CCNA Security Chapter Five Implementing Intrusion Prevention
© 2009 Cisco Learning Institute.
1
Lesson Planning • This lesson should take 3-6 hours to present • The lesson should include lecture, demonstrations, discussion and assessments • The lesson can be taught in person or using remote instruction
© 2009 Cisco Learning Institute.
2
Major Concepts • Describe the purpose and operation of networkbased and host-based Intrusion Prevention Systems (IPS) • Describe how IDS and IPS signatures are used to detect malicious network traffic • Implement Cisco IOS IPS operations using CLI and SDM • Verify and monitor the Cisco IOS IPS operations using CLI and SDM
© 2009 Cisco Learning Institute.
3
Lesson Objectives Upon completion of this lesson, the successful participant will be able to: 1. Describe the functions and operations of IDS and IPS systems 2. Introduce the two methods of implementing IPS and describe host based IPS 3. Describe network-based intrusion prevention 4. Describe the characteristics of IPS signatures 5. Describe the role of signature alarms (triggers) in Cisco IPS solutions 6. Describe the role of tuning signature alarms (triggers) in a Cisco IPS solution
© 2009 Cisco Learning Institute.
4
Lesson Objectives 7.
Describe the role of signature actions in a Cisco IPS solution
8.
Describe the role of signature monitoring in a Cisco IPS solution
9.
Describe how to configure Cisco IOS IPS Using CLI
10. Describe how to configure Cisco IOS IPS using Cisco SDM 11. Describe how to modify IPS signatures in CLI and SDM 12. Describe how to verify the Cisco IOS IPS configuration 13. Describe how to monitor the Cisco IOS IPS events 14. Describe how to troubleshoot the Cisco IOS IPS events
© 2009 Cisco Learning Institute.
5
Common Intrusions
MARS ACS VPN
Remote Worker
Zero-day exploit attacking the network Firewall
VPN
VPN
Remote Branch
Iron Port
CSA LAN
Web Server
© 2009 Cisco Learning Institute.
Email Server
DNS
6
Intrusion Detection Systems (IDSs) 1. An attack is launched on a network that has a sensor deployed in promiscuous IDS mode; therefore copies of all packets are sent to the IDS sensor for packet analysis. However, the target machine will experience the malicious attack. 2. The IDS sensor, matches the malicious traffic to a signature and sends the switch a command to deny access to the source of the malicious traffic. 3. The IDS can also send an alarm to a management console for logging and other management purposes.
Switch
1 2 Sensor
3
Management Console © 2009 Cisco Learning Institute.
Target 7
Intrusion Prevention Systems (IPSs) 1
1. An attack is launched on a network that has a sensor deployed in IPS mode (inline mode). 2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.
2
4
Sensor
3. The IPS sensor can also send an alarm to a management console for logging and other management purposes. 4. Traffic in violation of policy can be dropped by an IPS sensor.
Bit Bucket
3
Management Console © 2009 Cisco Learning Institute.
Target
8
Common characteristics of IDS and IPS
Both technologies are deployed using sensors. Both technologies use signatures to detect patterns of misuse in network traffic. Both can detect atomic patterns (singlepacket) or composite patterns (multi-packet).
© 2009 Cisco Learning Institute.
9
Comparing IDS and IPS Solutions Advantages
IDS
Promiscuous Mode
No impact on network (latency, jitter)
Disadvantages Response action cannot stop trigger packets
Correct tuning required for No network impact if there is a response actions sensor failure Must have a well thoughtout security policy No network impact if there is sensor overload More vulnerable to network evasion techniques
© 2009 Cisco Learning Institute.
10
Comparing IDS and IPS Solutions Advantages
IPS
Inline Mode
Stops trigger packets
Disadvantages Sensor issues might affect network traffic Sensor overloading impacts the network
Can use stream normalization Must have a well thoughttechniques out security policy Some impact on network (latency, jitter)
© 2009 Cisco Learning Institute.
11
Network-Based Implementation
CSA
MARS VPN
Remote Worker Firewall
VPN IPS
CSA VPN
Remote Branch
Iron Port
CSA
Web Server
© 2009 Cisco Learning Institute.
