Transcript of slide deck: IPS Feature in Cisco Routers in Cisco IOS Software Release 12.4(11)T1
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 1: IPS Feature in Cisco Routers in Cisco IOS Software Release 12.4(11)T1
Slide 2: Cisco Security Router Portfolio
Feature Breadth and Scale at Highest Performance
(Chart; vertical axis: Performance and Services Density)
Products, from lowest to highest performance: Cisco 800 Series Integrated Services Routers; Cisco 1800 Series Integrated Services Routers; Cisco 2800 Series Integrated Services Routers; Cisco 3800 Series Integrated Services Routers; Cisco® 7200 Series and Cisco 7301
Market segments: Small Office and Teleworker; Small Branch; SMB; Branch Office; Head Office; WAN Aggregation
Service tiers: Embedded Wireless, Security, and Data; Embedded, Advanced Voice, Video, Data, and Security Services; High Density and Performance for Concurrent Services
Slide 3: Cisco Security Router Technologies
Management and Instrumentation: SDM, NetFlow, IP SLA, Role-Based Access
Secure Network Solutions: Secure Voice, Compliance, Secure Mobility, Business Continuity
Integrated Threat Defense: Network Admission Control, Advanced Firewall, Intrusion Prevention, URL Filtering, 802.1x, Network Foundation Protection, Flexible Packet Matching
Secure Connectivity: GET VPN, DMVPN, Easy VPN, SSL VPN
Slide 4: Cisco IOS IPS Feature Benefit Overview
• Provides networkwide, distributed protection from many worms, viruses, and attacks exploiting vulnerabilities in operating systems and applications
• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks
• Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router
• Offers field-customizable worm and attack signature set and event actions
• Supports same signature database available for Cisco Intrusion Prevention System (IPS) appliances
• Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions
(Diagram: Corporate Office / Server Farm and Branch Office; sample traffic "Dest: 10.0.0.1 Dest port: 25" carrying Slammer and Zotob is inspected by IOS IPS)
Slide 5: Cisco IOS IPS Branch Positioning and Use Cases
Protect Branch-Office Servers: Apply IPS and firewall on the branch router to protect local servers at the branch from attacks. Avoid the need for a separate device to protect servers.
Move Worm Protection to the Network Edge: Apply IPS on traffic from branch to HQ to stop worms and attacks from infected branch PCs. Stop the attack before it wastes WAN bandwidth.
Protect Branch PCs from Internet Worms: Use Cisco® IOS IPS in conjunction with Cisco IOS Firewall on Internet connections for worm protection.
(Diagram: Corporate Headquarters and Branch Office connected over an IPsec tunnel or WAN link; the branch router runs IPS and firewall in front of branch servers and client PCs, with Internet access to www.sports.com)
Slide 6: Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T1
Feature: Automated signature updates from a local TFTP or HTTP(S) server. Benefit: Protection from latest threats with minimal user intervention.
Feature: Individual and category-based signature provisioning through Cisco IOS CLI. Benefit: Offers granular customization and tuning of signatures through custom scripts.
Feature: IDCONF (XML) signature provisioning mechanism. Benefit: Offers secure provisioning through Cisco Security Manager 3.1 and Cisco Router and Security Device Manager (SDM) 2.4 (*) over HTTPS.
Feature: Supports Signature Event Action Processor (SEAP). Benefit: Quick and automated adjustment of signature event actions based on Risk Rating.
Feature: Risk Rating value in IPS alarms based on signature severity, fidelity, and target value rating. Benefit: Enables accurate and efficient IPS event correlation and monitoring.
Feature: NDA (encrypted) signature support. Benefit: Efficient protection against many new vulnerabilities, some even before their public release.
Feature: Same signature format as the latest Cisco® IPS appliances and modules. Benefit: Offers common operations for Cisco IPS appliances and Cisco IOS® IPS.
(*) Cisco SDM 2.4 will be available in April 2007.
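The following Cisco IOS CLI fragment is an added example, not part of the deck, showing how the SEAP and Risk Rating features on this slide are used together: a target value rating is assigned to a protected server, an event-action override is tied to a Risk Rating range, and the router is told to fetch signature updates from a local server. The Risk Rating arithmetic in the comments is the IPS 5.x formula (attack severity × signature fidelity × target value rating, divided by 10000, capped at 100); the IP addresses, threshold, schedule and TFTP URL are constructed placeholders, and the exact keyword syntax should be checked against the configuration guide linked on slide 11.

```cisco
! Added example (not from the deck); addresses, threshold, schedule and URL are placeholders.
!
! Risk Rating (IPS 5.x) = ASR x SFR x TVR / 10000, capped at 100.
! A high-severity signature (ASR 100) with fidelity 85 aimed at a
! mission-critical host (TVR 200) scores 100*85*200/10000 = 170 -> 100.
! The same signature aimed at a medium-value host (TVR 100) scores 85.
!
! Rate the branch server as mission-critical so alarms against it score higher
ip ips event-action-rules
 target-value mission-critical target-address 10.0.0.1
 !
 ! SEAP override: drop the packet inline for any alarm scoring 90 or above,
 ! regardless of the action configured on the individual signature
 overrides deny-packet-inline
  risk-rating 90-100
  override-item-status enabled
!
! Automated signature updates (first feature row): pull the package
! from a local TFTP server at 02:00 every day of the month, every weekday
ip ips auto-update
 occur-at 0 2 1-31 0-6
 url tftp://192.0.2.10/ios_sigs.pkg
```

With the override in place, lowering a signature's fidelity or a host's target value is what moves its alarms below the drop threshold, so false-positive tuning can be done at the rating level without editing each signature's event actions individually.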
Slide 7: Cisco IOS IPS and Cisco IPS Network Module

Capability                                     | Cisco IPS Network Module                                    | Cisco IOS IPS
-----------------------------------------------|-------------------------------------------------------------|------------------------------
Cisco® Security Agent and Cisco IPS collaboration | Yes                                                       | No
Rate limiting                                  | Yes                                                         | No
Automatic signature updates                    | Yes                                                         | Yes
System management                              | Cisco Security Manager                                      | Cisco Security Manager
Signatures supported                           | Supports all signatures simultaneously                      | Supports a subset of signatures subject to available memory
Dedicated CPU and DRAM for IPS                 | Yes                                                         | No
Inline and promiscuous detection and mitigation | Roadmap                                                    | Yes
Device management                              | IPS CLI, IDM                                                | Cisco IOS® CLI, Cisco SDM
Event monitoring and correlation               | IEV, on-box Meta Event Generator, Cisco Security MARS       | IEV, Cisco Security MARS
IPv6 detection                                 | Yes                                                         | No
Day-zero anomaly detection                     | Yes                                                         | No
Slide 8: Cisco IOS IPS – Ideal for Distributed Worm and Threat Mitigation
Central Signature File Management with Cisco® Security Manager 3.1: Prebuilt or Custom Signature Updates Distributed by Cisco Security Manager 3.1
(Diagram: Cisco Security Manager at the Corporate Office pushes signature updates over the WAN to the Small Satellite Office, Regional Office, Branch Office, Telecommuter, and a Cisco IPS Appliance)
Slide 9: Cisco Services for IPS – Rapid Signature Updates for Emerging Threats
(Diagram: Threats & Vulnerabilities and Network Viruses (Trend Micro) feed the Cisco Countermeasure Research Team, which produces the Update Package)
• Complete maintenance coverage for IPS appliances, IPS modules for switch, router, and ASA, and IPS integrated with IOS
• Signature file updates and license to install signatures
• Around-the-clock, global access to Cisco TAC
• Registered access to Cisco.com
• Operating system software updates
• Advance hardware replacement
Slide 10: IPS Signature Update Subscription Services
"Cisco Services for IPS" is the annual contract that entitles customers to receive all SMARTnet deliverables plus IPS signature updates released by Cisco at standard intervals.
Option 1 (Router IPS): Cisco sells service to end user: Sell Cisco Services for IPS [One service contract]. E.g. SKU: CON-SU1-C2811 (Cisco brand support is sold)
Option 2: Partner sells Cisco service and their own service to end user: Buy Shared [Two service contracts]. SKU: CON-CSSPD-C2811SEC (Shared Support, SKU for partners only); SKU: CON-SUSA-C2811SEC (Cisco Services for IPS, SKU for partners only)
Slide 11: Cisco IOS IPS Deployment
• Download the latest Cisco IPS signature package from http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup. This package contains a digitally signed default (master) signature file that includes all the signatures used by all Cisco IPS products.
• Use CLI commands to select one of the two Cisco® recommended signature categories (lists of signatures) as the base signature set: IOS-Basic or IOS-Advanced.
• Use CLI commands to customize your signature list:
  – Select additional signatures as desired
  – Delete signatures not relevant to the applications you're running
  – Tune actions of individual signatures (e.g., add "drop" action) as desired
  – Test your custom signature set in a lab setting before actual deployment
• For details, see the IOS IPS configuration guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t11/ips_v5.htm
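The deployment steps above, carried through end to end on the Cisco IOS CLI as an added example (not from the deck or from Cisco's guide): import the key that verifies the signed package, pick IOS-Basic as the base category, unretire one extra signature, add a drop action to another, apply the rule to an interface, load the package, and check the compiled result. The interface name, TFTP address, package filename and signature IDs are constructed placeholders, and the key modulus is deliberately elided because it ships with the package; verify keyword syntax against the configuration guide linked on this slide.

```cisco
! Added example (not from the deck); interface, addresses, filename and
! signature IDs are placeholders. Configuration-mode commands are indented
! under their parent; mkdir, copy and show are run from exec mode.
!
! 1. Import Cisco's public key so the router can verify the digitally signed
!    signature package (modulus elided; it is distributed with the package)
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <paste the key modulus shipped with the signature package here>
   quit
!
! 2. Name the IPS rule, keep compiled signatures on flash, send alarms via SDEE
mkdir flash:ips
ip ips config location flash:ips retries 1
ip ips name IOSIPS
ip ips notify sdee
!
! 3. Retire everything, then unretire the Cisco-recommended IOS-Basic category
!    as the base signature set (use "ios_ips advanced" for IOS-Advanced)
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! 4. Customize: unretire one additional signature, and add an inline drop
!    action to another whose default action only produces an alert
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
 signature 2000 0
  engine
   event-action produce-alert deny-packet-inline
!
! 5. Apply the rule inbound on the WAN interface (traffic from the branch)
interface FastEthernet0/0
 ip ips IOSIPS in
!
! 6. Load the downloaded package; the router compiles only unretired signatures
copy tftp://192.0.2.10/IOS-Sxxx-CLI.pkg idconf
!
! 7. Confirm what was compiled and how much memory it took, in the lab,
!    before reusing this configuration on production routers
show ip ips signatures count
```

Because Cisco IOS IPS compiles only the unretired signatures (slide 7: a subset subject to available memory), the count shown in step 7 is the figure to compare against the router's free DRAM before widening the set with additional signatures.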
Slide 12: Migrate Signatures from Cisco IOS Software Releases prior to Release 12.4(11)T1
• Option 1: Existing customer is using noncustomized prebuilt signature files (SDFs).
  – No signature migration is needed.
  – Signatures in 128MB.sdf will be in the IOS-Basic category.
  – Signatures in 256MB.sdf will be in the IOS-Advanced category.
• Option 2: Existing customer is using customized prebuilt signature files (SDFs).
  – A signature migration (TCL) script is available on Cisco.com to convert the customized SDF to 5.0 format.
  – This migration script will not migrate user-defined (third-party) signatures.
• Detailed migration procedure and CLI changes are documented at www.cisco.com/go/iosips.
Slide 13: Lifecycle of Security Services for Cisco IPS Solutions
Plan – Plan for a Sound IPS Architecture and Design. IPS Readiness Assessment: Assess the network infrastructure to determine IPS readiness.
Design – Build Scalable, Adaptable, Easy-to-Upgrade IPS Solution. IPS Design Development: Develop design specifications detailing topology, device configurations, hardware and software upgrades, and management.
Implement – Integrate IPS into the Network Infrastructure. IPS Implementation Engineering: Provide installation, configuration, and testing of a pilot or corporatewide implementation.
Operate – Protect Investment in the IPS Solution. Services for IPS, Security Remote Operations Services, and IntelliShield: Provide signature updates, up-to-date intelligence, IPS monitoring and management, technical support, software updates, and hardware replacement.
Optimize – Continually Improve the IPS Solution. IPS Optimization: Provide ongoing consultation to optimize IPS for reliability, efficiency, and scalability.
Slide 14: IntelliShield Alert Manager – IPS 6.0 Threat / Signature Correlation
• Complete vulnerability and threat information in a single database
• Notification of only those vulnerabilities relevant to a pre-defined infrastructure
• Actionable alerts in a standardized format based on user-customized profiles
• Each vulnerability or threat is analyzed and validated by security analysts
• Vulnerability and threat information is vendor-neutral and objectively graded
• Comprehensive library of over 10,000 threats and vulnerabilities
• Built-in workflow allows easy management of tasks and remediation efforts
For organizations that need rapid delivery of comprehensive, credible and cost-effective security intelligence to help prevent, mitigate, and quickly remediate potential IT attacks
Slide 15: Cisco IOS IPS Provisioning and Monitoring Options

IPS Event Monitoring for N Routers
N = 1: Cisco IEV 5.1 (IPS Event Viewer) or Cisco SDM
N up to 5: Cisco IEV 5.1
N more than 5: Cisco Security MARS 4.3.1

IPS Signature Provisioning for N Routers
N up to 5: Cisco SDM 2.4 (*)
N from 5 to 250: Cisco Security Manager 3.1
N more than 250, same signatures on all routers: Multiple Cisco Security Manager 3.1 instances, or Cisco SDM 2.4 (*) and Cisco Configuration Engine
N more than 250, otherwise: Multiple Cisco Security Manager 3.1 instances

(*) Cisco SDM 2.4 will be available in April 2007
Slide 16: Cisco Security Manager 3.1 Cisco IOS IPS Application Features
Supports Cisco IOS® Software Release 12.4(11)T1 and Later
• Signature File Auto Update
• Custom Signature Templates
• Wizards – Add Signature and Signature Updates
• Rollback
• Cisco® SDM and Cisco® IEV Cross-Launch
• Filtering, Copying, and Cloning
• Signature Categories for SDFs
• IDCONF Support
• SEAP Support
Slide 17: Cisco Security Manager 3.1 Cisco IOS IPS Signature List View Sample
(Screenshot)
Slide 18: Cisco Router and Security Device Manager v2.4
Major IPS Ease of Use Enhancements!
• Auto-update IPS signatures from Cisco.com
• Configure Signature, Risk Rating parameters and Event Action Processor (SEAP) to reduce false positives
• Customize IPS signatures
• Wizard to migrate IPS 4.0 format signatures to IPS 5.x/6.0 format
Available April 2007
Slide 19: Cisco Router and Security Device Manager v2.4 – Available April 2007
(Screenshot)
Slide 20: Cisco IOS IPS Collateral and Contacts
Cisco IOS® IPS Website: http://www.cisco.com/go/iosips
Cisco IOS IPS enhancements and 5.0 signature format support in Cisco IOS Software Release 12.4(11)T1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t11/ips_v5.htm
Cisco IOS IPS Data Sheet: http://www.cisco.com/en/US/products/ps6634/products_data_sheet0900aecd803137cf.html [actual link may change]
Cisco IOS IPS Deployment Guide: http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml [actual link may change]
Cisco Services for IPS: http://www.cisco.com/en/US/products/ps6076/serv_group_home.html
Contact: [email protected]