Module 11 IPS Technologies

IPS Technologies

IDS and IPS Characteristics

11.1.1 Zero-Day Attacks

Malware can spread across the world in a matter of minutes. A network must instantly recognize and mitigate malware threats. Firewalls can only do so much and cannot provide protection against all malware and zero-day attacks.

A zero-day attack, sometimes referred to as a zero-day threat, is a cyberattack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor, as shown in the figure. The term zero-day refers to the fact that the vendor has had zero days to develop a fix since the vulnerability became known; it describes the moment when a previously unknown threat is identified.

The figure shows a topology illustrating a zero-day attack. The zero-day attack is depicted as a red skull and crossbones trying to enter a LAN through a firewall.

Zero-Day Exploit Attack

During the time it takes the software vendor to develop and release a patch, the network is vulnerable to these exploits, as shown in the figure. Defending against these fast-moving attacks requires network security professionals to adopt a more sophisticated view of the network architecture. It is no longer possible to contain intrusions at a few points in the network.

Microsoft Internet Explorer Zero-Day Vulnerability


11.1.2 Monitor for Attacks

One approach to prevent malware exploits is for an administrator to continuously monitor the network and analyze the log files generated by network devices. Security operations center (SOC) tools, such as security information and event management (SIEM) and security orchestration, automation, and response (SOAR) systems, automate the log file gathering and analysis process. It has become an accepted fact that malware will enter the network despite the best defenses. For this reason, a multilayered approach to malware protection must be employed. Log files generated by devices at each layer help to identify whether an exploit has occurred, the diagnostic features of the exploit, and the extent of the damage within the enterprise. The information gathered in log files also informs the measures taken in response to the exploit, such as containment and mitigation.

Intrusion Detection Systems (IDS) were implemented to passively monitor the traffic on a network. The figure shows that an IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets.

The figure shows a topology illustrating that an IDS-enabled device copies the traffic stream through the IDS-enabled sensor and analyzes the copied traffic with the management console rather than the actual forwarded packets.

Intrusion Detection System Operation

Working offline, the IDS compares the captured traffic stream with known malicious signatures, similar to software that checks for viruses. Working offline means several things:

 The IDS works passively.

 The IDS device is physically positioned in the network so that traffic must be mirrored in order to reach it.

 Network traffic does not pass through the IDS unless it is mirrored.

 Very little latency is added to network traffic flow.

Although the traffic is monitored, logged, and perhaps reported, no action is taken on packets by the IDS. This offline IDS implementation is referred to as promiscuous mode.

The advantage of operating with a copy of the traffic is that the IDS does not negatively affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target: by the time the alert is raised, the original packet has already been forwarded. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.

A better solution is to use a device that can immediately detect and stop an attack. An Intrusion Prevention System (IPS) performs this function.

11.1.3 Intrusion Prevention and Detection Devices

A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network.

When implementing IDS or IPS, it is important to be familiar with the types of systems available, host-based and network-based approaches, the placement of these systems, the role of signature categories, and possible actions that a Cisco IOS router can take when an attack is detected.

The figure shows how an IPS device handles malicious traffic.

The figure shows a user in the top right corner connected and sending traffic into a cloud. The cloud connects to a router and sends the traffic through that router. The cloud connects to an IPS-enabled sensor that connects to another router that also has connections to a management console and a laptop labeled target. There is also an icon for a bit bucket to the side of the IPS-enabled sensor, representing dropped packets. Characteristics of IDS and IPS include: both technologies are deployed as sensors, both use signatures to detect patterns of misuse in network traffic, and both can detect atomic patterns (single packet) or composite patterns (multi-packet).

IDS and IPS Characteristics

IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:

 A router configured with IPS software

 A device specifically designed to provide dedicated IDS or IPS services

 A hardware module installed in an adaptive security appliance (ASA), switch, or router

IDS and IPS technologies use signatures to detect patterns in network traffic. A signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information. IDS and IPS technologies can detect atomic signature patterns (single-packet), where one packet alone is enough to trigger a match, or composite signature patterns (multi-packet), where the sensor must keep state across several packets, such as a series of connection attempts from one source, before it can decide that a match has occurred.
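The atomic versus composite distinction is easiest to see in code. The following is an added example, not part of the Cisco course and not Snort or Cisco IOS IPS rule syntax: a toy signature engine in Python whose packet fields, signature IDs (1001, 2001), threshold and sample traffic are all constructed for illustration. The atomic signature fires on a single packet; the composite signature has to keep per-source state across packets and fires only when the fifth distinct port is probed.

```python
"""
Added example (not Cisco course material): a minimal signature engine showing
an atomic signature (one packet is enough to match) next to a composite
signature (state must be tracked across packets). Packet fields, signature
IDs, threshold and sample traffic are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str = ""        # TCP flags, e.g. "S" for SYN
    payload: bytes = b""


@dataclass
class Alert:
    sig_id: int
    msg: str
    src: str
    packets: int           # how many packets contributed to the match


def atomic_content(sig_id, msg, needle, dport=None):
    """Atomic signature: decided on one packet's payload (and optional port)."""
    def check(pkt, state):
        if dport is not None and pkt.dport != dport:
            return None
        if needle in pkt.payload:
            return Alert(sig_id, msg, pkt.src, 1)
        return None
    return check


def composite_portscan(sig_id, msg, threshold):
    """Composite signature: SYNs from one source to `threshold` distinct
    destination ports on one host. Needs per-source state across packets."""
    def check(pkt, state):
        if "S" not in pkt.flags:
            return None
        seen = state.setdefault(("scan", pkt.src, pkt.dst), set())
        seen.add(pkt.dport)
        if len(seen) == threshold:      # fire once, when the threshold is reached
            return Alert(sig_id, msg, pkt.src, len(seen))
        return None
    return check


SIGNATURES = [
    atomic_content(1001, "HTTP request containing ../ traversal", b"../", dport=80),
    composite_portscan(2001, "TCP SYN scan: 5 distinct ports", threshold=5),
]


def run_sensor(packets, signatures=SIGNATURES):
    """Feed packets through every signature. `state` persists between packets,
    which is what lets a composite signature correlate them."""
    state = {}
    alerts = []
    for pkt in packets:
        for sig in signatures:
            alert = sig(pkt, state)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed traffic: one traversal attempt, one benign request, and a
# six-port SYN scan from 10.0.0.9 against the same web server.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
] + [Packet("10.0.0.9", "192.0.2.10", p, "S") for p in (21, 22, 23, 25, 80, 443)]

if __name__ == "__main__":
    for a in run_sensor(SAMPLE):
        print(f"[{a.sig_id}] {a.msg} from {a.src} ({a.packets} packet(s))")
```

Feeding only the first three packets produces the traversal alert alone: a single SYN is not a scan, and a sensor that kept no state could never tell the difference.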

11.1.4 Advantages and Disadvantages of IDS and IPS

IDS Advantages and Disadvantages

The table summarizes the advantages and disadvantages of IDS and IPS.

Solution   Advantages                                         Disadvantages

IDS         No impact on network (latency, jitter)           Response action cannot stop trigger packets
            No network impact if there is a sensor failure   Correct tuning required for response actions
            No network impact if there is sensor overload    More vulnerable to network security evasion techniques

IPS         Stops trigger packets                            Sensor issues might affect network traffic
            Can use stream normalization techniques          Sensor overloading impacts the network
                                                              Some impact on network (latency, jitter)

IDS Advantages

An IDS is deployed in offline mode and therefore:

 The IDS does not impact network performance. Specifically, it does not introduce latency, jitter, or other traffic flow issues.

 The IDS does not affect network functionality if the sensor fails. It only affects the ability of the IDS to analyze the data.

IDS Disadvantages

Disadvantages of an IDS include:

 An IDS sensor cannot stop the packets that have triggered an alert, and it is less helpful in detecting email viruses and automated attacks, such as worms.

 Tuning IDS sensors to achieve expected levels of intrusion detection can be very time-consuming. Users deploying IDS sensor response actions must have a well-designed security policy and a good operational understanding of their IDS deployments.

 An IDS implementation is more vulnerable to network security evasion techniques because it is not inline: it inspects each mirrored packet as it arrives and cannot normalize fragmented or out-of-order traffic the way an inline device can, so an attacker who splits a malicious payload across segments, or overlaps fragments so that the sensor and the target reassemble them differently, may slip past it.

IPS Advantages

Advantages of an IPS include:

 An IPS sensor can be configured to drop the trigger packets, the packets associated with a connection, or packets from a source IP address.

 Because IPS sensors are inline, they can use stream normalization. Stream normalization is a technique used to reconstruct the data stream when the attack occurs over multiple data segments, so that the sensor inspects the same byte stream the target will see.
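The evasion problem noted under IDS Disadvantages and the stream normalization an inline sensor can apply are two sides of the same mechanism, shown here in an added Python example (not course or product code). The HTTP request, its split into TCP segments, the sequence numbers and the byte pattern are constructed for illustration, and the reassembly policy is a deliberately simple first-wins overlap rule, not Snort's.

```python
"""
Added example (not Cisco course material): a per-packet matcher that an
attacker evades by splitting the payload across segments, beside an inline
sensor that reassembles (normalizes) the stream before matching. Segments are
constructed (sequence_number, bytes) pairs of one HTTP request.
"""

PATTERN = b"/etc/passwd"

# Constructed attack: the pattern never appears whole inside any one segment,
# and the segments are sent out of order.
SEGMENTS = [
    (1,  b"GET /cgi-bin/view?file=/etc"),        # 27 bytes, covers seq 1..27
    (28, b"/pas"),                                # 4 bytes, covers seq 28..31
    (32, b"swd HTTP/1.1\r\nHost: victim\r\n\r\n"),
]
SEND_ORDER = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[1]]


def per_packet_match(segments, pattern=PATTERN):
    """Inspect each segment on its own, as a sensor that does not reassemble
    streams effectively does. Returns sequence numbers of matching segments."""
    return [seq for seq, data in segments if pattern in data]


def reassemble(segments):
    """Rebuild the byte stream in sequence order. Bytes that overlap data
    already accepted are dropped (first-wins); a gap stops reassembly because
    the sensor cannot know what the target will eventually see there."""
    stream = b""
    expected = 1
    for seq, data in sorted(segments):
        if seq > expected:
            break                        # hole in the stream; wait for the rest
        keep = data[expected - seq:]     # trim overlap with already-seen bytes
        stream += keep
        expected += len(keep)
    return stream


def inline_ips(segments, pattern=PATTERN):
    """Inline sensor: normalize first, then match.
    Returns (blocked, reassembled_stream)."""
    stream = reassemble(segments)
    return (pattern in stream, stream)


if __name__ == "__main__":
    print("per-packet matches:", per_packet_match(SEND_ORDER))
    blocked, stream = inline_ips(SEND_ORDER)
    print("inline IPS blocks:", blocked)
    print(stream.decode())
```

The per-packet matcher reports nothing for the split request, while the inline path rebuilds `GET /cgi-bin/view?file=/etc/passwd ...` and blocks it. The overlap trimming in `reassemble` is the part that matters for evasion: if the sensor and the target resolved overlapping bytes differently, the attacker could show the sensor one stream and the target another.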

IPS Disadvantages

Disadvantages of an IPS include:

 Because it is deployed inline, errors, failure, and overwhelming the IPS sensor with too much traffic can have a negative effect on network performance.

 An IPS sensor can affect network performance by introducing latency and jitter.

 An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not adversely affected.

Deployment Considerations

You can deploy both an IPS and an IDS. Using one of these technologies does not negate the use of the other. In fact, IDS and IPS technologies can complement each other.

For example, an IDS can be implemented to validate IPS operation because the IDS can be configured for deeper packet inspection offline, where the extra processing costs no forwarding latency. This allows the IPS to focus on fewer but more critical traffic patterns inline.

Deciding which implementation to use is based on the security goals of the organization as stated in their network security policy.

IPS Implementations

11.2.1 Types of IPS

There are two primary kinds of IPS available: host-based IPS and network-based IPS.

Host-based IPS

Host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious activity. A significant advantage of HIPS is that it can monitor and protect operating system and critical system processes that are specific to that host. With detailed knowledge of the operating system, HIPS can monitor abnormal activity and prevent the host from executing commands that do not match typical behavior. This suspicious or malicious behavior might include unauthorized registry updates, changes to the system directory, executing installation programs, and activities that cause buffer overflows. Network traffic can also be monitored to prevent the host from participating in a denial-of-service (DoS) attack or being part of an illicit FTP session.

HIPS can be thought of as a combination of antivirus software, antimalware software, and a firewall. An example of a HIPS is Windows Defender. It provides a range of protection measures for Windows hosts. Combined with a network-based IPS, HIPS is an effective tool in providing additional protection for the host.

A disadvantage of HIPS is that it operates only at a local level. It does not have a complete view of the network, or of coordinated events that might be happening across the network. To be effective in a network, HIPS must be installed on every host and have support for every operating system. The table lists the advantages and disadvantages of HIPS.

Advantages                                                      Disadvantages

 Provides protection specific to a host operating system       Operating system dependent
 Provides operating system and application level protection    Must be installed on all hosts
 Protects the host after the message is decrypted

Network-based IPS

A network-based IPS can be implemented using a dedicated or non-dedicated IPS device such as a router. Network-based IPS implementations are a critical component of intrusion prevention. Host-based IDS/IPS solutions must be integrated with a network-based IPS implementation to ensure a robust security architecture.

Sensors detect malicious and unauthorized activity in real time and can take action when required. As shown in the figure, sensors are deployed at designated network points. This enables security managers to monitor network activity while it is occurring, regardless of the location of the attack target.

The figure shows a cloud labeled untrusted network connected to a firewall. The firewall has a connection to a sensor that has a web server and DNS server attached to it. The firewall also connects to another sensor that has a management server and router attached. The router has another connection to another sensor that connects to laptops. The router, sensor, and laptops are within a box labeled corporate network.

Sample IPS Sensor Deployment


11.2.2 Network-Based IPS

Network-based IPS sensors can be implemented in several ways:

 On a Cisco Firepower appliance

 On an ASA firewall device

 On an ISR router

 As a virtual Next-Generation IPS (NGIPSv) for VMware

An example of a network-based IPS is the Cisco Firepower NGIPS. It is tuned for intrusion prevention analysis. The underlying operating system of the platform is stripped of unnecessary network services, and essential services are secured. This is known as hardening.

The hardware of all network-based sensors includes three components:

 NIC - The network-based IPS must be able to connect to any network, such as Ethernet, Fast Ethernet, and Gigabit Ethernet.

 Processor - Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.

 Memory - Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network-based IPS to efficiently and accurately detect an attack.

Network-based IPS gives security managers real-time security insight into their networks regardless of growth. Additional hosts can be added to protected networks without requiring more sensors. Additional sensors are only required when their rated traffic capacity is exceeded, when their performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries. When new networks are added, additional sensors are easy to deploy.

11.2.3 Modes of Deployment

IDS and IPS sensors can operate in inline mode (also known as inline interface pair mode) or promiscuous mode (also known as passive mode).

As shown in the figure, packets do not flow through the sensor in promiscuous mode. The sensor analyzes a copy of the monitored traffic, not the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow of the forwarded traffic. The disadvantage of operating in promiscuous mode is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices (for example, routers and firewalls) to respond to an attack. Such response actions can prevent some classes of attacks. However, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router). In the figure, Switched Port Analyzer (SPAN) is used to mirror the traffic entering, going to, and coming from the host.

The figure shows an IDS sensor operating in promiscuous mode.

Promiscuous Mode

As shown in the figure below, operating in inline mode puts the IPS directly into the traffic flow and makes packet-forwarding rates slower by adding latency. Inline mode allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on Layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop or block attacks that would pass through a traditional firewall device. An IDS sensor could also be deployed inline. The IDS would be configured so that it only sends alerts and does not drop any packets.

IPS on Cisco ISRs

11.3.1 IPS Components

An IPS sensor has two components:

 IPS detection and enforcement engine - To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.

 IPS attack signature package - This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures.

As shown in the figure, the IPS detection and enforcement engine that can be implemented depends on the router platform:

 Cisco IOS Intrusion Prevention System (IPS) - This is available on older Cisco 800, 1900, 2900, and 3900 Series ISRs. IOS IPS is no longer supported and should not be used.

 Cisco Snort IPS - This is available on the Cisco 4000 Series ISRs and Cisco Cloud Services Routers in the 1000v Series.

The Cisco Snort IPS delivers traditional intrusion detection and prevention by comparing network traffic to continually updated databases of known malware and threat signatures. The Cisco IOS IPS signatures are no longer updated.

The figure depicts IOS IPS as available on Cisco 800, 1900, 2900, and 3900 Series ISRs. The figure also depicts Snort IPS as available on the Cisco 4000 Series ISRs and Cisco Cloud Services Routers in the 1000v Series.

Cisco IPS Options

11.3.2 Cisco IOS IPS

Enabling a router to work as an IPS is a cost-effective way to protect branch office networks. Rather than purchasing a router and a dedicated IPS device, combining the functionalities in one device not only saves money but also simplifies network designs and administration.

In the past, a Cisco ISR could be enabled as an IPS sensor that scanned packets and sessions to match any of the Cisco IOS IPS signatures. The legacy Cisco IOS IPS operated in RAM as illustrated in the figure. This means that it shared device memory with other Cisco IOS features.

When Cisco IOS IPS detected suspicious activity, it responded before network security could be compromised. It logged the event as Cisco IOS syslog messages or through Security Device Event Exchange (SDEE).

The network administrator could configure the Cisco IOS IPS to choose the appropriate response to various threats. For example, when packets in a session matched a signature, Cisco IOS IPS could be configured to respond as follows:

 Send an alarm to a syslog server or a centralized management interface

 Drop the packet

 Reset the connection

 Deny traffic from the source IP address of the threat for a specified amount of time

 Deny traffic on the connection for which the signature was seen for a specified amount of time

The figure is a representation of a router indicating that IOS and IOS IPS run in RAM on Cisco 800, 1900, 2900, and 3900 Series ISRs.

Cisco IOS IPS

11.3.3 Snort IPS

Many of the devices that supported Cisco IOS IPS are no longer available, or no longer supported. The newer Cisco 4000 Series Integrated Services Routers (ISR) no longer support IOS IPS. Instead, they provide IPS services using the Snort IPS feature. Snort IPS complements existing network security features of the 4000 Series without the need to deploy a second appliance at branch locations.

Snort is the most widely deployed IPS solution in the world. It is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content searching or matching, and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and so on.

The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs. A virtual service container is a virtual machine that runs on the ISR router operating system. Service containers are applications that can be hosted directly on Cisco IOS XE routing platforms. These apps use the Linux aspects of the IOS XE operating system to host both Linux Containers (LXC) and Kernel-based Virtual Machines (KVM). The Snort container is distributed as an Open Virtual Appliance (OVA) file that is installed on the router.

Unlike IOS IPS, Snort IPS can use the compute power of the service container to scale security with the platform without affecting routing capabilities or other data plane functionality. The virtual service supports three resource profiles that indicate how the Snort container uses system CPU, RAM, and flash or disk resources.

The figure is a representation of a router indicating that the Snort container runs in RAM along with the IOS on Cisco 4000 Series ISRs.

Snort IPS
11.3.4 Snort Operation

Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. There are currently more than 30,000 signatures in the Snort rule set. It also supports the ability to customize rule sets and provides centralized deployment and management capabilities for 4000 Series ISRs.

Snort can be enabled in either of the following modes:

 IDS mode - Snort inspects the traffic and reports alerts, but does not take any action to prevent attacks.

 IPS mode - In addition to intrusion detection, actions are taken to prevent attacks.

In the network intrusion detection and prevention mode, Snort performs the following actions:

 Monitors network traffic and analyzes it against a defined rule set.

 Performs attack classification.

 Invokes actions against matched rules.

The Snort IPS monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging to the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools that support Snort logs can be used for log collection and analysis.

11.3.5 Snort Features

The table lists the features and benefits of Snort IPS.

Feature: Signature-based intrusion detection system (IDS) and intrusion prevention system (IPS)
Benefit: Snort open-source IPS, capable of performing real-time traffic analysis and packet logging on IP networks, runs on the 4000 Series ISR service container without the need to deploy an additional device at the branch.

Feature: Snort rule set updates
Benefit: Snort rule set updates for 4000 Series ISRs are generated by Cisco Talos, a group of leading-edge network security experts who work around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware, and vulnerabilities.

Feature: Snort rule set pull
Benefit: The router is able to download rule sets directly from cisco.com or snort.org to a local server, using one-time commands or periodic automated updates.

Feature: Snort rule set push
Benefit: A centralized management tool can push the rule sets based on preconfigured policy, instead of the router directly downloading on its own.

Feature: Signature allowed listing
Benefit: Allowed listing allows the disabling of certain signatures from the rule set. Disabled signatures can be reenabled at any time.

11.3.6 Snort System Requirements

To run the service container infrastructure with IDS/IPS functionality, Snort IPS requires an ISR 4000 (i.e., 4300 or higher) with a minimum of 8 GB of memory (DRAM) and 8 GB of flash.

Note: The Cisco 4200 Series ISR does not support the default Snort IPS implementation.

A security K9 license (SEC) is required to activate Snort IPS functionality. Customers also need to purchase a yearly subscription for the signature package distributed on cisco.com. To keep current with the latest threat protection, Snort rule sets are term-based subscriptions, available for one or three years.

There are two types of term-based subscriptions:

 Community Rule Set - This set offers limited coverage against threats, focusing on reactive response to security threats versus proactive research work. There is 30-day delayed access to updated signatures in the Community Rule Set, and this subscription does not entitle the customer to Cisco support.

 Subscriber Rule Set - This set offers the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.

PulledPork is a rule management application that can be used to automatically download Snort rule updates. In order to use PulledPork, you must obtain an authorization code, called an oinkcode, from your snort.org account. The oinkcode is free with registration.

Cisco Switched Port Analyzer

11.4.1 Network Monitoring Methods

The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth usage, and resource access. Together, these patterns identify normal network behavior. Security analysts must be intimately familiar with normal network behavior because abnormal network behavior typically indicates a problem.

To determine normal network behavior, network monitoring must be implemented. Various tools are used to help discover normal network behavior, including IDS, packet analyzers, SNMP, NetFlow, and others.

Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices:

 Network taps, sometimes known as test access points (TAPs)

 Traffic mirroring using Switched Port Analyzer (SPAN) or other port mirroring approaches

11.4.2 Network Taps

A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination.

The figure displays a sample topology showing a tap installed between a network firewall and the internal router.

Notice how the tap simultaneously sends both the transmit (TX) data stream from the internal router and the receive (RX) data stream to the internal router on separate, dedicated channels. This ensures that all data arrives at the monitoring device in real time. Therefore, network performance is not affected or degraded by monitoring the connection.

Taps are also typically fail-safe, which means if a tap fails or loses power, traffic between the firewall and internal router is not affected.

Search the internet for information on NetScout Taps for copper UTP Ethernet, fiber Ethernet, and serial links.

11.4.3 Traffic Mirroring and SPAN

Network switches segment the network by design. This limits the amount of traffic that is visible to network monitoring devices. Because capturing data for network monitoring requires all traffic to be captured, special techniques must be employed to bypass the network segmentation imposed by network switches. Port mirroring is one of these techniques. Supported by many enterprise switches, port mirroring enables the switch to copy frames that are received on one or more ports to a Switched Port Analyzer (SPAN) port that is connected to an analysis device.

The table identifies and describes terms used by the SPAN feature.

SPAN Term                 Description

Ingress traffic           Traffic that enters the switch.

Egress traffic            Traffic that leaves the switch.

Source (SPAN) port        A port that is monitored; traffic entering it (and, if configured, leaving it) is replicated (mirrored) to the destination port.

Destination (SPAN) port   A port that receives the mirrored copy of the traffic from the source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.

The figure shows a switch that interconnects two hosts and mirrors traffic to an intrusion detection device (IDS) and network management server.

The network diagram shows a switch positioned in the network with two source SPAN ports and a single destination SPAN port.

SPAN

The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 that connects to an IDS.

The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored. On some Cisco switches, session traffic can be copied to more than one destination port. Alternatively, a source VLAN can be specified in which all ports in the source VLAN become sources of SPAN traffic. Each SPAN session can have ports or VLANs as sources, but not both.

Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.

11.4.4 Configure Cisco SPAN

The SPAN feature on Cisco switches sends a copy of each frame entering the source port out the destination port and toward the packet analyzer or IDS.

A session number is used to identify a SPAN session. The examples show the monitor session command, which is used to associate a source port and a destination port with a SPAN session. A separate monitor session command is used for each session. A VLAN can be specified instead of a physical port.

In the figure below, PCA is connected to F0/1 and an IDS is connected to F0/2. The objective is to capture all the traffic that is sent or received by PCA on port F0/1 and send a copy of those frames to the IDS (or a packet analyzer) on port F0/2. The SPAN session on the switch will copy all the traffic that it sends and receives on source port F0/1 to the destination port F0/2.

Cisco SPAN Configuration

The show monitor command is used to verify the SPAN session. The command displays the type of the session, the source ports for each traffic direction, and the destination port. In the example below, the session number is 1, the source port for both traffic directions is F0/1, and the destination port is F0/2. Ingress SPAN is disabled on the destination port, which means the switch does not accept and forward frames arriving from the IDS on F0/2; the port only transmits the mirrored copies toward the IDS. This is the setting to expect for a passive sensor, since it keeps the destination port from becoming a path back into the network.
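Verifying the session is the step most worth automating. The following is an added Python example, not Cisco code: it parses the text of show monitor and checks that the session described above mirrors F0/1 in both directions to F0/2 with ingress disabled. The show monitor text inside the block is a constructed sample in the layout Catalyst switches print (real spacing may differ, so the parser keys on the labels, not on column positions); the two monitor session commands quoted in its docstring are the standard Cisco IOS syntax for that session.

```python
"""
Added example (not Cisco course material): parse `show monitor` text and
confirm a SPAN session does what the operator intended. SHOW_MONITOR is a
constructed sample in the layout Catalyst switches print.

The session it checks corresponds to this configuration (Cisco IOS, entered
in global configuration mode):
    monitor session 1 source interface fastethernet 0/1
    monitor session 1 destination interface fastethernet 0/2
"""
import re

SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1
Destination Ports      : Fa0/2
    Encapsulation      : Native
          Ingress      : Disabled
"""


def parse_show_monitor(text):
    """Return {session_number: {"type", "sources": {direction: [ports]},
    "destinations": [ports], "ingress"}} keyed on the printed labels."""
    sessions, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Session (\d+)$", line)
        if m:
            current = sessions.setdefault(
                int(m.group(1)),
                {"type": None, "sources": {}, "destinations": [], "ingress": None})
            section = None
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Type":
            current["type"] = value
        elif key == "Source Ports":
            section = "sources"
        elif key == "Destination Ports":
            section = "destinations"
            current["destinations"] = [p.strip() for p in value.split(",") if p.strip()]
        elif section == "sources" and key in ("Both", "RX Only", "TX Only"):
            current["sources"][key] = [p.strip() for p in value.split(",") if p.strip()]
        elif key == "Ingress":
            current["ingress"] = value
    return sessions


def span_session_ok(sessions, number, source, destination):
    """True when session `number` is a local session that mirrors `source`
    in both directions to exactly `destination`, with ingress disabled on the
    destination so the sensor port cannot inject traffic into the network."""
    s = sessions.get(number)
    if s is None or s["type"] != "Local Session":
        return False
    if source not in s["sources"].get("Both", []):
        return False
    if s["destinations"] != [destination]:
        return False
    return s["ingress"] == "Disabled"


if __name__ == "__main__":
    sessions = parse_show_monitor(SHOW_MONITOR)
    print(sessions)
    print("session 1 ok:", span_session_ok(sessions, 1, "Fa0/1", "Fa0/2"))
```

A session that monitors only one direction ("RX Only" or "TX Only"), sends to a different port, or has ingress enabled fails the check; the last case is the one to watch for, because an IDS port that can forward into the switch is no longer purely passive.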
Note: Remote SPAN (RSPAN) can be used when the packet analyzer or IDS is on a different switch than the traffic being monitored. RSPAN extends SPAN by enabling remote monitoring of multiple switches across the network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated (for that RSPAN session) in all participating switches.

11.4.5 Syntax Checker - Configure and Verify SPAN

Use this Syntax Checker to configure and verify SPAN.

IPS Technologies Summary

11.5.1 What Did I Learn in this Module?

IDS and IPS Characteristics

Malware is an ever-increasing threat to network security. New network attacks occur daily. The threat landscape is constantly evolving. Monitoring network logs is one way to know that an exploit has occurred. But by then it is too late. IDS and IPS make up part of a multi-layered approach to network security. IDS work offline to detect malicious traffic through traffic mirroring. IDS can alert security personnel about a potential attack. While the IDS does nothing to stop network attacks, it has no effect on network performance. IPS devices work inline to prevent network attacks; however, they can add latency and slow network performance. IDS and IPS devices can be routers equipped with IPS software, dedicated devices, or hardware modules installed in adaptive security appliances, switches or routers.

IPS Implementations

Intrusion prevention systems can be host-based or network-based. HIPS are installed on network hosts. They monitor activity on the host and can prevent attacks and log suspicious activity. HIPS are like a combination of antimalware and firewall software. HIPS have mostly a local view of the network and are only an effective solution if they are used on all hosts. In addition, they should not be the only security measure taken in a network, but instead are just one layer of security.

NIPS can be implemented using a dedicated device or a router with IPS software. Network-based IPS act in real time to block malicious software and network attacks. Network-based IPS can be deployed in two modes. In promiscuous mode, they function as IDS by monitoring mirrored traffic. While they can't stop network attacks, they can alert personnel and log information when attacks occur. An inline mode IPS processes all traffic that enters a network and checks that traffic at Layers 3 to 7. IPS can also check the contents of payloads that are carried in network traffic, such as email attachments. Because inline mode puts the IPS directly into the traffic flow, it makes packet-forwarding rates slower by adding latency. Inline mode allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target.

IPS on Cisco ISRs

Enabling IPS functionality on routers at the branch level is a cost-effective way to protect networks with a single device. The IPS detection and enforcement engine that ran on legacy router platforms was the Cisco IOS IPS. However, the Cisco IOS IPS is no longer supported. For the 4000 Series ISR, the Cisco Snort IPS has replaced the IOS IPS. Snort runs in a virtual container on the router hardware. The IPS function does not affect the traffic forwarding functions of the router. When running as an IPS, Snort monitors network traffic and analyzes it against a defined rule set. Snort can classify attacks by type, and can perform actions against the traffic such as sending alerts, logging events, and acting against traffic when attack signatures are matched. Snort can be configured to automatically update its rules from an internet source such as Cisco or snort.org. Problematic signatures can be disabled, and custom rules created. Snort is intended to be run on 4300 ISR and above. It requires 8 GB of DRAM and 8 GB of flash to run. Resource profiles can be configured to control how Snort uses ISR system resources.

Cisco Switched Port Analyzer

SPAN is a technology that enables network monitoring and IDS to function in segmented networks. Network traffic is mirrored from source ports or VLANs to a destination port or VLAN that is connected to the monitoring device or IDS. Traffic from the source ports is copied and sent to the destination port. Traffic that enters the switch is called ingress traffic, and traffic that exits the switch is called egress traffic. Source ports carry the traffic that is to be monitored, and destination ports are connected to the monitoring devices. The monitored traffic is copied and sent out of the destination port. The configuration of SPAN entails defining the source and destination switch ports.
