IPS Best Practices
You should follow some configuration best practices to improve IPS efficiency when deploying IPS in your network.
When setting up a large deployment of sensors, automatically update signature packs rather than manually upgrading every sensor. Then security operations personnel have more time to analyze events. When new signature packs are available, download the new signature packs to a secure server within the management network.
Place the signature packs on a dedicated FTP server within the management network. If a signature update is not available, a custom signature can be created to detect and mitigate a specific attack. You should configure the FTP server to allow read-only access to the files within the directory on which the signature packs are placed only from the account that the sensors will use. The sensors can then be configured to automatically check the FTP server periodically, such as once a week on a certain day, to look for the new signature packs and to update the sensors. You can use an IPS to protect this server from attack by an outside party.
You should stagger the time of day when the sensors check the FTP server for new signature packs, perhaps through a predetermined change window. This prevents multiple sensors from overwhelming the FTP server by asking for the same file at the same time. The need to upgrade sensors with the latest signature packs must be balanced against the momentary downtime—and, therefore, the vulnerability to attack—incurred while upgrading them. Finally, the signature levels supported on the management console must remain synchronized with the signature packs on the sensors themselves.
You should group IPS sensors together under a few larger profiles. Every signature upgrade requires that all new signatures be appropriately tuned on every sensor. Tuning signatures for groups of sensors rather than for each sensor on the network significantly reduces configuration time. This administrative advantage must be balanced against the ability to finely tune sensor configuration by establishing a separate profile for each sensor.
Refer to the release notes of signatures to confirm that the new update will not overwrite the tuning you might have performed on a signature.
This is a philosophical debate in which you need to get engaged in for your organization: Should the IPS sensor stop working, do you let the traffic go through or do you stop the traffic? The two opposing philosophies are represented in Figure 6-14, where the network administrator needs to decide whether the traffic will be allowed to flow into the demilitarized zone (DMZ) should the Cisco ASA AIP SSM fail.
It seems that the balance is tilting in favor of the “fail-open” approach with security experts, but each organization has to define and enforce their own policy in this topic.
| Note |
|
Configuring Cisco IOS IPS
Configuring Cisco IOS Intrusion Prevention System (IPS) is a core competency for a network security administrator. In this section, you will learn how to configure Cisco IOS IPS on routers using the Cisco Router and Security Device Manager (SDM). You will also discover that Cisco SDM makes it easy to configure and manage Cisco IOS IPS on routers and security devices.
Cisco IOS IPS Features
Cisco has implemented IPS functions into its Cisco IOS Software. Cisco IOS IPS uses technology from Cisco Intrusion Detection System (IDS) and IPS sensor product lines, including Cisco IPS 4200 series sensors, and Cisco Catalyst 6500 series Intrusion Detection System Services Module (IDSM). Cisco IOS IPS combines existing Cisco IDS and IPS product features with the following three intrusion detection techniques:
- Profile-based intrusion detection: Profile-based intrusion detection generates an alarm when activity on the network goes outside a defined profile. With anomaly detection, profiles are created for each user or user group on your system. These profiles are then used as a baseline to define normal user and network activity. A profile could be created to monitor web traffic.
