Module 12.0 IPS Operation and Implementation
12.1 IPS Signatures
12.1.1 IPS Signature Attributes
The network must be able to identify incoming malicious traffic in order to stop it. Fortunately, malicious traffic displays distinct characteristics or “signatures”.
Conceptually similar to the virus.dat file used by virus scanners, a signature is a set of rules that an IDS or IPS uses to detect typical intrusion activity. Signatures uniquely identify specific viruses, worms, protocol anomalies, and malicious traffic (e.g., a DoS attack).
12.1.2 Types of Signatures
*Atomic Signature - The simplest type of signature: a single packet, activity, or event identifies an attack. The IPS does not need to maintain state information, so traffic analysis can usually be performed very quickly and efficiently.
*Composite Signature - Also called a stateful signature, because the IPS requires several pieces of data, spread across multiple packets or events, to match an attack signature. The IPS must therefore maintain state information for a period of time referred to as the event horizon. The length of the event horizon varies from one signature to the next.
12.1.3 IPS Signature Alarms
The signature alarm (i.e., trigger) for an IPS sensor could be anything that can reliably signal an intrusion or security policy violation. A network-based IPS might trigger a signature action if it detects a packet with a payload containing a specific string that is going to a specific TCP port, for example.
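The difference between the two signature types, and the trigger just described, is easiest to see in code. The following is an added example and not part of the course or of any Cisco or Snort software: a toy sensor with one atomic signature (a payload string destined for a specific TCP port) and one composite signature (a port sweep: at least N distinct destination ports from one source inside an event horizon of T seconds). The signature IDs, addresses and packet records are constructed for the example.

```python
"""Atomic vs. composite (stateful) signatures over a packet stream.

Added example, not from the course or from any Cisco/Snort code. The sample
packets, addresses and signature IDs are constructed inline.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class AtomicSignature:
    """Matches on a single packet; the sensor keeps no state for it."""
    sid: int
    proto: str
    dport: int
    content: bytes

    def match(self, pkt):
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and self.content in pkt.payload)


@dataclass
class CompositeSignature:
    """Matches when one source touches >= threshold distinct destination ports
    within event_horizon seconds. The per-source history is the state the
    sensor must keep, and it is expired as the horizon slides forward."""
    sid: int
    threshold: int
    event_horizon: float
    _history: dict = field(default_factory=lambda: defaultdict(list))  # src -> [(ts, dport)]

    def match(self, pkt):
        events = self._history[pkt.src]
        events.append((pkt.ts, pkt.dport))
        # drop events that fell outside the event horizon
        events[:] = [(t, p) for t, p in events if pkt.ts - t <= self.event_horizon]
        if len({p for _, p in events}) >= self.threshold:
            events.clear()      # alert once per sweep, then start counting again
            return True
        return False


def run_sensor(packets, signatures):
    """Feed packets in time order; return (sid, ts, src) for every trigger."""
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        for sig in signatures:
            if sig.match(pkt):
                alerts.append((sig.sid, pkt.ts, pkt.src))
    return alerts


def sample_packets():
    """Constructed traffic: a fast sweep, a slow sweep, one exploit attempt, benign HTTP."""
    victim = "192.0.2.10"
    ports = (21, 22, 23, 25, 80)
    pkts = [Packet(ts, "203.0.113.5", victim, "tcp", port)
            for ts, port in zip((0.0, 0.2, 0.4, 0.6, 0.8), ports)]      # 5 ports in 0.8 s
    pkts += [Packet(ts, "198.51.100.9", victim, "tcp", port)
             for ts, port in zip((0.0, 30.0, 60.0, 90.0, 120.0), ports)]  # 5 ports over 2 min
    pkts.append(Packet(5.0, "198.51.100.9", victim, "tcp", 80,
                       b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"))   # atomic trigger
    pkts.append(Packet(6.0, "192.0.2.44", victim, "tcp", 80,
                       b"GET /index.html HTTP/1.1\r\n"))                 # benign
    return pkts


def demo():
    sigs = [AtomicSignature(1000001, "tcp", 80, b"/etc/passwd"),
            CompositeSignature(1000002, threshold=5, event_horizon=2.0)]
    return run_sensor(sample_packets(), sigs)


if __name__ == "__main__":
    for sid, ts, src in demo():
        print(f"sid={sid} t={ts:.1f}s src={src}")
```

Only the fast sweep trips the composite signature: the slow sweep spreads the same five ports over two minutes, so with a two-second event horizon the sensor never holds more than one event for that source. That is exactly the trade-off the event horizon encodes: a longer horizon catches slower scans but costs memory per tracked source, which is why it varies from one signature to the next.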
12.3 Configure Snort IPS
12.3.1 Snort IPS Configuration Steps
Step 1. Download the Snort OVA file.
Step 2. Install the OVA file.
Step 3. Configure Virtual Port Group interfaces.
Step 4. Activate the virtual services.
Step 5. Configure Snort specifics.
Step 6. Enable IPS globally or on desired interfaces.
Step 7. Verify Snort IPS.
12.3.2 Step 1. Download the Snort OVA File
An Open Virtualization Archive (OVA) is a file that contains a compressed, installable version of a virtual machine. The Snort service OVA file is not bundled with the Cisco IOS XE Release images installed on the router. Even if an OVA file is preinstalled in the flash of the router, it is recommended that the latest OVA file be downloaded from Cisco.com.
12.3.3 Step 2. Install the Snort OVA File
To install the OVA file, use the virtual-service install name virtual-service-name package file-url media file-system privileged EXEC command. The name can be up to 20 characters long, and the complete path to the OVA file must be specified.
12.3.4 Step 3. Configure Virtual Port Group Interfaces
Two VirtualPortGroup (VPG) interfaces must then be configured along with their guest IP addresses. In our example, the VPG interfaces will be configured as follows:
VPG0 - This is for management traffic exchanged with servers outside the router. The guest IP address needs to be routable so the container can reach the signature update server and the external log server; it is also the source of the event logs sent to log collectors.
VPG1 - This is for user traffic marked for inspection. It should not be routable and therefore uses a non-routable private IP address.
12.3.5 Step 4. Activate Virtual Services
The virtual-service virtual-service-name command configures the logical name, MYIPS in the example, that is used to identify the virtual container service.
The vnic gateway VirtualPortGroup interface-number command creates a virtual network interface card (vNIC) gateway interface for the virtual container service. It also maps the vNIC gateway interface to the virtual port group, and enters the virtual-service vNIC configuration mode.
The guest ip address ip-address command configures a guest vNIC address for the vNIC gateway interface.
Finally, the activate command activates the application installed in a virtual container service.
12.3.6 Step 5. Configure Snort Specifics
12.3.7 Step 6. Enable IPS Globally or on Desired Interfaces
The all-interfaces option configures unified threat defense (UTD) on all Layer 3 interfaces of the device. Alternatively, UTD can be enabled only on selected interfaces with the utd enable interface configuration command.
The engine standard command configures the Snort-based UTD engine and enters standard engine configuration mode. Within the same utd configuration, we can also specify how the router forwards traffic if there is a UTD engine failure.
Specifically, the router can be configured to:
fail-open (default) - When there is a UTD engine failure, this option allows all of the IPS/IDS traffic through without being inspected. This favors availability over security.
fail-close - If enabled, this option drops all of the IPS/IDS traffic when there is a UTD engine failure. Therefore, no traffic subject to inspection is forwarded until the engine recovers. This is the safer choice where inspection is a control requirement, at the cost of an outage if the container fails.
12.3.8 Step 7. Verify Snort IPS
show virtual-service list - The command displays an overview of resources that are utilized by the applications.
show virtual-service detail - The command displays a list of resources that are committed to a specified application, including attached devices.
show utd engine standard config - The command displays the UTD configuration.
show utd engine standard status - The command displays the status of the UTD engine.
show platform hardware qfp active feature utd stats - The command checks the data plane. It verifies that the encap, decap, redirect, and reinject counters are incrementing and should report a health status of "Green".
12.2 Cisco Snort IPS
12.2.1 IPS Service Options
Cisco IOS IPS, which provided intrusion prevention on ISR G1 routers, was discontinued in 2018. Currently, there are three options for intrusion prevention:
Cisco Firepower NGIPS: A dedicated appliance for threat prevention.
Cisco Snort IPS: An IPS service hosted as a container on ISR 4000 Series routers (and the CSR 1000v).
External Snort IPS Server: Requires a promiscuous port and an external Snort server.
All three use Snort and receive updates from Cisco Talos.
12.2.2 NGIPS
NGIPSs are dedicated IPS appliances. They are built on Snort's core open technology and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based security intelligence provided by Cisco Talos.
NGIPS features include the following:
IPS rules that identify and block attack traffic targeted at network vulnerabilities.
Tightly integrated defense against advanced malware by incorporating advanced analysis of network and endpoint activity.
Sandboxing technology that uses hundreds of behavioral indicators to identify zero-day and evasive attacks.
Also includes Application Visibility and Control (AVC), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering.
Note: Further discussion of NGIPS appliances is out of scope for this course.
12.2.3 Snort IPS
Snort is an open-source network IPS that performs real-time traffic analysis and generates alerts for detected threats. It can detect various attacks, such as buffer overflows and port scans. Snort can now run as a virtual container on Cisco 4000 ISRs and Cisco Cloud Services Router 1000v Series, making it ideal for smaller organizations seeking a cost-effective security solution.
Snort IPS on the 4000 Series ISRs provides advanced routing and integrated security, including features like VPN, Cisco IOS firewalls, and Cisco Cloud Web Security. It offers threat detection and prevention in a small footprint, suitable for branch offices that don't need separate firewall devices.
Key features of Snort IPS on the 4000 Series ISRs include:
IDS/IPS mode for detecting or preventing attacks.
Three signature levels (policies): connectivity (fewest rules, least secure), balanced, and security (most rules, most secure).
An allowed list of rule IDs to suppress known false positives.
Health monitoring for the Snort engine.
Fail open/close options in case of IPS engine failure.
Automatic and manual signature updates.
Event logging to independent collectors or syslog servers.
12.2.4 Snort Components and Rules
Snort IPS for 4000 Series ISRs has two main components:
Snort Engine: The IPS detection and enforcement engine, included in the Security (SEC) license for 4000 Series ISRs.
Snort Rule Software Subscriptions: Term-based subscriptions for signature updates, available for one or three years.
There are two types of subscriptions:
Community Rule Set: Free, with limited coverage, delayed access (30 days) to updated signatures, and no Cisco support.
Subscriber Rule Set: Paid, offering the best protection with faster access to updates and full Cisco support, including coverage of advanced exploits based on Cisco Talos research.
12.2.5 ISR Container Applications
Routers have evolved from packet processing devices to powerful systems capable of hosting server applications in virtualized service containers. On IOS XE platforms, which are based on Linux, applications like Snort IPS can be hosted inside routers.
The Snort engine runs as a Linux service container on ISR 4000 Series routers, using dedicated computing resources that operate independently from the data plane CPU. This setup allows for easier updates and efficient resource allocation, as unused control-plane CPU resources can be used for running other services in the container infrastructure.
12.2.6 Snort IPS Rule Alarms
In Snort IPS, signatures are configured using “rules”. These rules serve as the signature alarms: incoming traffic is compared to the Snort rules, and traffic matching both the rule header and the rule options triggers the rule's action.
A rule header is conceptually similar to an access control list (ACL) statement. It is a one line statement that identifies malicious traffic.
The basic rule header command syntax is:
[action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])
Note: The Rule options contain additional rule information.
For example, the following sample header generates an alert for TCP traffic from any host in $EXTERNAL_NET with a source port in $HTTP_PORTS to any port on a host in $HOME_NET; in other words, it matches responses returning from external web servers to internal clients. The variables are defined in the Snort configuration. A complete rule also needs rule options (at a minimum msg and sid), which are covered in 12.2.8:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
12.2.7 Snort IPS Rule Actions
Snort can be enabled in IDS mode or in IPS mode.
Snort IDS mode can perform the following three actions:
Alert - Generate an alert using the selected alert method.
Log - Log the packet.
Pass - Ignore the packet.
Snort IPS mode can perform all the IDS actions plus the following:
Drop - Block and log the packet.
Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
Sdrop - Block the packet but do not log it.
12.2.8 Snort IPS Header Rule Options
A Snort rule also contains rule options (fields), enclosed in parentheses after the header, to provide additional information for the rule. Options are separated by semicolons (;) and rule option keywords are separated from their arguments using colons (:).
The figure displays sample rule options for the alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any rule header.
The table describes the common general rule and the detection rule options in the sample rule header.
Note: These are just a few of the different types of rule options. For more examples, search the internet for "snort rule options"
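To make the header syntax of 12.2.6, the actions of 12.2.7 and the option syntax above concrete, here is an added example that is not part of the course and not Snort's or Cisco's own parser: a minimal Python parser for a single Snort rule. It splits the header into action, protocol, addresses, ports and direction, tokenizes the parenthesized options (keeping a semicolon inside a quoted content string from ending an option), accepts only the six actions listed in 12.2.7, and reports whether an action needs IPS (inline) mode. The two sample rules and their SIDs are constructed for the example.

```python
"""Parse a Snort rule into header fields and options; classify the action.

Added example, not from the course or from Snort/Cisco code. Only the six
actions listed in the course are accepted (an assumption of this example).
"""
import re

IDS_ACTIONS = {"alert", "log", "pass"}          # available in IDS mode
IPS_ONLY_ACTIONS = {"drop", "reject", "sdrop"}  # only take effect inline (IPS mode)

# action protocol src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<protocol>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)


def parse_options(text):
    """Split 'key:value; key; ...' into (key, value) pairs, in order.

    A ';' inside a double-quoted value (content:"a;b") or escaped with a
    backslash does not end the option. Keyword-only options get value None.
    """
    opts, buf, in_quote, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # keep escaped character verbatim
            buf += ch + text[i + 1]
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if buf.strip():
                key, _, value = buf.strip().partition(":")
                opts.append((key.strip(), value.strip() if value else None))
            buf = ""
        else:
            buf += ch
        i += 1
    if in_quote:
        raise ValueError("unbalanced double quote in rule options")
    if buf.strip():
        raise ValueError("last option is not terminated with ';'")
    return opts


def parse_rule(rule):
    """Return a dict with header fields, the option list and the integer sid."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("rule does not match 'action proto src sport -> dst dport (options)'")
    parsed = m.groupdict()
    action = parsed["action"].lower()
    if action not in IDS_ACTIONS | IPS_ONLY_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    parsed["action"] = action
    parsed["options"] = parse_options(parsed["options"])
    keys = [k for k, _ in parsed["options"]]
    for required in ("msg", "sid"):               # every rule needs a message and a unique ID
        if required not in keys:
            raise ValueError(f"rule is missing required option {required!r}")
    parsed["sid"] = int(get_option(parsed, "sid"))
    return parsed


def get_option(rule, key):
    """First value of option `key` (None for keyword-only options or if absent)."""
    for k, v in rule["options"]:
        if k == key:
            return v
    return None


def requires_ips_mode(action):
    """True for actions that only take effect when Snort runs inline (IPS mode)."""
    return action in IPS_ONLY_ACTIONS


# Constructed sample rules (SIDs in the local 1000000+ range, not real Talos rules).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP script tag in '
    'HTTP response"; flow:to_client,established; content:"<script>"; nocase; '
    'classtype:web-application-attack; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-ATTACK shell command in '
    'query string"; flow:to_server,established; content:"cmd=;id"; http_uri; sid:1000002; rev:1;)',
]


if __name__ == "__main__":
    for text in SAMPLE_RULES:
        r = parse_rule(text)
        mode = "IPS mode required" if requires_ips_mode(r["action"]) else "works in IDS mode"
        print(f"sid {r['sid']}: {r['action']} {r['protocol']} {r['src']}:{r['sport']} "
              f"{r['direction']} {r['dst']}:{r['dport']} ({mode}); "
              f"{len(r['options'])} options, content={get_option(r, 'content')}")
```

The second sample rule is the one to study: its content string contains a semicolon, which a naive split(";") would break, and its drop action is silently no better than alert unless the Snort container is running in IPS (protection) mode, which is the reason the mode choice in 12.2.7 matters more than the rule text.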
12.2.9 Snort IPS Operation
Packets arriving on Snort-enabled interfaces are processed as follows:
Cisco IOS Software forwards packets to the Snort IPS engine via an internal virtual port group (VPG) interface.
Snort IPS inspects the traffic, drops packets from malicious flows (IPS mode), and returns valid packets to the router for further processing.
Communication between container applications and the IOS data plane occurs through VPG interfaces, which are routed via the router's backplane and appear as virtual Ethernet ports.
Snort IPS requires two VPG interfaces:
Management interface: For log collection and signature updates, requiring a routable IP address.
Data interface: For sending user traffic between the Snort container and the router’s forwarding plane.
VPG0 handles management traffic, while VPG1 handles user traffic to be inspected.