topic Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS in Network Security

ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

ciscomoderator — Sun, 10 Mar 2019 12:07:33 GMT

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on Intrusion Prevention System with Scott Fringer. Scott Fringer is a Technical Assistance Center engineer on the intrusion detection system team in Research Triangle Park, North Carolina. His team supports Cisco's various intrusion detection/prevention sensors, the Cisco IOS IPS feature set, Cisco Security MARS, Cisco Security Manager, Cisco Security Agent, and the Cisco Anomaly Detector/Guard products. Fringer has represented the Technical Assistance Center at previous Networkers conferences and currently holds CCSP certification.

Remember to use the rating system to let Scott know if you have received an adequate response.

Scott might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 24, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

j.miller_32 — Mon, 13 Sep 2010 16:30:41 GMT

My IPS sensor is configured for automatically updating its signatures. Recently the updates stopped occurring, after working successfully. How can I correct this?

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

ROBERTO TACCON — Mon, 13 Sep 2010 16:31:49 GMT

Hello Scott,

may I ask you:

1) if the IPS appliances (as other IPS solutions MCAFEE / TIPPING POINT/ ISS )...can drop and/or block the intruders IP without using "external cisco features products" (VLAN maps / ACLs/ shun /...) ?

2) when does tha IPS module for the ASA5505 will support the version 7.x ?

3) when does the IOS IPS will support the IPv6 IPS feature ?

Thanks in advance

Roberto

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Mon, 13 Sep 2010 17:05:24 GMT

Roberto;

To answer your questions:

1) Yes, Cisco's IPS appliances (and modules) can perform traffic denial actions directly on the sensor when configured for inline operation. These actions can deny a single packet, just the attacker, the attacker/victim pair, or the connection.

2) Current plans are in place for the AIP-SSC-5 to be supported in the 7.0(5) release of IPS software.

3) I am not currently aware of a time-frame to bring IPv6 support to the IOS IPS feature set.

Thanks,

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Mon, 13 Sep 2010 17:25:14 GMT

Hello;

There are multiple causes for automatic IPS signature updates to stop functioning. Two quick CLI commands can help narrow the troubleshooting process. From the CLI of your sensor, issue the following command:

show version

This command will allow you to check that the IPS sensor has a valid IPS services license. Specifically, you will note output similar to the following:


Cisco Intrusion Prevention System, Version 7.0(2)E3
Host:                                                         
    Realm Keys          key1.0                                
Signature Definition:                                         
    Signature Update    S478.0                   2010-05-20   
OS Version:             2.4.30-IDS-smp-bigphys                
Platform:               IPS-4240-K9                           
Serial Number:          JMX00000NS                           
Licensed, expired:      24-May-2010 UTC

If the license is expired (red text), you will need to work with your Cisco account team or partner to renew the IPS signature support for the IPS sensor. This will allow you to receive a new license key, which should restore signature update functionality.

One other culprit that can be verified from this output is that you are running the most recent analysis engine software for the IPS sensor (green text). Cisco's signature development team writes signatures to the current version of analysis engine. These signatures will not be compatible with older analysis engine releases. If you are not at the most recent analysis engine release, you can upgrade the IPS software to correct this issue.

If the license is not expired and you are running the current analysis engine release, the next command will help determine if there is a credential issue or potential connectivity issue:

show statistics host

At the very end of the output of this command is a section titled,"Auto Update Statistics", you will be able to see the results of the most recent automatic signature update attempt. This output may clearly indicate the credentials are invalid, there was a communication issue or there was not currently an update available (confusingly the output is "Success: No installable auto update package found on server"). Corrective action will need to be tailored to this output.

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

mikecrowe4ICS_2 — Tue, 14 Sep 2010 00:48:55 GMT

Cisco just recently added AAA authentication support for the IPS. While this is a good start, it's limited to the CLI and IDM, and only supports RADIUS.

Is there any plan to add TACACS+ support in the future?
Is there any plan to add support for AAA authentication (even RADIUS) for IME?

Thanks for all your help here on the forums, Scott!

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

MaseBarnes — Tue, 14 Sep 2010 11:50:56 GMT

Why aren't there any plans to support the CSC AND the IPS module for ASA?

I need a complete UTM solution, comparably to Astaro, Watchguard and so on ...

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Tue, 14 Sep 2010 12:20:25 GMT

I cannot provide insight into the decisions made from a product

development standpoint. My role is that of product support.

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

hariprasad_n — Tue, 14 Sep 2010 17:54:28 GMT

Hello Scott,

Thanks for doing this. My question is related to Global Correlation feature in IPS ver 7.x.

1. Is there a way to tell how many packets/sessions were actually dropped by this feature in say for example last 24 hrs?

2. Identify the related events generated so I can for example find out which internal machine tried to contact a botnet internet IP?

3. Any other reporting function which would actually indicate global correlation is playing a role in dropping malicious traffic?

