CCNA Security Chapter 5 - Implementing Intrusion Prevention ( IPS/IDS )

The security challenges that face today's network administrators cannot be successfully managed by any single application.
Although implementing
 - device hardening,
 - AAA access control,
 - firewall features are all part of a properly secured network,
these features still cannot defend the network against fast-moving Internet worms and viruses.
A network must be able to instantly recognize and mitigate worm and virus threats.

Cisco IPS presentation

* Hands-on lab for the chapter, Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP.
* Packet Tracer activity, Configure IOS Intrusion Prevention System (IPS) using CLI.

Cisco Intrusion Prevention Systems (IPS) solutions provide protection against common threats such as:
  • Directed attacks
  • Worms
  • Botnets
  • SQL injection attacks and the like
Solutions are available as:
  • Standalone appliances
  • Hardware modules for Cisco Adaptive Security Appliance (ASA) firewalls
  • Hardware modules for Cisco Integrated Services Routers (ISR) and Cisco Catalyst Switches
  • Cisco IOS software-based solutions for ISR routers
More than 700,000 Cisco network devices worldwide send current threat information into Cisco Security Intelligence Operations (SIO). The data is analyzed, correlated, and pushed back to devices worldwide as reputation data and outbreak filters. These constant updates are intended to contain threats and block malware, including zero-day exploits. 
    A zero-day attack, sometimes referred to as a zero-day threat, is a computer attack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor. 
    Zero-hour describes the moment when the exploit is discovered.

    IDS / IPS comparison
    Intrusion detection systems (IDS) - passively monitor the traffic on a network. An IDS works on a copy of the traffic stream and analyzes the copy rather than the actual forwarded packets, which makes it the more scalable of the two (it adds no delay to the forwarding path).
    Intrusion prevention systems (IPS) - sit inline in the forwarding path, so every packet is analyzed before it is forwarded and malicious packets can be dropped.

    The offline IDS implementation is referred to as promiscuous mode (compares the captured traffic stream with known malicious signatures, similar to software that checks for viruses). 

    Advantage of an IDS operating on a copy of the traffic:
     - it does not negatively affect the actual packet flow of the forwarded traffic.

    Disadvantage of an IDS operating on a copy of the traffic:
     - it cannot stop malicious single-packet attacks from reaching the target before responding to the attack.

    An Intrusion Prevention System (IPS) builds upon IDS technology.
    Unlike IDS, an IPS device is implemented in inline mode.
    This means that all ingress and egress traffic must flow through it for processing.
    An IPS does not allow packets to enter the trusted side of the network without first being analyzed.
    It can detect and immediately address a network problem as required.

    An IPS monitors Layer 3 and Layer 4 traffic and analyzes the contents and the payload of the packets for more sophisticated embedded attacks that might include malicious data at Layers 2 through 7. Cisco IPS platforms use a blend of detection technologies, including signature-based, profile-based, and protocol analysis intrusion detection.
    This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. When a packet comes in through an interface on an IPS, that packet is not sent to the outbound or trusted interface until the packet has been analyzed.

    Advantage IPS of operating in inline mode:
    - can stop single-packet attacks from reaching the target system.
    Disadvantage IPS of operating in inline mode:
     -a poorly configured IPS or an inappropriate IPS solution can negatively affect the packet flow of the forwarded traffic.

    The biggest difference between IDS and IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS might allow malicious traffic to pass before responding.

    An IDS or IPS sensor can be any of the following devices:
     - Router configured with Cisco IOS IPS software,
     - Appliance specifically designed to provide dedicated IDS or IPS services (4200 series),
     - Network module installed in an adaptive security appliance, switch, or router (AIM-IPS or NME-IPS modules)
     - A module on an ASA firewall in the form of the AIP module for IPS
     - A blade that works in a 6500 series multilayer switch.

    Common characteristics of IDS and IPS:
    1. Both technologies are deployed as sensors.
    2. Both technologies use signatures to detect patterns of misuse in network traffic.
    3. Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).

    Type                     Advantages                                       Disadvantages
    IDS (promiscuous mode)   No impact on network (latency, jitter)           Response action cannot stop trigger packets
                             No network impact if there is a sensor failure   Correct tuning required for response actions
                             No network impact if there is sensor overload    More vulnerable to network security evasion techniques

    IPS (inline mode)        Stops trigger packets                            Sensor issues might affect network traffic
                             Can use stream normalization techniques          Sensor overloading impacts the network
                                                                              Some impact on network (latency, jitter)
    A network IDS/IPS can be implemented using:
     ■    A dedicated IPS appliance, such as the 4200 series 
     ■    Software running on the router in versions of IOS that support it (IOS IPS) 
     ■    A module in an IOS router, such as the AIM-IPS or NME-IPS modules 
     ■    A module on an ASA firewall in the form of the AIP module for IPS 
     ■    A blade that works in a 6500 series multilayer switch  

    Sensor hardening:
     - Network IPS sensors are tuned for intrusion prevention analysis,
     - the operating system of the platform on which the IPS module is mounted is stripped of unnecessary network services,
     - the essential services that remain are secured.

    The hardware includes three components.
     - Network interface card (NIC) - The network IPS must be able to connect to any network (Eth, Fast Eth, Gigabit Eth).
     - Processor - Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
     - Memory - Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network IPS to efficiently and accurately detect an attack.

    Cisco Integrated Services Routers Generation 2 (ISR G2) integrate multiple network services into a single platform, providing services that previously required additional hardware to run.

    Not all Cisco IOS images support IPS features. 

    Cisco offers a variety of modular and appliance-based IPS solutions:
    - Cisco IPS Advanced Integration Module (AIM) and Network Module Enhanced (IPS NME) -
    Integrates IPS onto a Cisco ISR used for small and medium-sized business (SMB) and branch office environments. Cisco IOS IPS and Cisco IPS AIM / IPS NME cannot be used together. Cisco IOS IPS must be disabled when the Cisco IPS AIM is installed.
    - Cisco IPS 4200 Series Sensors  - Combines inline intrusion prevention services with innovative technologies that improve accuracy in detecting, classifying, and stopping threats including worms, spyware and adware, and network viruses.
    - Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2) - part of the Cisco IPS solution, it works in combination with the other components to efficiently protect the data infrastructure.
    - IPS functionality for the ASAs - The Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (ASA AIP-SSM) and the Cisco ASA Advanced Inspection and Prevention Security Services Card (AIP-SSC) use advanced inspection and prevention technology to provide high-performance security services such as intrusion prevention services and advanced anti-X services.

    Network IPS
    There are two types of IPSs: network-based and host-based.
     - Network-based IPSs sit on your network, often in appliance form, and examine packets as they traverse the network.
     - Host-based IPSs reside on servers and workstations; they examine application actions and calls to the system to look for anything prohibited or out of the ordinary.
    Both types stop "bad" activity.

    Most of the host-based IPSs run on both Windows client and server systems. (Internet Security Systems'—ISS's—Proventia family has separate desktop and server versions.) Some of these products also run on other OSs, such as Linux or UNIX variants.

    The attacks that host-based IPSs protect against include viruses, spam, spyware, worms, Trojan horse programs, keyloggers, bots, buffer overflows, rootkits, and Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Some vendors claim to protect the entire server or client system; others focus on specific applications, such as Microsoft IIS, Internet Explorer (IE), and Exchange Server.
    Most vendors update their products regularly.
    Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
    Advantages                         Disadvantages
    Cost-effective                     Cannot examine encrypted traffic
    Not visible on the network         Cannot determine whether an attack was successful
    Operating system independent
    Lower-level network events seen

    Signatures have three distinctive attributes:
     a) Type
     b) Trigger (alarm)
     c) Action

    a) Signature Types
     - Atomic - the simplest type of signature. It consists of a single packet, activity, or event that is examined to determine if it matches a configured signature. If it does, an alarm is triggered, and a signature action is performed.
    For example, a LAND attack is an atomic signature because it sends a spoofed TCP SYN packet (connection initiation) with the IP address of the target host and an open port as both source and destination. 
    Detecting atomic signatures consumes minimal resources (such as memory) on the IPS or IDS.
     - Composite (also called a stateful signature) - identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.
    IPS device must maintain state.
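    The following Python is an added example, not code from the CCNA Security course or from Cisco. It models the two signature types on constructed packets: an atomic LAND check that decides from one packet and keeps no state, and a composite string search that keeps a per-session buffer so a string split across packets ("confidential", as in the triggers table later in these notes) is still found. The Packet layout, the signature IDs and the sample traffic are assumptions made for the illustration.

```python
"""Added example: atomic vs composite (stateful) signature matching.
Not the course's or Cisco's code; the Packet layout, signature IDs and
sample traffic below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: str = ""        # TCP flags as letters, e.g. "S" = SYN, "PA" = PSH+ACK
    payload: bytes = b""


@dataclass
class Alert:
    sig_id: int            # hypothetical signature IDs, not real Cisco IDs
    name: str
    src_ip: str
    dst_ip: str


def atomic_land(pkt: Packet):
    """Atomic signature: a LAND packet is a TCP SYN whose source and destination
    address *and* port are identical.  One packet is enough to decide, and no
    state is kept between packets."""
    if "S" in pkt.flags and pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port:
        return Alert(1102, "LAND attack", pkt.src_ip, pkt.dst_ip)
    return None


class CompositeStringSignature:
    """Composite signature: look for a string that may be split across several
    packets of one TCP session.  The sensor must keep a per-flow buffer, which
    is the 'state' the notes refer to; an atomic signature needs none."""

    def __init__(self, sig_id: int, needle: bytes):
        self.sig_id = sig_id
        self.needle = needle
        self.buffers = {}      # flow key -> bytes carried over from earlier packets
        self.fired = set()     # flows that already produced an alert

    @staticmethod
    def flow_key(pkt: Packet):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inspect(self, pkt: Packet):
        key = self.flow_key(pkt)
        buf = self.buffers.get(key, b"") + pkt.payload
        alert = None
        if self.needle in buf and key not in self.fired:
            self.fired.add(key)
            alert = Alert(self.sig_id, "string %r in TCP session" % self.needle,
                          pkt.src_ip, pkt.dst_ip)
        # Keep only the tail that could still complete a match with the next
        # packet, so per-flow memory stays bounded by the pattern length.
        keep = len(self.needle) - 1
        self.buffers[key] = buf[-keep:] if keep > 0 else b""
        return alert


def run_sensor(packets, composite=None):
    """Run both signatures over a packet list; returns (alerts, composite)."""
    composite = composite or CompositeStringSignature(2001, b"confidential")
    alerts = []
    for pkt in packets:
        for hit in (atomic_land(pkt), composite.inspect(pkt)):
            if hit is not None:
                alerts.append(hit)
    return alerts, composite


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", 80, 80, flags="S"),                   # LAND
    Packet("10.0.0.9", "10.0.0.1", 40001, 80, "PA", b"GET /r?x=confi"),   # 1st half
    Packet("10.0.0.9", "10.0.0.1", 40001, 80, "PA", b"dential HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.0.1", 40002, 80, "PA", b"GET /public HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in run_sensor(SAMPLE)[0]:
        print(alert)
```

    The point of keying the buffer on the full flow tuple is that the two halves of the string only match when they belong to the same TCP session; the same bytes spread over two different sessions produce nothing, which is exactly the state an atomic signature cannot express.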

    The signature file contains a package of network signatures intended as an update to the signature database resident in a Cisco product with IPS or IDS functions. 

    Cisco IOS software relies on signature micro-engines (SME), which categorize common signatures in groups.
    The available SMEs vary depending on the platform, Cisco IOS version, and version of the signature file.
    For example, before Release 12.4(11)T, the Cisco IPS signature format used version 4.x.
    Since IOS 12.4(11)T, Cisco introduced version 5.x, an improved IPS signature format.
    The IPS version 5.x signature format provides benefits over the version 4.x signature format:
     - addition of a signature risk rating, which rates the signature on security risk.

     - support for encrypted signature parameters. 

    Cisco IOS Release 12.4(6)T defines five micro-engines:
    1) Atomic - Signatures that examine simple packets, such as ICMP and UDP.
    2) Service - Signatures that examine the many services that are attacked (DNS, SMTP).
    3) String - Signatures that use regular expression-based patterns to detect intrusions.
    4) Multi-string - Supports flexible pattern matching and Trend Labs signatures.
    5) Other - Internal engine that handles miscellaneous signatures.

    To protect a network, the signature file must be updated regularly.
    New signatures are available from Cisco; a Cisco.com (CCO) login is required to retrieve them.

    b) Signature Alarms (Triggers)
    The Cisco IDS and IPS sensors (Cisco IPS 4200 Series Sensors and Cisco Catalyst 6500 IDSM) can use four types of signature triggers: pattern-based, anomaly-based, policy-based and honey pot-based. Each of the first three can be implemented as an atomic or a composite signature.

    Samples of alarms
     - Pattern-based detection
       atomic: detecting an Address Resolution Protocol (ARP) request that has a source Ethernet address of FF:FF:FF:FF:FF:FF
       composite: searching for the string "confidential" across multiple packets in a TCP session
     - Anomaly-based detection
       atomic: detecting traffic that is going to a destination port that is not in the normal profile
       composite: verifying protocol compliance for HTTP traffic
     - Policy-based detection
       atomic: detecting abnormally large fragmented packets by examining only the last fragment
       composite: a SUN UNIX host sending RPC requests to remote hosts without initially consulting the SUN PortMapper program
     - Honey pot-based detection
       Honey pot-based detection uses a dummy server to attract attacks. The purpose of the honey pot approach is to distract attacks away from real network devices.

    Tuning IPS alarms
    Triggering False Alarms
    Triggering mechanisms can generate alarms that are false positives or false negatives. These alarms must be addressed when implementing an IPS sensor.

    A true positive (GOOD) means that there was malicious traffic and that the sensor saw it and reported it; if the sensor was an IPS, it may also have dropped the malicious traffic based on the rules in place.
    A true negative (NORMAL) is also a good outcome: there was normal, non-malicious traffic, and the sensor did not generate any type of alert, which is the expected sensor behavior for non-malicious traffic.

    A false positive (NOT SO BAD, but tuning needed) is when the sensor generates an alert about traffic that is not malicious or not important to the safety of the network. False positives are easy to identify because alerts are generated and can be reviewed.
    A false negative (BAD) is when there is malicious traffic on the network and, for whatever reason, the IPS/IDS did not trigger an alert, so there is no indicator (at least from the IPS/IDS system) that anything negative is going on. In the case of a false negative, you must rely on some third-party or external system to alert you to the problem, such as syslog messages from a network device.

    Summary (was there an attack? / was an alert generated?):
    True positive  - it was a network attack, and the IPS generated an alert.
    True negative  - it was not a network attack, and the IPS did not generate an alert (normal behavior).
    False positive - it was not a network attack, but the IPS generated an alert.
    False negative - it was a network attack, but the IPS did not see it and generated no alert.

      A signature is tuned to one of four levels, based on the perceived severity of the signature:
    High - Attacks used to gain access or cause a DoS attack are detected, and an immediate threat is extremely likely.
    Medium - Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
    Low - Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is not likely.
    Informational - Activity that triggers the signature is not considered an immediate threat, but the information provided is useful information.

    c) Signature Actions
    Whenever a signature detects the activity for which it is configured, the signature triggers one or more actions. Several actions can be performed:
     - Generate an alert.
     - Log the activity (Log attacker packets / Log pair packets / Log victim packets)
     - Drop or prevent the activity (Deny attacker inline/Deny connection inline/Deny packet inline)
     - Reset a TCP connection.
     - Block future activity.
     - Allow the activity.

     The available actions depend on the signature, but the following are the most common actions (configuring with CCP):
     - Deny Attacker Inline - Create an ACL that denies all traffic from the IP address that is considered the source of the attack by the Cisco IOS IPS system.
     - Deny Connection Inline - Drop the packet and all future packets from this TCP flow.
     - Deny Packet Inline - Do not transmit this packet (inline only).
     - Produce Alert - Generate an alarm message.
     - Reset TCP Connection - Send TCP resets to terminate the TCP flow.

    Atomic Alerts - are generated every time a signature triggers.
    Summary Alerts - some IPS solutions enable the administrator to generate summary alerts.
    A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port.
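    The following Python is an added example, not code from the course or from Cisco. It models how a sensor turns signature hits into the actions listed above (produce-alert, deny-packet-inline, deny-connection-inline, deny-attacker-inline) and how repeated hits of the same signature from the same source are folded into one summary alert instead of one atomic alert per trigger. The hit records, signature IDs, summary window and threshold are constructed assumptions; the action names follow the notes.

```python
"""Added example: applying signature actions and collapsing repeated hits
into summary alerts.  Not the course's or Cisco's code; the action names
follow the notes (produce-alert, deny-packet-inline, deny-connection-inline,
deny-attacker-inline) but the hit records, signature IDs, window and
threshold below are constructed assumptions."""
from collections import defaultdict

# Constructed hits: (timestamp_sec, sig_id, src_ip, src_port, dst_ip, dst_port)
HITS = [
    (100, 2004, "198.51.100.7", 4000, "10.0.0.1", 80),  # same sig, same source...
    (101, 2004, "198.51.100.7", 4001, "10.0.0.1", 80),
    (102, 2004, "198.51.100.7", 4002, "10.0.0.1", 80),
    (103, 2004, "198.51.100.7", 4003, "10.0.0.1", 80),  # ...fires four times in 4 s
    (120, 3050, "203.0.113.9", 5555, "10.0.0.1", 22),   # a different signature, once
    (121, 3050, "203.0.113.9", 5556, "10.0.0.1", 22),   # same attacker, already denied
    (200, 2004, "198.51.100.7", 4004, "10.0.0.1", 80),  # outside the summary window
]

# Per-signature event actions, like 'event-action ...' under a signature's engine.
ACTIONS = {
    2004: {"produce-alert", "deny-packet-inline"},
    3050: {"produce-alert", "deny-connection-inline", "deny-attacker-inline"},
}


class Responder:
    def __init__(self, summary_window=30, summary_threshold=3):
        self.window = summary_window          # seconds
        self.threshold = summary_threshold    # hits before summarising
        self.blocked_attackers = set()        # deny-attacker-inline: the dynamic ACL
        self.denied_flows = set()             # deny-connection-inline
        self.dropped_packets = 0              # packets not forwarded
        self.alerts = []                      # individual (atomic) alerts
        self.summaries = {}                   # (sig, src) -> summary alert
        self._seen = defaultdict(list)        # (sig, src) -> recent timestamps
        self.results = []                     # per-hit outcome, filled by process()

    def handle(self, hit):
        ts, sig, src, sport, dst, dport = hit
        flow = (src, sport, dst, dport)
        # Traffic from an already-denied attacker or flow is dropped before any
        # signature action runs, so it generates no further alert.
        if src in self.blocked_attackers or flow in self.denied_flows:
            self.dropped_packets += 1
            return "dropped-by-acl"
        acts = ACTIONS.get(sig, {"produce-alert"})   # default: alert only
        if "deny-attacker-inline" in acts:
            self.blocked_attackers.add(src)
        if "deny-connection-inline" in acts:
            self.denied_flows.add(flow)
        if acts & {"deny-packet-inline", "deny-connection-inline", "deny-attacker-inline"}:
            self.dropped_packets += 1             # the trigger packet itself is dropped
        if "produce-alert" in acts:
            self._alert(ts, sig, src, dst)
        return "actioned"

    def _alert(self, ts, sig, src, dst):
        """Atomic alert on every trigger until the same signature from the same
        source reaches the threshold inside the window; from then on the hits
        are folded into one summary alert instead of repeated alerts."""
        key = (sig, src)
        recent = [t for t in self._seen[key] if ts - t <= self.window] + [ts]
        self._seen[key] = recent
        if len(recent) < self.threshold:
            self.alerts.append((ts, sig, src, dst))
        else:
            s = self.summaries.setdefault(
                key, {"sig": sig, "src": src, "first": recent[0], "count": 0, "last": ts})
            s["count"] = len(recent)
            s["last"] = ts

    def deny_acl(self):
        """Render the attacker block list the way an IOS ACL would express it."""
        return ["deny ip host %s any" % ip for ip in sorted(self.blocked_attackers)]


def process(hits, **kwargs):
    """Feed every hit through a Responder and return it for inspection."""
    r = Responder(**kwargs)
    r.results = [r.handle(h) for h in hits]
    return r


if __name__ == "__main__":
    r = process(HITS)
    print(r.alerts, r.summaries, r.deny_acl(), r.dropped_packets, sep="\n")
```

    With the constructed input, the first two hits of signature 2004 produce atomic alerts, the third and fourth are folded into a summary with count 4, and the hit at t=200 falls outside the 30 s window and so produces an atomic alert again. The second hit from 203.0.113.9 never reaches the signature engine because deny-attacker-inline already placed that address in the dynamic ACL.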

    Manage IPS
    There are four factors to consider when planning a monitoring strategy:
     - Management method (can be managed individually or centrally)
     - Event correlation (NTP server and device enabled)
     - Security staff (security operators tune the IPS and optimize the IPS operation)
     - Incident response plan (compromised system should be restored to the state it was in before the attack)

    Although the CLI can be used to configure an IPS deployment, it is simpler to use a GUI-based device manager.
    Several Cisco device management software solutions are available to help administrators manage an IPS solution. Some provide locally managed IPS solutions while others provide more centrally managed solutions.
    CCP is used on an ISR router to manage an IPS implementation.
    Multiple IPS sensors can be managed using either Cisco IPS Manager Express (IME) or Cisco Security Manager (CSM).

    IPS Best Practices:
     - upgrade sensors with the latest signature.
     - update signature packs automatically rather than manually upgrading each sensor. This gives security operations personnel more time to analyze events.
     - When new signature packs are available, download them to a secure server within the management network. Use another IPS to protect this server from attack by an outside party.
     - Place signature packs on a dedicated FTP server within the management network. If a signature update is not available, a custom signature can be created to detect and mitigate a specific attack.
     - Configure the FTP server to allow read-only access to the files within the directory on which the signature packs are placed.
     - Configure the sensors to regularly check the FTP server for new signature packs.
     - Keep the signature levels that are supported on the management console synchronized with the signature packs on the sensors.

    Cisco IPS includes a security feature called Cisco Global Correlation. With global correlation, Cisco IPS devices receive regular threat updates (reputation data) from a centralized Cisco threat database called the Cisco SensorBase Network. Global Correlation is a feature of the dedicated Cisco IPS sensor software, such as on the AIP-SSM; it is not part of Cisco IOS IPS on the router.

    Implementing IPS

    Matrix for Retired/Unretired and Enabled/Disabled
    (retired = not compiled into memory at all; enabled = considered during packet analysis)
                 Enabled                                             Disabled
    Retired      No memory consumption, and no action related to     No memory consumption, and no action related to
                 the signature during packet analysis                the signature during packet analysis
    Unretired    Consumes memory, and the signature is considered    Consumes memory, but no action related to the
                 during packet analysis                              signature during packet analysis

    Step 1. Download the IOS IPS files. 
    With newer IOS versions, there are no built-in (hard-coded) signatures within the Cisco IOS software. Instead, all signatures are stored in a separate signature file that must be imported.
    Two files are downloaded from Cisco (a login is required):
     - IOS-Sxxx-CLI.pkg - the latest signature package (xxx is the signature release number).
     - the public key file - the public crypto key used by IOS IPS to verify the signature package (the file name is not reproduced in these notes).
    Step 2. Create an IOS IPS configuration directory in flash.
    mkdir <directory-name>      <- for example: mkdir ips
    dir flash:                  <- verify that the directory exists
    Step 3. Configure an IOS IPS crypto key.
    The key is contained in the public key file downloaded in step 1.
    The crypto key verifies the digital signature of the master signature file (sigdef-default.xml). The file content is signed with a Cisco private key to guarantee its authenticity and integrity; without the matching public key the router cannot verify the package and will not load it.
    To configure the IOS IPS crypto key, open the text file, copy its contents, and paste them at the global configuration prompt. The pasted text starts with:
    crypto key pubkey-chain rsa
      named-key <key-name> signature
      key-string
        <hex key material from the file>
    If the key is configured incorrectly, it must be removed and then reconfigured. Use no crypto key pubkey-chain rsa (or no named-key <key-name> signature inside the pubkey-chain) to remove it, then paste the file again.

    Step 4. Enable IOS IPS.
    Create a rule name.
    SDEE (Security Device Event Exchange) notification is disabled by default and must be explicitly enabled. SDEE is a standard that specifies the message format and the protocol used to communicate events generated by security devices. SDEE uses HTTP and XML, so the router's HTTP server must be running for SDEE notification to work.
    ! 1) Identify the IPS rule name and specify the config location.
    !    Optional ACL: traffic permitted by the ACL is inspected by the IPS; traffic denied by the ACL bypasses inspection.
    ip ips name <rule-name> [list <acl>]
    ip ips config location flash:<directory-name>
    ! 2) Enable SDEE and logging event notification.
    ip http server             <- SDEE is carried over HTTP
    ip ips notify sdee         <- enable IPS SDEE event notification
    ip ips notify log          <- enable syslog notification
    ! 3) Configure the signature categories. Signatures are grouped into categories, and the categories are hierarchical.
    !    Retire everything first, then unretire only the category to be compiled (ios_ips basic or ios_ips advanced).
    ip ips signature-category
     category all
      retired true
     category ios_ips basic
      retired false
    ! 4) Apply the IPS rule to the desired interface and specify the direction.
    interface <type/number>
     ip ips <rule-name> {in | out}
    Step 5. Load the IOS IPS signature package to the router.
    copy ftp://ftp_user:password@Server_IP_address/signature_package idconf
    ! The idconf keyword tells the router to compile the package into the IPS configuration rather than just copy the file.
    To verify that the signature package is properly compiled, use:
    show ip ips signature count
    CCP provides controls for applying Cisco IOS IPS on interfaces, importing and editing signature files, and configuring the action that Cisco IOS IPS takes if a threat is detected. The tasks for managing routers and security devices are displayed in a task pane on the left side of the CCP home page. Choose Configure > Security > Intrusion Prevention to display the intrusion prevention options in CCP.

    Cisco IOS IPS feature configured with CCP
    Step 1) Configure > Security > Intrusion Prevention
    Create IPS: Launch IPS Rule Wizard
    ('SDEE notification is not enabled' will appear)

    Step 2) IPS Wizard will appear, Select Interfaces (Inbound/Outbound)
    Step 3) Configure Signatures
     - Specify Signature File  (from PC, http/ftp server or Internet)
     - Configure Public Key
       The public key file downloaded from Cisco is used to verify the digital signature of the IPS signature file.

    Here's why: if an attacker distributed a bogus set of signatures and you unknowingly installed them, this could create a hole in your defenses (signatures that never fire, or that deny legitimate traffic). To protect against that, Cisco signs the signature files with its private key, and the only way to verify that signature is to have the public key of the entity that signed it. That is why the Cisco public key is installed on the router that needs to verify the signature on the IPS signature file. The public key file is obtained from the same Cisco download location as the signature package (login required).

    Step 4) Config Location and Category
     - Specify the directory path of the IPS config file
     - Choose Category: basic/advanced

    - Configuration files that the router will use to maintain any configurations related to signatures.
    - The Advanced category has more than 1000 signatures enabled, and the Basic category has fewer than 500 signatures enabled. If your router has plenty of memory and CPU resources available, you could use the Advanced category

    Step 5) Summary Window will appear.
    If OK-> Press Finish.

    Be aware that as this is deployed there will be a very heavy hit on CPU resources while the router compiles all the signatures in the micro-engines that are associated with the Basic category. This could be up to 5 minutes on a low-end router, with CPU utilization near 100% during that time.
    R1# show process cpu sorted | include seconds
    CPU utilization for five seconds: 80%/100%; one minute: 85%; five minutes: 73% 

    Sample setup with CCP generated config 
    ip ips notify SDEE
    ip ips name sdm_ips_rule
    ip ips signature-category
     category all
      retired true
     category ios_ips advanced
      retired false
    interface FastEthernet0/1
     ip ips sdm_ips_rule out
     ip virtual-reassembly
    interface FastEthernet0/0
     ip ips sdm_ips_rule in
     ip virtual-reassembly
    ip ips config location flash:/

    Modify Cisco IOS IPS signatures
    The Cisco IOS CLI can be used to retire or unretire individual signatures or a group of signatures that belong to a signature category.
    Some unretired signatures might not compile because of insufficient memory, invalid parameters, or if the signature is obsolete.
    Retire an individual Signature
    conf t
    ip ips signature-definition
    signature 6130 10   <-   6130=signature ID,  10=subsignature ID
    retired  true

    Unretiring a Signature Category
    conf t
    ip ips signature-category
    category ios_ips basic
    retired  false
    [confirm] Y
    ! Only signatures in the ios_ips basic category will be compiled into memory for scanning.

    The IOS CLI can also be used to change signature actions for one signature or a group of signatures based on signature categories.
    R1(config)# ip ips signature-definition
    R1(config-sigdef)# signature 1002 0
    R1(config-sigdef-sig)# status
    R1(config-sigdef-sig-status)# retired false
    R1(config-sigdef-sig-status)# enabled true
    R1(config-sigdef-sig-status)# exit
    R1(config-sigdef-sig)# engine
    R1(config-sigdef-sig-engine)# event-action produce-alert
    R1(config-sigdef-sig-engine)# event-action deny-packet-in
    R1(config-sigdef-sig-engine)# exit
    R1(config-sigdef-sig)# exit
    R1(config-sigdef)# exit
    Do you want to accept these changes? [confirm] <Enter>
    Verify Cisco IOS IPS
    The following are privileged EXEC commands:
    show ip ips all             <- displays all IPS configuration data (can be lengthy)
    show ip ips configuration   <- displays additional configuration data that is not shown by show running-config (e.g. the default actions for attack signatures)
    show ip ips interfaces      <- displays interface configuration data (which rule is applied where, and in which direction)
    show ip ips signatures      <- verifies the signature configuration (add the keyword details for more)
    show ip ips statistics      <- number of packets audited and the number of alarms sent (additional keywords are available)
    clear ip ips configuration  <- disables IPS, removes all IPS configuration entries, and releases dynamic resources
    clear ip ips statistics     <- resets statistics on packets analyzed and alarms sent
    Monitoring Cisco IOS IPS
    Cisco IOS IPS provides three methods to report IPS intrusion alerts:
     - Security Device Event Exchange (SDEE), as consumed by CCP,
     - Cisco IOS logging via syslog,
     - SNMP.
    ip ips notify [log | sdee]
    The log keyword sends messages in syslog format.
    The sdee keyword sends messages in SDEE format (the router's HTTP server must be enabled for SDEE).

    clear ip ips sdee {events | subscription}   <- clears the SDEE event buffer or the SDEE subscriptions
    Best Practices When Tuning IPS  
    The following are best practices when tuning IPS:  
     ■    Begin with the basic signature category, and see how much memory and CPU utilization this takes in the production network, before moving to the advanced signature category which will take significantly more CPU and resources from the router.  
     ■    Schedule downtime for the installation and updates.  
     ■    Retire signatures that are irrelevant to your network to save resources on the router.  
     ■    Monitor free memory to ensure that you do not cause harm to your router by loading too many additional services.  
     ■    There are options available that tell the IOS router not to forward any traffic through an IPS-protected interface if some type of problem causes the signatures not to compile. The term for this is fail closed (ip ips fail closed). The other option, in which the router still forwards traffic if the IPS signatures fail to compile, is called fail open. Based on the security policy, choose the option that meets the needs of the company: fail closed could cause a network outage because of an IPS failure, but it is more secure than fail open.  
     ■    For performance reasons, be very careful before unretiring and enabling the All category of signatures.