Chapter 11: Intrusion Prevention Systems

Intrusion Prevention SystemsThis chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS). • The fundamentals of intrusion prevention, comparing IDS and IPS• The building blocks of IPS, introducing the underlying technologies and deployment options• The use of signatures in intrusion prevention, highlighting the benefits and drawbacks• The need for IPS alarm monitoring, evaluating the options for event managers• Analyzing the design considerations in deploying IPSContents Introducing IDS and IPS :• Targeted, mutating, stealth threats are increasingly difficult to detect.• Attackers have insidious motivations and exploit high-impact targets, often for financial benefit or economic and political reasons• Attackers are taking advantage of new ways of communicationIDS:• Analyzes copies of the traffic stream• Does not slow network traffic• Allows some malicious traffic into the networkIPS:• Works inline in real time to monitor Layer 2 through Layer 7 traffic and content• Needs to be able to handle network traffic• Prevents malicious traffic from entering the networkIPS FundamentalsIDS and IPS technologies share several characteristics:• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:• A router configured with Cisco IOS IPS Software• An appliance specifically designed to provide dedicated IDS or IPS services• A network module installed in a Cisco adaptive security appliance, switch, or router• IDS and IPS technologies typically monitor for malicious activities in two spots:• Network:• Hosts: • IDS and IPS technologies use signatures to detect patterns of misuse in network traffic• IDS and IPS technologies look for the following general patterns of misuse:• Atomic pattern• Composite patternIDS and IPS technologies Intrusion Detection SystemAn IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic including:Reconnaissance attacksAccess attacksDenial of Service attacksIt is a passive device because it analyzes copies of the traffic stream traffic.Only requires a promiscuous interface.Does not slow network traffic.Allows some malicious traffic into the network.Intrusion Prevention SystemIt builds upon IDS technology to detect attacks.However, it can also immediately address the threat.An IPS is an active device because all traffic must pass through it.Referred to as “inline-mode”, it works inline in real time to monitor Layer 2 through Layer 7 traffic and content.It can also stop single-packet attacks from reaching the target system (IDS cannot). IDS (Promiscuous Mode)IPS (Inline Mode)AdvantagesNo impact on network (latency, jitter).No network impact if there is a sensor failure or a sensor overload.Stops trigger packets.Can use stream normalization techniques.DisadvantagesResponse action cannot stop trigger packets.Correct tuning required for response actions.More vulnerable to network evasion techniques.Some impact on network (latency, jitter).Sensor failure or overloading impacts the network.Comparing IDS and IPS SolutionsThe IDS sensor in front of the firewall is deployed in promiscuous mode to monitor traffic in the untrusted network. So, IDS or IPS? Why Not Both?• False positive• False negative• True positive• True negativeAlarm TypesMaking Sense of Alarm Types TerminologyTypes of IDS and IPS Sensors• Deny Attacker Inline• Deny Connection Inline• Deny Packet Inline• Log Attacker Packets• Log Pair Packets• Log Victim Packets• Produce Alert• Produce Verbose Alert• Request Block Connection• Request Block Host• Request SNMP Trap• Reset TCP ConnectionIPS Attack ResponsesWhen an IPS sensor detects malicious activity, it can choose from any or all of the following actions:These techniques include the following: • Traffic fragmentation• Traffic substitution• Protocol-level misinterpretation• Timing attacks• Encryption and tunneling• Resource exhaustionIPS Anti-Evasion TechniquesThe following anti-evasion features are available on Cisco IPS sensors:• Complete session reassembly that supports the string and service engines that must examine a reliable byte stream between two network endpoints• Data normalization (deobfuscation) inside service engines, • IP Time to Live (TTL) analysis and TCP checksum validation to guard against end-to-end protocol-level traffic interpretation• Configurable intervals for correlating signatures• Inspection of traffic inside Generic Routing Encapsulation (GRE) tunnels to prevent evasion through tunneling• Smart and dynamic summarization of events to guard against too many alarms for high event ratesAnti-evasion featuresAnti-Evasion Techniques Used by Cisco IPSBuilding a Risk Rating into the Detection CapabilitiesUsing these considerations, risk