Email Server
CSA
CSA
DNS
12
Host-Based Implementation CSA
CSA
MARS VPN
Management Center for Cisco Security Agents
Remote Worker Firewall
VPN IPS
CSA VPN
Remote Branch
Agent
Iron Port
CSA
CSA
CSA
CSA CSA
CSA
Web Server
© 2009 Cisco Learning Institute.
Email Server
DNS
13
Cisco Security Agent Corporate Network Application Server Agent
Agent
Firewall
Untrusted Network Agent
Agent
Agent
Agent
SMTP Server
Agent
Agent
Agent
Web Server
DNS Server
Management Center for Cisco Security Agents
video © 2009 Cisco Learning Institute.
14
Cisco Security Agent Screens A warning message appears when CSA detects a Problem.
A waving flag in the system tray indicates a potential security problem.
© 2009 Cisco Learning Institute.
CSA maintains a log file allowing the user to verify problems and learn more information.
15
Host-Based Solutions Advantages and Disadvantages of HIPS
Advantages
Disadvantages
The success or failure of an attack can be readily determined.
HIPS does not provide a complete network picture.
HIPS has a requirement to HIPS does not have to worry support multiple operating about fragmentation attacks systems. or variable Time to Live (TTL) attacks. HIPS has access to the traffic in unencrypted form.
© 2009 Cisco Learning Institute.
16
Network-Based Solutions Corporate Network Sensor
Router
Firewall
Untrusted Network
Sensor
Management Server
Sensor Web Server
© 2009 Cisco Learning Institute.
DNS Server 17
Cisco IPS Solutions AIM and Network Module Enhanced • Integrates IPS into the Cisco 1841 (IPS AIM only), 2800 and 3800 ISR routers • IPS AIM occupies an internal AIM slot on router and has its own CPU and DRAM • Monitors up to 45 Mb/s of traffic • Provides full-featured intrusion protection • Is able to monitor traffic from all router interfaces • Can inspect GRE and IPsec traffic that has been decrypted at the router • Delivers comprehensive intrusion protection at branch offices, isolating threats from the corporate network • Runs the same software image as Cisco IPS Sensor Appliances
© 2009 Cisco Learning Institute.
18
Cisco IPS Solutions ASA AIP-SSM • High-performance module designed to provide additional security services to the Cisco ASA 5500 Series Adaptive Security Appliance • Diskless design for improved reliability • External 10/100/1000 Ethernet interface for management and software downloads • Intrusion prevention capability • Runs the same software image as the Cisco IPS Sensor appliances
© 2009 Cisco Learning Institute.
19
Cisco IPS Solutions 4200 Series Sensors • Appliance solution focused on protecting network devices, services, and applications • Sophisticated attack detection is provided.
© 2009 Cisco Learning Institute.
20
Cisco IPS Solutions Cisco Catalyst 6500 Series IDSM-2 • Switch-integrated intrusion protection module delivering a high-value security service in the core network fabric device • Support for an unlimited number of VLANs • Intrusion prevention capability • Runs the same software image as the Cisco IPS Sensor Appliances
© 2009 Cisco Learning Institute.
21
IPS Sensors • Factors that impact IPS sensor selection and deployment: - Amount of network traffic - Network topology - Security budget - Available security staff
• Size of implementation - Small (branch offices) - Large - Enterprise
© 2009 Cisco Learning Institute.
22
Comparing HIPS and Network IPS Advantages Is host-specific Protects host after decryption HIPS
Provides application-level encryption protection
Disadvantages Operating system dependent Lower level network events not seen Host is visible to attackers
Is cost-effective Not visible on the network Network Operating system independent IPS Lower level network events seen © 2009 Cisco Learning Institute.
Cannot examine encrypted traffic Does not know whether an attack was successful
23
Signature Characteristics
Hey, come look at this. This looks like the signature of a LAND attack.
• An IDS or IPS sensor matches a signature with a data flow • The sensor takes action • Signatures have three distinctive attributes - Signature type - Signature trigger - Signature action
© 2009 Cisco Learning Institute.
24
Signature Types • Atomic - Simplest form - Consists of a single packet, activity, or event - Does not require intrusion system to maintain state information - Easy to identify
• Composite - Also called a stateful signature - Identifies a sequence of operations distributed across multiple hosts - Signature must maintain a state known as the event horizon
© 2009 Cisco Learning Institute.
25
Signature File
© 2009 Cisco Learning Institute.
