Chapter Five;-

Implementing Intrusion Prevention

Major Concepts:-
• Describe the purpose and operation of network-based and host-based
Intrusion Prevention Systems (IPS)
• Describe how IDS and IPS signatures are used to detect malicious network
traffic
• Implement Cisco IOS IPS operations using CLI and SDM
• Verify and monitor the Cisco IOS IPS operations using CLI and SDM

**Firewalls cannot protect against malware and zero-

day attacks.

A zero-day attack, sometimes referred to as a zero-day threat, is a computer

attack that tries to exploit software vulnerabilities that are unknown or
undisclosed by the software vendor.

IDS:*** An IDS-enabled device copies the traffic stream, and analyzes the
monitored traffic rather than the actual forwarded packets. It compares the
captured traffic stream with known malicious signatures in an offline
manner similar to software that checks for viruses. This offline IDS
implementation is referred to as promiscuous mode.

IPS:*** An attack is launched on a network that has a sensor

deployed in IPS mode (inline mode).
The IPS sensor analyzes the packets as they enter the IPS sensor
interface. The IPS sensor matches the malicious traffic to a signature
and the attack is stopped immediately.
Cisco IPS platforms use a blend of detection technologies, including
signature-based, profile-based, and protocol analysis intrusion
detection.
****The biggest difference between IDS and IPS is that an IPS
responds immediately and does not allow any malicious traffic to pass,
 whereas an IDS might allow malicious traffic to pass before
responding.
Common characteristics of IDS and IPS:-
✔ Both technologies are deployed using sensors.
✔ Both technologies use signatures to detect patterns of misuse in network
traffic.
✔ Both can detect atomic patterns (single-packet) or composite patterns (multi-
packet).

Comparing IDS and IPS Solutions:-

IDS Promiscuous Mode:-Advantages:-

 No impact on network (latency, jitter)

 No network impact if there is a sensor failure
 No network impact if there is sensor overload

Disadvantages:-
 Response action cannot stop trigger packets
 Correct tuning required for response actions
 Must have a well thought-out security policy
 More vulnerable to network evasion techniques

IPS Inline Mode Advantages:-

 Stops trigger packets
 Can use stream normalization techniques

Disadvantages:-

 Sensor issues might affect network traffic

 Sensor overloading impacts the network

 Must have a well thought-out security policy

 Some impact on network (latency, jitter)

**********The protection against viruses and threats requires an end-to-end

solution. For this reason, IDS and IPS technologies are typically deployed using
two implementations: network-based and host-based.
Network-Based Implementation:-

Network-based IPS implementations analyse network-wide activity looking for malicious

activity.
• Network devices such as ISR routers, ASA firewall appliances, Catalyst 6500 network
modules, or dedicated IPS appliances are configured to monitor known signatures.

• They can also detect abnormal traffic patterns.

Host-Based Implementation:-

• Host-based implementations are installed on individual computers

using host intrusion prevention system (HIPS) software such as Cisco
Security Agent (CSA).

• HIPS audits host log files, host file systems, and resources.

• A significant advantage of HIPS is that it can monitor operating system

processes and protect critical system resources, including files that
may exist only on that specific host.

• It combines behavioral analysis and signature filters with the best

features of anti-virus software, network firewalls, and application
firewalls in one package.

***Cisco Security Agent:-

CSA provides host security to enterprises by deploying agents that defend against the
proliferation of attacks across networks. These agents operate using a set of policies that
are selectively assigned to each system node on the network by the network
administrator.
CSA contains two components:
Management Center - Installed on a central server and is managed by a network
administrator.
Security Agent - Installed and runs on a host system. It displays the agent flag icon (small
red flag) in the system tray.
*A warning message appears when CSA detects a Problem.
CSA maintains a log file allowing the user to verify problems and learn more
information.
Host-Based Solutions:-

Advantages:-

 The success or failure of an attack can be readily determined.

 HIPS does not have to worry about fragmentation attacks or variable

Time to Live (TTL) attacks.
 HIPS has access to the traffic in unencrypted form.

Disadvantages:-

 HIPS does not provide a complete network picture.

HIPS has a requirement to support multiple operating systems

*****Host-based and network-based IPS implementations complement one
another by securing the multiple ingress and egress locations of the network.

**IPS Sensors:-
• Factors that impact IPS sensor selection and deployment:
– Amount of network traffic
– Network topology
– Security budget
– Available security staff

Comparing HIPS and Network IPS:-

HIPS
Advantages:-
 Is host-specific
 Protects host after decryption
 Provides application-level encryption protection
Disadvantages:-
 Operating system dependent
 Lower level network events not seen
 Host is visible to attackers

Network IPS
Advantages:-
 Is cost-effective
 Not visible on the network
 Operating system independent
 Lower level network events seen
Disadvantages:-
 Cannot examine encrypted traffic
 Does not know whether an attack was successful

Signature Characteristics:-

• A signature is a set of rules that an IDS and an IPS use to detect

typical intrusive activity, such as DoS attacks.

• These signatures uniquely identify specific worms, viruses,

protocol anomalies, or malicious traffic.

• IPS sensors are tuned to look for matching signatures or

abnormal traffic patterns.

• IPS signatures are conceptually similar to the virus.dat file used

by virus scanners.

• An IDS or IPS sensor matches a signature with a data flow

• The sensor takes action
• Signatures have three distinctive attributes
• Signature type
• Signature trigger
• Signature action