Cisco IDS/IPS Fundamentals
Difference Between IPS and IDS
Whenever IPS is mentioned, we immediately know that the sensor is inline with the traffic, which makes it possible to prevent the attack from getting any further into the network.
All traffic passing through that point in the network is forced through one physical or logical port on the sensor, where it is analyzed and either permitted or denied before continuing its journey to the destination.
One drawback of IPS is that, because it is inline, a sensor failure can take down the entire network if there is no alternate path. In practice this is mitigated with a redundant path or with a bypass (fail-open) mode, accepting that while the sensor is down or bypassed the traffic passes uninspected.
An IDS is not placed inline; instead, copies of the packets traversing the network (for example from a SPAN port or a tap) are sent to the IDS sensor.
Instead of preventing malicious traffic from reaching its destination, the IDS only sends alerts when it detects something wrong.
Sensor Platforms
Dedicated IPS appliance, such as the 4200 series
Software running on the router in versions of IOS that support it
Module in an IOS router, such as the AIM-IPS or NME-IPS modules
Module on an ASA firewall in the form of the AIP module for IPS
Blade that works in a 6500 series multilayer switch
Cisco FirePOWER 8000/7000 series appliances
Virtual Next-Generation IPS (NGIPSv) for VMware
ASA with FirePOWER services
Positive/Negative Terminology
A false positive is when the sensor generates an alert about traffic that is not malicious, or not important as related to the safety of the network. False positives are easy to identify because the alerts are generated and can be reviewed.
A false negative, however, is when there is malicious traffic on the network and, for whatever reason, the IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything bad is going on.
In that case you must rely on some third-party or external system to alert you to the problem, such as syslog messages from a network device.
True positive
means that there was malicious traffic and that the sensor saw it and reported on it; if the sensor was an IPS, it may have dropped the malicious traffic based on the current set of rules in place.
A true negative is also desirable: there was normal, nonmalicious traffic and the sensor did not generate any alert, which is the expected sensor behavior for nonmalicious traffic.
Identifying Malicious Traffic on the Network
Signature-based IPS/IDS
Policy-based IPS/IDS
Anomaly-based IPS/IDS
Reputation-based IPS/IDS
Possible Sensor Responses to Detected Attacks (for further details see the table on pages 503/504)
Deny attacker inline
This action denies all packets from the source IP address of the attacker (including the one that triggered the alert) for a configurable duration, after which the deny is dynamically removed (IPS only).
Deny connection inline
This action drops the packet that triggered the action and any future packets that belong to the same TCP connection. The attacker could open a new TCP session (using different port numbers), which would still be permitted through the inline IPS until it triggers a signature itself.
Deny packet inline
Deny packet inline drops only the single packet that triggered the alert (IPS only).
Log attacker (source) packets
This action begins to log future packets based on the attacker's source IP address. This is usually done for a short duration, such as 30 seconds, after the initial alert. Log files are stored in a format (libpcap) that is readable by most protocol analyzers.
Log victim (destination) packets
This logging action begins to log all IP packets whose destination IP address is the victim (the destination address of the packet or packets that triggered the alert).
Log pair (source,destination) packets
This logging action logs IP packets whose source address matches the source of the packet that triggered the alert and whose destination address matches that packet's destination. In essence, the sensor logs only future packets sent between the attacker and the victim (the attacked device's address).
Produce alert
An alert is the basic mechanism used by the IDS/IPS to indicate that an event has occurred, such as a signature match indicating malicious traffic. This is the default behavior for most signatures enabled on a sensor.
Risk Rating (RR) Calculation Factors
Target value rating (TVR) => assigned to specific destination IP addresses or subnets where the critical servers/devices live
Signature fidelity rating (SFR) => the accuracy of the signature as rated by its author: how likely it is that a match is not a false positive
Attack severity rating (ASR) => the criticality of the attack as determined by the person who created that signature
Attack relevancy (AR) => the relevance of the attack when we know the IP address of the targeted host (for example, whether that host is actually affected by the attack)
Global correlation => reputation data about the source of the traffic, which can raise the risk rating of traffic from known-bad sources
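The following is an added example, not code from the page or from Cisco, that ties the sensor responses listed above to the risk rating factors: a toy inline sensor matches constructed signatures, computes a risk rating from ASR, TVR and SFR, adds deny packet inline through a high-RR event action override, and then enforces deny attacker inline (with its timer) and deny connection inline (same TCP connection only). The signature IDs, ASR/SFR values, addresses, payload patterns, the 30-second attacker deny, and the override threshold of 90 are all assumptions; the RR arithmetic uses the core of the published Cisco IPS formula, with its promiscuous delta and watch-list adjustments left out.

```python
"""Toy model of an inline IPS: signature match -> risk rating -> event actions.

Added example, not Cisco software. Signature IDs, ratings, addresses,
payload patterns and timers are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: int          # arrival time in seconds (constructed clock)
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed signature table: pattern -> (signature id, ASR, SFR, configured actions)
SIGNATURES = {
    b"../../etc/passwd": ("sig-1", 75, 90, {"produce-alert", "deny-attacker-inline"}),
    b"cmd.exe":          ("sig-2", 50, 70, {"produce-alert", "deny-connection-inline"}),
}

# Target value rating per destination: critical servers 200, everything else default
TVR = {"10.0.0.5": 200}
DEFAULT_TVR = 100

# Assumption: an event action override adds deny-packet-inline when RR >= 90
OVERRIDE_THRESHOLD = 90


def risk_rating(asr: int, tvr: int, sfr: int, arr: int = 0) -> int:
    """Core of the Cisco IPS risk rating formula (assumption; promiscuous delta and
    watch-list adjustments omitted). The result is clamped to 0..100."""
    rr = asr * tvr * sfr // 10000 + arr
    return max(0, min(100, rr))


class InlineSensor:
    def __init__(self, deny_attacker_seconds: int = 30):
        self.deny_attacker_seconds = deny_attacker_seconds
        self.denied_attackers = {}       # src IP -> time the deny expires
        self.denied_connections = set()  # (src, sport, dst, dport)
        self.alerts = []                 # (time, sig id, src, dst, RR, actions)

    def match(self, payload: bytes):
        for pattern, sig in SIGNATURES.items():
            if pattern in payload:
                return sig
        return None

    def process(self, pkt: Packet) -> str:
        """Return 'DROP' or 'FORWARD' for one packet, updating sensor state."""
        # Deny attacker inline: everything from a denied source is dropped until expiry.
        expiry = self.denied_attackers.get(pkt.src)
        if expiry is not None:
            if pkt.t < expiry:
                return "DROP"
            del self.denied_attackers[pkt.src]   # deny removed dynamically after the timer
        # Deny connection inline: later packets of the same TCP connection are dropped.
        conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if conn in self.denied_connections:
            return "DROP"
        # Signature inspection of the packet itself.
        sig = self.match(pkt.payload)
        if sig is None:
            return "FORWARD"
        sig_id, asr, sfr, configured = sig
        rr = risk_rating(asr, TVR.get(pkt.dst, DEFAULT_TVR), sfr)
        actions = set(configured)
        if rr >= OVERRIDE_THRESHOLD:
            actions.add("deny-packet-inline")    # event action override on high RR
        self.alerts.append((pkt.t, sig_id, pkt.src, pkt.dst, rr, actions))
        if "deny-attacker-inline" in actions:
            self.denied_attackers[pkt.src] = pkt.t + self.deny_attacker_seconds
        if "deny-connection-inline" in actions:
            self.denied_connections.add(conn)
        deny = {"deny-packet-inline", "deny-connection-inline", "deny-attacker-inline"}
        return "DROP" if actions & deny else "FORWARD"


def run_demo():
    """Constructed traffic: one source hits a critical server, another probes a normal host."""
    attacker, scanner, critical, normal = "192.0.2.10", "192.0.2.20", "10.0.0.5", "10.0.0.7"
    traffic = [
        Packet(0,  attacker, 40000, critical, 80, b"GET /../../etc/passwd HTTP/1.1"),
        Packet(5,  attacker, 40001, normal,   80, b"GET /index.html HTTP/1.1"),  # inside deny-attacker window
        Packet(40, attacker, 40002, normal,   80, b"GET /index.html HTTP/1.1"),  # window expired
        Packet(41, scanner,  50000, normal,   80, b"GET /scripts/cmd.exe HTTP/1.1"),
        Packet(42, scanner,  50000, normal,   80, b"GET /index.html HTTP/1.1"),  # same connection: denied
        Packet(43, scanner,  50001, normal,   80, b"GET /index.html HTTP/1.1"),  # new connection slips through
        Packet(44, scanner,  50001, critical, 80, b"GET /scripts/cmd.exe HTTP/1.1"),  # same sig, higher TVR
    ]
    sensor = InlineSensor(deny_attacker_seconds=30)
    verdicts = [sensor.process(p) for p in traffic]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    for v in verdicts:
        print(v)
    for a in alerts:
        print(a)
```

The third alert shows why TVR matters: the same sig-2 match scores RR 35 against an ordinary host and RR 70 against the critical server, still below the override threshold, so only the configured deny connection inline applies; the sixth packet shows the caveat from the responses list, a new TCP connection from a source that was only subject to deny connection inline is forwarded.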