O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Intrusion Prevention Fundamentals

Intrusion Prevention Fundamentals

by Jonathan Hogue, Earl Carter
Publisher: Cisco Press
Release Date: January 2006
ISBN: 1587052393
View table of contents
Start reading

Book Description

An introduction to network attack mitigation with IPS

  • Where did IPS come from? How has it evolved?

  • How does IPS work? What components does it have?

  • What security needs can IPS address?

  • Does IPS work with other security products? What is the “big picture”?

  • What are the best practices related to IPS?

  • How is IPS deployed, and what should be considered prior to a deployment?

Intrusion Prevention Fundamentals offers an introduction and in-depth overview of Intrusion Prevention Systems (IPS) technology. Using real-world scenarios and practical case studies, this book walks you through the lifecycle of an IPS project–from needs definition to deployment considerations. Implementation examples help you learn how IPS works, so you can make decisions about how and when to use the technology and understand what “flavors” of IPS are available. The book will answer questions like:

Whether you are evaluating IPS technologies or want to learn how to deploy and manage IPS in your network, this book is an invaluable resource for anyone who needs to know how IPS technology works, what problems it can or cannot solve, how it is deployed, and where it fits in the larger security marketplace.

  • Understand the types, triggers, and actions of IPS signatures

  • Deploy, configure, and monitor IPS activities and secure IPS communications

  • Learn the capabilities, benefits, and limitations of host IPS

  • Examine the inner workings of host IPS agents and management infrastructures

  • Enhance your network security posture by deploying network IPS features

  • Evaluate the various network IPS sensor types and management options

  • Examine real-world host and network IPS deployment scenarios

This book is part of the Cisco Press® Fundamentals Series. Books in this series introduce networking professionals to new networking technologies, covering network topologies, example deployment concepts, protocols, and management techniques.

