Designing Solution with Cisco Intrusion Prevention Systems

Similar documents
Configuring Virtual Sensors

Cisco CISCO Data Center Networking Infrastructure Design Specialist. Practice Test. Version

Chapter 6: IPS. CCNA Security Workbook

Configuring the AIP SSM

Using the Startup Wizard

PrepKing. PrepKing

Cisco Intelligent Traffic Director Deployment Guide with Cisco ASA

IPS 5.X and later/idsm2 : Inline VLAN Pair Mode using CLI and IDM Configuration Example

Interfaces for Firepower Threat Defense

Load Balancing with McAfee Network Security Platform

Security and Virtualization in the Data Center. BRKSEC Cisco Systems, Inc. All rights reserved. Cisco Public

Configuring EtherChannels and Layer 2 Trunk Failover

Interfaces for Firepower Threat Defense

Deploying Intrusion Prevention Systems

Zone-Based Policy Firewall High Availability

Cisco IPS AIM Deployment, Benefits, and Capabilities

Virtual Switching System

Cisco IPS Actual Tests by.dd.152q

Cisco Virtual Office High-Scalability Design

Why can t I just do that with a switch? Joseph Magee Chief Security Officer Top Layer Networks

CIH

Chapter 5: Inter-VLAN Routing. Routing & Switching

Cisco IPS Actual Tests by.dd.160q

Configuring Event Action Rules

Configuring Secure (Router) Mode, Redundancy, Fault Tolerance, and HSRP

Layer 2 Implementation

Traffic Flow, Inspection, and Device Behavior During Upgrade

Configuring EtherChannels and Layer 2 Trunk Failover

Pass-Through Technology

Transparent or Routed Firewall Mode

Device Management Basics

Configuring SPAN and RSPAN

Configuring Virtual Port Channels

Massimiliano Sbaraglia

GUIDE. Optimal Network Designs with Cohesity

Configuring Flex Links

SINGLEstream Link Aggregation Tap (SS-100)

Chapter 5. Enterprise Data Center Design

Configuring EtherChannels and Link-State Tracking

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS

School Site Design. Large School Modular Switch Design CHAPTER

Configuring TAP Aggregation and MPLS Stripping

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Hypervisors networking: best practices for interconnecting with Cisco switches

Configuring Event Action Rules

Question No : 1 Which three options are basic design principles of the Cisco Nexus 7000 Series for data center virtualization? (Choose three.

EtherChannel and Redundant Interfaces

Cisco Intrusion Prevention Solutions

Configuring TAP Aggregation and MPLS Stripping

Configuring Private Hosts

Classic Device Management Basics

Politecnico di Torino Network architecture and management. Outline 11/01/2016. Marcello Maggiora, Antonio Lantieri, Marco Ricca

Implementing Data Center Services (Interoperability, Design and Deployment) BRKDCT , Cisco Systems, Inc. All rights reserved.

3. What could you use if you wanted to reduce unnecessary broadcast, multicast, and flooded unicast packets?

Configuring Tap Aggregation and MPLS Stripping

Service Graph Design with Cisco Application Centric Infrastructure

Configuring SPAN and RSPAN

Configuring Virtual Port Channels

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

Configuring SPAN. Understanding SPAN CHAPTER. This chapter describes how to configure Switched Port Analyzer (SPAN) and on the Catalyst 2960 switch.

Network Intrusion Detection Systems. Beyond packet filtering

Data Center Interconnection

Configuring Traffic Interception

SecBlade Firewall Cards Stateful Failover Configuration Examples

Numerics INDEX. 4GE bypass interface card configuration restrictions 5-9 described 5-8 illustration 5-8

RealCiscoLAB.com. Configure inter-vlan routing with HSRP to provide redundant, fault-tolerant routing to the internal network.

CISCO CATALYST 4500-X SERIES FIXED 10 GIGABIT ETHERNET AGGREGATION SWITCH DATA SHEET

ITdumpsFree. Get free valid exam dumps and pass your exam test with confidence

Configuring IEEE 802.3ad LACP EtherChannels on the Cisco MWR 2941

Configuring the Catena Solution

Configuring Interfaces

Managing Latency in IPS Networks

Configuring Port Channels

Configuring Interface Characteristics

Top-Down Network Design

Configuring SPAN and RSPAN

Configuring TCP State Bypass

Data Center Design IP Network Infrastructure

Introducing Campus Networks

Private Hosts (Using PACLs)

Configuring Interfaces

Configuring WCCPv2. Information About WCCPv2. Send document comments to CHAPTER

Device Management Basics

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Cisco Designing Cisco Data Center Unified Fabric (DCUFD) v5.0. Download Full Version :

