Cisco CCIE Security 350-701 – Intrusion Prevention System – IPS Part 2

6. IPS Threat Detection Methods

Now the next thing we’ll discuss about IPS thread detection mechanisms or the methods. Now, IPS will be configured to detect the threads based on some options. And these are the four options. What you can see. Here we’ll go. One by one. So most of the IPS will go with a signature based thread detection. In some IPS vendors it is also called as pattern based. Now in this, the IPS is going to maintain some kind of database. So let’s say the database is going to contain some kind of signatures.

Now, signatures are nothing but different patterns of attacks which can generally occur and probably if there is any traffic coming from the attacker, from the internet. And let’s say one of the pattern is, let’s say if the pattern includes a word called surprise. So that has to be denied by the IPS. So when it moves to the ideas or the IPS device, probably it’s going to detect that this actually includes a word called surprise. So this is a kind of attack. So probably the IPS or the IDs device, it’s going to deny.

So it works more like an antivirus program in your computers. Like the antivirus programs have a predefined database or call signatures and if you try to run any kind of file in the computer, it’s going to automatically deny. Just like exe files with a folder, something like that. So similar way the IPS is going to compare the traffic with its own database and if it matches the pattern or matches the signature, either it is going to generate an alert or it will also stop if the IPS have a mechanism to stop or if it is configured to deny that particular service.

So if the tag matches the small way. But the major drawback with this signature pattern is if the attacker is going to make a small variation in the threat signatures. Like, let’s say this is like surprise, if you change the spelling probably, or maybe he just modify the actual signatures. And if the attacker is trying to introduce the same thing so as it does not match the signatures, there is a possibility that this will be allowed to the company network.

So signature based thread distributions are not efficient if the attack is unknown, if it is not present in the signature database. And again, you need to constantly update the signature database on a daily basis to make sure that the new threats coming into the network probably that will be updated in the signature database as well. So there are some couple of examples. Like there is a kind of land attack. Whenever the administrator or the IPS device detects it looks like a land attack, it is going to deny. So the next thing there are some other threats like animal trade detections. Now, this is typically based on unnormal behavior of the network, like let’s say the normal behavior of the network. Let’s say an example, the UDP traffic. Generally there is a specific amount of traffic coming per day.

But if this UDP traffic is exceeding or there is a too much of UDP traffic that is like unusual traffic or maybe an attacker, there is a web server, probably web server attacker is actually initiating an FTP session to the web server. Or maybe there is a user who can run some specific applications and that user, like an accounts user is trying to modify the system registry files or the files in the Windows operating systems or maybe some kind of SNMP protocol you’re running. And that protocol is not working as per the normal behavior. So generally IPS is going to detect based on unnormal behavior of the specific protocols or other applications and based on that it will detect and based on that it can take an action. Again, the next thing is like policy based detection method. When the policy based detection method the administrator is going to configure some kind of policies and anything matching that policy it’s going to take an action.

So anything, any traffic comes which matches the policy detects and based on that it will generate an alarm or it’s going to block that particular traffic. Like take an example from the internet you configured a policy that telegraph should never enter and from the internet there should not be any kind of SS connections initiated from the outside network. So if it is initiated means it might be an attack or so the next thing is like there is one more thread detection mechanism based on reputation based. Now in this detection method, reputation based generally the detection is done based on the reputation database.

Now this database is like collection of all the I processors which might be sending some kind of threads or the malicious course or maybe a specific URLs or the domains. And these are all updated constantly either by the Cisco probably or multiple vendors. So you have a centralized database on the Internet and this is periodically updated based on the new threads detected and when any kind of traffic is coming, probably the firewall or if you are converting some IPS devices is going to constantly check with this database and if it finds any kind of traffic or the pattern matching the particular source IP addresses or the URLs or the DNS, probably it’s going to drop that particular traffic and which of the traffic which is approved, it will be allowed. So we can also configure the IPS to detect the threads based on the replacement.

7. IPS Signature Alarm Types

Now, next thing we need to understand about IPS signature alarm types. Now generally IPS is going to generate four different types of alarms depending upon what kind of traffic is detected, whether the alarms are generated or not generated, whether it matches the database, the signature database, or it doesn’t match the designature database. Now, mainly here first, before we go ahead with the differences, we need to understand, like whenever you see the word called positive, positive refers to that the signature is actually matched. Okay? So whereas negative means the signature is actually not matched, that’s the basic difference. So the signature matches, it’s nothing, but it’s a positive. If the signature do not match nothing, there is nothing but negative.

And whereas we need to understand something called true. True means a malicious traffic is detected, whereas the false means it’s like normal traffic is detected. So if you want to understand these differences, so true represents the malicious traffic is detected. Like here you can see true malicious traffic is detected and we say positive. Now positive means the malicious traffic is detected, which is nothing but true. And positive refers to the signature is actually matched and the alarm is generated. But whereas when you say true, true means again the malicious traffic is detected, but the signature is actually not matching and there’s no alarm is generated. So generally the alarm is generated only if the signature matches in general. But whereas whenever you say false, false means a normal traffic. So which means in both the cases, normal traffic is detected. Now, the false positive means normal traffic is detected. Now, positive refers to it matches the signature, even though it is a normal traffic, it matches the signature and alarm will be generated. Now, based on the alarm, it will be either blocked or a load, depends upon the configuration on the IPS. And whenever you say in false, false means again the normal traffic is detected, whereas negative means no signature is matching, which means no alarm is generated.

