deploy in large networks. Figure shows and
describes how anomaly-based IDS and IPS work. Anomaly-based
IDSs and IPSs monitor the network for events and content that
represents a departure from normal behavior. Anomalies include
an unusual increase in a certain type of traffic, an occurrence
of some type of traffic that is not usually present on a
monitored network, or a malformed message of a known protocol.
These are the two types of anomaly-based IDSs and IPSs:
- Statistical anomaly detection: This type of
anomaly-based system approach learns about the profile of the
monitored network (traffic patterns) from the network itself
over a period. After that period, the system can detect if
statistical properties of the network traffic deviate enough
from the usual pattern. If the properties do deviate from the
usual pattern, the system triggers an alarm.
-
Nonstatistical anomaly detection: This type of
anomaly-based system has a predefined definition of a known
good behavior, usually coded by the vendor, and triggers when
an event outside such a profile occurs. These are examples of
events that can be considered malicious by nonstatistical
anomaly IPS or IDS systems:
- A communication between
two devices using Internetwork Package Exchange (IPX) in a
network where only TCP/IP protocol is used
- An
occurrence of a routing protocol update originating from a user
device
- A broadcast storm or a network sweep
- An anomalous packet, such as a “Christmas tree” packet in
which all TCP flags are set, or a TCP segment in which the
source and destination IP addresses are the same, and the TCP
source and destination ports are the same
Content 6.4 Introducing Cisco IOS
IPS 6.4.8 Honeypot-Based IDS and IPS
Honeypot systems provide a dummy server to attract attacks. The
philosophy of the honeypot approach is to distract attacks away
from the real network devices. The honeypot offers the
possibility of analyzing incoming attacks and malicious traffic
patterns in order to be prepared when this type of traffic hits
the real network. When implementing honeypots, you dedicate
servers that can be sacrificed to being compromised. You should
never trust such systems, because the system may have been
compromised without you noticing the changes. Figure shows and
describes how honeypots work. Honeypots are a special type of
IDS that you use to lure an attacker either to leave the real
targets alone or to give the administrator the time to tighten
the network defense. There are two basic philosophies for
building honeypots: - Honeypots can be systems that, to
a certain degree, are vulnerable to attackers. Any attacks
against a honeypot appear successful to the attacker, giving
administrators time to mobilize, log, and track the attacker
without ever exposing production systems.
- Honeypots
can be very interesting systems or resources to the attackers
that are well-hardened against attacks. The systems might
appear to be more vulnerable and thus appear more likely to be
penetrable. Here are two possible techniques for making a
system appear more vulnerable:
- Allowing more
connectivity (less secured access) to the honeypot system
- Configuring some applications to report a different
(vulnerable) application or version number than the one that
you actually used
In the event that the
honeypot actually does contain some weakness that you may or
may not be aware of, the honeypot system or resource must be
extremely well-isolated from other devices in the network. This
isolation protects other legitimate systems on the network if
the honeypot system or resource is used as a springboard for
attacks. Examples
A classic honeypot is a UNIX
system, which allows the attacker to log in, for example, using
weak passwords or no passwords for certain accounts. When the
attacker logs in, the administrator usually sets up a fake
environment where the administrator can monitor the actions of
the attacker. Some people have built so-called spam honeypots.
These honeypots are mail servers that appear to be open relays
but in fact simply attract and collect spamming e-mail
(attracting spam senders) and route the spam to the bit
bucket.
Content 6.4 Introducing Cisco
IOS IPS 6.4.9 IDS and IPS Signatures A
signature detects patterns in network traffic that should
generate an alarm or drop packets. The IPS mechanism that
matches the signatures against data packets is called a
microengine. An IPS system contains several microengines, and
each microengine handles a set of signatures, typically grouped
together by protocol or some other common characteristics.
There are four categories of signatures as shown in Figure :
- Exploit signatures: Since exploit signatures
typically identify a traffic pattern that is unique to a
specific exploit, each exploit variant may require an
individual signature. Attackers may be able to bypass detection
by slightly modifying the attack payload. Therefore, you often
must produce an exploit signature for each attack tool
variant.
- Connection signatures: Connection
signatures generate an alarm based on the conformity and
validity of the network connections and protocols.
-
String signatures: The string signature engines support
regular expression pattern matching and alarm
functionality.
- DoS signatures: DoS signatures
contain behavior descriptions that are considered
characteristic of a DoS attack.
When malicious
traffic passes through the sensor, one or more sensor
microengines are activated to inspect the data. Each
microengine controls a set of signatures. The sensor must
decide which microengine to activate to scan the associated
signatures. This selection is based on four criteria:
- The network protocol of the traversing traffic
-
The type of operating system a signature is associated
with
- The session port
- Type of attack
For IPS sensor platforms, such as the Cisco IPS 4200
Series, there are about 1500 signatures available, while for
the Cisco IOS IPS, there are about 1200 signatures available.
Cisco IOS IPS uses signature definition files (SDFs) that
contain signature descriptions for the most relevant attacks
and are updated by Cisco on a regular basis. Exploit
Signatures
Figure matches the type of exploit signature
with the OSI layer. Exploit-specific signatures seek to
identify network activity or upper-level protocol transactions
that are unique to a specific exploit or attack tool. The
specificity of exploit signatures may provide an analyst with
some insight into the methodology of an attacker and may allow
the analyst to identify and mitigate targeted vulnerabilities.
Exploit signatures are often relatively easy to produce for
simple protocols and attacks and are often employed in “pattern
matching” IDS and IPS products. Examples of exploit signatures
are grouped by OSI layer. These are examples of exploit
signatures in the network layer: - The most common
fragmentation attack attempts to exhaust target resources by
sending many non-initial fragments and tying up reassembly
buffers.
- Target systems can be configured to not
accept IP datagrams with certain IP options, such as source
routing. Signatures can analyze these datagrams before the
datagrams are discarded. The configuration for this analysis is
based on the target operating system or the default. This
analysis is enabled by default, but may be turned off to
enhance performance.
- Distributed DoS (DDoS) attacks
are the “next generation” of DoS attacks on the Internet.
Examples of DDoS attacks on the network layer include Internet
Control Message Protocol (ICMP) echo request floods and
ICMP-directed broadcasts (also known as smurf attacks).
These are examples of exploit signatures in the transport
layer: - Port sweep: An attacker scans multiple
hosts for specific listening ports. The goal is usually to find