Cisco IOS Inline Intrusion Prevention System (IPS)


This data sheet provides an overview of the Cisco IOS Intrusion Prevention System (IPS) solution.

Product Overview

In today's business environment, network intruders and attackers can come from outside or inside the network. They can launch distributed denial-of-service attacks, they can attack Internet connections, and they can exploit network and host vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a matter of minutes. There is often no time to wait for human intervention: the network itself must possess the intelligence to recognize and mitigate these attacks, threats, exploits, worms and viruses.

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, distributing the network-level defense to stop malicious traffic close to its entry point at branch or telecommuter offices is also critical.

Cisco IOS IPS: Major Use Cases and Key Benefits

IOS IPS helps to protect your network in 5 ways:

Key Benefits

- Provides network-wide, distributed protection from many attacks, exploits, worms and viruses exploiting vulnerabilities in operating systems and applications
- Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks

2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 6

- Unique, risk-rating-based signature event action processor dramatically improves the ease of management of IPS policies
- Offers a field-customizable worm and attack signature set and event actions
- Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions
- Works with Cisco IOS Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router
- Supports more than 3700 signatures from the same signature database available for Cisco Intrusion Prevention System (IPS) appliances

Table 1. Cisco IOS IPS in the Latest IOS Releases Offers the Following Capabilities

| Feature | Advantage/Benefit |
| --- | --- |
| Capability to download IOS IPS signature packages to the router directly from CCO. Available in 15.1(1)T or later IOS T-Train releases. | Easier to use and deploy the feature, eliminating the need (step) to manually download signature updates to a local server first and then to the router. Routers that have a connection to the Internet can download signature updates automatically in a periodic fashion without human intervention. |
| New Default IOS IPS Category signatures (including some lightweight signatures) are updated frequently by the Cisco Signature Team, starting with the IOS 15.0(1)M release. | More comprehensive and effective attack coverage by default. Much quicker inclusion of the most relevant new threat signatures within the default set (category). |
| Lightweight Signature Engines for HTTP, SMTP and FTP protocol signatures and Regular Expression Table chaining, also available in the 15.0(1)M release. | Memory-efficient traffic scanning for attack signatures, consuming less memory on the router. Capability to provide protection for a larger number of common threats and vulnerabilities. |
| VRF Awareness (Virtual IPS). Available in 12.4(20)T or later IOS T-Train releases. | Allows enterprises to apply IPS on only certain virtual network segments (VRFs) and/or with different inspection rules on each VRF, and distinguish among the IPS alarms/events generated within each virtual segment via VRF ID. |
| Supports signatures for vulnerabilities in Microsoft SMB and MSRPC protocols as well as signatures provided by vendors under NDA. Available in 12.4(15)T5 or later IOS T-Train releases. | Efficient protection against many new Microsoft and other vulnerabilities, some even before their public release. |
| Risk Rating value in IPS alarms based on signature severity, fidelity, and target value rating. Available in 12.4(15)T5 or later IOS T-Train releases. | Allows more accurate and efficient IPS event monitoring by filtering or separating events with low/high Risk Rating. |
| Supports Signature Event Action Processor (SEAP). Available in 12.4(15)T5 or later IOS T-Train releases. | Quick and automated adjustment of signature event actions based on the calculated Risk Rating of the event. |
| Automated signature updates from a local TFTP or HTTP(S) server. Available in 12.4(15)T5 or later IOS T-Train releases. | Protection from the latest threats with minimal user intervention. |
| IDCONF (XML) signature provisioning mechanism. Available in 12.4(15)T5 or later IOS T-Train releases. | Offers secure provisioning through Cisco Security Manager 3.1 and Cisco Router and Security Device Manager (SDM) 2.4 over HTTPS. |
| Individual and category-based signature provisioning through the Cisco IOS CLI. Available in 12.4(15)T5 or later IOS T-Train releases. | Offers granular customization and tuning of signatures through custom scripts. |
| Same signature format and database as the latest Cisco IPS appliances and modules. Available in 12.4(15)T5 or later IOS T-Train releases. | Offers common deployment and attack signature definitions between Cisco IPS appliances/modules and Cisco IOS IPS. |

Platform Support

Cisco IOS IPS is available in certain software feature sets on the 87x routers, Integrated Services Routers, SR520, 720x and 7301 routers listed in Table 2. Starting with the IOS 15.0(1)M release, the IOS IPS feature is also supported on the 88x and 89x routers and next-generation Integrated Services Routers with an optional license that, when installed, enables use of that and other features, as shown in Table 3.

Table 2. IPS Feature Availability Based on IOS Image Types

| Product Family | Platforms Supported | IOS Images (Feature Sets) Supported |
| --- | --- | --- |
| 800 | 871, 876, 877, 878 | Advanced IP Services |
| 1800 | 1801, 1802, 1803, 1811, 1812, 1841, 1861 | Advanced Security, Advanced Enterprise, and Advanced IP Services |
| 2800 | 2801, 2811, 2821, 2851 | Advanced Security, Advanced Enterprise, and Advanced IP Services |
| 3800 | 3825, 3845 | Advanced Security, Advanced Enterprise, and Advanced IP Services |
| SR520 | SR520 | Advanced Security and Advanced IP Services |
| 7200 | 7204VXR, 7206VXR | Advanced Security, Advanced Enterprise, and Advanced IP Services |
| 7301 | 7301 | Advanced Security, Advanced Enterprise, and Advanced IP Services |

Table 3. IPS Feature Availability Based on Optional Feature Licenses

| Product Family | Platforms Supported | Feature License Supported |
| --- | --- | --- |
| 800 | 881, 886, 887, 888, 891, 892 | Advanced IP Services |
| 1900 | 1921, 1941 | Security |
| 2900 | 2901, 2911, 2921, 2951 | Security |
| 3900 | 3925, 3945 | Security |

Basic, Advanced and Default Signature Categories for IOS IPS

In Cisco IOS Software Release 12.4(11)T and later T-Train releases, IOS IPS signature provisioning is accomplished by selecting one of two signature categories: Basic or Advanced. Starting with the IOS 15.0(1)M release, a new category called IOS IPS Default will also be supported and released within IPS signature packages. At that time, the IOS Advanced category will be changed to contain exactly the same signatures as the IOS Default category, allowing both category names to be used interchangeably for backward compatibility. Users may also add or remove individual signatures and/or tune signature parameters via Cisco Configuration Professional (CCP) or Cisco Security Manager (CSM) management, or through the command-line interface (CLI), which allows easy scripting to manage signature configuration for a large number of routers.

The IOS Basic and Advanced/Default signature categories are pre-selected signature sets intended to serve as a good starting set for most users of IOS IPS. They contain the latest high-fidelity (low false positive) worm, virus, IM, or peer-to-peer blocking signatures for detecting security threats, allowing easier deployment and signature management. Cisco IOS IPS also allows selection and tuning of signatures outside those two categories.

Signature categories are an integral part of the Cisco signature update packages posted at http://tools.cisco.com/support/downloads/go/model.x?mdfid=281442967&mdflevel=software%20family&treename=Security&modelName=Cisco%20IOS%20Intrusion%20Prevention%20System%20Feature%20Software&treeMdfId=268438162. Users can also reach this link from the Cisco Software Download page by clicking on "Security", followed by the "Integrated Router/Switch Security" link, followed by the "Integrated Threat Control" link, and finally clicking on the "Cisco IOS Intrusion Prevention System Feature Software" link. Those signature update packages are cumulative of all previous Cisco IPS signature updates and can be downloaded to the router from a local PC or server using the router CLI, Cisco Configuration Professional (CCP) or Cisco Security Manager (CSM).

Use of Cisco IOS IPS in IOS Mainline and T-Train releases prior to 12.4(11)T is not recommended. No signature updates are provided in the signature format used by the IOS IPS feature in those releases. Also, support for the IOS IPS feature in those older releases is very limited.

Cisco Services for IPS

Entitlement to download and use signature update packages for the Cisco IOS IPS feature requires purchase of the appropriate Cisco Services for IPS contract, which includes Cisco SMARTnet support deliverables in a single comprehensive service offering. Supported by the Cisco Global Security Intelligence organization,

Cisco Services for IPS delivers continuously updated, comprehensive, and accurate detection technology to identify and block fast-moving and emerging threats before they damage your network assets. Starting with the IOS 15.0(1)M1 release, a valid IOS IPS Signature Subscription license is required to be installed on 88x, 89x, 19xx, 29xx and 39xx routers to be able to load signature packages released after a certain date (to be announced). To obtain and install this license, the customer needs to purchase the Cisco Services for IPS contract SKU relevant to the router model as well as the type and level of the associated SMARTnet deliverables desired. For more information about Cisco Services for IPS, visit http://www.cisco.com/go/services/ips

Signature Micro-Engines

Cisco IOS IPS uses Signature Micro-Engines (SMEs) to load (into the router's memory) and scan for a set of attack signatures. Each engine is customized for inspecting a Layer 4 or Layer 7 protocol and its fields/arguments. Within each packet carrying data for that protocol, it looks for a set of legal parameters that have allowable ranges or sets of values. It also scans for malicious activity specific to that protocol, using a parallel signature scanning technique to scan for multiple patterns within an SME at any given time.

Attack Mitigation

Cisco IOS IPS can protect your network against more than 3700 attacks, exploits, worms and viruses. Some examples of attacks that can be detected and stopped by Cisco IOS IPS include many Microsoft Windows OS and application vulnerability exploits, viruses and worms.

Actions for Detected Signatures

Each individual signature or category of signatures selected to scan traffic for matching attacks can be configured to take any combination of the following 5 actions when triggered:

1. Send an alarm via a syslog message or log an alarm in SDEE (Secure Device Event Exchange) format
2. Drop the malicious packet
3. Send TCP-Reset packets to both ends of the connection to terminate the session
4. Deny all packets from the attacker (source address) temporarily
5. Deny further packets belonging to the same TCP session (connection) from the attacker (source address)

Configuration and Signature Provisioning

The router CLI or Cisco Configuration Professional (CCP) version 1.1 or later can be used for configuration of IOS IPS as well as highly granular provisioning and tuning of IPS signatures on a single router running Cisco IOS 12.4(11)T2 or later releases. In addition, Cisco Security Manager (CSM) version 3.2 or later may be used for management of IPS policies and signature sets on multiple routers running Cisco IOS 12.4(11)T2 or later releases. Use of IOS IPS in IOS releases prior to 12.4(11)T or in IOS Mainline releases is NOT recommended.

Event Monitoring

Upon detecting an attack signature, Cisco IOS IPS can send a syslog message or log an alarm in Secure Device Event Exchange (SDEE) format. CCP may be used to monitor events generated by a single router, and Cisco IPS Manager Express (IME) may be used to monitor IPS events generated by up to 5 routers. For monitoring events from more than 5 routers, Cisco highly recommends the Cisco Security Monitoring, Analysis, and Response System (MARS) appliance for network-wide monitoring and correlation of IPS alarms, although any compatible monitoring application or device supporting syslog and/or SDEE may be used.
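The data sheet says the CLI "allows easy scripting to manage signature configuration for a large number of routers" and lists the five event actions a signature can take. The following Python script is an added example, not Cisco's code: it renders a per-router IOS IPS policy (category selection plus per-signature event-action tuning, SDEE and syslog notification, and interface binding in both directions) as CLI text, validating the action names before anything is generated. The command syntax (ip ips ..., ip ips signature-category, ip ips signature-definition and the event-action keywords) is assumed from the IOS IPS 5.x-format CLI rather than taken from this page, and the hostnames, interfaces and signature numbers are constructed sample values.

```python
"""Render Cisco IOS IPS policy CLI for a fleet of branch routers.

Added example (not Cisco's code).  The command syntax below is assumed
from the IOS IPS 5.x-format CLI ("ip ips ...", "ip ips signature-category",
"ip ips signature-definition"); the data sheet itself lists no commands.
Hostnames, interfaces and signature numbers are constructed sample values.
"""
from dataclasses import dataclass

# The five event actions the data sheet lists, mapped to the keywords
# assumed for the "engine" sub-mode of "ip ips signature-definition".
EVENT_ACTIONS = {
    "alarm": "produce-alert",                     # 1. syslog/SDEE alarm
    "drop": "deny-packet-inline",                 # 2. drop the packet
    "reset": "reset-tcp-connection",              # 3. TCP reset to both ends
    "deny_attacker": "deny-attacker-inline",      # 4. block the source temporarily
    "deny_connection": "deny-connection-inline",  # 5. block the rest of the session
}

VALID_CATEGORIES = ("basic", "advanced")  # "advanced" == "default" from 15.0(1)M


@dataclass(frozen=True)
class SigTuning:
    """Per-signature override applied on top of the selected category."""
    sig_id: int
    subsig_id: int
    actions: tuple          # keys of EVENT_ACTIONS
    enabled: bool = True


@dataclass(frozen=True)
class RouterPolicy:
    hostname: str
    category: str           # "basic" or "advanced"
    interfaces: tuple       # inspected in both directions
    tunings: tuple = ()
    config_location: str = "flash:ips"
    rule_name: str = "IOSIPS"


def render_policy(p: RouterPolicy) -> str:
    """Return the CLI for one router.  Unknown categories or event actions
    raise ValueError so a typo is caught offline, never on the router."""
    if p.category not in VALID_CATEGORIES:
        raise ValueError(f"{p.hostname}: unknown category {p.category!r}")
    for t in p.tunings:
        unknown = set(t.actions) - set(EVENT_ACTIONS)
        if unknown:
            raise ValueError(f"{p.hostname}: unknown event action(s) {sorted(unknown)}")

    lines = [
        f"! IOS IPS policy for {p.hostname}",
        f"ip ips config location {p.config_location} retries 1",
        "ip ips notify sdee",        # SDEE alarms for IME / MARS
        "ip ips notify log",         # syslog alarms
        f"ip ips name {p.rule_name}",
        "ip ips signature-category",
        " category all",
        "  retired true",            # retire everything first ...
        f" category ios_ips {p.category}",
        "  retired false",           # ... then un-retire the chosen category
    ]
    if p.tunings:
        lines.append("ip ips signature-definition")
        for t in p.tunings:
            lines += [
                f" signature {t.sig_id} {t.subsig_id}",
                "  status",
                f"   enabled {'true' if t.enabled else 'false'}",
                "   retired false",
                "  engine",
            ]
            lines += [f"   event-action {EVENT_ACTIONS[a]}" for a in t.actions]
    for ifname in p.interfaces:
        lines += [f"interface {ifname}",
                  f" ip ips {p.rule_name} in",
                  f" ip ips {p.rule_name} out"]
    return "\n".join(lines) + "\n"


def render_fleet(policies) -> dict:
    """hostname -> CLI text, so a push tool can address each router separately."""
    return {p.hostname: render_policy(p) for p in policies}


if __name__ == "__main__":
    fleet = [
        RouterPolicy("br-rtr1", "basic", ("FastEthernet0/0",)),
        RouterPolicy("br-rtr2", "advanced", ("GigabitEthernet0/0", "GigabitEthernet0/1"),
                     tunings=(SigTuning(5081, 0, ("alarm", "drop", "deny_attacker")),)),
    ]
    for host, cli in render_fleet(fleet).items():
        print(f"! ===== {host} =====")
        print(cli)
```

Retiring "all" before un-retiring one category keeps the loaded signature set (and the router memory it consumes) to exactly the chosen category plus the explicit tunings; the rendered text is meant to be pushed with CSM or any configuration tool, not pasted by hand on each router.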
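The Event Monitoring section above says alarms arrive as syslog messages or SDEE records, and Table 1 says the Risk Rating in each alarm lets an operator separate low-risk from high-risk events and that VRF IDs distinguish events from different virtual segments. The following Python script is an added example, not Cisco's code: it parses constructed syslog lines in the general shape of the %IPS-4-SIGNATURE alarm, splits them by Risk Rating and groups them per (VRF, source address). The exact field order of the real message is assumed rather than taken from this page, and the hostnames, addresses and signature numbers are sample values.

```python
"""Triage Cisco IOS IPS syslog alarms by Risk Rating and attacker.

Added example (not Cisco's code).  SAMPLE_SYSLOG is constructed in the
general shape of the %IPS-4-SIGNATURE syslog alarm; the exact field order
of the real message is assumed, not taken from the data sheet.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: four IPS alarms from two branch routers plus one
# unrelated syslog line that the parser must skip.
SAMPLE_SYSLOG = """\
Feb 10 10:01:02 br-rtr1 123: *Feb 10 10:01:01.511: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [198.51.100.7:0 -> 192.0.2.10:0] VRF:NONE RiskRating:25
Feb 10 10:01:05 br-rtr1 124: *Feb 10 10:01:04.220: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [198.51.100.7:41022 -> 192.0.2.20:80] VRF:CUST_A RiskRating:85
Feb 10 10:01:09 br-rtr2 77: *Feb 10 10:01:08.004: %IPS-4-SIGNATURE: Sig:3050 Subsig:0 Sev:75 Half-open SYN Attack [203.0.113.9:1025 -> 192.0.2.20:443] VRF:CUST_A RiskRating:62
Feb 10 10:01:12 br-rtr2 78: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Feb 10 10:01:15 br-rtr1 125: *Feb 10 10:01:14.900: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [198.51.100.7:41023 -> 192.0.2.21:80] VRF:CUST_A RiskRating:85
"""

# Assumed alarm layout: "Sig:N Subsig:N Sev:N <name> [src:port -> dst:port] VRF:X RiskRating:N"
IPS_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+).*?%IPS-4-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[^\s:\]]+):(?P<sport>\d+) -> (?P<dst>[^\s:\]]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))?(?: RiskRating:(?P<rr>\d+))?"
)


@dataclass(frozen=True)
class IpsEvent:
    host: str
    sig: int
    subsig: int
    severity: int
    name: str
    src: str
    dst: str
    dport: int
    vrf: str
    risk_rating: int


def parse_ips_events(text: str) -> list:
    """Return an IpsEvent for every IPS alarm; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IPS_RE.search(line)
        if not m:
            continue  # not an IPS alarm, or malformed
        events.append(IpsEvent(
            host=m["host"], sig=int(m["sig"]), subsig=int(m["subsig"]),
            severity=int(m["sev"]), name=m["name"].strip(),
            src=m["src"], dst=m["dst"], dport=int(m["dport"]),
            vrf=m["vrf"] or "NONE",
            risk_rating=int(m["rr"]) if m["rr"] else 0,  # releases before 12.4(15)T5 carry no RR
        ))
    return events


def split_by_risk(events, threshold: int = 50):
    """Separate alarms with RR >= threshold from the low-risk remainder."""
    high = [e for e in events if e.risk_rating >= threshold]
    low = [e for e in events if e.risk_rating < threshold]
    return high, low


def attacker_counts(events) -> Counter:
    """Alarms per (VRF, source): VRF-aware so the same private address
    seen in two customer VRFs is not merged into one attacker."""
    return Counter((e.vrf, e.src) for e in events)


def top_attacker(events):
    counts = attacker_counts(events)
    return counts.most_common(1)[0] if counts else None


if __name__ == "__main__":
    evts = parse_ips_events(SAMPLE_SYSLOG)
    high, low = split_by_risk(evts)
    print(f"{len(evts)} IPS alarms: {len(high)} high-risk, {len(low)} low-risk")
    for e in high:
        print(f"  {e.host} VRF={e.vrf} RR={e.risk_rating} sig {e.sig}/{e.subsig} {e.name}: {e.src} -> {e.dst}:{e.dport}")
    print("top attacker (vrf, src), count:", top_attacker(evts))
```

The threshold of 50 is a constructed starting point; the useful part is that the split is done on the router-calculated Risk Rating rather than on raw severity, which is what lets the same script feed a low-risk stream to a log archive and a high-risk stream to an analyst or MARS-style correlation.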

For More Information

For more information about Cisco IOS IPS, visit http://www.cisco.com/go/iosips or contact your local Cisco account representative.

Printed in USA C78-381294-06 02/10