NET-240 (NetAcad Chapter 11)

8. Which Cisco platform supports Cisco Snort IPS?

4000 series ISR

Snort rule set push

A centralized management tool can push the rule sets based on preconfigured policy, instead of the router directly downloading on its own.

11.4.2 Network Taps

A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination. The figure displays a sample topology displaying a tap installed between a network firewall and the internal router. InternetInternal NetworksInternal RouterFirewallRX Data StreamTX Data StreamNetwork TapMonitoring Device Notice how the tap simultaneously sends both the transmit (TX) data stream from the internal router and the receive (RX) data stream to the internal router on separate, dedicated channels. This ensures that all data arrives at the monitoring device in real time. Therefore, network performance is not affected or degraded by monitoring the connection. Taps are also typically fail-safe, which means if a tap fails or loses power, traffic between the firewall and internal router is not affected. Search the internet for information on NetScout Taps for copper UTP Ethernet, fiber Ethernet, and serial links.

11.1.3 Intrusion Prevention and Detection Devices

A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network. When implementing IDS or IPS, it is important to be familiar with the types of systems available, host-based and network-based approaches, the placement of these systems, the role of signature categories, and possible actions that a Cisco IOS router can take when an attack is detected. The figure shows how an IPS device handles malicious traffic. IDS and IPS Characteristics Common Characteristics of IDS and IPS Both technologies are deployed as sensors. Both technologies use signatures to detect patterns of misuse in network traffic. Both can detect atomic patterns (single-packet) or composite patterns (multi-packet). 1. Malicious traffic is sent to the target host that is inside the network. 2. The traffic is routed into the network and received by an IPS-enabled sensor where it is blocked. 3. The IPS-enabled sensor sends logging information regarding the traffic to the network security management console. 4. The IPS-enabled sensor kills the traffic. (It is sent to the "Bit Bucket.") IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices: A router configured with IPS software A device specifically designed to provide dedicated IDS or IPS services A hardware module installed in an adaptive security appliance (ASA), switch, or router IDS and IPS technologies use signatures to detect patterns in network traffic. A signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information. IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).

Destination (SPAN) port

A port that mirrors source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.

IPS Advantages

Advantages of an IPS include: An IPS sensor can be configured to drop the trigger packets, the packets associated with a connection, or packets from a source IP address. Because IPS sensors are inline, they can use stream normalization. Stream normalization is a technique used to reconstruct the data stream when the attack occurs over multiple data segments.

IDS

Advantages: No impact on network (latency, jitter) No network impact if there is a sensor failure No network impact if there is sensor overload Disadvantages: Response action cannot stop trigger packets Correct tuning required for response actions More vulnerable to network security evasion techniques

IPS

Advantages: Stops trigger packets Can use stream normalization techniques Disadvantages: Sensor issues might affect network traffic Sensor overloading impacts the network Some impact on network (latency, jitter)

Signature allowed listing

Allowed listing allows the disabling of certain signatures from the rule set. Disabled signatures can be reenabled at any time.

IDS Advantages

An IDS is deployed in offline mode and therefore: The IDS does not impact network performance. Specifically, it does not introduce latency, jitter, or other traffic flow issues. The IDS does not affect network functionality if the sensor fails. It only affects the ability of the IDS to analyze the data.

IPS on Cisco ISRs 11.3.1 IPS Components

An IPS sensor has two components: IPS detection and enforcement engine - To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package. IPS attack signatures package - This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures. As shown in the figure, the IPS detection and enforcement engine that can be implemented depends on the router platform: Cisco IOS Intrusion Prevention System (IPS) - This is available on older Cisco 800, 1900, 2900, and 3900 Series ISRs. IOS IPS is no longer supported and should not be used. Cisco Snort IPS - This is available on the Cisco 4000 Series ISRs and Cisco Cloud Services Routers in the 1000v Series. The Cisco Snort IPS delivers traditional intrusion detection and prevention by comparing network traffic to continually updated databases of known malware and threat signatures. The Cisco IOS IPS signatures are no longer updated. Cisco IPS Options Cisco 800, 1900, 2900, and 3900 Series ISRsCisco 4000 Series ISRs

11.2.4 Check Your Understanding - Compare IDS and IPS Deployment

Check your understanding of IDS and IPS by choosing the correct answer to the following questions.

