Previous Page Next Page

Cisco IPS Sensor Software

The Cisco IPS Sensor OS Software runs on the Linux operating system. The underlying Linux OS has been secured and hardened by removing unnecessary packages from the OS, disabling unused services, restricting network access, and removing access to the shell.

Sensor Software—System Architecture

Figure 20-6 illustrates the system design and architecture of the Cisco IPS Sensor Software system.

Figure 20-6. Cisco IPS Sensor Software System Design

Figure 20-6, which shows the IPS system architecture, is taken from Cisco documentation on "Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.0" at http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517f1.html.


Cisco IPS Sensor OS Software is made up of multiple application components as shown in Figure 20-6. These components are defined with their functions in the list that follows:

Sensor Software—Communication Protocols

The sensor OS applications, illustrated in Figure 20-6, communicate with each other through a common API called IDAPI. External remote applications (such as other sensors, management applications, and third-party software) communicate with the sensor through RDEP2 and SDEE protocols. The following section describes the various communication protocols used by the Cisco IPS sensor software.

Sensor Software—User Roles

The CLI for the sensor software OS permits multiple users to connect to the sensor at the same time. Users can be created locally in the sensor configuration. Each user is associated with a specific role that controls the user privileges and an established boundary of what the user can and cannot do.

The CLI supports four user roles, described in the list that follows. Each user has a different privilege level; therefore, the menus and available commands vary for each role:

Note

The service account allows switching to the Linux OS root user account by executing the su- command. The root password is synchronized to the service account password.


Sensor Software—Partitions

The IPS sensor software has the following three partitions:

Sensor Software—Signatures and Signature Engines

Signatures and signature engines are the foundation of Cisco IPS solution architecture. The network-based IPS sensor monitors network traffic with a collection of predefined (built-in signatures) and user-defined signatures that can be grouped into various signature engines.

A signature is a description of a network traffic pattern that attackers use while conducting network-based attacks. The IPS sensor monitors network traffic and generates alerts when it detects malicious activity by matching the traffic to specific signatures. Cisco IPS Sensor Software is preloaded with a wide range of signatures for varying protocols. Cisco IPS Sensor Software Version 6.0 contains more than 1,000 built-in default signatures. The sensor software also supports the configuration of user-defined custom signatures.

A signature engine is a categorized group of a collection of like signatures, each of which inspects for a specific type of activity. The sensor software uses the signature engines to examine network traffic for intrusive activity with similar characteristics. For example, the TCP-based string engine handles signatures that search for specific textual strings in TCP traffic only. The signature engines are designed to perform a wide range of functions, such as pattern matching, stateful pattern matching, protocol decoding, deep-packet inspection, and other heuristic methods. Each signature engine has a specific set of parameters that have allowable ranges or sets of values.

Table 20-3 lists the Cisco IPS Signature Engines available in the IPS Sensor Software Version 6.0.

Table 20-3. IPS Signature Engines
Signature EngineDescription of the Engine
Application Inspection and Control (AIC) EngineProvides thorough analysis of web-based traffic. The AIC engine provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant messaging, that try to tunnel over specified web ports, such as HTTP port 80. The AIC engine can also be used to inspect FTP traffic and control the commands being issued in FTP sessions. There are two main AIC engines: AIC FTP and AIC HTTP.
Atomic EngineThe atomic engines are now combined into two engines with multilevel selections to detect single-packet conditions. Atomic engine can combine Layer 3 and Layer 4 attributes within one signature—for example, IP and TCP. There are three basic subtypes for Atomic engine: Atomic ARP, which inspects Layer 2 ARP protocol; Atomic IP, which inspects IP protocol packets and associated Layer 4 transport protocols; and Atomic IPv6, which detects two IOS vulnerabilities that are stimulated by malformed IPv6 traffic.
Flood EngineDetects ICMP and UDP floods directed at hosts and networks. There are two types of flood engines: Flood Host and Flood Net.
Meta EngineMeta signatures are based on multiple individual signatures that define events that occurred in a related manner within a sliding time interval. This engine processes events rather than packets.
Multistring EngineInspects Layer 4 transport protocols and payloads by matching several strings for one signature. This engine inspects stream-based TCP and single User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) packets.
Normalizer EngineConfigures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Normalizer engine allows enforcing Request for Comments (RFC) compliance.
Service EngineInspects services at OSI Layers 5, 6, and 7 that require detailed protocol analysis. Inspects all standard system and application-level protocols. Service engine is capable of inspecting a wide range of protocol types, such as DNS, FTP, H225, HTTP, IDENT, MSRPC, MSSQL, NTP, RPC, SMB, SNMP, SSH, and TNS.
State EngineStateful searches of strings in protocols such as Simple Mail Transfer Protocol (SMTP). The state engine now has a hidden configuration file that is used to define the state transitions, so new state definitions can be delivered in a signature update.
String EngineSearches on Regex strings based on ICMP, TCP, or UDP. There are three types of string engines: String ICMP, String TCP, and String UDP.
Sweep EngineAnalyzes sweeps to detect network reconnaissance scans from a single host (Internet Control Message Protocol [ICMP] and TCP), from destination ports (TCP and UDP), and multiple ports with remote-procedure call (RPC) requests between two nodes. There are two types of sweep engines: Sweep and Sweep Other TCP.
Traffic Anomaly EngineInspects TCP, UDP, and other traffic for worms.
Traffic ICMP EngineAnalyzes nonstandard protocols, such as TFN2K, LOKI, and DDOS. There are only two signatures with configurable parameters in this engine.
Trojan EngineAnalyzes traffic from nonstandard protocols, such as BO2K and TFN2K. There are three types of Trojan engines: Bo2k, Tfn2k, and UDP. There are no user-configurable parameters in these engines.


