CCNA Security 1.1
Instructional Resource
Chapter 5 – Implementing Intrusion Prevention
© 2012 Cisco and/or its affiliates. All rights reserved.
1
• Describe the underlying IDS and IPS technology that is
embedded in the Cisco host- and network-based IDS and IPS
solutions.
• Configure Cisco IOS IPS using CLI and CCP.
• Verify Cisco IOS IPS using CLI and CCP.
8.0 Implementing Cisco IPS
8.1 Describe IPS deployment considerations
8.1.3 Placement
8.2 Describe IPS technologies
8.2.1 Attack responses
8.2.2 Monitoring options
8.2.3 Syslog
8.2.4 SDEE
8.2.5 Signature engines
8.2.6 Signatures
8.2.7 Global Correlation and SIO
8.3 Configure Cisco IOS IPS using CCP
8.3.1 Logging
8.3.2 Signatures
• IDS passively monitors mirrored traffic offline.
• IPS operates inline and is able to detect and respond to an attack in
real-time.
• IPS is deployed in standalone devices, as a daughter card on ISRs, as
network modules in ISRs and ASAs, and as dedicated blades on high-end
chassis-based switches and routers.
• The three attributes of signatures are type, trigger, and action.
• Signature types are atomic or composite.
• Global Correlation enables Cisco IPS devices to receive real-time threat
updates from the Cisco SensorBase Network.
• Alarm types are false positive, false negative, true positive, and true
negative.
• Signature severity levels are high, informational, low, and medium.
• Signature actions are generate an alert, log the activity, prevent the activity,
reset a TCP connection, block future activity, and allow the activity.
• Cisco IOS IPS can be configured via CLI or CCP.
• Chapter 5 Lab A: Configuring an Intrusion Prevention System
(IPS) Using the CLI and CCP
– Part 1: Basic Router Configuration
– Part 2: Use CLI to configure an IOS Intrusion Prevention System (IPS)
– Part 3: Configuring an Intrusion Prevention System (IPS) using CCP
Anomaly-based Detection
Involves defining a profile of what is considered normal for the
network or host, learned by monitoring activity on the network
or specific applications on the host over a period of time. An
anomaly-based signature triggers an action if excessive
activity occurs beyond a specified threshold that is not
included in the normal profile.
ASA AIP-SSM
ASA Advanced Inspection and Prevention Security Services
Module is a network module added to ASA devices for
dedicated IPS support.
Atomic Alert
IPS alert generated every time a signature triggers.
Atomic Signature
Simplest type of signature, consisting of a single packet,
activity, or event that is examined.
Composite Signature
Stateful signature which identifies a sequence of operations
distributed across multiple hosts over an arbitrary period of
time. Unlike atomic signatures, the stateful properties of
composite signatures usually require several pieces of data to
match an attack signature.
Crypto Key
Key which verifies the digital signature for the master
signature file (sigdef-default.xml) which is signed by a Cisco
private key to guarantee its authenticity and integrity.
CSM
Cisco Security Manager (CSM) centrally provisions device
configurations and security policies for firewalls, VPNs, and
IPS devices.
Event Correlation
Process of correlating attacks and other events that are
happening simultaneously at different points across a network.
Correlation depends on consistent clocks: devices derive their
time from an NTP server so that alerts generated by the IPS are
accurately timestamped.
False Negative Alarm
Result which occurs when an IPS fails to generate an alarm
after processing attack traffic that the IPS is configured to
detect.
False Positive Alarm
Expected but undesired result, which occurs when an IPS
generates an alarm after processing normal user traffic that
should not have triggered an alarm.
Global Correlation
Cisco IPS feature enabling IPS devices to receive regular
threat updates from the Cisco SensorBase Network.
High Severity Level
Severity level assigned when attacks used to gain access or to
cause a DoS are detected, and an immediate threat is extremely
likely.
Honey Pot-based Detection
IPS mechanism of using a dummy server to attract attacks in
order to divert them away from real network devices. By
staging different types of vulnerabilities on the honey pot
server, administrators can analyze the incoming types of attacks
and malicious traffic patterns.
Host-based IPS
Software installed on an end-system that integrates with
centralized servers to provide intrusion prevention.
IDS
Intrusion Detection Systems (IDS) passively monitor the traffic
on a network. An IDS-enabled device copies the traffic stream,
and analyzes the monitored traffic rather than the actual
forwarded packets.
IDSM-2
IDS Services Module installs in a Catalyst 6500 switch to
provide IPS functionality.
IME
Cisco IPS Manager Express (IME) is an all-in-one GUI-based
configuration and management tool for IPS appliances.
Incident Response Plan
A plan to be implemented when a system is compromised.
The compromised system should be restored to the state it
was in before the attack.
Informational Severity Level
Severity level assigned when the activity that triggers the
signature is not considered an immediate threat, but the
information it provides is useful.
IOS-Sxxx-CLI.pkg
Cisco IOS signature package.
IPS
Intrusion Prevention Systems (IPS) build on IDS technology.
IPS devices are implemented in inline mode: all traffic must
flow through it for processing. IPS devices can detect and
immediately address a network problem as required.
IPS 4200 Series Sensor
IPS 4200 Series Sensors are standalone Cisco devices
providing dedicated IPS functionality.
IPS AIM
IPS Advanced Integration Module is a daughter card added to
an ISR to provide IPS functionality.
IPS NME
IPS Network Module Enhanced is a module which installs in
an ISR to provide IPS functionality.
Low Severity Attack
Severity level assigned when abnormal network activity that
could be perceived as malicious is detected, but an immediate
threat is not likely.
Medium Severity Attack
Severity level assigned when abnormal network activity that
could be perceived as malicious is detected, and an immediate
threat is likely.
Network-based IPS
IPS sensor installed as a network device or integrated within a
network device to provide intrusion prevention.
Pattern-based Detection
IPS mechanism of matching pre-defined traffic patterns.
Policy-based Detection
IPS mechanism based on administrator-defined behaviors
deemed suspicious based on historical analysis.
realm-cisco.pub.key.txt
Text file containing the public crypto key used by IOS IPS.
Reset TCP Connection
Action used to terminate TCP connections by generating a
packet for the connection with the TCP RST flag set.
SDEE
Secure Device Event Exchange (SDEE) is an alarm format
developed to improve communication of events generated by
security devices. It primarily communicates IDS events, but
the format is intended to be extensible and allows additional
event types to be included as they are defined.
SensorBase Network
Centralized Cisco threat database that contains real-time,
detailed information about known threats on the Internet.
Signature
A description of characteristics associated with a known
attack. A malicious packet flow has a specific type of activity
and signature. An IDS or IPS sensor examines the data flow
using signatures. When a sensor matches a signature with a
data flow, it takes action, such as logging the event or sending
an alarm to IDS or IPS management software.
SIO
Cisco Security Intelligence Operation (SIO) is a security
ecosystem, including the SensorBase Network, designed to
detect threat activity, research and analyze threats, and
provide real-time updates and best practices to keep
organizations informed and protected.
Summary Alert
Single IPS alert that indicates multiple occurrences of the
same signature from the same source address or port.
Trigger
Traffic behavior that signals an intrusion or policy violation.
True Negative Alarm
Describes situation in which normal network traffic does not
generate an alarm.
True Positive Alarm
Describes situation in which an IPS generates an alarm
response to known attack traffic.
• SDM has been replaced by CCP.
• Host-based IPS content was removed.
• Cisco Global Correlation via the SensorBase Network is now
used to update IPS signatures.
• Cisco Security Intelligence Operation (SIO) is a security
ecosystem, including the SensorBase Network, designed to
detect threat activity, research and analyze threats, and provide
real-time updates and best practices to keep organizations
informed and protected.
• Chapter 5 is a fairly even combination of theory and practice.
• The goal is to introduce students to the major concepts of IPS
and how IPS devices and IPS signatures are used to proactively
prevent intrusion attempts related to malicious traffic on the
network.
• The lab is designed to teach students to configure IPS using both
the CLI and CCP.
• Students will have used CCP in the lab environment in previous
chapters. The same troubleshooting techniques for connecting
successfully to the ISR via CCP apply here.
• Obtain the signature packages and the public key from
Cisco.com. To do this, it is required that you have an active
account on Cisco.com.
– Download the files at http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
– IOS-Sxxx-CLI.pkg: This is the signature package.
– realm-cisco.pub.key.txt: This is the public crypto key used by IOS IPS.
• The mechanics of preparing for the IPS lab are extensive and the
requirements for success are exacting. Ensure that the PCs or
VMs in the lab have the appropriate Java updates, that the Java
runtime parameters are configured correctly, that appropriate
browser versions are installed, that the appropriate signature files
are available on the PCs or routers, and that the appropriate
image is installed on the routers.
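The following is an added example of the IOS CLI sequence that Part 2 of the lab walks through; it is not taken from the lab or the course materials. Hostname R1, the directory name flash:ips, the rule name iosips, interface GigabitEthernet0/1 and the TFTP server address are assumptions, and the hex key material is omitted because it comes from the downloaded realm-cisco.pub.key.txt.

```cisco
! Step 1: create a directory on flash for the compiled signature files.
R1# mkdir flash:ips
R1# configure terminal
!
! Step 2: install the Cisco public key so the router can verify the
! digital signature on the signature package. realm-cisco.pub.key.txt
! already contains this block; paste it in global configuration mode.
R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
R1(config-pubkey-key)# key-string
R1(config-pubkey)# <hex key material from realm-cisco.pub.key.txt - placeholder>
R1(config-pubkey)# quit
R1(config-pubkey-key)# exit
R1(config-pubkey-chain)# exit
!
! Step 3: name the IPS rule, point it at the config directory, and
! enable both logging methods (SDEE needs the HTTP server).
R1(config)# ip ips name iosips
R1(config)# ip ips config location flash:ips
R1(config)# ip ips notify sdee
R1(config)# ip ips notify log
R1(config)# ip http server
!
! Step 4: retire every signature, then unretire only the ios_ips basic
! category so the ISR compiles a set it can reasonably support.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
! The router asks: Do you want to accept these changes? [confirm]
!
! Step 5: apply the rule inbound on the interface facing untrusted traffic.
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip ips iosips in
R1(config-if)# end
!
! Step 6: load the signature package; the "idconf" target triggers the
! signature compile, which takes a while on first load.
R1# copy tftp://<TFTP-SERVER>/IOS-Sxxx-CLI.pkg idconf
!
! Step 7: verify the rule, interface binding and compiled signature count.
R1# show ip ips all
R1# show ip ips signatures count
```

Compilation status messages appear on the console as each engine finishes, and the syslog and SDEE outputs can be compared once traffic matches a signature.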
• Prepare students to be patient when compiling the IPS signatures
for the first time on the router, as it can take quite a while.
• After completing the IPS installation in CCP, encourage students
to explore the various signature parameters by way of the Edit tab
in CCP.
• Compare and contrast the role of intrusion prevention solutions
versus the role of firewalls. When students are first learning
security it is not uncommon for them to confuse the purpose of
IPS versus that of a firewall.
– Explain that firewall rules are not updated regularly the way IPS signatures on
ISRs or virus definitions on PCs are.
– Firewalls permit or deny traffic based on preconfigured parameters. Intrusion
prevention responds to detected malicious traffic with an action, such as reset
TCP connection or deny packet inline.
– IPS solutions are inherently more dynamic than firewalls.
• Host-based IPS solutions are deprecated in this version of the
curriculum, but this does not preclude their introduction in the
classroom. In this case, compare and contrast host-based versus
network-based approaches. A combination of these two
approaches is ideal. Some philosophy is involved here – security
experts often differ on the relative importance of each approach.
• Compare and contrast the CLI and CCP implementation methods
for Cisco IPS. An open-ended discussion on the merits of each
approach is beneficial to practitioners.
• Compare the advantages and disadvantages of the four types of
signature triggers to minimize common confusion about them.
• Compare and contrast IDS solutions and IPS solutions.
– What are some advantages of IDS over IPS?
– Does IDS require any additional technologies compared to IPS?
– What can an IPS device do that an IDS device cannot?
• Contrast the IPS management options: Cisco IPS Manager
Express (IME) or Cisco Security Manager (CSM).
• Compare and contrast the IPS logging solutions provided by
Security Device Event Exchange (SDEE) and syslog.
• (Optional) Compare and contrast the Global Correlation method
with SensorBase now recommended for IPS implementations
with the previous generation of IPS update methods which
required more administrator intervention.
• Describe a hypothetical network with and without IPS
implemented.
– What types of problems might occur in the network without IPS deployed?
– Which types of attacks is a network most susceptible to when IPS is
deployed?
– What assets are protected by an IPS deployment?
• What did network administrators do prior to the availability of IPS
solutions?
• What specific events or trends resulted in the mainstream usage
of IPS solutions?
• How do you determine what IPS actions to implement when
signatures for malicious traffic are triggered?
• How do you decide which IPS signatures to implement,
considering the fact that a given device may only reasonably
support a certain threshold of signatures?
• What do you notice regarding the differences between the log
output of Syslog versus SDEE?
• Research the major historical Internet attacks (some were
introduced in Chapter 1). Have students report back as to the role
IPS would play (in retrospect) in mitigating these attacks.
• Ask students to put themselves in the mind of the malicious
hacker. What would such a person do to circumvent IPS
implementations on a network? What attacks would be used to
cause the greatest damage to a network with or without an IPS
solution?
• http://en.wikipedia.org/wiki/Intrusion_prevention_system
• http://www.cisco.com/en/US/products/ps5729/Products_Sub_Category_Home.html
• http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
• http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/lippis-cloud-based.pdf
• http://tools.cisco.com/security/center/home.x
• http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/15-2mt/sec-data-ios-ips15-2mt-book.html