Szerkesztő:LinguisticMystic/ru/безопасность/11
🚨 11.0. Module 11: IPS Technologies Introduction
[szerkesztés]Intrusion Prevention Systems (IPS) are essential security technologies used to detect, analyze, and prevent cyber threats in real time. IPS solutions actively block malicious traffic before it can harm the network.
🌟 1. Why Are IPS Technologies Important?
[szerkesztés]✅ Real-Time Threat Prevention – Blocks attacks before they impact the network.
✅ Deep Packet Inspection (DPI) – Analyzes packet contents for suspicious patterns.
✅ Signature-Based Detection – Identifies known threats using a database of attack patterns.
✅ Anomaly-Based Detection – Detects unusual network behavior to identify new threats.
✅ Complements Firewalls – Works alongside firewalls to provide comprehensive protection.
🔑 2. Intrusion Detection vs. Intrusion Prevention
[szerkesztés]| Feature | Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) |
|---|---|---|
| Primary Function | Monitors & detects attacks | Detects & actively blocks attacks |
| Traffic Handling | Passive – Alerts admins but does not block traffic | Active – Blocks traffic automatically |
| Placement | Inside the network for monitoring | Inline with traffic flow |
| Response | Sends logs & alerts | Blocks malicious packets in real-time |
🔹 IPS is a proactive security solution, while IDS is reactive. Many modern IPS systems combine both detection and prevention features.
🛠️ 3. IPS Deployment Methods
[szerkesztés]| Deployment Model | Description | Example |
|---|---|---|
| Network-Based IPS (NIPS) | Monitors traffic across the entire network. | Protects critical servers and internal networks. |
| Host-Based IPS (HIPS) | Runs on individual devices to prevent local threats. | Protects endpoints, workstations, and servers. |
| Cloud-Based IPS | Analyzes network traffic in the cloud before reaching internal systems. | Protects cloud applications and services. |
🔥 4. IPS Detection Techniques
[szerkesztés]
✅ 1. Signature-Based Detection
[szerkesztés]- Compares network traffic to a database of known attack patterns.
- Works well for detecting well-known attacks (e.g., SQL injection, buffer overflows).
✅ 2. Anomaly-Based Detection
[szerkesztés]- Identifies deviations from normal traffic behavior.
- Useful for detecting zero-day attacks and unknown threats.
✅ 3. Policy-Based Detection
[szerkesztés]- Enforces predefined security policies (e.g., block specific applications).
- Used to prevent unauthorized access to certain network resources.
✅ 4. Reputation-Based Detection
[szerkesztés]- Uses global threat intelligence to block malicious IPs and domains.
- Protects against botnets, malware C2 servers, and phishing sites.
🔍 5. IPS Technologies in Action
[szerkesztés]
✅ Example: IPS Rule to Block SQL Injection Attacks
[szerkesztés]alert tcp any any -> any 80 (msg:"SQL Injection Attempt"; content:"UNION SELECT"; nocase; sid:1000001;)
🔹 Detects and blocks HTTP requests containing SQL injection keywords.
✅ 6. Best Practices for IPS Implementation
[szerkesztés]✔ Deploy IPS Inline with Critical Traffic – Protects key assets in real time.
✔ Regularly Update IPS Signatures – Ensures detection of new threats.
✔ Enable Logging & Alerts – Monitors attack attempts and blocked threats.
✔ Use a Hybrid Approach – Combine signature-based and anomaly-based detection.
✔ Integrate with SIEM Solutions – Helps with incident analysis and response.
🚀 Final Thoughts
[szerkesztés]IPS is a vital security layer that prevents attacks before they cause damage. When combined with firewalls, endpoint security, and SIEM, IPS enhances network security and compliance.
🔥 11.1. IDS and IPS Characteristics
[szerkesztés]Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical security tools that help organizations detect, analyze, and prevent cyber threats. While both technologies monitor network traffic for malicious activity, they have key differences in their functionality and response mechanisms.
🌟 1. What is an IDS (Intrusion Detection System)?
[szerkesztés]An Intrusion Detection System (IDS) is a passive monitoring tool that detects and alerts on suspicious or malicious activity but does not take any direct action to block threats.
✅ Key Characteristics of IDS
[szerkesztés]✔ Monitors traffic in real-time but does not stop threats.
✔ Generates alerts/logs for detected malicious activity.
✔ Operates out-of-band (passively listens to network traffic).
✔ Relies on administrators to respond manually to security incidents.
✔ Low impact on network performance (does not interrupt traffic flow).
📌 Example Use Cases for IDS
[szerkesztés]🔹 Detecting reconnaissance scans from attackers looking for vulnerabilities.