So the ideal traffic flow or the ideal alarms in your network will be like the ideal settings will be always it has to be true positive. So which means the true means it matches the database, right? That’s what the true positive means. Sorry, true positive is nothing, but malicious traffic is detected and you need to generate the alarm. So that is the ideal setting. So whenever you see any malicious traffic in the network, you definitely want the signatures to be matched and alarm should be generated. So this is one of the ideal settings you always expect in your IPS, the behavior and the other ideal is going to be like the other one true negative, where.

8. IPS Signature Actions

Now the IPS can be configured to generate some or take some actions depending upon the traffic when it matches the signatures. Like let’s say there is some traffic coming from untrusted source and you got some sensors in the path and it matches the particular traffic against the signatures. Now we can configure these sensors to take an appropriate action. Now these are the different actions can generate. Like the first one is like generating an alert message.

Now this is like alert message to an administrator or maybe an alert, maybe there is some kind of summary alerts it can generate. Now these summary alerts are like indicating the multiple occurrence of the same signature from the same source address. So let’s say there’s a source of 51 one and it is generating a multiple traffic and it matches the database and based on that it is going to generate an alerts and based on that IPS can take an action or it can trigger to the management server or to the firewall to take some appropriate action. Now the other possibility is logging the activity. Like IPS can also be configured to take an action of logging the specific activity like lock the attacker packets or maybe a pair of packets from the attacker or just the packets of the victim. So it can be the packet of the victim or the packet of the attacker as well.

So based on the logs and these logs will be used by the administrator to perform some kind of detailed analysis and then identify and make sure that it can either allow or deny this particular traffic pattern in the future. So this will be useful for monitoring kind of thing. Now the other option is like IPS can also be configured with an action of dropping or preventing the activity. Like IPS can be enabled to deny the attacker packets or simply deny the connection. Like let’s say the attacker is initiating some kind of TCP connection, the sensors can be configured to deny if it matches this pattern. Now the other possibility is like resetting the connections. Now resetting connections mostly based on the TCP TCP flow connections where the sensors can be configured to reset the connection or request a block of that particular connection in the future as well.

Or even initiate that the connection should be blocked from that particular source IP address. Or maybe you can also configure the sensors to generate an SNM bitch messages to the monitoring station about this kind of activity so that the administrator will come to know about this activity again. Some other options like blocking this same activity in the future or maybe sometime.

9. IPS Evasion Methods – CounterMeasures

IPS evasion mechanisms or the techniques. Now these are like the different methods used by an attacker to bypass the intrusion detection system or the intrusion prevention systems. So it’s like you configured an IPS in the network but probably some traffic may actually bypass the IPS mechanisms. Like one of the common method used by the attacker is encrypting and tunneling. Now in encryption probably the network sensors will totally rely on the traffic which is coming and going in a clear text and the traffic is actually encrypted, so it will not be able to detect some kind of malicious traffic going inside that particular connection as an encrypted packet. So typically like remote VPN connections or it can be some kind of tunnel connections between side to sides. So that is one issue. Of course we have a solution for that. The other possibility is like timing attacks.

Now in this timing attacks, the attacker actually can bypass this IPS by delaying the actions slower than normal. So it’s like sending the attacker packets which doesn’t exceed the threshold value and sending within the time range or time windows size, probably not sending too many attacking packets. Like one of the examples like slow recognizes attacks, that is one of the example. The other possibilities like resource exhaustion probably in the resource exhaustion attacker used some specific tools and these tools can be used to create a large number of alarms.

Like you got an IPS configured here. So the attacker is going to send some fake traffic, which is some kind of attacking attacker traffic, and then IPS is going to send some alarms. And most of the resources of the IPS will be utilized to generate these alarms and which can consume lot of resources of the IPS. And also it will prevent most of these events actually from being locked. So whereas as it adds delay in the services. So where the attacker intention is to generate some false alarms and then resource and then make sure that the resources are exhausted on the IPS and most of the events may not get logged due to those resource exhaustion, traffic fragmentation. This is like attacker will try to split the malicious traffic into small packets probably to avoid the detection.

One kind of IPS evasion technique and there are some more options like protocol level misinterpretation. Now this is like attacker will actually intentionally corrupt some of the TCP checksum values of specific packets, whereas the IPS will think that there is some issue with a checksum. Probably it is actually a valid packet with a false checksum value. And then the IPS will think that there is a false checksum value. Not. It’s still a valid packet. And then later on attacker will send with a proper checksum value. But it’s an invalid packet. So as there is a similarity between these two, the IPS may think that it might be the same packet. So it just allows.

So that is what protocol misinterpret interpretation where IPS may interpret thinking that the malicious traffic might be like a valid packet because it has already checked the similar packet previous it was valid and it will think the next packet was also valid because it carries the same values or look like same packet. Now other options like traffic substitution insertion option in this attacker attempts to substitute the payload with other data like the payload is going to replace by the attacker and almost it looks like the same meaning, just like substituting a different packets which look similar or which has the same meaning. Now, there are different tools available on the internet which can be used by the attackers to introduce this kind of attacks.

So our focus is not on that particular part where how this attacks works or how exactly to introduce these attacks, but we need to make sure that we can take some proper quantum measures to overcome this kind of threats or the evasion methods. Typically these are the tools what can be used for traffic fragmentation and of course the Cisco IPS and the Evasion features has to be enabled to overcome this kind of techniques used by the attacker to bypass the IPS.

Like to overcome this traffic fragmentation, you need to make sure that you have full session reassembly in the string and service engines to overcome this attack. Probably you need to normalize the data by using inside the service engines. And for misinterpretation you need to make sure that your Ipttl validation and the checksum validation options for timing attacks, you need to use some kind of CS mask, some similar tools for verifying the intervals.

• Category: Uncategorized