Note

The information in Table 20-3 is compiled from Cisco product documentation on "Installing and Using Cisco Intrusion Prevention System Device Manager 6.0" at http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618a2e.html.


Similar to the antivirus software model, the network-based IPS sensor software must be kept up-to-date and signatures must be updated regularly. Cisco provides frequent signature updates.

Cisco has launched the Cisco Security Center, a portal that provides the latest signature updates, vendor-neutral security intelligence, exploit detection and mitigation strategies, security news, and Cisco product alerts.

The Cisco Security Center draws together the vast resources within Cisco to offer intelligence and security solutions in one location. Cisco Security Center provides around-the-clock threat and vulnerability information.

http://tools.cisco.com/security/center/home.x

Note

Use the following Cisco URL to download Cisco IPS software and signature updates: http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/.


Tip

Use the following Cisco URL to search for various types of signatures: http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x.


Note

For more details on the signature engines and their detailed parameters, refer to the following Cisco documentation URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618a2e.html.


Sensor Software—IPS Events

The Cisco IPS sensor software's system applications shown in Figure 20-6 generate various IPS events to report the occurrence of some stimulus. Every event is a data representation—for example, the alerts generated by SensorApp or errors generated by any application.

IPS events are generated on demand by the application instances within the sensor OS. There is no specific request from any other application instance to generate a particular event. They usually do not have a specific destination. They are stored locally and then retrieved by one or more application instances as needed.

The following seven types of data are communicated by the various functional units in the sensor software:

These types of data are collectively referred to as IPS data.

These collections of IPS events can be categorized into five basic types:

Each IPS event is stored in the local sensor database known as the Event Store, as shown in Figure 20-6. Each event is stored with a time stamp and a unique, monotonic, ascending ID. SensorApp is the only application that writes "alert" events into the Event Store. All other applications write log, status, and error events into the Event Store.

Sensor Software—IPS Event Actions

An IPS event action is triggered when a signature is matched and an action is required to mitigate the situation.

Table 20-4 lists the basic IPS event actions available in the sensor software OS that can be configured per individual signatures. Most of the following event actions belong to each signature engine unless they are not supported or appropriate for that particular engine. For example, the ICMP signature engine cannot be configured for TCP Reset action.

Table 20-4. IPS Event Actions
Event ActionDescription of the Action
Deny Attacker InlineDoes not transmit this packet and future packets originating from the attacker address for a specified period. This is the most severe of the deny actions. It denies current and future packets from a single attacker address. (Available for inline mode only).
Deny Attacker Service Pair InlineDoes not transmit this packet and future packets on the attacker address victim port pair for a specified period. (Available for inline mode only).
Deny Attacker Victim Pair InlineDoes not transmit this packet and future packets on the attacker/victim address pair for a specified period of time. (Available for inline mode only).
Deny Connection InlineDoes not transmit this packet and future packets on the TCP flow. (Available for inline mode only).
Deny Packet InlineDoes not transmit this packet. (Available for inline mode only).
Log Attacker PacketsStarts IP logging packets containing the attacker address.
Log Pair PacketsStarts IP logging packets containing the attacker-victim address pair.
Log Victim PacketsStarts IP logging packets containing the victim address.
Modify Packet InlineModifies packet data to remove ambiguity about what the end point might do with the packet.
Produce AlertWrites the event to the Event Store as an alert.
Produce Verbose AlertIncludes an encoded dump of the offending packet in the alert.
Request Block ConnectionSends a request to Attack Response Controller (ARC) to block this connection. Configure the blocking devices parameters appropriately for this action to work properly.
Request Block HostSends a request to Attack Response Controller (ARC) to block this attacker host.
Request Rate LimitSends a rate limit request to Attack Response Controller (ARC) to perform rate limiting. Rate-limiting devices must be configured appropriately to implement this action.
Request SNMP TrapSends a request to NotificationApp to perform SNMP notification.
Reset TCP ConnectionSends TCP resets to hijack and terminate the TCP flow. Reset TCP Connection works only on TCP-based signatures that analyze a single connection. It does not work for sweeps or floods.


