Table 1-4 shows the primary terms that are used to describe the functionality of the Cisco IPS solution.
Table 1-4. Primary IPS Terminology
Inline mode: Examining network traffic while having the ability to stop intrusive traffic from reaching the target system
Promiscuous mode: Passively examining network traffic for intrusive behavior
An engine that supports signatures that share common characteristics (such as the same protocol)
Meta-Event Generator: The capability to define meta signatures based on multiple existing signatures
A signature that triggers based on the contents of a single packet
A signature that triggers based on the information contained in a sequence of packets between two systems (such as the packets in a TCP connection)
A signature that triggers when traffic deviates from regular user behavior
A signature that triggers when traffic exceeds a configured normal baseline
A situation in which a detection system fails to detect intrusive traffic although there is a signature designed to catch that activity
False positive: A situation in which normal user activity (instead of intrusive activity) triggers an alarm
A situation in which a signature does not fire during normal user traffic on the network
A situation in which a signature fires correctly when intrusive traffic for that signature is detected on the network (The signature correctly identifies an attack launched against the network.)
Deep-packet inspection: Decoding protocols and examining entire packets to allow for policy enforcement based on actual protocol traffic (not just a specific port number)
Associating multiple alarms or events with a single attack
Risk rating (RR): A threat rating based on numerous factors besides just the attack severity
Cisco provides a hybrid solution that enables you to configure a sensor to operate in promiscuous and inline mode simultaneously.
To help limit false positives, Cisco IPS version 5.0 incorporates a risk rating for alerts. This risk rating is calculated based on the following parameters:
Asset value of target
For IP addresses on your network, you can assign one of the following asset values:
Beginning with version 5.0, you can use the Meta-Event Generator (MEG) to create complex signatures that cause multiple regular signatures to trigger before the meta-event signature triggers.
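The meta-event behavior described above, as an added illustration that is not Cisco's code: a small Python model in which a meta signature fires only after every one of its component signatures has fired from the same source inside a time window. The signature IDs, the window length and the alert stream are constructed values, not real Cisco signature numbers or sensor output.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed alert stream (not captured from a real sensor):
# (timestamp in seconds, signature ID, source address)
ALERTS = [
    (0, 60001, "10.1.1.5"),    # component signature 1
    (3, 60002, "10.1.1.5"),    # component signature 2
    (8, 60003, "10.1.1.5"),    # component signature 3 -> meta event
    (4, 60001, "10.1.1.9"),
    (70, 60002, "10.1.1.9"),   # 66 s after the first alert: outside window
    (75, 60003, "10.1.1.9"),
    (20, 1000, "10.1.1.5"),    # unrelated signature, ignored by the meta
]


@dataclass(frozen=True)
class MetaSignature:
    meta_id: int
    component_ids: frozenset   # regular signatures that must all fire
    window_seconds: int        # sliding window in which they must fire


# Constructed meta signature: fires when 60001, 60002 and 60003 all
# trigger from one source within 60 seconds.
META = MetaSignature(70001, frozenset({60001, 60002, 60003}), 60)


def evaluate_meta(alerts, meta):
    """Return [(time, source)] for each meta event the stream produces.

    Component alerts are tracked per source address; alerts older than
    the window are discarded on each new component alert, and a meta
    event fires once the remaining alerts cover every component ID.
    """
    history = defaultdict(list)     # source -> [(time, signature ID)]
    fired = []
    for t, sig, src in sorted(alerts):
        if sig not in meta.component_ids:
            continue
        recent = [(ht, hs) for ht, hs in history[src]
                  if t - ht <= meta.window_seconds]
        recent.append((t, sig))
        if {hs for _, hs in recent} == meta.component_ids:
            fired.append((t, src))
            recent = []                 # count each meta event once
        history[src] = recent
    return fired
```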
Cisco IPS version 5.0 also enhances the ability of the sensor to perform deep-packet inspection on network traffic. This enables the sensor to enforce security policies beyond simple port numbers.
Cisco IPS version 5.0 supports the IDSM-2, the network module, and the following appliance sensors:
The sensors marked by * are the newest appliance sensors in the Cisco IPS solution. These sensors are highly reliable because they use flash memory (which has no moving parts), not a regular hard disk, for storage.
Inline mode enables your sensor to act as a Layer 2 forwarding device while inspecting network traffic, providing the ability to drop intrusive traffic before it reaches the target system. The following sensors support inline mode:
When your system is running in inline mode, you can configure one of the following software bypass modes:
When deploying sensors on your network, consider the following network boundaries:
Remote access boundaries
Servers and desktops
You must also consider the following when deploying your sensors:
Communication between your Cisco IPS sensors and other network devices involves the following protocols and standards:
Secure Shell (SSH)
Transport Layer Security (TLS)/Secure Sockets Layer (SSL)
Remote Data Exchange Protocol (RDEP)
Security Device Event Exchange (SDEE) Standard
The Cisco sensor software architecture can be broken down into the following main interacting applications or processes: