
Chapter 11: Intrusion Prevention Systems


Intrusion Prevention Systems

© 2012 Cisco and/or its affiliates. All rights reserved.


Contents
This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS):
• The fundamentals of intrusion prevention, comparing IDS and IPS
• The building blocks of IPS, introducing the underlying technologies and deployment options
• The use of signatures in intrusion prevention, highlighting the benefits and drawbacks
• The need for IPS alarm monitoring, evaluating the options for event managers
• Analyzing the design considerations in deploying IPS


IPS Fundamentals
Introducing IDS and IPS:
• Targeted, mutating, stealth threats are increasingly difficult to detect.
• Attackers have insidious motivations and exploit high-impact targets, often for financial benefit or economic and political reasons.
• Attackers are taking advantage of new ways of communication.

IDS:
• Analyzes copies of the traffic stream
• Does not slow network traffic
• Allows some malicious traffic into the network

IPS:
• Works inline in real time to monitor Layer 2 through Layer 7 traffic and content
• Needs to be able to handle network traffic
• Prevents malicious traffic from entering the network


IDS and IPS Technologies
IDS and IPS technologies share several characteristics:
• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
– A router configured with Cisco IOS IPS Software
– An appliance specifically designed to provide dedicated IDS or IPS services
– A network module installed in a Cisco adaptive security appliance, switch, or router
• IDS and IPS technologies typically monitor for malicious activities in two spots:
– Network
– Hosts
• IDS and IPS technologies use signatures to detect patterns of misuse in network traffic.
• IDS and IPS technologies look for the following general patterns of misuse:
– Atomic pattern
– Composite pattern


Intrusion Detection System
• An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:
– Reconnaissance attacks
– Access attacks
– Denial of Service attacks
• It is a passive device because it analyzes copies of the traffic stream.
– Only requires a promiscuous interface.
– Does not slow network traffic.
– Allows some malicious traffic into the network.



Intrusion Prevention System
• It builds upon IDS technology to detect attacks.
– However, it can also immediately address the threat.
• An IPS is an active device because all traffic must pass through it.
– Referred to as “inline mode”, it works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
– It can also stop single-packet attacks from reaching the target system (IDS cannot).


Comparing IDS and IPS Solutions

IDS (Promiscuous Mode)
Advantages:
• No impact on network (latency, jitter).
• No network impact if there is a sensor failure or a sensor overload.
Disadvantages:
• Response action cannot stop trigger packets.
• Correct tuning required for response actions.
• More vulnerable to network evasion techniques.

IPS (Inline Mode)
Advantages:
• Stops trigger packets.
• Can use stream normalization techniques.
Disadvantages:
• Some impact on network (latency, jitter).
• Sensor failure or overloading impacts the network.



So, IDS or IPS? Why Not Both?
• The IDS sensor in front of the firewall is deployed in promiscuous mode to monitor traffic in the untrusted network.


Alarm Types
• False positive
• False negative
• True positive
• True negative

(Figure: Making Sense of Alarm Types Terminology)
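The four alarm types above are defined by two independent facts: whether the sensor alerted and whether the traffic really was malicious. The following Python is an added example, not code from the Cisco slides; it classifies constructed sample flows into the four types and derives the two rates an analyst tunes against (false alarm rate and miss rate). The sample data and field names are assumptions for illustration.

```python
# Added example (not part of the original Cisco slides): classify sensor
# verdicts against ground truth into the four alarm types and compute the
# rates used when tuning a sensor.
from collections import Counter

# Constructed sample data: one record per observed flow. "alerted" is what the
# sensor did; "malicious" is what later investigation established.
SAMPLE_FLOWS = [
    {"id": 1, "alerted": True,  "malicious": True},   # attack caught
    {"id": 2, "alerted": True,  "malicious": False},  # noisy signature on benign traffic
    {"id": 3, "alerted": False, "malicious": True},   # attack missed
    {"id": 4, "alerted": False, "malicious": False},  # normal traffic, no alarm
    {"id": 5, "alerted": True,  "malicious": True},
    {"id": 6, "alerted": False, "malicious": False},
    {"id": 7, "alerted": True,  "malicious": False},
    {"id": 8, "alerted": False, "malicious": False},
]

ALARM_TYPES = ("true positive", "false positive", "false negative", "true negative")


def alarm_type(alerted: bool, malicious: bool) -> str:
    """Map a sensor verdict and the true nature of the traffic to an alarm type."""
    if alerted and malicious:
        return "true positive"
    if alerted and not malicious:
        return "false positive"
    if not alerted and malicious:
        return "false negative"
    return "true negative"


def tally(flows):
    """Count each alarm type across a set of flows (all four keys always present)."""
    counts = Counter(alarm_type(f["alerted"], f["malicious"]) for f in flows)
    for name in ALARM_TYPES:
        counts.setdefault(name, 0)
    return dict(counts)


def tuning_rates(counts):
    """Rates that drive tuning decisions.

    false_alarm_rate: share of alarms that were false (analyst effort wasted).
    miss_rate:        share of real attacks that raised no alarm (risk accepted unknowingly).
    """
    alarms = counts["true positive"] + counts["false positive"]
    attacks = counts["true positive"] + counts["false negative"]
    return {
        "false_alarm_rate": counts["false positive"] / alarms if alarms else 0.0,
        "miss_rate": counts["false negative"] / attacks if attacks else 0.0,
    }


if __name__ == "__main__":
    counts = tally(SAMPLE_FLOWS)
    print(counts)
    print(tuning_rates(counts))
```

Tuning a signature to be stricter lowers the false alarm rate but can raise the miss rate; tracking both numbers over time is what makes the "study your existing network traffic patterns" advice later in the chapter measurable.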


Types of IDS and IPS Sensors


IPS Attack Responses
When an IPS sensor detects malicious activity, it can choose from any or all of the following actions:
• Deny Attacker Inline
• Deny Connection Inline
• Deny Packet Inline
• Log Attacker Packets
• Log Pair Packets
• Log Victim Packets
• Produce Alert
• Produce Verbose Alert
• Request Block Connection
• Request Block Host
• Request SNMP Trap
• Reset TCP Connection


IPS Anti-Evasion Techniques
Attackers use the following evasion techniques, which an IPS must be able to counter:
• Traffic fragmentation
• Traffic substitution
• Protocol-level misinterpretation
• Timing attacks
• Encryption and tunneling
• Resource exhaustion


Anti-Evasion Features
The following anti-evasion features are available on Cisco IPS sensors:
• Complete session reassembly that supports the string and service engines that must examine a reliable byte stream between two network endpoints
• Data normalization (deobfuscation) inside service engines
• IP Time to Live (TTL) analysis and TCP checksum validation to guard against end-to-end protocol-level traffic interpretation
• Configurable intervals for correlating signatures
• Inspection of traffic inside Generic Routing Encapsulation (GRE) tunnels to prevent evasion through tunneling
• Smart and dynamic summarization of events to guard against too many alarms for high event rates
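The first feature in the list, complete session reassembly, is the direct answer to the traffic fragmentation evasion named on the previous slide: a string signature split across several TCP segments, delivered out of order, never appears inside any single segment. The following Python is an added example, not code from the Cisco slides or from any Cisco engine; it reassembles a constructed session from relative sequence numbers and shows that per-segment inspection misses the pattern while inspection of the reassembled byte stream finds it. The signature, the payloads and the overlap policy are assumptions for illustration.

```python
# Added example (not from the Cisco slides): why a string signature must be
# matched over the reassembled session byte stream rather than per segment.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


# Constructed signature: the byte pattern the string engine looks for.
SIGNATURE = b"cmd.exe"

# Constructed session: the pattern is split across three segments that arrive
# out of order (traffic fragmentation evasion).
EVASIVE_SESSION = [
    Segment(seq=10, payload=b"d.ex"),
    Segment(seq=0,  payload=b"GET /?q=cm"),
    Segment(seq=14, payload=b"e HTTP/1.0\r\n"),
]


def match_per_segment(segments, signature):
    """Naive inspection: look for the signature inside each segment as it arrives."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Rebuild the byte stream from relative sequence numbers.

    Segments are ordered by seq. A gap raises ValueError (a real engine would
    hold the session until the missing bytes arrive). For overlapping
    retransmissions the bytes already accepted are kept; this "first wins"
    policy is an assumption here, and a sensor must apply whichever policy
    the protected host uses so attacker and sensor see the same stream.
    """
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > len(stream):
            raise ValueError(f"gap before seq {seg.seq}; stream incomplete")
        already_have = len(stream) - seg.seq      # overlap with accepted bytes
        stream.extend(seg.payload[already_have:])
    return bytes(stream)


def match_reassembled(segments, signature):
    """Inspection after session reassembly: match on the full byte stream."""
    return signature in reassemble(segments)


if __name__ == "__main__":
    print("per-segment match:", match_per_segment(EVASIVE_SESSION, SIGNATURE))
    print("reassembled match:", match_reassembled(EVASIVE_SESSION, SIGNATURE))
    print(reassemble(EVASIVE_SESSION))
```

The gap and overlap handling is where the protocol-level misinterpretation evasion lives: if the sensor resolves an overlap differently from the end host, the two see different byte streams, which is why the slide pairs reassembly with TTL analysis and checksum validation.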


Anti-Evasion Techniques Used by Cisco IPS


Building a Risk Rating into the Detection Capabilities


Risk-Based Intrusion Prevention
Using these considerations, risk ratings typically include several components:
• Potential damage that could be caused by the activity described by the signature
• Asset value of the target of the attack
• Accuracy of the triggering signature
• Relevancy of the attack to the target
• Other security countermeasures (controls) in the environment
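The point of a risk rating is that the response actions from the "IPS Attack Responses" slide are chosen from the rating rather than from the signature alone, so the same signature can block on a critical host and merely alert on an irrelevant one. The following Python is an added example, not code from the Cisco slides; it builds a simplified rating from the five components listed above and maps it to response actions. The scales, weights, thresholds and sample events are assumptions for illustration and are not Cisco's actual risk-rating formula.

```python
# Added example (not from the Cisco slides): a hypothetical risk rating built
# from the five listed components, plus a policy that selects response
# actions from the rating. All weights and thresholds are assumptions.
from dataclasses import dataclass


@dataclass
class Event:
    signature: str
    potential_damage: int   # 0-100: damage the described activity could cause
    asset_value: int        # 0-100: value of the target asset
    accuracy: int           # 0-100: fidelity of the signature (higher = fewer false positives)
    relevant: bool          # does the attack apply to the target (vulnerable service present)?
    countermeasures: int    # 0-100: strength of other controls already protecting the target


def risk_rating(e: Event) -> int:
    """Combine the components into a 0-100 rating (assumed model).

    Base is the product of damage, asset value and accuracy scaled to 0-100;
    an irrelevant attack is discounted to a quarter; existing countermeasures
    reduce the residual risk proportionally.
    """
    base = e.potential_damage * e.asset_value * e.accuracy / 10_000
    if not e.relevant:
        base *= 0.25
    residual = base * (1 - e.countermeasures / 100)
    return max(0, min(100, round(residual)))


# Assumed policy: thresholds ordered from most to least severe. Action names
# follow the "IPS Attack Responses" slide; the mapping is an assumption.
POLICY = [
    (90, ["deny-attacker-inline", "produce-alert", "log-attacker-packets"]),
    (70, ["deny-packet-inline", "produce-alert"]),
    (40, ["produce-alert"]),
    (0,  []),   # low risk: no action beyond normal event logging
]


def select_actions(rating: int):
    """Return the action set for the highest policy tier the rating reaches."""
    for threshold, actions in POLICY:
        if rating >= threshold:
            return list(actions)
    return []


# Constructed events: same exploit signature against a vulnerable and a
# non-vulnerable target, plus two lower-impact signatures.
SAMPLE_EVENTS = [
    Event("exploit-x-on-service-y", 100, 100, 95, True, 0),
    Event("exploit-x-on-service-y", 100, 100, 95, False, 0),
    Event("known-worm-propagation", 80, 100, 95, True, 0),
    Event("brute-force-login", 60, 90, 80, True, 0),
]


def triage(events):
    """Rate each event and attach the actions the policy selects."""
    out = []
    for e in events:
        rating = risk_rating(e)
        out.append((e.signature, rating, select_actions(rating)))
    return out


if __name__ == "__main__":
    for sig, rating, actions in triage(SAMPLE_EVENTS):
        print(f"{sig:28s} rating={rating:3d} actions={actions}")
```

The second event is the one to notice: an accurate, high-damage signature against a target that is not vulnerable drops below the alerting threshold, which is how a risk-based policy reduces the false positives the chapter keeps returning to.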


IPv6-Aware IPS
• IPv6 awareness is another important consideration for IPS architectures. Sensors should be IPv6 aware.
• Alarms: alarms fire when specific parameters are met.
• You should consider the following factors when implementing alarms that a signature uses:
– The level assigned to the signature determines the alarm severity level.
– A Cisco IPS signature is assigned one of four severity levels: Informational, Low, Medium, High.
– You can manually adjust the severity level that an alarm produces.
• To minimize false positives, study your existing network traffic patterns.
• As an additional source of information, consider implementing NetFlow on network access devices such as routers and firewalls.


IPS Alarms: Event Monitoring and Management
Event monitoring and management can be divided into the following two needs:
• Real-time event monitoring and management
• Analysis based on archived information (reporting)
There is an important difference between reporting and monitoring. Note that archives are often a significant source of data when producing reports.
• Reporting: Analysis based on archived information
• Event monitoring: Real-time monitoring
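Real-time monitoring only works if the event stream stays readable during a burst, which is what the "smart and dynamic summarization of events" feature on the anti-evasion slide provides: full detail at low rates, one summary record per source at high rates. The following Python is an added example, not code from the Cisco slides; it folds repeated alerts from the same signature and attacker within a time window into a summary record once a count threshold is passed. The window length, threshold, event layout and sample events are assumptions for illustration.

```python
# Added example (not from the Cisco slides): summarise a burst of identical
# alerts within a configurable interval so the event monitor is not flooded.
# Thresholds and the event format are assumptions.

# Constructed raw sensor events: (timestamp_seconds, signature_id, attacker_ip, victim_ip)
RAW_EVENTS = [
    (0,  2004, "198.51.100.7", "192.0.2.10"),
    (1,  2004, "198.51.100.7", "192.0.2.10"),
    (2,  2004, "198.51.100.7", "192.0.2.11"),
    (3,  2004, "198.51.100.7", "192.0.2.12"),
    (4,  3030, "203.0.113.9",  "192.0.2.10"),
    (5,  2004, "198.51.100.7", "192.0.2.13"),
    (6,  2004, "198.51.100.7", "192.0.2.10"),
    (7,  2004, "198.51.100.7", "192.0.2.11"),
    (8,  2004, "198.51.100.7", "192.0.2.10"),
    (31, 2004, "198.51.100.7", "192.0.2.10"),   # new window: detail resumes
]


def _summary(sig, attacker, window):
    """Build the single record that stands in for a burst."""
    return {
        "type": "summary",
        "ts": window["start"],
        "sig": sig,
        "attacker": attacker,
        "count": window["count"],
        "victims": sorted(window["victims"]),
    }


def summarize(events, interval=30, threshold=3):
    """Return a reduced event list.

    Within each `interval` seconds, events sharing a signature and attacker
    are emitted individually until `threshold` have been seen; any further
    ones are folded into one summary record carrying the total count and the
    set of victims. Low-rate sources therefore keep full detail, high-rate
    sources collapse to one record per window.
    """
    output = []
    windows = {}   # (sig, attacker) -> {"start", "count", "victims"}
    for ts, sig, attacker, victim in sorted(events):
        key = (sig, attacker)
        w = windows.get(key)
        if w is None or ts - w["start"] >= interval:
            # close the previous window for this key, emitting a summary if it burst
            if w is not None and w["count"] > threshold:
                output.append(_summary(sig, attacker, w))
            w = windows[key] = {"start": ts, "count": 0, "victims": set()}
        w["count"] += 1
        w["victims"].add(victim)
        if w["count"] <= threshold:
            output.append({"type": "alert", "ts": ts, "sig": sig,
                           "attacker": attacker, "victim": victim})
    # flush windows still open at the end of the input
    for (sig, attacker), w in windows.items():
        if w["count"] > threshold:
            output.append(_summary(sig, attacker, w))
    return output


if __name__ == "__main__":
    for record in summarize(RAW_EVENTS):
        print(record)
```

The summary record keeps the victim list, so the reporting side described above can still reconstruct who was targeted from the archive even though the real-time console saw one line instead of eight.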


Device, Enterprise, and Global Correlation


Global Correlation and Cisco SIO at Work, Preventing Zero-Day Attack


Examples of IPS Deployments


IPS Platforms from Cisco


IPS Best Practices
The following are the recommended practices for designing and deploying IPS architecture:
• Use a combination of detection technologies.
• Take advantage of multiple form factors to deploy a distributed and cost-effective IPS architecture.
• Use a “places in the network” approach, which, for Cisco, refers to the building blocks of a corporate network, such as a data center, a campus, and a branch office.
• Enable anti-evasion techniques.
• Take advantage of local, enterprise, and global correlation.
• Use a risk-based approach to improve accuracy and simplify management.
• When deploying a large number of sensors, automatically update signature packages instead of manually upgrading every sensor.
• Place the signature packages on a dedicated FTP server within the management network.
• Tune the IPS architecture constantly.


Fail-Open or Fail-Close Approach


Recommended Practices
Recommended practices are based on a series of key factors in current IPS architectures:
• Intelligent, distributed detection
– Vulnerability- and exploit-specific signatures
– Protocol anomaly detection
– Knowledge base anomaly detection
– Reputation filters
• Accurate, precise response to relevant attacks
– Risk management–based policy
– Global correlation adding reputation
– On-box correlation
– “Trustworthiness” linkages with the endpoint
• Flexible deployment options
– Passive and/or inline with flexible response (IDS/IPS)
– Sensor virtualization
– Physical and logical (VLAN) interface support
– Software and hardware bypass

