
08-Introduction To IPS

IPS (intrusion prevention systems) such as Cisco IDS and IPS are used to protect networks from malicious traffic by identifying, classifying, and stopping threats before they impact the network. An IPS can be deployed in different modes, such as inline or SPAN/TAP, with inline mode able to actively monitor, analyze, and block traffic. There are also network-based and host-based IPS options: a network-based IPS is normally installed inline to monitor traffic, while a host-based IPS uses agents on the systems. Placement of the IPS within the network also requires consideration of factors such as the criticality of each zone and the number of false alarms generated.


IPS (Intrusion Prevention Systems):

o Cisco IDS and IPS are used as part of a defense-in-depth approach to protect the network.
o We install and configure an IPS/IDS to monitor for malicious traffic or activity on our network.
o Basically, Cisco IDS and IPS are used to protect the network against malicious traffic.
o IDSs focus on detection, whereas IPSs focus on preventing threats and unauthorized access.
o The biggest difference between Cisco IDS and Cisco IPS is that an IPS responds immediately.
o An IPS does not allow malicious traffic to pass, whereas an IDS allows malicious traffic to pass and only alerts on it.

Describe IPS Deployment Considerations:

o In today's organizations, attacks come from everywhere; they can originate inside or outside the network.
o By deploying Cisco IPS, organizations are able to identify, classify, and stop malicious traffic,
o including worms, spyware, adware, network viruses, and application abuse, before it affects the network.
o Intrusion Prevention Systems can be deployed in either SPAN/TAP mode or inline mode (inline IPS on a stick).
o In SPAN/TAP mode, an IPS sensor receives a copy of every packet and can alert on attacks.
o But in SPAN mode and TAP mode, an Intrusion Prevention System cannot block the attack.
o This is useful when initially testing the system and fine-tuning policies before deploying it inline.
o Inline is where the IPS sits in-line with the network traffic and is able to both block and alert on attacks.

Network-Based IPS vs. Host-Based IPS:

o There are two types of Intrusion Prevention Systems: network-based IPS and host-based IPS.
o In a host-based IPS, agents are installed on every LAN system that needs to be monitored.
o The agents monitor various aspects of the host's operation for signs of suspicious activity.
o Agents report detections to a central management console or write event activity to the local system.
o A host-based IPS can detect intrusions that use encrypted communications and information streams.
o A network-based IPS does not normally have visibility into encrypted traffic and information streams.
o A network-based IPS is normally installed in-line and is used to actively monitor, analyze, and block malicious traffic.

1 | Page. Created by Kushal Kabi, E-Mail: kushalkabi@gmail.com, Mobile: +91 7890466296


Modes of Deployment (Inline, Promiscuous - SPAN, Tap):
There are several options for deploying a Cisco IPS or Cisco IDS sensor in the network:
promiscuous (passive) mode, inline mode, SPAN mode, and Tap mode.

Inline Mode:
o Normally installed in-line and used to actively monitor, analyze, and block malicious traffic.
o Analyzes live traffic that is forced to come in one port and go out a second port of the IPS.
o So all ingress and egress traffic must flow through the Cisco IPS sensor for processing.
o The sensor is in the data path and analyzes the actual network traffic.
o The sensor can drop malicious traffic before it reaches the intended target system or service.

Promiscuous Mode:
o An IPS mode in which the sensor analyzes a copy of the monitored traffic rather than the actual data packets.
o In promiscuous mode, the IPS sensor is not in the data path.
o The IPS sensor analyzes a copy of the network traffic, not the original; the original traffic bypasses the sensor.
o In promiscuous mode, the sensor has only limited preventive capability.



SPAN Mode:
o SPAN (Switched Port Analyzer), or port mirroring, sends a copy of all network packets
o seen on one switch port to another port, where the packets can be analyzed by the IPS.
o In this mode the IPS sensor receives a copy of every packet and can alert on attacks but cannot block them.

TAP Mode:
o With Cisco IPS, a TAP is a hardware device that allows you to capture the packets flowing between two devices.
o TAPs transmit both the send and receive data streams on separate dedicated channels.
o The TAP ensures all data arrives at the monitoring or security device in real time.
o A network tap is inserted directly between two devices and allows the IPS to tap into the traffic between them.



Placement (Positioning of the IPS within the Network):
o An IPS can be placed at any position in the network, but deploying it everywhere is not feasible.
o Placement decisions must be made, and each scenario will have different requirements.
o An IPS sensor could be placed in-line between the firewall and any of the three zones (outside, DMZ, inside).
o If the IPS sensor is placed on the outside network, a high number of false positive alarms will be generated.
o Placing the sensor in the DMZ: DMZ data is less critical but more exposed than data on inside systems.
o Placing the IPS appliance inside the Internet firewall protects both the internal network and the DMZ segments.
o Placing the IPS functionality inside the Internet firewall itself also protects both the internal network and the DMZ.
o Placing the IPS in the DMZ segments without a separate appliance may be the best option.



False Positives, False Negatives, True Positives, True Negatives:
o A simple method of remembering: "True means the IPS did the right thing (passed).
o False means the IPS did the wrong thing (failed).
o Positive means the IPS generated an alert. Negative means the IPS did not generate an alert."

True Positive (Good):
o A true positive occurs when the Cisco IDS/IPS signature fires correctly.
o The Cisco IDS/IPS generated an alarm when malicious traffic was detected.

True Negative (Normal):
o A true negative is when there was normal, non-malicious traffic and the sensor did not generate an alert.
o Non-malicious traffic passed through and the IDS/IPS did not generate any alarm.

False Positive (Tuning Needed):
o A false positive occurs when the IDS/IPS sensor generates an alert on normal traffic.
o Non-malicious traffic passes through the network but the IDS/IPS falsely generates an alarm.

False Negative (BAD):
o A false negative occurs when the IDS/IPS signature does not fire on malicious traffic.
o Malicious traffic passes through the network but the IDS/IPS does not generate an alarm.
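The following is an added example, not part of the original notes, that ties the deployment modes above (inline vs. promiscuous/SPAN/TAP) to the four alert categories: a toy signature sensor inspects constructed traffic in each mode, and every decision is scored as a true/false positive/negative against known ground truth. The signature names, payload markers and addresses are all constructed for illustration.

```python
"""Added example (not in the original notes): a toy IPS sensor run in inline vs
promiscuous mode, each alert decision classified against known ground truth."""
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    payload: str
    malicious: bool  # ground truth, used only when classifying the outcome
# Constructed signature set: substrings the sensor looks for in the payload.
SIGNATURES = {"sig-2001": "WORM_PROBE", "sig-2002": "SPYWARE_BEACON"}

@dataclass
class Sensor:
    mode: str  # "inline" (sensor in data path) or "promiscuous" (SPAN/TAP copy)
    alerts: list = field(default_factory=list)

    def inspect(self, pkt):
        """Alert on a signature match; return True if the packet is forwarded."""
        hit = next((s for s, pat in SIGNATURES.items() if pat in pkt.payload), None)
        if hit:
            self.alerts.append((hit, pkt.src))
        if self.mode == "inline":
            return hit is None  # in the data path, a match drops the packet
        return True  # only a copy is inspected, so the original always passes

def classify(pkt, alerted):
    """Map one packet's outcome to the four categories in the notes."""
    if pkt.malicious:
        return "true_positive" if alerted else "false_negative"
    return "false_positive" if alerted else "true_negative"

def run(mode, packets):
    """Return (outcome counts, number of malicious packets that still got through)."""
    sensor, counts, leaked = Sensor(mode), {}, 0
    for pkt in packets:
        before = len(sensor.alerts)
        forwarded = sensor.inspect(pkt)
        outcome = classify(pkt, len(sensor.alerts) > before)
        counts[outcome] = counts.get(outcome, 0) + 1
        leaked += int(pkt.malicious and forwarded)
    return counts, leaked
# Constructed traffic: two known attacks, one benign flow that trips a signature
# (tuning needed) and one malicious flow with no signature yet (the bad case).
PACKETS = [
    Packet("10.0.0.5", "WORM_PROBE scan", True),
    Packet("10.0.0.6", "SPYWARE_BEACON checkin", True),
    Packet("10.0.0.7", "ticket: user reports WORM_PROBE alert", False),
    Packet("10.0.0.8", "GET /index.html", False),
    Packet("10.0.0.9", "NEW_VARIANT payload", True),
]
```

Running `run("inline", PACKETS)` and `run("promiscuous", PACKETS)` gives the same alert counts in both modes, which is why promiscuous mode is the safe choice for tuning; only the inline run actually stops the two true positives from reaching their targets.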

