15.1 Key Terms
IPS = Intrusion prevention system. Intrusion prevention systems, primarily using signature matching, can alert administrators about an attack on the network and can prevent the initial packet from entering the network.
IDS = Intrusion detection system. Intrusion detection systems, primarily using signature matching, can alert administrators about an attack on the network, but cannot prevent the initial packet from entering the network.
risk rating = A quantitative rating of your network before security measures are put in place. The IOS IPS also uses a risk rating to calculate the potential danger of an attack.
attack severity rating = The amount of damage an attack can cause. It is used as one property of a signature inside of an IPS/IDS system.
target value rating (TVR) = User-defined variable in IPS/IDS of the criticality of a particular target if attacked.
signature fidelity rating = An IPS measurement of the degree of certainty that the signature correctly indicates the attack it is supposed to match.
15.2 Things to Remember
15.2.1 IDS Versus IPS
Position in the network flow:
IDS > Off to the side; the IDS is sent copies of the original packets.
IPS > Directly inline with the flow of network traffic; it touches every packet on its way through the network.
Also known as:
IDS > Promiscuous mode, out of band
IPS > Inline mode
Latency or delay:
IDS > Does not add delay to the original traffic because it is not inline.
IPS > Adds a small amount of delay before forwarding traffic through the network.
Impact caused by the sensor failing to forward packets:
IDS > There is no negative impact if the sensor goes down.
IPS > If the sensor goes down, traffic that would normally flow through the sensor could be impacted.
Ability to prevent malicious traffic from going into the network:
IDS > By itself, a promiscuous mode IDS cannot stop the original packet. Options do exist for a sensor in promiscuous mode to request assistance from another device that is inline, which may block future packets.
IPS > The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from another device to block future packets, just as the IDS does.
Normalization ability:
IDS > Because the IDS does not see the original packet, it cannot manipulate any original inline traffic.
IPS > Because the IPS is inline, it can normalize (manipulate or modify) traffic inline based on a current set of rules.
15.2.2 IPS/IDS Method Advantages and Disadvantages
Signature based
Advantages > Easy to configure, simple to implement.
Disadvantages > Does not detect attacks outside of the rules. May need to disable signatures that are creating false positives. Signatures must be updated periodically to be current.
Policy based
Advantages > Simple and reliable, very customizable; only allows policy-based traffic, which could deny unknown attacks because by default they fall outside of the policy being allowed.
Disadvantages > Policy must be manually created. Implementation of the policy is only as good as the signatures you manually create.
Anomaly based
Advantages > Self-configuring baselines; detects worms based on anomalies, even if specific signatures have not yet been created for that type of traffic.
Disadvantages > Difficult to accurately profile extremely large networks. May cause false positives based on significant changes in valid network traffic.
Reputation based
Advantages > Leverages enterprise and global correlation, providing information based on the experience of other systems. Early-warning system.
Disadvantages > Requires timely updates and participation in the correlation process.
15.2.3 Risk Rating (RR) Calculation Factors
Factor That Influences Risk Rating > Description
Target value rating (TVR) > The value that you as an administrator have assigned to specific destination IP addresses or subnets where the critical servers/devices live.
Signature fidelity rating (SFR) > The accuracy of the signature as determined by the person who created that signature.
Attack severity rating (ASR) > How critical the attack is as determined by the person who created that signature.
Attack relevancy (AR) > This is a minor contributor to the risk rating. A signature match destined to a host where the attack is relevant (for example, a Windows server-based attack going to the destination address of a known Windows server) is considered a relevant attack, and the risk rating increases slightly as a result.
Global correlation > If the sensor is participating in global correlation and receives information about specific source addresses that are being used to implement large-scale attacks, attacks coming from those source IP addresses are also given a slightly increased risk rating value.
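The following calculator is an added example, not part of these notes and not Cisco's code. It combines the five factors above into one score the way the notes describe: a large multiplicative term from ASR, TVR and SFR, plus small additive adjustments for attack relevancy and global correlation. The overall shape follows the equation Cisco publishes for its IPS sensors, but the TVR weights, the +10/-10 relevancy deltas, the watch-list bump and the sample configuration and events are assumptions chosen so the arithmetic is easy to follow.

```python
"""Illustrative IPS risk-rating calculator (added example, assumptions labelled)."""
import ipaddress
from dataclasses import dataclass

# Assumed weights for the administrator-assigned target value rating (TVR).
TVR_WEIGHTS = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# Assumed attack-relevancy deltas: small, because AR is only a minor contributor.
AR_RELEVANT, AR_NOT_RELEVANT, AR_UNKNOWN = 10, -10, 0


@dataclass
class SignatureMatch:
    sig_id: str
    asr: int          # attack severity rating (0-100), set by the signature author
    sfr: int          # signature fidelity rating (0-100), set by the signature author
    target_os: str    # operating system the signature's attack is relevant to
    src_ip: str
    dst_ip: str


def target_value(dst_ip, tvr_config, default="medium"):
    """Look up the TVR weight for a destination; tvr_config maps prefixes to levels."""
    addr = ipaddress.ip_address(dst_ip)
    for prefix, level in tvr_config.items():
        if addr in ipaddress.ip_network(prefix, strict=False):
            return TVR_WEIGHTS[level]
    return TVR_WEIGHTS[default]


def attack_relevancy(match, host_os):
    """+10 when the destination runs the OS the attack targets, -10 when it is
    known to run something else, 0 when the sensor has no OS information."""
    os_name = host_os.get(match.dst_ip)
    if os_name is None:
        return AR_UNKNOWN
    return AR_RELEVANT if os_name == match.target_os else AR_NOT_RELEVANT


def risk_rating(match, tvr_config, host_os, watchlist):
    """Combine the factors into a single 0-100 score."""
    tvr = target_value(match.dst_ip, tvr_config)
    core = (match.asr * tvr * match.sfr) // 10000      # main multiplicative term
    ar = attack_relevancy(match, host_os)
    # Global correlation: sources reported as part of large-scale attacks get a small bump.
    gc = watchlist.get(match.src_ip, 0)
    return max(0, min(100, core + ar + gc))


# --- constructed configuration and events (assumptions) ---------------------
TVR_CONFIG = {"10.0.0.10/32": "high", "10.0.1.0/24": "low"}   # everything else: medium
HOST_OS = {"10.0.0.10": "windows", "10.0.1.5": "linux"}
WATCHLIST = {"203.0.113.7": 5}   # reputation bump for a reported source

EVENTS = [
    SignatureMatch("sig-1", 60, 80, "windows", "203.0.113.7", "10.0.0.10"),  # relevant + watchlisted
    SignatureMatch("sig-1", 60, 80, "windows", "198.51.100.2", "10.0.1.5"),   # Linux host, not relevant
    SignatureMatch("sig-1", 60, 80, "windows", "198.51.100.2", "10.0.2.9"),   # unknown host, default TVR
]


def rate_all(events=EVENTS):
    """Risk rating for each constructed event; the same signature scores 87, 26 and 48."""
    return [risk_rating(e, TVR_CONFIG, HOST_OS, WATCHLIST) for e in events]


if __name__ == "__main__":
    for e, rr in zip(EVENTS, rate_all()):
        print(f"{e.sig_id} {e.src_ip} -> {e.dst_ip}: RR={rr}")
```

The three events share one signature (same ASR and SFR), so the spread in scores comes entirely from where the traffic is going and where it comes from, which is the point of layering TVR, relevancy and correlation on top of the signature's own ratings.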
15.2.4 IPS/IDS Evasion Techniques
Evasion Method: Traffic fragmentation
Description: The attacker splits malicious traffic into multiple parts with the intent that any detection system will not see the attack for what it really is.
Cisco Anti-Evasion Techniques: Complete session reassembly so that the IPS/IDS can see the big picture.
Evasion Method: Traffic substitution and insertion
Description: The attacker substitutes characters in the data using different formats that have the same final meaning. An example is Unicode strings, which an end station could interpret but perhaps a lesser IPS/IDS might not.
Cisco Anti-Evasion Techniques: Data normalization and de-obfuscation techniques. Cisco's implementation looks for Unicode, case sensitivity, substitution of spaces with tabs, and other similar evasion techniques.
Evasion Method: Protocol level misinterpretation
Description: An attacker may attempt to cause a sensor to misinterpret the end-to-end meaning of a network protocol and so perhaps not catch an attack in progress.
Cisco Anti-Evasion Techniques: IP Time-To-Live (TTL) analysis, TCP checksum validation.
Evasion Method: Timing attacks
Description: Sending packets at a rate low enough so as not to trigger a signature (for example, a flood signature that triggers at 1000 packets per second, and the attacker sending packets at 900 packets per second).
Cisco Anti-Evasion Techniques: Configurable intervals and use of third-party correlation.
Evasion Method: Encryption and tunnelling
Description: Encrypted payloads are called encrypted for a reason. If an IPS/IDS sees only encrypted traffic, the attacker can build a Secure Sockets Layer (SSL) or IPsec session between himself and the victim and could then send private data over that virtual private network (VPN).
Cisco Anti-Evasion Techniques: If traffic is encrypted and passing through the sensor as encrypted data, the encrypted payload cannot be inspected. For generic routing encapsulation (GRE) tunnels, there is support for inspection if the data is not encrypted.
Evasion Method: Resource exhaustion
Description: If thousands of alerts are being generated by distractor attacks, an attacker may just be trying to disguise the single attack that they are actually trying to accomplish. The resource exhaustion could be overwhelming the sensor and overwhelming the administration team that has to view the events.
Cisco Anti-Evasion Techniques: Dynamic and configurable event summarization. Here is an example: 20,000 devices are all under the control of the attacker. All those devices begin to send the same attack. The sensor summarizes those by showing a few of the attacks as alerts, and then summaries at regular intervals that indicate the attack is still in play and how many thousands of times it occurred over the last interval. This is much better than trying to wade through thousands
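To make the event-summarization behaviour concrete, here is an added example (not from the notes and not Cisco's implementation) of a summarizer that behaves the way the resource-exhaustion row describes: the first few matches of a signature are reported as individual alerts, after which only periodic summaries with a count are emitted. The verbose limit of 3, the 10-second interval and the 400-event flood from 50 sources are constructed assumptions.

```python
"""Alert summarization against alert floods (added example, constructed data)."""
from collections import defaultdict


class AlertSummarizer:
    def __init__(self, verbose_limit=3, interval=10):
        self.verbose_limit = verbose_limit   # raw alerts to emit before summarizing
        self.interval = interval             # seconds between summaries
        self.seen = defaultdict(int)         # total matches per signature
        self.pending = defaultdict(int)      # matches not yet reported in a summary
        self.last_report = {}                # sig_id -> timestamp of last report

    def observe(self, sig_id, src_ip, ts):
        """Return an output record for this match, or None if it is folded into a summary."""
        self.seen[sig_id] += 1
        if self.seen[sig_id] <= self.verbose_limit:
            self.last_report.setdefault(sig_id, ts)
            return ("alert", sig_id, src_ip, ts)
        self.pending[sig_id] += 1
        if ts - self.last_report[sig_id] >= self.interval:
            return self._summary(sig_id, ts)
        return None

    def _summary(self, sig_id, ts):
        count, self.pending[sig_id] = self.pending[sig_id], 0
        self.last_report[sig_id] = ts
        return ("summary", sig_id, count, ts)

    def flush(self, ts):
        """Report whatever is still pending, e.g. at shutdown or at the end of a log replay."""
        return [self._summary(s, ts) for s in list(self.pending) if self.pending[s] > 0]


# Constructed flood: 400 matches of one signature from 50 sources, 10 per second for 40 s.
FLOOD = [("sig-2000", f"192.0.2.{i % 50}", i // 10) for i in range(400)]


def summarize(events=FLOOD, end_ts=40):
    """Run the flood through the summarizer; 400 matches become 3 alerts and 4 summaries."""
    s = AlertSummarizer(verbose_limit=3, interval=10)
    out = [r for r in (s.observe(*e) for e in events) if r is not None]
    out.extend(s.flush(end_ts))
    return out


if __name__ == "__main__":
    for record in summarize():
        print(record)
```

The summaries preserve the information an analyst needs (the attack is still in progress, and how many times it fired in the last interval) while keeping the event count proportional to elapsed time rather than to the size of the attacker's botnet.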
15.2.5 Micro-Engines (Groupings of Signatures)
Signature Micro-Engine > Signatures in This Grouping
Atomic > Signatures that can match on a single packet, as compared to a string of packets.
Service > Signatures that examine application layer services, regardless of the operating system.
String or Multistring > Supports flexible pattern matching, and can be identified in a single packet or group of packets, such as a session.
Other > Miscellaneous signatures that may not specifically fit into other categories.
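The following is an added example, not from the notes and not Cisco's sensor code, that ties together three rows above: the fragmentation and substitution entries of the evasion table (session reassembly and data normalization) and the Atomic versus String distinction of the micro-engine table. A signature in canonical form is matched once per segment (Atomic style) and once against the reassembled, normalized stream (String style); the second sees the pattern that the first cannot. The request, the segment boundaries and the single traversal signature are constructed for the example.

```python
"""Session reassembly and payload normalization before signature matching
(added example; request, segments and signature are constructed)."""
import re
import urllib.parse

# Constructed signature: a classic directory-traversal pattern in its canonical form.
SIGNATURES = {"path-traversal": "../../etc/passwd"}

# Constructed request that encodes the pattern with %-escapes and mixed case
# and substitutes a tab for a space, then is cut into three segments.
FULL_REQUEST = (b"GET /cgi-bin/x?file=%2e%2e/%2E%2E/etc/PASSWD HTTP/1.1\r\n"
                b"Host:\texample.test\r\n\r\n")
_CUTS = [0, 27, 42, len(FULL_REQUEST)]
_IN_ORDER = [(_CUTS[i], FULL_REQUEST[_CUTS[i]:_CUTS[i + 1]]) for i in range(3)]
SEGMENTS = [_IN_ORDER[2], _IN_ORDER[0], _IN_ORDER[1]]   # delivered out of order


def reassemble(segments):
    """Rebuild a stream from (offset, data) segments; refuse gaps and overlaps."""
    stream = bytearray()
    for offset, data in sorted(segments, key=lambda s: s[0]):
        if offset != len(stream):
            raise ValueError(f"gap or overlap at offset {offset}")
        stream += data
    return bytes(stream)


def normalize(payload):
    """Decode the payload to a canonical form so one signature covers its variants."""
    text = payload.decode("utf-8", errors="replace")
    for _ in range(3):                       # collapse nested %-encoding (e.g. %252e)
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()                      # case variations
    text = re.sub(r"[ \t]+", " ", text)      # tabs substituted for spaces
    return text


def match_signatures(text, signatures=SIGNATURES):
    return sorted(name for name, pattern in signatures.items() if pattern in text)


def inspect_per_segment(segments=SEGMENTS):
    """Atomic-style inspection: each segment is normalized and matched on its own."""
    hits = set()
    for _, data in segments:
        hits.update(match_signatures(normalize(data)))
    return sorted(hits)


def inspect_stream(segments=SEGMENTS):
    """String-style inspection: reassemble the session, then normalize and match."""
    return match_signatures(normalize(reassemble(segments)))


if __name__ == "__main__":
    print("per-segment:", inspect_per_segment())   # []
    print("stream     :", inspect_stream())        # ['path-traversal']
```

Normalization is applied to the reassembled bytes, not to each segment, because an escape sequence such as %2e can itself be split across a segment boundary; reassembling first is what lets the decoder see it whole.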