Here is a portion of some notes that I came across for IPS – instead of letting them waste away on my hard drive, I figured I would post them in case some of you might enjoy them. I will post more sections if I receive no hate mail.
I. IPS Overview
a. Detection versus Prevention
i. Detection (IDS) can do just that: detect. It watches a copy of the traffic and alerts; the offending packets have already been delivered by the time the alert fires
ii. Prevention (IPS) can detect and prevent because it sits in the traffic path and can drop packets; risks include added latency, false positives that now block legitimate traffic, and the inline device being overrun or failing and taking the path down with it
b. Detection technologies
i. Profile based (anomaly detection): activity deviates from a baseline of "normal" activity; hard to define normal, prone to a high number of false positives, but can flag previously unseen attacks
ii. Signature based (pattern matching): less prone to false positives and the primary Cisco technology; it only catches what a signature describes, so it needs signature updates and can be evaded by altering the pattern on the wire (see Evasive Techniques below)
iii. Protocol analysis: similar to signature based but more in-depth; decodes the protocol and checks the payload and fields against how the protocol should look, so variants of a pattern can still be recognised
c. Evasive Techniques
i. Flooding
1. flood the sensor with noise (decoy events or sheer volume) and launch the real attack while it is buried in alerts or while the sensor is dropping packets
ii. Fragmentation
1. break the attack into IP fragments or TCP segments so that no single packet contains the full pattern; the sensor must reassemble the stream before matching
iii. Encryption
1. send the attack through an encrypted tunnel (e.g. SSL or IPsec) so the network sensor never sees the plaintext payload
iv. Obfuscation
1. disguise the attack with alternate representations (URL or Unicode encoding, case changes, backslashes for slashes) so the bytes on the wire do not match the signature even though the target decodes them to the same thing
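The obfuscation and fragmentation evasions above, and the false-positive/false-negative terminology used later in these notes, as a worked example. This is example code added to these notes; it is not Cisco code and not how the Cisco signature engine is built. The signature, the traffic samples and the normalisation steps are all constructed for the demo. It shows why a per-packet, byte-exact matcher misses encoded or split attacks while a matcher that first reassembles the stream and normalises the encoding catches them, and why neither fixes a false positive caused by a signature that is too loose.

```python
"""Added example (not from the notes, not Cisco code): signature matching
versus obfuscation and fragmentation, scored as TP/FP/FN/TN.

Everything here is constructed for the demo: the signature, the sample
request segments, and the normalisation steps."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote

# Constructed signature: a directory-traversal probe in a URL path.
SIGNATURE = b"../../etc/passwd"

# Constructed traffic: (label, segments as seen on the wire, is_attack).
TRAFFIC: List[Tuple[str, List[bytes], bool]] = [
    ("plain attack",     [b"GET /../../etc/passwd HTTP/1.0"], True),
    ("url-encoded",      [b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0"], True),
    ("double-encoded",   [b"GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.0"], True),
    ("case+backslash",   [b"GET /..\\..\\ETC\\PASSWD HTTP/1.0"], True),
    ("fragmented",       [b"GET /../../e", b"tc/passwd HTTP/1.0"], True),
    ("benign page",      [b"GET /index.html HTTP/1.0"], False),
    # Benign post that merely quotes the string: the signature is too loose,
    # so every matcher below raises a false positive on it.
    ("benign blog post", [b"POST /blog body=never+allow+../../etc/passwd"], False),
]


def naive_detector(segments: List[bytes]) -> bool:
    """Per-packet, byte-exact match: the weakest form of signature matching."""
    return any(SIGNATURE in seg for seg in segments)


def normalise(data: bytes) -> bytes:
    """Undo common obfuscations before matching: percent-decode (twice, to
    cover double encoding), fold backslashes to slashes, lower-case."""
    text = data.decode("latin-1")
    for _ in range(2):
        text = unquote(text)
    return text.replace("\\", "/").lower().encode("latin-1", "replace")


def reassemble(segments: List[bytes]) -> bytes:
    """Stream reassembly (here: plain concatenation of in-order segments)."""
    return b"".join(segments)


def robust_detector(segments: List[bytes]) -> bool:
    """Reassemble, normalise, then match: defeats the two evasions shown."""
    return SIGNATURE in normalise(reassemble(segments))


def evaluate(detector: Callable[[List[bytes]], bool],
             traffic=TRAFFIC) -> Dict[str, int]:
    """Score a detector over labelled traffic with the IDS terminology:
    TP = attack alerted, FN = attack missed, FP = benign alerted, TN = benign ignored."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for _, segments, is_attack in traffic:
        alerted = detector(segments)
        if is_attack:
            counts["TP" if alerted else "FN"] += 1
        else:
            counts["FP" if alerted else "TN"] += 1
    return counts


if __name__ == "__main__":
    for name, det in (("naive", naive_detector), ("robust", robust_detector)):
        print(f"{name:6s} {evaluate(det)}")
    # naive  {'TP': 1, 'FP': 1, 'FN': 4, 'TN': 1}
    # robust {'TP': 5, 'FP': 1, 'FN': 0, 'TN': 1}
```

The robust matcher turns four false negatives into true positives, but the false positive on the blog post survives, which is the point of the notes' warning about false positives in inline mode: normalisation fixes evasion, not a loose signature, and inline that loose signature drops legitimate traffic.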
d. Network Sensors
i. Current: router network module (NM-CIDS), IPS 4215, AIP-SSM (ASA module), IPS 4240, IPS 4255, IDS blade (IDSM-2 for the Catalyst 6500)
ii. Legacy: 4210, 4235, 4250
e. Sensor Appliances
i. command and control interface: has an IP address and is what the management workstation (IDM, CLI over SSH) talks to
ii. monitoring (sensing) interface: no IP address and not visible on the network, so the sensor itself is not addressable from the monitored segment
1. promiscuous mode: the sensor sees a copy of the traffic (SPAN or tap); it can alert and react after the fact (TCP reset, shun) but cannot drop the packet; IDS only
2. inline mode: sensor OS 5.0 or higher; two or more monitoring interfaces paired so traffic passes through the sensor, which can drop packets; IPS
iii. Reliable IPS (inline IPS features)
1. Risk Rating: a per-event score computed from event severity, signature fidelity (how likely a match is a real attack) and the asset value of the target, so that event actions are driven by risk rather than by signature alone
2. High availability: HSRP and EtherChannel on the surrounding routers and switches steer traffic around a failed inline sensor or across a pair of them, since an inline sensor is otherwise a single point of failure
3. Application-firewall features (protocol-aware inspection of application traffic)
4. Accurate worm mitigation through event correlation (several signatures firing together are correlated into one meta-event rather than acted on individually)
iv. Defense-in-Depth
1. Host Intrusion Prevention System (Cisco Security Agent) on the endpoint complements the network sensor; for example it sees payloads after decryption that an encrypted tunnel hides from the network sensor
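Risk Rating from the three inputs the notes list, as a worked example added here; it is not Cisco's implementation. It assumes the IPS 5.x style formula as recalled from the product documentation, RR = ASR × TVR × SFR / 10000 with the result clamped to 0..100, and the scale values (attack severity 25/50/75/100, target value 0/75/100/150/200, fidelity 0..100) are likewise assumptions to check against your sensor's documentation. The event-action names follow Cisco's naming, but the thresholds are an example policy, not Cisco defaults, and the two signatures are constructed.

```python
"""Added example (not Cisco code): Cisco IPS style Risk Rating from the
three inputs in the notes (event severity, signature fidelity, asset value)
and an event-action policy keyed on it.

Assumptions, to be checked against the sensor documentation:
  RR = ASR * TVR * SFR / 10000, clamped to 0..100   (IPS 5.x style formula)
  the ATTACK_SEVERITY and TARGET_VALUE scales below
The action thresholds are an example policy, not Cisco defaults."""
from dataclasses import dataclass
from typing import List

# Assumed scale values (attack severity rating and target value rating).
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zero": 0, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}


@dataclass(frozen=True)
class Signature:
    name: str
    severity: str   # key into ATTACK_SEVERITY (the event severity)
    fidelity: int   # SFR 0..100: how sure the signature is that a match is a real attack


def risk_rating(sig: Signature, target_value: str) -> int:
    """RR = ASR * TVR * SFR / 10000, integer, clamped to 0..100 (assumed formula)."""
    if not 0 <= sig.fidelity <= 100:
        raise ValueError("signature fidelity must be 0..100")
    asr = ATTACK_SEVERITY[sig.severity]
    tvr = TARGET_VALUE[target_value]
    rr = (asr * tvr * sig.fidelity) // 10000
    return max(0, min(100, rr))


def event_actions(rr: int) -> List[str]:
    """Example policy (assumption): the more certain and the more damaging the
    event, the more aggressive the inline action. Low-RR events get alert only,
    so a false positive does not become a self-inflicted outage."""
    if rr >= 90:
        return ["produce-alert", "deny-packet-inline", "deny-attacker-inline"]
    if rr >= 70:
        return ["produce-alert", "deny-packet-inline"]
    if rr >= 30:
        return ["produce-alert"]
    return []


# Constructed signatures for the demo.
TRAVERSAL = Signature("HTTP directory traversal (constructed)", "high", 75)
ICMP_SWEEP = Signature("ICMP network sweep (constructed)", "informational", 50)


def main() -> None:
    # The same signature hit is alert-only against a low-value host and a
    # drop-and-shun against a mission-critical one; asset value, not just
    # the signature, decides the action.
    for sig in (TRAVERSAL, ICMP_SWEEP):
        for tv in ("low", "medium", "mission-critical"):
            rr = risk_rating(sig, tv)
            print(f"{sig.name:40s} target={tv:17s} RR={rr:3d} -> {event_actions(rr)}")


if __name__ == "__main__":
    main()
```

Two things the numbers show: a high-severity, high-fidelity hit on a mission-critical asset saturates at 100 even though the raw product is 150, and an informational sweep never climbs above alert-only no matter how valuable the target is, because the severity term keeps it small.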
v. Terminology
1. False Alarms (the sensor got it wrong)
a. False Positive: an alert on benign traffic; costly in inline mode because the action blocks legitimate traffic
b. False Negative: an attack that produced no alert; the dangerous case, and what the evasive techniques above aim for
2. True Alarms (the sensor got it right)
a. True Positive: an attack that was alerted on
b. True Negative: benign traffic that was correctly left alone
vi. IPS Architecture (sensor software components)
1. EventStore: stores alerts and other events for retrieval by management tools
2. Analysis Engine: captures packets from the monitoring interfaces and runs signature processing against them
3. Main App: starts, stops and configures the other applications
4. Web Server: serves the device manager (IDM) and the event-retrieval interface used by management consoles
5. SSH/Telnet: CLI access on the command and control interface (Telnet is off by default; use SSH)
6. IDAPI: comm. channel between the apps
7. NAC (Network Access Controller): initiates blocking (shun) on routers, switches and firewalls
8. Notification App: SNMP traps
9. Sensor Interfaces: the command and control and monitoring interfaces described above

Very good for my studies for the written.
That is awesome – I will be sure to post more – and I will also enhance the above a bit since I see some elaboration is needed.
Hi Anthony,
Well if you want hate mail here it is.
I hate if you do not post or share your brain notes to us. Hehehe.
Thanks for sharing. Please post all your notes if you can. ;-0
-CCIE Pilot
Nice and quite complete overview of Cisco IPS.
Thanks a lot!!!
I was just researching what Cisco IPS is for my uni report. On the Cisco site, as usual, you have to read a ton of information here and there to put together something resembling an overview :-/
Thanks again for this, now I have a better picture of what the IPS can do