Lesson 2

Explaining Intrusion Prevention

© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—2-1


Intrusion Detection Versus Intrusion Prevention



Intrusion Detection Systems

An intrusion detection system has the capability to detect misuse and abuse of, and unauthorized access to, networked resources.



Intrusion Prevention Systems

An intrusion prevention system has the capability to detect and prevent misuse and abuse of, and unauthorized access to, networked resources.



Intrusion Detection Technologies



Profile-Based Intrusion Detection

• Is also known as anomaly detection because the activity detected deviates from the profile of normal activity
• Requires creation of statistical user and network profiles
• Is prone to a high number of false positives; "normal" activity is difficult to define, so legitimate but unusual behavior is flagged alongside attacks

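The profile-based approach above, reduced to its simplest statistical form, as an added example that is not part of the course material: a baseline of per-minute connection counts yields a "normal" profile (mean and standard deviation), and any minute whose z-score exceeds a threshold is reported. The traffic counts, the 3-sigma threshold and the labels on the two unusual minutes are constructed for illustration. Minute 3 is a port sweep and is caught; minute 5 is a legitimate backup job and is caught too, which is exactly the false-positive problem the slide warns about.

```python
"""Profile-based (anomaly) detection over per-minute connection counts.

Added example; not from the Cisco IPS course. The baseline, the observed
window and the threshold (mean + 3 standard deviations) are constructed
assumptions used only to illustrate the technique.
"""
from statistics import mean, pstdev

# Constructed baseline: new TCP connections per minute on one segment
# during a quiet training window.
BASELINE = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46, 40, 42]

# Constructed observation window. Minute 3 is a port sweep (hundreds of
# connections); minute 5 is a legitimate backup job that is also unusual,
# so a profile-based detector cannot tell the two apart.
OBSERVED = {1: 41, 2: 44, 3: 310, 4: 39, 5: 120, 6: 42}


def build_profile(samples):
    """Statistical profile of 'normal': mean and population std deviation."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def zscore(value, profile):
    """How many standard deviations a value lies from the profile mean."""
    sigma = profile["stdev"] or 1e-9  # a flat baseline would divide by zero
    return (value - profile["mean"]) / sigma


def detect_anomalies(observed, profile, threshold=3.0):
    """Return {minute: z} for every minute that deviates beyond threshold."""
    hits = {}
    for minute, count in sorted(observed.items()):
        z = zscore(count, profile)
        if z > threshold:
            hits[minute] = round(z, 1)
    return hits


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    print("profile:", prof)
    for minute, z in detect_anomalies(OBSERVED, prof).items():
        print(f"minute {minute}: {OBSERVED[minute]} connections, z={z} -> ANOMALY")
```

Tuning the threshold only trades one error for the other: lowering it catches slower sweeps but flags more legitimate bursts, raising it does the reverse. That is why the slide pairs this technique with a high false-positive rate rather than treating it as a drop-in replacement for signatures.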


Signature-Based Intrusion Detection

• Is also known as misuse detection or pattern matching; matches patterns of known malicious activity
• Requires creation of signatures, so it detects only what a signature already describes
• Is less prone to false positives; accuracy depends on the signature's ability to match malicious activity and nothing else



Protocol Analysis

Intrusion detection analysis is performed on the protocol specified in the data stream.
• Examines the protocol to determine the validity of the packet
• Checks the content of the payload (pattern matching)



Intrusion Detection Evasive Techniques



Evasive Techniques

• Attempts to elude intrusion prevention and detection use evasive techniques such as the following:
– Flooding
– Fragmentation
– Encryption
– Obfuscation



Flooding

Saturating the network with "noise" traffic while also launching an attack against the target is referred to as flooding. The noise is meant to exhaust the sensor's inspection capacity or to bury the real alarm among a flood of irrelevant ones.



Fragmentation

Splitting malicious packets into smaller packets to avoid detection and prevention is known as fragmentation. A sensor that inspects each fragment on its own, without reassembling the original datagram, never sees the complete malicious pattern.

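The fragmentation evasion above, and the reassembly a sensor needs to defeat it, as an added example that is not part of the course material. Fragments are modelled as (offset, more-fragments, payload) tuples, the fields an IP reassembler keys on; offsets are in bytes rather than the 8-byte units of the real IP header, and the request, the signature string and the out-of-order delivery are constructed for illustration. Per-fragment matching misses the pattern; matching on the reassembled datagram finds it, and an incomplete datagram is held rather than declared clean.

```python
"""Fragmentation evasion: why a sensor must reassemble before matching.

Added example, not from the Cisco IPS course. Fragments are simplified
(byte offsets, no IP ID or checksum); the request text and the signature
are constructed sample data.
"""

SIGNATURE = b"/etc/passwd"  # constructed content pattern

# Constructed attack: one HTTP request split so that the pattern straddles
# fragment boundaries, and delivered out of order (last fragment first).
FRAGMENTS = [
    (24, False, b"wd HTTP/1.0\r\n\r\n"),   # offset 24, final fragment
    (0, True, b"GET /cgi-bin/../e"),       # offset 0, more fragments follow
    (17, True, b"tc/pass"),                # offset 17, more fragments follow
]


def matches_per_fragment(fragments, signature):
    """Naive inspection: look for the pattern inside each fragment alone."""
    return any(signature in payload for _, _, payload in fragments)


def reassemble(fragments):
    """Order fragments by offset and rebuild the datagram.

    Returns None while the datagram is incomplete (a gap, an overlap, or no
    final fragment seen). A sensor should treat that as 'not yet judged',
    never as 'clean'.
    """
    ordered = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    expected = 0
    saw_last = False
    for offset, more, payload in ordered:
        if offset != expected:
            return None  # gap (offset too large) or overlap (too small)
        buf += payload
        expected += len(payload)
        if not more:
            saw_last = True
    return bytes(buf) if saw_last else None


def inspect(fragments, signature):
    """Reassembly-aware inspection: 'alert', 'clean' or 'incomplete'."""
    datagram = reassemble(fragments)
    if datagram is None:
        return "incomplete"
    return "alert" if signature in datagram else "clean"


if __name__ == "__main__":
    print("per-fragment match:", matches_per_fragment(FRAGMENTS, SIGNATURE))
    print("reassembled:", reassemble(FRAGMENTS))
    print("verdict:", inspect(FRAGMENTS, SIGNATURE))
```

The overlap check matters as much as the gap check: attackers also send overlapping fragments so that the sensor and the target host reassemble different data. Rejecting overlaps outright is the conservative choice for an inspection device; a production sensor instead mimics the reassembly policy of the host it protects.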


Encryption

[Figure: attacker and target communicating over an SSL session that passes the sensor unread]

• Launching an attack via an encrypted session can avoid network-based intrusion detection and prevention.
• This type of evasive technique assumes that the attacker has already established a secure session with the target network or host.
Obfuscation

Disguising an attack by using special characters to conceal it from a sensor is commonly referred to as obfuscation. The following are forms of obfuscation:
– Control characters
– Hex representation
– Unicode representation

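The two stages of protocol analysis described earlier (validate the protocol, then pattern-match the payload) and the three obfuscation forms listed above, worked through on HTTP request lines as an added example that is not part of the course material. The request line is checked against the protocol first; the URI is then normalized (percent-encoded hex including double encoding, %uXXXX Unicode escapes, embedded control characters) and only the normalized form is matched. The signature set, the allowed methods and the sample requests are constructed for illustration; a raw matcher is included to show what each encoding hides from it.

```python
"""Protocol analysis plus obfuscation-resistant signature matching for HTTP.

Added example, not from the Cisco IPS course. SIGNATURES, ALLOWED_METHODS
and the sample request lines are constructed for illustration.
"""
import re
from urllib.parse import unquote

SIGNATURES = {                    # constructed content signatures
    "dir-traversal": "../",
    "passwd-read": "/etc/passwd",
    "cmd-exec": "cmd.exe",
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}           # assumed site policy
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")     # IIS-style %uXXXX escapes


def parse_request_line(line):
    """Protocol check: anything that is not a valid HTTP/1.x request line is rejected."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    method, uri, major, minor = m.groups()
    if method not in ALLOWED_METHODS or major != "1":
        return None
    return {"method": method, "uri": uri, "version": f"{major}.{minor}"}


def normalize_uri(uri):
    """Undo the encodings an attacker uses to hide a pattern from the sensor."""
    # Unicode representation: %u002e -> '.', decoding only the ASCII range
    def _u(m):
        cp = int(m.group(1), 16)
        return chr(cp) if cp < 0x80 else m.group(0)
    s = UNICODE_ESC.sub(_u, uri)
    # Hex representation: %2e -> '.', repeated (bounded) to defeat %252e double encoding
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # Control characters used as filler inside the path (e.g. an encoded NUL)
    return "".join(ch for ch in s if ch >= " " and ch != "\x7f")


def raw_match(line):
    """What a sensor without normalization sees: match against the wire bytes."""
    return any(pat in line for pat in SIGNATURES.values())


def inspect_request(line):
    """Return ('invalid', None), ('alert', [signature names]) or ('clean', [])."""
    req = parse_request_line(line)
    if req is None:
        return ("invalid", None)
    uri = normalize_uri(req["uri"])
    hits = [name for name, pat in SIGNATURES.items() if pat in uri]
    return ("alert", hits) if hits else ("clean", [])


if __name__ == "__main__":
    # Constructed samples: plain, hex, Unicode, control-character, double-encoded, invalid
    for line in [
        "GET /index.html HTTP/1.1",
        "GET /cgi-bin/%2e%2e/%2e%2e/etc/pass%77d HTTP/1.0",
        "GET /scripts/%u002e%u002e/winnt/system32/cmd.exe HTTP/1.0",
        "GET /etc/pas%00swd HTTP/1.0",
        "GET /%252e%252e/etc/passwd HTTP/1.0",
        "TRACE / HTTP/1.1",
    ]:
        print(f"{line!r}: raw={raw_match(line)} normalized={inspect_request(line)}")
```

The protocol check is not decoration: a request line the server would reject cannot carry a working attack, and refusing to decode it keeps the matcher from being fed garbage. The decoding loop is bounded on purpose, so that an attacker cannot make the sensor spend unbounded time on nested encodings.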


Cisco Network Sensors



Cisco Sensor Family

[Chart: Cisco sensor family plotted by performance (Mbps, from 45 to 600) against network media (10/100 TX, 10/100/1000 TX, 1000 SX, switched). Sensors as they appear in the chart, top to bottom: IDSM-2, IDS 4255, IPS 4240, AIP-SSM, IPS 4215, NM-CIDS.]
Cisco 4200 Series Appliance

• Appliance solution focused on protecting network devices, services, and applications
• Sophisticated attack detection:
– Network attacks
– Application attacks
– DoS attacks
– Fragmented attacks
– Whisker attacks
• Intrusion prevention capability



Advanced Inspection and Prevention
Security Services Module

• High-performance module
designed to provide additional
security services to the Cisco
Adaptive Security Appliance
• Diskless design for improved
reliability
• External 10/100/1000 Ethernet
interface for management and
software downloads
• Intrusion prevention capability
• Runs the same software
image as the sensor
appliances

Cisco Catalyst 6500 IDSM-2

• Switch-integrated intrusion
protection module delivering a
high-value security service in
the core network fabric device
• Supports unlimited number of
VLANs
• Intrusion prevention capability
• Runs same software image as
sensor appliances



IDS Network Module

• Integrates IDS into Cisco 2600XM, 2691, 3660, 3725, and 3745 access routers and the 2811, 2821, 2851, 3825, and 3845 integrated services routers
• Provides full-featured intrusion protection
• Is able to monitor traffic from all router interfaces
• Is able to inspect GRE and IPSec traffic that has been decrypted at the router
• Delivers comprehensive intrusion protection at branch offices, isolating threats from the corporate network
• Runs the same software image as the sensor appliances



Sensor Appliances



Sensor Appliance Interfaces

[Figure: untrusted network, router, switch, router, protected network in series. The sensor's monitoring interface attaches to the switch; its command and control interface connects to the management system on the protected network.]
Cisco 4215 Sensor Front Panel

[Figure: front panel, labeled: Power LED, Monitoring Network Interface Card LED, Command and Control Network Interface Card LED]



Cisco 4215 Sensor Back Panel

[Figure: back panel, labeled: Optional Monitoring Interfaces, Console Port, Command and Control Interface, Monitoring Interface]



Cisco 4240 Sensor Front Panel

[Figure: front panel, labeled: Power Indicator, Status Indicator, Flash Indicator]



Cisco 4240 Sensor Back Panel

[Figure: back panel, labeled: Console Port, Monitoring Interfaces, Command and Control Interface, Compact Flash, Indicators, Power Connector, Auxiliary Port, Expansion Slot, USB Ports, Indicator Light, Power Indicator, Status Indicator, Flash Indicator, Power Switch]



Cisco 4255 Sensor Front Panel

[Figure: front panel, labeled: Power Indicator, Status Indicator, Flash Indicator]



Cisco 4255 Sensor Back Panel

[Figure: back panel, labeled: Monitoring Interfaces, Compact Flash, Console Port, Command and Control Interface, Indicators, Power Connector, Expansion Slot, Power Indicator, Auxiliary Port, Indicator Light, USB Ports, Status Indicator, Flash Indicator, Power Switch]



Promiscuous-Mode IDS and Inline-Mode IPS



Promiscuous-Mode Protection: IDS

1. A network device sends copies of packets to the sensor for analysis.
2. If the traffic matches a signature, the signature fires.
3. The sensor can send an alarm to a management console and take a response action such as resetting the connection.

[Figure: a switch mirrors traffic to the sensor; the sensor reports to the management system; the original packets continue to the target.]



Inline-Mode Protection: IPS

The sensor resides in the data forwarding path.
• If a packet triggers a signature, it can be dropped before it reaches its target.
• An alert can be sent to the management console.

[Figure: traffic passes through the sensor on its way to the target; the sensor reports to the management system.]



Reliable IPS

IPS 5.0 software contains several features that enable you to use inline deny actions with confidence. Among these features are the following:
• Risk rating
• Software bypass mode
• Application firewall
• Meta event generator

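How the first of these features, risk rating, turns "deny with confidence" into a concrete decision, as an added example that is not part of the course material. Cisco IPS 5.0 computes a risk rating per alert from the signature's attack severity rating (ASR) and signature fidelity rating (SFR) and the target value rating (TVR) of the attacked host as RR = ASR × TVR × SFR / 10000, clamped to 0..100. The numeric values assigned below to the severity and target-value names, the deny threshold of 90 and the sample alerts are assumptions for illustration; check them against your own sensor's event action overrides.

```python
"""Risk rating as the gate for inline deny actions.

Added example, not from the Cisco IPS course. The formula follows IPS 5.0
(RR = ASR * TVR * SFR / 10000, clamped to 0..100); the ASR/TVR value tables,
the 90 threshold and the sample alerts are assumptions for illustration.
"""

# Assumed attack severity rating values (informational .. high)
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Assumed target value rating values (zero .. mission-critical)
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
# Assumed event-action-override boundary above which packets are denied inline
DENY_THRESHOLD = 90


def risk_rating(severity, fidelity, target_value):
    """Combine ASR, SFR (0..100) and TVR into a 0..100 risk rating."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0..100")
    rr = ASR[severity] * TVR[target_value] * fidelity / 10000
    return max(0, min(100, round(rr)))


def choose_action(rr, inline):
    """Deny only when the sensor is inline and the rating clears the threshold.

    A promiscuous sensor cannot drop anything, so it only alerts regardless
    of the rating; that mirrors the IDS/IPS deployment guidance.
    """
    if inline and rr >= DENY_THRESHOLD:
        return "deny-packet-inline"
    return "produce-alert"


# Constructed alerts: (description, ASR name, SFR, TVR name of the target)
EVENTS = [
    ("buffer overflow vs. web server", "high", 95, "mission-critical"),
    ("buffer overflow vs. lab host", "high", 95, "low"),
    ("port sweep", "low", 60, "medium"),
    ("noisy heuristic, weak fidelity", "high", 40, "high"),
]


def evaluate(events, inline=True):
    """Return (description, risk rating, chosen action) for each alert."""
    out = []
    for desc, sev, sfr, tvr in events:
        rr = risk_rating(sev, sfr, tvr)
        out.append((desc, rr, choose_action(rr, inline)))
    return out


if __name__ == "__main__":
    for desc, rr, action in evaluate(EVENTS):
        print(f"{desc:40s} RR={rr:3d} -> {action}")
```

The point of the rating is visible in the first two alerts: the same signature with the same fidelity is denied when it targets a mission-critical host and merely alerts when it targets a lab box. Low fidelity drags the rating down even for a high-severity signature, which is what keeps a noisy signature from dropping legitimate traffic.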


Cisco Defense in Depth



Network IPS

• Sensors are connected to network segments. A single sensor can monitor many hosts.
• Growth of a network is easily protected. New hosts and devices can be added to the network without additional sensors.
• The sensors are network appliances tuned for intrusion detection analysis.
– The operating system is "hardened."
– The hardware is dedicated to intrusion detection analysis.



Network IPS (Cont.)

[Figure: untrusted network, router, firewall, and switches leading into the corporate network; a sensor monitors a segment behind the firewall and reports to a management server.]


Host Intrusion Prevention System

• Consists of agent software installed on each host
• Provides individual host detection and protection
• Does not require special hardware



Host Intrusion Prevention System (Cont.)

[Figure: corporate network behind a firewall facing the untrusted network; an agent runs on each protected host: application server, SMTP server, WWW server, DNS server, console, and workstations.]


Defense in Depth: A Layer Solution

[Figure: layered solution, host-focused technology at the top, network-focused technology at the bottom]
• Application-level encryption protection
• Policy enforcement (resource control)
• Web application protection
• Buffer overflow
• Network attack and reconnaissance detection
• DoS detection


Sensor Deployment



Sensor Selection Factors

• Network media: Ethernet, Fast Ethernet, or Gigabit Ethernet
• Intrusion detection analysis performance: bits per second
• Network environment: T1/E1, switched, multiple T3/E3, or gigabit



IDS and IPS Deployment Considerations

• Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do not plan to use deny actions.
• Deploy an IPS sensor in those areas where you need and plan to use deny actions.



Sensor Deployment Considerations

• Number of sensors
• Sensor placement
• Management and monitoring options
• External sensor communications



Deploying IDS and IPS

[Figure: a branch office router with an NM-CIDS module; the corporate network behind a router and firewall facing the untrusted network, with an IDSM2 in the core switch, a standalone sensor, a management server, and CSA agents on the WWW and DNS servers.]


IDS and IPS Sensor Placement
[Figure: attacker on the Internet; one sensor placed outside the firewall, one inside]

Sensor on Outside:
• Sees all traffic destined for your network
• Has high probability of false positives
• Does not detect internal attacks

Sensor on Inside:
• Sees only traffic permitted by the firewall
• Has lower probability of false positives
• Requires immediate response to alarms
IPS Terminology



Vulnerabilities and Exploits

• A vulnerability is a weakness that compromises either the security or the functionality of a system.
– Poor passwords
– Improper input handling
– Insecure communications
• An exploit is the mechanism used to leverage a vulnerability.
– Password guessing tools
– Shell scripts
– Executable code



False Alarms

• False positive: Normal traffic or a benign action causes the signature to fire.
• False negative: A signature does not fire although offending traffic is present. An actual attack goes undetected.



True Alarms

• True positive: A signature fires properly when the offending traffic is detected. An attack is detected as expected.
• True negative: A signature does not fire when nonoffending traffic is seen. Normal traffic or a benign action does not cause an alarm.

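The four alarm categories from the two slides above, applied to a set of labeled events so that a signature's precision and recall fall out, as an added example that is not part of the course material. Each constructed event records whether the traffic was actually malicious and whether the signature fired; the event list and descriptions are made up for illustration.

```python
"""Classify sensor outcomes into TP/FP/FN/TN and measure a signature.

Added example, not from the Cisco IPS course. EVENTS is constructed sample
data: (description, signature fired?, traffic actually malicious?).
"""


def classify(fired, malicious):
    """Map one event to its alarm category."""
    if fired and malicious:
        return "TP"   # true positive: attack detected as expected
    if fired and not malicious:
        return "FP"   # false positive: benign action fired the signature
    if not fired and malicious:
        return "FN"   # false negative: attack present, signature silent
    return "TN"       # true negative: benign traffic, no alarm


EVENTS = [
    ("exploit attempt against web server", True, True),
    ("vulnerability scanner probe", True, True),
    ("backup job with an unusual payload", True, False),
    ("exploit hidden in fragments the signature misses", False, True),
    ("normal web browsing", False, False),
    ("normal DNS lookup", False, False),
]


def tally(events):
    """Count events per category."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for _, fired, malicious in events:
        counts[classify(fired, malicious)] += 1
    return counts


def precision(counts):
    """Of everything that fired, the fraction that was a real attack."""
    flagged = counts["TP"] + counts["FP"]
    return counts["TP"] / flagged if flagged else 0.0


def recall(counts):
    """Of every real attack, the fraction the signature fired on."""
    actual = counts["TP"] + counts["FN"]
    return counts["TP"] / actual if actual else 0.0


if __name__ == "__main__":
    c = tally(EVENTS)
    print(c, f"precision={precision(c):.2f} recall={recall(c):.2f}")
```

Precision is the number that matters when tuning an inline deny action (every false positive is dropped legitimate traffic); recall is the number that matters when choosing between signatures for the same attack.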


Cisco IPS Software Architecture



Software Architecture Overview

These are the primary components of the IPS software architecture:
• Event Store provides storage for all events.
• Analysis Engine is the monitoring application.
• MainApp is the core application.
• Web server runs within MainApp and services all web and SSL requirements.
• SSH and Telnet service the SSH and Telnet requirements of the CLI application.



Software Architecture Overview (Cont.)

• IDAPI provides the communication channel between applications.
• Network Access Controller runs within MainApp and is used to initiate the blocking response action on network devices.
• NotificationApp supports SNMP gets.
• Sensor interfaces serve as the traffic inspection points. Sensor interfaces are also used for TCP resets and IP logging.





Summary

• An intrusion detection system has the ability to detect misuse and abuse of, and unauthorized access to, networked resources.
• An intrusion prevention system has the ability to detect and prevent misuse and abuse of, and unauthorized access to, networked resources.
• Profile-based intrusion detection notes activity considered outside of "normal" activity.
• Signature-based intrusion prevention matches patterns of malicious activity.
• Cisco offers a wide variety of IDS and IPS appliances and modules.
Summary (Cont.)

• Cisco offers two types of intrusion detection and prevention systems: promiscuous-mode IDS and inline IPS.
• An HIPS provides individual host protection and detection.
• A network IDS or IPS provides broader protection by monitoring network segments.
• There are several factors to consider when deploying intrusion detection and intrusion prevention.
• Cisco's software architecture is an integrated application that runs on the Linux operating system.



Summary (Cont.)

• A defense-in-depth security solution is focused on providing multiple layers of security beyond a single device or technology.
• Selection of network sensors depends on the following factors: network media, intrusion detection analysis performance, and network environment.
• Sensor deployment considerations include the following: number of sensors needed, sensor placement, management and monitoring options, and external sensor communications.