26
Signature Micro-Engines Version 4.x SME Prior 12.4(11)T
Description Atomic – Examine simple packets Version 5.x
SME 12.4(11)T and later
ATOMIC.IP
ATOMIC.IP
Provides simple Layer 3 IP alarms
ATOMIC.ICMP
ATOMIC.IP
Provides simple Internet Control Message Protocol (ICMP) alarms based on the following parameters: type, code, sequence, and ID
ATOMIC.IPOPTIONS
ATOMIC.IP
Provides simple alarms based on the decoding of Layer 3 options
ATOMIC.UDP
ATOMIC.IP
Provides simple User Datagram Protocol (UDP) packet alarms based on the following parameters: port, direction, and data length
ATOMIC.TCP
Service – Examine the many services that are attacked ATOMIC.IP
Provides simple TCP packet alarms based on the following parameters: port, destination, and flags
SERVICE.DNS
SERVICE.DNS
Analyzes the Domain Name System (DNS) service
SERVICE.RPC
SERVICE.RPC
Analyzes the remote-procedure call (RPC) service
SERVICE.SMTP
STATE
SERVICE.HTTP
SERVICE.HTTP
SERVICE.FTP
Inspects Simple Mail Transfer Protocol (SMTP) Provides HTTP protocol decode-based string engine that includes ant evasive URL de-obfuscation
String – Use expression-based patterns to detect intrusions SERVICE.FTP
Provides FTP service special decode alarms
STRING.TCP
STRING.TCP
Offers TCP regular expression-based pattern inspection engine services
STRING.UDP
STRING.UDP
Offers UDP regular expression-based pattern inspection engine services
STRING.ICMP
Provides ICMP regular expression-based pattern inspection engine services
MULTI-STRING
MULTI-STRING
Supports flexible pattern matching and supports Trend Labs signatures
OTHER
NORMALIZER
Provides internal engine to handle miscellaneous signatures
STRING.ICMP
Multi-String Supports flexible pattern matching
Other – Handles miscellaneous signatures © 2009 Cisco Learning Institute.
27
Cisco Signature List
© 2009 Cisco Learning Institute.
28
Signature Triggers Advantages
Disadvantages
• Easy configuration
• No detection of unknown signatures
• Fewer false positives
• Initially a lot of false positives
• Good signature design
• Signatures must be created, updated, and tuned
Anomalybased Detection
• Simple and reliable
• Generic output
• Customized policies
• Policy must be created
Policy-based Detection
• Easy configuration
Pattern-based Detection
Honey PotBased Detection
© 2009 Cisco Learning Institute.
• Can detect unknown attacks • Can detect unknown attacks
• Difficult to profile typical activity in large networks • Traffic profile must be constant
• Window to view attacks
• Dedicated honey pot server
• Distract and confuse attackers
• Honey pot server must not be trusted
• Slow down and avert attacks • Collect information about attack
29
Pattern-based Detection
Trigger
Signature Type Atomic Signature Stateful Signature
No state required to Patternexamine pattern to based determine if signature detection action should be applied
Must maintain state or examine multiple items to determine if signature action should be applied
Detecting for an Address Resolution Protocol Example (ARP) request that has a source Ethernet address of FF:FF:FF:FF:FF:FF
Searching for the string confidential across multiple packets in a TCP session
© 2009 Cisco Learning Institute.
30
Anomaly-based Detection
Trigger
Signature Type Atomic Signature Stateful Signature
No state required to Anomalyidentify activity that based deviates from normal detection profile
State required to identify activity that deviates from normal profile
Detecting traffic that is going to a destination port Verifying protocol compliance Example that is not in the normal for HTTP traffic profile
© 2009 Cisco Learning Institute.
31
Policy-based Detection
Signature Trigger
Signature Type Atomic Signature
Stateful Signature
Policy- No state required to based identify undesirable detection behavior
Previous activity (state) required to identify undesirable behavior
Detecting abnormally large fragmented packets Example by examining only the last fragment
A SUN Unix host sending RPC requests to remote hosts without initially consulting the SUN PortMapper program.
© 2009 Cisco Learning Institute.
32
Honey Pot-based Detection • Uses a dummy server to attract attacks • Distracts attacks away from real network devices • Provides a means to analyze incoming types of attacks and malicious traffic patterns
© 2009 Cisco Learning Institute.
