© 2012 Cisco and/or its affiliates. All rights reserved.

CCNA Security 1.1 Instructional Resource, Chapter 5 – Implementing Intrusion Prevention


Chapter objectives:
–Describe the underlying IDS and IPS technology that is embedded in the Cisco host-based and network-based IDS and IPS solutions.
–Configure Cisco IOS IPS using the CLI and CCP.
–Verify Cisco IOS IPS using the CLI and CCP.

Exam topics covered:
8.0 Implementing Cisco IPS
  8.1 Describe IPS deployment considerations
    8.1.3 Placement
  8.2 Describe IPS technologies
    8.2.1 Attack responses
    8.2.2 Monitoring options
    8.2.3 Syslog
    8.2.4 SDEE
    8.2.5 Signature engines
    8.2.6 Signatures
    8.2.7 Global Correlation and SIO
  8.3 Configure Cisco IOS IPS using CCP
    8.3.1 Logging
    8.3.2 Signatures

Key points:
–An IDS passively monitors mirrored traffic offline. An IPS operates inline and is able to detect and respond to an attack in real time.
–IPS is deployed in standalone devices, as a daughter card on ISRs, as network modules in ISRs and ASAs, and as dedicated blades on high-end chassis-based switches and routers.
–The three attributes of signatures are type, trigger, and action. Signature types are atomic or composite.
–Global Correlation enables Cisco IPS devices to receive real-time threat updates from the Cisco SensorBase Network.
–Alarm types are false positive, false negative, true positive, and true negative.
–Signature severity levels are high, informational, low, and medium.
–Signature actions are generate an alert, log the activity, prevent the activity, reset a TCP connection, block future activity, and allow the activity.
–Cisco IOS IPS can be configured via the CLI or CCP.

Chapter 5 Lab A: Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP
–Part 1: Basic Router Configuration
–Part 2: Use the CLI to configure an IOS Intrusion Prevention System (IPS)
–Part 3: Configure an Intrusion Prevention System (IPS) using CCP


Changes from the previous version of the curriculum:
–SDM has been replaced by CCP.
–Host-based IPS content was removed.
–Cisco Global Correlation via the SensorBase Network is now used to update IPS signatures.
–Cisco Security Intelligence Operations (SIO) is a security ecosystem, including the SensorBase Network, designed to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected.

Chapter 5 is a fairly even combination of theory and practice. The goal is to introduce students to the major concepts of IPS and to how IPS devices and IPS signatures are used to proactively prevent intrusion attempts by malicious traffic on the network. The lab is designed to teach students to configure IPS using both the CLI and CCP. Students will have used CCP in the lab environment in previous chapters, and the same troubleshooting techniques for connecting successfully to the ISR via CCP apply here.

Obtain the signature packages and the public key from Cisco.com. This requires an active account on Cisco.com.
–Download the files at http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
–IOS-Sxxx-CLI.pkg: the signature package.
–realm-cisco.pub.key.txt: the public crypto key used by IOS IPS to verify the signature package.
The mechanics of preparing for the IPS lab are extensive and the requirements for success are exacting. Ensure that the PCs or VMs in the lab have the appropriate Java updates, that the Java runtime parameters are configured correctly, that appropriate browser versions are installed, that the appropriate signature files are available on the PCs or routers, and that the appropriate IOS image is installed on the routers.

Prepare students to be patient when compiling the IPS signatures for the first time on the router, as it can take quite a while. After completing the IPS installation in CCP, encourage students to explore the various signature parameters by way of the Edit tab in CCP.
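As an added example (not from the instructional resource or its lab), this is the CLI side of the preparation described above: install the realm-cisco.pub public key, point IOS IPS at a signature directory, retire all signatures except the basic category, apply the rule inline, then load the signature package, which starts the compile that can take a while. The directory name, interface name and TFTP server address are assumptions; the key-string hex must be pasted from realm-cisco.pub.key.txt, and xxx is the package version.

```cisco
! Exec mode: create the directory that will hold the compiled signatures (name assumed)
mkdir flash:ips
!
configure terminal
! 1. Import the Cisco public key that authenticates signature packages.
!    Paste the hex from realm-cisco.pub.key.txt in place of the placeholder.
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <hex key-string copied from realm-cisco.pub.key.txt>
  quit
 exit
!
! 2. Tell IOS IPS where to store signature definitions and name the rule.
ip ips config location flash:ips retries 1
ip ips name iosips
!
! 3. Send events to both SDEE (pulled by CCP or IME over HTTPS) and syslog.
ip http secure-server
ip ips notify sdee
ip ips notify log
!
! 4. Retire every signature, then un-retire the basic category so the
!    router compiles only a set it can hold in memory.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
 exit
!
! 5. Apply the rule inline on the untrusted interface (interface name assumed).
interface GigabitEthernet0/0
 ip ips iosips in
 exit
end
!
! 6. Load the signature package (xxx = package version); this starts the compile.
copy tftp://192.0.2.10/IOS-Sxxx-CLI.pkg idconf
!
! 7. Verify that the rule is bound to the interface and that signatures compiled.
show ip ips configuration
show ip ips signatures count
```

If the key-string is pasted incorrectly the package load fails signature verification, so check the key with show crypto key pubkey-chain rsa before the copy.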

Compare and contrast the role of intrusion prevention solutions versus the role of firewalls. When students are first learning security it is not uncommon for them to confuse the purpose of IPS with that of a firewall.
–Explain that firewalls are not updated regularly in the way that IPS signatures on ISRs or virus definitions on PCs are.
–Firewalls permit or deny traffic based on preconfigured parameters. Intrusion prevention responds to detected malicious traffic with an action, such as resetting the TCP connection or denying the packet inline.
–IPS solutions are inherently more dynamic than firewalls.
Host-based IPS solutions are deprecated in this version of the curriculum, but this does not preclude their introduction in the classroom. In this case, compare and contrast host-based versus network-based approaches. A combination of the two approaches is ideal. Some philosophy is involved here – security experts often differ on the relative importance of each approach.

Compare and contrast the CLI and CCP implementation methods for Cisco IPS. An open-ended discussion on the merits of each approach is beneficial to practitioners. Compare the advantages and disadvantages of the four types of signature triggers to minimize common confusion about them:

Compare and contrast IDS solutions and IPS solutions.
–What are some advantages of IDS over IPS?
–Does IDS require any additional technologies compared to IPS?
–What can an IPS device do that an IDS device cannot?
Contrast the IPS management options: Cisco IPS Manager Express (IME) or Cisco Security Manager (CSM). Compare and contrast the IPS logging solutions provided by Security Device Event Exchange (SDEE) and syslog.

(Optional) Compare and contrast the Global Correlation method with SensorBase, now recommended for IPS implementations, with the previous generation of IPS update methods, which required more administrator intervention.
Describe a hypothetical network with and without IPS implemented.
–What types of problems might occur in the network without IPS deployed?
–Which types of attacks is a network most susceptible to when IPS is deployed?
–What assets are protected by an IPS deployment?

Discussion questions:
–What did network administrators do prior to the availability of IPS solutions?
–What specific events or trends resulted in the mainstream usage of IPS solutions?
–How do you determine what IPS actions to implement when signatures for malicious traffic are triggered?
–How do you decide which IPS signatures to implement, considering that a given device may only reasonably support a certain number of signatures?
–What do you notice regarding the differences between the log output of syslog versus SDEE?

Research the major historical Internet attacks (some were introduced in Chapter 1). Have students report back on the role IPS would have played (in retrospect) in mitigating these attacks.
Ask students to put themselves in the mind of the malicious hacker.
–What would such a person do to circumvent IPS implementations on a network?
–What attacks would be used to cause the greatest damage to a network with or without an IPS solution?

Additional resources:
–http://en.wikipedia.org/wiki/Intrusion_prevention_system
–http://www.cisco.com/en/US/products/ps5729/Products_Sub_Category_Home.html
–http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
–http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/lippis-cloud-based.pdf
–http://tools.cisco.com/security/center/home.x
–http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/15-2mt/sec-data-ios-ips-15-2mt-book.html