ratings typically include several components:• Potential damage that could be caused by the activity described by the signature• Asset value of the target of the attack• Accuracy of the triggering signature• Relevancy of the attack to the target• Other security countermeasures (controls) in the environmentRisk-Based Intrusion PreventionIPv6 awareness is another important consideration for IPS architectures. Sensors should be IPv6 awareAlarms : Alarms fire when specific parameters are metYou should consider the following factors when implementing alarms that a signature uses:The level assigned to the signature determines the alarm severity level.A Cisco IPS signature is assigned one of four severity levels• Informational• Low• Medium• HighYou can manually adjust the severity level that an alarm produces.To minimize false positives, study your existing network traffic patternsAs an additional source of information, consider implementing NetFlow on network access devices such as routers and firewallsIPv6-Aware IPSEvent monitoring and management can be divided into the following two needs:• Real-time event monitoring and management• Analysis based on archived information (reporting)There is an important difference between reporting and monitoring. Note that archives are often a significant source of data when producing reports.• Reporting: Analysis based on archived information• Event monitoring: Real-time monitoringIPS Alarms: Event Monitoring and ManagementDevice, Enterprise, and Global CorrelationGlobal Correlation and Cisco SIO at Work, Preventing Zero-Day AttackExamples of IPS DeploymentsIPS Platforms from CiscoThe following are the recommended practices for designing and deploying IPS architecture:• Use a combination of detection technologies.• Take advantage of multiple form factors to deploy a distributed and cost-effective IPS architecture.• Use a “places in the network” approach, which, for Cisco, refers to the building blocks of a corporate network, such as a data center, a campus, and a branch office.• Enable anti-evasion techniques.• Take advantage of local, enterprise, and global correlation.• Use a risk-based approach to improve accuracy and simplify management.• When deploying a large number of sensors, automatically update signature packages instead of manually upgrading every sensor.• Place the signature packages on a dedicated FTP server within the management network.• Tune the IPS architecture constantly.IPS Best PracticesFail-Open or Fail-Close ApproachRecommended practices are based on a series of key factors in current IPS architectures• Intelligent, distributed detection• Vulnerability- and exploit-specific signatures• Protocol anomaly detection• Knowledge base anomaly detection• Reputation filters• Accurate, precise response to relevant attacks• Risk management–based policy• Global correlation adding reputation• On-box correlation• “Trustworthiness” linkages with the endpoint• Flexible deployment options• Passive and/or inline with flexible response (IDS/IPS)• Sensor virtualization• Physical and logical (VLAN) interface support• Software and hardware bypassRecommended practicesCisco IPS ArchitectureCisco IOS IPS• Profile-based intrusion detection• Signature-based intrusion detection• Protocol analysis–based intrusion detectionCisco IOS IPS FeaturesScenario: Protecting the Branch Office Against Inside AttackCisco IOS IPS Signature FeaturesA signature package has definitions for each signature it contains. After signatures are loaded and compiled onto a router running Cisco IOS IPS, IPS can begin detecting the new signatures immediately. Routers access signature definition information through a directory in flash that contains three configuration files—the default configuration, the delta configuration, and the Signature Event Action Processor (SEAP) configuration. SEAP is the control unit responsible for coordinating the data flow of a signature event.Signature file• Encrypted signature support• Lightweight signatures• Direct download from Cisco.com capability• Tuning per top-level categories• Signature tuning inheritanceSignature ManagementSummary of Types of Supported Signature EnginesDetails on Signature MicroenginesSignature TuningSignatures Interactions with Cisco IOSSignature StatesCombinations of Signature Compilations and StatesThe following list summarizes the guidelines for planning an efficient and effective Cisco IOS IPS signature definition:• The number of signatures that can be compiled depends on the free memory available on the router.• For routers with 128 MB of flash, start with the basic signature category.• For routers with 256 MB+ of flash, start with the advanced signature category.