250 likes | 385 Views
Chapter 16 Cisco IOS IPS. Securing Networks with IDS and IPS .
E N D
Chapter 16 • Cisco IOS IPS
Securing Networks with IDS and IPS Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) sensors protect your network from malicious traffic. The two systems are deployed differently and scan for malicious traffic in different ways. Each system has strengths and weaknesses when deployed separately, but when used together, IDS and IPS can provide a much richer and deeper level of security
Basic Functions of the Intrusion Detection System (IDS) IDS is typically characterized as a passive listening device. This label is given to these systems because traffic does not have to pass through the system; IDS sensors listen promiscuously to all traffic on the network
Basic Functions of the Intrusion Prevention System (IPS) IPS is characterized as an active device. This is because the device is implemented as an inline sensor. The IPS requires the use of more than one interface, and all traffic must pass through the sensor. Network traffic enters through one interface and exits through another
Using IDS and IPS Together When you think about having one or the other of these sensors on your network, think about the benefits you would get from having both. An IPS sensor is much like a firewall; it can block traffic that is malicious or threatening. It should only block traffic that is known to be a threat, though. IPS should not block legitimate traffic or you could suffer a disruption in legitimate connectivity and find that applications are unable to perform their tasks
Benefits and Drawbacks of IPS/IDS Sensors • A network-based monitoring system has the benefit of easily seeing attacks that are occurring across the entire network • Encryption of the network traffic stream can effectively blind the sensor. Reconstructing fragmented traffic can also be a difficult problem to solve
Types of IDS and IPS Sensors • Network Based (NIPS,NIDS) • Host Based (HIPS,HIDS)
Network Based Intrusion Prevention System (NIPS) • Network-based sensors examine packets and traffic that are traversing through the network for known signs of malicious activity. Because these systems are watching network traffic, any attack signatures detected may succeed or fail. It is usually difficult, if not impossible, for network-based monitoring systems to assess the success or failure of the actual attacks
Host Based Intrusion Prevention System(HIPS) • A host-based sensor examines information at the local host or operating system. The HIPS has full access to the internals of the end station, and can relate incoming traffic to the activity on the end station to understand the context. Host-based sensors can be implemented to a couple of different complexity levels
Malicious Traffic Identification Approaches • Signature-based • Policy-based • Anomaly-based • Honeypot
Signature Types • Exploit signatures • Connection signatures • String signatures • DoS signatures
IPS Alarms An IPS sensor can react in real time when a signature is matched. This allows the sensor to act before network security has been compromised. The sensor can optionally log whatever happened with a syslog message or Security Device Event Exchange (SDEE)
Configuring IOS IPS It is now time to look at the configuration of IOS IPS. This section takes you through the configuration process using the SDM interface. The SDM gives you quite a few configuration capabilities for IOS IPS. You can configure every option through the IPS Edit menu