  • Uploaded by: Le Minh Ngoc
  • April 2020
Module 2: Configure Network Intrusion Detection and Prevention


PDF created with pdfFactory trial version www.pdffactory.com

Overview


Cisco IOS Intrusion Prevention System


Cisco IOS Intrusion Prevention System (IPS)

• The Cisco IOS Intrusion Prevention System (IPS) with inline intrusion capabilities provides an inline, deep-packet-inspection based IPS solution that enables Cisco routers to effectively mitigate a wide range of network attacks without compromising traffic forwarding performance.
• Cisco IOS IPS can accurately identify, classify, and stop malicious or damaging traffic in real time, and is a core component of the Cisco Self-Defending Network.


Cisco IOS Intrusion Prevention System (IPS)

• The Cisco IOS IPS acts as an in-line IPS sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures.
• When it detects suspicious activity, it responds before network security can be compromised and logs the event through Syslog or Security Device Event Exchange (SDEE).


Cisco IOS Intrusion Prevention System (IPS)

• When packets in a session match a signature, the Cisco IOS IPS can take any of the following actions, as appropriate:
  – send an alarm to a Syslog server or a centralized management interface
  – drop the packet
  – reset the connection


Extra: Key Benefits of the Cisco IOS IPS

• Provides network-wide, distributed protection from many attacks, exploits, worms, and viruses exploiting vulnerabilities in operating systems and applications
• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks
• Unique risk-rating-based signature event action policy processor dramatically improves the ease of management of IPS policy
• Offers field-customizable worm and attack signature set and event actions
• Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions
• Works with Cisco IOS Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router
• Supports about 2000 attack signatures from the same signature database available for Cisco Intrusion Prevention System (IPS) appliances


Extra: Key Benefits of the Cisco IOS IPS

• The Cisco IOS IPS feature in the latest Cisco IOS 12.4(11)T2 release also offers the following enhancements:
  – Support for encrypted signatures provided by many vendors under nondisclosure agreement (NDA)
  – Risk rating value in IPS alarms for efficient event filtering, monitoring, and correlation
  – Support for the risk-rating-based Signature Event Action Processor (SEAP) for automated adjustment of signature event actions based on risk rating, a feature unique to Cisco IPS products
  – Individual and category-based signature provisioning capabilities through the Cisco IOS command-line interface (CLI)
  – XML-based IDCONF signature provisioning mechanism (works securely over HTTPS)
  – Automated signature updates (at configurable periodic intervals) from a local server


Cisco IOS Intrusion Prevention System (IPS)



Figure: Features and benefits of the Cisco IOS IPS


Cisco IOS Intrusion Prevention System (IPS)

• Origin of Cisco IOS IPS
  – Cisco IOS IPS restructures the existing Cisco IOS Software IDS.
  – The primary difference between Cisco IOS Software IDS and the new, enhanced Cisco IOS IPS is that an intrusion detection system monitors traffic and sends an alert when suspicious patterns are detected, while an intrusion prevention system can drop traffic, send an alarm, or reset the connection, enabling the router to mitigate and protect against threats in real time.
  – Cisco IOS IPS inherited the 132 built-in signatures from Cisco IOS Software IDS technology.
  – With the introduction of inline IPS capability, new signatures can be added by downloading a signature definition file (SDF) into the Flash memory of the router, or administrators can specify the location of the SDF in the Cisco IOS IPS configuration on the router.


Cisco IOS Intrusion Prevention System (IPS)

• Router Performance
  – The performance impact of intrusion prevention depends on the number of signatures enabled, the level of traffic on the router, the router platform, and other individual features enabled on the router, such as encryption.
  – The IPS process in the router sits directly in the packet path and searches each packet for signature matches. In some cases, the entire packet needs to be searched, and state information, and even application state and awareness, must be maintained by the router.


Extra: Types of Signatures

• There are 4 categories of signatures:
  – Exploit signatures: Exploit signatures typically identify a traffic pattern that is unique to a specific exploit, so each exploit variant may require an individual signature. Attackers may be able to bypass detection by slightly modifying the attack payload; therefore, an exploit signature often must be produced for each attack tool variant.
  – Connection signatures: Connection signatures generate an alarm based on the conformity and validity of the network connections and protocols.
  – String signatures: The string signature engines support regular expression pattern matching and alarm functionality.
  – DoS signatures: DoS signatures contain behavior descriptions that are considered characteristic of a DoS attack.


Extra: Types of Signatures

• This figure matches the type of exploit signature with the OSI layer. Exploit-specific signatures seek to identify network activity or upper-level protocol transactions that are unique to a specific exploit or attack tool.


Extra: Types of Signatures

• These are examples of exploit signatures in the network layer:
  – The most common fragmentation attack attempts to exhaust target resources by sending many non-initial fragments and tying up reassembly buffers.
  – Target systems can be configured to not accept IP datagrams with certain IP options, such as source routing. Signatures can analyze these datagrams before the datagrams are discarded. The configuration for this analysis is based on the target operating system or the default. This analysis is enabled by default, but may be turned off to enhance performance.
  – Distributed DoS (DDoS) attacks are the “next generation” of DoS attacks on the Internet. Examples of DDoS attacks on the network layer include Internet Control Message Protocol (ICMP) echo request floods and ICMP-directed broadcasts (also known as smurf attacks).


Cisco IOS IPS signatures

• As of Release 12.3(8)T, Cisco IOS IPS has 132 built-in signatures available in the Cisco IOS Software image. The built-in signatures are hard-coded into the Cisco IOS Software image for backward compatibility.
• Each signature can be set to send an alarm, drop the connection, or reset the connection. Each action is enabled on a per-signature basis.
• Each signature has an action assigned by default, based on the severity of the signature.


Cisco IOS IPS signatures

Cisco IOS IPS-Version 4 Signatures



• Cisco IOS IPS has the ability to download IPS signatures without the need for a Cisco IOS Software image update.


Cisco IOS IPS signatures

• The Signature Definition File
  – Cisco IOS IPS uses signature definition files (SDFs) that contain signature descriptions for the most relevant attacks and are updated by Cisco on a regular basis.
  – The SDF is an Extensible Markup Language (XML) file with a definition of each signature along with relevant configurable actions.
  – Cisco IOS IPS reads in the SDF, parses the XML, and populates its internal tables with the information necessary to detect each signature.
  – The SDF contains the signature definition and configuration. Actions such as alarm, drop, or reset can be selected for individual signatures within the SDF.
  – The SDF can be modified so the router will only detect specific signatures. As a result, it can contain all or a subset of the signatures supported in Cisco IOS IPS.
  – The administrator specifies the location of the SDF. The SDF can reside on the local Flash file system (the recommended option) or on a remote server. Remote servers can be accessed via TFTP, FTP, Secure Copy Protocol (SCP), or Remote Copy Protocol (RCP). After signatures are loaded and compiled onto a router running Cisco IOS IPS, the IPS can begin detecting the new signatures immediately.


Cisco IOS IPS signatures

• Signature Micro-engines
  – The IPS mechanism that matches the signatures against data packets is called a micro-engine.
  – An IPS system contains several micro-engines, and each micro-engine handles a set of signatures, typically grouped together by protocol or some other common characteristic.
  – Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDF and scan signatures. Each engine categorizes a group of signatures, and each signature detects patterns of misuse in network traffic.
    • For example, all HTTP signatures are grouped under the HTTP engine.
  – Signatures contained within the SDF are handled by a variety of SMEs. The SDF typically contains signature definitions for multiple engines.
  – The SME typically corresponds to the protocol in which the signature occurs and looks for malicious activity in that protocol. A packet is processed by several SMEs. Each SME scans for various conditions that can lead to a signature pattern match.
  – When an SME scans the packets, it extracts certain values, searching for patterns within the packet via the regular expression engine.


Cisco IOS IPS signatures

• attack-drop.sdf
  – The attack-drop.sdf file is available in flash on all Cisco access routers that are shipped with Cisco IOS Release 12.3(8)T or later.
  – The attack-drop.sdf file can then be loaded directly from flash into the Cisco IOS IPS system. If flash is erased, the attack-drop.sdf file may also be erased. This may happen when erasing the contents of flash memory before copying a new Cisco IOS image to flash. If this occurs, the router will refer to the built-in signatures within the Cisco IOS image.
  – The attack-drop.sdf file can also be downloaded onto the router from the weblink below. A valid CCO login is required to access the site.


Extra: Cisco IOS IPS signatures

Cisco IOS IPS-Version 4 Signatures


Extra: Built-in signatures

• Built-in signatures are removed from Cisco IOS IPS starting from Cisco IOS Software Release 12.4(11)T.
• In previous releases, built-in signatures are predefined signatures bundled with Cisco IOS Software.
• These built-in signatures exist solely to maintain backward compatibility with the previous Cisco IOS Intrusion Detection System (IDS), which has about 135 signatures.
• Cisco does not recommend using built-in signatures.


Extra: The basic and advanced signature sets

• The basic signature set (in file 128MB.sdf) is the Cisco recommended signature set for routers with 128 MB or more memory.
• The advanced signature set (in file 256MB.sdf) is the Cisco recommended signature set for routers with 256 MB or more memory.
• Cisco decommissioned the use of the file attack-drop.sdf. Although it is still possible to use this file in Cisco IOS Software releases prior to Cisco IOS Software Release 12.4(11)T, because of the very limited and old attack coverage the signatures in that file provide, Cisco does not recommend its use in production environments.
  – These files can be downloaded from Cisco.com at http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-sigup.



• In Cisco IOS Software Release 12.4(9)T2 or earlier releases, Cisco IOS IPS supports changing the action on a signature by accessing the device-level application (Cisco SDM 2.2 or later) or the network-level application (the CiscoWorks Management Center for IPS Sensors [IPS MC] 2.2).
• The action can be set to Alarm, Drop, Reset, denyAttackerInline, or DenyFlowInline.
• Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T or later supports signature action configuration using the command-line interface (CLI).



Cisco IOS IPS configuration tasks

• Verify the configuration. This includes using the available show, clear, and debug commands for the IOS IPS.


Install the Cisco IOS IPS

• Use this procedure to install the latest Cisco IOS IPS signatures on a router for the first time.
• This procedure allows the administrator to load the default, built-in signatures or the attack-drop.sdf file, but not both. To merge the two signature files, the administrator must first load the default, built-in signatures as described in this procedure. Then, the default signatures can be merged with the attack-drop.sdf file.


Install the Cisco IOS IPS

• Whenever signatures are replaced or merged, the router prompt is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built.
• Depending on the platform and how many signatures are being loaded, building the engines can take up to several seconds. It is recommended that logging messages be enabled to monitor the engine building status.


Install the Cisco IOS IPS

Note: built-in signatures are predefined signatures bundled with Cisco IOS Software.

• Upgrade to the latest SDF: An important part of IPS is keeping up with the latest attack signatures. The attack signatures in the router should be kept up to date with the latest IPS signature file, attack-drop.sdf.


Install the Cisco IOS IPS

• Support for ip audit Commands
  – The latest IPS image will read and convert all commands that begin with the words ip audit to ip ips.
  – For example, the ip ips notify command replaces the ip audit notify command. If the ip audit notify command is part of an existing configuration, the IPS will interpret it as the ip ips notify command.
  – Although IPS will accept the audit keyword, it will generate the ips keyword when the configuration is shown. Also, if the help character (?) is issued, the CLI will display the ips keyword instead of the audit keyword, and the Tab key used for command completion will not recognize the audit keyword.


Configure logging using Syslog or SDEE

• As of Cisco IOS Release 12.3(11)T, Cisco IOS IPS provides two methods to report IPS intrusion alerts.
• These methods are Cisco IOS logging (Syslog) and Security Device Event Exchange (SDEE).


Configure logging using Syslog or SDEE



• SDEE is a new standard that specifies the format of messages and the protocol used to communicate events generated by security devices, such as the exchange of IPS messages between IPS clients and IPS servers.
• SDEE utilizes HTTP and XML to provide a standardized interface.
• The Cisco IOS IPS router will still send IPS alerts via Syslog.


Configure logging using Syslog or SDEE





• Storing SDEE Events in the Buffer
  – When SDEE notification is enabled using the ip ips notify sdee command, 200 events can automatically be stored in the buffer.
  – When SDEE notification is disabled, all stored events are lost.
  – A new buffer is allocated when the notifications are re-enabled.
• When specifying the size of an events buffer, note the following functionality:
  – It is circular. When the end of the buffer is reached, the buffer will start overwriting the earliest stored events. If overwritten events have not yet been reported, a buffer overflow notice will be received.
  – If a new, smaller buffer is requested, all events that are stored in the previous buffer will be lost.
  – If a new, larger buffer is requested, all existing events will be saved.
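The buffer rules above, modelled as an added Python illustration (not Cisco code): a fixed-size ring that overwrites the oldest events, raises an overflow notice only when an event no client has pulled is lost, and follows the smaller/larger resize rules. The class name and its store(), report() and resize() methods are assumptions of the model.

```python
# Added model of the SDEE event buffer (illustration only, not Cisco code).
# Assumed names: SdeeEventBuffer, store(), report(), resize().
from collections import deque


class SdeeEventBuffer:
    """Circular buffer of IPS events with the semantics the slide describes."""

    def __init__(self, size=200):
        if size < 1:
            raise ValueError("buffer size must be at least 1")
        self.size = size
        self._events = deque(maxlen=size)  # a full deque drops its oldest entry on append
        self._unreported = 0               # newest events not yet pulled by an SDEE client
        self.overflow_notices = 0          # raised each time an unreported event is lost

    def store(self, event):
        """Store one event; overwriting an unreported event raises an overflow notice."""
        if len(self._events) == self.size and self._unreported == self.size:
            # The oldest slot holds an event no client has seen, and it is about to go.
            self.overflow_notices += 1
            self._unreported -= 1
        self._events.append(event)
        self._unreported += 1

    def report(self):
        """Hand the unreported events to the client; they stay in the ring until overwritten."""
        pending = list(self._events)[len(self._events) - self._unreported:]
        self._unreported = 0
        return pending

    def resize(self, new_size):
        """A smaller buffer discards every stored event; a larger one keeps them all."""
        if new_size < 1:
            raise ValueError("buffer size must be at least 1")
        kept = list(self._events) if new_size >= self.size else []
        self.size = new_size
        self._events = deque(kept, maxlen=new_size)
        self._unreported = min(self._unreported, len(kept))
        return len(kept)

    def __len__(self):
        return len(self._events)
```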


Configure logging using Syslog or SDEE

  Router(config)# ip http server logging on logging ip ips log logging syslog_server_IP logging trap [warnings | …]





• SDEE Prerequisites
  – To use SDEE, the HTTP server must be enabled with the ip http server command.
  – If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot see the requests.
• The default number of events is 100. Raising the number of events past 100 may cause memory and performance impacts because each event in the event queue requires 32 KB of memory.


Extra: Logging Level



Verify the IPS configuration


Extra: Verify the IPS version

• To check the current system version, use the show subsys name ips command.
  – IPS 4.x uses a version format of 2.xxx.xxx
  – IPS 5.x uses a version format of 3.xxx.xxx


Extra: Cisco IOS IPS configuration tasks with 5.x signatures

• Built-in signatures are removed from Cisco IOS IPS starting from Cisco IOS Software Release 12.4(11)T.
• These built-in signatures exist solely to maintain backward compatibility with the previous Cisco IOS Intrusion Detection System (IDS), which has about 135 signatures.
• Cisco does not recommend using built-in signatures.
• You must load one of the following images on your router to install Cisco IOS IPS 5.x: adventerprisek9, advsecurityk9, or advipservicesk9.


Extra: Cisco IOS IPS configuration tasks with 5.x signatures



Reference: Getting Started with Cisco IOS IPS with 5.x Format Signatures


Configure Attack Guards on the PIX Security Appliance


Mail Guard

• Mail Guard provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside e-mail server.
• Mail Guard enables a mail server to be deployed within the internal network without it being exposed to known security problems with some mail server implementations.


Mail Guard





• When configured, Mail Guard allows only the seven SMTP commands specified in RFC 821 section 4.5.1.
  – These commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
  – Other commands, such as KILL, WIZ, and so forth, are intercepted by the PIX Security Appliance and are never sent to the mail server inside the network. The PIX responds with an OK even to denied commands, so that attackers will not know that their attempts are being thwarted.
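An added Python illustration of the Mail Guard command filter described above (not PIX code): the seven RFC 821 commands are relayed, anything else is intercepted, answered with a generic 250 OK and recorded for logging; the stand-in inside_mail_server and the session lines are constructed for the example. It also covers one case the slide does not spell out: lines sent after an accepted DATA are message content, not commands, so they pass through until the terminating "." line.

```python
# Added illustration of the Mail Guard command filter (not PIX code).
# Assumptions: the stand-in inside_mail_server and the constructed session below.
ALLOWED_SMTP_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def inside_mail_server(line):
    """Constructed stand-in for the protected inside SMTP server (not a real MTA)."""
    verb = line.strip().split(" ", 1)[0].upper()
    canned = {"HELO": "250 mail.example.test", "DATA": "354 Start mail input", "QUIT": "221 Bye"}
    return canned.get(verb, "250 OK")


def mail_guard_session(client_lines, server=inside_mail_server):
    """Run one client session through the guard.

    Returns (lines relayed to the server, intercepted verbs, per-line transcript of
    (client line, reply the client sees)). Lines after an accepted DATA are message
    content rather than commands, so they are relayed untouched up to the '.' line."""
    relayed, intercepted, transcript = [], [], []
    in_data = False
    for line in client_lines:
        if in_data:
            relayed.append(line)
            reply = server(line) if line == "." else None  # body lines get no reply
            in_data = line != "."
        else:
            verb = line.strip().split(" ", 1)[0].upper()
            if verb in ALLOWED_SMTP_COMMANDS:
                relayed.append(line)
                reply = server(line)
                in_data = verb == "DATA" and reply.startswith("354")
            else:
                intercepted.append(verb)   # what the PIX would log; never reaches the server
                reply = "250 OK"           # deceptive OK, the sender learns nothing
        transcript.append((line, reply))
    return relayed, intercepted, transcript


# Constructed session: two non-RFC-821 probes mixed into an ordinary delivery.
SAMPLE_SESSION = [
    "HELO client.example.test",
    "WIZ",
    "VRFY postmaster",
    "MAIL FROM:<sender@example.test>",
    "RCPT TO:<user@example.test>",
    "DATA",
    "Subject: status report",
    "KILL",          # inside the message body: content, not a command
    ".",
    "QUIT",
]
```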


Mail Guard

• By default, the PIX Security Appliance inspects port 25 connections for SMTP traffic.
• If there are SMTP servers on the network that are using ports other than port 25, the fixup protocol smtp command must be used to have the PIX inspect these other ports for SMTP traffic.


DNS Guard

• In an attempt to resolve a name to an IP address, a host may query the same DNS server multiple times.
• The DNS Guard feature of the PIX Security Appliance recognizes an outbound DNS query and allows only the first answer from the server back through the PIX. All other replies from the same source are discarded.
• DNS Guard closes the UDP conduit opened by the DNS request after the first DNS reply and does not wait for the normal UDP timeout.


FragGuard and Virtual Reassembly



• FragGuard and Virtual Reassembly is a PIX Security Appliance feature that provides IP fragment protection.
  – Virtual reassembly is the process of gathering a set of IP fragments, verifying integrity and completeness, and tagging each fragment in the set with the transport header, without combining the fragments into a full IP packet.
  – Virtual Reassembly provides the benefits of full reassembly by verifying the integrity of each fragment set and tagging it with the transport header. It also minimizes the buffer space that must be reserved for packet reassembly.
  – Full reassembly of packets is expensive in terms of the buffer space that must be reserved for collecting and combining the fragments. Since combining of fragments is not performed with virtual reassembly, no preallocation of the buffer is needed.


FragGuard and Virtual Reassembly

• By default, the PIX Security Appliance accepts up to 24 fragments to reconstruct a full IP packet.
• Based on the network security policy, an administrator should consider configuring the PIX to prevent fragmented packets from traversing the PIX by entering the fragment chain 1 interface command on each interface.
  – Setting the limit to 1 means that all packets must be unfragmented.
• Note the following regarding fragment configuration:
  – The default values will limit DoS attacks caused by fragment flooding.
  – If an interface is not specified, the command applies to all interfaces.


FragGuard and Virtual Reassembly

• The fragment command provides management of packet fragmentation and improves the compatibility of the PIX Security Appliance with the Network File System (NFS).
• NFS is a client-server application that enables a computer user to view and optionally store and update files on a remote computer as though they were on the user’s own computer.
• In general, the default values of the fragment command should be used. However, if a large percentage of the network traffic through the PIX is NFS, additional tuning may be necessary to avoid database overflow.


FragGuard and Virtual Reassembly

• The fragment size command can be used to set the maximum number of packets in the fragment database.
• Use the fragment chain command to specify the maximum number of packets into which a packet can be fragmented, and use the fragment timeout command to specify the maximum number of seconds the PIX Security Appliance waits after the first fragment is received before discarding a fragment waiting for reassembly.


FragGuard and Virtual Reassembly

• Setting the database-limit of the size option to a large value can make the PIX Security Appliance more vulnerable to a DoS attack by fragment flooding.
• Do not set the database-limit equal to or greater than the total number of blocks in the PIX 1550 or 16384 memory pool. See the show blocks command for more details.
• Use the clear fragment command to reset the fragment databases and defaults.
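An added Python model (not PIX code) of the fragment database governed by the fragment size, chain and timeout settings discussed in the slides above, doing virtual reassembly: each set is checked for completeness and tagged without the fragments ever being merged. The Fragment record, the accept() interface and the policy of discarding a whole set when it exceeds a limit are assumptions of the model.

```python
# Added model of the PIX fragment database (illustration only, not PIX code).
# Assumptions: the Fragment record below, and that a set which breaks the chain
# or size limit is discarded whole.
from collections import namedtuple

# Constructed minimal fragment: flow key, byte offset/length, and the more-fragments flag.
Fragment = namedtuple("Fragment", "src dst ident offset length more")


class FragmentDatabase:
    """Virtual reassembly table enforcing fragment size, chain and timeout."""

    def __init__(self, size=200, chain=24, timeout=5):
        self.size, self.chain, self.timeout = size, chain, timeout
        self._sets = {}    # (src, dst, ident) -> {"first": arrival time, "frags": [Fragment]}
        self.held = 0      # fragments currently occupying database slots
        self.dropped = []  # (reason, fragment) pairs, what an operator would see logged

    def accept(self, frag, now):
        """Classify one arriving fragment at time `now` (seconds).

        Returns 'pass' for an unfragmented packet, 'hold' while a set is incomplete,
        'complete' once the set is verified (fragments are then forwarded, not merged),
        or 'drop' when a limit is exceeded."""
        self._expire(now)
        if frag.offset == 0 and not frag.more:
            return "pass"  # never fragmented, no state needed
        key = (frag.src, frag.dst, frag.ident)
        entry = self._sets.setdefault(key, {"first": now, "frags": []})
        if self.chain < 2 or len(entry["frags"]) + 1 > self.chain:
            reason = "chain"  # fragment chain 1 means no fragmented packet is accepted
        elif self.held + 1 > self.size:
            reason = "size"   # database full: refuse rather than grow without bound
        else:
            reason = None
        if reason:
            self.dropped.append((reason, frag))
            self._discard(key)
            return "drop"
        entry["frags"].append(frag)
        self.held += 1
        if self._is_complete(entry["frags"]):
            self._discard(key)  # verified: release the slots, fragments go on individually
            return "complete"
        return "hold"

    def _expire(self, now):
        """Discard sets whose first fragment arrived more than `timeout` seconds ago."""
        for key in [k for k, s in self._sets.items() if now - s["first"] > self.timeout]:
            for f in self._sets[key]["frags"]:
                self.dropped.append(("timeout", f))
            self._discard(key)

    def _discard(self, key):
        entry = self._sets.pop(key, None)
        if entry:
            self.held -= len(entry["frags"])

    @staticmethod
    def _is_complete(frags):
        """Integrity check: offsets contiguous from 0, no gaps or overlaps, last fragment seen."""
        expected = 0
        ordered = sorted(frags, key=lambda f: f.offset)
        for f in ordered:
            if f.offset != expected:
                return False
            expected += f.length
        return not ordered[-1].more
```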


AAA Flood Guard

• DoS attacks are based on the premise of utilizing the resources of a device so extensively that other legitimate traffic is crowded out.
• For example, when AAA is being used in a network for authentication, a common DoS attack is to send many forged authentication requests to the PIX Security Appliance, thus overwhelming AAA resources.


AAA Flood Guard

• The floodguard command enables the PIX Security Appliance to reclaim resources if the user authentication, or uauth, subsystem runs out of resources.
  – If an inbound or outbound uauth connection is being attacked or overused, the PIX actively reclaims TCP resources.
  – When the resources are depleted, the PIX shows messages indicating that it is out of resources or out of TCP users.
• If the PIX uauth subsystem is depleted, TCP user resources in different states are reclaimed, depending on urgency, in the following order:
  – Timewait
  – FinWait
  – Embryonic
  – Idle
• The floodguard command is enabled by default.


SYN Flood Guard

• SYN flood attacks, also known as TCP flood or half-open connection attacks, are common DoS attacks perpetrated against IP servers.
• In PIX Security Appliance Software Version 5.2, the SYN Flood Guard feature of the static command offers an improved mechanism for protecting systems reachable via a static ACL from TCP SYN attacks.


SYN Flood Guard

• TCP Intercept
• For each SYN, the PIX Security Appliance responds on behalf of the server with an empty SYN/ACK segment.
• The PIX retains pertinent state information, drops the packet, and waits for the acknowledgement from the client.
• If the ACK is received, a copy of the client SYN segment is sent to the server, and the TCP three-way handshake is performed between the PIX and the server. Only if this three-way handshake completes will the connection be allowed to resume as normal.


SYN Flood Guard

• SYN Cookies
• In the SYN cookies implementation of TCP, when the server receives a SYN packet, it responds with a SYN-ACK packet where the ACK sequence number is calculated from the source address, source port, source sequence number, destination address, destination port, and a secret seed. Then the server releases all state.
• If an ACK returns from the client, the server can recalculate it to determine if it is a response to a previous SYN-ACK.
• If so, the server can directly enter the TCP_ESTABLISHED state and open the connection.
• In this way, the server avoids managing a batch of potentially useless half-open connections.
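The SYN cookie computation described above, as an added Python illustration (not PIX code and not any operating system's implementation): the server's initial sequence number is an HMAC over the addresses, ports, the client's sequence number and a secret seed, so a returning ACK can be checked with no stored state. The HMAC construction and the function names are assumptions for this example; real stacks also fold a coarse timestamp and the MSS into the cookie.

```python
# Added illustration of SYN cookies (not PIX code, not any OS kernel's implementation).
# Assumed: HMAC-SHA256 truncated to 32 bits as the cookie function.
import hashlib
import hmac
import secrets
import struct

SEQ_MASK = 0xFFFFFFFF
SECRET_SEED = secrets.token_bytes(16)  # per-process secret seed for this example


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, seed=SECRET_SEED):
    """Server ISN for the SYN-ACK, derived from the flow and the client's ISN only."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn & SEQ_MASK}".encode()
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def server_receive_syn(src_ip, src_port, dst_ip, dst_port, client_isn):
    """Answer a SYN: return (seq, ack) for the SYN-ACK and keep no per-connection state."""
    cookie = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn)
    return cookie, (client_isn + 1) & SEQ_MASK


def server_receive_ack(src_ip, src_port, dst_ip, dst_port, seq, ack):
    """Validate the third handshake segment statelessly.

    The client's ISN is recovered as seq - 1, the cookie is recomputed for this flow,
    and the ACK is genuine only if ack == cookie + 1. Returns True when the connection
    may enter ESTABLISHED, False when the segment is dropped."""
    client_isn = (seq - 1) & SEQ_MASK
    expected = (syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn) + 1) & SEQ_MASK
    return hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", ack & SEQ_MASK))


def demo_handshake():
    """Constructed exchange: a legitimate client completes, a bogus ACK is rejected."""
    client, server = ("203.0.113.5", 40000), ("198.51.100.10", 80)
    client_isn = 123456
    syn_ack_seq, syn_ack_ack = server_receive_syn(*client, *server, client_isn)
    genuine = server_receive_ack(*client, *server, syn_ack_ack, (syn_ack_seq + 1) & SEQ_MASK)
    # An ACK whose acknowledgement number was not derived from the real SYN-ACK.
    bogus = server_receive_ack(*client, *server, syn_ack_ack, syn_ack_seq)
    return genuine, bogus
```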


Connection limits

• Use the static command to limit the number of embryonic connections allowed to the server to protect internal hosts against DoS attacks.
• Use the nat command to protect external hosts against DoS attacks and to limit the number of embryonic connections from the external host.


Connection limits

• Use the udp udp_max_conns field to set the maximum number of simultaneous UDP connections the local_ip hosts are each allowed to use.
• Idle connections are closed after the time that is specified by the timeout connection command.


Configure Intrusion Prevention on the PIX Security Appliance


Intrusion detection and the PIX Security Appliance

• With intrusion detection enabled, the PIX can detect signatures and generate a response when a set of rules is matched to network activity.
• It can monitor packets for more than 55 intrusion detection signatures and can be configured to send an alarm to a Syslog server or a server running Cisco Security Monitor, drop the packet, or reset the TCP connection.
• The PIX Security Appliance can detect 2 different types of signatures: informational signatures and attack signatures.


Configure intrusion detection


Configure IDS policies


Configure Shunning on the PIX Security Appliance


Overview of shunning

• The shun feature of the PIX Security Appliance allows a PIX, when combined with a Cisco IDS Sensor, to dynamically respond to an attacking host by preventing new connections and disallowing packets from any existing connection.
• A Cisco IDS device instructs the PIX to shun sources of traffic when those sources of traffic are determined to be malicious.
• The shun command, intended for use primarily by a Cisco IDS device, applies a blocking function to an interface receiving an attack.


Example of shunning an attacker

• Host 172.26.26.45 has been attempting a DNS zone transfer from host 192.168.0.10 using a source port other than the well-known DNS port of TCP 53.
• The offending host (172.26.26.45) has made a connection with the victim (192.168.0.10) with TCP.
• The connection in the PIX Security Appliance connection table reads as follows:
  172.26.26.45, 4000 → 10.0.0.11 PROT TCP


Summary

• This module expanded upon the idea that network security is a constant cycle of securing, monitoring, testing, and improving, centered on a security policy.
• This module discussed a number of methods that administrators can use to secure a network.
• The initialization and configuration of a Firewall IPS router was discussed, and the student gained hands-on experience by configuring an IPS router through lab activities.