Note

The information in Table 20-4 is compiled from Cisco product documentation on "Installing and Using Cisco Intrusion Prevention System Device Manager 6.0" at http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618a2e.html.


Sensor Software—IPS Risk Rating (RR)

The IPS sensor software offers a unique Risk Rating (RR) numerical integer that allows users to make informed decisions on the IPS inline drop actions and provides users with greater confidence by enhancing the reliability of the inline deployment. RR is primarily used internally and is a locally significant number (within the sensor) to determine the proper action to take on an event.

RR is a multidimensional formula that is applied on a per-signature basis. The RR is calculated from several components, some of which are configured, some collected, and some derived. RR has a value between 0 and 100; the higher the RR value, the greater the confidence that the event detected is an indication of malicious activity (and not a false positive).

RR represents a numerical quantification of the risk associated with a particular event on the network. The calculation takes into account the value of the network asset being attacked (for example, a server), so it is configured on a per-signature basis (Attack Severity Rating (ASR) and Signature Fidelity Rating (SFR)) and on a per-server basis Target Value Rating (TVR).

Note

The RR is associated with alerts, not signatures.


RR is a mechanism used to prioritize alerts that need user attention. These RR factors take into consideration the severity of the attack, whether it was successful, the fidelity of the signature, and the overall value of the target host. The RR is reported in the evIdsAlert.

The following values are used to calculate the RR for a particular event:

The formula to calculate the RR follows:

RR = ((ASR*TVR*SFR)/10000)+ARR-PD+WLR

Sensor Software—IPS Threat Rating

Threat Rating (TR) is an RR value that has been lowered by event actions that have been taken. All event actions have a specific TR adjustment. The largest TR from all of the event actions taken is subtracted from the RR.

Table 20-5 lists the event actions with the corresponding TR values.

Table 20-5. Threat Rating Value for Event Actions
Event ActionThreat Rating
Deny attacker inline45
Deny attacker victim pair inline40
Deny attacker service pair inline40
Deny connection inline35
Deny packet inline35
Modify packet inline35
Request block host20
Request block connection20
Reset TCP connection20
Request rate limit20


Sensor Software—IPS Interfaces

Cisco IPS sensor software supports the following two main types of interface roles:

Table 20-7. Interface Support
Sensor ModelAdded PCI CardsInterfaces Supporting Inline VLAN Pairs (Sensing Ports)Combinations Supporting Inline Interface PairsInterfaces Not Supporting Inline (Command and Control Port)
IDS-4215FastEthernet0/1N/AFastEthernet0/0
IDS-42154FEFastEthernet0/1

FastEthernetS/0

FastEthernetS/1

FastEthernetS/2

FastEthernetS/3
1/0<->1/1

1/0<->1/2

1/0<->1/3

1/1<->1/2

1/1<->1/3

1/2<->1/3

0/1<->1/0

0/1<->1/1

0/1<->1/2

0/1<->1/3
FastEthernet0/0
IDS-4235GigabitEthernet0/0N/AGigabitEthernet0/1
IDS-42354FEGigabitEthernet0/0

FastEthernetS/0

FastEthernetS/1

FastEthernetS/2

FastEthernetS/3
1/0<->1/1

1/0<->1/2

1/0<->1/3

1/1<->1/2

1/1<->1/3

1/2<->1/3
GigabitEthernet0/1
IDS-4235TX (GE)GigabitEthernet0/0

GigabitEthernet1/0

GigabitEthernet2/0
0/0<->1/0 0/0<->2/0GigabitEthernet0/1
IDS-4250GigabitEthernet0/0N/AGigabitEthernet0/1
IDS-42504FEGigabitEthernet0/0

