chapter 16x

decisioncrunch, Networking and Communications

Nov 20, 2013

Slide 1: Chapter 16, Cisco IOS IPS




Slide 2: Securing Networks with IDS and IPS

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) sensors protect your network from malicious traffic. The two systems are deployed differently and scan for malicious traffic in different ways. Each system has strengths and weaknesses when deployed separately, but when used together, IDS and IPS can provide a much richer and deeper level of security.

Slide 3: Basic Functions of the Intrusion Detection System (IDS)

IDS is typically characterized as a passive listening device. This label is given to these systems because traffic does not have to pass through the system; IDS sensors listen promiscuously to all traffic on the network.

Slide 4: Basic Functions of the Intrusion Prevention System (IPS)

IPS is characterized as an active device. This is because the device is implemented as an inline sensor. The IPS requires the use of more than one interface, and all traffic must pass through the sensor. Network traffic enters through one interface and exits through another.

Slide 5: Using IDS and IPS Together

When you think about having one or the other of these sensors on your network, think about the benefits you would get from having both. An IPS sensor is much like a firewall; it can block traffic that is malicious or threatening. It should only block traffic that is known to be a threat, though. IPS should not block legitimate traffic, or you could suffer a disruption in legitimate connectivity and find that applications are unable to perform their tasks.

Slide 6: Benefits and Drawbacks of IPS/IDS Sensors

A network-based monitoring system has the benefit of easily seeing attacks that are occurring across the entire network.

Encryption of the network traffic stream can effectively blind the sensor. Reconstructing fragmented traffic can also be a difficult problem to solve.

Slide 7: Types of IDS and IPS Sensors

Network Based (NIPS, NIDS)

Host Based (HIPS, HIDS)

Slide 8: Network Based Intrusion Prevention System (NIPS)

Network-based sensors examine packets and traffic traversing the network for known signs of malicious activity. Because these systems only watch network traffic, an attack whose signature is detected may have succeeded or failed; it is usually difficult, if not impossible, for network-based monitoring systems to assess the success or failure of the actual attacks.

Slide 9: Host Based Intrusion Prevention System (HIPS)

A host-based sensor examines information at the local host or operating system. The HIPS has full access to the internals of the end station, and can relate incoming traffic to the activity on the end station to understand the context. Host-based sensors can be implemented at a couple of different levels of complexity.

Slide 10: Malicious Traffic Identification Approaches

Signature-based

Policy-based

Anomaly-based

Honeypot

Slide 11: Signature Types

Exploit signatures

Connection signatures

String signatures

DoS signatures
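The signature types listed above, together with the earlier distinction between a promiscuous IDS (alert only) and an inline IPS (drop), as an added Python example that is not part of the original slides: a toy sensor runs string, connection and DoS signatures over a constructed packet list in either mode, so the same signature set produces the same alerts but only the inline mode changes what is forwarded. The Packet class, the signature names and thresholds, and the sample traffic are all assumptions of this example, not Cisco's signature format.

```python
"""Toy signature sensor: the same signatures run in IDS mode (promiscuous,
alert only) and IPS mode (inline, matching packets dropped).
All packets, signature names and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # 0 for protocols without ports
    payload: bytes = b""


# Each signature is a callable (packet, state) -> bool; `state` is shared
# across packets so stateful signatures (DoS counters) can keep counts.
def string_sig(pattern: bytes):
    """String signature: fires when a byte pattern appears in the payload."""
    return lambda pkt, state: pattern in pkt.payload


def connection_sig(proto: str, dport: int):
    """Connection signature: fires on traffic to a forbidden service port."""
    return lambda pkt, state: pkt.proto == proto and pkt.dport == dport


def dos_sig(proto: str, threshold: int):
    """DoS signature: fires once a single source exceeds `threshold`
    packets of `proto`; every packet beyond the threshold alerts."""
    def check(pkt, state):
        if pkt.proto != proto:
            return False
        state[("dos", proto, pkt.src)] += 1
        return state[("dos", proto, pkt.src)] > threshold
    return check


# Constructed signature set (names and thresholds are illustrative).
SIGNATURES = {
    "string:/etc/passwd": string_sig(b"/etc/passwd"),
    "connection:telnet": connection_sig("tcp", 23),
    "dos:icmp-flood": dos_sig("icmp", 5),
}


def run_sensor(packets, mode="ids"):
    """Run all signatures over `packets`.

    Returns (alerts, forwarded). In "ids" mode the sensor only listens, so
    every packet is forwarded; in "ips" mode a packet that matches any
    signature is dropped instead of forwarded. Alerts are raised in both."""
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode {mode!r}")
    state = defaultdict(int)
    alerts, forwarded = [], []
    for pkt in packets:
        matched = [name for name, sig in SIGNATURES.items() if sig(pkt, state)]
        for name in matched:
            alerts.append((name, pkt.src, pkt.dst))
        if mode == "ips" and matched:
            continue            # inline sensor: matching packet is dropped
        forwarded.append(pkt)   # promiscuous sensor is never in the path
    return alerts, forwarded


# Constructed sample traffic: one normal request, one request carrying a
# string signature, one telnet connection attempt and a small ICMP burst.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.20", "tcp", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.20", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.7", "10.0.0.20", "tcp", 23),
] + [Packet("10.0.0.9", "10.0.0.20", "icmp", 0, b"ping") for _ in range(7)]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = run_sensor(SAMPLE_TRAFFIC, mode)
        print(f"{mode}: {len(alerts)} alerts, "
              f"{len(forwarded)}/{len(SAMPLE_TRAFFIC)} packets forwarded")
```

Running it shows the point of the slides: both modes raise four alerts (one string, one connection, two for the ICMP burst once the threshold is passed), but the IDS forwards all ten packets while the IPS forwards six. The DoS signature also illustrates why an inline sensor needs a threshold rather than a per-packet rule: dropping every ICMP packet would be the kind of over-blocking the "Using IDS and IPS Together" slide warns about.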

Slide 12: IPS Alarms

An IPS sensor can react in real time when a signature is matched. This allows the sensor to act before network security has been compromised. The sensor can optionally log what happened with a syslog message or via Security Device Event Exchange (SDEE).
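The syslog alarm path mentioned above, as an added Python example that is not part of the original slides: a parser for IOS IPS %IPS-4-SIGNATURE alarm lines and a small triage step that escalates alarms by risk rating and counts alarms per source. The sample log lines are constructed (timestamps, addresses, signature numbers and names are made up to illustrate the field layout), and parse_alarms and triage are this example's own functions.

```python
"""Parse Cisco IOS IPS syslog signature alarms and triage them by risk.
The sample lines are constructed: the field layout follows the
%IPS-4-SIGNATURE message format, but timestamps, addresses, signature
numbers and names are made up for illustration."""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
*Nov 20 10:15:32.123: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.10:0 -> 192.168.1.1:0] VRF:NONE RiskRating:25
*Nov 20 10:15:33.001: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.10:0 -> 192.168.1.2:0] VRF:NONE RiskRating:25
*Nov 20 10:16:05.440: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN Packet [192.168.1.10:4444 -> 192.168.1.1:22] VRF:NONE RiskRating:100
*Nov 20 10:16:07.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# One regex for the alarm body. VRF and RiskRating are optional so that a
# line without them still parses instead of being silently dropped.
ALARM_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))?(?: RiskRating:(?P<risk>\d+))?"
)
INT_FIELDS = ("sig", "subsig", "sev", "sport", "dport", "risk")


def parse_alarms(text: str) -> list:
    """Return one dict per IPS alarm line; non-IPS syslog lines are skipped."""
    alarms = []
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if not m:
            continue    # other facilities (%SYS, %SEC, ...) are not alarms
        rec = m.groupdict()
        for key in INT_FIELDS:
            if rec[key] is not None:
                rec[key] = int(rec[key])
        rec["raw"] = line
        alarms.append(rec)
    return alarms


def triage(alarms: list, min_risk: int = 50):
    """Split alarms into those at or above `min_risk` (to escalate) and a
    per-source count of everything seen. Falls back to the Sev field
    when an alarm carries no RiskRating."""
    escalate = [a for a in alarms
                if (a["risk"] if a["risk"] is not None else a["sev"]) >= min_risk]
    per_source = Counter(a["src"] for a in alarms)
    return escalate, per_source


if __name__ == "__main__":
    alarms = parse_alarms(SAMPLE_SYSLOG)
    escalate, per_source = triage(alarms)
    for a in escalate:
        print(f"ESCALATE sig {a['sig']} ({a['name']}) {a['src']} -> {a['dst']}:{a['dport']} risk {a['risk']}")
    print("alarms per source:", dict(per_source))
```

The per-source counter is the kind of aggregation that makes the low-severity echo-request alarms useful: on their own they are noise, but the same source also generating a high-risk alarm is worth a look, which is exactly what the sensor cannot tell you from a single syslog line.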

Slide 13: Configuring IOS IPS

It is now time to look at the configuration of IOS IPS. This section takes you through the configuration process using the SDM interface. The SDM gives you quite a few configuration capabilities for IOS IPS. You can configure every option through the IPS Edit menu.

Slide 14: SDM Home Screen

Slide 15: Default Configuration Screen

Slide 16: Default IPS Screen

Slide 17: SDEE Enable Notification

Slide 18: IPS Wizard Welcome Screen

Slide 19: Select Interfaces Screen

Slide 20: SDF Locations Screen

Slide 21: Add a Signature Location Dialog Box

Slide 22: SDF Locations with File Added

Slide 23: Wizard Summary Page

Slide 24: Summary