
Friday, July 16, 2010

CCNA Security 18

Two kinds of security device are used to inspect packets: the IDS and the IPS. The Intrusion Detection System was the first product to come to market, but it only watches and reports, and plain IDS deployments are now far less common. The IPS, the Intrusion Prevention System, comes in two forms: the network IPS and the HIPS (host IPS), described at the end of these notes.
What we want nowadays is an automatic system, one that notifies the administrator AND stops the intrusion. That is what the IPS provides.

The IDS and IPS have one thing in common: detection. Both detect suspicious traffic with three methods:

-Profile - The device first monitors the network for a period to build a profile of normal traffic, which is then used as a baseline. Traffic that deviates from the baseline is treated as an anomaly and is logged (IDS) or dropped (IPS). This is the least reliable method: if a group of users legitimately does something different for a day, the deviation is flagged, and on an inline device that false positive can cut off legitimate traffic (a self-inflicted blackhole).

-Signature - Signature detection matches packet contents and behaviour against patterns of known attacks. There are several kinds of signatures: atomic signatures fire on a single packet, while composite signatures need several packets or events to match. This is the most reliable matching mechanism and gives the fewest false alarms, but it only catches attacks for which a signature already exists.

-Protocol - Protocol definitions force the device to check that traffic follows the standard for the protocol it claims to be. Packets crafted in a way that does not conform to the RFC are alerted on or dropped, whether or not a signature matches them.
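The three detection methods above, plus the risk rating that IPS 5.x attaches to a signature match (described further down), as an added worked example. This is not code from the original post or from Cisco's sensor software: the signatures are hypothetical ones written for the example, the protocol check is a simplified RFC 2616 request-line grammar, the profile detector is a plain statistical baseline, and all payloads and packet counts are constructed. The risk-rating formula (ASR x TVR x SFR / 10000) is what this example assumes the 5.x software uses.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes   # regex matched against the payload
    severity: int    # attack severity rating (ASR), 0-100
    fidelity: int    # signature fidelity rating (SFR), 0-100: how rarely it false-alarms


# Hypothetical signatures written for this example; not Cisco signature IDs.
SIGNATURES = [
    Signature("dir-traversal", rb"\.\./\.\./", severity=60, fidelity=70),
    Signature("etc-passwd-read", rb"/etc/passwd", severity=85, fidelity=90),
]

# Protocol check: a simplified RFC 2616 request line. Anything on the HTTP
# port that does not parse as a request is reported even without a signature hit.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n")


def signature_alerts(payload: bytes):
    """Signature detection: which known-bad patterns appear in the payload?"""
    return [s for s in SIGNATURES if re.search(s.pattern, payload)]


def protocol_anomaly(payload: bytes):
    """Protocol detection: None if the payload is a well-formed request, else why not."""
    if HTTP_REQUEST_LINE.match(payload) is None:
        return "request line does not follow the RFC 2616 grammar"
    return None


class TrafficProfile:
    """Profile detection: learn packets-per-interval during a quiet training
    window, then flag any interval more than `sigmas` standard deviations above it."""

    def __init__(self, sigmas: float = 3.0):
        self.sigmas = sigmas
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, counts_per_interval):
        self.mean = statistics.mean(counts_per_interval)
        self.stdev = statistics.pstdev(counts_per_interval)

    def is_anomalous(self, count: int) -> bool:
        return count > self.mean + self.sigmas * self.stdev


def risk_rating(sig: Signature, target_value: int = 100) -> int:
    """Risk rating as this example assumes IPS 5.x computes it:
    (ASR x TVR x SFR) / 10000, with the target value rating (TVR) on 0-100."""
    return sig.severity * target_value * sig.fidelity // 10000


def inspect(payload: bytes, target_value: int = 100):
    """Run signature and protocol detection on one HTTP-port payload.
    Returns (method, detail, risk_rating) tuples; protocol anomalies carry no rating."""
    alerts = [("signature", s.name, risk_rating(s, target_value))
              for s in signature_alerts(payload)]
    why = protocol_anomaly(payload)
    if why is not None:
        alerts.append(("protocol", why, None))
    return alerts


# Constructed sample payloads (not captured traffic).
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
TRAVERSAL = b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
MALFORMED = b"\x00\x01\x02 this is not an HTTP request\r\n"

if __name__ == "__main__":
    for payload in (NORMAL, TRAVERSAL, MALFORMED):
        print(payload[:28], inspect(payload))
    # Baseline learned from seven quiet intervals; a legitimate burst (everyone
    # fetching the same update at once) trips it, which is the false-positive
    # risk the text warns about.
    profile = TrafficProfile()
    profile.train([20, 22, 19, 21, 20, 23, 18])
    print("60 packets in one interval flagged:", profile.is_anomalous(60))
```

The traversal request is well-formed HTTP, so only the signature engine fires on it; the malformed payload matches no signature and is caught only by the protocol check. The burst at the end is flagged although nothing malicious happened, which is exactly why the profile method is the one to run in alert-only mode first.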

There are many ways to avoid being caught. The easiest is flooding: the attacker tries to overwhelm the sensor's CPU or memory to the point where it can no longer inspect every packet, then slips the real attack through while the sensor is overloaded.

Another way to avoid detection is fragmentation. The attack is split across fragments so that no single fragment contains the pattern a signature is looking for, and each fragment passes an IDS that inspects packets one at a time. This is where technologies like virtual reassembly come in: the sensor rebuilds the datagram or stream before matching it.

Encryption also gets traffic past an IDS/IPS, since the sensor cannot match on ciphertext, but it requires the attacker to first set up a security association with a device on the inside.

Obfuscation may also work: the attack is hidden by inserting control characters or by encoding the same bytes differently. Earlier devices were easily tricked by these special characters; current ones normalize the data before matching.
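The fragmentation evasion described above and the obfuscation just described, together with the virtual reassembly and normalization that defeat them, as an added example. It is not code from the original post or from any Cisco sensor: it assumes a single hypothetical content signature (/etc/passwd), uses constructed requests, and treats "normalize before matching" as repeated percent-decoding plus stripping of control characters, which is this example's own choice.

```python
import re
from urllib.parse import unquote_to_bytes

# Hypothetical content signature for this example: fires on a request that
# tries to read the Unix password file.
SIGNATURE = re.compile(rb"/etc/passwd")


def per_packet_match(segments) -> bool:
    """What an early sensor did: inspect each segment on its own, keeping no state."""
    return any(SIGNATURE.search(seg) for seg in segments)


def virtual_reassemble(fragments):
    """Rebuild the byte stream from (offset, data) fragments that may arrive out of
    order. Returns None while a hole remains, so nothing is matched on a partial
    stream. Overlapping bytes keep the earlier-offset copy; real stacks differ on
    this, which is itself an evasion technique (not covered here)."""
    stream = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset > len(stream):
            return None                        # hole: a fragment is still missing
        stream += data[len(stream) - offset:]  # skip bytes an overlap already wrote
    return bytes(stream)


# Control characters an early sensor passed through untouched. CR and LF are
# kept because HTTP needs them.
CONTROL_CHARS = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def normalize(payload: bytes, rounds: int = 3) -> bytes:
    """Undo obfuscation before matching: percent-decode repeatedly (to catch
    double encoding) and drop embedded control characters."""
    for _ in range(rounds):
        decoded = unquote_to_bytes(payload)
        if decoded == payload:
            break
        payload = decoded
    return CONTROL_CHARS.sub(b"", payload)


def stream_match(fragments) -> bool:
    """A sensor with virtual reassembly and normalization in front of the signature."""
    stream = virtual_reassemble(fragments)
    if stream is None:
        return False
    return SIGNATURE.search(normalize(stream)) is not None


# Constructed attack request, cut so the signature string straddles two
# fragments, with the second fragment delivered first.
REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
CUT = REQUEST.index(b"/etc/pa") + len(b"/etc/pa")
FRAGMENTS = [(CUT, REQUEST[CUT:]), (0, REQUEST[:CUT])]

# Constructed obfuscated request: percent-encoded letters and an embedded NUL.
OBFUSCATED = b"GET /cgi-bin/%2e%2e/%2e%2e/%65tc/pa%00sswd HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print("fragmented, per-packet :", per_packet_match([d for _, d in FRAGMENTS]))
    print("fragmented, reassembled:", stream_match(FRAGMENTS))
    print("obfuscated, per-packet :", per_packet_match([OBFUSCATED]))
    print("obfuscated, normalized :", stream_match([(0, OBFUSCATED)]))
```

Per-packet matching misses both constructed requests; the reassembling, normalizing sensor catches both. Note that the reassembler refuses to match until the stream is complete: matching on a stream with a hole in it is how a sensor gets talked into either a miss or a false alarm.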

IDS/IPS functionality is either added to existing devices or comes as a dedicated appliance. For modular routers (26xx, 28xx, etc.), the NM-CIDS network module adds hardware-based detection to the router; without it, router-based detection is done in software on the router's own CPU.

The first real standalone IPS appliance is the 4215 Sensor Appliance. It uses the same chassis as the 2800 series routers and allows 80 Mbit/s of inspection throughput (as opposed to 45 Mbit/s for the NM-CIDS). The 4215 also supports up to 5 sniffing interfaces (it comes with 1 by default). Sniffing interfaces are the interfaces the sensor actually listens on, as opposed to its management interface.

The ASA series supports a module known as the ASA Security Service Module. The ASA does some inspection on its own, but adding the module raises IPS throughput to 450 Mbps. The module's software and signatures are stored in flash inside the module itself.

The fastest of these IDS appliances are the 4240 and 4255. They use the same chassis as the ASA and support up to 600 Mbps of throughput. The only thing that matches this performance is the IDSM-2 module designed for the 6500 series switch.

A sensor can run in promiscuous mode or inline mode. Sensors in promiscuous mode are also known as IDS sensors: they operate out of band, receiving a copy of the traffic, typically from a switch port configured with SPAN to mirror the traffic to the sensor. Because it only sees a copy, a promiscuous sensor cannot stop a single-packet attack (the packet has already reached its target by the time the sensor reacts), and it may miss critical packets before it can tell other devices, such as the firewall or router, to block the source.

An IPS, on the other hand, sits inline: traffic actually goes THROUGH it, so it can drop a malicious packet before forwarding it and therefore prevents single-packet attacks. The trade-off is that an inline sensor adds latency and becomes a point of failure on the path, which is why bypass matters (see below).

Cisco's sensor software at this point is version 5.x. It has four major features:
-Risk rating - Each event gets a risk rating, so the administrator can categorize events into severity levels. Signature matches are also weighted by the accuracy (fidelity) of the signature, so a match from a signature known to false-alarm scores lower than one from a precise signature.

-Better uptime - HSRP support is added so that a failed sensor does not blackhole traffic. Software bypass has also been added: when the sensor software fails, the appliance turns into a plain bridge and passes traffic through uninspected, which also prevents a blackhole, at the cost of having no inspection while it is down.

-Application-layer inspection - Deep inspection of packets to determine which application generated them, rather than trusting the port number. This allows filtering of peer-to-peer applications and is similar to NBAR. Such inspection can go down to details like the type of a transferred file, identified by its extension.

-More intelligent detection - Overall far fewer false positives.

The IPS described so far is deployed as a network device. Another variant runs on the end host itself and is known as HIPS (Host IPS). HIPS can protect a system against vectors a network IPS cannot see, such as buffer overflows inside local processes, and provides execution-space protection. HIPS is not virus protection; it is closer to operating-system protection, controlling what processes on the host are allowed to do.
