© 2005 Cisco Systems, Inc. All rights reserved. IPS v
Lesson 9: Tuning the Sensor

Tuning the Sensor
Sensor Tuning
Tuning is the process of configuring your sensor so that it provides the desired level of information to efficiently monitor and protect your network.

Sensor Tuning (Cont.)
To tune sensors successfully, you must have a good understanding of the following:
–Your network and the individual devices being protected
–The protocols inspected by the signatures you are tuning
This knowledge enables you to recognize normal versus abnormal network activity.
Tuning Considerations
Important information to gather before you begin tuning:
–The network topology
–The network address space under observation and protection
–Which inside addresses are statically assigned to servers and which are DHCP addresses
–The operating system running on each server
–Applications running on the servers
–The security policy
Sensor Location
The location of the sensor is important to tuning for the following reasons:
–The nature of the traffic that a sensor monitors varies.
–The security policy with which the sensor interacts varies.
(Figure: sensor placement relative to the firewall, between the Internet and the inside network: inside of the firewall or outside of the firewall?)
Phases of Tuning
The phases of tuning listed here correspond to the length of time the sensor has been running at the current location:
–Deployment phase
–Tuning phase
–Maintenance phase
Methods of Tuning
Some tuning methods involve configuring the sensor, while others involve configuring your monitoring application.
On the sensor:
–Enabling and disabling signatures
–Changing alarm severity up or down
–Changing the parameters of signatures
–Creating policies to override event actions
–Creating event action filters
On the monitoring application:
–Specifying the events you want to view
Global Sensor Tuning
Guidelines for maximizing the efficiency of your sensor via settings for the following:
–Individual signatures
–Target systems
–Monitoring applications
Guidelines for the following settings, which apply to the sensor globally and ensure that valuable system resources are not wasted:
–IP logging
–IP fragment reassembly
–TCP stream reassembly
Logging

IP Logging
IP logs are generated in two ways:
–You add IP logs on the Add IP Logging dialog box.
–You select one of the following as the event action for a signature: Log Attacker Packets, Log Pair Packets, or Log Victim Packets.
The IP log file is in libpcap format.
The IPS 4240 and 4255 are diskless systems that store IP logs in RAM.
Configuring Manual IP Logging
Navigation: Monitoring > IP Logging
Buttons: Add, Stop

Configuring Manual IP Logging (Cont.)
Fields: Duration, IP Address, Packets, Bytes
Button: Apply

Viewing IP Logs
Navigation: Monitoring > IP Logging
Button: Download
Reassembly Options

Reassembly Overview
You can configure sensor reassembly settings for both IP fragments and TCP streams. Reassembly settings affect the sensor's overall sensing function but are not necessarily specific to a particular signature or set of signatures. Reassembly settings ensure that valuable system resources are not wasted.

Configuring Reassembly Options
Navigation: Configuration > Signature Definition > Miscellaneous
Fragment Reassembly: IP Reassembly Mode
Stream Reassembly: TCP Reassembly Mode, TCP Handshake Required
Event Action Rules

IDS Version 4.x
(Figure: the same action is taken for System A and System B.)
The action is the same for all systems.
An alert is always generated.
The severity level of the signature is the primary indicator of threat level.

IPS Version 5.0
With IPS version 5.0, it is now possible for the sensor to take an action without generating an alert and to take actions according to specific configured policies.
Event Action Rules
You can use event action rules to create a policy that granularly controls the actions taken by your sensor. Your policy can specify the following rules:
–Components of an event risk rating (target value ratings)
–Actions to be taken in addition to those configured for a signature if an event with a specified risk rating occurs (event action overrides)
–Actions to be filtered if an event with a specified risk rating occurs (event action filters)

Calculating the Risk Rating
A risk rating is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network. These values are used to calculate the risk rating for a particular event:
–Attack severity rating
–Signature fidelity rating
–Target value rating
Event Action Overrides
Event action overrides enable the sensor to take actions based on a risk rating in addition to the actions assigned to a signature.
(Figure: actions Deny, Log, Alert.)

Event Action Filters
Event action filters remove actions from an event based on the following:
–SIGID and SubSig ID
–Attacker and victim addresses
–Attacker and victim ports
–Risk rating
(Figure: actions Deny, Log, Alert, with one action crossed out by the filter.)
Event Variables

Configuring Event Variables
Navigation: Configuration > Event Action Rules > Event Variables
Button: Add

Configuring Event Variables (Cont.)
Fields: Type, Name, Value
Target Value Ratings

Target Value Ratings
You can assign a target value rating to your network assets. The target value rating is one of the factors used to calculate the risk rating value for each alert.
(Figure: rating scale from No Value through Low, Medium and High to Mission Critical.)

Configuring Target Value Ratings
Navigation: Configuration > Event Action Rules > Target Value Rating
Button: Add

Configuring Target Value Ratings (Cont.)
Fields: Target Value Rating, Target IP Addresses
Event Action Overrides

Event Action Overrides
You can add an event action override to change the actions associated with an event based on specific details about that event.
(Figure: actions Deny, Log, Alert.)

Configuring Event Action Overrides
Navigation: Configuration > Event Action Rules > Event Action Overrides
Checkbox: Use Event Action Overrides
Button: Add

Configuring Event Action Overrides (Cont.)
Fields: Event Action, Enabled, Risk Rating
Event Action Filters

Configuring Event Action Filters
Navigation: Configuration > Event Action Rules > Event Action Filters
Buttons: Add, Insert Before, Insert After, Enable, Disable, Move Up, Move Down

Configuring Event Action Filters (Cont.)
Fields: Signature ID, SubSignature ID, Attacker Address, Attacker Port, Victim Address, Victim Port, Risk Rating, Actions to Subtract, Stop on Match, Enabled, Comments
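Added example, not part of the Cisco course material: a small Python model of the event action rule processing covered by the Calculating the Risk Rating, Event Action Overrides, Event Variables and Event Action Filters slides above. The target value weights and the RR formula are an assumption taken from Cisco's IPS 5.x documentation (the slides name only the three factors), the $NAME syntax for event variables is assumed, and every event, address and filter value in the test is constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumption: these target value weights and the RR formula are the ones
# documented for IPS 5.x; the slides only name the three factors.
TVR_WEIGHT = {"no value": 50, "low": 75, "medium": 100,
              "high": 150, "mission critical": 200}

def risk_rating(asr, sfr, tvr):
    # RR = ASR * SFR * TVR / 10000, clipped to the 0..100 range
    return max(0, min(100, asr * sfr * TVR_WEIGHT[tvr] // 10000))
@dataclass
class Event:
    sig_id: int
    attacker: str
    victim: str
    asr: int      # attack severity rating (from the signature)
    sfr: int      # signature fidelity rating (from the signature)
    tvr: str      # target value rating assigned to the victim address
    actions: set = field(default_factory=set)  # actions set on the signature

@dataclass
class Filter:     # event action filter: subtract actions when all criteria match
    sig_ids: set
    attacker: str  # CIDR, or an event variable written as $NAME (assumed syntax)
    victim: str
    rr_min: int
    rr_max: int
    subtract: set
    stop_on_match: bool = False
def expand(value, variables):
    # event variable: "$NAME" in an address field resolves to its value
    return variables[value[1:]] if value.startswith("$") else value

def resolve_actions(ev, overrides, filters, variables):
    """overrides: list of (action, rr_min, rr_max) event action overrides."""
    rr = risk_rating(ev.asr, ev.sfr, ev.tvr)
    actions = set(ev.actions)
    for action, lo, hi in overrides:        # overrides add actions by RR
        if lo <= rr <= hi:
            actions.add(action)
    for f in filters:                       # filters run in configured order
        if (ev.sig_id in f.sig_ids and f.rr_min <= rr <= f.rr_max
                and ip_address(ev.attacker) in ip_network(expand(f.attacker, variables))
                and ip_address(ev.victim) in ip_network(expand(f.victim, variables))):
            actions -= f.subtract
            if f.stop_on_match:
                break
    return rr, actions
```

A filter that subtracts Produce Alert for a trusted scanner subnet defined as an event variable is the typical false-positive reduction the Summary slide refers to; overrides still fire first, so a filter must also subtract any action an override added.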
General Settings

General Settings
You can configure general settings that apply to the event action rules, such as whether you want to use the summarizer and the meta event generator. You can also configure how long you want to deny attackers, the maximum number of denied attackers, and how long you want blocks to last.

Configuring General Settings
Navigation: Configuration > Event Action Rules > General Settings
Settings: Use Summarizer, Use Meta Event Generator, Deny Attacker Duration, Block Action Duration, Maximum Denied Attackers
Summary

Summary
Cisco IPS signatures use anti-evasive mechanisms to defeat IP fragmentation and obfuscation. To maximize your sensor's efficiency, configure the following on your sensor according to the needs of your particular network:
–Signature parameters
–IP logging
–Reassembly options
–Alarm channel event filters
You should also configure your monitoring application for optimal functionality in your particular network. IP fragment reassembly options and TCP stream reassembly options apply to sensors globally and enable you to conserve valuable system resources.

Summary (Cont.)
IP logging captures raw, unaltered IP packets that can be used for confirmation, damage assessment, and forensic evidence. You can configure a sensor to automatically generate an IP log when it detects an attack. You can also configure the sensor to log all IP traffic to and from a specified address whether there is an attack or not. Event variables facilitate the use and modification of values in event filters. Event filtering enables you to reduce the number of false positives and the number of security events reported.
Lab Exercise

Lab Visual Objective
(Figure: lab topology with Web and FTP servers, RBB, sensorP and sensorQ, routerP and routerQ with interfaces e0/0 and e0/1, and student PCs 10.0.P.12 and 10.0.Q.12.)