Module 12: IPS Operation and Implementation (Coggle Diagram)
12.1 IPS Signatures
IPS Signature Attributes
The network must be able to identify incoming malicious traffic in order to stop it. Fortunately, malicious traffic displays distinct characteristics or “signatures”.
A malicious packet flow has a specific type of activity and signature. IPS sensors must be tuned to look for matching signatures or abnormal traffic patterns. As sensors scan network packets, they use signatures to detect known attacks and respond with predefined actions. An IDS or IPS sensor examines the data flow using many different signatures. A sensor takes action when it matches a signature with a data flow, such as logging the event or sending an alarm to the IDS or IPS management software.
Signatures also have three distinctive attributes:
Type - Atomic or Composite
Trigger - Also called the alarm
Action - What the IPS will do
Types of Signatures
Some threats can be identified in a single packet, while others require many packets and their state information (i.e., IP addresses, port numbers, and more) before the threat can be identified.
There are two types of signatures:
Atomic Signature - This is the simplest type of signature because a single packet, activity, or event identifies an attack. The IPS does not need to maintain state information and traffic analysis can usually be performed very quickly and efficiently.
Composite Signature - Also called a stateful signature because the IPS requires several pieces of data to match an attack signature. The IPS must also maintain state information, which is referred to as the event horizon. The length of an event horizon varies from one signature to the next.
IPS Signature Alarms
The heart of any IPS signature is the signature alarm, which is often referred to as the signature trigger. The signature alarm (i.e., trigger) for an IPS sensor could be anything that can reliably signal an intrusion or security policy violation. For example, a network-based IPS might trigger a signature action if it detects a packet whose payload contains a specific string and that is destined for a specific TCP port.
Evaluating Alerts
Triggering mechanisms can generate alarms that are false positives or false negatives. These alarms must be addressed when implementing an IPS sensor. True positives and true negatives are desirable and indicate the IPS is functioning properly. False positives and false negatives are undesirable and must be investigated.
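An added example, not taken from the module, that shows the two signature types and the alert evaluation in Python: an atomic signature that decides on one packet (a payload string going to a TCP port, as the trigger paragraph describes), a composite signature that keeps per-source state inside an event horizon, and a TP/FP/TN/FN count against constructed ground truth. The packet trace, thresholds and labels are all constructed; packet 2 produces a false positive and packet 3 a false negative.

```python
from collections import defaultdict, deque

# Constructed packet trace: (timestamp, src_ip, dst_port, tcp_flags, payload)
PACKETS = [
    (0.0, "10.0.0.5", 80, "PA", b"GET /index.html HTTP/1.1"),                     # benign
    (0.5, "10.0.0.9", 80, "PA", b"GET /cgi-bin/../../etc/passwd HTTP/1.0"),       # attack
    (0.7, "10.0.0.5", 80, "PA", b"GET /docs/etc/passwd-format.html HTTP/1.1"),    # benign, same string
    (0.9, "10.0.0.9", 80, "PA", b"GET /cgi-bin/..%2F..%2Fetc%2Fpasswd HTTP/1.0"), # attack, encoded
    (1.0, "10.0.0.7", 22, "S", b""), (1.1, "10.0.0.7", 23, "S", b""),             # SYN sweep
    (1.2, "10.0.0.7", 25, "S", b""), (1.3, "10.0.0.7", 80, "S", b""),
    (9.0, "10.0.0.7", 443, "S", b""),   # past the event horizon: earlier state has expired
]

def atomic_payload_signature(pkt, dst_port=80, pattern=b"/etc/passwd"):
    """Atomic signature: a single packet decides, no state is kept between packets."""
    _, _, port, _, payload = pkt
    return port == dst_port and pattern in payload

class CompositeSynSweep:
    """Composite (stateful) signature: `threshold` SYNs from one source to
    distinct ports inside an event horizon of `horizon` seconds."""
    def __init__(self, threshold=4, horizon=5.0):
        self.threshold, self.horizon = threshold, horizon
        self.state = defaultdict(deque)   # src_ip -> deque of (ts, dst_port)

    def match(self, pkt):
        ts, src, port, flags, _ = pkt
        if flags != "S":
            return False
        q = self.state[src]
        q.append((ts, port))
        while ts - q[0][0] > self.horizon:   # drop state older than the horizon
            q.popleft()
        return len({p for _, p in q}) >= self.threshold

def run_sensor(packets):
    """Return (packet_index, signature_name) for every alarm the sensor raises."""
    sweep, alarms = CompositeSynSweep(), []
    for i, pkt in enumerate(packets):
        if atomic_payload_signature(pkt):
            alarms.append((i, "atomic:passwd-on-80"))
        if sweep.match(pkt):
            alarms.append((i, "composite:syn-sweep"))
    return alarms

def evaluate(alarms, packets, truth):
    """Count TP/FP/TN/FN per packet, given the indices that are truly malicious."""
    flagged = {i for i, _ in alarms}
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for i in range(len(packets)):
        correct = (i in flagged) == (i in truth)
        counts[("T" if correct else "F") + ("P" if i in flagged else "N")] += 1
    return counts
```

The false positive comes from a naive substring match and the false negative from an encoded path the signature never normalizes; both are the kinds of alarms the text says must be investigated and tuned.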
12.2 Cisco Snort IPS
IPS Service Options
Cisco Firepower Next-Generation IPS (NGIPS)
These are dedicated in-line threat prevention appliances that provide industry leading effectiveness against both known and unknown threats.
Cisco Snort IPS
This is an IPS service that can be enabled on a second generation ISR (ISR G2) (i.e., ISR 4000s). Note that Cisco 4000 ISRs no longer support Cisco IOS IPS.
External Snort IPS Server
This is similar to the Cisco Snort IPS solution but requires a promiscuous port (i.e., a SPAN switch port) and an external Snort IDS/IPS.
NGIPS
IPS rules that identify and block attack traffic targeted at network vulnerabilities.
Tightly integrated defense against advanced malware by incorporating advanced analysis of network and endpoint activity.
Sandboxing technology that uses hundreds of behavioral indicators to identify zero-day and evasive attacks.
Also includes Application Visibility and Control (AVC), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering.
ISR Container Applications
Snort IPS
Snort IPS on the 4000 Series ISR provides the following functionalities:
IDS and IPS mode
Three signature levels
An allowed list
Snort health monitoring
Fail open and close
Signature update
Event logging
Snort Components and Rules
Snort engine
This is the IPS detection and enforcement engine that is included in the Security (SEC) license for 4000 Series ISRs.
Snort IPS Rule Alarms
Snort IPS Rule Actions
Snort IDS mode can perform the following three actions:
Snort IPS mode can perform all the IDS actions plus the following:
12.3 Configure Snort IPS
To deploy Snort IPS on supported devices, perform the following steps:
Step 1. Download the Snort OVA file.
An Open Virtualization Archive (OVA) is a file that contains a compressed, installable version of a virtual machine. The Snort service OVA file is not bundled with the Cisco IOS XE Release images installed on the router. However, even if an OVA file is preinstalled in the flash of the router, it is recommended that the latest OVA file be downloaded from Cisco.com.
Step 2. Install the OVA file.
To install the OVA file, use the virtual-service install name virtual-service-name package file-url media file-system privileged EXEC command. The name is limited to 20 characters, and the complete path to the OVA file must be specified.
Step 3. Configure Virtual Port Group interfaces.
Two VirtualPortGroup (VPG) interfaces must then be configured along with their guest IP addresses.
Step 4. Activate the virtual services.
The next step is to configure guest IPs on the same subnet for the container side and activate the virtual service as shown in the output.
R1(config)# virtual-service MYIPS
R1(config-virt-serv)# vnic gateway VirtualPortGroup0
R1(config-virt-serv-vnic)# guest ip address 209.165.201.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# vnic gateway VirtualPortGroup1
R1(config-virt-serv-vnic)# guest ip address 192.168.0.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# activate
Step 5. Configure Snort specifics.
Next, configure how Snort is to be deployed (i.e., IPS or IDS mode), where the Snort logs should be sent, the policy and profile Snort should use, and more.
R1(config)# utd engine standard
R1(config-utd-eng-std)# logging host 10.10.10.254
R1(config-utd-eng-std)# logging syslog
R1(config-utd-eng-std)# threat-inspection
R1(config-utd-engstd-insp)# threat protection
R1(config-utd-engstd-insp)# policy balanced
R1(config-utd-engstd-insp)# signature update occur-at daily 0 0
R1(config-utd-engstd-insp)# signature update server cisco username Bob password class
R1(config-utd-engstd-insp)# logging level warning
Step 6. Enable IPS globally or on desired interfaces.
Based on the organizational requirements, Snort can be enabled globally (i.e., on all the interfaces) or on selected interfaces.
The example in the output enables UTD globally on all interfaces and defines what to do if the Snort engine fails.
R1(config)# utd
R1(config-utd)# all-interfaces
R1(config-utd)# engine standard
R1(config-engine-std)# fail close
Alternatively, Snort could be enabled only on select interfaces as shown.
R1(config)# interface G0/0/0
R1(config-if)# utd enable
R1(config)# interface G0/0/1
R1(config-if)# utd enable
Step 7. Verify Snort IPS.
After Snort IPS is implemented, it is necessary to verify the configuration to ensure correct operation.
There are several show commands that can be used to verify the Snort IPS configuration and operation.
show virtual-service list - The command displays an overview of resources that are utilized by the applications.
show virtual-service detail - The command displays a list of resources that are committed to a specified application, including attached devices.
show utd engine standard config - The command displays the UTD configuration.
show utd engine standard status - The command displays the status of the UTD engine.
show platform hardware qfp active feature utd stats - The command checks the data plane. It verifies increments for encap, decap, redirect, and reinject and displays a health of "Green".
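An added example, not from the module or from Cisco, that audits the text of the UTD configuration built in steps 5 and 6 above: it parses two constructed IOS XE running-config excerpts, one that keeps the weak defaults (no remote syslog host, IDS mode only, no scheduled signature update, fail open) and one that mirrors the module's settings, and reports each weak setting. Both excerpts are constructed; the rule that the engine fails open unless `fail close` is configured follows the "Fail open and close" option listed above.

```python
import re

# Constructed IOS XE running-config excerpts (not taken from a real router).
# WEAK_CONFIG keeps the defaults a first deployment often ends up with.
WEAK_CONFIG = """
utd engine standard
 logging syslog
 threat-inspection
  threat detection
  policy connectivity
utd
 all-interfaces
 engine standard
"""

# HARDENED_CONFIG mirrors the settings used in steps 5 and 6 above.
HARDENED_CONFIG = """
utd engine standard
 logging host 10.10.10.254
 logging syslog
 threat-inspection
  threat protection
  policy balanced
  signature update occur-at daily 0 0
  signature update server cisco username Bob password class
  logging level warning
utd
 all-interfaces
 engine standard
 fail close
"""

def audit_utd(config):
    """Return a list of 'code: explanation' findings for a UTD/Snort config text."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    if "utd engine standard" not in lines:
        return ["no-engine: no 'utd engine standard' block, Snort IPS is not configured"]
    findings = []
    if "fail close" not in lines:
        findings.append("fail-open: default fail open bypasses inspection while the Snort engine is down")
    if not any(re.fullmatch(r"logging host \S+", line) for line in lines):
        findings.append("no-syslog-host: alerts stay on the router instead of a central collector")
    if "threat protection" not in lines:
        findings.append("ids-only: threat detection alerts on attacks but does not drop them")
    if not any(line.startswith("signature update occur-at") for line in lines):
        findings.append("no-sig-update: no scheduled signature update, rules go stale")
    if "all-interfaces" not in lines and "utd enable" not in lines:
        findings.append("not-enabled: UTD is neither global nor enabled on any interface")
    return findings
```

Running it against a saved `show running-config` after step 7 gives a quick second check beside the show commands listed above.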