Skip to main content

Introduction to IDS and IPS

IDS and IPS work together to provide a network security solution. An IDS captures packets in real time, processes them, and can respond to threats, but works on copies of data traffic to detect suspicious activity by using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before the IDS can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.

An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that their headers, states, and so on are those specified in the protocol suite. However, the IPS sensor analyzes at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. When a packet comes in through an interface on an IPS, that packet is not sent to the outbound or trusted interface until the packet has been determined to be clean. An IPS builds upon previous IDS technology; Cisco IPS platforms use a blend of detection technologies, including profile-based intrusion detection, signature-based intrusion detection, and protocol analysis intrusion detection.

The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.

IDS:
·         Analyzes copies of the traffic stream
·         Does not slow network traffic
·         Allows some malicious traffic into the network
IPS:
·         Works inline in real time to monitor Layer 2 through Layer 7 traffic and content
·         Needs to be able to handle network traffic
·         Prevents malicious traffic from entering the network

IDS and IPS technologies share several characteristics:
  • IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
    • A router configured with Cisco IOS IPS Software
    • An appliance specifically designed to provide dedicated IDS or IPS services
    • A network module installed in an adaptive security appliance, switch, or router
  • IDS and IPS technologies typically monitor for malicious activities in two spots:
    • Malicious activity is monitored at the network to detect attacks against a network, including attacks against hosts and devices, using network IDS and network IPS.
    • Malicious activity is monitored on a host to detect attacks that are launched from or on target machines, using host intrusion prevention system (HIPS). Host-based attacks are detected by reading security event logs, checking for changes to critical system files, and checking system registries for malicious entries.
  • IDS and IPS technologies generally use yes, signatures to detect patterns of misuse in network traffic, although other technologies will be introduced later in this chapter A signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity. Signatures are usually chosen from a broad cross section of intrusion detection signatures, and can detect severe breaches of security, common network attacks, and information gathering.
  • IDS and IPS technologies look for the following general patterns of misuse:
    • Atomic pattern: In an atomic pattern, an attempt is made to access a specific port on a specific host, and malicious content is contained in a single packet. An IDS is particularly vulnerable to an atomic attack because until it finds the attack, malicious single packets are being allowed into the network. An IPS prevents these packets from entering at all.
    • Composite pattern: A composite pattern is a sequence of operations distributed across multiple hosts over an arbitrary period of time.


The following are the steps that occur when an attack is launched in an environment monitored by an IDS:
  • Step 1. An attack is launched on a network that has a sensor deployed in IDS mode.
  • Step 2. The switch sends copies of all packets to the IDS sensor (configured in promiscuous mode, which is explained later in this section) to analyze the packets. At the same time, the target machine experiences the malicious attack.
  • Step 3. The IDS sensor, using a signature, matches the malicious traffic to the signature.
  • Step 4. The IDS sensor sends the switch a command to deny access to the malicious traffic.
  • Step 5. The IDS sends an alarm to a management console for logging and other management purposes.
The following are the steps that occur when an attack is launched in an environment monitored by an IPS:
  • Step 1. An attack is launched on a network that has a sensor deployed in IPS mode (configured in inline mode, which is explained later in this section).
  • Step 2. The IPS sensor analyzes the packets as soon as they come into the IPS sensor interface. The IPS sensor, using signatures, matches the malicious traffic to the signature and the attack is stopped immediately. Traffic in violation of policy can be dropped by an IPS sensor.
  • Step 3. The IPS sensor can send an alarm to a management console for logging and other management purposes.
Promiscuous Versus Inline Mode
·         A sensor can be deployed either in promiscuous mode or inline mode. In promiscuous mode, the sensor receives a copy of the data for analysis, while the original traffic still makes its way to its ultimate destination. By contrast, a sensor working inline analyzes the traffic live and therefore can actively block the packets before they reach their destination.
·         It is worth mentioning that Cisco appliances, such as the Cisco ASA AIP SSM (discussed later in the section, “Cisco ASA AIP SSM”), although advertised as IPS device, can work either in promiscuous mode or in inline mode.

Management Console
·         The term management console, requires some explanation. A management console is a separate workstation equipped with software to configure, monitor, and report on events. The section, “Monitoring IOS IPS,” introduces some of Cisco’s IPS management solutions.

Advantages and Limitations of IDS and IPS Modes
Advantages
Limitations
IDS (Promiscuous Mode)
No impact on network (latency, jitter)
Response action cannot stop trigger packets

No network impact if there is a sensor failure
Correct tuning required for response actions

No network impact if there is sensor overload
Must have a well-thought out security policy


More vulnerable to network evasion techniques
IPS (Inline Mode)
Stops trigger packets
Sensor issues might affect network traffic

Can use stream normalization techniques
Sensor overloading impacts the network


Must have a well-thought out security policy


Some impact on network (latency, jitter)







Labels:

Comments

Post a Comment

Popular posts from this blog

Basic Rules of Checkpoint Firewall

Managing the Firewall Rule Base: Explicit and Implied Rules These are the types of rules in the Rule Base: Explicit rules - Rules that you create to configure which connections the Firewall allows Implied rules - Rules that are based on settings in the Global Properties menu Implied rules allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections option allows packets that control these services: ·          Installing the security policy on a Security Gateway ·          Sending logs from a Security Gateway to the Security Management server ·          Connecting to third party applications, such as RADIUS and TACACS authentication servers Order of Rule Enforcement: Make sure that you understand the importance of the order of rule enforcement to maximize the security of the Firewall. The Firewall always enforces the first rule that matches a connection. It does not enforce later rules tha
Post a Comment
Read more

ASA TCP Connection Flags

When troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection provide a wealth of information about the state of TCP connections to the ASA. This information can be used to troubleshoot problems with the ASA, as well as problems elsewhere in the network. Here is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command. ASA# show conn protocol tcp 101 in use, 5589 most used TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saAUIO TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flag
Post a Comment
Read more

How to Set Up an IPSec Tunnel On PAN-OS - Palo Alto Firewalls

Set Up an IPSec Tunnel  The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.  If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID are source
Post a Comment
Read more