Overview of the Cisco Service Control Value Added Services Feature

Configuring Port Channels

Check Point 4800 with Gigamon Inline Deployment Guide

ITDumpsKR. IT 인증시험한방에패스시키는최신버전시험대비덤프

Multiple Context Mode

Návrh serverových farem

Failover for High Availability

Configuring Anomaly Detection

Configuring QoS CHAPTER

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

Nexus 1000v Port-Channel Best Practices

Configuring EtherChannels

Sections Describing Standard Software Features

Configuring Interface Characteristics

VMware vshield App Design Guide TECHNICAL WHITE PAPER

Transcription:

Designing Solution with Cisco Intrusion Prevention Systems Petr Růžička, CSE CCIE #20166 1

Session Abstract IPS technology could be placed in many different places in the network and as such it has to be flexible enough to be positioned wherever we want and need. The session will cover possible deployment options of Cisco IPS, from the basic setups and concepts to very complex DC scenarios. We will cover typical solutions and also potential problems. We will not cover basics of security, Cisco IPS technology or terminology. We expect advanced knowledge of networking, design and security concepts. 2

Agenda Design Considerations IPS Virtualization HA EtherChannel VSS DC 3.0 Q & A 3

What is Intrusion Prevention? 1. IPS closely resembles a Layer 2 bridge or repeater 2. Identical to a wire is the closest analogy 3. Inline interfaces have no MAC or IP and cannot be detected directly 4. Network IPS passes all packets without directly participating in any communications including spanning tree (but spanning tree packets are passed) 5. Default Behavior is to pass all packets even if unknown, (ie IPX, Appletalk, etc) unless specifically denied by policy or detection 4

High Level Considerations 5

Planning Points for IPS General Location Decisions (perimeter, internal, zones of trust, etc) Similar considerations as used for IDS deployments Response actions used Specific Location Decisions (Between Router and Firewall, Between two switches, etc) - Different considerations than those used for IDS deployments Re-cabling and other physical requirements Inline Performance Requirements Control and Responsibility Issues for an inline device 6

Planning Points for IPS II IPS is IDS deployed into the packet stream. IPS vs IDS Pros Cons TCP/IP Traffic Normalization Inline Response Actions (Deny Packet) Packet Effects (latency, etc) Network Effects (bandwidth, connection rate, etc) There is little point in deploying inline if you don t take advantage of the situation 7

IPS Virtualization 8

IPS Virtualization 1. From version 6.0 IPS sensor has a ability to create virtual instances of sensors a.k.a. contexts 2. Physical sensor performance is divided between contexts 3. Up to 4 virtual sensors could be created on one physical hardware 4. For AIP-SSM ASA has to run 8.0 or higher software 9

IPS Virtualization Advantage 1. Each context could have it s own 1. Interfaces or VLAN Pairs 2. Signature definition 3. Event Action Rule Policy (filters and overrides) 4. Anomaly Detection Policy 5. Anomaly Detection Operation Mode 6. TCP Session Tracking Mode 2. Some of above points could be shared between contexts 10

Following Combinations Could be Attached to Context 1. Physical Interface 2. VLAN Groups 3. Inline Interface pairs 4. Inline VLAN pairs 11

Physical Interface 1. Single physical interface attached to sensor would be in promiscuous mode 2. You could attach more than one physical interface to the sensor Virtualized Context 1: Interface 1 Virtualized Context 2: Interface 3 Virtualized Context 3: Interface 2 and 4 12

VLAN Groups 1. VLAN Groups mode are like multiple interfaces on one physical interface 2. Group of VLANs are attached to subinterface created on physical interface 3. Up to 255 of subinterfaces (VLAN Groups) can be created Virtualized Context 1: Gi0/0 Subinterface 1: VLANs 50-65, 70 Virtualized Context 2: Gi0/0 Subinterface 2: VLANs 80,90,95 13

Inline Interfaces 1. Traffic flows from one physical interface to the other 2. On 4260 and 4270 we could take advantage of hardware bypass when supported ports are tight together Virtualized Context 1: Interface 1 < - > 2 Virtualized Context 2: Interface 3 < - > 4 14

Inline Interfaces Example trunk 172.16.1.2 Interface pairing Gi0/0 <-> Gi0/1 Interface pairing Gi0/0 <-> Gi0/1 trunk 172.16.1.1 VLAN 10,.10.1 VLAN 20,.20.1 VLAN 10 VLAN 20 VLAN 10 VLAN 20 192.168.10.10 192.168.20.10 192.168.10.10 192.168.20.10 15

