CCNA Security – Chapter 5 (IPS)

Video: https://www.dropbox.com/s/62das8ukgzy5jqx/CCNA_Security_%E2%80%93_Chapter_5_%28IPS%29.mp4

A zero-day attack, sometimes referred to as a zero-day threat, is a computer attack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor. The term zero-hour describes the moment when the exploit is discovered.
!
The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target before responding to the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.
!
An IPS monitors Layer 3 and Layer 4 traffic and analyzes the contents and the payload of the packets for more sophisticated embedded attacks that might include malicious data at Layers 2 through 7.
!
The advantage of operating in inline mode is that the IPS can stop single-packet attacks from reaching the target system.
!
The biggest difference between IDS and IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS might allow malicious traffic to pass before responding.
!
A signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity. Signatures can be used to detect severe breaches of security, common network attacks, and information gathering. IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).
!
A network IPS can be implemented using a dedicated IPS appliance, such as the IPS 4200 series. Alternatively, it can be added to an ISR router, an ASA firewall appliance, or Catalyst 6500 switch.
!
Cisco IOS IPS and Cisco IPS AIM / IPS NME cannot be used together. Cisco IOS IPS must be disabled when the Cisco IPS AIM is installed.
!
Cisco IPS Sensor Software Version 5.1 includes enhanced detection capabilities and improved scalability, resiliency, and performance features.
!
There are several factors that affect the IPS sensor selection and deployment:
!
Amount of network traffic
Network topology
Security budget
Available security staff to manage IPS
!
There are also disadvantages of network IPS. If network data is encrypted this can essentially blind network IPS, allowing attacks to go undetected. Another problem is that IPS has a difficult time reconstructing fragmented traffic for monitoring purposes.
!
IPS signatures are conceptually similar to the virus.dat file used by virus scanners.
!
An atomic signature is the simplest type of signature. It consists of a single packet, activity, or event that is examined to determine if it matches a configured signature. If it does, an alarm is triggered, and a signature action is performed. Because these signatures can be matched on a single event, they do not require an intrusion system to maintain state information.
!
Detecting atomic signatures consumes minimal resources (such as memory) on the IPS or IDS device.
A LAND attack is an example of an atomic signature because it consists of a single spoofed TCP SYN packet (connection initiation) that carries the IP address of the target host and an open port as both source and destination. The attack works because it causes the machine to reply to itself continuously.
!
A composite signature is also called a stateful signature. This type of signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.
!
The length of time that the signatures must maintain state is known as the event horizon.
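The atomic-versus-composite distinction, the event horizon and the IDS/IPS difference in how a matching packet is handled can all be shown in a small simulated sensor. This is an added example, not code from the notes or from Cisco IOS IPS: the packets are constructed in-memory records, the LAND check is the atomic signature, the port-sweep check is the composite signature that keeps per-source state, and `event_horizon` is the number of seconds that state is retained before it is discarded.

```python
"""Toy sensor: an atomic signature (LAND) next to a composite, stateful one.

Added example, not Cisco code. Packets are constructed test data; the
threshold and event horizon values are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # "S" marks a TCP SYN


def land_signature(pkt: Packet) -> bool:
    """Atomic signature: decided from one packet, no state required.

    Matches the LAND pattern: a SYN whose source address/port equals its
    destination address/port.
    """
    return pkt.flags == "S" and pkt.src == pkt.dst and pkt.sport == pkt.dport


class PortSweepSignature:
    """Composite (stateful) signature: SYNs from one source to `threshold`
    distinct destination ports, all seen inside the event horizon."""

    def __init__(self, threshold: int = 5, event_horizon: float = 10.0):
        self.threshold = threshold
        self.event_horizon = event_horizon
        self.state = defaultdict(list)   # src -> [(ts, dport), ...]
        self.fired = set()               # sources already alerted on

    def observe(self, pkt: Packet) -> bool:
        if pkt.flags != "S":
            return False
        events = self.state[pkt.src]
        events.append((pkt.ts, pkt.dport))
        # Discard state older than the event horizon: this is what keeps a
        # slow sweep from ever reaching the threshold.
        cutoff = pkt.ts - self.event_horizon
        self.state[pkt.src] = [e for e in events if e[0] >= cutoff]
        ports = {dport for _, dport in self.state[pkt.src]}
        if len(ports) >= self.threshold and pkt.src not in self.fired:
            self.fired.add(pkt.src)
            return True
        return False


def run_sensor(packets, mode: str = "ips"):
    """Run both signatures over a packet list.

    mode="ips": a matching packet is dropped inline (deny-packet-inline) and
    never reaches the target. mode="ids": the sensor only alerts, and the
    packet is forwarded because the IDS works on a copy of the traffic.
    Returns (alerts, forwarded_packets).
    """
    sweep = PortSweepSignature()
    alerts, forwarded = [], []
    for pkt in packets:
        hit = None
        if land_signature(pkt):
            hit = "LAND (atomic)"
        elif sweep.observe(pkt):
            hit = "port sweep (composite)"
        if hit:
            alerts.append((pkt.ts, pkt.src, hit))
            if mode == "ips":
                continue
        forwarded.append(pkt)
    return alerts, forwarded


# Constructed sample traffic (not a capture).
SAMPLE = [
    # LAND: spoofed SYN with the target's own address and port on both sides
    Packet(0.0, "10.0.0.1", "10.0.0.1", 80, 80, "S"),
    # fast sweep: five distinct ports from one host inside the 10 s horizon
    Packet(1.0, "10.0.0.5", "10.0.0.1", 40000, 21, "S"),
    Packet(2.0, "10.0.0.5", "10.0.0.1", 40001, 22, "S"),
    Packet(3.0, "10.0.0.5", "10.0.0.1", 40002, 23, "S"),
    Packet(4.0, "10.0.0.5", "10.0.0.1", 40003, 25, "S"),
    Packet(5.0, "10.0.0.5", "10.0.0.1", 40004, 80, "S"),
    # slow sweep: same ports 8 s apart, so state expires before the threshold
    Packet(20.0, "10.0.0.9", "10.0.0.1", 40000, 21, "S"),
    Packet(28.0, "10.0.0.9", "10.0.0.1", 40001, 22, "S"),
    Packet(36.0, "10.0.0.9", "10.0.0.1", 40002, 23, "S"),
    Packet(44.0, "10.0.0.9", "10.0.0.1", 40003, 25, "S"),
    Packet(52.0, "10.0.0.9", "10.0.0.1", 40004, 80, "S"),
]

if __name__ == "__main__":
    for mode in ("ips", "ids"):
        alerts, fwd = run_sensor(SAMPLE, mode)
        print(mode, "alerts:", alerts, "forwarded:", len(fwd), "of", len(SAMPLE))
```

Running it shows the two behaviours side by side: in IPS mode the LAND packet and the fifth packet of the fast sweep are dropped (9 of 11 forwarded), in IDS mode the same two alerts are raised but all 11 packets reach the target. The slow sweep never alerts in either mode because the horizon only ever holds two of its ports at once, which is the trade-off behind the event horizon: a longer horizon catches slower scans at the cost of more memory per tracked source.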
!
The LAND attack is identified by the “Impossible IP Packet” signature (signature 1102.0).
!
To make the scanning of signatures more efficient, Cisco IOS software relies on signature micro-engines (SME), which categorize common signatures in groups.
!
With IOS 12.4(11)T, Cisco introduced version 5.x, an improved IPS signature format. The new version supports encrypted signature parameters and other features such as the signature risk rating, which rates each signature by the security risk it represents.
!
The Cisco IDS and IPS sensors (Cisco IPS 4200 Series Sensors and Cisco Catalyst 6500 – IDSM) can use four types of signature triggers:
!
Pattern-based detection
Anomaly-based detection
Policy-based detection
Honey pot-based detection
!
Honey pot systems are rarely used in production environments. Antivirus and other security vendors tend to use them for research.
!
CCP is used on an ISR router to manage an IPS implementation. Multiple IPS sensors can be managed using either Cisco IPS Manager Express (IME) or Cisco Security Manager (CSM).
!
When participating in global correlation, the Cisco SensorBase Network provides information to the IPS sensor about IP addresses with a reputation. The sensor uses this information to determine which actions, if any, to perform when potentially harmful traffic is received from a host with a known reputation.
!
Communication between sensors and the SensorBase Network involves an HTTPS request and response over TCP/IP. Network participation requires a network connection to the Internet. There are three modes for network participation: off, partial participation and full participation.
!
The crypto key verifies the digital signature of the master signature file (sigdef-default.xml). The content of the file is signed with a Cisco private key to guarantee its authenticity and integrity.
If the key is configured incorrectly, it must be removed and then reconfigured. Use the no crypto key pubkey-chain rsa and no named-key realm-cisco.pub signature commands to remove the key before entering it again.
!
no crypto key pubkey-chain rsa
no named-key realm-cisco.pub signature
!
ip ips name IOSIPS
ip ips name IOSIPSACL list 6
! An ACL can be attached to the rule to filter which traffic is scanned
access-list 6 permit 192.168.4.0 0.0.0.255
access-list 6 deny any
!
ip ips config location flash:/
!
ip http secure-server
ip ips notify sdee
ip ips notify log
logging 192.168.180.6
logging on
!
Retiring a signature means that IOS IPS does not compile that signature into memory for scanning. Unretiring a signature instructs IOS IPS to compile the signature into memory and use it to scan traffic.
!
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
exit
!
If multiple categories are configured and a signature belongs to more than one of them, IOS IPS uses the signature’s properties from the last configured category.
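The "last configured category wins" rule is easy to get backwards, so here is the resolution order worked through in a small function. This is an added example, not Cisco code: the membership table is a constructed toy (signature 5000/0 is invented for the example, and which categories a signature really belongs to comes from the signature package), the default of "retired, no actions" is an assumption, and per-signature tuning under ip ips signature-definition is not modelled.

```python
"""Resolve effective IOS IPS signature settings from ordered category statements.

Added example, not Cisco code. Membership and defaults are constructed
assumptions; the point is the ordering rule, not the real signature set.
"""

# Constructed membership table: (sig_id, subsig) -> categories it belongs to.
# 'all' contains every signature. 5000/0 is a made-up id for the example.
MEMBERSHIP = {
    (1102, 0): {"all", "ios_ips basic", "ios_ips advanced"},
    (6130, 10): {"all", "ios_ips basic"},
    (5000, 0): {"all", "ios_ips advanced"},
}


def resolve(category_statements, membership=MEMBERSHIP):
    """Apply category statements in configuration order.

    category_statements: list of (category_name, settings) tuples, where
    settings is a dict such as {"retired": False, "event-action": (...)}.
    A signature that belongs to several configured categories ends up with
    the properties of the LAST one listed, mirroring the IOS IPS rule.
    """
    # Assumed starting state; real defaults come from the signature package.
    effective = {sig: {"retired": True, "event-action": ()} for sig in membership}
    for cat, settings in category_statements:
        for sig, cats in membership.items():
            if cat in cats:
                effective[sig].update(settings)
    return effective


# The sequence from the notes: retire everything, then unretire the basic set
# and give it alert / drop / reset actions.
NOTES_ORDER = [
    ("all", {"retired": True}),
    ("ios_ips basic", {
        "retired": False,
        "event-action": ("produce-alert", "deny-packet-inline",
                         "reset-tcp-connection"),
    }),
]

# Same two statements in the opposite order: 'all' is last, so it wins and
# every signature stays retired.
REVERSED_ORDER = list(reversed(NOTES_ORDER))

if __name__ == "__main__":
    for label, order in (("notes order", NOTES_ORDER), ("reversed", REVERSED_ORDER)):
        print(label)
        for sig, props in resolve(order).items():
            print("  ", sig, props)
```

With the statements in the order the notes use, 1102/0 and 6130/10 come out unretired with the three actions while 5000/0 (advanced only) stays retired; flip the two category blocks and 'all' is applied last, so nothing is compiled. The same check is what `show ip ips signatures` is for on a real router after a category change.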
!
interface fa0/0
ip ips IOSIPSACL in
exit
!
! Copy the signature package (and its certificate) to the router
copy tftp://192.168.180.1/IOS-S636-CLI.pkg idconf
!
show ip ips signature count
!
For the CCP host computer, a minimum Java memory heap size of 256 MB is required to configure IOS IPS (Java option -Xmx256m).
!
The Cisco IOS IPS signature file contains the default signature information. Any changes made to this configuration are not saved to the signature file but to a separate file called the delta file, which is stored in router flash memory. For security, the delta file must be digitally signed with a key that is also obtained from Cisco.com.
!
The basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
!
ip ips signature-definition
signature 6130 10
status
retired true
exit
exit
exit
!
ip ips signature-category
category ios_ips basic
retired false
exit
exit
!
ip ips signature-definition
signature 6130 10
engine
event-action produce-alert
event-action deny-packet-inline
event-action reset-tcp-connection
exit
exit
exit
!
ip ips signature-category
category ios_ips basic
event-action produce-alert
event-action deny-packet-inline
event-action reset-tcp-connection
exit
exit
!
show ip ips all
show ip ips configuration
show ip ips interfaces
show ip ips signatures [detail]
show ip ips statistics [reset]
!
clear ip ips configuration
clear ip ips statistics
!