33
Cisco IOS IPS Solution Benefits • Uses the underlying routing infrastructure to provide an additional layer of security with investment protection • Attacks can be effectively mitigated to deny malicious traffic from both inside and outside the network • Provides threat protection at all entry points to the network when combined with other Cisco solutions • Is supported by easy and effective management tools • Offers pervasive intrusion prevention solutions that are designed to integrate smoothly into the network infrastructure and to proactively protect vital resources • Supports approximately 2000 attack signatures from the same signature database that is available for Cisco IPS appliances
© 2009 Cisco Learning Institute.
34
Signature Alarms
Alarm Type
Network Activity
IPS Activity
Outcome
False positive
Normal user traffic
Alarm generated
Tune alarm
False negative
Attack traffic
No alarm generated
Tune alarm
True positive
Attack traffic
Alarm generated
Ideal setting
True negative
Normal user traffic
No alarm generated
Ideal setting
© 2009 Cisco Learning Institute.
35
Signature Tuning Levels
Informational – Activity that triggers the signature High Medium Low Abnormal Attacks -immediate Abnormal used network network to gain activity access activity detected, or is cause detected, a DoS could is not––an threat, but theis information attack be could malicious, areisdetected and immediate (immediate threat threat is likely extremely likely provided useful be malicious, and immediate threat is not likely © 2009 Cisco Learning Institute.
36
Generating an Alert Specific Alert
Description
Produce alert
This action writes the event to the Event Store as an alert.
Produce verbose alert
This action includes an encoded dump of the offending packet in the alert.
© 2009 Cisco Learning Institute.
37
Logging the Activity Specific Alert Description Log attacker packets Log pair packets Log victim packets
© 2009 Cisco Learning Institute.
This action starts IP logging on packets that contain the attacker address and sends an alert. This action starts IP logging on packets that contain the attacker and victim address pair. This action starts IP logging on packets that contain the victim address and sends an alert.
38
Dropping/Preventing the Activity Specific Alert Description • Terminates the current packet and future packets from this attacker address for a period of time. • The sensor maintains a list of the attackers currently being denied by the system. Deny attacker inline
• Entries may be removed from the list manually or wait for the timer to expire. • The timer is a sliding timer for each entry.
Deny connection inline Deny packet inline © 2009 Cisco Learning Institute.
• If the denied attacker list is at capacity and cannot add a new entry, the packet is still denied. • Terminates the current packet and future packets on this TCP flow. •Terminates the packet. 39
Resetting a TCP Connection/Blocking Activity/Allowing Activity Category
Specific Description Alert
Resetting a Reset TCP • Sends TCP resets to hijack and terminate the TCP connection TCP flow connection
Blocking future activity
Allowing Activity © 2009 Cisco Learning Institute.
Request • This action sends a request to a blocking block device to block this connection. connection • This action sends a request to a blocking Request block host device to block this attacker host. • Sends a request to the notification application Request component of the sensor to perform SNMP SNMP trap notification. • Allows administrator to define exceptions to configured signatures 40
Planning a Monitoring Strategy
The MARS appliance detected and mitigated the ARP poisoning attack.
There Thereare arefour fourfactors factorsto to consider consider when whenplanning planningaa monitoring monitoringstrategy. strategy. ••Management Managementmethod method ••Event Event correlation correlation ••Security Securitystaff staff ••Incident Incidentresponse responseplan plan © 2009 Cisco Learning Institute.
41
MARS
The Thesecurity securityoperator operatorexamines examines the theoutput outputgenerated generatedby bythe the MARS MARSappliance: appliance: ••MARS MARSisisused usedto tocentrally centrally manage manageall allIPS IPSsensors. sensors. ••MARS MARSisisused usedto tocorrelate correlateall all of ofthe theIPS IPSand andSyslog Syslogevents events ininaacentral centrallocation. location. ••The Thesecurity securityoperator operatormust must proceed proceedaccording accordingto tothe the incident incidentresponse responseplan plan identified identifiedininthe theNetwork Network Security SecurityPolicy. Policy.
© 2009 Cisco Learning Institute.
