book

Intrusion Prevention Fundamentals

Name: Intrusion Prevention Fundamentals
ISBN: 1587052393

by Earl Carter, Jonathan Hogue

January 2006

Beginner

312 pages

6h 37m

English

Cisco Press

Read now

Unlock full access

Copyright
Dedications
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Command Syntax ConventionsIntroductionGoals and MethodsThis Book’s AudienceHow This Book Is Organized
I. Intrusion Prevention Overview
1. Intrusion Prevention Overview
Evolution of Computer Security ThreatsTechnology AdoptionClient-Server ComputingThe InternetWireless ConnectivityMobile ComputingTarget ValueInformation TheftZombie SystemsAttack CharacteristicsAttack Delivery MechanismAttack ComplexityAttack TargetAttack ImpactAttack ExamplesReplacement LoginThe Morris WormCIH VirusLoveletter VirusNimdaSQL SlammerEvolution of Attack MitigationHostAntivirusPersonal FirewallsHost-Based Intrusion DetectionNetworkSystem Log AnalysisPromiscuous MonitoringInline PreventionIPS CapabilitiesAttack PreventionRegulatory ComplianceSummaryTechnology AdoptionTarget ValueAttack Characteristics
2. Signatures and Actions
Signature TypesAtomic SignaturesAtomic Signature ConsiderationsHost-Based ExamplesNetwork-Based ExamplesStateful SignaturesStateful Signature ConsiderationsHost-Based ExamplesNetwork-Based ExamplesSignature TriggersPattern DetectionPattern Matching ConsiderationsHost-Based ExamplesNetwork-Based ExamplesAnomaly-Based DetectionAnomaly-Based Detection ConsiderationsHost-Based ExamplesNetwork-Based ExamplesBehavior-Based DetectionBehavior-Based Detection ConsiderationsHost-Based ExamplesNetwork-Based ExamplesSignature ActionsAlert Signature ActionAtomic AlertsSummary AlertsDrop Signature ActionLog Signature ActionBlock Signature ActionTCP Reset Signature ActionAllow Signature ActionSummary
3. Operational Tasks
Deploying IPS Devices and ApplicationsDeploying Host IPSThreat Posed by Known ExploitsCriticality of the SystemsAccessibility of the SystemsSecurity Policy RequirementsIdentifying Unprotected SystemsDeploying Network IPSSecurity Policy RequirementsMaximum Traffic VolumeNumber and Placement of SensorsBusiness Partner LinksRemote AccessIdentifying Unprotected SegmentsConfiguring IPS Devices and ApplicationsSignature TuningEvent ResponseDenyAlertBlockLogSoftware UpdatesConfiguration UpdatesDevice FailureInline Sensor FailureManagement Console FailureMonitoring IPS ActivitiesManagement MethodEvent CorrelationSecurity StaffIncident Response PlanSecuring IPS CommunicationsManagement CommunicationOut-of-Band ManagementSecure ProtocolsDevice-to-Device CommunicationSummary
4. Security in Depth
Defense-in-Depth ExamplesExternal Attack Against a Corporate DatabaseLayer 1: The Internet Perimeter RouterLayer 2: The Internet Perimeter FirewallLayer 3: The DMZ FirewallLayer 4: Network IPSLayer 5: NetFlowLayer 6: AntivirusLayer 7: Host IPSInternal Attack Against a Management ServerLayer 1: The SwitchLayer 2: Network IPSLayer 3: EncryptionLayer 4: Strong AuthenticationLayer 5: Host IPSThe Security PolicyThe Future of IPSIntrinsic IPSCollaboration Between LayersEnhanced AccuracyBetter Detection CapabilityAutomated Configuration and ResponseSummary

