not be blocked by IPS because legitimate
connectivity would be interrupted, but the alerts you receive
about this traffic can provide valuable insight into potential
problems or attack techniques when configured properly.
Cisco IOS IPS
Cisco has implemented IPS functions into its internetwork operating system, Cisco IOS software. Figure summarizes the Cisco IOS IPS features. Cisco IOS IPS combines existing Cisco IDS and IPS product features with three different intrusion detection techniques.
- Cisco IOS IPS uses a blend of Cisco IDS and IPS products from the Cisco IDS and IPS sensor product lines, including Cisco IDS 4200 Series appliances, Cisco Catalyst 6500 Series IDS services modules, and network module hardware IDS appliances.
- Cisco IOS IPS uses a blend of the following detection techniques:
  - Profile-based intrusion detection: Profile-based intrusion detection generates an alarm when activity on the network goes outside a defined profile. With anomaly detection, profiles are created for each user or user group on your system. These profiles are then used as a baseline to define normal user and network activity. For example, a profile could be created to monitor web traffic.
  - Signature-based intrusion detection: Signature-based intrusion detection is less prone to triggering a false alarm when detecting unauthorized activity. A signature is a set of rules pertaining to typical intrusion activity. A Cisco IOS IPS implements signatures that can look at every packet going through the network and generate alarms when necessary. A Cisco IOS IPS generates alarms when a specific pattern of traffic is matched or a signature is triggered. You can configure a Cisco IOS IPS to exclude signatures and modify signature parameters to work optimally in your network environment.
  - Protocol analysis-based intrusion detection: Protocol analysis-based intrusion detection is similar to signature-based intrusion detection, but it performs a more in-depth analysis of the protocols specified in the packets. A deeper analysis examines the payloads within TCP and UDP packets, which carry other protocols. For example, a protocol such as Domain Name System (DNS) is carried within TCP or UDP, which itself is carried within IP.
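
The three detection techniques described above, as an added example that is not part of the lesson and is not Cisco code: a small Python inspector that applies a signature engine, a profile (anomaly) baseline, and a protocol-analysis decoder for DNS carried inside UDP to constructed sample traffic. The signature IDs, patterns, packet contents, and per-user request rates are all constructed for illustration and do not correspond to any Cisco signature IDs; the DNS decoder follows the RFC 1035 wire format and treats over-long labels, names, and truncated messages as protocol violations.

```python
"""Three IDS/IPS detection techniques in miniature (added example, not Cisco code):
signature-based, profile-based (anomaly), and protocol analysis-based, applied to
constructed sample traffic."""
import re
import statistics
import struct

# --- Signature-based: fixed patterns describing known intrusion activity ------
# Signature IDs and patterns are constructed for this example, not Cisco's IDs.
SIGNATURES = {
    1001: re.compile(rb"\.\./\.\./"),    # repeated parent-directory traversal in a request
    1002: re.compile(rb"/etc/passwd"),   # request naming a sensitive Unix file
}


def signature_alarms(packet):
    """Return the IDs of every signature whose pattern appears in the payload."""
    return [sid for sid, pat in SIGNATURES.items() if pat.search(packet["payload"])]


# --- Profile-based: alarm when activity leaves a learned baseline -------------
def build_profile(history):
    """history: {user: [requests per minute, ...]} -> {user: (mean, stdev)}."""
    return {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in history.items()}


def profile_alarms(profile, observed, k=3.0):
    """Alarm for any user whose current rate exceeds mean + k * stdev.
    A user with no profile gets a zero baseline, so any activity alarms;
    the stdev is floored at 1.0 so a perfectly flat baseline still has a band."""
    alarms = []
    for user, rate in observed.items():
        mean, sd = profile.get(user, (0.0, 0.0))
        if rate > mean + k * max(sd, 1.0):
            alarms.append((user, rate))
    return alarms


# --- Protocol analysis-based: decode the protocol carried inside UDP ----------
def parse_dns_qname(payload):
    """Decode the QNAME of the first question in a DNS message (RFC 1035 wire format).
    Returns (name, None) when well-formed, or (partial_name, violation) otherwise."""
    if len(payload) < 12:
        return "", "truncated DNS header"
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        return "", "no question section"
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return ".".join(labels), "QNAME runs past end of packet"
        length = payload[pos]
        if length == 0:
            break
        if length >= 0xC0:            # top two bits set: compression pointer
            return ".".join(labels), "compression pointer in query QNAME"
        if length > 63:               # also catches the reserved 0x40-0xBF range
            return ".".join(labels), "label longer than 63 octets"
        if pos + 1 + length > len(payload):
            return ".".join(labels), "label runs past end of packet"
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    name = ".".join(labels)
    if len(name) > 253:
        return name, "name longer than 253 octets"
    return name, None


def dns_query(name):
    """Build a minimal DNS A query for `name` (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def inspect(packets):
    """Run the signature and protocol-analysis engines over each packet."""
    alarms = []
    for p in packets:
        for sid in signature_alarms(p):
            alarms.append(("signature", sid, p["src"]))
        if p["proto"] == "udp" and p["dport"] == 53:
            _, violation = parse_dns_qname(p["payload"])
            if violation:
                alarms.append(("protocol", violation, p["src"]))
    return alarms


# Constructed sample traffic and per-user request history (not captured data).
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.80", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "10.0.0.9", "dst": "10.0.0.80", "proto": "tcp", "dport": 80,
     "payload": b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "payload": dns_query("www.example.com")},
    {"src": "10.0.0.9", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "payload": dns_query("a" * 70 + ".example.com")},
]
REQUEST_HISTORY = {"alice": [10, 12, 11, 9, 13], "bob": [2, 3, 2, 3, 2]}
CURRENT_RATES = {"alice": 14, "bob": 40}

if __name__ == "__main__":
    for alarm in inspect(SAMPLE_PACKETS):
        print("ALARM", alarm)
    for user, rate in profile_alarms(build_profile(REQUEST_HISTORY), CURRENT_RATES):
        print("ALARM ('profile', %s, %d requests/min)" % (user, rate))
```

The signature engine fires only on exact patterns, which is why it is the least prone to false alarms; the profile engine flags bob because 40 requests per minute lies far outside his learned baseline, and the same threshold leaves alice alone; the DNS decoder alarms on the second query not because of any pattern but because a label longer than 63 octets is not valid DNS, which is the kind of finding only protocol analysis produces.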
6.4 Introducing Cisco IOS IPS
6.4.2 Types of IDS and IPS Systems
Figure describes IDS and IPS solutions, grouping the types of IDS and IPS solutions by their deployment within a network and by how they identify offending traffic. There are two possible deployment options for IDS and IPS solutions, network-based and host-based, which the next topic describes. IDS and IPS use any one of four approaches to identifying malicious traffic:
- Signature-based
- Policy-based
- Anomaly-based
- Honeypot-based
6.4.3 Network-Based and Host-Based IPS
Figure illustrates the concept of network- and host-based approaches to IDS and IPS.
- Host-based IPS: In a host-based system, a host-based intrusion prevention system (HIPS) examines the activity on each individual computer or host. The HIPS has full access to the internal information of the end station and can relate incoming traffic to the activity on the end station to understand the context of the traffic. In VPN environments, where encrypted traffic flows through the network, the HIPS is the only option to examine traffic in plaintext. However, HIPS typically applies to a specific operating system and does not protect against lower-level attacks, such as attacks targeting Layers 1 to 3 of the Open Systems Interconnection (OSI) model. Another disadvantage of HIPS is that the attacker, after sufficient reconnaissance, can detect the host's existence and possibly even discover that the host is being protected by HIPS.
- Network-based IPS: In a network-based
system, or network intrusion prevention system (NIPS), the IPS
analyzes individual packets that flow through a network. NIPS
can detect malicious packets that are overlooked by simplistic
filtering rules of a firewall. NIPS is placed inside the
network and allows verification of all network traffic, or at
least of the critical areas in the network. NIPS can prevent
lower-level attacks but cannot investigate encrypted traffic
that passes through the sensor. NIPS must analyze attacks when
the attacks are taken out of context. NIPS does not have the
ability to look at attacks that are inside the host, because
NIPS is only able to see things from the perspective of the
network. NIPS may think something is an attack that is actually
not, due to this limited perspective. This aspect of NIPS can
limit correlation capabilities and severity judgment.
Comparing HIPS and NIPS
IPS systems can differ in their operational scope. Monitoring intrusive activity can occur at two locations:
- Network-based IPS (NIPS): Instead of looking for intrusive activity at the host level, network-based monitoring systems examine packets that are traveling through the network for known signs of malicious activity. Because these systems are watching network traffic, any attack signatures that the system detects may succeed or fail. It is usually difficult or impossible for network-based monitoring systems to assess the success or failure of actual attacks. These systems only indicate the presence of intrusive activity.
- Host-based IPS (HIPS): A host-based monitoring system examines information at the local host or operating system. The HIPS can be complex and examine actual system calls, or can be simple and just examine system log files. Some host-based monitoring systems can halt attacks before the attacks can succeed, whereas other systems report only on what has already happened. The Cisco implementation of HIPS uses software packages called Cisco Security Agents (CSAs) that you deploy on the protected hosts; the CSAs then report their actions to the central management console, called the Cisco Security Agent Management Center (CSA MC).
Note
The classification
into network-based and host-based systems applies to IDS in the
same way that the classification applies to IPS. For
simplicity, the lesson refers to IPS only, because Cisco IPS
encompasses a wider functionality than IDS encompasses.
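
The difference in vantage point described above (a NIPS indicates the presence of intrusive activity but usually cannot tell whether an attack succeeded, while a simple HIPS that examines system log files sees the outcome on the host) is shown in this added Python example, which is not from the lesson and is not Cisco code. It joins constructed NIPS alerts to constructed sshd syslog lines from the targeted host and decides, per alert, whether the activity failed, succeeded, or remains unconfirmed by host evidence. The alert records, the signature name, the log lines, the addresses, the host-to-address mapping, and the log year (syslog lines carry none) are all constructed assumptions.

```python
"""Correlating NIPS alerts with host (HIPS-style) log evidence.
Added example, not Cisco code: the NIPS sees only packets and reports that an
attack was attempted; the host log shows whether it succeeded."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class NipsAlert:
    time: datetime
    signature: str
    src: str      # source address seen on the wire
    dst: str      # targeted host address


@dataclass
class HostEvent:
    time: datetime
    host: str
    src: str
    accepted: bool   # True for a successful login, False for a failure


MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Matches OpenSSH "Accepted/Failed password" lines in traditional syslog format.
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+) port")


def parse_host_log(lines, year=2024):
    """Turn sshd syslog lines into HostEvents (a simple log-file HIPS).
    Syslog lines carry no year, so one is assumed (constructed)."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue   # not an sshd authentication line
        h, mi, s = (int(x) for x in m["hms"].split(":"))
        events.append(HostEvent(
            datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s),
            m["host"], m["src"], m["result"] == "Accepted"))
    return events


def correlate(alerts, events, host_ips, window=timedelta(minutes=10)):
    """For each NIPS alert, find host events from the same source address on the
    targeted host within `window` and return (signature, src, verdict, count)."""
    verdicts = []
    for a in alerts:
        related = [e for e in events
                   if host_ips.get(e.host) == a.dst and e.src == a.src
                   and a.time <= e.time <= a.time + window]
        if not related:
            verdict = "unconfirmed"      # the network view alone cannot say more
        elif any(e.accepted for e in related):
            verdict = "succeeded"
        else:
            verdict = "failed"
        verdicts.append((a.signature, a.src, verdict, len(related)))
    return verdicts


# Constructed sample data: alerts, host log lines, and host-to-address mapping.
HOST_IPS = {"web01": "10.0.0.22"}
NIPS_ALERTS = [
    NipsAlert(datetime(2024, 1, 10, 9, 0, 0), "SSH authentication brute force",
              "203.0.113.7", "10.0.0.22"),
    NipsAlert(datetime(2024, 1, 10, 9, 5, 0), "SSH authentication brute force",
              "203.0.113.9", "10.0.0.22"),
    NipsAlert(datetime(2024, 1, 10, 9, 30, 0), "SSH authentication brute force",
              "203.0.113.11", "10.0.0.22"),
]
HOST_LOG = [
    "Jan 10 09:00:03 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Jan 10 09:00:04 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "Jan 10 09:05:12 web01 sshd[1300]: Failed password for admin from 203.0.113.9 port 52000 ssh2",
    "Jan 10 09:05:40 web01 sshd[1302]: Accepted password for admin from 203.0.113.9 port 52010 ssh2",
    "Jan 10 09:06:00 web01 CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for verdict in correlate(NIPS_ALERTS, parse_host_log(HOST_LOG), HOST_IPS):
        print(verdict)
```

All three alerts look identical from the sensor's perspective; only the host log separates the failed attempt from the successful login, and the third alert stays "unconfirmed" because the host recorded nothing from that source, which is exactly the limit on correlation and severity judgment that the lesson attributes to NIPS.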
Comparing HIPS and NIPS
Figure shows how NIPS and
HIPS complement each other. The two-ended arrow represents the
relative weight that each of these systems places on specific
functions. As a general statement, NIPS focuses on detecting
buffer overflows, attacks on web servers, network
reconnaissance, and denial of service (DoS) attacks, while HIPS
focuses on application and host resource protection. A
significant advantage of HIPS is that HIPS can monitor
operating system processes and protect critical system
resources, including files that may exist only on a specific
host. HIPS combines behavioral analysis and signature filters.
HIPS can also combine the best features of antivirus, network
firewalls, and application firewalls in one package. A simple
form of HIPS enables system logging and log analysis on the
host. However, this approach can be extremely labor-intensive.
HIPS requires software such as the CSA to be installed on each
host to monitor activity that is performed on and against the
host. The CSA performs the intrusion prevention analysis and
protects the host.
6.4.4 NIPS Features
Figure describes the features of a NIPS. NIPS
involves deploying monitoring devices, or sensors, throughout a
network to capture and analyze traffic. Sensors detect
malicious and unauthorized activity in real time and can take
action when required. Sensors are deployed at designated
network points, enabling security managers to monitor network
activity while the activity occurs, regardless of the location
of the target of the attack. NIPS sensors are tuned for