Jan 06

Here is a portion of some notes that I came across for IPS - instead of wasting away on my hard drive, I figured I would post in case some of you might enjoy. I will post more sections if I receive no hate mail :-)

I. IPS Overview

a. Detection versus Protection

i. Detection systems can do just that - detect (they alert, but do not block)

ii. Prevention systems can detect and prevent - because they sit in the traffic path, the risks include added latency, blocking legitimate traffic on a false positive, and the device itself being overrun

b. Detection technologies

i. Profile based - anomaly detection - activity deviates from "normal" activity; tough to define normal, prone to a high number of false positives

ii. Signature based - pattern matching - less prone to false positives; this is the primary Cisco technology

iii. Protocol Analysis - similar to signature based but with more in-depth analysis; checks the contents of the payload

c. Evasive Techniques

i. Flooding

1. flood network with noise then launch attack

ii. Fragmentation

1. break the attack up into fragments so it is harder to recognize

iii. Encryption

1. send attack through encrypted tunnel

iv. Obfuscation

1. disguise the attack using special characters or alternate representations so that a literal pattern match fails
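To show why the signature-based and protocol-analysis sensors above must reassemble traffic before matching, here is an added example (not from the original notes or from Cisco) in which a constructed signature split across two fragments is missed by per-packet matching but caught once the stream is rebuilt; the signature bytes, fragment sizes and terminology helper are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample signature: the byte pattern the sensor should alert on.
SIGNATURE = b"TEST-PATTERN-1234"


@dataclass
class Fragment:
    """One fragment of a stream: its byte offset and its payload."""
    offset: int
    payload: bytes


def split_stream(data: bytes, chunk: int) -> List[Fragment]:
    """Constructed traffic: cut a stream into fixed-size fragments."""
    return [Fragment(i, data[i:i + chunk]) for i in range(0, len(data), chunk)]


def match_per_packet(frags: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Naive matcher: inspects each fragment in isolation (no reassembly)."""
    return any(sig in f.payload for f in frags)


def reassemble(frags: List[Fragment]) -> bytes:
    """Reorder fragments by offset and rebuild the stream; later copies win on overlap."""
    buf = bytearray()
    for f in sorted(frags, key=lambda f: f.offset):
        end = f.offset + len(f.payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))  # pad gaps, then overwrite
        buf[f.offset:end] = f.payload
    return bytes(buf)


def match_reassembled(frags: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Matcher that first reassembles the stream, as an IPS sensor must."""
    return sig in reassemble(frags)


def classify(alerted: bool, malicious: bool) -> str:
    """Map an alert decision against ground truth to the IPS alarm terminology."""
    if malicious:
        return "true positive" if alerted else "false negative"
    return "false positive" if alerted else "true negative"


if __name__ == "__main__":
    stream = b"ab" + SIGNATURE + b"cd"               # constructed stream
    frags = split_stream(stream, 8)[::-1]            # fragmented, out of order
    print(classify(match_per_packet(frags), True))   # false negative
    print(classify(match_reassembled(frags), True))  # true positive
```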

d. Network Sensors

i. network module, 4215, AIP-SSM, 4240, 4255, IDS Blade

ii. Legacy 4210, 4235, 4250

e. Sensor Appliances

i. command and control interface - has an IP address; used by the management workstation

ii. monitoring interface - no IP address and not visible on the network

1. promiscuous mode - IDS only

2. in-line mode - requires sensor software 5.0 or higher; two or more monitoring interfaces, with traffic passing through the sensor; IPS

iii. Reliable IPS (inline IPS features)

1. Risk Rating - event severity, signature fidelity, asset value

2. High availability - HSRP, EtherChannel

3. Application firewall features

4. Accurate worm mitigation through event correlation

iv. Defense-in-Depth

1. Host Intrusion Prevention System

v. Terminology

1. False Alarms

a. False Positive

b. False Negative

2. True Alarms

a. True Positive

b. True Negative

vi. IPS Architecture

1. Eventstore

2. Analysis Engine

3. Main App

4. Web Server

5. SSH/Telnet

6. IDAPI - communication channel between the sensor applications

7. NAC - initiates blocking

8. Notification App - sends SNMP traps

9. Sensor Interfaces

INE Instructor