© 2006 Cisco Systems, Inc. All rights reserved. SND v2.05-1 Securing Networks with Cisco IOS IPS Introducing IDS and IPS.

Transcript:

Securing Networks with Cisco IOS IPS: Introducing IDS and IPS

Outline
– Overview
– Introducing IDS and IPS
– Types of IDS and IPS Sensors
– Intrusion Prevention Technologies
– HIPS and Network IPS
– Introducing Signatures
– Examining SDFs and Signature Micro-Engines
– Introducing Signature Alarms
– Summary

Defining IDS and IPS
Intrusion detection system:
– An IDS analyzes copies of the traffic stream.
– Network traffic is not slowed.
– Some malicious traffic is allowed into the network.
Intrusion prevention system:
– Works in line, in real time, to monitor Layer 3 to Layer 7 traffic and content.
– The sensor needs to be able to handle the network traffic load.
– Prevents malicious traffic from entering the network.

IDS and IPS Common Characteristics
IDS and IPS technology is deployed in a sensor. These are the sensor options:
– A router configured with Cisco IOS IPS
– An appliance specifically designed to provide dedicated IDS or IPS services
– A network module installed in an adaptive security appliance, in a switch, or in a router
The network can be monitored by IDS and IPS technologies (Network IDS and Network IPS). Host computers can be monitored by HIPS.
IDS and IPS technologies use a set of rules called a signature to detect typical intrusive activity. IDS and IPS technologies look for these patterns of misuse:
– An atomic pattern
– A composite pattern

IDS and IPS Operational Differences
(Diagram: two deployments, labeled IDS and IPS, each showing a switch, a sensor, a management console, and a target.)

Comparing IDS and IPS Solutions
IDS (promiscuous mode)
Advantages:
– No impact on network (latency, jitter)
– No impact on sensor failure
– No network impact on sensor overload
Disadvantages:
– Response action cannot stop trigger packets
– Correct tuning required for response actions
– More vulnerable to network evasion techniques
IPS (in-line mode)
Advantages:
– Trigger packets stopped
– Can use stream normalization techniques
Disadvantages:
– Sensor issues might affect network traffic
– Sensor overloading impacts network
– Some impact on network (latency, jitter)

Placement of IDS and IPS Sensors
(Diagram labels: Internet, Untrusted Perimeter, Outside Firewall, Inside Firewall, DMZ Server, Inside Network, Inside Servers, Critical Servers, Appliance Sensor, Switch Module IDS and IPS Sensor, Network Module IDS Sensor, Host-Specific.)

Types of IDS and IPS Sensors
Signature-based
Advantages:
– Easy configuration
– Fewer false positives
– Good signature design
Disadvantages:
– No detection of unknown signatures
– Initially a lot of false positives
– Signatures must be created, updated, and tuned
Policy-based
Advantages:
– Simple and reliable
– Customized policies
– Can detect unknown attacks
Disadvantages:
– Generic output
– Policy must be created
Anomaly-based
Advantages:
– Easy configuration
– Can detect unknown attacks
Disadvantages:
– Difficult to profile typical activity in large networks
– Traffic profile must be constant
Honey pot-based
Advantages:
– Window to view attacks
– Distract and confuse attackers
– Slow down and avert attacks
– Collect information about attack
Disadvantages:
– Dedicated honey pot server
– Honey pot server must not be trusted

Cisco IOS IPS Attack Responses
– Deny Attacker Inline
– Deny Connection Inline
– Deny Packet Inline
– Log Attacker Packets
– Log Pair Packets
– Log Victim Packets
– Produce Alert
– Produce Verbose Alert
– Request Block Connection
– Request Block Host
– Request SNMP Trap
– Reset TCP Connection

Event Monitoring and Management
There are two key functions of event monitoring and management:
– Real-time event monitoring and management
– Analysis based on archived information (reporting)
Event monitoring and management are hosted on a single server, or on separate servers for larger deployments.
To decide how to implement your monitoring services, consider this:
– It is recommended that a maximum of 25 well-tuned sensors report to a single IDS management console.
Recommended approaches to implementing multiple IDS management consoles:
– Separate monitoring domains
– Hierarchical monitoring structure

Two-Tier Hierarchical Cisco Security MARS IPS Monitoring System
The Cisco Security MARS Global Controller monitors two or more local zones. Each zone consists of a cluster of monitored devices and is managed by a Cisco Security MARS Local Controller.
(Diagram: Global Controller above Local Controller 1, Local Controller 2, and Local Controller 3, each managing the monitored IPS devices of Zone A, Zone B, and Zone C respectively.)

HIPS Features
– HIPS audits host log files, host file systems, and resources.
– Cisco Security Agent software is installed on each host.
– HIPS provides individual host detection and protection.
– HIPS does not require special hardware.
– Cisco Security Agent can stop attacks without any updates by identifying their behavior as malicious and responding to stop the attacks in real time.

HIPS Operation Details
(Diagram: an application calling into the kernel, with HIPS sitting between them.)
1. An application calls for system resources.
2. HIPS checks the call against the policy.
3. Requests are allowed or denied.
– HIPS intercepts operating system and application calls.
– Rules control application and network stacks.
– Processor controls limit buffer overflow, registry updates, writes to the system directory, and the launching of installation programs.
– HIPS is behavior-based.

Cisco HIPS Deployment
(Diagram labels: Untrusted Network, Firewall, Corporate Network, DNS Server, Web Server, SMTP Server, Application Server, Agent on each server, CiscoWorks Management Center for Cisco Security Agents.)

NIPS Features
– Sensors are connected to network segments. A single sensor can monitor many hosts.
– Sensors are network appliances tuned for intrusion detection analysis.
  – The operating system is hardened.
  – The hardware is dedicated to intrusion detection analysis.
– Growing networks are easily protected.
  – New hosts and devices can be added without adding sensors.
  – New sensors can be easily added to new networks.

Cisco NIPS Deployment
(Diagram labels: Untrusted Network, Router, Sensor, Firewall, Sensor, Corporate Network, DNS Server, Web Server, Management Server.)

Comparing HIPS and Network IPS
HIPS
Advantages:
– Host-specific
– Understands context of attack
– Protects host after decryption
– Application-level encryption protection
Disadvantages:
– Operating system dependent
– Lower-level network events not seen
– Host is visible to attackers
Network IPS
Advantages:
– Cost-effective
– Not visible on the network
– Operating system independent
– Lower-level network events seen
Disadvantages:
– Cannot examine encrypted traffic
– Does not understand context of an attack

HIPS and Network IPS Monitoring
(Chart: coverage by HIPS and by Network IPS of application-level encryption protection, policy enhancement (resource control), web application protection, buffer overflow, network attack and reconnaissance prevention, and DoS prevention.)

IPS Signature Operational Characteristics
– A network IPS signature is a set of rules used to detect intrusive activity.
– Sensors scan network packets using existing signatures to detect known attacks and respond with predefined actions.
– You need to tune signatures to reduce false positives. Tune signatures by altering signature parameters.
– You cannot add or delete built-in signatures.
– Some built-in signatures can provide tuning information.
– Some signatures have subsignatures. Configuring a subsignature changes only that subsignature.

IPS Signature Characteristics (Cont.)
There are four types of signatures:
– Exploit
– Connection
– String
– DoS
– State-tracking
The type of signature used depends on these factors:
– Network infrastructure
– Protocols used
– Operating systems
– Services enabled
The number of signatures available depends on the IPS sensor platform type.

Attack Methods, IPS Signature Types, and Capabilities
Attack method: Attempt to connect from a reserved IP address
– Signature type: Connection
– Capabilities: The sensor checks the source address field in an IP header.
Attack method: Illegal TCP flag combination
– Signature type: Connection
– Capabilities: The sensor compares the flags set in a TCP header against known good or bad flag combinations.
Attack method: E-mail infected with a virus
– Signature type: Exploit
– Capabilities: The sensor compares the subject of messages to the subject of known messages associated with the viruses, or it can look for a specific attachment.
Attack method: DNS buffer overflow attempt contained in the payload of a query
– Signature type: String
– Capabilities: The sensor can parse the DNS fields and check their length, or look for exploit shell code sequences in the payload.
Attack method: Denial of service attack on a server
– Signature type: DoS
– Capabilities: The sensor signature keeps track of how many times the command is issued and sends an alert if that number exceeds the set threshold.
Attack method: Unauthorized access to an FTP server
– Signature type: State-tracking
– Capabilities: The sensor monitors FTP traffic for an authorized login. An alert would be sent if unauthorized commands were issued before the user had been properly authenticated.
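As an added illustration (not Cisco IOS IPS code, and not part of the course material), the following toy engine in Python implements the signature types from the table above, and also shows the atomic versus composite distinction from the earlier slide: a connection signature on TCP flags and a DNS length check are atomic (one packet), while the DoS threshold and the FTP state-tracking signature keep state across packets. The packets, the flag set, the regular expression, the DNS length limit and the DoS threshold are constructed assumptions.

```python
"""Toy IPS signature engine (added example, not Cisco IOS IPS code).
Connection (TCP flag combination), atomic DNS length check, string
(regular expression), DoS (per-source repeat threshold) and
state-tracking (FTP command before login). Packets are constructed;
a real sensor would parse live traffic instead."""
import re
from collections import defaultdict

# Assumed signature parameters, not taken from the course material.
ILLEGAL_FLAGS = {"SYN", "FIN"}               # never legal together in one TCP header
STRING_PATTERN = re.compile(r"/etc/passwd")  # string signature: regex over the payload
DNS_MAX_QUERY = 512                          # atomic length check on a DNS query
DOS_THRESHOLD = 5                            # alert once a command repeats more than this
FTP_PRELOGIN_OK = {"USER", "PASS", "QUIT"}   # commands allowed before authentication

def run_engine(packets, dos_threshold=DOS_THRESHOLD):
    """Return (packet_index, signature_name, source) for each signature that fires."""
    alerts = []
    repeats = defaultdict(int)        # composite state for the DoS signature
    ftp_logged_in = defaultdict(bool)  # composite state for the FTP signature
    for i, p in enumerate(packets):
        src, proto, payload = p["src"], p["proto"], p["payload"]
        # Connection signature (atomic): flags of a single TCP header.
        if proto == "tcp" and ILLEGAL_FLAGS <= p["flags"]:
            alerts.append((i, "illegal-tcp-flags", src))
        # Service check (atomic): length of the DNS query payload.
        if proto == "dns" and len(payload) > DNS_MAX_QUERY:
            alerts.append((i, "dns-oversized-query", src))
        # String signature: regular expression over any payload.
        if STRING_PATTERN.search(payload):
            alerts.append((i, "sensitive-file-request", src))
        # DoS signature (composite): count repeats of one command per source.
        if proto == "http":
            repeats[(src, payload)] += 1
            if repeats[(src, payload)] == dos_threshold + 1:
                alerts.append((i, "http-command-flood", src))
        # State-tracking signature (composite): FTP commands before login.
        if proto == "ftp":
            cmd = (payload.split() or [""])[0].upper()
            if cmd == "PASS":
                ftp_logged_in[src] = True  # simplification: server's 230 reply is not checked
            elif cmd not in FTP_PRELOGIN_OK and not ftp_logged_in[src]:
                alerts.append((i, "ftp-command-before-login", src))
    return alerts

def pkt(src, proto, payload, flags=()):
    return {"src": src, "proto": proto, "payload": payload, "flags": set(flags)}

# Constructed sample traffic: one benign FTP session plus several triggers.
SAMPLE_PACKETS = [
    pkt("10.0.0.5", "tcp", "", flags=("SYN", "FIN")),
    pkt("10.0.0.7", "ftp", "USER alice"),
    pkt("10.0.0.7", "ftp", "PASS s3cret"),
    pkt("10.0.0.7", "ftp", "RETR report.txt"),
    pkt("10.0.0.9", "ftp", "RETR /etc/passwd"),
    pkt("10.0.0.5", "dns", "A" * 600),
] + [pkt("10.0.0.11", "http", "GET / HTTP/1.0") for _ in range(6)]

if __name__ == "__main__":
    for alert in run_engine(SAMPLE_PACKETS):
        print(alert)
```

The benign FTP session from 10.0.0.7 produces no alert, while the session from 10.0.0.9 fires both the string signature and the state-tracking signature on the same packet, which is the kind of overlap that makes tuning necessary.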

Signature Definition Files
– An SDF contains all or a subset of the signatures supported by Cisco IPS.
– An IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures. The IPS enforces the policy defined in the signature action.
– Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature.
– The SDF can be saved in the router flash memory.
– SDFs are downloaded automatically using Cisco services.
– Three prebuilt SDFs come with Cisco integrated services routers:
  – 256MB.sdf
  – 128MB.sdf
  – attack-drop.sdf

Memory Requirements of Pre-Built SDFs
Memory Available | Recommended SDF | Number of Signatures
256 MB or lower | 256MB.sdf | ~
MB or lower | 128MB.sdf | ~
MB or lower | attack-drop.sdf | ~82

Distributed Threat Mitigation with Intrusion Prevention System
Cisco Security MARS Distributed Threat Mitigation with IPS facilitates signature tuning and helps reduce the number of false alarms.
(Diagram: alarms and event logs from a Cisco IPS 4200 Series Sensor, IDM, or NM-CIDS* flow into the Cisco Security MARS correlation engine for aggregation and preprocessing; DTM management then provisions and activates signatures.)
*NM-CIDS = Network Module Cisco Intrusion Detection

Benefits of DTM with Cisco IOS IPS Software
– Attempts to use the resources of the router for IPS occur only when needed.
– This solution provides (optionally) automated tuning of IPS signatures.
– Customers that turn on and use the IPS feature on their branch routers will not have to deal with too many (sometimes false) alarms.
– This solution increases the value of a company's investment in network-based intrusion detection products.
– This solution helps the operator quickly locate the source of the attacks.
– The Cisco IOS IPS system evaluates network device and security device events, correlating that data with anomalous traffic flow analysis to determine the fidelity of an IPS device signature alert before applying that signature.

Signature Micro-Engines
Cisco IPS relies on signature micro-engines to support IPS signatures.
– All the signatures in a signature micro-engine are scanned in parallel.
Each signature micro-engine does the following:
– Categorizes a group of signatures (and each signature detects patterns of misuse in network traffic)
– Is customized for the protocol and fields it is designed to inspect
– Defines a set of legal parameters that have allowable ranges or sets of values
– Uses router memory to compile, load, and merge signatures

Supported Signature Micro-Engines
Signature Micro-Engine | Description
Atomic | Signatures that examine simple packets, such as ICMP and UDP
Service | Signatures that examine the many services that are attacked
String | Signatures that use regular expression-based patterns to detect intrusions
Multi-string | Supports flexible pattern matching and supports Trend Labs signatures
Other | Internal engine to handle miscellaneous signatures

Examining Signature Micro-Engine and SDF Build Failures
Type of Failure | Default Response
Signature micro-engine build failure | Fail open
SDF load failure | Fail back to previously loaded SDF
SDF merge failure | Fail back to previously loaded SME
Unsupported signature or signature parameter | Print a syslog message

Cisco Signature Alarm Types
False positive:
– Normal traffic or a benign action causes the signature to fire.
False negative:
– An actual attack is not detected.
True positive:
– An attack is detected as expected.
True negative:
– Normal traffic or a benign action does not cause an alarm.

Support for SDEE and Syslog
(Diagram: the sensor sends alarms over the SDEE protocol to a network management console and as syslog messages to a syslog server.)

Viewing SDEE Alarm Messages

Implementing Alarms in Signatures
– The level assigned to the signature determines the alarm severity level.
– The alarm severity levels are informational, low, medium, and high.
– Make the severity level of the signature the same as the severity level of the alarm.
– Tune your signatures to recognize intrusion patterns that are out of character with your network traffic patterns.

Summary
– IDS technology is passive: it monitors the network for suspicious activity and parses system log files.
– IPS technology is reactive and is able to forward or drop packets based on what is detected.
– IDS and IPS can be implemented on the same sensor.
– There are four types of IDS and IPS sensors:
  – Signature-based
  – Policy-based
  – Anomaly-based
  – Honey pot-based
– An IPS sensor configured with Cisco IOS IPS software can detect malicious activity and respond to protect a network in real time.
– Using event monitoring and management tools, analysis of malicious activity can be done in real time or on archived information.
– HIPS and Network IPS implementations complement one another.
  – HIPS examines local host or operating system information.
  – Network IPS examines network packets for intrusive activity.

Summary (Cont.)
– Cisco IPS uses a signature to detect known intrusive activity and to respond with actions that you define.
– An SDF is a bundle of common signature files.
– Cisco IPS uses signature micro-engines to implement the signatures found in SDFs to detect malicious traffic.
– Configure alarms in a signature file by making the severity level of the alarm the same as the severity level of the signature.
– Minimize false positives and tune your signatures to recognize the intrusion patterns of your network.
