IPS Workshop

Stijn Vanveerdeghem, Technical Marketing

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Slide 1

Slide 2

• During this workshop you will explore the world of Intrusion Prevention. We will review some key technologies as well as new exciting features which are changing the way IPS protects your network.

Slide 3

• IPS Basics

• Cisco IPS Product Portfolio

• IPS Deployment Modes

• ASA With Integrated IPS

• Cisco Security Intelligence Operations (SIO)

• Industrial Control Protection

Slide 4: IPS Basics (section divider)

Slide 5

• Compliance mandates

PCI Compliance (Retail); HIPAA (Healthcare); Sarbanes-Oxley/GLBA (Finance); fines for non-compliance

• Require high availability and reliability

Minimize risk of security breach; minimize downtime due to security breach; reduced patch deployment urgency

• Data Loss Prevention

Protection of sensitive or confidential information; tarnished reputation from security compromises

Slide 6

[Chart: number of vulnerabilities reported per year, 1999 through 2010 (y-axis 0 to 50,000). Source: cve.mitre.org]

Slide 7

• Overlap of some functions between these two concepts

• Firewall devices focus on stateful packet filtering and application monitoring

• IPS focuses explicitly on pattern-based and anomaly-based network-driven attack detection amongst other techniques

• While a Firewall device is designed to force network activity to adhere to a security policy, an IPS device looks for patterns that indicate a potential network attack or compromise … similar but conceptually different functions

• Both types of devices can drop traffic and mitigate attacks


Slide 8

Signature Based Detection

TCP Normalization

Anomaly Detection

SIO: The power of Global Correlation and Reputation Filtering

Integration with ASA

Industrial Control Protection, a very special kind of signatures

Slide 9

[Diagram: sensor architecture. Components shown: Virtual Sensor Selection (traffic In/Out), Normalizer Module, Modular Inspection Engines (kept current by Signature Updates and Engine Updates), On-Box Correlation Engine, Risk-Based Policy Control, Mitigation and Alarm, Forensics Capture, and Cisco Security Intelligence Operations supplying GC (Global Correlation) Network Context Information.]

Slide 10

• An IPS signature matches a distinctive characteristic of traffic

• Signatures are associated with an engine

• New signatures are being released and signatures are updated continuously.

• Cisco allows customers to write their own “custom” signatures

Slide 11 (no text extracted)

Slide 12 (no text extracted)

Slide 13

• AIC: provides analysis of web traffic.

• Atomic: combines Layer 3 and Layer 4 attributes (IP and TCP) in one signature.

• Flood: detects ICMP and UDP floods directed at hosts and networks.

• Meta: defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.

• Multi String: inspects Layer 4 transport protocols and payloads by matching several strings for one signature. This engine inspects stream-based TCP and single UDP and ICMP packets.

• Normalizer: configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance.

Slide 14

• Service: deals with specific protocols. Service engine types include FTP, DNS, HTTP and others.

• State: stateful searches of strings in protocols such as SMTP. The State engine now has a hidden configuration file that is used to define the state transitions, so new state definitions can be delivered in a signature update.

• String: searches for regex strings in ICMP, TCP, or UDP traffic. There are three String engines: String ICMP, String TCP, and String UDP.

• Sweep: analyzes sweeps from a single host (ICMP and TCP), from destination ports (TCP and UDP), and multiple ports with RPC requests between two nodes. There are two Sweep engines: Sweep and Sweep Other TCP.

• Traffic Anomaly: inspects TCP, UDP, and other traffic for worms.

• Trojan: analyzes traffic from nonstandard protocols, such as BO2K and TFN2K. There are three Trojan engines: BO2K, TFN2K, and UDP. There are no user-configurable parameters in these engines.

Slide 15

• TCP and IP traffic normalization is an additional function of the inspection of inline traffic.

• The Normalization signature engine operates differently than the other pattern-based signature engines.

• The Normalization signatures are a different animal from the other signature engines. They are not designed to stop specific attacks, but rather to prevent abnormal traffic from passing the sensor, to prevent obfuscation of attacks, and to “back up” the deny actions of other signatures during prolonged attacks.

Slide 16

• With a default inline configuration, an inline IPS device requires bidirectional, sequentially ordered, full-stream TCP data.

• If TCP data is received in only one direction (asymmetric design), the sensor will drop the traffic and disrupt the TCP session.

• If the sensor receives out-of-order TCP data, it queues it and waits for the missing TCP packets. Eventually the queue fills up and the sensor starts dropping the TCP packets in the buffer, disrupting the TCP session.

• If duplicate TCP packets are received by the same virtual sensor (i.e., the virtual sensor sees the same packet twice), it will drop the traffic as out-of-order and disrupt the TCP session.
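These requirements exist because stream signatures are matched against reassembled data, not against individual packets. The following Python model, added here as an illustration and not code from the workshop or from the Cisco IPS normalizer, reassembles one direction of a TCP stream, holds out-of-order segments in a bounded queue, and abandons the session when that queue overflows. The sample request, the `/etc/passwd` signature, the hold limit and the overlap policy are constructed assumptions; the real normalizer is stricter than this toy (the slide notes it also drops on duplicate packets, which this model simply ignores).

```python
import re
from dataclasses import dataclass, field

SIGNATURE = re.compile(rb"/etc/passwd")   # assumed stream signature for the demo


@dataclass(frozen=True)
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamReassembler:
    """Reorders one direction of a TCP stream so inspection sees contiguous bytes.

    Segments that arrive ahead of the expected sequence number are held until the
    gap is filled.  If more than max_hold segments are waiting, the session is
    abandoned (dropped), mirroring the behaviour described for an inline sensor.
    """
    next_seq: int                                   # next byte the stream should deliver
    max_hold: int = 4                               # assumed limit; real sensors bound by bytes/segments
    held: dict = field(default_factory=dict)        # seq -> payload waiting for its gap
    data: bytearray = field(default_factory=bytearray)
    dropped: bool = False

    def feed(self, seg: Segment) -> None:
        if self.dropped:
            return
        end = seg.seq + len(seg.payload)
        if end <= self.next_seq:
            return                                  # retransmission of bytes already delivered
        if seg.seq < self.next_seq:                 # partial overlap: keep only the new tail
            # Assumed policy. A real normalizer must apply one deterministic overlap
            # rule, or an attacker can show the sensor and the host different bytes.
            seg = Segment(self.next_seq, seg.payload[self.next_seq - seg.seq:])
        self.held[seg.seq] = seg.payload
        self._drain()
        if len(self.held) > self.max_hold:
            self.dropped = True                     # queue full: stop waiting for the gap

    def _drain(self) -> None:
        """Move every held segment that now starts at or before next_seq into data."""
        while True:
            ready = [s for s in self.held if s <= self.next_seq]
            if not ready:
                return
            seq = min(ready)
            payload = self.held.pop(seq)
            if seq + len(payload) > self.next_seq:
                self.data += payload[self.next_seq - seq:]
                self.next_seq = seq + len(payload)


def split_stream(data: bytes, isn: int, cuts) -> list:
    """Constructed helper: cut a byte string into segments at the given offsets."""
    segs, prev = [], 0
    for cut in list(cuts) + [len(data)]:
        segs.append(Segment(isn + prev, data[prev:cut]))
        prev = cut
    return segs


def match_per_packet(segments) -> bool:
    """What a packet-at-a-time matcher sees: each segment on its own."""
    return any(SIGNATURE.search(s.payload) for s in segments)


def match_reassembled(segments, isn: int, max_hold: int = 4):
    """What the sensor sees after normalization: True/False, or "dropped"."""
    r = StreamReassembler(next_seq=isn, max_hold=max_hold)
    for s in segments:
        r.feed(s)
    if r.dropped:
        return "dropped"
    return SIGNATURE.search(bytes(r.data)) is not None


# Constructed sample: a directory-traversal request cut inside the string the
# signature looks for, so no single segment contains "/etc/passwd".
ISN = 1000
REQUEST = b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\n\r\n"
IN_ORDER = split_stream(REQUEST, ISN, [24])
OUT_OF_ORDER = IN_ORDER[::-1]                       # second segment arrives first
MISSING_FIRST = split_stream(b"A" * 60, ISN, [10, 20, 30, 40, 50])[1:]   # gap never filled

if __name__ == "__main__":
    print("per-packet, in order:  ", match_per_packet(IN_ORDER))
    print("reassembled, in order: ", match_reassembled(IN_ORDER, ISN))
    print("reassembled, reordered:", match_reassembled(OUT_OF_ORDER, ISN))
    print("gap never filled:      ", match_reassembled(MISSING_FIRST, ISN))
```

Per-packet matching misses the split request whether or not the segments arrive in order, the reassembler catches it either way, and a stream whose first segment never arrives is abandoned once the hold queue is full, which is the "disrupt the TCP session" outcome the slide describes.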

Slide 17

• Identifies worms as they attempt to spread (zero-day detection)

• Detects worm-infected hosts

• Identifies fast-spreading worms like Code Red and SQL Slammer

Slide 18

• AD has 3 modes: Learning Accept, Detect, Inactive.

• Learning Accept Mode: AD’s default mode. It learns (baselines) the sensor’s traffic for a minimum 24-hour period and stores this information in the Knowledge Base (KB).

• Detect Mode: an ongoing (24x7) operation. It references the KB to determine whether an attack is occurring. As it looks for anomalies, it records gradual changes to the KB.

• Inactive Mode: AD has been turned off. If the sensor is running in an asymmetric environment, AD should be inactive.
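A minimal version of the learn-then-detect cycle, added as an illustration and not Cisco's AD implementation: a host that sends unanswered connection attempts to several distinct destinations on one service counts as a scanner, the learning windows record how many scanners each service normally has (the knowledge base here is just that maximum), and detect mode alerts when a window exceeds the baseline. The flow records, the three-destination threshold and all addresses are constructed. The last check shows why AD must be inactive on an asymmetric path: with the reply direction missing, an ordinary client looks like a scanner.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

SCANNER_MIN_DESTINATIONS = 3   # assumed: unanswered attempts to >= 3 distinct hosts = scanner


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    answered: bool   # True if the destination replied (SYN/ACK for TCP, a datagram for UDP)


def scanners(flows):
    """Per service (proto, dport): the hosts probing many unanswered destinations."""
    unanswered = defaultdict(set)                  # (proto, dport, src) -> distinct destinations
    for f in flows:
        if not f.answered:
            unanswered[(f.proto, f.dport, f.src)].add(f.dst)
    found = defaultdict(set)
    for (proto, dport, src), dsts in unanswered.items():
        if len(dsts) >= SCANNER_MIN_DESTINATIONS:
            found[(proto, dport)].add(src)
    return found


def learn(windows):
    """Learning mode: the knowledge base records the most scanners seen per service."""
    kb = defaultdict(int)
    for flows in windows:
        for svc, hosts in scanners(flows).items():
            kb[svc] = max(kb[svc], len(hosts))
    return dict(kb)


def detect(kb, flows):
    """Detect mode: a service with more scanners than its baseline is a worm candidate."""
    return {svc: sorted(hosts)
            for svc, hosts in scanners(flows).items()
            if len(hosts) > kb.get(svc, 0)}


def probes(src, dsts, dport, proto="tcp", answered=False):
    """Constructed helper: one flow from src to each destination."""
    return [Flow(src, d, proto, dport, answered) for d in dsts]


def one_direction_only(flows):
    """Constructed: what the sensor sees on an asymmetric path where replies never arrive."""
    return [replace(f, answered=False) for f in flows]


# Constructed traffic. 10.0.0.5 is a normal client of three web servers; 10.0.0.9 is a
# monitoring box that sweeps SSH on unused addresses and is present during learning.
WEB = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
NORMAL = probes("10.0.0.5", WEB, 80, answered=True)
SSH_SWEEP = probes("10.0.0.9", ["10.0.1.1", "10.0.1.2", "10.0.1.3"], 22)
LEARN_WINDOWS = [NORMAL + SSH_SWEEP, NORMAL]
KB = learn(LEARN_WINDOWS)                          # {("tcp", 22): 1}

# Three infected hosts each probing five neighbours on tcp/445 with no answers.
WORM = [f for i, host in enumerate(["10.0.0.21", "10.0.0.22", "10.0.0.23"], start=2)
        for f in probes(host, [f"10.0.{i}.{j}" for j in range(1, 6)], 445)]

if __name__ == "__main__":
    print("baseline:       ", KB)
    print("normal window:  ", detect(KB, NORMAL))
    print("known sweeper:  ", detect(KB, SSH_SWEEP))
    print("worm outbreak:  ", detect(KB, NORMAL + WORM))
    print("asymmetric path:", detect(KB, one_direction_only(NORMAL)))
```

The sweeper seen during learning is part of the baseline and does not alert later; the three hosts hammering tcp/445 exceed a baseline of zero for that service and are reported as the infected set; and the same client traffic that is silent when both directions are visible produces a false worm alert once the replies are stripped.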


Slide 19

• Available in 7.x and higher

• Identifies devices with a reputation of malicious activity

• Updates sensors with these device IP addresses

• Denies or allows traffic based on the device’s source IP address

• The IPS sends data back to the GC database to keep updates current

• Traffic dropped by Reputation Filtering is dropped before signature inspection by the IPS


Slide 20

• The virtual-sensor is the component that is mapped to any sensing interface(s) that should pass traffic received on the interface up for inspection. In other words, the virtual-sensor is the structure that connects the physical Ethernet interfaces and the software performing traffic inspection.

• Each virtual-sensor has a unique name and a list of physical sensing interfaces and/or logical interfaces (inline interface pairs, inline VLAN pairs, or VLAN groups) associated with it.

• Each virtual-sensor is associated with specific signature definition, event action rules, and anomaly detection policies.

• Up to 4 virtual sensors are supported.

Slide 21

[Diagram: one sensor hosting three virtual sensors, VS0, VS1 and VS2, each monitoring a different network (Network A, Network B, Network C); an attacker on the Internet.]

Slide 22: Cisco IPS Product Portfolio (section divider)

Slide 23

Performance to Meet Growing Needs

[Chart: platforms positioned by organization size, small to large.]

• ISR: IOS IPS, IPS NME

• Catalyst 6500: IDSM2, Catalyst 6500 IDSM2 bundle

• IPS 4200 Series: IPS 4240, IPS 4255, IPS 4260, IPS 4270

• ASA 5500 Series: ASA5510-AIP10, ASA5510-AIP20, ASA5520-AIP10, ASA5520-AIP20, ASA5520-AIP40, ASA5540-AIP20, ASA5540-AIP40, ASA5585-P10S10, ASA5585-P20S20, ASA5585-P40S40, ASA5585-P60S60

Slide 24: IPS Deployment Modes (section divider)

Slide 25

1. Promiscuous Interface

2. Promiscuous Vlan Groups

3. Inline Interface Pairs

4. Inline Vlan Pairs

5. Module - Parent Chassis Designated

Slide 26

• Promiscuous Mode designs send only COPIES of packets to the sensor as the traffic goes by. The original packet is still delivered to the host.

• Variety of mechanisms exist to do this:

1) Ethernet Hub

2) Ethernet Switch doing port mirroring (i.e., SPAN in Cisco Catalyst terminology)

3) Ethernet Taps (third-party solution)


Slide 27

[Diagram: promiscuous deployment via SPAN. Traffic flows through an Ethernet switch; the SPAN source ports (or source VLAN) are mirrored to the SPAN destination port, which connects to the sensor’s promiscuous interface.]

Slide 28

• Interface itself assigned to a virtual sensor

• All traffic monitored by the same virtual sensor

• Separate device must send copies of the packets

– Span (or monitor) from a switch

– VACL Capture from a Cat 6500 switch

– Network Taps

• Packets discarded after analysis

• Detection, not prevention

Slide 29

• Interface is divided into subinterfaces

• Subinterface type is vlan-group

• 2 Types

1. Range – comma delimited list of vlan ranges: 5,10-15,20,22-25

2. Unassigned – all remaining vlans

• Packets must be tagged with 802.1q headers

• Client and Server packets must be tagged with same 802.1q headers

• Assign vlan-groups to different virtual sensors.

Slide 30

[Diagram: inline interface pair data flow. Transparent interfaces: no MAC or IP address (the sensor is a Layer 2 bridge). The sensor sits between two physical devices or between two VLANs on a switch.]

Note: If placed between two VLANs on a switch in standard inline mode, the switch ports connecting to the sensing interfaces need to be access ports with different access VLANs.

Slide 31

• 2 Interfaces Paired together

• Interface Pair assigned to a virtual sensor

• All traffic monitored by the same virtual sensor

• Traffic passes Through the sensor

• Good traffic passed through

• Bad traffic Denied

Slide 32

• Also known as Inline On A Stick

• Interface is divided into subinterfaces

• Subinterface type is inline-vlan-pair

• 2 vlans Paired together on a 802.1q trunk port

• 250 vlan pairs per interface

• Inline Vlan Pair Subinterface assigned to virtual sensor

Slide 33

• ASA AIP-SSM and AIP-SSP: the ASA configuration determines the monitoring method

– ACL created in the ASA config to match traffic

– Class created from the ACL (can be identity based)

– Policy created; each class can have a different IPS policy: promiscuous, inline, or no IPS policy, and designates the virtual sensor

– A special packet header is added to designate the mode and virtual sensor

• AIM-IPS and NME-IPS: the ISR router configuration determines the monitoring method

– “ids-service-module-monitoring promiscuous|inline” configured per interface

– Same mode for all monitored interfaces

– An ACL can limit the packets being monitored

Slide 34: ASA With Integrated IPS (section divider)

Slide 35

[Chart: Cisco ASA 5500 Series positioned by deployment (Teleworker, Branch Office, Internet Edge, Campus, Data Center): ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580-20, ASA 5580-40, and the new ASA 5585-S10P10, ASA 5585-S20P20, ASA 5585-S40P40 and ASA 5585-S60P60. Legend: Multi-Service (Firewall, IPS, VPN) versus Firewall and VPN. Caption: Cisco ASA 5585 Series extends the market-leading ASA 5500 Series multi-service family to the data center.]

Slide 36

• Security Service Processors: multi-services capable; dedicated 64-bit multi-core processors; parallel multi-threaded packet processing; scalable to larger numbers of CPUs/cores

• 2 RU chassis: 2 x full-slot modules; eUSB 2 GB internal; redundant hot-swappable power supply units; front-to-back air flow

• GE ports: up to 8 x 10G SFP+ with OIR support; up to 16 x 1GbE Cu; SFP/SFP+ slots on all modules

• Regex accelerator: high-speed inspection

Slide 37 (no text extracted)

Slide 38

1. Traffic enters the adaptive security appliance.

2. Firewall policies are applied (e.g. ACLs, NAT).

3. Traffic is sent to the AIP-SSM/SSP over the backplane. Depending on the AIP-SSM/SSP operating mode (inline or promiscuous), only a copy of the traffic is sent up in promiscuous mode.

4. The AIP-SSM/SSP applies its security policy to the traffic and takes the appropriate actions.

5. Valid traffic is sent back to the adaptive security appliance over the backplane; in inline mode the AIP-SSM/SSP might block some traffic according to its security policy, and that traffic is not passed on.

6. VPN policies are applied (if configured).

7. Traffic exits the adaptive security appliance.

Slide 39 (no text extracted)

Slide 40 (fields “Who:” and “What To Do:” with no text extracted)

Slide 41: Cisco Security Intelligence Operations (SIO) (section divider)

Slide 42

Gartner

Slide 43

[Diagram: context about an attacker behind a stream of bits: domain owner information; server hosted in China; domain registered two days ago; dynamic IP address. Questions: How? Who? Where? When? What?]

Slide 44

SensorBase, Threat Operations Center, Dynamic Updates

• 4 TB of data received per day

• 35% of worldwide traffic

• $100M spent in dynamic research and development

• 500 engineers, technicians and researchers

• 8M rule updates

• 6,500+ signatures

Slide 45

Fast, Accurate Protection

[Diagram: threat telemetry flows between Cisco SIO and deployed products: Cisco AnyConnect (any device, anywhere), Email and Web security, and Firewall/IPS at the Corporate Headquarters, Branch Office and ISP Datacenter.]

Slide 46

[Diagram: evolution of attacks against the corporate office, from easily detected to difficult to detect. Early: OS and network attacks and DoS by isolated independent hackers with hand-crafted exploits, motivated by fame and glory. Then worms (Code Red, Slammer) using network evasions and polymorphic code, and botnets (Conficker) driven by an organized hacker marketplace that keeps updating automated exploit tools, with a profit or espionage motive. Now: covert, sponsored targeted attacks (Aurora, Stuxnet).]

Slide 47

Innovations in Threat Management

[Diagram: attackers send attacks toward the Data Center, Perimeter and Campus; the IPS applies Signature Technology, Traffic Cleansing, Global Correlation Inspection and the Reputation Filter, fed by Cisco SIO.]

Slide 48

Innovations in Threat Management

[Diagram: as on the previous slide, highlighting Signature Technology and Traffic Cleansing, fed by Cisco SIO.]

Slide 49

[Diagram: Traffic Cleansing followed by Signature Analysis. An obfuscated request, GET http://…U/*Con*/NI/*fused*/ON, is cleansed to GET http://…UNION before the signature is applied.]
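A small Python model of the cleansing step shown on this slide, added here as an illustration and not Cisco's normalizer: the request URI is percent-decoded a bounded number of times (attackers double-encode), SQL comments are removed as the slide depicts, and only then is the signature applied. The MySQL `/*! ... */` executable-comment form keeps its body, because the database does execute it. The signature, the sample requests and the round limit are constructed assumptions; since comment removal can make keywords abut, the signature tolerates zero whitespace between them.

```python
import re
from urllib.parse import unquote

# Assumed signature: a UNION-based SQL injection attempt in a request URI.
SIGNATURE = re.compile(r"UNION\s*(?:ALL\s*)?SELECT", re.IGNORECASE)

EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)   # MySQL executes the body
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)         # ordinary comment: discarded
MAX_DECODE_ROUNDS = 3                                       # assumed bound on nested encoding


def cleanse(uri: str) -> str:
    """Canonicalize a request URI before matching: the slide's Traffic Cleansing step."""
    s = uri
    for _ in range(MAX_DECODE_ROUNDS):      # %2555NION -> %55NION -> UNION
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = EXEC_COMMENT.sub(r"\1", s)          # /*!50000UNION*/ -> UNION
    s = PLAIN_COMMENT.sub("", s)            # U/*Con*/NI/*fused*/ON -> UNION
    return re.sub(r"\s+", " ", s)


def inspect(uri: str) -> dict:
    """Compare a naive match on the raw URI with a match after cleansing."""
    return {"raw": SIGNATURE.search(uri) is not None,
            "cleansed": SIGNATURE.search(cleanse(uri)) is not None}


# Constructed requests, not captured traffic.
SAMPLES = {
    "comment_split":  "/search?q=' U/*Con*/NI/*fused*/ON SELECT user,pass FROM users--",
    "exec_comment":   "/item?id=1 /*!50000UNION*/ /*!SELECT*/ 1,2,3",
    "double_encoded": "/item?id=1%2520%2555NION%2520SELECT%25201",
    "benign":         "/blog/labour-union-elections",
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        result = inspect(uri)
        print(f"{name:15} raw={result['raw']!s:5} cleansed={result['cleansed']}")
```

All three obfuscated requests evade the signature when it is applied to the raw URI and are caught after cleansing; the benign URL matches in neither case. Keeping the body of executable comments is the detail that matters most: a normalizer that strips `/*!50000UNION*/` outright would remove the very keyword the database will run.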

Slide 50

Attackers are Just as Important as Attacks

Slide 51

Efficacy of Global Correlation in IPS

• Faster than signature technology

• 2x the efficacy of signatures alone

• Real-time updates

• Effective botnet detection

[Chart: average results from live data, Global Correlation versus Local Inspection.]

Slide 52

Innovations in Threat Management

• Traffic Cleansing and Signature Inspection: identify known behaviors

• Global Inspection: increase the Risk Rating for known bad actors

• Decision Engine: Block, Alert, Permit, Limit

• IPS Reputation Filters: block the worst global attackers
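The stages on this slide as an added Python illustration, not the sensor's real decision logic: the reputation filter drops the worst global sources before any signature runs, signature inspection produces an event with a local risk rating, global inspection raises that rating for sources with bad reputation, and the decision engine turns the result into a verdict. The reputation feed, the 0..100 rating scale, the -10..0 reputation scale, the adjustment weight and the thresholds are all constructed assumptions, not Cisco's values; the point is that the same "grey" signature gets different verdicts depending on who sent it.

```python
from dataclasses import dataclass

# Constructed reputation feed: score -10 (worst) .. 0 (no history). Assumed scale.
REPUTATION = {
    "203.0.113.7": -9.5,     # long history of botnet activity, heavily compromised network
    "198.51.100.22": -4.0,   # some history of web attacks
}
REPUTATION_FILTER_AT = -8.0   # assumed: at or below this, drop before inspection
RISK_ADJUST_PER_POINT = 4     # assumed: each reputation point below 0 adds 4 to the rating
DENY_AT, ALERT_AT = 90, 50    # assumed verdict thresholds on the 0..100 risk rating


@dataclass(frozen=True)
class Event:
    src: str
    signature: str
    local_risk: int   # risk rating from local signature inspection, 0..100


def reputation(src: str) -> float:
    return REPUTATION.get(src, 0.0)


def reputation_filter(src: str) -> bool:
    """Stage 1: block the worst global attackers before signature inspection."""
    return reputation(src) <= REPUTATION_FILTER_AT


def correlated_risk(ev: Event) -> int:
    """Stage 2: global inspection raises the risk rating for known bad actors."""
    adjustment = int(round(-reputation(ev.src) * RISK_ADJUST_PER_POINT))
    return min(100, ev.local_risk + adjustment)


def decide(ev: Event) -> tuple:
    """Stage 3: decision engine. Returns (action, risk_rating, stage)."""
    if reputation_filter(ev.src):
        return ("deny", None, "reputation-filter")   # never reaches the engines
    rr = correlated_risk(ev)
    if rr >= DENY_AT:
        action = "deny"
    elif rr >= ALERT_AT:
        action = "alert"
    else:
        action = "permit"
    return (action, rr, "inspection")


# Constructed events: the same "grey" SMB signature from three different sources.
GREY = "SMB grey signature"
EVENTS = [
    Event("192.0.2.10", GREY, 75),       # unknown source: alert only
    Event("198.51.100.22", GREY, 75),    # bad reputation lifts 75 -> 91: deny
    Event("203.0.113.7", GREY, 75),      # worst offender: dropped before inspection
    Event("192.0.2.10", "low-severity informational", 20),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.src:15} {ev.signature:28} -> {decide(ev)}")
```

Rate limiting (the slide's "Limit" action) would be one more branch between alert and deny; it is left out to keep the verdict logic readable. The rating is clamped at 100 so a bad reputation can push a high local rating to the ceiling but no further.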

Slide 53

The Challenge of Traditional Signature-Based IPS

What signatures find: SQL command fragments in web traffic. What? How? Who? Where? remain unanswered. Verdict: UNKNOWN.

Slide 54

Powered by Global Correlation

What signatures find: SQL command fragments in web traffic. Context answering How? Who? Where?: first HTTP connection; dynamic IP address; dynamic DNS; history of web attacks; within a heavily compromised .asia network; history of botnet activity. Verdict: BLOCK. Clean sources only.

Slide 55

Understand the attackers for better security, not just the attack. The same “grey” SMB signature firing, with more context about the attacker, gives better verdicts.

Slide 56: Industrial Control Protection (section divider)

Slide 57

• Known Industry List of Industrial Control Vulnerabilities

Slide 58

• Stuxnet

• Illinois Water Utility “hack”

• Increasing concern over the vulnerability of critical infrastructure

Slide 59

[Diagram: Purdue Reference Model (ISA-95 / ISA-99) zones, with attack paths shown for Modbus and a Root Kit:

• Level 5 and Level 4, Enterprise Zone: Enterprise Network; Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)

• DMZ, between two firewalls: Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server; Web, E-Mail and CIP traffic

• Level 3, Manufacturing Zone, Site Manufacturing Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller, FactoryTalk Client, Operator Interface

• Level 2, Cell/Area Zone, Area Supervisory Control: FactoryTalk Client, Engineering Workstation, Operator Interface

• Level 1, Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control

• Level 0, Process: Sensors, Drives, Actuators, Robots]

Slide 60

Cisco ICP Provides Cost Effective Protection

• Minimize risk of unplanned outages due to cyber attack

• Significant cost savings through batching of patch roll-out to the field

[Decision tree: New vulnerability. Patch available? N (typical): remain vulnerable. Y (rare): roll out patch to the field ASAP? N: remain vulnerable. Y: cost/time/effort and risk of outage.]

Slide 61

• Special class of Industrial Control signatures

• Delivered within the normal weekly signature updates

• Separate license for use based on platform

Thank you.

Slide 64

A global policy-map is configured on the ASA to send traffic from all users, except users in the “SecOps” and “NetOps” groups, to the IPS in inline mode. Traffic from SecOps/NetOps should not be inspected by the IPS.

Verify that non-SecOps/NetOps users cannot access the http://www.threatdlabs.test/admin page, while they can still access any internet website as well as the company website at http://www.threatdlabs.test. A custom signature was written to achieve this.