CCNA Security 1.1 Instructional Resource
Chapter 5 – Implementing Intrusion Prevention

© 2012 Cisco and/or its affiliates. All rights reserved.

Transcript of CCNA Security 1.1 Instructional Resource, Chapter 5 (23 pages)
Source: faculty.olympic.edu/kblackwell/docs/cis274/PowerPoint/CCNAS_v11_IR...

Page 1

Page 2

• Describe the underlying IDS and IPS technology that is embedded in the Cisco host- and network-based IDS and IPS solutions.

• Configure Cisco IOS IPS using CLI and CCP.

• Verify Cisco IOS IPS using CLI and CCP.

Page 3

8.0 Implementing Cisco IPS

8.1 Describe IPS deployment considerations

8.1.3 Placement

8.2 Describe IPS technologies

8.2.1 Attack responses

8.2.2 Monitoring options

8.2.3 Syslog

8.2.4 SDEE

8.2.5 Signature engines

8.2.6 Signatures

8.2.7 Global Correlation and SIO

8.3 Configure Cisco IOS IPS using CCP

8.3.1 Logging

8.3.2 Signatures

Page 4

• IDS passively monitors mirrored traffic offline.

• IPS operates inline and is able to detect and respond to an attack in real time.

• IPS is deployed in standalone devices, as a daughter card on ISRs, as network modules in ISRs and ASAs, and as dedicated blades on high-end chassis-based switches and routers.

• The three attributes of signatures are type, trigger, and action.

• Signature types are atomic or composite.

• Global Correlation enables Cisco IPS devices to receive real-time threat updates from the Cisco SensorBase Network.

• Alarm types are false positive, false negative, true positive, and true negative.

• Signature severity levels are high, informational, low, and medium.

• Signature actions are generate an alert, log the activity, prevent the activity, reset a TCP connection, block future activity, and allow the activity.

• Cisco IOS IPS can be configured via CLI or CCP.

Page 5

• Chapter 5 Lab A: Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP

– Part 1: Basic Router Configuration

– Part 2: Use CLI to configure an IOS Intrusion Prevention System (IPS)

– Part 3: Configuring an Intrusion Prevention System (IPS) using CCP

Page 6

Anomaly-based Detection
Involves defining a profile of what is considered normal for the network or host, learned by monitoring activity on the network or specific applications on the host over a period of time. An anomaly-based signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.
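The two halves of the definition above (learning a normal profile over a period of time, then alarming when activity exceeds a threshold outside that profile) can be shown with a small worked detector. This is an added illustration, not Cisco IOS IPS code: the metric (new TCP connections per minute, per host), the mean-plus-k-standard-deviations threshold, the floor value and all traffic counts are constructed for the example.

```python
"""Toy anomaly-based detection: learn a 'normal' profile per host from a
learning period, then flag activity that exceeds a threshold above it.
Added illustration, not Cisco IOS IPS code. All counts are constructed."""
from statistics import mean, pstdev

# Constructed learning-period data: new TCP connections per minute, per host,
# observed over a 10-minute baseline window.
BASELINE = {
    "10.1.1.10": [4, 5, 6, 5, 4, 6, 5, 5, 4, 6],              # a quiet workstation
    "10.1.1.20": [20, 22, 19, 21, 20, 23, 21, 20, 22, 21],    # a busy server
}

# Constructed observation window: one minute of counts per host.
OBSERVED = {
    "10.1.1.10": 40,   # far above the workstation's learned profile
    "10.1.1.20": 24,   # within the server's normal range
    "10.1.1.30": 7,    # host never seen during the learning period
}


def learn_profile(baseline):
    """Build the normal profile: per host, the mean and standard deviation of
    the learned metric. This is the 'period of time' learning in the glossary."""
    return {host: (mean(counts), pstdev(counts)) for host, counts in baseline.items()}


def threshold_for(profile_entry, k=3.0, floor=5.0):
    """Threshold = mean + k * std, with a floor so that a host whose baseline is
    nearly flat (std close to 0) does not alarm on a change of one connection."""
    avg, std = profile_entry
    return avg + max(k * std, floor)


def detect_anomalies(profile, observed, k=3.0):
    """Return one alert per host whose observed count exceeds its threshold.
    Hosts with no learned profile are reported as 'no-baseline' rather than
    silently ignored or treated as attacks: the detector cannot judge them."""
    alerts = []
    for host, count in observed.items():
        if host not in profile:
            alerts.append({"host": host, "count": count, "status": "no-baseline"})
            continue
        limit = threshold_for(profile[host], k)
        if count > limit:
            alerts.append({"host": host, "count": count,
                           "threshold": round(limit, 1), "status": "anomaly"})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(learn_profile(BASELINE), OBSERVED):
        print(alert)
```

The unknown host is the edge case worth noticing: an anomaly detector only has an opinion about hosts it has profiled, so a new host needs either a learning period of its own or a default policy, and the choice of k and of the floor decides the trade-off between false positives and missed events.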

ASA AIP-SSM
ASA Advanced Inspection and Prevention Security Services Module is a network module added to ASA devices for dedicated IPS support.

Atomic Alert
IPS alert generated every time a signature triggers.

Atomic Signature
Simplest type of signature, consisting of a single packet, activity, or event that is examined.

Composite Signature
Stateful signature which identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Unlike atomic signatures, the stateful properties of composite signatures usually require several pieces of data to match an attack signature.
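The difference between an atomic signature (one packet is enough) and a composite signature (state kept across several packets, possibly to several hosts) is easiest to see in code, together with the inline actions the chapter lists (alert, deny, reset TCP connection). The following is an added example and not Cisco IOS IPS code or signature format: the signature ids, the packet dictionary fields, the thresholds and the sample traffic are all constructed for this illustration.

```python
"""Atomic vs composite signatures in a toy inline IPS. Added illustration,
not Cisco IOS IPS code; signature ids, packet fields and sample traffic
are constructed for this example."""
from collections import defaultdict


class AtomicSignature:
    """Fires on a single packet; keeps no state between packets."""
    def __init__(self, sig_id, predicate, action):
        self.sig_id, self.predicate, self.action = sig_id, predicate, action

    def check(self, pkt):
        return self.action if self.predicate(pkt) else None


class CompositeSignature:
    """Stateful: fires when one source has sent SYNs to `threshold` distinct
    (host, port) targets within `window` seconds, i.e. the sequence is spread
    over several packets and possibly several destination hosts."""
    def __init__(self, sig_id, threshold, window, action):
        self.sig_id, self.threshold, self.window, self.action = sig_id, threshold, window, action
        self.state = defaultdict(list)   # src -> [(time, (dst, dport)), ...]

    def check(self, pkt):
        if pkt["proto"] != "tcp" or "S" not in pkt["flags"] or "A" in pkt["flags"]:
            return None
        hist = self.state[pkt["src"]]
        hist.append((pkt["t"], (pkt["dst"], pkt["dport"])))
        hist[:] = [e for e in hist if pkt["t"] - e[0] <= self.window]   # expire old entries
        if len({target for _, target in hist}) >= self.threshold:
            hist.clear()   # start over so the next sequence is reported separately
            return self.action
        return None


def apply_action(action, pkt):
    """Inline actions as the glossary lists them; 'reset' models the action
    that answers the connection with a packet carrying the TCP RST flag."""
    if action == "alert":
        return {"verdict": "forward", "alert": True}
    if action == "deny":
        return {"verdict": "drop", "alert": True}
    if action == "reset":
        rst = {"src": pkt["dst"], "dst": pkt["src"], "proto": "tcp", "flags": "R"}
        return {"verdict": "drop", "alert": True, "inject": rst}
    raise ValueError(action)


def build_signatures():
    """Fresh signature objects per run, so composite state never leaks between runs."""
    return [
        # Atomic: a single oversized ICMP packet triggers on its own.
        AtomicSignature(1001, lambda p: p["proto"] == "icmp" and p["len"] > 1000, "deny"),
        # Composite: SYNs to 4 distinct targets within 10 s from one source.
        CompositeSignature(2001, threshold=4, window=10, action="reset"),
    ]


def run_ips(packets, signatures=None):
    """Inline processing: every packet is checked and the first matching signature decides."""
    signatures = signatures or build_signatures()
    events = []
    for pkt in packets:
        for sig in signatures:
            action = sig.check(pkt)
            if action:
                events.append((pkt["t"], sig.sig_id, apply_action(action, pkt)))
                break
    return events


# Constructed sample traffic (t in seconds).
TRAFFIC = [
    {"t": 0, "src": "10.1.1.5", "dst": "10.1.1.10", "proto": "tcp", "dport": 80, "flags": "S", "len": 60},
    {"t": 1, "src": "10.1.1.5", "dst": "10.1.1.10", "proto": "tcp", "dport": 80, "flags": "A", "len": 52},
    {"t": 2, "src": "10.1.1.9", "dst": "10.1.1.10", "proto": "icmp", "dport": 0, "flags": "", "len": 1400},
    {"t": 3, "src": "192.0.2.7", "dst": "10.1.1.10", "proto": "tcp", "dport": 22, "flags": "S", "len": 60},
    {"t": 4, "src": "192.0.2.7", "dst": "10.1.1.10", "proto": "tcp", "dport": 23, "flags": "S", "len": 60},
    {"t": 5, "src": "192.0.2.7", "dst": "10.1.1.11", "proto": "tcp", "dport": 22, "flags": "S", "len": 60},
    {"t": 6, "src": "192.0.2.7", "dst": "10.1.1.11", "proto": "tcp", "dport": 445, "flags": "S", "len": 60},
]

if __name__ == "__main__":
    for event in run_ips(TRAFFIC):
        print(event)
```

Two events come out: the ICMP packet at t=2 is dropped by the atomic signature on its own, while the composite signature stays silent through three SYNs and only fires on the fourth distinct target at t=6, which is why composite signatures need per-source state and an expiry window, and why memory for that state is part of the cost of supporting them.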

Crypto Key
Key which verifies the digital signature for the master signature file (sigdef-default.xml), which is signed by a Cisco private key to guarantee its authenticity and integrity.

Page 7

CSM
Cisco Security Manager (CSM) centrally provisions device configurations and security policies for firewalls, VPNs, and IPS devices.

Event Correlation
Process of correlating attacks and other events that are happening simultaneously at different points across a network. NTP is used by devices to derive the time from an NTP server, enabling alerts generated by the IPS to be accurately time-stamped.

False Negative Alarm
Result which occurs when an IPS fails to generate an alarm after processing attack traffic that the IPS is configured to detect.

False Positive Alarm
Expected but undesired result, which occurs when an IPS generates an alarm after processing normal user traffic that should not have triggered an alarm.

Global Correlation
Cisco IPS feature enabling IPS devices to receive regular threat updates from the Cisco SensorBase Network.

High Severity Level
IPS measure indicating that attacks used to gain access or cause a DoS attack are detected, and an immediate threat is extremely likely.

Page 8

Honey Pot-based Detection
IPS mechanism of using a dummy server to attract attacks in order to distract attacks away from real network devices. By staging different types of vulnerabilities in the honey pot server, administrators can analyze incoming types of attacks and malicious traffic patterns.

Host-based IPS
Software installed on an end-system that integrates with centralized servers to provide intrusion prevention.

IDS
Intrusion Detection Systems (IDS) passively monitor the traffic on a network. An IDS-enabled device copies the traffic stream and analyzes the monitored copy rather than the actual forwarded packets.

IDSM-2
IDS Services Module installs in a Catalyst 6500 switch to provide IPS functionality.

IME
Cisco IPS Manager Express (IME) is an all-in-one GUI-based configuration and management tool for IPS appliances.

Incident Response Plan
A plan to be implemented when a system is compromised. The compromised system should be restored to the state it was in before the attack.

Informational Severity Level
IPS measure indicating that the activity that triggered the signature is not considered an immediate threat, but the information provided is useful.

Page 9

IOS-Sxxx-CLI.pkg
Cisco IOS signature package.

IPS
Intrusion Prevention Systems (IPS) build on IDS technology. IPS devices are implemented in inline mode: all traffic must flow through the device for processing. IPS devices can detect and immediately address a network problem as required.

IPS 4200 Series Sensor
IPS 4200 Series Sensors are standalone Cisco devices providing dedicated IPS functionality.

IPS AIM
IPS Advanced Integration Module is a daughter card added to an ISR to provide IPS functionality.

IPS NME
IPS Network Module Enhanced is a module which installs in an ISR to provide IPS functionality.

Low Severity Attack
IPS measure indicating that abnormal network activity is detected that could be perceived as malicious, but an immediate threat is not likely.

Medium Severity Attack
IPS measure indicating that abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.

Network-based IPS
IPS sensor installed as a network device or integrated within a network device to provide intrusion prevention.

Page 10

Pattern-based Detection
IPS mechanism of matching pre-defined traffic patterns.

Policy-based Detection
IPS mechanism based on administrator-defined behaviors deemed suspicious based on historical analysis.

realm-cisco.pub.key.txt
Text file containing the public crypto key used by IOS IPS.

Reset TCP Connection
Action used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set.

SDEE
Secure Device Event Exchange (SDEE) is an alarm format developed to improve communication of events generated by security devices. It primarily communicates IDS events, but it is intended to be extensible and allows additional event types to be included as they are defined.

SensorBase Network
Centralized Cisco threat database that contains real-time, detailed information about known threats on the Internet.

Signature
A description of characteristics associated with a known attack. A malicious packet flow has a specific type of activity and signature. An IDS or IPS sensor examines the data flow using signatures. When a sensor matches a signature with a data flow, it takes action, such as logging the event or sending an alarm to IDS or IPS management software.

Page 11

SIO
Cisco Security Intelligence Operation (SIO) is a security ecosystem, including the SensorBase Network, designed to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected.

Summary Alert
Single IPS alert that indicates multiple occurrences of the same signature from the same source address or port.

Trigger
Traffic behavior that signals an intrusion or policy violation.

True Negative Alarm
Describes a situation in which normal network traffic does not generate an alarm.

True Positive Alarm
Describes a situation in which an IPS generates an alarm in response to known attack traffic.
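The four alarm types defined across Pages 7 and 11 (false negative, false positive, true negative, true positive) and the Summary Alert entry above are both about what an operator does with alerts after the fact: measure how well the sensor is tuned, and keep repeated atomic alerts from flooding the console. The following added example, not Cisco code, classifies labelled evaluation records into the four alarm types, derives detection and false-positive rates from them, and collapses repeated atomic alerts into summary alerts keyed by signature and source address (or source port). The evaluation records, signature ids and alert tuples are constructed sample data.

```python
"""Alarm outcome classification and summary alerts. Added illustration, not
Cisco code; the labelled flows and atomic alerts are constructed sample data."""
from collections import Counter


def classify_alarm(is_attack, alarmed):
    """Map (ground truth, IPS decision) onto the four alarm types in the glossary."""
    if is_attack and alarmed:
        return "true positive"
    if is_attack and not alarmed:
        return "false negative"
    if not is_attack and alarmed:
        return "false positive"
    return "true negative"


# Constructed evaluation records: (flow id, is_attack, did the IPS alarm?)
EVALUATION = [
    ("f1", True, True), ("f2", True, True), ("f3", True, False),
    ("f4", False, False), ("f5", False, True), ("f6", False, False), ("f7", False, False),
]


def confusion(records):
    """Count the four alarm types and derive the two rates an operator tunes against."""
    counts = Counter(classify_alarm(is_attack, alarmed) for _, is_attack, alarmed in records)
    tp, fn = counts["true positive"], counts["false negative"]
    fp, tn = counts["false positive"], counts["true negative"]
    return {
        "counts": dict(counts),
        "detection_rate": tp / (tp + fn) if tp + fn else None,        # share of attacks caught
        "false_positive_rate": fp / (fp + tn) if fp + tn else None,   # share of normal traffic alarmed
    }


# Constructed atomic alerts: (timestamp, signature id, source address, source port)
ATOMIC_ALERTS = [
    (100, 2004, "192.0.2.7", 40001),
    (101, 2004, "192.0.2.7", 40002),
    (102, 2004, "192.0.2.7", 40003),
    (103, 2004, "198.51.100.3", 51000),
    (104, 1001, "192.0.2.7", 0),
]


def summarize(alerts, key="address"):
    """Collapse repeated atomic alerts for the same signature from the same source
    (address, or address and port) into one summary alert with a count and the
    first/last time seen. Alerts that occur once stay atomic."""
    groups = {}
    for t, sig, src, sport in alerts:
        k = (sig, src) if key == "address" else (sig, src, sport)
        g = groups.setdefault(k, {"signature": sig, "source": src, "count": 0, "first": t, "last": t})
        g["count"] += 1
        g["first"] = min(g["first"], t)
        g["last"] = max(g["last"], t)
    return [dict(g, kind="summary" if g["count"] > 1 else "atomic") for g in groups.values()]


if __name__ == "__main__":
    print(confusion(EVALUATION))
    for alert in summarize(ATOMIC_ALERTS):
        print(alert)
```

Note that summarizing by address merges the three signature-2004 alerts from 192.0.2.7 into one summary alert while leaving the other two atomic; summarizing by source port keeps all five separate, which is the trade-off the glossary's "same source address or port" wording points at.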

Page 12

• SDM has been replaced by CCP.

• Host-based IPS content was removed.

• Cisco Global Correlation via the SensorBase Network is now used to update IPS signatures.

• Cisco Security Intelligence Operation (SIO) is a security ecosystem, including the SensorBase Network, designed to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected.

Page 13

• Chapter 5 is a fairly even combination of theory and practice.

• The goal is to introduce students to the major concepts of IPS and how IPS devices and IPS signatures are used to proactively prevent intrusion attempts related to malicious traffic on the network.

• The lab is designed to teach students to configure IPS using both the CLI and CCP.

• Students will have used CCP in the lab environment in previous chapters. The same troubleshooting techniques for connecting successfully to the ISR via CCP apply here.

Page 14

• Obtain the signature packages and the public key from Cisco.com; this requires an active Cisco.com account.

– Download the files at http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:

– IOS-Sxxx-CLI.pkg: This is the signature package.

– realm-cisco.pub.key.txt: This is the public crypto key used by IOS IPS.

• The mechanics of preparing for the IPS lab are extensive and the requirements for success are exacting. Ensure that the PCs or VMs in the lab have the appropriate Java updates, that the Java runtime parameters are configured correctly, that appropriate browser versions are installed, that the appropriate signature files are available on the PCs or routers, and that the appropriate image is installed on the routers.

Page 15

• Prepare students to be patient when compiling the IPS signatures for the first time on the router, as it can take quite a while.

• After completing the IPS installation in CCP, encourage students to explore the various signature parameters by way of the Edit tab in CCP.

Page 16

• Compare and contrast the role of intrusion prevention solutions versus the role of firewalls. When students are first learning security it is not uncommon for them to confuse the purpose of IPS versus that of a firewall.

– Explain that firewalls are not updated regularly as with IPS signatures on ISRs or virus definitions on PCs.

– Firewalls permit or deny traffic based on preconfigured parameters. Intrusion prevention responds to detected malicious traffic with an action, such as reset TCP connection or deny packet inline.

– IPS solutions are inherently more dynamic than firewalls.

• Host-based IPS solutions are deprecated in this version of the curriculum, but this does not preclude their introduction in the classroom. In this case, compare and contrast host-based versus network-based approaches. A combination of these two approaches is ideal. Some philosophy is involved here – security experts often differ on the relative importance of each approach.

Page 17

• Compare and contrast the CLI and CCP implementation methods for Cisco IPS. An open-ended discussion on the merits of each approach is beneficial to practitioners.

• Compare the advantages and disadvantages of the four types of signature triggers to minimize common confusion about these:

Page 18

• Compare and contrast IDS solutions and IPS solutions.

– What are some advantages of IDS over IPS?

– Does IDS require any additional technologies compared to IPS?

– What can an IPS device do that an IDS device cannot?

• Contrast the IPS management options: Cisco IPS Manager Express (IME) or Cisco Security Manager (CSM).

• Compare and contrast the IPS logging solutions provided by Security Device Event Exchange (SDEE) and syslog.

Page 19

• (Optional) Compare and contrast the Global Correlation method with SensorBase now recommended for IPS implementations with the previous generation of IPS update methods which required more administrator intervention.

• Describe a hypothetical network with and without IPS implemented.

– What types of problems might occur in the network without IPS deployed?

– Which types of attacks is a network most susceptible to when IPS is deployed?

– What assets are protected by an IPS deployment?

Page 20

• What did network administrators do prior to the availability of IPS solutions?

• What specific events or trends resulted in the mainstream usage of IPS solutions?

• How do you determine what IPS actions to implement when signatures for malicious traffic are triggered?

• How do you decide which IPS signatures to implement, considering the fact that a given device may only reasonably support a certain threshold of signatures?

• What do you notice regarding the differences between the log output of Syslog versus SDEE?

Page 21

• Research the major historical Internet attacks (some were introduced in Chapter 1). Have students report back as to the role IPS would play (in retrospect) in mitigating these attacks.

• Ask students to put themselves in the mind of the malicious hacker. What would such a person do to circumvent IPS implementations on a network? What attacks would be used to cause the greatest damage to a network with or without an IPS solution?

Page 22

• http://en.wikipedia.org/wiki/Intrusion_prevention_system

• http://www.cisco.com/en/US/products/ps5729/Products_Sub_Category_Home.html

• http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

• http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/lippis-cloud-based.pdf

• http://tools.cisco.com/security/center/home.x

• http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/15-2mt/sec-data-ios-ips-15-2mt-book.html
