Table 1-4 shows the primary terms that are used to describe the functionality of the Cisco IPS solution.

Table 1-4. Primary IPS Terminology

Terminology | Description
---|---
Inline mode | Examining network traffic while having the ability to stop intrusive traffic from reaching the target system
Promiscuous mode | Passively examining network traffic for intrusive behavior
Signature engine | An engine that supports signatures that share common characteristics (such as the same protocol)
Meta-Event Generator | The capability to define meta signatures based on multiple existing signatures
Atomic signature | A signature that triggers based on the contents of a single packet
Flow-based signature | A signature that triggers based on the information contained in a sequence of packets between two systems (such as the packets in a TCP connection)
Behavior-based signature | A signature that triggers when traffic deviates from regular user behavior
Anomaly-based signature | A signature that triggers when traffic exceeds a configured normal baseline
False negative | A situation in which a detection system fails to detect intrusive traffic although there is a signature designed to catch that activity
False positive | A situation in which normal user activity (instead of intrusive activity) triggers an alarm
True negative | A situation in which a signature does not fire during normal user traffic on the network
True positive | A situation in which a signature fires correctly when intrusive traffic for that signature is detected on the network (the signature correctly identifies an attack launched against the network)
Deep-packet inspection | Decoding protocols and examining entire packets to allow for policy enforcement based on actual protocol traffic (not just a specific port number)
Event correlation | Associating multiple alarms or events with a single attack
Risk rating (RR) | A threat rating based on numerous factors besides just the attack severity

Cisco provides a hybrid solution that enables you to configure a sensor to operate in promiscuous and inline mode simultaneously.
To help limit false positives, Cisco IPS version 5.0 incorporates a risk rating for alerts. This risk rating is calculated based on the following parameters:

- Event severity
- Signature fidelity
- Asset value of target

For IP addresses on your network, you can assign one of the following asset values:

- Low
- Medium
- High
- Mission critical
- No value

Beginning with version 5.0, you can use the Meta-Event Generator (MEG) to create complex signatures that require multiple regular signatures to trigger before the meta-event signature triggers.

Cisco IPS version 5.0 also enhances the ability of the sensor to perform deep-packet inspection on network traffic. This enables the sensor to enforce security policies beyond simple port numbers.

Cisco IPS version 5.0 supports the IDSM-2, the network module, and the following appliance sensors:

- IDS 4215
- IDS 4235
- IDS 4240*
- IDS 4250
- IDS 4250XL
- IDS 4255*

Note: The sensors marked by * are the newest appliance sensors in the Cisco IPS solution. These sensors are highly reliable because they use flash memory (which has no moving parts), not a regular hard disk, for storage.

Inline mode enables your sensor to act as a layer-2 forwarding device while inspecting network traffic, providing the ability to drop intrusive traffic before it reaches the target system.
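The following added example (not from the book or from Cisco's sensor software) illustrates how the three parameters listed above can be combined into a risk rating and how that rating, rather than event severity alone, can gate the inline response. The multiplicative form, the numeric scales for severity and asset value, and the `deny_threshold` policy value are all assumptions made for this illustration; the page names the inputs but does not give Cisco's formula or scale values.

```python
# Added illustration: combining event severity, signature fidelity and target
# asset value into a single risk rating (RR) and using RR to pick an action.
# The formula and the numeric scales are ASSUMPTIONS for illustration only.

# Assumed severity scale: higher means a more damaging event.
SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}

# Assumed weights for the five asset values the page lists. 100 is neutral;
# a weight above 100 raises RR for that target, below 100 lowers it.
ASSET_VALUE = {
    "no value": 50,
    "low": 75,
    "medium": 100,
    "high": 150,
    "mission critical": 200,
}


def risk_rating(severity: str, fidelity: int, asset_value: str) -> int:
    """Return an RR on a 0..100 scale for one alert.

    fidelity is the signature fidelity rating (0..100): how confident the
    signature author is that a match really is the attack it describes.
    """
    if not 0 <= fidelity <= 100:
        raise ValueError("fidelity must be in 0..100")
    raw = SEVERITY[severity] * fidelity * ASSET_VALUE[asset_value] / 10000
    # Clamp so a high-value asset cannot push RR beyond the 0..100 scale.
    return int(min(100, max(0, raw)))


def choose_action(rr: int, deny_threshold: int = 90) -> str:
    """Map an RR to a response. Only alerts that are severe, high-fidelity
    and aimed at a valuable asset are dropped inline; everything else is
    logged as an alert, which keeps low-confidence matches from causing
    false-positive drops. deny_threshold is an assumed policy value."""
    return "deny" if rr >= deny_threshold else "alert"


if __name__ == "__main__":
    # The same signature match, seen against two different targets.
    for target in ("low", "mission critical"):
        rr = risk_rating("high", 90, target)
        print(f"asset={target:17s} RR={rr:3d} action={choose_action(rr)}")
```

Running the block shows the point of the asset-value parameter: the same high-severity, 90-fidelity match rates 67 (alert only) against a low-value host but 100 (deny) against a mission-critical one.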
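To make the Meta-Event Generator idea concrete, here is an added example (not Cisco's MEG implementation) of a meta signature that fires only after all of its component signatures have fired between the same attacker and victim within a time window. The signature IDs, IP addresses, timestamps and the 30-second window are constructed values, and the matching rules (all components required, per attacker/victim pair, sliding window) are assumptions chosen for the illustration.

```python
# Added illustration of meta-event correlation: a meta signature fires only
# when every component signature has fired for the same (attacker, victim)
# pair within a time window. Not Cisco's MEG code; all values are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MetaSignature:
    meta_id: int
    components: frozenset  # component signature IDs that must all fire
    window: int            # seconds within which all components must fire


# Constructed meta signature: three component signatures within 30 seconds.
META = MetaSignature(meta_id=50000, components=frozenset({2000, 2001, 2002}), window=30)

# Constructed alert stream: (timestamp_seconds, signature_id, attacker_ip, victim_ip).
# 10.0.0.5 trips all three components in 7 seconds; 10.0.0.9 trips the third
# one too late, and signature 3000 is not a component at all.
ALERTS = [
    (0, 2000, "10.0.0.5", "192.0.2.10"),
    (3, 2001, "10.0.0.5", "192.0.2.10"),
    (5, 3000, "10.0.0.9", "192.0.2.10"),
    (7, 2002, "10.0.0.5", "192.0.2.10"),
    (40, 2000, "10.0.0.9", "192.0.2.10"),
    (41, 2001, "10.0.0.9", "192.0.2.10"),
    (75, 2002, "10.0.0.9", "192.0.2.10"),
]


def correlate(alerts, meta):
    """Return meta events as (timestamp, meta_id, attacker, victim) tuples.

    Component alerts are tracked per (attacker, victim) pair; alerts older
    than meta.window are discarded before each check, so components must
    cluster in time to count as one attack.
    """
    recent = defaultdict(deque)
    meta_events = []
    for ts, sig, src, dst in sorted(alerts):
        if sig not in meta.components:
            continue  # unrelated signature: never contributes to this meta event
        queue = recent[(src, dst)]
        queue.append((ts, sig))
        # Slide the window: drop component alerts that are now too old.
        while queue and ts - queue[0][0] > meta.window:
            queue.popleft()
        if {s for _, s in queue} == meta.components:
            meta_events.append((ts, meta.meta_id, src, dst))
            queue.clear()  # do not re-fire on the same component alerts
    return meta_events


if __name__ == "__main__":
    for event in correlate(ALERTS, META):
        print("meta event:", event)
```

Only one meta event is produced, for 10.0.0.5 at t=7; the second attacker's third component arrives 35 seconds after the first, outside the window, so the partial sequence is discarded rather than reported.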
The following sensors support inline mode:

- IDS 4215
- IDS 4235
- IDS 4240
- IDS 4250
- IDS 4255
- IDSM-2

When your system is running in inline mode, you can configure one of the following software bypass modes:

When deploying sensors on your network, consider the following network boundaries:

- Internet boundaries
- Extranet boundaries
- Intranet boundaries
- Remote access boundaries
- Servers and desktops

You must also consider the following when deploying your sensors:

Communication between your Cisco IPS sensors and other network devices involves the following protocols and standards:

- Secure Shell (SSH)
- Transport Layer Security (TLS)/Secure Sockets Layer (SSL)
- Remote Data Exchange Protocol (RDEP)
- Security Device Event Exchange (SDEE) Standard

The Cisco sensor software architecture can be broken down into the following main interacting applications or processes:

- cidWebServer
- mainApp
- logApp
- authentication
- NAC
- ctlTransSource
- sensorApp
- Event Store
- cidCLI