An Overview of Cisco IPS
Here is a portion of some notes that I came across for IPS - instead of wasting away on my hard drive, I figured I would post them in case some of you might enjoy them. I will post more sections if I receive no hate mail :-)
I. IPS Overview
a. Detection versus Protection
i. Detection systems can do just that - detect
ii. Prevention systems can detect and prevent - risks include latency, false positives, and the risk of the device being overrun
b. Detection technologies
i. Profile based - anomaly detection - activity deviates from "normal" activity; tough to define normal, prone to a high number of false positives
ii. Signature based - pattern matching - less prone to false positives; this is the primary Cisco technology
iii. Protocol Analysis - similar to signature based but with more in-depth analysis; checks the contents of the payload
c. Evasive Techniques
i. Flooding
1. flood network with noise then launch attack
ii. Fragmentation
1. break the attack up into fragments so it is harder to recognize
iii. Encryption
1. send attack through encrypted tunnel
iv. Obfuscation
1. disguise the attack to conceal it using special characters or representations
d. Network Sensors
i. network module, 4215, AIP-SSM, 4240, 4255, IDS Blade
ii. Legacy 4210, 4235, 4250
e. Sensor Appliances
i. command and control interface - has an IP address and is used by the management workstation
ii. monitoring interface - no IP address and not visible on the network
1. promiscuous mode - IDS only
2. inline mode - requires sensor software 5.0 or higher and two or more monitoring interfaces; IPS
iii. Reliable IPS (inline IPS features)
1. Risk Rating - event severity, signature fidelity, asset value
2. High availability - HSRP, EtherChannel
3. App firewall features
4. Accurate worm mitigation through event correlation
iv. Defense-in-Depth
1. Host Intrusion Prevention System
v. Terminology
1. False Alarms
a. False Positive
b. False Negative
2. True Alarms
a. True Positive
b. True Negative
vi. IPS Architecture
1. Eventstore
2. Analysis Engine
3. Main App
4. Web Server
5. SSH/Telnet
6. IDAPI - communication channel between the sensor applications
7. NAC (Network Access Controller) - initiates blocking
8. Notification App - sends SNMP traps
9. Sensor Interfaces
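As an added worked example of the Risk Rating item above (my code, not part of the original notes or Cisco's software): the three inputs listed there, event severity, signature fidelity and asset value, combine as RR = ASR x SFR x TVR / 10000, which is the formula documented for Cisco IPS 5.x; the category-to-number tables are the documented 5.x values, while the cap at 100, integer truncation and the action thresholds are assumptions made for illustration.

```python
# Added example: Cisco IPS 5.x risk rating (RR) worked through in code.
# RR = ASR * SFR * TVR / 10000, where
#   ASR = attack severity rating   (the "event severity" in the notes)
#   SFR = signature fidelity rating (0-100, set per signature)
#   TVR = target value rating       (the "asset value" in the notes)
# Later releases add further terms that these notes do not cover.

# Documented 5.x values: severity level -> ASR
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}

# Documented 5.x values: asset value -> TVR ("medium" is the default)
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}


def risk_rating(severity: str, fidelity: int, asset_value: str = "medium") -> int:
    """Return the risk rating for one event.

    Capping at 100 and truncating to an integer are assumptions of this
    example; the product reports RR on a 0-100 scale."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be between 0 and 100")
    asr = ATTACK_SEVERITY[severity.lower()]
    tvr = TARGET_VALUE[asset_value.lower()]
    return min(100, asr * fidelity * tvr // 10000)


def recommended_action(rr: int, deny_threshold: int = 90) -> str:
    """Map a risk rating to an inline action (example policy, assumed here).

    The thresholds are an illustrative override table, not product defaults:
    deny the packet at or above deny_threshold, alert from 50 up, else ignore."""
    if rr >= deny_threshold:
        return "deny-packet-inline"
    if rr >= 50:
        return "produce-alert"
    return "no-action"


def rate_events(events):
    """Rate a list of (signature_name, severity, fidelity, asset_value) tuples."""
    return [(name, risk_rating(sev, sfr, tvr), recommended_action(risk_rating(sev, sfr, tvr)))
            for name, sev, sfr, tvr in events]


if __name__ == "__main__":
    # Constructed sample events: the same signature firing against assets of
    # different value shows why asset value is part of the rating.
    sample = [("worm-probe", "high", 80, "medium"),
              ("worm-probe", "high", 80, "mission-critical"),
              ("noisy-scan", "low", 60, "low")]
    for name, rr, action in rate_events(sample):
        print(f"{name:12s} RR={rr:3d} -> {action}")
```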