An Overview of Cisco IPS
    06 January 09


    Posted by INE

    Here is a portion of some notes that I came across for IPS - instead of letting them waste away on my hard drive, I figured I would post them in case some of you might enjoy them. I will post more sections if I receive no hate mail :-)

    I. IPS Overview

    a. Detection versus Protection

    i. Detection systems can do just that - detect

    ii. Prevention systems can detect and prevent - risks include added latency, false positives, and the risk of the device being overrun

    b. Detection technologies

    i. Profile based - anomaly detection - activity that deviates from "normal" activity; "normal" is tough to define, so this approach is prone to a high number of false positives

    ii. Signature based - pattern matching - less prone to false positives; this is the primary Cisco technology

    iii. Protocol analysis - similar to signature based, but with more in-depth analysis; checks the contents of the payload

    c. Evasive Techniques

    i. Flooding

    1. flood the network with noise, then launch the attack

    ii. Fragmentation

    1. break the attack up into fragments so it is harder to recognize

    iii. Encryption

    1. send the attack through an encrypted tunnel

    iv. Obfuscation

    1. disguise the attack using special characters or alternate representations

    d. Network Sensors

    i. network module, 4215, AIP-SSM, 4240, 4255, IDS blade

    ii. Legacy: 4210, 4235, 4250

    e. Sensor Appliances

    i. command and control interface - has an IP address for the management workstation

    ii. monitoring interface - no IP address and not visible on the network

    1. promiscuous mode - IDS only

    2. inline mode - OS 5.0 or higher; two or more monitoring interfaces; IPS

    iii. Reliable IPS (inline IPS features)

    1. Risk Rating - event severity, signature fidelity, asset value

    2. High availability - HSRP, EtherChannel

    3. App firewall features

    4. Accurate worm mitigation through event correlation

    iv. Defense-in-Depth

    1. Host Intrusion Prevention System

    v. Terminology

    1. False Alarms

    a. False Positive

    b. False Negative

    2. True Alarms

    a. True Positive

    b. True Negative

    vi. IPS Architecture

    1. Eventstore

    2. Analysis Engine

    3. Main App

    4. Web Server

    5. SSH/Telnet

    6. IDAPI - communication channel between the apps

    7. NAC - initiates blocking

    8. Notification App - SNMP

    9. Sensor Interfaces

