Intrusion Detection and Intrusion Prevention Systems (IDS/IPS)
In Chapter 1, "Overview of Network Security Technologies," you learned the basics about IDS and IPS systems. IDSs are devices that in promiscuous mode detect malicious activity within the network. IPS devices are capable of detecting all these security threats; however, they are also able to drop noncompliant packets inline. Traditionally, IDS systems have provided excellent application layer attack-detection capabilities; however, they were not able to protect against day-zero attacks using valid packets. The problem is that most attacks today use valid packets. On the other hand, now IPS systems such as the Cisco IPS software Version 6.x and later offer anomaly-based capabilities that help you detect such attacks. This is a big advantage, since it makes the IPS devices less dependent on signature updates for protection against DDoS, worms, and any day-zero threats. Just like any other anomaly detection systems, the sensors need to learn what is "normal." In other words, they need to create a baseline of legitimate behavior.
The Importance of Signatures Updates
Traditionally, IPS and IDS systems depend on signatures to operate. Because of this, it is extremely important to tune the IPS/IDS device accordingly and to develop policies and procedures to continuously update the signatures. The Cisco IPS software allows you to automatically download signatures from a management station. Signature updates are posted to Cisco.com almost on a weekly basis. In Chapter 2, you learned about the Cisco Security Center (historically named mySDN or my Self Defending Network). This is an excellent resource to obtain information about the latest IPS signatures and other security intelligence information.
The Cisco IPS Device Manager (IDM) is a web-based configuration utility used to manage individual IPS sensors, Catalyst 6500 IPS modules, and the Advanced Inspection and Prevention Security Services Module (AIP-SSM) for the Cisco ASA. You can configure the IPS device via IDM to automatically obtain and install signatures from an FTP or SCP server.
Complete the following steps to configure IDM to automatically download signatures from your FTP or SCP server.
- Step 1 Log in to IDM with an administrator account and navigate to Configuration > Auto Update.
- Step 2 Select the Enable Auto Update check box.
- Step 3 Enter the IP address of the remote server where the signature update or service packs are saved.
- Step 4 Select either FTP or SCP for your transport mechanism/server type.
- Step 5 Enter the path to the directory on the remote server where the updates are located in the Directory Path.
- Step 6 Enter the username and password of the account in your FTP or SCP server.
- Step 7 You can configure the IPS device to check for updates hourly or on a weekly basis. If you want your IPS device to check for updates hourly, check the Hourly check box. Then enter the time you want the updates to start and the hour interval at which you want the IPS device to contact your remote server for updates. The IPS sensor checks the directory you specified for new files in your server. Only one update is installed per cycle even if there are multiple available files.
- Step 8 Check the Daily check box if you want the IPS device to automatically check for updates on a daily basis. Then enter the time you want the updates to start and check the days you want the IPS device to check for updates in your SCP or FTP server.
- Step 9 To save and apply your configuration, click Apply.
The Importance of Tuning
Chapter 1 showed you the important factors to consider when tuning your IPS/IDS devices. Each IPS/IDS device comes with a preset number of signatures enabled. These signatures are suitable in most cases; however, it is important that you tune your IPS/IDS devices when you first deploy them and then tune them again periodically. You could receive numerous false positive events (false alarms), which could cause you to overlook real security incidents. The initial tuning will probably take more time than any subsequent tuning. The initial tuning process is hard to perform manually, especially in large environments where several IPS/IDS devices are deployed and hundreds of events are generated in short periods. This is why it is important to use event correlation systems to alleviate this process and save numerous hours. CS-MARS is used in the following example to perform initial tuning and event analysis.
In this example, several IPS devices are sending their events to a CS-MARS. The administrator completes the following steps to perform initial tuning:
- Step 1 Log in to the CS-MARS via the web interface.
- Step 2 Click Query/Reports tab.
- Step 3 Select the Activity: All–Top Event Types (Peak View) option from the second pull-down menu under the Load Report as On-Demand Query with Filter section, as shown in Figure 3-14.
Figure 3-14 CS-MARS Query/Reports
- Step 4 Click the Edit button to select the time interval for the query and enter 1 day under the Filter by time section to trigger the CS-MARS to display the top event types in the past 24 hours, as shown in Figure 3-15.
Figure 3-15 Selecting the Query Time Interval
- Step 5 Click Apply and Submit Inline in the next screen to obtain the report. The report in Figure 3-16 is shown. In this report, the administrator notices that there have been more than 480 ARP Reply-to-Broadcast events detected in the past 24 hours.
Figure 3-16 Top Event Types
- Step 6 Click the event to obtain more information and read the following from the CS-MARS details screen: "This signature detects an ARP Reply packet where the destination MAC address in the ARP payload is a layer 2 broadcast address. This is not normal traffic and can indicate an ARP poisoning attack."
- Step 7 Click q by the event and select Source IP Address Ranking under the Result format section to investigate the source, as shown in Figure 3-17.
Figure 3-17 Verifying Sources
- Step 8 Click Apply and Submit Inline in the following screen to obtain the new report, including the source IP addresses for the ARP Reply-to-Broadcast events. The report is shown as illustrated in Figure 3-18.
Figure 3-18 IP Sources Report
Anomaly Detection Within Cisco IPS Devices
When you configure a Cisco IPS device running Versions 6.x and later with anomaly detection services, the IPS device initially goes through a learning process. This is done to configure a set of policy thresholds based on the normal behavior of your network. Three different modes of operation take place when an IPS device is configured with anomaly detection:
- Learning mode
- Detect mode
- Inactive mode
The initial learning mode is performed over a period of 24 hours, by default. The initial baseline is referred to as the knowledge base (KB) of your traffic.
To configure the IPS sensor using IDM to start the learning mode, go to Configuration > Policies > Anomaly Detections > ad0 > Learning Accept Mode and select the Automatically accept learning knowledge base check box. In that section, you can also specify the learning period length.
After the learning process, a KB is created that replaces the initial KB. The IPS device then automatically goes into detect mode. Any traffic flows that violate thresholds in the KB trigger the IPS device to generate alerts. The IPS device also keeps track of gradual changes to the KB that do not violate the thresholds and adjusts its configuration.
You can turn off the anomaly detection functionality on your IPS device. This is called being in inactive mode. In certain circumstances, this is needed. An example is when you have an asymmetric environment and the IPS device gets traffic from different directions, causing it to operate incorrectly.
Similarly to the Cisco TAD XT, the anomaly detection feature in Cisco IPS devices uses zones. The purpose of configuring zones is to make sure that you do not have false positives and false negatives. A zone is a set of destination IP addresses. Three different zones exist:
- Internal: You configure this zone with the IP address range of your internal network.
- Illegal: You configure this zone with IP address ranges that should never be seen in normal traffic. Here you should use unallocated IP addresses or bogon IP addresses.
- External: This is the default zone. By default, it has the Internet range of 0.0.0.0-255.255.255.255.
To configure the Internal zone in your IPS device using IDM, complete the following steps:
- Step 1 Navigate to Configuration > Policies > Anomaly Detections > ad0 > Internal Zone. The Internal Zone tab appears.
- Step 2 Click the General tab.
- Step 3 Select the Enable the Internal Zone check box.
- Step 4 Enter your internal subnets/IP address range in the Service Subnets field. IDM also allows you to configure protocol and other specific thresholds.