Foundation Summary


Attackers are continually trying to find ways to bypass the protection barriers in security mechanisms. Understanding the following common IDS evasion techniques helps you ensure that these avenues do not create weaknesses in your overall security posture:

  • Flooding

  • Fragmentation

  • Encryption

  • Obfuscation

  • TTL manipulation

The following list shows some of the major obfuscation techniques:

  • Using control characters

  • Using hex representation

  • Using Unicode representation
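The three obfuscation styles above all work the same way: the bytes on the wire differ from the bytes the server acts on, so a sensor that matches its signature against the raw request misses the match. The defensive answer is to canonicalize first and match second. The following Python is an added example, not code from the book or from Cisco IPS; the normalizer, the `/restricted/` signature string and the sample requests are all constructed for illustration.

```python
import re
import unicodedata
from typing import List

# Added example: a minimal HTTP URI normalizer that undoes the obfuscation
# styles named in the summary (control characters, %XX hex, %uXXXX Unicode,
# including double encoding) before a signature is matched.
# The pattern string and sample requests are constructed, not real signatures.

HEX_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
UNICODE_ESCAPE = re.compile(r"%[uU]([0-9A-Fa-f]{4})")


def decode_escapes(uri: str) -> str:
    """Decode %uXXXX and %XX escapes, repeating until the string stops changing
    so that double-encoded input (e.g. %2572 -> %72 -> r) is fully unwrapped."""
    previous = None
    while previous != uri:
        previous = uri
        uri = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), uri)
        uri = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), uri)
    return uri


def strip_control_chars(text: str) -> str:
    """Drop ASCII control characters (0x00-0x1F and 0x7F) that a target would
    ignore or interpret but that break a naive byte-for-byte signature match."""
    return "".join(ch for ch in text if ord(ch) >= 0x20 and ord(ch) != 0x7F)


def normalize_uri(uri: str) -> str:
    """Canonical form used for matching: decode escapes, remove control
    characters, fold Unicode compatibility forms (fullwidth letters etc.)
    to ASCII, lowercase, and collapse repeated slashes."""
    text = decode_escapes(uri)
    text = strip_control_chars(text)
    text = unicodedata.normalize("NFKC", text)
    text = text.lower()
    return re.sub(r"/+", "/", text)


def signature_matches(uri: str, pattern: str = "/restricted/") -> bool:
    """Match the signature against the canonical form, not the raw request."""
    return pattern in normalize_uri(uri)


def scan_requests(requests: List[str], pattern: str = "/restricted/") -> List[str]:
    """Return the raw requests whose canonical form contains the pattern."""
    return [r for r in requests if signature_matches(r, pattern)]


if __name__ == "__main__":
    # Constructed sample traffic: one benign request and several encodings
    # of the same path that a raw-bytes match would treat as different strings.
    sample = [
        "/public/index.html",
        "/%72estricted/report",      # hex escape
        "/%2572estricted/report",    # double-encoded hex
        "/%u0072estricted/report",   # %u Unicode escape
        "/%uFF32estricted/report",   # fullwidth 'R', folded by NFKC
        "/re\x00stricted/report",    # embedded control character
        "//RESTRICTED//report",      # case and slash variation
    ]
    for raw in sample:
        print(f"{raw!r:32} -> {normalize_uri(raw)!r:22} match={signature_matches(raw)}")
```

Running the block prints each raw request beside its canonical form; only the first line fails to match. The design point is that every normalization step is done before the comparison, and `decode_escapes` loops until stable so that one more layer of encoding does not defeat it.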

To optimize the effectiveness of your IPS sensors, you need to understand how you can tune the operation of your sensors. When tuning your sensor, you need to consider the following factors:

  • Network topology

  • Network address space being monitored

  • Statically assigned server addresses

  • DHCP-assigned addresses

  • Operating systems running on your servers

  • Applications running on your servers

  • Security policy

Tasks involved in tuning your sensors fall into the following three phases, based on the length of time that your IPS has been in operation:

  • Deployment phase

  • Tuning phase

  • Maintenance phase

Some of the changes you will likely perform during the deployment phase include the following:

  • Enabling and disabling signatures

  • Adjusting alert severities

  • Creating basic event action filters

Tasks involved in tuning your sensor's global settings fall into the following categories:

  • Configuring IP log settings

  • Configuring application policy settings

  • Configuring reassembly options

  • Configuring event processing

You can configure the following IP log settings for your sensor:

  • Max IP Log Packets

  • IP Log Time

  • Max IP Log Bytes

  • Maximum Open IP Log Files

Cisco IPS 5.0 provides the capability to perform application policy enforcement for both HTTP and FTP. This functionality is provided by the following two signature engines:

  • AIC HTTP

  • AIC FTP

To use this functionality, however, you must enable it on your sensor (by default it is disabled).

Reassembly options fall into the following two categories:

  • Fragment reassembly

  • Stream reassembly

When configuring stream reassembly, you define the following parameters:

  • TCP Handshake Required

  • TCP Reassemble Mode

Whenever a signature triggers, your sensor generates an alert and, potentially, an event. Besides configuring your signature parameters, you can also configure event parameters on your sensor. These event parameters fall into the following categories:

  • Event variables

  • Target Value Rating

  • Event action override

  • Event action filters

The Target Value Rating enables you to assign an asset value rating to specific IP addresses on your network. The target values that you can assign to an IP address or range of IP addresses are as follows:

  • Mission Critical

  • High

  • Medium

  • Low

  • No Value

In addition to configuring signature actions, you can configure an event action override for each Cisco IPS response action. This override causes actions to be added to signatures if the Risk Rating of the event matches the override definition.

Event action filters enable you to configure your sensor to remove actions from events based on one or more of the following criteria:

  • Signature ID

  • Subsignature ID

  • Attacker address

  • Attacker port

  • Victim address

  • Victim port

  • Risk Rating
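The override paragraph above adds actions when the Risk Rating matches, and the filter criteria just listed remove actions from events that match every criterion that is set. The following Python is an added example that models those two steps in sequence; it is not Cisco IPS code, and the action names, the data classes, the CIDR-style address criteria and the sample events are assumptions made for illustration (the page does not say how addresses or Risk Rating ranges are expressed in the product).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Added example (not Cisco code): a toy model of event action overrides
# (add an action when the Risk Rating is in range) followed by event action
# filters (remove actions from events matching the listed criteria).
# Action names, field names and sample data are constructed.


@dataclass
class Event:
    sig_id: int
    subsig_id: int
    attacker_addr: str
    attacker_port: int
    victim_addr: str
    victim_port: int
    risk_rating: int
    actions: Set[str] = field(default_factory=set)  # actions set by the signature


@dataclass
class ActionOverride:
    """Add `action` to any event whose Risk Rating lies in [rr_min, rr_max]."""
    action: str
    rr_min: int
    rr_max: int


@dataclass
class ActionFilter:
    """Remove `actions` from events that satisfy every criterion that is set.
    Unset (None) criteria match anything; the Risk Rating range defaults to 0-100."""
    actions: Set[str]
    sig_id: Optional[int] = None
    subsig_id: Optional[int] = None
    attacker_net: Optional[str] = None   # assumed CIDR notation, e.g. "10.0.5.0/24"
    attacker_port: Optional[int] = None
    victim_net: Optional[str] = None
    victim_port: Optional[int] = None
    rr_min: int = 0
    rr_max: int = 100

    def matches(self, ev: Event) -> bool:
        if not (self.rr_min <= ev.risk_rating <= self.rr_max):
            return False
        exact = [
            (self.sig_id, ev.sig_id),
            (self.subsig_id, ev.subsig_id),
            (self.attacker_port, ev.attacker_port),
            (self.victim_port, ev.victim_port),
        ]
        if any(want is not None and want != got for want, got in exact):
            return False
        for net, addr in ((self.attacker_net, ev.attacker_addr),
                          (self.victim_net, ev.victim_addr)):
            if net is not None and ip_address(addr) not in ip_network(net, strict=False):
                return False
        return True


def process_event(ev: Event, overrides: List[ActionOverride],
                  filters: List[ActionFilter]) -> Set[str]:
    """Overrides add actions first; filters then remove actions. Returns the
    final action set the sensor would carry out for this event."""
    actions = set(ev.actions)
    for ov in overrides:
        if ov.rr_min <= ev.risk_rating <= ov.rr_max:
            actions.add(ov.action)
    for flt in filters:
        if flt.matches(ev):
            actions -= flt.actions
    return actions


# Constructed policy: block high-risk events inline, but never block the
# internal vulnerability-scanner subnet (only alert on it).
OVERRIDES = [ActionOverride("deny-attacker-inline", rr_min=90, rr_max=100)]
FILTERS = [ActionFilter({"deny-attacker-inline"}, attacker_net="10.0.5.0/24")]


def demo() -> List[Set[str]]:
    """Three constructed events with the same signature and port tuple but
    different sources and Risk Ratings."""
    base = dict(sig_id=5001, subsig_id=0, attacker_port=40000,
                victim_addr="10.1.1.20", victim_port=80, actions={"produce-alert"})
    events = [
        Event(attacker_addr="203.0.113.9", risk_rating=95, **base),  # external, high RR
        Event(attacker_addr="10.0.5.7", risk_rating=95, **base),     # scanner subnet
        Event(attacker_addr="203.0.113.9", risk_rating=40, **base),  # external, low RR
    ]
    return [process_event(ev, OVERRIDES, FILTERS) for ev in events]


if __name__ == "__main__":
    for result in demo():
        print(sorted(result))
```

The ordering matters: an override can add a blocking action that a later filter removes for a specific address range, which is how a single high-Risk-Rating policy can coexist with exceptions for known internal sources. Filters that set no criterion apart from the Risk Rating range match every event in that range, so leaving criteria unset is the easiest way to accidentally silence alerts.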


CCSP IPS Exam Certification Guide
ISBN: 1587201461
Year: 2004
Pages: 119
Authors: Earl Carter