david7eagle
Member
Posts:
160
Joined:
Fri Sep 24, 2010 4:13 pm
Certs:
A+, Security+, MCP, CCENT, CCNA, and CCNA Security

Chapter 11 - Study Update

Thu Aug 18, 2011 2:12 pm

Here are my notes for Chapter 11:


Chapter 11

IDS and IPS: An Intrusion Detection System analyses copies of traffic it receives. Because traffic does not flow through an IDS, the device is considered passive. On the other hand, an Intrusion Protection System, which can proactively terminate malicious traffic, is considered active.

Detection Methods: There are several approaches to detecting malicious traffic.
• Signature-Based Detection: The primary method of detection, and most used by Cisco, is signature-based detection. A series of transmissions in a certain context would constitute a signature.
• Policy-Based Detection: Based on a highly detailed description of what is, and what is not allowed to pass through filtering mechanisms.
• Anomaly-Based Detection: Creates a baseline of what is considered normal and blocks traffic that deviates from this baseline. A statistical anomaly detection system is triggered when traffic appears that is significantly different from the statistical baseline. Nonstatistical anomaly detection allows specific abnormalities to be defined.

Honey Pot Detection: A set of network devices, real or virtual, used to lure attackers away from real targets and to track and analyze their malicious actions.

Host and Network Based Solutions: IDS and IPS systems can be implemented on hosts as well as networks.

IDS/IPS Sensors:
• Command and Control Interface: Configured with an IP address and is used to communicate with other network devices for management purposes.
• Monitoring Interface(s): At least one interface to receive traffic that is to be analyzed.
Sensor Operating Modes:
• Promiscuous Mode: A single interface receives a copy of traffic and analyzes it. Typically, a NIDS runs in promiscuous mode and is placed out of the direct line of network traffic.
• Inline Mode: Contains at least two interfaces and sits in the direct line of traffic. NIPS are configured in the line of traffic for proactive filtering.

Exploit Signatures at Different OSI Model Layers:
• Layer 7: IPS/IDS can detect/stop DoS attacks, directory traversal attacks, viruses, Trojans, and worms.
• Layer 4: Port scans and session hijacking
• Layer 3: Ping sweeps

Signature Categories: Exploit, connections, string, and DoS

Security Levels for Signatures: High, medium, informative, and low

Signature Actions: denyAttackerInline – denies source IP of attacker. denyFlowInline – terminates the connection.

Alarms: When triggered, an alarm can be sent and information logged using syslog or the Security Device Event Exchange protocol (SDEE). Responses include:
• Create a Log Entry: Use syslog or SDEE to record that the signature was matched
• Drop the offending packet: Delete the offending transmission
• Reset the TCP connection: Send an RST message
• Block attacker’s IP address: Prevent further transmission from the offending address
• Block traffic from the offending connection: Block traffic associated with the offending connection.

Configuring IPS with the Cisco SDM: The IPS page is launched from Configure>Intrusion Prevention. It has three tabs:
• Create IPS: Contains the Launch IPS Rule Wizard
• Edit IPS: Contains IPS Policies, Global Settings, and Signatures
• Security Dashboard: Overview information

The IPS Policy Wizard performs the following:
• Selects the interface to which IPS rules will be applied
• Selects in which direction traffic will be inspected
• Selects the SDF file(s) that will be used by the IPS engine

Global Settings Tab contains the following:
• Syslog and SDEE
• Global Engine: Contains Enable Engine Fail Closed, which, when enabled, drops traffic when IPS services are unavailable. Also contains default option of using Built-In Signatures as backup and the option to apply an ACL on an interface on which IPS is running.

Editing a Signature:
• In Edit IPS>Signatures, double-click the desired signature to open the Edit Signature window.
• Click the green square to the left of a field to enter custom parameters. Click OK to close the window and then Apply Changes in the Edit IPS window.
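
Added example (my own Python, not from the thread, the book or Cisco): a toy sensor that runs the three detection methods from the notes over constructed flow records, maps each match to denyFlowInline or denyAttackerInline, and shows how promiscuous mode only alarms while inline mode can drop. The flow format, ports, signature string and thresholds are all assumptions for illustration.

```python
from collections import Counter, namedtuple
from statistics import mean, pstdev

Alarm = namedtuple("Alarm", "src reason action flow")  # flow: index, or None for host-level
# Constructed baseline period: flows per host observed while traffic was normal.
NORMAL_FLOWS_PER_HOST = [2, 3, 1, 2, 2]
MU, SIGMA = mean(NORMAL_FLOWS_PER_HOST), pstdev(NORMAL_FLOWS_PER_HOST)
# Constructed sample flows: (src_ip, dst_port, payload). Not real captures.
FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html"),
    ("10.0.0.5", 80, b"GET /about.html"),
    ("10.0.0.7", 443, b"ClientHello"),
    ("10.0.0.9", 80, b"GET /../../etc/passwd"),       # Layer 7 string signature
] + [("10.0.0.9", p, b"SYN") for p in range(1000, 1040)]  # Layer 4 port-scan pattern

STRING_SIGNATURES = {"directory traversal": b"../.."}  # signature-based (assumed pattern)
ALLOWED_PORTS = {80, 443}                                # policy-based (assumed policy)
PORT_SCAN_THRESHOLD = 20                                 # nonstatistical anomaly rule

def signature_hits(flows):
    # Signature-based: a known string in a known context matches one flow.
    return [Alarm(src, name, "denyFlowInline", i)
            for i, (src, _, payload) in enumerate(flows)
            for name, pat in STRING_SIGNATURES.items() if pat in payload]

def policy_hits(flows):
    # Policy-based: anything outside the explicit allow list is a violation.
    return [Alarm(src, f"port {port} not permitted", "denyFlowInline", i)
            for i, (src, port, _) in enumerate(flows) if port not in ALLOWED_PORTS]

def anomaly_hits(flows):
    hits, per_host = [], Counter(src for src, _, _ in flows)
    for src, n in per_host.items():
        # Statistical: flow count far above the learned baseline (mean + 3 sigma).
        if n > MU + 3 * SIGMA:
            hits.append(Alarm(src, f"{n} flows vs baseline {MU:.1f}", "denyAttackerInline", None))
        # Nonstatistical: an explicitly defined abnormality (many distinct ports).
        ports = {port for s, port, _ in flows if s == src}
        if len(ports) >= PORT_SCAN_THRESHOLD:
            hits.append(Alarm(src, f"{len(ports)} distinct ports", "denyAttackerInline", None))
    return hits

def sensor(flows, mode):
    """Return (alarms, forwarded flows). Promiscuous sees a copy; inline can drop."""
    alarms = signature_hits(flows) + policy_hits(flows) + anomaly_hits(flows)
    if mode == "promiscuous":            # passive: log alarms, never drop anything
        return alarms, list(flows)
    denied_hosts = {a.src for a in alarms if a.action == "denyAttackerInline"}
    denied_flows = {a.flow for a in alarms if a.action == "denyFlowInline"}
    forwarded = [f for i, f in enumerate(flows)
                 if f[0] not in denied_hosts and i not in denied_flows]
    return alarms, forwarded
```

Running `sensor(FLOWS, "promiscuous")` yields the same alarms as inline mode but forwards every flow, which is the passive/active distinction the notes draw.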

ristau5741
Post Whore
Posts:
10231
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: Chapter 11 - Study Update

Thu Aug 18, 2011 2:25 pm

might want to go over the IPS/IDS stuff again, I think there are some details missing, specifically what actions each can take, i.e. IDS can only monitor traffic, can't take action, IPS can take action. etc.etc.etc. IDS are passive, IPS are active. That sort of stuff

david7eagle
Member
Posts:
160
Joined:
Fri Sep 24, 2010 4:13 pm
Certs:
A+, Security+, MCP, CCENT, CCNA, and CCNA Security

Re: Chapter 11 - Study Update

Thu Aug 18, 2011 3:22 pm

ristau5741 wrote: might want to go over the IPS/IDS stuff again, I think there are some details missing, specifically what actions each can take, i.e. IDS can only monitor traffic, can't take action, IPS can take action. etc.etc.etc. IDS are passive, IPS are active. That sort of stuff

Thank you for the tip. I was considering those things the basics that I already learned in Security+. I'll review it just to make sure.
