• The Cisco IOS Intrusion Prevention System (IPS) with inline intrusion
capabilities provides an inline, deep-packet-inspection based IPS solution that
helps enable Cisco routers to effectively mitigate a wide range of network
attacks without compromising traffic forwarding performance.
• Cisco IOS IPS can accurately identify, classify, and stop malicious or
damaging traffic in real time, and is a core component of the Cisco Self-
Defending Network.
• The Cisco IOS IPS acts as an in-line IPS sensor, watching packets and
sessions as they flow through the router, and scanning each packet to match
any of the Cisco IOS IPS signatures.
• When it detects suspicious activity, it responds before network security can be
compromised and logs the event through Syslog or Security Device Event
Exchange (SDEE).
• When packets in a session match a signature, the Cisco IOS IPS can take any
of the following actions, as appropriate:
– send an alarm to a Syslog server or a centralized management interface
– drop the packet
– reset the connection
• The Cisco IOS IPS feature in the latest Cisco IOS 12.4(11)T2 release
also offers the following enhancements:
– Support for encrypted signatures provided by many vendors under
nondisclosure agreement (NDA)
– Risk rating value in IPS alarms for efficient event filtering,
monitoring, and correlation
– Support for the risk-rating-based Signature Event Action Processor
(SEAP) for automated adjustment of signature event actions based
on risk rating, a feature unique to Cisco IPS products
– Individual and category-based signature provisioning capabilities
through the Cisco IOS command-line interface (CLI)
– XML-based IDCONF signature provisioning mechanism (works
securely over HTTPS)
– Automated signature updates (at configurable periodic intervals)
from a local server
• Router Performance
– The performance impact of intrusion prevention depends on the
number of signatures enabled, the level of traffic on the router, the
router platform, and other individual features enabled on the router,
such as encryption.
– The IPS process in the router sits directly in the packet path and
searches each packet for signature matches. In some cases, the
entire packet needs to be searched, and state information and even
application state and awareness must be maintained by the router.
• This figure matches the type of exploit signature with the OSI layer.
Exploit-specific signatures seek to identify network activity or upper-
level protocol transactions that are unique to a specific exploit or attack
tool.
• As of Release 12.3(8)T, Cisco IOS IPS has 132 built-in signatures available in
the Cisco IOS Software image.
• The built-in signatures are hard-coded into the Cisco IOS Software image for
backward compatibility.
• Each signature can be set to send an alarm, drop the connection, or reset the
connection. Each action is enabled on a per-signature basis. Each signature
has an action assigned by default, based on the severity of the signature.
• Cisco IOS IPS has the ability to download IPS signatures without the need for
a Cisco IOS Software image update.
• Signature Micro-engines
– The IPS mechanism that matches the signatures against data packets is
called a micro-engine.
– An IPS system contains several micro-engines, and each micro-engine
handles a set of signatures, typically grouped together by protocol or some
other common characteristics.
– Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDF and
scan signatures. Each engine categorizes a group of signatures, and each
signature detects patterns of misuse in network traffic.
• For example, all HTTP signatures are grouped under the HTTP engine.
– Signatures contained within the SDF are handled by a variety of SMEs.
The SDF typically contains signature definitions for multiple engines.
– The SME typically corresponds to the protocol in which the signature
occurs and looks for malicious activity in that protocol. A packet is
processed by several SMEs. Each SME scans for various conditions that
can lead to a signature pattern match.
– When an SME scans the packets, it extracts certain values, searching for
patterns within the packet via the regular expression engine.
• attack-drop.sdf
– The attack-drop.sdf file is available in flash on all Cisco access routers that are
shipped with Cisco IOS Release 12.3(8)T or later.
– The attack-drop.sdf file can then be loaded directly from flash into the Cisco IOS IPS
system. If flash is erased, the attack-drop.sdf file may also be erased. This may
happen when erasing the contents of flash memory before copying a new Cisco IOS
image to flash. If this occurs, the router will refer to the built-in signatures within the
Cisco IOS image.
– The attack-drop.sdf file can also be downloaded onto the router from the weblink
below. A valid CCO login is required to access the site.
• Built-in signatures are removed from Cisco IOS IPS starting from Cisco
IOS Software Release 12.4(11)T.
• In previous releases, built-in signatures are predefined signatures
bundled with Cisco IOS Software.
• These built-in signatures exist solely to maintain backward
compatibility with the previous Cisco IOS Intrusion Detection System
(IDS), which has about 135 signatures.
• Cisco does not recommend using built-in signatures.
• The basic signature set (in file 128MB.sdf) is the Cisco recommended
signature set for routers with 128 MB or more memory.
• The advanced signature set (in file 256MB.sdf) is the Cisco recommended
signature set for routers with 256 MB or more memory.
• Cisco decommissioned the use of the file attack-drop.sdf. Although it is still
possible to use this file in Cisco IOS Software releases prior to Cisco IOS
Software Release 12.4(11)T, because of the very limited and old attack
coverage the signatures in that file provide, Cisco does not recommend its
use in production environments.
– These files can be downloaded from Cisco.com at
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-sigup.
• Verify the configuration. This includes using the available show, clear, and
debug commands for the IOS IPS.
• Use this procedure to install the latest Cisco IOS IPS signatures on a router for
the first time. This procedure allows the administrator to load the default, built-
in signatures or the attack-drop.sdf file, but not both.
• To merge the two signature files, the administrator must load the default, built-
in signatures as described in this procedure. Then, the default signatures can
be merged with the attack-drop.sdf file.
Router(config)#
ip http server
logging on
ip ips notify log
logging syslog_server_IP
logging trap [warnings | …]
• SDEE Prerequisites
– To use SDEE, the HTTP server must be enabled with the ip http server
command.
– If the HTTP server is not enabled, the router cannot respond to the SDEE
clients because it cannot see the requests.
• The default number of events is 100. Raising the number of events past 100
may cause memory and performance impacts because each event in the event
queue requires 32 KB of memory.
• Built-in signatures are removed from Cisco IOS IPS starting from Cisco
IOS Software Release 12.4(11)T.
• These built-in signatures exist solely to maintain backward
compatibility with the previous Cisco IOS Intrusion Detection System
(IDS), which has about 135 signatures.
• Cisco does not recommend using built-in signatures.
• You must load one of the following images on your router to install
Cisco IOS IPS 5.x: adventerprisek9, advsecurityk9, or
advipservicesk9.
• Reference: Getting Started with Cisco IOS IPS with 5.x Format Signatures
• Mail Guard provides a safe conduit for Simple Mail Transfer Protocol (SMTP)
connections from the outside to an inside e-mail server.
• Mail Guard enables a mail server to be deployed within the internal network
without it being exposed to known security problems with some mail server
implementations.
• When configured, Mail Guard allows only seven SMTP commands as specified
in RFC 821 section 4.5.1.
– These commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and
QUIT.
– Other commands, such as KILL, WIZ, and so forth, are intercepted by the
PIX Security Appliance and are never sent to the mail server inside the
network.
• The PIX responds with an OK even to denied commands, so that attackers will
not know that their attempts are being thwarted.
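The command filtering described above, as an added example written for these notes (not PIX code): only the seven RFC 821 verbs are forwarded to the inside server, every other command is answered with a generic "250 OK" by the firewall, and message body lines after DATA are never treated as commands. The sample session is constructed.

```python
# Added example (not PIX code): Mail Guard-style SMTP command filter.
ALLOWED_VERBS = frozenset({"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})
FAKE_OK = "250 OK"   # the firewall's reply for a denied command


def mail_guard(client_lines):
    """Return ("forward", line) for lines passed to the inside server and
    ("intercept", FAKE_OK) for commands the firewall answers itself.
    Lines between DATA and the lone "." are message body, not commands,
    so they pass through (a real proxy would also wait for the server's 354)."""
    decisions = []
    in_data = False
    for line in client_lines:
        if in_data:
            decisions.append(("forward", line))
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()   # verbs are case-insensitive
        if verb in ALLOWED_VERBS:
            decisions.append(("forward", line))
            in_data = verb == "DATA"
        else:
            decisions.append(("intercept", FAKE_OK))   # never reaches the server
    return decisions


def forwarded_lines(decisions):
    return [line for action, line in decisions if action == "forward"]


def intercepted_count(decisions):
    return sum(1 for action, _ in decisions if action == "intercept")


# Constructed session: two denied commands and a VRFY probe mixed into an
# ordinary delivery; "WIZ" inside the body is just text and must pass.
SAMPLE_SESSION = [
    "HELO client.example",
    "WIZ",
    "KILL",
    "MAIL FROM:<sender@example.test>",
    "rcpt to:<user@example.test>",
    "VRFY postmaster",
    "DATA",
    "WIZ appears here as body text, not a command",
    ".",
    "QUIT",
]
```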
• By default, the PIX Security Appliance inspects port 25 connections for SMTP
traffic.
• If there are SMTP servers on the network that are using ports other than port
25, the fixup protocol smtp command must be used to have the PIX inspect
these other ports for SMTP traffic.
• The fragment size command can be used to set the maximum number of
packets in the fragment database.
• Use the fragment chain command to specify the maximum number of packets
into which a packet can be fragmented, and use the fragment timeout
command to specify the maximum number of seconds the PIX Security
Appliance waits after the first fragment is received before discarding a
fragment waiting for reassembly.
• Setting the database-limit of the size option to a large value can make the PIX
Security Appliance more vulnerable to a DoS attack by fragment flooding.
• Do not set the database-limit equal to or greater than the total number of
blocks in the PIX 1550 or 16384 memory pool. See the show blocks
command for more details.
• Use the clear fragment command to reset the fragment databases and
defaults.
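An added model (not PIX code) of how the three limits described above interact: size caps fragments held across all datagrams, chain caps fragments per datagram, and timeout drops a datagram still incomplete that many seconds after its first fragment. The class, its method names and the datagram key (source, destination, IP ID) are this example's own assumptions.

```python
# Added example (not PIX code): fragment database with size/chain/timeout limits.
class FragmentGuard:
    def __init__(self, size=200, chain=24, timeout=5):
        self.size, self.chain, self.timeout = size, chain, timeout
        self.db = {}        # (src, dst, ip_id) -> {"first": t, "frags": {offset: (more, data)}}
        self.dropped = 0    # fragments refused or expired

    def held(self):
        """Fragments currently occupying the database (the 'size' budget)."""
        return sum(len(e["frags"]) for e in self.db.values())

    def expire(self, now):
        """Discard every partial datagram older than the timeout."""
        stale = [k for k, e in self.db.items() if now - e["first"] > self.timeout]
        for key in stale:
            self.dropped += len(self.db[key]["frags"])
            del self.db[key]

    def offer(self, key, offset, more, data, now):
        """Accept one fragment; return the reassembled payload once complete."""
        self.expire(now)
        entry = self.db.get(key)
        if entry is None:
            if self.held() >= self.size:          # database full: refuse, never grow
                self.dropped += 1
                return None
            entry = self.db[key] = {"first": now, "frags": {}}
        frags = entry["frags"]
        if offset not in frags and (len(frags) >= self.chain or self.held() >= self.size):
            self.dropped += 1                     # chain too long or database full
            return None
        frags[offset] = (more, data)
        out, pos = bytearray(), 0                 # complete only if contiguous from 0
        while pos in frags:
            more_flag, chunk = frags[pos]
            out += chunk
            pos += len(chunk)
            if not more_flag:
                del self.db[key]                  # done: free the slots
                return bytes(out)
        return None
```

A flood that sets a very small size limit on a busy appliance shows the trade-off the notes warn about: legitimate fragmented datagrams are refused as soon as the database is full.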
• SYN flood attacks, also known as TCP flood or half-open connections attacks,
are common DoS attacks perpetrated against IP servers.
• In PIX Security Appliance Software Version 5.2, the SYN Flood Guard feature
of the static command offers an improved mechanism for protecting systems
reachable via a static ACL from TCP SYN attacks.
• TCP Intercept
• For each SYN, the PIX Security Appliance responds on behalf of the server with an
empty SYN/ACK segment.
• The PIX retains pertinent state information, drops the packet, and waits for the
acknowledgement from the client. If the ACK is received, a copy of the client SYN
segment is sent to the server, and the TCP three-way handshake is performed between
the PIX and the server.
• Only if this three-way handshake completes will the connection be allowed to resume as
normal.
• SYN Cookies
• In the SYN cookies implementation of TCP, when the server receives a SYN packet, it
responds with a SYN-ACK packet where the ACK sequence number is calculated from
the source address, source port, source sequence number, destination address,
destination port, and a secret seed.
• Then the server releases all state.
• If an ACK returns from the client, the server can recalculate it to determine if it is a
response to a previous SYN-ACK. If so, the server can directly enter the
TCP_ESTABLISHED state and open the connection.
• In this way, the server avoids managing a batch of potentially useless half-open
connections.
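The SYN cookie calculation described above, as an added example (not PIX or Cisco code): the server's ISN is an HMAC over the source and destination addresses and ports, the client's ISN and a secret seed, so the server keeps no half-open state and can validate the final ACK by recomputation alone. The seed value and addresses are constructed; production stacks additionally fold a time counter and MSS into the cookie so old cookies expire.

```python
# Added example (not PIX or Cisco code): stateless SYN-cookie generation and check.
import hashlib
import hmac
import struct

SECRET_SEED = b"constructed-per-boot-secret"   # constructed; rotate per boot in practice
MASK32 = 0xFFFFFFFF


def _ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, seed=SECRET_SEED):
    """Server ISN to place in the SYN-ACK: 32 bits of HMAC-SHA256 over the
    5-tuple inputs the notes list (addresses, ports, client ISN) and the seed."""
    msg = struct.pack("!4s4sHHI", _ipv4(src_ip), _ipv4(dst_ip),
                      src_port, dst_port, client_isn & MASK32)
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def ack_completes_handshake(src_ip, src_port, dst_ip, dst_port,
                            seq, ack, seed=SECRET_SEED):
    """Validate the client's final ACK with no stored state.

    The ACK carries seq = client_isn + 1 and ack = server_isn + 1, so the
    cookie is recomputed from seq - 1 and compared with ack - 1. Only a client
    that really received the SYN-ACK can present the right value.
    """
    expected = syn_cookie(src_ip, src_port, dst_ip, dst_port,
                          (seq - 1) & MASK32, seed)
    presented = (ack - 1) & MASK32
    # Constant-time compare so timing does not leak which bits matched.
    return hmac.compare_digest(struct.pack("!I", expected),
                               struct.pack("!I", presented))
```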
• Use the static command to limit the number of embryonic connections allowed
to the server to protect internal hosts against DoS attacks.
• Use the nat command to protect external hosts against DoS attacks and to
limit the number of embryonic connections from the external host.
• With intrusion detection enabled, the PIX can detect signatures and generate a
response when a set of rules is matched to network activity.
• It can monitor packets for more than 55 intrusion detection signatures and can
be configured to send an alarm to a Syslog server or a server running Cisco
Security Monitor, drop the packet, or reset the TCP connection.
• The PIX Security Appliance can detect two different types of signatures:
informational signatures and attack signatures.
• The shun feature of the PIX Security Appliance allows a PIX, when combined with a
Cisco IDS Sensor, to dynamically respond to an attacking host by preventing new
connections and disallowing packets from any existing connection.
• A Cisco IDS device instructs the PIX to shun sources of traffic when those sources of
traffic are determined to be malicious.
• The shun command, intended for use primarily by a Cisco IDS device, applies a blocking
function to an interface receiving an attack.
• Host 172.26.26.45 has been attempting a DNS zone transfer from host 192.168.0.10
using a source port other than the well-known DNS port of TCP 53.
• The offending host (172.26.26.45) has made a connection with the victim (192.168.0.10)
with TCP.
• The connection in the PIX Security Appliance connection table reads as follows:
172.26.26.45, 4000 → 10.0.0.11 PROT TCP