Module 12: IPS Operation and Implementation
12.1 IPS Signatures
12.1.1 IPS Signature Attributes
Every IPS signature has three distinguishing attributes:
Type - Atomic or Composite
Trigger - Also called the alarm
Action - What the IPS will do
12.1.2 Types of Signatures
There are two types of signatures:
Atomic Signature -
This is the simplest type of signature because a single packet, activity, or event identifies an attack. The IPS does not need to maintain state information and traffic analysis can usually be performed very quickly and efficiently.
Composite Signature -
Also called a stateful signature because the IPS requires several pieces of data to match an attack signature. The IPS must also maintain state information, which is referred to as the event horizon. The length of an event horizon varies from one signature to the next.
12.1.3 IPS Signature Alarms
Pattern-Based Detection
Also known as signature-based detection.
Simplest triggering mechanism as it searches for a specific and pre-defined atomic or composite pattern.
An IPS sensor compares network traffic to a database of known attack patterns and triggers an alarm, or blocks the communication, when a match is found.
Anomaly-Based Detection
Also known as profile-based detection.
Involves first defining a profile of what is considered normal network or host activity.
This normal profile is usually defined by monitoring traffic and establishing a baseline.
Once defined, any activity beyond a specified threshold in the normal profile will generate a signature trigger and action.
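The three trigger mechanisms described in 12.1.2 and 12.1.3 side by side, as an added example (not course material): an atomic pattern signature that needs no state, a composite signature that keeps per-source state and prunes it at the event horizon, and an anomaly-based trigger that learns a baseline first. The packet trace, the traversal pattern, the port-scan threshold and horizon, and the packets-per-second samples are all constructed for the demo.

```python
"""Three IPS trigger mechanisms on one constructed packet trace.

Added illustration, not course material. It shows an atomic (stateless)
pattern signature, a composite (stateful) signature whose state is pruned
at the event horizon, and an anomaly-based trigger built from a baseline.
The trace, the pattern, the thresholds and the rate samples are constructed.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

# (timestamp_s, src_ip, dst_ip, dst_port, payload) -- constructed trace
TRACE = [
    (0.0,  "10.0.0.5",    "10.0.0.80", 80,   b"GET /index.html HTTP/1.1"),
    (0.5,  "10.0.0.5",    "10.0.0.80", 80,   b"GET /about HTTP/1.1"),
    (1.0,  "10.0.0.9",    "10.0.0.80", 80,   b"GET /../../etc/passwd HTTP/1.1"),
    # one source probes six ports in 2.5 s
    (2.0,  "203.0.113.7", "10.0.0.80", 21,   b""),
    (2.5,  "203.0.113.7", "10.0.0.80", 22,   b""),
    (3.0,  "203.0.113.7", "10.0.0.80", 23,   b""),
    (3.5,  "203.0.113.7", "10.0.0.80", 25,   b""),
    (4.0,  "203.0.113.7", "10.0.0.80", 53,   b""),
    (4.5,  "203.0.113.7", "10.0.0.80", 80,   b""),
    # the same number of distinct ports, but spread over a minute
    (10.0, "10.0.0.5",    "10.0.0.80", 443,  b""),
    (22.0, "10.0.0.5",    "10.0.0.80", 8080, b""),
    (34.0, "10.0.0.5",    "10.0.0.80", 8443, b""),
    (46.0, "10.0.0.5",    "10.0.0.80", 3306, b""),
    (58.0, "10.0.0.5",    "10.0.0.80", 5432, b""),
]

# Atomic, pattern-based: one packet is enough, no state is kept.
ATOMIC_PATTERNS = [(b"/etc/passwd", "path traversal attempt")]  # constructed pattern


def atomic_signature(pkt):
    ts, src, _dst, _dport, payload = pkt
    return [(ts, src, msg) for pattern, msg in ATOMIC_PATTERNS if pattern in payload]


class PortScanSignature:
    """Composite, pattern-based: fires when one source touches `threshold`
    distinct destination ports inside the event horizon (seconds)."""

    def __init__(self, threshold=5, horizon=10.0):
        self.threshold = threshold
        self.horizon = horizon
        self.state = defaultdict(deque)   # src -> deque of (ts, dport)
        self.fired = set()                # sources already alerted on

    def feed(self, pkt):
        ts, src, _dst, dport, _payload = pkt
        q = self.state[src]
        q.append((ts, dport))
        # Forget state older than the event horizon. This bounds memory, and it
        # is also why the slow scan (one port every 12 s) never trips the rule.
        while q[0][0] < ts - self.horizon:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and src not in self.fired:
            self.fired.add(src)
            return (ts, src, f"port scan: {len(ports)} ports within {self.horizon:g} s")
        return None


def pattern_based(trace=TRACE):
    """Run both pattern-based signatures over the trace, in arrival order."""
    scan = PortScanSignature()
    alerts = []
    for pkt in trace:
        alerts.extend(atomic_signature(pkt))
        hit = scan.feed(pkt)
        if hit:
            alerts.append(hit)
    return alerts


# Anomaly-based: packets per second sampled over a quiet period (constructed).
BASELINE_PPS = [3, 4, 3, 5, 4, 3, 4, 5, 4, 3]
LIVE_PPS = [4, 3, 5, 40, 4, 3]


def anomaly_based(baseline=BASELINE_PPS, live=LIVE_PPS, k=3.0):
    """Profile-based trigger: learn mean and standard deviation from the
    baseline, then flag any live sample beyond mean + k*stdev."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return [(i, rate) for i, rate in enumerate(live) if rate > threshold]


if __name__ == "__main__":
    for alert in pattern_based():
        print("pattern ", alert)
    for idx, rate in anomaly_based():
        print(f"anomaly  second {idx}: {rate} pps")
```

The slow scan by 10.0.0.5 is the practitioner's caveat: a composite signature only sees what fits inside its event horizon, so an attacker who spaces probes wider than the horizon is invisible to it, and the anomaly detector only catches it if its baseline window is short enough to notice the rate change.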
12.1.4 IPS Signature Actions
12.1.5 Evaluating Alerts
Alerts can be classified as follows:
True positive - (Desirable) This is used when the IPS generates an alarm because it detected known attack traffic. The alert has been verified to be an actual security incident and also indicates that the IPS rule worked correctly.
True negative - (Desirable) This is used when the system is performing as expected. No alerts are issued because the traffic that is passing through the system is clear of threats.
False positive - (Undesirable) This is used when an IPS generates an alarm after processing normal user traffic that should not have triggered an alarm. The IPS must be tuned to change these alarm types to true negatives. The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger. False positives are costly because they must be investigated.
False negative - (Dangerous) This is used when an IPS fails to generate an alarm and known attacks are not being detected. This means that exploits are not being detected by the security systems that are in place. These incidents could go undetected for a long time, and ongoing data loss and damage could result. The goal is for these alarm types to generate true positive alarms.
12.2 Cisco Snort IPS
12.2.1 IPS Service Options
Organizations now have three options available to provide intrusion prevention services.
Cisco Firepower Next-Generation IPS (NGIPS) - These are dedicated in-line threat prevention appliances that provide industry leading effectiveness against both known and unknown threats.
Cisco Snort IPS - This is an IPS service that runs as a container application on the Cisco 4000 Series ISR. Note that the 4000 Series ISRs do not support the legacy Cisco IOS IPS.
External Snort IPS Server - This is similar to the Cisco Snort IPS solution but requires a promiscuous port (i.e., a SPAN switch port) and an external Snort IDS/IPS.
12.2.2 NGIPS
NGIPS features include the following:
IPS rules that identify and block attack traffic targeted at network vulnerabilities.
Tightly integrated defense against advanced malware by incorporating advanced analysis of network and endpoint activity.
Sandboxing technology that uses hundreds of behavioral indicators to identify zero-day and evasive attacks.
Also includes Application Visibility and Control (AVC), Cisco Advanced Malware Protection (AMP) for Networks, and URL Filtering.
12.2.3 Snort IPS
Snort IPS on the 4000 Series ISR provides the following functionalities:
IDS and IPS mode - Configure threat detection or prevention mode. In prevention mode, attack traffic will be dropped.
Three signature levels - Snort provides three rule-set policies: connectivity (fewest rules enabled, least secure), balanced (the middle option), and security (most rules enabled, most secure). Enabling more rules widens coverage at the cost of more inspection work per packet and a higher chance of false positives, so the level chosen should be tuned with the allowed list.
An allowed list - This provides the ability to turn off certain signatures and helps to avoid false positives such as legitimate traffic triggering an IPS action. Up to 1000 entries can be supported in the allowed list.
Snort health monitoring - Cisco IOS Software keeps track of the health of the Snort engine that is running in the service container.
Fail open and close - In the event of IPS engine failure, the router can be configured to block the traffic flow or to bypass IPS checking until the Snort engine recovers.
Signature update - Automatic and manual updates are supported. Snort IPS can download the signature package directly from cisco.com or a local resource location over HTTP and HTTPS.
Event logging - IPS logs can be sent to an independent log collector or included along with the router syslog stream. Sending IPS logs separately helps if the security event management tool is different from the regular syslog server.
12.2.4 Snort Components and Rules
Snort IPS for 4000 Series ISRs consists of two components:
Snort engine - This is the IPS detection and enforcement engine that is included in the Security (SEC) license for 4000 Series ISRs.
Snort rule software subscriptions for signature updates - Snort rule sets that keep the sensor current with the latest threat protection are term-based subscriptions, available for one or three years.
There are two types of term-based subscriptions:
Community Rule Set - Available for free, this subscription offers limited coverage against threats. The community rule set focuses on reactive response to security threats rather than proactive research. Updated signatures also reach the community set on a 30-day delay, so its newest rule is at least 30 days old. In addition, no Cisco customer support is available.
Subscriber Rule Set - Available for a fee, this service provides the best protection against threats. It includes coverage of advanced exploits based on the research of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.
12.2.5 ISR Container Applications
12.2.6 Snort IPS Rule Alarms
12.2.7 Snort IPS Rule Actions
Snort IDS mode can perform the following three actions:
Alert - Generate an alert using the selected alert method.
Log - Log the packet.
Pass - Ignore the packet.
Snort IPS mode can perform all the IDS actions plus the following:
Drop - Block and log the packet.
Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
Sdrop - Block the packet but do not log it.
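The six rule actions above on a toy rule engine, as an added example (not course or Snort project code). It parses a few rules written in Snort 2.x syntax (header plus the msg, content and sid options only; hex content, content modifiers and the <> direction are not handled), matches them against constructed packets, and reports what each action does in IDS and in IPS mode. HOME_NET, the rules, the packets and the sids (local range 1000001+) are constructed. The action precedence (pass evaluated first) and the choice to degrade blocking actions to an alert in IDS mode are this toy's assumptions, not a description of Snort's own behaviour.

```python
"""Snort rule actions in IDS versus IPS mode, on a toy rule engine.

Added example, not course or Snort project code. Rules, HOME_NET, packets and
sids (local range) are constructed. The engine parses the rule header and the
msg/content/sid options only, applies 'first matching rule wins' after sorting
rules by an assumed action precedence, and reports the disposition per mode.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

HOME_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed value for $HOME_NET

# Constructed rules in Snort 2.x syntax.
RULES_TEXT = """
alert  tcp any any -> $HOME_NET 80 (msg:"traversal attempt"; content:"/etc/passwd"; sid:1000001;)
drop   tcp any any -> $HOME_NET 22 (msg:"ssh probe"; content:"SSH-"; sid:1000002;)
reject udp any any -> $HOME_NET 53 (msg:"dns tunnel marker"; content:"TUNNEL"; sid:1000003;)
sdrop  tcp any any -> $HOME_NET 23 (msg:"telnet"; sid:1000004;)
pass   tcp 10.0.0.0/24 any -> $HOME_NET 80 (msg:"trusted scanner"; content:"/etc/passwd"; sid:1000005;)
"""

# Assumed precedence for this toy: pass rules win over everything else.
ORDER = {"pass": 0, "drop": 1, "sdrop": 2, "reject": 3, "alert": 4, "log": 5}

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
OPTION_RE = re.compile(r'(\w+):\s*"?([^";]*)"?\s*;')


class Rule(NamedTuple):
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: Optional[bytes]
    sid: int


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        action, proto, src, sport, _direction, dst, dport, opts = m.groups()
        o = dict(OPTION_RE.findall(opts))
        content = o["content"].encode() if "content" in o else None
        rules.append(Rule(action, proto, src, sport, dst, dport, o.get("msg", ""), content, int(o["sid"])))
    return sorted(rules, key=lambda r: ORDER[r.action])   # stable: file order within an action


def _addr_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in net


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and (rule.content is None or rule.content in pkt.payload))


def disposition(rule: Rule, pkt: Packet, mode: str) -> str:
    """What the sensor does for a matched rule in 'ids' or 'ips' mode."""
    a = rule.action
    if a == "pass":
        return "pass: ignore packet"
    if a == "log":
        return "log: log packet"
    if a == "alert":
        return "alert: generate alert, packet forwarded"
    if mode == "ids":
        # A promiscuous sensor cannot block; this toy degrades the action to an
        # alert so the operator still sees it (assumption, not Snort behaviour).
        return f"alert: {a} not enforceable in IDS mode, alert only"
    if a == "drop":
        return "drop: block and log"
    if a == "sdrop":
        return "sdrop: block silently, no log"
    if a == "reject":
        reset = "TCP RST" if pkt.proto == "tcp" else "ICMP port unreachable"
        return f"reject: block, log, send {reset}"
    raise ValueError(f"unknown action {a}")


def inspect(rules: List[Rule], pkt: Packet, mode: str) -> Tuple[Optional[int], str]:
    for rule in rules:
        if matches(rule, pkt):
            return rule.sid, disposition(rule, pkt, mode)
    return None, "no match: forward"


# Constructed packets, one per rule plus a trusted-source case and a miss.
PACKETS = [
    Packet("tcp", "203.0.113.7", 40000, "10.0.0.80", 80,  b"GET /../../etc/passwd HTTP/1.1"),
    Packet("tcp", "203.0.113.7", 40001, "10.0.0.80", 22,  b"SSH-2.0-probe"),
    Packet("udp", "203.0.113.7", 40002, "10.0.0.53", 53,  b"TUNNELdata"),
    Packet("tcp", "203.0.113.7", 40003, "10.0.0.80", 23,  b"\xff\xfb\x01"),
    Packet("tcp", "10.0.0.5",    40004, "10.0.0.80", 80,  b"GET /etc/passwd HTTP/1.1"),
    Packet("tcp", "203.0.113.7", 40005, "10.0.0.80", 443, b"\x16\x03\x01"),
]


def run(mode: str = "ips") -> List[Tuple[Optional[int], str]]:
    rules = parse_rules(RULES_TEXT)
    return [inspect(rules, p, mode) for p in PACKETS]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(f"== {mode} mode ==")
        for sid, what in run(mode):
            print(f"sid {sid}: {what}")
```

Two things worth noticing when running it: the reject rule on UDP port 53 answers with an ICMP port unreachable rather than a TCP reset, and the pass rule for 10.0.0.0/24 silences the traversal alert for the trusted scanner only because pass is evaluated before alert; with alert evaluated first, sid 1000001 would fire on that packet too. That ordering is a configuration choice on a real sensor and should be checked rather than assumed.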
12.3 Configure Snort IPS
12.3.1 Snort IPS Configuration Steps
To deploy Snort IPS on supported devices, perform the following steps:
Step 1. Download the Snort OVA file.
Step 2. Install the OVA file.
Step 3. Configure Virtual Port Group interfaces.
Step 4. Activate the virtual services.
Step 5. Configure Snort specifics.
Step 6. Enable IPS globally or on desired interfaces.
Step 7. Verify Snort IPS.
12.3.2 Step 1. Download the Snort OVA File
12.3.3 Step 2. Install the Snort OVA File
12.3.4 Step 3. Configure Virtual Port Group Interfaces
12.3.5 Step 4. Activate Virtual Services
12.3.6 Step 5. Configure Snort Specifics
12.3.7 Step 6. Enable IPS Globally or on Desired Interfaces
12.3.8 Step 7. Verify Snort IPS
There are several show commands that can be used to verify the Snort IPS configuration and operation.
show virtual-service list - The command displays an overview of resources that are utilized by the applications.
show virtual-service detail - The command displays a list of resources that are committed to a specified application, including attached devices.
show utd engine standard config - The command displays the UTD configuration.
show utd engine standard status - The command displays the status of the UTD engine.
show platform hardware qfp active feature utd stats - The command checks the data plane. It verifies increments for encap, decap, redirect, and reinject and displays a health of "Green".