JH

Network Security v1.0 - Module 12 (IPS Operation and Implementation) - Copy

Module 12: IPS Operation and Implementation

Module Objectives:

  • Explain how signatures are used to detect malicious network traffic.

12.1 IPS Signatures

Overview of IPS Signatures:

  • Signatures are used to detect specific malicious traffic patterns and characteristics (e.g., viruses, worms, protocol anomalies).

  • The IPS scans incoming traffic for signatures or abnormal traffic patterns.

Signature Attributes:

  • Type: Determines if the signature is simple (atomic) or complex (composite).

  • Trigger: Defines the event that causes the signature to trigger.

  • Action: Defines the response action of the IPS, such as blocking or logging the detected traffic.

Types of Signatures:

  1. Atomic Signature:

    • Triggered by a single packet, activity, or event.

    • Advantages: Quick and efficient analysis.

    • No state information needed for traffic analysis.

  2. Composite (Stateful) Signature:

    • Requires multiple packets and maintains state information (e.g., IP addresses, port numbers).

    • Advantages: Can detect more complex threats but requires more resources for analysis.

Signature Alarms:

  • Trigger Mechanisms: Signature alarms are triggered based on detection mechanisms:

    • Pattern-based: Matches a known traffic pattern.

    • Anomaly-based: Detects deviations from normal traffic.

    • Policy-based: Based on defined policies for traffic flow.

    • Honey pot-based: Involves deceiving attackers into interacting with a fake system.

Signature Actions:

  • Alert: Generates an alert without taking action.

  • Log: Logs the activity without an alert.

  • Deny: Denies the activity and logs it.

  • Pass: Allows the activity through without logging.

  • Reject: Rejects the traffic, logs it, and sends a reset.

Evaluating Alerts:

  1. True Positive: Correctly identified as malicious. Ideal outcome.

  2. True Negative: Normal traffic correctly identified as benign.

  3. False Positive: Normal traffic mistakenly flagged as malicious. Requires tuning to avoid unnecessary investigation.

  4. False Negative: Malicious traffic not detected. Dangerous, as it leaves the system vulnerable.

12.2 Cisco Snort IPS

Overview of Snort IPS:

  • Cisco Snort IPS is a flexible, open-source IPS solution integrated into Cisco devices, such as ISR 4000 series.

  • Offers both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) capabilities.

Snort IPS Deployment Options:

  1. Cisco Firepower Next-Generation IPS (NGIPS): Dedicated inline appliances for threat prevention.

  2. Snort IPS on ISR 4000 series: Installed as a service on routers, with a second-generation Snort engine.

  3. External Snort IPS Server: Requires external monitoring through a SPAN switch port.

Snort IPS Features:

  • NGIPS:

    • Built on open-source Snort technology.

    • Includes advanced malware analysis, URL filtering, and sandboxing technology.

    • Integrates with Cisco Talos for real-time threat intelligence.

    • Application Visibility and Control (AVC) and Advanced Malware Protection (AMP) provide additional defense layers.

  • Snort IPS on ISR 4000:

    • Runs on Linux Service Containers within the router.

    • Supports IDS/IPS modes and allows for real-time traffic analysis.

Snort IPS Components and Rules:

  1. Snort Engine: Core detection and enforcement engine.

  2. Snort Rule Software Subscriptions: Term-based subscriptions for rule updates (Community vs. Subscriber Rule Set).

    • Community Rule Set: Free, reactive response, delayed updates (30 days).

    • Subscriber Rule Set: Paid, proactive research, rapid updates, full Cisco support.

Snort Rule Syntax:

  • Rule header includes:

    • Action (e.g., alert, log, pass).

    • Protocol (e.g., TCP, UDP).

    • Source IP and Destination IP (e.g., 192.168.1.1 -> 10.0.0.1).

    • Source port and Destination port (e.g., 80 -> 443).

    • Rule options: Additional conditions (e.g., content matching, IP header options).

12.3 Snort IPS Configuration

Configuring Snort IPS:

  1. Download Snort OVA File: Obtain the latest OVA file for Snort IPS from Cisco's website.

  2. Install Snort OVA: Use the virtual-service install command to deploy the OVA file on the router.

  3. Configure Virtual Port Group (VPG): Define management interfaces (VPG0) for logging and signature updates, and data interfaces (VPG1) for user traffic inspection.

  4. Activate Virtual Services: Set up and configure the virtual service for IPS functionality.

Activate IPS Modes:

  • IPS Mode: Actively blocks malicious traffic.

  • IDS Mode: Only detects and alerts without blocking traffic.

Configure Security Policies:

  • Connectivity Policy: Least protection, prioritizes connectivity.

  • Balanced Policy: Default policy, balances security and performance.

  • Security Policy: Maximum protection, ideal for high-security environments.

Enable IPS Globally or on Interfaces:

  • Enable IPS either globally or on specific interfaces depending on the network setup.

Verify Snort IPS:

  • Use the show commands to verify the Snort IPS configuration, including:

    • show virtual-service list

    • show utd engine standard config

    • show platform hardware qfp active feature utd stats

12.4 IPS Operation and Implementation Summary

Key Takeaways:

  • IPS Signatures have attributes: type (atomic/composite), trigger, and action.

  • True Positive and True Negative are the ideal alarm results.

  • Snort IPS on ISR devices can be configured for IDS or IPS services.

  • Signature Updates are crucial for effective protection against new and evolving threats.

  • Snort Rule Configuration: Snort rules are designed to identify specific threats and can be customized based on traffic patterns.

  • IPS Modes: IPS operates in both detection and prevention modes depending on the security posture.