
CCSP IPS Quick Reference
Anthony Sequeira
ciscopress.com

Contents
Chapter 1: Introducing Intrusion Detection and Prevention
Chapter 2: Installation of a Typical Sensor
Chapter 3: Cisco Intrusion Detection and Prevention Signatures
Chapter 4: Advanced Configurations
Chapter 5: Additional Intrusion Detection and Prevention Devices
Chapter 6: Monitoring and Maintenance



CCSP IPS Quick Reference, by Anthony Sequeira. ISBN: 9781587055713. Publisher: Cisco Press. Print publication date: 2008/01/04.
Prepared for Tran Huong, Safari ID / user number 999108. Copyright 2008, Safari Books Online, LLC.
This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use privilege under U.S. copyright laws (see 17 USC 107) or that otherwise violates the Safari Terms of Service is strictly prohibited.


About the Author
Anthony Sequeira (CCIE-R/S #15626) possesses high-level certifications from both Cisco and Microsoft. For the past
15 years, he has written and lectured to massive audiences about the latest in networking technologies. He is a certified
Cisco instructor with Thomson NETg. He lives with his wife and daughter in Tampa, Florida.

About the Technical Editor

Ronald Trunk, CCIE, CISSP, is a highly experienced consultant and network architect with a special interest in secure
network design and implementation. He has designed complex multimedia networks for both government and commercial
clients. He is the author of several articles on network security and troubleshooting. He lives in suburban Washington, D.C.

© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 52 for more details.

CHAPTER 1
Introducing Intrusion Detection and Prevention


Understanding Intrusion Prevention and Detection
Cisco provides intrusion detection and prevention in several ways in its current security portfolio. You can add the capability to your network with a dedicated hardware appliance known as a sensor, or with a network module inserted into a router or switch. However you implement the technology, the goal is the same: to take some action when an attack is introduced into your network. That action might be to alert the network administrator through an automated notification, or to prevent the attack by dropping the offending packets at the device.

Intrusion Prevention Versus Intrusion Detection
Intrusion detection is powerful in that you can be notified when potential problems or attacks are introduced into your
network. However, detection cannot prevent attacks from occurring. Detection cannot prevent attacks because it operates
on copies of packets. Often these copies of packets are received from another Cisco device (typically a switch). Sensors
that operate using intrusion detection are said to run in promiscuous mode.
Intrusion prevention is more powerful because potential threats and attacks can be stopped from entering your network or
a particular network segment. The sensor can perform prevention because it operates inline with packet flows.

IPS/IDS Terminology
You should be aware of the many security terms that are related to intrusion detection and prevention technologies.

Vulnerability
A vulnerability is a weakness that compromises the security or functionality of a particular system in your network. An
example of a vulnerability is a web form on your public website that does not adequately filter inputs or guard against
improper data entry. An attacker might enter invalid characters in an attempt to corrupt the underlying database.

Exploit
An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems. For example, if poor
passwords are in use on your network, a password-cracking package might be the exploit aimed at this vulnerability.

False Alarms
False alarms are IPS events that you do not want occurring in your implementation. The two types of false alarms are
false positives and false negatives. Both are undesirable.


False Positive
A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack. This
type of traffic is often called benign traffic.

False Negative
A false negative occurs when attack traffic does not trigger an alert on the IPS device. This is often viewed as the worst
type of false alarm—for obvious reasons.

True Alarms
The two types of true alarms in IPS terminology are true positive and true negative. Both are desirable.

True Positive
A true positive means that the IPS device recognized and responded to an attack.

True Negative
This means that nonoffending or benign traffic did not trigger an alarm.

Promiscuous Versus Inline Mode
IDS/IPS sensors operate in promiscuous mode by default. In this mode another device (often a switch) captures traffic and forwards a copy to the sensor for analysis. Because the sensor works with a copy of the traffic, it performs IDS: it can detect an attack and send an alert (as well as take other actions), but it cannot prevent the attack from entering the network or a network segment, because it does not sit inline in the forwarding path. Figure 1 shows a promiscuous mode IDS implementation.

Figure 1: Promiscuous mode (IDS). The attack enters the network; the sensor receives only a copy of the attack and reports to the management system.

If a Cisco IPS device operates in inline mode (see Figure 2), it can perform prevention as opposed to mere detection, because the IPS device is in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet).

Figure 2: Inline mode (IPS). The attack must pass through the sensor, which sits in the forwarding path and reports to the management system.

To configure inline mode, you need two monitoring interfaces that are defined in the sensor as an inline pair. This pair of
interfaces acts as a transparent Layer 2 structure that can drop an attack that fires a signature.
Keep in mind that a sensor could be configured inline and could be set up so that it only alerts and doesn’t drop packets.
This would be an example of an inline configuration where only IDS is performed.
IPS version 6.0 software permits a device to do promiscuous mode and inline mode simultaneously. This would allow one
segment to be monitored for IDS only while another segment features IPS protection.

Approaches to Intrusion Prevention
Signature-Based
Although Cisco uses a blend of detection and prevention technologies, signature-based IPS is the primary tool that Cisco IPS solutions use. Cisco releases signatures that are added to the device; each identifies a pattern that a known attack presents. This approach, also called pattern matching, is much less prone to false positives than the others and ensures that the IPS stops common, known threats. Its limitation is the mirror image: an attack for which no signature exists yet, or whose pattern has been altered enough (see the evasive techniques later in this chapter), produces no alert, which is a false negative. As new attacks appear, signatures are added, tuned, and updated to cover them, so keeping the signature set current is part of operating the sensor.

Anomaly-Based
This type of intrusion prevention technology is often called profile-based. It attempts to discover activity that deviates
from what an engineer defines as “normal.” Because it can be so difficult to define what is “normal” activity for a given
network, this approach tends to be prone to a high number of false positives.
The two common types of anomaly-based IPSs are statistical anomaly detection and nonstatistical. The statistical
approach learns about the traffic patterns on the network itself, and the nonstatistical approach uses information coded by
the vendor.

Policy-Based
With this type of technology, the security policy is “written” into the IPS device. Alarms are triggered if activities are detected that violate the security policy coded by the organization. Notice how this differs from signature-based: signature-based focuses on stopping common attacks, and policy-based is more concerned with enforcing the organization’s security policy.

Protocol Analysis-Based
This approach is similar to signature-based, but it looks deeper into packets: the sensor decodes the protocol and inspects the payload in the context of that protocol (for example, the individual fields of an HTTP request). Whereas a plain signature matches a fixed pattern against the packet, protocol analysis can inspect the decoded fields, which makes it more flexible at finding some types of attacks, including variants that a fixed pattern would miss.

Exploring Evasive Techniques
Because attackers are aware of IPS technologies, they have developed methods of countering these devices in an attempt
to continue attacks on network systems.

String Match
In this type of attack, strings in the data are changed in minor ways in an attempt to evade detection. Obfuscation is one
method, in which control characters, hexadecimal representation, or Unicode representation help disguise the attack.
Another string-match type of evasive technique is to simply change the string’s case.

Fragmentation
With this evasive measure, the attacker breaks the attack packets into fragments so that they are more difficult to recognize. Fragmentation adds a layer of complexity for the sensor, which now must engage in the resource-intensive process
of reassembling the packets.

Session
In this type of attack, the attacker spreads the attack using a large number of very small packets, not using fragmentation
in the approach. TCP segment reassembly can be used to combat this evasive measure.

Insertion
In this evasive technique, the attacker inserts data that is harmless along with the attack data. The IPS sensor does not fire
an alert because of the harmless data. The end system ignores the harmless data and processes only the attack data.

Evasion
With this type of evasive technique, the attacker causes the sensor to see a different data stream than the intended victim.
Unlike the insertion attack, the end system sees more data than the sensor, which results in an attack.

TTL-Based
One way to implement an insertion attack is to manipulate the time-to-live (TTL) value in the IP header of the packets or fragments that carry the attack. A packet whose TTL expires after it passes the sensor but before it reaches the end system is seen by the sensor but never by the victim, so the IPS sensor reassembles a different data stream than the end system does.
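The following is an added, constructed example (not code from the book or from Cisco) that plays three of the evasions described above, string-match obfuscation, session splitting, and TTL-based insertion, against a naive sensor and against a sensor that reassembles, normalizes, and filters on TTL. The packets are hand-built (seq, ttl, payload) triples standing in for captured TCP segments; the "cmd.exe" signature string, the HTTP requests, and the hop counts SENSOR_HOPS and VICTIM_HOPS are assumptions chosen for illustration.

```python
"""String-match, session and TTL-insertion evasions against three sensors.

Constructed example: packets are (seq, ttl, payload) triples standing in for
captured TCP segments; the signature, requests and hop counts are made up.
"""
from urllib.parse import unquote_to_bytes

SIGNATURE = b"cmd.exe"   # hypothetical signature string
SENSOR_HOPS = 2          # routers between the attacker and the sensor's tap (assumed)
VICTIM_HOPS = 4          # routers between the attacker and the protected host (assumed)


def reaches(ttl, hops):
    """A packet survives `hops` routers only if its TTL is still >= 1 after
    each of them decrements it, i.e. ttl > hops."""
    return ttl > hops


def tapped(packets):
    """Every packet that gets as far as the sensor's promiscuous tap."""
    return [p for p in packets if reaches(p[1], SENSOR_HOPS)]


def reassemble(packets):
    """Merge segments into one stream by sequence number, whatever order they
    arrived in. Where two segments carry the same offset the first copy wins;
    real TCP stacks differ in that choice, which insertion attacks exploit."""
    stream = {}
    for seq, _ttl, payload in packets:
        for i, byte in enumerate(payload):
            stream.setdefault(seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))


def normalize(data):
    """Undo string-match obfuscation before matching: percent-decode (twice,
    to catch double encoding) and fold case. Unicode forms are out of scope."""
    for _ in range(2):
        data = unquote_to_bytes(data)
    return data.lower()


def naive_sensor(packets):
    """Case-sensitive match on each tapped segment in isolation."""
    return any(SIGNATURE in payload for _, _, payload in tapped(packets))


def reassembling_sensor(packets):
    """Reassembles and normalizes, but trusts every segment the tap delivers."""
    return SIGNATURE in normalize(reassemble(tapped(packets)))


def hardened_sensor(packets):
    """Also discards segments whose TTL cannot carry them to the victim, so the
    sensor reassembles the same stream the victim will."""
    plausible = [p for p in tapped(packets) if reaches(p[1], VICTIM_HOPS)]
    return SIGNATURE in normalize(reassemble(plausible))


def victim_sees(packets):
    """What the protected host reassembles (its web server also URL-decodes)."""
    return normalize(reassemble([p for p in packets if reaches(p[1], VICTIM_HOPS)]))


def split_session(data, size=2, ttl=64, start=0):
    """Session evasion: deliver the request as many tiny TCP segments."""
    return [(start + i, ttl, data[i:i + size]) for i in range(0, len(data), size)]


PLAIN = b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.0\r\n"
OBFUSCATED = b"GET /cgi-bin/%43%6dD.%45xe?/c+dir HTTP/1.0\r\n"   # hex escapes + mixed case

TTL_INSERTION = [            # sensor reassembles "cmd.txt", victim reassembles "cmd.exe"
    (0, 64, b"GET /cgi-bin/cm"),
    (15, 64, b"d."),
    (17, 3, b"txt"),         # TTL 3: passes the two routers to the sensor, dies at the third
    (17, 64, b"exe"),        # the real bytes; only these reach the victim
    (20, 64, b"?/c+dir HTTP/1.0\r\n"),
]

CASES = {
    "plain, one segment": [(0, 64, PLAIN)],
    "string match: hex-encoded, mixed case": [(0, 64, OBFUSCATED)],
    "session: 2-byte segments, sent in reverse": list(reversed(split_session(PLAIN))),
    "insertion: chaff segment with short TTL": TTL_INSERTION,
}


def run_cases():
    """{case: (attack reaches victim, naive verdict, reassembling verdict, hardened verdict)}"""
    return {name: (SIGNATURE in victim_sees(pkts), naive_sensor(pkts),
                   reassembling_sensor(pkts), hardened_sensor(pkts))
            for name, pkts in CASES.items()}


if __name__ == "__main__":
    for name, verdicts in run_cases().items():
        print(f"{name:44} victim/naive/reassembling/hardened = {verdicts}")
```

Running it shows which countermeasure defeats which evasion: normalization alone handles the encoded request, reassembly handles the split session, and only the TTL filter handles insertion. The first-copy-wins policy in reassemble is exactly the ambiguity the Evasion technique turns around: flip it to last-copy-wins and the attacker simply sends the chaff segment last, so the fix is not to guess the victim's policy but to refuse to consider bytes the victim can never receive.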

Encryption-Based
This is a very effective means of getting attacks into the network. The attacker sends the attack inside an encrypted session, and because the IPS device cannot inspect the encrypted payload, it cannot detect the attack. Because this method of foiling the IPS device exists, the network must be designed so that attackers cannot establish encrypted sessions that bypass inspection: place the sensor where the traffic is in the clear (for example, behind the device that terminates the encrypted session), and rely on host IPS on the endpoints, where the data is decrypted, to cover what the network sensor cannot see.

Resource Exhaustion
Another evasive approach is to simply overwhelm the sensor. Often, attackers simply try to overwhelm the physical
device or the staff in charge of monitoring by flooding the device with alarm conditions.

Cisco Solutions and Products
Cisco offers many products and solutions that address the need for intrusion detection and/or prevention in your network infrastructure. These Quick Reference Sheets focus on Cisco products that can run version 6.0 of the Cisco IPS Sensor Software. This version adds many new features, including the following:
- Virtualization support: Allows different policies for different segments that are being monitored by a single sensor.
- New signature engines: Additions that cover Server Message Block and Transparent Network Substrate traffic.
- Passive operating system fingerprinting: A set of features that enables Cisco IPS to identify the operating system of the victim of an attack.
- Improved risk and threat rating system: The risk rating helps with alerts and is now based on many different components to improve the sensor’s performance and operation.
- External product interface: Allows sensors to subscribe to events from other devices.
- Enhanced password recovery: Password recovery no longer requires reimaging.
- Improved Cisco IDM: A new and improved GUI for management.
- Anomaly detection: Designed to detect worm-infested hosts.

Cisco Sensor Family
The Cisco sensor family includes the following devices:
- Cisco IDS Network Module
- Cisco IDS 4215 Sensor
- Cisco IDS 4240 Sensor
- Cisco ASA AIP-SSM

- Cisco IPS 4255 Sensor
- Cisco Catalyst 6500 Series IDSM-2
- Cisco IPS 4260 Sensor

The following legacy devices also can run IPS 6.0 software:
- Cisco IDS 4235 Sensor
- Cisco IDS 4250 XL Sensor

Sensor Software Solutions
You have many options for configuring and managing Cisco sensors. Also, the sensor operating systems and overall
architecture are worth exploring for the certification exam and beyond.

IPS Sensor Software Architecture
IPS sensor software version 6.0 runs on the Linux operating system. The components include the following:
- Event Store: Provides storage for all events.
- SSH and Telnet servers for CLI access: By default, Telnet is disabled.
- Intrusion Detection Application Programming Interface (IDAPI)
- MainApp
- SensorApp: For packet capture and analysis.
- Sensor interfaces

Management Options
For a single device (element management), options include the following:
- Command-line interface (CLI)
- Cisco IDM (IPS Device Manager), a graphical user interface

For multiple-device management (enterprise management), options include the following:
- Cisco IPS Event Viewer
- Cisco Security Manager
- Cisco Security Monitoring, Analysis, and Response System (MARS)


Network IPS
Network IPS refers to the deployment in the network of devices (typically sensors) that capture and analyze traffic as it
traverses the network. Because the sensor analyzes network traffic, it can protect many hosts at the same time.

Host IPS
A host IPS solution features software installed on servers and workstations. Note that this solution does not require additional hardware (sensors). The Cisco Host IPS is called Cisco Security Agent. It complements network IPS by protecting
the integrity of applications and operating systems.

Deploying Sensors
Consider these technical factors when selecting sensors for deployment in an organization:
- The network media in use
- The performance of the sensor
- The overall network design
- The IPS design: Will the sensor analyze and protect many systems, or just a few?
- Virtualization: Will multiple virtual sensors be created in the sensor?

Here are some important issues to keep in mind for an IPS design:
- Your network topology: Size and complexity, connections, the amount and type of traffic.
- The placement of sensors: Place them at entry and exit points that provide sufficient IPS coverage.
- Your management and monitoring options: The number of sensors often dictates the level of management you need.

Locations that generally need to be protected include the following:
- Internet: A sensor between your perimeter gateway and the Internet.
- Extranet: Between your network and the extranet connection.
- Internal: Between internal data centers.
- Remote access: At the point where remote-access users enter the network, hardening perimeter control.
- Server farm: Network IPS at the perimeter of the server farm and host IPS on the servers.

CHAPTER 2


Installation of a Typical Sensor

The Command-Line Interface (CLI)
The CLI is much like the IOS version, but with fewer commands and different modes. You can access the CLI using
- Telnet (disabled by default)
- SSH
- The serial (console) interface

The default username is cisco, with a default password of cisco. You are prompted to change the password on first login. The CLI can be used to
- Initialize the sensor
- Configure
- Administer
- Troubleshoot
- Monitor

Two modes of the CLI differ from a router:
- Service mode: Used to edit a service. You enter it using the command service service-name.
- Multi-instance service mode: Some of the services are multi-instance services to support virtualization. To enter this mode, you use the command service service-name logical-instance-name.

Initializing the Sensor
The setup command at the CLI walks you through initialization. You can do the following:
- Assign a hostname to the sensor. This is case-sensitive. It defaults to sensor.
- Assign an IP address to the command and control interface. The default is 10.1.9.201/24.
- Assign a default gateway. The default is 10.1.9.1.
- Enable or disable the Telnet server. Telnet is disabled by default.
- Specify the web server port. The default is 443.
- Create the network access list: the hosts and networks that are allowed to reach the sensor for management. Anything not listed cannot manage the sensor.
- Configure the date and time.
- Configure the sensor interfaces.
- Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs.
- Configure threat prevention. By default, an event action override denies high-risk network traffic with a risk rating of 90 to 100; this option lets you disable that behavior.

Common CLI Configuration Tasks
Here are some common commands that are available for use at the CLI:
- ping
- trace
- banner login
- show version
- copy /erase source-url destination-url: The erase option erases the destination file before copying.
- copy current-config backup-config
• copy /erase backup-config current-config
• more keyword: Displays configs.
• show settings
• show events

Using the Intrusion Prevention System Device Manager
The Cisco IDM, shown in Figure 3, is a superb web-based graphical user interface for managing the IPS device. To maintain security, the IDM and the client engage in TLS and SSL. The server uses a trusted host certificate to verify the identity of the management workstation. The client uses a server certificate to ensure the identity of the IPS device.
FIGURE 3 Cisco IDM

The version 6.0 sensor software uses Security Device Event Exchange (SDEE) for communication, but it still relies on Remote Data Exchange Protocol (RDEP2) to communicate configuration and IP log information.
SDEE is an IPS communications protocol developed by Cisco. Through SDEE, IPS software version 6 provides an application programming interface (API) for the sensor itself. SDEE is an enhancement to the earlier RDEP.
The Cisco IDM runs on the following:
• Windows 2000, XP: Internet Explorer 6 with Java Plug-in 1.5, Netscape 7.1 with Java Plug-in 1.5
• Sun SPARC Solaris 2.8 or 2.9: Mozilla 1.7
• Red Hat 9.0 or Red Hat Enterprise Linux WS, version 3 running GNOME or KDE: Mozilla 1.7

To log in to the IDM, enter https://sensor_ip_address. The default address is 10.1.9.201 if you did not provide one during setup.
After you are in the IDM, you can configure the general network settings (such as hostname and IP address) by choosing Configuration > Sensor Setup > Network.
To display or re-create the sensor’s SSH host key, choose Configuration > Sensor Setup > SSH > Sensor Key.
To reboot the sensor, choose Configuration > Reboot.
To shut down the sensor, choose Configuration > Shut Down Sensor. For both the reboot and shutdown, the sensor delays for 30 seconds. The logged-in users are notified that the sensor is shutting down.

Configuring Basic Sensor Settings
This section provides guidance for completing the basic sensor setup. As soon as these tasks are complete, a very basic sensor configuration will be in place in your network. The sensor will generate alarms for potentially unsafe traffic that it sees. Although many of these tasks may have been completed using the setup command at the command line, this section focuses on using the IDM for sensor configuration.
Configuring Allowed Hosts
To configure the hosts that are allowed to access the sensor for management and configuration, choose Configuration > Sensor Setup > Allowed Hosts.

Setting the Time
It is very important to ensure that the sensor knows the correct time. This way, event information is more valuable. For a sensor, use NTP or, if you must, set the time manually. For the Cisco Catalyst 6500 IDSM-2, use the parent device or NTP. For the AIP-SSM, use the parent device or NTP. For the sensor, choose Configuration > Sensor Setup > Time to find the time settings.

Configuring Certificates
The sensor uses certificates to prove its identity to other Cisco devices on the network, and also to verify the identity of those devices.
The sensor generates a server certificate when it first starts. You can view this certificate and generate a new one by choosing Configuration > Sensor Setup > Certificates > Server Certificate.
The Trusted Hosts area lists all the trusted host certificates your sensor will accept from other Cisco devices. To modify this list, choose Configuration > Sensor Setup > Certificates > Server Certificate and Configuration > Sensor Setup > Certificates > Trusted Hosts.

User Accounts
When creating user accounts on the sensor for management, you can choose from one of four roles:
• Administrator is the highest level of privileges.
• Operator can view all configuration and events.

• Viewer cannot modify any configuration except its own password.
• Service is a special role for troubleshooting by TAC. There’s only one per sensor.

Only one user at a time can log into IDM.
Create users by choosing Configuration > Sensor Setup > Users.

Interface Roles
Each sensor has one command and control interface for management purposes. Depending on the sensor, you can configure up to nine monitoring interfaces. Interfaces can function as command and control, monitoring, or alternate TCP reset interfaces. The alternate TCP reset interface is for when the interface is operating in promiscuous mode and cannot send TCP reset packets over the same interface where the attack was detected.
Monitoring interfaces can operate in one of four modes:
• Promiscuous mode: In this mode, packets do not flow through the sensor. The sensor causes no performance issues. These interfaces can operate on a sensor also configured for inline mode.
• Inline mode: Traffic passes through the sensor. Two monitoring interfaces must be configured as a pair.
• Inline VLAN pair mode: Here the monitoring interface acts as an 802.1Q trunk port. The sensor bridges between pairs of VLANs on the trunk.
• VLAN group mode: Each physical interface can be divided into VLAN group subinterfaces. This allows you to use a sensor with only a few interfaces as if it had many interfaces. This is critical when you are using virtualization.

Configuring Interfaces
To set up monitoring interfaces, choose Configuration > Interface Configuration > Interfaces.


Software and Hardware Bypass Mode
The software bypass feature allows the sensor to continue passing traffic even if the sensor software fails. This feature is intended for use with only inline paired interfaces. You configure it by choosing Configuration > Interface Configuration > Bypass. The possible modes are Auto, Off, and On. Choosing On causes the sensor to simply act as a bridge and not inspect traffic. Hardware bypass complements software bypass. The four-port Gigabit Ethernet bypass card supports hardware bypass only between ports 0 and 1 and ports 2 and 3.

Viewing Events
As you have learned, following the steps described in this chapter allows you to configure the basics on the sensor. The sensor will now produce alerts based on its default signature settings. You can view the events triggered by signatures that are enabled very easily in IDM. To do this, choose Monitoring > Events.

CHAPTER 3
Cisco Intrusion Detection and Prevention Signatures

Configuring Signatures and Alerts
Signatures are the foundation of IPS. This chapter shows you how to tune and configure signatures to control how the sensor behaves. There are default signatures, tuned signatures (default signatures that you have modified), and your own custom signatures. By default, all built-in signatures generate an alert when fired.

Frequent configuration tasks include enabling or disabling signatures and defining the actions that should occur upon firing.
To access the signatures for configuration, choose Configuration > Signature Definitions > Signature Configuration.

Here are the possible actions that you can configure in response to a signature firing:
• Deny attacker inline terminates the current packet and future packets from the attacker address. This is the most severe of the deny actions.
• Deny attacker service pair inline terminates the current packet and future packets from the attacker address and victim port pair.
• Deny attacker victim pair inline terminates the current packet and future packets from the attacker address and victim address pair.
• Deny connection inline terminates the current packet and future packets on the flow.
• Deny packet inline terminates the packet.
• Log attacker packets starts IP logging and sends an alert.
• Log pair packets starts IP logging for the attacker and victim pair and sends an alert.
• Log victim packets starts IP logging for the victim address and sends an alert.
• Produce alert.
• Produce verbose alert.
• Request block connection sends a request to a blocking device.
• Request block host.
• Request SNMP trap.
• Reset TCP connection.

Notice that many of the response actions to a signature firing involve denying attackers access to your protected network.
To manage denied attackers, choose Monitoring > Denied Attackers.
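As an added illustration (not code from the Quick Reference or from Cisco), the Python model below shows how the deny actions above differ in scope, that is, which later packets are dropped once an entry exists in the Denied Attackers table, and how the threat prevention event action override from the setup command (deny traffic with a risk rating of 90 to 100) adds deny attacker inline to whatever a signature is configured with. The InlineSensor class, the action names and all packet values are constructed for this example.

```python
from dataclasses import dataclass

# Risk ratings denied by the threat prevention event action override (90 to 100 per the text)
HIGH_RISK = range(90, 101)


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the deny actions key on."""
    src: str      # attacker address
    dst: str      # victim address
    dport: int    # victim port
    proto: str = "tcp"

    def flow(self):
        return (self.src, self.dst, self.dport, self.proto)


class InlineSensor:
    """Hypothetical inline sensor that tracks its Denied Attackers table."""

    def __init__(self, threat_prevention=True):
        self.threat_prevention = threat_prevention
        self.denied = set()  # (scope, key) entries, as listed under Monitoring > Denied Attackers

    def effective_actions(self, configured, risk_rating):
        """The signature's configured actions plus the high-risk override, if enabled."""
        actions = set(configured)
        if self.threat_prevention and risk_rating in HIGH_RISK:
            actions.add("deny-attacker-inline")
        return actions

    def fire(self, pkt, configured, risk_rating):
        """Signature fires on pkt: record the future-deny scope; return True if pkt is dropped."""
        actions = self.effective_actions(configured, risk_rating)
        if "deny-attacker-inline" in actions:               # all future packets from the attacker
            self.denied.add(("attacker", pkt.src))
        if "deny-attacker-service-pair-inline" in actions:  # attacker address + victim port
            self.denied.add(("attacker-service", (pkt.src, pkt.dport)))
        if "deny-attacker-victim-pair-inline" in actions:   # attacker address + victim address
            self.denied.add(("attacker-victim", (pkt.src, pkt.dst)))
        if "deny-connection-inline" in actions:             # this flow only
            self.denied.add(("flow", pkt.flow()))
        # Every deny action terminates the current packet; deny-packet-inline does nothing more.
        return any(a.startswith("deny-") for a in actions)

    def is_dropped(self, pkt):
        """Would a later packet be dropped by an existing Denied Attackers entry?"""
        keys = (("attacker", pkt.src),
                ("attacker-service", (pkt.src, pkt.dport)),
                ("attacker-victim", (pkt.src, pkt.dst)),
                ("flow", pkt.flow()))
        return any(k in self.denied for k in keys)
```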

Signature Engines
An IPS sensor relies on signature engines to efficiently monitor your network using the many signatures that make up the operation of the sensor. Each signature engine is responsible for running a group of signatures.
Many signature engines support entire categories of signatures. Signature engines include tunable parameters. Some parameters are specific to an engine, and others are common to many engines.


Common Parameters
Some common signature parameters include Signature ID, Alert Severity, and Sig Fidelity Rating.
The Summary mode common parameter controls the number of alarms generated:
• Fire Once.
• Fire All is an alarm for all activity that matches signature characteristics.
• Summarize consolidates alarms.
• Global summarize consolidates alarms for all address combinations.

Summary threshold and global summary threshold values allow you to configure automatic summarization based on the number of alerts detected. This can prevent you from being overwhelmed by a large number of events produced by the sensor.
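As an added example (not from the Quick Reference or from Cisco's implementation), the Python function below models the four Summary mode settings and the two thresholds over a constructed list of hits for one signature. Fixed summary intervals, the (seconds, attacker, victim) hit layout and the threshold rule (an interval whose hit count exceeds the threshold is consolidated) are assumptions made for this illustration.

```python
from collections import Counter, defaultdict

# Constructed hits for one signature: (seconds, attacker address, victim address)
SAMPLE_HITS = [
    (0, "192.0.2.10", "198.51.100.5"),
    (1, "192.0.2.10", "198.51.100.5"),
    (2, "192.0.2.10", "198.51.100.6"),
    (3, "192.0.2.11", "198.51.100.5"),
    (40, "192.0.2.10", "198.51.100.5"),
]


def windows(hits, interval):
    """Group hits into fixed summary intervals (an assumption; the sensor's own timer differs)."""
    buckets = defaultdict(list)
    for ts, attacker, victim in hits:
        buckets[ts // interval].append((attacker, victim))
    return [buckets[k] for k in sorted(buckets)]


def summarize(hits, mode, interval=30, summary_threshold=None, global_threshold=None):
    """Return the alerts the sensor would emit as (kind, address pair, count) tuples.

    mode is one of fire-all, fire-once, summarize, global-summarize. When the hits
    in one interval exceed summary_threshold, Fire All is escalated to Summarize for
    that interval (one alert per attacker/victim pair); exceeding global_threshold
    escalates to Global Summarize (one alert covering all address combinations).
    """
    alerts = []
    seen = set()  # Fire Once: alert only on the first hit for each attacker/victim pair
    for window in windows(hits, interval):
        effective = mode
        if effective == "fire-all" and summary_threshold is not None \
                and len(window) > summary_threshold:
            effective = "summarize"
        if effective in ("fire-all", "summarize") and global_threshold is not None \
                and len(window) > global_threshold:
            effective = "global-summarize"

        if effective == "fire-all":
            alerts.extend(("alert", pair, 1) for pair in window)
        elif effective == "fire-once":
            for pair in window:
                if pair not in seen:
                    seen.add(pair)
                    alerts.append(("alert", pair, 1))
        elif effective == "summarize":
            alerts.extend(("summary", pair, n) for pair, n in Counter(window).items())
        elif effective == "global-summarize":
            alerts.append(("global-summary", None, len(window)))
        else:
            raise ValueError(f"unknown summary mode: {mode}")
    return alerts
```

Running the same five hits through each mode shows the event volume dropping from five alerts (Fire All) to two (Global Summarize), which is the effect the thresholds automate.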

ATOMIC
These engines support signatures that are triggered by the content of a single packet. They do not store any state information across packets.

ATOMIC signature engines are:
• ATOMIC ARP
• ATOMIC IP
• ATOMIC IP version 6

FLOOD
The FLOOD signature engines are designed to detect attacks in which the attacker floods traffic to a single host or an entire network.
FLOOD signature engines are:
• FLOOD.NET
• FLOOD.HOST

SERVICE
These engines analyze traffic at and above Layer 5 of the OSI model. They provide protocol decoding for numerous protocols.
SERVICE signature engines are:
• SERVICE DNS
• SERVICE FTP
• SERVICE GENERIC
• SERVICE GENERIC ADVANCED
• SERVICE H225

• SERVICE HTTP
• SERVICE IDENT
• SERVICE MSRPC
• SERVICE MSSQL
• SERVICE NTP
• SERVICE RPC
• SERVICE SMB
• SERVICE SMB ADVANCED
• SERVICE SNMP
• SERVICE SSH
• SERVICE TNS

STRING
The STRING signature engines support regular expressions for pattern matching. Also, alarm functionality is provided for ICMP, UDP, and TCP. State information is maintained because pattern matches are made across a stream of packets.
The STRING engines are:
• STRING ICMP
• STRING TCP
• STRING UDP
• Multi STRING