- Signature-based intrusion detection: Signature-based intrusion detection is less prone to triggering a false alarm when detecting unauthorized activity. A signature is a set of rules pertaining to typical intrusion activity. Signature-based intrusion detection uses signatures that are based on values in IP, TCP, UDP, and ICMP headers. Network engineers research known attacks and vulnerabilities and then develop signatures to detect these attacks and vulnerabilities on the network. These attack signatures encompass specific traffic or activity that is based on known intrusive activity.Cisco IOS IPS implements signatures that can look at every packet going through the network and generate alarms when necessary. A Cisco IOS IPS generates alarms when a specific pattern of traffic is matched or a signature is triggered. You can configure a Cisco IOS IPS to exclude signatures and modify signature parameters to work optimally in your network environment. A pattern-matching approach searches for a fixed sequence of bytes in a single packet. Pattern matching is a rigid approach but is simple to employ. In most cases, the pattern is matched against a packet only if the suspect packet is associated with a particular service or, more precisely, destined to or from a particular port. For example, a signature might be based on a simple pattern-matching approach such as the following: If
and and then . - Protocol analysis-based intrusion detection: Protocol analysis-based intrusion detection is similar to signature-based intrusion detection, but it performs a more in-depth analysis of the protocols specified in the packets. A deeper analysis examines the payloads within TCP and UDP packets, which contain other protocols. For example, a protocol such as DNS is contained within TCP or UDP, which itself is contained within IP.The first step of protocol analysis is to decode the packet IP header information and determine whether the payload contains TCP, UDP, or another protocol. For example, if the payload is TCP, some of the TCP header information within the IP payload is processed before the TCP payload is accessed (for example, DNS data). Similar actions are mapped for other protocols.Protocol analysis requires that the IPS sensor knows how various protocols work so that it can more closely analyze the traffic of those protocols to look for suspicious or abnormal activity. For each protocol, the analysis is based not only on protocol standards, particularly the RFCs, but also on how things are implemented in the real world. Many implementations violate protocol standards. It is important that signatures reflect common and accepted practice rather than the RFC-specified ideal; otherwise, false results can be reported.
The following attributes describe the primary benefits of the Cisco IOS IPS solution:
- Cisco IOS IPS uses the underlying routing infrastructure to provide an additional layer of security with investment protection.
- Because Cisco IOS IPS is inline and is supported on a broad range of routing platforms, attacks can be effectively mitigated to deny malicious traffic from both inside and outside the network.
- When used in combination with Cisco IDS, Cisco IOS Firewall, virtual private network (VPN), and Network Admission Control (NAC) solutions, Cisco IOS IPS provides superior threat protection at all entry points to the network.
- Cisco IOS IPS is supported by easy and effective management tools, such as Cisco SDM, Cisco Security MARS, and Cisco Security Manager.
- Whether threats are targeted at endpoints, servers, or the network infrastructure, Cisco offers pervasive intrusion prevention solutions that are designed to integrate smoothly into the network infrastructure and to proactively protect vital resources.
- Cisco IOS IPS supports around 2000 attack signatures from the same signature database that is available for Cisco IPS appliances.
Table 6-9 describes the features of Cisco IOS IPS-based signatures.
|
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Open table as spreadsheet Configuring Cisco IOS IPS Using Cisco SDM
Cisco IOS IPS allows you to manage intrusion prevention on routers that use Cisco IOS Software Release 12.3(8)T4 or later. Cisco IOS IPS monitors and prevents intrusions by comparing traffic against signatures of known threats and blocking the traffic when a threat is detected. Cisco SDM lets you control the application of Cisco IOS IPS on interfaces, import and edit signature files from Cisco.com, and configure the action that Cisco IOS IPS should take if a threat is detected.
The tasks associated with managing routers and security devices are displayed in a task pane on the left side of the Cisco SDM home page, as shown in Figure 6-15. Choose Configure > Intrusion Prevention to reveal the intrusion prevention options in Cisco SDM. You can use Cisco SDM to configure Cisco IOS IPS on routers and security devices.
Use the tabs at the top of the Intrusion Prevention System (IPS) window to navigate to the area you want to configure or monitor:
- Create IPS: This tab contains the IPS Rule wizard that you use to create a new Cisco IOS IPS rule.
- Edit IPS: This tab allows you to edit Cisco IOS IPS rules and apply or remove them from interfaces.
- Security Dashboard: This tab allows you to view the Top Threats table and deploy signatures associated with those threats.
- IPS Migration: If the router runs a Cisco IOS Software Release 12.4(11)T or later, you can use this tab to migrate Cisco IOS IPS configurations that were created using earlier releases of the Cisco IOS Software.
| Tip |
|
Cisco SDM enables you to create a new rule on a Cisco router in two ways: manually through the Edit IPS tab or automatically using the IPS Rule Wizard. The Cisco IOS IPS Deployment Guide recommends using the IPS Rule Wizard. The wizard that is launched does more than just configure a rule; it performs all the Cisco IOS IPS configuration steps.
Follow these steps to configure Cisco IOS IPS on the router or security device using Cisco SDM:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Note |
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Figure 6-19 shows actual Wizard Summary windows
Configuring Cisco IOS IPS Using CLI
To use the command-line interface (CLI) to specify an IPS rule, use the ip ips name name command in global configuration mode as follows:
To specify the location of the IPS configuration, use the ip ips config location location global configuration command, as demonstrated here:
To specify the method of event notification, use the ip ips notify global configuration command. The following is an example of event notification sent using Security Device Event Exchange (SDEE), which is a standard developed to communicate an event generated by security devices:
| Note |
|
To configure the router to support the default basic signature set use the ip ips signature-category global configuration command as follows:
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
To apply an IPS rule to an interface, use the ip ips ips_rule_name command in interface configuration mode as demonstrated here:
router(config-if)# ip ips sdm_ips_rule in
Virtual Fragment Reassembly
Virtual Fragment Reassembly (VFR) enables the Cisco IOS Firewall to examine out-of-sequence fragments and reorder the packets into the order. It examines the number of fragments from a same single IP address. When VFR is enabled on a Cisco IOS Firewall, it creates the appropriate dynamic ACLs, thereby protecting the network from various fragmentation attacks. To enable VFR on an interface, use the ip virtual-reassembly command in interface configuration mode, as demonstrated here:
Router(config-if)# ip virtual-reassembly
Example 6-1 provides a combined view of the commands shown in the preceding paragraphs.
Example 6-1: Cisco IOS IPS CLI Configuration
Router(config)# ip ips config location flash:/ipsdir/ retries 1
Router(config)# ip ips notify SDEE
!
Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
!
Router(config)# interface Serial0/0/0
Router(config-if)# ip ips sdm_ips_rule in
Router(config-if)# ip virtual-reassembly
Configuring IPS Signatures
Cisco IOS IPS prevents intrusion by comparing traffic against the signatures of known attacks. Cisco IOS images that support Cisco IOS IPS have built-in signatures that the router can use, and you can import signatures for the router to use. Imported signatures are stored in a signature file.
IPS signatures are loaded as part of the procedure to create a Cisco IOS IPS rule using the IPS rule wizard. To view the configured Cisco IOS IPS signatures on the router, choose Configure > Intrusion Prevention > Edit IPS > Signatures > All Categories. Because signatures optimize your configuration, confirm that all the correct signatures are loaded on the router or security device. From this window, you can add customized signatures or import signatures that are downloaded from Cisco.com. You can also edit, delete, enable, and disable signatures.
| Note |
|
| Note |
|
The signature tree enables you to filter the signature list according to the type of signature that you want to view. To modify a signature, right-click the signature and choose an option from the pop-up menu, as shown in Figure 6-20. To change the severity of the signature, choose Set Severity To.
| Note |
|
You can tune a signature configuration using Cisco SDM. To tune a signature, choose Configure > Intrusion Prevention > Edit IPS > Signatures > All Categories. A list of available signatures appears.
To modify a signature action, right-click the signature and choose Actions from the pop-up menu. The Assign Actions window appears, as shown in Figure 6-21, and displays the actions that can be taken upon a signature match. The available actions depend on the signature, but the following are the most common actions:
- Deny Attacker Inline: Create an ACL that denies all traffic from the IP address that is considered the source of the attack by the Cisco IOS IPS system.
- Deny Connection Inline: Drop the packet and all future packets from this TCP flow.
- Deny Packet Inline: Do not transmit this packet (inline only).
- Produce Alert: Generate an alarm message.
- Reset TCP Connection: Send TCP resets to terminate the TCP flow.
To access and configure signature parameters, choose the signature and then click the Edit button in the Cisco SDM Configure Signatures window, as shown in Figure 6-22.
In the dialog box that results from clicking the Edit button in the Cisco SDM Configure Signatures window, shown in Figure 6-23, configure the signature parameters.
Different signatures will have different parameters that you can modify. The following are common fields.
- Signature ID: This field displays a unique numerical value that is assigned to this signature. This value allows Cisco IOS IPS to identify a particular signature.
- SubSignature ID: This field displays a unique numeric value that is assigned to this subsignature. A subsig ID identifies a more granular version of a broad signature.
