Foundation Summary

Table 1-4 shows the primary terms that are used to describe the functionality of the Cisco IPS solution.

Table 1-4. Primary IPS Terminology

| Terminology | Description |
|---|---|
| Inline mode | Examining network traffic while having the ability to stop intrusive traffic from reaching the target system |
| Promiscuous mode | Passively examining network traffic for intrusive behavior |
| Signature engine | An engine that supports signatures that share common characteristics (such as the same protocol) |
| Meta-Event Generator | The capability to define meta signatures based on multiple existing signatures |
| Atomic signature | A signature that triggers based on the contents of a single packet |
| Flow-based signature | A signature that triggers based on the information contained in a sequence of packets between two systems (such as the packets in a TCP connection) |
| Behavior-based signature | A signature that triggers when traffic deviates from regular user behavior |
| Anomaly-based signature | A signature that triggers when traffic exceeds a configured normal baseline |
| False negative | A situation in which a detection system fails to detect intrusive traffic although there is a signature designed to catch that activity |
| False positive | A situation in which normal user activity (instead of intrusive activity) triggers an alarm |
| True negative | A situation in which a signature does not fire during normal user traffic on the network |
| True positive | A situation in which a signature fires correctly when intrusive traffic for that signature is detected on the network (the signature correctly identifies an attack launched against the network) |
| Deep-packet inspection | Decoding protocols and examining entire packets to allow for policy enforcement based on actual protocol traffic (not just a specific port number) |
| Event correlation | Associating multiple alarms or events with a single attack |
| Risk rating (RR) | A threat rating based on numerous factors besides just the attack severity |


Cisco provides a hybrid solution that enables you to configure a sensor to operate in promiscuous and inline modes simultaneously.

To help limit false positives, Cisco IPS version 5.0 incorporates a risk rating for alerts. This risk rating is calculated based on the following parameters:

  • Event severity

  • Signature fidelity

  • Asset value of target

For IP addresses on your network, you can assign one of the following asset values:

  • Low

  • Medium

  • High

  • Mission critical

  • No value
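The following is an added example, not code from the book or from Cisco, showing how the three parameters above combine into a single risk rating and why that limits false positives: the same high-severity signature scores very differently against a mission-critical server than against a host with no assigned value. The weighting RR = (ASR x SFR x TVR) / 10000 and the numeric constants are my recollection of the Cisco IPS 5.x scheme, not values stated on this page; treat them as illustrative, and the signature IDs and thresholds are constructed.

```python
# Added example, not taken from the book chapter or from Cisco's own code.
# Assumption: the weighting RR = (ASR * SFR * TVR) / 10000 and the constants
# below reflect the Cisco IPS 5.x risk-rating scheme as I recall it; treat
# them as illustrative rather than vendor-authoritative.

ATTACK_SEVERITY = {          # ASR: how damaging the signature's attack is
    "informational": 25,
    "low": 50,
    "medium": 75,
    "high": 100,
}

TARGET_VALUE = {             # TVR for the asset values listed on the page
    "no value": 50,
    "low": 75,
    "medium": 100,           # assumed default for hosts with no asset value set
    "high": 150,
    "mission critical": 200,
}


def risk_rating(severity, fidelity, asset_value="medium"):
    """Risk rating (0-100) for one alert.

    severity    -- attack severity key from ATTACK_SEVERITY
    fidelity    -- signature fidelity rating, 0-100 (how unlikely it is to false-positive)
    asset_value -- asset value assigned to the target IP address
    """
    if not 0 <= fidelity <= 100:
        raise ValueError("fidelity must be between 0 and 100")
    rr = ATTACK_SEVERITY[severity] * fidelity * TARGET_VALUE[asset_value] / 10000
    return min(100, int(rr))   # clamp to the 0-100 scale


def action_for(rr, deny_at=90, alert_at=50):
    """Map a risk rating to a response: deny inline, raise an alert, or just log."""
    if rr >= deny_at:
        return "deny"
    if rr >= alert_at:
        return "alert"
    return "log"


# Constructed alerts (placeholder signature IDs, not Cisco's):
# (signature, severity, fidelity, asset value of the target)
SAMPLE_ALERTS = [
    ("sig-1", "high", 80, "mission critical"),   # exploit attempt against a critical server
    ("sig-1", "high", 80, "no value"),           # same signature against a throwaway host
    ("sig-2", "medium", 80, "medium"),
    ("sig-3", "low", 40, "low"),                 # noisy, low-fidelity signature
]


def triage(alerts):
    """Return (signature, risk rating, action) for each alert."""
    out = []
    for sig, sev, fid, asset in alerts:
        rr = risk_rating(sev, fid, asset)
        out.append((sig, rr, action_for(rr)))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Note that the second alert carries the same signature as the first but drops to a "log" action purely because the target has no asset value; tuning asset values is therefore as much a false-positive control as tuning the signatures themselves.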

Beginning with version 5.0, you can use the Meta-Event Generator (MEG) to create complex signatures that require multiple regular signatures to trigger before the meta-event signature itself triggers.
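As an added illustration of what a meta signature does (example code, not the MEG implementation and not from the book), the correlator below replays an alert stream and raises a meta event only when every component signature has fired from the same source within a time window. The signature IDs, window length and alert stream are all constructed.

```python
from collections import defaultdict


class MetaSignature:
    """A meta signature: fires when every component signature has fired for the
    same source IP within `window` seconds. Constructed for this example."""

    def __init__(self, meta_id, components, window):
        self.meta_id = meta_id
        self.components = frozenset(components)
        self.window = window


def correlate(alerts, meta):
    """Replay alerts in time order through `meta`; return the meta alerts raised.

    alerts: iterable of (timestamp_seconds, signature_id, source_ip)
    """
    # source_ip -> {component signature: time of its most recent hit}
    seen = defaultdict(dict)
    fired = []
    for ts, sig, src in sorted(alerts):
        if sig not in meta.components:
            continue                      # not part of this meta signature
        seen[src][sig] = ts
        # forget component hits that are now older than the window
        seen[src] = {s: t for s, t in seen[src].items() if ts - t <= meta.window}
        if set(seen[src]) == meta.components:
            fired.append((ts, meta.meta_id, src))
            seen[src] = {}                # reset so one sequence yields one meta event
    return fired


# Constructed alert stream; signature IDs are placeholders, not Cisco's.
SAMPLE_ALERTS = [
    (0, "sig-A", "10.1.1.5"),
    (10, "sig-B", "10.1.1.5"),
    (15, "sig-X", "10.1.1.5"),    # unrelated signature, ignored by the meta signature
    (20, "sig-C", "10.1.1.5"),    # completes A+B+C within 60 s -> meta event
    (5, "sig-A", "10.1.1.9"),
    (100, "sig-B", "10.1.1.9"),   # sig-A fired 95 s earlier, outside the window
    (110, "sig-C", "10.1.1.9"),
    (200, "sig-A", "10.1.1.9"),   # sig-B and sig-C have aged out by now, no meta event
]

META = MetaSignature("META-1", {"sig-A", "sig-B", "sig-C"}, window=60)

if __name__ == "__main__":
    print(correlate(SAMPLE_ALERTS, META))
```

The second source never produces a meta event even though all three component signatures eventually fire from it, because they never fall inside one window; that aging step is what keeps a meta signature from being just a slow accumulation of unrelated alarms.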

Cisco IPS version 5.0 also enhances the ability of the sensor to perform deep-packet inspection on network traffic. This enables the sensor to enforce security policies beyond simple port numbers.
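To show the difference between port-based and protocol-aware enforcement, here is an added example (mine, not the sensor's decoders and not from the book) that identifies the application protocol from the first payload bytes and checks it against a per-port policy. The patterns, the policy table and the sample packets are constructed and deliberately minimal.

```python
import re

# Byte patterns for the start of a client's first payload. Constructed for this
# example; a sensor's real protocol decoders are far more thorough.
PROTOCOL_PATTERNS = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
]


def identify_protocol(payload):
    """Name the application protocol from the payload bytes, ignoring the port."""
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    for name, pattern in PROTOCOL_PATTERNS:
        if pattern.match(payload):
            return name
    return "unknown"


# Assumed policy: which application protocols each destination port may carry
PORT_POLICY = {
    22: {"ssh"},
    25: {"smtp"},
    80: {"http"},
    443: {"tls"},
}


def inspect(dst_port, payload):
    """Return (detected protocol, verdict) for one packet.

    A port-only filter passes anything addressed to an open port; deep-packet
    inspection denies traffic whose actual protocol does not match the policy."""
    proto = identify_protocol(payload)
    allowed = PORT_POLICY.get(dst_port)
    if allowed is None:
        return proto, "no-policy"
    return proto, ("allow" if proto in allowed else "deny")


# Constructed packets: (destination port, first payload bytes)
SAMPLE_PACKETS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (80, b"SSH-2.0-example\r\n"),                 # SSH on the web port; a port filter would pass it
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0x2a])),  # TLS ClientHello record header
    (25, b"GET / HTTP/1.0\r\n\r\n"),               # HTTP where only SMTP is allowed
]


def inspect_all(packets):
    """Apply inspect() to every constructed packet."""
    return [inspect(port, payload) for port, payload in packets]


if __name__ == "__main__":
    for verdict in inspect_all(SAMPLE_PACKETS):
        print(verdict)
```

The "deny" verdicts are exactly the cases a port number alone cannot catch: the port is open and expected, but the bytes on it belong to a different protocol.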

Cisco IPS version 5.0 supports the IDSM-2, the network module, and the following appliance sensors:

  • IDS 4215

  • IDS 4235

  • IDS 4240*

  • IDS 4250

  • IDS 4250XL

  • IDS 4255*

Note

The sensors marked by * are the newest appliance sensors in the Cisco IPS solution. These sensors are highly reliable because they use flash memory (which has no moving parts), not a regular hard disk, for storage.


Inline mode enables your sensor to act as a layer-2 forwarding device while inspecting network traffic, providing the ability to drop intrusive traffic before it reaches the target system. The following sensors support inline mode:

  • IDS 4215

  • IDS 4235

  • IDS 4240

  • IDS 4250

  • IDS 4255

  • IDSM-2

When your system is running in inline mode, you can configure one of the following software bypass modes:

  • Auto

  • Off

  • On

When deploying sensors on your network, consider the following network boundaries:

  • Internet boundaries

  • Extranet boundaries

  • Intranet boundaries

  • Remote access boundaries

  • Servers and desktops

You must also consider the following when deploying your sensors:

  • Sensor placement

  • Sensor management and monitoring options

  • Number of sensors

  • External sensor communications

Communication between your Cisco IPS sensors and other network devices involves the following protocols and standards:

  • Secure Shell (SSH)

  • Transport Layer Security (TLS)/Secure Sockets Layer (SSL)

  • Remote Data Exchange Protocol (RDEP)

  • Security Device Event Exchange (SDEE) Standard

The Cisco sensor software architecture can be broken down into the following main interacting applications or processes:

  • cidWebServer

  • mainApp

  • logApp

  • authentication

  • NAC

  • ctlTransSource

  • sensorApp

  • Event Store

  • cidCLI