Step 1: Understand the Product


Learn as much as you possibly can about the product you're about to implement before you start. It's tempting to dive right in without taking the time for research, but during your deployment you have to make important decisions about how to use the product and where to deploy sensors. Your likelihood of making good decisions goes up if you are well informed. Product documentation is a good place to start, and if you need more assistance, consider instructor-led training.

Note

When researching an IPS product, you need to make sure that you understand its true capabilities, which are sometimes inflated by the basic marketing literature. Product comparisons done by various security groups are usually a source of valuable information on actual product capabilities.


The first phase of ACME's NIPS deployment is therefore to learn about Cisco IPS Sensor Software. The goal of its research is to identify which Cisco IPS sensor components and capabilities ACME can use to protect its network. To that end, it researches the following topics about the Cisco IPS solution:

  • Sensors available

  • In-line support

  • Management and monitoring options

  • NIPS capabilities

  • Signature database and update schedule

Sensors Available

ACME wants to be sure it identifies where Cisco NIPS devices can be integrated into its network infrastructure. ACME also wants to identify the functionality provided by the various Cisco IPS devices. Therefore, it examines the various Cisco IPS sensors and platforms. Cisco supports a wide variety of sensors, including the following:

  • Cisco IPS 4200 Series appliance sensors

  • Cisco Catalyst 6500 Series IDS Module (IDSM-2)

  • Cisco IDS Network Module

  • Cisco IOS IPS sensors

Cisco IPS 4200 Series Appliance Sensors

The core of Cisco NIPS support is the Cisco IPS 4200 series appliance sensors. The major characteristics of the appliance sensors are shown in Table 10-1.

Table 10-1. Appliance Sensor Characteristics

Sensor      Maximum Traffic Analysis  Monitoring Interface                  Command and Control Interface  Optional Interface
IPS 4215    80 Mbps                   10/100BASE-TX                         10/100BASE-TX                  4 10/100BASE-TX
IPS 4240*   250 Mbps                  4 10/100/1000BASE-TX                  10/100BASE-TX                  4 10/100/1000BASE-TX (in the future)
IPS 4250XL  1000 Mbps                 Dual 1000BASE-SX interface with MTRJ  10/100/1000BASE-TX             1000BASE-SX (fiber)
IPS 4255*   600 Mbps                  4 10/100/1000BASE-TX                  10/100BASE-TX                  1000BASE-SX (fiber) or 4 10/100/1000BASE-TX (in the future)


Note

The sensors marked by an "*" are the newest appliance sensors added to the Cisco IPS solution. These sensors provide high reliability by incorporating flash for storage instead of a regular hard disk. Also, the sensors can be managed via the console port in addition to the Ethernet command and control interface.


These appliance sensors can be deployed at various locations throughout your network. Each of these sensors runs the same sensor software. The major differences among the appliance sensors involve the following factors:

  • Maximum traffic analysis capability

  • Number of interfaces

  • Type of interfaces

  • Cost

Cisco Catalyst 6500 Series IDS Module

For networks that utilize Catalyst 6500 series switches, Cisco provides the Cisco Catalyst 6500 Series IDS Module (IDSM-2). This module plugs directly into the Catalyst switch, which enables the sensor to analyze traffic directly from the switch's backplane. The IDSM-2 provides the following capabilities:

  • Merged switching and security into a single chassis

  • Ability to monitor multiple VLANs (similar to the appliance sensors)

  • No impact on switch performance

  • Detection and prevention capabilities equal to appliance sensor

  • Utilization of the same code base of the appliance sensor

  • Potential operation in in-line mode (running Cisco IPS 5.0 Software or greater)

Note

Running Cisco IPS 5.0 Software, the IDSM-2 is capable of operating in in-line mode only for a single VLAN, because it does not support trunk traffic passing through the blade. This limitation should be removed in a future software release.