Inline VLAN Pairs 1. Sensor would bridge between two VLANs 2. Up to 255 VLAN pairs could be bridged on one physical interface which acts as trunk port Virtualized Context 1: Gi0/0 Subinterface 1: VLAN Pair 50 < - > 51 Subinterface 2: VLAN Pair 60 < - > 61 16

VLAN Pairing Example 172.16.1.2 172.16.1.2 VLAN pairing 10 <-> 11 172.16.1.1 172.16.1.1 VLAN pairing 10 <-> 11 20 <-> 21 VLAN 10 trunk 192.168.10.1 192.168.20.1 192.168.10.1 192.168.20.1 trunk VLAN 10,20 VLAN 11 VLAN 11 VLAN 20 VLAN 11 VLAN 21 VLAN 11,21 192.168.10.10 192.168.20.10 192.168.10.10 192.168.20.10 17

What is the Normalizer in Cisco IPS? 1. There are easy evasions available to the determined attacker at both the IP and TCP layers 2. First version of Normalizer was designed to prevent the evasions discussed in Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Newsham and Ptacek and all other evasions that we could think of that were related to or inspired by the paper. 3. Two general categories: IP Normalizer (12xx sigs) TCP Normalizer (13xx sigs) 18

High Availability 19

High Availability for IPS is Important... 1. Deploying an IPS sensor into the traffic stream introduces a new device to possibly fail and prevent traffic from flowing (It will be the first thing blamed for any problems). 2. High Availability is defined as building into the network, the ability to cope with the loss of a component of that network to ensure that network functionality is preserved 20

HA Solution 1. Fail-open techniques: Hardware or software that functions to detect problems and pass packets through the device without inspection when required 2. Failover: One or more paths through the network to allow packets, in the event of a device failure, to either go through a backup IPS sensor or through a plain wire 3. Load Balancing: Using devices or software features to split a traffic load up across multiple devices. This can achieve both higher data rates and redundant paths in case of failure 21

Reliance on fail-open strategies leaves your network with no protection!!! 22

Inline (Software) Bypass 1. Ability to go around inspection engines 2. Three modes of operation, default is Auto Auto - if analysis engine fails, traffic continues to flow without interruption (but also without any inspection) through sensor Off On - if analysis engine is down, traffic stops flowing through sensor - traffic bypasses analysis engine and is not inspected 3. Useful for failover as well as for troubleshooting 23

Hardware Bypass 1. Both Cisco IPS 4260 and 4270 support HW bypass using 4-port GigabitEthernet cards 2. Bypass is supported only between 0 and 1 and between 2 and 3 IPS-4GE-BP-INT= 24

HW Bypass Check sensor# sh interfaces gigabitethernet0/0 MAC statistics from interface GigabitEthernet0/0 Interface function = Sensing interface Description = Media Type = TX Default Vlan = 0 Inline Mode = Paired with interface GigabitEthernet0/1 Pair Status = Down Hardware Bypass Capable = No Hardware Bypass Paired = N/A Link Status = Down Admin Enabled Status = Enabled 25

Way to Disable HW Bypass 1. Pair unsupported ports together to disable HW bypass ips4270(config)# service interface ips4270(config-int)# inline-interfaces Inside ips4270(config-int-inl)# interface1 GigabitEthernet3/0 ips4270(config-int-inl)# interface2 GigabitEthernet3/3 ips4270(config-int-inl)# exit ips4270(config-int)# exit Apply Changes?[yes]: yes Warning: Hardware bypass functionality is not available on inline-interface Inside because GigabitEthernet3/0 is only capable of hardwarebypass when paired with GigabitEthernet3/1 26

Fail-open and Failover Deployments IPS Appliance Sensor Solutions: 1. Standalone Sensor in Hardware Bypass Deployment 2. Redundant Deployment using Spanning Tree for Active/Passive Failover 3. Redundant Deployment using Spanning Tree for High Availability (along with plain wire) 27

Asymmetric Support for IPS 1. Cisco IPS does not support HA natively (yet) 2. There could be problems with asymmetric flows Check TCP Reassembly Modes Check Normalizer settings 28

Normalizer Mode 29

TCP Reassembly Mode Using IME Configuration -> Signature Definitions > All signatures > Advanced 30

How could you evade IPS sensor using TTL manipulation? 31

Attacker Victim How to Evade IPS (Without Normalizer) I d seq1 TTL=11 timed out f n o seq1 TTL=20 seq2 TTL=9 seq2 TTL=21 timed out f seq1 o z seq3 TTL=10 timed out seq2 o d seq3 TTL=20 seq4 TTL=10 timed out o seq3 d or f?; n or o?; z or o? 32

