IDS compared with IPS (reconstructed from the flattened table)
Position in the network flow
  IDS: Off to the side; the IDS is sent copies of the original packet, and the original continues on its way untouched.
  IPS: Inline, in the path of the traffic; every packet passes through the sensor.
Also known as
  IDS: Promiscuous mode
  IPS: Inline mode
Latency or delay
  IDS: None added to the original traffic, because the sensor only examines a copy.
  IPS: Some delay added, because each packet is inspected before it is forwarded.
Ability to prevent malicious traffic from going into the network
  IDS: By itself, a promiscuous mode IDS cannot stop the original packet. Options do exist for a sensor in promiscuous mode to request assistance from another device that is inline, which may block future packets.
  IPS: Can drop the triggering packet, and the rest of the flow, before it reaches the victim.
Normalization ability
  IDS: Because the IDS sees only a copy of the original packet, it cannot manipulate any of the original inline traffic.
  IPS: Because the IPS is inline, it can normalize (manipulate or modify) traffic inline based on the current set of rules.
3. Sensor Platforms
4. True/False Negatives/Positives
5. Positive/Negative Terminology
  1. True positive: the sensor alerts, and the traffic really was an attack.
  2. True negative: the sensor stays quiet, and the traffic really was benign.
  3. False positive: the sensor alerts on benign traffic; this is the noise that has to be tuned out.
  4. False negative: an attack passes without an alert; this is the dangerous case, because the attack reaches the victim unnoticed.
2. Signature-Based IPS/IDS
  1. A set of rules looking for a specific pattern or characteristic in either a single packet or a stream of packets. Cisco provides and maintains the signatures. An example is a signature that looks for a particular variable in an HTTP request.
  2. False positives can be tuned out, or the alert can be turned off for that signature; the tuning options include suppressing the alert for particular IP addresses, for instance.
3. Policy-Based IPS/IDS
  1. Creating a custom signature that encodes the site's own policy; it could be as simple as watching for Telnet and then creating an alert if the sensor is in promiscuous mode, or dropping the packet if it is inline.
4. Anomaly-Based IPS/IDS
  1. On by default for the 4200 series appliances. The sensor learns a baseline of normal behavior, for example the usual number of half-open (embryonic) TCP sessions, and alerts on deviations from it; the limits and thresholds are configurable. Cisco calls this Anomaly Detection, and because a scanning worm produces a burst of half-open connections to many hosts, it can also be used for worm identification.
5. Reputation-Based IPS/IDS
  1. The sensor can learn about attack sources before they hit the local network, from systems all over the planet, by collecting input from sensors that participate in global correlation.
    a. Blocks (or raises the risk rating of traffic from) known-bad:
      a. IP addresses
      b. URLs
      c. DNS domains, and so on
    b. The global correlation service is managed by Cisco as a cloud service.
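The baseline-and-threshold idea behind Anomaly Detection, as an added example (this is not Cisco code and not the sensor's actual algorithm): a learning period establishes how many half-open TCP sessions each source normally leaves per time bucket, then a source that deviates is reported together with the port and the number of distinct unanswered destinations, which is the worm/scan pattern the notes mention. The flow records, the host addresses, the learning window and the mean plus k times standard deviation threshold are constructed assumptions.

```python
"""Anomaly-based detection of half-open TCP sessions.

Added example, not Cisco code. Learn a per-source baseline of unanswered
SYNs (half-open / embryonic sessions), then alert on sources that deviate.
The flow records, the learning window and the mean + k*stddev threshold
are constructed assumptions for this demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (bucket, src, dst, dport, completed)
# completed=False means the three-way handshake never finished.
def make_records():
    rec = []
    clients = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]

    def normal(bucket, src):
        # 8 web connections per bucket; two of them time out (half-open).
        for n in range(8):
            rec.append((bucket, src, f"10.0.1.{n}", 80, n % 4 != 3))

    for bucket in range(10):              # learning period
        for src in clients:
            normal(bucket, src)
    for bucket in (10, 11):               # detection period
        for src in clients:
            normal(bucket, src)
        # 10.0.0.12 starts behaving like a scanning worm: SYNs to 59
        # distinct hosts on TCP/445, none of which answer.
        for host in range(1, 60):
            rec.append((bucket, "10.0.0.12", f"10.0.2.{host}", 445, False))
    return rec

def half_open_stats(records):
    """Per (bucket, src): number of half-open sessions, plus the distinct
    destination hosts among them grouped by destination port."""
    count = defaultdict(int)
    dests = defaultdict(lambda: defaultdict(set))
    for bucket, src, dst, dport, completed in records:
        if not completed:
            count[(bucket, src)] += 1
            dests[(bucket, src)][dport].add(dst)
    return count, dests

def learn_baseline(count, learn_buckets, k=3.0):
    """Per-source threshold = mean + k*stddev of half-open sessions per
    bucket during learning (assumed formula). The +1 floor keeps a
    zero-variance baseline from alerting on a single extra timeout."""
    samples = defaultdict(list)
    for (bucket, src), c in count.items():
        if bucket in learn_buckets:
            samples[src].append(c)
    return {src: mean(xs) + k * pstdev(xs) + 1 for src, xs in samples.items()}

def detect(count, dests, thresholds, detect_buckets, unknown_src_threshold=10):
    """Alerts: (bucket, src, half_open, busiest_port, distinct_hosts_on_it).
    Many distinct unanswered destinations on one port is the worm/scan
    signature the notes describe."""
    alerts = []
    for (bucket, src), c in sorted(count.items()):
        if bucket not in detect_buckets:
            continue
        if c > thresholds.get(src, unknown_src_threshold):
            port, hosts = max(dests[(bucket, src)].items(), key=lambda kv: len(kv[1]))
            alerts.append((bucket, src, c, port, len(hosts)))
    return alerts

def run():
    records = make_records()
    count, dests = half_open_stats(records)
    thresholds = learn_baseline(count, learn_buckets=set(range(10)))
    return detect(count, dests, thresholds, detect_buckets={10, 11})

if __name__ == "__main__":
    for bucket, src, c, port, hosts in run():
        print(f"bucket {bucket}: {src} left {c} half-open sessions, "
              f"{hosts} distinct hosts on port {port}")
```

The well-behaved clients leave two half-open sessions per bucket throughout, so they never cross their learned threshold; the scanning host is reported in both detection buckets. Note the weakness the table of disadvantages points at: if the scan had already been running during the learning buckets, it would have been baked into the baseline.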
Table 15-3 IPS/IDS Method Advantages and Disadvantages
Signature based
  Advantages: Easy to configure; Cisco supplies and updates the signatures; few false positives once tuned.
  Disadvantages: Cannot detect an attack for which no signature exists yet; signatures must be kept current; initial tuning of false positives is required.
Policy based
  Advantages: Simple, reliable and tailored to the organization's own policy; very few false positives when the policy is well defined.
  Disadvantages: Every rule must be written and maintained by hand, and the sensor only detects what the policy anticipated.
Anomaly based
  Advantages: Self-configuring baselines; detects worms based on anomalies, even if specific signatures have not been created yet for that type of traffic.
  Disadvantages: Building a baseline of "normal" is hard on a large or changing network, a baseline learned while an attack is already under way treats the attack as normal, and deviations that are harmless produce false positives.
Reputation based
  Advantages: Early warning about attack sources already seen elsewhere, before they reach the local network; benefits from global correlation.
  Disadvantages: Depends on participation in, and connectivity to, the global correlation service, and on the reputation data being current.
IPS/IDS sensor actions (reconstructed table)
Deny attacker inline
  Available only if the sensor is configured as an IPS. This action denies all packets from the source IP address of the attacker for a configurable duration of time, after which the deny entry can be dynamically removed.
Deny connection inline
  Available only if the sensor is configured as an IPS. This action drops the packet that triggered the action and all future packets on the same TCP flow. The attacker can open a new TCP session (using different port numbers), which could still be permitted through the inline IPS.
Deny packet inline
  Available only if the sensor is configured as an IPS. All the deny options apply to IPS mode only. Deny packet drops just the packet that triggered the alert.
Log attacker packets
  Begins to log future packets from the attacker's source IP address. This is usually done for a short duration, such as 30 seconds, after the initial alert. Log files are stored in a format that is readable by most protocol analyzers.
Log victim packets
  Begins to log all IP packets whose destination IP address is the victim (the destination address of the packet or packets that triggered the alert).
Log pair packets
  Begins to log future IP packets between the attacker and the victim: packets whose source address matches the source that triggered the alert and whose destination address matches the destination of the triggering packet.
Produce alert
  An alert is the basic mechanism the IDS/IPS uses to report that an event has occurred, such as a signature match indicating malicious traffic. This is the default action for most signatures.
Produce verbose alert
  Same behavior as produce alert, with the addition of a copy of the entire packet that triggered the alert. If both produce alert and produce verbose alert are enabled, the sensor still generates only a single alert, and that alert includes a copy of the triggering packet.
Request block connection
  Some sensors can ask for help to block the attacker's traffic at another point in the network. The device that is contacted to implement the block is called a blocking device, and it can be an IOS router, a switch that supports VLAN access control lists (VACLs), or an ASA. This action causes the sensor to request that the blocking device block based on the source IP address of the attacker, the destination IP address of the victim, and the ports involved in the packet that triggered the alert. The difference between this option and the one that follows is that request block connection leaves the attacker free to send traffic on different ports or to different destination IP addresses, so new sessions are still allowed.
Request block host
  Causes the sensor to request that its blocking devices (see the preceding entry) implement a block based on the source IP address of the attacker, regardless of the ports in use or the destination IP addresses of future packets.
Request SNMP trap
  Generates an SNMP trap message that is sent to the configured SNMP management address.
Reset TCP connection
  Causes the sensor to send a proxy TCP reset to the attacker, spoofed so that the attacker believes the victim sent the reset. This action affects only TCP-based traffic.

Risk rating components (reconstructed table)
Attack severity rating (ASR)
  How critical the attack is, as determined by the person who created that signature.
Signature fidelity rating (SFR)
  The accuracy of the signature (how likely a match is a real attack rather than a false positive), as determined by the person who created that signature.
Target value rating (TVR)
  How valuable the target is, as configured by the administrator for the address or address range; a higher value raises the risk rating for matches against that asset.
Attack relevancy (AR)
  A minor contributor to the risk rating. A signature match that is destined to a host where the attack is relevant, such as a Windows server-based attack going to the destination address of a known Windows server, is considered a relevant attack, and the risk rating increases slightly as a result.
Global correlation
  Reputation information about the source of the traffic from the global correlation service; a source already seen attacking elsewhere raises the risk rating.
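How those components combine into a single number that then selects the sensor action, as an added worked example (not Cisco code). It applies the risk-rating formula Cisco documents for its IPS sensors as I recall it, RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR, with TVR encoded as 50/75/100/150/200 for zero, low, medium, high and mission critical, ARR the attack relevancy adjustment (+10 relevant, 0 unknown, -10 not relevant), PD a promiscuous delta subtracted when the sensor is not inline, and WLR the watch-list rating that global correlation adds for a known-bad source. The constants, the override thresholds, the signature (hypothetical ID 60001) and the hosts are assumptions for this demonstration.

```python
"""Risk rating and event action overrides.

Added example, not Cisco code. The formula, constants, override bounds,
signature and hosts below are assumptions for this demonstration.
"""
from dataclasses import dataclass

TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}

@dataclass
class Signature:
    sig_id: int          # hypothetical ID, not a real Cisco signature number
    name: str
    asr: int             # attack severity rating, set by the signature author
    sfr: int             # signature fidelity rating, set by the signature author
    os_target: str       # OS family the attack is relevant to
    promiscuous_delta: int = 0

@dataclass
class Host:
    ip: str
    os: str              # learned passively or entered by the administrator
    tvr: str = "medium"  # target value rating label set by the administrator

def relevance(sig, victim):
    if victim.os == "unknown":
        return "unknown"
    return "relevant" if victim.os == sig.os_target else "not-relevant"

def risk_rating(sig, victim, inline=True, wlr=0):
    """Risk rating 0-100 for one signature match against one victim."""
    rr = (sig.asr * TVR[victim.tvr] * sig.sfr) / 10000 + ARR[relevance(sig, victim)]
    if not inline:
        rr -= sig.promiscuous_delta   # a copy-only sensor is rated less aggressively
    rr += wlr                         # global correlation: bad reputation pushes RR up
    return max(0, min(100, int(rr)))

# Assumed event action override policy: an action is added once RR reaches its bound.
OVERRIDES = [(90, "deny-packet-inline"), (75, "produce-verbose-alert"), (0, "produce-alert")]

def actions_for(rr, inline=True):
    acts = [name for bound, name in OVERRIDES if rr >= bound]
    if not inline:
        # Deny actions exist only in IPS mode (see the sensor actions above).
        acts = [a for a in acts if not a.endswith("inline")]
    return acts

# Hypothetical signature: a high-severity, high-fidelity Windows SMB exploit.
SMB_EXPLOIT = Signature(60001, "smb-stack-overflow", asr=90, sfr=85,
                        os_target="windows", promiscuous_delta=10)
FILE_SERVER = Host("10.0.1.5", "windows", "mission-critical")
DEV_BOX = Host("10.0.1.9", "linux", "low")
WORKSTATION = Host("10.0.1.20", "windows")       # medium TVR by default

def evaluate(sig, victim, inline=True, wlr=0):
    rr = risk_rating(sig, victim, inline, wlr)
    return rr, actions_for(rr, inline)

if __name__ == "__main__":
    cases = [("file server, inline", FILE_SERVER, True, 0),
             ("linux dev box, inline", DEV_BOX, True, 0),
             ("linux dev box, source on the watch list", DEV_BOX, True, 20),
             ("workstation, promiscuous sensor", WORKSTATION, False, 0)]
    for label, host, inline, wlr in cases:
        print(label, evaluate(SMB_EXPLOIT, host, inline, wlr))
```

The same signature match is dropped inline when it targets the mission-critical Windows server, only alerted on when it targets a low-value Linux host where the attack is not relevant, and never dropped at all by a promiscuous sensor, which has no deny action to offer; the table's remark that relevancy is a minor contributor shows up as the 10-point swing, whereas the target value rating moves the result by a multiplicative factor.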
10. Circumventing an IPS/IDS
Table 15-6 IPS/IDS Evasion Techniques (Evasion Method, Description, Countermeasure)
Traffic fragmentation
  Description: The attacker splits malicious traffic into multiple parts (IP fragments or small TCP segments, possibly sent out of order) with the intent that any detection system will not see the attack for what it really is.
  Countermeasure: Complete session reassembly (IP fragment and TCP stream reassembly) so that the IPS/IDS can see the big picture.
Traffic substitution and insertion
  Description: The attacker substitutes characters in the payload with equivalent encodings that the end host will still decode (URL or Unicode encoding, case changes), or inserts data that the sensor accepts but the end host discards, so that the sensor's view of the stream differs from the victim's.
  Countermeasure: Normalization of the traffic (decoding and de-obfuscation) before signature matching, applying the same rules the end host applies.
Protocol level misinterpretation
  Description: An attacker may attempt to cause a sensor to misinterpret the end-to-end meaning of a network protocol and so perhaps not catch an attack in progress; for example, segments whose TTL expires before they reach the victim, or whose TCP checksum is invalid, are processed by a careless sensor but never by the victim.
  Countermeasure: IP TTL analysis, TCP checksum validation.
Timing attacks
  Description: The attacker spreads the attack over a long period (a slow scan, for instance) so that the rate stays below the sensor's thresholds or outlasts its reassembly and state timeouts.
  Countermeasure: Configurable intervals and thresholds, and correlation of events over a longer window.
Encryption and tunneling
  Description: The attacker carries the attack inside an encrypted session or a tunnel so that the sensor cannot inspect the payload.
  Countermeasure: Inspect the traffic where it is in the clear, before encryption or after decryption (on the endpoint, or behind the VPN termination point).
Resource exhaustion
  Description: The attacker floods the sensor with a large volume of noise or decoy attacks to exhaust its processing and memory, or the analyst's attention, so that the real attack slips through.
  Countermeasure: Dynamic and configurable event summarization, tuning out noisy signatures, and sizing the sensor for the link it monitors.
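The first three rows of Table 15-6 in working code, as an added example (not Cisco code): a toy TCP stream carries an HTTP request that a string signature should catch, and the attacker applies fragmentation (the pattern is split across out-of-order segments), insertion (bogus segments that the sensor sees but the victim never accepts, one because its TTL expires before the last hop and one because its checksum is bad) and substitution (URL-encoding part of the pattern). A per-packet matcher and a reassembling-but-trusting sensor both miss it; the sensor that applies TTL analysis, checksum validation, full reassembly and normalization sees exactly the bytes the victim sees. The signature, the request, the hop count, the first-segment-wins reassembly policy and the checksum scheme are assumptions for this demonstration.

```python
"""IDS/IPS evasion and countermeasures: fragmentation, insertion, substitution.

Added example, not Cisco code. The signature, request, hop count,
reassembly policy and checksum scheme are assumptions.
"""
from urllib.parse import unquote

SIGNATURE = b"/etc/passwd"     # assumed string signature on the HTTP request line
HOPS_TO_VICTIM = 4             # assumed: the sensor sits 4 router hops before the victim

def checksum16(data):
    """Internet-style 16-bit ones' complement sum of the payload."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

class Segment:
    def __init__(self, seq, payload, ttl=64, bad_checksum=False):
        self.seq, self.payload, self.ttl = seq, payload, ttl
        # An attacker forging an insertion segment deliberately corrupts the checksum.
        self.checksum = checksum16(payload) ^ (0xFFFF if bad_checksum else 0)

    def checksum_ok(self):
        return self.checksum == checksum16(self.payload)

def attack_stream():
    """Constructed attacker traffic. The victim ends up receiving
    'GET /etc/%70asswd HTTP/1.0' and decodes %70 to 'p'."""
    return [
        Segment(0, b"GET /et"),                       # fragment 1, bytes 0-6
        Segment(7, b"cX", ttl=2),                     # insertion: expires after 2 hops
        Segment(12, b"asswd HTTP/1.0\r\n"),           # fragment 4, sent out of order
        Segment(9, b"XXX", bad_checksum=True),        # insertion: victim's TCP discards it
        Segment(7, b"c/"),                            # real bytes 7-8
        Segment(9, b"%70"),                           # real bytes 9-11, URL-encoded 'p'
    ]

def reassemble(segments, accept):
    """Stitch accepted segments into a byte stream. First accepted data for a
    sequence number wins; later duplicates are ignored (assumed host policy)."""
    stream = {}
    for s in segments:
        if not accept(s):
            continue
        for i, b in enumerate(s.payload):
            stream.setdefault(s.seq + i, b)
    return bytes(stream[k] for k in sorted(stream))

def normalize(data):
    """URL-decode the request line the way the web server would."""
    return unquote(data.decode("latin-1")).encode("latin-1")

def reaches_victim(s, hops=HOPS_TO_VICTIM):
    """TTL analysis and checksum validation: would the victim ever process this?"""
    return s.ttl > hops and s.checksum_ok()

def per_packet_matcher(segments):
    """Sensor 1: inspects each packet on its own (no reassembly)."""
    return any(SIGNATURE in s.payload for s in segments)

def trusting_sensor(segments):
    """Sensor 2: reassembles, but believes every segment and matches raw bytes."""
    return SIGNATURE in reassemble(segments, lambda s: True)

def hardened_sensor(segments):
    """Sensor 3: drops what the victim would never see, reassembles the rest,
    normalizes, then matches."""
    return SIGNATURE in normalize(reassemble(segments, reaches_victim))

def victim_receives(segments):
    """What the end host actually sees after its own TCP and URL decoding."""
    return normalize(reassemble(segments, reaches_victim))

if __name__ == "__main__":
    stream = attack_stream()
    print("per-packet matcher :", per_packet_matcher(stream))
    print("trusting sensor    :", trusting_sensor(stream))
    print("hardened sensor    :", hardened_sensor(stream))
    print("victim sees        :", victim_receives(stream))
```

The trusting sensor reassembles "GET /etcXXXXasswd ..." because the two inserted segments claim the sequence numbers first, which is exactly the desynchronization the protocol-level misinterpretation row warns about; no amount of URL-decoding would rescue it. The hardened sensor and the victim agree on "GET /etc/passwd HTTP/1.0", so the signature fires.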
III.
Managing Signatures
Signature engine categories captured in these notes:
Service: Signatures that examine application layer services, regardless of the operating system.
String or multistring: Supports flexible pattern matching; the pattern can be identified in a single packet or in a group of packets, such as a session.
Other: Miscellaneous signatures that may not specifically fit into other categories.
IV.
2. Security Intelligence
  1. The longer the sensor is operational, the smarter it gets.
    a. The more sensors there are, the better the information about the attacks that are going on.
  2. A single sensor gives local network intelligence.
  3. Multiple sensors give enterprise intelligence.
  4. Multiple sensors worldwide give global intelligence (participation in global correlation).
  5. Cisco offers the Security Intelligence Operations (SIO) service, which provides global threat information, reputation-based services, and sophisticated analysis for the benefit of Cisco security devices, so that they better protect the networks they serve.
1. Which method should you implement when it is not acceptable for an attack to reach
its intended victim?
a. IDS
b. IPS
c. Out of band
d. Hardware appliance
2. A company has hired you to determine whether attacks are happening against the
server farm, and they do not want any additional delay added to the network. Which
deployment method should be used?
a. Appliance based inline
b. IOS software based inline
c. Appliance based IPS
d. IDS
3. Why does IPS have the ability to prevent an ICMP-based attack from reaching the
intended victim?
a. Policy-based routing
b. TCP resets are used
c. The IPS is inline with the traffic
d. The IPS is in promiscuous mode
4. Which method of IPS uses a baseline of normal network behavior and looks for
deviations from that baseline?
a. Reputation-based IPS
b. Policy-based IPS
c. Signature-based IPS
d. Anomaly-based IPS
VII.
VPN client feature summary
Protocol support: IP/IPsec
User authentication methods available: Pre-shared keys, mutual group authentication, X.509 digital certificates, X-Auth (extended authentication)
General features: On-line help, event logging, NAT transparency, optional MTU size setting, support for dynamic Domain Name System (DNS), virtual adapter, VPN client application programming interface (API), and so on
Firewall:
IPsec: ISAKMP, IKE keepalives, split tunneling, split DNS support, LZS data compression, single SA
Troubleshooting: Multiple logging levels available for local event and connection logging
Authentication algorithms: HMAC-MD5, HMAC-SHA-1
Diffie-Hellman groups:
VIII.
Key terms: IPS, IDS, risk rating, attack severity rating, target value rating, signature fidelity rating