
http://www.INE.com

Implementing Secure Converged Wide Area Networks (ISCW)

Cisco IOS IPS

IDS Overview

• Intrusion Detection System

• Monitors traffic for malicious traffic

• Responds accordingly

– Generate logs/alarms

– Instruct a managed device to block the traffic

– Reset the TCP session

• Typically not in the traffic transit path

– i.e. “promiscuous”

• Attack response time is an issue: by the time the sensor reacts, the offending packets have already been forwarded

Copyright © 2009 Internetwork Expert, Inc www.INE.com

Typical IDS Design (diagram not reproduced)

IPS Overview

• Intrusion Prevention System

• Same as IDS, but directly in the transit path

– i.e. “inline”

• Allows more sophisticated attack responses and faster response times


Typical IPS Design (diagram not reproduced)

Types of IDS/IPS

• Signature based

– Checks traffic against known database of attacks

• Anomaly based

– Learns a baseline of normal network behavior and alerts on events outside the norm

• Policy based

– Checks whether events breach preconfigured thresholds

– e.g. TCP SYN attack


Types of IDS/IPS (cont.)

• Honeypots

– Decoy systems, deliberately left exposed, that collect attack patterns for further analysis

• Network based (NIPS)

– IPS appliance in the network transit path

• Host based (HIPS)

– IPS software on the end host

Cisco IPS Devices

• Hardware based

– IPS 4200

– Catalyst 6500

• Intrusion Detection System Services Module (IDSM)

– ASA 5500

• Advanced Inspection and Prevention Security Services Module (AIP-SSM)

• Software based

– IOS IPS


IOS IPS Overview

• Software based inline IPS solution

• Signature based

– Includes built-in signatures

– Downloadable Signature Definition Files (SDFs)

IOS IPS Event Actions

• Alarm

– Syslog

– Security Device Event Exchange (SDEE)

• Uses HTTPS

• Drop

• Reset

• Block attacker inline

• Block connection inline


IOS IPS CLI Configuration

• Create IPS rule

• Apply rule to interface

• Retire all signatures

• Specify signature storage location in flash

– Signature configuration not stored in NVRAM

• Install signatures public key

• Compile signatures

• Fail open or closed

• Signature tuning
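The configuration steps listed above, and the event actions from the previous slide, worked through as one added IOS IPS 5.x configuration example. This is not taken from the original slides; it uses the 5.x signature-package format rather than a 4.x SDF. The rule name IOSIPS, the flash directory ips, the outside interface FastEthernet0/0, the signature package file name, the TFTP server at 192.168.2.100 (an address that appears in the lab diagram; its role as a TFTP server is assumed) and the choice of signature 2004/0 (ICMP Echo Request) for tuning are all assumptions made for illustration. The hex body of Cisco's realm-cisco.pub public key is deliberately not reproduced; it comes from the realm-cisco.pub.key file shipped alongside the signature package.

```cisco
! Step 1: create the IPS rule (name assumed: IOSIPS)
ip ips name IOSIPS

! Step 2: apply the rule inbound on the outside interface (interface assumed)
interface FastEthernet0/0
 ip ips IOSIPS in

! Step 3: retire every signature, then un-retire only the "ios_ips basic"
! category. Routers do not have the memory to compile the full signature set.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false

! Step 4: signature configuration lives in flash, not NVRAM (directory assumed)
! "mkdir" is an exec-mode command; the rest of this step is configuration.
mkdir flash:ips
ip ips config location flash:ips retries 1

! Step 5: install Cisco's public key so the signed signature package verifies.
! The key-string hex lines come from realm-cisco.pub.key and are not shown here.
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <paste the hex lines from realm-cisco.pub.key here>
  quit

! Alarm destinations from the event-actions slide: syslog and SDEE.
! SDEE rides on HTTPS, so the secure HTTP server must be enabled.
ip http secure-server
ip ips notify log
ip ips notify sdee
ip sdee events 500

! Step 6: load the signature package; the router compiles it on load.
! Exec-mode command; file name and TFTP server are assumed.
copy tftp://192.168.2.100/IOS-S376-CLI.pkg idconf

! Step 7: fail closed, i.e. drop traffic the engine cannot scan (default is open)
ip ips fail closed

! Step 8: tune one signature (2004/0, ICMP Echo Request, chosen for illustration):
! take it out of retirement, enable it, and set two of the slide's event actions,
! alarm (produce-alert) and drop (deny-packet-inline). The other actions named on
! the slide are reset-tcp-connection, deny-attacker-inline and deny-connection-inline.
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
  engine
   event-action produce-alert
   event-action deny-packet-inline

! Verification (exec mode)
show ip ips configuration
show ip ips signatures count
show ip ips statistics
```

Two practitioner caveats. First, `ip ips fail closed` drops every packet on an IPS-enabled interface while the engine is unable to scan, including the window where a signature package fails to compile, so verify `show ip ips signatures count` reports compiled signatures before turning it on at a remote site. Second, once 2004/0 is enabled with deny-packet-inline, ordinary ping through FastEthernet0/0 is dropped and logged, which is useful to prove the rule is inline but is not something to leave in a production policy.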

IOS IPS Configuration Examples

(Lab topology diagram, not reproduced. Recoverable labels: routers R1 through R6; Frame Relay subinterfaces S0/0.102, S0/0.103 and S1/0.301 with DLCIs 102, 103, 201 and 301; Ethernet interfaces Fa0/0, Fa0/1, Fa0/0.10 and Fa0/0.56; subnets 200.0.12.0/24, 200.0.13.0/24, 200.0.16.0/24, 10.0.0.0/24, 10.0.56.0/24, 172.16.34.0/24 and 192.168.2.0/24; a host at 192.168.2.100/24.)