- Alert Severity: This field displays the severity of the alert for this signature.
- Sig Description: This section includes the signature name, alert notes, user comments, alert traits, and release number.
- Engine: This section contains information about what engine the signature uses and characteristics about how the engine operates.
- Event Counter: This section displays the event count, the event count key, and whether an alert interval is to be specified. An alert interval allows you to define special handling for timed events.
- Alert Frequency: (Not shown in Figure 6-23.) This section has settings to define the frequency of the alert.
- Status: (Not shown in Figure 6-23) This section shows whether the signature is enabled and whether the signature is retired.
Monitoring IOS IPS
Figure 6-24 shows how you can use the Security Device Event Exchange (SDEE) protocol and a syslog-based approach to send Cisco IPS alerts. The sensor generates an alarm when an enabled signature is triggered. Alarms are stored on the sensor. A host can pull the alarms from the sensor using SDEE. Pulling alarms from a sensor allows multiple hosts to subscribe to the event “feed” to allow a host or hosts to subscribe on an as-needed basis.
The support for SDEE and syslog in the Cisco IOS IPS solution is as follows:
- Cisco IOS Software supports the SDEE protocol. When Cisco SDEE notification is enabled (by using the ip ips notify sdee command), by default 200 events can be stored in the event buffer, whose size can be increased to hold a maximum of 1000 events. When you disable Cisco SDEE notification, all stored events are lost. A new buffer is allocated when the notifications are reenabled.
- SDEE uses a pull mechanism. That is, requests come from the network management application, and the IDS and IPS router responds.
- SDEE becomes the standard format for all vendors to communicate events to a network management application.
- You must also enable HTTP or HTTPS on the router, using the ip http server command, when you enable SDEE. The use of HTTPS ensures that data is secured as it traverses the network.
- The Cisco IOS IPS router still sends IPS alerts via syslog.
When you use Cisco SDM, you can keep track of alarms that are common in SDEE system messages, including IPS signature alarms. The following is an example of an SDEE system alarm message:
[192.168.121.1:137 ->192.168.121.255:137]
The preceding alarm was triggered by the fact that a packet with a private addresses, as listed in RFC 1918, traversed the IPS sensor.
| Note |
|
To view SDEE alarm messages in Cisco SDM, choose Monitor > Logging > SDEE Message Log, as shown in Figure 6-25.
To view alarms generated by Cisco IOS IPS, choose Monitor > Logging > Syslog, as shown in Figure 6-26.
Verifying IPS Operation
To verify the IPS configuration on the router, choose Configure > Intrusion Prevention > Edit IPS, as shown in Figure 6-27. The Edit IPS tab shows all the interfaces on the router and whether they are configured for Cisco IOS IPS. If Enabled appears in either the Inbound or the Outbound column, Cisco IOS IPS is enabled for that direction of traffic on that interface. If Disabled appears in either the Inbound or the Outbound column, Cisco IOS IPS is disabled for that direction on the interface.
Cisco IOS IPS cannot identify the contents of IP fragments when VFR is not enabled, and it cannot gather port information from the fragment to match it with a signature. Therefore, fragments can pass through the network without being examined or without a dynamic ACL being created on the Cisco IOS Firewall. You will remember that VFR enables the Cisco IOS Firewall to examine out-of-sequence fragments. VFR can create the dynamic ACLs necessary to protect against fragment attacks
The VFR status field shows the status of VFR on an interface. If VFR is enabled on the interface, the column displays On. If VFR is disabled on the interface, the column displays Off.
The Edit IPS tab also contains buttons that enable you to configure and manage Cisco IOS IPS policies, security messages, signatures, and more.
Use the show ip ips configuration command to display additional configuration data that is not displayed with the show running-config command. Example 6-2 shows some sample output from the show ip ips configuration command.
