects worms based on anomalies, even if specific signatures have not been created yet for that type of traffic
  Disadvantages: Difficult to accurately profile extremely large networks. May cause false positives based on significant changes in valid network traffic

Reputation based
  Advantages: Leverages enterprise and global correlation, providing information based on the experience of other systems. Early-warning system
  Disadvantages: Requires timely updates, and requires participation in the correlation process

6. When Sensors Detect Malicious Traffic

Table 15-4 Possible Sensor Responses to Detected Attacks

Deny attacker inline
  Available only if the sensor is configured as an IPS. This action denies packets from the source IP address of the attacker for a configurable duration of time, after which the deny action can be dynamically removed.

Deny connection inline
  Available only if the sensor is configured as an IPS. This action terminates the packet that triggered the action, and future packets on the same TCP flow. The attacker could open a new TCP session (using different port numbers), which could still be permitted through the inline IPS.

Deny packet inline
  Available only if the sensor is configured as an IPS. All the deny options apply only to IPS mode. Deny packet terminates the packet that triggered the alert.

Log attacker packets
  This action begins to log future packets based on the attacker's source IP address. This is usually done for a short duration, such as 30 seconds, after the initial alert. Log files are stored in a format that is readable by most protocol analyzers.

Log victim packets
  This logging action begins to log all IP packets that have a destination IP address of the victim (the destination address of the packet or packets that triggered the alert).

Log pair packets
  This logging action begins to log IP packets whose source address matches the source IP address that triggered the alert and whose destination address matches the destination address of the packet that triggered the alert. In essence, it logs future packets between the attacker and the victim (the attacked device's address).

Produce alert
  An alert is the basic mechanism used by the IDS/IPS to identify that an event has occurred, such as a signature match indicating malicious traffic. This is the default behavior for most signatures.

Produce verbose alert
  Produce verbose alert has the same behavior as produce alert, with the added bonus that it includes a copy of the entire packet that triggered the alert. If both produce alert and produce verbose alert are enabled, the sensor still generates only a single alert, and it includes a copy of the triggering packet.

Request block connection
  A sensor can ask for help to block the attacker's traffic at some point in the network. The device that the sensor connects to in order to implement the blocking is called a blocking device, and it could be an IOS router, a switch that supports VLAN access control lists (VACL), or an ASA. This action causes the sensor to request that a blocking device block based on the source IP address of the attacker, the destination IP address of the victim, and the ports involved in the packet that triggered the alert. The difference between this option and the one that follows is that request block connection leaves the attacker an opportunity to send traffic on different ports or to different destination IPs, and still allows connectivity for new sessions.

Request block host
  This causes the sensor to request that its blocking devices (see the preceding entry) implement blocks based on the source IP address of the attacker, regardless of the ports in use or the destination IP addresses of future packets.

Request SNMP trap
  This generates an SNMP trap message that is sent to the configured SNMP management address.

Reset TCP connection
  This causes the sensor to send a proxy TCP reset to the attacker, with the intention of fooling the attacker into believing that the victim sent the TCP reset. This action has an effect only on TCP-based traffic.

7. Controlling Which Actions the Sensors Should Take

1. The IPS/IDS can take action and apply appropriate countermeasures based on a risk rating (RR), which is a value up to 100
2. Three main factors go into the risk rating calculation
a. Accuracy of the signature (how likely it is to make a mistake)
i. Signature Fidelity Rating (SFR) | considered a property of the signature
b. Attack Severity Rating (ASR) of the signature
i. Property of the signature
c. Target Value Rating (TVR) (custom)
i. To set this, you tell the sensor which of your destination IP addresses or subnets are the most critical
Table 15-5 Risk Rating (RR) Calculation Factors

Target value rating (TVR)
  The value that you as an administrator have assigned to specific destination IP addresses or subnets where the critical servers/devices live

Signature fidelity rating (SFR)
  The accuracy of the signature, as determined by the person who created that signature

Attack severity rating (ASR)
  How critical the attack is, as determined by the person who created that signature

Attack relevancy (AR)
  This is a minor contributor to the risk rating. A signature match that is destined to a host where the attack is relevant, such as a Windows server-based attack going to the destination address of a known Windows server, is considered a relevant attack, and the risk rating increases slightly as a result

Global correlation
  If the sensor is participating in global correlation and receives information about specific source addresses that are being used to implement large-scale attacks, attacks coming from those source IP addresses are also given a slightly increased risk rating value

8. Implementing Actions Based on the Risk Rating

1. You can configure actions per signature, but it makes more sense to configure actions based on the risk rating, or on a range of risk ratings; for example, 90 to 100 gets the most severe countermeasures.
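Sections 7 and 8 describe the risk rating only in terms of its inputs and ranges. The following added example (written for these notes, not code from the page or from Cisco) computes an RR from the factors in Table 15-5 and then picks the Table 15-4 responses from a risk-rating range instead of per signature. The page gives no formula; the one used here, RR = (ASR x TVR x SFR) / 10000 + AR - PD + WLR, and the numeric TVR weights are the ones Cisco documents for its IPS sensors, but treat them as assumptions of this example. The RR-to-action ranges are an assumed policy.

```python
"""Risk rating (RR) calculation and risk-based event actions.

Added example for these notes; not code from the page or from Cisco.
ASR and SFR are the 0..100 signature properties, TVR is the administrator's
per-target value, AR is attack relevance, PD is the promiscuous delta
(an IDS cannot be as sure as an inline sensor), WLR is the global-correlation
watch-list bump. Formula and weights are assumed, as stated in the lead-in.
"""

# TVR weights (assumed): the named value an admin picks per target network.
TVR_WEIGHTS = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
# Attack relevance contribution (assumed): relevant +10, unknown 0, not relevant -10.
AR_WEIGHTS = {"relevant": 10, "unknown": 0, "not-relevant": -10}

def risk_rating(asr, sfr, tvr, relevance="unknown", promiscuous_delta=0, watch_list=0):
    """RR = (ASR * TVR * SFR) / 10000 + AR - PD + WLR, clamped to 0..100."""
    for name, val in (("asr", asr), ("sfr", sfr), ("watch_list", watch_list)):
        if not 0 <= val <= 100:
            raise ValueError(f"{name} must be in 0..100, got {val}")
    rr = (asr * TVR_WEIGHTS[tvr] * sfr) / 10000
    rr += AR_WEIGHTS[relevance] - promiscuous_delta + watch_list
    return max(0, min(100, int(round(rr))))

# Event action overrides by RR range (inclusive). Action names are the
# responses from Table 15-4; the ranges themselves are an assumed policy.
ACTION_OVERRIDES = [
    (90, 100, ["deny-attacker-inline", "produce-alert", "request-snmp-trap"]),
    (70, 89,  ["deny-packet-inline", "produce-verbose-alert"]),
    (40, 69,  ["produce-alert", "log-pair-packets"]),
]
DEFAULT_ACTIONS = ["produce-alert"]    # the page: the default for most signatures

def actions_for(rr, inline=True):
    """Responses for a given RR. Deny actions exist only on an inline sensor;
    a promiscuous IDS is left with the alert/log actions of the same range."""
    for lo, hi, acts in ACTION_OVERRIDES:
        if lo <= rr <= hi:
            if inline:
                return list(acts)
            return [a for a in acts if not a.startswith("deny-")] or list(DEFAULT_ACTIONS)
    return list(DEFAULT_ACTIONS)

if __name__ == "__main__":
    # Same signature (ASR 80, SFR 90) against a medium-value and a mission-critical target.
    for tvr in ("medium", "mission-critical"):
        rr = risk_rating(80, 90, tvr, relevance="relevant")
        print(tvr, rr, actions_for(rr), actions_for(rr, inline=False))
```

The point the notes make in section 8 shows up directly: the same signature match scores 82 against a medium-value target but saturates at 100 against a mission-critical one, so the response escalates from dropping the packet to denying the attacker without anyone editing the signature. Running the same sensor in promiscuous mode with a promiscuous delta of 5 and no relevance information pulls the first case down to 67, where only alerting and logging remain, which is consistent with Table 15-2: an IDS cannot drop anything on its own.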

9. IPv6 and IPS

10. Circumventing an IPS/IDS

Table 15-6 IPS/IDS Evasion Techniques

Traffic fragmentation
  Evasion: The attacker splits malicious traffic into multiple parts with the intent that any detection system will not see the attack for what it really is
  Cisco anti-evasion: Complete session reassembly so that the IPS/IDS can see the big picture

Traffic substitution and insertion
  Evasion: The attacker substitutes characters in the data using different formats that have the same final meaning. An example is Unicode strings, which an end station could interpret but perhaps a lesser IPS/IDS might not
  Cisco anti-evasion: Data normalization and deobfuscation techniques. Cisco's implementation looks for Unicode, case sensitivity, substitution of spaces with tabs, and other similar anti-evasion techniques

Protocol level misinterpretation
  Evasion: An attacker may attempt to cause a sensor to misinterpret the end-to-end meaning of a network protocol, and so perhaps not catch an attack in progress
  Cisco anti-evasion: IP Time-To-Live (TTL) analysis, TCP checksum validation

Timing attacks
  Evasion: Sending packets at a rate low enough so as not to trigger a signature (for example, a flood signature that triggers at 1000 packets per second, and the attacker sending packets at 900 packets per second)
  Cisco anti-evasion: Configurable intervals and use of third-party correlation

Encryption and tunneling
  Evasion: Encrypted payloads are called encrypted for a reason. If an IPS/IDS sees only encrypted traffic, the attacker can build a Secure Sockets Layer (SSL) or IPsec session between himself and the victim and then send private data over that virtual private network (VPN)
  Cisco anti-evasion: If traffic is encrypted and passing through the sensor as encrypted data, the encrypted payload cannot be inspected. For generic routing encapsulation (GRE) tunnels, there is support for inspection if the data is not encrypted

Resource exhaustion
  Evasion: If thousands of alerts are being generated by distractor attacks, an attacker may just be trying to disguise the single attack that they are really trying to accomplish. The resource exhaustion could be overwhelming the sensor and overwhelming the administration team that has to view the events
  Cisco anti-evasion: Dynamic and configurable event summarization. Here is an example: 20,000 devices are all under the control of the attacker. All those devices begin to send the same attack. The sensor summarizes those by showing a few of the attacks as alerts, and then summaries at regular intervals that indicate the attack is still in play and how many thousands of times it occurred over the last interval. This is much better than trying to wade through thousands of individual alerts
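The first two rows of Table 15-6 (fragmentation and substitution) are the ones a sensor can defeat purely in software, and the following added example shows how. It is written for these notes and is not code from the page or from Cisco: one traversal signature is run per packet, over the reassembled stream, and over the reassembled and normalized stream, against constructed HTTP requests. The signature, the normalization steps and the sample segments are assumptions of the example.

```python
"""Why session reassembly and normalization matter to a sensor.

Added example, not code from the page or from Cisco. A single traversal
signature is run three ways: per packet (no reassembly), over the reassembled
stream, and over the reassembled and normalized stream. All requests are
constructed samples; the signature and the normalization steps are assumptions.
"""
import re
from urllib.parse import unquote

SIGNATURE = re.compile(rb"\.\./")      # assumed signature: "../" in the request

def normalize(data: bytes) -> bytes:
    """Undo common substitutions before matching: percent-encoding (%2e%2e%2f),
    backslash for slash, tabs for spaces, and upper/lower case."""
    text = unquote(data.decode("latin-1"), encoding="latin-1")
    text = text.replace("\\", "/").replace("\t", " ").lower()
    return text.encode("latin-1")

def reassemble(segments):
    """Order TCP segments by sequence number and join them. Overlapping or
    duplicate segments are not resolved here; a real sensor also needs the
    TTL and checksum checks from Table 15-6 to know which copy the host keeps."""
    return b"".join(payload for _, payload in sorted(segments))

def per_packet_match(segments):
    """Naive sensor: inspects each segment on its own."""
    return any(SIGNATURE.search(payload) for _, payload in segments)

def stream_match(segments, normalise=True):
    """Sensor with reassembly, optionally with normalization as well."""
    stream = reassemble(segments)
    if normalise:
        stream = normalize(stream)
    return SIGNATURE.search(stream) is not None

# Constructed request, split so that "../" never sits inside one segment,
# and delivered out of order. Tuples are (tcp_seq, payload).
REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
FRAGMENTED = [(17, b"./etc/passwd HTTP/1.0\r\n\r\n"),
              (0, b"GET /cgi-bin/."),
              (14, b"./.")]
# Same attack using percent-encoding and a backslash separator, in one segment.
SUBSTITUTED = [(0, b"GET /cgi-bin/%2e%2e%2f..%5cetc/passwd HTTP/1.0\r\n\r\n")]
BENIGN = [(0, b"GET /index.html HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    for name, segs in (("fragmented", FRAGMENTED), ("substituted", SUBSTITUTED), ("benign", BENIGN)):
        print(name, per_packet_match(segs), stream_match(segs, normalise=False), stream_match(segs))
```

Per-packet inspection misses both attacks; reassembly alone catches the fragmented one; only reassembly plus normalization catches the encoded one, while the benign request matches nowhere. The normalization has to mirror what the end station will do with the bytes (the web server decodes %2e and, on Windows, treats a backslash as a separator), which is why the table describes it as looking for the substitutions a target would accept. The third row, protocol-level misinterpretation, is the case this code does not cover: two segments with the same sequence number but different payloads, where the sensor must work out from TTL or checksum which one actually reached the host.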

III. Managing Signatures

1. Signatures are governed by micro-engines. Signatures of the same category belong to the same micro-engine. Micro-engines are further subdivided to organize the signatures. Signatures within a micro-engine are compared simultaneously.

Table 15-7 Micro-Engines (Groupings of Signatures) (Only a subset of Micro-Engines)

Atomic
  Signatures that can match on a single packet, as compared to a string of packets

Service
  Signatures that examine application layer services, regardless of the operating system

String or multistring
  Supports flexible pattern matching, and can match in a single packet or a group of packets, such as a session

Other
  Miscellaneous signatures that may not specifically fit into other categories

2. Signature or Severity Levels

1. Attack Severity Rating (ASR) is part of the signature's properties
a. 0 to 100
2. Signature Fidelity Rating (SFR) is also part of the signature's properties
a. 0 to 100
3. Instead of having to set a numeric value for the severity, the IPS/IDS interface prompts for one of four levels: informational, low, medium, or high. The higher the severity, the greater the number in the background that goes into the calculation of this factor in the risk rating
4. All ratings, including the properties of the signature, can be modified

IV. Monitoring and Managing Alarms and Alerts

1. Use a monitoring system to see alerts in color-coded formats, or go to the database of stored alerts and extract/analyze them
2. Three main protocols for delivering alerts
a. Security Device Event Exchange (SDEE)
i. Most secure method
ii. IPS Manager Express (IME): up to 10 sensors simultaneously
iii. Cisco Security Manager (CSM): up to 25 sensors
b. Syslog
c. SNMP
d. Can use a subset, or all, of these protocols

2. Security Intelligence
1. The longer the sensor is operational, the smarter it gets
a. The more sensors there are, the better the information about the attacks that are going on
2. A single sensor gives local network intelligence
3. Multiple sensors give enterprise intelligence
4. Multiple sensors worldwide give global intelligence (participation in global correlation)
5. Cisco offers the Security Intelligence Operations (SIO) service, which provides global threat information, reputation-based services, and sophisticated analysis so that Cisco security devices can better protect the networks they serve.

3. IPS/IDS Best Practices


1. Implement an IPS so that you can analyze traffic going to your critical servers and
other mission-critical devices
2. If you cannot afford dedicated appliances, use modules or IOS software-based
IPS/IDS. Appliances have better performance than modules, and modules have
better performance than adding on the feature to existing IOS routers in software
only
3. Take advantage of global correlation to improve your resistance against attacks that
may be moving toward your organization, and use correlation internally across all
your sensors to get the best visibility of the network attacks that are being attempted
4. Use a risk-based approach, where countermeasures occur based on the calculated
risk rating as opposed to manually assigning countermeasures to individual
signatures
5. Use automated signature updates when possible instead of manually installing
updates; this will assist in keeping the signatures current
6. Continue to tune the IPS/IDS infrastructure as traffic flows and network devices and
topologies change. IPS tuning is mostly done on a brand-new implementation, but is
never truly 100 percent complete

V. Do I Know This Already? Quiz

Table 15-1 Do I Know This Already? Section-to-Question Mapping
Foundation Topics Section                        Questions
IPS Versus IDS                                   1-3
Identifying Malicious Traffic on the Network     4-6
Managing Signatures                              7-8
Monitoring and Managing Alarms and Alerts        9-10

1. Which method should you implement when it is not acceptable for an attack to reach
its intended victim?
a. IDS
b. IPS
c. Out of band
d. Hardware appliance
2. A company has hired you to determine whether attacks are happening against the
server farm, and they do not want any additional delay added to the network. Which
deployment method should be used?
a. Appliance based inline
b. IOS software based inline
c. Appliance based IPS
d. IDS
3. Why does IPS have the ability to prevent an ICMP-based attack from reaching the
intended victim?
a. Policy-based routing
b. TCP resets are used
c. The IPS is inline with the traffic
d. The IPS is in promiscuous mode
4. Which method of IPS uses a baseline of normal network behavior and looks for
deviations from that baseline?
a. Reputation-based IPS
b. Policy-based IPS
c. Signature-based IPS
d. Anomaly-based IPS

5. Which type of implementation requires custom signatures to be created by the
administrator?
a. Reputation-based IPS
b. Policy-based IPS
c. Engine-based IPS
d. Anomaly-based IPS
6. Which method requires participation in global correlation involving groups outside
your own enterprise?
a. Reputation-based IPS
b. Policy-based IPS
c. Signature-based IPS
d. Anomaly-based IPS
7. Which of the micro-engines contains signatures that can only match on a single
packet, as opposed to a flow of packets?
a. Atomic
b. String
c. Flood
d. Other
8. Which of the following are properties directly associated with a signature? (Choose
all that apply.)
a. ASR
b. SFR
c. TVR
d. RR
9. Which of the following is not a best practice?
a. Assign aggressive IPS responses to specific signatures
b. Assign aggressive IPS responses based on the resulting risk rating generated by
the attack
c. Tune the IPS and revisit the tuning process periodically
d. Use correlation within the enterprise and globally, for an improved security
posture
10. What is the name of Cisco's cloud-based service for IPS correlation?
a. SIO
b. EBAY
c. ISO
d. OSI

VI. Review All the Key Topics

Table 15-8 Key Topics
Key Topic Element   Description                                          Page Number
Table 15-2          IDS versus IPS                                       375
Text                Sensor platforms                                     376
List                Positive/negative terminology                        377
List                The core methods for matching malicious traffic      377
Table 15-3          IPS methods advantages and disadvantages             379
Table 15-5          Risk rating calculation factors                      381
Table 15-6          IPS evasion technologies                             383
Table 15-7          Micro-engines (groupings of signatures)              384
List                IPS/IDS best practices                               386

VII. Complete the Tables and Lists from Memory

Table 15-2 General Functions Available in the Cisco VPN Client

Connection types supported
  Internet-attached Ethernet, async serial PPP

Protocol support
  IP/IPsec

User authentication methods available
  RADIUS, TACACS+, RSA SecurID, VPN Server local authentication, PKI, Smart Cards, Microsoft Active Directory

General features
  On-line help, event logging, NAT Transparency, optional MTU size setting, support for dynamic Domain Name System (DNS), virtual adapter, VPN client application programming interface (API), and so on

Firewall
  Support for firewalls, centralized protection policy, stateful firewall, Internet Control Message Protocol (ICMP) permission

IPsec
  ISAKMP, IKE keepalives, split tunneling, split DNS support, LZS data compression, single SA

Troubleshooting
  Multiple logging levels available for local event and connection logging

Table 15-4 Cisco VPN Client Supported IPsec Attributes

Main and Aggressive mode
  Available IKE Phase 1 methods

Authentication algorithms
  HMAC MD5, HMAC SHA-1

Peer authentication modes
  Pre-shared keys, mutual group authentication, X.509 digital certificates

Diffie-Hellman groups
  Group 1 (768-bit prime modulus), Group 2 (1024-bit prime modulus), Group 5 (1536-bit prime modulus)

X-Auth
  Support for IKE user authentication (optional IKE Phase 1.5)

Tunnel encapsulation modes
  IPsec over UDP, IPsec over TCP, NAT-T (IPsec over UDP/4500)

Table 15-2 IDS Versus IPS (see section I)

Table 15-3 IPS/IDS Method Advantages and Disadvantages (see section II)

Table 15-5 Risk Rating (RR) Calculation Factors (see section II)

Table 15-6 IPS/IDS Evasion Techniques (see section II)

Table 15-7 Micro-Engines (Groupings of Signatures) (see section III)

VIII. Define Key Terms

1. IPS
2. IDS
3. risk rating
4. attack severity rating
5. target value rating
6. signature fidelity rating
