
Network Security v1.0 - Module 12

Module 12 focuses on IPS Operation and Implementation, detailing how signatures are used to detect malicious network traffic and the functionalities of Cisco Snort IPS. It includes various activities, objectives, and types of IPS signatures, along with their attributes and actions. Additionally, it covers the components of Snort IPS, rule actions, and header options for effective network security management.

Module 12: IPS Operation and Implementation

Instructor Materials

Networking Security v1.0 (NETSEC)
Instructor Materials – Module 12 Planning Guide

This PowerPoint deck is divided into two parts:

• Instructor Planning Guide
  • Information to help you become familiar with the module
  • Teaching aids
• Instructor Class Presentation
  • Optional slides that you can use in the classroom
  • Begins on slide # 9

Note: Remove the Planning Guide from this presentation before sharing with anyone.
For additional help and resources go to the Instructor Home Page and Course
Resources for this course. You also can visit the professional development site on
netacad.com, the official Cisco Networking Academy Facebook page, or Instructor
Only FB group.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Module 12: Activities

What activities are associated with this module?

| Page # | Activity Type | Activity Name | Optional? |
|---|---|---|---|
| 12.1.6 | Check Your Understanding | IPS Signature Actions | Recommended |
| 12.2.10 | Check Your Understanding | Snort IPS | Recommended |
| 12.3.9 | Syntax Checker | Configure Snort IPS | Recommended |
| 12.3.10 | Check Your Understanding | Implementing Snort IPS | Recommended |
| 12.4.2 | Module Quiz | IPS Operation and Implementation | Recommended |

Module 12: IPS Operation and Implementation

Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: IPS Operation and Implementation

Module Objective: Explain how signatures are used to detect malicious network traffic.

| Topic Title | Topic Objective |
|---|---|
| IPS Signatures | Describe IPS signatures. |
| Cisco Snort IPS | Explain how the Cisco Snort IPS provides network security services. |
| Configure Snort IPS | Explain how to configure Snort IPS on a Cisco ISR G2. |

12.1 IPS Signatures

IPS Signatures
IPS Signature Attributes

The network must be able to identify incoming malicious traffic in order to stop it. Fortunately,
malicious traffic displays distinct characteristics or “signatures”. Signatures uniquely identify specific
viruses, worms, protocol anomalies, and malicious traffic.

IPS sensors must be tuned to look for matching signatures or abnormal traffic patterns. As sensors
scan network packets, they use signatures to detect known attacks and respond with predefined
actions. An IDS or IPS sensor examines the data flow using many different signatures.

Signatures have three distinctive attributes:


• Type - Atomic or Composite
• Trigger - Also called the alarm
• Action - What the IPS will do

IPS Signatures
Types of Signatures
Some threats can be identified in one packet while other threats may require many packets
and their state information (i.e., IP addresses, port numbers, and more) to identify a threat.

There are two types of signatures:

• Atomic Signature - This is the simplest type of signature because a single packet,
activity, or event identifies an attack. The IPS does not need to maintain state
information and traffic analysis can usually be performed very quickly and efficiently.
• Composite Signature - Also called a stateful signature because the IPS requires
several pieces of data to match an attack signature. The IPS must also maintain state
information which is referred to as the event horizon. The length of an event horizon
varies from one signature to the next.

The heart of any IPS signature is the signature alarm, which is often referred to as the
signature trigger.
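
The difference between the two signature types, as an added example that is not part of the original slides: an atomic check that needs no state, and a composite check that keeps per-source state for the length of its event horizon. The class and function names, the port-count threshold, the marker string and the sample traffic are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # arrival time in seconds
    src: str             # source IP address
    dst_port: int
    payload: bytes = b""


# Constructed marker standing in for a known-bad byte pattern.
BAD_PATTERN = b"EXAMPLE-BAD-STRING"
PORTS = [21, 22, 23, 25, 80]


def atomic_match(pkt, pattern=BAD_PATTERN):
    """Atomic signature: a single packet decides, so no state is kept."""
    return pattern in pkt.payload


class CompositeScanSignature:
    """Composite (stateful) signature: fires when one source touches
    `threshold` distinct destination ports within `event_horizon` seconds."""

    def __init__(self, threshold=5, event_horizon=10.0):
        self.threshold = threshold
        self.event_horizon = event_horizon
        self._state = defaultdict(deque)      # src -> deque of (ts, dst_port)

    def inspect(self, pkt):
        window = self._state[pkt.src]
        window.append((pkt.ts, pkt.dst_port))
        # Forget observations that have aged out of the event horizon.
        while pkt.ts - window[0][0] > self.event_horizon:
            window.popleft()
        if len({port for _, port in window}) >= self.threshold:
            del self._state[pkt.src]          # raise one alarm per burst
            return True
        return False


def sample_traffic():
    """Constructed traffic: a fast port sweep, a slow one, one bad payload."""
    fast = [Packet(0.5 * i, "203.0.113.7", p) for i, p in enumerate(PORTS)]
    slow = [Packet(20.0 * i, "198.51.100.9", p) for i, p in enumerate(PORTS)]
    single = [Packet(3.0, "192.0.2.44", 80, b"GET /?q=EXAMPLE-BAD-STRING")]
    return fast + slow + single


def run(packets, composite):
    """Feed packets in time order through both signatures; return the alarms."""
    alarms = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if atomic_match(pkt):
            alarms.append((pkt.ts, pkt.src, "atomic"))
        if composite.inspect(pkt):
            alarms.append((pkt.ts, pkt.src, "composite"))
    return alarms


if __name__ == "__main__":
    for horizon in (10.0, 100.0):
        sig = CompositeScanSignature(threshold=5, event_horizon=horizon)
        print(f"event horizon {horizon:>5}s:", run(sample_traffic(), sig))
```

With a 10-second event horizon the slow sweep never triggers, which is a false negative; a 100-second horizon catches it at the cost of holding state for each source ten times longer.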
IPS Signatures
IPS Signature Alarms
Every IPS incorporates signatures that use one or more of these basic triggering mechanisms to trigger signature
actions. There are four general IPS signature trigger categories as listed in the table.
Detection types and their advantages:

Pattern-Based Detection
• Also known as signature-based detection.
• Simplest triggering mechanism as it searches for a specific and pre-defined atomic or composite pattern.
• An IPS sensor compares the network traffic to a database of known attacks, and triggers an alarm or prevents
communication if a match is found.

Anomaly-Based Detection
• Also known as profile-based detection.
• Involves first defining a profile of what is considered normal network or host activity.
• This normal profile is usually defined by monitoring traffic and establishing a baseline.
• Once defined, any activity beyond a specified threshold in the normal profile will generate a signature trigger and action.

Policy-Based Detection
• Also known as behavior-based detection.
• Although similar to pattern-based detection, an administrator manually defines behaviors that are suspicious based on
historical analysis.
• The use of behaviors enables a single signature to cover an entire class of activities without having to specify each
individual situation.

Honey Pot-Based Detection
• Honey pot-based detection uses a server as a decoy server to attract attacks.
• The purpose of a decoy server is to lure attacks away from production devices.
• Allows administrators time to analyze incoming attacks and malicious traffic patterns to tune their sensor signatures.

IPS Signatures
IPS Signature Actions
| Alert Category | Specific Action | Description |
|---|---|---|
| Generate an alert | Produce alert | The IPS sends events as alerts. |
| Generate an alert | Produce verbose alert | The IPS sends a detailed event alert. |
| Log the activity | Log attacker packets | Logs packets from the attacker IP address and sends an alert. |
| Log the activity | Log pair packets | Logs packets from the victim and attacker IP addresses and sends an alert. |
| Log the activity | Log victim packets | Logs packets from the victim IP address and sends an alert. |
| Deny the activity | Deny attacker inline | Terminates the current packet and future packets from this attacker address for a specified period of time. |
| Deny the activity | Deny connection inline | Logs packets from the victim IP address and sends an alert. |
| Deny the activity | Deny packet inline | Terminates the current packet and future packets from this attacker address for a specified period of time. |

IPS Signatures
IPS Signature Actions (Cont.)

| Alert Category | Specific Action | Description |
|---|---|---|
| Reset the TCP connection | Reset TCP connection | Sends TCP resets to hijack and terminate the TCP flow. |
| Block future activity | Request block connection | Sends a request to a blocking device to block this connection. |
| Block future activity | Request block host | Sends a request to a blocking device to block this attacker host. |
| Block future activity | Request SNMP trap | Sends a request to the notification application component of the sensor to perform SNMP notification. |

IPS Signatures
Evaluating Alerts
The table summarizes the following four types of alarms.
| Alarm Type | Network Activity | IPS Activity | Outcome |
|---|---|---|---|
| True positive | Attack traffic | Alarm generated | Ideal setting |
| True negative | Normal user traffic | No alarm generated | Ideal setting |
| False positive | Normal user traffic | Alarm generated | Tune alarm |
| False negative | Attack traffic | No alarm generated | Tune alarm |

IPS Signatures
Evaluating Alerts (Cont.)
Alerts can be classified as follows:

True positive - (Desirable) This is used when the IPS generates an alarm because it detected known attack
traffic. The alert has been verified to be an actual security incident and also indicates that the IPS rule worked
correctly.

True negative - (Desirable) This is used when normal network traffic does not generate an alarm. No alerts
are issued because the traffic that is passing through the system is clear of threats.

False positive - (Undesirable) This is used when an IPS generates an alarm after processing normal user
traffic that should not have triggered an alarm. The IPS must be tuned to change these alarm types to true
negatives. The alert does not indicate an actual security incident. Benign activity that results in a false
positive is sometimes referred to as a benign trigger. False positives are costly because they must be
investigated.

False negative - (Dangerous) This is used when an IPS fails to generate an alarm and known attacks are not
being detected. This means that exploits are not being detected by the security systems that are in place.
These incidents could go undetected for a long time, and ongoing data loss and damage could result. The
goal is for these alarm types to generate true positive alarms.

12.2 Cisco Snort IPS

Cisco Snort IPS
Cisco IPS

Organizations now have three options available to provide intrusion prevention services.

• Cisco Firepower Next-Generation IPS (NGIPS) - These are dedicated in-line
threat prevention appliances that provide industry leading effectiveness against
both known and unknown threats.
• Cisco Snort IPS - This is an IPS service that can be enabled on a second
generation ISR (ISR G2) (i.e., ISR 4000s). Note that Cisco 4000 ISRs no longer
support Cisco IOS IPS.
• External Snort IPS Server - This is similar to the Cisco Snort IPS solution but
requires a promiscuous port (i.e., a SPAN switch port) and an external Snort
IDS/IPS.

Cisco Snort IPS
NGIPS
NGIPS are dedicated IPS appliances. They are built on the core open technology of
Snort and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based
security intelligence that is provided by Cisco’s Talos Security Intelligence and Research
Group.

NGIPS features include:

• IPS rules that identify and block attack traffic that targets network vulnerabilities
• Tightly integrated defense against advanced malware incorporating advanced
analysis of network and endpoint activity
• Sandboxing technology that uses hundreds of behavioral indicators to identify
zero-day and evasive attacks
• Also includes Application Visibility and Control (AVC), Cisco Advanced Malware
Protection (AMP) for Networks, and URL Filtering

Cisco Snort IPS
Snort IPS

Snort is an open source network IPS that performs real-time traffic analysis and generates alerts
when threats are detected on IP networks. It can also perform protocol analysis, content
searching or matching, and detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, and so on.

Snort IPS on the 4000 Series ISR provides the following functionalities:
• Intrusion detection system (IDS) and IPS mode
• Three signature levels
• An allowed list
• Snort health monitoring
• Fail open and close
• Signature update
• Event logging

Cisco Snort IPS
Snort Components and Rules
Snort IPS for 4000 Series ISRs consists of two components:
• Snort engine - This is the IPS detection and enforcement engine that is included in the SEC license
for 4000 Series ISRs.
• Snort rule software subscriptions for signature updates - Snort rule sets to keep current with the
latest threat protection are term-based subscriptions, available for one or three years.

To address the rapidly evolving threat landscape, it is important to ensure that signatures are as
up-to-date as possible.

There are two types of term-based subscriptions:

• Community Rule Set - Available for free, the rules that are provided offer limited coverage against
threats. The community rule set focuses on reactive response to security threats versus proactive
research work. There is also a 30-day delayed access to updated signatures, meaning that the newest
rule will be a minimum of 30 days old. In addition, there is no Cisco customer support available.
• Subscriber Rule Set - Available for a fee, this service provides the best protection against threats. It
includes coverage in advance of exploits by using the research work of the Cisco Talos security
experts. The Subscriber Rule Set also provides the fastest access to updated signatures in response
to a security incident or the proactive discovery of a new threat. This subscription is fully supported by
Cisco.
Cisco Snort IPS
ISR Container Applications

Routers were initially packet processing devices. Routers have acquired so much processing power
that server applications can now be hosted inside the router using service containers.

Service containers are virtual machines that run on the routers. Applications such as Snort IPS can
be uploaded and hosted on these routers. Service containers are supported on most IOS XE
platforms. IOS XE is based on the Linux architecture and supports virtual machine hosting.

The Snort engine runs as a Linux Service Container application on the ISR 4000. This provides it
with dedicated computing resources that run independently of the data plane CPU load. It also
makes it easier for the Snort engine to be regularly updated.

Cisco Snort IPS
Snort IPS Rule Alarms

In Snort IPS, signatures are configured using “rules”. These rules serve as the signature alarms
by comparing incoming traffic to the Snort rules. Traffic matching a rule header generates an
action. A rule header is conceptually similar to an access control list (ACL) statement (i.e., ACE).
It is a one line statement that identifies malicious traffic.

The basic rule header command syntax is:

[action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])

Refer to the figure for more information regarding the rule header command syntax.
Cisco Snort IPS
Snort IPS Rule Actions
Snort can be enabled in IDS mode or in IPS mode.

Snort IDS mode can perform the following three actions:

• Alert - Generate an alert using the selected alert method, and then log the packet.
• Log - Log the packet.
• Pass - Ignore the packet.

Snort IPS mode can perform all of the IDS actions plus the following:

• Drop - Block and log the packet.
• Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP
port unreachable message if the protocol is UDP.
• Sdrop - Block the packet but do not log it.

Cisco Snort IPS
Snort IPS Header Rule Options
A Snort rule header also contains rule options (fields) to provide additional information for the rule.
Options are separated by semicolons (;) and the rule option keywords are separated from their
arguments using colons (:).

The table describes the common general rule and the detection rule options in the sample rule
header.
| Rule Option | Specific Action |
|---|---|
| msg: | This is a simple text string that provides a meaningful message to output when the rule matches. |
| flow: | Specifies the direction of network traffic. |
| content: | A detection rule option that allows the user to set rules that search for specific content in the packet payload and trigger a response based on that data. The option data can contain mixed text and binary data. |
| distance: / offset: | Detection rule keywords that allow the rule writer to specify where to start searching relative to the beginning of the payload or the beginning of a content match. |
| within: / depth: | Detection rule keywords that allow the rule writer to specify how far forward to search relative to the end of a previous content match and, once that content match is found, how far to search for it. |
| pcre | A detection rule keyword that allows rules to be written using “perl compatible regular expressions” which allows for more complex matches. |

Cisco Snort IPS
Snort IPS Header Rule Options (Cont.)

The table describes the common general rule and the detection rule options in the
sample rule header.

| Rule Option | Specific Action |
|---|---|
| byte_test | A detection rule keyword that allows a rule to test a number of bytes against a specific value in binary. |
| metadata: | Allows a rule writer to embed additional information about the rule. |
| reference: | Allows rules to include references to external sources of information. |
| classtype: | Identifies the potential effect of what a successful attack would be. |
| sid / rev | The sid is a unique identifier for each rule making them easy to identify. It should be used with the rev (revision) keyword. |

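
The rule header syntax, the six rule actions and the semicolon/colon option format described on the preceding slides, put together as an added example that is not part of the original deck: a small parser and linter for one rule line. The function names, the lint checks and the sample rules are constructed for illustration; the sensor mode names mirror the threat detection (IDS) and threat protection (IPS) settings covered in the configuration section.

```python
import re

IDS_ACTIONS = {"alert", "log", "pass"}        # available in IDS and IPS mode
IPS_ACTIONS = {"drop", "reject", "sdrop"}     # available in IPS mode only

# [action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([options])
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<protocol>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)"
    r"\s+->\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$",
    re.DOTALL,
)

# Constructed sample rule; the sid is an arbitrary local value.
SAMPLE_RULE = (
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"Constructed example; semicolon inside quotes"; '
    'flow:to_server,established; content:"EXAMPLE-BAD-STRING"; depth:64; '
    'classtype:web-application-attack; sid:1000001; rev:2;)'
)


def split_options(body):
    """Split on ';' except inside double quotes or directly after a backslash."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated quoted string in rule options")
    tail = "".join(buf).strip()
    if tail:
        raise ValueError(f"option not terminated by ';': {tail!r}")
    return [p for p in parts if p]


def parse_rule(text):
    """Return the header fields plus an ordered list of (keyword, argument)."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("line does not follow the rule header syntax")
    rule = m.groupdict()
    if rule["action"] not in IDS_ACTIONS | IPS_ACTIONS:
        raise ValueError(f"unknown rule action: {rule['action']!r}")
    rule["needs_ips_mode"] = rule["action"] in IPS_ACTIONS
    options = []
    for opt in split_options(rule.pop("options")):
        keyword, sep, arg = opt.partition(":")   # keyword:argument
        options.append((keyword.strip(), arg.strip() if sep else None))
    rule["options"] = options                    # order kept: keywords can repeat
    return rule


def lint(rule, sensor_mode="detection"):
    """sensor_mode is 'detection' (IDS) or 'protection' (IPS)."""
    keywords = [k for k, _ in rule["options"]]
    findings = []
    if rule["needs_ips_mode"] and sensor_mode != "protection":
        findings.append(f"action '{rule['action']}' is only available in IPS mode")
    if "msg" not in keywords:
        findings.append("no msg: option, alerts will carry no description")
    if "sid" not in keywords:
        findings.append("no sid: option, rule cannot be uniquely identified")
    elif "rev" not in keywords:
        findings.append("sid: used without rev:")
    return findings


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print(parsed)
    print(lint(parsed, sensor_mode="detection"))
```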
Cisco Snort IPS
Snort IPS Operation

Packets arriving on Snort enabled interfaces are inspected as follows:

1. Cisco IOS Software forwards the packets to be inspected to the Snort IPS engine using
an internal virtual port group (VPG) interface.
2. Snort IPS inspects the traffic and takes necessary action.
3. Snort drops the packets associated with bad flows (IPS mode). Good flow packets are
returned back to the router for further processing.

Packet exchange between the container applications and the IOS data plane is done using VPG
interfaces. These routed interfaces are connected through the router back plane. The
corresponding interface on the container side will appear as virtual Ethernet ports.

Cisco Snort IPS
Snort IPS Operation
Snort IPS requires two VPG interfaces:

• Management interface - This is the interface that is used to source logs to the log collector and for
retrieving signature updates from Cisco.com. For this reason, this interface requires a routable IP address.
• Data interface - This is the interface that is used to send user traffic between the Snort virtual
container service and the router forwarding plane.

In the figure, VPG0 is used for Snort management traffic while VPG1 is used for user traffic to be
inspected. User traffic to be inspected is forwarded to the Snort engine using VPG1 as shown. Traffic is
then inspected and either rejected (dropped) or forwarded back to the router.
12.3 Configure Snort IPS

Configure Snort IPS
Snort IPS Configuration Steps

To deploy Snort IPS on supported devices, perform the following tasks:

1. Download the Snort OVA file.
2. Install the OVA file.
3. Configure VirtualPortGroup interfaces.
4. Activate the virtual services.
5. Configure Snort specifics (e.g., IPS or IDS mode, policy, reporting of events to
an external alert/log server or IOS syslog or both, and the signature update
method).
6. Enable IPS globally or on desired interfaces.
7. Verify Snort.

Configure Snort IPS
Step 1. Download the Snort OVA File

An Open Virtualization Archive (OVA) is a file that contains a compressed, installable version
of a virtual machine.

The service OVA file is not bundled with the Cisco IOS XE Release images installed on the
router. Although the OVA files may be preinstalled in the flash of the router, it is recommended
that the latest OVA file be downloaded from Cisco.com.

Configure Snort IPS
Step 2. Install the Snort OVA File
The OVA file must be downloaded and saved in a file location available to the ISR router (e.g.,
Flash).
To install the OVA file to the router, use the virtual-service install name virtual-service-name
package file-url media file-system privileged EXEC command. The length of the
name is 20 characters and the complete path to the OVA file must be specified.

An example configuration is shown below.

Use the show virtual-service list command to display the status of the installation of all applications
installed on the virtual service container.
Configure Snort IPS
Step 3. Configure Virtual Port Group Interfaces
Two VirtualPortGroup (VPG) interfaces must then be configured along with their guest IP
addresses.

In our example, the VPG interfaces will be configured as follows:

• VPG0 - This is for management traffic to exchange information with IPS servers.
The guest IP address needs to be routable to connect to the signature update
server and external log server. It is also used to log traffic to log collectors.
• VPG1 - This is for user traffic marked for inspection. This should not
be routable and therefore should use a non-routable private IP address.

This is a sample configuration of VPG0 and VPG1.

Configure Snort IPS
Step 4. Activate Virtual Services
The next step is to configure guest IPs on the same subnet for the container side and activate the
virtual service.

• The virtual-service MYIPS command configures the logical name that is used to identify the virtual
container service.
• The vnic gateway VirtualPortGroup interface-number command creates a virtual network interface
card (vNIC) gateway interface for the virtual container service.
• The guest ip address command configures a guest vNIC address for the vNIC gateway interface.
• Finally, the activate command activates the application installed in a virtual container service.
Configure Snort IPS
Step 5. Configure Snort Specifics
The utd engine standard command configures the united threat defense (UTD) standard engine
and enters UTD standard engine configuration mode.

The logging host and logging syslog commands enable the logging of emergency messages to
a server.

The threat-inspection command configures threat inspection for the Snort engine. From here you
can specify which mode Snort will be in:
• threat protection - Snort will be in IPS mode.
• threat detection - Snort will be in IDS mode.
Configure Snort IPS
Step 5. Configure Snort Specifics (Cont.)
The policy command specifies three security policies that can be used by Snort. These are base
policies provided by Cisco Talos. The three policy settings in order from least protection to most
protection are:

• connectivity - This provides the least protection as it prioritizes connectivity over security.
Approximately 1,000 rules are pre-loaded using this policy.

• balanced - This is the default policy. It is recommended for initial deployments. This policy
attempts to balance security needs and performance characteristics of the network.
Approximately 8,000 rules are pre-loaded using this policy.

• security - This provides the most protection. It is designed for organizations that are
exceptionally concerned about security. Customers deploy this policy in protected
networks that have lower bandwidth requirements but much higher security
requirements. Approximately 12,000 rules are pre-loaded using this policy.
Configure Snort IPS
Step 6. Enable IPS Globally or on Desired Interfaces
[Figure panels: Globally | Selected Interfaces]

You can enable UTD globally on all interfaces or on selected interface.

You can also enable the UTD allowed list feature. This enables you to identify IPS signature IDs
to be suppressed (not used).
Configure Snort IPS
Step 7. Verify Snort IPS

After Snort IPS is implemented, it is necessary to verify the configuration to ensure correct
operation.

There are several show commands that can be used to verify the Snort IPS configuration and
operation.
• show virtual-service list - The command displays an overview of resources that are
utilized by the applications.
• show virtual-service detail - The command displays a list of resources that are
committed to a specified application, including attached devices.
• show utd engine standard config - The command displays the UTD configuration.
• show utd engine standard status - The command displays the status of the UTD
engine.
• show platform hardware qfp active feature utd stats - The command checks the data
plane. It verifies increments for encap, decap, redirect, and reinject and displays a health
of "Green".
12.4 IPS Operation and Implementation Summary

IPS Operation and Implementation Summary
What Did I Learn in this Module?
• IPS signatures have three attributes: type, trigger, and action.
• The signature type can be atomic or composite.
• The signature alarms can use pattern-based detection, anomaly-based detection, policy-based
detection, or honey pot-based detection.
• There are a variety of IPS signature actions including generate an alert, log the activity, deny
the activity, and others.
• Triggering mechanisms can generate results such as true positives, true negatives, false
positives, and false negatives.
• Snort IPS on an ISR device can provide both IDS and IPS services.
• Snort IPS consists of a Snort engine and Snort rule set.
• To configure Snort IPS, configure VPG interfaces, activate the virtual services, configure
Snort IPS specifics, and enable UTD.
• Use show commands to verify its operation.

IPS Operation and Implementation
New Terms and Commands
• atomic signature
• composite signature
• pattern-based detection
• anomaly-based detection
• policy-based detection
• honey pot-based detection
• true positive
• true negative
• false positive
• false negative
• Snort community rule set
• Snort subscriber rule set
• virtual port group (VPG) interface
• Open Virtualization Archive (OVA)

• virtual-service install name virtual-service-name package file-url media file-system
• virtual-service virtual-service-name
• vnic gateway VirtualPortGroup interface-number
• guest ip address ip-address
• utd engine standard, and then logging host ip-address, and logging syslog
• threat-inspection, and then threat protection, policy balanced, signature update, and signature update server
• utd, and then all-interfaces
• engine standard, and then fail close
• utd enable
• utd threat-inspection whitelist, and then signature

IPS Operation and Implementation
New Terms and Commands (cont.)
• show virtual-service list
• show virtual-service detail
• show utd engine standard config
• show utd engine standard status
• show platform hardware qfp active feature utd stats
