© 2006 Cisco Systems, Inc. All rights reserved. SND v2.05-1 Securing Networks with Cisco IOS IPS Defending Your Network with the Cisco IPS Product Family.


Outline
Overview
Network IPS Solutions
HIPS Solutions
Positioning IPS Solutions
IPS Best Practices
Summary

Cisco IPS Platforms
Cisco ASA 5500 Series Adaptive Security Appliance
Cisco AIP SSM
Cisco IDSM-2
Cisco IDS Network Module
Cisco IPS 4200 Series Sensors

Throughput on Cisco Routers That Support Cisco IOS IPS
Cisco Platform Tested                    Maximum Throughput
Cisco 1841 Integrated Services Router    60 Mbps
Cisco 2801 Integrated Services Router    65 Mbps
Cisco 2811 Integrated Services Router    70 Mbps
Cisco 2821 Integrated Services Router    200 Mbps
Cisco 2851 Integrated Services Router    250 Mbps
Cisco 3825 Integrated Services Router    325 Mbps
Cisco 3845 Integrated Services Router    425 Mbps

Performance and Limitations of Platforms
Cisco IDS or IPS: Cisco IDS 4215 Sensor, Cisco IDS 4250 XL Sensor, Cisco IPS 4240 Sensor, Cisco IPS 4255 Sensor
Inline (IPS) Ready: Yes
Performance (Mbps)
Standard Monitoring Interface: 10/100 BASE-TX 10/100/1000 Dual BASE-SX Four 10/100/1000 BASE-TX
Standard Command and Control Interface: 10/100 BASE-TX 10/100/1000 BASE-TX 10/100 BASE-TX
Optional Interface: Four 10/100 BASE-TX (4-FE) None Four 10/100/1000 BASE-TX (4-FE) Four 10/100/1000 BASE-SX (future) Four 10/100/1000 BASE-TX (4-FE) Four 10/100/1000 BASE-SX (future)
FE = Fast Ethernet

Performance and Limitations of Cisco ASA 5500 Series Platforms
ASA Performance with the Security Service Module
Cisco ASA 5500 Series Adaptive Security Appliance: Cisco ASA 5510 AIP SSM-10, Cisco ASA 5520 AIP SSM-20, Cisco ASA 5540 AIP SSM-20
Firewall + anti-X (Mbps)
Maximum VLANs: 0 (10 sec+), 25, 100
Interfaces (10/100): 3 + Out-of-Band, 1, 1
Interfaces (10/100/1000): 4, 4

Relative Positioning of Cisco IPS Sensors
[Figure: sensors positioned by network media and performance (Mbps): Cisco IDS Network Module, Cisco IDS 4215 Sensor, AIP SSM, Cisco IPS 4240 Sensor, Cisco IPS 4255 Sensor, Cisco ASA 5510, Cisco ASA 5540, IDSM-2]

Cisco IPS Management Software
Available to help with IPS solutions:
Cisco Security MARS
Cisco ICS
Cisco SDM
Cisco IDM
CiscoWorks SIMS
Cisco Security Manager
CiscoWorks VMS
CiscoWorks IPS MC

CSA Architecture
[Figure: CSA MC with Internal or External Database; Security Policy; Server Protected by CSA; Administration Workstation; SSL; Events; Alerts]

Application, Kernel, and Interceptors
[Figure: Application; File System Interceptor, Network Interceptor, Configuration Interceptor, Execution Space Interceptor; Rules Engine; Correlation Engine; Rules and Policies; State; Allowed Request; Blocked Request; Kernel]

CSA Interceptors
Columns: Security Application; Network Interceptor; File System Interceptor; Configuration Interceptor; Execution Space Interceptor
Distributed Firewall: X
Host Intrusion Detection: X X
Application Sandbox: X X X
Network Worm Prevention: X X
File Integrity Monitor: X X

CSA Features
CSA features:
Supports real-time enterprise-class protection decisions
Provides a defense-in-depth approach
Deploys and manages easily
Supports many platforms and operating systems
Provides enforce rule and detect rule organization
Supports internationalization and localization for Microsoft Windows agents
Integrates with the Cisco Trust Agent

Cisco IPS Selection Considerations
Network media
Intrusion detection analysis performance
Network environment
Number of sensors
Sensor placement
Management and monitoring options
External sensor communication

IPS Configuration Best Practices
When setting up a large deployment of sensors, automatically update signature packs rather than manually upgrading every sensor.
Place the signature packs on a dedicated FTP server within the management network.
Stagger the time of day when the sensors check the FTP server for new signature packs.
Group IPS sensors together under a few larger profiles.
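The staggering and grouping practices above, as an added example that is not part of the Cisco course material: it assigns each sensor a check time inside a maintenance window so that only a bounded number of sensors poll the signature server at once, and lists the result per profile. The sensor names, profile labels, window and slot sizes are all assumptions made for illustration.

```python
"""Plan staggered signature-update checks for a fleet of IPS sensors."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: hypothetical sensor names and profile labels.
SENSORS = [
    ("edge-ips-01", "perimeter"), ("edge-ips-02", "perimeter"),
    ("dc-ips-01", "datacenter"), ("dc-ips-02", "datacenter"),
    ("dc-ips-03", "datacenter"), ("branch-ips-01", "branch"),
]

def plan_update_checks(sensors, window_start="01:00", window_minutes=120,
                       max_concurrent=2, slot_minutes=15):
    """Return {sensor: (profile, "HH:MM")} with at most max_concurrent
    sensors checking the signature server in any one time slot."""
    slots = window_minutes // slot_minutes
    if len(sensors) > slots * max_concurrent:
        raise ValueError("window too small for this many sensors")
    start = datetime.strptime(window_start, "%H:%M")
    load = defaultdict(int)
    plan = {}
    # Sorting makes the plan independent of inventory order.
    for name, profile in sorted(sensors):
        # A hash of the name picks the preferred slot, which spreads
        # sensors across the window without any per-sensor tuning.
        first = int(hashlib.sha256(name.encode()).hexdigest(), 16) % slots
        for step in range(slots):
            slot = (first + step) % slots
            if load[slot] < max_concurrent:
                break  # a free slot always exists (capacity checked above)
        load[slot] += 1
        when = start + timedelta(minutes=slot * slot_minutes)
        plan[name] = (profile, when.strftime("%H:%M"))
    return plan

def by_profile(plan):
    """Group the plan by profile: {profile: [(time, sensor), ...]}."""
    groups = defaultdict(list)
    for name, (profile, when) in plan.items():
        groups[profile].append((when, name))
    return {profile: sorted(entries) for profile, entries in groups.items()}

if __name__ == "__main__":
    for profile, entries in by_profile(plan_update_checks(SENSORS)).items():
        print(profile)
        for when, name in entries:
            print(f"  {when}  {name}")
```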

Accommodating Network Growth
Network growth can occur by adding additional hosts or new networks.
  – Additional hosts added to protected networks are covered without adding new sensors.
  – Additional sensors can easily be deployed to protect the new networks.
Some of the factors that influence the addition of sensors are as follows:
  – Exceeded traffic capacity
  – Performance capabilities of the sensor
  – Network implementation

Scaling HIPS Systems
Deploy a central management console to maintain a database of policies and system nodes.
HIPS agents installed on similar systems should be grouped together.
Ensure that you place common HIPS hosts into groups based on your security plan.

Summary
The Cisco IPS solution runs on network modules, purpose-built appliances, and routers, and it is implemented in software.
The CSA solution consists of the CSA MC, the CSA software, and an administration workstation.
The CSA intercepts operating system calls. It then determines if the call should be passed to the kernel for execution or if the suspicious nature of the call warrants an action.
Use these factors to select the best Cisco IPS solution for your needs:
  – Network media
  – Intrusion detection analysis performance
  – Network environment
  – Number of sensors
  – Sensor placement
  – Management and monitoring options
  – External sensor communication
IPS best practices support IPS policies. The key is to reduce the effort required to manage your sensors while maximizing their ability to defend your network.
