Net Security-Ch11 - IPS Technologies

The document discusses IPS technologies, including characteristics of IDS and IPS systems, how network-based IPS are implemented, and IPS options available on Cisco ISR routers. It describes IDS as passively monitoring network traffic while IPS can actively detect and prevent attacks. Network-based IPS can be deployed inline or passively. Cisco ISR routers support IPS using Cisco IOS IPS or Snort IPS. Snort IPS provides intrusion detection and prevention through signature matching and alerting or blocking threats.

Uploaded by yassin akkninn
© All Rights Reserved

Module 11:

IPS Technologies

Pr C. Leghris
Networking Security v1.0
Module Objectives
Module Title: IPS Technologies

Module Objective: Explain how network-based Intrusion Prevention Systems are used to help secure a network.

Topic Title - Topic Objective
• IDS and IPS Characteristics - Explain the functions and operations of IDS and IPS systems.
• IPS Implementations - Explain how network-based IPS are implemented.
• IPS on Cisco ISRs - Describe the IPS technologies that are available on Cisco ISR routers.
• Cisco Switched Port Analyzer - Configure Cisco SPAN.

11.1 IDS and IPS Characteristics

IDS and IPS Characteristics
Zero-Day Attacks
• A zero-day attack is a cyberattack that tries to exploit software vulnerabilities that are unknown to, or not yet disclosed by, the software vendor.
• The term zero-day describes the moment when a previously unknown threat is identified.

Figure: Microsoft Internet Explorer Zero-Day Vulnerability

IDS and IPS Characteristics
Monitor for Attacks

• Intrusion Detection Systems (IDS) were implemented to passively monitor the traffic on a network.
• The figure shows that an IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets.
• A better solution is to use a device that can immediately detect and stop an attack. An Intrusion Prevention System (IPS) performs this function.

IDS and IPS Characteristics
Intrusion Prevention and Detection Devices

IDS and IPS Characteristics
Advantages and Disadvantages of IDS and IPS

Solution: IDS
  Advantages:
  • No impact on network (latency, jitter)
  • No network impact if there is a sensor failure
  • No network impact if there is sensor overload
  Disadvantages:
  • Response action cannot stop trigger packets
  • Correct tuning required for response actions
  • More vulnerable to network security evasion techniques

Solution: IPS
  Advantages:
  • Stops trigger packets
  • Can use stream normalization techniques
  Disadvantages:
  • Sensor issues might affect network traffic
  • Sensor overloading impacts the network
  • Some impact on network (latency, jitter)

11.2 IPS Implementations

IPS Implementations
Types of IPS
• There are two primary kinds of IPS available: host-based IPS (HIPS) and network-based IPS.
  • HIPS (Host-based IPS) can be thought of as a combination of antivirus software, antimalware software, and a firewall. An example of a HIPS is Windows Defender. It provides a range of protection measures for Windows hosts.
  • NIPS (Network-based IPS) can be implemented using a dedicated or non-dedicated IPS device such as a router. Network-based IPS implementations are a critical component of intrusion prevention. Host-based IDS/IPS solutions must be integrated with a network-based IPS implementation to ensure a robust security architecture.

Figure: Sample IPS Sensor Deployment

IPS Implementations
Network-Based IPS
• Network-based IPS sensors can be implemented in several ways:
  • On a Cisco Firepower appliance
  • On an ASA firewall device
  • On an ISR router
  • As an NGIPSv for VMware
• The hardware of all network-based sensors includes three components:
  • NIC - The network-based IPS must be able to connect to any network, such as Ethernet, Fast Ethernet, and Gigabit Ethernet.
  • Processor - Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
  • Memory - Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network-based IPS to efficiently and accurately detect an attack.

IPS Implementations
Modes of Deployment
Inline Mode
• IDS and IPS sensors can operate in inline mode (also known as inline interface pair mode) or promiscuous mode (also known as passive mode).

Figure: Inline Mode; Promiscuous Mode

11.3 IPS on Cisco ISRs

IPS on Cisco ISRs
IPS Components
• An IPS sensor has two components:
  • IPS detection and enforcement engine - To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
  • IPS attack signatures package - This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures.
• The IPS detection and enforcement engine that can be implemented depends on the router platform:
  • Cisco IOS Intrusion Prevention System (IPS)
  • Cisco Snort IPS

IPS on Cisco ISRs
Cisco IOS IPS

• The network administrator could configure the Cisco IOS IPS to choose the appropriate response to various threats. For example, when packets in a session matched a signature, Cisco IOS IPS could be configured to respond as follows:
  • Send an alarm to a syslog server or a centralized management interface
  • Drop the packet
  • Reset the connection
  • Deny traffic from the source IP address of the threat for a specified amount of time
  • Deny traffic on the connection for which the signature was seen for a specified amount of time

IPS on Cisco ISRs
Snort IPS
• Many of the devices that supported Cisco IOS IPS are no longer available, or no longer supported. The newer Cisco 4000 Series Integrated Services Routers (ISR) provide IPS services using the Snort IPS feature. Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content searching or matching, and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, etc.
• The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs. A virtual service container is a virtual machine that runs on the ISR router operating system. Service containers are applications that can be hosted directly on Cisco IOS XE routing platforms. The Snort container is distributed as an Open Virtualization Appliance (OVA) file that is installed on the router.


IPS on Cisco ISRs
Snort Operation

• Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. Snort can customize rule sets and provide centralized deployment and management capabilities for 4000 Series ISRs.
• Snort can be enabled in IDS mode or IPS mode:
  • IDS mode - Snort inspects the traffic and reports alerts but does not take any action to prevent attacks.
  • IPS mode - In addition to intrusion detection, actions are taken to prevent attacks.
• In the network intrusion detection and prevention mode, Snort performs the following actions:
  • Monitors network traffic and analyzes it against a defined rule set
  • Performs attack classification
  • Invokes actions against matched rules
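The IDS-mode versus IPS-mode choice and the automatic rule-set delivery described above, written out as an added example of a Snort IPS policy on an ISR 4000. This is not configuration from the slides or from Cisco's documentation. It assumes IOS XE with the Snort OVA already installed in its service container (that installation and the VirtualPortGroup plumbing are omitted), a constructed syslog collector at 192.0.2.50, and placeholder cisco.com credentials; the utd keywords are written from memory of the IOS XE Snort IPS CLI, so confirm them against the command reference for the release in use.

```cisco
! Added example (not from the slides). Snort IPS on an ISR 4000 is
! configured through the IOS XE Unified Threat Defense (utd) CLI.
! Assumes the Snort service container is already installed and running.
utd engine standard
 ! Constructed address of the syslog collector that receives Snort alerts.
 logging host 192.0.2.50
 threat-inspection
  ! Mode selection, one of the two:
  !   threat detection   -> IDS mode: inspect and alert only
  !   threat protection  -> IPS mode: inspect and drop on a match
  threat protection
  ! Talos rule-set profile; "security" is the most aggressive of
  ! connectivity / balanced / security.
  policy security
  ! Rule-set pull straight from cisco.com (placeholder credentials),
  ! checked daily at 00:00.
  signature update server cisco username CCO-USER password CCO-PASS
  signature update occur-at daily 0 0
!
utd
 ! Send traffic from every interface through the Snort engine.
 all-interfaces
 engine standard
 ! Behaviour while the container is down or overloaded: "fail close"
 ! drops traffic rather than forwarding it uninspected (the default is
 ! fail open).
 fail close
!
! Verification, from privileged EXEC mode:
! show utd engine standard status
```

Switching `threat protection` to `threat detection` turns the same policy into the IDS mode from the slide, where matches are only reported to the syslog host. The `fail close` line is the concrete form of the "sensor issues might affect network traffic" trade-off from the IDS/IPS comparison table: it keeps an attacker from slipping past the sensor while it is down, at the cost of an outage until the container recovers, so decide it deliberately rather than leaving the default.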
IPS on Cisco ISRs
Snort Features

• The table lists the features and benefits of Snort IPS.

Feature: Signature-based intrusion detection system (IDS) and intrusion prevention system (IPS)
Benefit: Snort open-source IPS, capable of performing real-time traffic analysis and packet logging on IP networks, runs on the 4000 Series ISR service container without the need to deploy an additional device at the branch.

Feature: Snort rule set updates
Benefit: Snort rule set updates for 4000 Series ISRs are generated by Cisco Talos, a group of leading-edge network security experts who work around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware, and vulnerabilities.

Feature: Snort rule set pull
Benefit: The router will be able to download rule sets directly from cisco.com or snort.org to a local server, using one-time commands or periodic automated updates.

Feature: Snort rule set push
Benefit: A centralized management tool can push the rule sets based on preconfigured policy, instead of the router directly downloading on its own.

Feature: Signature allowed listing
Benefit: Allowed listing allows the disabling of certain signatures from the rule set. Disabled signatures can be reenabled at any time.
IPS on Cisco ISRs
Snort System Requirements
• A security K9 license (SEC) is required to activate Snort IPS functionality. Customers also need to purchase a yearly subscription for the signature package distributed on cisco.com. To keep current with the latest threat protection, Snort rule sets are term-based subscriptions, available for one or three years.
• There are two types of term-based subscriptions:
  • Community Rule Set - Offers limited coverage against threats, focusing on reactive response to security threats versus proactive research work. There is 30-day delayed access to updated signatures in the Community Rule Set, and this subscription does not entitle the customer to Cisco support.
  • Subscriber Rule Set - Offers the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.

11.4 Cisco Switched Port Analyzer

Cisco Switched Port Analyzer
Network Monitoring Methods

• The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth usage, and resource access. Together, these patterns identify normal network behavior. Security analysts must be intimately familiar with normal network behavior because abnormal network behavior typically indicates a problem.
• To determine normal network behavior, network monitoring must be implemented using IDS, packet analyzers, SNMP, NetFlow, and other tools. Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices:
  • Network taps, sometimes known as test access points (TAPs)
  • Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring approaches

Cisco Switched Port Analyzer
Network Taps

• A network tap is typically a passive splitting device implemented inline between a device of interest and the network.
• A tap forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination.
• Taps are also typically fail-safe, which means if a tap fails or loses power, traffic between the firewall and internal router is not affected.

Cisco Switched Port Analyzer
Traffic Mirroring and SPAN
• Because capturing data for network monitoring requires all traffic to be captured, special techniques must be employed to bypass the network segmentation imposed by network switches.
• Port mirroring is one of these techniques. Port mirroring enables the switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) port that is connected to an analysis device.
• The table identifies and describes terms used by the SPAN feature.

SPAN Term - Description
• Ingress traffic - Traffic that enters the switch.
• Egress traffic - Traffic that leaves the switch.
• Source (SPAN) port - Source ports are monitored as traffic entering them is replicated (mirrored) to the destination ports.
• Destination (SPAN) port - A port that mirrors source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.

Cisco Switched Port Analyzer
Traffic Mirroring and SPAN (Cont.)
 The figure shows a switch that
interconnects two hosts and mirrors
traffic to an intrusion detection device
(IDS) and network management server.

Cisco Switched Port Analyzer
Configure Cisco SPAN

 The SPAN feature on Cisco switches sends a copy of each frame entering the source port
out the destination port and toward the packet analyzer or IDS. A session number is used
to identify a SPAN session. The figure shows the monitor session command, used to
associate a source port and a destination port with a SPAN session. A VLAN can be
specified instead of a physical port.

Cisco Switched Port Analyzer
Configure Cisco SPAN (cont.)

• In this example, PCA is connected to F0/1 and an IDS is connected to F0/2. The objective is to capture all the traffic that is sent or received by PCA on port F0/1 and send a copy of those frames to the IDS (or a packet analyzer) on port F0/2. The SPAN session on the switch will copy all the traffic that it sends and receives on source port F0/1 to the destination port F0/2.

Cisco Switched Port Analyzer
Configure Cisco SPAN (cont.)

• The show monitor command is used to verify the SPAN session.

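The local SPAN session built up over the last three slides (the monitor session command, the PCA-to-IDS topology, and the show monitor verification), written out as one complete added example; it is not taken from the slides or from the Packet Tracer activity. It assumes a Catalyst switch running Cisco IOS with the hostname Switch, PCA on FastEthernet0/1 and the IDS on FastEthernet0/2 as in the figure, and session number 1.

```cisco
! Added example (not from the slides): local SPAN session 1 mirrors every
! frame PCA sends or receives on F0/1 to the IDS or packet analyzer on F0/2.
Switch# configure terminal
! "both" mirrors ingress (rx) and egress (tx) frames of the source port;
! use "rx" or "tx" to mirror only one direction.
Switch(config)# monitor session 1 source interface FastEthernet0/1 both
! A VLAN can be the source instead of a physical port, for example:
!   monitor session 1 source vlan 10 rx
Switch(config)# monitor session 1 destination interface FastEthernet0/2
Switch(config)# end
! Verify the session: the output lists the session type, the source
! port(s) with their direction, and the destination port.
Switch# show monitor session 1
! Remove the session once the capture is finished so F0/2 goes back to
! being an ordinary switched port.
Switch# configure terminal
Switch(config)# no monitor session 1
Switch(config)# end
```

While F0/2 is a SPAN destination it carries only the mirrored copies, so the IDS attached to it sees PCA's traffic but cannot use that port for its own normal communication; that is also why a promiscuous-mode sensor fed by SPAN can alert but can never stop the trigger packet, which is the point made in the IDS/IPS comparison table.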
Cisco Switched Port Analyzer
Packet Tracer - Implement a Local SPAN

• In this Packet Tracer, you will complete the following objectives:
  • Part 1: Build the Network and Verify Connectivity
  • Part 2: Configure Local SPAN and Capture Copied Traffic with Wireshark

11.5 Module 11: IPS Technologies Summary

Module 11: IPS Technologies Summary
What Did I learn in this Module?

• IDS and IPS make up part of a multi-layered approach to network security.
• IDS work offline to detect malicious traffic through traffic mirroring.
• IPS devices work inline to prevent network attacks; however, they can add latency and slow network performance.
• IPSs can be host-based (HIPS) or network-based (NIPS).
• A HIPS is installed on a network host.
• A NIPS can be deployed in two modes.
• In promiscuous mode, a NIPS functions as an IDS by monitoring mirrored traffic, alerting personnel and logging information when attacks occur.
• In inline mode, a NIPS processes all traffic that enters a network and checks that traffic at Layers 3 to 7.
• Enabling IPS functionality on routers at the branch level is a cost-effective way to protect networks with a single device.
• For the 4000 Series ISR, the Cisco Snort IPS has replaced the IOS IPS.

Module 11: IPS Technologies Summary
What Did I learn in this Module? (cont.)

• Snort monitors network traffic and analyzes it against a defined rule set.
• Snort can classify attacks by type and can perform actions against the traffic.
• Snort can be configured to automatically update its rules from an internet source.
• SPAN is a technology that enables network monitoring from source ports or VLANs to a destination port or VLAN that is connected to the monitoring device or IDS.
• Source ports carry the traffic that is to be monitored, and destination ports are connected to the monitoring devices.
• The configuration of SPAN entails defining the source and destination switchports.

IPS Technologies
New Terms and Commands
• zero-day threat
• security operations center (SOC)
• security information and event management (SIEM)
• security orchestration, automation, and response (SOAR)
• intrusion detection systems (IDS)
• intrusion prevention systems (IPS)
• Host-based IPS (HIPS)
• Network-based IPS (NIPS)
• Switched Port Analyzer (SPAN)
• promiscuous mode
• inline mode
• Snort IPS
• IDS mode
• IPS mode
• community rule set
• subscriber rule set
• network tap
• test access points
• ingress traffic
• egress traffic
• monitor session number source [interface interface | vlan vlan]
• monitor session number destination [interface interface | vlan vlan]
• show monitor