FastEthernetS/0

FastEthernetS/1

FastEthernetS/2

FastEthernetS/3
1/0<->1/1

1/0<->1/2

1/0<->1/3

1/1<->1/2

1/1<->1/3

1/2<->1/3
GigabitEthernet0/1
IDS-4250TX (GE)GigabitEthernet0/0

GigabitEthernet1/0

GigabitEthernet2/0
0/0<->1/0 0/0<->2/0GigabitEthernet0/1
IDS-4250SXGigabitEthernet0/0 GigabitEthernet1/0N/AGigabitEthernet0/1
IDS-4250SX + SXGigabitEthernet0/0

GigabitEthernet1/0

GigabitEthernet2/0
1/0<->2/0GigabitEthernet0/1
IDS-4250XLGigabitEthernet0/0

GigabitEthernet2/0

GigabitEthernet2/1
2/0<->2/1GigabitEthernet0/1
IDSM-2GigabitEthernet0/7 GigabitEthernet0/80/7<->0/8GigabitEthernet0/2
IPS-4240GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet0/2

GigabitEthernet0/3
0/0<->0/1

0/0<->0/2

0/0<->0/3

0/1<->0/2

0/1<->0/3

0/2<->0/3
Management0/0
IPS-4255GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet0/2

GigabitEthernet0/3
0/0<->0/1

0/0<->0/2

0/0<->0/3

0/1<->0/2

0/1<->0/3

0/2<->0/3
Management0/0
IPS-4260GigabitEthernet0/1N/AManagement0/0
IPS-42604GE-BPGigabitEthernet0/1 Management0/0
 Slot 1GigabitEthernet2/0

GigabitEthernet2/1

GigabitEthernet2/2

GigabitEthernet2/3
2/0<->2/1 2/2<->2/3 
 Slot 2GigabitEthernet3/0

GigabitEthernet3/1

GigabitEthernet3/2

GigabitEthernet3/3
3/0<->3/1 3/2<->3/3 
IPS-42602SXGigabitEthernet0/1All sensing ports can be paired togetherManagement0/0
 Slot 1GigabitEthernet2/0 GigabitEthernet2/1  
 Slot 2GigabitEthernet3/0 GigabitEthernet3/1  
IPS 4270-20GigabitEthernet0/1N/AManagement0/0 Management0/1
IPS 4270-204GE-BPGigabitEthernet0/1 Management0/0 Management0/1
 Slot 1GigabitEthernet2/0

GigabitEthernet2/1

GigabitEthernet2/2

GigabitEthernet2/3
2/0<->2/1 2/2<->2/3 
 Slot 2GigabitEthernet3/0

GigabitEthernet3/1

GigabitEthernet3/2

GigabitEthernet3/3
3/0<->3/1 3/2<->3/3 
IPS 4270-202SXGigabitEthernet0/1All sensing ports can be paired togetherManagement0/0 Management0/1
 Slot 1GigabitEthernet2/0

GigabitEthernet2/1

GigabitEthernet2/2

GigabitEthernet2/3
  
 Slot 2GigabitEthernet3/0

GigabitEthernet3/1

GigabitEthernet3/2

GigabitEthernet3/3
  
AIP-SSM-10GigabitEthernet0/1 by security context instead of VLAN pair or inline interface pairGigabitEthernet0/1 by security context instead of VLAN pair or inline interface pairGigabitEthernet0/0
AIP-SSM-20GigabitEthernet0/1 by security context instead of VLAN pair or inline interface pairGigabitEthernet0/1 by security context instead of VLAN pair or inline interface pairGigabitEthernet0/0


Note

S indicates the slot number. IDS 4FE card can be installed in either slot 1 or 2.

Table 20-7 can be found at the following Cisco documentation URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a0080757abc.html#wp522729.


Sensor Software—IPS Interface Modes

The IPS Sensor software OS expands the sensing interface roles into various modes of implementation. There are four basic types of interface modes:

Sensor Software—IPS Blocking (Shun)

Cisco IPS Sensor software supports dynamic response action by blocking the offending traffic during an attack. The Attack Response Controller (ARC) function in the sensor software is responsible for managing network devices to respond to suspicious events by blocking (shunning) network access from attacking hosts and networks. The ARC is part of the MainApp application, as shown in Figure 20-6.

There are three basic types of blocking:

The ARC enforces the blocking on Cisco routers and Catalyst 6500 series switches by using ACL or VACL functions. Each ACL or VACL contains permit and deny conditions that apply to IP addresses. Other non-IOS devices and security appliances that do not support ACL or VACL use the shun function to enforce blocking instead.

The ARC controls the devices by using the IP address of the managed devices that are configured. It connects to all the managed devices in the list and sends the block (shun) instructions to every device. ARC will keep track of block time and undo the restrictions after the block time has expired.

