how ips works

nataraj_v
Level 1

Dear All,

How does IPS prevent intrusion? Is it inline? If it is in promiscuous mode, how can it prevent? In promiscuous mode, IDS can do shun/block using a firewall or router. If IPS is also doing the same, why this hype? How does its working differ from IDS?

Can anybody clarify this for me please?

thanks in advance

nataraj

6 Replies

marcabal
Cisco Employee

Most users refer to "intrusion detection" as promiscuous monitoring, and refer to "intrusion prevention" as inline monitoring.

With version 4.1 the sensors were only capable of promiscuous monitoring and so used a product name of "Cisco Intrusion Detection System".

With the release of version 5.0 we added in the capability to do inline monitoring.

To increase marketing on that new feature the product name was changed to "Cisco Intrusion Prevention System".

Where the confusion lies is that the "Cisco Intrusion Prevention Sensor" can act like either an "intrusion detection" sensor in promiscuous mode, or an "intrusion prevention" sensor in inline mode.

When operated in promiscuous mode it is not capable of preventing the attack. As you said it is only capable of shunning/blocking and tcp resets.

BUT when operated in inline mode it is capable of preventing the intrusion by dropping the packets.

To change from promiscuous to inline mode requires a change in your deployment. Instead of using span or another method to copy the packets to the sensor, you have to put the sensor into the packet path. The actual packets and not copies have to pass through the inline sensor.

An inline deployment is best compared to a transparent firewall or even a 2 port bridge. The sensor will bridge the 2 networks. Any attacks going across that bridge will be detected and can be dropped.

Be aware that the sensor does not act like a layer 3 router. It does not route between 2 IP networks. Instead the same IP subnet addressing is used on both sides of the sensor.

I didn't see Marcoa's response before I put my more generic one up. I was actually cleaning it up and checking grammar/spelling when he posted his reply...

IMHO, his reply is much more specific and simple.

Feel free to completely disregard my lofty soapboxing that occurs below... =)

Alex Arndt

I have a few NIDS 4235s; I want to upgrade them to IPS. I got to know that we can upgrade the NIDS 4235 without using the 4FE card also. But when we upgrade the NIDS 4235 to IPS without using the 4FE card, how can it act as inline intrusion prevention? I mean, it has only 2 ports (one for sensing and another for control). How can we put this device in the packet path?

The version 5.0 software can run on an IDS-4235 with no additional PCI card, but will be limited to running only in promiscuous mode.

This is because version 5.0 requires 2 sensing interfaces to be paired for running in inline mode.

The base chassis only has 1 sensing interface.

Up till now the only PCI card supported on the IDS-4235 was the IDS-4FE-INT= (4 10/100 TX interfaces), but fairly soon an IDS-TX-INT= (1 10/100/1000 TX interface) will also be supported. One of these 2 cards would have to be purchased to add additional sensing interfaces to do inline monitoring.

This may change in future software versions.

Thank you very much

a.arndt
Level 3

IPS prevents intrusions by sitting inline on a link (the answer to your second question), blocking traffic (read: not passing it from one interface to the other) that meets specific criteria. If you think of the IPS as a border crossing, the signatures would be analogous to the guard at the gate who is denying you access until they’ve looked at your passport (the IP and TCP/UDP headers, for example) and inspected the trunk of your car (the data payload).

In Cisco IPS land, any traffic that causes a signature to fire, where that signature is configured to block, will be blocked. This is better than "reactive IDS" (the lexicon for what you asked about in your third question) because it can be instantaneous, instead of in a delayed response to traffic that matches a signature.

"Reactive IDS", that is an IDS sensor configured to reconfigure an ACL on either a router or firewall (so the answer is "yes" to your fourth question...) in response to specifically configured signatures being triggered, is different from IPS because of the delay the architecture inherently introduces.

It is far faster for an inline device to stop a malicious IP datagram or TCP/UDP packet than trying to do the same via reactive IDS. The IPS stops it right then and there, whereas the IDS puts roadblocks in place as a result of something bad happening. Unfortunately, the evil activity may already have occurred before the IDS can reconfigure the router/firewall it has a partnership with as a result. Even if you now block all traffic from the offending source IP address for 30 minutes, it does very little to prevent the potentially exploited destination IP address from posing a threat to your protected network. In essence, it's about as effective as closing the barn door after the horse has already run off...

Case in point, a single-packet buffer overflow attack can cause a host to open a reverse shell. If an IPS intercepts this packet, the host never receives the attack because it is blocked (assuming of course that there is a signature matching the attack and that the signature settings allow it to block). If an IDS using the reactive features sees this packet, it will have the router/firewall it controls put an ACL in place blocking all further traffic where the source IP address matches the one that triggered the alarm. This does nothing to stop the host that received the packet containing that buffer overflow from pushing the reverse shell contained in the attack back out. The wily attacker will just configure the attack to use the IP of another system they control to receive that shell, bypassing any ACL the IDS caused to be thrown into place as a result of the attack.

I hope this clarifies. On the surface, the two concepts are similar. Ultimately, however, they are worlds apart. IMHO, Cisco's efforts with "reactive IDS" provided the foundation upon which the current IPS products were built.

I hope this helps,

Alex Arndt
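The timing gap both replies describe (an inline sensor drops the real packet before the host sees it; a promiscuous sensor inspects a SPAN copy and can only shun the source afterwards) as an added toy simulation. It is not code from the thread or from Cisco; Packet, InlineSensor, ReactiveIDS, the "EVIL" marker and the addresses are all constructed for illustration.

```python
# Added example, not from the thread: a toy model of the two deployments
# the replies contrast. All names, marker strings and addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

def signature_fires(pkt: Packet) -> bool:
    # Stand-in for an IPS signature: matches a constructed marker in the payload.
    return b"EVIL" in pkt.payload

@dataclass
class InlineSensor:
    """Inline mode: the real packet passes through the bridge, so a match
    can be dropped before the protected host ever receives it."""
    dropped: list = field(default_factory=list)

    def forward(self, pkt: Packet):
        if signature_fires(pkt):
            self.dropped.append(pkt)
            return None
        return pkt

@dataclass
class ReactiveIDS:
    """Promiscuous mode: the sensor only sees a SPAN copy, so the original
    is already delivered. All it can do is shun the source IP on the
    router/firewall so that *later* packets from that source are blocked."""
    shunned: set = field(default_factory=set)

    def forward(self, pkt: Packet):
        if pkt.src in self.shunned:
            return None                  # ACL installed by an earlier alarm
        if signature_fires(pkt):
            self.shunned.add(pkt.src)    # reaction happens after delivery
        return pkt

def delivered(sensor, packets):
    """Payloads that actually reached the protected host through this sensor."""
    return [p.payload for p in map(sensor.forward, packets) if p is not None]

# Constructed inbound traffic: a benign request, a single-packet attack, a retry.
INBOUND = [
    Packet("198.51.100.7", "10.0.0.5", b"GET / HTTP/1.0"),
    Packet("198.51.100.7", "10.0.0.5", b"EVIL single-packet overflow"),
    Packet("198.51.100.7", "10.0.0.5", b"EVIL retry"),
]
```

Run `delivered(InlineSensor(), INBOUND)` and `delivered(ReactiveIDS(), INBOUND)` side by side: the inline sensor delivers only the benign request, while the reactive sensor delivers the first attack packet and blocks only the retry.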