The only place I see global correlation info is in the actual event generated but I am looking to see if there is a more generic reporting feature.

thanks,

-Hari

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Tue, 14 Sep 2010 18:48:55 GMT

Hari;

Global correlation brings two methods for responding to potential malicious activity:

global correlation inspection
reputation filtering

When GC inspection is utilized, the IPS sensor will adjust the risk rating of a firing signature event based on the reputation score of the attacker IP address. When this action is taken, the details are included in the signature event details. So, you should be able to discern from the signature event both the GC inspection changes and actions taken by the sensor. This will be reported on a per-signature event basis.

When reputation filtering is utilized, there is no corresponding signature event fired when an attacker is denied; the sensor simply

denies the traffic. You can track the outcome of this activity from the sensor CLI by issuing:

show statistics analysis-engine

The last section of the analysis engine statistics covers global correlation activity. It is titled,"GlobalCorrelationStats" and will provide event counts and hosts that were determined as potentially malicious.

Within the IPS Device Manager GUI (IDM) you can add a gadget to the dashboard which provides a graph/table of the percentage of packets denied due to global correlation. It will present a segment for "Traditional IPS Detection", "Global Correlation Inspection" and "Reputation Filtering".

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Tue, 14 Sep 2010 19:05:35 GMT

Michael;

Apologies, it appears my earlier reply via email did not post as expected.

At this time, I do no have any insight into the planning for implementation of either feature you mention.

Thanks,

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

bibhuthi79 — Tue, 14 Sep 2010 21:07:41 GMT

Hi Sir,

I have a 3750 series switch. WS-C3750-48TS-E

Wanted to know, does it support routing. Could you please explain the way we can differntiate the different 3750 series switches to support routing.

Could you please provide me the URL to know much about 3750 series switches.

Thanks,

Bibhuthi

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Tue, 14 Sep 2010 21:20:22 GMT

Bibhuthi;

Unfortunately, the Catalyst 3750 is not my area of expertise. You can find out all about the Catalyst 3750 series switches at the following link:

http://www.cisco.com/go/3750

From the initial details on that page, it does appear the Catalyst 3750 supports various IP routing options.

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

jzarifyar — Wed, 15 Sep 2010 23:59:07 GMT

I need Ip cache flow source and destination. What command would get an output like this on a switch or router: Source. Destination. Packets. Bytes 10..x.x.x 10..x.x.x 2 76 Thank you in advance Jay

Posted from my mobile device.

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Partner.bkme — Thu, 16 Sep 2010 10:02:57 GMT

Hi Scott,

Our team is looking at mitigating the risk pertaining to the TLS cipher renegotiation (http://isc.sans.org/diary.html?storyid=7534 ) through a Cisco IPS (7.0(2) E4 on 4240/4275). Would it be possible for you to shed some light on this subject, is there any signature in particular that would do this job.

We are looking at mitigating this risk on any inbound traffic from the internet to our environment.

Thank You

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Thu, 16 Sep 2010 10:40:50 GMT

Jay;

This is not a topic related to Cisco's IPS devices (my area of focus), and is not a question for which I can provide an answer.

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Thu, 16 Sep 2010 11:38:44 GMT

Ali;

There is not a specific signature for Cisco's IPS sensors to detect an exploit of this vulnerability. Cisco's IntelliShield site (http://www.cisco.com/security) does have a security alert regarding this vulnerability:

http://tools.cisco.com/security/center/viewAlert.x?alertId=19361

To determine if a custom signature could be created would require capturing network traffic of the vulnerability being exploited and reviewing the captures to determine if there is any indentifiable/recurrent patterns.

At this time, the best mitigation looks to be implementing the available patches from each vendor.

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

lchance — Thu, 16 Sep 2010 14:30:59 GMT

Hello Scott,

I’m new to IPS and have a question (it may be dumb, so forgive me).

Is there any way to tie together multiple signatures as a type of compilation event? That is, when I see two separate signatures fire, 5606/0 and 16297/1, which turns out to be when an internal user gets prompted to log in at a DMZ system which is not part of the Windows Domain. I hope that makes sense enough to warrant an answer.

When I get some training under my belt I'll be dangerous...

Thanks for helping!

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

Scott Fringer — Thu, 16 Sep 2010 14:55:48 GMT

LC;

Not a dumb question at all; and they all warrant an answer.

It is certainly possible to create a signature event based on the occurrence of two separate signatures firing in a specific order. To accomplish this, you will need to make use of the meta signature engine. This engine can combine multiple signatures (meta-components) into a single event when the component signatures fire. You can find out more about the meta engine here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html#wp1014660

So, you can create a new custom signature that is based on the meta engine. Within the signature definition you would add signatures 5606/0 and 16297/1 as components. You would then set various requirements such as component ordering, component count, etc to tune the meta signature to fire based on your requirements.

Good luck with your training and learning - and feel free to come back to the Cisco Support Community with any other questions you may have.

Scott

Re: ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

trippi — Fri, 17 Sep 2010 20:53:30 GMT

I want to filter the src IP address on a signature.

Is there a way to say 'not equal to a value'? such as !10.10.0.0/16.

Thanks