Professional Documents
Culture Documents
CCNASv2 InstructorPPT CH5
CCNASv2 InstructorPPT CH5
CCNASv2 InstructorPPT CH5
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 5.1:
IPS Technologies
Upon completion of this section, you should be able to:
• Explain zero-day attacks.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Topic 5.1.1:
IDS and IPS Characteristics
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Zero-Day Attacks
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Monitor for Attacks
Advantages of an IDS:
• Works passively
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Detect and Stop Attacks
IPS:
• Implemented in an inline mode
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Similarities Between IDS and IPS
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Advantages and Disadvantages of IDS and
IPS
Advantages IDS: Advantages IPS:
• No impact on network • Stops trigger packets
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Topic 5.1.2:
Network-Based IPS Implementations
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Host-Based and Network-Based IPS
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Network-Based IPS Sensors
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Cisco’s Modular and Appliance-Based IPS Solutions
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Choose an IPS Solution
Factors affecting the IPS sensor selection and deployment:
• Amount of network traffic
• Network topology
• Security budget
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
IPS Advantages and Disadvantages
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Modes of Deployment
Promiscuous Mode
Inline Mode
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Topic 5.1.3:
Cisco Switched Port Analyzer
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Port Mirroring
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Cisco SPAN
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Configuring Cisco SPAN Using Intrusion
Detection
Cisco SPAN Commands:
• Monitor session command – used to associate a source port and a destination
port with a SPAN session.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Section 5.2:
IPS Signatures
Upon completion of the section, you should be able to:
• Understand IPS signature characteristics
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Topic 5.2.1:
IPS Signature Characteristics
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Signature Attributes
A signature is a set of rules that an IDS and an IPS use to detect typical
intrusion activity.
Signatures have three distinct attributes:
• Type
• Trigger (alarm)
• Action
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Signature Types
Signatures are categorized as either:
• Atomic – this simplest type of signature consists of a single packet, activity, or
event that is examined to determine if it matches a configured signature. If
yes, an alarm is triggered and a signature action is performed.
• Composite – this type of signature identifies a sequence of operations
distributed across multiple hosts over an arbitrary period of time.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Signature File
• As new threats are identified, new signatures must be created and
uploaded to an IPS.
• A signature file contains a package of network signatures.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Signature Micro-Engines
Cisco IOS defines five micro-engines:
• Atomic – Signatures that examine simple packets.
• Service – Signatures that examine the many services that are attacked.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Download a Signature File
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Topic 5.2.2:
IPS Signature Alarms
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Signature Alarm
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Pattern-Based Detection
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Anomaly-Based Detection
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Policy-Based and Honey Pot-Based Detection
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Benefits of the Cisco IOS IPS Solution
Benefits:
• It uses underlying routing
infrastructure to provide an
additional layer of security.
• It is inline and is supported on a
broad range of routing platforms.
• It provides threat protection at all
entry points to the network when
used in combination with Cisco
IDS, Cisco IOS Firewall, VPN,
and NAC solutions
• The size of the signature
database used by the devices can
be adapted to the amount of
available memory in the router.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Alarm Triggering Mechanisms
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Topic 5.2.3:
IPS Signature Actions
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Signature Actions
Summary of Action Categories:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Manage Generated Alerts
Generating an Alert:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Log Activities for Later Analysis
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Deny the Activity
Dropping or Preventing the Activity:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Reset, Block, and Allow Traffic
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Topic 5.2.4:
Manage and Monitor IPS
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Monitor Activity
IPS Planning and Monitoring Considerations:
• Management method
• Event correlation
• Security staff
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Monitoring Considerations
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Secure Device Event Exchange
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
IPS Configuration Best Practices
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Topic 5.2.5:
IPS Global Correlation
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Cisco Global Correlation
Goals of global correlation:
• Dealing intelligently with alerts to improve effectiveness
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Cisco SensorBase Network
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Cisco Security Intelligence Operation
Network participation gathers the following data:
• Signature ID
• Attacker IP address
• Attacker port
• Victim IP address
• Victim port
• Signature version
• Reputation score
• Risk rating
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Reputations, Blacklists, and Traffic Filters
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Reputations, Blacklists, and Traffic Filters
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Section 5.3:
Implement IPS
Upon completion of this section, you should be able to:
• Understand how to configure Cisco IOS IPS with CLI
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Topic 5.3.1:
Configure Cisco IOS IPS with CLI
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Implement IOS IPS
Step 1. Download the IOS IPS files.
Step 2. Create an IOS IPS configuration directory in Flash.
Step 3. Configure an IOS IPS crypto key.
Step 4. Enable IOS IPS.
Step 5. Load the IOS IPS signature package to the router.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Download the IOS IPS Files
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
IPS Crypto Key
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Enable IOS IPS
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Enable IOS IPS
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Load the IPS Signature Package in RAM
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Load the IPS Signature Package in RAM
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Retire and Unretire Signatures
Retiring an Individual Signature:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Topic 5.3.2:
Modifying Cisco IOS IPS Signatures
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Change Signature Actions
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Topic 5.3.3:
Verify and Monitor IPS
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Verify IOS IPS
Show commands to verify the IOS IPS configuration:
• show ip ips
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Report IPS Alerts
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Enable SDEE
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Section 5.4:
Summary
Chapter Objectives:
• Describe IPS technologies and how they are implemented.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Thank you.
Instructor Resources
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 70