Date post: 24-Apr-2018
Upload: doanminh

© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public

IPS Feature in Cisco Routers in Cisco IOS Software Release 12.4(11)T1

Cisco Security Router Portfolio

Feature Breadth and Scale at Highest Performance

[Figure: Cisco security routers plotted against "Performance and Services Density".]

Platforms shown:
• Cisco 800 Series Integrated Services Routers
• Cisco 1800 Series Integrated Services Routers
• Cisco 2800 Series Integrated Services Routers
• Cisco 3800 Series Integrated Services Routers
• Cisco® 7200 Series and Cisco 7301 (Cisco Security Routers)

Capability tiers shown:
• Embedded Wireless, Security, and Data
• Embedded, Advanced Voice, Video, Data, and Security Services
• High Density and Performance for Concurrent Services

Deployment segments shown: Small Office and Teleworker, Small Branch, Branch Office, SMB, Head Office, WAN Aggregation

Cisco Security Router Technologies

[Figure: technology groups available on Cisco® Security Routers.]

• Secure Network Solutions: Secure Voice, Compliance, Secure Mobility, Business Continuity
• Integrated Threat Defense: Network Admission Control, Advanced Firewall, Intrusion Prevention, URL Filtering, 802.1x, Network Foundation Protection, Flexible Packet Matching
• Secure Connectivity: GET VPN, DMVPN, Easy VPN, SSL VPN
• Management and Instrumentation: SDM, NetFlow, IP SLA, Role-Based Access

Cisco IOS IPS Feature Benefit Overview

• Provides networkwide, distributed protection from many worms, viruses, and attacks exploiting vulnerabilities in operating systems and applications
• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks
• Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router
• Offers field-customizable worm and attack signature set and event actions
• Supports same signature database available for Cisco Intrusion Prevention System (IPS) appliances
• Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions

[Figure labels: Corporate Office, Server Farm, Branch Office, IOS IPS, Slammer, Zotob, packets marked "Dest: 10.0.0.1 Dest port: 25".]

Cisco IOS IPS Branch Positioning and Use Cases

• Protect Branch PCs from Internet Worms: Use Cisco® IOS IPS in conjunction with Cisco IOS Firewall on Internet connections for worm protection.
• Move Worm Protection to the Network Edge: Apply IPS on traffic from branch to HQ to stop worms and attacks from infected branch PCs. Stop the attack before it wastes the WAN bandwidth.
• Protect Branch-Office Servers: Apply IPS and firewall on branch router to protect local servers at the branch from attacks. Avoid need for a separate device to protect servers.

[Figure labels: Internet, IPsec Tunnel or WAN Link, Corporate Headquarters, Branch Office, Router IPS and Firewall, Server, Client PCs, www.sports.com.]

Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T1

• Feature: Automated signature updates from a local TFTP or HTTP(S) server
  Benefit: Protection from latest threats with minimal user intervention

• Feature: Individual and category-based signature provisioning through Cisco IOS CLI
  Benefit: Offers granular customization and tuning of signatures through custom scripts

• Feature: IDCONF (XML) signature provisioning mechanism
  Benefit: Offers secure provisioning through Cisco Security Manager 3.1 and Cisco Router and Security Device Manager (SDM) 2.4 (*) over HTTPS

• Feature: Supports Signature Event Action Processor (SEAP)
  Benefit: Quick and automated adjustment of signature event actions based on Risk Rating

• Feature: Risk Rating value in IPS alarms based on signature severity, fidelity, and target value rating
  Benefit: Enables accurate and efficient IPS event correlation and monitoring

• Feature: NDA (encrypted) signature support
  Benefit: Efficient protection against many new vulnerabilities, some even before their public release

• Feature: Same signature format as the latest Cisco® IPS appliances and modules
  Benefit: Offers common operations for Cisco IPS appliances and Cisco IOS® IPS

(*) Cisco SDM 2.4 will be available in April 2007.

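Cisco IOS IPS and Cisco IPS Network Module

• Dedicated CPU and DRAM for IPS
  Cisco IOS IPS: No
  Cisco IPS Network Module: Yes

• Inline and promiscuous detection and mitigation
  Cisco IOS IPS: Yes
  Cisco IPS Network Module: Roadmap

• Signatures supported
  Cisco IOS IPS: Supports a subset of signatures subject to available memory
  Cisco IPS Network Module: Supports all signatures simultaneously

• Automatic signature updates
  Cisco IOS IPS: Yes
  Cisco IPS Network Module: Yes

• Day-zero anomaly detection
  Cisco IOS IPS: No
  Cisco IPS Network Module: Yes

• IPv6 detection
  Cisco IOS IPS: No
  Cisco IPS Network Module: Yes

• Rate limiting
  Cisco IOS IPS: No
  Cisco IPS Network Module: Yes

• Cisco® Security Agent and Cisco IPS collaboration
  Cisco IOS IPS: No
  Cisco IPS Network Module: Yes

• Device management
  Cisco IOS IPS: Cisco IOS® CLI, Cisco SDM
  Cisco IPS Network Module: IPS CLI, IDM

• System management
  Cisco IOS IPS: Cisco Security Manager
  Cisco IPS Network Module: Cisco Security Manager

• Event monitoring and correlation
  Cisco IOS IPS: IEV, Cisco Security MARS
  Cisco IPS Network Module: IEV, on-box Meta Event Generator, Cisco Security MARS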

Cisco IOS IPS – Ideal for Distributed Worm and Threat Mitigation

• Central Signature File Management with Cisco® Security Manager 3.1
• Prebuilt or Custom Signature Updates Distributed by Cisco Security Manager 3.1

[Figure labels: Corporate Office, Regional Office, Branch Office, Small Satellite Office, Telecommuter, WAN, Cisco IPS Appliance, Signature Updates.]

Cisco Services for IPS: Rapid Signature Updates for Emerging Threats

Complete maintenance coverage for IPS appliances, IPS modules for switch, router, and ASA, and IPS integrated with IOS:

• Signature file updates and license to install signatures
• Around-the-clock, global access to Cisco TAC
• Registered access to Cisco.com
• Operating system software updates
• Advance hardware replacement

[Figure labels: Cisco Countermeasure Research Team, Threats & Vulnerabilities, Network Viruses, Trend Micro, Update Package.]

IPS Signature Update Subscription Services

"Cisco Services for IPS" is the annual contract that entitles customers to receive all SMARTnet deliverables plus IPS signature updates released by Cisco at standard intervals.

Option 1 (Router IPS): Cisco sells service to end user
• Sell Cisco Services for IPS [One service contract]
• E.g. SKU: CON-SU1-C2811 (Cisco brand support is sold)

Option 2: Partner sells Cisco service and their own service to end user
• Buy Shared [Two service contracts]
• SKU: CON-CSSPD-C2811SEC (Shared Support, SKU for partners only)
• SKU: CON-SUSA-C2811SEC (Cisco Services for IPS, SKU for partners only)

Cisco IOS IPS Deployment

• Download the latest Cisco IPS signature package from http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
  – This package contains a digitally signed default (master) signature file that includes all the signatures used by all Cisco IPS products
• Use CLI commands to select one of the two Cisco® recommended signature categories (list of signatures) as the base signature set: IOS-Basic or IOS-Advanced
• Use CLI commands to customize your signature list:
  – Select additional signatures as desired
  – Delete signatures not relevant to the applications you're running
  – Tune actions of individual signatures (e.g., add "drop" action) as desired
  – Test your custom signature set in a lab setting before actual deployment

For details, see IOS IPS configuration guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t11/ips_v5.htm
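
The deployment steps above, written out as a Cisco IOS command sequence. This is an added example, not part of the original slides; the rule name MYIPS, the flash:ips directory, the interface, the TFTP address, the package file name and the signature ID are assumptions or placeholders.

```cisco
! Added example; names, addresses and the package file name are placeholders.
! Exec-mode commands are shown as comments with a Router# prompt.
!
!   Router# mkdir flash:ips
!
! The signature package is digitally signed. Install the Cisco public key
! (named-key realm-cisco.pub under "crypto key pubkey-chain rsa") first;
! the key material is not reproduced here.
!
ip ips name MYIPS
ip ips config location flash:ips
!
! Base signature set: retire everything, then unretire IOS-Basic only.
! Unretiring category "all" can exhaust router memory.
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
! (the router asks to confirm the changes on exit)
!
interface GigabitEthernet0/1
 ip ips MYIPS in
 exit
!
! Load the package; "idconf" makes the router parse and compile it.
!   Router# copy tftp://192.0.2.10/IOS-Sxxx-CLI.pkg idconf
!
! Tune one signature: unretire, enable, alert and drop inline.
! Signature 2004 subsignature 0 is used for illustration only.
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
   exit
  engine
   event-action produce-alert deny-packet-inline
   exit
  exit
 exit
! (confirm the changes when prompted)
!
! Check the result before deployment.
!   Router# show ip ips signature count
!   Router# show ip ips configuration
```

The "drop" action named on the slide corresponds to the deny-packet-inline event action; keeping produce-alert alongside it preserves an alarm for every dropped packet.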

Migrate Signatures from Cisco IOS Software Releases prior to Release 12.4(11)T1

Option 1: Existing customer is using noncustomized prebuilt signature files (SDFs).
– No signature migration is needed.
– Signatures in 128MB.sdf will be in IOS-Basic category.
– Signatures in 256MB.sdf will be in IOS-Advanced category.

Option 2: Existing customer is using customized prebuilt signature files (SDFs).
– Signature migration (TCL) script is available on Cisco.com to convert customized SDF to 5.0 format.
– This migration script will not migrate user-defined (third-party) signatures.

• Detailed migration procedure and CLI changes are documented in www.cisco.com/go/iosips.

Lifecycle of Security Services for Cisco IPS Solutions

• Plan: IPS Readiness Assessment: Assess the network infrastructure to determine IPS readiness.
• Design: IPS Design Development: Develop design specifications detailing topology, device configurations, hardware and software upgrades, and management.
• Implement: IPS Implementation Engineering: Provide installation, configuration, and testing of a pilot or corporatewide implementation.
• Operate: Services for IPS, Security Remote Operations Services, and IntelliShield: Provide signature updates, up-to-date intelligence, IPS monitoring and management, technical support, software updates, and hardware replacement.
• Optimize: IPS Optimization: Provide ongoing consultation to optimize IPS for reliability, efficiency, and scalability.

Goals shown across the lifecycle:
• Plan for a Sound IPS Architecture and Design
• Build Scalable, Adaptable, Easy-to-Upgrade IPS Solution
• Integrate IPS into the Network Infrastructure
• Protect Investment in the IPS Solution
• Continually Improve the IPS Solution

IntelliShield Alert Manager

IPS 6.0 Threat / Signature Correlation

• Complete vulnerability and threat information in a single database
• Notification of only those vulnerabilities relevant to a pre-defined infrastructure
• Actionable alerts in a standardized format based on user-customized profiles
• Each vulnerability or threat is analyzed and validated by security analysts
• Vulnerability and threat information is vendor-neutral and objectively graded
• Comprehensive library of over 10,000 threats and vulnerabilities
• Built-in workflow allows easy management of tasks and remediation efforts

For organizations that need rapid delivery of comprehensive, credible and cost-effective security intelligence to help prevent, mitigate, and quickly remediate potential IT attacks

Cisco IOS IPS Provisioning and Monitoring Options

IPS Signature Provisioning for N Routers
• Up to 5: Cisco SDM 2.4 (*)
• 5 to 250: Cisco Security Manager 3.1
• More Than 250:
  – Same sigs: Multiple Cisco Security Manager 3.1 instances or Cisco SDM 2.4 (*) and Cisco Configuration Engine
  – Otherwise: Multiple Cisco Security Manager 3.1 instances

IPS Event Monitoring for N Routers
• 1: Cisco IEV 5.1 (IPS Event Viewer) or Cisco SDM
• Up to 5: Cisco IEV 5.1
• More Than 5: Cisco Security MARS 4.3.1

(*) Cisco SDM 2.4 will be available in April 2007

Cisco Security Manager 3.1 Cisco IOS IPS Application Features

• Supports Cisco IOS® Software Release 12.4(11)T1 and Later
• Signature File Auto Update
• Custom Signature Templates
• Wizards – Add Signature and Signature Updates
• Rollback
• Cisco® SDM and Cisco® IEV Cross-Launch
• Filtering, Copying, and Cloning
• Signature Categories for SDFs
• IDCONF Support
• SEAP Support


Cisco Security Manager 3.1 Cisco IOS IPS Signature List View Sample

Cisco Router and Security Device Manager v2.4

Available April 2007

Major IPS Ease of Use Enhancements!

• Auto-update IPS signatures from Cisco.com
• Configure Signature, Risk Rating parameters and Event Action Processor (SEAP) to reduce false positives
• Customize IPS signatures
• Wizard to migrate IPS 4.0 format signatures to IPS 5.x/6.0 format

Cisco Router and Security Device Manager v2.4

Available April 2007

Cisco IOS IPS Collateral and Contacts

• Cisco IOS® IPS Website: http://www.cisco.com/go/iosips
• Cisco IOS IPS enhancements and 5.0 signature format support in Cisco IOS Software Release 12.4(11)T1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t11/ips_v5.htm
• Cisco IOS IPS Data Sheet: http://www.cisco.com/en/US/products/ps6634/products_data_sheet0900aecd803137cf.html [actual link may change]
• Cisco IOS IPS Deployment Guide: http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml [actual link may change]
• Cisco Services for IPS: http://www.cisco.com/en/US/products/ps6076/serv_group_home.html

Contact: [email protected]
