Module 11 IPS Technologies - Coggle Diagram
Module 11 IPS Technologies
11.1 IDS and IPS Characteristics
Zero-Day Attacks
Malware can spread across the world in a matter of minutes. A network must instantly recognize and mitigate malware threats. Firewalls can only do so much and cannot provide protection against all malware and zero-day attacks.
A zero-day attack, sometimes referred to as a zero-day threat, is a cyberattack that tries to exploit software vulnerabilities that are unknown to, or undisclosed by, the software vendor.
Monitor for Attacks
One approach to prevent malware exploits is for an administrator to continuously monitor the network and analyze the log files generated by network devices. Security operations center (SOC) tools, such as security information and event management (SIEM) and security orchestration, automation, and response (SOAR) systems, automate the log file gathering and analysis process. It has become an accepted fact that malware will enter the network despite the best defenses.
A better solution is to use a device that can immediately detect and stop an attack. An Intrusion Prevention System (IPS) performs this function.
Intrusion Prevention and Detection Devices
A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network.
IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:
A router configured with IPS software
A device specifically designed to provide dedicated IDS or IPS services
A hardware module installed in an adaptive security appliance (ASA), switch, or router
11.2 IPS Implementations
Types of IPS
Host-based IPS
A host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious activity. A significant advantage of HIPS is that it can monitor and protect operating system and critical system processes that are specific to that host.
Network-based IPS
A network-based IPS can be implemented using a dedicated or non-dedicated IPS device such as a router. Network-based IPS implementations are a critical component of intrusion prevention.
Sample IPS Sensor Deployment
Network-Based IPS
The hardware of all network-based sensors includes three components:
NIC
The network-based IPS must be able to connect to any network, such as Ethernet, Fast Ethernet, and Gigabit Ethernet.
Processor
Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
Memory
Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network-based IPS to efficiently and accurately detect an attack.
Modes of Deployment
Promiscuous Mode
Inline Mode
11.3 IPS on Cisco ISRs
IPS Components
IPS detection and enforcement engine
To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
IPS attack signatures package
This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures.
Cisco IPS options
Cisco IOS IPS
Snort IPS
Snort Operation
Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. There are currently more than 30,000 signatures in the Snort rule set. It also supports the ability to customize rule sets and provides centralized deployment and management capabilities for 4000 Series ISRs.
11.4 Cisco Switched Port Analyzer
To determine normal network behavior, network monitoring must be implemented. Various tools are used to help discover normal network behavior including IDS, packet analyzers, SNMP, NetFlow, and others.
Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices:
Network taps
A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination.
Traffic mirroring using Switch Port Analyzer (SPAN)
Network switches segment the network by design. This limits the amount of traffic that is visible to network monitoring devices. Because capturing data for network monitoring requires all traffic to be captured, special techniques must be employed to bypass the network segmentation imposed by network switches. Port mirroring is one of these techniques. Supported by many enterprise switches, port mirroring enables the switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) port that is connected to an analysis device.
Configure Cisco SPAN
Switch(config)# monitor session number source [interface interface | vlan vlan]
Switch(config)# monitor session number destination [interface interface | vlan vlan]
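A complete local SPAN session built from the two commands above, added here as an example and not taken from the module: it mirrors a switch uplink to a port where an IDS/IPS sensor listens in promiscuous mode. The session number, interface names and VLAN number are assumed.

```cisco
! Added example (not from the original module): local SPAN on a Cisco IOS switch.
! Assumed: Gi0/1 is the uplink to be watched, Gi0/24 connects to the sensor.
Switch# configure terminal
! Source: copy frames received AND transmitted on the uplink ("both" is the default;
! use rx or tx to mirror one direction only)
Switch(config)# monitor session 1 source interface GigabitEthernet0/1 both
! Destination: the sensor port. A SPAN destination only emits mirrored frames;
! it does not carry normal traffic, so the sensor is purely passive (promiscuous mode).
Switch(config)# monitor session 1 destination interface GigabitEthernet0/24
Switch(config)# end
! Verify the session, its source(s), destination and direction
Switch# show monitor session 1
! Alternative (assumed VLAN number): mirror every port in VLAN 10 instead of a
! single interface, in its own session because port and VLAN sources are not mixed
Switch(config)# monitor session 2 source vlan 10
Switch(config)# monitor session 2 destination interface GigabitEthernet0/24
! Remove a session when the analysis is finished
Switch(config)# no monitor session 1
```

Mirroring both directions of a gigabit link onto a single gigabit destination port can oversubscribe it, and the switch silently drops the excess, so the sensor may miss frames that a network tap (which forwards everything, including physical-layer errors) would have delivered.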