IPS CONFIGURATION
IPS Network Sensing
• Network sensing is accomplished using Cisco
IPS sensors and Cisco IOS IPS devices.
• Cisco IPS sensors and Cisco IOS IPS devices are
referred to collectively as IPS devices or sensors.
Capturing Network Traffic
• The sensor can operate in either promiscuous mode
(it analyzes a copy of the traffic from a SPAN port or
tap, so it can only react after a packet has already
passed) or inline mode (traffic flows through the
sensor, so it can drop packets before they reach the
target).
IPS DEPLOYMENT
Capturing Network Traffic
• When responding to attacks, the sensor can
do the following:
– Insert TCP resets via the sensing interface.
– Make ACL changes on switches, routers, and
firewalls that the sensor manages.
– Generate IP session logs, session replay, and
trigger packets display.
Capturing Network Traffic
• IP session logs are used to gather information about
unauthorized use.
• In inline mode, you can implement multiple packet-drop
actions to stop worms and viruses.
Correctly Deploying the Sensor
• Before deploying and configuring the sensors,
check:
– The size and complexity of your network.
– Connections between your network and other
networks, including the Internet.
– The amount and type of traffic on your network.
• Always position the IPS sensor behind a perimeter-
filtering device, so that it does not spend its time
alerting on traffic the firewall already drops.
• Correct placement significantly reduces the number of
alerts, which increases the amount of actionable data you can
use to investigate security violations.
Tuning the IPS
• Ensures that the alerts you see reflect true,
actionable information.
• Tips:
– Place your sensor on your network behind a
perimeter-filtering device.
– Deploy the sensor with the default signatures in
place.
– Make sure that the event action override is set to
drop packets with a risk rating greater than 90.
Tuning the IPS
– Filter out known false positives caused by
specialized software, such as vulnerability scanners
and load balancers.
– Filter the Informational alerts.
– Analyse the remaining actionable alerts:
• Research the alert.
• Fix the attack source.
• Fix the destination host.
• Modify the IPS policy to provide more information.
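The tuning steps above, run over a constructed alert stream, as an added example (this is not code from the slides or from Cisco Security Manager). The Risk Rating formula RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100, is the one documented for Cisco IPS 6.x/7.x sensors rather than something these slides state, so treat it as an assumption; the signature IDs, addresses, false-positive filters and "greater than 90" threshold are constructed for illustration. Note that the sensor's default event action override covers the 90 to 100 range, so check which boundary your own policy actually uses.

```python
"""Model of the IPS alert-tuning steps: drop known false positives, drop
Informational alerts, then apply the high-risk event action override.
All data below is constructed, not real sensor output."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Risk Rating inputs as used by Cisco IPS 6.x/7.x sensors (assumption taken
# from the sensor documentation, not from these slides):
#   RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
DROP_THRESHOLD = 90   # "drop packets with a risk rating greater than 90"


@dataclass
class Alert:
    sig_id: int
    severity: str                  # ASR bucket of the signature
    fidelity: int                  # SFR, 0..100
    attacker: str
    victim: str
    target_value: str = "medium"   # TVR bucket assigned to the victim
    relevance: int = 0             # ARR: +10 relevant, -10 not relevant, 0 unknown
    promisc_delta: int = 0         # PD: only non-zero in promiscuous mode
    watch_list: int = 0            # WLR: 0..35
    actions: set = field(default_factory=lambda: {"produce-alert"})

    @property
    def risk_rating(self) -> int:
        raw = (ATTACK_SEVERITY[self.severity] * TARGET_VALUE[self.target_value]
               * self.fidelity) / 10000
        raw += self.relevance - self.promisc_delta + self.watch_list
        return int(max(0, min(100, raw)))


# Constructed event action filters for known false positives:
# (signature id or None for any signature, attacker network).
FALSE_POSITIVE_FILTERS = [
    (None, ip_network("10.0.5.5/32")),   # internal vulnerability scanner
    (3050, ip_network("10.0.1.0/24")),   # load balancers tripping a SYN-probe signature
]


def is_known_false_positive(alert: Alert) -> bool:
    src = ip_address(alert.attacker)
    return any((sig is None or sig == alert.sig_id) and src in net
               for sig, net in FALSE_POSITIVE_FILTERS)


def apply_override(alert: Alert) -> Alert:
    """Event action override: alerts above the threshold are also dropped inline."""
    if alert.risk_rating > DROP_THRESHOLD:
        alert.actions.add("deny-packet-inline")
    return alert


def tune(alerts):
    """Return (actionable alerts, what was filtered out and why)."""
    removed = {"false_positive": [], "informational": []}
    actionable = []
    for a in alerts:
        if is_known_false_positive(a):
            removed["false_positive"].append(a.sig_id)
        elif a.severity == "informational":
            removed["informational"].append(a.sig_id)
        else:
            actionable.append(apply_override(a))
    return actionable, removed


# Constructed sample alert stream.
SAMPLE_ALERTS = [
    Alert(2004, "informational", 100, "198.51.100.7", "10.0.2.10"),    # ICMP echo, informational
    Alert(3050, "medium", 80, "10.0.1.10", "10.0.2.10"),                # load balancer health checks
    Alert(5081, "high", 85, "10.0.5.5", "10.0.2.20"),                   # scanner probing
    Alert(5081, "high", 85, "203.0.113.9", "10.0.2.20", relevance=10),  # RR 95: drop inline
    Alert(1204, "medium", 80, "203.0.113.9", "10.0.2.30"),              # RR 60: alert only
]

if __name__ == "__main__":
    kept, dropped = tune(SAMPLE_ALERTS)
    for a in kept:
        print(a.sig_id, a.attacker, "RR", a.risk_rating, sorted(a.actions))
    print("removed:", dropped)
```

The two alerts that survive are the ones worth an analyst's time: the external source hitting a high-severity signature on a relevant host (risk rating 95, dropped inline by the override) and a medium-risk event that stays alert-only for research.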
IPS Configuration
Procedure
Step 1: Install and connect the device to your network. Install the
device software and perform basic device configuration. Install
the licenses required for all of the services running on the
device.
Step 2: Add the device to the Security Manager device inventory.
Step 3: Configure the interfaces as described in Configuring
Interfaces.
Step 4: Use the Virtual Sensors policy to assign interfaces to the
virtual sensors.
Step 5: Configure basic device access platform policies.
Step 6: Configure basic server access platform policies.
Step 7: Configure the Logging policy if you want non-default
logging.
Procedure
Step 8: Configure IPS signatures and event
actions.
Step 9: Configure blocking or rate limiting hosts.
Step 10: Configure other desired advanced IPS
services.
Step 11: Maintain the device.
Step 12: Monitor the device.
Identifying Allowed Hosts
Step 1: Do one of the following to open the
Allowed Hosts policy:
- (Device view) Select Platform > Device
Admin > Device Access > Allowed Hosts from the
Policy selector.
- (Policy view) Select IPS > Platform >
Device Admin > Allowed Hosts, then select an
existing policy or create a new one.
Identifying Allowed Hosts
Step 2: Do one of the following:
- To add an entry, click the Add Row button
and fill in the Access List dialog box.
- You can add up to 512 entries.
- To edit an entry, select it and click the
Edit Row button.
- To delete an entry, select it and click the
Delete Row button.
Identifying Allowed Hosts
Step 3: When adding or editing an entry, specify
the host or network address in the Add or
Modify Access List dialog box, then click OK. You
can enter addresses using the following formats:
- Host address—A simple IP address, such
as 10.100.10.10.
- Network address—A network address
and mask, such as 10.100.10.0/24 or
10.100.10.0/255.255.255.0.
Identifying Allowed Hosts
- A network/host policy object—Click Select to
select an existing object or to create a new one.
To use the object in this policy, it must have a
single value, either a single network or a single
host.
Configuring SNMP
Step 1: Do one of the following to open the
SNMP policy:
- (Device view) Select Platform > Device
Admin > Device Access > SNMP from the Policy
selector.
- (Policy view) Select IPS > Platform >
Device Admin > Device Access > SNMP, then
select an existing policy or create a new one.
Configuring SNMP
Step 2: On the General Configuration tab,
configure at least the following options.
– Enable SNMP Gets/Sets
– Read-Only Community String
– Read-Write Community String
(For SNMPv1/v2c the community strings are the only
credential for gets and sets and travel in cleartext,
so do not leave them at their defaults, and restrict
who can reach the sensor with the Allowed Hosts policy.)
Step 3: If you want to configure SNMP traps, click the
SNMP Trap Configuration tab and configure at least the
following options.
- Enable Notifications
- Trap Destinations
Configuring SNMP
Step 4: If you configure trap destinations, you
must also ensure that the desired alerts include
the Request SNMP Trap action. You have the
following options for adding this action:
- Easy way
- Precise way
Step 5: Add the SNMP management stations to
the Allowed Hosts policy. The management
stations must be allowed hosts to access the
sensor.
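An added example (not code from the slides or from Security Manager) that ties the Allowed Hosts section to Step 5 here: it parses entries in the three formats the policy accepts (host address, prefix/length, prefix/dotted mask), enforces the 512-entry limit, flags overly broad entries, and checks that every SNMP management station is covered before the policy is deployed. The addresses, the list of management stations and the "broader than /16" warning threshold are constructed assumptions.

```python
"""Validate Allowed Hosts entries and confirm the SNMP management stations
are inside them. The policy contents and stations below are constructed."""
from ipaddress import ip_address, ip_network

MAX_ENTRIES = 512       # limit stated for the Allowed Hosts policy
BROAD_PREFIXLEN = 16    # assumption: anything broader than /16 deserves a second look


def parse_allowed_host(entry: str):
    """Accept 10.100.10.10, 10.100.10.0/24 or 10.100.10.0/255.255.255.0.
    A bare host becomes a /32. Entries with host bits set under the mask
    (e.g. 10.100.10.5/24) raise ValueError instead of being silently widened."""
    return ip_network(entry.strip(), strict=True)


def is_valid_entry(entry: str) -> bool:
    try:
        parse_allowed_host(entry)
        return True
    except ValueError:
        return False


def build_access_list(entries):
    """Parse every entry, failing loudly on the first bad one or on overflow."""
    nets = []
    for entry in entries:
        try:
            nets.append(parse_allowed_host(entry))
        except ValueError as exc:
            raise ValueError(f"bad Allowed Hosts entry {entry!r}: {exc}") from exc
    if len(nets) > MAX_ENTRIES:
        raise ValueError(f"{len(nets)} entries exceeds the {MAX_ENTRIES}-entry limit")
    return nets


def is_allowed(host: str, access_list) -> bool:
    return any(ip_address(host) in net for net in access_list)


def audit(entries, management_stations):
    """Return (warnings about broad entries, stations the sensor would refuse)."""
    acl = build_access_list(entries)
    warnings = [f"{net} is broad ({net.num_addresses} addresses); prefer a management subnet"
                for net in acl if net.prefixlen < BROAD_PREFIXLEN]
    missing = [s for s in management_stations if not is_allowed(s, acl)]
    return warnings, missing


# Constructed policy and SNMP management stations / trap destinations.
ALLOWED_HOSTS = ["10.100.10.10", "10.100.10.0/24", "172.16.0.0/255.255.0.0", "10.0.0.0/8"]
SNMP_STATIONS = ["10.100.10.50", "172.16.4.9", "192.0.2.25"]

if __name__ == "__main__":
    warns, missing = audit(ALLOWED_HOSTS, SNMP_STATIONS)
    for w in warns:
        print("WARN", w)
    for s in missing:
        print("MISSING", s, "is not an allowed host; SNMP from it will be refused")
```

Run this against the policy before pushing it: a trap destination that is not also an allowed host produces no error in the GUI, it simply never gets an answer from the sensor.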
IPS user accounts, and Security
Manager discovery and
deployment considerations
• Understanding IPS User Roles
• Understanding Managed and Unmanaged IPS
Passwords
• Understanding How IPS Passwords are
Discovered and Deployed
• Configuring IPS User Accounts
• Configuring User Password Requirements
• Configuring AAA Access Control for IPS
Devices
Understanding IPS User Roles
• Four User Roles:
– Viewer
– Operator
– Administrator
– Service
Understanding Managed and
Unmanaged IPS Passwords
• The status of a password is indicated in the Is
Password Managed? column of the Platform >
Device Admin > Device Access > User
Accounts policy:
- No - the password for this account is not
configured in Security Manager.
- Yes - the password for this account was
configured or updated in Security Manager.
Understanding How IPS Passwords
are Discovered and Deployed
• Discovery
– Active
– Expired
– Locked
• Deployment
Configuring IPS User Accounts
• The user accounts policy should have at least
these accounts:
– Cisco
– An administrator account
– Cisco IOS IPS devices use the same user accounts
that are defined for the router
Configuring User Password
Requirements
• To configure IPS password requirements,
select one of the following policies:
– Device view
Select Platform > Device Admin > Device Access >
Password Requirements from the Policy selector.
– Policy view
Select IPS > Platform > Device Admin > Password
Requirements from the Policy Type selector,
then select an existing policy or create a new
one.
Configuring AAA Access Control for
IPS Devices
• When you configure the AAA server object,
you must adhere to the following restrictions:
– Host
– Timeout
– Protocol
– Key
– Port
