Module 12: IPS Operation and Implementation
12.1. IPS Signatures
12.1.1 IPS Signature Attributes
Conceptually similar to the virus.dat file used by virus scanners, a signature is a set of rules that an IDS and an IPS use to detect typical intrusion activity.
12.1.2 Types of Signatures
Some threats can be identified in one packet, while others require many packets and their state information.
Atomic Signature
This is the simplest type of signature because a single packet, activity, or event identifies an attack.
Composite Signature
Also called a stateful signature, because the IPS must collect several pieces of data (usually across multiple packets) before the attack signature can match.
12.1.3 IPS Signature Alarms
The signature alarm (i.e., trigger) for an IPS sensor could be anything that can reliably signal an intrusion or security policy violation.
12.1.4 IPS Signature Actions
When a signature detects the activity for which it is configured, the signature triggers one or more actions.
12.1.5 Evaluating Alerts
Triggering mechanisms can generate false positives (alarms on benign traffic) and false negatives (attacks that raise no alarm). Both must be addressed when implementing an IPS sensor: false positives have to be tuned out, and false negatives point to missing or ineffective signatures.
12.2 Cisco Snort IPS
12.2.1 IPS Service Options
Cisco Firepower Next-Generation IPS (NGIPS)
Cisco Snort IPS
External Snort IPS Server
12.2.2 NGIPS
NGIPSs are dedicated IPS appliances. They are built on Snort's core open technology and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based security intelligence provided by Cisco Talos.
12.2.3 Snort IPS
Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks.
12.2.4 Snort Components and Rules
Snort engine
Snort rule software subscriptions for signature updates
12.2.5 ISR Container Applications
Routers have acquired so much processing power that server applications can now be hosted inside the router using virtual machines called service containers.
12.2.6 Snort IPS Rule Alarms
In Snort IPS, signatures are configured as rules, and the rules serve as the signature alarms: incoming traffic is compared against each rule, and traffic that matches both the rule header (action, protocol, source and destination addresses and ports, direction) and the rule options triggers the action named in the header.
12.2.8 Snort IPS Header Rule Options
The rule header is followed by the rule options in parentheses, which provide additional information for the rule (such as the message, content patterns, SID and revision). Options are separated by semicolons (;), and each option keyword is separated from its argument by a colon (:).
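To make the header/option split and the atomic-versus-composite distinction concrete, here is an added example: a small Python parser for Snort-2-style rules and a matcher that evaluates them against constructed packets. This is editor-written toy code, not Snort's engine and not part of the course. The network variables, SIDs, addresses and packets are assumptions, and the detection_filter handling is a simplified model of Snort's by_src tracking. The first rule is atomic (one packet with the content fires it); the second is composite, because it only fires once more than three matches from one source land inside a ten-second window.

```python
"""Toy Snort-style rule parser and matcher (added example; not Snort code).

All addresses, SIDs and packets below are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict, deque

# Network variables as snort.conf would define them (assumed values).
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}

# Header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split one rule into header fields plus an ordered list of (keyword, argument)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = []
    # Options are separated by ';', keyword and argument by ':' (no quote escaping here).
    for field in (f.strip() for f in m.group("opts").split(";")):
        if field:
            key, _, arg = field.partition(":")
            opts.append((key.strip(), arg.strip().strip('"')))
    rule["options"] = opts
    return rule


def _addr_match(spec, ip):
    spec = VARS.get(spec, spec)  # expand $HOME_NET-style variables
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(rule, pkt):
    """True when the packet's 5-tuple satisfies the rule header (either way for '<>')."""
    if rule["proto"] != pkt["proto"]:
        return False

    def one_way(s, sp, d, dp):
        return (_addr_match(rule["src"], s) and _port_match(rule["sport"], sp)
                and _addr_match(rule["dst"], d) and _port_match(rule["dport"], dp))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


class Sensor:
    """Evaluates rules packet by packet; keeps per-(sid, source) state for composite rules."""

    def __init__(self, rule_texts):
        self.rules = [parse_rule(r) for r in rule_texts]
        self.seen = defaultdict(deque)  # (sid, src ip) -> timestamps of matches

    def process(self, pkt):
        """Return [(action, sid, msg), ...] fired by this packet."""
        fired = []
        for rule in self.rules:
            opts = dict(rule["options"])
            if header_matches(rule, pkt) and self._content_ok(rule, pkt) and self._filter_ok(rule, pkt):
                fired.append((rule["action"], int(opts["sid"]), opts.get("msg", "")))
        return fired

    def _content_ok(self, rule, pkt):
        # Atomic part: every content: pattern must be present in this one packet's payload.
        nocase = any(k == "nocase" for k, _ in rule["options"])  # applied to all contents here
        hay = pkt.get("payload", b"")
        for key, arg in rule["options"]:
            if key == "content":
                needle = arg.encode()
                if nocase:
                    needle, hay = needle.lower(), hay.lower()
                if needle not in hay:
                    return False
        return True

    def _filter_ok(self, rule, pkt):
        # Composite part: "detection_filter:track by_src, count N, seconds S" fires only
        # once more than N matches from the same source fall inside an S-second window.
        opts = dict(rule["options"])
        if "detection_filter" not in opts:
            return True
        params = dict(p.split() for p in opts["detection_filter"].split(","))
        if params.get("track") != "by_src":
            raise ValueError("only track by_src is modelled")
        window = self.seen[(opts["sid"], pkt["src"])]
        window.append(pkt["ts"])
        while pkt["ts"] - window[0] > int(params["seconds"]):
            window.popleft()
        return len(window) > int(params["count"])


# Constructed rules: the first is atomic, the second composite (stateful).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin path probe"; '
    'content:"GET /admin"; nocase; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection flood"; '
    'detection_filter:track by_src, count 3, seconds 10; sid:1000002; rev:1;)',
]


def run_demo():
    """Feed constructed packets through the sensor; returns one result list per packet."""
    sensor = Sensor(RULES)
    packets = [
        # External client, mixed-case payload: the atomic rule fires on this single packet.
        {"proto": "tcp", "src": "203.0.113.5", "sport": 40001, "dst": "10.1.1.10",
         "dport": 80, "payload": b"get /ADMIN HTTP/1.1", "ts": 0},
        # Same payload from an internal host: the header does not match $EXTERNAL_NET.
        {"proto": "tcp", "src": "10.2.2.2", "sport": 40002, "dst": "10.1.1.10",
         "dport": 80, "payload": b"GET /admin HTTP/1.1", "ts": 1},
    ]
    # Five SSH attempts from one source within 5 seconds: only the 4th and 5th exceed
    # "count 3", so the composite rule stays silent for the first three.
    packets += [{"proto": "tcp", "src": "203.0.113.5", "sport": 50000 + i, "dst": "10.1.1.20",
                 "dport": 22, "payload": b"", "ts": 2 + i} for i in range(5)]
    return [sensor.process(p) for p in packets]


if __name__ == "__main__":
    for i, hits in enumerate(run_demo()):
        print(i, hits)
```

Note what the second rule shows about composite signatures: the sensor has to keep state (here a per-source timestamp window) between packets, which is exactly the memory and tuning cost that atomic signatures avoid.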
12.4 IPS Operation and Implementation Summary
12.4.1 What Did I Learn in this Module?
IPS Signatures
IPS signatures have three attributes: type, trigger, and action. The signature type can be atomic or composite.
Cisco Snort IPS
In modern Cisco networks, intrusion prevention is provided by dedicated Firepower NGIPS devices, by Snort IPS running on ISR 4000 routers, or by an external Snort IPS server.
Configure Snort IPS
To configure Snort IPS on an ISR 4000 device, you must download the latest OVA file, install it on the router, configure VPG interfaces, activate the virtual services, configure Snort IPS specifics, and enable UTD.
12.3 Configure Snort IPS
12.3.1 Snort IPS Configuration Steps
Snort IPS is available only in Cisco IOS XE images with the security (K9) license; the security license is required to enable the service. The feature is available in Cisco IOS XE Release 3.16.1S, 3.17S, and later releases.
12.3.2 Step 1. Download the Snort OVA File
An Open Virtualization Archive (OVA) is a file that contains a compressed, installable version of a virtual machine.
12.3.3 Step 2. Install the Snort OVA File
To install the OVA file, use the virtual-service install name virtual-service-name package file-url [media file-system] privileged EXEC command.
12.3.4 Step 3. Configure Virtual Port Group Interfaces
VPG0 (VirtualPortGroup0)
- Management interface: the container uses it to exchange information with IPS servers (signature updates, logging).
VPG1 (VirtualPortGroup1)
- Data interface: user traffic marked for inspection is handed to Snort over it. It should not be routable, so assign it a non-routable private IP address.
12.3.5 Step 4. Activate Virtual Services
The next step is to configure guest IP addresses for the container side, on the same subnet as each VirtualPortGroup interface, and then activate the virtual service, as shown in the output.
12.3.6 Step 5. Configure Snort Specifics
Next, configure how Snort is deployed (IPS mode, which drops matching traffic, or IDS mode, which only alerts), where Snort logs are sent, which policy and profile Snort uses, and so on.
12.3.7 Step 6. Enable IPS Globally or on Desired Interfaces
Based on the organizational requirements, Snort can be enabled globally (i.e., on all the interfaces) or on selected interfaces.
12.3.8 Step 7. Verify Snort IPS
After Snort IPS is implemented, it is necessary to verify the configuration to ensure correct operation.
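The seven steps above, assembled into one added configuration example. It was written for this page by the editor and is not taken from the course or from a Cisco document. The OVA file name, interface addresses, syslog server, signature-update credentials and the GigabitEthernet interface name are assumptions; the command syntax is the IOS XE Snort IPS syntax (utd engine standard with the threat-inspection submode), and submode names vary between releases, so confirm each command with context-sensitive help (?) on the router before deploying.

```text
! Step 2 (privileged EXEC): install the OVA copied to bootflash (file name assumed)
virtual-service install name UTD package bootflash:utd-ips.ova

! Step 3: VirtualPortGroup interfaces. VPG1 carries inspected user traffic and
! must stay on a private, non-routable subnet that is never advertised.
interface VirtualPortGroup0
 description management path to the Snort container
 ip address 192.168.0.1 255.255.255.252
!
interface VirtualPortGroup1
 description data path to the Snort container (non-routable)
 ip address 192.168.1.1 255.255.255.252
!
! Step 4: container-side guest IPs on the same /30 subnets, then activate
virtual-service UTD
 profile low
 vnic gateway VirtualPortGroup0
  guest ip address 192.168.0.2
 vnic gateway VirtualPortGroup1
  guest ip address 192.168.1.2
 activate
!
! Step 5: Snort specifics. "threat protection" is IPS mode (drops); use
! "threat detection" (IDS mode, alert only) first to baseline false positives.
utd engine standard
 logging host 10.10.10.100
 logging syslog
 threat-inspection
  threat protection
  policy security
  signature update server cisco username ciscouser password ciscopass
  signature update occur-at daily 0 0
  logging level warning
!
! Step 6a: enable globally on all interfaces ...
utd
 all-interfaces
 engine standard
!
! Step 6b: ... or omit all-interfaces and enable per interface instead
interface GigabitEthernet0/0/1
 utd enable
!
! Step 7 (privileged EXEC): verify the container and the engine
show virtual-service list
show virtual-service detail
show utd engine standard status
show utd engine standard config
show utd engine standard threat-inspection signature update status
```

Two practitioner caveats. The signature-update credentials end up in the running configuration, so use a dedicated account and protect the configuration accordingly. And because IPS mode drops traffic inline, check show utd engine standard status for a healthy engine and review the syslog output from a period in IDS mode before switching threat detection to threat protection; an untuned policy in protection mode turns every false positive into an outage.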