11.3.7 Check Your Understanding - IPS on Cisco ISRs

Check your understanding of Snort on Cisco ISRs by answering the following questions.

1. Snort IPS is available on which router platform?

Cisco 4000

9. Which device supports the use of SPAN to enable monitoring of malicious activity?

Cisco Catalyst switch

IDS Disadvantages

Disadvantages of an IDS include: An IDS sensor cannot stop the packets that have triggered an alert and are less helpful in detecting email viruses and automated attacks, such as worms. Tuning IDS sensors to achieve expected levels of intrusion detection can be very time-consuming. Users deploying IDS sensor response actions must have a well-designed security policy and a good operational understanding of their IDS deployments. An IDS implementation is more vulnerable to network security evasion techniques because it is not inline.

IPS Disadvantages

Disadvantages of an IPS include: Because it is deployed inline, errors, failure, and overwhelming the IPS sensor with too much traffic can have a negative effect on network performance. An IPS sensor can affect network performance by introducing latency and jitter. An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not adversely affected.

11.3.2 Cisco IOS IPS

Enabling a router to work as an IPS is a cost-effective way to protect branch office networks. Rather than purchasing a router and a dedicated IPS device, combining the functionalities in one device not only saves money but also simplifies network designs and administration. In the past, a Cisco ISR could be enabled as an IPS sensor that scanned packets and sessions to match any of the Cisco IOS IPS signatures. The legacy Cisco IOS IPS operated in RAM as illustrated in the figure. This means that it shared device memory with other Cisco IOS features. When Cisco IOS IPS detected suspicious activity, it responded before network security could be compromised. It logged the event as Cisco IOS syslog messages or through Security Device Event Exchange (SDEE). The network administrator could configure the Cisco IOS IPS to choose the appropriate response to various threats. For example, when packets in a session matched a signature, Cisco IOS IPS could be configured to respond as follows: Send an alarm to a syslog server or a centralized management interface Drop the packet Reset the connection Deny traffic from the source IP address of the threat for a specified amount of time Deny traffic on the connection for which the signature was seen for a specified amount of time Cisco IOS IPS RAM• IOS• IOS IPSCisco 800, 1900, 2900,and 3900 Series ISRs

1. True or False? A HIPS can be configured in either promiscuous or inline mode.

False

3. What is true of a HIPS?

HIPS software combines anti-virus, anti-malware, and firewall functionality.

6. Which network monitoring technology passively monitors network traffic to detect attacks?

IDS

Cannot stop the trigger packet and is not guaranteed to stop a connection

IDS

Deployed in offline mode

IDS

Less helpful in stopping email viruses and automated attacks, such as worms

IDS

More vulnerable to network security evasion techniques enabled by various network attack methods

IDS

Primarily focused on identifying possible incidents, logging information about the incidents, and reporting the incidents

IDS

11.1.4 Advantages and Disadvantages of IDS and IPS

IDS Advantages and Disadvantages The table summarizes the advantages and disadvantages of IDS and IPS. (On cards 5-6).

IPS Technologies Summary 11.5.1 What Did I learn in this Module?

IDS and IPS Characteristics Malware is an ever-increasing threat to network security. New network attacks occur daily. The threat landscape is constantly evolving. Monitoring network logs is one way to know that an exploit has occurred. But by then it is too late. IDS and IPS make up part of a multi-layered approach to network security. IDS work offline to detect malicious traffic through traffic mirroring. IDS can alert security personnel about a potential attack. While the IDS does nothing to stop network attacks, it has no effect on network performance. IPS devices work inline to prevent network attacks, however they can add latency and slow network performance. IDS and IPS devices can be routers equipped with IPS software, dedicated devices, or hardware modules installed in adaptive security appliances, switches or routers. IPS Implementations Intrusion prevention systems can be host-based or network-based. HIPS are installed on network hosts. They monitor activity on the host and can prevent attacks and log suspicious activity. HIPS are like a combination of antimalware and firewall software. HIPS have mostly a local view of the network and are only an effective solution if they are used on all hosts. In addition, they should not be the only security measure taken in a network, but instead are just one layer of security. NIPS can be implemented using a dedicated device or a router with IPS software. Network-based IPS act in real time to block malicious software and network attacks. Network-based IPS can be deployed in two modes. In promiscuous mode, they function as IDS by monitoring mirrored traffic. While they can't stop network attacks, they can alert personnel and log information when attacks occur. An inline mode IPS processes all traffic that enters a network and checks that traffic at Layers 3 to 7. IPS can also check the contents of payloads that are carried in network traffic, such as email attachments. Because inline mode puts the IPS directly into the traffic flow it makes packet-forwarding rates slower by adding latency. Inline mode allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target. IPS on Cisco ISRs Enabling IPS functionality on routers at the branch level is a cost-effective way to protect networks with a single device. The IPS detection and enforcement engine that ran on legacy router platforms was the Cisco IOS IPS. However, the Cisco IOS IPS is no longer supported. For the 4000 Series ISR, the Cisco Snort IPS has replaced the IOS IPS. Snort runs in a virtual container on the router hardware. The IPS function does not affect the traffic forwarding functions of the router. When running as an IPS, Snort monitors network traffic and analyzes it against a defined-rule set. Snort can classify attacks by type, and can perform actions against the traffic such as sending alerts, logging events, and acting against traffic when attack signatures are matched. Snort can be configured to automatically update its rules from an internet source such as Cisco or snort.org. Problematic signatures can be disabled, and custom rules created. Snort is intended to be run on 4300 ISR and above. It requires 8 GB of DRAM and 8 GB of Flash to run. Resource profiles can be configured to control how Snort uses ISR system resources. Cisco Switched Port Analyzer SPAN is a technology that enables network monitoring and IDS to function in segmented networks. Network traffic is mirrored from source ports or VLANs to a destination port or VLAN that is connected to the monitoring device or IDS. Traffic from the source ports is copied and sent to the destination port. Traffic that enters the switch is called ingress traffic, and traffic exits the switch is called egress traffic. Source ports carry the traffic that is to be monitored, and destination ports are connected to the monitoring devices. The monitored traffic is copied and sent out of the destination port. The configuration of SPAN entails defining the source and destination switchports.

11.2.3 Modes of Deployment

IDS and IPS sensors can operate in inline mode (also known as inline interface pair mode) or promiscuous mode (also known as passive mode). As shown in the figure, packets do not flow through the sensor in promiscuous mode. The sensor analyzes a copy of the monitored traffic, not the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of operating in promiscuous mode is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices (for example, routers and firewalls) to respond to an attack. Such response actions can prevent some classes of attacks. However, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router). In the figure, Switched Port Analyzer (SPAN) is used to mirror the traffic entering, going to, and coming from the host. Promiscuous Mode SPAN port sending copies of trafficIDS-enabled SensorManagement Server As shown in the figure below, operating in inline mode puts the IPS directly into the traffic flow and makes packet-forwarding rates slower by adding latency. Inline mode allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on Layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop or block attacks that would pass through a traditional firewall device. An IDS sensor could also be deployed inline. The IDS would be configured so that it only sends alerts and does not drop any packets. Inline Mode IPS Sensor

3. In which operating mode does Snort IDS inspect traffic and report alerts, but does not take any action to prevent attacks?

