Network Security v1.0 - Module 11

This module covers Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), detailing their functions, implementations, and differences. It explains the advantages and disadvantages of both systems, the types of IPS available, and how they can be deployed on Cisco devices. Additionally, it discusses the configuration of Cisco Switched Port Analyzer (SPAN) for network monitoring and emphasizes the importance of understanding normal network behavior for security analysis.

What to Expect in this Module

To facilitate learning, the following features within the GUI may be included in this module:

Feature - Description
Animations - Expose learners to new skills and concepts.
Videos - Expose learners to new skills and concepts.
Check Your Understanding (CYU) - Per topic online quiz to help learners gauge content understanding.
Interactive Activities - A variety of formats to help learners gauge content understanding.
Syntax Checker - Small simulations that expose learners to Cisco command line to practice configuration skills.
PT Activity - Simulation and modeling activities designed to explore, acquire, reinforce, and expand skills.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Module 11: IPS Technologies

Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: IPS Technologies

Module Objective: Explain how network-based Intrusion Prevention Systems are used to help secure a network.

Topic Title - Topic Objective
IDS and IPS Characteristics - Explain the functions and operations of IDS and IPS systems.
IPS Implementations - Explain how network-based IPS are implemented.
IPS on Cisco ISRs - Describe the IPS technologies that are available on Cisco ISR routers.
Cisco Switched Port Analyzer - Configure Cisco SPAN.
11.1 IDS and IPS Characteristics
IDS and IPS Characteristics
Zero-Day Attacks
A zero-day attack is a cyberattack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor. The term zero-day describes the moment when a previously unknown threat is identified.

Microsoft Internet Explorer Zero-Day Vulnerability
IDS and IPS Characteristics
Monitor for Attacks

Intrusion Detection Systems (IDS) were implemented to passively monitor the traffic on a network. The figure shows that an IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets. A better solution is to use a device that can immediately detect and stop an attack. An Intrusion Prevention System (IPS) performs this function.
IDS and IPS Characteristics
Intrusion Prevention and Detection Devices

IDS and IPS Characteristics
Advantages and Disadvantages of IDS and IPS

IDS
Advantages:
• No impact on network (latency, jitter)
• No network impact if there is a sensor failure
• No network impact if there is sensor overload
Disadvantages:
• Response action cannot stop trigger packets
• Correct tuning required for response actions
• More vulnerable to network security evasion techniques

IPS
Advantages:
• Stops trigger packets
• Can use stream normalization techniques
Disadvantages:
• Sensor issues might affect network traffic
• Sensor overloading impacts the network
• Some impact on network (latency, jitter)
11.2 IPS Implementations

IPS Implementations
Types of IPS
Sample IPS Sensor Deployment

There are two primary kinds of IPS available: host-based IPS (HIPS) and network-based IPS.

HIPS can be thought of as a combination of antivirus software, antimalware software, and a firewall. An example of a HIPS is Windows Defender. It provides a range of protection measures for Windows hosts.

A network-based IPS can be implemented using a dedicated or non-dedicated IPS device such as a router. Network-based IPS implementations are a critical component of intrusion prevention. Host-based IDS/IPS solutions must be integrated with a network-based IPS implementation to ensure a robust security architecture.
IPS Implementations
Network-Based IPS
Network-based IPS sensors can be implemented in several ways:
• On a Cisco Firepower appliance
• On an ASA firewall device
• On an ISR router
• As an NGIPSv for VMware

The hardware of all network-based sensors includes three components:
• NIC - The network-based IPS must be able to connect to any network, such as Ethernet, Fast Ethernet, and Gigabit Ethernet.
• Processor - Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
• Memory - Intrusion detection analysis is memory-intensive. Memory directly affects the ability of a network-based IPS to efficiently and accurately detect an attack.
IPS Implementations
Modes of Deployment
IDS and IPS sensors can operate in inline mode (also known as inline interface pair mode) or promiscuous mode (also known as passive mode).

Inline Mode

Promiscuous Mode
11.3 IPS on Cisco ISRs

IPS on Cisco ISRs
IPS Components

An IPS sensor has two components:
• IPS detection and enforcement engine - To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
• IPS attack signatures package - This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analyzed for matches to these signatures.

The IPS detection and enforcement engine that can be implemented depends on the router platform:
• Cisco IOS Intrusion Prevention System (IPS)
• Cisco Snort IPS
IPS on Cisco ISRs
Cisco IOS IPS

The network administrator could configure the Cisco IOS IPS to choose the appropriate response to various threats. For example, when packets in a session matched a signature, Cisco IOS IPS could be configured to respond as follows:
• Send an alarm to a syslog server or a centralized management interface.
• Drop the packet.
• Reset the connection.
• Deny traffic from the source IP address of the threat for a specified amount of time.
• Deny traffic on the connection for which the signature was seen for a specified amount of time.
IPS on Cisco ISRs
Snort IPS
Many of the devices that supported Cisco IOS IPS are no longer available, or no longer supported. The newer Cisco 4000 Series Integrated Services Routers (ISR) provide IPS services using the Snort IPS feature. Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content searching or matching, and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, etc.

The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs. A virtual service container is a virtual machine that runs on the ISR router operating system. Service containers are applications that can be hosted directly on Cisco IOS XE routing platforms. The Snort container is distributed as an Open Virtualization Appliance (OVA) file that is installed on the router.
IPS on Cisco ISRs
Snort Operation

Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. Snort can customize rule sets and provide centralized deployment and management capabilities for 4000 Series ISRs.
Snort can be enabled in IDS mode or IPS mode:
• IDS mode - Snort inspects the traffic and reports alerts but does not take any action to prevent attacks.
• IPS mode - In addition to intrusion detection, actions are taken to prevent attacks.

In the network intrusion detection and prevention mode, Snort performs the following actions:
• Monitors network traffic and analyzes against a defined rule set.
• Performs attack classification.
• Invokes actions against matched rules.
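The following is an added example written for this module; it is not Cisco IOS IPS or Snort code. It models what the slides describe in three places: the IDS/IPS advantages table (an IDS inspecting a copy cannot stop the trigger packet, an inline IPS can), the response actions listed for Cisco IOS IPS (alarm, drop, reset, time-limited deny of a source address or a connection), and the Snort IDS mode versus IPS mode distinction plus signature allowed listing (disabling individual signatures). The `Sensor` and `run` names, the signature pack, the packets and their timestamps are all constructed for the demonstration and correspond to nothing in the real signature package.

```python
"""Toy signature-based sensor run in IDS (copy) mode and IPS (inline) mode.

Added example for this module, not Cisco or Snort code. Signatures,
packets and the clock below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds on a constructed clock
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern   # content match, in the spirit of a Snort content/pcre option
    action: str           # alarm | drop | reset | deny-src | deny-conn


# Constructed signature pack (a real pack is a vendor-distributed file of rules).
SIGNATURE_PACK = [
    Signature(1001, "overlong HTTP request path", re.compile(rb"GET /A{200,}"), "drop"),
    Signature(1002, "directory traversal probe", re.compile(rb"\.\./\.\./"), "deny-src"),
    Signature(1003, "admin login attempt", re.compile(rb"user=admin"), "alarm"),
]


class Sensor:
    def __init__(self, mode: str, deny_seconds: float = 60.0, disabled=()):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.deny_seconds = deny_seconds
        self.disabled = set(disabled)   # allowed listing: signatures switched off
        self.alerts = []                # (sid, src); a real sensor sends these to syslog/SIEM
        self.denied_src = {}            # source ip -> expiry timestamp
        self.denied_conn = {}           # (src, dst, dport) -> expiry timestamp

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict for one packet: forward, drop or reset."""
        conn = (pkt.src, pkt.dst, pkt.dport)
        if self.mode == "ips":
            # Time-limited deny lists only have effect when the sensor is inline.
            if self.denied_src.get(pkt.src, 0.0) > pkt.ts:
                return "drop"
            if self.denied_conn.get(conn, 0.0) > pkt.ts:
                return "drop"
        for sig in SIGNATURE_PACK:
            if sig.sid in self.disabled or not sig.pattern.search(pkt.payload):
                continue
            self.alerts.append((sig.sid, pkt.src))
            if self.mode == "ids":
                # IDS works on a mirrored copy: the trigger packet was already forwarded.
                return "forward"
            return self._enforce(sig, pkt, conn)
        return "forward"

    def _enforce(self, sig: Signature, pkt: Packet, conn) -> str:
        expiry = pkt.ts + self.deny_seconds
        if sig.action == "alarm":
            return "forward"            # alert only, traffic continues
        if sig.action == "reset":
            return "reset"              # tear down the connection
        if sig.action == "deny-src":
            self.denied_src[pkt.src] = expiry
        elif sig.action == "deny-conn":
            self.denied_conn[conn] = expiry
        return "drop"                   # drop, deny-src and deny-conn all drop the trigger packet


# Constructed traffic: a benign client on 10.0.0.5 and a probing client on 10.0.0.9.
TRAFFIC = [
    Packet(1.0, "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet(2.0, "10.0.0.5", "10.0.0.80", 80, b"GET /" + b"A" * 250 + b" HTTP/1.1\r\n"),
    Packet(3.0, "10.0.0.5", "10.0.0.80", 80, b"POST /login HTTP/1.1\r\n\r\nuser=admin&pw=x"),
    Packet(10.0, "10.0.0.9", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet(20.0, "10.0.0.9", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),   # still denied
    Packet(100.0, "10.0.0.9", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),  # deny expired
]


def run(mode: str, disabled=()):
    """Run the constructed traffic through one sensor; return (verdicts, alerts)."""
    sensor = Sensor(mode, disabled=disabled)
    verdicts = [sensor.inspect(p) for p in TRAFFIC]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = run(mode)
        print(mode, verdicts, alerts)
```

Running both modes over the same packets makes the table's trade-off concrete: in IDS mode every packet is forwarded and the two probes only produce alerts, while in IPS mode the overlong request is dropped, the traversal probe puts its source on a 60-second deny list so the following benign request from that host is also dropped, and the deny lapses by the last packet. Disabling signature 1001 shows allowed listing turning one detection off without touching the rest of the pack.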
IPS on Cisco ISRs
Snort Features
The table lists the features and benefits of Snort IPS.

Feature - Benefit
Signature-based intrusion detection system (IDS) and intrusion prevention system (IPS) - Snort open-source IPS, capable of performing real-time traffic analysis and packet logging on IP networks, runs on the 4000 Series ISR service container without the need to deploy an additional device at the branch.
Snort rule set updates - Snort rule set updates for 4000 Series ISRs are generated by Cisco Talos, a group of leading-edge network security experts who work around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware, and vulnerabilities.
Snort rule set pull - The router will be able to download rule sets directly from cisco.com or snort.org to a local server, using one-time commands or periodic automated updates.
Snort rule set push - A centralized management tool can push the rule sets based on preconfigured policy, instead of the router directly downloading on its own.
Signature allowed listing - Allowed listing allows the disabling of certain signatures from the rule set. Disabled signatures can be reenabled at any time.
IPS on Cisco ISRs
Snort System Requirements
A security K9 license (SEC) is required to activate Snort IPS functionality. Customers also need to purchase a yearly subscription for the signature package distributed on cisco.com. To keep current with the latest threat protection, Snort rule sets are term-based subscriptions, available for one or three years.

There are two types of term-based subscriptions:
• Community Rule Set - Offers limited coverage against threats, focusing on reactive response to security threats versus proactive research work. There is 30-day delayed access to updated signatures in the Community Rule Set, and this subscription does not entitle the customer to Cisco support.
• Subscriber Rule Set - Offers the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco.
11.4 Cisco Switched Port Analyzer
Cisco Switched Port Analyzer
Network Monitoring Methods

The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth usage, and resource access. Together, these patterns identify normal network behavior. Security analysts must be intimately familiar with normal network behavior because abnormal network behavior typically indicates a problem.

To determine normal network behavior, network monitoring must be implemented using IDS, packet analyzers, SNMP, NetFlow, and other tools. Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices:
• Network taps, sometimes known as test access points (TAPs)
• Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring approaches.
Cisco Switched Port Analyzer
Network Taps

A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination. Taps are also typically fail-safe, which means if a tap fails or loses power, traffic between the firewall and internal router is not affected.
Cisco Switched Port Analyzer
Traffic Mirroring and SPAN
Because capturing data for network monitoring requires all traffic to be captured, special techniques must be employed to bypass the network segmentation imposed by network switches. Port mirroring is one of these techniques. Port mirroring enables the switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) port that is connected to an analysis device.

The table identifies and describes terms used by the SPAN feature.

SPAN Term - Description
Ingress traffic - Traffic that enters the switch.
Egress traffic - Traffic that leaves the switch.
Source (SPAN) port - Source ports are monitored as traffic entering them is replicated (mirrored) to the destination ports.
Destination (SPAN) port - A port that mirrors source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.
Cisco Switched Port Analyzer
Traffic Mirroring and SPAN (Cont.)
The figure shows a switch that interconnects two hosts and mirrors traffic to an intrusion detection device (IDS) and network management server.
Cisco Switched Port Analyzer
Configure Cisco SPAN

The SPAN feature on Cisco switches sends a copy of each frame entering the source port out the destination port and toward the packet analyzer or IDS. A session number is used to identify a SPAN session. The figure shows the monitor session command, used to associate a source port and a destination port with a SPAN session. A VLAN can be specified instead of a physical port.
Cisco Switched Port Analyzer
Configure Cisco SPAN (cont.)

In this example, PCA is connected to F0/1 and an IDS is connected to F0/2. The objective is to capture all the traffic that is sent or received by PCA on port F0/1 and send a copy of those frames to the IDS (or a packet analyzer) on port F0/2. The SPAN session on the switch will copy all the traffic that it sends and receives on source port F0/1 to the destination port F0/2.
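The following is an added example written for this module; it is not Cisco switch code and does not run on a switch. It parses the two monitor session commands listed under New Terms and Commands (source and destination, by interface or by VLAN) and works out, for a few constructed frames, which of them the switch would copy to the destination port, so the SPAN terms in the table above (ingress and egress, source and destination port) and the PCA on F0/1 to IDS on F0/2 example can be traced by hand. The switch model (port names, VLAN numbers, frames), the `Frame` type and the function names are constructed; the check that a destination port cannot also be a source in the same session reflects general SPAN behaviour on Cisco switches rather than anything stated on the slides.

```python
"""Model of a local SPAN session on a Cisco switch.

Added example for this module, not Cisco code. It parses the module's two
"monitor session" commands and reports which constructed frames a switch
would mirror to the destination port.
"""
import re
from dataclasses import dataclass

# Syntax from the module: monitor session <n> source|destination interface <if> | vlan <id>
MONITOR_RE = re.compile(
    r"^monitor session (?P<num>\d+) (?P<role>source|destination) "
    r"(?P<kind>interface|vlan) (?P<name>\S+)$"
)


@dataclass(frozen=True)
class Frame:
    ingress_port: str   # port the switch received the frame on
    egress_port: str    # port the switch forwards the frame out of
    vlan: int           # VLAN the frame belongs to


def parse_span_config(lines):
    """Return {session_number: {"sources": set of (kind, value), "destination": (kind, value)}}."""
    sessions = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                         # blank line or IOS comment
        m = MONITOR_RE.match(line)
        if not m:
            raise ValueError(f"not a monitor session command: {line}")
        sess = sessions.setdefault(int(m["num"]), {"sources": set(), "destination": None})
        key = (m["kind"], int(m["name"]) if m["kind"] == "vlan" else m["name"])
        if m["role"] == "source":
            sess["sources"].add(key)
        else:
            sess["destination"] = key
    for num, sess in sessions.items():
        if sess["destination"] is None or not sess["sources"]:
            raise ValueError(f"session {num} needs at least one source and a destination")
        if sess["destination"] in sess["sources"]:
            # Assumption (general SPAN behaviour): a destination cannot also be a source.
            raise ValueError(f"session {num}: destination cannot also be a source")
    return sessions


def mirrored_directions(session, frame):
    """Return the directions ('rx', 'tx') of `frame` that this session copies.

    A source interface is mirrored in both directions, matching the module's
    example that copies everything PCA sends and receives on F0/1. A source
    VLAN mirrors frames received in that VLAN.
    """
    directions = set()
    for kind, value in session["sources"]:
        if kind == "interface":
            if frame.ingress_port == value:
                directions.add("rx")     # ingress traffic on the source port
            if frame.egress_port == value:
                directions.add("tx")     # egress traffic on the source port
        elif frame.vlan == value:
            directions.add("rx")
    return directions


def span_copies(config_lines, frames):
    """For each frame, list the (session, destination port, directions) copies made."""
    sessions = parse_span_config(config_lines)
    report = []
    for frame in frames:
        copies = []
        for num, sess in sessions.items():
            dirs = mirrored_directions(sess, frame)
            if dirs:
                copies.append((num, sess["destination"][1], tuple(sorted(dirs))))
        report.append(copies)
    return report


# Constructed config following the module's PCA (F0/1) -> IDS (F0/2) example.
SPAN_CONFIG = [
    "monitor session 1 source interface Fa0/1",
    "monitor session 1 destination interface Fa0/2",
]

# Constructed frames: PCA talks to a server on Gi0/1; another host sits on Fa0/3.
FRAMES = [
    Frame("Fa0/1", "Gi0/1", 10),   # PCA -> server: received on the source port
    Frame("Gi0/1", "Fa0/1", 10),   # server -> PCA: sent out of the source port
    Frame("Fa0/3", "Gi0/1", 10),   # unrelated host: not part of the session
]

if __name__ == "__main__":
    for frame, copies in zip(FRAMES, span_copies(SPAN_CONFIG, FRAMES)):
        print(frame, "->", copies or "not mirrored")
```

The first two frames are copied to Fa0/2, one as ingress and one as egress traffic of the source port, and the third is not, which is exactly the traffic the IDS on F0/2 would see. Swapping the source line for a `source vlan 10` entry mirrors every frame in that VLAN instead, which is the VLAN alternative the previous slide mentions.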
Cisco Switched Port Analyzer
Configure Cisco SPAN (cont.)

The show monitor command is used to verify the SPAN session.
Cisco Switched Port Analyzer
Packet Tracer - Implement a Local SPAN

In this Packet Tracer, you will complete the following objectives:
• Part 1: Build the Network and Verify Connectivity
• Part 2: Configure Local SPAN and Capture Copied Traffic with Wireshark
11.5 Module 11: IPS Technologies Summary
Module 11: IPS Technologies Summary
What Did I Learn in this Module?

• IDS and IPS make up part of a multi-layered approach to network security.
• IDS work offline to detect malicious traffic through traffic mirroring.
• IPS devices work inline to prevent network attacks; however, they can add latency and slow network performance.
• IPSs can be host-based (HIPS) or network-based (NIPS).
• A HIPS is installed on network hosts.
• A NIPS can be deployed in two modes.
• In promiscuous mode, a NIPS functions as an IDS by monitoring mirrored traffic, alerting personnel and logging information when attacks occur.
• In inline mode, a NIPS processes all traffic that enters a network and checks that traffic at Layers 3 to 7.
• Enabling IPS functionality on routers at the branch level is a cost-effective way to protect networks with a single device.
• For the 4000 Series ISR, the Cisco Snort IPS has replaced the IOS IPS.
Module 11: IPS Technologies Summary
What Did I Learn in this Module? (cont.)

• Snort monitors network traffic and analyzes it against a defined rule set.
• Snort can classify attacks by type and can perform actions against the traffic.
• Snort can be configured to automatically update its rules from an internet source.
• SPAN is a technology that enables network monitoring from source ports or VLANs to a destination port or VLAN that is connected to the monitoring device or IDS.
• Source ports carry the traffic that is to be monitored, and destination ports are connected to the monitoring devices.
• The configuration of SPAN entails defining the source and destination switchports.
IPS Technologies
New Terms and Commands
• zero-day threat
• security operations center (SOC)
• security information and event management (SIEM)
• security orchestration, automation, and response (SOAR)
• intrusion detection systems (IDS)
• intrusion prevention systems (IPS)
• Host-based IPS (HIPS)
• Network-based IPS (NIPS)
• Switched Port Analyzer (SPAN)
• promiscuous mode
• inline mode
• Snort IPS
• IDS mode
• IPS mode
• community rule set
• subscriber rule set
• network tap
• test access points
• ingress traffic
• egress traffic
• monitor session number source [interface interface | vlan vlan]
• monitor session number destination [interface interface | vlan vlan]
• show monitor