The following parameters need to be configured on the sensor for ARC function to manage a device and issue block instructions:

Note

In the previous IPS Sensor software versions, ARC was formerly known as Network Access Controller. The new Cisco IPS Sensor software Version 6.0 has been updated; however, IDM and the CLI may contain references to Network Access Controller, nac, and network-access.


Sensor Software—IPS Rate Limiting

In addition to blocking, which was described earlier, the Cisco IPS Sensor software also supports dynamic response action by rate limiting traffic in protected networks for specified traffic classes on network devices. Similar to blocking, the Attack Response Controller (ARC) function in the sensor software is responsible for rate limiting.

The rate limiting feature provides the capability of reducing the effect of a denial of service (DoS) attack or network attack, instead of blocking it entirely. This is similar to the Committed Access Rate (CAR) function in Cisco IOS.

Rate-limit responses are supported for the Host Flood and Net Flood engines and the TCP half-open SYN signature.

The following parameters are required to implement rate limit:

Rate-limit parameters can be tuned on individual signatures. To implement rate limit, select the event action type Request Rate Limit (Table 20-4) to enforce rate limiting and set the percentage for these signatures.

Note

Cisco IOS Software Version 12.3 or later is required for ARC to successfully implement rate limit on Cisco routers.


Sensor Software—IPS Virtualization

As discussed previously, the IPS sensor software uses the Analysis Engine to perform packet analysis and alert detection. The sensor monitors traffic that flows through specified interfaces mentioned previously.

The IPS Sensor Software OS Version 6.0 introduces the concept of virtualization, whereby virtual sensors can be created in the Analysis Engine. Version 6.0 supports up to four virtual sensors.

Virtual sensors can be effectively used to monitor multiple data streams, apply different configurations to different sets of traffic, monitor two network segments with overlapping IP spaces with one sensor, or monitor concurrently both the inside and outside of a firewall with one sensor.

Multiple virtual sensors can be hosted on the same appliance, each configured with different signature behavior and traffic feeds. Each virtual sensor has its own set of unique settings and configurations, such as a unique name with a list of interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups associated with it.

Each virtual sensor is associated with a specifically named signature definition, event action rules, and anomaly detection configuration.

The sensor can receive data inputs from one or many monitored data streams. These monitored data streams can either be physical interface ports or virtual interface ports.

Note

For more information on the IPS Virtual Sensor feature and detailed configuration parameters, refer to the following Cisco documentation URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517a5.html.


Sensor Software—IPS Security Policies

The IPS Sensor Software OS allows the creation of multiple security policies and the application of those multiple policies to the individual virtual sensors that were discussed previously.

A security policy configuration contains three components:

Cisco IPS sensor software OS version 6.0 contains a default signature definition policy called sig0, a default event action rules policy called rules0, and a default anomaly detection policy called ad0. These default policies or customized user-defined new policies can be associated with the newly defined virtual sensor (discussed earlier) as required.

Multiple security policies can be customized and created for multiple virtual sensors based on different requirements and can be applied per VLAN or physical interface.

Tip

Refer to the following Cisco documentation URL to configure signature definition policies: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618a2a.html.


Tip

Refer to the following Cisco documentation URL to configure event action rules policies: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618a28.html.


Tip

Refer to the following Cisco documentation URL to configure anomaly detection policies: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618916.html.


Sensor Software—IPS Anomaly Detection (AD)

The IPS Sensor Software OS Version 6.0 introduces the revolutionary Anomaly Detection (AD) function built in to the sensor software architecture. The AD solution detects worm-infected hosts and worm-based attacks. AD detects the following two situations:

The AD works by subdividing the network into various zones, thereby enabling it to characterize the traffic patterns. This also helps reduce false negatives. A zone is a set of destination IP addresses. The following are the three zones, each with its own thresholds:

The sensor does not depend on signatures. Instead, it learns primarily normal activity and establishes the network baseline for predictable behavior patterns.

Initially, the AD conducts a learning process when the most normal state of the network is reflected. Using this baseline, AD derives a set of policy thresholds that best fit the normal network.

After a normal network baseline is established, the sensor can detect any anomalies that deviated from the normal behavior pattern and take dynamic response actions accordingly.

Caution

AD assumes it gets traffic from both directions. If the sensor is configured to see only one direction of traffic, AD identifies all traffic as having incomplete connections—for example, scanners—and sends alerts for all such traffic flows.


The AD has the following three modes:

Note

Refer to the following Cisco documentation URL for IPS Anomaly Detection (AD) technique and configuration parameters: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517a1.html.


Previous Page Next Page