cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2789
Views
0
Helpful
9
Replies

IPS and IDS configuration

abouzidzineb
Level 1
Level 1

Hi,

The concepts of IDS and IDS are clear for me. Now I want to understand the difference between IDS and IPS in terms of deployement (does it use the same ports for monitoring and and command and control) and configuration (SPAN...).

Thanks.

9 Replies 9

a.arndt
Level 3
Level 3

I think you meant to say "The concepts of IDS and IPS are clear to me."

Anyway, the differences between deployments are really dependent on how you intend to use it.

The Cisco IPS-4200 series appliances, or IDS-4200 series appliances running IPS v5.0 software, can be deployed either inline or as passive monitoring devices.

Inline deployment is analogous to a TAP. The IPS literally sits as a line device on the physical link between two other devices (say, a router and a switch). As an inline device, it may impact link performance if not properly configured, as it may introduce a fault. That being said, I understand that Cisco has been careful to ensure the default configurations on the IPS-4200 appliances won't cause this sort of problem. Otherwise, it is essentially a layer-2 bridge that has no other impact on your network. The biggest advantage here is that you can take advantage of the advanced features of the IPS software and actually modify the packet flow through the sensor based on your rules.

If you choose to use an IPS-4200 appliance in passive monitoring mode, you can basically deploy it in the same fashion as an IDS-4200 series appliance. SPAN, RSPAN, VSPAN, network TAP or port mirroring (if you have non-Cisco switch gear) can all be used to feed a monitoring interface. Of course, you’ll still have some limited ability to actually respond to traffic (other than producing an alert), but they are not as substantial or sophisticated as an inline IPS.

Now, let’s deal with your ports question. On the IPS-4200 series devices, they are built with predefined monitoring ports and a dedicated management port. If you put the IPS v5.0 software onto an IDS-4200 appliance, you cannot do inline without installing additional interfaces (using part no. INT-4FE=). Interface #2 (aka eth1) remains the dedicated management interface, however Interface #1 (aka eth0) and the new interfaces (int2 through int5) become the monitoring interfaces. If you use the device inline, int0 essentially becomes superfluous, IIRC.

Anyway, I hope this answers your questions. In a nutshell, other than the difference with deploying an IPS inline, using the Cisco sensors as passive monitoring devices is the same, regardless of what version of the software (IDS v4.1 or IPS v5.0) you’re using.

I hope this helps,

Alex Arndt

Thanks Alex,

This is an overview about security and switches devices:

- 2 IPS 4240

- 7 Cisco Switch for all network segment

So what is the configuration I have to put in swithes in order to redirect all datagrams to the ips port? I have no idea about SPAN configuration!

Please if you have any detailed documentation about basic deployement and configuration of Cisco IPS.

mail : abouzidzineb@yahoo.fr

Best Regards

Given this info, I'm going to assume that you don't want to run your IPS-4240 sensors inline...

Is it a safe guess that you're going to use the eight total monitoring interfaces you have to instead passively monitor different legs of the network, and that each switch will be configured to provide that capability via a SPAN on each switch?

BTW, I can't give you specifics on configuring SPAN without knowing which switch platform(s) you're using. In order to perhaps save time, here's some links for configuring SPAN and RSPAN on some more common switch platforms:

2940 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2970/12119ea1/2970scg/swspan.htm

2950 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swspan.htm

2970 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2970/12114ea1/2970scg/swspan.htm

3550 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/3550scg/swspan.htm

3560 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12119ea1/3560scg/swspan.htm

3750 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12119ea1/3750scg/swspan.htm

4000 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/7_5/config/span.htm

6500 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/span.htm

If you have another switch, just use the string "configure SPAN RSPAN " in the cisco.com search engine and you should find what you need.

Though you want info on deploying the IPS-4240, here's a link with info for all the platforms:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_installation_guides_list.html

Finally, here's a link for software configuration itself (varous versions):

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guides_list.html

I hope this helps,

Alex Arndt

Hi,

To my knowledge the fact of deciding to install an IPS, automatically we opt to deploy the IPS inline.My question is: does the IPS will play the prevention rôle in a passive deployement and how can it play the prevention role.

You're right, if you want to take full advantage of the intrusion prevention capabilities of Cisco IPS v5.0, you'll have to deploy inline.

