© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.02-1 Lesson 2 Explaining Intrusion Prevention.

Intrusion Detection Versus Intrusion Prevention

Intrusion Detection Systems
– An intrusion detection system has the capability to detect misuse and abuse of, and unauthorized access to, networked resources.

Intrusion Prevention Systems
– An intrusion prevention system has the capability to detect and prevent misuse and abuse of, and unauthorized access to, networked resources.

Intrusion Detection Technologies

Profile-Based Intrusion Detection
– Is also known as anomaly detection because the activity detected deviates from the profile of normal activity
– Requires creation of statistical user and network profiles
– Is prone to a high number of false positives because normal activity is difficult to define

Signature-Based Intrusion Detection
– Is also known as misuse detection or pattern matching; matches patterns of malicious activity
– Requires creation of signatures
– Is less prone to false positives; depends on the signature's ability to match malicious activity

Protocol Analysis
– Intrusion detection analysis is performed on the protocol specified in the data stream.
– Examines the protocol to determine the validity of the packet
– Checks the content of the payload (pattern matching)

Intrusion Detection Evasive Techniques

Evasive Techniques
– Attempts to elude intrusion prevention and detection use evasive techniques such as the following:
  – Flooding
  – Fragmentation
  – Encryption
  – Obfuscation

Flooding
– Saturating the network with noise traffic while also trying to launch an attack against the target is referred to as flooding.

Fragmentation
– Splitting malicious packets into smaller packets to avoid detection and prevention is known as fragmentation.

Encryption
– Launching an attack via an encrypted session can avoid network-based intrusion detection and prevention.
– This type of evasive technique assumes that the attacker has already established a secure session with the target network or host.
– (Diagram label: SSL Session)

Obfuscation
– Disguising an attack by using special characters to conceal it from a sensor is commonly referred to as obfuscation.
– The following are forms of obfuscation:
  – Control characters
  – Hex representation
  – Unicode representation
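As an added example (not part of the Cisco lesson), a minimal Python model of how a sensor counters the fragmentation and obfuscation techniques described above: fragments are reassembled and hex (%XX), Unicode (%uXXXX) and control-character obfuscation is normalized before signature matching, so a request that slips past a raw byte comparison is still caught. The signature set and the sample request are constructed for the illustration.

```python
import re

# Constructed signature set: byte patterns a sensor looks for in an HTTP request URI.
SIGNATURES = {
    "cmd.exe-request": b"cmd.exe",
    "directory-traversal": b"../",
}

_HEX = re.compile(rb"%([0-9A-Fa-f]{2})")        # hex representation, e.g. %63 -> c
_UNICODE = re.compile(rb"%u([0-9A-Fa-f]{4})")   # %uXXXX representation, e.g. %u0063 -> c


def normalize_uri(uri: bytes, max_rounds: int = 3) -> bytes:
    """Decode %XX and %uXXXX escapes (repeated, to undo double encoding) and
    strip control characters, so signatures are matched against what the
    target would actually interpret rather than the bytes on the wire."""
    for _ in range(max_rounds):
        decoded = _UNICODE.sub(lambda m: chr(int(m.group(1), 16)).encode(), uri)
        decoded = _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), decoded)
        if decoded == uri:
            break
        uri = decoded
    return bytes(b for b in uri if 0x20 <= b and b != 0x7F)


def reassemble(fragments):
    """Rebuild a stream from (offset, payload) fragments received in any order.
    Bytes already placed are never overwritten, so an overlapping fragment
    cannot rewrite data the sensor has already inspected."""
    buf, filled = bytearray(), bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            filled.extend(bytes(end - len(filled)))
        for i, byte in enumerate(data):
            if not filled[offset + i]:
                buf[offset + i] = byte
                filled[offset + i] = 1
    return bytes(buf)


def match_signatures(data: bytes):
    """Names of signatures whose pattern occurs in data (plain byte comparison)."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def inspect(fragments):
    """Sensor pipeline: reassemble, normalize, then match."""
    return match_signatures(normalize_uri(reassemble(fragments)))


# Constructed sample: the URI arrives as two out-of-order fragments and uses hex escapes.
SAMPLE_FRAGMENTS = [(12, b"64.exe?file=%2e%2e%2fetc"), (0, b"/app/%63%6d%")]
```

Matching each fragment on its own, or the raw bytes without decoding, fires nothing; the same request fires both signatures once it is reassembled and normalized.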

Cisco Network Sensors

Cisco Sensor Family
– (Table of performance in Mbps and network media per sensor. Recoverable entries: IDSM-2; IDS 4255; NM-CIDS, 10/100 TX; AIP-SSM, 10/100/1000 TX; the remaining rows list 10/100/1000 TX, 1000 SX and switched media. The per-sensor performance figures did not survive the transcript.)

Cisco 4200 Series Appliance
– Appliance solution focused on protecting network devices, services, and applications
– Sophisticated attack detection:
  – Network attacks
  – Application attacks
  – DoS attacks
  – Fragmented attacks
  – Whisker attacks
– Intrusion prevention capability

Advanced Inspection and Prevention Security Services Module
– High-performance module designed to provide additional security services to the Cisco Adaptive Security Appliance
– Diskless design for improved reliability
– External 10/100/1000 Ethernet interface for management and software downloads
– Intrusion prevention capability
– Runs the same software image as the sensor appliances

Cisco Catalyst 6500 IDSM-2
– Switch-integrated intrusion protection module delivering a high-value security service in the core network fabric device
– Supports an unlimited number of VLANs
– Intrusion prevention capability
– Runs the same software image as the sensor appliances

IDS Network Module
– Integrates IDS into Cisco 2600XM, 2691, 3660, 3725, and 3745 access routers and the 2811, 2821, 2851, 3825, and 3845 integrated services routers
– Provides full-featured intrusion protection
– Is able to monitor traffic from all router interfaces
– Is able to inspect GRE and IPsec traffic that has been decrypted at the router
– Delivers comprehensive intrusion protection at branch offices, isolating threats from the corporate network
– Runs the same software image as the sensor appliances

Sensor Appliances

Sensor Appliance Interfaces
– (Diagram labels: Monitoring Interface, Command and Control Interface, Protected Network, Management System, Sensor, Switch, Router, Untrusted Network)

Cisco 4215 Sensor Front Panel
– (Diagram labels: Monitoring Network Interface Card LED, Power LED, Command and Control Network Interface Card LED)

Cisco 4215 Sensor Back Panel
– (Diagram labels: Monitoring Interface, Command and Control Interface, Console Port, Optional Monitoring Interfaces)

Cisco 4240 Sensor Front Panel
– (Diagram labels: Flash Indicator, Power Indicator, Status Indicator)

Cisco 4240 Sensor Back Panel
– (Diagram labels: Power Connector, Flash Indicator, Monitoring Interfaces, Command and Control Interface, Console Port, Expansion Slot, Auxiliary Port, Compact Flash, Status Indicator, Power Indicator, USB Ports, Power Switch, Indicator Light, Indicators)

Cisco 4255 Sensor Front Panel
– (Diagram labels: Flash Indicator, Power Indicator, Status Indicator)

Cisco 4255 Sensor Back Panel
– (Diagram labels: Command and Control Interface, Indicators, Monitoring Interfaces, Compact Flash, Console Port, Indicator Light, Power Connector, Power Switch, Auxiliary Port, Flash Indicator, Status Indicator, Power Indicator, USB Ports, Expansion Slot)

Promiscuous-Mode IDS and Inline-Mode IPS

Promiscuous-Mode Protection: IDS
– A network device sends copies of packets to the sensor for analysis.
– If the traffic matches a signature, the signature fires.
– The sensor can send an alarm to a management console and take a response action such as resetting the connection.
– (Diagram labels: Target, Management System, Sensor, Switch)

Inline-Mode Protection: IPS
– The sensor resides in the data forwarding path.
– If a packet triggers a signature, it can be dropped before it reaches its target.
– An alert can be sent to the management console.
– (Diagram labels: Target, Management System, Sensor)

Reliable IPS
– IPS 5.0 software contains several features that enable you to use inline deny actions with confidence. Among these features are the following:
  – Risk rating
  – Software bypass mode
  – Application firewall
  – Meta event generator

Cisco Defense in Depth

Network IPS
– Sensors are connected to network segments. A single sensor can monitor many hosts.
– Growth of a network is easily protected. New hosts and devices can be added to the network without additional sensors.
– The sensors are network appliances tuned for intrusion detection analysis.
  – The operating system is hardened.
  – The hardware is dedicated to intrusion detection analysis.

Network IPS (Cont.)
– (Diagram labels: Corporate Network, Management Server, Sensor, Firewall, Router, Switch, Untrusted Network)

Host Intrusion Prevention System
– Consists of agent software installed on each host
– Provides individual host detection and protection
– Does not require special hardware

Host Intrusion Prevention System (Cont.)
– (Diagram labels: Firewall, Corporate Network, DNS Server, WWW Server, SMTP Server, Application Server, Console, an Agent on each server, Untrusted Network)

Defense in Depth: A Layered Solution
– (Diagram: the layers shown are application-level encryption protection, policy enforcement (resource control), web application protection, buffer overflow, network attack and reconnaissance detection, and DoS detection, split between host-focused technology and network-focused technology.)

Sensor Deployment

Sensor Selection Factors
– Network media: Ethernet, Fast Ethernet, or Gigabit Ethernet
– Intrusion detection analysis performance: bits per second
– Network environment: T1/E1, switched, multiple T3/E3, or gigabit

IDS and IPS Deployment Considerations
– Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do not plan to use deny actions.
– Deploy an IPS sensor in those areas where you need and plan to use deny actions.

Sensor Deployment Considerations
– Number of sensors
– Sensor placement
– Management and monitoring options
– External sensor communications

Deploying IDS and IPS
– (Diagram labels: DNS Server, WWW Server, Branch, Management Server, Sensor, Firewall, Sensor, Router, IDSM-2, NM-CIDS, Corporate Network, CSA Agent, Untrusted Network)

IDS and IPS Sensor Placement
– Sensor on outside:
  – Sees all traffic destined for your network
  – Has a high probability of false positives
  – Does not detect internal attacks
– Sensor on inside:
  – Sees only traffic permitted by the firewall
  – Has a lower probability of false positives
  – Requires immediate response to alarms
– (Diagram labels: Attacker, Inside, Internet)

IPS Terminology

Vulnerabilities and Exploits
– A vulnerability is a weakness that compromises either the security or the functionality of a system.
  – Poor passwords
  – Improper input handling
  – Insecure communications
– An exploit is the mechanism used to leverage a vulnerability.
  – Password guessing tools
  – Shell scripts
  – Executable code

False Alarms
– False positive: Normal traffic or a benign action causes the signature to fire.
– False negative: A signature is not fired when offending traffic is detected. An actual attack is not detected.

True Alarms
– True positive: A signature is fired properly when the offending traffic is detected. An attack is detected as expected.
– True negative: A signature is not fired when nonoffending traffic is detected. Normal traffic or a benign action does not cause an alarm.

Cisco IPS Software Architecture

Software Architecture Overview
– These are the primary components of the IPS software architecture:
  – Event Store provides storage for all events.
  – Analysis Engine is the monitoring application.
  – MainApp is the core application.
  – Web server runs within MainApp and services all web and SSL requirements.
  – SSH and Telnet services handle the SSH and Telnet requirements for the CLI application.

Software Architecture Overview (Cont.)
– IDAPI provides the communication channel between applications.
– Network Access Controller runs within MainApp and is used to initiate the blocking response action on network devices.
– NotificationApp supports SNMP gets.
– Sensor interfaces serve as the traffic inspection points. Sensor interfaces are also used for TCP resets and IP logging.

Summary
– An intrusion detection system has the ability to detect misuse and abuse of, and unauthorized access to, networked resources.
– An intrusion prevention system has the ability to detect and prevent misuse and abuse of, and unauthorized access to, networked resources.
– Profile-based intrusion detection notes activity considered outside of normal activity.
– Signature-based intrusion prevention matches patterns of malicious activity.
– Cisco offers a wide variety of IDS and IPS appliances and modules.

Summary (Cont.)
– Cisco offers two types of intrusion detection and prevention systems: promiscuous-mode IDS and inline IPS.
– An HIPS provides individual host protection and detection.
– A network IDS or IPS provides broader protection by monitoring network segments.
– There are several factors to consider when deploying intrusion detection and intrusion prevention.
– Cisco's software architecture is an integrated application that runs on the Linux operating system.

Summary (Cont.)
– A defense-in-depth security solution is focused on providing multiple layers of security beyond a single device or technology.
– Selection of network sensors depends on the following factors: network media, intrusion detection analysis performance, and network environment.
– Sensor deployment considerations include the following: number of sensors needed, sensor placement, management and monitoring options, and external sensor communications.