deploy in large networks. Figure shows and describes how anomaly-based IDS and IPS work. Anomaly-based IDSs and IPSs monitor the network for events and content that represents a departure from normal behavior. Anomalies include an unusual increase in a certain type of traffic, an occurrence of some type of traffic that is not usually present on a monitored network, or a malformed message of a known protocol. These are the two types of anomaly-based IDSs and IPSs:

• Statistical anomaly detection: This type of anomaly-based system approach learns about the profile of the monitored network (traffic patterns) from the network itself over a period. After that period, the system can detect if statistical properties of the network traffic deviate enough from the usual pattern. If the properties do deviate from the usual pattern, the system triggers an alarm.
• Nonstatistical anomaly detection: This type of anomaly-based system has a predefined definition of a known good behavior, usually coded by the vendor, and triggers when an event outside such a profile occurs. These are examples of events that can be considered malicious by nonstatistical anomaly IPS or IDS systems:
  • A communication between two devices using Internetwork Package Exchange (IPX) in a network where only TCP/IP protocol is used
  • An occurrence of a routing protocol update originating from a user device
  • A broadcast storm or a network sweep
  • An anomalous packet, such as a “Christmas tree” packet in which all TCP flags are set, or a TCP segment in which the source and destination IP addresses are the same, and the TCP source and destination ports are the same

---

Content 6.4 Introducing Cisco IOS IPS 6.4.8 Honeypot-Based IDS and IPS Honeypot systems provide a dummy server to attract attacks. The philosophy of the honeypot approach is to distract attacks away from the real network devices. The honeypot offers the possibility of analyzing incoming attacks and malicious traffic patterns in order to be prepared when this type of traffic hits the real network. When implementing honeypots, you dedicate servers that can be sacrificed to being compromised. You should never trust such systems, because the system may have been compromised without you noticing the changes. Figure shows and describes how honeypots work. Honeypots are a special type of IDS that you use to lure an attacker either to leave the real targets alone or to give the administrator the time to tighten the network defense. There are two basic philosophies for building honeypots:

• Honeypots can be systems that, to a certain degree, are vulnerable to attackers. Any attacks against a honeypot appear successful to the attacker, giving administrators time to mobilize, log, and track the attacker without ever exposing production systems.
• Honeypots can be very interesting systems or resources to the attackers that are well-hardened against attacks. The systems might appear to be more vulnerable and thus appear more likely to be penetrable. Here are two possible techniques for making a system appear more vulnerable:
  • Allowing more connectivity (less secured access) to the honeypot system
  • Configuring some applications to report a different (vulnerable) application or version number than the one that you actually used

In the event that the honeypot actually does contain some weakness that you may or may not be aware of, the honeypot system or resource must be extremely well-isolated from other devices in the network. This isolation protects other legitimate systems on the network if the honeypot system or resource is used as a springboard for attacks. Examples
A classic honeypot is a UNIX system, which allows the attacker to log in, for example, using weak passwords or no passwords for certain accounts. When the attacker logs in, the administrator usually sets up a fake environment where the administrator can monitor the actions of the attacker. Some people have built so-called spam honeypots. These honeypots are mail servers that appear to be open relays but in fact simply attract and collect spamming e-mail (attracting spam senders) and route the spam to the bit bucket.

---

Content 6.4 Introducing Cisco IOS IPS 6.4.9 IDS and IPS Signatures A signature detects patterns in network traffic that should generate an alarm or drop packets. The IPS mechanism that matches the signatures against data packets is called a microengine. An IPS system contains several microengines, and each microengine handles a set of signatures, typically grouped together by protocol or some other common characteristics. There are four categories of signatures as shown in Figure :

• Exploit signatures: Since exploit signatures typically identify a traffic pattern that is unique to a specific exploit, each exploit variant may require an individual signature. Attackers may be able to bypass detection by slightly modifying the attack payload. Therefore, you often must produce an exploit signature for each attack tool variant.
• Connection signatures: Connection signatures generate an alarm based on the conformity and validity of the network connections and protocols.
• String signatures: The string signature engines support regular expression pattern matching and alarm functionality.
• DoS signatures: DoS signatures contain behavior descriptions that are considered characteristic of a DoS attack.

When malicious traffic passes through the sensor, one or more sensor microengines are activated to inspect the data. Each microengine controls a set of signatures. The sensor must decide which microengine to activate to scan the associated signatures. This selection is based on four criteria:

• The network protocol of the traversing traffic
• The type of operating system a signature is associated with
• The session port
• Type of attack

For IPS sensor platforms, such as the Cisco IPS 4200 Series, there are about 1500 signatures available, while for the Cisco IOS IPS, there are about 1200 signatures available. Cisco IOS IPS uses signature definition files (SDFs) that contain signature descriptions for the most relevant attacks and are updated by Cisco on a regular basis. Exploit Signatures
Figure matches the type of exploit signature with the OSI layer. Exploit-specific signatures seek to identify network activity or upper-level protocol transactions that are unique to a specific exploit or attack tool. The specificity of exploit signatures may provide an analyst with some insight into the methodology of an attacker and may allow the analyst to identify and mitigate targeted vulnerabilities. Exploit signatures are often relatively easy to produce for simple protocols and attacks and are often employed in “pattern matching” IDS and IPS products. Examples of exploit signatures are grouped by OSI layer. These are examples of exploit signatures in the network layer:

• The most common fragmentation attack attempts to exhaust target resources by sending many non-initial fragments and tying up reassembly buffers.
• Target systems can be configured to not accept IP datagrams with certain IP options, such as source routing. Signatures can analyze these datagrams before the datagrams are discarded. The configuration for this analysis is based on the target operating system or the default. This analysis is enabled by default, but may be turned off to enhance performance.
• Distributed DoS (DDoS) attacks are the “next generation” of DoS attacks on the Internet. Examples of DDoS attacks on the network layer include Internet Control Message Protocol (ICMP) echo request floods and ICMP-directed broadcasts (also known as smurf attacks).

These are examples of exploit signatures in the transport layer:

• Port sweep: An attacker scans multiple hosts for specific listening ports. The goal is usually to find