Here are my notes for Chapter 11:
IDS and IPS: An Intrusion Detection System analyses a copy of the traffic it receives. Because the traffic does not flow through the IDS, the device is considered passive: it can raise an alarm (or send a TCP reset) but cannot stop the packet it saw. An Intrusion Prevention System sits in the traffic path and can drop malicious traffic before it reaches the target, so it is considered active.
Detection Methods: There are several approaches to detecting malicious traffic.
• Signature-Based Detection: The primary detection method, and the one Cisco relies on most, is signature-based detection. A signature is a known pattern (a string, a packet sequence, or a connection attempt) that, seen in a particular context, identifies an attack. It detects only attacks for which a signature exists, so the signature database must be kept current.
• Policy-Based Detection: Based on a highly detailed description of what is, and what is not, allowed to pass through the filtering mechanism; traffic that violates the policy is flagged.
• Anomaly-Based Detection: Builds a baseline of what is considered normal and flags or blocks traffic that deviates from it. A statistical anomaly detection system is triggered when traffic differs significantly from the statistical baseline. Nonstatistical anomaly detection lets the administrator define the specific abnormalities to look for. Both depend on the baseline having been learned from clean traffic.
• Honey Pot Detection: A set of network devices, real or virtual, used to lure attackers away from real targets and to track and analyze their malicious actions.
Host and Network Based Solutions: IDS and IPS can be implemented on individual hosts (HIDS/HIPS) as well as on the network (NIDS/NIPS). A network sensor has two kinds of interface:
• Command and Control Interface: Configured with an IP address and used to communicate with other network devices for management purposes (configuration, signature updates, alarm delivery).
• Monitoring Interface(s): At least one interface that receives the traffic to be analyzed; it needs no IP address.
Sensor Operating Modes:
• Promiscuous Mode: A single interface receives a copy of the traffic (for example from a SPAN port) and analyzes it. Typically a NIDS runs in promiscuous mode and is placed out of the direct line of network traffic, so it can alarm or reset a connection but cannot drop a packet.
• Inline Mode: Uses at least two interfaces and sits in the direct line of traffic. A NIPS is configured inline so that it can filter proactively, at the cost of becoming a point of failure for the path it sits in.
Exploit Signatures at Different OSI Model Layers:
• Layer 7: IPS/IDS can detect/stop DoS attacks, directory traversal attacks, viruses, Trojans, and worms.
• Layer 4: Port scans and session hijacking
• Layer 3: Ping sweeps
Signature Categories: Exploit, connection, string, and DoS
Security Levels for Signatures: High, medium, low, and informational
Signature Actions: denyAttackerInline – drops all packets from the attacker's source IP address. denyFlowInline – drops only the packets of the offending connection (flow). Both require the sensor to be inline.
Alarms: When a signature is triggered, the sensor can raise an alarm and log the event using syslog or the Security Device Event Exchange protocol (SDEE). Available responses:
• Create a Log Entry: Use syslog or SDEE to record that the signature was matched
• Drop the offending packet: Discard the offending transmission (inline mode only)
• Reset the TCP connection: Send an RST to both ends of the connection
• Block the attacker's IP address: Prevent further transmissions from the offending source address
• Block traffic from the offending connection: Block only the traffic associated with the offending connection, leaving other traffic from that host alone
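A toy sensor, added here as an illustration (it is not Cisco code and not from the chapter), tying together the detection methods above (a string signature, a connection signature and a statistical rate anomaly), the signature actions, and the two operating modes. The traffic, the baseline numbers, the signature IDs and the action names are constructed for the example; the key behaviour to watch is that a promiscuous sensor downgrades denyFlowInline/denyAttackerInline to produceAlert because it only ever sees a copy of the packet, while it can still send a TCP reset.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sig_id: int
    name: str
    category: str                       # exploit, connection, string or DoS
    severity: str                       # informational, low, medium or high
    match: Callable[[Packet], bool]
    action: str                         # produceAlert, resetTcpConnection, denyFlowInline, denyAttackerInline


INLINE_ONLY = {"denyFlowInline", "denyAttackerInline"}   # need the sensor in the forwarding path


@dataclass
class Sensor:
    mode: str                           # "promiscuous" (sees a copy) or "inline" (in the path)
    signatures: List[Signature]
    baseline_mean: float                # packets per source per window, learned earlier (constructed)
    baseline_stdev: float
    anomaly_sigmas: float = 3.0
    blocked_hosts: Set[str] = field(default_factory=set)
    blocked_flows: Set[Tuple[str, str, int]] = field(default_factory=set)
    flagged_hosts: Set[str] = field(default_factory=set)
    counts: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)   # stand-in for syslog/SDEE messages

    def _alarm(self, src: str, sig_id: int, name: str, severity: str, action: str) -> None:
        self.log.append(f"sig={sig_id} name={name!r} sev={severity} src={src} action={action}")

    def _apply(self, action: str, pkt: Packet, verdict: str) -> Tuple[str, str]:
        """Map a configured action to what this sensor can really do; return (effective action, verdict)."""
        if action in INLINE_ONLY and self.mode != "inline":
            action = "produceAlert"         # a passive sensor cannot drop what it never forwards
        if action == "denyAttackerInline":
            self.blocked_hosts.add(pkt.src)
            verdict = "drop"
        elif action == "denyFlowInline":
            self.blocked_flows.add((pkt.src, pkt.dst, pkt.dport))
            verdict = "drop"
        elif action == "resetTcpConnection" and verdict != "drop":
            verdict = "reset"               # an RST can be sent even from a promiscuous sensor
        return action, verdict

    def inspect(self, pkt: Packet) -> str:
        """Return 'forward', 'drop' or 'reset'. In promiscuous mode 'drop' is never returned."""
        flow = (pkt.src, pkt.dst, pkt.dport)
        if self.mode == "inline" and (pkt.src in self.blocked_hosts or flow in self.blocked_flows):
            return "drop"                   # an earlier deny action is still in force
        self.counts[pkt.src] = self.counts.get(pkt.src, 0) + 1
        verdict = "forward"
        for sig in self.signatures:         # signature-based detection
            if sig.match(pkt):
                action, verdict = self._apply(sig.action, pkt, verdict)
                self._alarm(pkt.src, sig.sig_id, sig.name, sig.severity, action)
        z = (self.counts[pkt.src] - self.baseline_mean) / self.baseline_stdev   # statistical anomaly
        if z > self.anomaly_sigmas and pkt.src not in self.flagged_hosts:
            self.flagged_hosts.add(pkt.src)
            action, verdict = self._apply("denyAttackerInline", pkt, verdict)
            self._alarm(pkt.src, 0, f"rate anomaly z={z:.1f}", "high", action)
        return verdict


SIGNATURES = [   # constructed example signatures, not Cisco signature IDs
    Signature(1000, "HTTP directory traversal", "string", "high",
              lambda p: p.dport == 80 and b"../" in p.payload, "denyFlowInline"),
    Signature(1001, "Telnet connection attempt", "connection", "medium",
              lambda p: p.dport == 23, "resetTcpConnection"),
]


def constructed_traffic() -> List[Packet]:
    """Constructed sample traffic, not a real capture."""
    victim = "192.0.2.10"
    pkts = [
        Packet("10.0.0.5", victim, 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),   # matches sig 1000
        Packet("10.0.0.5", victim, 80, b"GET /index.html HTTP/1.0\r\n"),         # same flow, now denied
        Packet("10.0.0.7", victim, 23, b""),                                     # matches sig 1001
    ]
    pkts += [Packet("10.0.0.9", victim, 80, b"GET / HTTP/1.0\r\n")] * 12        # flood, far above baseline
    return pkts


def run(mode: str) -> Tuple[List[str], Sensor]:
    sensor = Sensor(mode, SIGNATURES, baseline_mean=4.0, baseline_stdev=1.0)
    return [sensor.inspect(p) for p in constructed_traffic()], sensor


if __name__ == "__main__":
    for mode in ("promiscuous", "inline"):
        verdicts, sensor = run(mode)
        print(mode, verdicts)
        print("\n".join(sensor.log))
```

Run it once in each mode: the inline sensor drops the traversal request, the rest of that flow, and everything from the flooding host once its packet count passes the 3-sigma threshold; the promiscuous sensor logs the same three alarms but forwards everything except the telnet connection it resets.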
Configuring IPS with the Cisco SDM (Security Device Manager): The IPS page is launched from Configure > Intrusion Prevention. It has three tabs:
• Create IPS: Contains the Launch IPS Rule Wizard
• Edit IPS: Contains IPS Policies, Global Settings, and Signatures
• Security Dashboard: Overview information
The IPS Policy Wizard performs the following:
• Selects the interface to which IPS rules will be applied
• Selects in which direction traffic will be inspected
• Selects the SDF (Signature Definition File) file(s) that the IPS engine will load
Global Settings Tab contains the following:
• Syslog and SDEE
• Global Engine: Contains Enable Engine Fail Closed which, when enabled, drops traffic while IPS services are unavailable (for example while signatures are being loaded) instead of passing it uninspected. Also contains the default option of using the Built-In Signatures as a backup if the SDF cannot be loaded, and the option to apply an ACL on the interface on which IPS is running.
Editing a Signature:
• In Edit IPS > Signatures, double-click the desired signature to open the Edit Signature window.
• Click the green square to the left of a field to replace its default with a custom value. Click OK to close the window, then click Apply Changes in the Edit IPS window; nothing takes effect on the router until Apply Changes is clicked.