IDS mode

Can affect network performance by introducing latency and jitter

IPS

Can be configured to perform a packet drop to stop the trigger packet

IPS

Can use stream normalization techniques to reduce or eliminate many of the network security evasion capabilities that exist

IPS

Must be deployed inline, and traffic must be able to pass through it

IPS

Must be implemented so that time-sensitive applications are not adversely affected

IPS

11.4.6 Packet Tracer - Implement a Local SPAN

In this lab, you will complete the following objectives: Part 1: Build the Network and Verify Connectivity Part 2: Configure Local SPAN and Capture Copied Traffic with Wireshark Implement a Local SPAN Implement a Local SPAN

2. What is true of a NIPS that is running in inline mode?

It can add latency to the network.

5. What is a feature of an IPS?

It can stop malicious packets.

3. What is a characteristic of an IPS operating in inline-mode?

It can stop malicious traffic from reaching the intended target.

10. What is a host-based intrusion detection system (HIDS)?

It combines the functionalities of antimalware applications with firewall protection.

4. What is a zero-day attack?

It is a computer attack that exploits unreported software vulnerabilities.

1. What is an IPS signature?

It is a set of rules used to detect typical intrusive activity.

IDS and IPS Characteristics 11.1.1 Zero-Day Attacks

Malware can spread across the world in a matter of minutes. A network must instantly recognize and mitigate malware threats. Firewalls can only do so much and cannot provide protection against all malware and zero-day attacks. A zero-day attack, sometimes referred to as a zero-day threat, is a cyberattack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor, as shown in the figure. The term zero-day describes the moment when a previously unknown threat is identified. Zero-Day Exploit Attack Remote WorkerVPNRemote BranchVPNVPNFirewallLANWeb ServerEmail ServerDNS ServerZero-day attack During the time it takes the software vendor to develop and release a patch, the network is vulnerable to these exploits, as shown in the figure. Defending against these fast-moving attacks requires network security professionals to adopt a more sophisticated view of the network architecture. It is no longer possible to contain intrusions at a few points in the network. Microsoft Internet Explorer Zero-Day Vulnerability

11.3.3 Snort IPS

Many of the devices that supported Cisco IOS IPS are no longer available, or no longer supported. The newer Cisco 4000 Series Integrated Services Routers (ISR) no longer support IOS IPS. Instead, they provide IPS services using the Snort IPS feature. Snort IPS complements existing network security features of the 4000 Series without the need to deploy a second appliance at branch locations. Snort is the most widely deployed IPS solution in the world. It is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content searching or matching, and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and so on. The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs. A virtual service container is a virtual machine that runs on the ISR router operating system. Service containers are applications that can be hosted directly on Cisco IOS XE routing platforms. These apps use the Linux aspects of the IOS XE operating system to host both Linux Virtual Containers (LXC) and Kernel virtual machines (KVM). The Snort container is distributed as an Open Virtualization Appliance (OVA) file that is installed on the router. Unlike IOS IPS, Snort IPS can use the computer power of the service container to scale security with the platform without affecting routing capabilities or other data plane functionality. The virtual service supports three resource profiles that indicate how the Snort container uses system CPU, RAM, and Flash or disk resources. Snort IPS RAM•IOSContainerCisco 4000 Series ISRs

11.4.3 Traffic Mirroring and SPAN

Network switches segment the network by design. This limits the amount of traffic that is visible to network monitoring devices. Because capturing data for network monitoring requires all traffic to be captured, special techniques must be employed to bypass the network segmentation imposed by network switches. Port mirroring is one of these techniques. Supported by many enterprise switches, port mirroring enables the switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) port that is connected to an analysis device. The table identifies and describes terms used by the SPAN feature. (On cards 52-55). 11.4.3 ends on card 56.