Includes a FREE 45-Day Online Edition

Table of Contents

  1. Copyright
    1. Dedications
  2. About the Authors
  3. About the Technical Reviewers
  4. Acknowledgments
  5. Icons Used in This Book
    1. Command Syntax Conventions
    2. Introduction
      1. Goals and Methods
      2. This Book’s Audience
      3. How This Book Is Organized
  6. I. Intrusion Prevention Overview
    1. 1. Intrusion Prevention Overview
      1. Evolution of Computer Security Threats
        1. Technology Adoption
          1. Client-Server Computing
          2. The Internet
          3. Wireless Connectivity
          4. Mobile Computing
        2. Target Value
          1. Information Theft
          2. Zombie Systems
        3. Attack Characteristics
          1. Attack Delivery Mechanism
          2. Attack Complexity
          3. Attack Target
          4. Attack Impact
        4. Attack Examples
          1. Replacement Login
          2. The Morris Worm
          3. CIH Virus
          4. Loveletter Virus
          5. Nimda
          6. SQL Slammer
      2. Evolution of Attack Mitigation
        1. Host
          1. Antivirus
          2. Personal Firewalls
          3. Host-Based Intrusion Detection
        2. Network
          1. System Log Analysis
          2. Promiscuous Monitoring
          3. Inline Prevention
      3. IPS Capabilities
        1. Attack Prevention
        2. Regulatory Compliance
      4. Summary
        1. Technology Adoption
        2. Target Value
        3. Attack Characteristics
    2. 2. Signatures and Actions
      1. Signature Types
        1. Atomic Signatures
          1. Atomic Signature Considerations
          2. Host-Based Examples
          3. Network-Based Examples
        2. Stateful Signatures
          1. Stateful Signature Considerations
          2. Host-Based Examples
          3. Network-Based Examples
      2. Signature Triggers
        1. Pattern Detection
          1. Pattern Matching Considerations
          2. Host-Based Examples
          3. Network-Based Examples
        2. Anomaly-Based Detection
          1. Anomaly-Based Detection Considerations
          2. Host-Based Examples
          3. Network-Based Examples
        3. Behavior-Based Detection
          1. Behavior-Based Detection Considerations
          2. Host-Based Examples
          3. Network-Based Examples
      3. Signature Actions
        1. Alert Signature Action
          1. Atomic Alerts
          2. Summary Alerts
        2. Drop Signature Action
        3. Log Signature Action
        4. Block Signature Action
        5. TCP Reset Signature Action
        6. Allow Signature Action
      4. Summary
    3. 3. Operational Tasks
      1. Deploying IPS Devices and Applications
        1. Deploying Host IPS
          1. Threat Posed by Known Exploits
          2. Criticality of the Systems
          3. Accessibility of the Systems
          4. Security Policy Requirements
          5. Identifying Unprotected Systems
        2. Deploying Network IPS
          1. Security Policy Requirements
          2. Maximum Traffic Volume
          3. Number and Placement of Sensors
          4. Business Partner Links
          5. Remote Access
          6. Identifying Unprotected Segments
      2. Configuring IPS Devices and Applications
        1. Signature Tuning
        2. Event Response
          1. Deny
          2. Alert
          3. Block
          4. Log
        3. Software Updates
        4. Configuration Updates
        5. Device Failure
          1. Inline Sensor Failure
          2. Management Console Failure
      3. Monitoring IPS Activities
        1. Management Method
        2. Event Correlation
        3. Security Staff
        4. Incident Response Plan
      4. Securing IPS Communications
        1. Management Communication
          1. Out-of-Band Management
          2. Secure Protocols
        2. Device-to-Device Communication
      5. Summary
    4. 4. Security in Depth
      1. Defense-in-Depth Examples
        1. External Attack Against a Corporate Database
          1. Layer 1: The Internet Perimeter Router
          2. Layer 2: The Internet Perimeter Firewall
          3. Layer 3: The DMZ Firewall
          4. Layer 4: Network IPS
          5. Layer 5: NetFlow
          6. Layer 6: Antivirus
          7. Layer 7: Host IPS
        2. Internal Attack Against a Management Server
          1. Layer 1: The Switch
          2. Layer 2: Network IPS
          3. Layer 3: Encryption
          4. Layer 4: Strong Authentication
          5. Layer 5: Host IPS
      2. The Security Policy
      3. The Future of IPS
        1. Intrinsic IPS
        2. Collaboration Between Layers
          1. Enhanced Accuracy
          2. Better Detection Capability
          3. Automated Configuration and Response
      4. Summary
  7. II. Host Intrusion Prevention
    1. 5. Host Intrusion Prevention Overview
      1. Host Intrusion Prevention Capabilities
        1. Blocking Malicious Code Activities
        2. Not Disrupting Normal Operations
        3. Distinguishing Between Attacks and Normal Events
        4. Stopping New and Unknown Attacks
        5. Protecting Against Flaws in Permitted Applications
      2. Host Intrusion Prevention Benefits
        1. Attack Prevention
        2. Patch Relief
        3. Internal Attack Propagation Prevention
        4. Policy Enforcement
        5. Acceptable Use Policy Enforcement
        6. Regulatory Requirements
      3. Host Intrusion Prevention Limitations
        1. Subject to End User Tampering
        2. Lack of Complete Coverage
        3. Attacks That Do Not Target Hosts
      4. Summary
      5. References in This Chapter
    2. 6. HIPS Components
      1. Endpoint Agents
        1. Identifying the Resource Being Accessed
          1. Network
          2. Memory
          3. Application Execution
          4. Files
          5. System Configuration
          6. Additional Resource Categories
        2. Gathering Data About the Operation
          1. How Data Is Gathered
            1. Kernel Modification
            2. System Call Interception
            3. Virtual Operating Systems
            4. Network Traffic Analysis
          2. What Data Is Gathered
        3. Determining the State
          1. Location State
          2. User State
          3. System State
        4. Consulting the Security Policy
          1. Anomaly-Based
          2. Atomic Rule-Based
          3. Pattern-Based
          4. Behavioral
          5. Access Control Matrix
        5. Taking Action
      2. Management Infrastructure
        1. Management Center
          1. Database
          2. Event and Alert Handler
          3. Policy Management
        2. Management Interface
      3. Summary
  8. III. Network Intrusion Prevention
    1. 7. Network Intrusion Prevention Overview
