Cisco CCIE Security 350-701 – Intrusion Prevention System – IPS

1. Intrusion Prevention System – IPS

My intrusion prevention system is actually a system can be a hardware or software which is going to detect the different types of intrusions in the network, or detect some kind of malicious traffic and then either stop it before it reaches the target. So the main job of the IPS is to identify the different types of malicious traffic, classify them, and if possible, stop or block those malicious traffic in the real time traffic. So how it’s going to do that? It’s going to do some kind of deep packet inspections, either at the network level or at the host level. And it’s going to examine the different traffic flows in the network. It’s going to detect the possible vulnerabilities or the expert which experts used by the attacker.

So the job of the IPS is to make sure that whatever the protocols running in the network are running as per the standards. Like, take an example. If you’re using some kind of UDP traffic and if there is an excess of UDP traffic, which is something not normal, or maybe there is some kind of SNMP traffic which is not working as per the standards, or behaving something differently than the normal behavior. Or maybe you may have a web server. Let’s say the user, the attacker, someone on the Internet is trying to initiate an FTP session for the web server, which is like unusual activity.

So the IPS is capable of monitoring the network traffic and it’s going to detect those unusual traffic on the network. And based on that, it can either stop that particular intrusions because it’s not normal, because attackers will try to use different methods to introduce some attacks. So it’s going to report the intrusion, even identify even the capable of logging that information. Now, based on that information, again, IPS can either send an alarm to the administrator, probably to the administrator, or maybe to a firewall, probably. It can either drop a malicious traffic if it is in the transit, or if it can drop that particular traffic or maybe reset the connections, or maybe it can block the particular traffic from that particular.

2. IDS vs IPS

Now the next thing we need to understand about IDs and IPS IPS stands for Intrusion Prevention system and ideas stands for Intrusion detection system. So ideas are like the now we can say IPS is the successor of the ideas because initially we used to have something called intrusion detection system, which only detects attacks and it can generate some alerts to the management stations based on some kind of attack. If it is happening, any unusual activity is happening in the network and based on that, the management station or the administrator can actually take an action. So the network administrator is responsible for taking action based on the alerts. So either he can drop that particular connection or maybe he can actually block the particular traffic or just reset the connection, it depends.

But the ideas do not have the capability to take any actions, so it doesn’t stop any actions, so it cannot stop actually. So simply detection means only detect. So the IPS, the one which we use intrudes networks, we call them as intrusion prevention system because they are capable of detecting as well as preventing in general. So it can either detect the intrusions in the network and also it can prevent the possible attacks by simply blocking that particular traffic. So it can either drop the particular traffic or block the traffic or reset the connections. Like TCP connections can be resettled or it can also issue a shun command to the firewall.

3. Host Based IPS vs Network Based IPS

Now the IPS technologies can be deployed either at the network level or at the host level. So typically we call it as hostbased IPS or the network based IPS. Now the basic difference is like the hostbased IPS is going to protect that particular endpoint which includes like workstations servers or the end devices like mobile phones. Whereas the network based IPS, it’s something installed in the network as a layer to device. So probably and is responsible for capturing the network traffic and based on the captures it is going to do analyze and find for any kind of suspicious traffic. Now if you just see some more information on the host base, like I said, the host base just protect the endpoints. So typically installed on each and every endpoint it can be a computer or a server or maybe some kind of mobile devices and the hostbased IPS is going to control that particular access to the system resources. Like if you take an example, maybe there is a kind of attack where user is using a word file but this word file is trying to make changes to the system password.

So this is some kind of suspicious activity going in your network. So the host based IPS installed on that machine is going to check whether that particular program or the application is having permissions to make any changes to the system files and if it doesn’t have permissions, probably it’s going to deny that particular activity. So host based IPS majorly protect against some kind of other attacks relating to system memory, like buffer overflow attacks which will attack on the system memory and resources and probably some other attacks like the attacker want to gain.

Access to the computer or specific device so that he can install some kind of malicious traffic into that. And probably he can get the information about all the information on that particular machine, like maybe the database or maybe may get some keystrokes. Whatever the user is typing may get those kind of information. So the host based IPS allows you to detect those kind of modifications and it’s going to prevent those things and even it can actually log those activities in general. So practically host based IPS is like host dependent. But again network based IPS are majorly installed in the network.

Typically we call it as device sensors and these sensors are installed as a layer to device, like a transparent device because these devices are transparently, not seen in general for any device. So no IPRs will be given to these sensors, they are like just a transparent devices. Of course we do have an IP address for management purposes or for sending the log reports but it’s more like a switch where you don’t need to adjust a transparent device. And in the network based IPS we are going to tell either a switch or a router typically to capture the traffic and forward it to the IPS. Or maybe if the IPS is in the transit, it’s going to sense or capture the traffic and then analyze.

And if it finds any kind of malicious or any unauthorized activity in the network, like maybe if you take an example, like you have too much of UDP excess traffic in the network, which is unusual. Or maybe some other protocols like SNMP or any other protocols is normally not behaving properly. Like maybe this SNMP is actually writing down or making some changes to the system files which is not normal in general. Or maybe there is an account computer which is trying to access a remote device, maybe a telephone or any other devices. So network based IPS are responsible for monitoring some suspicious activities in the network and it can take an action based on the configurations. So if you compare these two majorly host based or more host specific protect application, it provides some application level kind of encryption protection in general. Whereas the network based are more cost effective solutions and they are not visible in the network because the host base are actually visible in the network.

