
Implementing Secure Converged Wide Area Networks (ISCW)


kaida


Presentation Transcript


  1. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features

  2. Module 6: Cisco IOS Threat Defense Features Lesson 6.4: Introducing Cisco IOS IPS

  3. Objectives
  • Compare and contrast intrusion detection systems (IDS) and intrusion prevention systems (IPS).
  • Describe the Cisco IPS products and technologies.
  • Define IDS and IPS types and options.
  • Compare network-based and host-based IPS (NIPS and HIPS).

  4. Intrusion Detection System
  • IDS is a passive device:
    • Traffic does not pass through the IDS; it inspects a copy of the traffic.
    • Typically uses only one promiscuous (monitoring) interface.
  • IDS is reactive:
    • IDS generates an alert to notify the manager of malicious traffic after that traffic has already been seen on the wire.
  • Optional active response:
    • Further malicious traffic can be denied by a security appliance or router that acts on the alert.
    • TCP resets can be sent to the source device to tear down the offending session.

  5. Intrusion Prevention System
  • IPS is an active device:
    • All traffic passes through the IPS; it sits inline in the forwarding path.
    • IPS uses multiple interfaces, one on each side of the path it protects.
  • Proactive prevention:
    • IPS drops traffic it identifies as malicious before that traffic reaches the target.
    • IPS sends an alert to the management station.

  6. Combining IDS and IPS
  • IPS actively blocks offending traffic:
    • Should not block legitimate data.
    • Only stops “known malicious traffic”.
    • Requires focused tuning to avoid connectivity disruption.
  • IDS complements IPS:
    • Verifies that the IPS is still operational (known-bad traffic seen behind the IPS means it is not blocking).
    • Alerts you about any suspicious data except “known good traffic”.
    • Covers the “gray area” of possibly malicious traffic that the IPS did not stop.
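The placement described on slides 4 to 6 (an inline IPS that drops known-bad traffic, a passive IDS on a mirrored copy that alerts on everything not known good and notices when the IPS has stopped blocking) is easy to lose in the bullet points. The following Python model is an added example, not code from the course or from Cisco: the packet records, the two-entry “known malicious” list standing in for a signature database and the “known good” port set are all constructed for illustration, and the `operational` flag simply simulates a failed or bypassed inline sensor.

```python
"""Inline IPS and passive IDS working together (constructed model, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed stand-ins for a tuned signature set and a known-good policy.
KNOWN_MALICIOUS = (b"../../etc/passwd", b"cmd.exe?/c")
KNOWN_GOOD_PORTS = {80, 443}


def is_known_malicious(pkt: Packet) -> bool:
    return any(marker in pkt.payload for marker in KNOWN_MALICIOUS)


@dataclass
class InlineIPS:
    """Traffic passes through; a matching packet is dropped and an alert raised."""
    operational: bool = True          # False simulates a failed or bypassed sensor
    alerts: list = field(default_factory=list)

    def forward(self, pkt: Packet):
        if self.operational and is_known_malicious(pkt):
            self.alerts.append(("deny", pkt))
            return None               # packet never reaches the destination
        return pkt


@dataclass
class PassiveIDS:
    """Sees a copy of traffic on a promiscuous interface. It can alert and
    request a TCP reset but can never drop a packet itself."""
    alerts: list = field(default_factory=list)
    resets: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> None:
        if is_known_malicious(pkt):
            # Known-bad traffic on the far side of the IPS means the IPS is not
            # blocking: alert, and fire the optional TCP reset toward the source.
            self.alerts.append(("ips-not-blocking", pkt))
            self.resets.append(("RST", pkt.dst, pkt.src))
        elif pkt.dport not in KNOWN_GOOD_PORTS:
            # The "gray area": not known bad, not known good either.
            self.alerts.append(("suspicious", pkt))


def run(packets, ips: InlineIPS, ids: PassiveIDS):
    """Push packets through the IPS, mirror survivors to the IDS, return what was delivered."""
    delivered = []
    for pkt in packets:
        out = ips.forward(pkt)
        if out is None:
            continue
        ids.inspect(out)              # SPAN/mirror copy of the forwarded packet
        delivered.append(out)
    return delivered


# Constructed sample traffic: one clean request, one traversal attempt, one
# request to a port outside the known-good set.
SAMPLE = [
    Packet("10.1.1.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.1.1.6", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.1.1.7", "192.0.2.10", 8080, b"GET /admin HTTP/1.1"),
]


def scenario(ips_operational: bool) -> dict:
    ips, ids = InlineIPS(operational=ips_operational), PassiveIDS()
    delivered = run(SAMPLE, ips, ids)
    return {
        "delivered": len(delivered),
        "ips_denied": [a[0] for a in ips.alerts],
        "ids_alerts": [a[0] for a in ids.alerts],
        "ids_resets": len(ids.resets),
    }


if __name__ == "__main__":
    print(scenario(True))    # IPS drops the traversal; IDS only sees the gray-area request
    print(scenario(False))   # IPS down: IDS raises "ips-not-blocking" and sends a reset
```

With the IPS operational, the traversal packet never reaches the IDS and the only IDS alert is the gray-area request to port 8080; with the IPS disabled, the same traversal shows up behind it, which is exactly the “is the IPS still working” check slide 6 assigns to the IDS.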

  7. Cisco IOS IPS Products and Technologies
  • Cisco IOS IPS shares technology with the Cisco IDS and IPS product line:
    • Cisco IDS Series appliances
    • Cisco Catalyst Series IDS services modules
    • Cisco network module hardware IDS appliances
  • Cisco IOS IPS uses a blend of detection technologies:
    • Profile-based intrusion detection
    • Signature-based intrusion detection
    • Protocol analysis-based intrusion detection

  8. IDS and IPS Types and Options

  9. Network-Based and Host-Based IPS
  • NIPS: sensor appliances are connected to network segments to monitor many hosts.
  • HIPS: centrally managed software agents are installed on each host.
    • Cisco Security Agents (CSAs) defend the protected hosts and report to the central management console.
    • HIPS provides detection and protection for the individual host.
    • HIPS does not require special hardware.

  10. Comparing HIPS and NIPS

  11. NIPS Features
  • Sensors are network appliances that you tune for intrusion detection analysis:
    • The operating system is “hardened”.
    • The hardware is dedicated to intrusion detection analysis.
  • Sensors are connected to network segments; a single sensor can monitor many hosts.
  • Growing networks are easily protected:
    • New hosts and devices can be added without adding sensors.
    • New sensors can be easily added to new networks.

  12. NIDS and NIPS Deployment

  13. Signature-Based IDS and IPS
  • Observes, and blocks or alarms, if a known malicious event is detected:
    • Requires a database of known malicious patterns.
    • The database must be continuously updated.

  14. Policy-Based IDS and IPS
  • Observes, and blocks or alarms, if an event outside the configured policy is detected.
  • Requires a policy database.

  15. Anomaly-Based IDS and IPS
  • Observes, and blocks or alarms, if an event outside known normal behavior is detected:
    • Statistical versus nonstatistical anomaly detection.
    • Requires a definition of “normal”.

  16. Honeypot-Based IDS and IPS
  • Observes a special system and alarms if any activity is directed at that system:
    • The special system is a trap for attackers and is not used for anything else.
    • The special system is well isolated from the rest of the environment.
    • The system is typically used as an IDS, not an IPS.
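Slides 13 to 16 name the four detection approaches without showing what each one actually needs as input. The Python below is an added example written for this page, not course or Cisco code: it runs all four approaches over constructed flow records, and the signature list, the allowed-traffic policy, the “normal” baseline and the honeypot address are all made-up illustrations of the database, policy, definition of normal and decoy that the respective slides say each approach requires.

```python
"""The four detection approaches (signature, policy, anomaly, honeypot) over
constructed flow records. Added illustration, not a Cisco implementation."""
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Signature-based: patterns of known attacks; this list must be kept current.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./"),
    "shell-cmd": re.compile(rb"cmd\.exe|/bin/sh"),
}

# Policy-based: what the configured policy allows out of this segment.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Honeypot-based: address of a decoy that no legitimate host ever talks to.
HONEYPOT = "192.0.2.250"


def signature_based(flows):
    return [(f.src, name) for f in flows
            for name, rx in SIGNATURES.items() if rx.search(f.payload)]


def policy_based(flows):
    return [(f.src, f"{f.proto}/{f.dport} not in policy")
            for f in flows if (f.proto, f.dport) not in ALLOWED]


def anomaly_based(flows, baseline, zmax=3.0):
    """Statistical anomaly detection: flag sources whose flow count lies more
    than zmax standard deviations above the learned per-source baseline."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0    # guard a flat baseline
    counts = Counter(f.src for f in flows)
    return [(src, f"{n} flows, z={(n - mean) / stdev:.1f}")
            for src, n in counts.items() if (n - mean) / stdev > zmax]


def honeypot_based(flows):
    return [(f.src, f"touched honeypot {f.proto}/{f.dport}")
            for f in flows if f.dst == HONEYPOT]


def detect(flows, baseline):
    return {
        "signature": signature_based(flows),
        "policy": policy_based(flows),
        "anomaly": anomaly_based(flows, baseline),
        "honeypot": honeypot_based(flows),
    }


# Constructed sample: normal web traffic, one exploit attempt, one policy
# violation (telnet), one scanner hammering 40 ports, one probe of the decoy.
SAMPLE = (
    [Flow("10.1.1.5", "192.0.2.10", "tcp", 80, b"GET /index.html")] * 3
    + [Flow("10.1.1.6", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd")]
    + [Flow("10.1.1.7", "192.0.2.10", "tcp", 23, b"login:")]
    + [Flow("10.1.1.9", "192.0.2.10", "tcp", p, b"") for p in range(1000, 1040)]
    + [Flow("10.1.1.8", HONEYPOT, "tcp", 22, b"SSH-2.0-scan")]
)
# Constructed baseline: flows per source seen during a normal training window.
BASELINE = [2, 3, 4, 3, 2, 5, 3, 4]


if __name__ == "__main__":
    for approach, hits in detect(SAMPLE, BASELINE).items():
        print(f"{approach:10s} {len(hits):3d} hit(s)  {hits[:2]}")
```

Note how the approaches disagree: the port scanner trips the policy check 40 times and the anomaly check once, the traversal attempt is caught only by the signature, and the honeypot probe is also a policy violation. That overlap is why a sensor normally combines them rather than relying on one.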

  17. Signature Categories
  • Four types of signatures:
    • Exploit signatures match specific known attacks.
    • Connection signatures match particular protocol traffic (for example, a connection to a given port).
    • String signatures match string sequences in packet data.
    • DoS signatures match denial-of-service attempts.
  • Signature selection is based on:
    • Type of network protocol
    • Operating system
    • Service
    • Attack type
  • Number of available signatures:
    • About 1500 for IPS sensors, 1200 for IOS IPS

  18. Exploit Signatures
  • DNS reconnaissance and DoS
  • Worms, viruses, Trojan horses, adware, malware
  • Port sweeps
  • Port scans
  • TCP SYN attack
  • Fragmentation attacks
  • IP options
  • ICMP reconnaissance and DoS
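Slides 17 and 18 describe a signature set by category and say that signatures are selected by protocol, operating system, service and attack type, but give no feel for how the categories differ in what they inspect or how selection cuts the set down. The Python below is an added example for this page, not the Cisco signature format and not course code: the five constructed signatures (one exploit signature on IP options, one connection signature for telnet, two string signatures, one SYN-flood DoS signature) carry an action and selection metadata, and `select` retires the ones that do not apply to the protected environment, which is the tuning slide 6 says an inline IPS needs.

```python
"""Signature categories (exploit, connection, string, DoS) with per-signature
actions and environment-based selection. Constructed illustration only."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int
    flags: str = ""            # TCP flags as letters; "S" = SYN only
    ip_options: bool = False
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    category: str              # exploit | connection | string | dos
    action: str                # alarm | deny | reset
    proto: str = "any"         # selection criteria: protocol, OS, service
    os: str = "any"
    service: str = "any"
    match: object = None       # category-specific matcher, interpreted in run()


# Constructed signature set (real sensors ship on the order of 1500).
SIGNATURES = [
    Signature(1001, "IP options present", "exploit", "deny", proto="ip",
              match=lambda p: p.ip_options),
    Signature(2001, "Telnet connection", "connection", "alarm", proto="tcp",
              match=lambda p: p.proto == "tcp" and p.dport == 23),
    Signature(3001, "IIS cmd.exe request", "string", "deny", proto="tcp",
              os="windows", service="http", match=re.compile(rb"cmd\.exe")),
    Signature(3002, "Unix passwd fetch", "string", "deny", proto="tcp",
              os="unix", service="http", match=re.compile(rb"/etc/passwd")),
    Signature(4001, "TCP SYN flood", "dos", "reset", proto="tcp",
              match=20),       # SYNs from one source to one target before firing
]


def select(signatures, protocols, os_family, services):
    """Keep only signatures relevant to the protected environment; the rest
    are retired so they cannot cause false positives or block legitimate data."""
    return [s for s in signatures
            if s.proto in ("any", *protocols)
            and s.os in ("any", os_family)
            and s.service in ("any", *services)]


def run(packets, signatures):
    """Return (verdict per packet index, event list). DoS signatures are the
    only ones that keep state across packets."""
    syn_count = Counter()
    verdicts, events = {}, []
    for i, p in enumerate(packets):
        actions = set()
        for s in signatures:
            hit = False
            if s.category in ("exploit", "connection"):
                hit = bool(s.match(p))                       # header test
            elif s.category == "string":
                hit = s.match.search(p.payload) is not None  # payload pattern
            elif s.category == "dos" and p.proto == "tcp" and p.flags == "S":
                syn_count[(p.src, p.dst)] += 1
                hit = syn_count[(p.src, p.dst)] >= s.match   # rate threshold
            if hit:
                events.append((s.sid, s.action, p.src))
                actions.add(s.action)
        # Inline: deny and reset both drop the packet; alarm only notifies.
        verdicts[i] = "drop" if actions & {"deny", "reset"} else "pass"
    return verdicts, events


# Constructed traffic: clean request, two string hits, a telnet SYN, a packet
# with IP options, then 25 bare SYNs from one host to one target.
SAMPLE = [
    Pkt("10.1.1.5", "192.0.2.10", "tcp", 80, payload=b"GET /index.html"),
    Pkt("10.1.1.6", "192.0.2.10", "tcp", 80, payload=b"GET /cgi-bin/cmd.exe?/c+dir"),
    Pkt("10.1.1.6", "192.0.2.10", "tcp", 80, payload=b"GET /../../etc/passwd"),
    Pkt("10.1.1.7", "192.0.2.10", "tcp", 23, flags="S"),
    Pkt("10.1.1.8", "192.0.2.10", "tcp", 80, ip_options=True),
] + [Pkt("10.1.1.9", "192.0.2.10", "tcp", 80, flags="S") for _ in range(25)]


if __name__ == "__main__":
    verdicts, events = run(SAMPLE, SIGNATURES)
    print("all signatures:", sum(v == "drop" for v in verdicts.values()), "dropped")
    unix_only = select(SIGNATURES, ["ip", "tcp"], "unix", ["http"])
    verdicts, events = run(SAMPLE, unix_only)
    print("unix web segment:", sum(v == "drop" for v in verdicts.values()), "dropped")
```

Selecting for a Unix web segment retires the IIS signature, so the `cmd.exe` request is passed rather than dropped there; whether that is acceptable is exactly the tuning decision the slides leave to the operator. The SYN-flood signature shows why DoS signatures differ from the other three: it fires on the twentieth SYN, not on any single packet.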

  19. Signature Examples

  20. Summary
  • An intrusion detection system (IDS) is a software- or hardware-based solution that passively listens to a copy of network traffic.
  • An intrusion prevention system (IPS) is an active device in the traffic path that listens to network traffic and permits or denies flows and packets into the network.
  • In a network-based system, or network intrusion prevention system (NIPS), the IPS analyzes individual packets that flow through a network segment.
  • In a host-based system, or host-based intrusion prevention system (HIPS), the agent examines the activity on each individual computer or host.
  • IDS and IPS use one or more of four approaches to identify malicious traffic:
    • Signature-based
    • Policy-based
    • Anomaly-based
    • Honeypot-based

  21. Q and A

  22. Resources
  • Cisco Intrusion Prevention System
    http://cisco.com/en/US/partner/products/sw/secursw/ps2113/index.html
  • Cisco Intrusion Prevention System Support
    http://cisco.com/en/US/partner/products/sw/secursw/ps2113/tsd_products_support_series_home.html
