© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Cisco IOS Threat Defense Features Introducing Cisco IOS IPS

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Introducing Cisco IOS IDS and IPS

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v IDS Introduction IDS is a passive devicetraffic does not pass through the IDS device. IDS is reactivegenerates alert to notify manager of malicious traffic. Optional active response: –Further malicious traffic may be denied with security appliance or router –TCP resets can be sent to the source device

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v IPS Introduction IPS is an active device: –All traffic passes through IPS –Uses multiple interfaces Proactive prevention: –Malicious traffic is denied –Alert is sent to management station

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Combining IDS and IPS IPS actively blocks offending traffic: –Should not block legitimate data –Only stops known malicious traffic –Requires focused tuning to avoid connectivity disruption IDS complements IPS: –Verifies that IPS is still operational –Alerts about any suspicious data except known good traffic –Covers the gray area of possibly malicious traffic that IPS did not stop

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Types of IDS and IPS Systems

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v CriteriaTypeDescription Approach to identify malicious traffic Signature-based Vendor provides a signature database. Signatures should be customized. Policy-basedPolicy definition and description is created. Anomaly-basedNormal and abnormal traffic is defined. HoneypotSacrificial host is set up to lure the attacker. Coverage scope Network-based Network sensors scan traffic destined to many hosts. Host-based Host agent monitors all operations within an operating system. Types of IDS and IPS Systems

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Signature-Based IDS and IPS Observe, and block or alarm if a known malicious event is detected. Requires a database of known malicious patterns. The database must be continuously updated.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Policy-Based IDS and IPS Observes, and blocks or alarms if an event outside the configured policy is detected Requires a policy database

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Anomaly-Based IDS and IPS Observe, and block or alarm if an event outside known normal behavior is detected. Statistical versus nonstatistical anomaly detection Requires a definition of normal

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Honeypot Observe a special system, and alarm if any activity is directed at it. The special system is a trap for attackers and not used for anything else. The special system is well-isolated from its environment. Typically used as IDS, not IPS.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Network-Based and Host-Based IPS NIPS: Sensor appliances are connected to network segments to monitor many hosts. HIPS: Centrally managed software agents are installed on each host. –Cisco Security Agents (CSAs) defend the protected hosts and report to the central management console. –HIPS provides individual host detection and protection. –HIPS does not require special hardware.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Network-Based vs. Host-Based IPS Application-level encryption protection Policy enhancement (resource control) Web application protection Buffer overflow Network attack and reconnaissance prevention DoS prevention

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v NIPS Features Sensors are network appliances tuned for intrusion detection analysis. –The operating system is hardened. –The hardware is dedicated to intrusion detection analysis. Sensors are connected to network segments. A single sensor can monitor many hosts. Growing networks are easily protected. –New hosts and devices can be added without adding sensors. –New sensors can be easily added to new networks.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v NIDS and NIPS Deployment

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v IDS and IPS Signatures

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Signature Categories Four types of signatures: –Exploit signatures match specific known attacks. –Connection signatures match particular protocol traffic. –String signatures match string sequences in data. –DoS signatures match DoS attempts. Signature selection is based on: –Type of network protocol –Operating system –Service –Attack type Number of available signatures: –About 1500 for IPS sensors, 1200 for IOS IPS

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Exploit Signatures OSI LayerExploit Signatures Application layerDNS reconnaissance and DoS Worms, viruses, Trojan horses, adware, malware Transport layerPort sweeps TCP SYN attack Network layerFragmentation attacks IP options ICMP reconnaissance and DoS

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Signature Examples IDNameDescription 1101Unknown IP Protocol Triggers when an IP datagram is received with the protocol field set to 134 or greater. 1307TCP Window Size Variation This signature will fire when the TCP window varies in a suspect manner. 3002TCP SYN Port Sweep Triggers when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host. 3227WWW HTML Script Bug Triggers when an attempt is made to view files above the HTML root directory.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Cisco IOS IPS Signature Definition Files

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Cisco IOS IPS SDFs A Cisco IOS router acts as an in-line intrusion prevention sensor. Signature databases: –Built-in (100 signatures embedded in Cisco IOS software) –SDF files (can be downloaded from Cisco.com): Static (attack-drop.sdf) Dynamic (128MB.sdf, 256MB.sdf)based on installed RAM Configuration flexibility: –Load built-in signature database, SDF file, or even merge signatures to increase coverage –Tune or disable individual signatures

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Cisco IOS IPS Alarms

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Cisco IOS IPS Alarms: Configurable Actions Send an alarm to a syslog server or a centralized management interface (syslog or SDEE). Drop the packet. Reset the connection. Block traffic from the source IP address of the attacker for a specified amount of time. Block traffic on the connection on which the signature was seen for a specified amount of time.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Cisco IOS IPS Alarm Considerations Alarms can be combined with reactive actions. SDEE is a communication protocol for IPS message exchange between IPS clients and IPS servers: –More secure than syslog –Reports events to the SDM When blocking an IP address, beware of IP spoofing: –May block a legitimate user –Especially recommended where spoofing is unlikely When blocking a connection: –IP spoofing less likely –Allows the attacker to use other attack methods

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Summary IDS and IPS are complementary technologies. IDS is passive and triggers a wider range of alarms. IPS is reactive and more focused on the environment. Common types of IDS and IPS are: policy, signature, anomaly, honeypot, network- and host-based. Signatures are categorized based on their nature and OSI layer. Cisco IOS IPS in-line sensor uses SDFs to prevent intrusions. Possible actions when a signature triggers include: alarm, drop packet, reset connection, block IP address, block connection.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v