Module 11: IPS Technologies - Coggle Diagram
Module 11: IPS Technologies
Cisco Switched Port Analyzer
Network Monitoring Methods
Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices:
Network taps, sometimes known as test access points (TAPs)
Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring approaches
Traffic Mirroring and SPAN
Network switches segment the network by design. This limits the amount of traffic that is visible to network monitoring devices. Because capturing data for network monitoring requires all traffic to be captured, special techniques must be employed to bypass the network segmentation imposed by network switches. Port mirroring is one of these techniques.
SPAN
The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored. On some Cisco switches, session traffic can be copied to more than one destination port.
Network Taps
A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination.
IDS and IPS Characteristics
Zero-Day Attacks
Zero Day Exploit Attack
During the time it takes the software vendor to develop and release a patch, the network is vulnerable to these exploits, as shown in the figure. Defending against these fast-moving attacks requires network security professionals to adopt a more sophisticated view of the network architecture. It is no longer possible to contain intrusions at a few points in the network.
Microsoft Internet Explorer Zero-Day Vulnerability
Monitor for Attacks
One approach to prevent malware exploits is for an administrator to continuously monitor the network and analyze the log files generated by network devices. Security operations center (SOC) tools, such as security information and event management (SIEM) and security orchestration, automation, and response (SOAR) systems, automate the log file gathering and analysis process. It has become an accepted fact that malware will enter the network despite the best defenses.
Intrusion Detection Systems (IDS) were implemented to passively monitor the traffic on a network. The figure shows that an IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets.
Operation
Working offline, the IDS compares the captured traffic stream with known malicious signatures, similar to software that checks for viruses. Working offline means several things:
The IDS works passively.
The IDS device is physically positioned in the network so that traffic must be mirrored in order to reach it.
Network traffic does not pass through the IDS unless it is mirrored.
Very little latency is added to network traffic flow.
Intrusion Prevention and Detection Devices
A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS).
IDS and IPS Characteristics
Malicious traffic is sent to the target host that is inside the network.
The traffic is routed into the network and received by an IPS-enabled sensor where it is blocked.
The IPS-enabled sensor sends logging information regarding the traffic to the network security management console.
The IPS-enabled sensor kills the traffic. (It is sent to the “Bit Bucket.”)
Advantages and Disadvantages of IDS and IPS
IPS Implementations
Types of IPS
Network-based IPS
A network-based IPS can be implemented using a dedicated or non-dedicated IPS device such as a router. Network-based IPS implementations are a critical component of intrusion prevention. Host-based IDS/IPS solutions must be integrated with a network-based IPS implementation to ensure a robust security architecture.
Sample IPS Sensor Deployment
Host-based IPS
Host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious activity. A significant advantage of HIPS is that it can monitor and protect operating system and critical system processes that are specific to that host.
Advantages
Provides operating system and application level protection
Protects the host after the message is decrypted
Provides protection specific to a host operating system
Disadvantages
Operating system dependent
Must be installed on all hosts
Network-Based IPS
Network-based IPS sensors can be implemented in several ways:
On an ASA firewall device
On an ISR router
On a Cisco Firepower appliance
As a virtual Next-Generation IPS (NGIPSv) for VMware
The hardware of all network-based sensors includes three components:
Processor
Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
Memory
Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network-based IPS to efficiently and accurately detect an attack.
NIC
The network-based IPS must be able to connect to any network, such as Ethernet, Fast Ethernet, and Gigabit Ethernet.
Network-based IPS gives security managers real-time security insight into their networks regardless of growth. Additional hosts can be added to protected networks without requiring more sensors. Additional sensors are only required when their rated traffic capacity is exceeded, when their performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries. When new networks are added, additional sensors are easy to deploy.
Modes of Deployment
IDS and IPS sensors can operate in inline mode (also known as inline interface pair mode) or promiscuous mode (also known as passive mode).
Promiscuous Mode
As shown in the figure, packets do not flow through the sensor in promiscuous mode. The sensor analyzes a copy of the monitored traffic, not the actual forwarded packet.
The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic.
The disadvantage of operating in promiscuous mode is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks).
IPS on Cisco ISRs
Cisco IOS IPS
Cisco IOS IPS
Cisco IOS IPS could be configured to respond as follows:
Send an alarm to a syslog server or a centralized management interface
Drop the packet
Reset the connection
Deny traffic from the source IP address of the threat for a specified amount of time
Deny traffic on the connection for which the signature was seen for a specified amount of time
Enabling a router to work as an IPS is a cost-effective way to protect branch office networks. Rather than purchasing a router and a dedicated IPS device, combining the functionalities in one device not only saves money but also simplifies network designs and administration.
IPS Components
IPS detection and enforcement engine
To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
IPS attack signatures package
This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures.
As shown in the figure, the IPS detection and enforcement engine that can be implemented depends on the router platform:
Cisco IOS Intrusion Prevention System (IPS)
Cisco Snort IPS
Snort IPS
Snort IPS
Snort Operation
Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. There are currently more than 30,000 signatures in the Snort rule set. It also supports the ability to customize rule sets and provides centralized deployment and management capabilities for 4000 Series ISRs.
Snort can be enabled in either of the following modes:
IDS mode - Snort inspects the traffic and reports alerts, but does not take any action to prevent attacks.
IPS mode - In addition to intrusion detection, actions are taken to prevent attacks.
Snort Features
The table lists the features and benefits of Snort IPS.
Snort System Requirements
To run the service container infrastructure with IDS/IPS functionality, Snort IPS requires an ISR 4000 (i.e., 4300 or higher) with a minimum of 8 GB of memory (DRAM) and 8 GB of flash.
A security K9 license (SEC) is required to activate Snort IPS functionality. Customers also need to purchase a yearly subscription for the signature package distributed on cisco.com.
There are two types of term-based subscriptions:
Subscriber Rule Set
Community Rule Set
Both technologies are deployed as sensors.
Both technologies use signatures to detect patterns of misuse in network traffic.
Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).
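The following is an added example, not code from the Cisco module or from Snort, that models the two points above in working code: a toy signature sensor that can run in IDS mode (alert only, as a promiscuous sensor would) or IPS mode (alert and drop, as an inline sensor would), with one atomic signature that matches a single packet and one composite signature that only fires after several packets from the same source. The packets, signature IDs, addresses and payloads are all constructed for the demonstration and are not real Talos/Snort rules.

```python
"""Toy signature-based IDS/IPS sensor (constructed example, not Snort)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int                        # constructed id, not a Snort/Talos SID
    msg: str
    match: Callable[[Packet], bool]
    threshold: int = 1              # 1 = atomic (single packet); >1 = composite (multi-packet)


# Constructed signatures: one atomic, one composite.
SIGNATURES = [
    Signature(1001, "HTTP request for /etc/passwd",
              lambda p: p.dport == 80 and b"/etc/passwd" in p.payload),
    Signature(1002, "Repeated Telnet connection attempts from one source",
              lambda p: p.dport == 23 and p.payload == b"SYN", threshold=3),
]


class Sensor:
    """mode='ids': copy-and-alert only.  mode='ips': inline, alert and drop."""

    def __init__(self, signatures: List[Signature], mode: str):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.signatures = signatures
        self.mode = mode
        self.alerts: List[Tuple[int, str, str, str]] = []   # (sid, msg, src, dst)
        self.counts = defaultdict(int)                       # (sid, src) -> matches seen

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict for one packet: 'forward' or 'drop'."""
        verdict = "forward"
        for sig in self.signatures:
            if not sig.match(pkt):
                continue
            key = (sig.sid, pkt.src)
            self.counts[key] += 1
            # Composite signatures need several matching packets before they fire.
            if self.counts[key] < sig.threshold:
                continue
            self.counts[key] = 0
            # Both modes log the event to the management console / syslog.
            self.alerts.append((sig.sid, sig.msg, pkt.src, pkt.dst))
            # Only an inline (IPS) sensor can send the packet to the bit bucket.
            if self.mode == "ips":
                verdict = "drop"
        return verdict


# Constructed traffic: one benign request, one atomic hit, three packets that
# together form a composite hit.
TRACE = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET / HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.23", 23, b"SYN"),
    Packet("10.0.0.9", "10.0.0.23", 23, b"SYN"),
    Packet("10.0.0.9", "10.0.0.23", 23, b"SYN"),
]


def run_trace(mode: str) -> Tuple[List[str], List[Tuple[int, str, str, str]]]:
    """Run the constructed trace through a sensor and return (verdicts, alerts)."""
    sensor = Sensor(SIGNATURES, mode)
    verdicts = [sensor.inspect(p) for p in TRACE]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = run_trace(mode)
        print(f"{mode.upper()} mode verdicts: {verdicts}")
        for sid, msg, src, dst in alerts:
            print(f"  alert sid={sid} {src} -> {dst}: {msg}")
```

In IDS mode every packet is forwarded and the sensor only records the two alerts; in IPS mode the same two alerts are raised but the matching packets (the second and the fifth) are dropped. Note that the first two Telnet packets pass through in both modes, which is the composite-pattern limitation the module alludes to: a multi-packet signature can only act once enough of the pattern has been observed.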