11.2.2 Network-Based IPS

Network-based IPS Sensors can be implemented in several ways: On a Cisco Firepower appliance On an ASA firewall device On an ISR router As a virtual Next-Generation IPS (NGIPSv) for VMware An example of a network-based IPS is the Cisco Firepower NGIPS. It is tuned for intrusion prevention analysis. The underlying operating system of the platform is stripped of unnecessary network services, and essential services are secured. This is known as hardening. The hardware of all network-based sensors includes three components: NIC - The network-based IPS must be able to connect to any network, such as Ethernet, Fast Ethernet, and Gigabit Ethernet. Processor - Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching. Memory - Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network-based IPS to efficiently and accurately detect an attack. Network-based IPS gives security managers real-time security insight into their networks regardless of growth. Additional hosts can be added to protected networks without requiring more sensors. Additional sensors are only required when their rated traffic capacity is exceeded, when their performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries. When new networks are added, additional sensors are easy to deploy.

11.1.2 Monitor for Attacks

One approach to prevent malware exploits is for an administrator to continuously monitor the network and analyze the log files generated by network devices. Security operations center (SOC) tools, such as security information and event management (SIEM) and security orchestration, automation, and response (SOAR) systems automate the log file gathering and analysis process. It has become an accepted fact that malware will enter the network despite the best defenses. For this reason, a multilayered approach to malware protection must be employed. Logfiles generated by devices at each layer will help to identify whether an exploit has occurred, the diagnostic features of the exploit, and the extent of the damage within the enterprise. The information gathered in logfiles will also help to inform measures taken in response to the exploit, such as containment and mitigation. Intrusion Detection Systems (IDS) were implemented to passively monitor the traffic on a network. The figure shows that an IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets. Intrusion Detection System Operation 1132 SwitchIDS-enabled SensorManagement ConsoleTarget Working offline, the IDS compares the captured traffic stream with known malicious signatures, similar to software that checks for viruses. Working offline means several things: The IDS works passively. The IDS device is physically positioned in the network so that traffic must be mirrored in order to reach it. Network traffic does not pass through the IDS unless it is mirrored. Very little latency is added to network traffic flow. Although the traffic is monitored, logged, and perhaps reported, no action is taken on packets by the IDS. This offline IDS implementation is referred to as promiscuous mode. The advantage of operating with a copy of the traffic is that the IDS does not negatively affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack. A better solution is to use a device that can immediately detect and stop an attack. An Intrusion Prevention System (IPS) performs this function.

12. What network monitoring tool can be used to copy packets moving through one port, and send those copies to another port for analysis?

SPAN

The figure shows a switch that interconnects two hosts and mirrors traffic to an intrusion detection device (IDS) and network management server.

SPAN F0/1F0/2G0/1 SPAN port sending copies of trafficIDS SensorManagement ServerIngress TrafficEgress TrafficSource SPAN PortSource SPAN PortDestination SPAN Port The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 that connects to an IDS. The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored. On some Cisco switches, session traffic can be copied to more than one destination port. Alternatively, a source VLAN can be specified in which all ports in the source VLAN become sources of SPAN traffic. Each SPAN session can have ports or VLANs as sources, but not both. Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.

11.1.5 Check Your Understanding - Compare IDS and IPS Characteristics

Select the corresponding delivery method for each characteristic.

7. Which open source network monitoring technology performs real-time traffic analysis and generates alerts when threats are detected on IP networks?

Snort IPS

11.3.4 Snort Operation

Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. There are currently more than 30,000 signatures in the Snort rule set. It also supports the ability to customize rule sets and provides centralized deployment and management capabilities for 4000 Series ISRs. Snort can be enabled in either of the following modes: IDS mode - Snort inspects the traffic and reports alerts, but does not take any action to prevent attacks. IPS mode - In addition to intrusion detection, actions are taken to prevent attacks. In the network intrusion detection and prevention mode, Snort performs the following actions: Monitors network traffic and analyzes against a defined rule set. Performs attack classification. Invokes actions against matched rules. The Snort IPS monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging to the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools that support Snort logs can be used for log collection and analysis.