      1. Network Intrusion Prevention Capabilities
        1. Dropping a Single Packet
        2. Dropping All Packets for a Connection
        3. Dropping All Traffic from a Source IP
      2. Network Intrusion Prevention Benefits
        1. Traffic Normalization
        2. Security Policy Enforcement
      3. Network Intrusion Prevention Limitations
      4. Hybrid IPS/IDS Systems
      5. Shared IDS/IPS Capabilities
        1. Generating Alerts
        2. Initiating IP Logging
          1. Logging Attacker Traffic
          2. Logging Victim Traffic
          3. Logging Traffic Between Attacker and Victim
        3. Resetting TCP Connections
        4. Initiating IP Blocking
      6. Summary
    2. 8. NIPS Components
      1. Sensor Capabilities
        1. Sensor Processing Capacity
        2. Sensor Interfaces
        3. Sensor Form Factor
          1. Standalone Appliance Sensors
          2. Blade-Based Sensors
          3. IPS Software Integrated into the OS on Infrastructure Devices
      2. Capturing Network Traffic
        1. Capturing Traffic for In-line Mode
        2. Capturing Traffic for Promiscuous Mode
          1. Traffic Capture Devices
          2. Cisco Switch Capture Mechanisms
      3. Analyzing Network Traffic
        1. Atomic Operations
        2. Stateful Operations
        3. Protocol Decode Operations
        4. Anomaly Operations
        5. Normalizing Operations
      4. Responding to Network Traffic
        1. Alerting Actions
        2. Logging Actions
        3. Blocking Actions
        4. Dropping Actions
      5. Sensor Management and Monitoring
        1. Small Sensor Deployments
        2. Large Sensor Deployments
      6. Summary
  9. IV. Deployment Solutions
    1. 9. Cisco Security Agent Deployment
      1. Step1: Understand the Product
        1. Components
          1. Cisco Security Agents
          2. CSA Management
        2. Capabilities
      2. Step 2: Predeployment Planning
        1. Review the Security Policy
        2. Define Project Goals
          1. Balance
          2. Problems to Solve
        3. Select and Classify Target Hosts
          1. Select Target Hosts
          2. Classify Selected Hosts
        4. Plan for Ongoing Management
        5. Choose the Appropriate Management Architecture
      3. Step 3: Implement Management
        1. Install and Secure the CSA MC
        2. Understand the MC
        3. Configure Groups
          1. Policy Groups
          2. Secondary Groups
        4. Configure Policies
      4. Step 4: Pilot
        1. Scope
        2. Objectives
      5. Step 5: Tuning
      6. Step 6: Full Deployment
      7. Step 7: Finalize the Project
      8. Summary
        1. Understand the Product
        2. Predeployment Planning
      9. Implement Management
        1. Pilot
        2. Tuning
        3. Full Deployment
        4. Finalize the Project
    2. 10. Deploying Cisco Network IPS
      1. Step 1: Understand the Product
        1. Sensors Available
          1. Cisco IPS 4200 Series Appliance Sensors
          2. Cisco Catalyst 6500 Series IDS Module
          3. Cisco IDS Network Module
          4. Cisco IOS IPS Sensors
        2. In-Line Support
        3. Management and Monitoring Options
          1. Command-Line Interface
          2. IPS Device Manager
          3. CiscoWorks Management Center for IPS Sensors
          4. CS-MARS
        4. NIPS Capabilities
        5. Signature Database and Update Schedule
      2. Step 2: Predeployment Planning
        1. Review the Security Policy
        2. Define Deployment Goals
          1. Security Posture
          2. Problems to Solve
        3. Select and Classify Sensor Deployment Locations
          1. Austin Headquarters Site
          2. Large Sales Office Sites
          3. Manufacturing Sites
          4. Small Sales Office Sites
        4. Plan for Ongoing Management
        5. Choose the Appropriate Management Architecture
      3. Step 3: Sensor Deployment
        1. Understand Sensor CLI and IDM
        2. Install Sensors
          1. Configuring the Sensor
          2. Cabling the Sensor
        3. Install and Secure the IPS MC and Understand the Management Center
      4. Step 4: Tuning
        1. Identify False Positives
        2. Configure Signature Filters
        3. Configure Signature Actions
      5. Step 5: Finalize the Project
      6. Summary
        1. Understand the Product
        2. Predeployment Planning
        3. Sensor Deployment
        4. Tuning
        5. Finalize the Project
    3. 11. Deployment Scenarios
      1. Large Enterprise
        1. Limiting Factors
        2. Security Policy Goals
        3. HIPS Implementation
          1. Target Hosts
          2. Management Architecture
          3. Agent Configuration
        4. NIPS Implementation
          1. Sensor Deployment
          2. NIPS Management
      2. Branch Office
        1. Limiting Factors
        2. Security Policy Goals
        3. HIPS Implementation
          1. Target Hosts
          2. Management Architecture
          3. Agent Configuration
        4. NIPS Implementation
          1. Sensor Deployment
          2. NIPS Management
      3. Medium Financial Enterprise
        1. Limiting Factors
        2. Security Policy Goals
        3. HIPS Implementation
          1. Target Hosts
          2. Management Architecture
          3. Agent Configuration
        4. NIPS Implementation
          1. Sensor Deployment
          2. NIPS Management
      4. Medium Educational Institution
        1. Limiting Factors
        2. Security Policy Goals
        3. HIPS Implementation
          1. Target Hosts
          2. Management Architecture
          3. Agent Configuration
        4. NIPS Implementation
          1. Sensor Deployment
          2. NIPS Management
      5. Small Office
        1. Limiting Factors
        2. Security Policy Goals
        3. HIPS Implementation
          1. Target Hosts
          2. Management Architecture
          3. Agent Configuration
        4. NIPS Implementation
      6. Home Office
        1. Limiting Factors
        2. Security Policy Goals
        3. HIPS Implementation
          1. Management Architecture
          2. Agent Configuration
        4. NIPS Implementation
      7. Summary
        1. Large Enterprise
        2. Branch Office
        3. Medium Financial Enterprise
        4. Medium Educational Institution
        5. Small Office
        6. Home Office
  10. V. Appendix
    1. A. Sample Request for Information (RFI) Questions
      1. Solution
      2. Support
      3. Training
      4. Licensing
      5. Network Intrusion Prevention
        1. Functionality
        2. Management
        3. Operations
        4. Compatibility
      6. Host Intrusion Prevention
        1. Functionality
        2. Management
        3. Operations
        4. Compatibility
  11. Glossary