That being said, you can still do IPS on four of your links using only two IPS-4240 sensors.

The IPS-4240 is capable of performing inline monitoring and response on two discrete links. Basically, monitoring ports 1 and 2 are the first link, while monitoring ports 3 and 4 are the second.

If you need to watch more than four legs of your network, you're going to need more sensors.

The good thing is that you won't need to do anything special on your switches, like configuring SPAN, if you're deploying inline. The big advantage is that there's no additional processing cost to accommodate copying packets to the SPAN port(s), and no loss of physical ports to SPAN, which leaves all your interfaces available for normal switching.

FYI, you can still do limited response in a passive deployment, but it is essentially limited to either TCP resets or Shunning/IP blocking via a compatible Cisco router or PIX firewall. This is not a thorough or as flexible as inline mode.

I hope this helps,

Alex Arndt

Your message is clear, inline deployment is more secure, easy to do but limits the number of subnets we can monitor.

I have two additional questions:

Q1- My network architecture is composed by

Cisco Router for internet accès

PIX Firewall on failover mode

2*IPS 4220

The VMS server was deployed on a separate DMZ(DMZ for administration).

My goal in this stage is to configure Cisco IDS actions via VMS solution. So What's the most popular action to take: TCP reset or IP blocking. and What's recommended in my case.

NB.: The router is not directly connected to the administrative DMZ.

Q2- What's the main idea to configure the ACL for IP blocking purposes on the level of router and why not on firewall level? (In my opinion the idea is to prevent the spoofing attack)

FYI, either reactive functionality that you can use while deploying a sensor in passive mode is configured on a per-signature basis. I'm not sure if you can reconfigure signature groups en-masse via VMS to use TCP reset or IP block, so I just want to make sure you have this info for your consideration.

Answer to Q1: You can't use IP blocking without a connection to the router from your admin DMZ. Effectively, given your setup, you can only take advantage of TCP reset. As a defensive strategy, TCP reset is not the best, since there are many circumstances where you could conceivably DoS yourself. You should be very selective WRT which signatures you enable this functionality on, IMHO.

Answer to Q2: I always thought you could configure IP blocking on either a Cisco router or selected PIX firewalls, so I'm not sure I follow. Perhaps someone with more experience using IP blocking can wade in here, as I have limited experience with it myself.

Alex Arndt

Excuse me to open this bracket:(To time to time I will go back so it's just to correct me if I miss-understand any thing.)

It's true that the signatute basis is very big to customize case by case. But generally the entreprise communication needs with the external networks are known (for example http, smtp) and we can opt for example to apply the IP blocking policy for just http related signature with high sevirity.

I have two additional questions:

Q3- for IP blocking action, which order the managed device(router or pix firewall) to apply the ACL? the sensor or the director? I mean: which open the telnet session to the managed device and apply the access control list.

Q4- for TCP reset, the sensor order the switch to session. So I want to make a focus under the notion seeion. To my knowledge, traffic on SPAN session is copied from source port to the destination port in a context called "SPAN session". So is it the same session that is reseted?

Answer to Q3: The sensor initiates the communication to the router/PIX and applies the changes. To the router/PIX, it's just another privileged login that is making a configuration change, albeit a scripted one.

Assuming you're running IPS v5.0, here's a link with info on "Configuring Blocking" that might help:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00803eb01e.html

Answer to Q4: There is really nothing special to do here. When you create a SPAN, I believe it is normally configured by default to both receive (that is, send out copies of the packets sent to it from the ports configured to do so when you set up SPAN monitoring) and transmit (which means it will accept packets from the physical NIC connected to that switch port).

When Cisco IDS/IPS performs a TCP reset, it actually crafts packets and sends them out the monitoring interface. It spoofs both ends of the session that triggered the alarm and sends a series of TCP resets in order to tear the offending session down. The sensor will be able to send these resets out through the SPAN port it is connected to, as long as you haven't configured the SPAN destination port with the "no inpkts / inpkts disable" command.

Here’s a link with info on “Configuring Event Action Rules” (IPS v5.0) that might help:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00803eb027.html

I hope this helps,

Alex Arndt

Review Cisco Networking for a $25 gift card