Signature-based intrusion detection system (IDS) and intrusion prevention system (IPS)

Snort open-source IPS, capable of performing real-time traffic analysis and packet logging on IP networks, runs on the 4000 Series ISR service container without the need to deploy an additional device at the branch.

Snort rule set updates

Snort rule set updates for 4000 Series ISRs are generated by Cisco Talos, a group of leading-edge network security experts who work around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware, and vulnerabilities.

Source (SPAN) port

Source ports are monitored as traffic entering them is replicated (mirrored) to the destination ports.

11.4.4 Configure Cisco SPAN

The SPAN feature on Cisco switches sends a copy of each frame entering the source port out the destination port and toward the packet analyzer or IDS. A session number is used to identify a SPAN session. The examples show the monitor session command, which is used to associate a source port and a destination port with a SPAN session. A separate monitor session command is used for each session. A VLAN can be specified instead of a physical port. Switch(config)# monitor session number source [interface interface | vlan vlan] Switch(config)# monitor session number destination [interface interface | vlan vlan] In the figure below, PCA is connected to F0/1 and an IDS is connected to F0/2. The objective is to capture all the traffic that is sent or received by PCA on port F0/1 and send a copy of those frames to the IDS (or a packet analyzer) on port F0/2. The SPAN session on the switch will copy all the traffic that it sends and receives on source port F0/1 to the destination port F0/2. Cisco SPAN Configuration S1F0/1F0/2 PCAPacket AnalyzerIDS SensororSPAN port sending copies of traffic S1(config)# monitor session 1 source interface fastethernet 0/1 S1(config)# monitor session 1 destination interface fastethernet 0/2 The show monitor command is used to verify the SPAN session. The command displays the type of the session, the source ports for each traffic direction, and the destination port. In the example below, the session number is 1, the source port for both traffic directions is F0/1, and the destination port is F0/2. The ingress SPAN is disabled on the destination port, so only traffic that leaves the destination port is copied to that port. S1# show monitor Session 1 --------- Type : Local Session Source Ports : Both : Fa0/1 Destination Ports : Fa0/2 Encapsulation : Native Ingress : Disabled S1# Note: Remote SPAN (RSPAN) can be used when the packet analyzer or IDS is on a different switch than the traffic being monitored. RSPAN extends SPAN by enabling remote monitoring of multiple switches across the network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated (for that RSPAN session) in all participating switches.

Cisco Switched Port Analyzer 11.4.1 Network Monitoring Methods

The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth usage, and resource access. Together, these patterns identify normal network behavior. Security analysts must be intimately familiar with normal network behavior because abnormal network behavior typically indicates a problem. To determine normal network behavior, network monitoring must be implemented. Various tools are used to help discover normal network behavior including IDS, packet analyzers, SNMP, NetFlow, and others. Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices: Network taps, sometimes known as test access points (TAPs) Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring approaches

Snort rule set pull

The router will be able to download rule sets directly from cisco.com or snort.org to a local server, using one-time commands or periodic automated updates.

11.3.5 Snort Features

The table lists the features and benefits of Snort IPS. (On cards 37-41).

