These slides taken from Cisco live 2012 & 3/20/2014
Eng. Mohannad Alhanahnah 1
IPS v7.0
Agenda:
• CCNP Security IPSv7 Exam Topics Review
• Introduction to Intrusion Prevention & Detection
• Installing and Maintaining Cisco IPS Sensors
• Applying Cisco IPS Security Policies
• Deploying Anomaly-based Operation
• Managing & Analyzing Events
• Deploying Virtualization, High Availability, and High Performance Solutions
• Configuring and Maintaining Specific Cisco IPS Hardware
IPSv7.0 Exam Topics Review:
• Approximately 90 minute exam
• 60-70 questions
• Register with Pearson Vue
–http://www.vue.com/cisco
• Exam cost is $200.00 US
• Question Types
–Multiple-choice single answer
–Multiple-choice multiple answer
–Drag-and-drop
–Fill-in-the-blank
–Testlet / Simlet / Simulations
• Rule out the nonsense
• Look for the best answer when multiple exist
• Look for subtle keys
• Narrow it down
• Relate to how the device works
• Don’t waste too much time
Preparing for the IPS Exam:
• Recommended reading
–CCNP Security IPS 642-627 Official Cert Guide
–CCSP books are still good for reference
–Cisco IPS 7.0 Configuration Guide
• Cisco learning network
www.cisco.com/go/learnnetspace
• Practical experience
–Real equipment
–IDM in demo mode
IPSv7.0 Exam Topics:
• Pre-Production Design
• Choose Cisco IPS technologies to implement High Level Design
• Choose Cisco products to implement High Level Design
• Choose Cisco IPS features to implement High Level Design
• Integrate Cisco network security solutions with other security technologies
• Create and test initial Cisco IPS configurations for new devices/services
• Complex Support Operations
• Optimize Cisco IPS security infrastructure device performance
• Create complex network security rules, to meet the security policy requirements
• Configure and verify the IPS features to identify threats and dynamically block them from entering the network
• Maintain, update and tune IPS signatures
• Use CSM and MARS for IPS management, deployment, and advanced event correlation
• Optimize security functions, rules, and configuration
• Advanced Troubleshooting
• Advanced Cisco IPS security software configuration fault finding and repairing
• Advanced Cisco IPS sensor and module hardware fault finding and repairing
Introduction to Intrusion Prevention and
Detection:
The Evolution of the Internet: A Shift to Financial Gain
Top-Ten Cyber Security Menaces:
•Sophisticated website attacks
•Increasing botnet sophistication and effectiveness
•Growing cyber espionage
•Emerging mobile phone threats
•Insider attacks
•Advanced identity theft
•Increasingly malicious spyware
•Web application security exploits
•Sophisticated social engineering
•Supply-chain attacks infecting consumer devices
Cisco Intrusion Prevention Services:
•Intelligent Detection
• Vulnerability and Exploit specific Signatures
• Traffic and Protocol Anomaly Detection
• Knowledge base Anomaly Detection
• Reputation Filters
•Precision Response
• Risk Management-based Policy
• Global Correlation adding reputation
• On-box Correlation through Meta Event Generator
• “Trustworthiness” Linkages with the Endpoint
•Flexible Deployment
• Passive and/or Inline with Flexible Response (IDS/IPS)
• Sensor Virtualization
• Physical and logical (VLAN) interface support
• Software and Hardware bypass
Cisco Security Intelligence Operations:
Cisco IPS Intelligent Detection Capabilities: Vulnerability and Exploit-Based Signatures:
Cisco IPS Product Portfolio: Integrated Security Across the Network:
Cisco IPS 4200 Series Sensors Comparison:
AIP-SSM Module:
Catalyst 6500 IDSM2:
Cisco IPS Architecture:
Packet Flow in IPS v7.0:
• IPS Reputation Filters block access to IPs on stolen ‘zombie’ networks or networks controlled entirely by malicious organizations.
• Global Correlation Inspection raises the Risk Rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without negative reputation.
• IPS Version 7.0 software permits a device to do promiscuous mode and inline mode simultaneously, which allows some segments to be monitored for IDS only while other segments use IPS protection.
Overview of Intrusion Detection Systems (IDS):
IDS Option 1: Single Interface:
Spanning traffic to the IPS 4200
IDS option 2: VLAN Groups:
Overview of Intrusion Prevention Systems (IPS):
IPS Option 1 : Interface Pairing:
Interface Pairing
• Bump in the Wire (intelligent wire)
• Two physical Interfaces
• Switch Ports configured as Access Ports or Trunk
IPS Option 2 : VLAN on-a-Stick:
VLAN-on-a-Stick
• VLAN Mapping
• One Physical Interface configured as Trunk
IPS Option 3 : VLAN Groups:
IPS in ASA Appliance:
• ASA redirects traffic to IPS Service Module
• Module can be used as IDS (promiscuous) or IPS (inline)
• Virtual Sensor and Failure Policy can be defined
Areas of Network IPS or IDS Deployment:
Key Terms & Acronyms:
Vulnerability: A vulnerability is a weakness that compromises the security or functionality of a particular system in your network.
Exploit: An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems.
Signature: A signature is a set of instructions the sensor uses to identify an unwanted traffic type.
False Alarms: False alarms are IDS/IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable.
True Alarms: The two types of true alarms in IDS/IPS terminology are true positive and true negative. Both are desirable.
Security Controls:
• False Positive
– A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack.
• False Negative
– A false negative occurs when attack traffic does not trigger an alert on the IDS/IPS device. This is often viewed as the worst type of false alarm.
• True Positive
– A true positive means that the IDS/IPS device recognized and responded to an attack.
• True Negative
– This means that non-offending or benign traffic did not trigger an alarm.
Approaches to Intrusion Prevention:
• Signature Based
• Anomaly Based
• Policy Based
• Protocol Analysis Based
• Reputation Based
Version 7.0 of the Cisco IPS Sensor Software adds many new features, including the following:
■ Virtualization support: Allows different policies for different segments that are being monitored by a single sensor.
■ New signature engines: Additions that cover Server Message Block and Transparent Network Substrate traffic.
■ Passive operating system fingerprinting: A set of features that enables Cisco IPS to identify the operating system of the victim of an attack.
■ Improved risk and threat rating system: The risk rating helps with alerts and is now based on many different components to improve the sensor’s performance and operation.
■ Global correlation: Allows the sensor to take stronger preventive action against traffic originating from hosts with a negative reputation score.
■ Reputation filtering: Blocks all network traffic originating from hosts with the worst reputations.
■ Enhanced health and performance monitoring: Allows the IPS administrator to better monitor the performance of the sensors.
■ IPv6 detection and prevention: The ability to analyze both IPv4 and IPv6 network traffic.
■ Cisco Intrusion Prevention System Manager Express (IME): A new and improved GUI for management and monitoring of multiple IPS devices.
■ Anomaly detection: Designed to detect worm-infested hosts.
Cisco Sensor Family
The Cisco sensor family includes the following devices:
■ Cisco IDS 4240 sensor
■ Cisco IPS 4255 sensor
■ Cisco IPS 4260 sensor
■ Cisco IPS 4270 sensor
■ Cisco Catalyst 6500 series IDSM-2
■ Cisco ASA AIP-SSM-10
■ Cisco ASA AIP-SSM-20
■ Cisco ASA AIP-SSM-40
■ Cisco AIM IPS module for ISR routers
■ Cisco NME IPS module for ISR routers
Management Options:
For a single device (element management), options include
the following:
■ Command-line interface (CLI)
■ Cisco IPS Device Manager (IDM)
■ Cisco IPS Manager Express (IME)
For multiple-device management, options include the
following:
■ Cisco IPS Manager Express (IME), for one to ten sensors
■ Cisco Security Manager (CSM), for one or many sensors
■ Cisco Security Monitoring, Analysis, and Response System
(MARS)
Deploying Sensors:
Consider these technical factors when selecting sensors for deployment in an organization:
■ The network media in use.
■ The performance of the sensor.
■ The overall network design.
■ The IPS design: Will the sensor analyze and protect many systems, or just a few?
■ Virtualization: Will multiple virtual sensors be created in the sensor?
The CLI can be used to
■ Initialize the sensor
■ Configure
■ Administer
■ Troubleshoot
■ Monitor
Initializing the Sensor:
The setup command at the CLI walks you through initialization. You can do the following:
■ Assign a hostname to the sensor. This is case sensitive. It defaults to sensor.
■ Assign an IP address to the command and control interface. The default is 10.1.9.201/24.
■ Assign a default gateway. The default is 10.1.9.1.
■ Enable or disable the Telnet server. Telnet is disabled by default.
■ Specify the web server port. The default is 443.
■ Create network access control lists (ACL) that can access the sensor for management.
■ Configure the date and time.
■ Configure the sensor interfaces.
■ Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs.
■ Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.
Initial Setup of IPS Appliance:
• CLI wizard performs basic configuration to allow network connectivity for the GUI.
Threat and Risk Rating:
Calculating Threat and Risk:
• RR = [(ASR x TVR x SFR) / 10,000] + ARR – PD + WLR
Example:
– ASR = 75, SFR = 90, PD = 0 (inline mode), TVR = 100, ARR = 10, and WLR = 0
– RR = [(75 x 100 x 90) / 10,000] + 10 – 0 + 0 = 77.5, rounded to 78
• TR = RR – Threat Rating Adjustment
– Configuration > Policies > Event Action Rules > rules0 pane, General tab
Real-Time Risk-based Policy: Risk Rating and IPS Policy
• A quantitative measure of each threat before IPS mitigation.
Threat Rating: Post-policy Evaluation of Incident Urgency
Where do I configure actions?
Actions are configured in 3 different places:
– The signature itself, where you define the default response if this signature is triggered
– The event action override, which lets the system add actions depending on the risk rating
– The event action filters, where the system can remove actions depending on several parameters such as the signature ID or the addresses of the attacker or victims…
Master engine: Event Actions
Installing and Maintaining Cisco IPS Sensors:
IPS Deployment Options:
■ Promiscuous mode: In this mode, packets do not flow through the sensor. Instead, packets are copied to the interface from a network device. This is also known as IDS mode.
■ Inline Interface Pairing mode: Traffic passes through the sensor, from one interface to another. Two monitoring interfaces must be configured as a pair. The sensor functions as a Layer 2 bridge for this traffic.
■ Inline VLAN Pairing mode: Here, the monitoring interface acts as an 802.1Q trunk port. The sensor bridges between pairs of VLANs on the trunk.
■ VLAN Group mode: Each physical interface can be divided into VLAN group subinterfaces. This enables you to use a sensor with only a few interfaces as if it had many interfaces.
Cisco IPS Sensor Promiscuous Mode Deployment:
Cisco IPS Sensor Inline Interface Mode Deployment:
Cisco IPS Sensor Inline VLAN Pair Mode Deployment:
Cisco IPS Sensor Inline VLAN Group Mode Deployment:
Cisco IPS Sensor Selective Inline Analysis Mode Deployment:
Applying Cisco IPS Security Policies:
IPS 4200 Appliance Management Interface:
• IPS 4200 Sensor managed through out-of-band interface
• IPS management uses SSH or HTTPS (SDEE)
Assigning a Virtual Sensor:
Both IDS and IPS require the assignment of a virtual sensor, even if only one virtual sensor (e.g. vs0) is used!
IPv6 and Cisco IPS:
• IPv6 is default for Windows 2008, Vista and Windows 7!
• Can analyze native IPv6 traffic
• Can detect IPv6 tunneled traffic
• IPS tuning can be done on IPv4 and IPv6 traffic simultaneously
Usage of Dual-Stack on all Engines: Service HTTP:
Usage of Dual-Stack on all Engines: String TCP with Custom Signature
Deploying Anomaly-Based Operation:
Signature:
• A signature is used to detect a potential threat.
• Cisco signatures are vulnerability focused, not exploit focused.
• Different types of signatures are needed. To match these signatures efficiently against the type of traffic, different engines are used.
• A signature can have several statuses:
• Retired vs. Active
• Disabled vs. Enabled
Types of Signatures:
• Three types of Signatures
– Default – Included in the sensor software. (ID range is 1,000 – 59,000)
– Tuned – Built-in signatures that the user/administrator modifies.
– Custom – New signatures that the user/administrator creates. (Custom ID range is 60,000 – 65,000)
What Is an Engine?
• A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category.
• An engine is composed of a parser and an inspector.
• Each engine has a set of parameters that have allowable ranges or sets of values.
The Different Engine Families:
• Atomic engine – Looks at attacks contained in a single packet
• Flooding – Specialised in attacks that involve flooding hosts with packets
• String – Looks for patterns across several packets
• Sweep – Specialised in attacks that involve scanning of hosts and ports
• Anomaly detection – Baselines the traffic first, then looks for threshold violations
• Service engines – Specialised engines looking at services like DNS, HTTP, FTP, …
• And many others....
• ATOMIC signature engines are
■ ATOMIC ARP
■ ATOMIC IP
■ ATOMIC IP ADVANCED
■ ATOMIC IPv6
• The FIXED engines are
■ FIXED ICMP
■ FIXED TCP
■ FIXED UDP
• FLOOD signature engines are
■ FLOOD NET
■ FLOOD HOST
• SERVICE signature engines are
■ SERVICE DNS
■ SERVICE FTP
■ SERVICE FTP V2
■ SERVICE GENERIC
■ SERVICE GENERIC ADVANCED
■ SERVICE H225
■ SERVICE HTTP, etc.
• The STRING engines are
■ STRING ICMP
■ STRING ICMP XL
■ STRING TCP
■ STRING TCP XL
■ STRING UDP
■ STRING UDP XL
■ MULTI STRING
What is the difference between STRING and FIXED engines?
FIXED differs from STRING in that FIXED signatures watch all TCP/UDP ports, whereas STRING signatures watch only defined ports.
• The SWEEP engines are
■ SWEEP
■ SWEEP OTHER TCP
• TROJAN engines are:
■ TROJAN BO2K examines UDP and TCP traffic for Back Orifice.
■ TROJAN TFN2K examines UDP, TCP, or ICMP traffic for irregular
traffic patterns and corrupted headers.
■ TROJAN UDP examines UDP traffic for Trojan attacks.
Normalizer Module:
Normalizer Engine Signatures:
• The normalizer signatures are designed for inline mode only
• These signatures perform several tasks, including:
–Watch for packets with illegal combinations of flags
–Watch for bad checksums
–Watch for TCP segment overrides
–Watch for fragmented traffic
–Much more
• The normalizer denies or fixes abnormal packets
TCP Normalization – How:
Layer 4 protection
• Strict tracking of TCP state
• Strict tracking of sequence numbers (including support for PAWS checks)
• Best-effort tracking of previous data seen for un-acked inspected content (prevents/detects overwrites in the TCP sequence space)
• Checksums and invalid TCP flags
• Ability to modify TTLs to monotonically decrease or remain steady over the life of the flow
• URG pointer normalization
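Two of the checks the normalizer slides above list, illegal TCP flag combinations and bad checksums, as an added Python example that is not part of these slides. The segments it inspects are constructed inline (no capture, no sockets); the flag combinations it treats as illegal are this example's own list, and the state, sequence and TTL tracking from the slide are not covered.

```python
import struct
from ipaddress import IPv4Address

# Added example (not from the slides): normalizer-style checks for
# illegal TCP flag combinations and bad TCP checksums over constructed
# IPv4/TCP segments. In inline mode the normalizer would deny or fix
# such packets; here we only report what it would flag.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def illegal_flag_reason(flags):
    """Return why a TCP flag byte is illegal, or None if it is acceptable."""
    if flags & 0x3F == 0:
        return "null scan: no flags set"
    if flags & SYN and flags & FIN:
        return "SYN and FIN set together"
    if flags & SYN and flags & RST:
        return "SYN and RST set together"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "xmas scan: FIN/PSH/URG without ACK"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


def ones_complement_sum(data):
    """RFC 1071 checksum of data (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src).packed,
                         IPv4Address(dst).packed, 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def build_segment(src, dst, sport, dport, flags, payload=b"", seq=0, ack=0,
                  bad_checksum=False):
    """Constructed sample data: a 20-byte-header TCP segment with a correct
    checksum, or a deliberately corrupted one when bad_checksum is set."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                         8192, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src, dst, segment)
    if bad_checksum:
        csum ^= 0x0001  # flip one bit so verification fails
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def inspect_segment(src, dst, segment):
    """Normalizer-style verdict: list of problems found; empty means the segment passes."""
    if len(segment) < 20:
        return ["truncated TCP header"]
    problems = []
    reason = illegal_flag_reason(segment[13])  # byte 13 holds the flag bits
    if reason:
        problems.append(reason)
    stored = struct.unpack("!H", segment[16:18])[0]
    if stored != tcp_checksum(src, dst, segment):
        problems.append("bad TCP checksum")
    return problems


if __name__ == "__main__":
    src, dst = "10.0.0.1", "10.0.0.2"
    for label, seg in [
        ("normal SYN", build_segment(src, dst, 40000, 80, SYN)),
        ("SYN+FIN", build_segment(src, dst, 40000, 80, SYN | FIN)),
        ("bad checksum", build_segment(src, dst, 40000, 80, ACK, bad_checksum=True)),
        ("data", build_segment(src, dst, 40000, 80, PSH | ACK, payload=b"GET")),
    ]:
        print(f"{label:13s} -> {inspect_segment(src, dst, seg) or 'pass'}")
```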
Real-Time Anomaly Detection for Day Zero Threats:
• Anomaly Detection algorithms to detect and stop Day-Zero
threats
• Real-time learning of normal network behavior
• Automatic detection and policy-based protection from
anomalous threats to the network
• Result: Protection against attacks for which there is no
signature
Protocol-Anomaly Detection:
Managing and Analyzing Events:
Cisco IPS Manager Express (IME): All-in-One IPS Management Application for up to 10 IPS Sensors
CSM 4.3 – IPS Configuration:
• Centrally manage multiple physical and virtual Sensors
• Tune policies
• Create custom Signatures
• Track Policy Change
• Update Signatures and Software for IPS Sensors
CSM 4.3 – Event logging and filtering:
• Log and monitor all IPS Events
• Granular Filtering and searching through events
• Customizable view
• Event to Policy mapping
CSM 4.3 – Reporting:
• Tactical Reporting
• Export to PDF or CSV
• Schedule Reports
• Customizable Graph and Data
CSM 4.3 – Health Monitoring:
• Monitor IPS systems for throughput, CPU, memory, number of events, status of hardware, ...
• Get an alert when the status changes
IPS Sensor Management:
Deploying Virtualization, High Availability, and High Performance Solutions
Flexible Deployment: Sensor Virtualization:
How to place a Sensor into such an Environment?
Introducing Cisco Nexus 1000V for VMware ESX: Simplifying Virtual Machine & Network Policy Management:
• Policy Based VM Connectivity
–Mobility of Network & Security Properties
• Virtual Center integration for server administrators
• Cisco NX-OS environment for Network administrators
• Ensures visibility & policy enforcement during VMotion
• Compatible with any switching platform
SPAN Technologies Overview:
• Local SPAN: Mirrors traffic from one or more interfaces or VLANs on the switch to one or more other interfaces (or a service module) on the same switch.
• Remote SPAN (RSPAN): Mirrors traffic from one or more interfaces or VLANs on the switch to a special RSPAN VLAN, which carries the traffic across a Layer 2 switched network to one or more other switches. The other switches mirror the traffic from the RSPAN VLAN to one or more of their local interfaces (or service modules).
• Encapsulated Remote SPAN (ERSPAN): Mirrors traffic from one or more interfaces or VLANs on the switch into an IP GRE tunnel, which carries the traffic across an arbitrary Layer 3 network to another device. If the destination is another ERSPAN-capable switch, it decapsulates the monitored packets and mirrors them to one or more of its local interfaces (or service modules).
How to place a Sensor into such an Environment?
Server Virtualization IDS and ERSPAN:
Ethernet Network Policy
• Take a copy of the traffic from the servers and switch it to the appliance
• IPS appliances analyze server traffic and log activity
Nexus 1000V makes this possible
• ERSPAN: set a port-profile with a switchport SPAN session; IP SPAN the traffic to the 6500
• SPAN to the connected 4200 IPS
• Permit protocol type header “0x88BE” for ERSPAN GRE
ERSPAN:
Sample Config for ERSPAN on N1K:
IPS in a virtualized DC:
• Use cases
– Protect server farms through IPS
– Monitoring / alarming through IPS in IDS mode
• Products
– Cisco IPS 4260 / 4270 appliance as:
IPS: via external service chassis
IDS: via SPAN technology
– Cisco ASA IPS SSM for ASA 5585-X as IPS only
– Cisco IDSM-2 switch module as:
IPS: via external service chassis
IDS: via switch-internal SPAN session
IDSM-2 is only available for the Cat6K; there is no N7K module
High Availability and Scaling:
• Fail-open (Fail-Safe) techniques: Hardware or software that functions to detect problems and pass packets through the device without inspection when required
• Fail-secure (Fail-Closed) techniques: Hardware or software techniques that will stop forwarding any packets if the IPS fails
• Failover: One or more paths through the network to allow packets, in the event of a device failure, to either go through a backup IPS sensor or through a plain wire
• Load Balancing: Using devices or software features to split a traffic load up across multiple devices. This can achieve both higher data rates and redundant paths in case of failure
Configuring and Maintaining Specific Cisco IPS Hardware
Cisco IPS Sensor Initial Setup and Management:
• Using basic Cisco IPS CLI features.
• Configuring and verifying basic Cisco IPS sensor parameters.
• Configuring and verifying the Cisco IDM features and properties.
• Troubleshooting the initial configuration of the sensor.
• Troubleshooting basic Cisco IPS hardware problems.
• Restoring the Cisco IPS to its default configuration.
• Managing Cisco licenses and software.
• Software upgrade and recovery.
• Updates and installation of IPS signatures.
• Managing access and password recovery on the Cisco IPS sensor.
• Using the CLI and IDM to perform sensor management and monitoring.
Applying Cisco IPS Security Policies:
• Deploying and managing Cisco IPS Sensor basic traffic analysis.
• Virtual sensor setup
• Traffic Normalization
• IPv6 Support
• Bypass mode
• Deploying and managing basic aspects of Cisco IPS signatures and responses.
• Signatures (types, features, properties, and actions).
• IP Logging and Filters
• Evaluating the Cisco IPS signature engines and built-in signature database.
• Deploying and managing Cisco IPS anomaly-based detection features.

More Related Content

What's hot

Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
Lancope, Inc.
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
Cisco Canada
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
Amy Gerrie
 
checkpoint
checkpointcheckpoint
checkpoint
Mayank Dhingra
 
Cisco asa fire power services
Cisco asa fire power servicesCisco asa fire power services
Cisco asa fire power services
Tapan Doshi
 
NSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
NSO: Network Service Orchestrator enabled by Tail-f Hands-on LabNSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
NSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
Cisco Canada
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A Survey
Adeel Ahmed
 
Presentación - Cisco ASA with FirePOWER Services
Presentación -  Cisco ASA with FirePOWER ServicesPresentación -  Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER Services
Oscar Romano
 
Check point presentation june 2014
Check point presentation june 2014Check point presentation june 2014
Check point presentation june 2014David Berkelmans
 
Meraki powered services bell
Meraki powered services   bellMeraki powered services   bell
Meraki powered services bell
Cisco Canada
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overviewali raza
 
Checkpoint Firewall Training | Checkpoint Firewall Online Course
Checkpoint Firewall Training | Checkpoint Firewall Online CourseCheckpoint Firewall Training | Checkpoint Firewall Online Course
Checkpoint Firewall Training | Checkpoint Firewall Online Course
Global Online Trainings
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6Irsandi Hasan
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
Lancope, Inc.
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies
sushmil123
 
Ayulgui baidliin buteegdehunud Checkpoint Worldwide #1 Security products
Ayulgui baidliin buteegdehunud Checkpoint Worldwide #1 Security productsAyulgui baidliin buteegdehunud Checkpoint Worldwide #1 Security products
Ayulgui baidliin buteegdehunud Checkpoint Worldwide #1 Security products
VertexMon VertexMon
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
Lancope, Inc.
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewallAnwesh Dixit
 
Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?
Justin Black
 

What's hot (20)

Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
checkpoint
checkpointcheckpoint
checkpoint
 
Cisco asa fire power services
Cisco asa fire power servicesCisco asa fire power services
Cisco asa fire power services
 
NSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
NSO: Network Service Orchestrator enabled by Tail-f Hands-on LabNSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
NSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A Survey
 
Presentación - Cisco ASA with FirePOWER Services
Presentación -  Cisco ASA with FirePOWER ServicesPresentación -  Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER Services
 
Check point presentation june 2014
Check point presentation june 2014Check point presentation june 2014
Check point presentation june 2014
 
Meraki powered services bell
Meraki powered services   bellMeraki powered services   bell
Meraki powered services bell
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overview
 
CCNP Security-IPS

• 1. These slides are taken from Cisco Live 2012 & 3/20/2014. Eng. Mohannad Alhanahnah
IPSv7.0 Agenda:
• CCNP Security IPSv7 Exam Topics Review
• Introduction to Intrusion Prevention & Detection
• Installing and Maintaining Cisco IPS Sensors
• Applying Cisco IPS Security Policies
• Deploying Anomaly-based Operation
• Managing & Analyzing Events
• Deploying Virtualization, High Availability, and High Performance Solutions
• Configuring and Maintaining Specific Cisco IPS Hardware
• 2. IPSv7.0 Exam Topics Review:
• Approximately 90 minute exam
• 60-70 questions
• Register with Pearson Vue
– http://www.vue.com/cisco
• Exam cost is $200.00 US
• Question Types
– Multiple-choice single answer
– Multiple-choice multiple answer
– Drag-and-drop
– Fill-in-the-blank
– Testlet / Simlet / Simulations
• Rule out the nonsense
• Look for the best answer when multiple exist
• Look for subtle keys
• Narrow it down
• Relate to how the device works
• Don’t waste too much time
• 3. Preparing for the IPS Exam:
• Recommended reading
– CCNP Security IPS 642-627 Official Cert Guide
– CCSP books are still good for reference
– Cisco IPS 7.0 Configuration Guide
• Cisco learning network: www.cisco.com/go/learnnetspace
• Practical experience
– Real equipment
– IDM in demo mode
IPSv7.0 Exam Topics:
• Pre-Production Design
– Choose Cisco IPS technologies to implement High Level Design
– Choose Cisco products to implement High Level Design
– Choose Cisco IPS features to implement High Level Design
– Integrate Cisco network security solutions with other security technologies
– Create and test initial Cisco IPS configurations for new devices/services
• Complex Support Operations
– Optimize Cisco IPS security infrastructure device performance
– Create complex network security rules to meet the security policy requirements
– Configure and verify the IPS features to identify threats and dynamically block them from entering the network
– Maintain, update and tune IPS signatures
– Use CSM and MARS for IPS management, deployment, and advanced event correlation
– Optimize security functions, rules, and configuration
• Advanced Troubleshooting
– Advanced Cisco IPS security software configuration fault finding and repairing
– Advanced Cisco IPS sensor and module hardware fault finding and repairing
• 4. Introduction to Intrusion Prevention and Detection:
The Evolution of Internet (figure)
A Shift to Financial Gain (figure)
Top-Ten Cyber Security Menaces:
• Sophisticated website attacks
• Increasing botnet sophistication and effectiveness
• Growing cyber espionage
• Emerging mobile phone threats
• Insider attacks
• Advanced identity theft
• Increasingly malicious spyware
• Web application security exploits
• Sophisticated social engineering
• Supply-chain attacks infecting consumer devices
• 5. Cisco Intrusion Prevention Services:
• Intelligent Detection
– Vulnerability and Exploit specific Signatures
– Traffic and Protocol Anomaly Detection
– Knowledge base Anomaly Detection
– Reputation Filters
• Precision Response
– Risk Management-based Policy
– Global Correlation adding reputation
– On-box Correlation through Meta Event Generator
– “Trustworthiness” Linkages with the Endpoint
• Flexible Deployment
– Passive and/or Inline with Flexible Response (IDS/IPS)
– Sensor Virtualization
– Physical and logical (VLAN) interface support
– Software and Hardware bypass
Cisco Security Intelligence Operations (figure)
• 6. Cisco IPS Intelligent Detection Capabilities (figure-only slide):
Vulnerability and Exploit-Based Signatures (figure)
Cisco IPS Product Portfolio (figure)
Integrated Security Across the Network (figure)
• 7. Cisco IPS 4200 Series Sensors Comparison (figure-only slide)
• 8. AIP-SSM Module (figure)
Catalyst 6500 IDSM2 (figure)
• 9. Cisco IPS Architecture (figure-only slide)
• 10. Packet Flow in IPS v7.0:
• IPS Reputation Filters block access to IPs on stolen ‘zombie’ networks or networks controlled entirely by malicious organizations.
• Global Correlation Inspection raises the Risk Rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without negative reputation.
• IPS Version 7.0 software permits a device to do promiscuous mode and inline mode simultaneously, which allows some segments to be monitored for IDS only while other segments use IPS protection.
Overview of Intrusion Detection Systems (IDS) (figure)
• 11. IDS Option 1: Single Interface: Spanning traffic to the IPS 4200 (figure)
IDS Option 2: VLAN Groups (figure)
• 12. Overview of Intrusion Prevention Systems (IPS) (figure)
IPS Option 1: Interface Pairing
• Bump in the Wire (intelligent wire)
• Two physical Interfaces
• Switch Ports configured as Access Ports or Trunk
• 13. IPS Option 2: VLAN-on-a-Stick
• VLAN Mapping
• One Physical Interface configured as Trunk
IPS Option 3: VLAN Groups (figure)
• 14. IPS in ASA Appliance:
• ASA redirects traffic to IPS Service Module
• Module can be used as IDS (promiscuous) or IPS (inline)
• Virtual Sensor and Failure Policy can be defined
Areas of Network IPS or IDS Deployment (figure)
• 15. Key Terms & Acronyms:
Vulnerability: A vulnerability is a weakness that compromises the security or functionality of a particular system in your network.
Exploit: An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems.
Signature: A signature is a set of instructions the sensor uses to identify an unwanted traffic type.
False Alarms: False alarms are IDS/IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable.
True Alarms: The two types of true alarms in IDS/IPS terminology are true positive and true negative. Both are desirable.
• 16. Security Controls:
• False Positive – A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack.
• False Negative – A false negative occurs when attack traffic does not trigger an alert on the IDS/IPS device. This is often viewed as the worst type of false alarm.
• True Positive – A true positive means that the IDS/IPS device recognized and responded to an attack.
• True Negative – This means that non-offending or benign traffic did not trigger an alarm.
Approaches to Intrusion Prevention:
• Signature Based
• Anomaly Based
• Policy Based
• Protocol Analysis Based
• Reputation Based
• 17. Version 7.0 of the Cisco IPS Sensor Software adds many new features, including the following:
■ Virtualization support: Allows different policies for different segments that are being monitored by a single sensor.
■ New signature engines: Additions that cover Server Message Block and Transparent Network Substrate traffic.
■ Passive operating system fingerprinting: A set of features that enables Cisco IPS to identify the operating system of the victim of an attack.
■ Improved risk and threat rating system: The risk rating helps with alerts and is now based on many different components to improve the sensor’s performance and operation.
■ Global correlation: Allows the sensor to take stronger preventive action against traffic originating from hosts with a negative reputation score.
■ Reputation filtering: Blocks all network traffic originating from hosts with the worst reputations.
■ Enhanced health and performance monitoring: Allows the IPS administrator to better monitor the performance of the sensors.
■ IPv6 detection and prevention: The ability to analyze both IPv4 and IPv6 network traffic.
■ Cisco Intrusion Prevention System Manager Express (IME): A new and improved GUI for management and monitoring of multiple IPS devices.
■ Anomaly detection: Designed to detect worm-infested hosts.
• 18. Cisco Sensor Family
The Cisco sensor family includes the following devices:
■ Cisco IDS 4240 sensor
■ Cisco IPS 4255 sensor
■ Cisco IPS 4260 sensor
■ Cisco IPS 4270 sensor
■ Cisco Catalyst 6500 series IDSM-2
■ Cisco ASA AIP-SSM-10
■ Cisco ASA AIP-SSM-20
■ Cisco ASA AIP-SSM-40
■ Cisco AIM IPS module for ISR routers
■ Cisco NME IPS module for ISR routers
Management Options:
For a single device (element management), options include the following:
■ Command-line interface (CLI)
■ Cisco IPS Device Manager (IDM)
■ Cisco IPS Manager Express (IME)
For multiple-device management, options include the following:
■ Cisco IPS Manager Express (IME), for one to ten sensors
■ Cisco Security Manager (CSM), for one or many sensors
■ Cisco Security Monitoring, Analysis, and Response System (MARS)
• 19. Deploying Sensors:
Consider these technical factors when selecting sensors for deployment in an organization:
■ The network media in use.
■ The performance of the sensor.
■ The overall network design.
■ The IPS design: Will the sensor analyze and protect many systems, or just a few?
■ Virtualization: Will multiple virtual sensors be created in the sensor?
The CLI can be used to
■ Initialize the sensor
■ Configure
■ Administer
■ Troubleshoot
■ Monitor
Initializing the Sensor:
The setup command at the CLI walks you through initialization. You can do the following:
■ Assign a hostname to the sensor. This is case sensitive. It defaults to sensor.
■ Assign an IP address to the command and control interface. The default is 10.1.9.201/24.
■ Assign a default gateway. The default is 10.1.9.1.
■ Enable or disable the Telnet server. Telnet is disabled by default.
■ Specify the web server port. The default is 443.
■ Create network access control lists (ACL) that can access the sensor for management.
■ Configure the date and time.
■ Configure the sensor interfaces.
■ Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs.
■ Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.
20. Initial Setup of IPS Appliance:
• CLI wizard performs basic configuration to allow network connectivity for the GUI.
Threat and Risk Rating:
21. Calculating Threat and Risk:
• RR = [(ASR x TVR x SFR) / 10,000] + ARR – PD + WLR
Example:
–ASR = 75, SFR = 90, PD = 0 (inline mode), TVR = 100, ARR = 10, and WLR = 0
–RR = [(75 x 100 x 90) / 10,000] + 10 – 0 + 0 = 78
• TR = RR – Threat Rating Adjustment
–Configuration > Policies > Event Action Rules > rules0 pane and click on General tab
Real-Time Risk-based Policy: Risk Rating and IPS Policy
• A quantitative measure of each threat before IPS mitigation.
22. Threat Rating: Post-policy Evaluation of Incident Urgency
23. Where do I configure actions?
Actions are configured in 3 different places:
– The signature itself, where you define the default response if this signature is triggered
– The event action override, which allows the system to add actions depending on the risk rating
– The event action filters, where the system is able to remove actions depending on several parameters like the signature ID or the addresses of the attacker or victims…
Master engine: Event Actions
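The risk-rating formula and the three places actions come from (signature defaults, event action overrides, event action filters), worked through in code. This is an added example, not Cisco's code; the action names, the sample filter and the per-action threat-rating adjustment values are assumptions for the example, and the slide's example values evaluate to 77.5 before rounding, shown on the slide as 78.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    sig_id: int
    attacker: str
    asr: int            # attack severity rating
    tvr: int            # target value rating
    sfr: int            # signature fidelity rating
    arr: int = 0        # attack relevancy rating
    pd: int = 0         # promiscuous delta (0 in inline mode)
    wlr: int = 0        # watch list rating
    # default actions come from the signature itself (first place on the slide)
    actions: set = field(default_factory=lambda: {"produce-alert"})

def risk_rating(a):
    """RR = [(ASR x TVR x SFR) / 10,000] + ARR - PD + WLR, bounded to 0..100."""
    rr = (a.asr * a.tvr * a.sfr) / 10_000 + a.arr - a.pd + a.wlr
    return max(0.0, min(100.0, rr))

# Event action override (second place): add deny-packet-inline when RR is 90..100.
OVERRIDES = [(90, 100, {"deny-packet-inline"})]

# Event action filters (third place): (signature ID or None, attacker prefix or None,
# actions to remove). Constructed sample: never deny an assumed 10.1.9.0/24 management net.
FILTERS = [(None, "10.1.9.", {"deny-packet-inline"})]

# Assumed threat-rating adjustments per deny action; the real values are set on the sensor.
TR_ADJUST = {"deny-attacker-inline": 45, "deny-packet-inline": 35}

def evaluate(a):
    """Return (risk rating, final action set, threat rating) for one alert."""
    rr = risk_rating(a)
    actions = set(a.actions)
    for lo, hi, add in OVERRIDES:          # overrides only add actions
        if lo <= rr <= hi:
            actions |= add
    for sig, prefix, remove in FILTERS:    # filters only remove actions
        if (sig is None or sig == a.sig_id) and (prefix is None or a.attacker.startswith(prefix)):
            actions -= remove
    # TR = RR - adjustment of the strongest deny action actually taken (0 if none)
    tr = rr - max((TR_ADJUST.get(x, 0) for x in actions), default=0)
    return rr, actions, tr

if __name__ == "__main__":
    # The slide's example values: 77.5 before rounding, shown on the slide as 78
    print(evaluate(Alert(2000, "192.0.2.10", asr=75, tvr=100, sfr=90, arr=10)))
```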
24. Installing and Maintaining Cisco IPS Sensors:
IPS Deployment Options:
■ Promiscuous mode: In this mode, packets do not flow through the sensor. Instead, packets are copied to the interface from a network device. This is also known as IDS mode.
■ Inline Interface Pairing mode: Traffic passes through the sensor, from one interface to another. Two monitoring interfaces must be configured as a pair. The sensor functions as a Layer 2 bridge for this traffic.
■ Inline VLAN Pairing mode: Here, the monitoring interface acts as an 802.1Q trunk port. The sensor bridges between pairs of VLANs on the trunk.
■ VLAN Group mode: Each physical interface can be divided into VLAN group subinterfaces. This enables you to use a sensor with only a few interfaces as if it had many interfaces.
Cisco IPS Sensor Promiscuous Mode Deployment:
25. Cisco IPS Sensor Inline Interface Mode Deployment:
Cisco IPS Sensor Inline VLAN Pair Mode Deployment:
26. Cisco IPS Sensor Inline VLAN Group Mode Deployment:
Cisco IPS Sensor Selective Inline Analysis Mode Deployment:
27. Applying Cisco IPS Security Policies:
IPS 4200 Appliance Management Interface:
• IPS 4200 Sensor managed through out-of-band interface
• IPS Management uses SSH or HTTPS (SDEE)
Assigning Virtual Sensor:
Both IDS and IPS require assignment of a Virtual Sensor... even if only one Virtual Sensor (e.g. vs0) is used!
28. IPv6 and Cisco IPS:
• IPv6 is default for Windows 2008, Vista and Windows 7!
• Can analyze native IPv6 Traffic
• Can detect IPv6 tunneled traffic
• IPS Tuning can be done on IPv4 and IPv6 traffic simultaneously
Usage of Dual-Stack on all Engines: Service HTTP:
29. Usage of Dual-Stack on all Engines: String TCP with Custom Signature
Deploying Anomaly-Based Operation:
Signature:
• A Signature is used to detect a potential threat.
• Cisco Signatures are vulnerability focused, not exploit focused
• We need different types of Signatures. To match these signatures efficiently against the type of traffic, we use different Engines.
• There are several signature states:
• Retired vs. Active
• Disabled vs. Enabled
30. Types of Signatures:
• Three types of Signatures
–Default – Included in the sensor software. <ID Range is 1,000 – 59,000>
–Tuned – Built-in signatures that the user/administrator modifies.
–Custom – New signatures that the user/administrator creates. <Custom ID Range is 60,000-65,000>
What Is an Engine?
• A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category.
• An engine is composed of a parser and an inspector
• Each engine has a set of parameters that have allowable ranges or sets of values.
31. The Different Engine Families:
• Atomic engine – looking at attacks in a single packet
• Flooding – Specialised in attacks that involve flooding of hosts with packets
• String – Looking for patterns across several packets
• Sweep – Specialised in attacks that involve scanning of hosts and ports
• Anomaly detection – Baselining the traffic first and looking for thresholds
• Services Engines – Specialised engines looking at services like DNS, HTTP, FTP, …
• And many others....
• ATOMIC signature engines are
■ ATOMIC ARP
■ ATOMIC IP
■ ATOMIC IP ADVANCED
■ ATOMIC IPv6
• The FIXED engines are
■ STRING ICMP
■ STRING TCP
■ STRING UDP
• FLOOD signature engines are
■ FLOOD NET
■ FLOOD HOST
32.
• SERVICE signature engines are
■ SERVICE DNS
■ SERVICE FTP
■ SERVICE FTP V2
■ SERVICE GENERIC
■ SERVICE GENERIC ADVANCED
■ SERVICE H225
■ SERVICE HTTP, and others
• The STRING engines are
■ STRING ICMP
■ STRING ICMP XL
■ STRING TCP
■ STRING TCP XL
■ STRING UDP
■ STRING UDP XL
■ MULTI STRING
What is the difference between STRING and FIXED engines?
FIXED differs from STRING signatures in that FIXED signatures watch all TCP/UDP ports, whereas STRING signatures watch only defined ports.
• The SWEEP engines are
■ SWEEP
■ SWEEP OTHER TCP
• TROJAN engines are:
■ TROJAN BO2K examines UDP and TCP traffic for Back Orifice.
■ TROJAN TFN2K examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers.
■ TROJAN UDP examines UDP traffic for Trojan attacks.
33. Normalizer Module:
Normalizer Engine Signatures:
• The normalizer signatures are designed for inline mode only
• These signatures perform several tasks, including:
–Watch for packets with illegal combinations of flags
–Watch for bad checksums
–Watch for TCP segment overrides
–Watch for fragmented traffic
–Much more
• The normalizer denies or fixes abnormal packets
34. TCP Normalization – How:
Layer 4 protection
• Strict tracking of TCP state
• Strict tracking of sequence numbers (including support for PAWS checks)
• Best effort tracking of previous data seen for un-acked inspected content (prevents/detects overwrites in the TCP sequence space)
• Checksums and invalid TCP flags
• Ability to modify TTLs to monotonically decrease or remain steady over the life of the flow
• URG pointer normalization
Real-Time Anomaly Detection for Day Zero Threats:
• Anomaly Detection algorithms to detect and stop Day-Zero threats
• Real-time learning of normal network behavior
• Automatic detection and policy-based protection from anomalous threats to the network
• Result: Protection against attacks for which there is no signature
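Two of the Layer 4 checks the normalizer slides list, illegal TCP flag combinations and a bad TCP checksum, run over a constructed IPv4/TCP segment. This is an added example, not Cisco's normalizer code; the segment builder and the sample addresses are constructed for the example.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def illegal_flags(flags):
    """Return why a flag combination can never occur in valid TCP, or None."""
    if flags & (FIN | SYN | RST | ACK) == 0:
        return "no flags set"
    if flags & SYN and flags & FIN:
        return "SYN and FIN together"
    if flags & SYN and flags & RST:
        return "SYN and RST together"
    if flags & FIN and not flags & ACK:   # a FIN always carries ACK
        return "FIN without ACK"
    return None

def tcp_checksum(src, dst, segment):
    """Ones-complement sum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment + (b"\x00" if len(segment) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_segment(src, dst, sport, dport, flags, payload=b"", checksum=None):
    """Constructed 20-byte TCP header + payload; checksum is computed unless forced."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src, dst, seg) if checksum is None else checksum
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def normalize(src, dst, segment):
    """Reasons an inline normalizer would deny this segment (empty list = pass)."""
    reasons = []
    why = illegal_flags(segment[13])       # flags byte of the TCP header
    if why:
        reasons.append("illegal flags: " + why)
    # Verifying a checksum: recomputing over the segment including its own
    # checksum field must give zero.
    if tcp_checksum(src, dst, segment) != 0:
        reasons.append("bad TCP checksum")
    return reasons
```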
35. Protocol-Anomaly Detection:
37. Managing and Analyzing Events:
Cisco IPS Manager Express (IME): All-in-One IPS Management Application for up to 10 IPS Sensors
38. CSM 4.3 – IPS Configuration:
• Centrally manage multiple physical and virtual Sensors
• Tune policies
• Create custom Signatures
• Track Policy Change
• Update Signatures and Software for IPS Sensors
39. CSM 4.3 – Event logging and filtering:
• Log and monitor all IPS Events
• Granular Filtering and searching through events
• Customizable view
• Event to Policy mapping
40. CSM 4.3 – Reporting:
• Tactical Reporting
• Export to PDF or CSV
• Schedule Reports
• Customizable Graph and Data
41. CSM 4.3 – Health Monitoring:
• Monitor IPS Systems for throughput, CPU, memory, number of events, status of hardware, ...
• Get Alert when status is changing
IPS Sensor Management:
42. Deploying Virtualization, High Availability, and High Performance Solutions
Flexible Deployment:
Sensor Virtualization:
43. How to place a Sensor into such an Environment?
44. Introducing Cisco Nexus 1000V for VMware ESX
Simplifying Virtual Machine & Network policy management:
• Policy Based VM Connectivity
–Mobility of Network & Security Properties
• Virtual Center integration for server administrators
• Cisco NX-OS environment for Network administrators
• Ensures visibility & policy enforcement during VMotion
• Compatible with any switching platform
SPAN Technologies Overview:
• Local SPAN: Mirrors traffic from one or more interfaces or VLANs on the switch to one or more other interfaces (or a service module) on the same switch.
• Remote SPAN (RSPAN): Mirrors traffic from one or more interfaces or VLANs on the switch to a special RSPAN VLAN, which carries the traffic across a Layer 2 switched network to one or more other switches. The other switches mirror the traffic from the RSPAN VLAN to one or more of their local interfaces (or service modules).
• Encapsulated Remote SPAN (ERSPAN): Mirrors traffic from one or more interfaces or VLANs on the switch into an IP GRE tunnel, which carries the traffic across an arbitrary Layer 3 network to another device. If the destination is another ERSPAN-capable switch, it decapsulates the monitored packets and mirrors them to one or more of its local interfaces (or service modules).
45. How to place a Sensor into such an Environment?
Server Virtualization IDS and ERSPAN:
Ethernet Network Policy
• Take a Copy of Traffic from Servers and Switch to Appliance
• IPS appliances analyze Server traffic and log activity
Nexus 1000v makes this possible
• ERSPAN: Set Port-Profile w/ Switch port SPAN session; IP SPAN traffic to 6500
• SPAN to connected 4200-IPS
• Permit protocol type header "0x88BE" for ERSPAN GRE
46. ERSPAN:
Sample Config for ERSPAN on N1K:
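A defender-side check for the ERSPAN path described on the two slides above: classify a GRE-encapsulated packet as ERSPAN by the GRE protocol type 0x88BE and decode the ERSPAN Type II header (session ID, VLAN) around the mirrored Ethernet frame, which is what a sensor fed over ERSPAN should be receiving. This is an added example, not Cisco or Nexus code; the sample packet, its session ID 51, VLAN 100 and MAC addresses are constructed for the example.

```python
import struct

ERSPAN_PROTO = 0x88BE   # GRE protocol type carried by ERSPAN
GRE_SEQ_FLAG = 0x1000   # S bit: a 32-bit sequence number follows the GRE header

def parse_gre(data):
    """Split a GRE payload (what follows the outer IP header) into header fields and payload."""
    flags_ver, proto = struct.unpack("!HH", data[:4])
    off, seq = 4, None
    if flags_ver & GRE_SEQ_FLAG:
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    return {"proto": proto, "seq": seq, "payload": data[off:]}

def parse_erspan(gre):
    """Decode the 8-byte ERSPAN Type II header; None when the GRE payload is not ERSPAN."""
    if gre["proto"] != ERSPAN_PROTO:
        return None
    w1, w2 = struct.unpack("!II", gre["payload"][:8])
    frame = gre["payload"][8:]          # the mirrored Ethernet frame
    return {
        "version": w1 >> 28,            # 1 = ERSPAN Type II
        "vlan": (w1 >> 16) & 0xFFF,
        "cos": (w1 >> 13) & 0x7,
        "truncated": bool((w1 >> 10) & 0x1),
        "session_id": w1 & 0x3FF,
        "index": w2 & 0xFFFFF,
        "inner_ethertype": struct.unpack("!H", frame[12:14])[0],
        "frame": frame,
    }

def sample_erspan_packet(session_id=51, vlan=100):
    """Constructed GRE+ERSPAN bytes carrying a minimal IPv4 Ethernet frame (locally administered MACs)."""
    gre = struct.pack("!HHI", GRE_SEQ_FLAG, ERSPAN_PROTO, 1)
    w1 = (1 << 28) | (vlan << 16) | session_id   # version 1, COS 0, not truncated
    erspan = struct.pack("!II", w1, 0)
    frame = bytes.fromhex("020000000001" "020000000002" "0800") + b"\x45" + b"\x00" * 19
    return gre + erspan + frame
```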
47. IPS in virtualized DC:
• Use cases
– Protect server farms through IPS
– Monitoring / Alarming through IPS in IDS Mode
• Products
–Cisco IPS 4260 / 4270 Appliance as:
  IPS: via external Service Chassis
  IDS: via SPAN Technology
–Cisco ASA IPS SSM for ASA 5585-X as IPS-only
–Cisco IDSM2 Switch module as:
  IPS: via external Service Chassis
  IDS: via Switch internal SPAN Session
  IDSM2 only available for Cat6K, no N7K module
High Availability and Scaling:
• Fail-open (Fail-Safe) techniques: Hardware or software that functions to detect problems and pass packets through the device without inspection when required
• Fail-secure (Fail-Closed) techniques: Hardware or software techniques that will stop forwarding any packets if the IPS fails
• Failover: One or more paths through the network to allow packets, in the event of a device failure, to either go through a backup IPS sensor or through a plain wire
• Load Balancing: Using devices or software features to split a traffic load up across multiple devices. This can achieve both higher data rates and redundant paths in case of failure
48. Configuring and Maintaining Specific Cisco IPS Hardware
Cisco IPS Sensor Initial Setup and Management:
• Using basic Cisco IPS CLI features.
• Configure and verify basic Cisco IPS sensor parameters.
• Configure and verify the Cisco IDM features and properties.
• Troubleshoot the initial configuration of the sensor.
• Troubleshoot basic Cisco IPS hardware problems.
• Restoring the Cisco IPS to its default configuration.
• Managing Cisco Licenses and Software
• Software Upgrade and Recovery
• Updates and Installation of IPS Signatures
• Managing Access & Password Recovery on the Cisco IPS Sensor.
• Using the CLI & IDM to perform sensor management and monitoring.
Applying Cisco IPS Security Policies:
• Deploying and managing Cisco IPS Sensor basic traffic analysis.
• Virtual sensor setup
• Traffic Normalization
• IPv6 Support
• Bypass mode
• Deploying and Managing basic aspects of Cisco IPS signatures and responses.
• Signatures (types, features, properties, and actions).
• IP Logging and Filters
• Evaluating the Cisco IPS signature engines and built-in signature database.
• Deploying and managing Cisco IPS anomaly-based detection features.