
Ch02.

Cisco Network
Security – IPSec VPN &
FW, IPS:
Implementing Secure Converged Wide
Area Networks (ISCW) & CCNA Security

§ Origin : Cisco Academic Press


§ Update : HoonJae Lee (이훈재), Dongseo University
§ e-mail : hjlee@dongseo.ac.kr
§ Homepage : http://kowon.dongseo.ac.kr/~hjlee
http://crypto.dongseo.ac.kr

Outline
v Network Threats
v IPSec VPN
ü VPN Overview
ü IPsec Overview
ü ESP and AH
ü Internet Key Exchange
ü Message Authentication and Integrity Check
ü Symmetric vs. Asymmetric Encryption Algorithms
ü PKI Environment
ü Summary

v Firewall
v IPS (Intrusion Prevention System)

Network Threats

The Network Today

Threat Capabilities—More
Dangerous and Easier to Use

Network Threats

§ There are four general categories of security threats to the network:
üUnstructured threats
üStructured threats
üExternal threats
üInternal threats

(Figure: external exploitation arrives over the Internet or dial-in; internal exploitation comes from a compromised host inside the network.)
Four Classes of Network Attacks
üReconnaissance attacks
üAccess attacks
üDenial of service attacks
üWorms, viruses, and Trojan horses

Specific Attack Types

§ All of the following can be used to compromise your system:
üPacket sniffers
üIP weaknesses
üPassword attacks
üDoS or DDoS
üMan-in-the-middle attacks
üApplication layer attacks
üTrust exploitation
üPort redirection
üVirus
üTrojan horse
üOperator error
üWorms

Reconnaissance Attacks

üNetwork reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications (DNS queries, whois, ping sweeps, port scans).

Packet Sniffers

§ A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. The following are the packet sniffer features:
ØPacket sniffers exploit information passed in clear text. Protocols that pass information in the clear include the following:
•Telnet
•FTP
•SNMP (v1/v2c community strings)
•POP
ØPacket sniffers must be on the same collision domain as the traffic (a shared hub segment); on a switched network the attacker first has to redirect traffic to itself (for example by ARP spoofing or by flooding the switch's MAC table).
Packet Sniffer Mitigation

§ The following techniques and tools can be used to mitigate sniffers:
üAuthentication—Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers; a captured one-time password is useless for a second login.
üSwitched infrastructure—Deploy a switched infrastructure to counter the use of packet sniffers in your environment (it raises the bar, but does not stop ARP-spoofing attacks against the switch).
üAnti-sniffer tools—Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
üCryptography—The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant: the sniffer captures only ciphertext.

IP Spoofing
ü IP spoofing occurs when a hacker inside or outside a
network impersonates the conversations of a trusted
computer.
ü Two general techniques are used during IP spoofing:
• A hacker uses an IP address that is within the range of
trusted IP addresses.
• A hacker uses an authorized external IP address that is
trusted.
ü Uses for IP spoofing include the following:
• IP spoofing is usually limited to the injection of malicious
data or commands into an existing stream of data.
• A hacker changes the routing tables to point to the spoofed IP
address, then the hacker can receive all the network packets
that are addressed to the spoofed address and reply just as any
trusted user can.

IP Spoofing Mitigation
§ The threat of IP spoofing can be reduced, but not eliminated, through
the following measures:
§Access control—The most common method for preventing IP spoofing is to properly configure access control: deny traffic arriving from the outside that carries a source address belonging to the inside network.
§RFC 2827 (BCP 38) filtering—You can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by dropping any outbound traffic on your network that does not have a source address in your organization's own IP range.
§Additional authentication that does not use IP-based authentication—Examples of this include the following:
üCryptographic (recommended)
üStrong, two-factor, one-time passwords
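The two filtering rules above (RFC 2827 egress filtering plus the matching ingress rule) written out as a checker, as an added example that is not part of the original deck. The organization prefix 198.51.100.0/24, the bogon list and the sample packets are constructed for the example; on a real router the same logic is an ACL on the ISP-facing interface.

```python
import ipaddress

# Constructed example values (assumptions for this example): the organization's own
# address block and a short list of special-use ranges that never appear as a
# legitimate source on the public Internet.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
BOGONS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/3"),   # multicast and reserved
]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def bcp38_verdict(direction, src):
    """Return 'permit' or 'deny' for a packet based only on its source address.

    egress : packet leaving our network toward the ISP. The source must be one of
             our own prefixes; anything else is a host spoofing someone else.
    ingress: packet arriving from the ISP. The source must NOT be one of our own
             prefixes (an outsider impersonating an inside host) and not a bogon.
    """
    a = ipaddress.ip_address(src)
    if direction == "egress":
        return "permit" if _in_any(a, OWN_PREFIXES) else "deny"
    if direction == "ingress":
        return "deny" if _in_any(a, OWN_PREFIXES) or _in_any(a, BOGONS) else "permit"
    raise ValueError("direction must be 'egress' or 'ingress'")

def filter_packets(direction, packets):
    """Apply the verdict to (src, dst) tuples and return the sources that were dropped."""
    return [src for src, _dst in packets if bcp38_verdict(direction, src) == "deny"]

# Constructed sample traffic (not a capture).
EGRESS_SAMPLE = [
    ("198.51.100.7", "203.0.113.1"),     # legitimate inside host
    ("203.0.113.9", "203.0.113.1"),      # spoofed: not our address space
    ("10.0.0.5", "203.0.113.1"),         # leaked private address
]
INGRESS_SAMPLE = [
    ("203.0.113.9", "198.51.100.7"),     # legitimate outside host
    ("198.51.100.200", "198.51.100.7"),  # outsider claiming to be inside
    ("192.168.1.1", "198.51.100.7"),     # bogon source
]

if __name__ == "__main__":
    print("egress dropped :", filter_packets("egress", EGRESS_SAMPLE))
    print("ingress dropped:", filter_packets("ingress", INGRESS_SAMPLE))
```

The egress rule is what stops your own compromised hosts from taking part in spoofed floods such as the smurf and SYN-flood attacks described later; the ingress rule is the "access control" bullet above. Neither catches an attacker who spoofs an address inside the range he actually sits in, which is why the third bullet asks for authentication that is not based on IP addresses at all.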

DoS Attacks

DDoS Attack Example


Password Attacks

§ Hackers can implement password attacks using several different methods:
üBrute-force attacks
üDictionary attacks
üTrojan horse programs
üIP spoofing
üPacket sniffers

Password Attack Example

§ L0phtCrack can take the hashes of passwords and generate the clear-text passwords from them. Passwords are computed using two different methods:
üDictionary cracking
üBrute force computation


Password Attacks Mitigation


§ The following are mitigation techniques:
üDo not allow users to use the same password on multiple systems.
üDisable accounts after a certain number of unsuccessful login attempts (this stops online guessing; it does nothing against offline cracking of a stolen hash file).
üDo not send passwords in plain text. OTP or a cryptographic password is recommended.
üUse "strong" passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters. (Current guidance favors longer passphrases over complexity rules, together with salted, slow password hashes on the server side.)
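The two L0phtCrack methods from the previous slide (dictionary cracking first, brute force for what is left) run against a constructed hash file, as an added example that is not part of the original deck. The password file, wordlist and mangling rules are made up for the example; unsalted MD5 is assumed only because the deck discusses MD5, and the absence of a salt is exactly what makes this cheap. The example also shows which of the mitigation bullets above actually bite: the 12-character mixed password survives, the short ones do not.

```python
import hashlib
import itertools
import string

def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()

# Constructed password file (not a real dump); unsalted MD5 is an assumption for the example.
HASHES = {
    "psmith": md5_hex("Summer2019!"),   # dictionary word + common mangling
    "jdoe":   md5_hex("letmein"),       # plain dictionary word
    "root":   md5_hex("ab7x"),          # short: falls to brute force
    "alice":  md5_hex("Xk9$tL2m!Qv4"),  # 12 chars, four character classes: survives both
}
WORDLIST = ["password", "letmein", "summer", "welcome", "admin"]   # constructed

def mangle(word):
    """Yield the cheap transformations every cracker applies to a dictionary word."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2019", "2019!"):
        yield word + suffix
        yield word.capitalize() + suffix

def dictionary_attack(targets, wordlist):
    """Return {user: password} for every hash matched by a mangled dictionary word."""
    found = {}
    for user, h in targets.items():
        for word in wordlist:
            hit = next((c for c in mangle(word) if md5_hex(c) == h), None)
            if hit is not None:
                found[user] = hit
                break
    return found

def brute_force(targets, charset, max_len, budget):
    """Exhaustive search over charset up to max_len, stopping after `budget` hashes.
    Returns ({user: password}, hashes_computed)."""
    remaining = dict(targets)
    found, tried = {}, 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            cand = "".join(tup)
            tried += 1
            h = md5_hex(cand)
            for user, target in list(remaining.items()):
                if h == target:
                    found[user] = cand
                    del remaining[user]
            if tried >= budget or not remaining:
                return found, tried
    return found, tried

def crack(targets, budget=200_000):
    """Dictionary pass first (cheap), brute force only for the hashes it did not solve."""
    found = dictionary_attack(targets, WORDLIST)
    rest = {u: h for u, h in targets.items() if u not in found}
    bf, tried = brute_force(rest, string.ascii_lowercase + string.digits, 4, budget)
    found.update(bf)
    return found, tried

if __name__ == "__main__":
    cracked, n = crack(HASHES)
    print(f"{len(cracked)}/{len(HASHES)} cracked after {n} brute-force hashes: {cracked}")
```

Nothing in this run touches the login service, so the "disable the account after N failures" rule never fires; that rule defends the online guessing path only. For the offline path the defenses are the remaining bullets: a password that is not a mangled dictionary word and is long enough that the brute-force budget runs out first, stored under a salted, slow hash rather than raw MD5.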

Man-in-the-Middle Attacks

(Figure: data in clear text passes from Host A through Router A and Router B to Host B.)
ØA man-in-the-middle attack requires that the hacker have access
to network packets that come across a network.
ØA man-in-the-middle attack is implemented using the following:
üNetwork packet sniffers
üRouting and transport protocols
ØPossible man-in-the-middle attack uses include the following:
üTheft of information
üHijacking of an ongoing session
üTraffic analysis
üDoS
üCorruption of transmitted data
üIntroduction of new information into network sessions


Man-in-the-Middle Mitigation

(Figure: with an IPsec tunnel between Router A and Router B across the ISP, a man-in-the-middle can only see cipher text.)

§ Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography (encryption). Encryption alone is not enough: the two peers must also authenticate each other, otherwise the attacker simply terminates two separate encrypted sessions, one with each side.
Application Layer Attacks

§ Application layer attacks have the following characteristics:
üExploit well-known weaknesses in protocols or software that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)
üOften use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)
üCan never be completely eliminated, because new vulnerabilities are always being discovered


Application Layer Attacks Mitigation


§ Some measures you can take to reduce your risks are as follows:
üRead operating system and network log files, or have them analyzed by log analysis applications.
üSubscribe to mailing lists that publicize vulnerabilities.
üKeep your operating system and applications current with the latest patches.
üIDSs can scan for known attacks, monitor and log attacks, and in some cases, prevent attacks.
Trust Exploitation


Trust Exploitation Mitigation

(Figure: System A trusts System B, which has been compromised by a hacker; both present user psmith (Pat Smith). The hacker's own attempt from the outside, as psmith (Pat Smithson), is blocked by the firewall.)

ØSystems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall.
ØSuch trust should be limited to specific protocols and should be validated by something other than an IP address where possible.
Port Redirection


Unauthorized Access

ØUnauthorized access includes any unauthorized attempt to access a private resource:
üNot a specific type of attack
üRefers to most attacks executed in networks today
üInitiated on both the outside and inside of a network
ØThe following are mitigation techniques for unauthorized access attacks:
üEliminate the ability of a hacker to gain access to a system
üPrevent simple unauthorized access attacks, which is the primary function of a firewall
Virus and Trojan Horses

uViruses are malicious software attached to another program in order to execute a particular unwanted function on a user's workstation. End-user workstations are the primary targets.

uA Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated by antivirus software at the user level and possibly the network level.


Sophistication of Threats

Network Security “Threat”
• A potential danger to information or a system
• An example: the ability to gain unauthorized access to systems or
information in order to commit fraud, network intrusion, industrial
espionage, identity theft, or simply to disrupt the system or network
• There may be weaknesses that greatly increase the likelihood of a
threat manifesting
• Threats may include equipment failure,
structured attacks, natural disasters,
physical attacks, theft, viruses and
many other potential events causing
danger or damage


Types of Network Threats

§ Impersonation
§ Eavesdropping
§ Denial-of-service
§ Packet replay
§ Man-in-the-middle
§ Packet modification

Types of Attacks
Structured attack
Come from hackers who are more highly motivated and technically
competent. These people know system vulnerabilities and can
understand and develop exploit code and scripts. They understand,
develop, and use sophisticated hacking techniques to penetrate
unsuspecting businesses. These groups are often involved with the
major fraud and theft cases reported to law enforcement agencies.

Unstructured attack
Consists of mostly inexperienced individuals using easily available
hacking tools such as shell scripts and password crackers. Even
unstructured threats that are only executed with the intent of testing
and challenging a hacker’s skills can still do serious damage to a
company.


Types of Attacks
External attacks
Initiated by individuals or groups working outside of a company. They
do not have authorized access to the computer systems or network.
They gather information in order to work their way into a network
mainly from the Internet or dialup access servers.

Internal attacks
More common and dangerous. Internal attacks are initiated by
someone who has authorized access to the network. According to the
FBI, internal access and misuse account for 60 to 80 percent of
reported incidents. These attacks often are traced to disgruntled
employees.

Types of Attacks

§ Passive Attack
üListen to system passwords
üRelease of message content
üTraffic analysis
üData capturing
§ Active Attack
üAttempt to log into someone else’s account
üWire taps
üDenial of services
üMasquerading
üMessage modifications


Specific Network Attacks

§ ARP Attack
§ Brute Force Attack
§ Worms
§ Flooding
§ Sniffers
§ Spoofing
§ Redirected Attacks
§ Tunneling Attack
§ Covert Channels

Denial-of-Service Facts

§ Commonly used against information stores like web sites
§ Simple and usually quite effective
§ Does not pose a direct threat to sensitive data
§ The attacker tries to prevent a service from being used, making that service unavailable to legitimate users
§ Attackers typically go for high visibility targets such as the web server, or for infrastructure targets like routers and network links

Denial-of-Service Example

If a mail server is capable of receiving and delivering 10 messages a second, an attacker simply sends 20 messages per second. The legitimate traffic (as well as a lot of the malicious traffic) will get dropped, or the mail server might stop responding entirely.
üThis type of an attack may be used as a diversion while another attack is made to actually compromise systems
üIn addition, administrators are likely to make mistakes during an attack and possibly change a setting that creates a vulnerability that can be further exploited
Types of Denial-of-Service Attacks

§ Buffer Overflow Attacks
§ SYN Flood Attack
§ Teardrop Attacks
§ Smurf Attack
§ DNS Attacks
§ Email Attacks
§ Physical Infrastructure Attacks
§ Viruses/Worms

DoS - Buffer Overflow Attacks

üThe most common DoS attack sends more data to a device than the program was written to expect (a buffer overflow); the surplus overwrites adjacent memory and the process crashes or misbehaves, taking the service down.
DoS - SYN Flood Attack
§ When a TCP session is set up between a client and a server, the server keeps a small amount of state for each half-open connection while it waits for the "hand-shaking" exchange (SYN, SYN-ACK, ACK) to complete; the backlog that holds this state is limited.
§ The session-establishing packets carry the SYN flag and the initial sequence number; the server answers with SYN-ACK and waits for the client's ACK.
§ To cause this kind of attack, an attacker sends many SYN packets, usually from spoofed source addresses, so that no ACK ever comes back and the backlog fills with half-open connections; new legitimate connections are then refused. (SYN cookies and shortened half-open timeouts are the usual defenses.)
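The half-open backlog described above, replayed as a detector over a constructed packet trace, as an added example that is not part of the original deck. The trace, the server address, the window of 10 seconds and the alert threshold of 5 are all assumptions chosen for the example; a real sensor would read these fields from a capture.

```python
from collections import defaultdict

def syn_flood_report(packets, max_half_open=5, window=10.0):
    """Replay (ts, src, sport, dst, dport, flags) records and track half-open TCP connections.

    A client's SYN creates a half-open entry; the client's final ACK of the handshake
    removes it; entries older than `window` seconds expire, as the server's backlog
    timer would. Returns (alerts, still_half_open): alerts maps (server, port) to the
    peak number of simultaneous half-open connections where that peak exceeded
    max_half_open.
    """
    half_open = {}                     # (src, sport, dst, dport) -> time of the SYN
    peak = defaultdict(int)
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            half_open[key] = ts
        elif flags == "A":
            half_open.pop(key, None)   # third handshake packet: connection established
        for k in [k for k, t in half_open.items() if ts - t > window]:
            del half_open[k]           # backlog entry timed out
        per_server = defaultdict(int)
        for (_s, _sp, d, dp) in half_open:
            per_server[(d, dp)] += 1
        for server, n in per_server.items():
            peak[server] = max(peak[server], n)
    alerts = {s: n for s, n in peak.items() if n > max_half_open}
    return alerts, set(half_open)

SERVER = ("198.51.100.10", 80)
# Constructed trace: one legitimate handshake, then eight SYNs from spoofed sources
# that never complete (the SYN-ACKs go to addresses that did not ask for them).
SAMPLE_TRACE = [
    (0.0, "203.0.113.5", 40001, *SERVER, "S"),
    (0.1, *SERVER, "203.0.113.5", 40001, "SA"),
    (0.2, "203.0.113.5", 40001, *SERVER, "A"),
] + [
    (1.0 + i / 100, f"192.0.2.{i}", 50000 + i, *SERVER, "S") for i in range(1, 9)
]

if __name__ == "__main__":
    alerts, pending = syn_flood_report(SAMPLE_TRACE)
    print("alerts:", alerts)
    print("still half-open:", len(pending))
```

Note that every spoofed source sends exactly one SYN, so a per-source rate limit sees nothing unusual; the signal is the number of half-open entries per server, which is also the resource the attack exhausts. That is why the mitigations work on the server side (SYN cookies, which keep no state until the ACK arrives, and short backlog timeouts) rather than on the identity of the sender.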

DoS - Teardrop Attack

§ Exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments.
§ Each fragment carries an offset (in 8-byte units) from the beginning of the original packet, which enables the entire packet to be reassembled by the receiving system.
§ In the teardrop attack, the attacker sends a second or later fragment whose offset lies inside the data already delivered by the previous fragment, so the fragments overlap. A receiving operating system that does not check for overlap computes a negative fragment length during reassembly and can crash.
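A fragment reassembler that rejects the overlap the teardrop attack depends on, as an added example that is not part of the original deck. The fragment sets at the bottom are constructed; the offset field is interpreted in 8-byte units exactly as the IP header carries it.

```python
MAX_DATAGRAM = 65535

def reassemble(fragments):
    """Reassemble IPv4 fragments given as (offset_units, more_fragments, payload).

    offset_units is the 13-bit Fragment Offset field in 8-byte units. Raises
    ValueError for the malformed patterns a teardrop-style sender relies on:
    overlapping fragments, data past the 65535-byte IP maximum, gaps, data after
    the final fragment, and a missing final (MF=0) fragment.
    """
    buf = bytearray()
    expected = 0                # byte offset the next fragment must start at
    saw_last = False
    for units, more, payload in sorted(fragments, key=lambda f: f[0]):
        if saw_last:
            raise ValueError("data after the final fragment")
        offset = units * 8
        end = offset + len(payload)
        if more and len(payload) % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        if end > MAX_DATAGRAM:
            raise ValueError(f"fragment ends at {end}, beyond the IP maximum")
        if offset < expected:
            # The teardrop condition: this fragment starts inside data already received.
            # A naive implementation computes (end - expected) as a negative length here.
            raise ValueError(f"overlap: fragment at {offset} but {expected} bytes already received")
        if offset > expected:
            raise ValueError(f"gap: expected data at {expected}, fragment starts at {offset}")
        buf += payload
        expected = end
        if not more:
            saw_last = True
    if not saw_last:
        raise ValueError("final fragment (MF=0) missing")
    return bytes(buf)

def is_teardrop(fragments):
    """True when the fragment set is rejected specifically because of overlap."""
    try:
        reassemble(fragments)
    except ValueError as e:
        return str(e).startswith("overlap")
    return False

# Constructed fragment sets: (offset units, MF flag, payload).
GOOD = [(0, True, b"A" * 16), (2, True, b"B" * 16), (4, False, b"C" * 5)]
TEARDROP = [(0, True, b"A" * 16), (1, False, b"B" * 16)]   # second starts at byte 8, inside the first

if __name__ == "__main__":
    print(reassemble(GOOD))
    print("teardrop detected:", is_teardrop(TEARDROP))
```

Modern stacks drop overlapping fragments outright rather than trying to honour either copy; a firewall or IPS that reassembles fragments before inspection should do the same, since letting the end host see overlapping data also allows evasion of signature matching.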
DoS - Smurf Attack

üThe attacker sends an ICMP echo ("ping") request to a network site.
üThe request is addressed to the directed broadcast address of that network, so every host on the local network receives it.
üThe packet's source address is forged to be a different site, i.e. the victim site that is to receive the denial of service. This is IP spoofing: the victim becomes the apparent originator of the packet.
üThe result is that lots of ping replies flood back to the victim host, one per responding host, so the attacker's traffic is amplified by the size of the broadcast network. If the flood is big enough then the victim host will no longer be able to receive or process "real" traffic. (Disabling directed-broadcast forwarding on routers, the default in Cisco IOS since release 12.0, removes the amplifier.)

DoS - DNS Attacks

§ A famous DNS attack was a DDoS "ping" attack. The attackers broke into machines on the Internet (popularly called "zombies") and sent streams of forged packets at the 13 DNS root servers via intermediary legitimate machines.
§ The goal was to clog the servers, and communication links on the way to the servers, so that useful traffic was gridlocked. The assault is not DNS-specific--the same attack has been used against several popular Web servers in the last few years.
DoS - Email Attacks

§ A mass-mailing worm: when the victim uses Microsoft Outlook, a script reads the address book and sends a copy of itself to everyone listed there, thus propagating itself around the Internet and flooding mail servers.
§ The script then modifies the computer's registry so that the script runs itself again when restarted.

DoS - Physical Infrastructure Attacks

§ Someone can just simply snip your cables! Fortunately this can be quickly noticed and dealt with.
§ Other physical infrastructure attacks can include recycling systems, affecting power to systems and actual destruction of computers or storage devices.
DoS - Viruses/Worms

§ Viruses or worms, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targeted but simply a host unlucky enough to get the virus.
§ Available bandwidth can become saturated as the virus/worm attempts to replicate itself and find new victims.

Malicious Code Attacks

§ Malicious code attacks refers to viruses, worms, Trojan horses, logic bombs, and other uninvited software
§ Damages personal computers, but also attacks systems that are more sophisticated
§ Actual costs attributed to the presence of malicious code have resulted primarily from system outages and staff time involved in repairing the systems
§ Costs can be significant
Packet Sniffing Attacks

§ Most organization LANs are Ethernet networks
§ On shared (hub-based) Ethernet, any machine on the segment can see the traffic for every machine on that segment; a switch forwards a frame only to the destination port, so there the attacker needs an additional trick (ARP spoofing, MAC flooding, or a SPAN port) to see other hosts' traffic
§ Sniffer programs exploit this characteristic, monitoring all traffic and capturing the first 128 bytes or so of every unencrypted FTP or Telnet session (the part that contains user passwords)

Information Leakage Attacks


§ Attackers can sometimes get data without having to
directly use computers
§ Exploit Internet services that are intended to give out
information
§ Induce these services to reveal extra information or to
give it out to unauthorized people
§ Many services designed for use on local area networks
do not have the security needed for safe use across the
Internet
§ Thus these services become the means for important
information leakage

Social Engineering Attacks
§ Hacker-speak for tricking a person into revealing some
confidential information
§ Social Engineering is defined as an attack based on
deceiving users or administrators at the target site
§ Done to gain illicit access to systems or useful information
§ The goals of social engineering are fraud, network
intrusion, industrial espionage, identity theft, etc.


VPN Overview

VPN overview

§ Virtual Private Network (VPN) is defined as network connectivity deployed on a shared infrastructure with the same policies and security as a private network. ★ Physically a public network, but logically a private network ★
§ A VPN can be between two end systems, or it can be between two or more networks.
§ A VPN can be built using tunnels and encryption. VPNs can occur at any layer of the OSI protocol stack.
§ A VPN is an alternative WAN infrastructure that replaces or augments existing private networks that use leased-line or enterprise-owned Frame Relay or ATM networks.

VPN overview

VPNs provide three critical functions:
§ Confidentiality (encryption) – The sender can encrypt the packets before transmitting them across a network.
–By doing so, no one can read the communication without the key.
–If intercepted, the communications cannot be read.
§ Data integrity – The receiver can verify that the data was transmitted through the Internet without being altered.
§ Origin authentication – The receiver can authenticate the source of the packet, guaranteeing and certifying the source of the information.
VPN overview

The primary benefits include:
§ VPNs offer lower cost than private networks.
–LAN-to-LAN connectivity costs are typically reduced by 20 to 40 percent over domestic leased-line networks.
§ VPNs offer flexibility for enabling the Internet economy.
–VPNs are inherently more flexible and scalable network architectures than classic WANs.

VPN overview

The primary benefits include:
§ VPNs offer simplified management burdens compared to owning and operating a private network infrastructure.
§ VPNs provide tunneled network topologies that reduce management burdens.
–An IP backbone eliminates static permanent virtual circuits (PVCs) associated with connection-oriented protocols such as Frame Relay and ATM.
VPN usage scenarios


VPN Overview
§ There are many different approaches to securing your
network.
§ Application layer scenario
–Almost any web banking scenario.
–Access your web banking from any PC in the world.
–Creates an SSL connection between two applications and transports
the data.
–As long as web browser and web server have same standard
implementation of SSL.
–Disadvantage: Software based encryption which adds processing
time and additional CPU cycles.

VPN Overview
§ Another solution: Data Link Layer encryption
–Solves the problems of using CPU cycles on the PC.
–Does not allow you to scale to an ISP-sized environment very easily.
–Everything from Layer 2 through Layer 7 is encrypted including the
network address.
–Makes it impossible to route the packet until the information is
decrypted.
–Can’t use if crossing any type of public WAN.


VPN Overview
§ Another solution: Encryption at network and transport
layers.
– Examples: CET (Cisco Encryption Technology) and IPSec
– Disadvantage of CET: proprietary (only Cisco equipment)
– Three necessary components to a good VPN and part of IPSec:
1. Authentication
2. Data Integrity
3. Payload encryption

Encryption Algorithms

§ Some qualities to consider in a good encryption algorithm:
–Security against cryptographic attacks
–Scalable, variable length keys
–Any change to the clear-text input should result in a large change to the encrypted output
–No restrictions on import or export

Encryption Algorithms

§ Symmetrical algorithm – A shared key algorithm that is used to encrypt and decrypt a message.
–Uses the same key to encrypt and decrypt the message.
§ Asymmetrical algorithm – Uses a pair of keys to encrypt and decrypt a message.
–Uses one key to encrypt and a different, but related, key to decrypt.
Encryption
Algorithms

§ Common Symmetrical algorithms
– 56-bit Data Encryption Standard (DES) (broken by exhaustive key search since 1998; legacy only)
– 3DES, "triple DES" (168-bit key, 112-bit effective strength)
– 128-, 192- or 256-bit Advanced Encryption Standard (AES)
– 128-bit SEED and 128-, 192- or 256-bit ARIA (Korean standards)
§ Advantages of Symmetrical algorithms
– Speed, fast
– Mathematical computations are easy to implement in hardware
– Good for large amounts of data
§ Disadvantage of Symmetrical algorithms
– Sender and receiver share the same secret key.
– There is the problem of how to share the key securely (key management)

Encryption
Algorithms

§ Common Asymmetrical algorithms
–RSA, ElGamal, elliptic curves (ECC)
§ Advantages of ASymmetrical algorithms
–Simpler key distribution: one key is kept private and the other key is public and given to anyone that needs to encrypt data (the remaining problem is proving who a public key belongs to, which is what certificates and a PKI are for).
–Great for authentication because you are the only one with the private key used to decrypt (or sign) the data.
–Can be used for digital signatures, authenticated key exchanges, email or small amounts of data.
–Based on very hard mathematical problems.
§ Disadvantage of ASymmetrical algorithms
–Slower in encrypting than symmetrical algorithms
Hashing

§ Hashing is used for data integrity.
§ A hashing algorithm is a one-way function that produces a fixed-length output, no matter what the size of the input is.
§ Analogy:
–Blender with 3 small oranges and 3 big oranges
–Blend it and make one cup of juice
–Your neighbor can do the exact same thing
–You can never reverse-engineer the output to get the input.
–You can't determine that 3 big and 3 small oranges were used to make the one glass of juice.

Hashing

§ Two common hashing algorithms:
–MD5: fixed-length 128-bit output
–SHA-1: fixed-length 160-bit output (preferred over MD5 at the time, as less likely to result in a collision, i.e. two different inputs giving the same output). Both are now considered broken for collision resistance; SHA-2 (SHA-256) is the current choice, although HMAC-MD5 and HMAC-SHA1 remain in use in IPsec.
§ Qualities in a good hashing algorithm:
–High resistance to cryptographic attack
–Any change to the clear-text input results in a large change in the hash output.
–The probability of collision is low.
Diffie-Hellman Algorithm

(Figure: the two peers exchange their public values YA and YB.)

§ In a VPN network, fast, strong encryption is a must.
§ This is why most implementations use a symmetrical algorithm to do payload encryption.
§ The problem with symmetrical algorithms is key management.
§ Diffie-Hellman helps solve this.
§ It is used for automatic secure key exchange of symmetrical "shared" keys (and other types of keys) across an insecure network for IPSec. Diffie-Hellman by itself does not authenticate the peers, which is why IKE combines it with pre-shared keys or certificates.

IPsec Overview

What Is IPsec?
Is an IETF standard that employs cryptographic mechanisms on
the network layer:
Ø Authentication of every IP packet
Ø Verification of data integrity for each packet
Ø Confidentiality of packet payload
Consists of open standards for securing private
communications
Scales from small to very large networks
Is available in Cisco IOS software version 11.3(T) and later
Is included in PIX Firewall version 5.0 and later


IPsec Security Features

§ IPsec is the only standard Layer 3 technology that provides:
Ø Confidentiality
Ø Data integrity
Ø Authentication
Ø Replay detection
IPSec Overview

§ IPSec was designed to work at Layers 3 and 4.
§ Using different options can:
–Authenticate
–Check for data integrity
–Encrypt the payload portion of IP
§ IPSec can be used between:
–Two gateways
–Two hosts
–Host and its gateway
§ Two primary protocols:
–Authentication Header (AH)
–Encapsulating Security Payload (ESP)

AH – Authentication Header

(Figure: the IP header plus the other headers and payload are fed, together with the secret session key, into an HMAC such as HMAC-MD5; the result is carried in an AH header inserted after the IP header.)

§ AH provides:
–data integrity
–authentication
§ Does not provide encryption
§ Uses a keyed one-way hash function (an HMAC) to guarantee data integrity and origin of the packet.
§ The entire IP packet is put through the one-way hash.
§ This includes the IP header, which leads to problems with NAT.
§ The mutable fields of the IP header (TTL, TOS/DSCP, flags, fragment offset, header checksum) are zeroed before the hash is computed, so that routers can change them in transit without invalidating the packet.
§ Produces a new AH header for the packet to be transmitted.
§ AH may be applied alone or in combination with ESP.
ESP – Encapsulating
Security Protocol

§ ESP is primarily used to provide payload encryption.
§ With current revisions of the RFC, it also includes the ability for authentication and integrity.
§ Because ESP can include all three services, authentication, integrity, and encryption, most implementations do not include an AH option.
§ IPSec can use different algorithms for payload encryption such as:
–DES
–3DES
–AES

IPsec Protocols

§ IPsec uses three main protocols to create a security framework:
Ø Internet Key Exchange (IKE):
üProvides framework for the negotiation of security parameters
üEstablishment of authenticated keys
Ø Encapsulating Security Payload (ESP):
üProvides framework for the encrypting, authenticating, and securing of data
Ø Authentication Header (AH):
üProvides framework for the authenticating and securing of data
IPsec Headers

§ IPsec headers provide:
üAuthentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP
üConfidentiality (DES, 3DES, or AES) only with ESP

Peer Authentication

§ Peer authentication methods:
üUsername and password
üOTP (PIN/TAN)
üBiometric
üPre-shared keys
üDigital certificates
ESP and AH


ESP and AH

IPsec protocols:
ESP or AH
ESP uses IP protocol number 50
AH uses IP protocol number 51
IPsec modes:
Tunnel or transport mode
Tunnel mode creates a new (outer) IP header and protects the whole original packet
Transport mode keeps the original IP header and protects only what follows it
ESP and AH Header

ESP encrypts the payload and authenticates the ESP header and payload, but not the outer IP header.

AH authenticates the whole packet (including the IP header, except its mutable fields) and does not provide encryption.

AH Authentication and Integrity
ESP Protocol

Provides confidentiality with encryption
Provides integrity with authentication

Tunnel and Transport Mode
Tunnel Mode versus Transport Mode
(Figure: transport mode inserts the AH or ESP header between the original IP header and the data; tunnel mode wraps the original packet and prepends a new IP header. With AH everything is authenticated; with ESP the ESP header and the data behind it are protected.)

§ Both AH and ESP can operate in two modes:
–Transport Mode -> end-to-end protection between the hosts
–Tunnel Mode (default) -> protection between gateways, comparable to link encryption
§ Transport Mode – The original IP packet is put through the ESP and/or AH options and then the original IP header is reused with the packet, which would be the original packet plus added information from ESP and/or AH.
§ Tunnel mode – The original IP packet is put through the ESP and/or AH options and then a new IP header is created for the new packet, which is a combination of the original packet plus ESP and/or AH information plus a new IP header.

Transport Mode

§ Transport mode
–The original IP header has been used in the hashing algorithm (with AH) and therefore cannot be changed from sender to receiver.
–If the packet goes through any device that performs NAT/PAT, then a portion of the IP header is changed and you will never get the same hash output, because of different inputs at the sender and receiver ends.
–Therefore, the packet will never be validated at the receiving end. (ESP transport mode does not cover the IP header, but PAT still breaks it unless NAT traversal, UDP encapsulation on port 4500, is used.)
Transport Mode

§ Transport mode
–Should only be used if:
•You have control of the network from end to end
•You can guarantee no IP packet manipulation will take place.
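The AH integrity check described on the previous slides, with the mutable fields zeroed and the 96-bit HMAC-SHA1 truncation used by IPsec, as an added example that is not part of the original deck; it then shows why a TTL decrement is harmless but a NAT rewrite fails verification. The key, addresses, SPI and payload are constructed; the header checksum is left at zero because it is mutable and never enters the hash anyway.

```python
import hashlib
import hmac
import socket
import struct

def ipv4_header(src, dst, ttl, proto, total_len, tos=0, ident=0x1234, flags_frag=0):
    """Build a 20-byte IPv4 header (checksum left 0; it is a mutable field)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr: bytes) -> bytes:
    """Before computing the ICV the sender zeroes the fields routers legitimately change
    in transit (TOS/DSCP, flags + fragment offset, TTL, header checksum); addresses,
    length, identification and protocol stay in the hash."""
    b = bytearray(hdr)
    b[1] = 0                  # TOS / DSCP / ECN
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)

AH_LEN = 24                   # 12 fixed bytes + 12-byte HMAC-SHA1-96 ICV

def ah_header(next_hdr, spi, seq, icv=b"\x00" * 12):
    # Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Sequence | ICV
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq) + icv

def ah_icv(key, ip_hdr, ah_hdr_zero_icv, payload):
    """HMAC-SHA1-96: first 96 bits of HMAC-SHA1 over immutable IP header bytes,
    the AH header with a zeroed ICV field, and the payload."""
    data = zero_mutable(ip_hdr) + ah_hdr_zero_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_protect(key, src, dst, ttl, spi, seq, payload, inner_proto=6):
    """Transport-mode AH: original IP header, then AH (protocol 51), then the TCP payload."""
    ip = ipv4_header(src, dst, ttl, 51, 20 + AH_LEN + len(payload))
    ah0 = ah_header(inner_proto, spi, seq)
    return ip + ah0[:12] + ah_icv(key, ip, ah0, payload) + payload

def ah_verify(key, packet):
    ip, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    ah0 = ah[:12] + b"\x00" * 12
    return hmac.compare_digest(ah_icv(key, ip, ah0, payload), ah[12:])

def decrement_ttl(packet):
    """What every router hop does."""
    b = bytearray(packet)
    b[8] -= 1
    return bytes(b)

def nat_source(packet, new_src):
    """Source NAT rewrites the source address (a real NAT also fixes the checksum,
    which does not matter here because the checksum is not part of the ICV)."""
    b = bytearray(packet)
    b[12:16] = socket.inet_aton(new_src)
    return bytes(b)

if __name__ == "__main__":
    KEY = b"constructed-ah-session-key"
    pkt = ah_protect(KEY, "10.1.1.5", "10.2.2.9", 64, 0x1000, 1, b"hello")
    print("as sent         :", ah_verify(KEY, pkt))
    print("after one hop   :", ah_verify(KEY, decrement_ttl(pkt)))
    print("after source NAT:", ah_verify(KEY, nat_source(pkt, "203.0.113.4")))
```

The same check is what AH tunnel mode applies to the outer header, which is why NAT breaks AH in both modes, whereas ESP leaves the IP header out of its integrity check and can be carried through NAT once UDP encapsulation is used.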

Tunnel Mode

§ Tunnel mode
– A new IP header is used from gateway device to gateway device, and the original packet is tunneled inside.
– Once the receiving end receives the packet:
•Removes the new IP header
•Decrypts and verifies the original packet, header included
•With ESP, the outer (tunnel) header is not covered by the integrity check, so it can be manipulated (NAT) throughout the network without affecting the tunneled protocol; with AH the outer header is authenticated too, so NAT still breaks it.
Tunnel Mode versus Transport Mode

§ In transport mode end hosts do IPSec encapsulation of their own data (host-to-host), therefore IPSec has to be implemented on each of the end-hosts.
–The application endpoint must be also the IPSec endpoint.
–ESP transport mode is used between hosts.
§ In tunnel mode IPSec gateways provide IPSec services to other hosts in peer-to-peer tunnels, and end-hosts are not aware of IPSec being used to protect their traffic.

SA - Security
Associations

§ Before an IPSec tunnel/transport can be created, certain parameters must be negotiated and kept track of.
§ Security Associations (SAs) represent a policy contract between two peers or hosts, and describe how the peers will use IPSec security services to protect network traffic.
§ SAs contain all the security parameters needed to securely transport packets between the peers or hosts, and define the security policy used in IPSec.
§ Every VPN device has a Security Policy Database (SPD), which says which traffic must be protected, bypassed or discarded (on Cisco IOS this is the crypto ACL and crypto map); traffic that matches a protect entry is then handled by a Security Association (SA).
§ VPN devices store all their active SAs in a local database called the SA database (SADB).
SA - Security
Associations

§ An SA is a single connection and all the parameters associated with it that are agreed upon by the two devices participating in the exchange.
§ Each SA is unidirectional.
§ There will always be at least two SAs in your SADB for a tunnel, one for A to B and one for B to A.
§ It is possible to have multiple peers in a VPN network (for example a NAS or hub router with many remote peers), each with its own pair of SAs.
§ Each SA gets a unique 32-bit Security Parameter Index (SPI) number that is sent in every packet pertaining to the specific SA; the receiver uses the SPI (together with the destination address and protocol) to find the SA in its SADB.
Associations

§ The SA keeps track of general information such as:
–source IP
–destination IP
–IPSec protocols used
–SPI, encryption and authentication algorithms
–key lifetime (sets the amount of time and/or byte count that a key is valid for; the longer the lifetime, the more data is exposed if the key is compromised)
–anti-replay sequence number and window (the replay detection listed under IPsec security features)
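The SADB and the per-SA state from the three slides above, including the sliding-window replay check that IPsec's "replay detection" feature refers to, as an added example that is not part of the original deck. The two gateways, SPIs, transforms and the inbound packet list are constructed; the window follows the bitmap scheme in RFC 4303 appendix A with the default 64-packet width.

```python
class SecurityAssociation:
    """One unidirectional SA: the negotiated parameters plus live anti-replay state."""

    def __init__(self, spi, src, dst, protocol, cipher, auth, lifetime_s, window=64):
        self.spi, self.src, self.dst = spi, src, dst        # 32-bit SPI, peer addresses
        self.protocol = protocol                             # 50 = ESP, 51 = AH
        self.cipher, self.auth = cipher, auth                # negotiated transforms
        self.lifetime_s = lifetime_s                         # seconds before rekey
        self.window = window                                 # anti-replay window width
        self.highest = 0                                     # highest sequence accepted so far
        self.bitmap = 0                                      # bit i set => highest-i was seen

    def check_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check; True means the packet is fresh."""
        if seq == 0:                         # sequence numbers start at 1
            return False
        if seq > self.highest:               # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.window else 1
            self.bitmap &= (1 << self.window) - 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window:              # older than the window: reject
            return False
        if self.bitmap & (1 << diff):        # already received: replay
            return False
        self.bitmap |= 1 << diff             # late but genuine: mark and accept
        return True


class SADB:
    """Active SAs, keyed by what the receiver has in hand: (destination, protocol, SPI)."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.dst, sa.protocol, sa.spi)] = sa

    def lookup(self, dst, protocol, spi):
        return self._sas.get((dst, protocol, spi))


def build_sample_sadb():
    """Constructed ESP tunnel between gateways A (10.1.1.1) and B (10.2.2.1): one SA per direction."""
    sadb = SADB()
    sadb.add(SecurityAssociation(0x1001, "10.1.1.1", "10.2.2.1", 50, "aes-128-cbc", "hmac-sha1-96", 3600))
    sadb.add(SecurityAssociation(0x2002, "10.2.2.1", "10.1.1.1", 50, "aes-128-cbc", "hmac-sha1-96", 3600))
    return sadb

# Constructed inbound packets seen at gateway B: (dst, protocol, SPI, sequence number).
SAMPLE_INBOUND = [
    ("10.2.2.1", 50, 0x1001, 1), ("10.2.2.1", 50, 0x1001, 2), ("10.2.2.1", 50, 0x1001, 3),
    ("10.2.2.1", 50, 0x1001, 2),      # replayed copy of seq 2
    ("10.2.2.1", 50, 0x1001, 5), ("10.2.2.1", 50, 0x1001, 4),   # reordered, both genuine
    ("10.2.2.1", 50, 0x1001, 100),    # big jump: the window slides forward
    ("10.2.2.1", 50, 0x1001, 30),     # 70 behind: outside the 64-packet window
    ("10.2.2.1", 50, 0x1001, 99),
    ("10.2.2.1", 50, 0xDEAD, 1),      # unknown SPI: no SA, drop
]

def inbound_decisions(sadb, packets):
    """Per packet: 'no SA', 'accept', or 'reject' (replayed or too old)."""
    out = []
    for dst, proto, spi, seq in packets:
        sa = sadb.lookup(dst, proto, spi)
        if sa is None:
            out.append("no SA")
        else:
            out.append("accept" if sa.check_replay(seq) else "reject")
    return out

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_INBOUND, inbound_decisions(build_sample_sadb(), SAMPLE_INBOUND)):
        print(pkt, "->", verdict)
```

The ICV is verified before the replay check in a real stack, so an attacker cannot move the window by forging sequence numbers; and because the counter is per SA and never wraps, exhausting it forces a rekey, which is another reason the SA lifetime exists.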
Internet Key Exchange


Internet Key Exchange

§ IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process:
üNegotiation of SA characteristics
üAutomatic key generation
üAutomatic key refresh
üManageable manual configuration
IKE Phases
Phase 1:
Authenticate the peers
Negotiate a bidirectional ISAKMP/IKE SA
Main mode or aggressive mode
Phase 1.5 (Cisco remote-access extensions, between phase 1 and phase 2):
Xauth (user authentication)
Mode config (pushes address, DNS and other client parameters)
Phase 2:
IPsec SAs/SPIs
Quick mode

IKE Modes
IKE – Internet Key
Exchange

§ Internet Key Exchange (IKE) is used to establish all the information needed for a VPN tunnel.
§ Within IKE:
–Security policies are negotiated
–SAs are established
–Keys are created and exchanged that will be used by other algorithms such as DES
§ There are two phases to IKE…

IKE – Phase One

§ Phase One
–Used to negotiate policy sets
–Authenticate peers
–Create a secure channel between peers
§ Standard policy sets:

Parameter              Strong                   Stronger
Encryption algorithm   DES                      3DES
Hash algorithm         MD5                      SHA-1
Authentication method  Preshared keys           RSA signatures
Key exchange           Diffie-Hellman group 1   Diffie-Hellman group 2
IKE SA lifetime        86,400 seconds           Less than 86,400 secs.

(Both columns are dated: current practice is AES, SHA-2 and Diffie-Hellman group 14 or stronger.)
IKE – Phase One

§ Phase One
–Main mode: three different and distinct exchanges (six messages) take place to add to the security of the tunnel; the peer identities are exchanged encrypted.
–Aggressive mode: Everything is sent in a single exchange (three messages); the identities travel in the clear and, with pre-shared keys, the authentication hash can be captured for an offline dictionary attack.
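The key-agreement part of phase one with pre-shared-key authentication (the "Stronger" column: Diffie-Hellman group 2, SHA-1), as an added example that is not part of the original deck. It implements the SKEYID derivation of RFC 2409 section 5 on top of the Diffie-Hellman exchange from the Diffie-Hellman slide; the cookies, nonces and pre-shared keys are generated or constructed for the example, and the HASH_I/HASH_R exchange that follows is not reproduced, only the fact that mismatched PSKs lead to different keys on the two sides.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2 from RFC 2409 section 6.2: 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """With a SHA-1 policy the IKEv1 PRF is HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    """Private exponent x and the public value g^x mod p sent in the KE payload."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(private: int, peer_public: int) -> int:
    # Reject 0, 1 and p-1: a peer (or a man-in-the-middle) sending these would force
    # a trivially guessable shared secret.
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, private, P)

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key authentication (RFC 2409 section 5): SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)

def derive_keys(skeyid: bytes, gxy: int, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e from RFC 2409 section 5; the cookies are the ISAKMP SPIs."""
    gxy_b = gxy.to_bytes(128, "big")
    d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")       # seeds the phase 2 IPsec keys
    a = prf(skeyid, d + gxy_b + cky_i + cky_r + b"\x01")   # authenticates IKE messages
    e = prf(skeyid, a + gxy_b + cky_i + cky_r + b"\x02")   # encrypts IKE messages
    return d, a, e

def phase1_keys(psk_initiator: bytes, psk_responder: bytes):
    """Simulate the public part of main mode and return each peer's derived keys.
    Everything exchanged (cookies, KE values, nonces) is observable on the wire;
    only the pre-shared keys and the private exponents are secret."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # messages 1-2 (SA)
    xi, ke_i = dh_keypair()                                          # messages 3-4 (KE, nonce)
    xr, ke_r = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    keys_i = derive_keys(skeyid_psk(psk_initiator, ni, nr), dh_shared(xi, ke_r), cky_i, cky_r)
    keys_r = derive_keys(skeyid_psk(psk_responder, ni, nr), dh_shared(xr, ke_i), cky_i, cky_r)
    return keys_i, keys_r

if __name__ == "__main__":
    same = phase1_keys(b"cisco123", b"cisco123")
    print("matching PSKs  -> identical keys:", same[0] == same[1])
    diff = phase1_keys(b"cisco123", b"Cisco123")
    print("different PSKs -> identical keys:", diff[0] == diff[1])
```

Because SKEYID depends on the PSK and not only on the Diffie-Hellman result, an attacker who relays two separate exchanges (the man-in-the-middle case from the threats section) can compute g^xy with each side but not SKEYID, so the HASH_I/HASH_R values he has to produce in messages 5 and 6 will not verify. In aggressive mode that hash is sent before any encryption is in place, which is what makes PSK aggressive mode crackable offline.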

IKE – Phase Two

§ Phase Two
–Used to:
•Negotiate the IPSec security parameters
•Establish SAs
•Optionally perform Diffie-Hellman Key exchanges
–Has one mode, quick mode, which happens after Phase One.

Preparing for IKE and IPSec

§ Step 1 – Define interesting traffic that should be protected.
§ Step 2 – Perform IKE phase 1 – negotiate the security policy, etc.
§ Step 3 – Perform IKE phase 2 – negotiate SAs, etc.
§ Step 4 – Transfer data – encrypt interesting traffic and send it to
peer devices.
§ Step 5 – Tear down the tunnel.

Identify IPSec peers

IPSec policy example

§ The figure shows a summary of IPSec encryption policy details that will
be configured in examples in this module.
§ Details about IPSec transforms are covered in a later section in this
module.
§ The example policy specifies that TCP traffic between the hosts should
be encrypted by IPSec using DES.

Test and Verify IPSec

Message Authentication and Integrity Check

Message Authentication and Integrity Check Using Hash

A MAC is used for message authentication and integrity check.
Hashes are widely used for this purpose (HMAC).

Commonly Used Hash Functions

MD5 provides 128-bit output.
SHA1 provides 160-bit output (only first 96 bits used in IPsec).
SHA1 is computationally slower than MD5, but more secure.
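The 96-bit truncation mentioned above is how IPsec's HMAC-MD5-96 and HMAC-SHA1-96 integrity check values (ICVs) are formed; the following added example (not from the course material) computes and verifies such an ICV over a constructed ESP packet. Assumptions: the packet layout is SPI, sequence number, payload, ICV, and the key and payload bytes are constructed.

```python
"""HMAC-based integrity check value (ICV) as IPsec applies it.

Added example, not Cisco course material. HMAC-MD5-96 and HMAC-SHA1-96 keep
only the first 96 bits (12 bytes) of the MAC. The ESP packet layout, the key
and the payload below are constructed for illustration.
"""
import hashlib
import hmac

ICV_LEN = 12   # 96 bits: the truncation IPsec applies to HMAC-MD5 and HMAC-SHA1
ESP_HEADER_LEN = 8   # 4-byte SPI + 4-byte sequence number


def compute_icv(key, data, algorithm="sha1"):
    """Return the truncated HMAC over the authenticated portion of a packet."""
    full = hmac.new(key, data, getattr(hashlib, algorithm)).digest()
    # MD5 yields 128 bits, SHA1 160 bits; IPsec sends only the first 96 of either.
    return full[:ICV_LEN]


def verify_icv(key, data, icv, algorithm="sha1"):
    """Constant-time comparison so timing does not reveal which byte differed."""
    return hmac.compare_digest(compute_icv(key, data, algorithm), icv)


def build_esp_packet(key, spi, seq, ciphertext, algorithm="sha1"):
    """ESP header (SPI, sequence) + encrypted payload, followed by the ICV."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    authenticated = header + ciphertext        # everything the ICV covers
    return authenticated + compute_icv(key, authenticated, algorithm)


def check_esp_packet(key, packet, algorithm="sha1"):
    """Split the ICV off the tail and verify it.

    Returns (spi, seq, payload) when the ICV matches, otherwise None (the
    receiver discards the packet).
    """
    if len(packet) < ESP_HEADER_LEN + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not verify_icv(key, body, icv, algorithm):
        return None
    spi = int.from_bytes(body[:4], "big")
    seq = int.from_bytes(body[4:8], "big")
    return spi, seq, body[ESP_HEADER_LEN:]


if __name__ == "__main__":
    key = bytes(range(20))                     # constructed 160-bit HMAC key
    pkt = build_esp_packet(key, 0x1234, 1, b"encrypted-payload")
    print(check_esp_packet(key, pkt))
    tampered = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]   # flip one payload bit
    print(check_esp_packet(key, tampered))     # None: ICV mismatch
```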

Symmetric vs. Asymmetric Encryption Algorithms

Symmetric algorithm:
–Secret key cryptography
–Encryption and decryption use the same key
–Typically used to encrypt the content of a message
–Examples: DES, 3DES, AES
Asymmetric algorithm:
–Public key cryptography
–Encryption and decryption use different keys
–Typically used in digital certification and key management
–Example: RSA

Key Lengths of Symmetric vs. Asymmetric Encryption Algorithms

• Comparable key lengths required for asymmetric keys compared to
symmetric keys

Symmetric Key Length   Asymmetric Key Length
80                     1,024 → 1,369
112                    2,048
128                    3,072
192                    7,680
256                    15,360

Security Level of Cryptographic Algorithms

Security Level   Work Factor   Algorithms
Weak             O(2^40)       DES, MD5
Legacy           O(2^64)       RC4, SHA1
Baseline         O(2^80)       3DES
Standard         O(2^128)      AES-128, SHA-256
High             O(2^192)      AES-192, SHA-384
Ultra            O(2^256)      AES-256, SHA-512

Symmetric Encryption: DES

Symmetric key encryption algorithm
Block cipher: works on 64-bit data blocks, uses a 56-bit key (last bit
of each byte used for parity)
Mode of operation: how to apply DES to encrypt blocks of data

Symmetric Encryption: 3DES

168-bit total key length
Mode of operation decides how to process DES three times
Normally: encrypt, decrypt, encrypt
3DES requires more processing than DES

Symmetric Encryption: AES

Formerly known as ‘Rijndael’
Successor to DES and 3DES
Symmetric key block cipher
Strong encryption with long expected life
AES can support 128-, 192-, and 256-bit keys; 128-bit key is
considered safe

Asymmetric Encryption: RSA

Based on Diffie-Hellman key exchange (IKE) principles
Public key to encrypt data, and to verify digital signatures
Private key to decrypt data, and to sign with a digital signature
Perfect for insecure communication channels

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange (Cont.)

PKI Environment

Certificate Authority

The trust basis of a PKI system
Verifies user identity, issues certificates by binding the identity of a
user to a public key with a digital certificate
Revokes certificates and publishes the Certificate Revocation List (CRL)
In-house implementation or outsourcing

X.509 v3 Certificate

PKI Message Exchange

PKI Credentials

§ How to store PKI credentials:
–RSA keys and certificates
–NVRAM
–eToken:
•Cisco 871, 1800, 2800, 3800 series router
•IOS Release 12.3(14)T image
•Cisco USB eToken
•A k9 image

Site-to-Site IPsec VPN Operations

Five Steps of IPsec

Step 1: Interesting Traffic

Step 2: IKE Phase 1

IKE Transform Sets

Negotiates matching IKE transform sets to protect IKE exchange

Diffie-Hellman Key Exchange

Authenticate Peer Identity

§ Peer authentication methods:
–Pre-shared keys
–RSA signatures
–RSA encrypted nonces

Step 3: IKE Phase 2

Negotiates IPsec security parameters, IPsec transform sets
Establishes IPsec SAs
Periodically renegotiates IPsec SAs to ensure security
Optionally, performs an additional Diffie-Hellman exchange

IPsec Transform Sets

A transform set is a combination of algorithms and protocols that enact
a security policy for traffic.

Security Associations

SA database:
–Destination IP address
–SPI
–Protocol (ESP or AH)
Security policy database:
–Encryption algorithm
–Authentication algorithm
–Mode
–Key lifetime

SA Lifetime

–Data transmitted-based
–Time-based

Step 4: IPsec Session

SAs are exchanged between peers.
The negotiated security services are applied to the traffic.

Step 5: Tunnel Termination

A tunnel is terminated by one of the following:
–An SA lifetime timeout
–The packet counter being exceeded
The IPsec SA is then removed.

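The SA database fields from the Security Associations slide and the two lifetime limits that terminate a tunnel in Step 5 can be modelled together; the following added example (not from the course material or Cisco IOS) looks SAs up by destination, SPI and protocol, counts bytes against the data-transmitted-based limit, and removes the SA when either limit is reached. Addresses, SPIs and limits are constructed.

```python
"""IPsec SA database with lifetime enforcement (Security Associations, SA
Lifetime and Step 5: Tunnel Termination slides).

Added example, not Cisco course material or IOS code. Models the SADB lookup
by (destination IP, SPI, protocol) and the two limits, time-based and
data-transmitted-based, that end an SA. Addresses, SPIs and limits are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    dst_ip: str
    spi: int
    protocol: str          # "ESP" or "AH"
    encryption: str        # e.g. "DES", as in the module's policy example
    authentication: str    # e.g. "HMAC-SHA1-96"
    mode: str              # "tunnel" or "transport"
    life_seconds: int      # time-based lifetime
    life_kbytes: int       # data-transmitted-based lifetime
    created_at: float      # clock value supplied by the caller
    bytes_used: int = 0

    def expired(self, now):
        """Hard limit: whichever lifetime is reached first ends the SA."""
        return (now - self.created_at >= self.life_seconds
                or self.bytes_used >= self.life_kbytes * 1024)

    def needs_rekey(self, now, time_margin=60, byte_margin=64 * 1024):
        """Soft limit: start a new IKE Phase 2 before the hard limit hits."""
        return (now - self.created_at >= self.life_seconds - time_margin
                or self.bytes_used >= self.life_kbytes * 1024 - byte_margin)


class SADatabase:
    """Unidirectional SAs keyed as the slide's SA database describes."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.dst_ip, sa.spi, sa.protocol)] = sa

    def lookup(self, dst_ip, spi, protocol):
        return self._sas.get((dst_ip, spi, protocol))

    def protect(self, dst_ip, spi, protocol, packet_len, now):
        """Account one outbound packet against its SA.

        Returns "protected", "rekey" (still protected, renegotiate soon),
        "expired" (SA removed, tunnel terminated) or "no-sa".
        """
        sa = self.lookup(dst_ip, spi, protocol)
        if sa is None:
            return "no-sa"
        if sa.expired(now):
            del self._sas[(dst_ip, spi, protocol)]   # Step 5: IPsec SA is removed
            return "expired"
        sa.bytes_used += packet_len
        return "rekey" if sa.needs_rekey(now) else "protected"


if __name__ == "__main__":
    sadb = SADatabase()
    sadb.add(SecurityAssociation("192.0.2.2", 0x1001, "ESP", "DES", "HMAC-SHA1-96",
                                 "tunnel", 3600, 256, created_at=0.0))
    for t, size in ((1.0, 100_000), (2.0, 100_000), (3.0, 70_000), (4.0, 1_000)):
        print(t, sadb.protect("192.0.2.2", 0x1001, "ESP", size, now=t))
```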
Module 4. Implementing Firewall Technologies
- @ cisco flash v1.0 -

CCNA Security v1.0, module 1 (Cisco flash v1.0)
Dongseo University, HoonJae Lee

Firewalls

§ A firewall is a system that enforces an access control policy between
networks.
§ Common properties of firewalls:
ØThe firewall is resistant to attacks
ØThe firewall is the only transit point between networks
ØThe firewall enforces the access control policy

Benefits of Firewalls

§ Prevents exposing sensitive hosts and applications to untrusted users
§ Prevents the exploitation of protocol flaws by sanitizing the protocol
flow
§ A firewall reduces the complexity of security management by offloading
most of the network access control to a couple of points in the network.
§ Firewalls prevent malicious data from being sent to servers and
clients.
§ Properly configured firewalls make security policy enforcement simple,
scalable, and robust.

Types of Filtering Firewalls

§ Packet-filtering firewall—is typically a router that has the
capability to filter on some of the contents of packets (examines
Layer 3 and sometimes Layer 4 information)
§ Stateful firewall—keeps track of the state of a connection: whether
the connection is in an initiation, data transfer, or termination state
§ Application gateway firewall (proxy firewall)—filters information at
Layers 3, 4, 5, and 7. Firewall control and filtering done in software.
§ Address-translation firewall—expands the number of IP addresses
available and hides network addressing design.

Types of Filtering Firewalls

§ Host-based (server and personal) firewall—a PC or server with
firewall software running on it.
§ Transparent firewall—filters IP traffic between a pair of bridged
interfaces.
§ Hybrid firewalls—some combination of the above firewalls. For
example, an application inspection firewall combines a stateful
firewall with an application gateway firewall.

Packet-Filtering Firewall Advantages

§ Are based on simple permit or deny rule set
§ Have a low impact on network performance
§ Are easy to implement
§ Are supported by most routers
§ Afford an initial degree of security at a low network layer
§ Perform 90% of what higher-end firewalls do, at a much lower cost

Packet-Filtering Firewall Disadvantages

§ Packet filtering is susceptible to IP spoofing. Hackers send
arbitrary packets that fit ACL criteria and pass through the filter.
§ Packet filters do not filter fragmented packets well. Because
fragmented IP packets carry the TCP header in the first fragment and
packet filters filter on TCP header information, all fragments after
the first fragment are passed unconditionally.
§ Complex ACLs are difficult to implement and maintain correctly.
§ Packet filters cannot dynamically filter certain services.
§ Packet filters are stateless.

Stateful Firewall

(Figure: host 10.1.1.1, source port 1500, connects through the firewall
to 200.3.3.3, destination port 80)

Inside ACL (Outgoing Traffic):
permit ip 10.0.0.0 0.0.0.255 any

Outside ACL (Incoming Traffic):
Dynamic: permit tcp host 200.3.3.3 eq 80 host 10.1.1.1 eq 1500
permit tcp any host 10.1.1.2 eq 25
permit udp any host 10.1.1.2 eq 53
deny ip any any

Stateful Firewalls Advantages/Disadvantages

• Often used as a primary means of defense by filtering unwanted,
unnecessary, or undesirable traffic.

Advantages
• Strengthens packet filtering by providing more stringent control over
security than packet filtering
• Improves performance over packet filters or proxy servers.
• Defends against spoofing and DoS attacks
• Allows for more log information than a packet filtering firewall

Disadvantages
• Cannot prevent application layer attacks because it does not examine
the actual contents of the HTTP connection
• Not all protocols are stateful, such as UDP and ICMP
• Some applications open multiple connections, requiring a whole new
range of ports to be opened to allow this second connection
• Stateful firewalls do not support user authentication

Cisco Systems Firewall Solutions

§ IOS Firewall
–Zone-based policy framework for intuitive management
–Instant messenger and peer-to-peer application filtering
–VoIP protocol firewalling
–Virtual routing and forwarding (VRF) firewalling
–Wireless integration
–Stateful failover
–Local URL whitelist and blacklist support
–Application inspection for web and e-mail traffic
§ PIX 500 Series
§ ASA 5500 Series

Design with DMZ

(Figure: Trusted private network, DMZ, and Untrusted Internet zones, with
Private-DMZ, DMZ-Private, Public-DMZ, and Private-Public policies
between them)

Layered Defense Scenario

Endpoint security: Provides identity and device security policy
compliance
Communications security: Provides information assurance
Perimeter security: Secures boundaries between zones
Core network security: Protects against malicious software and traffic
anomalies, enforces network policies, and ensures survivability
Disaster recovery: Offsite storage and redundant architecture

Firewall Best Practices

§ Position firewalls at security boundaries.
§ Firewalls are the primary security device. It is unwise to rely
exclusively on a firewall for security.
§ Deny all traffic by default. Permit only services that are needed.
§ Ensure that physical access to the firewall is controlled.
§ Regularly monitor firewall logs.
§ Practice change management for firewall configuration changes.
§ Remember that firewalls primarily protect from technical attacks
originating from the outside.

Design Example

(Figure: two Cisco routers with IOS Firewall, R1 and R3, connected through
R2 to the Internet over serial links; switches S1 and S3 behind them;
PC A (RADIUS/TACACS+) and PC C on the LANs)

Introduction to CBAC

§ Filters TCP and UDP packets based on application layer protocol
session information
§ Provides stateful application layer filtering
§ Provides four main functions:
üTraffic Filtering
üTraffic Inspection
üIntrusion Detection
üGeneration of Audits and Alerts

CBAC Capabilities

Monitors TCP Connection Setup
Examines TCP Sequence Numbers
Inspects DNS Queries and Replies
Inspects Common ICMP Message Types
Supports Applications with Multiple Channels, such as FTP and Multimedia
Inspects Embedded Addresses
Inspects Application Layer Information

CBAC Overview

Step-by-Step

(Figure: Telnet request from the internal network enters Fa0/0 and leaves
through S0/0/0 toward 209.x.x.x)

1. Examines the fa0/0 inbound ACL to determine if Telnet requests are
permitted to leave the network.
2. IOS compares the packet type to the inspection rules to determine if
Telnet should be tracked.
3. Adds information to the state table to track the Telnet session.
4. Adds a dynamic entry to the inbound ACL on s0/0/0 to allow reply
packets back into the internal network.
5. Once the session is terminated by the client, the router will remove
the state entry and the dynamic ACL entry.

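The five steps above and the Stateful Firewall slide's dynamic ACL entry describe the same mechanism; the following added example (not from the course material or Cisco IOS) models it: an outbound session creates a state entry and a mirror dynamic ACL line, inbound packets pass only on a static rule or matching state, and closing the session removes both. Assumptions: the inside network is 10.1.1.0/24 (the slide's wildcard is reproduced in a comment), and the packets are constructed.

```python
"""Stateful inspection of an outbound TCP session (Stateful Firewall slide
and CBAC Step-by-Step slide).

Added example, not Cisco course material or IOS code. A session opened from
the inside creates a state-table entry plus a mirror "dynamic ACL" entry for
the reply; inbound packets pass only on a static rule or a matching state
entry. Addresses and ports follow the slide (10.1.1.1:1500 -> 200.3.3.3:80);
the inside network 10.1.1.0/24 is assumed and all packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN (no ACK): a new connection attempt


class StatefulFirewall:
    def __init__(self, inside_net, static_inbound):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.static_inbound = set(static_inbound)   # (proto, dst, dport) permits
        self.state = set()              # tracked outbound sessions
        self.dynamic_acl = {}           # session -> ACL line, as on the slide

    def dynamic_entries(self):
        return list(self.dynamic_acl.values())

    def outbound(self, pkt):
        """Inside ACL (slide: permit ip 10.0.0.0 0.0.0.255 any), then inspection."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return "deny"                # egress anti-spoofing
        # Inspection rule: track new TCP connections and UDP pseudo-sessions.
        if pkt.proto == "udp" or (pkt.proto == "tcp" and pkt.syn):
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.state.add(key)
            self.dynamic_acl[key] = (f"permit {pkt.proto} host {pkt.dst} eq "
                                     f"{pkt.dport} host {pkt.src} eq {pkt.sport}")
        return "permit"

    def inbound(self, pkt):
        """Outside ACL: dynamic (state) entries, static permits, then deny ip any any."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "permit (state)"
        if (pkt.proto, pkt.dst, pkt.dport) in self.static_inbound:
            return "permit (static)"
        return "deny"

    def close(self, pkt):
        """Client ends the session: remove the state entry and its dynamic ACL line."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.state.discard(key)
        self.dynamic_acl.pop(key, None)


if __name__ == "__main__":
    fw = StatefulFirewall("10.1.1.0/24",
                          [("tcp", "10.1.1.2", 25), ("udp", "10.1.1.2", 53)])
    session = Packet("tcp", "10.1.1.1", 1500, "200.3.3.3", 80, syn=True)
    print(fw.outbound(session), fw.dynamic_entries())
    print(fw.inbound(Packet("tcp", "200.3.3.3", 80, "10.1.1.1", 1500)))  # reply: state
    print(fw.inbound(Packet("tcp", "200.3.3.3", 80, "10.1.1.1", 1501)))  # no state: deny
    fw.close(session)
    print(fw.inbound(Packet("tcp", "200.3.3.3", 80, "10.1.1.1", 1500)))  # now denied
```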
CBAC TCP Handling

CBAC UDP Handling

CBAC Example

Configuration of CBAC
Four Steps to Configure
§ Step 1: Pick an Interface
§ Step 2: Configure IP ACLs at the Interface
§ Step 3: Define Inspection Rules
§ Step 4: Apply an Inspection Rule to an Interface

Module 5. Implementing Intrusion Prevention
- @ cisco flash v1.0 -

CCNA Security v1.0, module 5 (Cisco flash v1.0)
Dongseo University, HoonJae Lee

Intrusion Detection Systems (IDSs)

(Figure: switch, IDS sensor, management console, and target)

1. An attack is launched on a network that has a sensor deployed in
promiscuous IDS mode; therefore copies of all packets are sent to the
IDS sensor for packet analysis. However, the target machine will
experience the malicious attack.
2. The IDS sensor matches the malicious traffic to a signature and
sends the switch a command to deny access to the source of the
malicious traffic.
3. The IDS can also send an alarm to a management console for logging
and other management purposes.

Intrusion Prevention Systems (IPSs)

(Figure: inline IPS sensor, bit bucket, management console, and target)

1. An attack is launched on a network that has a sensor deployed in IPS
mode (inline mode).
2. The IPS sensor analyzes the packets as they enter the IPS sensor
interface. The IPS sensor matches the malicious traffic to a signature
and the attack is stopped immediately.
3. The IPS sensor can also send an alarm to a management console for
logging and other management purposes.
4. Traffic in violation of policy can be dropped by an IPS sensor.

Common characteristics of IDS and IPS

ü Both technologies are deployed using sensors.
ü Both technologies use signatures to detect patterns of misuse in
network traffic.
ü Both can detect atomic patterns (single-packet) or composite patterns
(multi-packet).

Comparing IDS and IPS Solutions

Promiscuous Mode IDS
Advantages:
§ No impact on network (latency, jitter)
§ No network impact if there is a sensor failure
§ No network impact if there is sensor overload
Disadvantages:
§ Response action cannot stop trigger packets
§ Correct tuning required for response actions
§ Must have a well thought-out security policy
§ More vulnerable to network evasion techniques

Comparing IDS and IPS Solutions

Inline Mode IPS
Advantages:
§ Stops trigger packets
§ Can use stream normalization techniques
Disadvantages:
§ Sensor issues might affect network traffic
§ Sensor overloading impacts the network
§ Must have a well thought-out security policy
§ Some impact on network (latency, jitter)

Network-Based Implementation

(Figure: network IPS placed behind the firewall and VPN, with MARS for
monitoring, IronPort for mail, CSA on the Web, Email and DNS servers, and
VPN links to a remote worker and a remote branch)

Host-Based Implementation

(Figure: the same network with Cisco Security Agent (CSA) on every host
and server, managed from the Management Center for Cisco Security Agents)

Cisco Security Agent

(Figure: agents on the application server, SMTP, Web and DNS servers and
on corporate network hosts, behind a firewall facing the untrusted
network, all managed from the Management Center for Cisco Security Agents)

Host-Based Solutions
Advantages and Disadvantages of HIPS

Advantages:
§ The success or failure of an attack can be readily determined.
§ HIPS does not have to worry about fragmentation attacks or variable
Time to Live (TTL) attacks.
§ HIPS has access to the traffic in unencrypted form.
Disadvantages:
§ HIPS does not provide a complete network picture.
§ HIPS has a requirement to support multiple operating systems.

Network-Based Solutions

(Figure: sensors placed at the router facing the untrusted network, at
the firewall, and in front of the Web and DNS servers, reporting to a
management server)

Cisco IPS Solutions
AIM and Network Module Enhanced

§ Integrates IPS into the Cisco 1841 (IPS AIM only), 2800 and 3800
ISR routers
§ IPS AIM occupies an internal AIM slot on router and has its own CPU
and DRAM
§ Monitors up to 45 Mb/s of traffic
§ Provides full-featured intrusion protection
§ Is able to monitor traffic from all router interfaces
§ Can inspect GRE and IPsec traffic that has been decrypted at the
router
§ Delivers comprehensive intrusion protection at branch offices,
isolating threats from the corporate network
§ Runs the same software image as Cisco IPS Sensor Appliances

Cisco IPS Solutions
ASA AIP-SSM
§ High-performance module designed to provide additional
security services to the Cisco ASA 5500 Series Adaptive
Security Appliance
§ Diskless design for improved reliability
§ External 10/100/1000 Ethernet interface for management
and software downloads
§ Intrusion prevention capability
§ Runs the same software image as the Cisco IPS Sensor
appliances


Cisco IPS Solutions
4200 Series Sensors

§ Appliance solution focused on protecting network devices, services,
and applications
§ Sophisticated attack detection is provided.

Cisco IPS Solutions
Cisco Catalyst 6500 Series IDSM-2

§ Switch-integrated intrusion protection module delivering a high-value
security service in the core network fabric device
§ Support for an unlimited number of VLANs
§ Intrusion prevention capability
§ Runs the same software image as the Cisco IPS Sensor Appliances

IPS Sensors
§ Factors that impact IPS sensor selection and deployment:
ØAmount of network traffic
ØNetwork topology
ØSecurity budget
ØAvailable security staff
§ Size of implementation
ØSmall (branch offices)
ØLarge
ØEnterprise

Comparing HIPS and Network IPS

HIPS
Advantages:
§ Is host-specific
§ Protects host after decryption
§ Provides application-level encryption protection
Disadvantages:
§ Operating system dependent
§ Lower level network events not seen
§ Host is visible to attackers

Network IPS
Advantages:
§ Is cost-effective
§ Not visible on the network
§ Operating system independent
§ Lower level network events seen
Disadvantages:
§ Cannot examine encrypted traffic
§ Does not know whether an attack was successful

Signature Characteristics

(Figure: analyst callout, "Hey, come look at this. This looks like the
signature of a LAND attack.")

§ An IDS or IPS sensor matches a signature with a data flow
§ The sensor takes action
§ Signatures have three distinctive attributes
ØSignature type
ØSignature trigger
ØSignature action

Signature Types
§ Atomic
ØSimplest form
ØConsists of a single packet, activity, or event
ØDoes not require intrusion system to maintain state information
ØEasy to identify
§ Composite
ØAlso called a stateful signature
ØIdentifies a sequence of operations distributed across multiple
hosts
ØSignature must maintain a state known as the event horizon

Signature File

Signature Micro-Engines

Version 4.x SME        Version 5.x SME        Description
(prior to 12.4(11)T)   (12.4(11)T and later)

Atomic – Examine simple packets
ATOMIC.IP              ATOMIC.IP              Provides simple Layer 3 IP alarms
ATOMIC.ICMP            ATOMIC.IP              Provides simple Internet Control Message Protocol (ICMP) alarms based on the following parameters: type, code, sequence, and ID
ATOMIC.IPOPTIONS       ATOMIC.IP              Provides simple alarms based on the decoding of Layer 3 options
ATOMIC.UDP             ATOMIC.IP              Provides simple User Datagram Protocol (UDP) packet alarms based on the following parameters: port, direction, and data length
ATOMIC.TCP             ATOMIC.IP              Provides simple TCP packet alarms based on the following parameters: port, destination, and flags

Service – Examine the many services that are attacked
SERVICE.DNS            SERVICE.DNS            Analyzes the Domain Name System (DNS) service
SERVICE.RPC            SERVICE.RPC            Analyzes the remote-procedure call (RPC) service
SERVICE.SMTP           STATE                  Inspects Simple Mail Transfer Protocol (SMTP)
SERVICE.HTTP           SERVICE.HTTP           Provides HTTP protocol decode-based string engine that includes anti-evasive URL de-obfuscation
SERVICE.FTP            SERVICE.FTP            Provides FTP service special decode alarms

String – Use expression-based patterns to detect intrusions
STRING.TCP             STRING.TCP             Offers TCP regular expression-based pattern inspection engine services
STRING.UDP             STRING.UDP             Offers UDP regular expression-based pattern inspection engine services
STRING.ICMP            STRING.ICMP            Provides ICMP regular expression-based pattern inspection engine services

Multi-String – Supports flexible pattern matching
MULTI-STRING           MULTI-STRING           Supports flexible pattern matching and supports Trend Labs signatures

Other – Handles miscellaneous signatures
OTHER                  NORMALIZER             Provides internal engine to handle miscellaneous signatures

Cisco Signature List

Signature Triggers

Pattern-based Detection
• Advantages: Easy configuration; Fewer false positives; Good signature
design
• Disadvantages: No detection of unknown signatures; Initially a lot of
false positives; Signatures must be created, updated, and tuned

Anomaly-based Detection
• Advantages: Easy configuration; Can detect unknown attacks
• Disadvantages: Difficult to profile typical activity in large
networks; Traffic profile must be constant

Policy-based Detection
• Advantages: Simple and reliable; Customized policies; Can detect
unknown attacks
• Disadvantages: Generic output; Policy must be created

Honey Pot-Based Detection
• Advantages: Window to view attacks; Distract and confuse attackers;
Slow down and avert attacks; Collect information about attack
• Disadvantages: Dedicated honey pot server; Honey pot server must not
be trusted

Pattern-based Detection

Trigger: Pattern-based detection
• Atomic signature: No state required to examine pattern to determine
if signature action should be applied
• Stateful signature: Must maintain state or examine multiple items to
determine if signature action should be applied
• Example (atomic): Detecting an Address Resolution Protocol (ARP)
request that has a source Ethernet address of FF:FF:FF:FF:FF:FF
• Example (stateful): Searching for the string "confidential" across
multiple packets in a TCP session

Anomaly-based Detection

Trigger: Anomaly-based detection
• Atomic signature: No state required to identify activity that
deviates from normal profile
• Stateful signature: State required to identify activity that deviates
from normal profile
• Example (atomic): Detecting traffic that is going to a destination
port that is not in the normal profile
• Example (stateful): Verifying protocol compliance for HTTP traffic

Policy-based Detection

Trigger: Policy-based detection
• Atomic signature: No state required to identify undesirable behavior
• Stateful signature: Previous activity (state) required to identify
undesirable behavior
• Example (atomic): Detecting abnormally large fragmented packets by
examining only the last fragment
• Example (stateful): A SUN Unix host sending RPC requests to remote
hosts without initially consulting the SUN PortMapper program.

Honey Pot-based Detection

§ Uses a dummy server to attract attacks
§ Distracts attacks away from real network devices
§ Provides a means to analyze incoming types of attacks and malicious
traffic patterns
§ Is useful for finding common attacks on network resources and
implementing patches/fixes for real network purposes

Cisco IOS IPS Solution Benefits

§ Uses the underlying routing infrastructure to provide an additional
layer of security with investment protection
§ Attacks can be effectively mitigated to deny malicious traffic from both
inside and outside the network
§ Provides threat protection at all entry points to the network when
combined with other Cisco solutions
§ Is supported by easy and effective management tools
§ Offers pervasive intrusion prevention solutions that are designed to
integrate smoothly into the network infrastructure and to proactively
protect vital resources
§ Supports approximately 2000 attack signatures from the same
signature database that is available for Cisco IPS appliances