Module 1: Intrusion Detection and Prevention Technology

Network Security 2 v2.0

PDF created with pdfFactory trial version www.pdffactory.com


Overview



Extra: Primary IPS Terminology





Overview of Intrusion Detection and Prevention



Introduction to intrusion detection and prevention

• Intrusion detection is the ability to detect attacks against a network and send logs to a management console. It provides the following defense mechanism:
– Detection – Identifies malicious attacks on network and host resources.



Introduction to intrusion detection and prevention

• Intrusion prevention is the ability to stop attacks against the network and should provide the following active defense mechanisms:
– Detection – Identifies malicious attacks on network and host resources.
– Prevention – Stops the detected attack from executing.
– Reaction – Immunizes the system from future attacks from a malicious source.


Introduction to intrusion detection and prevention

• Response Options
When a signature match is found, the IDS or IPS may perform the following actions:
– Alarm – Sends alarms to an internal or external log and then forwards the packet through.
– Reset – If the session is TCP, sends packets with the reset flag set to both session participants, and forwards the packet.
– Drop – Immediately drops the packet.
– Block – Denies traffic from the source address of the attack.


Extra: Combining IDS and IPS

• IDS and IPS are often deployed in parallel in enterprise networks.
• The IPS actively blocks offending traffic and can be considered another implementation of a firewall system.
– The IPS should be tuned to block only known malicious traffic in order to avoid connectivity disruptions.
• An IDS can verify that the IPS is really blocking offending traffic.
• The IDS can be configured to send alerts about the “gray area” traffic: data that is neither clearly malicious nor clearly legitimate.



Extra: IP Session Logging

• After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station.
• The information is saved in a memory-mapped file on both the sensor and the management platform. This memory-mapped file is in binary format.
• The sensor uses RDEP to communicate with the external world, and so does the IP logging feature. It is a two-way, client-server HTTP communication in which the client (sensor) sends an RDEP request, which is answered by the management station with an RDEP response.
• All RDEP messages consist of two parts:
– Header
– Entity body


Extra: IP Session Logging

• Step 1 illustrates the initial attack on the web server.
• The network IDS notices the attack and sends an alarm to the management server (step 2).
• The communication between server and sensor is a two-way mechanism. The IP log feature captures the session in a pcap file. Once the event occurs, the IP log response that is sent from the server to the sensor is in HTML/XML format. This response contains an error status code and a description of the event.
• The IP logging feature allows the network administrator to easily archive the data, write scripts for parsing the data, and monitor the attacks. The IP logging feature is helpful to analyze events, but it does impact sensor performance; therefore, disk utilization needs to be watched carefully.


Extra: Active Response: TCP Resets

• After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station.
• The network IDS may terminate the Layer 4 session by sending a TCP RST packet to the attacked server and the attacking host.



Extra: Active Response: Shunning or Blocking

• After a sensor detects an attack, an alarm is generated by the sensor and sent to the management station.
• The network IDS can shut the attacker out of the network, usually by setting access control rules on a border device such as a router or firewall.



Network-based versus host-based

• Two basic types of IDSs in the market today are:
– Host-based IDSs (HIDS)
– Network-based IDSs (NIDS)



Network-based versus host-based

• Host-based Intrusion Technology
Host-based intrusion response is typically implemented as inline or passive technology depending on the vendor.
– The passive technology, which was the first generation technology, is called host-based intrusion detection system (HIDS), which basically sends logs after the attack has occurred and the damage is done.
– The inline technology, called host-based intrusion prevention system (HIPS), actually stops the attack and prevents damage and propagation of worms and viruses.


Extra: Architecture of the Host Sensor Agent



Network-based versus host-based

• Network-based Intrusion Technology
Just like host-based intrusion technology, a network intrusion detection system can be based on active or passive detection.
– Sensors are deployed at network entry points that protect critical network segments. The network segments have both internal and external corporate resources.
– Sensors capture and analyze the traffic as it traverses the network. Sensors are typically tuned for intrusion detection analysis. The underlying operating system is stripped of unnecessary network services and essential services are secured.
– The sensors report to a central Director server located inside the corporate firewall.


Extra: Network-Based IDS Architecture



Extra: Benefits of Network-based

• A network-based intrusion system (compared to a host-based solution) has the following benefits:
– Overall network perspective
– Does not have to run on every OS on the network.



Types of alarms

• False Alarms
These alarms represent situations in which the IDS fails to accurately
indicate what is happening on the network.
• True Alarms
These alarms represent situations in which the IDS accurately
indicates what is happening on the network.



Types of alarms

• False Positives
– False positives occur when the IDS generates an alarm based on
normal network activity.
– False positives force administrators to waste time and resources
analyzing phantom attacks.
• False Negatives
– When the IDS fails to generate an alarm for known intrusive
activity, it is called a false negative.
– False negatives represent actual attacks that the IDS missed even
though it is programmed to detect the attack.
– Most IDS developers tend to design their systems to prevent false
negatives.



Types of alarms

• True Positives
– In the case of true positives, the IDS generates an alarm correctly
in response to actually detecting the attack traffic that a signature is
designed to detect.
– In an ideal world, 100 percent of the alarms generated by an IDS
would be true positives, meaning that every alarm corresponds to
an actual attack against the network.
• True Negatives
– Like false negatives, true negatives do not represent actual alarms
that are generated by the IDS. Instead, a true negative represents a
situation in which an IDS signature does not alarm when it is
examining normal user traffic.
– This is the correct behavior. This makes a true negative the
opposite of a false positive.



Inspection Engine



Extra: Cisco IOS IPS/IDS Triggers

• IDS and IPS use one of four approaches to identifying malicious traffic:
– Signature-based (or Misuse Detection)
– Policy-based
– Anomaly-based
– Honeypot-based



Signature-based detection

• Signature-based detection, at a very basic level, can be compared to virus checking programs.
• IDS vendors produce and build signatures that the IDS system uses to compare against activity on the network or host.
– When a match is found, the IDS takes action.
– The actions taken could include logging the event or sending an alarm to a management console.
• Although many vendors allow users to configure existing signatures and create new ones, customers are primarily dependent on the vendors to provide the latest signatures to keep the IDS up to date.
• Signature-based detection can also produce false positives, as certain normal network activity can appear to be malicious.


Extra: Misuse Detection

• Some of the benefits of misuse detection are as follows:
– Signatures are based on known intrusive activity
– Attacks detected are well defined
– System is easy to understand
– Detects attacks immediately after installation



Types of signatures



Anomaly-based detection

• Anomaly detection is also sometimes referred to as profile-based detection.
• With anomaly detection, the administrator must build profiles for each user group on the system. This profile incorporates typical user habits, the services that are normally used, and other relevant information.
– These profiles can be learned over a period of time or they can be modeled on historical behavior.
– This profile defines the behavior characteristics for a user group, in essence establishing a baseline for the activities that a normal user routinely does to perform the job.
• Anytime a user deviates too far from the profile, the IDS generates an alarm.



Extra: Anomaly-based detection

• The main advantage of anomaly detection is that the alarms generated are not based on signatures for specific known attacks.
• Instead, they are based on a profile that defines normal user activity.
• Therefore, an anomaly-based intrusion system can generate alarms for previously unpublished attacks, as long as the new attack deviates from normal user activity by a significant amount.
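As an added illustration (not part of the course material), the following Python sketch learns a baseline profile per user group from constructed historical sessions, the services the group normally uses and its typical outbound volume, and then alarms on new sessions that deviate too far from it. Group names, services, byte counts and the z-score threshold of 3.0 are all constructed assumptions of this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    user: str
    group: str
    service: str    # application protocol used, e.g. "http"
    bytes_out: int  # bytes the user sent during the session


class GroupProfile:  # baseline for one user group, learned from its history
    def __init__(self, sessions):
        self.services = Counter(s.service for s in sessions)
        volumes = [s.bytes_out for s in sessions]
        self.mean = mean(volumes)
        self.std = pstdev(volumes) or 1.0  # flat baseline: keep z-scores finite

    def deviations(self, s, z_threshold):
        """Return how a session departs from the baseline; empty means normal."""
        reasons = []
        if s.service not in self.services:  # a service this group never uses
            reasons.append(("unprofiled-service", s.service))
        z = abs(s.bytes_out - self.mean) / self.std  # volume vs. the group norm
        if z > z_threshold:
            reasons.append(("volume-z", round(z, 1)))
        return reasons


def learn_profiles(history):
    """One GroupProfile per user group, modelled on historical behaviour."""
    by_group = defaultdict(list)
    for s in history:
        by_group[s.group].append(s)
    return {group: GroupProfile(ss) for group, ss in by_group.items()}


def detect_anomalies(profiles, sessions, z_threshold=3.0):
    """Return [(session, reasons)] for each session that deviates from its profile."""
    alarms = []
    for s in sessions:
        profile = profiles.get(s.group)
        if profile is None:  # no baseline for this group: surface, do not ignore
            alarms.append((s, [("no-profile", s.group)]))
            continue
        reasons = profile.deviations(s, z_threshold)
        if reasons:
            alarms.append((s, reasons))
    return alarms


# Constructed history: finance uses only HTTP and SMTP, 40-59 KB out per session.
HISTORY = ([Session(f"fin{i}", "finance", "http", 50_000 + 1_000 * i) for i in range(10)]
           + [Session(f"fin{i}", "finance", "smtp", 40_000 + 1_000 * i) for i in range(10)])
# Constructed new sessions: one routine, one new service, one huge upload, one unknown group.
NEW_SESSIONS = [Session("alice", "finance", "http", 52_000),
                Session("bob", "finance", "ssh", 45_000),
                Session("carol", "finance", "http", 900_000),
                Session("eve", "engineering", "http", 50_000)]


def run():
    return detect_anomalies(learn_profiles(HISTORY), NEW_SESSIONS)
```

Only bob (a service the group has never used), carol (volume far outside the baseline) and eve (a group with no profile) are alarmed; alice stays silent even though her session is not identical to any historical one, which is the point of a profile rather than a signature.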



Extra: Policy-Based IDS and IPS

• The policy-based approach bases alarm decisions on an algorithm.
• An example of this type of policy is a policy that is used to detect a port sweep. This policy looks for the presence of a threshold number of unique ports being scanned on a particular machine. The policy may further restrict itself through the specification of the types of packets that the policy is interested in (for example, SYN packets). Additionally, there may be a requirement that all the probes must originate from a single source.
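The following Python example is added here and is not part of the course material. It implements the port-sweep policy just described (SYN packets only, a single source, a threshold number of unique ports on one target) over constructed packet records, and then sorts each verdict into the true/false positive/negative categories from the Types of alarms slides. Addresses, ports and the threshold of 10 are constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass

TCP_SYN = 0x02  # TCP flag bits the policy inspects
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int


def detect_port_sweeps(packets, threshold=10):
    """Apply the port-sweep policy: one source, one target, >= threshold unique ports.

    Only pure SYN packets count, so the ACK/data packets of established
    connections never add to the port count. Returns {(src, dst): sorted ports}.
    """
    ports = defaultdict(set)
    for p in packets:
        if p.flags & TCP_SYN and not p.flags & TCP_ACK:
            ports[(p.src, p.dst)].add(p.dport)
    return {pair: sorted(s) for pair, s in ports.items() if len(s) >= threshold}


def classify_alarms(alarmed, truth):
    """Sort each (src, dst) pair into the four alarm types from the slides.

    alarmed: output of detect_port_sweeps; truth: {pair: True if it really was a sweep}.
    """
    result = {"true_positive": [], "false_positive": [],
              "true_negative": [], "false_negative": []}
    for pair, is_attack in truth.items():
        fired = pair in alarmed
        if fired:
            result["true_positive" if is_attack else "false_positive"].append(pair)
        else:
            result["false_negative" if is_attack else "true_negative"].append(pair)
    return result


def build_sample_traffic():
    """Constructed packets: a real sweep, a busy normal client, and a small sweep."""
    pkts = [Packet("10.0.0.66", "192.0.2.10", port, TCP_SYN) for port in range(20, 32)]
    for _ in range(30):  # normal client: many connections, but only to ports 80 and 443
        pkts += [Packet("10.0.0.7", "192.0.2.10", 80, TCP_SYN),
                 Packet("10.0.0.7", "192.0.2.10", 80, TCP_ACK),
                 Packet("10.0.0.7", "192.0.2.10", 443, TCP_SYN)]
    # Five probes only: real reconnaissance, but below the policy threshold.
    pkts += [Packet("10.0.0.99", "192.0.2.10", port, TCP_SYN) for port in (21, 22, 23, 25, 3389)]
    return pkts


GROUND_TRUTH = {("10.0.0.66", "192.0.2.10"): True,
                ("10.0.0.7", "192.0.2.10"): False,
                ("10.0.0.99", "192.0.2.10"): True}


def run(threshold=10):
    alarmed = detect_port_sweeps(build_sample_traffic(), threshold)
    return classify_alarms(alarmed, GROUND_TRUTH)
```

With the threshold at 10 the busy client is a true negative and the five-port probe is a false negative; lowering the threshold to 5 catches it, which is the tuning trade-off between missed attacks and false positives that the alarm slides describe.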



Extra: Honeypot-Based IDS and IPS

• Honeypot systems provide a dummy server to attract attacks. The philosophy of the honeypot approach is to distract attacks away from the real network devices.
• The honeypot offers the possibility of analyzing incoming attacks and malicious traffic patterns in order to be prepared when this type of traffic hits the real network.
• When implementing honeypots, you dedicate servers that can be sacrificed to being compromised. You should never trust such systems, because the system may have been compromised without you noticing the changes.


Cisco IDS and IPS Devices



Cisco integrated solutions

• Cisco intrusion detection and prevention solutions are part of the Cisco Self-Defending Network. Designed to identify and stop worms, network viruses, and other malicious traffic, these solutions can help protect the network.
• IOS Intrusion Prevention System (IPS)
– Cisco IOS Intrusion Prevention System (IPS) is an in-line, deep-packet inspection-based solution that helps enable Cisco IOS Software to effectively mitigate a wide range of network attacks without compromising router performance.


Extra: Cisco IOS IPS

• Cisco IOS IPS combines existing Cisco IDS and IPS product features with three different intrusion detection techniques.
• Cisco IOS IPS uses a blend of Cisco IDS and IPS products from the Cisco IDS and IPS sensor product lines, including Cisco IDS 4200 Series appliances, Cisco Catalyst 6500 Series IDS services modules, and network module hardware IDS appliances.



Extra: Protocol Analysis

• Protocol analysis-based intrusion detection is similar to signature-based intrusion detection, but it performs a more in-depth analysis of the protocols specified in the packets.
• A deeper analysis examines the payloads within TCP and UDP packets, which contain other protocols.
• For example, a protocol such as Domain Name System (DNS) is contained within TCP or UDP, which itself is contained within IP.



Cisco integrated solutions

• PIX and ASA Security Appliances
– The PIX Security Appliance and Adaptive Security Appliances are a key element in the overall Cisco end-to-end security solution.
– The Cisco Security Appliances provide integrated in-line intrusion detection and prevention. PIX Software Versions 5.2 and higher support intrusion detection.
– The intrusion detection and prevention capabilities of the Adaptive Security Appliance 5500 series can be increased through the addition of a Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM).



Extra: Characteristics of Cisco AIP-SSM

• The Cisco AIP SSM helps users stop threats with greater confidence through the use of:
– Accurate inline prevention technologies – Provides unparalleled ability to take preventive action against a broader range of threats without the risk of dropping legitimate traffic. These unique technologies offer intelligent, automated, contextual analysis of your data and help ensure you are getting the most out of your intrusion prevention solution.
– Multivector threat identification – Protects your network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7.
– Unique network collaboration – Enhances scalability and resiliency through network collaboration, including efficient traffic capture techniques, load-balancing capabilities, and visibility into encrypted traffic.
– Powerful management, event correlation, and support services – Enables a complete solution, including configuration, management, data correlation, and advanced support services. In particular, the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) identifies, isolates, and recommends precision removal of offending elements, for a network-wide intrusion prevention solution. And the Cisco Incident Control System (ICS) prevents new worm and virus outbreaks by enabling the network to rapidly adapt and provide a distributed response.





Cisco integrated solutions

• Cisco IDS Network Module
– The Cisco IDS Network Module for the Cisco 2600XM, 3600, and 3700 series routers is part of the Cisco IDS Family sensor portfolio and the Cisco Intrusion Protection System. These IDS sensors work in concert with the other IDS components, including Cisco IDS Management Console, CiscoWorks VPN/Security Management Solution, and Cisco IDS Device Manager, to efficiently protect the data and information infrastructure.


Cisco integrated solutions

• Intrusion Detection System Services Module (IDSM-2)
– The Cisco IDSM-2 protects switched environments by integrating full-featured IPS functions directly into the network infrastructure through the Cisco Catalyst chassis.
– This integration allows the user to monitor traffic directly off the switch backplane.
– The IDSM-2 is a one rack-unit module that can be installed in any one slot in the Cisco Catalyst 6500/7600 chassis.



Cisco IPS 4200 Series sensors

• Cisco IPS 4200 Series intrusion prevention system sensors are an important component of the Cisco Self-Defending Network.
• Cisco IPS sensors offer significant protection to the network by helping to detect, classify, and stop threats including worms, spyware/adware, network viruses, and application abuse.



Cisco IPS 4200 Series sensors
• Administrators can stop more threats with greater confidence with the help of
the following elements:
– Multivector threat identification – Detailed inspection of Layer 2–7 traffic
protects the network from policy violations, vulnerability exploitations, and
anomalous activity.
– Accurate prevention technologies – Cisco’s innovative Risk Rating
feature and Meta Event Generator provide the confidence to take
preventive actions on a broader range of threats without the risk of
dropping legitimate traffic.
– Unique network collaboration – Network collaboration provides
enhanced scalability, up to 8 Gbps, and resiliency, including efficient traffic
capture techniques, load-balancing capabilities, and visibility into encrypted
traffic.
– Comprehensive deployment and management solutions – Cisco IPS
4200 Series sensors are purpose-built IPS appliances that provide the
following:
• Protection of multiple network subnets through the use of up to eight
interfaces
• Simultaneous, dual operation in both promiscuous and inline modes
• A wide array of performance options, from 80 Mbps to multiple gigabits
• Embedded Web-based management solutions packaged with the
sensor


Extra: Cisco IPS 4200 Series sensors



Extra: Deployment Scenarios



Extra: Cisco IOS IPS Deployment Scenarios

• Cisco IOS IPS has 2 main deployment scenarios:
– Cisco IOS IPS protecting the Internet-facing (untrusted) interface
– Cisco IOS IPS within the internal (trusted) network



Extra: Cisco Sensor Deployment

• Cisco IPS supports various sensor platforms. Each platform has varying capabilities and
is designed to operate in a specific network environment.
• You need to consider the following factors when deciding where to place sensors on your
network:
– Internet boundaries
– Extranet boundaries
– Intranet boundaries
– Remote access boundaries
– Servers and desktops







Extra: Cisco Sensor Communications Protocols

• Communication between your Cisco IPS sensors and other network devices involves the following protocols and standards:
– SSH
– TLS/SSL
– RDEP (Remote Data Exchange Protocol)
– SDEE Standard (Security Device Event Exchange Standard)



Summary

• This module introduced the concepts of intrusion detection and prevention.
• Students should now understand the basic differences between an intrusion detection system (IDS) and an intrusion prevention system (IPS).
• The basic types of inspection engines were also introduced in this module. The module concluded with an introduction to the IDS and IPS devices that are part of the Cisco Self-Defending Network solution.