That is one of the limitations and they are actually independent of the operating systems, what you run the network based but whereas the host base are based on the operating system dependency. So again, some of the older IPS they cannot examine some of the encrypted traffic. Sometimes you may not be able to know whether the attack was successful or not. So these are some of the limitations but mostly in the networks will be setting up some kind of network based IPS engine.

4. IPS Deployment Modes – INline vs Promiscious

The IPS can be deployed in two different modes, either inline mode or on the promise here’s mode. Now, the basic difference is in the inline mode IPS will be in the actual transit path. So which means when, let’s say there is a traffic coming from the internet. Now this traffic as it moves to the gateway, there is a router or a firewall before it actually reaches the target or any specific host in the network or sends some kind of malicious traffic or whatever it is, it has to pass through the sensors that is your IPS. Now, based on this, the IPS, if it detects any kind of malicious traffic or any kind of traffic where an attacker is trying to gain access to some resources. So once it detects or matches the signatures, it’s going to immediately block that connection.

So all the traffic has to pass through the IPS, so it’s more effective, especially from, again, it’s some worms and atomic attacks and all the traffic has to flow through the IPS. So it takes a packet analyzes with the database and depending upon the content, it will either permit or deny. Of course, one of the drawback with this inland mode is all the traffic has to pass through the sensors, so it may add some delay for most of the valid traffic which needs to be allowed because it has to analyze each and every packet which is moving into the network from the outside network.

So what we can do is we can configure something like Promiscuous mode, also called as passive mode. In the Promiscuous mode, the IPS is not in the transit, so it’s configured somewhere in the network in the Lamb. And when the traffic is coming, it may go directly to the Lamb without going through IPS. But the intermediate device, the switch will configure a feature called span or switch port analyzer where we are going to tell the switch to send a mirror of the copy mirror or simply we can say copy of that traffic which is going from the outside network to the destination targets to the sensors where it is going to analyze the packet. And if it finds any kind of vulnerability, it’s going to trigger an action either to a firewall or it can tell the firewall to simply drop the traffic.

So IPS can generate some alerts and take an action based on the pattern match according to the signature database. Again, same thing, it can detect and send alert just like a normal IPS. But only difference is that captured traffic done by the switch is forwarded to the sensors for detection. Now, depending upon the requirement, you can either configure the IPS in inline mode where it can be in the transit path and all the traffic has to go via sensors.

5. Cisco IPS Solutions

Now Cisco offers wide range of solutions for IPS like initially starting with so we have some dedicated appliance from Cisco, Cisco IPS 4300 series or 400 series. So if you just search for Cisco iOS appliance so majorly you will see next Generation IPS because Cisco is promoting the next generation IPS which supports more advanced threat production. But if I just scroll down to some of the IPS sensors, some of the series you’ll find most of this series are actually end of sale, end of light trades because you have the replacement product of next Generation IPS which is something Cisco you will find Cisco Firepower service next Generation IPS.

So I’ll talk about more on this in the next video, more in detail on what exactly the additional benefits we get compared to the normal IPS. So we have an option of having a dedicated appliance. So if you are in the running in the production’s networks, maybe some IPS models, you can still get some protection or detection probably with these appliances. Or it can be done based on the hardware module or the software models because the IPS we can deploy it as a hardware module in case of ISR G two routers. Like we can typically some 800 series or 2000 3800 series routers.

So we can install different models like IPS Aim which is advanced integrated Model majorly for small size organizations. Or even you can go with some NME IPOs which is network Module enhancement mostly for the big size organizations. So generally it depends upon the weight of different platforms. Like most of the small size routers support this Aim model. Probably some other platforms like two eight double one or 3845 or two nine double one series probably they do support NME IPS modules. So we can add these modules on the Cisco ISR router and we can get the benefits of the IPS through a module or even in the Cisco ASA 55 85 X series we have a separate model called SSP model which stands for Security Service Processor Model which can do the same job as an IPS.

So we can have a dedicated appliance or it can be a model added on the router or on the ASA firewalls or it can also be a software model because some of the ASA model supports a software model. It runs like a separate application from the ASA. So let’s say you got an ASA here, it runs something like an application, almost like a separate component. So the traffic comes, the VPN traffic, let’s say any traffic comes to the ASA, it will encrypt or it will check the firewall policies and then send it back to the IPS. Whether it is a software of the hardware module and then IPS is going to verify and if it is malicious, probably it is going to block. If it is an alert traffic, it is going to send back to the ASA to send back into the inside interface.

So we can run the IPS either in the form of modules or dedicated appliances, or even you can run in some Cisco IBASE versions, you can install an iOS software or the iOS versions which supports the IPS features which provide some deep packet inspection on the Cisco iOS routers. Again, some of the models, like most of the eight ISR series routers, including some iron routers like 7000 series segment platforms, again you can say 7204 and six VXR router. Now, we can always use the Cisco iOS feature navigator to check which platforms and which iOS versions actually support this feature. So as I said, most of these appliances will be updated because Cisco now we have some kind of next generation IPS which is providing more advanced protection when we compare with the existing IPS devices.

• Category: Uncategorized