CCNA Security 1.1 Instructional Resource
Chapter 5 – Implementing Intrusion Prevention
© 2012 Cisco and/or its affiliates. All rights reserved.

Chapter objectives
• Describe the underlying IDS and IPS technology that is embedded in the Cisco host- and network-based IDS and IPS solutions.
• Configure Cisco IOS IPS using CLI and CCP.
• Verify Cisco IOS IPS using CLI and CCP.

Certification exam topics covered
8.0 Implementing Cisco IPS
  8.1 Describe IPS deployment considerations
    8.1.3 Placement
  8.2 Describe IPS technologies
    8.2.1 Attack responses
    8.2.2 Monitoring options
    8.2.3 Syslog
    8.2.4 SDEE
    8.2.5 Signature engines
    8.2.6 Signatures
    8.2.7 Global Correlation and SIO
  8.3 Configure Cisco IOS IPS using CCP
    8.3.1 Logging
    8.3.2 Signatures

Chapter summary
• IDS passively monitors mirrored traffic offline.
• IPS operates inline and is able to detect and respond to an attack in real time.
• IPS is deployed in standalone devices, as a daughter card on ISRs, as network modules in ISRs and ASAs, and as dedicated blades on high-end chassis-based switches and routers.
• The three attributes of signatures are type, trigger, and action.
• Signature types are atomic or composite.
• Global Correlation enables Cisco IPS devices to receive real-time threat updates from the Cisco SensorBase Network.
• Alarm types are false positive, false negative, true positive, and true negative.
• Signature severity levels are high, informational, low, and medium.
• Signature actions are generate an alert, log the activity, prevent the activity, reset a TCP connection, block future activity, and allow the activity.
• Cisco IOS IPS can be configured via CLI or CCP.
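To make the summary's signature vocabulary concrete, the following is an added Python illustration (not Cisco code; the signature IDs, match pattern, threshold, action names and traffic are all constructed): an atomic signature that decides on a single packet, a composite signature that must correlate several packets from one source before it triggers, the action set each signature carries, and the tally of true/false positives and negatives against a ground-truth label.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:                      # constructed packet summary, not a real capture
    src: str
    dport: int
    syn: bool = False
    payload: bytes = b""
    malicious: bool = False       # ground truth, used only to grade the alarm

class AtomicSignature:
    """Atomic: one packet carries everything needed to decide; no state is kept."""
    def __init__(self, sig_id, pattern, actions):
        self.sig_id, self.pattern, self.actions = sig_id, pattern, actions
    def feed(self, ev):
        return ev.dport == 80 and self.pattern in ev.payload

class CompositeSignature:
    """Composite (stateful): fires once a source has sent SYNs to `threshold`
    distinct ports, so several packets must be correlated before it triggers."""
    def __init__(self, sig_id, threshold, actions):
        self.sig_id, self.threshold, self.actions = sig_id, threshold, actions
        self.ports_seen = defaultdict(set)
    def feed(self, ev):
        if ev.syn:
            self.ports_seen[ev.src].add(ev.dport)
        return len(self.ports_seen[ev.src]) >= self.threshold

def build_signatures():           # hypothetical signature IDs, pattern and actions
    return [AtomicSignature("SIG-1000", b"../..", ["alert", "deny"]),
            CompositeSignature("SIG-2000", 3, ["alert", "reset"])]

def sample_events():              # constructed traffic; 192.0.2.7 sweeps three ports
    return [Event("10.0.0.5", 80, payload=b"GET /index.html"),
            Event("10.0.0.9", 80, payload=b"GET /../../etc/passwd", malicious=True),
            Event("10.0.0.5", 80, payload=b"GET /docs/../../img/a.png"),  # benign but matches
            Event("192.0.2.7", 21, syn=True, malicious=True),
            Event("192.0.2.7", 22, syn=True, malicious=True),
            Event("192.0.2.7", 23, syn=True, malicious=True)]

def run_sensor(events, signatures):
    """Inline pass: returns (src, fired signature ids, actions) per event
    plus the alarm tally. Every signature sees every packet so state stays current."""
    verdicts, tally = [], {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for ev in events:
        fired = [s for s in signatures if s.feed(ev)]
        actions = sorted({a for s in fired for a in s.actions})
        verdicts.append((ev.src, [s.sig_id for s in fired], actions))
        alarmed = "alert" in actions
        if ev.malicious:
            tally["TP" if alarmed else "FN"] += 1   # early sweep probes are missed (FN)
        else:
            tally["FP" if alarmed else "TN"] += 1
    return verdicts, tally
```

The third event shows a false positive (a benign request that happens to contain the pattern), and the first two sweep probes show why a composite signature trades early detection for fewer single-packet alarms.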
Chapter lab
• Chapter 5 Lab A: Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP
  – Part 1: Basic Router Configuration
  – Part 2: Use CLI to configure an IOS Intrusion Prevention System (IPS)
  – Part 3: Configuring an Intrusion Prevention System (IPS) using CCP

Key terms
Anomaly-based Detection: Involves defining a profile of what is considered normal for the network or host, learned by monitoring activity on the network or specific applications on the host over a period of time. An anomaly-based signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.
ASA AIP-SSM: ASA Advanced Inspection and Prevention Security Services Module is a network module added to ASA devices for dedicated IPS support.
Atomic Alert: IPS alert generated every time a signature triggers.
Atomic Signature: Simplest type of signature, consisting of a single packet, activity, or event that is examined.
Composite Signature: Stateful signature which identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Unlike atomic signatures, the stateful properties of composite signatures usually require several pieces of data to match an attack signature.
Crypto Key: Key which verifies the digital signature for the master signature file (sigdef-default.xml), which is signed by a Cisco private key to guarantee its authenticity and integrity.
CSM: Cisco Security Manager (CSM) centrally provisions device configurations and security policies for firewalls, VPNs, and IPS devices.
Event Correlation: Process of correlating attacks and other events that are happening simultaneously at different points across a network. NTP is used by devices to derive the time from an NTP server, enabling alerts generated by the IPS to be accurately timestamped.
False Negative Alarm: Result which occurs when an IPS fails to generate an alarm after processing attack traffic that the IPS is configured to detect.
False Positive Alarm: Expected but undesired result, which occurs when an IPS generates an alarm after processing normal user traffic that should not have triggered an alarm.
Global Correlation: Cisco IPS feature enabling IPS devices to receive regular threat updates from the Cisco SensorBase Network.
High Severity Level: IPS severity rating applied when attacks used to gain access or cause a DoS attack are detected and an immediate threat is extremely likely.
Honey Pot-based Detection: IPS mechanism of using a dummy server to attract attacks in order to distract attacks away from real network devices. By staging different types of vulnerabilities in the honey pot server, administrators can analyze incoming types of attacks and malicious traffic patterns.
Host-based IPS: Software installed on an end-system that integrates with centralized servers to provide intrusion prevention.
IDS: Intrusion Detection Systems (IDS) passively monitor the traffic on a network. An IDS-enabled device copies the traffic stream and analyzes the monitored traffic rather than the actual forwarded packets.
IDSM-2: IDS Services Module that installs in a Catalyst 6500 switch to provide IPS functionality.
IME: Cisco IPS Manager Express (IME) is an all-in-one GUI-based configuration and management tool for IPS appliances.
Incident Response Plan: A plan to be implemented when a system is compromised. The compromised system should be restored to the state it was in before the attack.
Informational Severity Level: IPS severity rating applied when the activity that triggers the signature is not considered an immediate threat, but the information provided is useful.
IOS-Sxxx-CLI.pkg: Cisco IOS signature package.
IPS: Intrusion Prevention Systems (IPS) build on IDS technology.
IPS devices are implemented in inline mode: all traffic must flow through the device for processing. IPS devices can detect and immediately address a network problem as required.
IPS 4200 Series Sensor: IPS 4200 Series Sensors are standalone Cisco devices providing dedicated IPS functionality.
IPS AIM: IPS Advanced Integration Module is a daughter card added to an ISR to provide IPS functionality.
IPS NME: IPS Network Module Enhanced is a module which installs in an ISR to provide IPS functionality.
Low Severity Attack: IPS severity rating applied when abnormal network activity is detected that could be perceived as malicious, but an immediate threat is not likely.
Medium Severity Attack: IPS severity rating applied when abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
Network-based IPS: IPS sensor installed as a network device or integrated within a network device to provide intrusion prevention.
Pattern-based Detection: IPS mechanism of matching pre-defined traffic patterns.
Policy-based Detection: IPS mechanism based on administrator-defined behaviors deemed suspicious based on historical analysis.
realm-cisco.pub.key.txt: Text file containing the public crypto key used by IOS IPS.
Reset TCP Connection: Action used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set.
SDEE: Secure Device Event Exchange (SDEE) is an alarm format developed to improve communication of events generated by security devices. It primarily communicates IDS events, but it is intended to be extensible and allows additional event types to be included as they are defined.
SensorBase Network: Centralized Cisco threat database that contains real-time, detailed information about known threats on the Internet.
Signature: A description of characteristics associated with a known attack. A malicious packet flow has a specific type of activity and signature.
An IDS or IPS sensor examines the data flow using signatures. When a sensor matches a signature with a data flow, it takes action, such as logging the event or sending an alarm to IDS or IPS management software.
SIO: Cisco Security Intelligence Operation (SIO) is a security ecosystem, including the SensorBase Network, designed to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected.
Summary Alert: Single IPS alert that indicates multiple occurrences of the same signature from the same source address or port.
Trigger: Traffic behavior that signals an intrusion or policy violation.
True Negative Alarm: Describes a situation in which normal network traffic does not generate an alarm.
True Positive Alarm: Describes a situation in which an IPS generates an alarm in response to known attack traffic.

What's new in this version
• SDM has been replaced by CCP.
• Host-based IPS content was removed.
• Cisco Global Correlation via the SensorBase Network is now used to update IPS signatures.
• Cisco Security Intelligence Operation (SIO) is a security ecosystem, including the SensorBase Network, designed to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected.

Chapter overview
• Chapter 5 is a fairly even combination of theory and practice.
• The goal is to introduce students to the major concepts of IPS and how IPS devices and IPS signatures are used to proactively prevent intrusion attempts related to malicious traffic on the network.
• The lab is designed to teach students to configure IPS using both the CLI and CCP.
• Students will have used CCP in the lab environment in previous chapters.
  The same troubleshooting techniques for connecting successfully to the ISR via CCP apply here.

Lab preparation
• Obtain the signature packages and the public key from Cisco.com. To do this, you must have an active account on Cisco.com.
  – Download the files at http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
  – IOS-Sxxx-CLI.pkg: This is the signature package.
  – realm-cisco.pub.key.txt: This is the public crypto key used by IOS IPS.
• The mechanics of preparing for the IPS lab are extensive and the requirements for success are exacting. Ensure that the PCs or VMs in the lab have the appropriate Java updates, that the Java runtime parameters are configured correctly, that appropriate browser versions are installed, that the appropriate signature files are available on the PCs or routers, and that the appropriate image is installed on the routers.
• Prepare students to be patient when compiling the IPS signatures for the first time on the router, as it can take quite a while.
• After completing the IPS installation in CCP, encourage students to explore the various signature parameters by way of the Edit tab in CCP.

Teaching tips
• Compare and contrast the role of intrusion prevention solutions versus the role of firewalls. When students are first learning security, it is not uncommon for them to confuse the purpose of IPS with that of a firewall.
  – Explain that firewalls are not updated regularly as IPS signatures on ISRs or virus definitions on PCs are.
  – Firewalls permit or deny traffic based on preconfigured parameters. Intrusion prevention responds to detected malicious traffic with an action, such as reset TCP connection or deny packet inline.
  – IPS solutions are inherently more dynamic than firewalls.
• Host-based IPS solutions are deprecated in this version of the curriculum, but this does not preclude their introduction in the classroom. In this case, compare and contrast host-based versus network-based approaches. A combination of these two approaches is ideal. Some philosophy is involved here – security experts often differ on the relative importance of each approach.
• Compare and contrast the CLI and CCP implementation methods for Cisco IPS. An open-ended discussion on the merits of each approach is beneficial to practitioners.
• Compare the advantages and disadvantages of the four types of signature triggers to minimize common confusion about these:
• Compare and contrast IDS solutions and IPS solutions.
  – What are some advantages of IDS over IPS?
  – Does IDS require any additional technologies compared to IPS?
  – What can an IPS device do that an IDS device cannot?
• Contrast the IPS management options: Cisco IPS Manager Express (IME) or Cisco Security Manager (CSM).
• Compare and contrast the IPS logging solutions provided by Security Device Event Exchange (SDEE) and syslog.
• (Optional) Compare and contrast the Global Correlation method with SensorBase, now recommended for IPS implementations, with the previous generation of IPS update methods, which required more administrator intervention.
• Describe a hypothetical network with and without IPS implemented.
  – What types of problems might occur in the network without IPS deployed?
  – Which types of attacks is a network most susceptible to when IPS is deployed?
  – What assets are protected by an IPS deployment?

Discussion questions
• What did network administrators do prior to the availability of IPS solutions?
• What specific events or trends resulted in the mainstream usage of IPS solutions?
• How do you determine what IPS actions to implement when signatures for malicious traffic are triggered?
• How do you decide which IPS signatures to implement, considering the fact that a given device may only reasonably support a certain threshold of signatures?
• What do you notice regarding the differences between the log output of syslog versus SDEE?

Additional activities
• Research the major historical Internet attacks (some were introduced in Chapter 1). Have students report back on the role IPS would play (in retrospect) in mitigating these attacks.
• Ask students to put themselves in the mind of the malicious hacker. What would such a person do to circumvent IPS implementations on a network? What attacks would be used to cause the greatest damage to a network with or without an IPS solution?

Additional resources
• http://en.wikipedia.org/wiki/Intrusion_prevention_system
• http://www.cisco.com/en/US/products/ps5729/Products_Sub_Category_Home.html
• http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
• http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/lippis-cloud-based.pdf
• http://tools.cisco.com/security/center/home.x
• http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/15-2mt/sec-data-ios-ips15-2mt-book.html