Cisco® CCNA Security Exam Notes : IPS Technologies

6. IPS

6.2 IPS Technologies

Intrusion Prevention System (IPS): An IPS analyses network traffic, reports on traffic it deems malicious or harmful, and can take corrective action against it (for example, dropping the packet or resetting the connection). It can be implemented as a dedicated appliance, as a blade in a switch chassis, or as a module in an ASA firewall or a Cisco IOS router. The primary method for identifying problem traffic is signature matching.

Cisco Security Manager (CSM): This is an enterprise-level configuration tool that you can use to manage most security devices.

Cisco Security Intelligence Operations (SIO) Service: The SIO researches and analyses threats and provides real-time updates on these threats. There is also an application for smart phones.

The following statements are true about an IDS (Intrusion Detection System):

1. It works in promiscuous (out-of-band) mode: it receives a copy of the traffic, for example from a SPAN port, rather than sitting in the forwarding path.

2. It adds no delay to network traffic, because the packets it inspects are copies; the originals are forwarded without waiting for the sensor's verdict.

3. It cannot stop a malicious packet from entering or leaving the network (the latter case assumes an inside attacker), because by the time it raises an alert the packet has already been forwarded. At best it can react after the fact, for example by sending a TCP reset or asking a firewall to block the source.

4. For the same reason, it cannot manipulate traffic in real time.

The following are true about an IPS (Intrusion Prevention System):

1. It adds some delay to network traffic, because each packet is inspected for malicious content before it is forwarded.

2. Because the IPS is inline, it can normalise (manipulate or modify) traffic as it passes, based on the current rule set, and can drop or reset offending traffic.

3. Unlike an IDS, an IPS works inline: every packet passes through the IPS before being forwarded. This also makes a single inline sensor a single point of failure unless it is deployed redundantly or configured to fail open (bypass) when it cannot inspect.

An intrusion detection/prevention system may come in one of several varieties:

1. A dedicated appliance, such as the IPS 4200 series sensors

2. A blade in a Catalyst 6500 series multilayer switch

3. A module in an ASA firewall

4. Software running on a Cisco IOS router (Cisco IOS IPS)

Risk Rating (RR) while implementing IPS/IDS

The sensor does not act on a bare signature match; it computes a risk rating (0 to 100) for each event from the contributors below, and the event action (alert, drop, reset, and so on) is chosen according to that rating.

1. Target value rating (TVR) - assigned by the network administrator, based on organisational input about which IP addresses/hosts/subnets are most valuable.

2. Signature fidelity rating (SFR) - assigned by the creator of the signature; it represents how accurately the signature identifies a true attack (the lower the SFR, the more likely a false positive).

3. Attack severity rating (ASR) - also assigned by the creator of the signature; it represents the severity of the attack. Some attacks are very dangerous, for example ones that wipe out the hard disk.

4. Attack relevancy rating (ARR) - a minor contributor: a signature match destined for a host where the attack is actually relevant (for example, an email-server exploit aimed at a host that runs a mail server) scores higher than the same match against a host that is not vulnerable.

5. Global correlation - if the sensor knows, from Cisco's reputation data, that an attack is propagating across the Internet and knows the IP addresses of some of the nodes propagating it, then packets from those nodes are given a higher score.
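The following worked example is added here and is not part of the original notes. It applies the risk-rating formula documented for Cisco IPS sensors, RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR clamped to 0..100, to constructed events. The TVR, ASR and ARR scales are the documented ones; the promiscuous delta of 5, the action thresholds and the treatment of global correlation as a simple watch-list bump are assumptions made for illustration, not the sensor's exact algorithm.

```python
"""Risk Rating (RR) worked example.

Added example, not from the original notes. It applies the RR formula
documented for Cisco IPS sensors:

    RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100

where ARR is the attack relevancy rating, PD the promiscuous delta
(subtracted only in promiscuous/IDS mode) and WLR the watch-list rating.
The TVR/ASR/ARR scales below follow the sensor documentation; the events,
the PD value of 5 and the action thresholds are constructed, and the
global-correlation contribution is modelled simply as a watch-list bump
(an assumption, not the sensor's exact reputation algorithm).
"""

# Target value rating: set by the administrator per host/subnet.
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
# Attack severity rating: set by the signature author.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Attack relevancy rating: does the target actually run the attacked service?
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}


def risk_rating(asr, tvr, sfr, arr=0, promiscuous_delta=0, watch_list=0):
    """Return the risk rating (0..100) for one signature match.

    sfr is the signature fidelity rating (0..100) assigned by the signature
    author; promiscuous_delta is non-zero only for an IDS-mode sensor, where
    the rating is lowered because the sensor cannot see the full context.
    """
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be 0..100")
    rr = (asr * tvr * sfr) / 10000 + arr - promiscuous_delta + watch_list
    return max(0, min(100, round(rr)))


def event_action(rr):
    """Constructed event-action policy in the style of a risk-rating based
    event action override: drop inline only when the rating is high enough
    that a false positive is unlikely."""
    if rr >= 90:
        return "deny-packet-inline"
    if rr >= 70:
        return "produce-alert+log-attacker-packets"
    return "produce-alert"


def score_event(asr_level, tvr_level, sfr, relevancy="unknown",
                inline=True, watch_list=0):
    """Convert named levels to numbers, compute the RR and pick the action."""
    rr = risk_rating(ASR[asr_level], TVR[tvr_level], sfr, ARR[relevancy],
                     promiscuous_delta=0 if inline else 5,  # assumed PD
                     watch_list=watch_list)
    return rr, event_action(rr)


if __name__ == "__main__":
    # Same high-severity signature (ASR high, SFR 85) against a medium-value
    # mail server where the attack applies: 85 + 10 = 95, dropped inline.
    print(score_event("high", "medium", 85, relevancy="relevant"))
    # Medium-severity match against a low-value host that does not run the
    # service, seen by an IDS-mode sensor: 45 - 10 - 5 = 30, alert only.
    print(score_event("medium", "low", 80, relevancy="not-relevant", inline=False))
    # Mission-critical target with a perfect-fidelity signature clamps at 100.
    print(score_event("high", "mission-critical", 100))
    # Global correlation modelled as a watch-list bump lifting a weak match.
    print(risk_rating(ASR["low"], TVR["low"], 50, watch_list=40))
```

The point to take from the numbers is that the same signature firing against two hosts produces very different ratings, and that the IDS-mode sensor is deliberately rated lower than an inline one: out of band it sees less context and cannot block anyway, so the override thresholds should be set with that in mind.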

There are several ways an attacker may try to evade detection by an IPS/IDS. The most frequently used are:

1. Traffic fragmentation - the attacker splits the attack across many small packets or fragments so that no single packet contains the whole signature; only a sensor that reassembles the stream before matching will see it.

2. Traffic substitution and insertion - the attacker substitutes characters in the data with equivalent encodings (for example, URL or Unicode encoding, or mixed case) that the victim decodes but a byte-for-byte signature does not match, or inserts extra data that the victim will discard but the sensor will still inspect.

3. Protocol-level misinterpretation - the attacker crafts packets that the sensor and the end host interpret differently (bad checksums, TTL tricks, overlapping segments), so the sensor's view of the protocol does not match what the victim actually processes.

4. Timing attacks - sending the attack very slowly, spread over a long period, so that the sensor's correlation window expires before enough of the pattern has been seen.

5. Encryption and tunnelling - encrypting the traffic to the victim, or wrapping it in a tunnel the sensor does not decode, so the payload cannot be inspected.

6. Resource exhaustion - flooding the sensor with thousands of packets or alerts so that it drops packets, or the analyst overlooks the real attack traffic among the noise.
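The following example is added here and is not part of the original notes. It shows why the first two evasion techniques above (fragmentation, and substitution by encoding) defeat a naive per-packet matcher but not a detector that reassembles the TCP stream and normalises it before matching. The signature, the "captured" segments and both detectors are constructed for illustration; the overlap handling models a simple retransmission, not the full set of ambiguous-overlap cases a real sensor must resolve.

```python
"""Fragmentation and substitution evasion versus a normalising detector.

Added example, not from the original notes. The signature, the "captured"
TCP segments and both detectors are constructed for illustration; the point
is that a per-packet, byte-for-byte matcher misses what a detector that
reassembles the stream and decodes it first will catch.
"""
from urllib.parse import unquote

# Constructed signature: a directory-traversal string inside a URL.
SIGNATURE = b"../etc/passwd"

# Constructed captures: lists of (TCP sequence number, payload) segments.
# 1. Attack split across two segments so neither holds the whole signature.
FRAGMENTED = [
    (1000, b"GET /cgi-bin/../etc/pas"),
    (1023, b"swd HTTP/1.0\r\n\r\n"),
]
# 2. Percent-encoded and mixed-case: the web server decodes it, a raw
#    byte match does not.
SUBSTITUTED = [
    (2000, b"GET /cgi-bin/%2e%2e/%45tc/%50asswd HTTP/1.0\r\n\r\n"),
]
# 3. Retransmission that overlaps the previous segment by three bytes.
OVERLAPPING = [
    (1000, b"GET /cgi-bin/../etc/pas"),
    (1020, b"passwd HTTP/1.0\r\n\r\n"),
]
CLEAN = [(3000, b"GET /index.html HTTP/1.0\r\n\r\n")]


def naive_match(segments, signature=SIGNATURE):
    """Per-packet byte match: no reassembly, no decoding."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and rebuild the byte stream,
    dropping bytes already delivered when a retransmission overlaps.
    (Gaps are not handled; a real sensor would wait for the missing data.)"""
    stream = b""
    next_seq = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if next_seq is not None:
            if end <= next_seq:
                continue                            # pure retransmission
            if seq < next_seq:
                payload = payload[next_seq - seq:]  # trim overlapping prefix
        stream += payload
        next_seq = end
    return stream


def normalise(stream):
    """Decode percent-encoding and fold case, as the target server would.
    latin-1 is used so that every byte round-trips unchanged."""
    text = unquote(stream.decode("latin-1"), encoding="latin-1")
    return text.lower().encode("latin-1")


def normalised_match(segments, signature=SIGNATURE):
    """Reassemble, normalise, then match: the stateful sensor's approach."""
    return signature in normalise(reassemble(segments))


if __name__ == "__main__":
    captures = [("fragmented", FRAGMENTED), ("substituted", SUBSTITUTED),
                ("overlapping", OVERLAPPING), ("clean", CLEAN)]
    for name, capture in captures:
        print(f"{name:12s} naive={naive_match(capture)!s:5s} "
              f"normalised={normalised_match(capture)}")
```

Running it shows the naive matcher reporting nothing for any of the three attack captures while the normalising matcher flags all three and stays quiet on the clean request. The cost of the second approach is exactly the state and latency described in the IPS section: the sensor must buffer segments until it can reassemble, which is also what the resource-exhaustion technique targets.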

Cisco IOS IPS supports the following detection methods:

1. Profile based

2. Signature based

3. Protocol analysis based

However, it does not support the anomaly-based detection that a dedicated sensor appliance supports. Note that many Cisco texts use "profile-based" as another name for anomaly-based detection, so read exam questions on this point carefully.