🔹 Logging unauthorized login attempts to sensitive systems.
🔹 Alerting on unusual network activity that may indicate a breach.
🌟 2. What is an IPS (Intrusion Prevention System)?
[szerkesztés]An Intrusion Prevention System (IPS) is an active security device that detects and blocks malicious traffic in real-time. Unlike IDS, an IPS is inline with network traffic and can automatically take action to stop attacks.
✅ Key Characteristics of IPS
[szerkesztés]✔ Monitors and blocks malicious traffic in real-time.
✔ Operates in-band (inline) between network devices.
✔ Takes automated actions such as dropping malicious packets, blocking IP addresses, or modifying firewall rules.
✔ Can prevent DoS (Denial of Service) and brute-force attacks.
✔ May introduce slight network latency due to real-time traffic analysis.
📌 Example Use Cases for IPS
[szerkesztés]🔹 Blocking SQL injection and cross-site scripting (XSS) attacks.
🔹 Preventing brute-force login attempts on SSH and RDP servers.
🔹 Stopping malware traffic before it reaches critical systems.
🔑 3. Differences Between IDS and IPS
[szerkesztés]| Feature | Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) |
|---|---|---|
| Function | Detects malicious activity but does not block it. | Detects and blocks threats in real-time. |
| Traffic Handling | Operates out-of-band (passive monitoring). | Operates in-line (actively blocks threats). |
| Response | Generates alerts/logs for security events. | Automatically stops malicious traffic. |
| Performance Impact | Minimal impact on network performance. | May introduce slight latency due to traffic filtering. |
| Action Taken | Requires manual intervention from administrators. | Takes immediate action (drops packets, blocks IPs). |
| Use Case | For monitoring and alerting on suspicious traffic. | For actively preventing cyber threats. |
🔹 IDS is a passive monitoring tool, while IPS actively blocks attacks before they cause damage.
🛠️ 4. How IDS and IPS Work in a Network
[szerkesztés]
✅ Intrusion Detection System (IDS) Deployment
[szerkesztés]- Placed out-of-band (not in the direct traffic path).
- Uses SPAN/Mirror ports on switches to copy traffic.
- Alerts administrators when a threat is detected.
Internet
│
[Firewall] ─── [Switch (SPAN Port)] ─── [IDS]
│
[Internal Network]
🔹 IDS monitors but does not interfere with traffic.
✅ Intrusion Prevention System (IPS) Deployment
[szerkesztés]- Placed in-line between network devices.
- Actively blocks malicious traffic.
- Works with firewalls and SIEM tools for enhanced protection.
Internet
│
[Firewall] ─── [IPS] ─── [Internal Network]
🔹 IPS actively filters and blocks malicious traffic.
🔍 5. IDS and IPS Detection Methods
[szerkesztés]| Detection Method | Description | Example |
|---|---|---|
| Signature-Based Detection | Uses a database of known attack patterns to identify threats. | Detects known malware and exploits. |
| Anomaly-Based Detection | Identifies traffic that deviates from normal network behavior. | Detects zero-day attacks. |
| Heuristic-Based Detection | Uses AI and machine learning to analyze traffic for suspicious activity. | Identifies advanced persistent threats (APTs). |
| Policy-Based Detection | Blocks traffic based on predefined security policies. | Prevents unauthorized access to sensitive resources. |
🔹 Most modern IPS solutions use a combination of these methods to provide comprehensive security.
🔥 6. Example IDS & IPS Configurations
[szerkesztés]
✅ 1. IDS Example: Logging Unauthorized SSH Attempts
[szerkesztés]ip ips name IDS_MONITOR
event-action produce-alert
ip ips signature-category
category all
retired false
!
interface GigabitEthernet0/1
ip ips IDS_MONITOR in
🔹 Generates an alert but does not block traffic.
✅ 2. IPS Example: Blocking ICMP (Ping) Attacks
[szerkesztés]access-list 150 deny icmp any any
access-list 150 permit ip any any
ip ips audit-configuration
ip ips apply access-list 150
🔹 Blocks ping scans used for reconnaissance.
✅ 7. Best Practices for IDS & IPS Deployment
[szerkesztés]✔ Use IDS for Visibility & Monitoring – Helps identify attack patterns without impacting traffic.
✔ Deploy IPS for Real-Time Threat Prevention – Blocks malware, DoS, and exploit attempts.
✔ Regularly Update IDS/IPS Signature Databases – Protects against new threats and vulnerabilities.
✔ Enable Logging and Alerts – Helps security teams investigate suspicious activities.
✔ Fine-Tune Detection Rules – Avoid false positives to prevent unnecessary disruptions.
