
Explaining Intrusion Prevention

2005 Cisco Systems, Inc. All rights reserved.

IPS v5.02-1

Intrusion Detection Versus Intrusion Prevention


IDS vs IPS

An intrusion detection system has the capability to detect misuse and abuse of, and unauthorized access to, networked resources.

An intrusion prevention system has the capability to detect and prevent misuse and abuse of, and unauthorized access to, networked resources.


Intrusion Prevention Systems

An intrusion prevention system has the capability to detect and prevent misuse and abuse of, and unauthorized access to, networked resources.


Intrusion Detection Technologies


Profile-Based Intrusion Detection

- Is also known as anomaly detection, because the activity detected deviates from the profile of normal activity.
- Requires creation of statistical user and network profiles.
- Is prone to a high number of false positives; normal activity is difficult to define.


Signature-Based Intrusion Detection

- Is also known as misuse detection or pattern matching; matches a pattern of malicious activity.
- Requires creation of signatures.
- Is less prone to false positives; accuracy is based on the signature's ability to match malicious activity.


Protocol Analysis

Intrusion detection analysis is performed on the protocol specified in the data stream.

- Examines the protocol to determine the validity of the packet.
- Checks the content of the payload (pattern matching).
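The three detection technologies on the preceding slides (profile-based, signature-based and protocol analysis) applied to the same traffic, as an added example that is not part of the Cisco course material. The HTTP payloads, source addresses, signature patterns, request-line grammar and the three-standard-deviation threshold are all constructed for illustration:

```python
# Added example (not from the Cisco course): a toy sensor showing the three
# detection approaches on constructed HTTP traffic. All addresses, payloads,
# signatures and thresholds below are made up for illustration.
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # constructed source address
    payload: bytes  # application-layer payload


# Signature-based detection: patterns of known malicious activity.
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./"),
    "shell-reference": re.compile(rb"(?i)/bin/sh|cmd\.exe"),
}


def match_signatures(packet):
    """Return the names of every signature whose pattern matches the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(packet.payload)]


# Protocol analysis: check that the data stream is a well-formed HTTP request
# before looking at its content. A malformed request line is itself suspicious.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) /\S* HTTP/1\.[01]\r\n")


def http_request_valid(packet):
    """True only if the payload starts with a syntactically valid request line."""
    return REQUEST_LINE.match(packet.payload) is not None


# Profile-based (anomaly) detection: compare activity against a statistical
# profile of normal traffic, here packets per source address.
def build_profile(baseline):
    """Mean and population standard deviation of packets per source."""
    counts = list(Counter(p.src for p in baseline).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomalous_sources(packets, profile, z_threshold=3.0):
    """Sources whose packet count exceeds the profile mean by more than
    z_threshold standard deviations. A zero-variance profile flags any count
    above the mean, which is one reason such profiles produce false positives."""
    mean, stdev = profile
    flagged = []
    for src, n in Counter(p.src for p in packets).items():
        z = (n - mean) / stdev if stdev else (float("inf") if n > mean else 0.0)
        if z > z_threshold:
            flagged.append(src)
    return sorted(flagged)


NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
MALFORMED = b"GETT /index.html HTTP/1.1\r\n\r\n"

# Constructed baseline: four sources sending 8, 10, 12 and 10 normal requests.
BASELINE = [Packet(f"10.0.0.{i}", NORMAL)
            for i, n in zip(range(1, 5), (8, 10, 12, 10)) for _ in range(n)]

# Constructed observation window: one source far above the profile, one
# traversal attempt and one malformed request.
OBSERVED = (
    [Packet("10.0.0.1", NORMAL) for _ in range(9)]
    + [Packet("10.0.0.2", NORMAL) for _ in range(12)]
    + [Packet("10.0.0.9", NORMAL) for _ in range(30)]
    + [Packet("10.0.0.3", TRAVERSAL), Packet("10.0.0.4", MALFORMED)]
)


def run_sensor(baseline, observed):
    """Apply all three approaches and return what each one reports."""
    return {
        "anomalous_sources": anomalous_sources(observed, build_profile(baseline)),
        "signature_hits": [(p.src, name) for p in observed for name in match_signatures(p)],
        "protocol_violations": [p.src for p in observed if not http_request_valid(p)],
    }


if __name__ == "__main__":
    for kind, result in run_sensor(BASELINE, OBSERVED).items():
        print(f"{kind}: {result}")
```

Each technique reports something the others miss: the profile flags the chatty source 10.0.0.9 although every one of its requests is benign, the signature catches the traversal request even though it is a perfectly valid HTTP request, and protocol analysis rejects the malformed request line that matches no signature at all.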


Intrusion Detection Evasive Techniques


Evasive Techniques

Attempts to elude intrusion prevention and detection use evasive techniques such as the following:

- Flooding
- Fragmentation
- Encryption


Flooding

Saturating the network with noise traffic while also trying to launch an attack against the target is referred to as flooding.


Fragmentation

Splitting malicious packets into smaller packets to avoid detection and prevention is known as fragmentation.
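Why fragmentation defeats a sensor that matches fragment by fragment, and why reassembly before inspection is the countermeasure, as an added example that is not part of the Cisco course material. The request, the 5-byte fragment size, the traversal signature and the reassembly policy (gaps block matching, overlaps keep the bytes already received) are constructed assumptions:

```python
# Added example (not from the Cisco course): a sensor must reassemble a
# fragmented stream before pattern matching. Fragments, offsets and the
# signature are constructed for illustration.
import random
import re

# Constructed signature for the six-byte pattern the sender is trying to hide.
TRAVERSAL_SIG = re.compile(rb"\.\./\.\./")


def fragment(payload, size):
    """Split payload into (offset, data) fragments of at most `size` bytes."""
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def reassemble(fragments):
    """Rebuild the stream from fragments that may arrive out of order.
    Returns None if a gap remains (a sensor should not match on a partial
    stream). Overlapping bytes keep the copy already in the buffer; that is
    one of several possible policies and the one assumed here."""
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset > len(buf):
            return None                       # missing fragment: incomplete
        buf.extend(data[len(buf) - offset:])  # append only the new bytes
    return bytes(buf)


def scan_fragments_individually(fragments):
    """Naive sensor: runs the signature over each fragment on its own."""
    return any(TRAVERSAL_SIG.search(data) for _, data in fragments)


def scan_reassembled(fragments):
    """Reassembling sensor: rebuilds the stream first, then matches."""
    stream = reassemble(fragments)
    return stream is not None and TRAVERSAL_SIG.search(stream) is not None


# Constructed request whose "../../" never fits inside a single 5-byte fragment.
PAYLOAD = b"GET /../../etc/passwd HTTP/1.0\r\n"
FRAGMENTS = fragment(PAYLOAD, 5)
random.Random(7).shuffle(FRAGMENTS)  # simulate out-of-order arrival

if __name__ == "__main__":
    print("per-fragment match:", scan_fragments_individually(FRAGMENTS))
    print("reassembled match: ", scan_reassembled(FRAGMENTS))
```

The per-fragment scan never fires because the pattern straddles a fragment boundary; the reassembling scan does. Refusing to match while a gap remains is the safe choice for a sensor, since a verdict on a partial stream is neither a reliable positive nor a reliable negative.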


Encryption

(Figure: SSL session.)

Launching an attack via an encrypted session can avoid network-based intrusion detection and prevention.

This type of evasive technique assumes that the attacker has already established a secure session with the target network or host.

Cisco Network Sensors


Cisco Sensor Family

(Figure: chart of the Cisco sensor family plotting performance in Mbps (45, 80, 200, 250 and 600) against network media (10/100 TX, 10/100/1000 TX, 1000 SX, switched/1000) for the NM-CIDS, IPS 4215, AIP-SSM, IPS 4240, IDS 4255 and IDSM-2.)

Sensor Appliances


Sensor Appliance Interfaces

(Figure: a sensor between an untrusted network and a protected network. Its monitoring interface taps the router-switch-router path that traffic follows; its command and control interface connects to the management system.)

Cisco 4215 Sensor Front Panel

(Figure: front panel showing the monitoring network interface card LED, the command and control network interface card LED, and the power LED.)

Cisco 4215 Sensor Back Panel

(Figure: back panel showing the optional monitoring interfaces, the console port, the monitoring interface, and the command and control interface.)

Cisco 4240 Sensor Front Panel

(Figure: front panel showing the power indicator, the status indicator, and the flash indicator.)

Cisco 4240 Sensor Back Panel

(Figure: back panel showing the command and control interface, the expansion slot, the monitoring interfaces, the power connector, the indicators (power, status and flash indicators, and indicator light), the auxiliary port, the USB ports, the compact flash, the console port, and the power switch.)

Cisco 4255 Sensor Front Panel

(Figure: front panel showing the power indicator, the status indicator, and the flash indicator.)

Cisco 4255 Sensor Back Panel

(Figure: back panel showing the command and control interface, the monitoring interfaces, the USB ports, the indicators (power, status and flash indicators, and indicator light), the console port, the expansion slot, the compact flash, the power connector, the auxiliary port, and the power switch.)

Promiscuous-Mode IDS and Inline-Mode IPS


Promiscuous-Mode Protection: IDS

(Figure: a switch copies traffic to the sensor, which reports to the management system; the target receives the original traffic.)

1. A network device sends copies of packets to the sensor for analysis.
2. If the traffic matches a signature, the signature fires.
3. The sensor can send an alarm to a management console and take a response action such as resetting the connection.

Inline-Mode Protection: IPS

(Figure: the sensor sits between the network and the target and reports to the management system.)

- The sensor resides in the data forwarding path.
- An alert can be sent to the management console.
- If a packet triggers a signature, it can be dropped before it reaches its target.

Reliable IPS

IPS software contains several features that enable you to use inline deny actions with confidence. Among these features are the following:

- Risk rating
- Software bypass mode
- Application firewall
- Meta event generator
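The difference between the promiscuous-mode and inline-mode slides, and the role a risk rating plays in deciding when an inline deny is safe, as an added simulation that is not part of the Cisco course material. The packet and signature structures, the two signatures, their risk ratings, the deny threshold of 75, and the assumption that an inline deny drops the rest of the offending connection are all constructed for this example; the slides do not give the risk-rating formula:

```python
# Added example (not from the Cisco course): the same traffic through a
# promiscuous-mode sensor and an inline sensor, with an assumed risk-rating
# threshold deciding whether an inline event is denied or only alerted on.
from dataclasses import dataclass


@dataclass
class Packet:
    flow: str       # constructed connection identifier
    payload: bytes


@dataclass
class Signature:
    name: str
    pattern: bytes
    risk_rating: int  # assumed 0-100 score; the slides do not give the formula


# Constructed signatures with assumed risk ratings.
SIGNATURES = [
    Signature("traversal", b"../../", risk_rating=90),
    Signature("cgi-probe", b"/cgi-bin/", risk_rating=40),
]

# Assumed policy: deny inline only when the event's risk rating is this high,
# so that a low-confidence signature cannot block legitimate traffic by itself.
DENY_THRESHOLD = 75


def first_match(packet):
    """Return the first signature whose pattern occurs in the payload, if any."""
    for sig in SIGNATURES:
        if sig.pattern in packet.payload:
            return sig
    return None


def promiscuous_ids(packets):
    """Promiscuous mode: the sensor sees copies, so every packet it inspects
    has already been forwarded to the target. The only response modelled is
    resetting the connection, which stops later packets of the same flow."""
    delivered, alerts, reset_flows = [], [], set()
    for p in packets:
        if p.flow in reset_flows:
            continue                    # connection was reset: packet never arrives
        delivered.append(p)             # the original packet reaches the target regardless
        sig = first_match(p)
        if sig is not None:
            alerts.append((p.flow, sig.name))
            reset_flows.add(p.flow)
    return delivered, alerts


def inline_ips(packets):
    """Inline mode: the sensor sits in the forwarding path. A packet that fires
    a signature at or above DENY_THRESHOLD is dropped, together with the rest
    of its connection, before it reaches the target. Lower-rated events are
    alerted on but forwarded."""
    delivered, alerts, dropped, denied_flows = [], [], [], set()
    for p in packets:
        if p.flow in denied_flows:
            dropped.append(p)
            continue
        sig = first_match(p)
        if sig is not None:
            alerts.append((p.flow, sig.name))
            if sig.risk_rating >= DENY_THRESHOLD:
                dropped.append(p)
                denied_flows.add(p.flow)
                continue
        delivered.append(p)
    return delivered, alerts, dropped


# Constructed traffic: one clean flow, one traversal attempt with a follow-up
# packet on the same connection, and one low-risk probe.
TRAFFIC = [
    Packet("flowA", b"GET /index.html HTTP/1.1\r\n"),
    Packet("flowB", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("flowB", b"Host: www.example.test\r\n"),
    Packet("flowC", b"GET /cgi-bin/status HTTP/1.1\r\n"),
]


def compare(packets):
    """Run the same traffic through both modes and summarise what the target saw."""
    ids_delivered, ids_alerts = promiscuous_ids(packets)
    ips_delivered, ips_alerts, ips_dropped = inline_ips(packets)
    return {
        "ids_reached_target": [p.flow for p in ids_delivered],
        "ips_reached_target": [p.flow for p in ips_delivered],
        "ips_dropped": [p.flow for p in ips_dropped],
        "alerts_identical": ids_alerts == ips_alerts,
    }


if __name__ == "__main__":
    for key, value in compare(TRAFFIC).items():
        print(f"{key}: {value}")
```

Both sensors raise the same alerts, but only the inline sensor keeps the traversal packet away from the target; the promiscuous sensor's reset arrives after that packet has already been delivered. The low-risk probe is forwarded in both modes, which is the point of gating deny actions on a risk rating: an alert costs an analyst's time, a wrong deny costs availability.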


Cisco Defense in Depth


Network IPS

- Sensors are connected to network segments. A single sensor can monitor many hosts.
- Growth of a network is easily protected. New hosts and devices can be added to the network without additional sensors.
- The sensors are network appliances tuned for intrusion detection analysis.
- The operating system is hardened.
- The hardware is dedicated to intrusion detection analysis.


Network IPS (Cont.)

(Figure: a corporate network behind a firewall and router facing an untrusted network; a sensor monitors the switched segment and reports to a management server.)


Host Intrusion Prevention System

- Consists of agent software installed on each host
- Provides individual host detection and protection
- Does not require special hardware


Host Intrusion Prevention System (Cont.)

(Figure: a corporate network behind a firewall facing an untrusted network; an agent runs on each host, including the application, SMTP, WWW and DNS servers, and the agents report to a console.)

Defense in Depth: A Layered Solution

Host-focused technology:
- Application-level encryption protection
- Policy enforcement (resource control)
- Web application protection
- Buffer overflow

Network-focused technology:
- Network attack and reconnaissance detection
- DoS detection

Sensor Deployment


Sensor Selection Factors

- Network media: Ethernet, Fast Ethernet, or Gigabit Ethernet
- Intrusion detection analysis performance: bits per second
- Network environment: T1/E1, switched, multiple T3/E3, or gigabit


Deploying IDS and IPS

(Figure: a corporate network with a router and firewall facing an untrusted network; sensors and an IDSM2 monitor the core, an NM-CIDS protects the branch, CSA agents run on the WWW and DNS servers, and all report to a management server.)

IDS and IPS Sensor Placement

(Figure: a firewall between the Internet and the internal network, with one sensor on the outside and one on the inside; an inside attacker sits on the internal network.)

Sensor on outside:
- Sees all traffic destined for your network
- Has a high probability of false positives
- Does not detect internal attacks

Sensor on inside:
- Sees only traffic permitted by the firewall
- Has a lower probability of false positives
- Requires immediate response to alarms


IPS Terminology


Vulnerabilities and Exploits

A vulnerability is a weakness that compromises either the security or the functionality of a system.
- Poor passwords
- Improper input handling
- Insecure communications

An exploit is the mechanism used to leverage a vulnerability.
- Password guessing tools
- Shell scripts
- Executable code

False Alarms

- False positive: Normal traffic or a benign action causes the signature to fire.
- False negative: A signature is not fired when offending traffic is present. An actual attack is not detected.


True Alarms

- True positive: A signature is fired properly when the offending traffic is detected. An attack is detected as expected.
- True negative: A signature is not fired when nonoffending traffic is detected. Normal traffic or a benign action does not cause an alarm.
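The four outcomes from the False Alarms and True Alarms slides computed for a signature over labelled sample traffic, as an added example that is not part of the Cisco course material. The signature, the five sample requests and their ground-truth labels are constructed; the two rates at the end are the usual way of summarising how a signature behaves on a traffic mix:

```python
# Added example (not from the Cisco course): classify a signature's verdicts
# on labelled traffic into true/false positives and negatives. The signature,
# the sample traffic and the labels are constructed for illustration.
import re
from collections import Counter

# Constructed signature: fires on a literal "../" in the request.
SIG = re.compile(rb"\.\./")

# (description, payload, is_attack). The label is the analyst's ground truth.
SAMPLES = [
    ("normal page fetch", b"GET /index.html HTTP/1.1\r\n", False),
    ("traversal attempt", b"GET /../../etc/passwd HTTP/1.1\r\n", True),
    # Benign text that happens to contain the pattern: the signature fires anyway.
    ("relative link in a blog post", b"POST /blog HTTP/1.1\r\n\r\nsee ../archive", False),
    # Same intent with the dots percent-encoded: the signature does not decode
    # the URL, so it misses the attack (the fix is normalising before matching).
    ("encoded traversal", b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n", True),
    ("normal image fetch", b"GET /logo.png HTTP/1.1\r\n", False),
]


def classify(fired, is_attack):
    """Map a (signature fired?, was it really an attack?) pair to its outcome."""
    if fired and is_attack:
        return "true_positive"
    if fired and not is_attack:
        return "false_positive"
    if not fired and is_attack:
        return "false_negative"
    return "true_negative"


def evaluate(samples, signature=SIG):
    """Run the signature over every sample; return outcome counts and details."""
    outcomes = Counter()
    details = []
    for desc, payload, is_attack in samples:
        fired = signature.search(payload) is not None
        outcome = classify(fired, is_attack)
        outcomes[outcome] += 1
        details.append((desc, outcome))
    return outcomes, details


def rates(outcomes):
    """Detection rate (share of attacks caught) and false positive rate
    (share of benign traffic alarmed on)."""
    tp, fp = outcomes["true_positive"], outcomes["false_positive"]
    fn, tn = outcomes["false_negative"], outcomes["true_negative"]
    attacks, benign = tp + fn, fp + tn
    return {
        "detection_rate": tp / attacks if attacks else 0.0,
        "false_positive_rate": fp / benign if benign else 0.0,
    }


if __name__ == "__main__":
    counts, per_sample = evaluate(SAMPLES)
    for desc, outcome in per_sample:
        print(f"{desc}: {outcome}")
    print(dict(counts), rates(counts))
```

On this constructed mix the signature scores one outcome of each kind plus a second true negative, so it detects half of the attacks and alarms on a third of the benign requests. Tuning is a trade between the two: a broader pattern raises the detection rate and the false positive rate together, which is exactly the tension the profile-based and signature-based slides describe.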


Cisco IPS Software Architecture


Software Architecture Overview

These are the primary components of the IPS software architecture:

- Event Store provides storage for all events.
- Analysis Engine is the monitoring application.
- MainApp is the core application.
- Web server runs within mainApp and services all web and SSL requirements.
- SSH and Telnet service the SSH and Telnet requirements of the CLI application.


Software Architecture Overview (Cont.)

- IDAPI provides the communication channel between applications.
- Network Access Controller runs within mainApp and is used to initiate the blocking response action on network devices.
- NotificationApp supports SNMP gets.
- Sensor interfaces serve as the traffic inspection points. Sensor interfaces are also used for TCP resets and IP logging.

