Module 1

  • Uploaded by: Le Minh Ngoc
  • April 2020



Module 1: Intrusion Detection and Prevention Technology
Network Security 2 v2.0


PDF created with pdfFactory trial version www.pdffactory.com

Overview


Extra: Primary IPS Terminology


Extra: Primary IPS Terminology


Overview of Intrusion Detection and Prevention


Introduction to intrusion detection and prevention



Intrusion detection is the ability to detect attacks against a network and send logs to a management console. It provides the following defense mechanism:
– Detection – Identifies malicious attacks on network and host resources.


Introduction to intrusion detection and prevention



Intrusion prevention is the ability to stop attacks against the network and should provide the following active defense mechanisms:
– Detection – Identifies malicious attacks on network and host resources.
– Prevention – Stops the detected attack from executing.
– Reaction – Immunizes the system from future attacks from a malicious source.


Introduction to intrusion detection and prevention



Response Options
When a signature match is found, the IDS or IPS may perform the following actions:
– Alarm – Sends an alarm to an internal or external log and then forwards the packet.
– Reset – If the session is TCP, sends packets with the reset flag to both session participants, then forwards the packet.
– Drop – Immediately drops the packet.
– Block – Denies traffic from the source address of the attack.
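The four actions above, worked through in a small added example that is not from the course or from any Cisco sensor: a toy inline sensor with constructed signatures, packet records and addresses. It shows that Alarm still forwards the packet, that Reset only emits RSTs for a TCP session, and that Block keeps denying the source on later packets even when their payload is benign.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed toy packet and signature formats (not Cisco's); for illustration only.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    payload: bytes

@dataclass
class Signature:
    sig_id: int
    pattern: bytes   # substring the signature looks for in the payload
    action: str      # "alarm", "reset", "drop" or "block"

@dataclass
class Sensor:
    signatures: List[Signature]
    log: List[str] = field(default_factory=list)     # alarms sent to the log
    resets: List[str] = field(default_factory=list)  # RST packets the sensor emitted
    blocked: Set[str] = field(default_factory=set)   # source addresses being shunned

    def match(self, pkt: Packet) -> Optional[Signature]:
        return next((s for s in self.signatures if s.pattern in pkt.payload), None)

    def inspect(self, pkt: Packet) -> bool:
        """Inline processing of one packet; True means forwarded, False means denied."""
        if pkt.src in self.blocked:        # Block: source is denied regardless of content
            return False
        sig = self.match(pkt)
        if sig is None:
            return True                    # no signature fired: pass through
        self.log.append(f"sig {sig.sig_id} {pkt.src}->{pkt.dst}")
        if sig.action == "alarm":
            return True                    # log only, packet is still forwarded
        if sig.action == "reset":
            if pkt.proto == "tcp":         # RST only makes sense for a TCP session
                self.resets.append(f"RST->{pkt.src}")
                self.resets.append(f"RST->{pkt.dst}")
            return True                    # the packet itself is still forwarded
        if sig.action == "drop":
            return False                   # this packet is discarded
        if sig.action == "block":
            self.blocked.add(pkt.src)      # deny this source from now on
            return False
        raise ValueError(f"unknown action {sig.action}")

def run_demo():
    """Feed constructed packets through a sensor and return the forwarding decisions."""
    sensor = Sensor([
        Signature(1, b"SIG-ALARM", "alarm"),
        Signature(2, b"SIG-RESET", "reset"),
        Signature(3, b"SIG-DROP", "drop"),
        Signature(4, b"SIG-BLOCK", "block"),
    ])
    packets = [
        Packet("10.0.0.5", "10.0.1.10", "tcp", b"GET /index.html"),  # benign
        Packet("10.0.0.5", "10.0.1.10", "tcp", b"SIG-ALARM ..."),
        Packet("10.0.0.6", "10.0.1.10", "udp", b"SIG-RESET ..."),    # UDP: no RST sent
        Packet("10.0.0.6", "10.0.1.10", "tcp", b"SIG-RESET ..."),    # TCP: RST to both ends
        Packet("10.0.0.7", "10.0.1.10", "tcp", b"SIG-DROP ..."),
        Packet("10.0.0.8", "10.0.1.10", "tcp", b"SIG-BLOCK ..."),
        Packet("10.0.0.8", "10.0.1.10", "tcp", b"GET /index.html"),  # benign, but source is shunned
    ]
    decisions = [sensor.inspect(p) for p in packets]
    return decisions, sensor

if __name__ == "__main__":
    decisions, sensor = run_demo()
    print(decisions, sensor.log, sensor.resets, sorted(sensor.blocked))
```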


Extra: Combining IDS and IPS

• IDS and IPS are often deployed in parallel in enterprise networks.
• The IPS actively blocks offending traffic and can be considered another implementation of a firewall system.
  – The IPS should be tuned to block only known malicious traffic in order to avoid connectivity disruptions.
• An IDS can verify that the IPS is really blocking offending traffic.
• The IDS can be configured to send alerts about the "gray area" traffic: data that is neither clearly malicious nor clearly legitimate.


Extra: IP Session Logging

• After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station.
• The information is saved in a memory-mapped file on both the sensor and the management platform. This memory-mapped file is a binary-format file.
• The sensor uses RDEP to communicate with the external world; so does the IP logging feature. It is an HTTP communication that is client-server and two-way based, whereby the client (sensor) sends an RDEP request, which is answered by the management station with an RDEP response.
• All RDEP messages consist of two parts:
  – Header
  – Entity body


Extra: IP Session Logging

• Step 1 illustrates the initial attack on the web server. The network IDS notices the attack and sends an alarm to the management server (step 2). The communication between server and sensor is a two-way mechanism.
• The IP log feature captures the session in a pcap file. Once the event occurs, the IP log response that is sent from the server to the sensor is in HTML/XML format. This response contains an error status code and a description of the event.
• The IP logging feature allows the network administrator to easily archive the data, write scripts for parsing the data, and monitor the attacks. The IP logging feature is helpful for analyzing events, but it does impact sensor performance; therefore, disk utilization needs to be watched carefully.


Extra: Active Response: TCP Resets

• After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station.
• The network IDS may terminate the Layer 4 session by sending a TCP RST packet to the attacked server and the host.


Extra: Active Response: Shunning or Blocking

• After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station.
• The network IDS can shut the attacker out of the network, usually by setting access control rules on a border device such as a router or firewall.


Network-based versus host-based



Two basic types of IDSs in the market today are:
– Host-based IDSs (HIDS)
– Network-based IDSs (NIDS)


Network-based versus host-based



Host-based Intrusion Technology
Host-based intrusion response is typically implemented as inline or passive technology, depending on the vendor.
– The passive technology, which was the first-generation technology, is called a host-based intrusion detection system (HIDS); it basically sends logs after the attack has occurred and the damage is done.
– The inline technology, called a host-based intrusion prevention system (HIPS), actually stops the attack and prevents damage and the propagation of worms and viruses.


Extra: Architecture of the Host Sensor Agent


Network-based versus host-based



Network-based Intrusion Technology
Just like host-based intrusion technology, a network intrusion detection system can be based on active or passive detection.
– Sensors are deployed at network entry points that protect critical network segments. The network segments have both internal and external corporate resources.
– Sensors capture and analyze the traffic as it traverses the network. Sensors are typically tuned for intrusion detection analysis. The underlying operating system is stripped of unnecessary network services, and essential services are secured.
– The sensors report to a central Director server located inside the corporate firewall.


Extra: Network-Based IDS Architecture


Extra: Benefits of Network-based



A network-based intrusion system (compared to a host-based solution) has the following benefits:
– Overall network perspective
– Does not have to run on every OS on the network


Types of alarms

• False Alarms – These alarms represent situations in which the IDS fails to accurately indicate what is happening on the network.
• True Alarms – These alarms represent situations in which the IDS accurately indicates what is happening on the network.


Types of alarms

• False Positives
  – False positives occur when the IDS generates an alarm based on normal network activity.
  – False positives force administrators to waste time and resources analyzing phantom attacks.
• False Negatives
  – When the IDS fails to generate an alarm for known intrusive activity, it is called a false negative.
  – False negatives represent actual attacks that the IDS missed even though it is programmed to detect the attack.
  – Most IDS developers tend to design their systems to prevent false negatives.


Types of alarms

• True Positives
  – In the case of true positives, the IDS generates an alarm correctly in response to actually detecting the attack traffic that a signature is designed to detect.
  – In an ideal world, 100 percent of the alarms generated by an IDS would be true positives, meaning that every alarm corresponds to an actual attack against the network.
• True Negatives
  – Like false negatives, true negatives do not represent actual alarms that are generated by the IDS. Instead, a true negative represents a situation in which an IDS signature does not alarm when it is examining normal user traffic.
  – This is the correct behavior. This makes a true negative the opposite of a false positive.


Inspection Engine


Extra: Cisco IOS IPS/IDS Triggers



IDS and IPS use any one of four approaches to identify malicious traffic:
– Signature-based (or misuse detection)
– Policy-based
– Anomaly-based
– Honeypot-based


Signature-based detection

• Signature-based detection, at a very basic level, can be compared to virus-checking programs.
• IDS vendors produce and build signatures that the IDS uses to compare against activity on the network or host.
  – When a match is found, the IDS takes action.
  – The actions taken could include logging the event or sending an alarm to a management console.
• Although many vendors allow users to configure existing signatures and create new ones, customers are primarily dependent on the vendors to provide the latest signatures to keep the IDS up to date.
• Signature-based detection can also produce false positives, as certain normal network activity can appear to be malicious.
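An added example (not part of the course) that ties the false-positive caveat above to the true and false positives and negatives defined under Types of alarms: two constructed signatures are run over constructed, labelled HTTP request lines and each outcome is tallied. The `naive` and `tuned` functions, the request lines and the ATTACK-PAYLOAD token are all made up for illustration; the point is that an over-broad, case-sensitive pattern produces both false positives and a false negative, while the tightened pattern does not on this data.

```python
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed labelled traffic: (request line, is_attack). The labels are the ground
# truth an analyst would assign; neither the requests nor the tokens are real.
TRAFFIC: List[Tuple[bytes, bool]] = [
    (b"GET /index.html", False),
    (b"GET /admin/help.html", False),              # benign page under /admin/
    (b"GET /admin/login", False),                  # benign admin login
    (b"GET /admin/run?cmd=ATTACK-PAYLOAD", True),
    (b"GET /ADMIN/run?cmd=ATTACK-PAYLOAD", True),  # same attack, different case
    (b"GET /images/logo.png", False),
    (b"POST /admin/run?cmd=ATTACK-PAYLOAD", True),
]

Signature = Callable[[bytes], bool]   # a signature is just "does this payload match?"

def naive(payload: bytes) -> bool:
    """Over-broad, case-sensitive pattern: fires on any request mentioning 'admin'."""
    return b"admin" in payload

def tuned(payload: bytes) -> bool:
    """Tighter pattern anchored on the vulnerable handler, matched case-insensitively."""
    return b"/admin/run?cmd=" in payload.lower()

def classify(alarm: bool, is_attack: bool) -> str:
    """Map one (alarm, ground truth) pair to TP / FP / FN / TN as defined on the slides."""
    if alarm:
        return "TP" if is_attack else "FP"
    return "FN" if is_attack else "TN"

def evaluate(sig: Signature, traffic=TRAFFIC) -> Counter:
    """Run a signature over labelled traffic and count each outcome type."""
    return Counter(classify(sig(payload), is_attack) for payload, is_attack in traffic)

def rates(counts: Counter) -> Dict[str, float]:
    """Detection rate = TP/(TP+FN); false alarm rate = FP/(FP+TN)."""
    tp, fp, fn, tn = (counts[k] for k in ("TP", "FP", "FN", "TN"))
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0,
    }

if __name__ == "__main__":
    for name, sig in (("naive", naive), ("tuned", tuned)):
        counts = evaluate(sig)
        print(name, dict(counts), rates(counts))
```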


Extra: Misuse Detection

Some of the benefits of misuse detection are as follows:
– Signatures are based on known intrusive activity
– Attacks detected are well defined
– System is easy to understand
– Detects attacks immediately after installation


Types of signatures


Anomaly-based detection

• Anomaly detection is also sometimes referred to as profile-based detection.
• With anomaly detection, the administrator must build profiles for each user group on the system. This profile incorporates typical user habits, the services that are normally used, and other relevant information.
  – These profiles can be learned over a period of time or they can be modeled on historical behavior.
  – This profile defines the behavior characteristics for a user group, in essence establishing a baseline for the activities that a normal user routinely performs to do the job. Any time a user deviates too far from the profile, the IDS generates an alarm.


Extra: Anomaly-based detection

• The main advantage of anomaly detection is that the alarms generated are not based on signatures for specific known attacks.
• Instead, they are based on a profile that defines normal user activity.
• Therefore, an anomaly-based intrusion system can generate alarms for previously unpublished attacks, as long as the new attack deviates from normal user activity by a significant amount.
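A small profile-based detector for the two anomaly-detection slides above, added here as an example that is not from the course: it learns a per-group baseline (services used, mean and standard deviation of daily volume) from constructed historical records and flags activity that deviates too far from it. No signature is involved, which is why the never-seen service in the demo is flagged without any prior knowledge of an attack. The group, user and service names, the volumes and the 3-sigma threshold are assumptions.

```python
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple

class Activity(NamedTuple):
    group: str     # user group the profile is built for
    user: str
    service: str   # service used, e.g. "http"
    mb: float      # data volume for the day, in megabytes

# Constructed historical records for one user group (not from the course).
HISTORY: List[Activity] = [
    Activity("accounting", "alice", "http", 50), Activity("accounting", "alice", "smtp", 55),
    Activity("accounting", "bob", "fileshare", 60), Activity("accounting", "bob", "http", 65),
    Activity("accounting", "carol", "smtp", 70), Activity("accounting", "carol", "http", 60),
    Activity("accounting", "dave", "fileshare", 55), Activity("accounting", "dave", "http", 65),
]

class Profile(NamedTuple):
    services: frozenset   # services the group normally uses
    mean_mb: float        # baseline daily volume
    std_mb: float

def build_profiles(history: List[Activity]) -> Dict[str, Profile]:
    """Learn a baseline per user group from historical behaviour."""
    by_group: Dict[str, List[Activity]] = defaultdict(list)
    for a in history:
        by_group[a.group].append(a)
    profiles = {}
    for group, acts in by_group.items():
        vols = [a.mb for a in acts]
        mean = sum(vols) / len(vols)
        std = math.sqrt(sum((v - mean) ** 2 for v in vols) / len(vols))
        profiles[group] = Profile(frozenset(a.service for a in acts), mean, std)
    return profiles

def check(profiles: Dict[str, Profile], act: Activity, max_z: float = 3.0) -> List[str]:
    """Return the reasons an activity deviates from its group's profile ([] = normal).
    Anything far enough from the baseline is flagged, known attack or not."""
    prof = profiles[act.group]
    reasons = []
    if act.service not in prof.services:
        reasons.append(f"{act.user}: service {act.service} not in {act.group} profile")
    z = (act.mb - prof.mean_mb) / (prof.std_mb or 1.0)   # guard against a zero std dev
    if abs(z) > max_z:
        reasons.append(f"{act.user}: volume {act.mb} MB is {z:.1f} std devs from baseline")
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for act in (Activity("accounting", "alice", "http", 62),
                Activity("accounting", "bob", "ssh", 58),
                Activity("accounting", "carol", "fileshare", 140)):
        print(act.user, check(profiles, act) or "normal")
```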


Extra: Policy-Based IDS and IPS

• The policy-based approach uses an algorithm on which to base alarm decisions.
• An example of this type of policy is a policy that is used to detect a port sweep. This policy looks for the presence of a threshold number of unique ports being scanned on a particular machine. The policy may further restrict itself through the specification of the types of packets that the policy is interested in (for example, SYN packets). Additionally, there may be a requirement that all the probes must originate from a single source.
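The port-sweep policy described above, implemented as an added example (not from the course or any Cisco product) over constructed packet records: it counts distinct destination ports per (source, target) pair, considers only SYN packets by default, and alarms once a single source crosses the threshold within a time window. The threshold, window, addresses and ports are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Packet(NamedTuple):
    ts: float     # seconds
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

Alarm = Tuple[str, str, Tuple[int, ...]]   # (source, target, sorted probed ports)

def detect_port_sweeps(packets: List[Packet], threshold: int = 5,
                       window: float = 60.0, syn_only: bool = True) -> List[Alarm]:
    """Alarm when one source sends SYNs to >= threshold distinct ports of one host
    within `window` seconds. Keying on (src, dst) enforces the single-source rule."""
    probes: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for p in packets:
        if syn_only and p.flags != "S":      # only the packet type the policy cares about
            continue
        probes[(p.src, p.dst)].append((p.ts, p.dport))
    alarms: List[Alarm] = []
    for (src, dst), events in probes.items():
        events.sort()
        for t0, _ in events:                 # slide a window starting at each probe
            ports = {port for t, port in events if t0 <= t < t0 + window}
            if len(ports) >= threshold:
                alarms.append((src, dst, tuple(sorted(ports))))
                break                        # one alarm per (src, dst) pair
    return alarms

def sample_packets() -> List[Packet]:
    """Constructed packet records for the demo (not a real capture)."""
    pkts = []
    # one source probing six services on one host within ten seconds: a sweep
    for i, port in enumerate((21, 22, 23, 25, 80, 110)):
        pkts.append(Packet(100.0 + i, "10.0.0.9", "10.0.1.20", port, "S"))
    # three sources each touching two ports of the same host: six ports in total,
    # but no single source crosses the threshold
    for i, src in enumerate(("10.0.0.3", "10.0.0.4", "10.0.0.5")):
        pkts.append(Packet(200.0 + i, src, "10.0.1.20", 8000 + 2 * i, "S"))
        pkts.append(Packet(201.0 + i, src, "10.0.1.20", 8001 + 2 * i, "S"))
    # a client opening many connections to the same port: many SYNs, one port
    for i in range(10):
        pkts.append(Packet(300.0 + i, "10.0.0.2", "10.0.1.20", 80, "S"))
    # packets without SYN to six ports: not counted while syn_only=True
    for i, port in enumerate((21, 22, 23, 25, 80, 110)):
        pkts.append(Packet(400.0 + i, "10.0.0.9", "10.0.1.21", port, "A"))
    return pkts

if __name__ == "__main__":
    for alarm in detect_port_sweeps(sample_packets()):
        print("port sweep:", alarm)
```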


Extra: Honeypot-Based IDS and IPS

• Honeypot systems provide a dummy server to attract attacks. The philosophy of the honeypot approach is to distract attacks away from the real network devices.
• The honeypot offers the possibility of analyzing incoming attacks and malicious traffic patterns in order to be prepared when this type of traffic hits the real network.
• When implementing honeypots, you dedicate servers that can be sacrificed to being compromised. You should never trust such systems, because the system may have been compromised without you noticing the changes.


Cisco IDS and IPS Devices


Cisco integrated solutions

• Cisco intrusion detection and prevention solutions are part of the Cisco Self-Defending Network. Designed to identify and stop worms, network viruses, and other malicious traffic, these solutions can help protect the network.
• IOS Intrusion Prevention System (IPS)
  – Cisco IOS Intrusion Prevention System (IPS) is an in-line, deep-packet-inspection-based solution that helps enable Cisco IOS Software to effectively mitigate a wide range of network attacks without compromising router performance.


Extra: Cisco IOS IPS

• Cisco IOS IPS combines existing Cisco IDS and IPS product features with three different intrusion detection techniques.
• Cisco IOS IPS uses a blend of Cisco IDS and IPS products from the Cisco IDS and IPS sensor product lines, including Cisco IDS 4200 Series appliances, Cisco Catalyst 6500 Series IDS services modules, and network module hardware IDS appliances.


Extra: Protocol Analysis

• Protocol analysis-based intrusion detection is similar to signature-based intrusion detection, but it performs a more in-depth analysis of the protocols specified in the packets.
• A deeper analysis examines the payloads within TCP and UDP packets, which contain other protocols.
• For example, a protocol such as Domain Name System (DNS) is contained within TCP or UDP, which itself is contained within IP.


Cisco integrated solutions



PIX and ASA Security Appliances
– The PIX Security Appliance and Adaptive Security Appliances are a key element in the overall Cisco end-to-end security solution.
– The Cisco Security Appliances provide integrated in-line intrusion detection and prevention. PIX Software Versions 5.2 and higher support intrusion detection.
– The intrusion detection and prevention capabilities of the Adaptive Security Appliance 5500 series can be increased through the addition of a Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM).


Extra: Characteristics of Cisco AIP-SSM

The Cisco AIP SSM helps users stop threats with greater confidence through the use of:
– Accurate inline prevention technologies – Provides an unparalleled ability to take preventive action against a broader range of threats without the risk of dropping legitimate traffic. These unique technologies offer intelligent, automated, contextual analysis of your data and help ensure you are getting the most out of your intrusion prevention solution.
– Multivector threat identification – Protects your network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7.
– Unique network collaboration – Enhances scalability and resiliency through network collaboration, including efficient traffic capture techniques, load-balancing capabilities, and visibility into encrypted traffic.
– Powerful management, event correlation, and support services – Enables a complete solution, including configuration, management, data correlation, and advanced support services. In particular, the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) identifies, isolates, and recommends precision removal of offending elements, for a network-wide intrusion prevention solution. And the Cisco Incident Control System (ICS) prevents new worm and virus outbreaks by enabling the network to rapidly adapt and provide a distributed response.


Extra: Characteristics of Cisco AIP-SSM


Cisco integrated solutions



Cisco IDS Network Module
– The Cisco IDS Network Module for the Cisco 2600XM, 3600, and 3700 series routers is part of the Cisco IDS Family sensor portfolio and the Cisco Intrusion Protection System. These IDS sensors work in concert with the other IDS components, including Cisco IDS Management Console, CiscoWorks VPN/Security Management Solution, and Cisco IDS Device Manager, to efficiently protect the data and information infrastructure.


Cisco integrated solutions



Intrusion Detection System Services Module (IDSM-2)
– The Cisco IDSM-2 protects switched environments by integrating full-featured IPS functions directly into the network infrastructure through the Cisco Catalyst chassis.
– This integration allows the user to monitor traffic directly off the switch backplane.
– The IDSM-2 is a one-rack-unit module that can be installed in any one slot in the Cisco Catalyst 6500/7600 chassis.


Cisco IPS 4200 Series sensors

• Cisco IPS 4200 Series intrusion prevention system sensors are an important component of the Cisco Self-Defending Network.
• Cisco IPS sensors offer significant protection to the network by helping to detect, classify, and stop threats including worms, spyware/adware, network viruses, and application abuse.


Cisco IPS 4200 Series sensors

• Administrators can stop more threats with greater confidence with the help of the following elements:
  – Multivector threat identification – Detailed inspection of Layer 2–7 traffic protects the network from policy violations, vulnerability exploitations, and anomalous activity.
  – Accurate prevention technologies – Cisco's innovative Risk Rating feature and Meta Event Generator provide the confidence to take preventive actions on a broader range of threats without the risk of dropping legitimate traffic.
  – Unique network collaboration – Network collaboration provides enhanced scalability, up to 8 Gbps, and resiliency, including efficient traffic capture techniques, load-balancing capabilities, and visibility into encrypted traffic.
  – Comprehensive deployment and management solutions – Cisco IPS 4200 Series sensors are purpose-built IPS appliances that provide the following:
    • Protection of multiple network subnets through the use of up to eight interfaces
    • Simultaneous, dual operation in both promiscuous and inline modes
    • A wide array of performance options, from 80 Mbps to multiple gigabits
    • Embedded Web-based management solutions packaged with the sensor


Extra: Cisco IPS 4200 Series sensors


Extra: Deployment Scenarios


Extra: Cisco IOS IPS Deployment Scenarios



Cisco IOS IPS has two main deployment scenarios:
– Cisco IOS IPS protecting the Internet-facing (untrusted) interface
– Cisco IOS IPS within the internal (trusted) network


Extra: Cisco Sensor Deployment

• Cisco IPS supports various sensor platforms. Each platform has varying capabilities and is designed to operate in a specific network environment.
• You need to consider the following factors when deciding where to place sensors on your network:
  – Internet boundaries
  – Extranet boundaries
  – Intranet boundaries
  – Remote access boundaries
  – Servers and desktops


Extra: Cisco Sensor Deployment


Extra: Cisco Sensor Deployment


Extra: Cisco Sensor Communications Protocols

Communication between your Cisco IPS sensors and other network devices involves the following protocols and standards:
– SSH
– TLS/SSL
– RDEP (Remote Data Exchange Protocol)
– SDEE (Security Device Event Exchange) standard


Summary

• This module introduced the concepts of intrusion detection and prevention. Students should now understand the basic differences between an intrusion detection system (IDS) and an intrusion prevention system (IPS).
• The basic types of inspection engines used in IDSs and IPSs were also introduced in this module.
• The module concluded with an introduction to the IDS and IPS devices that are part of the Cisco Self-Defending Network solution.