IPS Implementations 11.2.1 Types of IPS

There are two primary kinds of IPS available: host-based IPS and network-based IPS. Host-based IPS Host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious activity. A significant advantage of HIPS is that it can monitor and protect operating system and critical system processes that are specific to that host. With detailed knowledge of the operating system, HIPS can monitor abnormal activity and prevent the host from executing commands that do not match typical behavior. This suspicious or malicious behavior might include unauthorized registry updates, changes to the system directory, executing installation programs, and activities that cause buffer overflows. Network traffic can also be monitored to prevent the host from participating in a denial-of-service (DoS) attack or being part of an illicit FTP session. HIPS can be thought of as a combination of antivirus software, antimalware software, and a firewall. An example of a HIPS is Windows Defender. It provides a range of protection measures for Windows hosts. Combined with a network-based IPS, HIPS is an effective tool in providing additional protection for the host. A disadvantage of HIPS is that it operates only at a local level. It does not have a complete view of the network, or coordinated events that might be happening across the network. To be effective in a network, HIPS must be installed on every host and have support for every operating system. The table lists the advantages and disadvantages of HIPS. Advantages Provides protection specific to a host operating system Provides operating system and application level protection Protects the host after the message is decrypted Disadvantages Operating system dependent Must be installed on all hosts Network-based IPS A network-based IPS can be implemented using a dedicated or non-dedicated IPS device such as a router. Network-based IPS implementations are a critical component of intrusion prevention. Host-based IDS/IPS solutions must be integrated with a network-based IPS implementation to ensure a robust security architecture. Sensors detect malicious and unauthorized activity in real time and can take action when required. As shown in the figure, sensors are deployed at designated network points. This enables security managers to monitor network activity while it is occurring, regardless of the location of the attack target. Sample IPS Sensor Deployment Corporate NetworkSensorSensorSensorManagementServerWeb ServerDNS ServerUntrusted NetworkFirewall

Community Rule Set

This set offers limited coverage against threats, focusing on reactive response to security threats versus proactive research work. There is 30-day delayed access to updated signatures in the Community Rule Set, and this subscription does not entitle the customer to Cisco support.

Subscriber Rule Set

This set offers the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.

11.3.6 Snort System Requirements

To run the service container infrastructure with IDS/IPS functionality, Snort IPS requires an ISR 4000 (i.e., 4300 or higher) with a minimum of 8 GB of memory (DRAM) and 8 GB of flash. Note: The Cisco 4200 series ISR does not support the default Snort IPS implementation. A security K9 license (SEC) is required to activate Snort IPS functionality. Customers also need to purchase a yearly subscription for the signature package distributed on cisco.com. To keep current with the latest threat protection, Snort rule sets are term-based subscriptions, available for one or three years. There are two types of term-based subscriptions: (On cards 43-44). PulledPork is a rule management application that can be used to automatically download Snort rule updates. In order to use PulledPork, you must obtain an authorization code, called an oinkcode, from your snort.org account. The oinkcode is free with registration.

11. Which network monitoring capability is provided by using SPAN?

Traffic exiting and entering a switch is copied to a network monitoring device.

Ingress traffic

Traffic that enters the switch.

Egress traffic

Traffic that leaves the switch.

11.4.5 Syntax Checker - Configure and Verify SPAN

Use this Syntax Checker to configure and verify SPAN. Complete the following steps to configure SPAN on S1: Enter global configuration mode. Issue the SPAN command to monitor the traffic on source port fastethernet 0/1. Use 1 for the session number. Capture the session 1 monitored traffic on destination port fastethernet 0/2. Exit global configuration mode. S1# configure terminal Enter configuration commands, one per line. End with CNTL/Z. S1(config)#monitor session 1 source interface fastethernet 0/1 S1(config)#monitor session 1 destination interface fastethernet 0/2 S1(config)#exit *Mar 1 00:19:53.908: %SYS-5-CONFIG_I: Configured from console by console S1# Verify that SPAN has been configured to monitor source port F0/1 with captured traffic being sent to F0/2. S1#show monitor Session 1 --------- Type : Local Session Source Ports : Both : Fa0/1 Destination Ports : Fa0/2 Encapsulation : Native Ingress : Disabled S1# You have successfully configured and verified SPAN.

4. What is an example of a HIPS?

Windows Defender

Deployment Considerations

You can deploy both an IPS and an IDS. Using one of these technologies does not negate the use of the other. In fact, IDS and IPS technologies can complement each other. For example, an IDS can be implemented to validate IPS operation because the IDS can be configured for deeper packet inspection offline. This allows the IPS to focus on fewer but more critical traffic patterns inline. Deciding which implementation to use is based on the security goals of the organization as stated in their network security policy.

2. Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?

network trap

2. Where does the Snort engine run?

service container