
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

Cisco Security Agent and Network IDS/IPS

Erik Lenten, Technical Marketing Engineer


Session objectives

Give an overview of Cisco IDS and IPS technologies

Give an overview on how to deploy IDS and IPS

Explain key features that can help during a deployment


IPS Terminology: The Marketing of IPS/IDS

IDS Intrusion Detection System—typically limited to promiscuous sensors (out of packet stream)

IPS Intrusion Prevention/Protection System—the term most commonly applied to a sensor that sits inline (in the packet stream) and can drop malicious packets, flows or attackers

IDP Intrusion Detection and Prevention—marketing term coined by a vendor for product differentiation


Network IPS vs. Host-based IPS

Network IPS:
• Signature based (so frequent updates)
• Good description of the attack
• More difficult to detect/prevent day-zero attacks

Host-based IPS:
• Behavior based (less frequent policy updates)
• Not always a good description of the attack
• Excellent protection against day-zero attacks
• Can also be used for data leakage prevention, compliance management and other controls


Network IPS Terminology: What Is IPS? (Cont.)

“Identical to a wire” is the closest analogy

Inline interfaces have no MAC or IP and cannot be detected directly

Network IPS passes all packets without directly participating in any communications including spanning tree (but spanning tree packets are passed)

Default behavior is to pass all packets even if unknown, (i.e. IPX, Appletalk, etc.) unless specifically denied by policy or detection

IPS Closely Resembles a Layer 2 Bridge or Repeater

(Diagram: the client's ARP request and the server's ARP reply pass through the inline sensor unchanged; the sensor itself has no address on the wire.)

IDS/IPS devices within Cisco’s portfolio

• Cisco IPS 4200 Series Sensor
• Cisco Catalyst Switch with IPS blade
• Cisco Router with IPS software
• Cisco ASA 5500 Series with AIP module

Network IDS/IPS Components

Network-based sensors: specialized software and/or hardware used to collect and analyze network traffic, in either IPS mode (inline) or IDS mode (promiscuous)
• Appliances, modules, or embedded in the network infrastructure (either inline or promiscuous)

Security management and monitoring:
• Configuration and deployment services (Cisco Security Manager)
• Alert collection, aggregation, and correlation (CS-MARS)

False Positives Defined

"False positive" is the term most commonly used for an event that was incorrectly reported; it is typically misapplied to a broad group of quite different outcomes:

• False positive: a correctly named false positive is one where the sensor has triggered an alert because of a flawed algorithm or an analysis error; normally a fairly rare event
• Benign trigger: the sensor has correctly interpreted network traffic as an attack, but the intent behind the traffic was not malicious; potentially common
• False alarm (or noise): the sensor has correctly detected that an event occurred, but the event is non-threatening, not applicable to the site being monitored, or was not successful; very likely to be labeled a false positive, and very common

False negative is the term used when an IPS misses a real attack or event.

How to fix the ‘false positive’ issue

• Sensor placement (knowing your network)
• Cool Cisco features ;-)
• Smart management systems

IPS/IDS Deployment: What Areas of the Network Are Candidates?

(Diagram of the corporate network with the candidate areas marked:)
• Internet connections
• Business partner access / extranet connections
• Remote access systems
• Remote/branch office connectivity
• Data center
• Management network

Flexibility in Deploying IDS/IPS: Comprehensive Deployment Options

Services allow a single device to be deployed in IDS mode and IPS mode simultaneously (hybrid IDS and IPS).

(Diagram: an attacker on the Internet; sensors deployed in IPS mode in front of the public services segment, the main campus, and the service provider, partner, or branch office network.)

Coming soon: Virtualized Policies (IPS 6.0)

Flexible context definitions:
• Ability to define virtualized contexts based on physical interface and VLAN groupings
• Assignment of custom signature/policy settings and response actions to each virtualized context
• Virtual policy mapping between ASA and AIP

(Diagram: VLANs 1-4 grouped into Virtualized Context 1 and Virtualized Context 2, each with a customized policy based on VLAN groupings; Virtualized Policy 1 covers Interface 1 + 2 and Virtualized Policy 2 covers Interface 3 + 4, with customized policy based on interface groupings.)

Process for Accurate Threat Mitigation: Rating Alarms for Threat Context

Rating the risk allows users to confidently eliminate malicious packets without dropping valid traffic.

The Risk Rating (RR) combines four inputs: Event Severity + Asset Value of Target + Signature Fidelity + Attack Relevancy.
• Event Severity: the alert severity defined for the signature
• Signature Fidelity: the signature fidelity rating delivers a confidence rating of the signature's accuracy
• Asset Value of Target: delivers greater insight into the relative criticality of target systems through the asset value designation
• Attack Relevancy: whether the attack applies to the target, defined by OS identification (next slide)

Customizable Risk Rating thresholds allow multiple automated event actions for each alarm.

Attack Relevancy Defined: OS Identification (coming in IPS 6.0)

OS identification table, per endpoint:
• IP address of endpoint
• Virtual context where the system was discovered
• Learned OS of the target system

IPS Version 6.0 Anomaly Detection / Network Behavioral Analysis

• Anomaly detection algorithms to detect and stop day-zero threats
• False alarm reduction by learning behavior that is specific to network zones
• Auto-learning with dynamic adjustment of AD thresholds
• Increased accuracy through on-box event correlation

(Diagram: an infected host whose traffic reaches across Internal Zones 1-3, the Internet, and "illegal" IP addresses.)
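To make the learn-then-detect loop above concrete, here is an added example in Python; it is not Cisco's AD implementation and not code from the deck. It models zone-aware baselining: a learning window yields per-zone, per-service thresholds, and a later window is checked against them. The zone prefixes, the headroom multiplier, the minimum threshold and all flow records are constructed for the illustration; the one behavioral feature it learns is the number of distinct destinations a source contacts without getting a reply, which is what a sweeping host exhibits and a normal client does not.

```python
"""Simplified model of zone-aware network anomaly detection (AD): learn a
per-zone baseline of how many unanswered destinations a normal source touches,
then flag sources that exceed it and traffic to addresses outside every zone.
Added illustration, not Cisco's AD algorithm; the zone layout, the headroom
factor and the flow records are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed zone layout (assumption): internal zones as prefix lists.
ZONES = {
    "internal-1": [ip_network("10.1.0.0/16")],
    "internal-2": [ip_network("10.2.0.0/16")],
    "internal-3": [ip_network("10.3.0.0/16")],
}
HEADROOM = 2.0      # assumed multiplier above the worst normal source
MIN_THRESHOLD = 5   # floor so a quiet learning window cannot yield a threshold of 1


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    answered: bool  # True if the destination replied


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return None  # outside every configured zone: an "illegal" address


def unanswered_fanout(flows: List[Flow]) -> Dict[Tuple[str, int, str], int]:
    """Per (zone, dport, src): count of distinct destinations that never replied.
    A scanner touches many hosts that do not answer; a normal client does not."""
    seen = defaultdict(set)
    for f in flows:
        zone = zone_of(f.dst)
        if zone is not None and not f.answered:
            seen[(zone, f.dport, f.src)].add(f.dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def learn_thresholds(flows: List[Flow]) -> Dict[Tuple[str, int], int]:
    """Learning phase: per (zone, dport) threshold = max(HEADROOM * worst normal
    source, MIN_THRESHOLD). Re-running this for every learning window is the
    'dynamic adjustment' of AD thresholds."""
    worst = defaultdict(int)
    for (zone, dport, _src), n in unanswered_fanout(flows).items():
        worst[(zone, dport)] = max(worst[(zone, dport)], n)
    return {key: max(int(HEADROOM * n), MIN_THRESHOLD) for key, n in worst.items()}


def detect(flows: List[Flow], thresholds: Dict[Tuple[str, int], int]) -> List[tuple]:
    """Detection phase: alert on sources whose unanswered fan-out exceeds the
    zone's learned threshold, and on any traffic to an address in no zone."""
    alerts = set()
    for (zone, dport, src), n in unanswered_fanout(flows).items():
        limit = thresholds.get((zone, dport), MIN_THRESHOLD)
        if n > limit:
            alerts.add(("scanner", src, zone, dport, n, limit))
    for f in flows:
        if zone_of(f.dst) is None:
            alerts.add(("illegal-address", f.src, f.dst, f.dport))
    return sorted(alerts, key=str)


def sample_learning_flows() -> List[Flow]:
    """Constructed normal traffic: 20 clients in zone 1 each reach two file
    servers on 445 and one server that is down (unanswered)."""
    flows = []
    for i in range(1, 21):
        src = f"10.1.0.{i}"
        flows += [Flow(src, "10.1.10.5", 445, True),
                  Flow(src, "10.1.10.6", 445, True),
                  Flow(src, "10.1.10.7", 445, False)]
    return flows


def sample_detection_flows() -> List[Flow]:
    """Constructed traffic with one infected host sweeping zone 1 on 445 and
    probing an address that belongs to no configured zone."""
    flows = sample_learning_flows()
    flows += [Flow("10.1.0.99", f"10.1.20.{i}", 445, False) for i in range(1, 41)]
    flows.append(Flow("10.1.0.99", "192.0.2.7", 445, False))
    return flows


if __name__ == "__main__":
    learned = learn_thresholds(sample_learning_flows())
    print("learned thresholds:", learned)
    for alert in detect(sample_detection_flows(), learned):
        print(alert)
```

The down server in the learning window is deliberate: every normal client has one unanswered destination, so a threshold learned without headroom or a floor would alarm on all of them in the next window. That is the false-alarm mode the zone-specific learning on the slide is meant to avoid.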

Smart Management: Filter per category in CSM


Smart management: CS-MARS

Leverage YOUR existing investment to build "pervasive security": correlate data from across the enterprise
• Sources: NIDS, firewalls, routers, switches, CSA
• Formats: Syslog, SNMP, RDEP, SDEE, NetFlow, endpoint event logs
• Rapidly locate and mitigate attacks

Key features:
• Determines security incidents based on device messages, events, and "sessions"
• Incidents are topologically aware for visualization and replay
• Mitigation on L2 ports and L3 chokepoints
• Efficiently scales for real-time use across the enterprise

MARS and reducing false positives

How:
• Network-based correlation
• Manual definition of applications on hosts
• Built-in Nessus
• Integration with VA (vulnerability assessment) tools

Discovery:
• SNMP read login
• Host scan

You got an alarm…now what?


Logging: Session Capture

Logs the traffic associated with a signature trigger (in PCAP format)
• Generally, only the trigger and subsequent packets are logged
• Does impact sensor performance

Usage guidelines:
• Tuning: use during sensor tuning for event analysis and subsequent signature tweaking
• Forensics: useful to monitor "critical" signatures/resources
• Handy tip: use with a custom signature to monitor a specific service/server/user
• Do not log unless you know what you plan to use the log for

Signature Updates

Much like anti-virus, network IPSs must be kept up to date.

Cisco has a new home for security information, including IPS signatures:
tools.cisco.com/MySDN/Intelligence/home.x

Cisco has developed a new partnership with Trend Micro to provide enhanced virus and worm coverage as part of the normal IPS signature updates.

Cisco-Trend ICS Service

(Chart: fidelity of signature, low to high, against typical response time.)
• Cisco ICS (OPACL): 15 min.
• Cisco ICS (OPSig): 90 min.
• Cisco Services for IPS (multi-signature database): 4-6+ hrs typical response time
• Other competitive solutions (shown for comparison)

Premium Service: unmatched response times, outbreak-focused coverage
Standard Service: standard response times, broad vulnerability-based coverage

Cisco-Trend ICS Service: Enterprise Network

(Diagram: the Cisco ICS server pushes mitigations to a Cisco switch, Cisco IPS 4200 Series sensors, Catalyst switches with IPS blade, Cisco routers with IPS software, and ASA 5500 Series with AIP module.)

Line of defense: broad set of Cisco devices that can become rapid-response mitigation nodes

Mitigation measures: broad, near-real-time (15 min.) ACL; high-fidelity (90 min.) signature

Policy control: the Cisco ICS server administers and delivers virus- and worm-related solutions

Outbreak intelligence: TrendLabs' worldwide real-time monitoring and signature development infrastructure

IOS IPS routers: distributed IPS mitigation

Enables a new concept: distributed, inline IPS for new levels of threat defense.

(Diagram: IOS IPS routers across the enterprise and the service provider's Internet connection.)
• Telecommuter: Cisco 850
• Small business / small satellite office: Cisco 870
• Branch/retail: Cisco 1800
• Small division: Cisco 1800/2800
• Regional office: Cisco 2800/3800
• Corporate office: Cisco 7x00

Central SDF file management

Full Control of IPS Signature Tuning

• Do not attempt to load all supported signatures on a single router
• IOS IPS is designed as a distributed mitigation solution, not as a scanner with all signatures loaded
• SDM and CSM support full tuning of IOS IPS signatures

Enabling IOS IPS

Available in the IOS 12.3(11)T Security image

  ! AAA with a local user (used by SDM/CSM and by SDEE subscribers to log in)
  aaa new-model
  aaa authentication login default local
  ! The slide shows "username cisco password 5 cisco"; type 5 is the MD5 hash type
  ! used with "secret", so the valid lab-box equivalent (weak credential, lab only) is:
  username cisco secret cisco
  !
  ! Use the built-in signature set, name an IPS rule and apply it inbound on the interface
  ip ips sdf builtin
  ip ips name IPSRULE1
  interface FastEthernet0
   ip ips IPSRULE1 in
  !
  ! Deliver IPS events over SDEE (requires the HTTPS server)
  ip http secure-server
  ip ips notify SDEE

Latest Pre-Built Signature Description Files (V6)

• Basic signature set (128MB.sdf): 340 signatures, consumes ~15 MB DRAM
• Advanced signature set (256MB.sdf): 572 signatures, consumes ~50 MB DRAM
• Selected mostly from the appliance signatures enabled by default
• Very good Metasploit attack coverage
• All signatures use the default parameters (currently alarm-only)

Posted on 8/29/06 at: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup

Recommended release: 12.4(9)T1 or 12.4(8b)

Impact of Attack Traffic on IOS IPS Performance

Goal: find the CPU impact when IOS IPS is under attack
• Nessus v3.0.3 used for generating attack traffic (52 signatures firing)
• Configuration: bi-directional IPS + FW + PAT; 256MB.sdf V5 signature file
• Traffic: real-world traffic at 9.6 Mbps
• Image: 12.4(9)T

Results:
• Firewall + PAT + IPS with no attack traffic: 50% CPU
• Firewall + PAT + IPS with attack traffic: 57% CPU
• Impact of attack traffic on CPU: 7%

(Test topology: Avalanche real-world client on G0/0 of a Cisco 3825 running FW + PAT + IPS at a 50% CPU baseline, reflector / real-world server on G0/1, attack traffic injected alongside the real-world traffic.)

Cisco Security Agent


(Attack lifecycle against a target, in five phases:)

1. Probe: ping addresses, scan ports, guess passwords, guess mail users
2. Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, backdoors
3. Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors
4. Propagate: mail a copy of the attack, web connection, IRC, FTP, infect file shares
5. Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets

Malicious behavior (the phases above): most damaging, changes very slowly; the inspiration for the CSA solution.

The alternative, signature matching on the specific exploit: rapidly mutating, continual signature updates, inaccurate.

Zero-Day Protection

Cisco defines host-based intrusion prevention as the ability to stop zero-day malicious code without reconfiguration or update. CSA has the industry's best record of stopping zero-day exploits, worms, and viruses over the past 4 years:
• 2001: Code Red, Nimda (all 5 exploits), Pentagone (Goner)
• 2002: Sircam, Debploit, SQL Snake, Bugbear
• 2003: SQL Slammer, Sobig, Blaster/Welchia, Fizzer
• 2004: MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), buffer overflow in Workstation service (MS03-049)
• 2005: Internet Explorer command execution vulnerability, Zotob

No signatures, reconfiguration or binary updates required.

Intercepting Operating System Calls

The Cisco Security Agent intercepts application OS calls and invokes an allow/deny response

Interceptors monitor calls for resource access:

File system

Network (inbound/outbound)

Registry

Execution (process creation, library access, executable invocation)

“Zero Update” architecture – behavior based control means you don’t need a new signature to stop the next attack

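The interception model above is easiest to see with a small simulation, so here is an added example in Python; it is not CSA's engine, rule language or code, and not from the deck. It routes file, network, registry and execution calls through one policy check, tags a process as "network-exposed" once it accepts inbound data (and lets children inherit the tag), and judges each later operation in that context. The resource classes, the rules, the process-state model and both call traces are constructed for the illustration; the point it shows is that the exploited server is stopped by what it does, with no signature for the exploit anywhere in the code.

```python
"""Toy model of behavior-based host intrusion prevention: interceptors on file,
network, registry and execution calls consult a policy and return allow/deny.
Added illustration of the idea, not CSA's engine or rule language; the
process-state model, the rules and the call traces are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Process:
    pid: int
    image: str
    parent: Optional[int] = None
    network_exposed: bool = False  # set once the process has accepted inbound network data


@dataclass(frozen=True)
class Call:
    pid: int
    interceptor: str  # "file" | "network" | "registry" | "exec"
    op: str           # e.g. "write", "accept", "set", "spawn"
    target: str


# Constructed resource classes the rules key on (lower-case prefixes).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")
AUTORUN_KEYS = ("hklm\\software\\microsoft\\windows\\currentversion\\run",)
WRITABLE_DIRS = ("c:\\temp\\", "c:\\users\\")


class HostIPS:
    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {}
        self.audit: List[Tuple[Call, str, str]] = []

    def start(self, pid: int, image: str, parent: Optional[int] = None) -> None:
        # Children inherit the exposure tag, so "server spawned cmd.exe which
        # wrote to System32" stays attributable to the network-facing parent.
        exposed = parent is not None and self.procs[parent].network_exposed
        self.procs[pid] = Process(pid, image.lower(), parent, exposed)

    def intercept(self, call: Call) -> str:
        """Entry point each interceptor calls before the OS call proceeds."""
        proc = self.procs[call.pid]
        verdict, reason = self.policy(proc, call)
        if verdict == "allow":
            self.apply(proc, call)
        self.audit.append((call, verdict, reason))
        return verdict

    def policy(self, proc: Process, call: Call) -> Tuple[str, str]:
        """Behavioral rules: the same operation is judged by who performs it."""
        target = call.target.lower()
        if proc.network_exposed:
            if call.interceptor == "file" and call.op == "write" and target.startswith(SYSTEM_DIRS):
                return "deny", "network-exposed process modifying system files"
            if call.interceptor == "registry" and call.op == "set" and target.startswith(AUTORUN_KEYS):
                return "deny", "network-exposed process installing an autorun entry"
            if call.interceptor == "exec" and target.startswith(WRITABLE_DIRS):
                return "deny", "network-exposed process executing from a writable directory"
        return "allow", "no rule matched"

    def apply(self, proc: Process, call: Call) -> None:
        """State updates for allowed calls: exposure tagging and process creation."""
        if call.interceptor == "network" and call.op == "accept":
            proc.network_exposed = True
        elif call.interceptor == "exec" and call.op == "spawn":
            self.start(max(self.procs) + 1, call.target, parent=proc.pid)  # hypothetical pid allocation


def exploited_web_server() -> List[str]:
    """Constructed trace: a listening server is exploited over the network and the
    injected code tries to drop and run a payload, then persist. Nothing here
    matches a signature; the sequence of behaviors is what gets denied."""
    ips = HostIPS()
    ips.start(100, "C:\\Program Files\\WebSrv\\websrv.exe")
    trace = [
        Call(100, "network", "accept", "0.0.0.0:80"),
        Call(100, "file", "write", "C:\\Temp\\payload.exe"),         # allowed: writable dir
        Call(100, "exec", "spawn", "C:\\Temp\\payload.exe"),         # denied
        Call(100, "file", "write", "C:\\Windows\\System32\\x.dll"),  # denied
        Call(100, "registry", "set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"),  # denied
    ]
    return [ips.intercept(c) for c in trace]


def interactive_installer() -> List[str]:
    """Constructed trace: identical file and registry operations from a process the
    user started locally are permitted; context, not the operation, decides."""
    ips = HostIPS()
    ips.start(200, "C:\\Users\\alice\\Downloads\\setup.exe")
    trace = [
        Call(200, "file", "write", "C:\\Windows\\System32\\x.dll"),
        Call(200, "registry", "set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"),
    ]
    return [ips.intercept(c) for c in trace]
```

The audit list is what a management center would correlate: each entry carries the call, the verdict and the rule that fired, which is the "not always a good description of the attack" trade-off noted earlier in the deck, since the record says what was blocked, not which exploit was used.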

Global Correlation

Cisco Security Agent offers unique agent-level and management-level correlation.

Correlation on the agent:
• Higher accuracy
• Fewer "false positive" events

Correlation on the manager (Management Center, across agents):
• Higher accuracy
• Fewer "false negative" events
• Stops the attack before it reaches targets
• Example: distributed "ping scans", network worm propagation

Deployment Example: Data Leakage

1. Create a group and attach the "Data Leakage" policy

(Chart: protection over time as controls are added:)
• Packet tagging
• Track data from key servers
• USB/removable device restrictions
• Clipboard abuse
• Location control
• Block

Wireless Control Goals

• Disable wireless NIC when wired is active
• Connection restrictions: certain SSIDs, encryption, ad-hoc
• Require VPN connection when out of the office

Cisco is about integration


CSA + IPS Collaboration with Cisco Network IPS Version 6.0

• Enhanced contextual analysis of the endpoint (CSA reports the endpoint OS, e.g. OS = Windows XP, to the IPS)
• Ability to use CSA inputs to influence IPS actions
• Correlation of information contained in the CSA watch list
• Host quarantining

(Diagram: the CSA Management Console shares endpoint context and its watch list with the IPS between the service provider and the internal servers; the IPS elevates the Risk Rating and denies 10.1.10.1.)

Walkthrough:
1. The CSA watch list contains 10.1.10.1.
2. Source 10.1.10.2 initiates a port scan destined for internal servers. Port scan from an IP not on the watch list: alarm only.
3. Watch-list source 10.1.10.1 initiates a port scan destined for internal servers. Port scan from an IP on the watch list: elevate Risk Rating, drop packet.
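The watch-list walkthrough above and the Risk Rating slides earlier in the deck describe one pipeline, so here is one added example in Python that covers both; it is not Cisco's code and not from the deck. The slides only name the four inputs; the formula used here is the one Cisco documents for IPS 6.0, RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR, capped to 0..100, where the watch list rating (WLR) is the term the CSA watch list adds and the attack relevance rating (ARR) comes from OS identification. The event action override ranges, the two signatures and their IDs, the WLR value of 25 for a watch-listed host and the target hosts are constructed for the illustration.

```python
"""Worked model of the IPS risk-rating pipeline: the four alarm inputs are
combined into a Risk Rating (RR), then threshold-based event action overrides
choose the response. Formula as documented for Cisco IPS 6.0; the override
ranges, signatures, watch-list rating value and hosts are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Documented input scales (IPS 5.x/6.0)
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}                 # ASR
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}  # TVR
ATTACK_RELEVANCE = {"relevant": 10, "unknown": 0, "not-relevant": -10}                       # ARR


@dataclass(frozen=True)
class Signature:
    sig_id: int                    # constructed ids, not real signature numbers
    name: str
    severity: str                  # key into ATTACK_SEVERITY
    fidelity: int                  # SFR 0..100: confidence that a trigger is a real attack
    vulnerable_os: FrozenSet[str]  # OSes the attack applies to; empty = OS-independent


def attack_relevance(sig: Signature, target_os: Optional[str]) -> int:
    """ARR from the OS identification table: relevant, not relevant, or unknown
    when the sensor has not learned the target's OS (or the signature is OS-independent)."""
    if not sig.vulnerable_os or target_os is None:
        return ATTACK_RELEVANCE["unknown"]
    return ATTACK_RELEVANCE["relevant" if target_os in sig.vulnerable_os else "not-relevant"]


def risk_rating(sig: Signature, target_value: str = "medium", target_os: Optional[str] = None,
                promiscuous_delta: int = 0, watch_list_rating: int = 0) -> int:
    """RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100.
    PD applies only in promiscuous mode; WLR is what the CSA watch list adds."""
    base = ATTACK_SEVERITY[sig.severity] * TARGET_VALUE[target_value] * sig.fidelity / 10000
    rr = base + attack_relevance(sig, target_os) - promiscuous_delta + watch_list_rating
    return max(0, min(100, round(rr)))


# Constructed event action overrides: (action, low RR, high RR). Every override
# whose range contains the RR adds its action, so one alarm can trigger several.
OVERRIDES = [
    ("produce-alert", 0, 100),
    ("deny-packet-inline", 80, 100),
    ("deny-attacker-inline", 90, 100),
]


def event_actions(rr: int) -> List[str]:
    return [action for action, lo, hi in OVERRIDES if lo <= rr <= hi]


def port_scan_scenarios() -> Dict[str, Tuple[int, List[str]]]:
    """The deck's CSA + IPS walkthrough: the same port scan from a host that is
    not on the CSA watch list (10.1.10.2) and from one that is (10.1.10.1).
    The WLR of 25 for a watch-listed host is a constructed value."""
    scan = Signature(90001, "TCP port sweep (constructed)", "medium", 80, frozenset())
    results = {}
    for src, on_watch_list in (("10.1.10.2", False), ("10.1.10.1", True)):
        rr = risk_rating(scan, watch_list_rating=25 if on_watch_list else 0)
        results[src] = (rr, event_actions(rr))
    return results


def os_relevance_scenarios() -> Dict[str, Tuple[int, List[str]]]:
    """One Windows-only exploit signature against a learned Windows target, a
    learned Linux target, and a host whose OS the sensor has not learned."""
    sig = Signature(90002, "Windows service overflow (constructed)", "high", 85, frozenset({"windows"}))
    out = {}
    for label, target_os in (("windows-target", "windows"), ("linux-target", "linux"), ("unknown-os", None)):
        rr = risk_rating(sig, target_os=target_os)
        out[label] = (rr, event_actions(rr))
    return out


if __name__ == "__main__":
    for name, (rr, actions) in {**port_scan_scenarios(), **os_relevance_scenarios()}.items():
        print(f"{name:16} RR={rr:3}  actions={actions}")
```

Two things worth noticing when running it: the same port scan moves from alarm-only (RR 60) to a dropped packet (RR 85) purely because of the watch-list term, which is the walkthrough above; and for the exploit signature, a learned non-vulnerable OS pulls the rating below the drop threshold while an unknown OS does not, so the OS identification table is what lets the sensor stop dropping traffic that cannot succeed.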