

25 September 2011, 10:28 PM


IDS vs IPS:
IDS: only detects intruders; sends an alert to the admin; takes a copy of the traffic for analysis; not an inline device; works in promiscuous mode.
IPS: detects and stops intruders; alerts on the attack; sends a sample for later analysis; can sit inline in the traffic path.

Vulnerability: a weakness in a protocol or system.
Exploit: the mechanism used to take advantage of a vulnerability.

Alarm outcomes:
True positive: alert for bad traffic (correct)
False positive: alert for good traffic (wrong, wastes analyst time)
False negative: no alert for bad traffic (wrong, the attack is missed)
True negative: no alert for good traffic (correct)

Promiscuous vs inline mode:
Promiscuous (the default): a switch or tap captures the traffic and sends a copy to the sensor; the copy is only analyzed, the sensor has no control over the original data (it can alert, request a block or send a TCP reset, but cannot drop the packet it is looking at); a sensor failure never affects the traffic flow.

Inline: performs prevention; sits in the actual traffic path; effective against worms and atomic attacks (an attack carried in a single packet, which a promiscuous sensor can only report after it has already reached the host); two interfaces are needed (called an inline pair); transparent layer 2 bridge, so no addressing changes on the segment; can be configured for alert only so that it never drops a packet; IPS 6.0 supports promiscuous and inline operation simultaneously on one sensor.

Three ways of detection: 1. Profile 2. Signature 3. Protocol

Approaches to intrusion detection:
1. Anomaly-based (profile-based): detects activity that deviates from a "normal" baseline defined by the admin or learned by the sensor. Can catch unknown attacks, but produces more false positives.
security Page 1

Two types: statistical (learns the traffic pattern of the network) and non-statistical (uses rules coded by the vendor).
2. Signature-based: pattern matching. Compares packets against the most common attack patterns defined by the vendor; fewer false positives, but signatures must be kept updated and tuned, and only attacks with a known pattern are detected.
3. Policy-based: a policy is written into the IPS; an alarm is triggered when the policy is violated.
   Difference: signature-based stops common, known attacks; policy-based is concerned with company policy (what is allowed on the network).
4. Protocol analysis-based: similar to signature-based, but decodes the protocol and performs deep inspection of the payload; more flexible for tuning.
Evasive techniques (attack methods against the IPS itself):
String match: change the case of the attack string so an exact-match signature misses it.
Obfuscation: hide the string with control characters, hex escapes (%xx) or Unicode representations of the same characters.
Fragmentation: send too many fragments so the IPS spends its resources reassembling them, or overlapping fragments that the IPS and the target host reassemble differently.
Session splicing: a large number of small packets (not IP fragmentation); TCP segment reassembly is resource-intensive for the sensor.
Insertion: the attacker inserts extra data that the IPS accepts but the target host rejects; the IPS sees a different stream from the host, so no alarm fires while the host still processes the attack data.
Evasion: the reverse; the IPS rejects or misses data that the host accepts, so the IPS sees different data while the PC receives the whole attack.
TTL-based: a form of insertion using packets whose TTL expires between the sensor and the host, so only the sensor sees them.
Encryption-based: the IPS cannot inspect encrypted payloads; ensure an attacker cannot open an encrypted session straight to the target (terminate the encryption in front of the sensor or rely on host-based protection).
Resource exhaustion (flooding): overwhelm the sensor with too many alarm conditions so that real alerts are lost.
Indicators that someone is trying to evade the sensor: fragmentation overlaps, fragment database timeouts, TCP stream or sequence overlaps, out-of-memory errors or unexpected packet drops on the sensor.
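The string-match and obfuscation evasions above, shown against an exact-match detector and against one that normalizes the URI first. This is an added example, not code from the notes or from Cisco; the requests are constructed and the signature string is a stand-in for a vendor pattern.

```python
"""Added example (not part of the notes): how case changes, %xx hex escapes,
%uXXXX Unicode escapes and double encoding get past an exact-match signature,
and the normalization a sensor has to apply before matching. The requests are
constructed; SIGNATURE is a stand-in, not a Cisco signature."""
import re
from urllib.parse import unquote

SIGNATURE = "cmd.exe"   # what a naive vendor pattern might look for in a URI

def naive_match(payload: bytes) -> bool:
    """Exact byte comparison: a case change or %xx encoding defeats it."""
    return SIGNATURE.encode() in payload

def normalize_uri(payload: bytes) -> str:
    """Undo the obfuscations before matching: %uXXXX (IIS-style Unicode),
    %xx hex escapes including double encoding, and mixed case. Decoding is
    bounded so a chain of encodings cannot make the sensor loop forever."""
    text = payload.decode("latin-1")
    for _ in range(3):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), text)
        decoded = unquote(decoded)
        if decoded == text:
            break
        text = decoded
    return text.lower()

def normalized_match(payload: bytes) -> bool:
    return SIGNATURE in normalize_uri(payload)

# Constructed variants of the same request; only the first matches exactly.
VARIANTS = {
    "plain":   b"GET /scripts/cmd.exe?/c+dir HTTP/1.0",
    "case":    b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0",
    "hex":     b"GET /scripts/%63%6d%64.exe?/c+dir HTTP/1.0",
    "unicode": b"GET /scripts/%u0063md.exe?/c+dir HTTP/1.0",
    "double":  b"GET /scripts/%2563md.exe?/c+dir HTTP/1.0",
}

def evasion_report() -> dict:
    """(naive hit, normalized hit) per variant; the gap is the false negatives."""
    return {name: (naive_match(p), normalized_match(p)) for name, p in VARIANTS.items()}

if __name__ == "__main__":
    for name, (naive, normalized) in evasion_report().items():
        print(f"{name:8} naive={naive!s:5} normalized={normalized}")
```

The bounded decode loop matters: a sensor that decodes exactly once misses the double-encoded variant, while one that decodes until nothing changes can be kept busy by an attacker who stacks encodings.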

Cisco products:
New features in IPS 6.0:
- Virtualization support: a different policy per segment (virtual sensor) on a single sensor
- New signatures
- Passive OS fingerprinting: identifies the victim OS; also useful for asset management
- Risk rating and threat rating
- Anomaly detection: finds worm-infected hosts
- Improved GUI (IDM)
- External product interface: subscribe to events from other devices

Sensor family: IDS 4215 sensor, IDS 4235 sensor, IDS 4250 XL sensor, SSM (Security Services Module)

Other IPS platforms:
- Cisco IPS modules for the Cisco 1841, 2800 and 3800 ISR routers (the IDS network module for routers)
- AIP-SSM: Advanced Inspection and Prevention Security Services Module for the ASA 5500
- Catalyst 6500 IDSM-2

IPS 6.0 architecture:
- Event store: storage for events (alerts, errors, status)
- SSH and Telnet servers for CLI access; Telnet is disabled by default
- IDAPI (intrusion detection application programming interface): the interface between the sensor applications and the event store
- Sensing/analysis engine: packet capture and analysis (the component that runs the virtual sensors)

Management options:
- Single device: CLI, IDM (IPS Device Manager)
- Multiple devices: IPS Event Viewer (IEV), Cisco Security Manager (CSM), MARS

Tools for configuring Cisco IPS 6.1(1)E2: Cisco IME 6.1 (Cisco Intrusion Prevention System Manager Express), IPS CLI 6.1, ASDM 5.2 and above, CSM 3.2
Tools for monitoring Cisco IPS 6.1(1)E2: Cisco IME 6.1, MARS 4.2 and 4.3(1), CSM 4.0

Types of IPS:
NIPS (network IPS): protects many systems; implemented in network devices.
HIPS (host IPS): protects only one system; installed on a server or workstation. Cisco's HIPS is the Cisco Security Agent (CSA), which sits between the applications and the OS.

Deploying sensors, considerations: network media; sensor performance; network design; IPS design (number of devices protected, multiple virtual sensors in one physical sensor); topology size, complexity, connections, amount and type of traffic; placement of the sensor at entry and exit points.
Where to place a sensor:
- Internet: between the perimeter and the internet
- Extranet: between your network and the extranet
- Internal: between internal segments, such as the data center
- Remote access: at the perimeter control point
- Server farm: between the perimeter and the HIPS-installed servers

CLI: the default username and password are both cisco and must be changed at first login.
CLI used for: initializing the sensor, configuring, administering, troubleshooting and monitoring.
Modes:
- Service mode, for editing a service: service service-name
- Multi-instance service mode: service service-name logical-instance-name
Initializing the sensor with the setup command:
1. Hostname (default: sensor)
2. IP address for the command and control interface (default)
3. Default gateway (default)
4. Telnet (default: disabled)
5. Web server port (default: 443)
6. ACL for accessing the sensor from the admin PC (allowed hosts)
7. Date and time
8. Sensor interfaces
9. Virtual sensor: assign promiscuous interfaces and inline interface pairs
10. Threat prevention: the default event action override that denies packets with a risk rating of 90 to 100
Common CLI tasks: ping; trace; banner login; show version; copy /erase source-url destination-url (the /erase option erases the destination file before copying); copy /erase backup-config current-config; the more keyword; show settings; show events

Using IDM: TLS/SSL certificates are used between the client (browser) and the sensor; Java plug-in 1.5 is needed; browse to https://sensor_ip_address (Default IP -)
General network settings: Configuration > sensor setup > network
SSH key: Configuration > sensor setup > SSH > sensor key
Reboot: Configuration > reboot
Shutdown: Configuration > shutdown sensor

Event exchange protocols:
- RDEP2 (Remote Data Exchange Protocol): Cisco's protocol for exchanging events and IP logs between the sensor and its clients; on Cisco IPS it is the transport SDEE rides on
- SDEE (Security Device Event Exchange): the vendor-neutral event exchange standard (ICSA Labs IDS consortium, with Cisco participation); it replaces RDEP as the event format, and RDEP will be removed in the future
- CIDEE: Cisco's extension of SDEE with IPS-specific fields

Basic sensor settings:
- Configure allowed hosts: Configuration > sensor setup > allowed hosts
- Set the time: Configuration > sensor setup > time
- Certificates: the server certificate is generated when the IPS starts; to view or regenerate it: Configuration > sensor setup > certificates > server certificate
- Trusted hosts: Configuration > sensor setup > certificates > trusted hosts
Create user accounts: Configuration > sensor setup > users
User roles:
1. Administrator: highest privilege level; can change any setting, including user accounts
2. Operator: can view everything and modify most of the configuration (for example tune signatures and manage blocking devices), but cannot add or change other users
3. Viewer: can view configuration and events; can only change their own password
4. Service: a special account for Cisco TAC that gives a bash shell instead of the IPS CLI; only one per sensor
Only one user at a time can access the device.

Interface roles: up to 9 monitoring interfaces, depending on the platform. An interface can be:
1. Command and control
2. Monitoring (sensing)
3. Alternate TCP reset interface: used in promiscuous mode because the sensor cannot send TCP reset packets over the same interface where the attacker was detected (for example a SPAN destination port that does not accept input)

Monitoring interface modes:
1. Promiscuous mode: packets do not flow through the sensor; it receives a copy
2. Inline interface pair mode: packets pass through the sensor; must be configured as a pair
3. Inline VLAN pair mode: one 802.1q trunk port; the sensor bridges two VLANs on it
4. VLAN group mode: one interface is divided into many VLAN groups for virtualization (each group can be assigned to a different virtual sensor)
Configuring interfaces: Configuration > interface configuration > interfaces
Software bypass mode (inline only): what happens to traffic when the sensing application fails or is restarted.
- ON: traffic is not inspected; the sensor just bridges the inline pair (acts as a bridge)
- OFF: traffic is always inspected; if the sensing application fails, no traffic flows (fail-closed; fail-open disabled)
- AUTO (default): traffic is inspected normally; if the sensing application fails, traffic flows uninspected (fail-open)
Hardware bypass: complements software bypass by also covering a power or hardware failure; available on the 4-port gigabit bypass card, where bypass is between interfaces 0 and 1 and between interfaces 2 and 3. Configuration > interface configuration > bypass
Viewing events: Monitoring > events

Signatures: Configuration > signature definitions > signature configuration
Three kinds: default (built-in) signatures, tuned signatures (built-in but modified) and custom signatures. By default the built-in signatures are used.

Event actions (what a signature can do when it fires):
- Deny attacker inline: terminates the current packet and future packets from the attacker address for a configured period
- Deny attacker service pair inline: terminates the current and future packets from the attacker address to the victim port
- Deny attacker victim pair inline: terminates the current and future packets from the attacker address to the victim address
- Deny connection inline: terminates the current packet and future packets on this TCP flow
- Deny packet inline: terminates (drops) this packet
- Log attacker packets: starts IP logging for packets from the attacker address and sends an alert
- Log pair packets: starts IP logging for the attacker-victim address pair and sends an alert
- Log victim packets: starts IP logging for packets to the victim address and sends an alert
- Modify packet inline: modifies the packet data to remove ambiguity about what the end point might do with the packet (normalization)
- Produce alert: writes the event to the event store
- Produce verbose alert: includes a dump of the offending packet in the alert; writes to the event store even if produce alert is not selected
- Request block connection: sends a request to ARC to have a blocking device block this connection
- Request block host: sends a request to ARC to have a blocking device block the attacker host
- Request SNMP trap: sends a request to the notification application to send an SNMP trap; writes the event to the event store even if produce alert is not selected
- Request rate limit: sends a rate-limit request to ARC; a rate-limiting device must be configured to implement this action
- Reset TCP connection: sends TCP resets to tear down the flow; only meaningful for TCP
Many of these responses deny the attacker in different ways and can be combined.

Manage denied attackers: Monitoring > denied attackers

Signature engines: the sensor depends on its engines; each engine runs a group of signatures, and one engine supports an entire category of signatures. Engines have tunable parameters; some are common to all engines, some are engine-specific.
Common parameters: signature ID, alert severity, signature fidelity rating, alert frequency.
Alert frequency (summary mode):
- Fire all: send an alert for every matching packet
- Fire once: send an alert only for the first matching packet
- Summarize: consolidate alarms and send one interval summary alert
- Global summarize: consolidate alarms across all address combinations and send one global summary alert

SIGNATURES:
ATOMIC: matches on L3 and L4 attributes (IP and TCP headers); triggered by the content of a single packet; stores no state across packets. Engines: ATOMIC ARP (L2), ATOMIC IP (L3 and L4), ATOMIC IPv6
FLOOD: detects ICMP and UDP flooding from an attacker to a single host or an entire network. Engines: FLOOD.NET, FLOOD.HOST
SERVICE: L5 and above; protocol decoding
STRING: supports regular expressions for pattern matching; state is maintained across a stream of packets
SWEEP: detects one attacker connecting to many hosts or many ports. Engines: SWEEP, SWEEP OTHER TCP (signatures for TCP packets with different flag sets)
TROJAN: TROJAN BO2K (Back Orifice 2000 over TCP and UDP), TROJAN TFN2K (irregular and corrupted headers over TCP, UDP and ICMP), TROJAN UDP
TRAFFIC: non-standard protocols such as TFN2K, LOKI and DDoS tools. Engines: TRAFFIC ICMP (for LOKI, TFN2K), TRAFFIC ANOMALY (TCP, UDP and other traffic, for worms)
AIC (application inspection and control): L4 to L7 inspection for HTTP and FTP; detects covert channels. Engines: AIC FTP, AIC HTTP. Configuration > signature definitions > sig0 > miscellaneous > application policy
STATE: tracks the various states of a login, an LPR format string or an SMTP session; new state machines can be defined in a signature update
META: processes events rather than packets; fires when a set of component signature events occur within a sliding time interval, for example to indicate the Nimda worm from its individual signature events
NORMALIZER: performs proper packet sequencing and reassembly (IP fragments and TCP streams) so that the sensor and the end host see the same data

CUSTOMIZING SIGNATURES, for the following reasons:
- Reduce background noise (the sensor produces lots of alarms)
- Reduce false positives
- Reduce false negatives
- Increase the IPS's awareness of the network's needs
- Increase performance
Noise reduction: do not display the noisy alerts, log them instead; modify signatures per system.
False positive reduction: disable the alert; match the signature to the environment; change the signature threshold; modify the parameters or the string being matched.
False negative reduction: increase the time span for scan and sweep detection; lower the event count where it is set too high; change settings on a per-host basis; use MARS; use CSA; use host and firewall logs to see what did not fire.

Syncing signatures to the protected devices:
- Windows systems: use the NT IP reassembly policy; enable IIS signatures if an IIS server is present; enable Windows/NetBIOS signatures; deobfuscation inside HTTP is on by default and uses the IIS dialect
- Solaris systems: use the Solaris IP reassembly policy; enable RPC signatures; enable r-services signatures; enable general RPC/NFS signatures depending on the server role
- Linux systems: use the Linux IP reassembly policy; enable RPC, r-services and RPC/NFS signatures
Focus on policy: detect unauthorized protocols, unauthorized applications and unauthorized actions, and enable all the relevant signatures.
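Why the IP reassembly policy has to match the protected host, and how the fragmentation-overlap evasion described under evasive techniques exploits a mismatch. This is an added example, not code from the notes or from Cisco: the fragments are constructed, and which operating system favours which policy is what the per-OS reassembly profiles above encode, not something this code asserts.

```python
"""Added example, not from the notes: overlapping IP fragments reassembled
under two policies. "first" keeps the data that arrived first for an
overlapping byte, "last" lets a later fragment overwrite it. A sensor whose
policy differs from the victim's sees a different payload and either misses
the attack (false negative) or alarms on data the host never ran (false
positive). Fragments are constructed; SIGNATURE is a stand-in pattern."""

SIGNATURE = b"cmd.exe"

def reassemble(fragments, policy="first") -> bytes:
    """fragments: list of (offset, data). Unfilled holes stay as b'?'."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    size = max(off + len(data) for off, data in fragments)
    buf = bytearray(b"?" * size)
    filled = [False] * size
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    return bytes(buf)

def sensor_verdict(fragments, sensor_policy, host_policy):
    """(alarm fired on the sensor, attack string delivered to the host)."""
    seen_by_sensor = reassemble(fragments, sensor_policy)
    seen_by_host = reassemble(fragments, host_policy)
    return SIGNATURE in seen_by_sensor, SIGNATURE in seen_by_host

# Constructed attack: the third fragment overlaps the first and rewrites
# "cmX" (offset 13) to "cmd", so only a last-wins host sees "cmd.exe".
OVERLAP_ATTACK = [(0, b"GET /scripts/cmX"), (16, b".exe?/c+dir"), (13, b"cmd")]

if __name__ == "__main__":
    for sensor, host in [("first", "last"), ("last", "last"), ("last", "first")]:
        print(f"sensor={sensor:5} host={host:5} -> (alarm, delivered) =",
              sensor_verdict(OVERLAP_ATTACK, sensor, host))
```

The (sensor="first", host="last") case is the evasion: no alarm, attack delivered. The (sensor="last", host="first") case is the insertion side: an alarm for data the host discarded. Only a sensor configured with the host's own policy gets both right, which is what the per-OS reassembly setting above is for.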
Performance guidance: filter traffic before capture; place the IPS behind the firewall; selective capture; disable unneeded signatures and simplify signatures; unidirectional capture; load balance across multiple sensors.

ADVANCED CONFIGURATION:
Advanced tuning, information needed before tuning: network topology; network address space; static and DHCP addresses on the inside; server OSs; applications on the servers; the security policy.

Sensor configuration: location matters for tuning. If the sensor is outside the firewall, avoid assigning a high security level to any single event and turn off response actions (it sees the noise the firewall would drop anyway).
Reasons for tuning: the default configuration is too noisy to be of benefit to the admin; reduce background noise; reduce false positives; reduce false negatives; increase performance.
Tuning means: enabling and disabling signatures; changing signature patterns; creating event action override policies; creating event action filters.

IP LOGGING: a feature for capturing raw, unaltered packets to confirm an attack, assess damage and keep forensic evidence. Log files are in libpcap format and are kept in RAM (copy them off the sensor, they do not survive a reboot).
Manual logging: Monitoring > IP logging > add
Logging parameters: Configuration > signature definitions > sig0 > miscellaneous

REASSEMBLY OPTIONS: make the best use of sensor resources; IP fragment reassembly and TCP stream reassembly. Configuration > signature definitions > sig0 > miscellaneous
Target value rating: used in the risk rating for each asset. Available values: low, medium, high, mission critical, no value (zero). Configuration > event action rules > rules0 > target value rating
Event variables: used in event action filters so that the same value (for example an address range) can be used in many different filters. Configuration > event action rules > rules0 > event variables tab
Event action overrides: use the risk rating score as a trigger to add actions, for example deny attacker inline once the risk rating exceeds a certain value; event variables can be used in overrides too. Configuration > event action rules > rules0 > event action overrides tab
Event action filters: remove specific actions from an event or prevent the event from firing at all. Configuration > event action rules > rules0 > event action filters tab
Risk rating: used to reduce false alarms and to control what causes an alarm. A value from 0 to 100; the higher the value, the greater the confidence that the alert is a real, relevant attack (not a false positive). It is associated with the alert, not with the signature, and is the mechanism for prioritizing the alerts that need user attention. Reported in the evIdsAlert event.

Risk rating components (ratings are associated with alerts, not with signatures):
Attack severity rating (ASR): derived from the signature's severity parameter; indicates how dangerous the detected event is. Informational (25), low (50), medium (75), high (100)
Target value rating (TVR): the importance of the network asset, for example high for a server and low for a desktop. Zero (50), low (75), medium (100), high (150), mission critical (200)
Signature fidelity rating (SFR): per signature, 0 to 100; the accuracy of the signature (a confidence rating defined by the signature author)
Attack relevancy rating (ARR): a derived value; the severity is escalated or de-escalated based on whether the attack is relevant to the target OS (from passive OS fingerprinting). Relevant (+10), unknown (0), not relevant (-10). Example: a buffer overflow against Microsoft IIS is relevant to an IIS server but not to an Apache server
Promiscuous delta (PD): per signature, 0 to 30; used only in promiscuous mode to lower the risk rating of certain alerts (the sensor cannot block there); changing it is not recommended
Watch list rating (WLR): an additive term, 0 to 35 in the formula below (the field itself ranges 0 to 100); if the attacker in the alert is found on the watch list, the watch list rating is added
Event severity: assigned to the signature (the source of the ASR)
Meta event generator: see the META engine

Risk rating formula:
    RR = (ASR x TVR x SFR) / 10,000 + ARR - PD + WLR
The result is clamped to the 0 to 100 range.
General settings for event action rules: how long to deny an attacker; maximum number of denied attackers.

Threat rating: the risk rating minus an adjustment for the action the sensor already took (the more effectively the event was mitigated, the less threat remains).
Threat rating adjustment per event action:
    Deny attacker inline                 45
    Deny attacker victim pair inline     40
    Deny attacker service pair inline    40
    Deny connection inline               35
    Deny packet inline                   35
    Modify packet inline                 35
    Request block host                   20
    Request block connection             20
    Reset TCP connection                 20
    Request rate limit                   20
The adjustment is subtracted from the risk rating; if threat rating adjustment is disabled, threat rating and risk rating are identical. Configuration > event action rules > rules0 > general settings
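The risk rating formula and the threat rating adjustment worked through for one alert under different conditions, then fed to an event action override like the threat-prevention override the setup command creates. This is an added example, not code from the notes or from Cisco: the alerts are constructed, and computing the threat rating as the risk rating minus the largest adjustment among the actions taken is this example's assumption.

```python
"""Added example, not from the notes: risk rating (RR) and threat rating (TR)
as described above, applied to constructed alerts and used to pick event
action overrides (the default threat-prevention override is deny packet
inline for RR 90 to 100). Assumption: TR = RR minus the largest adjustment of
the actions actually taken."""
from dataclasses import dataclass

ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not relevant": -10}

# Threat rating adjustment per event action (table above).
TR_ADJUST = {
    "deny attacker inline": 45,
    "deny attacker victim pair inline": 40,
    "deny attacker service pair inline": 40,
    "deny connection inline": 35,
    "deny packet inline": 35,
    "modify packet inline": 35,
    "request block host": 20,
    "request block connection": 20,
    "reset tcp connection": 20,
    "request rate limit": 20,
}

# Override as created by setup's threat prevention step: (min RR, max RR, action).
DEFAULT_OVERRIDES = [(90, 100, "deny packet inline")]

@dataclass
class Alert:
    severity: str        # signature alert severity -> ASR
    target_value: str    # target value rating of the victim asset
    sfr: int             # signature fidelity rating, 0..100
    relevancy: str       # attack relevancy from passive OS fingerprinting
    pd: int = 0          # promiscuous delta, 0..30, applies in promiscuous mode only
    wlr: int = 0         # watch list rating
    promiscuous: bool = False

def risk_rating(a: Alert) -> int:
    """RR = ASR*TVR*SFR/10000 + ARR - PD + WLR, clamped to 0..100."""
    rr = ASR[a.severity] * TVR[a.target_value] * a.sfr / 10_000
    rr += ARR[a.relevancy]
    if a.promiscuous:
        rr -= a.pd
    rr += a.wlr
    return max(0, min(100, round(rr)))

def override_actions(rr: int, overrides=DEFAULT_OVERRIDES) -> list:
    """Actions added by event action overrides whose RR range contains rr."""
    return [action for lo, hi, action in overrides if lo <= rr <= hi]

def threat_rating(rr: int, actions) -> int:
    """Remaining threat after the sensor acted: subtract the largest adjustment."""
    adjust = max((TR_ADJUST.get(action, 0) for action in actions), default=0)
    return max(0, rr - adjust)

def evaluate(a: Alert, overrides=DEFAULT_OVERRIDES) -> dict:
    rr = risk_rating(a)
    actions = ["produce alert"] + override_actions(rr, overrides)
    return {"rr": rr, "actions": actions, "tr": threat_rating(rr, actions)}

# Constructed: the same IIS buffer-overflow signature (high severity, SFR 60)
# hitting a high-value host that is IIS, is Apache, or is watched in promiscuous mode.
IIS_TARGET = Alert("high", "high", 60, "relevant")
APACHE_TARGET = Alert("high", "high", 60, "not relevant")
PROMISC_IIS = Alert("high", "high", 60, "relevant", pd=20, promiscuous=True)

if __name__ == "__main__":
    for name, alert in [("IIS", IIS_TARGET), ("Apache", APACHE_TARGET), ("promiscuous", PROMISC_IIS)]:
        print(name, evaluate(alert))
```

The IIS case lands exactly on 100 (90 from the product term plus the +10 relevancy), so the override fires and the threat rating drops to 65; the identical attack against Apache scores 80, stays below the override threshold and keeps a threat rating of 80 because only an alert was produced. That is the point of the ARR and of keeping OS mappings accurate.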

Monitoring alarms:
IPS Event Viewer (IEV): a monitoring solution for up to five sensors; email and pager notification for 5.x sensors; customized reports, for example top attacks, top attackers and top victims.
Security management suite (for firewalls, VPN, IPS, routers and switches), two components: CSM (Cisco Security Manager) and MARS (Monitoring, Analysis and Response System).
External product interface: receives host profiles (application configuration, security posture) and IP addresses identified with malicious activity; works with CiscoWorks Management Center for CSA. Configuration > external product interfaces
Cisco Incident Control System (ICS): a server-based application that works with Trend Micro to deploy policies to devices for blocking traffic and ports; creates reports; logs for analysis; configures notifications; cleans up hosts.

Virtual sensor configuration: for multiple segments with a different policy or configuration per segment. Interfaces, inline interface pairs, inline VLAN pairs and VLAN groups can be assigned to a virtual sensor. Signature definitions, event action rules and anomaly detection policies can be cloned for a new virtual sensor.
Restrictions: the sensor must receive traffic with 802.1q headers; works only in inline mode; persistent store is limited; the sensor must see both directions of a flow in the same VLAN group; up to 4 virtual sensors; virtual sensor vs0 already exists with sig0, rules0 and ad0 and cannot be deleted.
Configuration > analysis engine > virtual sensors

Configure advanced features:
Anomaly detection: looks for a single worm-infected host (a scanner).

Anomaly detection components:
- Scanner: a source IP that generates connections to multiple destination IP addresses
- Scan events: TCP, a non-established connection (SYN without a completed handshake); UDP, a uni-directional connection; ICMP, a uni-directional connection
- Zones: a zone is a set of destination IP addresses; zones reduce false negatives. Three zones: internal, external, illegal (addresses that should never be seen as destinations, so any traffic there is suspicious)
Configuration > anomaly detection > ad0
Two phases: the learn phase (takes 24 hours by default and builds the knowledge base of normal scan rates) and the detect phase (compares current rates against the knowledge base).
Configuration > analysis engine > virtual sensors > edit > learn
Configuration > analysis engine > virtual sensors > edit > detect
Event actions available for anomaly detection signatures:
1. Produce alert
2. Deny attacker inline (inline only)
3. Log attacker packets
4. Log pair packets
5. Deny attacker service pair inline (source and destination port)
6. Request SNMP trap
7. Request block host (request to the attack response controller, ARC, to block this host)
Steps for anomaly detection:
1. Add the anomaly detection policy to the virtual sensor
2. Configure the AD zones, protocols and services
3. Set the mode to learn
4. Let it run for 24 hours
5. Switch to detect mode
6. Configure the detection parameters
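The learn and detect phases above reduced to scanner detection for TCP, with zones. This is an added example, not code from the notes or from Cisco's anomaly detection implementation: the flow records are constructed, and the zone address ranges, the headroom factor and the illegal-zone threshold are this example's assumptions, not sensor defaults.

```python
"""Added example, not from the notes: anomaly detection as two phases.
Learn: per zone, how many distinct destinations one source normally reaches
with non-established TCP connections. Detect: flag a source that exceeds the
learned threshold in a zone; the illegal zone has no normal traffic, so a
fixed low threshold applies there. Flows, zone ranges, headroom and the
illegal-zone threshold are constructed/assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone layout; the notes define internal/external/illegal, ranges are ours.
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "illegal":  [ip_network("192.0.2.0/24")],   # must never be a destination
}

def zone_of(dst: str) -> str:
    addr = ip_address(dst)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "external"

def scan_events(flows):
    """Yield (src, dst, zone) for scan events: TCP connections never established."""
    for src, dst, proto, established in flows:
        if proto == "tcp" and not established:
            yield src, dst, zone_of(dst)

def _distinct_destinations(flows):
    per_src = defaultdict(set)
    for src, dst, zone in scan_events(flows):
        per_src[(zone, src)].add(dst)
    return per_src

def learn(flows, headroom=2.0) -> dict:
    """Learn phase: knowledge base = per zone, the busiest source's distinct
    destination count during the learning window, times a headroom factor."""
    kb = defaultdict(int)
    for (zone, _src), dsts in _distinct_destinations(flows).items():
        kb[zone] = max(kb[zone], len(dsts))
    return {zone: max(1, int(count * headroom)) for zone, count in kb.items()}

def detect(flows, kb: dict, illegal_threshold=1) -> list:
    """Detect phase: (src, zone, distinct destinations) for each scanner."""
    scanners = []
    for (zone, src), dsts in _distinct_destinations(flows).items():
        threshold = illegal_threshold if zone == "illegal" else kb.get(zone, illegal_threshold)
        if len(dsts) > threshold:
            scanners.append((src, zone, len(dsts)))
    return sorted(scanners)

# Constructed flow records: (src, dst, proto, established)
LEARNING_FLOWS = [
    ("10.1.1.5", "10.2.0.1", "tcp", True),
    ("10.1.1.5", "10.2.0.2", "tcp", False),
    ("10.1.1.5", "10.2.0.3", "tcp", False),
    ("10.1.1.9", "10.2.0.2", "tcp", False),
    ("10.1.1.9", "10.2.0.7", "udp", False),   # UDP: not a TCP scan event here
]
# Detect window: one host sweeps the internal zone and pokes the illegal zone.
DETECT_FLOWS = [("10.1.1.5", "10.2.0.1", "tcp", True)] + [
    ("10.1.1.77", f"10.2.0.{i}", "tcp", False) for i in range(1, 30)
] + [("10.1.1.77", "192.0.2.10", "tcp", False), ("10.1.1.77", "192.0.2.11", "tcp", False)]

if __name__ == "__main__":
    kb = learn(LEARNING_FLOWS)
    print("knowledge base:", kb)
    print("scanners:", detect(DETECT_FLOWS, kb))
```

The learning window sets the internal-zone threshold from the noisiest legitimate source (2 distinct non-established destinations, doubled to 4); the sweep host trips it with 29, and its two probes into the illegal zone are flagged on their own because nothing legitimate ever goes there. A worm that starts during the learning window would raise the baseline instead, which is why the notes say to learn on a known-clean network.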

Monitoring > anomaly detection; CLI: show statistics anomaly-detection

PASSIVE OS FINGERPRINTING (POSFP): used to determine the OS of systems. Analyzes traffic between hosts and stores the OS type together with its IP address; inspects TCP SYN and SYN/ACK packets to determine the OS; the target system's OS is used to compute the ARR.
Three ways to map an IP to an OS: configured, imported, learned.
The feature does not require configuration, but it can be controlled:
- Define OS mappings (recommended)
- Import OS mappings using the external product interface, for example from CiscoWorks Management Center for CSA
- Define the ARR address range; this limits the ARR calculation to IPs on the protected network
- Define event action rules that use the OS relevancy value to filter and alter actions
Configuration > policies > event action rules > rules0 > OS identifications
Monitoring > OS identifications > learned OS

BLOCKING: a request initiated by the sensor and performed by another device.

Attack response controller (ARC): the blocking application on the sensor, formerly known as NAC (network access controller); also handles rate limiting.
Terms:
- Device management: the sensor's ability to configure another device to perform blocking
- Managed device: the device that actually blocks the traffic; the IPS is configured to control it
- Managed interface or VLAN: the interface or VLAN on the managed device where the ACL or VACL is applied
- Active ACL or VACL: the ACL currently applied by the sensor
Blocking devices: ARC can control up to 250 devices: routers, PIX 500, Catalyst 6500, Catalyst 6500 FWSM, ASA 5500. Blocking is done with an ACL (routers), a VACL (Catalyst) or the shun command (PIX, ASA).
Blocking device requirements: the sensor and the blocking device must be able to communicate; access via Telnet or SSH from the sensor to the blocking device; if SSH is used, add the blocking device to the sensor's known hosts list: Sensor setup > SSH > known host keys

Guidelines: implement anti-spoofing first (otherwise a spoofed attack can trick the sensor into blocking a legitimate address); identify the hosts that must be excluded from blocking (for example the sensor's own management address and critical infrastructure); identify the network entry points where blocks are applied; assign the block reaction only to appropriate, high-fidelity signatures; determine the blocking duration.
ARC block actions; two events cause ARC to initiate a block:
1. Automatic blocking: a signature with a block action, for example REQUEST BLOCK HOST or REQUEST BLOCK CONNECTION
2. Manual blocking by the admin
Blocking process: the sensor detects the attack and fires a signature; the sensor writes an ACL to the managed router, inbound on the external interface or outbound on the internal interface.

Pre-block ACL: entries placed before the dynamic block entries, to permit traffic you never want the sensor to block.
Post-block ACL: entries added after the dynamic block entries, for additional blocking or permitting on that interface and direction.
Tasks: assign the block reaction to signatures; set the sensor's global blocking properties; create device login profiles; set the blocking device properties; optionally define a master blocking sensor. Configuration > blocking > blocking properties. Monitoring > active host blocks; Monitoring > network blocks
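How the pre-block ACL, the dynamic block entries and the post-block ACL fit together in the ACL ARC writes to a managed router, with the never-block list, the device limit and the block duration applied to incoming block requests. This is an added example, not code from the notes or from Cisco's ARC: the block requests, the ACL name and the default duration are constructed or assumed; the rendered text follows IOS extended ACL syntax.

```python
"""Added example, not from the notes: composing the ACL ARC pushes to a
managed router. Order is pre-block entries, dynamic blocks (host blocks from
REQUEST BLOCK HOST, connection blocks from REQUEST BLOCK CONNECTION, each
expiring after the block duration), post-block entries, then a closing
permit so blocking never turns into a blanket deny. Requests, ACL name and
the 30-minute default duration are this example's assumptions."""
from dataclasses import dataclass, field

@dataclass
class Block:
    kind: str            # "host" or "connection"
    attacker: str
    expires_at: int      # epoch seconds at which ARC removes the entry
    victim: str = ""     # connection blocks only
    proto: str = ""
    port: int = 0

@dataclass
class BlockingPolicy:
    pre_block: list = field(default_factory=list)    # ACL lines kept ahead of ARC's own
    post_block: list = field(default_factory=list)   # ACL lines appended after them
    never_block: set = field(default_factory=set)    # hosts excluded from blocking
    max_blocks: int = 250                            # per notes: ARC limit on entries
    block_duration: int = 30 * 60                    # seconds; assumed default

def request_block(active: list, blk: Block, policy: BlockingPolicy, now: int) -> bool:
    """Admit a block request: expire old entries, refuse never-block hosts,
    duplicates and anything beyond the table limit. Mutates `active`."""
    active[:] = [b for b in active if b.expires_at > now]
    if blk.attacker in policy.never_block:
        return False
    if any(b.kind == blk.kind and b.attacker == blk.attacker
           and b.victim == blk.victim and b.port == blk.port for b in active):
        return False
    if len(active) >= policy.max_blocks:
        return False
    active.append(blk)
    return True

def render_acl(name: str, active: list, policy: BlockingPolicy, now: int) -> list:
    """The ACL text as the managed router would receive it."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {entry}" for entry in policy.pre_block]
    for b in active:
        if b.expires_at <= now:
            continue
        if b.kind == "host":
            lines.append(f" deny ip host {b.attacker} any")
        else:
            lines.append(f" deny {b.proto} host {b.attacker} host {b.victim} eq {b.port}")
    lines += [f" {entry}" for entry in policy.post_block]
    lines.append(" permit ip any any")
    return lines

# Constructed scenario: the sensor (10.0.0.2) and the gateway (10.0.0.1) are
# never blocked; the pre-block ACL permits the sensor explicitly.
POLICY = BlockingPolicy(pre_block=["permit ip host 10.0.0.2 any"],
                        never_block={"10.0.0.1", "10.0.0.2"})

def demo(now: int = 1000) -> list:
    active = []
    dur = POLICY.block_duration
    request_block(active, Block("host", "203.0.113.5", now + dur), POLICY, now)
    request_block(active, Block("host", "10.0.0.1", now + dur), POLICY, now)    # refused
    request_block(active, Block("connection", "198.51.100.9", now + dur,
                                "10.1.1.10", "tcp", 80), POLICY, now)
    return render_acl("IPS_ACL", active, POLICY, now)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Two details matter operationally: the closing permit (the router's implicit deny would otherwise drop everything the moment ARC installs an ACL), and expiry handled on the sensor side, since the router has no idea when a block should end.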

Master blocking: one sensor controls blocking on behalf of other sensors. The blocking forwarding sensor (BFS) sends its block requests to the master blocking sensor (MBS); a sensor can forward to at most 10 MBSs.
On the blocking forwarding sensor: identify the remote host that serves as the MBS; add the MBS to the TLS trusted hosts table of the BFS.
On the MBS: add the BFS IP address to the allowed hosts. Configuration > blocking > master blocking sensor

Additional intrusion detection and prevention devices:
IDSM-2: the Catalyst 6500 supports the Intrusion Detection System Service Module 2 (IDSM-2).
Overview: no virtualization support with inline VLAN groups (interfaces cannot be subdivided into VLAN groups); the clock syncs with the switch automatically, but the time zone and daylight saving time do not, so use an NTP time source; no clock set command; only two sensing interfaces; the sensing ports must be configured with a native VLAN; no console port, so many commands are executed from the switch console; has a maintenance partition that supports a full reimage of the IDSM-2; features vary depending on promiscuous or inline mode.
4 logical ports: port 1 (system0/1) is the TCP reset port for promiscuous mode; port 2 (gi0/2) is the command and control port; ports 7 and 8 (gi0/7, gi0/8) are the monitoring ports.

Initializing: install the module in the proper slot; use the setup command; the default username and password are cisco; use the session command from the switch to access the module CLI; configure the command and control port into the correct VLAN; configure the interfaces to receive traffic; set the native VLAN for the sensing ports; enable BPDU/STP filtering on the sensing ports (the sensor must not take part in spanning tree); for inline mode configure the sensing ports as a port pair and assign the port pair to the default virtual sensor.
Monitoring: use show module. Upgrades: use the upgrade command.

ASA AIP-SSM

The AIP-SSM clock syncs with the ASA automatically, but the time zone and summer time do not; no clock set command. The command and control interface is GigabitEthernet0/0; only one sensing interface; no alternate TCP reset interface; does not require two interfaces for inline; does not support inline VLAN pairs or inline interface pairs; virtual sensors are supported from ASA 8.0; no console access, so many commands are executed from the ASA.
Interfaces towards the ASA 5500: internal (sensing) gi0/1 and external (command and control) gi0/0. The internal interface is the primary IPS data path for both inline and promiscuous mode; the external interface is used for downloading AIP-SSM software and for ASDM access. External interface -
Fail-open or fail-close is configured on the ASA, in the policy that sends traffic to the module.
Initialize the module:
1. Load the IPS software if needed:
   1. show module detail
   2. hw-module module 1 recover configure: define the recovery image and the TFTP server it is loaded from
   3. hw-module module 1 recover boot: start the download of the recovery image
2. setup command for the initial setup
3. Configure the security policy on the ASA using ASDM (the service policy that diverts traffic to the module, with fail-open or fail-close)
Monitoring and maintenance
Maintenance: licensing: copy license-key; Configuration > licensing






Minor version upgrade files: IPS-K9-6.1-1-E2.pkg, IPS-AIM-K9-6.1-1-E2.pkg
System image files: IPS-4270_20-K9-sys-1.1-a-6.1-1-E2.img, IPS-AIM-K9-sys-1.1-a-6.1-1-E2.img
Upgrade and recovery, three image types:
1. Application image: for normal operation
2. System image: for reimaging
3. Recovery image: the application plus installer image used for recovery
upgrade: the command for upgrading.
Reimaging steps:
1. Reboot the sensor
2. Escape the boot sequence with CTRL+R
3. Check that the BIOS is 5.1.7 and the ROM monitor is 1.4 or later
4. Change the interface port number
5. Assign the IP address
6. Assign the default gateway
7. Specify the path and filename on the TFTP server
8. Begin the TFTP download
Two methods for recovery: the recover command from the CLI, or recovering the image from the boot menu (useful when the CLI is not accessible).

Service packs and signature updates: the sensor does not download them by itself; download them manually and keep them on a TFTP, SCP, HTTP or HTTPS server. Configuration > update sensor. For automatic download from a server: Configuration > auto update
Upgrade from the CLI: sensor(config)# upgrade url/IPS-engine-E2-req-6.1-1.pkg
Copy the license key: copy scp://user@ license-key
Password recovery; restoring defaults: Configuration > restore defaults
Backup and restore: the copy command; use /overwrite to overwrite the destination, /erase to erase it first. Example: copy /erase current-config

Managing sensors, sensor health from the CLI:
- show inventory: product evolution program (PEP) information
- show statistics: internal state of the IPS
- show interfaces
- show os-identification
- show ad-knowledge-base
- show tech-support
Sensor monitoring in IDM:
- Monitoring > support information > diagnostics report: version and status of the applications, upgrades installed and PEP
- Monitoring > support information > statistics
- Monitoring > support information > system information
For SNMP: Configuration > SNMP > SNMP general configuration




Reference: IPS CLIGuide7_0 (Cisco IPS CLI guide, version 7.0)

