Cisco IPS Modules Technical Overview

Intrusion Prevention System Modules for Integrated Services Routers
Cisco IPS AIM and IPS NME Overview for Technical Decision Makers
Tina Lam, Product Manager, Cisco Systems
Tom Fulton, TME, Cisco Systems
C97-494050-00
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential

Agenda

• IPS Modules Overview
• IPS Architecture and Features
• Benefits and Use Cases
• Management and Monitoring
• Signature Update and Threat Alert

Intrusion Prevention System (IPS) Advanced Integration Module and Network Module for Cisco® ISR

AIM-IPS-K9: Cisco 1841, 2800, 3800; up to 45 Mbps; Cisco IOS 12.4(15)XY, 12.4(20)T
NME-IPS-K9 (NEW): Cisco 2811, 2821, 2851, 3800; up to 75 Mbps; Cisco IOS 12.4(20)YA
Both require a Cisco IOS® Advanced Security image or above.

• Enables inline and promiscuous Intrusion Prevention (CIPS 6.x)
• Runs the same software and the same features as the Cisco IPS 4200
• Performance improvement by hardware acceleration; dedicated CPU and DRAM offload the host CPU
• Provides size and scale ideal for remote offices (<100 users)
• Device management through Cisco IPS Device Manager (IDM) and Cisco Configuration Professional (CCP); network-wide management through Cisco Security Manager (CSM)
• Supported by IPS Manager Express (IME) and CS-MARS for event monitoring and correlation
• Benefits of router integration: systems integration, lower operating costs

Accelerated Threat Control with Network Admission Control:
• Incorporates the Network Admission Control (NAC) appliance into Cisco ISRs
• Enforces security policies, scans for the latest anti-virus software, and prevents unauthorized access and the spread of viruses on the network
• Supports wired, wireless and guest NAC
• Works with NAC appliances at headquarters in a network system

Cisco Intrusion Prevention Strategy: Comprehensive Threat Protection for the SDN

Solution diagram: Cisco Security Agent (endpoint protection); Cisco Integrated Services Routers (branch protection); Cisco ASA 5500 Adaptive Security Appliance and Cisco IPS 4200 Series (perimeter protection, Internet and intranet); Catalyst® Services Modules (data center and server protection); Cisco Security MARS (monitoring and correlation); Cisco Security Manager (solution management).

Integrated (Location Matters)
• The most diverse line of IPS sensors: the right tool for the right job, anywhere in the network
• IPS integrated into the fabric of the network
• Built on Cisco security and network intelligence

Adaptive (Focused Protection)
• Modular inspection engines: respond rapidly with minimal downtime
• On-box and network-wide correlation to provide greater accuracy and confidence
• Behavioral anomaly detection: protect against zero-day attacks

Collaborative (Better Together)
• Endpoint and network sensors sharing live network information
• Dynamic risk-based threat rating: adapt threat policy in real time
• Reduced operational costs with a common, solution-based management interface

Cisco IPS Product Portfolio (arranged by performance)

• IPS 4200 Series: dedicated appliances for high performance, data center, and focused function environments (IPS 4240, IPS 4255, IPS 4260, IPS 4270)
• Cisco Catalyst 6500 Series: switch-integrated service modules for data center and switch integration (IDSM2, Cisco Catalyst 6500 IDSM2 Bundle)
• ASA 5500 Series: firewall-integrated for comprehensive security and Unified Threat Management (ASA5510-AIP10, ASA5520-AIP20, ASA5540-AIP40)
• ISR Series Routers: remote office/branch services for scalable remote office protection (Cisco IOS IPS, IPS AIM and IPS NME)

Cisco IPS Architecture: Intelligent Detection and Precision Response

Components of the inspection path (In to Out):
• Normalizer Module: Layer 3–7 normalization of traffic to remove attempts to hide an attack
• Modular Inspection Engines: vulnerability, exploit, behavioral anomaly, protocol anomaly, and universal engines
• Virtual Sensor Selection: traffic directed to the appropriate virtual sensor by interface or VLAN
• On-Box Correlation Engine: meta event generator for event correlation
• Risk-Based Policy Control: calibrated "risk rating" computed for each event; event action policy based on risk levels; filters for known benign triggers
• Mitigation and Alarm: "threat rating" of the event indicates the level of residual risk

Supporting inputs:
• Cisco Threat Intelligence Services deliver signature updates and engine updates
• Forensics capture before, during, and after the attack
• Network context information (context data) feeds the risk-based policy
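The risk-based policy control stage above is where a sensor turns a raw signature hit into a decision. The block below is an added illustration, not Cisco code: it computes a risk rating in the form documented for Cisco IPS 6.x (reproduced here from memory; confirm it against the configuration guide for your release), applies event action overrides by rating, strips actions for a known benign trigger, and reports the residual threat rating. The target-value scale, deny credits, override thresholds, signature IDs, subnets and the filter are all assumptions constructed for the example.

```python
"""Risk-based policy control in the style of Cisco IPS 6.x event action rules.

Added example, not Cisco code. The risk-rating formula is the one documented
for Cisco IPS 6.x as recalled here (confirm it against the configuration
guide for your release); every rating value, subnet, signature ID, override
threshold, deny credit and filter below is constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Target value rating (TVR) per asset class; the 50..200 scale is assumed.
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# Credit subtracted from the risk rating once a deny action has been taken;
# what remains is the threat rating (residual risk). Values are assumed.
DENY_CREDIT = {"deny-attacker-inline": 45, "deny-packet-inline": 35,
               "deny-connection-inline": 35, "request-block-host": 20}

# Event action overrides: every action whose threshold the RR reaches is added.
# deny-packet-inline from RR 90 mirrors the IPS 6.x default; the rest are assumed.
OVERRIDES = [(90, "deny-packet-inline"), (75, "request-block-host"), (0, "produce-alert")]


@dataclass
class Event:
    sig_id: int
    attacker: str
    victim: str
    asr: int        # attack severity rating: informational 25 ... high 100
    sfr: int        # signature fidelity rating 0..100 (how exploit-specific the signature is)
    arr: int = 0    # attack relevancy: +10 if the victim OS is known vulnerable, -10 if not
    pd: int = 0     # promiscuous delta: lowers RR when the sensor cannot block inline
    wlr: int = 0    # watch list rating: raises RR for attackers CSA has put on its watch list


@dataclass
class Filter:
    """Event action filter: strips actions for a known benign trigger."""
    sig_ids: set
    attacker_net: str
    victim_net: str
    rr_range: tuple
    remove: set


def target_value_rating(victim, target_values):
    """Longest-prefix lookup of the victim's asset class; unlisted hosts are 'medium'."""
    best = (-1, "medium")
    for net, cls in target_values.items():
        n = ip_network(net)
        if ip_address(victim) in n and n.prefixlen > best[0]:
            best = (n.prefixlen, cls)
    return TVR[best[1]]


def risk_rating(ev, tvr):
    """RR = ASR*TVR*SFR/10000 + ARR - PD + WLR, clamped to 0..100."""
    rr = (ev.asr * tvr * ev.sfr) // 10000 + ev.arr - ev.pd + ev.wlr
    return max(0, min(100, rr))


def evaluate(ev, target_values, overrides=OVERRIDES, filters=()):
    """Compute the RR, apply overrides, drop filtered actions, report the threat rating."""
    rr = risk_rating(ev, target_value_rating(ev.victim, target_values))
    actions = {action for threshold, action in overrides if rr >= threshold}
    for f in filters:
        if (ev.sig_id in f.sig_ids
                and ip_address(ev.attacker) in ip_network(f.attacker_net)
                and ip_address(ev.victim) in ip_network(f.victim_net)
                and f.rr_range[0] <= rr <= f.rr_range[1]):
            actions -= f.remove
    credit = max((DENY_CREDIT.get(a, 0) for a in actions), default=0)
    return {"rr": rr, "actions": sorted(actions), "threat_rating": rr - credit}


# Constructed policy: the branch server subnet from the use-case diagrams is a
# high-value target, the guest WLAN is low value, and the internal vulnerability
# scanner at 192.168.1.10 is an authorised benign trigger for signature 12345.
TARGETS = {"192.168.3.0/24": "high", "192.168.2.0/24": "low"}
FILTERS = [Filter({12345}, "192.168.1.10/32", "192.168.3.0/24", (0, 100),
                  {"deny-packet-inline", "request-block-host"})]

if __name__ == "__main__":
    samples = [
        Event(12345, "203.0.113.5", "192.168.3.14", asr=100, sfr=85, arr=10),   # real attack
        Event(12345, "192.168.1.10", "192.168.3.14", asr=100, sfr=85, arr=10),  # authorised scan
        Event(20001, "198.51.100.7", "192.168.2.20", asr=25, sfr=50),           # informational
    ]
    for ev in samples:
        print(f"{ev.attacker} -> {ev.victim}: {evaluate(ev, TARGETS, filters=FILTERS)}")
```

The same signature produces a rating of 100 for both the external attacker and the internal scanner; only the filter, scoped to the scanner's address, the server subnet and that signature, separates them, and it removes the deny actions without suppressing the alert. The threat rating shows why a high-rated event that was dropped inline deserves less attention from the analyst than an identical event that could only be alerted on.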

Real-Time Anomaly Detection for Zero-Day Threats

• Anomaly-detection algorithms to detect and stop zero-day threats
• Real-time learning of normal network behavior
• Automatic detection and policy-based protection from anomalous threats to the network
• Result: protection against attacks for which there is no signature

Diagram: traffic from the Internet that conforms to the learned baseline passes; anomalous activity is detected, indicating a potential zero-day attack.
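To make the learn-then-detect idea concrete, here is an added example (not Cisco's anomaly-detection implementation) of the simplest useful form of it: a learning phase records, per service port, how many distinct destinations a single source contacts without ever getting an answer, and the detection phase raises an alert for any source that exceeds that learned fan-out. A spreading worm or a scanner shows exactly this behaviour regardless of which exploit it carries, which is what "no signature needed" means in practice. The window length, the slack added to the baseline, the addresses and every flow record are constructed.

```python
"""Learn-then-detect scanner anomaly detection (simplified illustration).

Added example; not Cisco's anomaly-detection implementation. It shows the
idea on the slide: learn what normal fan-out looks like per service, then
flag a source that departs from it, with no signature involved. The window
size, slack, and every flow record below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int          # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    answered: bool  # True if the destination replied; a probe of an absent host/port is unanswered


def unanswered_fanout(flows, window):
    """{window: {dport: {src: distinct destinations that never answered}}}.

    Scanners and spreading worms contact many hosts that do not exist or do not
    listen, so the count of distinct unanswered destinations per source is the
    feature that is learned and checked.
    """
    sets = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for f in flows:
        if not f.answered:
            sets[f.t // window][f.dport][f.src].add(f.dst)
    return {w: {p: {s: len(d) for s, d in srcs.items()} for p, srcs in ports.items()}
            for w, ports in sets.items()}


def learn_baseline(flows, window=60, slack=2):
    """Learning mode: the largest per-source fan-out seen per port, plus slack."""
    baseline = {}
    for ports in unanswered_fanout(flows, window).values():
        for port, srcs in ports.items():
            baseline[port] = max(baseline.get(port, 0), max(srcs.values()))
    return {port: peak + slack for port, peak in baseline.items()}


def detect(flows, baseline, window=60, default_threshold=5):
    """Detect mode: report every source whose fan-out exceeds the learned threshold."""
    alerts = []
    for w, ports in sorted(unanswered_fanout(flows, window).items()):
        for port, srcs in ports.items():
            threshold = baseline.get(port, default_threshold)
            for src, fanout in srcs.items():
                if fanout > threshold:
                    alerts.append({"window": w, "src": src, "dport": port,
                                   "fanout": fanout, "threshold": threshold})
    return alerts


def constructed_flows():
    """Three minutes of normal SMB traffic, then a minute in which an infected laptop sweeps the server /24."""
    clients = [f"192.168.1.{i}" for i in range(10, 15)]
    normal = []
    for w in range(4):
        for i, c in enumerate(clients):
            for k in range(3):  # each client reaches the three real file servers
                normal.append(Flow(w * 60 + 5 * k, c, f"192.168.3.{14 + k}", 445, True))
            # one stale mapping per client to a decommissioned server: unanswered, but normal
            normal.append(Flow(w * 60 + 30, c, f"192.168.3.{20 + i}", 445, False))
    learning = [f for f in normal if f.t < 180]
    sweep = [Flow(180 + k, "192.168.1.50", f"192.168.3.{k}", 445, answered=k in (14, 15, 16))
             for k in range(1, 41)]
    detection = [f for f in normal if f.t >= 180] + sweep
    return learning, detection


if __name__ == "__main__":
    learning, detection = constructed_flows()
    baseline = learn_baseline(learning)
    print("learned thresholds:", baseline)
    for alert in detect(detection, baseline):
        print("anomaly:", alert)
```

Two points carry over to a real deployment. First, the baseline must be learned from traffic that is already clean; a worm active during the learning period becomes "normal". Second, a source that is legitimately noisy (a monitoring server, a vulnerability scanner) has to be excluded from learning or given its own threshold, otherwise it either inflates the baseline for everyone or fires every window.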

Protocol Anomaly Detection

Diagram: transactions A, B and C travel from the Internet to a web server cluster; one transaction, shown as a long run of 9s, is flagged as a potential buffer overflow attack.
Protocol-anomaly detection protects against zero-day attacks on unknown vulnerabilities.
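A protocol-anomaly engine does not need to know which server bug an attacker is after; it only needs to know what the protocol permits. The block below is an added example, not Cisco's engine: it parses the head of an HTTP request and reports fields that are oversized or malformed, so the third transaction in the slide (a URI that is nothing but a long run of 9s) is flagged while two well-formed requests pass. The field limits are assumptions chosen for the example and the three transactions are constructed.

```python
"""Protocol-anomaly check for HTTP requests (illustration).

Added example; not Cisco's protocol-anomaly engine. A signature describes one
known exploit, whereas a protocol check describes what the protocol allows, so
an oversized or malformed field is flagged even when the vulnerability it aims
at is not yet known. The limits are assumed and the three transactions are
constructed to match the slide: A and B conform, C carries an oversized URI.
"""
import re

LIMITS = {"request_line": 4096, "uri": 2048, "header_name": 64,
          "header_value": 4096, "headers": 64}
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
VERSION = re.compile(rb"^HTTP/1\.[01]$")


def inspect_http_request(raw):
    """Return the list of anomalies found in one HTTP request head; empty means it conforms."""
    anomalies = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]

    if len(request_line) > LIMITS["request_line"]:
        anomalies.append(f"request line {len(request_line)} bytes exceeds {LIMITS['request_line']}")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        anomalies.append("request line does not have method, URI and version")
        return anomalies
    method, uri, version = parts
    if method not in METHODS:
        anomalies.append(f"unknown method {method[:16]!r}")
    if len(uri) > LIMITS["uri"]:
        anomalies.append(f"URI {len(uri)} bytes exceeds {LIMITS['uri']} (potential buffer overflow)")
    if any(b < 0x21 or b > 0x7e for b in uri):
        anomalies.append("non-printable byte in URI")
    if not VERSION.match(version):
        anomalies.append(f"malformed version {version[:16]!r}")

    if len(headers) > LIMITS["headers"]:
        anomalies.append(f"{len(headers)} headers exceeds {LIMITS['headers']}")
    for h in headers:
        name, sep, value = h.partition(b":")
        if not sep:
            anomalies.append(f"header without colon {h[:16]!r}")
            continue
        if len(name) > LIMITS["header_name"]:
            anomalies.append(f"header name {len(name)} bytes exceeds {LIMITS['header_name']}")
        if len(value) > LIMITS["header_value"]:
            anomalies.append(f"header {name[:16]!r} value {len(value)} bytes exceeds {LIMITS['header_value']}")
        if name.strip().lower() == b"content-length" and not value.strip().isdigit():
            anomalies.append("non-numeric Content-Length")
    return anomalies


# Constructed transactions against the web server cluster.
TRANSACTION_A = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRANSACTION_B = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Length: 27\r\n\r\nuser=alice&password=secret1")
TRANSACTION_C = b"GET /" + b"9" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, tx in (("A", TRANSACTION_A), ("B", TRANSACTION_B), ("C", TRANSACTION_C)):
        print(label, inspect_http_request(tx) or "conforms")
```

The trade-off that the slide's "unknown vulnerabilities" phrase glosses over is tuning: a limit tight enough to catch an overflow attempt against a server with a small fixed buffer will also fire on legitimate applications that send long URIs or cookies, so in practice these limits are set per virtual sensor for the servers actually behind it rather than globally.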

Comparison: Cisco IOS IPS and Cisco IPS AIM/NME

Feature | Cisco IOS IPS | Cisco IPS AIM/NME
Dedicated CPU/DRAM for IPS | No | Yes
Inline and Promiscuous Detection and Mitigation | No; inline mode only | Yes
Signatures Supported | Subset of 2200+ signatures, subject to available memory | Full set of signatures (3000+)
Automatic Signature Updates | Yes | Yes
Day-Zero Anomaly Detection | No | Yes
Rate Limiting | No | Yes
Cisco Security Agent and Cisco IPS Collaboration | No | Yes
Meta Event Generator | No | Yes
Event Notification | Syslog, SDEE | SNMP and SDEE
Device Management | Cisco IOS CLI, CCP | CIPS CLI, CCP, IDM
System/Network Management | CSM | CSM
Event Monitoring and Correlation | IME, CS-MARS | IME, CS-MARS, on-box Meta Event Generator

Note: Only one IPS service may be active in the router; all others must be removed or disabled.

Comparison: Cisco IPS AIM and Cisco IPS NME

Feature | Cisco IPS AIM | Cisco IPS NME
Support with ISR Models | Cisco 1841 ISR and above (except for 1861) | Cisco 2811 ISR and above
On-Line Insertion and Removal | No | Yes, with 3845 ISR only
Performance | Up to 45 Mbps | Up to 75 Mbps
Form Factor | Internal AIM | NME slot
Management Port | No external port | External Ethernet management port
Initial Cisco IPS Software Version Support* | IPS 6.0(4) | IPS 6.1(1)
Router Cisco IOS Software Version Support | 12.4(15)XY, 12.4(20)T | 12.4(20)YA

*Both stay current with the latest IPS OS available for the IPS 4200 product family.

Integrating IPS Modules with Cisco IOS Security Technologies

• Cisco IOS Firewall and IPS Modules are complementary technologies
  Cisco IOS Firewall blocks unwanted traffic from entering the network and ensures that application traffic is legitimate
  IPS Modules inspect traffic the firewall has allowed, as well as traffic from the trusted network, to prevent attacks
• Cisco IOS Firewall provides SYN flood attack defense
• Cisco IOS Firewall and IPS Modules maintain separate state tables for TCP traffic; resets from one state table force session timeouts in the other

Integrating IPS Modules with Cisco IOS Security Technologies (continued)

• Cisco IOS IPS must be disabled when using an IPS Module
• IPSec and SSL VPN traffic can be inspected after decryption
• The IPS Modules work with NAC technologies to inspect trusted network traffic
• Frees up CPU and memory resources for other services

Benefits of Integrated IPS on ISR

Diagram elements: a small branch (ISR with AIM IPS) and a large branch (ISR with NME IPS), an SMB network behind an MSSP CE router with AIM IPS, the Internet/SP network, and the corporate office with a 42xx IPS sensor, CS-MARS and Cisco Security Manager.

• Full-feature, high-performance threat protection in the branch or SMB network
• Requires no additional footprint, cabling, or power
• Systems integration with data, data security and voice features on the ISR
• Supports any routed WAN link, transport agnostic: T1/E1, T3/E3, Ethernet, xDSL, MPLS, 3G WWAN
• Provides defense-in-depth to the perimeter of the network: ICSA-certified Cisco IOS Firewall, IPSec and SSL VPN, NAC, URL Filtering

Use Case 1: Protect WAN Link and Corporate Offices

• Branch office LANs are prone to attacks from the Internet via split tunnels, contaminated laptops and rogue APs
• Moves attack protection to the network edge
• Helps to secure less secure devices
• Stops worms and trojan horses before they enter the corporate or SP network

Diagram: an ISR with IPS AIM or IPS NME fronts a branch with employees (192.168.1.x/24), wireless guests (192.168.2.x/24) and servers (192.168.3.14-16/24); threats arrive from the Internet and from each LAN segment, and the IPS protects the WAN link, the IPSec tunnel to the corporate office and upstream corporate resources.

Use Case 2: Protect Servers at Remote Sites

• Branch office LANs are prone to attacks from the Internet via split tunnels, contaminated laptops and rogue APs
• Stops worms and trojan horses before they enter the corporate or SP network

Diagram: the same branch as Use Case 1 (employees 192.168.1.x/24, wireless guests 192.168.2.x/24, IPSec tunnel to the corporate office), with the servers (192.168.3.14-16/24) hosted separately in a DMZ behind the ISR with IPS AIM or IPS NME.

Use Case 3: Enhances Corporate Compliance Requirements
PCI Compliance (Retail); HIPAA (Healthcare); Sarbanes-Oxley/GLBA (Finance)

• Provides intrusion prevention in depth, as part of a PCI-compliant Self-Defending Network
• Enhances PCI Requirement 11 (regularly test security systems and processes; 11.4 calls for intrusion detection/prevention at the perimeter and at critical points)
• Event correlation provides an audit trail for tests and validation exercises
• Integrates with Cisco IOS FW, IPSec, SSL VPN and other Cisco IOS security technologies for a complete solution
• Offloads all IPS inspection from the router CPU
• Filters inspected traffic via ACLs

Diagram (retail store): POS cash registers, a POS server running CSA, mobile POS and wireless devices on WAPs, and a store worker PC connect through a Cisco Catalyst switch to an ISR with IPS AIM or IPS NME; an ASA and the Internet complete the picture.

Managing and Monitoring IPS Modules

• Configuration and deployment services
• Alert collection, aggregation, and correlation
• Signature and inspection updates
• Threat mitigation

Device-Level Management (small deployment, one to five sensors; low alarm rates): IPS Device Manager, Cisco Configuration Professional (cross-launches IDM), IPS Manager Express
Multi-Device Management (medium/large deployments, hundreds to thousands of security devices; high alarm rates): Cisco Security Manager, CS-MARS

Cisco IPS Manager Express (IME) (NEW)
All-in-one IPS management application for up to five IPS sensors, with an at-a-glance dashboard

• Startup Wizard: get up and running in just minutes
• Dashboard: put needed information at your fingertips
• Configuration: save time with an intuitive interface
• Reporting: create and share security and compliance reports
• Monitoring: see what's happening with real-time and historical security events

Cisco Security Manager: Integrated Security Configuration Management

Firewall Management
• Support for PIX®, ASA, FWSM, and Cisco IOS Routers
• Rich firewall rule definition: shared objects, rule grouping, and inheritance
• Powerful analysis tools: conflict detection, rule combiner, hit counts, ...

VPN Management
• Support for PIX, ASA, VPNSM, VPN SPA, and Cisco IOS Routers
• Support for a wide array of VPN technologies such as DMVPN, Easy VPN, and SSL VPN
• VPN Wizard for three-step point-and-click VPN creation

IPS Management
• Support for IPS sensors, modules and Cisco IOS IPS
• Automatic policy-based IPS sensor software and signature updates
• Signature Update Wizard allowing easy review/editing prior to deployment

Reduce OpEx
• Unified security management for Cisco devices supporting FW, VPN, and IPS
• Efficiently manage up to 5000 devices per server
• Multiple views for task optimization: Device View, Policy View, Topology View

Cisco Services for IPS: Rapid Signature Updates for Emerging Threats

Flow: vulnerabilities and threats are fed to the Cisco IPS Signature R&D Team, which produces the updated signature package.

• Follow-the-Sun Research: extensive around-the-clock research capability gathers, identifies and classifies vulnerabilities and threats
• Rapid Response: signatures are created to mitigate the vulnerabilities within hours of classification
• Human Intelligence: Applied Intelligence Reports provide insight and guidance on using IPS technology to protect yourself

Cisco Security IntelliShield Alert Manager Service
Now includes IPS signature-to-threat correlation

• Complete vulnerability and threat information in a single database
• Notification of only those vulnerabilities relevant to a pre-defined infrastructure
• Actionable alerts in a standardized format based on user-customized profiles
• Each vulnerability or threat is analyzed and validated by security analysts
• Vulnerability and threat information is vendor-neutral and objectively graded
• Comprehensive library of over 10,000 threats and vulnerabilities
• Built-in workflow allows easy management of tasks and remediation efforts

Cisco License Manager

• Automates license management for IPS AIM, IPS NME and more
• Increased productivity
  Rapidly roll out new services: 500 licenses deployed in two minutes
  Scales to 30,000 devices
• Enhanced security and virtualization
  Role-based access control via user roles
  Access control lists limit access to PAKs and devices
• Reduced complexity
  Automated licensing workflows
  License reports aid in audit compliance
• Investment protection
  Full-functionality Java and Perl Software Development Kits (SDK) to integrate with existing applications
• Faster failure recovery
  Restore device licenses from database backup
  Resend all licenses from Cisco.com and deploy them quickly

Activation Workflow with CLM: Service Contract Tied to Serial Number

1. Place order (initiated by the customer) through the Services Ordering Tool
2. Send serial numbers (initiated by Cisco License Manager) to the Cisco.com License Portal
3. Receive IPS license keys (initiated by Cisco.com) in Cisco License Manager