IDS/IPS

What is an IDS?
• An intrusion detection system (IDS) is an
application that monitors network traffic and
searches for known threats and suspicious or
malicious activity.
• The IDS sends alerts to IT and security teams
when it detects any security risks and threats.
IDS
• An Intrusion Detection System (IDS) is a
monitoring system that detects suspicious
activities and generates alerts when they are
detected.
• Based upon these alerts, a security operations
center (SOC) analyst or incident responder
can investigate the issue and take the
appropriate actions to remediate the threat.
SPAN (Switched Port Analyzer)
What is an Intrusion?
• Intrusion is an attacker gaining unauthorized
access to a device, network, or system. Cyber
criminals use increasingly sophisticated
techniques and tactics to infiltrate
organizations without being discovered.
Common Techniques of Intrusion
• Address Spoofing
• Fragmentation
• Pattern Evasion
• Coordinated Attack
IDS vs IPS
• Similar to a firewall, an IPS is deployed inline in the traffic flow. The IPS is an active network component that examines every passing packet and takes the remedial action prescribed by its configuration and policy. In contrast, an IDS is a passive component that is typically not deployed inline; instead it monitors a copy of the traffic via SPAN or TAP technology and then raises notifications.
Firewall vs IDS/IPS
• The main difference is that a firewall performs actions such as blocking and filtering traffic, whereas an IDS detects and alerts a system administrator and an IPS prevents the attack, as per its configuration.
• A firewall allows traffic based on a set of configured rules. It relies on the source address, the destination address, and the ports, and can deny any traffic that does not meet the specified criteria.
Types of IDS
• NIDS (Network Intrusion Detection System)
• HIDS (Host Intrusion Detection System)
• SIDS (Signature-based Intrusion Detection System)
• AIDS (Anomaly-based Intrusion Detection System)
• PIDS (Perimeter Intrusion Detection System)
Work
• Monitoring the performance of key firewalls, files, routers, and servers to detect, prevent, and recover from cyberattacks
• Enabling system administrators to organize and understand their relevant operating system audit trails and logs, which are often difficult to manage and track
• Providing an easy-to-use interface that allows staff who are not security experts to help with the management of an organization’s systems
• Providing an extensive database of attack signatures that can be used to match and detect known threats
• Providing a quick and effective reporting system when anomalous or malicious activity occurs, which enables the threat to be passed up the stack
• Generating alarms that notify the necessary individuals, such as system administrators and security teams, when a breach
NIDS (Network Intrusion Detection System)
HIDS (Host Intrusion Detection System)
Zero-Day Attacks
• Worms and viruses can spread across the world in minutes.
• A zero-day attack (zero-day threat) is a computer attack that tries to exploit software vulnerabilities.
• Zero-hour describes the moment when the exploit is discovered.
Monitor for Attacks
• IDSs were implemented to passively monitor the traffic on a network.
• An IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets.
• Working offline, it compares the captured traffic stream with known malicious signatures.
• This offline IDS implementation is referred to as “promiscuous mode.”
Monitor for Attacks
• The advantage of operating with a copy of the
traffic is that the IDS does not negatively affect
the actual packet flow.
• The disadvantage of operating on a copy of the
traffic is that the IDS cannot stop malicious
single-packet attacks from reaching the target
before responding to the attack.
• A better solution is to use a device that can
immediately detect and stop an attack. An IPS
performs this function.
Detect and Stop Attacks
• An IDS monitors traffic offline
and generates an alert (log)
when it detects malicious
traffic including:
• Reconnaissance attacks
• Access attacks
• Denial of Service attacks
• An IDS is a passive device
because it analyzes copies
of the traffic stream.
• Only requires a promiscuous
interface.
• Does not slow network
traffic.
• Allows some malicious
traffic into the network.
Detect and Stop Attacks Cont.
• An IPS builds upon IDS
technology to detect attacks.
– However, it can also immediately
address the threat.
• An IPS is an active device
because all traffic must pass
through it.
– Referred to as “inline-mode”, it
works inline in real time to
monitor Layer 2 through Layer 7
traffic and content.
– It can also stop single-packet
attacks from reaching the target
system (IDS cannot).
IDS and IPS Characteristics
IDS and IPS Characteristics Cont.
An IDS or IPS sensor can be any of the following devices:
• Router configured with Cisco IOS IPS software.
• Appliance specifically designed to provide dedicated IDS or IPS services.
• Network module installed in an adaptive security appliance (ASA),
switch, or router.
IDS and IPS technologies use signatures to detect patterns in network
traffic.
A signature is a set of rules that an IDS or IPS uses to detect malicious
activity.
Signatures are used to detect severe security breaches, common network
attacks, and to gather information.
IDS and IPS Characteristics
Advantages and Disadvantages of IDS and IPS
Network IPS Sensors
• Implementation analyzes
network-wide activity
looking for malicious
activity.
• Configured to monitor
known signatures, but
can also detect abnormal
traffic patterns.
• Configured on:
• Dedicated IPS appliances
• ISR routers
• ASA firewall appliances
• Catalyst 6500 network
modules
Network IPS Sensors Cont.
• Sensors are connected to network segments. A single sensor can monitor many
hosts.
• Sensors are network appliances tuned for intrusion detection analysis.
• The OS is stripped of unnecessary services - “hardened.”
• The hardware is dedicated to intrusion detection analysis.
• The hardware includes three components:
• Network interface card (NIC) - Able to connect to any network.
• Processor - Requires CPU power to perform intrusion detection
analysis and pattern matching.
• Memory - Intrusion detection analysis is memory-intensive.
• Growing networks are easily protected.
• New hosts and devices can be added without adding
sensors.
• New sensors can be easily added to new networks.
Network-Based IPS Implementations

Cisco IPS Solutions


Network-Based IPS Implementations

Cisco IPS Solutions Cont.


Network-Based IPS Implementations

Choose an IPS Solution


There are several factors
that affect the IPS sensor
selection and deployment:
• Amount of network traffic
• Network topology
• Security budget
• Available security staff to
manage IPS

Organization Site
Network-Based IPS Implementations

IPS Advantages and Disadvantages


5.2 IPS Signatures
IPS Signature Characteristics

Signature Attributes
• Malicious traffic displays distinct characteristics or
“signatures.”
• These signatures uniquely identify specific worms,
viruses, protocol anomalies, or malicious traffic.
• IPS sensors are tuned to look for matching
signatures or abnormal traffic patterns.
• When a sensor matches a signature with a data
flow, it takes action, such as logging the event or
sending an alarm to IDS or IPS.
• Signatures have three distinctive attributes:
• Type
• Trigger (alarm)
• Action
IPS Signature Characteristics

Signature Types - Atomic Signature


Signature types are categorized as atomic or
composite.
• An atomic signature is the simplest type of
signature. It consists of a single packet,
activity, or event.
• Detecting atomic signatures consumes
minimal resources. These signatures are easy
to identify and understand because they are
compared against a specific event or packet.
IPS Signature Characteristics

Signature Types - Atomic Signature Cont.


A land attack contains a spoofed TCP SYN packet with the IP address
of the target host as both source and destination, causing the machine
to reply to itself continuously.
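The land attack above is a good illustration of an atomic signature: the whole decision is made from one packet. The following added example (not from the original slides) parses minimal IPv4/TCP headers from a constructed packet and matches the signature exactly as the slide describes it, a TCP SYN whose source and destination addresses are the same. `build_packet` is a helper assumed here only to construct sample input; checksums are left at zero because a sensor working on a copied stream does not need them to be valid.

```python
import struct
import ipaddress

TCP_SYN = 0x02
TCP_ACK = 0x10
IPPROTO_TCP = 6


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fields an atomic signature needs from raw IPv4 (+TCP) headers."""
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    hdr = {"src": src, "dst": dst, "proto": proto}
    if proto == IPPROTO_TCP:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        hdr["flags"] = pkt[ihl + 13]          # TCP flags byte
    return hdr


def land_signature(pkt: bytes) -> bool:
    """Atomic signature: a single TCP SYN (without ACK) whose source address
    equals its destination address. True means the signature fired."""
    h = parse_ipv4_tcp(pkt)
    if h["proto"] != IPPROTO_TCP:
        return False
    syn_only = (h["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return syn_only and h["src"] == h["dst"]


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample packet (helper for this example): 20-byte IPv4 header
    followed by a 20-byte TCP header, no options, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp
```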
IPS Signature Characteristics

Signature Types - Composite Signature


• A composite signature is also called a stateful
signature.
• A composite signature identifies a sequence of
operations distributed across multiple hosts
over an arbitrary period of time.
• An IPS uses a configured event horizon to
determine how long it looks for a specific
attack signature.
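The event horizon is what makes a composite signature practical: the sensor must forget partial matches eventually or its state grows without bound. The added example below (not from the original slides) implements a small stateful signature that fires only when one source produces a configured sequence of sensor-classified events, against any hosts, within the horizon; the stage names and sample events are constructed for the example.

```python
class CompositeSignature:
    """Stateful (composite) signature: fires when one source produces the
    configured stage events in order, against any hosts, inside the event
    horizon. Partial progress older than the horizon is discarded."""

    def __init__(self, name, stages, event_horizon):
        self.name = name
        self.stages = tuple(stages)
        self.horizon = event_horizon   # seconds the sensor keeps looking
        self.state = {}                # src -> (next_stage, first_ts, hosts)

    def observe(self, ts, src, dst, kind):
        """Feed one classified event; return an alert dict when the sequence completes."""
        idx, first_ts, hosts = self.state.get(src, (0, None, set()))
        if first_ts is not None and ts - first_ts > self.horizon:
            idx, first_ts, hosts = 0, None, set()   # horizon expired: start over
            self.state.pop(src, None)
        if kind != self.stages[idx]:
            return None                              # keep whatever progress exists
        first_ts = ts if first_ts is None else first_ts
        hosts = hosts | {dst}
        idx += 1
        if idx < len(self.stages):
            self.state[src] = (idx, first_ts, hosts)
            return None
        self.state.pop(src, None)
        return {"signature": self.name, "src": src,
                "hosts": sorted(hosts), "window": ts - first_ts}


def run_detector(sig, events):
    """Replay (ts, src, dst, kind) events through one signature; return the alerts."""
    alerts = []
    for ev in events:
        alert = sig.observe(*ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: 10.0.0.7 completes all three stages across three
# hosts within 120 s; 10.0.0.9 performs the same steps but spread beyond a
# 300 s horizon, so its early stage is forgotten and no alert is raised.
SAMPLE_EVENTS = [
    (0,   "10.0.0.7", "10.0.1.10", "host_sweep"),
    (60,  "10.0.0.7", "10.0.1.11", "port_probe"),
    (120, "10.0.0.7", "10.0.1.12", "exploit_attempt"),
    (0,   "10.0.0.9", "10.0.1.10", "host_sweep"),
    (400, "10.0.0.9", "10.0.1.11", "port_probe"),
    (410, "10.0.0.9", "10.0.1.12", "exploit_attempt"),
]
```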
IPS Signature Characteristics

Signature File
• As new threats are identified, new signatures
must be created and uploaded to an IPS.
• To make this process easier, all signatures are
contained in a signature file and uploaded to
an IPS on a regular basis.
IPS Signature Characteristics

Signature Micro-Engines
• To make the scanning of
signatures more efficient, the
Cisco IOS software relies on
signature micro-engines (SME),
which categorize common
signatures in groups.
• The Cisco IOS software can then
scan for multiple signatures
based on group characteristics,
instead of one at a time.
• The available SMEs vary
depending on the platform, Cisco
IOS version, and version of the
signature file.
IPS Signature Characteristics

Acquire the Signature File


• Cisco investigates/creates signatures for new
threats as they are discovered, and publishes them
regularly.
• Lower priority IPS signature files are published biweekly.
• If the threat is severe, Cisco publishes signature files
within hours of identification.
• Update the signature file regularly to protect the
network.
• Each update includes new signatures and all the
signatures in the previous version.
• For example, the IOS-S595-CLI.pkg signature file includes
all signatures in file IOS-S594-CLI.pkg, plus signatures
created for threats discovered subsequently.
• New signatures are downloadable from CCO and require a valid CCO login.
IPS Signature Alarms

Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the
signature trigger.
Signature Alarm

Pattern-Based Detection
Pattern-based detection, also known as signature-based detection, compares the network traffic to a database of known attacks and triggers an alarm, or prevents communication, if a match is found.
Signature Alarm

Anomaly-Based Detection
• Anomaly-based detection, also known as
profile-based detection, involves first defining a
profile of what is considered normal for the
network or host.
• The signature triggers an action if excessive
activity occurs beyond a specified threshold that
is not included in the normal profile.
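To make the profile-then-threshold idea concrete, the added example below (not from the original slides) learns a profile from a constructed baseline of per-minute connection counts and then reports the intervals that exceed the threshold. The threshold rule (mean plus k standard deviations, with a floor for flat baselines) is an assumption of this example, not something the slides prescribe.

```python
import statistics


def build_profile(baseline_counts, k=3.0, floor=10):
    """Learn a 'normal' profile from per-interval counts (e.g. new connections
    per minute observed during a quiet baseline period). The threshold is
    mean + k standard deviations, with a floor so a very flat baseline does
    not make every small fluctuation look anomalous."""
    mean = statistics.fmean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts)
    return {"mean": mean, "stdev": stdev,
            "threshold": max(mean + k * stdev, mean + floor)}


def anomaly_alerts(profile, observations):
    """Return the (interval, count) observations that exceed the profile threshold."""
    return [(t, c) for t, c in observations if c > profile["threshold"]]


# Constructed sample data: a baseline of connections per minute for a file
# server, then a later monitoring window containing one burst.
BASELINE = [40, 45, 38, 50, 42, 47, 44, 41]
OBSERVED = [("09:00", 46), ("09:01", 48), ("09:02", 120), ("09:03", 43)]
```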
IPS Signature Alarms

Policy-Based Detection
• Policy-based detection is also known as
behavior-based detection.
• The administrator defines behaviors that are
suspicious based on historical analysis.
• Honeypot-based detection uses a dummy server to attract attacks.
• The honeypot approach is to distract attacks away from real network devices.
• Honeypot systems are rarely used in production environments.
IPS Signature Alarms

Benefits of Implementing an IPS


• IPS uses the underlying routing infrastructure to provide an additional layer of security.
• Since Cisco IOS IPS is inline, attacks can be effectively
mitigated by denying malicious traffic from both inside
and outside the network.
• When used in combination with Cisco IDS, Cisco IOS
Firewall, VPN, and Network Admission Control (NAC)
solutions, Cisco IOS IPS provides threat protection at all
entry points to the network.
• It is supported by easy and effective management tools,
such as the Cisco Configuration Professional.
• The size of the signature database used by the device can
be adapted to the amount of available memory in the
router.
Tuning IPS Signature Alarms

Trigger False Alarms


• Triggering mechanisms can generate alarms that
are false positives or false negatives.
• These alarms must be addressed when
implementing an IPS sensor.
Tuning IPS Signature Alarms

Tune Signature
• An administrator must balance the number of
incorrect alarms that can be tolerated with the
ability of the signature to detect actual
intrusions.
• If IPS systems use untuned signatures, they
produce many false positive alarms.
Tuning IPS Signature Alarms

Tune Signature Cont.


• Low
–Abnormal network activity is detected that could be
perceived as malicious, but an immediate threat is unlikely.
• Medium
–Abnormal network activity is detected that could be
perceived as malicious, and an immediate threat is likely.
• High
–Attacks used to gain access or cause a DoS attack are
detected, and an immediate threat is extremely likely.
• Informational
–Activity that triggers the signature is not considered an immediate threat, but the information provided is useful.
IPS Signature Actions

Signature Actions
• Whenever a signature detects the activity
for which it is configured, the signature
triggers one or more actions.
• Several actions can be performed:
• Generate an alert.
• Log the activity.
• Drop or prevent the activity.
• Reset a TCP connection.
• Block future activity.
• Allow the activity.
IPS Signature Actions

Signature Actions Cont.


IPS Signature Actions

Generate an Alert
• An IPS can be enabled to produce an alert or a verbose alert.
• Atomic alerts are generated every time a signature triggers.
• Some IPS solutions enable the administrator to generate summary alerts, which indicate multiple occurrences of the same signature from the same source address or port.
IPS Signature Actions

Log the Activity


• Used when an administrator does not
necessarily have enough information to stop an
activity.
• An IPS can be enabled to log the attacker
packets, pair packets, or just the victim packets.
• An administrator can then perform a detailed
analysis, and identify exactly what is taking
place and make a decision as to whether it
should be allowed or denied in the future.
IPS Signature Actions

Drop or Prevent the Activity


An IPS can be enabled to deny the attacker
packets, deny the connection, or deny the specific
packet.
IPS Signature Actions

Reset, Block, and Allow Traffic


Manage and Monitor IPS

Monitor Activity
Monitoring the security-related events on a
network is also a crucial aspect of protecting a
network from attack.
Manage and Monitor IPS

Monitoring Considerations
