Network Security v1.0 - Module 12 (IPS Operation and Implementation) - Copy

Module 12: IPS Operation and Implementation

Module Objectives:

• Explain how signatures are used to detect malicious network traffic.

12.1 IPS Signatures

Overview of IPS Signatures:

• Signatures are used to detect specific malicious traffic patterns and characteristics (e.g., viruses, worms, protocol anomalies).

• The IPS scans incoming traffic for signatures or abnormal traffic patterns.

Signature Attributes:

• Type: Determines if the signature is simple (atomic) or complex (composite).

• Trigger: Defines the event that causes the signature to trigger.

• Action: Defines the response action of the IPS, such as blocking or logging the detected traffic.

Types of Signatures:

1. Atomic Signature:

   • Triggered by a single packet, activity, or event.

   • Advantages: Quick and efficient analysis.

   • No state information needed for traffic analysis.

2. Composite (Stateful) Signature:

   • Requires multiple packets and maintains state information (e.g., IP addresses, port numbers).

   • Advantages: Can detect more complex threats but requires more resources for analysis.

Signature Alarms:

• Trigger Mechanisms: Signature alarms are triggered based on detection mechanisms:

  • Pattern-based: Matches a known traffic pattern.

  • Anomaly-based: Detects deviations from normal traffic.

  • Policy-based: Based on defined policies for traffic flow.

  • Honey pot-based: Involves deceiving attackers into interacting with a fake system.

Signature Actions:

• Alert: Generates an alert without taking action.

• Log: Logs the activity without an alert.

• Deny: Denies the activity and logs it.

• Pass: Allows the activity through without logging.

• Reject: Rejects the traffic, logs it, and sends a reset.

Evaluating Alerts:

1. True Positive: Correctly identified as malicious. Ideal outcome.

2. True Negative: Normal traffic correctly identified as benign.

3. False Positive: Normal traffic mistakenly flagged as malicious. Requires tuning to avoid unnecessary investigation.

4. False Negative: Malicious traffic not detected. Dangerous, as it leaves the system vulnerable.

12.2 Cisco Snort IPS

Overview of Snort IPS:

• Cisco Snort IPS is a flexible, open-source IPS solution integrated into Cisco devices, such as ISR 4000 series.

• Offers both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) capabilities.

Snort IPS Deployment Options:

1. Cisco Firepower Next-Generation IPS (NGIPS): Dedicated inline appliances for threat prevention.

2. Snort IPS on ISR 4000 series: Installed as a service on routers, with a second-generation Snort engine.

3. External Snort IPS Server: Requires external monitoring through a SPAN switch port.

Snort IPS Features:

• NGIPS:

  • Built on open-source Snort technology.

  • Includes advanced malware analysis, URL filtering, and sandboxing technology.

  • Integrates with Cisco Talos for real-time threat intelligence.

  • Application Visibility and Control (AVC) and Advanced Malware Protection (AMP) provide additional defense layers.

• Snort IPS on ISR 4000:

  • Runs on Linux Service Containers within the router.

  • Supports IDS/IPS modes and allows for real-time traffic analysis.

Snort IPS Components and Rules:

1. Snort Engine: Core detection and enforcement engine.

2. Snort Rule Software Subscriptions: Term-based subscriptions for rule updates (Community vs. Subscriber Rule Set).

   • Community Rule Set: Free, reactive response, delayed updates (30 days).

   • Subscriber Rule Set: Paid, proactive research, rapid updates, full Cisco support.

Snort Rule Syntax:

• Rule header includes:

  • Action (e.g., alert, log, pass).

  • Protocol (e.g., TCP, UDP).

  • Source IP and Destination IP (e.g., 192.168.1.1 -> 10.0.0.1).

  • Source port and Destination port (e.g., 80 -> 443).

  • Rule options: Additional conditions (e.g., content matching, IP header options).

12.3 Snort IPS Configuration

Configuring Snort IPS:

1. Download Snort OVA File: Obtain the latest OVA file for Snort IPS from Cisco's website.

2. Install Snort OVA: Use the virtual-service install command to deploy the OVA file on the router.

3. Configure Virtual Port Group (VPG): Define management interfaces (VPG0) for logging and signature updates, and data interfaces (VPG1) for user traffic inspection.

4. Activate Virtual Services: Set up and configure the virtual service for IPS functionality.

Activate IPS Modes:

• IPS Mode: Actively blocks malicious traffic.

• IDS Mode: Only detects and alerts without blocking traffic.

Configure Security Policies:

• Connectivity Policy: Least protection, prioritizes connectivity.

• Balanced Policy: Default policy, balances security and performance.

• Security Policy: Maximum protection, ideal for high-security environments.

Enable IPS Globally or on Interfaces:

• Enable IPS either globally or on specific interfaces depending on the network setup.

Verify Snort IPS:

• Use the show commands to verify the Snort IPS configuration, including:

  • show virtual-service list

  • show utd engine standard config

  • show platform hardware qfp active feature utd stats

12.4 IPS Operation and Implementation Summary

Key Takeaways:

• IPS Signatures have attributes: type (atomic/composite), trigger, and action.

• True Positive and True Negative are the ideal alarm results.

• Snort IPS on ISR devices can be configured for IDS or IPS services.

• Signature Updates are crucial for effective protection against new and evolving threats.

• Snort Rule Configuration: Snort rules are designed to identify specific threats and can be customized based on traffic patterns.

• IPS Modes: IPS operates in both detection and prevention modes depending on the security posture.