We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Modified over 5 years ago
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features
© 2006 Cisco Systems, Inc. All rights reserved. Module 6: Cisco IOS Threat Defense Features Lesson 6.4: Introducing Cisco IOS IPS
© 2006 Cisco Systems, Inc. All rights reserved. Objectives Compare and contrast Intrusion Detection Systems and Intrusion Protection Systems. Describe the Cisco IPS products and technologies. Define IDS and IPS types and options. Compare Network Based and Host Based IPS systems (HIPS and NIPS).
© 2006 Cisco Systems, Inc. All rights reserved. Intrusion Detection System IDS is a passive device: Traffic does not pass through the IDS device. Typically uses only one promiscuous interface. IDS is reactive: IDS generates an alert to notify the manager of malicious traffic. Optional active response: Further malicious traffic can be denied with a security appliance or router. TCP resets can be sent to the source device.
© 2006 Cisco Systems, Inc. All rights reserved. Intrusion Protection System IPS is an active device: All traffic passes through IPS. IPS uses multiple interfaces. Proactive prevention: IPS denies all malicious traffic. IPS sends an alert to the management station.
© 2006 Cisco Systems, Inc. All rights reserved. Combining IDS and IPS IPS actively blocks offending traffic: Should not block legitimate data Only stops “known malicious traffic” Requires focused tuning to avoid connectivity disruption IDS complements IPS: Verifies that IPS is still operational Alerts you about any suspicious data except “known good traffic” Covers the “gray area” of possibly malicious traffic that IPS did not stop
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS IPS Products and Technologies Cisco IOS IPS uses a blend of Cisco IDS and IPS products: Cisco IDS Series appliances Cisco Catalyst Series IDS services modules Cisco network module hardware IDS appliances Cisco IOS IPS uses a blend of technologies: Profile-based intrusion detection Signature-based intrusion detection Protocol analysis-based intrusion detection
© 2006 Cisco Systems, Inc. All rights reserved. CriteriaTypeDescription Deployment Options Network-based Network sensors scan traffic that is destined to many hosts. Host-based Host agent monitors all operations within an operating system. Approaches to Identifying Malicious Traffic Signature-basedA vendor provides a customizable signature database. Policy-basedPolicy definition and description is created. Anomaly-based“Normal” and “abnormal” traffic is defined. Honeypot-basedSacrificial host is set up to lure the attacker. IDS and IPS Types and Options
© 2006 Cisco Systems, Inc. All rights reserved. Network-Based and Host-Based IPS NIPS: Sensor appliances are connected to network segments to monitor many hosts. HIPS: Centrally managed software agents are installed on each host. CSAs defend the protected hosts and report to the central management console. HIPS provides individual host detection and protection. HIPS does not require special hardware.
© 2006 Cisco Systems, Inc. All rights reserved. Comparing HIPS and NIPS Application-level encryption protection Policy enhancement (resource control) Web application protection Buffer overflow Network attack and reconnaissance prevention DoS prevention
© 2006 Cisco Systems, Inc. All rights reserved. NIPS Features Sensors are network appliances that you tune for intrusion detection analysis: The operating system is “hardened.” The hardware is dedicated to intrusion detection analysis. Sensors are connected to network segments. A single sensor can monitor many hosts. Growing networks are easily protected: New hosts and devices can be added without adding sensors. New sensors can be easily added to new networks.
© 2006 Cisco Systems, Inc. All rights reserved. NIDS and NIPS Deployment
© 2006 Cisco Systems, Inc. All rights reserved. Signature-Based IDS and IPS Observes and blocks or alarms if a known malicious event is detected: Requires a database of known malicious patterns. The database must be continuously updated.
© 2006 Cisco Systems, Inc. All rights reserved. Policy-Based IDS and IPS Observes and blocks or alarms if an event outside the configured policy is detected Requires a policy database !!
© 2006 Cisco Systems, Inc. All rights reserved. Anomaly-Based IDS and IPS Observes and blocks or alarms if an event outside known normal behavior is detected: Statistical versus nonstatistical anomaly detection Requires a definition of “normal”
© 2006 Cisco Systems, Inc. All rights reserved. Honeypot-Based IDS and IPS Observes a special system and alarms if any activity is directed at the system: The special system is a trap for attackers and not used for anything else. The special system is well-isolated from the system’s environment. The system is typically used as IDS, not IPS.
© 2006 Cisco Systems, Inc. All rights reserved. Signature Categories Four types of signatures: Exploit signatures match specific known attacks. Connection signatures match particular protocol traffic. String signatures match string sequences in data. DoS signatures match DoS attempts. Signature selection is based on: Type of network protocol Operating system Service Attack type Number of available signatures: About 1500 for IPS sensors, 1200 for IOS IPS
© 2006 Cisco Systems, Inc. All rights reserved. Exploit Signatures Application Presentation Session Transport Network Data Link Physical DNS reconnaissance and DoS Worms, viruses, Trojan horses, adware, malware Port sweeps Port scans TCP SYN attack Fragmentation attacks IP options ICMP reconnaissance and DoS
© 2006 Cisco Systems, Inc. All rights reserved. Signature Examples IDNameDescription 1101Unknown IP Protocol This signature triggers when an IP datagram is received with the protocol field set to 134 or greater. 1307TCP Window Size Variation This signature will fire when the TCP window varies in a suspect manner. 3002TCP SYN Port Sweep This signature triggers when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host. 3227WWW HTML Script Bug This signature triggers when an attempt is made to view files above the HTML root directory.
© 2006 Cisco Systems, Inc. All rights reserved. Summary The intrusion detection system (IDS) is a software- or hardware- based solution that passively listens to network traffic. An intrusion prevention system (IPS) is an active device in the traffic path that listens to network traffic and permits or denies flows and packets into the network. In a network-based system, or network intrusion prevention system (NIPS), the IPS analyses individual packets that flow through a network. In a host-based system, a host-based intrusion prevention system (HIPS) examines the activity on each individual computer or host. IDS and IPS uses any one of four approaches to identifying malicious traffic: Signature-based Policy-based Anomaly-based Honeypot-based
© 2006 Cisco Systems, Inc. All rights reserved. Q and A
© 2006 Cisco Systems, Inc. All rights reserved. Resources Cisco Intrusion Prevention System http://cisco.com/en/US/partner/products/sw/secursw/ps2113/ind ex.html Cisco Intrusion Prevention System Support http://cisco.com/en/US/partner/products/sw/secursw/ps2113/tsd _products_support_series_home.html
© 2006 Cisco Systems, Inc. All rights reserved.
Guide to Network Defense and Countermeasures Second Edition
1 Reading Log Files. 2 Segment Format
Lecture 14 Firewalls modified from slides of Lawrie Brown.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion Detection MIS ALTER 0A234 Lecture 3.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 5 Network Defenses.
John Felber. Sources What is an Intrusion Detection System Types of Intrusion Detection Systems How an IDS Works Detection Methods Issues.
Host Intrusion Prevention Systems & Beyond
Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Computer Security Fundamentals by Chuck Easttom Chapter 9: Computer Security Software.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
© 2020 SlidePlayer.com Inc. All rights reserved.