Sunday, May 16, 2010

CCNA Security 12

In network security you will encounter both the IDS and the IPS. IDS stands for Intrusion Detection System, and IPS stands for Intrusion Prevention System. From the names alone it sounds as if an IDS can only detect an intrusion while an IPS can actually stop it. This, however, is a misconception.
Both the IDS and the IPS can mitigate intrusions. According to Cisco, an IDS is a device that does not sit inline with traffic, and an IPS is a device that does. Since the IPS is inline with the traffic, it can deal with malicious traffic itself. An IDS, on the other hand, typically notifies another device to take action when malicious traffic is detected.

Being inline means that the device is in the direct flow of the traffic: an IPS being inline with traffic means that the traffic actually passes through it. An IPS reads the actual data, while an IDS reads a copy (mirror) of the data. An IDS is therefore said to be running in promiscuous mode.

IDS and IPS identify malicious traffic based on:
Policy - A configured policy may ban an IP address, port, or URL.
Signature - A signature matches byte patterns of known attacks.
Anomaly - A baseline of "normal" traffic is taken and deviations trigger the device.

Signature matching is the most widely deployed detection method. There are different types of signatures, such as DoS signatures, Exploit signatures and Connection signatures (stateful inspection). String signatures make use of regular expressions to detect suspicious activity.

Signatures are stored in SDF files (Signature Detection Files). These files are dynamically updated to protect against new threats. You can also use attack-drop.sdf, which is designed to fight the latest network threats; attack-drop.sdf is a static file. SDFs can be loaded from flash memory or from a URL.

A group of related signatures makes up an SME (Signature MicroEngine). When a packet is deemed malicious, one of the following actions can be taken:
Drop - Drop the packet
Reset - Reset the TCP session
Block - Block the IP address
Log - Send a syslog message, an SNMP trap or an SDEE message. SDEE is an application-layer protocol designed to carry IPS messages between a client and a server.

A signature can be edited in SDM; this is known as signature tuning. Signature tuning is necessary when there are too many false positives. Signatures can be disabled and enabled individually in SDM.

There are two places where you can deploy an IPS: in a network device or on a host. When deployed in a network device, it is known as a NIPS (Network IPS). Likewise, when deployed on a host, you have a HIPS (Host IPS).

A honeypot is a device set up deliberately to invite attacks on a server, so that attackers are lured away from the production servers. A honeypot is also useful for gathering statistics about new attacks and for creating signatures.

IPS requires a minimum of 128 MB of memory on your router. In this case, a 2811XM is perfect.

IPS can be configured from the Configure tab. To begin, click on Launch IPS Rule Wizard.

When you first click Launch IPS Rule Wizard, it tells you that SDEE will be enabled.

The IPS Policies Wizard then runs. Note the inconsistency of the window names.

Next, you have to select the outside interface.

The next page is where you select your SDF files. If you do not add any SDF files, the IOS built-in signatures are used as a backup. You can also load an SDF from a network location.

Note that there is an autosave option. With autosave enabled, the router automatically tries to save the signature file whenever a signature changes.

The commands to enable IPS on a router are:
!Specify the location of the SDF file
ip ips sdf location flash://256MB.sdf

!Enable SDEE notification
ip ips notify SDEE

!Name the IPS rule
ip ips name IPS_RULE

!Enable Virtual Fragment Reassembly on the interfaces
interface Loopback0
 ip virtual-reassembly
interface FastEthernet0/0
 ip virtual-reassembly

!Apply the IPS rule inbound on F0/1 (the outside interface); a direction, in or out, is required
interface FastEthernet0/1
 ip ips IPS_RULE in
 ip virtual-reassembly

An IDS/IPS cannot properly match a signature if an attacker heavily fragments packets, because the byte pattern is then split across several fragments. VFR (Virtual Fragmentation Reassembly) is a feature that reassembles fragmented packets on the device before they are forwarded. Once the heavily fragmented packets have been reassembled on the router, the signatures can be matched. VFR protects against Tiny Fragment attacks, Overlapping Fragment attacks and Buffer Overflow attacks.
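To show why the regular-expression string signatures described earlier fail against fragmented traffic, and what VFR-style reassembly gives the engine, here is an added Python illustration (my own example, not Cisco code and not from the original post). A string signature is matched per fragment and then against the reassembled datagram, and fragment sets that look like tiny-fragment, overlapping-fragment or oversize (reassembly buffer) attacks are dropped instead of reassembled. The Frag record, the sample HTTP datagrams and the thresholds are all constructed for the example.

```python
import re
from typing import NamedTuple

class Frag(NamedTuple):
    offset: int   # byte offset of this piece inside the original datagram
    more: bool    # the IP "more fragments" flag
    data: bytes

# A string signature is a regular expression over the payload (constructed sample).
SIGNATURE = re.compile(rb"\.\./\.\./etc/passwd")
MIN_FIRST_FRAG = 16    # constructed threshold: a shorter first fragment is "tiny"
MAX_DATAGRAM = 65535   # IPv4 limit; data placed beyond it would overflow the buffer

def match_per_fragment(frags):
    """Inspection without VFR: each fragment is matched on its own."""
    return any(SIGNATURE.search(f.data) for f in frags)

def reassemble(frags):
    """VFR-style reassembly: returns (payload, None) or (None, reason to drop)."""
    frags = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in frags:
        if f.offset + len(f.data) > MAX_DATAGRAM:
            return None, "oversize"
        if f.offset == 0 and f.more and len(f.data) < MIN_FIRST_FRAG:
            return None, "tiny-fragment"
        if f.offset > len(buf):
            return None, "incomplete"        # a hole: some fragment never arrived
        seen = min(len(buf) - f.offset, len(f.data))   # bytes that overlap data already placed
        if seen and bytes(buf[f.offset:f.offset + seen]) != f.data[:seen]:
            return None, "overlapping-fragment"   # the overlap rewrites earlier data
        buf += f.data[seen:]
    if frags[-1].more:
        return None, "incomplete"
    return bytes(buf), None

def inspect(frags):
    """Verdict an inline IPS with VFR gives for one fragmented datagram."""
    payload, reason = reassemble(frags)
    if payload is None:
        return "drop:" + reason
    return "alert" if SIGNATURE.search(payload) else "allow"

# Constructed sample datagrams (not from the original page).
EVASIVE = [Frag(0, True, b"GET /cgi-bin/x?f=.."), Frag(19, True, b"/../etc/pas"),
           Frag(30, False, b"swd HTTP/1.0")]          # signature split across fragments
OVERLAP = [Frag(0, True, b"GET /index.html HTTP/1.0"),
           Frag(4, False, b"/../../etc/passwd HTTP/1.0")]  # second piece rewrites the first
TINY = [Frag(0, True, b"GET /x"), Frag(6, False, b" HTTP/1.0")]
```

Without reassembly, match_per_fragment(EVASIVE) never fires; after reassembly, inspect(EVASIVE) alerts, while OVERLAP and TINY are dropped before any signature is consulted.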

While the IPS is compiling a new signature for an engine, it lets packets pass through the router uninspected. A well-informed attacker may use that window to slip packets into the network. To prevent this, you can tell the IPS to block all traffic while the SMEs are being recompiled: enable Engine Fail Closed mode under Configure - Intrusion Prevention - Edit IPS - Global Settings - Global Engine.

As mentioned earlier, you can log to SDEE. The SDEE log can be found under Monitor - IPS Status - SDEE Log.

You can also go to Monitor - Logging - SDEE Message Log.

You can modify certain IPS signature settings from Configure - Intrusion Prevention - Edit IPS.

Notice the severity column. This is the severity level of the log message generated when that signature fires.

In IOS, you can see a summary of applied IPS settings using:
show ip ips configuration

Note that IPS version 4.x signatures are being discontinued. The new 5.x signature format is in effect as of IOS 12.4(11)T.
