Cisco IPS 4510 Sensor White Paper
Intrusion Prevention
August 2012 Series
Business Overview
Internet services have become a key part of day-to-day operations for many
organizations today. Providing secure Internet access, while preventing
malicious content from entering an organization is critical to maintaining
employee productivity. In addition to client access to the Internet,
organizations have a near-universal need to have a web presence available for
partners and clients to access information about the organization. Placing
corporate information on the Internet runs a risk of exposure of data through
an attack on the public-facing services. For an organization to utilize the
Internet effectively, solutions must be found for all of these concerns.
Technology Overview
Worms, viruses, and botnets pose a substantial threat to organizations.
To minimize the impact of network intrusions, you can deploy intrusion
prevention systems (IPSs) in order to provide additional protection for the
organization from the traffic that is permitted through the Internet edge
firewall. Cisco IPS technology complements the firewall and inspects the traffic
permitted by the firewall policy for attacks.
Cisco IPS devices come in two formats: standalone appliances and
hardware or software modules inside a Cisco ASA firewall. The differences
between the devices generally revolve around how the devices get the
traffic they inspect. An appliance uses physical interfaces that exist as part
of the network. A module receives traffic from the ASA firewall in which it
resides, according to the policy defined on the firewall.
With either type of device, there are two deployment modes available:
promiscuous (IDS) or inline (IPS). There are specific reasons for each
deployment mode, based on risk tolerance and fault tolerance. Inline or
IPS mode means that the IPS device sits inline on the traffic flow in order to
inspect the actual packets, and if an alert is triggered that includes a drop
action, the IPS device can drop the actual malicious packet. Promiscuous or
IDS mode (note that an IPS device can operate in IDS mode) means that an
external device is copying the packets to the IPS device. For an appliance,
the way packets get copied is generally a network tap or a switch running a
SPAN session. For a module, the copying happens at the Cisco ASA firewall
and is controlled by the ASA configuration. Because inline and promiscuous
are operating modes, an IPS device can inspect traffic at multiple places,
and each inspection point could be set up independently as inline or
promiscuous.
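As an added illustration of how the ASA controls which mode its IPS module runs in (this fragment is not taken from the guide), the ASA Modular Policy Framework below directs traffic to the module. The class-map and policy names are assumed; `ips inline fail-open` and `ips promiscuous fail-close` are the ASA keywords that select the deployment mode and the behavior if the module stops responding.

```text
! Send all traffic permitted by the firewall through the IPS module
! (inline, IPS mode): the module can drop a malicious packet itself.
! fail-open: if the module fails, the ASA keeps forwarding traffic
! uninspected, so availability is favoured over protection.
class-map ips-class
 match any
!
policy-map global_policy
 class ips-class
  ips inline fail-open
!
service-policy global_policy global

! Alternative for the same class: copy traffic to the module
! (promiscuous, IDS mode). The module only sees a copy and cannot drop
! the original packet. fail-close: if the module fails, the ASA stops
! forwarding the matched traffic, so protection is favoured over
! availability.
!  class ips-class
!   ips promiscuous fail-close
```

The inline/promiscuous keyword sets the risk tolerance the text describes, and fail-open/fail-close sets the fault tolerance; the two choices are independent.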
Using inline mode means that network traffic flows through an IPS device,
and if the device fails or misbehaves, it will impact production traffic. The
advantage inline mode offers is that when the sensor detects malicious
behavior, the sensor can simply drop it. This allows the IPS device a much
greater capacity to actually prevent attacks.
Using promiscuous mode means that the IPS device must use another inline
enforcement device in order to stop malicious traffic. This means that for
activity such as single-packet attacks (the Slammer worm over User Datagram
Protocol), an IDS sensor could not prevent the attack from occurring.
However, an IDS sensor can offer great value when identifying and cleaning
up infected hosts.
This design uses the Cisco ASA 5500 Series IPS Solution (software module
inside an ASA) at the Internet edge. The design offers several options that
are based on the performance requirements of the organization. It is
important to remember that the Internet edge firewall and IPS have more than just
employee Internet traffic going through the box. Internal traffic to servers in
the DMZ, wireless guest traffic, site-to-site VPN, and remote-access VPN
traffic all combine to make the throughput requirements for the Internet
edge firewall and IPS much higher than Internet connection speed.
You will also deploy the standalone Cisco IPS 4300 Series Sensors in
promiscuous mode. The ability to deploy a sensor internally on the network in
order to watch traffic on any distribution switch can be very valuable. These
sensors can be used to watch traffic going to and from the WAN network,
traffic on the wireless network, or even traffic on a B2B network to a partner.