Please enable JavaScript.

Coggle requires JavaScript to display documents.

:star: IPS Technologies :star:, image, image, image, image, image, image,…

- - - - The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs. A virtual service container is a virtual machine that runs on the ISR router operating system. Service containers are applications that can be hosted directly on Cisco IOS XE routing platforms. These apps use the Linux aspects of the IOS XE operating system to host both Linux Virtual Containers (LXC) and Kernel virtual machines (KVM). The Snort container is distributed as an Open Virtualization Appliance (OVA) file that is installed on the router.
        
        Unlike IOS IPS, Snort IPS can use the computer power of the service container to scale security with the platform without affecting routing capabilities or other data plane functionality. The virtual service supports three resource profiles that indicate how the Snort container uses system CPU, RAM, and Flash or disk resources.
  - - - IDS mode - Snort inspects the traffic and reports alerts, but does not take any action to prevent attacks.
      - IPS mode - In addition to intrusion detection, actions are taken to prevent attacks.
  - - - The network administrator could configure the Cisco IOS IPS to choose the appropriate response to various threats. For example, when packets in a session matched a signature, Cisco IOS IPS could be configured to respond as follows:
        
        Send an alarm to a syslog server or a centralized management interface
        
        Drop the packet
        
        Reset the connection
        
        Deny traffic from the source IP address of the threat for a specified amount of time
        
        Deny traffic on the connection for which the signature was seen for a specified amount of time
  - - - IPS detection and enforcement engine - To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
      - IPS attack signatures package - This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures.
    - - Cisco IOS Intrusion Prevention System (IPS) - This is available on older Cisco 800, 1900, 2900, and 3900 Series ISRs. IOS IPS is no longer supported and should not be used.
      - Cisco Snort IPS - This is available on the Cisco 4000 Series ISRs and Cisco Cloud Services Routers in the 1000v Series.
  - - - Community Rule Set - This set offers limited coverage against threats, focusing on reactive response to security threats versus proactive research work. There is 30-day delayed access to updated signatures in the Community Rule Set, and this subscription does not entitle the customer to Cisco support.
      - Subscriber Rule Set - This set offers the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.
- - - - The IDS works passively.
      - The IDS device is physically positioned in the network so that traffic must be mirrored in order to reach it.
      - Network traffic does not pass through the IDS unless it is mirrored.
      - Very little latency is added to network traffic flow.
- - - - Notice how the tap simultaneously sends both the transmit (TX) data stream from the internal router and the receive (RX) data stream to the internal router on separate, dedicated channels. This ensures that all data arrives at the monitoring device in real time. Therefore, network performance is not affected or degraded by monitoring the connection.
        Taps are also typically fail-safe, which means if a tap fails or loses power, traffic between the firewall and internal router is not affected.
  - - - The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 that connects to an IDS.
        The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored. On some Cisco switches, session traffic can be copied to more than one destination port. Alternatively, a source VLAN can be specified in which all ports in the source VLAN become sources of SPAN traffic. Each SPAN session can have ports or VLANs as sources, but not both.
  - - - Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices
        
        Network taps, sometimes known as test access points (TAPs)
        
        Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring approaches
  - - - The show monitor command is used to verify the SPAN session. The command displays the type of the session, the source ports for each traffic direction, and the destination port. In the example below, the session number is 1, the source port for both traffic directions is F0/1, and the destination port is F0/2. The ingress SPAN is disabled on the destination port, so only traffic that leaves the destination port is copied to that port.