The basic characteristics of the IDSM-2 sensor are as follows:

  • Performance: 600 Mbps

  • Monitoring interfaces: 2 Gigabit interfaces

  • Command and control interface: 1 Gigabit interface

  • TCP Reset interface: 1 Gigabit interface

  • Optional interface: No

Note

The TCP Reset interface is an interface that the IPS Software can use to generate TCP Reset packets in conjunction with the TCP Reset signature action. In some IDSM-2 configurations, the monitoring interfaces can receive only incoming traffic. In these configurations, the TCP Reset interface provides an alternate interface through which to support the TCP Reset action.


Unlike the appliance sensor, the IDSM-2 is a switch card. Therefore, to deploy the IDSM-2, you must have a Catalyst 6500 family switch. Furthermore, to successfully utilize your IDSM-2 as another component in your overall Cisco IPS solution, your switch operating system must match one of the following requirements:

  • Catalyst OS 7.5(1) or later (on Supervisor Engine)

  • Cisco IOS Release 12.1(19)E or later

Cisco IDS Network Module

The Cisco IDS Network Module for access routers provides sensor functionality that is deployed in access routers such as the Cisco 2600XM, 2691, 3660, and 3700 Series routers. The following are the technical specifications for the Cisco IDS Network Module for access routers:

  • Performance: Up to 45 Mbps

  • Monitoring interface: Router internal bus

  • Command and control interface: 10/100BASE-TX

  • Optional interface: No

Note

The Cisco IDS Network Module runs the Cisco IPS 5.0 Software but does not support in-line processing. It can operate only in promiscuous mode.


Cisco IOS IPS Sensors

Certain versions of Cisco IOS Software incorporate intrusion detection functionality into the software. When you use the Cisco IOS IPS functionality, the deployed router is known as a router sensor. Cisco IOS IPS is able to detect a limited subset of attacks compared to the appliance sensor. The software and hardware requirements for Cisco IOS IPS are as follows:

  • Cisco IOS Release 12.0(5)T or greater

  • Cisco 830, 1700, 1800, 2600, 2800, 3600, 3800, 7100, 7200, and 7500 Series routers

Note

Beginning with Cisco IOS Release 12.3(T), Cisco IOS IPS uses the same signature engines that are available with the appliance sensors. Although you cannot check for all the signatures that an appliance sensor does (because of performance reasons), you can configure a limited set of signatures to watch for (choosing from virtually all the signatures available on the appliance sensor). You can also download pretuned signature definition files (.sdf files) that you can use on routers to optimize the IPS functionality based on the amount of RAM installed on the routers. These ".sdf" files identify a core set of IPS signatures to enable on the router.


In-Line Support

Beginning with Cisco IPS 5.0 Software, Cisco sensor software supports attack prevention by operating in in-line mode. In-line mode enables your sensor to drop malicious traffic when it is detected. The following Cisco IPS sensors support in-line mode functionality:

  • IPS 4215

  • IPS 4240

  • IPS 4255

  • IDSM-2

  • IOS IPS sensors

Note

In-line functionality is not supported on the network module. Furthermore, adding this functionality to the network module is not planned.


For more information about network in-line capabilities, refer to Chapter 7, "Network Intrusion Prevention Overview," and Chapter 8, "NIPS Components."

Management and Monitoring Options

After ACME feels that it has a sufficient grasp of the sensor components, it moves on to its network management plan. The Cisco documentation shows that Cisco NIPS can be managed either centrally or on a per-device basis. Both graphical management options are accessed through a web-browser interface.

Command-Line Interface

Each sensor comes with a text-based command-line interface (CLI). This IOS-like interface enables you to configure your sensor and debug its operation, and it is especially useful when you initially set up a sensor. Although you can configure most sensor parameters using the CLI, most people prefer the graphical interfaces for day-to-day configuration changes. The CLI is accessed either through the console port on the sensor or across the network via the Secure Shell (SSH) protocol.

IPS Device Manager

Each sensor comes with the IPS Device Manager (IDM) software. This software enables you to configure the sensor through a graphical web-based interface. Using IDM, you can also analyze the events that are happening on the sensor and manually initiate IP blocking and logging.