Example 6-2: show ip ips configuration Command Output
IPS Signature File Configuration Status
Configured Config Locations: flash:/ipsdir/
Last signature default load time: 04:39:33 UTC Dec 14 2007
Last signature delta load time: -none-
Last event action (SEAP) load time: -none-
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled
IPS Signature Status
Total Active Signatures: 353
Total Inactive Signatures: 1783
IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name sdm_ips_rule
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
IPS Category CLI Configuration:
Category all:
Retire: True
Category ios_ips basic:
Retire: False
Category ios_ips:
Enable: True
Category ios_ips advanced:
Enable: True
Use the show ip ips interface command to display interface configuration data. Example 6-3 displays output from the show ip ips interface command, revealing that the inbound IPS audit rule sdm_ips_rule is applied to FastEthernet 0/0 and FastEthernet 0/1. There is no rule applied for outgoing traffic on either interface.
Example 6-3: show ip ips interface Command Output
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
Use the show ip ips all command to display additional configuration data that is not displayed with the show ip ips configuration command.
In Example 6-4, the output from the show ip ips all command shows that syslog and SDEE notification is enabled, and that there are 693 active signatures and 1443 inactive signatures on the router.
Example 6-4: show ip ips all Command Output
IPS Signature File Configuration Status
Configured Config Locations: flash:ipsstore/
Last signature default load time: 00:25:35 UTC Dec 6 2007
Last signature delta load time: -none-
Last event action (SEAP) load time: -none-
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled
IPS Signature Status
Total Active Signatures: 693
Total Inactive Signatures: 1443
IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name myips
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Interface Configuration
Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is myips
IPS Category CLI is not configured
IPS Category CLI is not configured
Summary
This chapter described how intrusion detection system (IDS) and intrusion prevention system (IPS) technology embedded in Cisco host- and network-based IDS and IPS solutions fight Internet worms and viruses in real time. More precisely, you have learned how
- A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity.
- To use Cisco SDM to configure Cisco IOS IPS on the router or security device, choose Configure > Intrusion Prevention > Create IPS in Cisco SDM and click the Launch IPS Rule Wizard button.
- Cisco IOS IPS combines existing Cisco IDS and IPS product features.
- To configure Cisco IOS IPS on the router or security device, click the Launch IPS Rule Wizard button in Cisco SDM.
- Cisco IOS IPS prevents intrusion by comparing traffic against the signatures of known attacks.
- Cisco IOS IPS alarms are communicated using SDEE and syslog.
- The command show ip ips all displays all the available IPS information.
References
For additional information, refer to these resources:
- Cisco Systems, Inc. Cisco Intrusion Prevention System: Introduction, http://www.cisco.com/go/ips
- Cisco Systems, Inc. Cisco Security Monitoring, Analysis and Response System: Introduction, http://www.cisco.com/go/mars
- Cisco Systems, Inc. Cisco Security Agent: Introduction, http://www.cisco.com/go/csa
- Cisco Systems, Inc. Cisco Intrusion Detection System Event Viewer 3DES Cryptographic Software Download, http://www.cisco.com/cgi-bin/tablebuild.pl/ids-ev
- Cisco Systems, Inc. Cisco IOS Intrusion Prevention System (IPS): Cisco IOS IPS Supported Signature List in 4.x Signature Format, http://www.cisco.com/en/US/partner/products/ps6634/products_white_paper0900aecd8039e2e4.shtml
- Cisco Systems, Inc. Software Download: Cisco IOS IPS, http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup
- Cisco Systems, Inc. Software Download: Cisco IDS Management Center - Version 4.x Signature Updates, http://www.cisco.com/cgi-bin/tablebuild.pl/idsmc-ids4-sigup
- Cisco Systems, Inc. Cisco IOS Security Configuration Guide, Release 12.4: Configuring Cisco IOS Intrusion Prevention System (IPS), http://tinyurl.com/3ufo6j
- Cisco System, Inc. Tools & Resources: Software Download, Cisco IOS IPS Signature Package for SDM 2.4, http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup-sdm
- Cisco System, Inc. Cisco Security Center, http://tools.cisco.com/security/center/home.x
- Cisco Systems, Inc. Cisco IOS Security Configuration Guide, Release 12.4: Configuring Cisco IOS Intrusion Prevention System (IPS), http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804453cf.html
- SearchSecurity.com. http://searchsecurity.techtarget.com/
0 comments
Post a Comment