Chapter 23: Implementing Cisco IDS and IPS
Concepts
- Intrusion Detection System (IDS) - Does not sit in the traffic path; cannot block traffic itself
- Intrusion Prevention System (IPS) - Sits in the traffic path; configured to actively deny malicious traffic
IDS/IPS categories:
- Network (NIDS/NIPS) - A dedicated device on the network; unable to assess the effectiveness of an attack
- Host (HIDS/HIPS) - Software running on end hosts
- Signature-based - Matches a specific byte pattern or content
- Policy-based - Configurable policy to allow or deny certain traffic types and sources/destinations
- Anomaly-based - Looks for traffic patterns which deviate from the norm
A honeypot is a device deployed with the intention of attracting attackers, possibly to distract them from legitimate devices.
Attack categories:
- Denial of Service (DoS) - An attack on resources such as bandwidth and CPU power
- Distributed DoS (DDoS) - A DoS attack sourced from multiple, likely spoofed sources
- Reconnaissance - An attempt to gather information about the network
Signatures:
- Exploit - A signature built to match a unique exploit
- Connection - Matches unusual connection characteristics or events
- String - Uses regular expressions to check for patterns in packets
- DoS - Tailored to detect denial of service attacks
Cisco IOS uses signatures stored in Signature Definition Files (SDFs). SDFs can be moved, modified, and merged together.
Signature reaction:
- Generate an alarm - Via syslog or SNMP; usually accompanied by other actions
- Drop the packet - Traffic is blocked
- Reset the connection - Only works with connection-oriented protocols (TCP)
- Time-limited block from source - All traffic from the source IP is blocked for a specified amount of time
- Time-limited block on connection - Blocks all traffic in a particular TCP session
Configuration
Specify the location of the SDF:
Router(config)# ip ips sdf {builtin | location}
Configure the failure parameter:
Router(config)# ip ips fail closed
Create an IPS rule:
Router(config)# ip ips name <name> [list <ACL>]
Apply the IPS rule to an interface:
Router(config-if)# ip ips <name> {in | out}
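The commands above assembled into one complete IOS IPS configuration, as an added example that is not part of the original notes; the SDF filename, the rule name OUTSIDE-IPS, ACL 101, the host address 192.0.2.10 and the interface FastEthernet0/0 are assumed placeholders.

```cisco
! Added example (not from the original notes): the IPS commands above in
! the order they are applied. Filename, rule name, ACL number, host
! address and interface are constructed placeholders.
!
! Load signatures from a named SDF on flash instead of the built-in set
ip ips sdf location flash:attack-drop.sdf
!
! Fail closed: if the signature engine cannot be built or loaded,
! drop traffic instead of forwarding it uninspected
ip ips fail closed
!
! The ACL selects what the IPS inspects: permitted traffic is inspected,
! denied traffic bypasses the IPS entirely (here a trusted scanner host)
access-list 101 deny   ip host 192.0.2.10 any
access-list 101 permit ip any any
!
! Create the IPS rule and tie it to the ACL
ip ips name OUTSIDE-IPS list 101
!
! Apply the rule to traffic arriving inbound on the Internet-facing interface
interface FastEthernet0/0
 description Internet-facing
 ip ips OUTSIDE-IPS in
 exit
!
! Verify the SDF location, fail mode, rule definition and interface binding
end
show ip ips configuration
```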
Verification
- show ip ips configuration