CCSP IPS Quick Reference
Anthony Sequeira
ciscopress.com

Table of Contents
Chapter 1: Introducing Intrusion Detection and Prevention
Chapter 2: Installation of a Typical Sensor 15
Chapter 3: Cisco Intrusion Detection and Prevention Signatures 21
Chapter 4: Advanced Configurations 31
Chapter 5: Additional Intrusion Detection and Prevention Devices 43
Chapter 6: Monitoring and Maintenance 48

CCSP IPS Quick Reference, by Anthony Sequeira. ISBN: 9781587055713. Publisher: Cisco Press. Print Publication Date: 2008/01/04. Prepared for Tran Huong, Safari ID: thuong@CISCO.COM. Licensed by Tran Huong, user number: 999108. Copyright 2008, Safari Books Online, LLC. This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use privilege under U.S. copyright laws (see 17 USC 107) or that otherwise violates the Safari Terms of Service is strictly prohibited.

About the Author
Anthony Sequeira (CCIE-R/S #15626) possesses high-level certifications from both Cisco and Microsoft. For the past 15 years, he has written and lectured to massive audiences about the latest in networking technologies. He is a certified Cisco instructor with Thomson NETg. He lives with his wife and daughter in Tampa, Florida.

About the Technical Editor
Ronald Trunk, CCIE, CISSP, is a highly experienced consultant and network architect with a special interest in secure network design and implementation. He has designed complex multimedia networks for both government and commercial clients. He is the author of several articles on network security and troubleshooting. He lives in suburban Washington, D.C.

© 2008 Cisco
Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page 52 for more details.

Chapter 1: Introducing Intrusion Detection and Prevention

Understanding Intrusion Prevention and Detection
Cisco provides for intrusion detection and prevention in a variety of ways in its current security portfolio. You might add this powerful tool to your network via a dedicated hardware appliance known as a sensor, or you might add this functionality using a network module inserted into a router or switch. However you decide to implement the technology, the goal is the same—to take some action based on an attack introduced into your network. This action might be to alert the network administrator via an automated notification, or it might be to prevent the attack by dropping the packet at a device.

Intrusion Prevention Versus Intrusion Detection
Intrusion detection is powerful in that you can be notified when potential problems or attacks are introduced into your network. However, detection cannot prevent attacks from occurring, because it operates on copies of packets. Often these copies of packets are received from another Cisco device (typically a switch). Sensors that operate using intrusion detection are said to run in promiscuous mode.

Intrusion prevention is more powerful because potential threats and attacks can be stopped from entering your network or a particular network segment. The sensor can perform prevention because it operates inline with packet flows.

IPS/IDS Terminology
You should be aware of the many security terms that are related to intrusion detection and prevention technologies.

Vulnerability
A vulnerability is a weakness that compromises the security or functionality of a particular system in your network. An example of a vulnerability is a web form on your public website that does not adequately filter inputs or guard against improper data entry. An attacker might enter invalid characters in an attempt to corrupt the underlying database.

Exploit
An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems. For example, if poor passwords are in use on your network, a password-cracking package might be the exploit aimed at this vulnerability.

False Alarms
False alarms are IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable.

False Positive
A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack. This type of traffic is often called benign traffic.

False Negative
A false negative occurs when attack traffic does not trigger an alert on the IPS device. This is often viewed as the worst type of false alarm—for obvious reasons.

True Alarms
The two types of true alarms in IPS terminology are true positive and true negative. Both are desirable.

True Positive
A true positive means that the IPS device recognized and responded to an attack.

True Negative
This means that nonoffending or benign traffic did not trigger an alarm.

Promiscuous Versus Inline Mode
IDS/IPS sensors operate in promiscuous mode by default. This means that a device (often a switch) captures traffic for the sensor and forwards a copy to the sensor for analysis. Because the sensor works with a copy of the traffic, it performs IDS. It can detect an attack and send an alert (as well as take other actions), but it does not prevent the attack from entering the network or a network segment. It cannot prevent the attack because it does not operate on traffic inline in the forwarding path. Figure 1 shows a promiscuous mode IDS implementation.

Figure 1: Promiscuous mode (IDS). [Figure elements: Attack, Copy of Attack, Management System]

If a Cisco IPS device operates in inline mode (see Figure 2), it can perform prevention as opposed to mere detection. This is because the IPS device is in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet).
Figure 2: Inline mode (IPS). [Figure elements: Attack, Management System]

To configure inline mode, you need two monitoring interfaces that are defined in the sensor as an inline pair. This pair of interfaces acts as a transparent Layer 2 structure that can drop an attack that fires a signature. Keep in mind that a sensor could be configured inline and could be set up so that it only alerts and doesn't drop packets. This would be an example of an inline configuration where only IDS is performed.

IPS version 6.0 software permits a device to operate in promiscuous mode and inline mode simultaneously. This would allow one segment to be monitored for IDS only while another segment features IPS protection.
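The distinction above (a promiscuous sensor sees only a copy and can alert, an inline sensor is in the forwarding path and can drop, and an inline sensor whose signatures only alert is still just an IDS) together with the true/false positive/negative vocabulary can be made concrete with a small simulated sensor. The code below is an added example, not code from the book or from Cisco; the signatures, patterns and packets are constructed, and the `malicious` flag on each packet is the ground truth used only to score the sensor.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    PROMISCUOUS = "promiscuous"   # sensor receives a copy of each packet: alert only
    INLINE = "inline"             # sensor sits in the forwarding path: alert and drop


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    malicious: bool   # ground truth used only to score the sensor (constructed)


@dataclass
class Signature:
    sig_id: int
    pattern: bytes
    drop: bool        # True if the signature carries a drop action


@dataclass
class Sensor:
    mode: Mode
    signatures: list

    def inspect(self, pkt: Packet):
        """Return (alerted, forwarded) for one packet.

        A promiscuous sensor only ever sees a copy, so the original packet is
        always forwarded. An inline sensor can drop the packet, but only if the
        matching signature is configured with a drop action; an inline sensor
        whose signatures only alert behaves as an IDS.
        """
        for sig in self.signatures:
            if sig.pattern in pkt.payload:
                dropped = self.mode is Mode.INLINE and sig.drop
                return True, not dropped
        return False, True


def classify(alerted: bool, malicious: bool) -> str:
    """Map one (sensor verdict, ground truth) pair onto the alarm vocabulary."""
    if alerted:
        return "true_positive" if malicious else "false_positive"
    return "false_negative" if malicious else "true_negative"


def evaluate(mode: Mode, signatures, packets):
    """Run the sensor over a packet list; return the alarm counts and the
    number of malicious packets that still reached their destination."""
    sensor = Sensor(mode, signatures)
    counts = {k: 0 for k in ("true_positive", "false_positive",
                             "false_negative", "true_negative")}
    attacks_delivered = 0
    for pkt in packets:
        alerted, forwarded = sensor.inspect(pkt)
        counts[classify(alerted, pkt.malicious)] += 1
        if forwarded and pkt.malicious:
            attacks_delivered += 1
    return counts, attacks_delivered


# Constructed signatures: 1000 drops on match, 1001 only alerts.
SIGNATURES = [
    Signature(1000, b"ATTACK-PATTERN-A", drop=True),
    Signature(1001, b"NOISY-PATTERN-B", drop=False),
]

# Constructed single-packet (atomic) traffic covering all four alarm outcomes.
PACKETS = [
    Packet("198.51.100.7", "10.0.0.5", b"GET /ATTACK-PATTERN-A", malicious=True),      # attack with a known signature
    Packet("192.0.2.20", "10.0.0.5", b"GET /report?NOISY-PATTERN-B", malicious=False),  # benign, but fires 1001
    Packet("198.51.100.9", "10.0.0.5", b"GET /ATTACK-PATTERN-C", malicious=True),      # attack with no signature yet
    Packet("192.0.2.21", "10.0.0.5", b"GET /index.html", malicious=False),             # benign
]

if __name__ == "__main__":
    for mode in Mode:
        counts, delivered = evaluate(mode, SIGNATURES, PACKETS)
        print(mode.value, counts, "attacks delivered:", delivered)
```

Both modes produce the same alarm counts (one of each kind), because detection is identical; the difference is that the promiscuous sensor lets both atomic attacks through while the inline sensor stops the one it has a drop signature for. The false negative (the pattern with no signature) is delivered in both modes, which is why the text calls it the worst kind of false alarm.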
Approaches to Intrusion Prevention

Signature-Based
Although Cisco uses a blend of detection and prevention technologies, signature-based IPS is the primary tool that Cisco IPS solutions use. Cisco releases signatures that are added to the device; they identify a pattern that the most common attacks present. This tool is much less prone to false positives and ensures that the IPS devices stop common threats. This type of approach is also called pattern matching. As different types of attacks are created, these signatures can be added, tuned, and updated to deal with the new attacks.

Anomaly-Based
This type of intrusion prevention technology is often called profile-based. It attempts to discover activity that deviates from what an engineer defines as “normal.” Because it can be so difficult to define what is “normal” activity for a given network, this approach tends to be prone to a high number of false positives. The two common types of anomaly-based IPSs are statistical and nonstatistical anomaly detection. The statistical approach learns about the traffic patterns on the network itself, and the nonstatistical approach uses information coded by the vendor.

Policy-Based
With this type of technology, the security policy is “written” into the IPS device. Alarms are triggered if activities are detected that violate the security policy coded by the organization. Notice how this differs from signature-based: signature-based focuses on stopping common attacks, and policy-based is more concerned with enforcing the organization’s security policy.

Protocol Analysis-Based
This approach is very similar to signature-based, but it looks deeper into packets because a protocol-based inspection of the packet payload can occur. Whereas most signatures examine rather common settings, protocol analysis-based inspection can perform much deeper packet inspection and is more flexible at finding some types of attacks.

Exploring Evasive Techniques
Because attackers are aware of IPS technologies, they have developed methods of countering these devices in an attempt to continue attacks on network systems.

String Match
In this type of attack, strings in the data are changed in minor ways in an attempt to evade detection. Obfuscation is one method, in which control characters, hexadecimal representation, or Unicode representation help disguise the attack. Another string-match type of evasive technique is to simply change the string’s case.

Fragmentation
With this evasive measure, the attacker breaks the attack packets into fragments so that they are more difficult to recognize. Fragmentation adds a layer of complexity for the sensor, which now must engage in the resource-intensive process of reassembling the packets.

Session
In this type of attack, the attacker spreads the attack using a large number of very small packets, without using fragmentation. TCP segment reassembly can be used to combat this evasive measure.

Insertion
In this evasive technique, the attacker inserts data that is harmless along with the attack data. The IPS sensor does not fire an alert because of the harmless data. The end system ignores the harmless data and processes only the attack data.

Evasion
With this type of evasive technique, the attacker causes the sensor to see a different data stream than the intended victim. Unlike the insertion attack, the end system sees more data than the sensor, which results in an attack.
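The string-match, fragmentation and insertion evasions described above all come down to the same defensive requirement: the sensor must match signatures against the data the end host will actually process, not against the raw bytes on the wire. The following is an added example (not code from the book or from the Cisco sensor) that shows the two sensor-side countermeasures: canonicalizing a byte string (decoding hexadecimal and Unicode-style escapes, then case-folding) before pattern matching, and reassembling a fragment train while discarding fragments whose TTL could not reach the protected host. The signature string `exploit-marker`, the escape formats handled, the fragment train and the `hops_to_target` parameter (the assumption that the sensor knows the hop distance to the host) are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed signature string in canonical (decoded, lower-case) form.
PATTERN = b"exploit-marker"

# %XX hex escapes and %uXXXX Unicode-style escapes, two of the obfuscation
# vehicles named in the text.
_ESCAPE = re.compile(rb"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def _decode_one(match):
    if match.group(1):
        return chr(int(match.group(1), 16)).encode("utf-8", "replace")
    return bytes([int(match.group(2), 16)])


def normalize(data: bytes, max_rounds: int = 4) -> bytes:
    """Canonicalize a byte string before signature matching.

    Escapes are decoded repeatedly (bounded, so double encoding cannot force
    an unbounded loop), then the result is case-folded so that case changes
    no longer matter.
    """
    for _ in range(max_rounds):
        decoded = _ESCAPE.sub(_decode_one, data)
        if decoded == data:
            break
        data = decoded
    return data.lower()


def naive_match(data: bytes) -> bool:
    """Exact-bytes match: this is what the string-match evasions defeat."""
    return PATTERN in data


def normalized_match(data: bytes) -> bool:
    """Match after normalization."""
    return PATTERN in normalize(data)


@dataclass
class Fragment:
    offset: int    # byte offset of this fragment within the datagram
    more: bool     # IP More Fragments flag
    ttl: int       # IP TTL
    data: bytes


def reassemble(fragments, hops_to_target=None):
    """Rebuild the datagram the way the end host would see it.

    When hops_to_target is given (assumption: the sensor knows the hop
    distance to the protected host), fragments whose TTL would expire before
    reaching that host are discarded; that is what lets the sensor see the same
    stream as the host despite a TTL-based insertion. Where two fragments claim
    the same offset, the first one seen wins. Returns None if the datagram is
    incomplete.
    """
    usable = fragments
    if hops_to_target is not None:
        usable = [f for f in fragments if f.ttl > hops_to_target]
    buf = bytearray()
    for frag in sorted(usable, key=lambda f: f.offset):   # stable sort keeps arrival order on ties
        if frag.offset < len(buf):
            continue                         # already covered by an earlier fragment
        if frag.offset > len(buf):
            return None                      # hole in the datagram
        buf += frag.data
        if not frag.more:
            return bytes(buf)
    return None


# Constructed fragment train with a decoy at offset 4 whose TTL is too low to
# reach a host 5 hops away. A sensor that ignores TTL reassembles the decoy and
# never sees the pattern; TTL-aware reassembly yields what the host receives.
FRAGMENTS = [
    Fragment(0, True, 64, b"EXPL"),
    Fragment(4, True, 2, b"XXXX"),    # decoy: expires in transit
    Fragment(4, True, 64, b"OIT-"),   # the bytes the end host actually receives
    Fragment(8, False, 64, b"marker"),
]

if __name__ == "__main__":
    for sample in (b"GET /EXPLOIT-MARKER", b"GET /%45xploit%2Dmarker", b"GET /%2545xploit-marker"):
        print(sample, naive_match(sample), normalized_match(sample))
    print(reassemble(FRAGMENTS), reassemble(FRAGMENTS, hops_to_target=5))
```

The decode loop is deliberately bounded: an unbounded "decode until stable" loop is itself a resource-exhaustion target, which is the last evasion the section goes on to describe.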
TTL-Based
One way to implement an insertion attack is to manipulate the fragments’ time-to-live value. With this evasive procedure, the IPS sensor sees a different data stream than the end system because of the manipulation of the TTL field in the IP header.

Encryption-Based
This is a very effective means of having attacks enter the network. The attacker sends the attack via an encrypted session. The IPS device cannot detect the encrypted attack. Because this method of foiling the IPS device exists, care must be taken to ensure that attackers cannot establish encrypted sessions.

Resource Exhaustion
Another evasive approach is to simply overwhelm the sensor. Often, attackers simply try to overwhelm the physical device or the staff in charge of monitoring by flooding the device with alarm conditions.

Chapter 4: Advanced Configurations

Virtual Sensors
- The persistent store is limited.
- The sensor must see both directions of traffic in the same VLAN group.
- Thanks to the Signature Definitions pane, you can add, clone, or delete signature definition policy for your virtual sensors.
- In the Event Action Rules pane, you can add, clone, or delete event action rules policy for your virtual sensors.
- In the Anomaly Detections pane, you can add, clone, or delete event action rules policy for your virtual sensors.
- You can define up to four virtual sensors. Note that the vs0 virtual sensor already exists and uses sig0, rules0, and ad0. You cannot delete or modify this sensor.

To add a virtual sensor, choose Configuration > Analysis Engine > Virtual Sensors.

Configuring Advanced Features

Anomaly Detection
A new feature of version 6.0 is its ability to detect worm-infected hosts. This component allows the sensor to learn about normal activity, send alerts, and take response actions for behavior that deviates from the norm. You should note that this feature cannot protect against e-mail-based worms such as Melissa. Anomaly detection looks for a single worm-infected host that enters the network and starts scanning, and for a network that becomes congested with worm traffic.

Anomaly Detection Components
Anomaly detection uses the following components:
- Scanner: A source IP that generates scan events on the same service for multiple destination IP addresses.
- Scan event:
  - TCP: Nonestablished connections
  - UDP: Unidirectional connections
  - ICMP or other: Unidirectional connections
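The scanner and scan-event definitions above translate directly into detection logic: collect the scan events (nonestablished TCP connections, unidirectional UDP/ICMP), group them by source and service, count distinct destinations, and compare the count with a threshold that depends on which zone the destinations fall in. The code below is an added example, not the sensor's own implementation; the zone networks, the per-zone thresholds and the flow records are constructed, and the threshold values are not the product's defaults.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    proto: str         # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int         # 0 for protocols without ports
    established: bool  # tcp: handshake completed; udp/icmp/other: a reply was seen


# Constructed zone layout: a zone is a set of destination addresses with its own
# threshold (distinct destinations per source and service). Assumed values.
ZONES = {
    "illegal": ([ip_network("192.0.2.0/24")], 1),   # addresses never used: one event is enough
    "internal": ([ip_network("10.0.0.0/8")], 5),
    "external": ([ip_network("0.0.0.0/0")], 10),
}


def zone_of(dst: str) -> str:
    """Most specific zone first; external is the catch-all."""
    addr = ip_address(dst)
    for name in ("illegal", "internal", "external"):
        nets, _threshold = ZONES[name]
        if any(addr in net for net in nets):
            return name
    return "external"


def is_scan_event(flow: Flow) -> bool:
    """TCP: nonestablished connection; UDP, ICMP or other: unidirectional."""
    return not flow.established


def detect_scanners(flows):
    """Group scan events by (source, service, destination zone) and report every
    source whose distinct-destination count reaches the zone threshold."""
    targets = defaultdict(set)
    for flow in flows:
        if is_scan_event(flow):
            key = (flow.src, flow.proto, flow.dport, zone_of(flow.dst))
            targets[key].add(flow.dst)
    scanners = []
    for (src, proto, dport, zone), dsts in sorted(targets.items()):
        threshold = ZONES[zone][1]
        if len(dsts) >= threshold:
            scanners.append({"src": src, "service": f"{proto}/{dport}",
                             "zone": zone, "destinations": len(dsts)})
    return scanners


# Constructed flow records.
FLOWS = (
    # one host probing tcp/445 on twelve internal addresses without completing a handshake
    [Flow("tcp", "10.1.1.5", f"10.2.0.{i}", 445, False) for i in range(1, 13)]
    # ordinary established web sessions: not scan events
    + [Flow("tcp", "10.1.1.7", f"10.2.0.{i}", 443, True) for i in range(1, 4)]
    # a single unanswered DNS query to an external resolver: below the external threshold
    + [Flow("udp", "10.1.1.5", "203.0.113.53", 53, False)]
    # pings into an address range that is never used: the illegal zone
    + [Flow("icmp", "10.1.1.9", "192.0.2.10", 0, False),
       Flow("icmp", "10.1.1.9", "192.0.2.11", 0, False)]
)

if __name__ == "__main__":
    for scanner in detect_scanners(FLOWS):
        print(scanner)
```

The single unanswered DNS query from 10.1.1.5 is a scan event but stays below the external threshold, which is the point of per-zone thresholds: the same source is reported for its internal tcp/445 sweep while its external DNS noise is ignored, and the illegal zone reports on the first event because nothing legitimate should ever go there.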
The anomaly detection feature uses the concept of zones. A zone is a set of destination IP addresses. By subdividing the network into zones, you can achieve a lower false-negative rate. There are three types of zones, each with its own thresholds: internal, external, and illegal. You configure anomaly detection by choosing Configuration > Anomaly Detections > ad0.

Learning is the process that anomaly detection uses to detect the normal state of the network. The two phases are Learn mode and Detect mode. Learn mode takes at least 24 hours. To set the operation mode to learning, choose Configuration > Analysis Engine > Virtual Sensors > Edit > Learn. To move to Detect mode, choose Configuration > Analysis Engine > Virtual Sensors > Edit > Detect.

The following anomaly detection event actions are possible:
- Produce alert writes the event to the Event Store.
- Deny attacker inline (inline only) does not transmit this packet and future packets originating from the attacker address for a specified period of time.
- Log attacker pairs starts IP logging for packets that contain the attacker address.
- Log pair packets starts IP logging for packets that contain the attacker and victim address pair.
- Deny attacker service pair inline blocks the source IP address and the destination port.
- Request SNMP trap sends a request to NotificationApp to perform Simple Network Management Protocol (SNMP) notification.
- Request block host sends a request to the Attack Response Controller (ARC) to block this host (the attacker).

To configure anomaly detection fully, you do the following:
- Add the anomaly detection policy to your virtual sensor.
- Configure the AD zones, protocols, and services.
- Set the anomaly detection operation mode to Learn.
- Let the sensor run in this mode for at least 24 hours.
- Switch to Detect mode.
- Configure the anomaly detection parameters.

To monitor anomaly detection, choose Monitoring > Anomaly Detection. Also, the command show statistics anomaly-detection was added to Cisco IPS Sensor Software version 6.0(1) and higher.

Passive Operating System Fingerprinting (POSFP)
POSFP lets the sensor determine which operating system hosts are running. The sensor analyzes network traffic between hosts and stores the type of operating system of these hosts with their IP addresses. The sensor inspects TCP SYN and ACK packets exchanged on the network to determine the operating system type. The sensor then uses the target host operating system to compute the Attack Relevancy Rating (ARR) component of the risk rating. The sensor has three ways to associate an IP address with an operating system identity: Configured, Imported, and Learned. You are not required to configure this feature, but you can control the following:
- Define operating system mappings: It is recommended that you configure OS mappings to define the identity of OSs running on critical systems.
- Import OS mappings: This is done through the external product interfaces. You import the mappings from CiscoWorks Management Center for Cisco Security Agent.
- Define the ARR for a specific IP address: This limits the ARR calculations to IP addresses on the protected network.
- Define event action rules filters using the target OS relevancy value: This provides a way to filter alerts solely on OS relevancy.

Configuration can be done by choosing Configuration > Policies > Event Action Rules > rules0 > OS Identifications. For monitoring, choose Monitoring > OS Identifications > Learned OS.

Blocking
To fully understand blocking, you should be familiar with the following terms:
- Blocking prevents packets from reaching their destination. Blocking is initiated by a sensor and is performed by another Cisco device at the sensor’s request.
- The Attack Response Controller (ARC) is the sensor’s blocking application. ARC, formerly known as Network Access Controller (NAC), is also used in rate limiting.
- Device management is the sensor’s ability to interact with a Cisco device and dynamically reconfigure the Cisco device to block the source of an attack in real time.
- The managed device is the Cisco device that actually blocks the attack.
- The blocking sensor is configured to control a managed device.
- The managed interface or VLAN is the interface or VLAN on the managed device where the sensor applies the dynamically created ACL or VLAN ACL (VACL).
- The active ACL or VACL is the ACL or VACL that is dynamically created and maintained by the sensor and that is applied to the managed interface or VLAN.

Blocking Devices
The ARC can control up to 250 supported devices. These can be Cisco routers, PIX 500 Series Security Appliances, Cat 6500, Cat 6500 Firewall Services Modules, or ASA 5500 Series Adaptive Security Appliances. Blocking is done with ACLs, VACLs, or the shun command. All the Cisco PIX security appliance models that support the shun command can be used as blocking devices.

Blocking Device Requirements
- The sensor must be able to communicate with the blocking device via IP.
- Network access must exist between the sensor and the blocking device using Telnet or SSH (the default).
- If you’re using SSH, add the blocking device to the sensor known host list by choosing Sensor Setup > SSH > Known Host Keys.

Guidelines
- Implement antispoofing.
- Identify hosts that should be excluded.
- Identify network entry points that will participate in blocking.
- Assign a block reaction to the appropriate signatures.
- Determine the appropriate blocking duration.

ARC Block Actions
Two events can cause the ARC to initiate a block:
- Automatic blocking is a signature configured with a block action. Examples are REQUEST BLOCK HOST and REQUEST BLOCK CONNECTION.
- Manual blocking is a manually configured block action.

Blocking Process
- An attack is launched against a server.
- The sensor detects the attack and fires a signature that is configured to block.
- The sensor writes a new ACL on the managed router.

ACLs
- For an external interface, prefer an inbound ACL direction. This would be the opposite for an internal interface.

The sensor takes full control of ACLs on the managed interface. A preblock ACL is an existing ACL. These override the deny lines resulting from blocks. Preblock ACLs are used to permit what you do not want the sensor to block. You can also have postblock ACLs that are added after the dynamically created ACL. These are used for additional blocking or permitting of what you want to occur on an interface or direction.

Configuration Tasks
- Assign a block reaction to a signature.
- Assign the sensor global blocking properties.
- Create the device login profiles.
- Define the blocking device properties.
- Optional: Define a master blocking sensor.

To configure blocking, choose Configuration > Blocking > Blocking Properties. To configure manual blocking, choose Monitoring > Active Host Blocks. For network blocks, choose Monitoring > Network Blocks.
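The blocking material above (ARC block requests, the exclusion list from the guidelines, a blocking duration, and an active ACL built from preblock entries, dynamic deny lines and postblock entries) can be modelled end to end. The following is an added example of that model, not the sensor's or the router's code: it keeps the active host blocks with their expiry, refuses to block excluded hosts, and renders the ACL the sensor would write to the managed interface in the order the text describes. The ACL name, the closing `permit ip any any`, the IOS-style syntax and all addresses and durations are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Block:
    host: str
    expires: int   # epoch seconds; the block is removed once now >= expires


class BlockingSensor:
    """Models the sensor's Attack Response Controller role: keeps the active
    host blocks and renders the ACL it would write to the managed interface.

    ACL layout follows the text: preblock entries first (they override the
    dynamic deny lines), then one deny per blocked host, then the postblock
    entries. The ACL name, the final 'permit ip any any' and the IOS syntax
    are assumptions made for this example.
    """

    def __init__(self, never_block, default_duration, preblock=(), postblock=(),
                 acl_name="IPS_example_in"):
        self.never_block = set(never_block)       # hosts excluded from blocking (guidelines above)
        self.default_duration = default_duration  # seconds, the global blocking duration
        self.preblock = list(preblock)
        self.postblock = list(postblock)
        self.acl_name = acl_name
        self.blocks = {}                          # host -> Block

    def request_block(self, host, now, duration=None):
        """Handle a REQUEST BLOCK HOST action (or a manual block).
        Returns False when the host is on the exclusion list."""
        if host in self.never_block:
            return False
        seconds = self.default_duration if duration is None else duration
        self.blocks[host] = Block(host, now + seconds)   # a repeat request refreshes the expiry
        return True

    def expire(self, now):
        """Drop blocks whose duration has elapsed."""
        self.blocks = {h: b for h, b in self.blocks.items() if b.expires > now}

    def active_hosts(self, now):
        self.expire(now)
        return sorted(self.blocks)

    def render_acl(self, now):
        """Return the ACL text the sensor would push for the current state."""
        lines = [f"ip access-list extended {self.acl_name}"]
        lines += [f" {entry}" for entry in self.preblock]
        lines += [f" deny ip host {host} any" for host in self.active_hosts(now)]
        lines += [f" {entry}" for entry in self.postblock]
        lines.append(" permit ip any any")
        return "\n".join(lines)


def scenario():
    """Constructed scenario: the management station is excluded and also
    permitted by a preblock entry; a postblock entry adds a static deny.
    Two automatic blocks arrive, then the ACL is rendered at two times."""
    sensor = BlockingSensor(
        never_block={"10.0.0.1"},
        default_duration=1800,
        preblock=["permit ip host 10.0.0.1 any"],
        postblock=["deny ip 192.0.2.0 0.0.0.255 any"],
    )
    t0 = 1_000_000
    accepted = [
        sensor.request_block("198.51.100.7", t0),               # default duration
        sensor.request_block("203.0.113.9", t0, duration=60),   # short block
        sensor.request_block("10.0.0.1", t0),                   # excluded host: refused
    ]
    return accepted, sensor.render_acl(t0 + 30), sensor.render_acl(t0 + 120)


if __name__ == "__main__":
    accepted, early, later = scenario()
    print(accepted)
    print(early)
    print("---")
    print(later)
```

Two defensive details are worth noting: the exclusion list is checked before a block is ever recorded, so a spoofed attack from the management station cannot lock administrators out (the antispoofing and exclusion guidelines), and every block carries an expiry, so the active ACL shrinks on its own once the configured duration passes.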
Chapter 5: Additional Intrusion Detection and Prevention Devices

Master Blocking
A master blocking sensor is any sensor that controls blocking on a device on behalf of another sensor. A blocking forwarding sensor sends block requests to a Master Blocking Sensor (MBS). A sensor can forward block requests to a maximum of 10 MBS. To have a sensor initiate blocking on behalf of another sensor, you must configure both sensors. On the blocking forwarding sensor, do the following:
- Identify the remote host that serves as the MBS.
- Add the MBS to the blocking forwarding sensor TLS trusted host table.
- On the MBS, add the blocking forwarding sensor IP address to the allowed host configuration.
- Choose Configuration > Blocking > Master Blocking Sensor.

Additional Intrusion Detection and Prevention Devices

IDSM-2
The Cisco Catalyst 6500 Series switches support the Intrusion Detection System Services Module (IDSM-2). This is a powerful option for adding IPS capabilities to the network, because it leverages the existing Cisco network infrastructure. The IDSM-2 also benefits from the power of the 6500 series switches.

Overview
You should be aware of some key differences between this module and a typical Cisco IPS sensor (such as the 4200 series):
- It does not support sensor virtualization using inline VLAN groups.
- It does not support subdividing inline interfaces or VLAN groups.
- It automatically synchronizes its clock with the switch.
- It does not have a clock set command.
- It has only two sensing interfaces.
- It must be configured with a native VLAN.
- It does not have console access.
- Several of the IDSM-2-related commands are executed on the 6500 switch.
- It has a maintenance partition. This allows for a simple full system reimage of the IDSM-2.
- Features vary, depending on whether promiscuous mode or inline mode is used.

The IDSM-2 has four logical ports:
- Port (System0/1): TCP reset port for promiscuous mode
- Port (Gi0/2): Command and control port
- Ports (Gi0/7, Gi0/8): Monitoring ports

Time Configuration
You can use one of the following options:
- Configure time synchronization with the switch. Only UTC is synched; you still must configure time zone and daylight saving settings.
- Configure the module to use an NTP time source.

Installing
Use the following procedure:
- Physically install into the chosen slot.
- Initialize using the setup command. The default username and password are both cisco. Use the session command at the switch to access the module CLI.
- Configure the switch for command and control access. Assign the command and control port to the correct VLAN.
- Configure the interfaces to receive traffic. Set the native VLAN for the sensing ports. Clear all VLANs from the sensing ports except for the native VLAN. Enable BPDU STP filtering on the sensing port.
- Configure for inline operation using an inline pair. Configure the sensing ports as a port pair. Assign the port pair to the default virtual sensor.

Monitoring
You can use the show module command at the switch CLI to display module status and information. You can use the upgrade command to apply image upgrades, service packs, and signature updates to the IDSM-2.

ASA AIP-SSM
Another powerful IPS option for your network is the Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (ASA AIP-SSM). This module, shown in Figure 5, works in conjunction with a Cisco Adaptive Security Appliance.

[Figure 5: ASA AIP-SSM (front panel with Status and Power indicators, Link/Act and Speed LEDs, and an Ethernet port)]

Overview
You should be aware of the major differences between this device and a 4200 series sensor:
- The AIP-SSM automatically synchronizes its clock with the Cisco ASA, but it does not synchronize time zone or summertime settings.
- The AIP-SSM has no clock set command.
- The command and control interface is GigabitEthernet0/0.
- The AIP-SSM has only one sensing interface.
- The AIP-SSM does not support an alternate TCP reset interface.
- It does not require two interfaces to be in inline mode.
- It does not support inline VLAN pairs or inline pairs.
- The AIP-SSM supports sensor virtualization starting with Cisco ASA Software Version 8.0.
- It has no console access.
- Many AIP-SSM commands are executed from the Cisco ASA command-line interface.

The AIP-SSM supports an internal (sensing) Gigabit Ethernet (GigabitEthernet0/1) and an external (command and control) Gigabit Ethernet (GigabitEthernet0/0) interface to the ASA 5500 Series Adaptive Security Appliance main card. The internal interface is the primary IPS data path interface for both inline and promiscuous IPS packets. The external 10/100/1000 Ethernet interface is used primarily for downloading AIP-SSM software and for ASDM access. The external 10/100/1000 Ethernet interface has an IP address configured (10.1.9.201/24).

You must configure whether the device fails open or fails closed. Fail-open allows traffic to continue to flow even if the AIP-SSM fails.

Initializing the Module
You must initialize the device as follows:
1. Load the IPS software if necessary. Use the show module detail command to see the software state. If the software load is required, use the hw module recover command to load a recovery software image to the AIP-SSM from a TFTP server. Use the hw module recover boot command to initiate the TFTP download of the image defined in the hw module recover configure command.
2. Configure the initial setup of the AIP-SSM using the setup command.
3. Configure a security policy on the ASA using the ASDM graphical user interface.

Chapter 6: Monitoring and Maintenance

Maintaining the Sensor
You need to be able to perform several maintenance tasks using the sensor.

Licensing
Remember that licensing is extremely important when it comes to the sensor modules and devices. Licensing dictates exactly what features and performance capabilities are possible. Apply for the appropriate license at http://www.cisco.com/go/license. Use the copy command with the keyword license-key to install. If you’re using the IDM, choose Configuration > Licensing.

Upgrade and Recovery
These are the three sensor image types:
- Application is used for operation.
- System is used for reimaging.
- Recovery is the application image plus an installer used for recovery.

Use the upgrade command to apply image upgrades, service packs, and signature updates.

For a full system reimage, you can use the CD-ROM drive if it’s available. If it isn’t, use the network. Follow these steps:
1. Place the image on a TFTP server.
2. Verify access.
3. Reboot the sensor.
4. Escape the boot sequence by pressing Ctrl-R.
5. Verify that the IPS Sensor BIOS is 5.1.7 or later and that the ROM monitor version is 1.4 or later.
6. Change the interface port number if necessary.
7. Specify the sensor’s IP address.
8. Specify the IP address of the sensor default gateway.
9. Specify the path and filename of the TFTP server.
10. Begin the TFTP download.

If your IPS sensor application image becomes corrupted, you can recover it using one of two methods:
- Use the recover command.
- Choose the Cisco IPS recovery image from the boot menu during bootup. This method also retains your sensor IP address, subnet mask, and default gateway settings. It’s useful if you are unable to access the CLI.

Service Packs and Signature Updates
From the IDM Update Sensor panel, you can immediately apply service pack and signature updates. The sensor does not download service pack and signature updates from Cisco.com. You must download them from Cisco.com to an FTP, SCP, HTTP, or HTTPS server and then configure the sensor to download them from your server. Choose Configuration > Update Sensor.

You can configure automatic updates to have service pack or signature updates that reside on a local FTP or SCP server downloaded and applied to your sensor. Choose Configuration > Auto Update.

Password Recovery
For most Cisco IPS sensor platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. Password recovery implementations vary according to Cisco IPS sensor platform requirements.

Restoring
To restore a sensor to its original configuration, choose Configuration > Restore Defaults in the Cisco IDM.

Backup and Restore
To back up and restore configurations, use the copy command at the CLI. You can use the /overwrite switch to overwrite one configuration with another. For example, to overwrite the current configuration with the backup configuration, you would issue the command:
copy /erase ftp://100.20.34.15/mybackup-config current-config

Managing Sensors
You should also monitor and manage the sensor’s health.

The CLI
Use the show inventory command to obtain Cisco Product Evolution Program (PEP) information. This will help you electronically inventory your Cisco equipment and simplify product identification. Use the show statistics command with additional keywords to provide a snapshot of the current internal state of sensor services. Use show interfaces for interface statistics. To display operating system IDs associated with the IP addresses learned by the sensor through passive analysis, use the show os-identification command. Use the show ad-knowledge-base command to display the anomaly detection knowledge base files available for a virtual sensor. Use the show tech-support command to capture all status and configuration information on the sensor.

Sensor Monitoring
Choose Monitoring > Support Information > Diagnostics Report to obtain important diagnostic information about your sensor. Also, you can choose Monitoring > Support Information > Statistics and Monitoring > Support Information > System Information to see a wealth of information about your device. This includes versions, status of applications, upgrades installed, and PEP information. Also, you should consider monitoring with Cisco Security Manager or SNMP for enhanced capabilities and more manageability. For SNMP configuration of the sensor, choose Configuration > SNMP > SNMP General Configuration.