42
Cisco IPS Solutions • Locally Managed Solutions: - Cisco Router and Security Device Manager (SDM) - Cisco IPS Device Manager (IDM)
• Centrally Managed Solutions: - Cisco IDS Event Viewer (IEV) - Cisco Security Manager (CSM) - Cisco Security Monitoring, Analysis, and Response System (MARS)
© 2009 Cisco Learning Institute.
43
Cisco Router and Security Device Manager
Monitors and prevents intrusions by comparing traffic against signatures of known threats and blocking the traffic when a threat is detected
Lets administrators control the application of Cisco IOS IPS on interfaces, import and edit signature definition files (SDF) from Cisco.com, and configure the action that Cisco IOS IPS is to take if a threat is detected
© 2009 Cisco Learning Institute.
44
Cisco IPS Device Manager • A web-based configuration tool • Shipped at no additional cost with the Cisco IPS Sensor Software • Enables an administrator to configure and manage a sensor • The web server resides on the sensor and can be accessed through a web browser
© 2009 Cisco Learning Institute.
45
Cisco IPS Event Viewer
• View and manage alarms for up to five sensors • Connect to and view alarms in real time or in imported log files • Configure filters and views to help you manage the alarms. • Import and export event data for further analysis.
© 2009 Cisco Learning Institute.
46
Cisco Security Manager • Powerful, easy-to-use solution to centrally provision all aspects of device configurations and security policies for Cisco firewalls, VPNs, and IPS • Support for IPS sensors and Cisco IOS IPS • Automatic policy-based IPS sensor software and signature updates • Signature update wizard
© 2009 Cisco Learning Institute.
47
Cisco Security Monitoring Analytic and Response System
• An appliance-based, allinclusive solution that allows network and security administrators to monitor, identify, isolate, and counter security threats • Enables organizations to more effectively use their network and security resources. • Works in conjunction with Cisco CSM. © 2009 Cisco Learning Institute.
48
Secure Device Event Exchange
Alarm SDEE Protocol
Alarm
Syslog
Network Management Console
Syslog Server
• The SDEE format was developed to improve communication of events generated by security devices • Allows additional event types to be included as they are defined
© 2009 Cisco Learning Institute.
49
Best Practices • The need to upgrade sensors with the latest signature packs must be balanced against the momentary downtime. • When setting up a large deployment of sensors, automatically update signature packs rather than manually upgrading every sensor. • When new signature packs are available, download the new signature packs to a secure server within the management network. Use another IPS to protect this server from attack by an outside party. • Place the signature packs on a dedicated FTP server within the management network. If a signature update is not available, a custom signature can be created to detect and mitigate a specific attack.
© 2009 Cisco Learning Institute.
50
Best Practices • Configure the FTP server to allow read-only access to the files within the directory on which the signature packs are placed only from the account that the sensors will use. • Configure the sensors to automatically update the signatures by checking the FTP server for the new signature packs periodically. Stagger the time of day when the sensors check the FTP server for new signature packs. • The signature levels that are supported on the management console must remain synchronized with the signature packs on the sensors themselves.
© 2009 Cisco Learning Institute.
51
Overview of Implementing IOS IPS I want to use CLI to manage my signature files for IPS. I have downloaded the IOS IPS files.
1. Download the IOS IPS files 2. Create an IOS IPS configuration directory on Flash 3. Configure an IOS IPS crytpo key 4. Enable IOS IPS 5. Load the IOS IPS Signature Package to the router
© 2009 Cisco Learning Institute.
52
1. Download the Signature File
Download IOS IPS signature package files and public crypto key
© 2009 Cisco Learning Institute.
53
2. Create Directory R1# mkdir ips Create directory filename [ips]? Created dir flash:ips R1# R1# dir flash: Directory of flash:/ 5 -rw51054864 Jan 10 2009 15:46:14 -08:00 c2800nm-advipservicesk9-mz.124-20.T1.bin 6 drw0 Jan 15 2009 11:36:36 -08:00 ips 64016384 bytes total (12693504 bytes free) R1#
To rename a directory: R1# rename ips ips_new Destination filename [ips_new]? R1#
© 2009 Cisco Learning Institute.
54
3. Configure the Crypto Key 1
2
R1# conf t R1(config)#
1 – Highlight and copy the text contained in the public key file. 2 – Paste it in global configuration mode. © 2009 Cisco Learning Institute.
55
Confirm the Crypto Key R1# show run
