
Lecture CCNA security partner - Chapter 11: Intrusion Prevention Systems


Intrusion Prevention Systems

© 2012 Cisco and/or its affiliates. All rights reserved.

1


Contents
This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS).
• The fundamentals of intrusion prevention, comparing IDS and IPS
• The building blocks of IPS, introducing the underlying technologies and deployment options
• The use of signatures in intrusion prevention, highlighting the benefits and drawbacks
• The need for IPS alarm monitoring, evaluating the options for event managers
• Analyzing the design considerations in deploying IPS



IPS Fundamentals
Introducing IDS and IPS:
• Targeted, mutating, stealth threats are increasingly difficult to detect.
• Attackers have insidious motivations and exploit high-impact targets, often for financial benefit or economic and political reasons.
• Attackers are taking advantage of new ways of communication.
IDS:
• Analyzes copies of the traffic stream
• Does not slow network traffic
• Allows some malicious traffic into the network
IPS:
• Works inline in real time to monitor Layer 2 through Layer 7 traffic and content
• Needs to be able to handle network traffic


IDS and IPS technologies
• IDS and IPS technologies share several characteristics:
• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
  • A router configured with Cisco IOS IPS Software
  • An appliance specifically designed to provide dedicated IDS or IPS services
  • A network module installed in a Cisco adaptive security appliance, switch, or router
• IDS and IPS technologies typically monitor for malicious activities in two spots:
  • Network:
  • Hosts:
• IDS and IPS technologies use signatures to detect patterns of misuse in network traffic
• IDS and IPS technologies look for the following general patterns of misuse:


Intrusion Detection System
• An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic including:
  • Reconnaissance attacks
  • Access attacks
  • Denial of Service attacks
• It is a passive device because it analyzes copies of the traffic stream.
  • Only requires a promiscuous interface.
  • Does not slow network traffic.
  • Allows some malicious traffic into the network.


Intrusion Prevention System
• It builds upon IDS technology to detect attacks. However, it can also immediately address the threat.
• An IPS is an active device because all traffic must pass through it.
  • Referred to as “inline mode”, it works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
  • It can also stop single-packet attacks from reaching the target system (IDS cannot).


Comparing IDS and IPS Solutions

IDS (Promiscuous Mode)
  Advantages:
  • No impact on network (latency, jitter).
  • No network impact if there is a sensor failure or a sensor overload.
  Disadvantages:
  • Response action cannot stop trigger packets.
  • Correct tuning required for response actions.
  • More vulnerable to network evasion techniques.

IPS (Inline Mode)
  Advantages:
  • Stops trigger packets.
  • Can use stream normalization techniques.
  Disadvantages:
  • Some impact on network (latency, jitter).
  • Sensor failure or overloading impacts the network.


So, IDS or IPS? Why Not Both?
• The IDS sensor in front of the firewall is deployed in promiscuous mode to monitor traffic in the untrusted network.


Alarm Types
• False positive
• False negative
• True positive
• True negative


Making Sense of Alarm Types Terminology
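The four alarm types are easiest to reason about as a two-by-two matrix of what the sensor did (alarm or no alarm) against what the traffic actually was (malicious or benign). The following Python is an added example, not from the slides or from Cisco: the events are constructed, and `classify`, `tally` and `tuning_metrics` are names chosen for this example.

```python
"""Alarm-type terminology worked through on constructed sensor events.

Added example (not from the slides). Each record pairs what the sensor did
(alarm fired or not) with what the traffic turned out to be (malicious or
benign), as an analyst would label it after investigation.
"""
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed sample: (description, alarm_fired, actually_malicious)
SAMPLE_EVENTS: Tuple[Tuple[str, bool, bool], ...] = (
    ("SQL injection attempt against web server", True, True),
    ("Port sweep from external host", True, True),
    ("Worm propagation attempt on SMB", True, True),
    ("Nightly backup job (bulk SMB traffic)", True, False),
    ("Authorised vulnerability scan by security team", True, False),
    ("Obfuscated exploit matching no signature", False, True),
    ("Normal HTTPS browsing", False, False),
    ("DNS lookups from workstations", False, False),
    ("NTP synchronisation", False, False),
    ("Software update download", False, False),
)

ALARM_TYPES = ("true positive", "false positive", "false negative", "true negative")


def classify(alarm_fired: bool, actually_malicious: bool) -> str:
    """Map one event to the alarm type the slide names."""
    if alarm_fired:
        return "true positive" if actually_malicious else "false positive"
    return "false negative" if actually_malicious else "true negative"


def tally(events: Iterable[Tuple[str, bool, bool]]) -> Dict[str, int]:
    """Count events per alarm type; every type is present even when zero."""
    counts = Counter(classify(fired, malicious) for _, fired, malicious in events)
    return {kind: counts.get(kind, 0) for kind in ALARM_TYPES}


def tuning_metrics(counts: Dict[str, int]) -> Dict[str, float]:
    """Rates a tuning effort tracks. Zero denominators yield 0.0, not an error."""
    tp = counts["true positive"]
    fp = counts["false positive"]
    fn = counts["false negative"]
    tn = counts["true negative"]

    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    return {
        # share of alarms that were real attacks: analyst time well spent
        "precision": ratio(tp, tp + fp),
        # share of real attacks the sensor caught; the rest got through
        "detection_rate": ratio(tp, tp + fn),
        # share of benign traffic that alarmed; inline, this is legitimate traffic dropped
        "false_positive_rate": ratio(fp, fp + tn),
    }


if __name__ == "__main__":
    counts = tally(SAMPLE_EVENTS)
    for kind in ALARM_TYPES:
        print(f"{kind:15s} {counts[kind]}")
    for name, value in tuning_metrics(counts).items():
        print(f"{name:20s} {value:.2f}")
```

On the constructed sample the sensor is right 7 times out of 10, but the two rates that matter for tuning point in different directions: the false negatives are what the "allows some malicious traffic" disadvantage of IDS looks like in practice, while in inline mode every false positive is legitimate traffic the IPS dropped, which is why the comparison table above calls for correct tuning before enabling response actions.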




Types of IDS and IPS Sensors



IPS Attack Responses
When an IPS sensor detects malicious activity, it can choose from any or all of the following actions:
• Deny Attacker Inline
• Deny Connection Inline
• Deny Packet Inline
• Log Attacker Packets
• Log Pair Packets
• Log Victim Packets
• Produce Alert
• Produce Verbose Alert
• Request Block Connection
• Request Block Host
• Request SNMP Trap
• Reset TCP Connection


IPS Anti-Evasion Techniques
These techniques include the following:
• Traffic fragmentation
• Traffic substitution
• Protocol-level misinterpretation
• Timing attacks
• Encryption and tunneling
• Resource exhaustion



Anti-evasion features
The following anti-evasion features are available on Cisco IPS sensors:
• Complete session reassembly that supports the string and service engines that must examine a reliable byte stream between two network endpoints
• Data normalization (deobfuscation) inside service engines
• IP Time to Live (TTL) analysis and TCP checksum validation to guard against end-to-end protocol-level traffic interpretation
• Configurable intervals for correlating signatures
• Inspection of traffic inside Generic Routing Encapsulation (GRE) tunnels to prevent evasion through tunneling
• Smart and dynamic summarization of events to guard against too many alarms for high event rates
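The first of these features, session reassembly, is the one the "traffic fragmentation" evasion on the previous slide is aimed at: a string-engine pattern that straddles a segment boundary is invisible to per-packet inspection. The Python below is an added example, not from the slides or from Cisco; the request, the segments and the pattern are constructed, and `Segment`, `reassemble`, `per_packet_match` and `stream_match` are names chosen here.

```python
"""Session reassembly before signature matching (added example).

Constructed TCP segments from one direction of a session arrive out of order,
with one overlapping retransmission. A per-packet matcher misses a pattern
that straddles a segment boundary; matching on the reassembled byte stream
catches it. The pattern and the segments are constructed for this example
and are not Cisco signatures or Cisco code.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


# Constructed string-engine style pattern: a path traversal inside a URL.
PATTERN = b"../../etc/passwd"

# Constructed request; the pattern occupies bytes 23..39 of the stream.
FULL_STREAM = (b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1\r\n"
               b"Host: example.test\r\n\r\n")

# Segments cut at offsets 30 and 50, delivered out of order, plus a
# retransmission of bytes 20..35 that overlaps the first two segments.
SEGMENTS: Tuple[Segment, ...] = (
    Segment(30, FULL_STREAM[30:50]),
    Segment(0, FULL_STREAM[0:30]),
    Segment(20, FULL_STREAM[20:35]),
    Segment(50, FULL_STREAM[50:]),
)


def per_packet_match(segments: Iterable[Segment], pattern: bytes = PATTERN) -> bool:
    """Naive inspection: look for the pattern inside each packet on its own."""
    return any(pattern in seg.payload for seg in segments)


def reassemble(segments: Iterable[Segment], isn: int = 0) -> Optional[bytes]:
    """Rebuild the contiguous byte stream starting at isn.

    Returns None while a hole remains (the sensor has nothing reliable to
    inspect yet). On overlap the bytes already accepted are kept and only the
    new tail is appended. Which overlap policy the sensor applies has to match
    the target host's, which is what the protocol-level misinterpretation
    evasion relies on; a real sensor normalizes the stream rather than guessing.
    """
    buf = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if seg.seq > expected:
            return None              # gap: at least one segment still missing
        if end <= expected:
            continue                 # pure retransmission, nothing new
        buf += seg.payload[expected - seg.seq:]
        expected = end
    return bytes(buf)


def stream_match(segments: Iterable[Segment], pattern: bytes = PATTERN) -> bool:
    """Inspect the reassembled stream; a hole counts as 'not yet matched'."""
    stream = reassemble(segments)
    return stream is not None and pattern in stream


if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SEGMENTS))   # False
    print("stream match:    ", stream_match(SEGMENTS))       # True
```

The constructed segments split the pattern at `../../e` | `tc/passwd`, so `per_packet_match` reports nothing while `stream_match` fires once the stream is whole. This is also why reassembly costs memory and latency on an inline sensor: segments have to be held until the hole closes, which is the resource-exhaustion angle listed on the previous slide and the reason Cisco pairs reassembly with TTL analysis and checksum validation, so that segments the end host would never accept are not allowed to pollute the stream the engine inspects.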



Anti-Evasion Techniques Used by Cisco IPS


Building a Risk Rating into the Detection Capabilities



Risk-Based Intrusion Prevention
Using these considerations, risk ratings typically include several
components:
• Potential damage that could be caused by the activity described by the
signature
• Asset value of the target of the attack
• Accuracy of the triggering signature
• Relevancy of the attack to the target
• Other security countermeasures (controls) in the environment
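To show how these five components combine into one number the sensor can act on, the Python below is an added example, not from the slides or from Cisco's code. The weighting is the risk rating formula published for Cisco IPS sensors as recalled by the author of this example, together with the default scale values for severity, target value and relevancy; none of that is on the slides, so treat the formula, the scales and the action thresholds as assumptions of this example.

```python
"""Risk rating built from the components the slide lists (added example).

The formula below is the one documented for Cisco IPS sensors as recalled
here; it is not on the slides, so treat it and the scale values as
assumptions of this example:

    RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100

  ASR  attack severity rating     potential damage (signature severity level)
  TVR  target value rating        asset value of the target
  SFR  signature fidelity rating  accuracy of the triggering signature
  ARR  attack relevancy rating    relevancy of the attack to the target
  PD   promiscuous delta          credit for other controls when not inline
  WLR  watch list rating          extra weight for hosts already on a watch list
"""
from typing import Dict, List

# Assumed default scales for this example.
SEVERITY_TO_ASR: Dict[str, int] = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE_TO_TVR: Dict[str, int] = {
    "zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200,
}
RELEVANCY_TO_ARR: Dict[str, int] = {"relevant": 10, "unknown": 0, "not-relevant": -10}


def compute_risk_rating(severity: str, target_value: str, fidelity: int,
                        relevancy: str = "unknown", promiscuous_delta: int = 0,
                        watch_list: int = 0) -> int:
    """Return the 0..100 risk rating for one triggered signature.

    fidelity is the signature fidelity rating (0..100). promiscuous_delta is
    only non-zero when the sensor runs in promiscuous mode and other controls
    are assumed to reduce the exposure (assumed range 0..30 for this example).
    """
    if not 0 <= fidelity <= 100:
        raise ValueError("fidelity must be 0..100")
    if not 0 <= promiscuous_delta <= 30:
        raise ValueError("promiscuous_delta must be 0..30")
    if not 0 <= watch_list <= 100:
        raise ValueError("watch_list must be 0..100")
    asr = SEVERITY_TO_ASR[severity]
    tvr = TARGET_VALUE_TO_TVR[target_value]
    arr = RELEVANCY_TO_ARR[relevancy]
    raw = (asr * tvr * fidelity) / 10000 + arr - promiscuous_delta + watch_list
    return max(0, min(100, int(raw)))


# Assumed event-action policy for this example; thresholds chosen here, not
# Cisco's shipped defaults. Action names are the ones on the
# "IPS Attack Responses" slide.
def recommended_actions(risk_rating: int) -> List[str]:
    if risk_rating >= 90:
        return ["Deny Packet Inline", "Produce Alert"]
    if risk_rating >= 70:
        return ["Produce Verbose Alert"]
    return ["Produce Alert"]


if __name__ == "__main__":
    cases = [
        ("high", "mission-critical", 85, "relevant", 0, 0),
        ("medium", "medium", 75, "unknown", 0, 0),
        ("medium", "medium", 75, "unknown", 30, 0),
        ("low", "low", 60, "not-relevant", 0, 0),
    ]
    for sev, tv, sfr, rel, pd, wlr in cases:
        rr = compute_risk_rating(sev, tv, sfr, rel, pd, wlr)
        print(f"{sev:7s} {tv:17s} SFR={sfr:3d} {rel:13s} PD={pd:2d} -> RR={rr:3d} {recommended_actions(rr)}")
```

Two things the worked values make visible: the product term saturates quickly, so a high-severity, high-fidelity signature against a mission-critical host pins the rating at 100 regardless of the additive terms, while the same medium-severity event rated on a promiscuous sensor with a large delta drops from the 50s into the 20s. That second case is the "other security countermeasures" component at work, and it is the reason a risk-based policy lets one rule set behave sensibly on both inline and promiscuous sensors.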



IPv6-Aware IPS
• IPv6 awareness is another important consideration for IPS architectures. Sensors should be IPv6 aware.
• Alarms: Alarms fire when specific parameters are met.
• You should consider the following factors when implementing alarms that a signature uses:
  • The level assigned to the signature determines the alarm severity level.
  • A Cisco IPS signature is assigned one of four severity levels:
    • Informational
    • Low
    • Medium
    • High
  • You can manually adjust the severity level that an alarm produces.
  • To minimize false positives, study your existing network traffic patterns.
  • As an additional source of information, consider implementing NetFlow.


IPS Alarms: Event Monitoring and Management
Event monitoring and management can be divided into the following two needs:
• Real-time event monitoring and management
• Analysis based on archived information (reporting)
There is an important difference between reporting and monitoring. Note that archives are often a significant source of data when producing reports.
• Reporting: Analysis based on archived information
• Event monitoring: Real-time monitoring


Device, Enterprise, and Global Correlation


Global Correlation and Cisco SIO at Work, Preventing Zero-Day Attack


Examples of IPS Deployments



IPS Platforms from Cisco



IPS Best Practices
The following are the recommended practices for designing and deploying IPS architecture:
• Use a combination of detection technologies.
• Take advantage of multiple form factors to deploy a distributed and cost-effective IPS architecture.
• Use a “places in the network” approach, which, for Cisco, refers to the building blocks of a corporate network, such as a data center, a campus, and a branch office.
• Enable anti-evasion techniques.
• Take advantage of local, enterprise, and global correlation.
• Use a risk-based approach to improve accuracy and simplify management.
• When deploying a large number of sensors, automatically update signature packages instead of manually upgrading every sensor.
• Place the signature packages on a dedicated FTP server within the management network.


Fail-Open or Fail-Close Approach



Recommended practices
Recommended practices are based on a series of key factors in current IPS architectures:
• Intelligent, distributed detection
  • Vulnerability- and exploit-specific signatures
  • Protocol anomaly detection
  • Knowledge base anomaly detection
  • Reputation filters
• Accurate, precise response to relevant attacks
  • Risk management–based policy
  • Global correlation adding reputation
  • On-box correlation
  • “Trustworthiness” linkages with the endpoint
• Flexible deployment options