IDM provides a limited monitoring capability. Using this monitoring functionality, you can observe the events that occur on a single sensor. In most situations, however, you want to correlate events from multiple sensors, so you use the Cisco Security Monitoring, Analysis and Response System (CS-MARS) product to observe IPS events from multiple devices.

Note

Previously, Cisco also had another event-correlation software product called Security Monitor. This software is being replaced by the CS-MARS product.


CiscoWorks Management Center for IPS Sensors

The centralized management approach for Cisco NIPS is the CiscoWorks Management Center for IPS Sensors (IPS MC). IPS MC is a component of the virtual private network (VPN)/Security Management Solution (VMS) software. IPS MC enables you to configure and manage hundreds of IPS sensors across your entire network from a single management system.

Note

VMS is being replaced by Cisco Security Manager (CSM). CSM provides a more scalable graphical interface that enables operators to provision their devices and security policies more efficiently. CSM will play a key role in the Cisco Security Management Solution. For more information, refer to Cisco.com.


CS-MARS

When you are deploying a large number of Cisco IPS sensors, you need an efficient way in which to monitor the alerts from these devices. CS-MARS provides this functionality. Using CS-MARS, you can correlate and analyze events from multiple sensors deployed throughout your network through a graphical interface. Additionally, CS-MARS provides correlation with alerts from other network hardware and software devices, including firewalls, routers, switches, host security, NetFlow, antivirus, and more, from various vendors. This type of correlation greatly enhances the accuracy of information provided to the security analyst.

CS-MARS provides numerous features, such as the following:

  • Device monitoring

  • Web-based monitoring platform

  • Custom reporting and correlation capability

  • Traffic anomaly detection

  • Mitigation recommendations

  • Topology awareness

With CS-MARS, you can receive events from a virtually unlimited number of devices, including the following:

  • Sensor appliances

  • IDS modules

  • Router modules

  • IOS routers

  • PIX firewalls

  • NetFlow

  • Authentication servers (such as Cisco Secure Access Control Server [ACS])

  • Host security software (such as Cisco Security Agent [CSA])

  • UNIX hosts

  • Windows hosts

Using a standard web browser, you can access CS-MARS to administer and monitor the alerts from your IPS devices. Furthermore, you can easily use an extensive list of common reports to support your regulatory and other reporting requirements.

NIPS Capabilities

ACME used the Cisco documentation it had, what it had been able to gather from its sales team, and what it learned about Cisco IPS network components to make a list of Cisco NIPS capabilities. ACME checked to be sure that the Cisco NIPS solution had all the capabilities commonly available in a robust NIPS product. The major functionality that ACME identified for a robust IPS is as follows:

  • Operate in both in-line and promiscuous modes

  • Support multiple sensor platforms

  • Support centralized management

  • Support a large signature base

  • Support customized signatures

  • Provide logging functionality

  • Provide IP blocking functionality

  • Provide alerting functionality

Next, ACME made the following high-level list of the NIPS functionality that it needs:

  • Known network attacks prevention

  • Anomalous traffic identification

  • Internal attack propagation prevention

  • Policy enforcement

  • Regulatory requirements enforcement

Note

For more information about NIPS capabilities, refer to Chapter 7 and Chapter 8.


Signature Database and Update Schedule

To be effective, an IPS needs to detect a wide variety of attacks and security policy violations. Furthermore, updates to the IPS signature database need to be released regularly. Finally, the IPS vendor must quickly provide signatures for serious attacks once they are identified.

ACME samples the Cisco signature database and finds that it includes more than 1000 signatures and more than a dozen different signature engines. These engines enable ACME to efficiently develop custom signatures for conditions unique to ACME's network and security policy. Cisco also regularly releases signature updates to enhance the functionality of the Cisco IPS. Finally, ACME discovers that Cisco released Signature Update S183 (to address the Microsoft "plug-and-play" vulnerability) only 45 minutes after Microsoft released its bulletin outlining the problem.

After reviewing the signature database and signature release history, ACME is comfortable that the Cisco IPS signatures are maintained in a timely manner.


Intrusion Prevention Fundamentals
ISBN: 1587052393