Module 12: IPS Operation and Implementation
12.3. Configure Snort IPS
Snort IPS configuration steps
Step 1. Download the Snort OVA file.
An Open Virtualization Archive (OVA) is a file that contains a compressed, installable version of a virtual machine. The Snort service OVA file is not bundled with the Cisco IOS XE Release images installed on the router. However, if the OVA file is preinstalled in the flash of the router, it is recommended that the latest OVA file be downloaded from Cisco.com.
Step 2. Install the OVA file.
To install the OVA file, use the virtual-service install name virtual-service-name package file-url media file-system privileged EXEC command. The name can be up to 20 characters long, and the complete path to the OVA file must be specified.
During the OVA file installation, the security license is checked and an error is reported if the license is not present. Therefore, the Cisco IOS XE image must be enabled with the security license. In the output, you can see that the OVA is Cisco signed.
Step 3. Configure Virtual Port Group interfaces.
The VPG interfaces will be configured as follows:
VPG0 - This is for management traffic to exchange information with IPS servers. The guest IP address needs to be routable to connect to the signature update server and external log server. It is also used to log traffic to log collectors.
VPG1 - This is for user traffic marked for inspection. This should not be routable and therefore uses a non-routable private IP address.
Step 4. Activate the virtual services.
The next step is to configure guest IPs on the same subnet for the container side and activate the virtual service as shown in the output.
Step 5. Configure Snort specifics.
Next is to configure how Snort is to be deployed (i.e. IPS or IDS mode), where the Snort logs should be sent, the policy and profile to configure for Snort, and more.
Step 6. Enable IPS globally or on desired interfaces.
Based on the organizational requirements, Snort can be enabled globally (i.e., on all the interfaces) or on selected interfaces.
Step 7. Verify Snort IPS.
After Snort IPS is implemented, it is necessary to verify the configuration to ensure correct operation.
There are several show commands that can be used to verify the Snort IPS configuration and operation.
show virtual-service list - The command displays an overview of resources that are utilized by the applications.
show virtual-service detail - The command displays a list of resources that are committed to a specified application, including attached devices.
show utd engine standard config - The command displays the UTD configuration.
show utd engine standard status - The command displays the status of the UTD engine.
show platform hardware qfp active feature utd stats - The command checks the data plane. It verifies increments for encap, decap, redirect, and reinject and displays a health of "Green".
12.1 IPS Signatures
IPS Signature Attributes
The network must be able to identify incoming malicious traffic in order to stop it. Malicious traffic displays distinct characteristics or "signatures".
A signature is a set of rules that an IDS and an IPS use to detect typical intrusion activity.
Signatures uniquely identify specific viruses, worms, protocol anomalies, and malicious traffic.
A sensor takes action when it matches a signature with a data flow, such as logging the event or sending an alarm to the IDS or IPS management software.
Three distinctive attributes of signatures:
Type - Atomic or Composite
Trigger - Also called the alarm
Action - What the IPS will do
Types of Signatures
Composite Signature
Also called a stateful signature because the IPS requires several pieces of data to match an attack signature. The IPS must also maintain state information, which is referred to as the event horizon. The length of an event horizon varies from one signature to the next.
Atomic Signature
This is the simplest type of signature because a single packet, activity, or event identifies an attack. The IPS does not need to maintain state information and traffic analysis can usually be performed very quickly and efficiently.
IPS Signature Alarms
Anomaly-Based Detection
Also known as profile-based detection.
Involves first defining a profile of what is considered normal network or host activity.
This normal profile is usually defined by monitoring traffic and establishing a baseline.
Once defined, any activity beyond a specified threshold in the normal profile will generate a signature trigger and action.
Policy-Based Detection
Also known as behavior-based detection.
Although similar to pattern-based detection, an administrator manually defines behaviors that are suspicious based on historical analysis.
The use of behaviors enables a single signature to cover an entire class of activities without having to specify each individual situation.
Pattern-Based Detection
Also known as signature-based detection.
Simplest triggering mechanism, as it searches for a specific and pre-defined atomic or composite pattern.
An IPS sensor compares the network traffic to a database of known attacks and triggers an alarm or prevents communication if a match is found.
Honey Pot-Based Detection
Honey pot-based detection uses a decoy server to attract attacks.
The purpose of a decoy server is to lure attacks away from production devices.
Allows administrators to analyze incoming attacks and malicious traffic patterns to tune their sensor signatures.
IPS Signature Actions
When a signature detects the activity for which it is configured, the signature triggers one or more actions.
Depending on the IPS sensor, various actions can be enabled. The table lists some actions that an IPS sensor may provide.
Note: The available actions depend on the signature type and the platform.
Evaluating Alerts
Triggering mechanisms can generate alarms that are false positives or false negatives. These alarms must be addressed when implementing an IPS sensor. True positives and true negatives are desirable and indicate the IPS is functioning properly. False positives and false negatives are undesirable and must be investigated.
Alerts can be classified as follows:
True positive - (Desirable) This is used when the IPS generates an alarm because it detected known attack traffic. The alert has been verified to be an actual security incident and also indicates that the IPS rule worked correctly.
True negative - (Desirable) This is used when the system is performing as expected. No alerts are issued because the traffic that is passing through the system is clear of threats.
False positive - (Undesirable) This is used when an IPS generates an alarm after processing normal user traffic that should not have triggered an alarm. The IPS must be tuned to change these alarm types to true negatives. The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger. False positives are costly because they must be investigated.
False negative - (Dangerous) This is used when an IPS fails to generate an alarm and known attacks are not being detected. This means that exploits are not being detected by the security systems that are in place. These incidents could go undetected for a long time, and ongoing data loss and damage could result. The goal is for these alarm types to generate true positive alarms.
12.2. Cisco Snort IPS
IPS service options
Intrusion prevention services were available on the first-generation Integrated Services Routers (ISR G1) using the Cisco IOS IPS. Cisco IOS IPS monitored and prevented intrusions by comparing traffic against signatures of known threats and blocking the traffic when a threat was detected.
Cisco Firepower Next-Generation IPS (NGIPS) - These are dedicated in-line threat prevention appliances that provide industry leading effectiveness against both known and unknown threats.
Cisco Snort IPS - This is an IPS service that can be enabled on a second generation ISR (ISR G2) (i.e., ISR 4000s). Note that Cisco 4000 ISRs no longer support Cisco IOS IPS.
External Snort IPS Server - This is similar to the Cisco Snort IPS solution but requires a promiscuous port (i.e., a SPAN switch port) and an external Snort IDS/IPS.
NGIPS
NGIPSs are dedicated IPS appliances. They are built on Snort's core open technology and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based security intelligence provided by Cisco Talos.
IPS rules that identify and block attack traffic targeted at network vulnerabilities.
Tightly integrated defense against advanced malware by incorporating advanced analysis of network and endpoint activity.
Sandboxing technology that uses hundreds of behavioral indicators to identify zero-day and evasive attacks.
Also includes Application Visibility and Control (AVC), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering.
Snort IPS
Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content searching or matching, and detect a variety of attacks and probes.
Snort IPS on the 4000 Series ISR provides the following functionalities:
IDS and IPS mode
Three signature levels
An allowed list
Snort health monitoring
Fail open and close
Signature update
Event logging
Snort Rule Actions
Snort can be enabled in IDS mode or in IPS mode.
Snort IDS mode can perform the following three actions:
Alert - Generate an alert using the selected alert method.
Log - Log the packet.
Pass - Ignore the packet.
Snort IPS mode can perform all the IDS actions plus the following:
Drop - Block and log the packet.
Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
Sdrop - Block the packet but do not log it.
Snort IPS Rule Alarms
In Snort IPS, signatures are configured using “rules”. These rules serve as the signature alarms by comparing incoming traffic to the Snort rules. Traffic matching a rule header generates an action.
The basic rule header command syntax is:
[action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])
Example:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
Snort IPS Header Rule Options
A Snort rule also contains rule options (fields), enclosed in parentheses after the header, that provide additional information for the rule. Options are separated by semicolons (;), and each rule option keyword is separated from its argument by a colon (:).
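To make the header and option syntax concrete, here is a small parser for Snort rule lines. This is an added example, not code from the course or from Snort itself; the field names, the dict layout and the sample rules are my own, and the action sets are Snort's standard IDS actions (alert, log, pass) and IPS actions (drop, reject, sdrop). It handles the one case that trips up naive splitting: a ';' inside a quoted content: or pcre: argument.

```python
import re

# Snort rule actions: IDS mode (alert, log, pass) and IPS mode (drop, reject, sdrop).
IDS_ACTIONS = {"alert", "log", "pass"}
IPS_ACTIONS = {"drop", "reject", "sdrop"}

# Header: [action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<protocol>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*(?:\((?P<options>.*)\))?\s*$"
)

def split_options(body):
    """Split the option body on ';' (a ';' inside a quoted argument does not count),
    then separate each keyword from its argument on the first ':'."""
    items, current, in_quotes, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes  # quoted content:/pcre: arguments may contain ';'
        if ch == ";" and not in_quotes:
            items.append(current)
            current = ""
        else:
            current += ch
        prev = ch
    items.append(current)  # the last option may omit the trailing ';'
    pairs = []
    for item in (i.strip() for i in items):
        if item:
            key, sep, arg = item.partition(":")
            pairs.append((key.strip(), arg.strip() if sep else None))  # bare keyword -> None
    return pairs

def parse_rule(text):
    """Parse one Snort rule line into a dict of header fields plus an ordered option list.
    Raises ValueError when the header is malformed or the action is not a Snort action."""
    m = HEADER_RE.match(text.strip())
    if not m or m["action"] not in IDS_ACTIONS | IPS_ACTIONS:
        raise ValueError("not a valid Snort rule: %r" % text)
    rule = m.groupdict()
    rule["options"] = split_options(rule["options"] or "")
    # Handy when auditing a rule set: does this rule block (IPS action) or only detect (IDS action)?
    rule["blocks"] = rule["action"] in IPS_ACTIONS
    return rule

def option(rule, keyword):
    """Argument of the first option with this keyword, or None if the rule lacks it."""
    return next((arg for key, arg in rule["options"] if key == keyword), None)
```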
Snort IPS Operation
Packets arriving on Snort enabled interfaces are inspected as follows:
Cisco IOS Software forwards the packets to be inspected to the Snort IPS engine using an internal virtual port group (VPG) interface.
Snort IPS inspects the traffic and takes necessary action.
Snort drops the packets associated with bad flows (IPS mode). Good flow packets are returned to the router for further processing.
Snort IPS requires two VPG interfaces:
Management interface - This is the interface that is used to source logs to the log collector and for retrieving signature updates from Cisco.com. For this reason, this interface requires a routable IP address.
Data interface - This is the interface that is used to send user traffic between the Snort virtual container service and the router forwarding plane.
ISR Container Applications
Routers were initially packet processing devices. However, over the years, they have evolved to perform many computing functions. Routers have acquired so much processing power that server applications can now be hosted inside the router using virtual machines called service containers.
Specifically, the Snort engine on the 4000 Series ISR runs as a container application. The 4000 Series ISR uses a multi-core CPU, and the Cisco IOS-XE has the ability to allocate these cores for control-plane or data-plane functions.
Snort Components and Rules
Snort IPS for 4000 Series ISRs consists of two components:
Snort engine - This is the IPS detection and enforcement engine that is included in the Security (SEC) license for 4000 Series ISRs.
Snort rule software subscriptions for signature updates - Snort rule sets to keep current with the latest threat protection are term-based subscriptions, available for one or three years.
There are two types of term-based subscriptions:
Community Rule Set - Available for free, this subscription offers limited coverage against threats. The community rule set focuses on reactive response to security threats versus proactive research work.
Subscriber Rule Set - Available for a fee, this service provides the best protection against threats. It includes coverage of advanced exploits by using the research work of the Cisco Talos security experts.