Understanding IPS Network Sensing
Network sensing can be accomplished using Cisco IPS sensors (appliances, switch modules, network modules, and SSMs) and Cisco IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco ISRs). These sensing platforms are components of the Cisco Intrusion Prevention System and can be managed and configured through Cisco Security Manager. These sensing platforms monitor and analyze network traffic in real time. They do this by looking for anomalies and misuse on the basis of network flow validation, an extensive embedded signature library, and anomaly detection engines. However, these platforms differ in how they can respond to perceived intrusions.
Tip: Cisco IPS sensors and Cisco IOS IPS devices are often referred to collectively as IPS devices or simply sensors. However, Cisco IOS IPS does not run the full dedicated IPS software, and its configuration does not include IPS device-specific policies. Additionally, the amount of sensing that you can perform with Cisco IOS IPS is more limited. The following sections focus on using dedicated IPS devices, including service modules installed in IOS routers, rather than Cisco IOS IPS. For a discussion focused on Cisco IOS IPS, see Intrusion Prevention System (IPS) Cisco IOS Intrusion Prevention System Deployment Guide on Cisco.com and Configuring IOS IPS Routers (http://www.cisco.com/go/iosips).
When an IPS device detects unauthorized network activity, it can terminate the connection, permanently block the associated host, and take other actions.
Note: For more overview information on IPS sensors, including a comparison of the available appliances and service modules and details about device interfaces, see Introducing the Sensor in Installing Cisco Intrusion Prevention System Appliances and Modules. A list of these documents for each IPS release is available at http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_installation_guides_list.html.
This section contains the following topics:
- Capturing Network Traffic
- Correctly Deploying the Sensor
- Tuning the IPS
Capturing Network Traffic
The sensor can operate in either promiscuous or inline mode. The following illustration shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network.
The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager workstation. SSH and TLS/SSL are enabled by default on the manager workstations.
When responding to attacks, the sensor can do the following:
- Insert TCP resets via the sensing interface.
  Note: You should select the TCP reset action only on signatures associated with a TCP-based service. If selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol.
- Make ACL changes on switches, routers, and firewalls that the sensor manages.
  Note: ACLs may block only future traffic, not current traffic.
- Generate IP session logs, session replay, and trigger packets display.
  IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for.
- Implement multiple packet drop actions to stop worms and viruses.
Correctly Deploying the Sensor
Before you deploy and configure your sensors, you should understand the following about your network:
- The size and complexity of your network.
- Connections between your network and other networks, including the Internet.
- The amount and type of traffic on your network.
This knowledge will help you determine how many sensors are required, the hardware configuration for each sensor (for example, the size and type of network interface cards), and how many managers are needed.
You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall or adaptive security appliance. The perimeter device filters traffic to match your security policy, thus allowing only acceptable traffic into your network. Correct placement significantly reduces the number of alerts, which increases the amount of actionable data you can use to investigate security violations. If you position the IPS sensor on the edge of your network in front of a firewall, your sensor will produce alerts on every single scan and attempted attack even if they have no significance to your network implementation. You will receive hundreds, thousands, or even millions of alerts (in a large enterprise environment) that are not really critical or actionable in your environment. Analyzing this type of data is time consuming and costly.
Tuning the IPS
Tuning the IPS ensures that the alerts you see reflect true actionable information. Without tuning the IPS, it is difficult to do security research or forensics on your network because you will have thousands of benign events, also known as false positives. False positives are a by-product of all IPS devices, but they occur much less frequently in Cisco IPS devices because Cisco IPS devices are stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS signature actions based on risk rating.
Follow these tips when tuning your IPS sensors:
- Place your sensor on your network behind a perimeter-filtering device.
  Proper sensor placement can reduce the number of alerts you need to examine by several thousand a day.
- Deploy the sensor with the default signatures in place.
  The default signature set provides you with a very high security protection posture. The Cisco signature team has spent many hours testing the defaults to give your sensor the highest protection. If you think that you have lost these defaults, you can restore them.
- Make sure that the event action override is set to drop packets with a risk rating greater than 90.
  This is the default and ensures that high-risk alerts are stopped immediately.
- Filter out known false positives caused by specialized software, such as vulnerability scanners and load balancers, by one of the following methods:
  - Configure the sensor to ignore the alerts from the IP addresses of the scanner and load balancer.
  - Configure the sensor to allow these alerts and then use Event Viewer to filter out the false positives.
- Filter the Informational alerts.
  These low-priority event notifications could indicate that another device is doing reconnaissance on a device protected by the IPS. Research the source IP addresses from these Informational alerts to determine what the source is.
- Analyze the remaining actionable alerts:
  - Research the alert.
  - Fix the attack source.
  - Fix the destination host.
  - Modify the IPS policy to provide more information.
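The tuning steps above, together with the TCP reset caveat from the earlier list, modelled as a small triage routine over constructed sample alerts. This is an added illustration, not Cisco Security Manager or sensor code; the Alert fields, the trusted-source addresses and the alert values are assumptions, and the action names are modelled on Cisco IPS event action names.

```python
from dataclasses import dataclass

# Constructed sample alert record, not output from a real sensor. Field names are assumptions.
@dataclass
class Alert:
    sig_id: int
    protocol: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    risk_rating: int         # Cisco risk rating, 0-100
    severity: str            # "informational", "low", "medium" or "high"
    sig_actions: frozenset   # actions configured on the signature itself

# Known false-positive sources: the vulnerability scanner and the load balancer (assumed addresses).
TRUSTED_SOURCES = {"10.0.5.10", "10.0.5.11"}

def effective_actions(a, rr_override=90):
    """Actions the sensor would take for one alert after the event action override is applied."""
    actions = {"produce-alert"}
    if a.risk_rating > rr_override:          # override: risk rating > 90 drops the packet
        actions.add("deny-packet-inline")
    # A TCP reset is only taken for TCP-based services; on other protocols no action is taken.
    if "reset-tcp-connection" in a.sig_actions and a.protocol == "tcp":
        actions.add("reset-tcp-connection")
    return actions

def triage(alerts, trusted=TRUSTED_SOURCES):
    """Split alerts into actionable, Informational (to be researched) and suppressed lists."""
    actionable, informational, suppressed = [], [], []
    for a in alerts:
        if a.src in trusted:
            suppressed.append(a)             # ignore alerts from the scanner / load balancer
        elif a.severity == "informational":
            informational.append(a)          # research the source of these separately
        else:
            actionable.append((a, effective_actions(a)))
    return actionable, informational, suppressed

# Constructed sample alerts: scanner traffic, a high-risk TCP and UDP event, and a reconnaissance ping.
SAMPLE = [
    Alert(1000, "tcp", "10.0.5.10", "10.1.1.5", 85, "high", frozenset({"reset-tcp-connection"})),
    Alert(2000, "tcp", "203.0.113.9", "10.1.1.5", 95, "high", frozenset({"reset-tcp-connection"})),
    Alert(3000, "udp", "203.0.113.9", "10.1.1.6", 95, "high", frozenset({"reset-tcp-connection"})),
    Alert(4000, "icmp", "192.0.2.7", "10.1.1.6", 20, "informational", frozenset()),
]

if __name__ == "__main__":
    actionable, informational, suppressed = triage(SAMPLE)
    for a, actions in actionable:
        print(a.sig_id, a.src, "->", a.dst, sorted(actions))
    print("to research:", [a.sig_id for a in informational], "suppressed:", [a.sig_id for a in suppressed])
```

Note that signature 3000 keeps only the drop action: the reset configured on the signature is ignored because the service is UDP.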