Chapter Five
Implementing Intrusion Prevention
Lesson Planning
This lesson should take 3-6 hours to present.
The lesson should include lecture, demonstrations, discussion and assessments.
The lesson can be taught in person or using remote instruction.
Major Concepts
Describe the purpose and operation of network-based and host-based Intrusion Prevention Systems (IPS)
Describe how IDS and IPS signatures are used to detect malicious network traffic
Implement Cisco IOS IPS operations using CLI and SDM
Verify and monitor the Cisco IOS IPS operations using CLI and SDM
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the functions and operations of IDS and IPS systems
2. Introduce the two methods of implementing IPS and describe host-based IPS
3. Describe network-based intrusion prevention
4. Describe the characteristics of IPS signatures
5. Describe the role of signature alarms (triggers) in Cisco IPS solutions
6. Describe the role of tuning signature alarms (triggers) in a Cisco IPS solution
7.
8.
9.
10. Describe how to configure Cisco IOS IPS using Cisco SDM
11. Describe how to modify IPS signatures in CLI and SDM
12. Describe how to verify the Cisco IOS IPS configuration
13. Describe how to monitor the Cisco IOS IPS events
14. Describe how to troubleshoot the Cisco IOS IPS events
Common Intrusions
[Figure: Common Intrusions: a zero-day exploit attacking a network made up of MARS, ACS, VPN, remote worker, firewall, remote branch, IronPort, CSA, LAN, web server, email server, DNS and switch]
[Figure: IDS: sensor and management console monitoring traffic toward the target]
2009 Cisco Learning Institute.
[Figure: IPS: inline sensor, bit bucket, management console and target]
Common characteristics of IDS and IPS

IDS: Promiscuous Mode
  Advantage: No impact on network (latency, jitter)
  Disadvantages: Response action cannot stop trigger packets

IPS: Inline Mode
  Disadvantages: Sensor issues might affect network traffic; Sensor overloading impacts the network
Network-Based Implementation
[Figure: network-based implementation: IPS sensors at the firewall, the remote branch VPN and the remote worker VPN; MARS, IronPort, CSA, web server, email server and DNS also shown]
Host-Based Implementation
[Figure: host-based implementation: CSA agents on the hosts (web server, email server, DNS, remote branch, remote worker) alongside MARS, firewall, VPN, IPS and IronPort]
[Figure: Cisco Security Agent deployment: agents on the application, SMTP, web and DNS servers behind the firewall, managed by the Management Center for Cisco Security Agents; untrusted network outside the firewall]
Host-Based Solutions
Advantages and Disadvantages of HIPS
Advantages
Disadvantages
Network-Based Solutions
[Figure: network-based solution: sensors at the router and firewall edge to the untrusted network, in the corporate network and in front of the web and DNS servers, reporting to a management server]
IPS Sensors
Factors that impact IPS sensor selection and deployment:
- Amount of network traffic
- Network topology
- Security budget
- Available security staff
Size of implementation:
- Small (branch offices)
- Large
- Enterprise
Advantages and Disadvantages of Host-based and Network IPS

Host-based IPS
  Advantages: Provides application-level encryption protection
  Disadvantages: Operating system dependent; Lower level network events not seen; Host is visible to attackers

Network IPS
  Advantages: Is cost-effective; Not visible on the network; Operating system independent; Lower level network events seen
  Disadvantages: Cannot examine encrypted traffic; Does not know whether an attack was successful
Signature Characteristics
Signature Types
Atomic
- Simplest form
- Consists of a single packet, activity, or event
- Does not require intrusion system to maintain state information
- Easy to identify
Composite
- Also called a stateful signature
- Identifies a sequence of operations distributed across multiple hosts
- Signature must maintain a state known as the event horizon
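The difference between an atomic and a composite signature, shown as an added Python example (this is not code from the Cisco course; the packet fields, the two signature names and the thresholds are constructed for the demonstration): the atomic signature decides on one packet with no stored state, while the composite signature keeps per-source state and discards observations older than its event horizon before deciding.

```python
# Added example (not from the Cisco course material): a minimal signature
# engine contrasting an atomic signature, which fires on a single packet with
# no stored state, with a composite (stateful) signature, which must remember
# earlier events for a bounded "event horizon" before it can decide.
# Packet fields, signature ids and thresholds below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start (constructed)
    src: str
    dst: str
    proto: str       # "TCP" or "ICMP"
    dport: int = 0
    flags: str = ""  # TCP flags as letters, e.g. "S", "SF"


@dataclass
class Alarm:
    sig_id: int
    name: str
    src: str
    ts: float


# --- Atomic signature: one packet is enough, no state kept ---------------
def atomic_syn_fin(pkt: Packet) -> bool:
    """Fires on a single TCP packet carrying both SYN and FIN, an illegal
    flag combination (constructed signature id 1 in this demo)."""
    return pkt.proto == "TCP" and "S" in pkt.flags and "F" in pkt.flags


# --- Composite (stateful) signature: history within an event horizon -----
class PortSweepSignature:
    """Fires when one source sends SYNs to `threshold` distinct ports on one
    host within `horizon` seconds. State older than the horizon is dropped,
    which is what bounds the sensor's memory (constructed thresholds)."""

    def __init__(self, threshold: int = 5, horizon: float = 10.0):
        self.threshold = threshold
        self.horizon = horizon
        # (src, dst) -> list of (ts, dport) observations still inside horizon
        self.state: dict = defaultdict(list)

    def feed(self, pkt: Packet) -> bool:
        if pkt.proto != "TCP" or pkt.flags != "S":
            return False
        key = (pkt.src, pkt.dst)
        obs = self.state[key]
        obs.append((pkt.ts, pkt.dport))
        # discard observations that fell outside the event horizon
        cutoff = pkt.ts - self.horizon
        self.state[key] = obs = [o for o in obs if o[0] >= cutoff]
        ports = {p for _, p in obs}
        if len(ports) >= self.threshold:
            self.state[key] = []  # reset so one sweep yields one alarm
            return True
        return False


def run_engine(packets):
    """Feed every packet to both signatures; return the alarms raised."""
    alarms = []
    sweep = PortSweepSignature()
    for pkt in packets:
        if atomic_syn_fin(pkt):
            alarms.append(Alarm(1, "TCP SYN/FIN", pkt.src, pkt.ts))
        if sweep.feed(pkt):
            alarms.append(Alarm(2, "TCP port sweep", pkt.src, pkt.ts))
    return alarms


# Constructed traffic: a normal web client, one malformed SYN/FIN packet,
# a slow probe that never has enough ports inside the horizon, and a sweep.
SAMPLE = [
    Packet(0.0, "10.1.1.5", "10.2.2.80", "TCP", 80, "S"),
    Packet(0.1, "10.1.1.5", "10.2.2.80", "TCP", 80, "A"),
    Packet(1.0, "10.1.1.9", "10.2.2.80", "TCP", 22, "SF"),  # atomic hit
]
# slow probe: one port every 15 s, so a 10 s horizon never holds 5 ports
SAMPLE += [Packet(20.0 + 15 * i, "10.1.1.7", "10.2.2.80", "TCP", 100 + i, "S")
           for i in range(6)]
# fast sweep: five ports in two seconds -> composite hit at the fifth SYN
SAMPLE += [Packet(200.0 + 0.4 * i, "10.1.1.8", "10.2.2.80", "TCP", 1000 + i, "S")
           for i in range(5)]

if __name__ == "__main__":
    for a in run_engine(SAMPLE):
        print(f"sig {a.sig_id} {a.name}: src={a.src} at t={a.ts}")
```

Running the block raises exactly two alarms: the SYN/FIN packet trips the atomic signature on its own, and the fast sweep trips the composite signature only at its fifth SYN. The slow probe is the point of the event horizon: because each of its SYNs arrives after the previous one has aged out, the composite signature never accumulates enough state to fire, which is also why a stateful signature costs the sensor memory that an atomic one does not.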
Signature File
Signature Micro-Engines

Version 4.x SME (prior to 12.4(11)T) | Version 5.x SME | Description
ATOMIC.IP        | ATOMIC.IP    |
ATOMIC.ICMP      | ATOMIC.IP    | Provides simple Internet Control Message Protocol (ICMP) alarms based on the following parameters: type, code, sequence, and ID
ATOMIC.IPOPTIONS | ATOMIC.IP    |
ATOMIC.UDP       | ATOMIC.IP    | Provides simple User Datagram Protocol (UDP) packet alarms based on the following parameters: port, direction, and data length
ATOMIC.TCP       |              | Provides simple TCP packet alarms based on the following parameters: port, destination, and flags
SERVICE.DNS      | SERVICE.DNS  |
SERVICE.RPC      | SERVICE.RPC  |
SERVICE.SMTP     | STATE        |
SERVICE.HTTP     | SERVICE.HTTP |
SERVICE.FTP      |              |
STRING.TCP       | STRING.TCP   |
STRING.UDP       | STRING.UDP   |
STRING.ICMP      | STRING.ICMP  |
MULTI-STRING     | MULTI-STRING |
OTHER            | NORMALIZER   |
Signature Triggers

Trigger                   | Advantages          | Disadvantages
Anomaly-based Detection   | Easy configuration  | Generic output
Policy-based Detection    | Customized policies |
Pattern-based Detection   | Easy configuration  |
Honey Pot-Based Detection |                     |
Pattern-based Detection

Trigger: Pattern-based detection
Atomic Signature: No state required to examine pattern to determine if signature action should be applied
Stateful Signature:
Example:
Anomaly-based Detection

Trigger: Anomaly-based detection
Atomic Signature: No state required to identify activity that deviates from normal profile
Stateful Signature:
Example:
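An added Python example (not from the course material) of the anomaly-based trigger: a profile of normal activity is learned from a training window, and later samples that deviate from it beyond a threshold raise an alarm. The connection counts, the three-standard-deviation rule and the minimum floor are constructed assumptions for the demonstration, not a Cisco IPS setting.

```python
# Added example (not from the Cisco course material): anomaly-based
# detection. A profile of "normal" is learned first, then later activity is
# compared with that profile and a deviation beyond a threshold raises an
# alarm. The profiled quantity here is the number of new connections a host
# opens per minute; all counts and thresholds are constructed.
import statistics


class RateProfile:
    """Baseline of connections-per-minute for one host, learned from samples."""

    def __init__(self, training_samples, sigmas: float = 3.0, min_floor: int = 5):
        if len(training_samples) < 2:
            raise ValueError("need at least two training samples")
        self.mean = statistics.mean(training_samples)
        self.stdev = statistics.pstdev(training_samples)
        self.sigmas = sigmas
        # the floor stops a near-constant baseline from alarming on tiny changes
        self.min_floor = min_floor

    def threshold(self) -> float:
        return self.mean + max(self.sigmas * self.stdev, self.min_floor)

    def is_anomalous(self, sample: int) -> bool:
        return sample > self.threshold()


def detect(training, observed):
    """Learn a profile from `training` (counts per minute), then return the
    (minute_index, count) pairs in `observed` that deviate from it."""
    profile = RateProfile(training)
    return [(i, c) for i, c in enumerate(observed) if profile.is_anomalous(c)]


# Constructed data: a workstation that normally opens 8-14 connections a
# minute, then in minute 3 of the observed window opens 120.
TRAINING = [10, 12, 9, 11, 13, 8, 10, 14, 11, 12]
OBSERVED = [11, 13, 9, 120, 12]

if __name__ == "__main__":
    p = RateProfile(TRAINING)
    print(f"baseline mean={p.mean:.1f} stdev={p.stdev:.2f} threshold={p.threshold():.1f}")
    for minute, count in detect(TRAINING, OBSERVED):
        print(f"minute {minute}: {count} connections/min exceeds profile")
```

Two properties of the trigger are visible here. Configuration is easy, since nothing attack-specific is written: only the training window and the deviation rule are chosen. The output is equally generic: the alarm says that minute 3 departs from the profile, not what caused it, so an operator still has to investigate, and a baseline learned while an attack was already under way would treat that attack as normal.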
Policy-based Detection

Trigger: Policy-based detection
Atomic Signature: Detecting abnormally large fragmented packets by examining only the last fragment
Stateful Signature: Previous activity (state) required to identify undesirable behavior
Example: A SUN Unix host sending RPC requests to remote hosts without initially consulting the SUN PortMapper program.
Signature Alarms

Alarm Type     | Network Activity | IPS Activity       | Outcome
False positive |                  | Alarm generated    | Tune alarm
False negative | Attack traffic   | No alarm generated | Tune alarm
True positive  | Attack traffic   | Alarm generated    | Ideal setting
True negative  |                  | No alarm generated | Ideal setting
Generating an Alert

Specific Alert         | Description
Produce alert          |
Produce verbose alert  |
Log victim packets     |
Deny connection inline |
Deny packet inline     |
Allowing Activity
Request block host     |
Request SNMP trap      |
The MARS appliance detected and mitigated the ARP poisoning attack.

There are four factors to consider when planning a monitoring strategy:
- Management method
- Event correlation
- Security staff
- Incident response plan
MARS
The security operator examines the output generated by the MARS appliance:
- MARS is used to centrally manage all IPS sensors.
- MARS is used to correlate all of the IPS and Syslog events in a central location.
- The security operator must proceed according to the incident response plan identified in the Network Security Policy.
[Figure: alarms forwarded via the SDEE protocol to a network management console and via syslog to a syslog server]
Best Practices
- The need to upgrade sensors with the latest signature packs must be balanced against the momentary downtime.
- When setting up a large deployment of sensors, automatically update signature packs rather than manually upgrading every sensor.
- When new signature packs are available, download the new signature packs to a secure server within the management network. Use another IPS to protect this server from attack by an outside party.
- Place the signature packs on a dedicated FTP server within the management network. If a signature update is not available, a custom signature can be created to detect and mitigate a specific attack.
- Configure the FTP server to allow read-only access to the files within the directory on which the signature packs are placed only from the account that the sensors will use.
- Configure the sensors to automatically update the signatures by checking the FTP server for the new signature packs periodically.
- Stagger the time of day when the sensors check the FTP server for new signature packs.
- The signature levels that are supported on the management console must remain synchronized with the signature packs on the sensors themselves.
2. Create Directory
R1# mkdir ips
Create directory filename [ips]?
Created dir flash:ips
R1#
R1# dir flash:
Directory of flash:/
    5  -rw-    51054864   Jan 10 2009 15:46:14 -08:00  c2800nm-advipservicesk9-mz.124-20.T1.bin
    6  drw-           0   Jan 15 2009 11:36:36 -08:00  ips
64016384 bytes total (12693504 bytes free)
R1#
To rename a directory:
R1# rename ips ips_new
Destination filename [ips_new]?
R1#
R1# conf t
R1(config)#
1. Highlight and copy the text contained in the public key file.
2. Paste it in global configuration mode.
01050003 82010F00 3082010A 02820101
206BE3A2 06FBA13F 6F12CB5B 4E441F16
11FC7AF7 DCDD81D9 43CDABC3 6007D128
F30AF10A C0EFB624 7E0764BF 3E53053E
9479039D 20F30663 9AC64B93 C0112A35
F65875D6 85EAF974 6D9CC8E3 F0B08B85
69C46F9C A84DFBA5 7A0AF99E AD768C36
5539E1D1 9693CCBB 551F78D2 892356AE
BFF668E9 689782A5 CF31CB6E B4B094D3
<Output omitted>
Using SDM
!
interface Serial0/0/0
 ip ips sdm_ips_rule in
 ip virtual-reassembly
<Output omitted>
To modify a signature action, right-click on the signature and choose Actions.
Using SDM
Choose Configure > Intrusion Prevention > Edit IPS