CCNA Security Chapter 5 Notes
IDS and IPS Characteristics
Internet worms and viruses can spread across the world in a matter of minutes. A network must instantly recognize and mitigate worm and virus threats. Firewalls can only do so much and cannot protect against malware and zero-day attacks.
Intrusion Detection System
- An attack is launched on a network that has a sensor deployed in promiscuous IDS mode. Copies of all packets are sent to the IDS sensor for packet analysis. However, the target machine will still experience the malicious attack.
- The IDS sensor matches the malicious traffic to a signature and sends the switch a command to deny the malicious traffic.
- The IDS sends an alarm to a management console for logging and other management purposes.
Intrusion Prevention System
- An attack is launched on a network that has a sensor deployed in IPS inline mode.
- The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.
- The IPS sensor can send an alarm to the management console for logging and other management purposes.
- Traffic that violates a signature can be dropped by the IPS sensor.
Common characteristics of IDS and IPS:
- Both technologies are deployed as sensors.
- Both technologies use signatures to detect patterns of misuse in network traffic.
- Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).
IDS Advantages and Disadvantages
- Advantages
- No impact on network (latency, jitter)
- No network impact if there is a sensor failure
- No network impact if there is sensor overload
- Disadvantages
- Response action cannot stop trigger packets
- Correct tuning required for response actions
- More vulnerable to network security evasion techniques
IPS Advantages and Disadvantages
- Advantages
- Stops trigger packets
- Can use stream normalization techniques
- Disadvantages
- Sensor issues might affect network traffic
- Sensor overloading impacts the network
- Some impact on network (latency, jitter)
IPS Signature Characteristics
Signatures have three distinctive attributes:
- Type
- Trigger (alarm)
- Action
Signature Types
Signature types are generally categorized as atomic or composite.
Atomic
An atomic signature is the simplest type of signature. It consists of a single packet, activity, or event that is examined to determine if it matches a configured signature. If it does, an alarm is triggered, and a signature action is performed. Because these signatures can be matched on a single event, they do not require an intrusion system to maintain state information. State refers to situations in which multiple packets of information are required that are not necessarily received at the same time. For example, if there was a requirement to maintain state, it would be necessary for the IDS or IPS to track the three-way handshake of established TCP connections. With atomic signatures, the entire inspection can be accomplished in an atomic operation that does not require any knowledge of past or future activities.
Detecting atomic signatures consumes minimal resources (such as memory) on the IPS or IDS device. These signatures are easy to identify and understand because they are compared against a specific event or packet. Traffic analysis for these atomic signatures can usually be performed very quickly and efficiently. For example, a LAND attack is an atomic signature because it sends a spoofed TCP SYN packet (connection initiation) with the IP address of the target host and an open port as both source and destination. A LAND attack works because it causes the machine to reply to itself continuously. A single packet is enough to identify this type of attack. An IDS is particularly vulnerable to an atomic attack because, until it finds the attack, malicious single packets are allowed into the network. However, an IPS prevents these packets from entering the network altogether.
Composite
A composite signature is also called a stateful signature. This type of signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Unlike atomic signatures, the stateful properties of composite signatures usually require several pieces of data to match an attack signature, and an IPS device must maintain state. The length of time that the signatures must maintain state is known as the event horizon.
The length of an event horizon varies from one signature to another. An IPS cannot maintain state information indefinitely without eventually running out of resources. Therefore, an IPS uses a configured event horizon to determine how long it looks for a specific attack signature when an initial signature component is detected. Configuring the length of the event horizon is a tradeoff between consuming system resources and being able to detect an attack that occurs over an extended period of time.
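The following Python sketch is an added example, not part of the original notes or of any Cisco sensor code. It shows the difference the two sections describe: an atomic LAND signature decided from one packet, and a composite signature that must keep per-source state and expire it after an event horizon. The packet layout, the sweep threshold (5 distinct ports) and the 10-second horizon are assumptions chosen for the illustration; the sample traffic is constructed, not captured. The slow probe at the end is deliberately spaced wider than the horizon, so it never alarms, which is the tradeoff the paragraph above describes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment: only the fields the two signatures need."""
    ts: float     # arrival time in seconds
    src: str
    dst: str
    dport: int
    flags: str    # TCP flag letters, e.g. "S" = SYN, "A" = ACK


def land_attack(pkt: Packet) -> bool:
    """Atomic signature: one SYN whose source address equals its destination.

    No state is needed; the verdict comes from this packet alone.
    """
    return "S" in pkt.flags and pkt.src == pkt.dst


class SynSweepSignature:
    """Composite (stateful) signature: SYNs from one source to `threshold`
    distinct ports on one host inside `event_horizon` seconds.

    Threshold and horizon are hypothetical values chosen for this example.
    """

    def __init__(self, threshold: int = 5, event_horizon: float = 10.0):
        self.threshold = threshold
        self.event_horizon = event_horizon
        # State per (src, dst): list of (ts, dport) still inside the horizon.
        self.state = defaultdict(list)

    def inspect(self, pkt: Packet) -> bool:
        if "S" not in pkt.flags:
            return False
        key = (pkt.src, pkt.dst)
        cutoff = pkt.ts - self.event_horizon
        # Expire entries older than the event horizon, then record this packet.
        window = [(t, p) for (t, p) in self.state[key] if t >= cutoff]
        window.append((pkt.ts, pkt.dport))
        self.state[key] = window
        if len({p for _, p in window}) >= self.threshold:
            self.state[key] = []     # reset state once the alarm has fired
            return True
        return False


def run_sensor(packets):
    """Feed packets through both signatures; return (name, ts, src) alarms."""
    sweep = SynSweepSignature()
    alarms = []
    for pkt in packets:
        if land_attack(pkt):
            alarms.append(("LAND", pkt.ts, pkt.src))
        if sweep.inspect(pkt):
            alarms.append(("SYN_SWEEP", pkt.ts, pkt.src))
    return alarms


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet(0.0, "10.0.0.5", "10.0.0.5", 139, "S"),        # LAND: src == dst
    Packet(1.0, "198.51.100.7", "10.0.0.5", 21, "S"),     # fast sweep ...
    Packet(1.1, "198.51.100.7", "10.0.0.5", 22, "S"),
    Packet(1.2, "198.51.100.7", "10.0.0.5", 23, "S"),
    Packet(1.3, "198.51.100.7", "10.0.0.5", 25, "S"),
    Packet(1.4, "198.51.100.7", "10.0.0.5", 80, "S"),     # ... 5th port -> alarm
    Packet(2.0, "192.0.2.10", "10.0.0.5", 443, "S"),      # ordinary client
    Packet(10.0, "203.0.113.9", "10.0.0.5", 21, "S"),     # slow sweep: one port
    Packet(25.0, "203.0.113.9", "10.0.0.5", 22, "S"),     # every 15 s, outside
    Packet(40.0, "203.0.113.9", "10.0.0.5", 23, "S"),     # the 10 s horizon,
    Packet(55.0, "203.0.113.9", "10.0.0.5", 25, "S"),     # so state never
    Packet(70.0, "203.0.113.9", "10.0.0.5", 80, "S"),     # accumulates
]

if __name__ == "__main__":
    for alarm in run_sensor(SAMPLE):
        print(alarm)
```

Running it yields two alarms: the LAND packet at t=0.0 and the fast sweep at t=1.4. Widening the horizon (for example `SynSweepSignature(threshold=3, event_horizon=100.0)`) makes the slow probe visible at the cost of keeping state for every source much longer.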
Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the signature trigger. Consider a home security system. The triggering mechanism for a burglar alarm could be a motion detector that detects the movement of an individual entering a room protected by an alarm.
The Cisco IDS and IPS sensors can use four types of signature triggers.
- Pattern-based detection
- Anomaly-based detection
- Policy-based detection
- Honey pot-based detection
Pattern-Based Detection
Pattern-based detection, also known as signature-based detection, is the simplest triggering mechanism because it searches for a specific, pre-defined pattern. A signature-based IDS or IPS sensor compares the network traffic to a database of known attacks and triggers an alarm or prevents communication if a match is found.
Anomaly-Based Detection
Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. This normal profile can be learned by monitoring activity on the network or specific applications on the host over a period of time. It can also be based on a defined specification, such as an RFC. After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.
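As an added example (not from the original notes and not vendor code), the Python below shows the two ways of defining "normal" that the paragraph names: a profile learned from observed activity, here per-minute connection counts with a mean-plus-k-standard-deviations threshold, and a profile taken from a specification, here TCP flag combinations that have no meaning in a conforming exchange (RFC 793 gives SYN and FIN opposite roles). The multiplier k=3, the baseline counts and the observations are constructed for the illustration.

```python
import statistics


def learn_profile(samples, k=3.0):
    """Build a 'normal' profile from observed per-minute connection counts.

    The threshold is mean + k standard deviations; k is a tunable chosen here
    as an example value, not a vendor default.
    """
    mean = statistics.mean(samples)
    stdev = statistics.pstdev(samples)
    return {"mean": mean, "stdev": stdev, "threshold": mean + k * stdev}


def profile_anomalies(profile, observations):
    """Return (index, value) for each observation above the learned threshold."""
    return [(i, v) for i, v in enumerate(observations) if v > profile["threshold"]]


# Specification-based 'normal': SYN opens a connection and FIN closes one,
# so a segment carrying both, or SYN together with RST, does not occur in a
# conforming TCP exchange and is treated as anomalous.
ILLEGAL_FLAG_SETS = ({"S", "F"}, {"S", "R"})


def violates_tcp_spec(flags: str) -> bool:
    """True when the flag letters contain one of the illegal combinations."""
    flagset = set(flags)
    return any(bad <= flagset for bad in ILLEGAL_FLAG_SETS)


# Constructed training data: connections per minute during a quiet learning period.
BASELINE = [40, 42, 38, 45, 41, 39, 43, 44, 40, 42]
# Constructed observations scored against the learned profile afterwards.
OBSERVED = [43, 46, 120, 41, 60]


def demo():
    """Learn the profile, then score the rate observations and some flag sets."""
    profile = learn_profile(BASELINE)
    rate_alarms = profile_anomalies(profile, OBSERVED)
    spec_alarms = [f for f in ["S", "SA", "SF", "A", "SR", "FA"] if violates_tcp_spec(f)]
    return profile, rate_alarms, spec_alarms


if __name__ == "__main__":
    prof, rates, flags = demo()
    print(f"threshold = {prof['threshold']:.1f} connections/minute")
    print("rate anomalies:", rates)
    print("spec violations:", flags)
```

The learned threshold lands just under 48 connections per minute, so the minutes with 120 and 60 connections are flagged while 46 is not; the flag check flags "SF" and "SR" and leaves ordinary "SA" and "FA" segments alone. Note that anything present during the learning period becomes part of "normal", which is why the baseline window matters as much as k.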
Policy-Based Detection
Policy-based detection, also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis.
Honey Pot-Based Detection
Honey pot-based detection uses a dummy server to attract attacks. The purpose of the honey pot approach is to distract attacks away from real network devices. By staging different types of vulnerabilities in the honey pot server, administrators can analyze incoming types of attacks and malicious traffic patterns. They can then use this analysis to tune their sensor signatures to detect new types of malicious network traffic. Honey pot systems are rarely used in production environments. Antivirus and other security vendors tend to use them for research.
Signature Action
When a signature detects the activity for which it is configured, it triggers one or more actions. Several actions can be performed:
- Generate an alert.
- Log the activity.
- Drop or prevent the activity.
- Reset a TCP connection.
- Block future activity.
- Allow the activity.
Generating an Alert
Monitoring the alerts generated by network-based and host-based IPS systems is vital to understanding the attacks being launched against the network. If an attacker causes a flood of bogus alerts, examining these alerts can overload the security analysts. Both network- and host-based IPS solutions incorporate two types of alerts to enable an administrator to efficiently monitor the operation of the network: atomic alerts and summary alerts. Understanding these types of alerts is critical to providing the most effective protection for a network.
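The following Python function is an added example, not from the original notes or any IPS product, of how atomic and summary alerts keep a flood of repeated hits from burying the analyst. The first hit of a signature from a source produces an atomic alert and opens a summary window; later hits inside the window are only counted, and one summary alert reports the count when the window closes. The 30-second window and the event stream are constructed for the illustration; the signature identifiers are placeholders.

```python
def summarize_alerts(events, interval=30.0):
    """Collapse a stream of signature hits into atomic and summary alerts.

    events: iterable of (ts, sig_id, src) tuples sorted by ts.
    Returns tuples ("atomic", ts, sig_id, src, 1) and
    ("summary", window_start, sig_id, src, suppressed_count).
    `interval` is an example value, not a vendor default.
    """
    windows = {}   # (sig_id, src) -> [window_start, suppressed_count]
    alerts = []
    for ts, sig_id, src in events:
        key = (sig_id, src)
        win = windows.get(key)
        if win is not None and ts - win[0] < interval:
            win[1] += 1          # inside an open window: count it, do not alert
            continue
        if win is not None and win[1] > 0:
            # The previous window has closed; report what it suppressed.
            alerts.append(("summary", win[0], sig_id, src, win[1]))
        alerts.append(("atomic", ts, sig_id, src, 1))
        windows[key] = [ts, 0]
    # Close any windows still open at the end of the input.
    for (sig_id, src), (start, count) in windows.items():
        if count > 0:
            alerts.append(("summary", start, sig_id, src, count))
    return alerts


# Constructed event stream: one source hits placeholder signature 2004 ten
# times in ten seconds, an unrelated source hits 3002 once, and the first
# source returns after the window has closed.
EVENTS = sorted(
    [(float(t), 2004, "198.51.100.7") for t in range(10)]
    + [(5.5, 3002, "203.0.113.5")]
    + [(40.0, 2004, "198.51.100.7")]
)

if __name__ == "__main__":
    for alert in summarize_alerts(EVENTS):
        print(alert)
```

Twelve raw hits become four alerts: an atomic alert for each first hit and one summary stating that nine further hits of signature 2004 from the same source were suppressed. The analyst still sees every distinct signature-and-source pair, just not every packet.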
Logging the Activity
In some situations, an administrator does not necessarily have enough information to stop an activity. Therefore, logging the actions or packets that are seen so that they can be analyzed later in more detail is very important. By performing a detailed analysis, an administrator can identify exactly what is taking place and make a decision as to whether it should be allowed or denied in the future.
Dropping or Preventing the Activity
One of the most powerful actions that an IPS device can perform is to drop packets or prevent an activity from occurring. This action enables the device to stop an attack before it has the chance to perform malicious activity. Unlike a traditional IDS device, the IPS device actively forwards packets across two of its interfaces. The analysis engine determines which packets should be forwarded and which packets should be dropped.
Resetting a TCP Connection
The TCP Reset Signature Action is a basic action that can be used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set. Many IPS devices use the TCP reset action to abruptly end a TCP connection that is performing unwanted operations. The reset TCP connection action can be used in conjunction with deny packet and deny connection actions. Deny packet and deny flow actions do not automatically cause TCP reset actions to occur.
Blocking Future Activity
Most IPS devices have the capability to block future traffic by having the IPS device update the access control lists (ACLs) on one of the infrastructure devices. The ACL stops traffic from an attacking system without requiring the IPS to consume resources analyzing the traffic. After a configured period of time, the IPS device removes the ACL. Network IPS devices usually provide this blocking functionality along with other actions such as dropping unwanted packets. One advantage of the blocking action is that a single IPS device can stop traffic at multiple locations throughout the network, regardless of the location of the IPS device. For example, an IPS device located deep within the network can apply ACLs at the perimeter router or firewall.
Allowing the Activity
The final action is the Allow Signature action. It might seem a little confusing, because most IPS devices are designed to stop or prevent unwanted traffic on a network. The allow action is necessary so that an administrator can define exceptions to configured signatures. When an IPS device is configured to disallow certain activities, sometimes there is a need to allow a few systems or users to be exceptions to the configured rule. Configuring exceptions enables administrators to take a more restrictive approach to security because they can first deny everything and then allow only the activities that are needed.