
Deploying Intrusion Prevention Systems

BRKSEC-2030

Gary Halleen

Consulting Systems Engineer II


© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2030 Cisco Public

Agenda

• Introductions

• Introduction to IPS

• Comparing Cisco IPS Solutions

• IPS Deployment Considerations

• Migration from IPS 7.x to Sourcefire NGIPS

• Conclusion


Goal of this Session

1. Understand Cisco’s IDS/IPS Portfolio, including new additions from Sourcefire.

2. Understand options around deploying an IPS solution.

3. Understand options for high availability.

4. Understand strategy around migrating an IPS solution.


Introduction to IPS


What is IPS?


Intrusion Detection System (IDS)

The sensing interface receives copies of network traffic from a SPAN port, hub, tap, or VACL capture. It does not sit in the flow of traffic.

[Diagram: Internet, Host, Sensor (no IP address), Alert!]


Intrusion Prevention System (IPS)

The sensor sits in the traffic path and has the capability to drop traffic when desired.

Inline interfaces do not have IP addresses.

IPS operates at Layer 2 and can be thought of as a “Smart Wire”.

[Diagram: Internet, Host, Sensor (no IP address), Block, Alert!]


Integrated IPS or IDS

Traffic is passed, via the ASA backplane, to the sensor as IDS, IPS, or both.

[Diagram: Internet, Host, ASA in Routed or Transparent Mode]


Cisco IPS Solutions

Cisco acquired Sourcefire in October 2013.

Cisco is committed to maintaining and contributing to Sourcefire Open Source Projects.


Cisco IPS Solutions

Cisco IPS 7.x

• Traditional IPS Solution

• Supported on IPS 4200, 4300, 4500-series appliances, as well as ASA IPS Modules

Cisco Sourcefire IPS

• Next-Generation IPS, Firewall, and Anti-Malware Solution

• Supported on Sourcefire 7000 and 8000-series Appliances

• Supported in VMware ESX


Cisco anticipates many Cisco IPS 7 customers will want to migrate to Sourcefire in order to take advantage of its Next-Generation features.


Next-Generation Security

Traditional security appliances rely on a 5-tuple of information to identify traffic, its source, and its destination:

– (Source Address, Destination Address, Source Port, Destination Port, Protocol)

Next-Generation Security Appliances, like Sourcefire FirePower, enhance traditional security by combining it with much more information, such as:

– User Identity

– Application Protocol

– Application

– Client Application

– Operating System

– Geographic Location of Source or Destination

– URL Category


What does “Next-Gen” mean?


Comparing Cisco’s IPS Solutions


Hardware


Cisco IPS 7.x: Dedicated IPS Family

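[Figure: dedicated Cisco IPS 7.x appliances plotted by performance, scalability, and adaptivity across Branch Office, Internet Edge, Campus, and Data Center. Models shown: IPS 4345, IPS 4360, IPS 4500-series, IPS 4520-XL. Throughput labels: 750 Mbps, 1.25 Gbps, 3 to 5 Gbps, 10 Gbps.]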


Cisco IPS 7.x: Integrated IPS Family

[Figure: integrated Cisco IPS 7.x platforms plotted by performance, scalability, and adaptivity across SOHO, Branch Office, Internet Edge, Campus, and Data Center. Models shown: ASA5512-X IPS, ASA5515-X IPS, ASA5525-X IPS, ASA5545-X IPS, ASA5555-X IPS, ASA5585-X SSP-10 / SSP-20, ASA5585-X SSP-40 / SSP-60. Throughput labels: 250 Mbps, 400 to 600 Mbps, 900 Mbps to 1.3 Gbps, 2 to 3 Gbps, 5 to 10 Gbps.]


Sourcefire: Appliance Family

[Figure: Sourcefire appliances ("Next-Generation Security!") positioned across Branch Office, Internet Edge, Campus, and Data Center. Models shown: 7000-series, 7100-series, 8100-series, 8200 and 8300-series. Throughput labels: 50 to 250 Mbps, 500 Mbps to 2 Gbps, 2 to 12 Gbps, 10 to 60 Gbps.]


FirePower 8200/8300: Single-pass, high-performance, low-latency

Flexible in Software

– NGIPS, NGFW, AMP

– All of the above (just size appropriately)

Flexible in Hardware

– Modular for options in Interfaces, including 10GE and 40GE

– High-Performance:

  • 10Gbps with 8250

  • 15Gbps with 8350

Cost Effective

– Best in class for IPS by NSS Labs

– Best in class for NGFW by NSS Labs

– Best in class for Breach Detection by NSS Labs


8200-series

– 8250 10Gbps

– 2x 8250 = 8260 20Gbps

– 3x 8250 = 8270 30Gbps

– 4x 8250 = 8290 40Gbps

8300-series

– 8350 15Gbps

– 2x 8350 = 8360 30Gbps

– 3x 8350 = 8370 45Gbps

– 4x 8350 = 8390 60Gbps



Sourcefire: Virtual Appliance (VMware ESX)

Virtual Appliance performance depends entirely on the CPU resources and RAM allocated to it in VMware.

Performance range is typically between 250 Mbps and 2 Gbps.


Cisco IPS Platform Features

| Feature | IPS-4200* | IPS-4300 | IPS-4500 |
|---|---|---|---|
| 1GE Interfaces | YES | YES | YES |
| 10GE Interfaces | NO | NO | YES |
| 40GE Interfaces | NO | NO | NO |
| SFP Ports | NO | NO | YES |
| Hardware Bypass | NO | YES | NO |
| Software Bypass | YES | YES | YES |
| Hardware Fast Pass | NO | NO | NO |
| L3 Mode | NO | NO | NO |

* IPS-4200 series is End of Sale


Sourcefire IPS Platform Features


Virtual 7000 7100 8100 8200+

1GE Interfaces YES YES YES YES

10GE Interfaces NO NO YES YES

40GE Interfaces NO NO NO YES

SFP Ports NO YES * YES ** YES **

Hardware Bypass YES YES YES YES

Software Bypass YES YES YES YES YES

Hardware Fast Pass NO NO YES YES

L3 Mode NO YES YES YES YES

* 7115, 7125, and 7150 models only

** Fiber-to-SFP Transceiver


Management


IPS Management Comparison

Cisco Security Manager (CSM) for Enterprise Management

Cisco IPS 7.x

Features and Limitations:

• Client/Server Windows Application

• Java Application

• Supports Out-of-Band Change Detection

• Manages, Monitors, and Reports for hundreds of Sensors


IPS Management Comparison

IPS Manager Express (IME) for Individual or Small Network Management

Cisco IPS 7.x

Features and Limitations:

• Windows Desktop Application

• Written in Java

• Functional for Small Deployments only


IPS Management Comparison

Defense Center for All Deployment Sizes

Sourcefire 5.3

Features and Limitations:

• HTML5 Application

• FireSIGHT provides network visibility and contextual information

• eStreamer Support for 3rd Party Integration

• Available as Hardware Appliance or VM (ESX)

• Manage up to 150 Sourcefire Sensors

• Also Manages Next-Gen Firewall Features!


Sourcefire Defense Center GUI Walkthrough


Software


Software Feature Comparison

| Feature | IPS 7.x | SF 5.3 |
|---|---|---|
| Open IPS Signatures or Rules | YES | YES |
| Passive OS Fingerprinting | YES | YES |
| User Identity Reporting within Events | NO | YES |
| Integrated Firewalling Capability | NO | YES |
| Application Control | Limited | YES |
| Visibility and Control of Client Applications | NO | YES |
| Geo-Location Reporting and Policies | NO | YES |
| 3rd Party API | NO | YES |
| URL Filtering Capability | NO | YES |


Cisco IPS 7.x Risk Rating

$$RR = \frac{ASR \times TVR \times SFR}{10{,}000} + ARR - PD + GC$$

• RR (Risk Rating)

• ASR (Alert Severity): Informational = 25, Low = 50, Medium = 75, High = 100

• SFR (Signature Fidelity): Given by Cisco per signature

• TVR (Target Value): Low value = 75, Medium = 100, High value = 150, Mission Critical = 200

• ARR (Attack Relevancy): If relevant, added by 10; if irrelevant, reduced by 10

• PD (Promiscuous Delta): Between 0 and 30; only in promiscuous

• GC (Global Correlation): Depending on the reputation


Risk Rating and IPS Policy

The Risk Rating adds together the answers to these questions:

• Event Severity: Urgency of threat?

• Signature Fidelity: How prone to false positive?

• Attack Relevancy: Important to attack target?

• Asset Value of Target: How critical is this destination host?

• Global Correlation: What is the attacker’s reputation?

| Risk Rating | IPS Policy Action |
|---|---|
| RR < 34 | Default Action |
| 35 < RR < 90 | Verbose Alert |
| RR > 90 | Deny Packet Inline |
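The risk rating formula and the policy bands from the two slides above, worked through on constructed alerts (an added example, not Cisco code). Assumptions: integer division, clamping the result to 0-100, a relevancy of "unknown" contributing 0, and treating the bands as 0-34, 35-89 and 90-100, since the slide leaves 34, 35 and 90 unassigned.

```python
from dataclasses import dataclass

# Component values as listed on the slides.
ALERT_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission_critical": 200}
# The slides give +10 and -10; "unknown" = 0 is an assumption of this example.
ATTACK_RELEVANCY = {"relevant": 10, "unknown": 0, "irrelevant": -10}


@dataclass
class Alert:
    name: str
    severity: str                # key of ALERT_SEVERITY (ASR)
    fidelity: int                # SFR, assumed 0-100, set per signature
    target: str                  # key of TARGET_VALUE (TVR)
    relevancy: str = "unknown"   # key of ATTACK_RELEVANCY (ARR)
    promiscuous: bool = False    # True when the sensor only sees copies
    promiscuous_delta: int = 0   # PD, 0-30, applied only in promiscuous mode
    global_correlation: int = 0  # GC, reputation-based adjustment (constructed values)


def risk_rating(a: Alert) -> int:
    """RR = (ASR * TVR * SFR) / 10,000 + ARR - PD + GC."""
    if not 0 <= a.fidelity <= 100:
        raise ValueError("signature fidelity must be 0-100")
    if not 0 <= a.promiscuous_delta <= 30:
        raise ValueError("promiscuous delta must be 0-30")
    base = (ALERT_SEVERITY[a.severity] * TARGET_VALUE[a.target] * a.fidelity) // 10_000
    rr = base + ATTACK_RELEVANCY[a.relevancy] + a.global_correlation
    if a.promiscuous:
        rr -= a.promiscuous_delta
    return max(0, min(100, rr))  # clamp to 0-100 (assumption)


def policy_action(rr: int) -> str:
    """Map a risk rating to the action bands on the slide (band edges assumed)."""
    if rr >= 90:
        return "Deny Packet Inline"
    if rr >= 35:
        return "Verbose Alert"
    return "Default Action"


def evaluate(alerts):
    return {a.name: (risk_rating(a), policy_action(risk_rating(a))) for a in alerts}


# Constructed alerts: the same signature scored against different assets and modes.
SAMPLE_ALERTS = [
    Alert("inline-critical", "high", 90, "medium", "relevant"),
    Alert("same-promiscuous", "high", 90, "medium", "relevant",
          promiscuous=True, promiscuous_delta=15),
    Alert("low-value-asset", "low", 80, "low", "irrelevant"),
    Alert("medium-on-medium", "medium", 80, "medium"),
    Alert("medium-on-mission-critical", "medium", 80, "mission_critical"),
    Alert("bad-reputation", "medium", 80, "medium", global_correlation=35),
]

if __name__ == "__main__":
    for name, (rr, action) in evaluate(SAMPLE_ALERTS).items():
        print(f"{name:28s} RR={rr:3d} -> {action}")
```

Raising the target value of an asset is enough to move the same medium-severity alert from an alert-only action into the deny band, which is why the asset value assignments deserve review before inline blocking is enabled.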


Sourcefire Priority Levels


Priority Level:

“How Dangerous is the Attack?”


Sourcefire Impact Levels


Impact Level:

“Are my hosts VULNERABLE to the attack?”


Sourcefire Impact Levels

| Impact Level | Vulnerable? | Definition |
|---|---|---|
| 0 | Unknown | Neither the Source nor the Destination Host exists on a network monitored by network discovery. |
| 1 | Vulnerable | Either the Source or Destination is vulnerable to the attack, or a Host is compromised by Malware. |
| 2 | Potentially Vulnerable | Either the Source or Destination is running the Port or Protocol used in the Attack. |
| 3 | Not Vulnerable | The Port or Protocol used in the Attack is not running on the Host. |
| 4 | Unknown | The Host is on a monitored network, but doesn’t appear to exist. |
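A sketch of how the impact levels in the table can be derived from a host map, as an added example rather than Sourcefire's implementation. The `HostProfile` and `Event` structures, the rule ids, and the order in which the levels are tested are assumptions; addresses and profiles are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    """Hypothetical record of what network discovery knows about one host."""
    services: set = field(default_factory=set)       # e.g. {("tcp", 80)}
    vulnerable_to: set = field(default_factory=set)  # rule ids mapped to host vulnerabilities
    compromised: bool = False                        # host flagged as compromised by malware


@dataclass
class Event:
    src: str
    dst: str
    proto: str
    port: int     # port used in the attack
    rule_id: int  # constructed rule identifier


def impact_level(event, monitored, hosts):
    """Return the impact level (0-4) per the table above."""
    nets = [ipaddress.ip_network(n) for n in monitored]
    on_monitored = [ip for ip in (event.src, event.dst)
                    if any(ipaddress.ip_address(ip) in n for n in nets)]
    if not on_monitored:
        return 0  # neither endpoint is on a monitored network
    profiles = [hosts[ip] for ip in on_monitored if ip in hosts]
    if not profiles:
        return 4  # monitored network, but no such host has been seen
    if any(p.compromised or event.rule_id in p.vulnerable_to for p in profiles):
        return 1  # vulnerable to this attack, or already compromised
    if any((event.proto, event.port) in p.services for p in profiles):
        return 2  # port/protocol is running: potentially vulnerable
    return 3      # port/protocol not running on the host


# Constructed environment.
MONITORED = ["10.0.0.0/8"]
HOSTS = {
    "10.1.1.10": HostProfile(services={("tcp", 80)}, vulnerable_to={1001}),
    "10.1.1.20": HostProfile(services={("tcp", 22)}),
    "10.1.1.30": HostProfile(services={("tcp", 445)}, compromised=True),
}
SAMPLE_EVENTS = [
    Event("203.0.113.5", "10.1.1.10", "tcp", 80, 1001),    # vulnerable web server
    Event("203.0.113.5", "10.1.1.10", "tcp", 80, 2002),    # service up, no mapped vuln
    Event("203.0.113.5", "10.1.1.20", "tcp", 80, 1001),    # port 80 not running
    Event("203.0.113.5", "10.1.1.99", "tcp", 80, 1001),    # unseen host on monitored net
    Event("203.0.113.5", "198.51.100.7", "tcp", 80, 1001), # both endpoints unmonitored
    Event("10.1.1.30", "198.51.100.7", "tcp", 443, 3003),  # compromised internal source
]


def classify_all():
    return [impact_level(e, MONITORED, HOSTS) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, lvl in zip(SAMPLE_EVENTS, classify_all()):
        print(f"{e.src:>13} -> {e.dst:<13} {e.proto}/{e.port} rule {e.rule_id}: impact {lvl}")
```

The quality of the result depends on the host map: a stale or empty profile pushes events toward levels 3, 4 or 0, so analysts triaging by impact level should confirm network discovery covers the segments they care about.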


Sourcefire search Levels and Impacts


Indicators of Compromise


Sourcefire IOC


Indicators of Compromise: New to SF 5.3

Wouldn’t it be nice if your IPS console could tell you if you appeared to have a compromised host?

For example:

o Has the host connected to an exploit kit?

o Has the host been involved in an Impact 1 event?

o Has the host downloaded malware?

o Did the malware execute?

o Has the host connected to a CNC server?


Sourcefire IOC


Configurable Settings


IOC Dashboard Widget

• Because IOCs enable a quick way of classifying a host’s potentially compromised state, having this data on a dashboard is desirable.

[Screenshot: dashboard widget listing each host with the number of IOCs set against the host; click to expand]


IOC Host Profile View


IPS Deployment Considerations


Connectivity


Connectivity


Promiscuous Mode IDS

– Promiscuous interface

Inline Mode IPS

– Inline Interface Pairs

– Inline VLAN Pairs

Integrated IPS/IDS

– Inline

– Promiscuous

How should the Sensor be Connected?


Connectivity

[Diagram: Ethernet Switch with a SPAN Destination Port or VACL Capture connected to the sensor's Promiscuous Interface]

• Only copies of the packets are sent to the sensor

• Mostly detection, limited protection

• Optional prevention through external blocking

• Separate device must send copies of the packets

– Span (or monitor) from a switch

– VACL capture from a switch

– Network Taps

Promiscuous Interface


Connectivity


o Two physical interfaces paired together

o Multiple Pairs can be configured on same sensor

o IPS between two access-ports on the same switch or between two different switches

o Traffic passes through the sensor

o Pass Good Traffic, and Block Bad

o Redundancy can be provided with STP or additional sensor.

o Fail-open can be provided with hardware-bypass interfaces

Transparent Interfaces: the sensor is a Layer 2 bridge and sits between two physical ports on a switch or two different switches.

Inline Interface Pairs


Connectivity


o Two or more physical or VLAN interfaces defined as routable interfaces

o Traffic passes through the sensor

o Pass Good Traffic, and Drop Bad

o Redundancy can be provided through SFRP to a standby sensor

o Fail-open is NOT supported with hardware-bypass interfaces

o Routed Interfaces are most commonly used in a NGFW deployment

Routed Interfaces

Sensor is Layer 3 Router

Inline Routed Interfaces (Sourcefire)


Connectivity


o IPS sits on a trunk between two VLANs on switch, if using Cisco IPS.

o Traffic passes through IPS and gets inspected and retagged or dropped.

o Supported with ECLB high-availability deployments.

o Redundancy can be provided with STP deployments.

o Fail open can be provided with a redundant wire.

[Diagram: HostA on VLAN10 and HostB on VLAN20, connected over a trunk to the sensor; the sensor rewrites the 802.1Q header]

Inline VLAN Pairs (Cisco IPS 7.x)
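What "inspected and retagged or dropped" means at the frame level for an inline VLAN pair, as an added example that is not Cisco code. The VLAN ids 10 and 20 follow the diagram; the frame contents, the `toy_inspect` stand-in for the signature engine, and the choice to not forward frames outside the pair are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Build a constructed Ethernet frame carrying one 802.1Q tag."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_tag(frame):
    """Return the 802.1Q fields, or None for short or untagged frames."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def toy_inspect(payload):
    """Stand-in for the inspection engine: False means drop (constructed pattern)."""
    return b"EVIL-PATTERN" not in payload


def bridge_vlan_pair(frame, vlan_a, vlan_b, inspect=toy_inspect):
    """Inspect a frame arriving on one VLAN of the pair and retag it to the other.

    Returns the retagged frame, or None when the frame is dropped or does not
    belong to the pair.
    """
    tag = parse_tag(frame)
    if tag is None or tag["vid"] not in (vlan_a, vlan_b):
        return None
    if not inspect(frame[18:]):  # payload starts after MACs, tag and EtherType
        return None
    out_vid = vlan_b if tag["vid"] == vlan_a else vlan_a
    # Rewrite only the VLAN id; priority (PCP) and DEI bits are preserved.
    tci = (tag["pcp"] << 13) | (tag["dei"] << 12) | out_vid
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


# Constructed MAC addresses for HostA and HostB.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")

if __name__ == "__main__":
    good = build_tagged_frame(HOST_B, HOST_A, 10, 0x0800, b"hello", pcp=5)
    bad = build_tagged_frame(HOST_B, HOST_A, 10, 0x0800, b"xx EVIL-PATTERN xx")
    print(parse_tag(bridge_vlan_pair(good, 10, 20)))  # VLAN id becomes 20
    print(bridge_vlan_pair(bad, 10, 20))              # dropped
```

Because the two VLANs are only joined through the sensor, hosts on VLAN10 and VLAN20 share one subnet but cannot reach each other unless the frame passes inspection and is retagged.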


Connectivity


o Virtual Switch is defined within Sensor

o Two or more Physical Interfaces or VLANs are assigned to the Virtual Switch

o Traffic passes through IPS and gets inspected

o Redundancy can be provided with STP deployments.

o Fail open can be provided with a redundant wire.

[Diagram: HostA on VLAN10 and HostB on VLAN20]

Switched Deployment Mode (Sourcefire)


Connectivity


o Dedicated IPS behind the firewall

o Dedicated IPS in front of the firewall

o Integrated IPS inside the firewall

Relationship to the Firewall


+ Most organizations place the IPS behind the Firewall.

+ The firewall blocks all inbound traffic unless it is addressed to a server or is a response to an earlier request.

- IPS’s visibility is limited to what the Firewall allows in.

+ Best of breed functionality.

Connectivity

[Diagram: Intranet, Internet]

Dedicated IPS Behind the Firewall


+ Provides better visibility into attacks from the internet

- Increases Noise

- IPS handles more state and may become a bottleneck during a DDoS attack

Connectivity

[Diagram: Intranet, Internet]

Dedicated IPS In Front of the Firewall


Integrated IPS inside the Firewall

+ Placing IPS inside the firewall provides all the benefits of ASA + full IPS functionality

+ Flexible IPS/IDS Policy selection based on 5-tuple, User-ID, SXP

+ ASA provides traffic symmetry, normalization, resiliency (failover), and scaling (clustering) to IPS

+ IPS inspection of traffic from VPN-tunnels terminated on ASA

Connectivity

[Diagram: Intranet, Internet]


Performance


Performance

Interface Types and Speeds:

o 1GE, 10GE, 40GE?

o Fiber or Copper?

Connections:

o Interface speed is important, but traffic type is more important.

o How many CONNECTIONS do you need to support?


Fixed Interface Models

| Model | Firewall (w/o Inspection) | IPS | Connections | CPS | Size (Rack Units) |
|---|---|---|---|---|---|
| 3D7030 | 500 Mbps | 250 Mbps | 500,000 | 5,000 | 1 |
| IPS-4345 | | 750 Mbps | 750,000 | 30,000 | 1 |
| 3D7115 | 1.5 Gbps | 750 Mbps | 1,500,000 | 27,500 | 1 |
| IPS-4360 | | 1.25 Gbps | 1,700,000 | 45,000 | 1 |
| 3D7125 | 2.5 Gbps | 1.25 Gbps | 2,500,000 | 42,500 | 1 |
| AMP-7150 * | 500 Mbps * | 500 Mbps * | 2,500,000 | 42,500 | 1 |
| IPS-4510 | | 3 Gbps | 3,800,000 | 72,000 | 2 |
| IPS-4520 | | 5 Gbps | 8,400,000 | 100,000 | 2 |
| IPS-4520-XL | | 10 Gbps | 16,800,000 | 200,000 | 2 |

* AMP Appliances are sized with ALL features enabled

Not All Models are Listed

Modular Models

| Model | Firewall (w/o Inspection) | IPS | Connections | CPS | Size (Rack Units) |
|---|---|---|---|---|---|
| 3D8120 | 4 Gbps | 2 Gbps | 3,000,000 | 45,000 | 1 |
| 3D8150 * | 2 Gbps * | 2 Gbps * | 3,000,000 | 45,000 | 1 |
| 3D8130 | 8 Gbps | 4 Gbps | 4,500,000 | 70,000 | 1 |
| 3D8140 | 10 Gbps | 6 Gbps | 7,000,000 | 100,000 | 1 |
| 3D8250 | 20 Gbps | 10 Gbps | 12,000,000 | 180,000 | 2 |
| 3D8350 | 30 Gbps | 15 Gbps | 12,000,000 | 180,000 | 2 |
| 3D8360 | 60 Gbps | 30 Gbps | 24,000,000 | 360,000 | 4 |
| 3D8370 | 90 Gbps | 45 Gbps | 36,000,000 | 540,000 | 6 |
| 3D8390 | 120 Gbps | 60 Gbps | 48,000,000 | 720,000 | 8 |

* AMP Appliances are sized with ALL features enabled

Not All Models are Listed

Availability

| | Integrated ASA+IPS | IDS Appliance | IPS Appliance |
|---|---|---|---|
| Network Availability | ASA/IPS Fail-Open | N/A | Software Bypass; Hardware Bypass; STP and redundant cable |
| Security Availability | ASA Failover | Multiple IDS connected to multiple Monitor Ports | STP and redundant sensor; Port-channel with 2 or more sensors; IPS Clustering (Sourcefire) |

What should happen if the IPS fails?

| | | Description |
|---|---|---|
| Interface Pairing | Inline Deployment Redundancy | Traffic passes through either Sensor. Mid-Session Pickup allows established flows to pass. Spanning-Tree typically places one in Blocking state. |
| VLAN Pairing | Switched Deployment Redundancy | Spanning-Tree Protocol is used to determine redundancy. |
| Layer 3 Mode | Routed Deployment Redundancy | SFRP (similar to VRRP) creates an Active/Passive deployment. |
| IDS Mode | Passive Deployment Redundancy | Same as having multiple standalone IDS appliances, except duplicate events are suppressed. |

What is Sourcefire’s Clustering?

o Sensors between 2 switches or 2 VLANs on the same switch

o STP determines the Forwarding/Blocking path

o SW-bypass configured to off for “always inspect” requirement

o Sensor failure causes STP to place the other sensor in forwarding state

o UDLD supported for failure-detection

[Diagram labels: Ethernet Switch, Ethernet Switch, Data Flow]

Sensors with Spanning-Tree Protocol

• Active/Active, Active/Standby, and Clustering

• ASA synchronizes connection table

• ASA configuration automatically synched.

• IPS Configuration Synchronization using CSM Policy-bundle, or through Sourcefire Defense Center.

ASA Failover

Migrating from Cisco IPS 7 to Sourcefire

Think about the existing deployment:

o Speed and latency needs?

o Interface needs?

o Have HA needs been considered?

o Have you backed up any custom IPS signatures?

Before the Migration

o Which migration strategy makes sense for your organization?

1. Cut over to Inline IPS Mode

• Replace Cisco IPS 7 with Sourcefire in IPS mode. Monitor closely, and adjust the policy. Most risky option for Legitimate Traffic.

2. Cut over to Inline Audit Mode

• Replace Cisco IPS 7 with Sourcefire in Audit mode. Monitor traffic and alerts, and then put sensor in IPS mode. Most risky option vs malicious traffic and for compliance.

3. Run Both Temporarily

• Install Sourcefire in IDS Mode, connected to a SPAN port or other method of capturing network traffic. Sourcefire should be placed on the UNTRUSTED side of the Cisco IPS sensor, while leaving Cisco IPS in place. Monitor the sensor and adjust policy accordingly. When sensor is tuned, complete migration with either Step 1 or 2, above. This is the best option for most organizations.

Migration Strategies, based on Risk Assessment

1. Before Migration: Running Cisco IPS 7

2. During Migration: Running both Cisco IPS 7 and Sourcefire

3. After Migration: Running only Sourcefire

For most organizations…

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
