© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 5 – Implementing Intrusion Prevention.

Presentation transcript:

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 5 – Implementing Intrusion Prevention

Slide 2:
–Describe the underlying IDS and IPS technology that is embedded in the Cisco host- and network-based IDS and IPS solutions.
–Configure Cisco IOS IPS using CLI and CCP.
–Verify Cisco IOS IPS using CLI and CCP.

Slide 3: Implementing Cisco IPS
8.1 Describe IPS deployment considerations
–Placement
8.2 Describe IPS technologies
–Attack responses
–Monitoring options: Syslog, SDEE
–Signature engines
–Signatures
–Global Correlation and SIO
8.3 Configure Cisco IOS IPS using CCP
–Logging
–Signatures

Slide 4:
–An IDS passively monitors mirrored traffic offline. An IPS operates inline and is able to detect and respond to an attack in real time.
–IPS is deployed in standalone devices, as a daughter card on ISRs, as network modules in ISRs and ASAs, and as dedicated blades on high-end chassis-based switches and routers.
–The three attributes of signatures are type, trigger, and action. Signature types are atomic or composite.
–Global Correlation enables Cisco IPS devices to receive real-time threat updates from the Cisco SensorBase Network.
–Alarm types are false positive, false negative, true positive, and true negative.
–Signature severity levels are high, informational, low, and medium.
–Signature actions are generate an alert, log the activity, prevent the activity, reset a TCP connection, block future activity, and allow the activity.
–Cisco IOS IPS can be configured via CLI or CCP.

Slide 5: Chapter 5 Lab A: Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP
–Part 1: Basic Router Configuration
–Part 2: Use CLI to configure an IOS Intrusion Prevention System (IPS)
–Part 3: Configuring an Intrusion Prevention System (IPS) using CCP


Slide 12: SDM has been replaced by CCP. Host-based IPS content was removed. Cisco Global Correlation via the SensorBase Network is now used to update IPS signatures. Cisco Security Intelligence Operation (SIO) is a security ecosystem, including the SensorBase Network, designed to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected.

Slide 13: Chapter 5 is a fairly even combination of theory and practice. The goal is to introduce students to the major concepts of IPS and how IPS devices and IPS signatures are used to proactively prevent intrusion attempts related to malicious traffic on the network. The lab is designed to teach students to configure IPS using both the CLI and CCP. Students will have used CCP in the lab environment in previous chapters. The same troubleshooting techniques for connecting successfully to the ISR via CCP apply here.

Slide 14: Obtain the signature package and the public key from Cisco.com. To do this, you must have an active account on Cisco.com.
–Download the files at v5sigup.
–IOS-Sxxx-CLI.pkg: the signature package.
–realm-cisco.pub.key.txt: the public crypto key used by IOS IPS to verify the signature package.
The mechanics of preparing for the IPS lab are extensive and the requirements for success are exacting. Ensure that the PCs or VMs in the lab have the appropriate Java updates, that the Java runtime parameters are configured correctly, that appropriate browser versions are installed, that the appropriate signature files are available on the PCs or routers, and that the appropriate image is installed on the routers.
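As an added illustration (not taken from the deck or the lab guide), this is the IOS CLI sequence that lab Part 2 builds from the two files named above: import the key, create a rule, pick the notification method, retire the bulk of the signature set, apply the rule inbound, and load the package. The directory name ipsdir, the rule name iosips, the interface GigabitEthernet0/1 and the key-string placeholder are assumptions; Sxxx stands for whichever signature version was downloaded.

```cisco
! Step 1: install the Cisco public key that signs IOS-Sxxx-CLI.pkg.
! Paste the hex lines exactly as they appear in realm-cisco.pub.key.txt.
configure terminal
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <hex lines copied from realm-cisco.pub.key.txt>
  quit
 exit
exit

! Step 2: a flash directory for compiled signatures and a named IPS rule
! (ipsdir and iosips are assumed names).
mkdir flash:ipsdir
configure terminal
ip ips config location flash:ipsdir
ip ips name iosips

! Step 3: where alerts go. SDEE rides on the router's HTTP server;
! 'notify log' sends the same events to syslog for comparison.
ip http server
ip ips notify sdee
ip ips notify log

! Step 4: retire every signature, then un-retire only the small
! "ios_ips basic" category so the router can compile the set.
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit

! Step 5: apply the rule inbound on the interface facing untrusted traffic
! (interface name assumed).
interface GigabitEthernet0/1
 ip ips iosips in
 exit
exit

! Step 6: load and compile the package; the first compile takes a while.
copy flash:IOS-Sxxx-CLI.pkg idconf

! Step 7: confirm the rule, the interface binding and the signature counts.
show ip ips configuration
show ip ips signatures count
```

If the key was pasted incorrectly, the copy in step 6 fails signature verification and the package is not loaded, which is the first thing to check when the signature count stays at zero.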

Slide 15: Prepare students to be patient when compiling the IPS signatures for the first time on the router, as it can take quite a while. After completing the IPS installation in CCP, encourage students to explore the various signature parameters by way of the Edit tab in CCP.

Slide 16: Compare and contrast the role of intrusion prevention solutions versus the role of firewalls. When students are first learning security, it is not uncommon for them to confuse the purpose of an IPS with that of a firewall.
–Explain that firewalls are not updated regularly, as IPS signatures on ISRs or virus definitions on PCs are.
–Firewalls permit or deny traffic based on preconfigured parameters. Intrusion prevention responds to detected malicious traffic with an action, such as resetting the TCP connection or denying the packet inline.
–IPS solutions are inherently more dynamic than firewalls.
Host-based IPS solutions are deprecated in this version of the curriculum, but this does not preclude their introduction in the classroom. In this case, compare and contrast host-based versus network-based approaches. A combination of these two approaches is ideal. Some philosophy is involved here – security experts often differ on the relative importance of each approach.

Slide 17: Compare and contrast the CLI and CCP implementation methods for Cisco IPS. An open-ended discussion on the merits of each approach is beneficial to practitioners. Compare the advantages and disadvantages of the four types of signature triggers to minimize common confusion about these:

Slide 18: Compare and contrast IDS solutions and IPS solutions.
–What are some advantages of IDS over IPS?
–Does IDS require any additional technologies compared to IPS?
–What can an IPS device do that an IDS device cannot?
Contrast the IPS management options: Cisco IPS Manager Express (IME) or Cisco Security Manager (CSM). Compare and contrast the IPS logging solutions provided by Security Device Event Exchange (SDEE) and syslog.

Slide 19: (Optional) Compare and contrast the Global Correlation method with SensorBase, now recommended for IPS implementations, with the previous generation of IPS update methods, which required more administrator intervention. Describe a hypothetical network with and without IPS implemented.
–What types of problems might occur in the network without IPS deployed?
–Which types of attacks is a network most susceptible to when IPS is deployed?
–What assets are protected by an IPS deployment?

Slide 20:
–What did network administrators do prior to the availability of IPS solutions?
–What specific events or trends resulted in the mainstream usage of IPS solutions?
–How do you determine what IPS actions to implement when signatures for malicious traffic are triggered?
–How do you decide which IPS signatures to implement, considering the fact that a given device may only reasonably support a certain threshold of signatures?
–What do you notice regarding the differences between the log output of Syslog versus SDEE?

Slide 21: Research the major historical Internet attacks (some were introduced in Chapter 1). Have students report back as to the role IPS would play (in retrospect) in mitigating these attacks. Ask students to put themselves in the mind of the malicious hacker. What would such a person do to circumvent IPS implementations on a network? What attacks would be used to cause the greatest damage to a network with or without an IPS solution?
