Cisco Confidential © 2011 Cisco and/or its affiliates. All rights reserved. 1
IPS Workshop
Stijn Vanveerdeghem, Technical Marketing
• During this workshop you will explore the world of Intrusion Prevention. We will review some key technologies as well as new exciting features which are changing the way IPS protects your network.
• IPS Basics
• Cisco IPS Product Portfolio
• IPS Deployment Modes
• ASA With Integrated IPS
• Cisco Security Intelligence Operations (SIO)
• Industrial Control Protection
• Compliance mandates
– PCI Compliance (Retail); HIPAA (Healthcare); Sarbanes-Oxley/GLBA (Finance)
– Fines for non-compliance
• Require high availability and reliability
– Minimize risk of security breach
– Minimize downtime due to security breach
– Reduced patch deployment urgency
• Data Loss Prevention
– Protection of sensitive or confidential information
– Tarnished reputation from security compromises
Figure: vulnerabilities per year, 1999 to 2010 (source: cve.mitre.org); y-axis from 0 to 50,000.
• Overlap of some functions between these two concepts
• Firewall devices focus on stateful packet filtering and application monitoring
• IPS focuses explicitly on pattern-based and anomaly-based network-driven attack detection amongst other techniques
• While a Firewall device is designed to force network activity to adhere to a security policy, an IPS device looks for patterns that indicate a potential network attack or compromise … similar but conceptually different functions
• Both types of devices can drop traffic and mitigate attacks
Signature Based Detection
TCP Normalization
Anomaly Detection
SIO: The power of Global Correlation and Reputation Filtering
Integration with ASA
Industrial Control Protection, a very special kind of signatures
Figure: IPS sensor architecture. Components shown: sensing interfaces (In/Out), Virtual Sensor Selection, Normalizer Module, Modular Inspection Engines (kept current by Signature Updates and Engine Updates), On-Box Correlation Engine (receiving Global Correlation network context information from Cisco Security Intelligence Operations), Risk-Based Policy Control, Mitigation and Alarm, and Forensics Capture.
• An IPS signature matches a distinctive characteristic of traffic
• Signatures are associated with an engine
• New signatures are released and existing signatures are updated continuously.
• Cisco allows customers to write their own “custom” signatures
• AIC
Provides analysis of web traffic
• Atomic
Combines Layer 3 and Layer 4 attributes (IP and TCP) in one signature
• Flood
Detects ICMP and UDP floods directed at hosts and networks
• Meta
Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.
• Multi String
Inspects Layer 4 transport protocols and payloads by matching several strings for one signature. This engine inspects stream-based TCP and single UDP and ICMP packets.
• Normalizer
Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance.
• Service
Deals with specific protocols. The Service engine has the following protocol types: FTP, DNS, HTTP, etc.
• State
Stateful searches of strings in protocols such as SMTP. The State engine now has a hidden configuration file that is used to define the state transitions, so new state definitions can be delivered in a signature update.
• String
Searches for regex strings in ICMP, TCP, or UDP traffic. There are three String engines: String ICMP, String TCP, and String UDP.
• Sweep
Analyzes sweeps from a single host (ICMP and TCP), from destination ports (TCP and UDP), and multiple ports with RPC requests between two nodes. There are two Sweep engines: Sweep and Sweep Other TCP.
• Traffic Anomaly
Inspects TCP, UDP, and other traffic for worms.
• Trojan
Analyzes traffic from nonstandard protocols, such as BO2K and TFN2K. There are three Trojan engines: Bo2k, Tfn2k, and UDP. There are no user-configurable parameters in these engines.
…
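The Meta engine described above correlates events rather than packets: a meta signature fires only when its component signatures are all seen within a sliding time interval. The Python below is an added example written for this page (it is not Cisco code and does not reproduce the sensor's internal engine). The component signature ids 2001 to 2003, the meta signature id 9001, the per-source grouping, the 10-second window and the event stream are all constructed for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample event stream: (timestamp_seconds, signature_id, source_ip).
# Signatures 2001/2002/2003 are hypothetical component signatures; 9001 is the
# hypothetical meta signature that should fire only when all three are seen
# from one source inside a 10-second sliding window.
SAMPLE_EVENTS = [
    (0.0, 2001, "10.1.1.5"),
    (1.5, 2002, "10.1.1.5"),
    (2.0, 2001, "10.1.1.9"),
    (9.0, 2003, "10.1.1.5"),   # completes the set for 10.1.1.5 within 10 s
    (40.0, 2002, "10.1.1.9"),
    (41.0, 2003, "10.1.1.9"),  # 10.1.1.9's 2001 event (t=2.0) has aged out
]


class MetaCorrelator:
    """Correlates component-signature events per source over a sliding window."""

    def __init__(self, component_sigs, window_seconds, meta_sig_id):
        self.components = frozenset(component_sigs)
        self.window = window_seconds
        self.meta_sig_id = meta_sig_id
        self.history = defaultdict(deque)  # source -> deque of (ts, sig)

    def feed(self, ts, sig, src):
        """Return a meta event tuple when the set completes, else None."""
        if sig not in self.components:
            return None                       # not a component of this meta signature
        hist = self.history[src]
        hist.append((ts, sig))
        # Slide the window: discard events older than window_seconds.
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        if {s for _, s in hist} == self.components:
            hist.clear()                      # fire once per completed set
            return (ts, self.meta_sig_id, src)
        return None


def correlate(events, component_sigs=(2001, 2002, 2003), window_seconds=10.0, meta_sig_id=9001):
    """Feed events in time order and collect the meta events that fire."""
    corr = MetaCorrelator(component_sigs, window_seconds, meta_sig_id)
    fired = []
    for ts, sig, src in sorted(events):
        meta = corr.feed(ts, sig, src)
        if meta is not None:
            fired.append(meta)
    return fired


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Only 10.1.1.5 produces a meta event: 10.1.1.9 shows all three component signatures, but its first event has left the window by the time the other two arrive, so the set never completes inside the interval.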
• TCP and IP traffic normalization is an additional function of the inspection of inline traffic.
• The Normalization signature engine operates differently than the other pattern-based signature engines.
• The Normalization signatures are a different animal from the other signature engines. These signatures are not designed to stop specific attacks, but rather to prevent abnormal traffic from passing the sensor, to prevent obfuscation of attacks, and to “back up” the deny actions of other signatures during prolonged attacks.
• With a default Inline configuration, an Inline IPS device has a requirement to see bidirectional, sequentially ordered full-stream TCP data.
• If TCP data is received only one direction (asymmetric design), the sensor will drop the traffic and disrupt the TCP session.
• If the sensor receives out-of-order TCP data, it will queue it up and wait for the missing TCP packets. Eventually, the queue will fill up and the sensor will start dropping the TCP packets in the buffer, disrupting the TCP session.
• If duplicate TCP packets are received by the same virtual-sensor (i.e., virtual-sensor sees the same packet twice), it will drop the traffic as being out-of-order, and disrupt the TCP session.
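To make the three failure modes above concrete, here is an added Python model of one direction of a TCP flow crossing an inline sensor. It is an illustration written for this page, not the sensor's normalizer: the queue limit of three segments, the segment sizes and the decision labels are constructed, and the model drops new out-of-order arrivals once the queue is full rather than evicting buffered ones. The effect on the session is the same as the slide describes: the segment never reaches the receiver.

```python
SEGMENT_QUEUE_LIMIT = 3   # constructed: small so the overflow path is easy to see


class InlineStream:
    """Simplified model of one direction of a TCP flow passing an inline sensor.

    Segments are (seq, length). In-order segments pass through and are
    inspected; out-of-order segments wait in a bounded queue until the gap is
    filled; once the queue is full further out-of-order segments are dropped;
    a segment that was already inspected (or is already queued) is dropped as
    a duplicate.
    """

    def __init__(self, isn, queue_limit=SEGMENT_QUEUE_LIMIT):
        self.expected = isn           # next sequence number the sensor wants
        self.queue = {}               # seq -> length, segments waiting on a gap
        self.queue_limit = queue_limit

    def receive(self, seq, length):
        if seq < self.expected:
            return "drop-duplicate"   # the sensor has already seen these bytes
        if seq == self.expected:
            self.expected += length
            # Release queued segments that are now contiguous with the stream.
            while self.expected in self.queue:
                self.expected += self.queue.pop(self.expected)
            return "pass"
        if seq in self.queue:
            return "drop-duplicate"   # second copy of a segment still waiting
        if len(self.queue) >= self.queue_limit:
            return "drop-queue-full"  # buffer exhausted: session will break
        self.queue[seq] = length
        return "queued"


def simulate(segments, isn=1000, queue_limit=SEGMENT_QUEUE_LIMIT):
    """Return the sensor's decision for each segment in arrival order."""
    stream = InlineStream(isn, queue_limit)
    return [stream.receive(seq, length) for seq, length in segments]


# Constructed sample traffic: (seq, length) in the order the sensor sees it.
OUT_OF_ORDER = [(1000, 100), (1200, 100), (1100, 100)]                  # gap filled later
DUPLICATE = [(1000, 100), (1000, 100), (1100, 100)]                     # same packet twice
OVERFLOW = [(1000, 100), (1200, 100), (1300, 100), (1400, 100), (1500, 100)]  # gap never filled


if __name__ == "__main__":
    for name, segs in (("out-of-order", OUT_OF_ORDER), ("duplicate", DUPLICATE), ("overflow", OVERFLOW)):
        print(name, simulate(segs))
```

Note that the duplicate case is exactly what a virtual sensor sees when two SPAN or tap feeds deliver the same packet, and the overflow case is what a long-lived gap (for example a path where part of a stream bypasses the sensor) turns into. The asymmetric case is the degenerate form where one direction never arrives at all.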
• Identifies worms as they attempt to spread (zero-day detection)
• Detects worm-infected hosts
• Identifies fast-spreading worms like Code Red and SQL Slammer
• AD has 3 modes: Learning Accept, Detect, Inactive.
• Learning Accept Mode: AD’s default mode. It conducts a minimum 24-hour period of learning (baselining) the sensor traffic and stores this information in the Knowledge Base (KB).
• Detect Mode: an ongoing (24x7) operation. It references the KB to determine if an attack is occurring. As it looks for anomalies, it records gradual changes to the KB.
• Inactive Mode: AD has been turned off. If the sensor is running in an asymmetric environment, AD should be inactive.
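The following Python is an added illustration of the three modes, written for this page and not Cisco's anomaly detection implementation. It reduces "the sensor traffic" to one feature, the number of sources per destination port whose connection attempts go unanswered (a worm scanning for a service looks like this), learns the per-port baseline into a KB during Learning Accept, and alerts in Detect mode when the baseline is exceeded. The scanner threshold, the port numbers and all flow records are constructed. It also shows why AD should be inactive on an asymmetric path: when replies never pass the sensor, ordinary answered traffic looks like scanning.

```python
from collections import Counter
from enum import Enum


class ADMode(Enum):
    LEARNING_ACCEPT = "learning-accept"
    DETECT = "detect"
    INACTIVE = "inactive"


# Hypothetical threshold: a source with this many unanswered connection
# attempts to one destination port in an interval is counted as a scanner.
SCANNER_THRESHOLD = 5


def count_scanners(flows):
    """flows: iterable of (src_ip, dst_port, answered).
    Returns a Counter of dst_port -> number of sources that hit SCANNER_THRESHOLD."""
    unanswered = Counter()
    for src, port, answered in flows:
        if not answered:
            unanswered[(src, port)] += 1
    scanners = Counter()
    for (src, port), n in unanswered.items():
        if n >= SCANNER_THRESHOLD:
            scanners[port] += 1
    return scanners


class AnomalyDetector:
    """Learning Accept builds the KB; Detect compares against it; Inactive does nothing."""

    def __init__(self, mode=ADMode.LEARNING_ACCEPT):
        self.mode = mode
        self.kb = Counter()   # Knowledge Base: dst_port -> scanner count learned as normal

    def process_interval(self, flows):
        """Return a list of (port, observed_scanners, baseline) anomalies."""
        if self.mode is ADMode.INACTIVE:
            return []
        observed = count_scanners(flows)
        if self.mode is ADMode.LEARNING_ACCEPT:
            for port, n in observed.items():
                self.kb[port] = max(self.kb[port], n)   # record the high-water mark
            return []
        # Detect mode: more scanners on a port than the baseline is an anomaly.
        return [(port, n, self.kb[port])
                for port, n in sorted(observed.items()) if n > self.kb[port]]


def make_flows(n_sources, port, answered=False):
    """Constructed traffic: each source makes SCANNER_THRESHOLD attempts to port."""
    return [(f"10.0.0.{i}", port, answered)
            for i in range(1, n_sources + 1) for _ in range(SCANNER_THRESHOLD)]


def asymmetric_view(flows):
    """Model an asymmetric path: replies never reach the sensor, so every
    flow looks unanswered."""
    return [(src, port, False) for src, port, _ in flows]


LEARNING_FLOWS = make_flows(2, 445) + make_flows(3, 80, answered=True)  # baseline day
WORM_FLOWS = make_flows(6, 445)                                        # outbreak


def demo():
    ad = AnomalyDetector()                  # Learning Accept by default
    ad.process_interval(LEARNING_FLOWS)     # KB: 2 scanners on 445 are normal, 0 on 80
    ad.mode = ADMode.DETECT
    return ad.process_interval(WORM_FLOWS)  # 6 scanners on 445 exceed the baseline


def demo_asymmetric():
    ad = AnomalyDetector()
    ad.process_interval(LEARNING_FLOWS)
    ad.mode = ADMode.DETECT
    # The same benign port-80 traffic, seen one-way, becomes a false alarm.
    return ad.process_interval(asymmetric_view(LEARNING_FLOWS))


if __name__ == "__main__":
    print("outbreak:", demo())
    print("asymmetric false alarm:", demo_asymmetric())
```

The real sensor learns far more than one counter and keeps refining the KB in Detect mode; what the toy preserves is the dependency chain: a baseline built from complete, bidirectional traffic, and alerts that are only as trustworthy as that baseline.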
• Available in 7.x and higher
• Identifies devices with a reputation for malicious activity
• Updates sensors with these device IP addresses
• Denies or allows traffic based on the device source IP address
• The IPS sends data back to the GC database to keep updates current
• Reputation Filtering drops traffic before the IPS inspects it with signatures
• The virtual-sensor is the component that is mapped to any sensing interface(s) that should pass traffic received on the interface up for inspection. In other words, the virtual-sensor is the structure that connects the physical Ethernet interfaces and the software performing traffic inspection.
• Each virtual-sensor has a unique name and a list of physical sensing interfaces and/or logical interfaces (inline interface pairs, inline VLAN pairs, or VLAN groups) associated with it.
• Each virtual-sensor is associated with specific signature definition, event action rules, and anomaly detection policies.
• Up to 4 virtual sensors are supported.
Figure: one appliance hosting three virtual sensors (VS0, VS1, VS2), each inspecting a different network (Network A, Network B, Network C), with an attacker on the Internet.
Figure: "Performance to Meet Growing Needs", the IPS portfolio plotted against organization size (small, medium, large). Platforms shown: ISR (IOS IPS, IPS NME); IPS 4200 Series (IPS 4240, IPS 4255, IPS 4260, IPS 4270); ASA 5500 Series (ASA5510-AIP10, ASA5510-AIP20, ASA5520-AIP10, ASA5520-AIP20, ASA5520-AIP40, ASA5540-AIP20, ASA5540-AIP40, ASA5585-P10S10, ASA5585-P20S20, ASA5585-P40S40, ASA5585-P60S60); Catalyst 6500 (IDSM2, Catalyst 6500 IDSM2 bundle).
1. Promiscuous Interface
2. Promiscuous Vlan Groups
3. Inline Interface Pairs
4. Inline Vlan Pairs
5. Module - Parent Chassis Designated
• Promiscuous Mode designs send only COPIES of packets to the sensor as the traffic goes by. The original packet is still delivered to the host.
• Variety of mechanisms exist to do this:
1) Ethernet Hub
2) Ethernet Switch doing port mirroring (i.e., SPAN in Cisco Catalyst terminology)
3) Ethernet Taps (third-party solution)
Figure: promiscuous data flow. Traffic on the SPAN source ports (or source VLAN) of an Ethernet switch is mirrored to the SPAN destination port, which connects to the sensor's promiscuous interface.
• Interface itself assigned to a virtual sensor
• All traffic monitored by the same virtual sensor
• Separate device must send copies of the packets
– SPAN (or monitor) from a switch
– VACL Capture from a Cat 6500 switch
– Network Taps
• Packets discarded after analysis
• Detection, not prevention
• Interface is divided into subinterfaces
• Subinterface type is vlan-group
• 2 Types
1. Range – comma delimited list of vlan ranges: 5,10-15,20,22-25
2. Unassigned – all remaining vlans
• Packets must be tagged with 802.1q headers
• Client and Server packets must be tagged with same 802.1q headers
• Assign vlan-groups to different virtual sensors.
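As an added example (written for this page, not Cisco's configuration parser), the Python below parses the range syntax shown above (`5,10-15,20,22-25`), builds the VLAN-to-virtual-sensor mapping for a set of vlan-group subinterfaces including one `unassigned` group, rejects overlapping ranges, and classifies frames by their 802.1Q tag. The group names, virtual sensor names and VLAN numbers are constructed; the behaviour for untagged frames (no vlan-group can match them) follows directly from the slide's requirement that packets be tagged.

```python
MAX_VLAN = 4094


def parse_vlan_ranges(spec):
    """Parse a comma-delimited list of VLAN ranges, e.g. '5,10-15,20,22-25'."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if lo > hi or not (1 <= lo <= MAX_VLAN) or hi > MAX_VLAN:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def build_vlan_groups(groups):
    """groups: {group_name: (virtual_sensor, spec)} where spec is a range list
    or the string 'unassigned'.

    Returns (vlan -> virtual sensor, sensor for the unassigned group or None).
    Raises ValueError on overlapping ranges or a second unassigned group.
    """
    assignment = {}
    unassigned_sensor = None
    for name, (sensor, spec) in groups.items():
        if spec == "unassigned":
            if unassigned_sensor is not None:
                raise ValueError("only one unassigned vlan-group per interface")
            unassigned_sensor = sensor
            continue
        for vlan in parse_vlan_ranges(spec):
            if vlan in assignment:
                raise ValueError(f"VLAN {vlan} appears in more than one group ({name})")
            assignment[vlan] = sensor
    return assignment, unassigned_sensor


def classify(frame_vlan, assignment, unassigned_sensor):
    """Pick the virtual sensor for a frame by its 802.1Q tag (None = untagged)."""
    if frame_vlan is None:
        return None   # untagged frames cannot be matched to any vlan-group
    return assignment.get(frame_vlan, unassigned_sensor)


# Constructed configuration: three vlan-groups on one promiscuous interface.
GROUPS = {
    "vlan-group 1": ("vs0", "5,10-15"),
    "vlan-group 2": ("vs1", "20,22-25"),
    "vlan-group 3": ("vs2", "unassigned"),
}


if __name__ == "__main__":
    assignment, rest = build_vlan_groups(GROUPS)
    for tag in (12, 20, 30, None):
        print(tag, "->", classify(tag, assignment, rest))
```

The overlap check matters operationally: two groups claiming the same VLAN would mean one frame belongs to two virtual sensors with possibly different policies, which is the kind of ambiguity the sensor's own configuration validation is there to refuse.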
Figure: inline data flow. The sensing interfaces are transparent (no MAC or IP address; the sensor is a Layer 2 bridge), and the sensor sits between two physical devices or between two VLANs on a switch.
Note: If placed between two VLANs on a switch in standard inline mode, the switch ports connecting to the sensing interfaces need to be access ports with different access VLANs.
• 2 Interfaces Paired together
• Interface Pair assigned to a virtual sensor
• All traffic monitored by the same virtual sensor
• Traffic passes Through the sensor
• Good traffic passed through
• Bad traffic Denied
• Also known as Inline On A Stick
• Interface is divided into subinterfaces
• Subinterface type is inline-vlan-pair
• 2 vlans Paired together on a 802.1q trunk port
• 250 vlan pairs per interface
• Inline Vlan Pair Subinterface assigned to virtual sensor
• ASA-AIP-SSM and ASA-AIP-SSP: ASA configuration determines the monitoring method
– ACL created in ASA config to match traffic
– Class created from the ACL; can be identity based
– Policy created; each class can have a different IPS policy (promiscuous, inline, or no IPS policy) and designates a virtual sensor
– A special packet header is added to designate the mode and virtual sensor
• AIM-IPS and NME-IPS: ISR router configuration determines the monitoring method
– “ids-service-module-monitoring promiscuous|inline” configured per interface
– Same mode for all monitored interfaces
– ACL can limit packets being monitored
Figure: Cisco ASA 5585 Series extends the market-leading ASA 5500 Series Multi-Service family to the data center. Deployment points shown: Teleworker, Branch Office, Internet Edge, Campus, Data Center. Platforms shown: ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580-20, ASA 5580-40, and (marked new) ASA 5585-S10P10, ASA 5585-S20P20, ASA 5585-S40P40, ASA 5585-S60P60; categories Multi-Service (Firewall, IPS, VPN) and Firewall and VPN.
• Security Service Processors: multi-services capable; dedicated 64-bit multi-core processors; parallel multi-threaded packet processing; scalable to larger numbers of CPUs/cores
• Chassis: 2 RU; 2 x full-slot modules; 2 GB internal eUSB; redundant hot-swappable power supply units; front-to-back air flow
• GE ports: up to 8 x 10G SFP+ with OIR support; up to 16 x 1GbE Cu; SFP/SFP+ slots on all modules
• Regex accelerator: high-speed inspection
1. Traffic enters the adaptive security appliance.
2. Firewall policies are applied (e.g., ACLs, NAT).
3. Traffic is sent to the AIP-SSM/SSP over the backplane. Depending on the AIP-SSM/SSP operating mode (inline/promiscuous), only a copy of the traffic is sent up in promiscuous mode.
4. The AIP-SSM/SSP applies its security policy to the traffic and takes appropriate actions.
5. Valid traffic is sent back to the adaptive security appliance over the backplane; in inline mode the AIP-SSM/SSP might block some traffic according to its security policy, and that traffic is not passed on.
6. VPN policies are applied (if configured).
7. Traffic exits the adaptive security appliance.
Figure: the context questions asked about an attacker (How? Who? Where? When? What?), with example answers: domain owner information, server hosted in China, domain registered two days ago, dynamic IP address.
SensorBase, Threat Operations Center, Dynamic Updates:
• 4 TB of data received per day
• 35% of worldwide traffic
• $100M spent in dynamic research and development
• 500 engineers, technicians and researchers
• 8M rule updates
• 6,500+ signatures
Figure: "Fast, Accurate Protection". Cisco AnyConnect (any device, anywhere), Corporate Headquarters, Branch Office, ISP Datacenter and Web exchange threat telemetry with Cisco SIO, which feeds the Firewall/IPS.
Figure: evolution of attacks against the corporate office. Earlier: OS and network attacks, DoS, worms (Code Red, Slammer), isolated independent hackers with hand-crafted exploits, motivated by fame and glory, easily detected. Later: network evasions, polymorphic code, botnets (Conficker), an organized hacker marketplace updating automated exploit tools, profit or espionage motive, difficult to detect. Most recent: covert, sponsored targeted attacks (Aurora, Stuxnet).
Figure: "Innovations in Threat Management". Attackers direct attacks at the data center, perimeter and campus; the IPS applies signature technology, traffic cleansing, global correlation inspection and a reputation filter, fed by Cisco SIO.
Figure: the same "Innovations in Threat Management" diagram, reduced to the two local layers: signature technology and traffic cleansing, with Cisco SIO.
Traffic cleansing before signature analysis: the obfuscated request
GET http://…U/*Con*/NI/*fused*/ON
is normalized to
GET http://…UNION
so that signature analysis sees the keyword.
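The slide above shows why the cleansing step comes first: a signature written for the literal keyword never sees `U/*Con*/NI/*fused*/ON`. The Python below is an added example written for this page (not the sensor's normalizer) of the defender's side of that transformation: it URL-decodes up to two levels, strips `/* */` comments and collapses whitespace, then runs a simple keyword signature on both the raw and the cleansed request line. The host `www.example.test`, the request lines and the signature pattern are constructed; the benign `reunion` request is included to show that the word boundary in the signature keeps the cleansed match from becoming a false positive.

```python
import re
from urllib.parse import unquote

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)   # inline SQL comments
WHITESPACE_RE = re.compile(r"\s+")
SIG_UNION = re.compile(r"(?i)\bUNION\b")           # hypothetical signature pattern


def cleanse(request_line, max_decode_passes=2):
    """Normalize a request line before signature analysis.

    URL decoding is repeated up to max_decode_passes times so that a
    double-encoded request ends up in the same canonical form; comments are
    removed and runs of whitespace collapsed to one space.
    """
    text = request_line
    for _ in range(max_decode_passes):
        decoded = unquote(text)
        if decoded == text:
            break                      # nothing left to decode
        text = decoded
    text = COMMENT_RE.sub("", text)
    return WHITESPACE_RE.sub(" ", text).strip()


def inspect(request_line):
    """Run the signature on the raw and the cleansed form of one request."""
    cleansed = cleanse(request_line)
    return {
        "raw_match": bool(SIG_UNION.search(request_line)),
        "cleansed": cleansed,
        "cleansed_match": bool(SIG_UNION.search(cleansed)),
    }


# Constructed request lines (the host is a placeholder).
OBFUSCATED = "GET http://www.example.test/item?id=1 U/*Con*/NI/*fused*/ON SELECT 1"
DOUBLE_ENCODED = "GET http://www.example.test/item?id=1%2520%2555NION%2520SELECT%25201"
BENIGN = "GET http://www.example.test/reunion"
CANONICAL = "GET http://www.example.test/item?id=1 UNION SELECT 1"


if __name__ == "__main__":
    for line in (OBFUSCATED, DOUBLE_ENCODED, BENIGN):
        print(inspect(line))
```

Both evasive forms cleanse to the same canonical line, which is the property a signature author relies on: one pattern written against the normalized stream instead of one pattern per encoding trick.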
Attackers are Just as Important as Attacks
Efficacy of Global Correlation in IPS
• Faster than signature technology
• 2x the efficacy of signatures alone
• Real-time updates
• Effective botnet detection
Figure: average results from live data, Global Correlation compared with Local Inspection.
Innovations in Threat Management
• Traffic Cleansing and Signature Inspection: identify known behaviors
• Global Inspection: increase the Risk Rating for known bad actors
• Decision Engine: Block, Alert, Permit, Limit
• IPS Reputation Filters: block the worst global attackers
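The reputation filtering slide earlier (traffic from the worst sources is dropped before signature inspection) and the pipeline above (signature inspection, global inspection raising the Risk Rating, a decision engine choosing between Block, Alert and Permit) describe one ordering of checks. The Python below is an added example written for this page that wires that ordering together; it is not Cisco's implementation, and the reputation scores, filter threshold, signature ids, base risk ratings, the "5 points per reputation point" adjustment and the Block/Alert thresholds are all constructed for the illustration.

```python
import re

# Constructed reputation data (hypothetical): score from -10 (worst) to +10.
REPUTATION = {"203.0.113.7": -9.5, "198.51.100.20": -3.0, "192.0.2.10": 0.5}
REPUTATION_FILTER_THRESHOLD = -8.0   # at or below: dropped before any inspection

# Constructed signatures: (signature id, pattern, base risk rating)
SIGNATURES = [
    (5001, re.compile(r"(?i)\bunion\b\s+\bselect\b"), 75),
    (5002, re.compile(r"/etc/passwd"), 60),
]
BLOCK_RR, ALERT_RR = 90, 60   # decision engine thresholds (hypothetical)


def reputation_filter(src):
    """True when the source is bad enough to drop before signatures run."""
    score = REPUTATION.get(src)
    return score is not None and score <= REPUTATION_FILTER_THRESHOLD


def signature_inspect(payload):
    """Local inspection: every signature that matches, with its base rating."""
    return [(sid, rr) for sid, pattern, rr in SIGNATURES if pattern.search(payload)]


def correlated_risk(base_rr, src):
    """Global inspection: raise the risk rating for known bad actors.
    Hypothetical scaling of 5 points per reputation point below zero, capped at 100."""
    score = REPUTATION.get(src, 0.0)
    if score >= 0:
        return base_rr
    return min(100, base_rr + int(-score * 5))


def decide(src, payload):
    """Return (action, signature id, risk rating) for one request."""
    if reputation_filter(src):
        return ("block", "reputation-filter", None)   # never reaches the engines
    hits = signature_inspect(payload)
    if not hits:
        return ("permit", None, None)
    sid, base_rr = max(hits, key=lambda hit: hit[1])  # worst matching signature
    rr = correlated_risk(base_rr, src)
    if rr >= BLOCK_RR:
        action = "block"
    elif rr >= ALERT_RR:
        action = "alert"
    else:
        action = "permit"
    return (action, sid, rr)


# Constructed requests.
SQL_REQUEST = "GET /item?id=1 UNION SELECT name FROM users HTTP/1.1"
BENIGN_REQUEST = "GET /item?id=1 HTTP/1.1"


if __name__ == "__main__":
    for src in REPUTATION:
        print(src, decide(src, SQL_REQUEST))
    print("192.0.2.10", decide("192.0.2.10", BENIGN_REQUEST))
```

The same "grey" signature hit produces different verdicts depending on who sent it: from a clean source it only alerts, from a source with a bad history the raised rating crosses the block threshold, and from a source on the reputation filter the request is dropped before the signature is ever evaluated.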
The Challenge of Traditional Signature-Based IPS
Figure: what signatures find is "SQL command fragments in web traffic"; with no answer to What? How? Who? Where?, the verdict is UNKNOWN.
Figure: the same finding, powered by Global Correlation. What signatures find: SQL command fragments in web traffic. How: first HTTP connection, clean sources only. Who: dynamic IP address, dynamic DNS, history of web attacks, history of botnet activity. Where: within a heavily compromised .Asia network. Verdict: BLOCK.
Understand the attackers for better security, not just the attack.
Figure: the same “grey” SMB signature firing; more context about the attacker gives better verdicts.
• Known Industry List of Industrial Control Vulnerabilities
• Stuxnet
• Illinois water utility “hack”
• Increasing concern over the vulnerability of critical infrastructure
Figure: Purdue Reference Model (ISA-95 / ISA-99) applied to a plant network. Enterprise Zone: Level 5, Enterprise Network; Level 4, Site Business Planning and Logistics Network (e-mail, intranet, etc.). DMZ (behind a firewall on each side): Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server. Manufacturing Zone: Level 3, Site Manufacturing Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller); Level 2, Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation). Cell/Area Zone: Level 1, Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0, Process (Sensors, Drives, Actuators, Robots). Protocols called out: Web, E-Mail, CIP, Modbus; threat called out: Root Kit.
Cisco ICP Provides Cost Effective Protection
• Minimize risk of unplanned outages due to cyber attack
• Significant cost savings through batching of patch roll-out to the field
Figure: decision flow for a new vulnerability. Patch available? N (typical) / Y (rare). If yes, roll out the patch to the field ASAP? N / Y. Each "no" branch leaves the system vulnerable; each "yes" branch carries cost, time and effort and a risk of outage.
• Special class of Industrial Control signatures
• Delivered within the normal weekly signature updates
• Separate license for use based on platform
A global policy-map is configured on the ASA to send traffic from all users, except for users in the “SecOps” and “NetOps” groups to the IPS in inline mode. Traffic from SecOps/NetOps should not be inspected by the IPS.
Verify that non-SecOps/NetOps users cannot access the http://www.threatdlabs.test/admin page, while allowing them to access any internet website as well as the company website at http://www.threatdlabs.test. A custom signature was written to achieve this.