Chapter 9. Deploying Network Intrusion Prevention


This chapter covers the steps to deploy the third layer of defense in depth: intrusion prevention.

This chapter addresses the following topics:

  • The Importance of Intrusion Prevention: This section explains why intrusion prevention matters and how it adds security to your network beyond the layers already deployed.

  • Deploying Intrusion Prevention: This section addresses how you can use ASDM to deploy intrusion prevention in your network.

As outlined in Chapter 2, "Principles of Network Defense," intrusion prevention is a key component in the defense-in-depth strategy for protecting your network from Internet-based network attacks.

Chapter 7, "Deploying Authentication," and Chapter 8, "Deploying Perimeter Protection," addressed deploying authentication and perimeter security on your security appliance. Authentication enforces who can get into your network, whereas perimeter security enforces what traffic can get in. The problem that remains is that, even after inbound traffic has been restricted and filtered, filtering alone is not enough to stop all attacks. Attackers have tools to discover which traffic you allow into your network, and that permitted traffic is exactly what they try to exploit to compromise your systems. You need look no further than the major attacks of the past few years to verify this: Code Red, Nimda, Sasser, Slammer, and Blaster all arrived inside traffic that the perimeter policy allowed.

This chapter explains the features that the PIX security appliance and ASA 5500 series security appliance have in place to stop known attacks from getting into your network. You learn how to deploy intrusion prevention with a step-by-step procedure similar to previous chapters.

This chapter includes information about the new ASA 5500 series of security appliances with the Security Services Module (SSM). The SSM is a card that you insert inside the ASA 5500 series chassis to provide additional security services, such as intrusion prevention. Because this appliance is so new, there are no step-by-step implementation guidelines as of the original publishing of this book. After public introduction of this product, there will be a section on the Cisco website dedicated to information regarding this device. If you have any additional questions about the features or deployment of the ASA/SSM, you should be able to find the answers on this website.

This chapter references two distinctly different intrusion prevention technologies: IPS and IP Audit. Don't get confused by this; the distinction is straightforward:

  • IP Audit: IP Audit is the intrusion protection built into both the PIX and the ASA security appliance, with no additional hardware. It can drop offending traffic, but its coverage is fixed at 51 signatures for commonly seen Internet attacks.

  • IPS: IPS stands for Intrusion Prevention System. IPS is available only on the ASA 5500 series security appliance with an SSM installed. It includes more than 1500 signatures and, as described in this chapter, has far more advanced features than what is available on the PIX security appliance.
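The IP Audit side of that distinction, as an added CLI example that is not from the book (the chapter itself configures these features through ASDM): the IP Audit commands on a PIX or ASA that apply the built-in signatures to the Internet-facing interface, first as a detect-only policy and then as a policy that actually drops traffic. The policy names, the interface name outside, and the signature number in the disable line are assumptions chosen for illustration, not values taken from the chapter.

```cisco
! IP Audit, the engine built into PIX and ASA (no SSM required).
! Two signature classes exist: "info" (reconnaissance, such as port sweeps
! and ICMP probes) and "attack" (known exploits). One policy is defined
! for each class. Policy names and the interface name are assumptions.
!
! Detect-only policy: "alarm" logs a syslog message but forwards the packet.
! This is detection, not prevention.
ip audit name INFO-AUDIT info action alarm
!
! Prevention policy: "drop" discards the matching packet and "reset" sends
! a TCP RST to both ends of the connection. Adding these actions is what
! turns IP Audit from a detection mechanism into a prevention mechanism.
ip audit name ATTACK-AUDIT attack action alarm drop reset
!
! Bind both policies to the interface that faces the Internet.
! Traffic is inspected as it arrives on that interface.
ip audit interface outside INFO-AUDIT
ip audit interface outside ATTACK-AUDIT
!
! Tuning: disable an informational signature that would otherwise fire on
! every inbound ICMP echo request and bury real alarms in noise.
! (Signature number is an assumption; confirm it against the signature
! list in your appliance's documentation before disabling anything.)
ip audit signature 2004 disable
!
! Verification: confirm the policies are bound and that per-signature
! counters increment when test traffic is sent through the interface.
show ip audit count
```

The check a practitioner wants after applying this is the last command: if the counters for the attack class stay at zero while known-bad test traffic is sent, the policy is not bound to the interface the traffic actually enters on. Keep the info class on alarm only until you have reviewed what it fires on; dropping reconnaissance traffic such as ICMP can break legitimate path discovery.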

You configure the features of the SSM the same way you configure the security appliance itself: by using ASDM to browse to the device. If an SSM is installed, you will see an additional icon in the Features panel labeled IPS.



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
