Cisco Security Agent and Network IDS/IPS
Erik Lenten, Technical Marketing Engineer
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Page 1: Cisco Security Agent and Network IDS/IPS

Page 2: Session objectives

- Give an overview of Cisco IDS and IPS technologies
- Give an overview of how to deploy IDS and IPS
- Explain key features that can help during a deployment

Page 3: IPS Terminology: The Marketing of IPS/IDS

- IDS (Intrusion Detection System): typically limited to promiscuous sensors (out of the packet stream)
- IPS (Intrusion Prevention/Protection System): the term most commonly applied to a sensor that sits inline (in the packet stream) and can drop malicious packets, flows or attackers
- IDP (Intrusion Detection and Prevention): marketing term coined by a vendor for product differentiation

Page 4: Network IPS vs. Host-based IPS

Network IPS:
- Signature based (so frequent updates)
- Good description of the attack
- More difficult to detect/prevent day-zero attacks

Host-based IPS:
- Behavior based (less frequent policy updates)
- Not always a good description of the attack
- Excellent protection against day-zero attacks
- Can also be used for data leakage, compliance management and others

Page 5: Network IPS Terminology: What Is IPS? (Cont.)

- “Identical to a wire” is the closest analogy
- Inline interfaces have no MAC or IP address and cannot be detected directly
- Network IPS passes all packets without directly participating in any communications, including spanning tree (but spanning tree packets are passed)
- Default behavior is to pass all packets even if unknown (i.e. IPX, AppleTalk, etc.) unless specifically denied by policy or detection
- IPS closely resembles a Layer 2 bridge or repeater

[Diagram: a client and a server exchange ARP and ARP reply through the inline sensor]

Page 6: IDS/IPS devices within Cisco’s portfolio

- Cisco IPS 4200 Series Sensor
- Cisco Catalyst Switch with IPS blade
- Cisco Router with IPS software
- Cisco ASA 5500 Series with AIP module

Page 7: Network IDS/IPS Components

Network-based sensors:
- Specialized software and/or hardware used to collect and analyze network traffic (either in IPS or IDS mode: inline or promiscuous)
- Appliances, modules, or embedded in network infrastructure (either inline or promiscuous)

Security management and monitoring:
- Performs configuration and deployment services (Cisco Security Manager)
- Performs alert collection, aggregation, and correlation (CS-MARS)

Page 8: False Positives Defined

“False positive” is the term most commonly used to indicate an event that was incorrectly reported; it is typically mistakenly applied to a broad group of possible results:

- False positive: a correctly named false positive is one where the sensor has triggered an alert based on a flawed algorithm or an analysis error; normally a fairly rare event
- Benign trigger: the case where a sensor has correctly interpreted network traffic as an attack, but the intentions behind the traffic were not malicious; potentially common
- False alarm (or noise): the case where a sensor has correctly detected that an event has occurred, but the event is non-threatening, not applicable to the site being monitored, or was not successful; very likely labeled as a false positive, very common

“False negative” is the term used to describe when an IPS misses a real attack or event

Page 9: How to fix the ‘false positive’ issue

- Sensor placement (knowing your network)
- Cool Cisco features ;-)
- Smart management systems

Page 10: IPS/IDS Deployment: What Areas of the Network Are Candidates?

[Diagram: corporate network with the candidate areas marked]
- Business partner access / extranet connections
- Internet connections
- Remote access systems
- Remote/branch office connectivity
- Data center
- Management network

Page 11: Flexibility in Deploying IDS/IPS: Comprehensive Deployment Options

Hybrid IDS and IPS: services allow a single device to be deployed in IDS mode and IPS mode simultaneously

[Diagram: an attacker on the Internet; sensors deployed in IPS mode in front of the public services segment, the main campus, and the service provider, partner, or branch office network]

Page 12: Coming soon: Virtualized Policies (IPS 6.0)

- Flexible context definitions: ability to define virtualized contexts based on physical interface and VLAN groupings
- Assignment of custom signature/policy settings and response actions to each virtualized context
- Virtual policy mapping between ASA and AIP

[Diagram: customized policy per virtual context. VLAN 1 to VLAN 4 are grouped into Virtualized Context 1 and Virtualized Context 2 (policy based on VLAN groupings); Virtualized Policy 1 covers interfaces 1 + 2 and Virtualized Policy 2 covers interfaces 3 + 4 (policy based on interface groupings)]

Page 13: Process for Accurate Threat Mitigation: Rating Alarms for Threat Context

[Diagram, built up over pages 13 to 17: Event Severity + Asset Value of Target + Signature Fidelity + Attack Relevancy = RR (Risk Rating)]

Rating the risk allows users to confidently eliminate malicious packets without dropping valid traffic

Page 14: Event Severity: the alert severity defined for the signature

Page 15: Signature Fidelity: the signature fidelity rating delivers a confidence rating of the signature’s accuracy

Page 16: Asset Value of Target: delivering greater insight into the relative criticality of target systems through asset value designation

Page 17: Risk Rating thresholds: customizable risk rating thresholds allow multiple automated event actions for each alarm

Page 18: Attack Relevancy Defined: OS Identification (coming in IPS 6.0)

[Diagram: OS identification table with the columns IP address of endpoint, virtual context where the system was discovered, and learned OS of the target system]

Page 19: IPS Version 6.0 Anomaly Detection / Network Behavioral Analysis

- Anomaly detection algorithms to detect and stop day-zero threats
- False alarm reduction by learning behavior that is specific to network zones
- Auto-learning with dynamic adjustment of AD thresholds
- Increased accuracy through on-box event correlation

[Diagram: the Internet and Internal Zones 1, 2 and 3; an infected host and “illegal” IP addresses are flagged against the learned behavior of each zone]
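The per-zone learning and dynamic threshold adjustment described on this page, as an added Python example (not Cisco’s anomaly detection code): a zone learns a scan threshold from clean traffic windows, flags sources outside its prefix as illegal addresses and hosts whose fan-out exceeds the threshold as scanners, then re-learns only from the hosts that did not alert. The sigma margin, the EMA weight, and every flow record are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass
class Zone:
    """One network zone with its own learned baseline (per-zone learning)."""
    name: str
    prefixes: list            # ip_network objects that may legitimately source traffic here
    margin: float = 3.0       # sigma multiplier above the learned mean (assumed)
    alpha: float = 0.3        # EMA weight for dynamic threshold adjustment (assumed)
    threshold: float = 0.0


def fanout(flows):
    """Distinct destinations contacted by each source within one time window."""
    seen = defaultdict(set)
    for src, dst, _port in flows:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def learn(zone, windows):
    """Learning mode: derive the zone's scan threshold from clean traffic windows."""
    counts = [n for window in windows for n in fanout(window).values()]
    zone.threshold = mean(counts) + zone.margin * pstdev(counts)
    return zone.threshold


def detect(zone, flows):
    """Detect mode: flag illegal sources and scanners, then re-learn from the rest."""
    counts = fanout(flows)
    alerts = []
    for src, n in counts.items():
        if not any(ip_address(src) in net for net in zone.prefixes):
            alerts.append((src, "illegal source address for zone"))
        elif n > zone.threshold:
            alerts.append((src, f"scanner: {n} destinations > {zone.threshold:.1f}"))
    # Dynamic adjustment: only hosts that did not alert feed the updated baseline,
    # so an infected host cannot drag the threshold up and hide behind it.
    flagged = {src for src, _ in alerts}
    normal = [n for src, n in counts.items() if src not in flagged]
    if len(normal) > 1:
        fresh = mean(normal) + zone.margin * pstdev(normal)
        zone.threshold = (1 - zone.alpha) * zone.threshold + zone.alpha * fresh
    return alerts


def make_flows(src, n_dst, port=445):
    """Constructed flows: src talks to n_dst distinct hosts in 10.1.5.0/24 on one port."""
    return [(src, f"10.1.5.{i + 1}", port) for i in range(n_dst)]


# Constructed clean learning windows for Internal Zone 1: each host talks to 2-4 servers
CLEAN_WINDOWS = [
    make_flows("10.1.0.1", 2) + make_flows("10.1.0.2", 3) + make_flows("10.1.0.3", 2)
    + make_flows("10.1.0.4", 4) + make_flows("10.1.0.5", 3),
    make_flows("10.1.0.1", 3) + make_flows("10.1.0.2", 2) + make_flows("10.1.0.3", 3)
    + make_flows("10.1.0.4", 2) + make_flows("10.1.0.5", 4),
]
# Constructed detection window: one infected host fans out to 40 servers and a
# source from outside the zone's prefix shows up (the "illegal" IP address case)
ATTACK_WINDOW = (make_flows("10.1.0.1", 3) + make_flows("10.1.0.2", 2)
                 + make_flows("10.1.0.50", 40) + make_flows("192.168.9.9", 1))


def demo():
    """Learn on clean windows, then detect on the attack window; returns the evidence."""
    zone = Zone("Internal Zone 1", [ip_network("10.1.0.0/16")])
    learned = learn(zone, CLEAN_WINDOWS)
    alerts = detect(zone, ATTACK_WINDOW)
    return learned, alerts, zone.threshold


if __name__ == "__main__":
    learned, alerts, adjusted = demo()
    print(f"learned threshold {learned:.2f}, adjusted to {adjusted:.2f}")
    for src, why in alerts:
        print(f"ALERT {src}: {why}")
```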

Page 20: Smart Management: Filter per category in CSM

Page 21: Smart management: CS-MARS

- Leverage YOUR existing investment to build “pervasive security”
- Correlate data from across the enterprise: NIDS, firewalls, routers, switches, CSA; Syslog, SNMP, RDEP, SDEE, NetFlow, endpoint event logs
- Rapidly locate and mitigate attacks

Key features:
- Determines security incidents based on device messages, events, and “sessions”
- Incidents are topologically aware for visualization and replay
- Mitigation on L2 ports and L3 chokepoints
- Efficiently scales for real-time use across the enterprise

Page 22: MARS and reducing false positives

How:
- Network-based correlation
- Manual definition of applications on hosts
- Built-in Nessus
- Integration with VA (vulnerability assessment) tools
- Discovery: SNMP read, login, host scan

Page 23: You got an alarm… now what?

Page 24: Logging: Session Capture

- Logs traffic associated with a signature trigger (in PCAP format)
- Generally, only the trigger and subsequent packets are logged
- Does impact sensor performance

Usage guidelines:
- Tuning: use during sensor tuning for event analysis and subsequent signature tweaking
- Forensics: useful to monitor “critical” signatures/resources
- Handy tip: use with a custom signature to monitor a specific service/server/user
- Do not log unless you know what you plan to use the log for

Page 25: Signature Updates

- Much like anti-virus, network IPSs must be kept up to date
- Cisco has a new home for security information including IPS signatures: tools.cisco.com/MySDN/Intelligence/home.x
- Cisco has developed a new partnership with Trend Micro to provide enhanced virus and worm coverage as part of the normal IPS signature updates


Page 27: Cisco-Trend ICS Service

[Chart: fidelity of signature (low to high) against typical response time]
- Cisco ICS (OPACL): 15 min.
- Cisco ICS (OPSig): 90 min.
- Cisco Services for IPS (Multi-Sig Database): 4–6+ hrs.
- Other competitive solutions

Premium service: unmatched response times, outbreak-focused coverage
Standard service: standard response times, broad vulnerability-based coverage

Page 28: Cisco-Trend ICS Service

[Diagram: a Cisco ICS server in the enterprise network pushing mitigation to Cisco switches, Cisco IPS 4200 Series sensors, Cisco Catalyst switches with IPS blade, Cisco routers with IPS software, and Cisco ASA 5500 Series with AIP module]

- Outbreak intelligence: TrendLabs’ worldwide real-time monitoring and signature development infrastructure
- Policy control: the Cisco ICS server administers and delivers virus and worm related solutions
- Mitigation measures: broad near-real-time (15 min.) ACL; high-fidelity (90 min.) signature
- Line of defense: broad set of Cisco devices that can become rapid-response mitigation nodes

Page 29: IOS IPS routers: distributed IPS mitigation

- Enables a new concept: distributed, inline IPS for new levels of threat defense
- Central SDF file management

[Diagram: Internet and service provider connecting an enterprise with IOS IPS routers at every site: corporate office (Cisco 7x00), regional office (Cisco 2800/3800), small division (Cisco 1800/2800), branch/retail (Cisco 1800), small business / small satellite office (Cisco 870), telecommuter (Cisco 850)]

Page 30: Full Control of IPS Signature Tuning

- Do not attempt to load all supported signatures on a single router
- IOS IPS is designed as a distributed mitigation solution, not as a scanner with all signatures loaded
- SDM and CSM support full tuning of IOS IPS signatures

Page 31: Enabling IOS IPS

Available in the IOS 12.3(11)T Security image

    aaa new-model
    aaa authentication login default local
    username cisco password 5 cisco
    ip ips sdf builtin
    ip ips name IPSRULE1
    interface FastEthernet0
     ip ips IPSRULE1 in
    ip http secure-server
    ip ips notify SDEE

Page 32: Latest Pre-Built Signature Description Files (V6)

- Basic Signature Set (128MB.sdf): 340 signatures, consumes ~15 MB DRAM
- Advanced Signature Set (256MB.sdf): 572 signatures, consumes ~50 MB DRAM
- Selected mostly from appliance signatures enabled by default
- Very good Metasploit attack coverage
- All signatures use the default parameters (currently alarm-only)
- Posted on 8/29/06 at: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup
- Recommended release: 12.4(9)T1 or 12.4(8b)

Page 33: Impact of Attack Traffic on IOS IPS Performance

- Goal: find the CPU impact when IOS IPS is under attack
- Nessus v3.0.3 used for generating attack traffic (52 signatures firing)
- Configuration: bi-directional IPS + FW + PAT; 256MB.sdf V5 signature file
- Traffic: real-world traffic at 9.6 Mbps

Results:
- Firewall + PAT + IPS with no attack traffic: 50% CPU
- Firewall + PAT + IPS with attack traffic: 57% CPU
- Impact of attack traffic on CPU: 7%

[Diagram: Avalanche real-world client on G0/0 of a Cisco 3825 (image 12.4(9)T, FW + PAT + IPS enabled at 50% CPU), real-world server and reflector on G0/1, with attack traffic injected]

Page 34: Cisco Security Agent

Page 35: The five phases of an attack on a target

1. Probe: ping addresses, scan ports, guess passwords, guess mail users
2. Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, backdoors
3. Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors
4. Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares
5. Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets

Malicious behavior: most damaging; changes very slowly; the inspiration for the CSA solution
The attack methods, by contrast: rapidly mutating; continual signature updates; inaccurate

Page 36: Zero-Day Protection

Cisco defines host-based intrusion prevention as the ability to stop zero-day malicious code without reconfiguration or update. CSA has the industry’s best record of stopping zero-day exploits, worms, and viruses over the past 4 years:

- 2001: Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
- 2002: Sircam, Debploit, SQL Snake, Bugbear
- 2003: SQL Slammer, So Big, Blaster/Welchia, Fizzer
- 2004: MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), buffer overflow in Workstation service (MS03-049)
- 2005: Internet Explorer Command Execution Vulnerability, Zotob

No signatures, reconfiguration or binary updates required

Page 37: Intercepting Operating System Calls

The Cisco Security Agent intercepts application OS calls and invokes an allow/deny response

Interceptors monitor calls for resource access:
- File system
- Network (inbound/outbound)
- Registry
- Execution (process creation, library access, executable invocation)

“Zero Update” architecture: behavior-based control means you don’t need a new signature to stop the next attack

Page 38: Global Correlation

Cisco Security Agent offers unique agent- and management-level correlation

Correlation on the agent:
- Higher accuracy
- Fewer “false positive” events

Correlation on the manager (Management Center):
- Higher accuracy
- Fewer “false negative” events
- Stops the attack before it reaches targets
- Example: distributed “ping scans”, network worm propagation

[Diagram: multiple agents reporting to the Management Center]

Page 39: Deployment Example: Data Leakage

1. Create a group and attach the “Data Leakage” policy

[Diagram: protection over time]
- Packet tagging
- Track data from key servers
- USB/removable device restrictions
- Clipboard abuse
- Location control
- Block

Page 40: Wireless Control Goals

- Disable the wireless NIC when wired is active
- Connection restrictions: certain SSIDs, encryption, ad-hoc
- Require a VPN connection when out of the office

Page 41: Cisco is about integration

Page 42: CSA + IPS Collaboration with Cisco Network IPS Version 6.0

- Enhanced contextual analysis of the endpoint
- Ability to use CSA inputs to influence IPS actions
- Correlation of info contained in the CSA watch list
- Host quarantining

[Diagram: service provider, management console and IPS sensor; CSA reports OS = Windows XP for the endpoint; sensor action “Elevate Risk Rating, Deny 10.1.10.1”]

Page 43: CSA + IPS Collaboration with Cisco Network IPS Version 6.0 (cont.)

[Diagram: the CSA watch list contains 10.1.10.1; sensor action “Elevate Risk Rating, Deny 10.1.10.1”]

Page 44: CSA + IPS Collaboration with Cisco Network IPS Version 6.0 (cont.)

Source 10.1.10.2 initiates a port scan destined for internal servers. Port scan from an IP not in the watch list: alarm only

Page 45: CSA + IPS Collaboration with Cisco Network IPS Version 6.0 (cont.)

Watch list source 10.1.10.1 initiates a port scan destined for internal servers. Port scan from an IP on the watch list: drop packet
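Putting the Risk Rating inputs of pages 13 to 17 together with the watch-list elevation of pages 42 to 45, as an added Python example rather than Cisco’s code: the weighting follows the RR formula Cisco documents for IPS 6.x (ASR × TVR × SFR / 10000 + ARR), while the value tables, the watch-list elevation of 35 and the action thresholds are assumptions chosen to reproduce the alarm-only versus drop-packet outcome of pages 44 and 45. The port scan alert and the watch list are constructed.

```python
from dataclasses import dataclass

# Attack Severity Rating: the alert severity defined for the signature (page 14)
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating: the asset value designation of the target (page 16)
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
# Attack Relevancy Rating: does the learned OS match what the signature targets? (page 18)
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}
# Elevation applied when CSA has the attacker on its watch list (assumed value)
WATCH_LIST_RATING = 35
# Event action overrides keyed by minimum RR (assumed thresholds, as page 17 describes)
OVERRIDES = [(90, "deny-packet-inline"), (70, "log-attacker-packets")]


@dataclass(frozen=True)
class Alert:
    signature: str
    attacker: str
    severity: str        # key into ASR
    fidelity: int        # Signature Fidelity Rating, 0-100 (page 15)
    target_value: str    # key into TVR
    relevancy: str       # key into ARR


def risk_rating(alert, watch_list=frozenset()):
    """RR = ASR * TVR * SFR / 10000 + ARR, plus WLR when the attacker is on the watch list."""
    if not 0 <= alert.fidelity <= 100:
        raise ValueError("signature fidelity must be 0-100")
    rr = ASR[alert.severity] * TVR[alert.target_value] * alert.fidelity / 10000
    rr += ARR[alert.relevancy]
    if alert.attacker in watch_list:
        rr += WATCH_LIST_RATING
    return max(0, min(100, round(rr)))   # RR lives on a 0-100 scale


def event_actions(alert, watch_list=frozenset()):
    """Map an alert's RR onto the actions the sensor takes; alerting always happens."""
    rr = risk_rating(alert, watch_list)
    actions = ["produce-alert"] + [act for floor, act in OVERRIDES if rr >= floor]
    return rr, actions


# Constructed scenario from pages 44-45: a port scan signature against internal servers
CSA_WATCH_LIST = frozenset({"10.1.10.1"})


def port_scan(attacker, target_value="medium", relevancy="unknown"):
    """Constructed medium-severity port scan alert with an 80% fidelity signature."""
    return Alert("TCP port scan", attacker, "medium", 80, target_value, relevancy)


def demo():
    """Same signature, four contexts: only the context changes what the sensor does."""
    return {
        "not on watch list": event_actions(port_scan("10.1.10.2"), CSA_WATCH_LIST),
        "on watch list": event_actions(port_scan("10.1.10.1"), CSA_WATCH_LIST),
        "high-value target": event_actions(port_scan("10.1.10.2", "high"), CSA_WATCH_LIST),
        "OS not relevant": event_actions(port_scan("10.1.10.2", relevancy="not-relevant"),
                                         CSA_WATCH_LIST),
    }


if __name__ == "__main__":
    for label, (rr, actions) in demo().items():
        print(f"{label:18s} RR={rr:3d} -> {', '.join(actions)}")
```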