EtherChannel 33

EtherChannel Load Balancing Fault tolerant architecture that dynamically reconfigures the cluster on a HW or SW failure Scalable Performance Allows up to 8 sensors deployed inspecting the same data set Relies on EC algorithm to split flows amongst the different blades 8 8 34

EtherChannel Load Balancing 1. Can only maximize performance based on specific powers of 2: 2, 4 or 8 devices 2. Total Bandwidth (capacity of IPS) multiplied by (2, 4 or 8) is the max amount you can balance ( split ) 3. Performance will only be maximized with 2, 4 or 8 IPS devices 4. 3, 5, 6, 7 IPS will NOT improve performance only provides (additional) failover 35

ECLB Scenarios:Performance Design 8G Traffic 4G & 4G Total capacity 8G No failover! 2x4270 36

ECLB Scenarios: Redundant Design 8G Traffic 4G & 2G & 2G 3x4270 Total capacity 8 G If any one fails, traffic balances across remaining Each of the remaining gets rest 37

ECLB Scenarios: BAD Design 12G Traffic (3 IPSx4G) Traffic goes to 4 buckets 6G & 3G & 3G 2G gets lost 3x4270 38

VSS 39

VSS Service Module Integration IDSM2 Service Module High Availability IDSM2 does not support session failover mechanisms, however more than one active IDSM2 is supported in a Virtual Switching System. Traffic Load-balancing in VSS is similar to standalone containing multiple IDSMs in a single chassis, it is achieved using Etherchannel configuration* Switch-1 (VSS Active) Virtual Switch DomainSwitch-2 (VSS Standby) Control Plane Active VSL Control Plane Hot Standby Data Plane Active Data Plane Active IDSM Active IDSM Active 40

How could you evade sensor using RST/FIN plus sequence numbers manipulation? 41

How to Evade IPS (Without Normalizer) II 1. Establish TCP connection across IPS 2. Torn connection with FIN or RST packet but use wrong sequence numbers (SN) 3. If IPS doesn t check SN S/SA/A RST with wrong SN 42

DC 3.0 43

Physical Solution Topology Core Layer Catalyst 6500 Catalyst 6500 Aggregation Layer Nexus 7000 Nexus 7000 ACE Module ASA 5580 ASA 5580 ACE Module WAAS ACE WAF Services Layer IDS/IPS IDS/IPS Access Layer Catalyst 6500s Catalyst 4900s Catalyst 6500s VSS Nexus 5000s Catalyst 3100 VBS 44

N7k1-VDC1 Security Service Flow Client-to-Server ASA1 1 VLAN 161 SVI-161 10.8.162.3 hsrp.1 Interface VLAN 190 IP: 10.8.190.2 Input Service Policy: L4_LB_VIP_HTTP_POLICY VIP:10.8.162.200 2 SVI-151 10.8.152.3 WAF Cluster IPS1 vs0 IPS2 vs0 WAF Devices IP: 10.8.190.210 IP: 10.8.190.211 4 VLAN 190 5 6 VLANs 163,164 Po2 VLAN 163 ACE SS1 3 VLAN 162 7 N7k1-VDC2 hsrp.7 vrf1 vrf2 10.8.162.5 10.8.152.5 Server VLANs 8 Bridged VLANs Interface VLAN 162 IP: 10.8.190.2 Input Service Policy: AGGREGATE_SLB_POLICY VIP:10.8.162.200 45

Global Correlation 46

Cisco IPS Global Correlation Network IPS to Global IPS Coverage Twice the effectiveness of traditional IPS Accuracy Reputation analysis decreases false positives Timeliness 100x faster than traditional signature-only methods IPS Reputation Filtering powered by Global Correlation 47

Agenda Design Consideration IPS Virtualization HA Etherchannel VSS DC 3.0 Q & A 48

49

Interesting Links Security Inteligence Operations http://www.cisco.com/security/ Cisco SAFE Reference Guide http://www.cisco.com/en/us/docs/solutions/enterprise/security/safe_rg/safe_rg.html Enterprise Campus 3.0 Architecture: Overview and Framework http://www.cisco.com/en/us/docs/solutions/enterprise/campus/campover.html#wp709388 Design Zone http://www.cisco.com/go/designzone Insertion, Evasion, and Denial of Service: Eluding Nework Intrusion Detection http://insecure.org/stf/secnet_ids/secnet_ids.pdf 50

Registrujte se za Cisco Networkers 25-28. januar 2010. Barselona 28-31. mart 2010. Bahrein 51

52

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback