Please enable JavaScript.

Coggle requires JavaScript to display documents.

Module 12: IPS Operation and Implementation - Coggle Diagram

- - - - Type - Atomic or Composite
      - Trigger - Also called the alarm
      - Action - What the IPS will do
- - - - Cisco Firepower Next-Generation IPS (NGIPS) - These are dedicated in-line threat prevention appliances that provide industry leading effectiveness against both known and unknown threats.
      - Cisco Snort IPS - This is an IPS service that can be enabled on a second generation ISR (ISR G2) (i.e., ISR 4000s). Note that Cisco 4000 ISRs no longer support Cisco IOS IPS.
      - External Snort IPS Server - This is similar to the Cisco Snort IPS solution but requires a promiscuous port (i.e., a SPAN switch port) and an external Snort IDS/IPS.
  - - - NGIPS features include the following:
        
        IPS rules that identify and block attack traffic targeted at network vulnerabilities.
        
        Tightly integrated defense against advanced malware by incorporating advanced analysis of network and endpoint activity.
        
        Sandboxing technology that uses hundreds of behavioral indicators to identify zero-day and evasive attacks.
        
        Also includes Application Visibility and Control (AVC), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering.
  - - - Snort IPS for 4000 Series ISRs consists of two components:
        
        Snort engine - This is the IPS detection and enforcement engine that is included in the Security (SEC) license for 4000 Series ISRs.
        
        Snort rule software subscriptions for signature updates - Snort rule sets to keep current with the latest threat protection are term-based subscriptions, available for one or three years.
    - - There are two types of term-based subscriptions:
        
        Community Rule Set - Available for free, this subscription offers limited coverage against threats. The community rule set focuses on reactive response to security threats versus proactive research work. There is also a 30-day delayed access to updated signatures meaning that newest rule will be a minimum of 30 days old. In addition, there is no Cisco customer support available.
        
        Subscriber Rule Set - Available for a fee, this service provides the best protection against threats. It includes coverage of advance exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.
  - - - In Snort IPS, signatures are configured using “rules”. These rules serve as the signature alarms by comparing incoming traffic to the Snort rules. Traffic matching a rule header generates an action.
      - A rule header is conceptually similar to an access control list (ACL) statement. It is a one line statement that identifies malicious traffic.
      - The basic rule header command syntax is:
      - [action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])
  - - - Snort IDS mode can perform the following three actions:
        
        Alert - Generate an alert using the selected alert method.
        
        Log - Log the packet.
        
        Pass - Ignore the packet.
      - Snort IPS mode can perform all the IDS actions plus the following:
        
        Drop - Block and log the packet.
        
        Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
        
        Sdrop - Block the packet but do not log it.
- - - - To deploy Snort IPS on supported devices, perform the following steps:
      - Step 1. Download the Snort OVA file.
        
        An Open Virtualization Archive (OVA) is a file that contains a compressed, installable version of a virtual machine. The Snort service OVA file is not bundled with the Cisco IOS XE Release images installed on the router. However, if the OVA file is be preinstalled in the flash of the router, it is recommended that the latest OVA file be downloaded from Cisco.com.
      - Step 2. Install the OVA file.
        
        To install the OVA file, use the virtual-service install name virtual-service-name package file-url media file-system privilege EXEC command. The length of the name is 20 characters and the complete path to the OVA file must be specified.
      - Step 3. Configure Virtual Port Group interfaces.
        
        Two VirtualPortGroup (VPG) interfaces must then be configured along with their guest IP addresses.
        
        In our example, the VPG interfaces will be configured as follows:
        
        VGP0 - This is for management traffic to exchange information with IPS servers. The guest IP address needs to be routable to connect to the signature update server and external log server. It is also used to log traffic to log collectors.
        
        VPG1 - This is for user traffic marked for inspections. This should not be routable and therefore use a non-routable private IP address.
      - Step 4. Activate the virtual services.
      - Step 5. Configure Snort specifics.
      - Step 6. Enable IPS globally or on desired interfaces.
      - Step 7. Verify Snort IPS.
        
        After Snort IPS is implemented, it is necessary to verify the configuration to ensure correct operation.
        
        There are several show commands that can be used to verify the Snort IPS configuration and operation.
        
        show virtual-service list - The command displays an overview of resources that are utilized by the applications.
        
        show virtual-service detail - The command displays a list of resources that are committed to a specified application, including attached devices.
        
        show utd engine standard config - The command displays the UTD configuration.
        
        show utd engine standard status - The command displays the status of the UTD engine.
        
        show platform hardware qfp active feature utd stats - The command checks the data plane. It verifies increments for encap, decap, redirect, and reinject and displays a health of "Green".