II. Host Intrusion Prevention
5. Host Intrusion Prevention Overview
Host Intrusion Prevention CapabilitiesBlocking Malicious Code ActivitiesNot Disrupting Normal OperationsDistinguishing Between Attacks and Normal EventsStopping New and Unknown AttacksProtecting Against Flaws in Permitted ApplicationsHost Intrusion Prevention BenefitsAttack PreventionPatch ReliefInternal Attack Propagation PreventionPolicy EnforcementAcceptable Use Policy EnforcementRegulatory RequirementsHost Intrusion Prevention LimitationsSubject to End User TamperingLack of Complete CoverageAttacks That Do Not Target HostsSummaryReferences in This Chapter
6. HIPS Components
Endpoint AgentsIdentifying the Resource Being AccessedNetworkMemoryApplication ExecutionFilesSystem ConfigurationAdditional Resource CategoriesGathering Data About the OperationHow Data Is GatheredKernel ModificationSystem Call InterceptionVirtual Operating SystemsNetwork Traffic AnalysisWhat Data Is GatheredDetermining the StateLocation StateUser StateSystem StateConsulting the Security PolicyAnomaly-BasedAtomic Rule-BasedPattern-BasedBehavioralAccess Control MatrixTaking ActionManagement InfrastructureManagement CenterDatabaseEvent and Alert HandlerPolicy ManagementManagement InterfaceSummary
III. Network Intrusion Prevention
7. Network Intrusion Prevention Overview
Network Intrusion Prevention CapabilitiesDropping a Single PacketDropping All Packets for a ConnectionDropping All Traffic from a Source IPNetwork Intrusion Prevention BenefitsTraffic NormalizationSecurity Policy EnforcementNetwork Intrusion Prevention LimitationsHybrid IPS/IDS SystemsShared IDS/IPS CapabilitiesGenerating AlertsInitiating IP LoggingLogging Attacker TrafficLogging Victim TrafficLogging Traffic Between Attacker and VictimResetting TCP ConnectionsInitiating IP BlockingSummary
8. NIPS Components
Sensor CapabilitiesSensor Processing CapacitySensor InterfacesSensor Form FactorStandalone Appliance SensorsBlade-Based SensorsIPS Software Integrated into the OS on Infrastructure DevicesCapturing Network TrafficCapturing Traffic for In-line ModeCapturing Traffic for Promiscuous ModeTraffic Capture DevicesCisco Switch Capture MechanismsAnalyzing Network TrafficAtomic OperationsStateful OperationsProtocol Decode OperationsAnomaly OperationsNormalizing OperationsResponding to Network TrafficAlerting ActionsLogging ActionsBlocking ActionsDropping ActionsSensor Management and MonitoringSmall Sensor DeploymentsLarge Sensor DeploymentsSummary
IV. Deployment Solutions
9. Cisco Security Agent Deployment
Step1: Understand the ProductComponentsCisco Security AgentsCSA ManagementCapabilitiesStep 2: Predeployment PlanningReview the Security PolicyDefine Project GoalsBalanceProblems to SolveSelect and Classify Target HostsSelect Target HostsClassify Selected HostsPlan for Ongoing ManagementChoose the Appropriate Management ArchitectureStep 3: Implement ManagementInstall and Secure the CSA MCUnderstand the MCConfigure GroupsPolicy GroupsSecondary GroupsConfigure PoliciesStep 4: PilotScopeObjectivesStep 5: TuningStep 6: Full DeploymentStep 7: Finalize the ProjectSummaryUnderstand the ProductPredeployment PlanningImplement ManagementPilotTuningFull DeploymentFinalize the Project
10. Deploying Cisco Network IPS
Step 1: Understand the ProductSensors AvailableCisco IPS 4200 Series Appliance SensorsCisco Catalyst 6500 Series IDS ModuleCisco IDS Network ModuleCisco IOS IPS SensorsIn-Line SupportManagement and Monitoring OptionsCommand-Line InterfaceIPS Device ManagerCiscoWorks Management Center for IPS SensorsCS-MARSNIPS CapabilitiesSignature Database and Update ScheduleStep 2: Predeployment PlanningReview the Security PolicyDefine Deployment GoalsSecurity PostureProblems to SolveSelect and Classify Sensor Deployment LocationsAustin Headquarters SiteLarge Sales Office SitesManufacturing SitesSmall Sales Office SitesPlan for Ongoing ManagementChoose the Appropriate Management ArchitectureStep 3: Sensor DeploymentUnderstand Sensor CLI and IDMInstall SensorsConfiguring the SensorCabling the SensorInstall and Secure the IPS MC and Understand the Management CenterStep 4: TuningIdentify False PositivesConfigure Signature FiltersConfigure Signature ActionsStep 5: Finalize the ProjectSummaryUnderstand the ProductPredeployment PlanningSensor DeploymentTuningFinalize the Project
11. Deployment Scenarios
Large EnterpriseLimiting FactorsSecurity Policy GoalsHIPS ImplementationTarget HostsManagement ArchitectureAgent ConfigurationNIPS ImplementationSensor DeploymentNIPS ManagementBranch OfficeLimiting FactorsSecurity Policy GoalsHIPS ImplementationTarget HostsManagement ArchitectureAgent ConfigurationNIPS ImplementationSensor DeploymentNIPS ManagementMedium Financial EnterpriseLimiting FactorsSecurity Policy GoalsHIPS ImplementationTarget HostsManagement ArchitectureAgent ConfigurationNIPS ImplementationSensor DeploymentNIPS ManagementMedium Educational InstitutionLimiting FactorsSecurity Policy GoalsHIPS ImplementationTarget HostsManagement ArchitectureAgent ConfigurationNIPS ImplementationSensor DeploymentNIPS ManagementSmall OfficeLimiting FactorsSecurity Policy GoalsHIPS ImplementationTarget HostsManagement ArchitectureAgent ConfigurationNIPS ImplementationHome OfficeLimiting FactorsSecurity Policy GoalsHIPS ImplementationManagement ArchitectureAgent ConfigurationNIPS ImplementationSummaryLarge EnterpriseBranch OfficeMedium Financial EnterpriseMedium Educational InstitutionSmall OfficeHome Office
V. Appendix
A. Sample Request for Information (RFI) Questions
SolutionSupportTrainingLicensingNetwork Intrusion PreventionFunctionalityManagementOperationsCompatibilityHost Intrusion PreventionFunctionalityManagementOperationsCompatibility
Glossary

Content preview from Intrusion Prevention Fundamentals

Appendix . Glossary

access control list (ACL): A method that limits the use of a resource to authorized entities.
Address Resolution Protocol (ARP): A protocol that translates IP addresses to physical Ethernet addresses.
aggregation switch: A switch that you use to combine multiple traffic flows into a single flow. This single traffic flow can then be analyzed by your intrusion devices running in promiscuous mode. An aggregation switch is commonly used in conjunction with a network tap.
anomaly signature: A signature that triggers when a defined normal level is exceeded (for example, exceeding a defined amount of Internet Control Message Protocol [ICMP] traffic on the network).
atomic signature: A signature that triggers on the contents of a single packet or ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

The State of the Art in Intrusion Prevention and Detection

Publisher Resources

ISBN: 1587052393Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Intrusion Prevention Fundamentals

by Earl Carter, Jonathan Hogue

Appendix . Glossary

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.