Prevention Technology
• Intrusion prevention is the ability to stop attacks against the network and
should provide the following active defense mechanisms:
– Detection – Identifies malicious attacks on network and host resources.
– Prevention – Stops the detected attack from executing.
– Reaction – Immunizes the system from future attacks from a malicious
source.
• Response Options
When a signature match is found, the IDS or IPS may perform the following
actions:
– Alarm – Sends an alarm to an internal or external log and then forwards the
packet.
– Reset – If the protocol is TCP, sends packets with the RST flag set to both
session participants, then forwards the packet.
– Drop – Immediately drops the packet.
– Block – Denies further traffic from the source address of the attack.
Drop requires the sensor to sit inline in the traffic path (IPS mode). A sensor
in promiscuous (IDS) mode only sees a copy of the traffic, so it can alarm, send
resets, or ask a border device to block the source, but the attack packet that
triggered the alarm has already reached its target.
• After a sensor detects an attack, an alarm is generated by the sensor and sent to the management
station.
• The information is saved in a memory-mapped file on both the sensor and the management platform.
This memory-mapped file is in a binary format.
• The sensor uses RDEP (Remote Data Exchange Protocol) to communicate with the external world; so does
the IP logging feature. RDEP is a two-way, client-server exchange carried over HTTP(S): the sensor acts
as the server, and the client (the management station) sends an RDEP request, which the sensor answers
with an RDEP response.
• All RDEP messages consist of two parts:
– Header
– Entity body
• The network IDS can shut the attacker out of the network, usually by setting access control rules
on a border device such as a router or firewall.
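The Block response option and the border-device rule-setting described above, as an added example (not code from the slides or from Cisco): the management station turns "block" alarms into a time-limited access list for a border router. Two safeguards the slides leave out are included because they are what stops a blocking IDS from being turned into a denial-of-service tool against its own network: a never-block list (a spoofed source address must not be able to make the sensor shun the DNS resolver or the management subnet) and an expiry on every block. The addresses, alarm records, signature names, and ACL number are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed never-block prefixes: the sensor/management subnet and the
# upstream resolver. An attacker spoofing a source inside these ranges
# must not be able to make the IDS cut off its own infrastructure.
NEVER_BLOCK = [ip_network("10.0.0.0/24"), ip_network("192.0.2.53/32")]


@dataclass
class Alarm:
    time: datetime
    src: str          # source address the signature fired on
    signature: str    # constructed signature name, not a vendor ID
    action: str       # alarm | reset | drop | block


@dataclass
class Block:
    src: str
    expires: datetime
    reason: str


def is_protected(addr: str) -> bool:
    """True if addr lies inside a never-block prefix."""
    ip = ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def decide_blocks(alarms, ttl=timedelta(minutes=30)):
    """Turn 'block' alarms into time-limited Block entries.

    Non-block actions are ignored, protected sources are skipped, and a
    repeat alarm for the same source extends its expiry instead of adding
    a duplicate rule.
    """
    blocks = {}
    for a in alarms:
        if a.action != "block" or is_protected(a.src):
            continue
        expires = a.time + ttl
        if a.src not in blocks or expires > blocks[a.src].expires:
            blocks[a.src] = Block(a.src, expires, a.signature)
    return sorted(blocks.values(), key=lambda b: b.src)


def active_blocks(blocks, now):
    """Blocks that should still be installed at time `now`."""
    return [b for b in blocks if b.expires > now]


def ios_acl(blocks, acl_number=150):
    """Render blocks as a Cisco IOS numbered extended ACL.

    The ACL number and remark text are illustrative. The closing
    'permit ip any any' matters: without it the implicit deny at the end
    of every IOS ACL would drop all traffic, not just the attacker's.
    """
    lines = []
    for b in blocks:
        lines.append(f"access-list {acl_number} remark shun {b.src} until "
                     f"{b.expires:%Y-%m-%d %H:%M} ({b.reason})")
        lines.append(f"access-list {acl_number} deny ip host {b.src} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


# Constructed alarm records, as the management station might receive them.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_ALARMS = [
    Alarm(T0, "203.0.113.7", "TCP SYN flood", "block"),
    Alarm(T0 + timedelta(minutes=5), "203.0.113.7", "TCP SYN flood", "block"),
    Alarm(T0, "10.0.0.5", "ICMP sweep", "block"),                  # protected: skipped
    Alarm(T0, "198.51.100.9", "HTTP cmd.exe request", "alarm"),    # alarm only
    Alarm(T0 + timedelta(minutes=1), "198.51.100.23", "IP fragment overlap", "block"),
]

if __name__ == "__main__":
    now = T0 + timedelta(minutes=10)
    for line in ios_acl(active_blocks(decide_blocks(SAMPLE_ALARMS), now)):
        print(line)
```

The station would re-run `active_blocks` on a timer and push the regenerated list, so a block that was triggered by a spoofed packet disappears on its own after the TTL instead of staying until someone notices.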
• False Alarms
These alarms represent situations in which the IDS fails to accurately
indicate what is happening on the network.
• True Alarms
These alarms represent situations in which the IDS accurately
indicates what is happening on the network.
• False Positives
– False positives occur when the IDS generates an alarm based on
normal network activity.
– False positives force administrators to waste time and resources
analyzing phantom attacks.
• False Negatives
– When the IDS fails to generate an alarm for known intrusive
activity, it is called a false negative.
– False negatives represent actual attacks that the IDS missed even
though it is programmed to detect the attack.
– Most IDS developers tend to design their systems to prevent false
negatives, which usually means accepting a higher false-positive rate.
• True Positives
– In the case of true positives, the IDS generates an alarm correctly
in response to actually detecting the attack traffic that a signature is
designed to detect.
– In an ideal world, 100 percent of the alarms generated by an IDS
would be true positives, meaning that every alarm corresponds to
an actual attack against the network.
• True Negatives
– Like false negatives, true negatives do not represent actual alarms
that are generated by the IDS. Instead, a true negative represents a
situation in which an IDS signature does not alarm when it is
examining normal user traffic.
– This is the correct behavior. This makes a true negative the
opposite of a false positive.
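The four outcome classes above, scored over a labelled event set as an added example (not from the original slides). It also carries the reasoning one step further than the slides do: on a link where attacks are a tiny fraction of traffic, even a small false-alarm rate produces far more false positives than true positives, which is why "design to prevent false negatives" ends in analysts drowning in phantom attacks. The event labels and the daily traffic figures are constructed.

```python
from collections import Counter


def outcome(alarmed: bool, malicious: bool) -> str:
    """Map one event to the slide's four classes."""
    if alarmed:
        return "TP" if malicious else "FP"
    return "FN" if malicious else "TN"


def confusion(events):
    """Count TP/FP/FN/TN over (alarmed, malicious) pairs."""
    counts = Counter(outcome(a, m) for a, m in events)
    return {k: counts.get(k, 0) for k in ("TP", "FP", "FN", "TN")}


def rates(c):
    """Derived rates; each guarded against an empty denominator."""
    tp, fp, fn, tn = c["TP"], c["FP"], c["FN"], c["TN"]
    return {
        # fraction of real attacks that alarmed (what vendors tune for)
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        # fraction of benign events that alarmed
        "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0,
        # fraction of alarms that were worth an analyst's time
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


def expected_alarms(events_per_day, attack_fraction, detection_rate, false_alarm_rate):
    """Expected daily TP/FP counts from the two rates and the attack base rate.

    Counts are rounded to whole events; the precision is what an analyst
    actually experiences as the share of alarms that are real.
    """
    attacks = round(events_per_day * attack_fraction)
    benign = events_per_day - attacks
    tp = round(attacks * detection_rate)
    fp = round(benign * false_alarm_rate)
    return {"TP": tp, "FP": fp, "precision": tp / (tp + fp) if tp + fp else 0.0}


# Constructed sample: 20 events, labelled by an analyst after the fact.
SAMPLE_EVENTS = (
    [(True, True)] * 2 +     # detected attacks
    [(False, True)] * 1 +    # missed attack
    [(True, False)] * 2 +    # phantom attacks
    [(False, False)] * 15    # quiet, benign
)

if __name__ == "__main__":
    c = confusion(SAMPLE_EVENTS)
    print(c, rates(c))
    # Constructed base-rate scenario: one attack event in ten thousand,
    # a 99% detection rate and a 1% false-alarm rate.
    print(expected_alarms(1_000_000, 0.0001, 0.99, 0.01))
```

With those figures the sensor raises about 99 true alarms and about 10,000 false ones per day, so fewer than one alarm in a hundred is real. Lowering the false-alarm rate buys more analyst time than raising the detection rate does once the base rate is this low.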
• IDS and IPS use one of four approaches to identify malicious traffic:
– Signature-based (or Misuse Detection)
– Policy-based
– Anomaly-based
– Honeypot-based
• Signature-based detection, at a very basic level, can be compared to virus
checking programs.
• IDS vendors produce and build signatures that the IDS system uses to compare
against activity on the network or host.
– When a match is found, the IDS takes action.
– The actions taken could include logging the event or sending an alarm to a
management console.
• Although many vendors allow users to configure existing signatures and create
new ones, customers are primarily dependent on the vendors to provide the
latest signatures to keep the IDS up to date.
• Signature-based detection can also produce false positives, as certain normal
network activity can appear to be malicious.
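A minimal signature engine, added here as an example (not code from the slides or from any vendor), showing the match-then-act flow above over a handful of HTTP request lines, including a benign request that trips a loose signature (the false-positive case in the last bullet) and an encoded variant of an attack that a raw-byte match would miss. The signatures, their IDs, and the request lines are all constructed and bear no relation to any vendor's signature set.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int            # constructed ID, unrelated to any vendor's numbering
    name: str
    pattern: re.Pattern
    action: str         # alarm | reset | drop | block (the response options)


# Constructed signatures. 1002 is deliberately loose, like many real
# "traversal" signatures: it fires on any "../", which a legitimate client
# that did not normalize a relative link can also send.
SIGNATURES = [
    Signature(1001, "cmd.exe reached via directory traversal",
              re.compile(r"(\.\./)+.*cmd\.exe", re.I), "block"),
    Signature(1002, "directory traversal sequence in URL",
              re.compile(r"\.\./"), "alarm"),
    Signature(1003, "SQL tautology in query string",
              re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I), "drop"),
]

SEVERITY = {"alarm": 0, "reset": 1, "drop": 2, "block": 3}


def normalize(request_line: str) -> str:
    """Decode %xx escapes once before matching.

    Without this step an attacker sends "..%2f" instead of "../" and a
    raw-byte signature never fires; decoding is the simplest anti-evasion
    measure a signature engine needs.
    """
    return unquote(request_line)


def inspect(request_line: str):
    """Return (sid, name, action) for every signature that matches."""
    text = normalize(request_line)
    return [(s.sid, s.name, s.action) for s in SIGNATURES if s.pattern.search(text)]


def decide_action(hits):
    """Most severe configured action among the hits, or None if nothing matched."""
    if not hits:
        return None
    return max((h[2] for h in hits), key=SEVERITY.__getitem__)


# Constructed request lines standing in for captured traffic.
SAMPLE_TRAFFIC = [
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0",      # attack
    "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",  # same, encoded
    "GET /docs/../images/logo.png HTTP/1.1",                          # benign, fires 1002
    "GET /login?user=admin' OR '1'='1 HTTP/1.1",                      # attack
    "GET /index.html HTTP/1.1",                                       # benign, silent
]


def scan(lines):
    """Per-line verdicts: (request_line, matched sids, action)."""
    results = []
    for line in lines:
        hits = inspect(line)
        results.append((line, [h[0] for h in hits], decide_action(hits)))
    return results


if __name__ == "__main__":
    for line, sids, action in scan(SAMPLE_TRAFFIC):
        print(f"{action or 'pass':5} {str(sids):14} {line}")
```

The third request is the false positive: a real user fetching `logo.png` through an unnormalized relative path is alarmed on exactly as an attacker probing for traversal would be, and only the analyst (or a tuned signature) can tell the two apart. The second request shows why the engine decodes before matching: the same payload with `%2f` in place of `/` would otherwise be a false negative.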
• Cisco intrusion detection and prevention solutions are part of the Cisco Self-Defending
Network. Designed to identify and stop worms, network viruses, and other malicious
traffic, these solutions can help protect the network.
• IOS Intrusion Prevention System (IPS)
– Cisco IOS Intrusion Prevention System (IPS) is an in-line, deep-packet
inspection-based solution that helps enable Cisco IOS Software to
effectively mitigate a wide range of network attacks without compromising
router performance.
• Cisco IOS IPS combines existing Cisco IDS and IPS product features with
three different intrusion detection techniques.
• Cisco IOS IPS uses signature technology from the Cisco IDS and IPS sensor
product lines, including Cisco IDS 4200 Series appliances, Cisco Catalyst 6500
Series IDS services modules, and network module hardware IDS appliances.
• The Cisco AIP SSM helps users stop threats with greater confidence through
the use of:
– Accurate inline prevention technologies – Provides the ability to take
preventive action against a broader range of threats without the risk of
dropping legitimate traffic. These technologies offer intelligent,
automated, contextual analysis of your data and help ensure you
are getting the most out of your intrusion prevention solution.
– Multivector threat identification – Protects your network from policy
violations, vulnerability exploitations, and anomalous activity through
detailed inspection of traffic in Layers 2 through 7.
– Unique network collaboration – Enhances scalability and resiliency
through network collaboration, including efficient traffic capture techniques,
load-balancing capabilities, and visibility into encrypted traffic.
– Powerful management, event correlation, and support services –
Enables a complete solution, including configuration, management, data
correlation, and advanced support services. In particular, the Cisco
Security Monitoring, Analysis, and Response System (Cisco Security
MARS) identifies, isolates, and recommends precision removal of offending
elements, for a network-wide intrusion prevention solution. And the Cisco
Incident Control System (ICS) prevents new worm and virus outbreaks by
enabling the network to rapidly adapt and provide a distributed response.
• Cisco IPS supports various sensor platforms. Each platform has varying capabilities and
is designed to operate in a specific network environment.
• You need to consider the following factors when deciding where to place sensors on your
network:
– Internet boundaries
– Extranet boundaries
– Intranet boundaries
– Remote access boundaries
– Servers and desktops