• Retire risk-irrelevant signatures according to your needs.• Monitor free memory when retiring or unretiring signatures.• In restrictive policies, define a fail-closed action if signatures fail to compile. This setting instructs the router to drop all packets until the signature engine is built and ready to scan traffic. If this command is issued, one of the following scenarios occurs:• If IPS fails to load the signature package, all packets are dropped—unless the user specifies an access control list (ACL) for packets to send to IPS.• If IPS successfully loads the signature package, but fails to build a signature engine, all packets that are destined for that engine are dropped.• If this command is not issued, all packets are passed without scanning if the signature engine fails to build.• Disabled signatures are still scanned and processed, and will consume resources.• Never unretire the “All” signature category.Combinations of Signature Compilations and StatesMonitoring IPS Alarms and Event ManagementCisco IOS IPS Alarms MonitoringSupport for SDEE and SyslogThe support for SDEE and syslog in the Cisco IOS IPS solution is as follows:• Cisco IOS Software supports the SDEE protocol. • SDEE uses a pull mechanism. That is, requests come from the network management application, and the IDS and IPS router responds.• SDEE becomes the standard format for all vendors to communicate events to a network management application.• You must also enable HTTP or HTTPS on the router, using the ip http server command, when you enable SDEE. The use of HTTPS ensures that data is secured as it traverses the network.• The Cisco IOS IPS router still sends IPS alerts via syslogSDEE and syslog• Local event management and correlation• Cisco Configuration Professional• IPS Device Manager• IPS Manager Express• Enterprise event management and correlation• Cisco Security Manager• Third-party ecosystem partner SIEM systems• Global event management and correlation• Cisco Security Intelligence Operations (SIO)Event ManagementFollowing are the configuration steps to deploy Cisco IOS IPS using CCP:Step 1. Download the latest Cisco IOS IPS signature package to a local PC using Cisco Configuration Professional Auto Update.Step 2. Launch the IPS Policies Wizard to configure Cisco IOS IPS.Step 3. Verify that Cisco IOS IPS configuration and signatures are properly loaded.Step 4. Perform signature tuning.Step 5. Verify alarms.Configuring Cisco IOS IPS Using Cisco Configuration ProfessionalStep 1: Download Cisco IOS IPS Signature PackageStep 2: Launch IPS Policies WizardCreating an IPS Policy by Launching the IPS Policies Wizard in CCPIPS Policies Wizard: Selecting the InterfacesIPS Policies Wizard: Selecting the Signature FileIPS Policies Wizard: Downloading and Installing Cisco’s Public KeyIPS Policies Wizard: Storing Signature InformationIPS Policies Wizard: Configuring Location and Signature CategoryIPS Policies Wizard: Summary ConfigurationStep 3: Verify Configuration and Signature FilesReviewing IPS Configuration and Interface StatusReviewing IPS SignaturesStep 4: Perform Signature TuningEnable, Disable, Retire, or Unretire SignaturesChanging Action of Signatures• Total Signatures• Total Enabled Signatures• Total Retired Signatures• Total Compiled SignaturesStep 5: Verify AlarmsMonitoring IPS Signature Statistics from CCPMonitoring IPS Alarms from CCPIPS Signature StatisticsAlert Color CodingConfiguring Cisco IOS IPS Using the CLIRouter(config)# ip ips name sdm_ips_ruleRouter(config)# ip ips config location flash:/ips/retries 1Router(config)# ip ips notify SDEERouter(config)# interface FastEthernet0/0Router(config-if)# ip ips sdm_ips_rule inTo configure the router to support the default basic signature set, use the ip ips signature-category Router(config)# ip ips signature-categoryRouter(config-ips-category)# category allRouter(config-ips-category-action)# retired trueRouter(config-ips-category-action)# exitRouter(config-ips-category)# category ios_ips basicRouter(config-ips-category-action)# retired falseConfiguring Cisco IOS IPS Using the CLIshow ip ips configuration Command Output%%IPS-6-ENGINE_READY:SERVICE.HTTP – 183136 ms - packets for this engine will be scanned%IPS-5-PACKET_DROP:SERVICE.DNS – packets dropped while engine is building%IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 ->192.168.121.255:137]system log messagesCisco.com Resources“Cisco IOS IPS Q&A,” IOS Security Configuration Guide, Release 12.4, “Configuring Cisco IOS Intrusion Prevention System (IPS),” Security Information Event Management Deployment Guide, “Getting Started with IOS IPS A Step-by-Step Guide,” “Intrusion Prevention System,”