✔ Integrate with SIEM Solutions – Enhances incident response and forensics analysis.
🚀 Final Thoughts
[szerkesztés]IDS and IPS are critical security tools for modern networks. While IDS provides visibility and alerting, IPS actively blocks threats before they cause damage. A layered security approach that integrates both IDS and IPS can significantly improve an organization’s cybersecurity posture.
🔥 11.2. IPS Implementations
[szerkesztés]Intrusion Prevention Systems (IPS) are critical security components that actively detect, analyze, and prevent threats in real time. Implementing an IPS correctly ensures that malicious activity is blocked before it can impact network operations.
🌟 1. Types of IPS Implementations
[szerkesztés]| IPS Implementation | Description | Example Use Case |
|---|---|---|
| Network-Based IPS (NIPS) | Monitors and protects entire networks. | Deployed at the perimeter to filter malicious traffic from the internet. |
| Host-Based IPS (HIPS) | Installed on individual hosts to detect and block attacks. | Used on critical servers to prevent unauthorized access. |
| Cloud-Based IPS | Protects cloud workloads and applications. | Deployed in AWS, Azure, or Google Cloud. |
| Next-Generation IPS (NGIPS) | Uses AI, machine learning, and deep packet inspection (DPI) for advanced threat prevention. | Used in enterprise environments for proactive security. |
🔹 Most organizations use a combination of IPS implementations to secure different parts of their network.
🔑 2. Placement of IPS in a Network
[szerkesztés]| Deployment Model | Placement | Purpose |
|---|---|---|
| Inline Mode (Active) | IPS is placed directly in the traffic path. | Blocks malicious traffic in real time. |
| Promiscuous Mode (Passive) | IPS receives a copy of network traffic via a SPAN/Mirror port. | Detects threats but does not block them. |
✅ Example: IPS Placement in a Network
[szerkesztés] Internet
│
[Firewall] ─── [IPS] ─── [Internal Network]
🔹 Inline IPS actively prevents threats, while promiscuous mode only detects them.
🛠️ 3. Configuring IPS on Cisco Devices
[szerkesztés]
✅ Step 1: Enable IPS on an Interface
[szerkesztés]interface GigabitEthernet0/1
ip ips name SECURE_NET in
🔹 Applies IPS rules to incoming traffic on the interface.
✅ Step 2: Define IPS Rules for Attack Prevention
[szerkesztés]📌 Example: Block Unauthorized SSH Access
ip ips name BLOCK_SSH
event-action deny-attacker-inline
!
ip ips signature-category
category all
retired false
!
interface GigabitEthernet0/0
ip ips BLOCK_SSH in
🔹 Automatically blocks attackers attempting SSH brute-force attacks.
✅ Step 3: Configure IPS to Log Suspicious Traffic
[szerkesztés]📌 Example: Log All Denied Packets
access-list 150 deny ip any any log
ip ips audit-configuration
ip ips apply access-list 150
🔹 Records all blocked traffic for forensic analysis.
🔍 4. Verifying IPS Functionality
[szerkesztés]
✅ Check IPS Status
[szerkesztés]show ip ips signatures
✅ Monitor IPS Alerts
[szerkesztés]show logging | include IPS
✅ Test IPS Blocking (Simulated Attack)
[szerkesztés]nmap -sS -p 22 192.168.1.1
🔹 IPS should detect and block unauthorized SSH scans.
✅ 5. Best Practices for IPS Implementations
[szerkesztés]✔ Deploy IPS at Key Network Locations – Perimeter, DMZ, and internal network segments.
✔ Use Inline Mode for Active Prevention – Ensures real-time blocking of threats.
✔ Enable Regular IPS Signature Updates – Protects against new and emerging threats.
✔ Fine-Tune IPS Rules to Reduce False Positives – Prevents legitimate traffic from being blocked.
✔ Integrate IPS with SIEM Solutions – Enhances security monitoring and incident response.
🚀 Final Thoughts
[szerkesztés]Intrusion Prevention Systems (IPS) are critical for modern cybersecurity. Properly implementing an IPS helps prevent unauthorized access, malware, and network attacks before they cause damage.
🔥 11.3. IPS on Cisco ISRs (Integrated Services Routers)
[szerkesztés]Cisco Integrated Services Routers (ISRs) support Intrusion Prevention Systems (IPS) to detect, prevent, and block threats in real-time. This built-in security feature allows ISRs to function as firewall, router, and IPS in a single device.
🌟 1. Why Use IPS on Cisco ISRs?
[szerkesztés]✅ Real-Time Threat Prevention – Detects and blocks malware, DoS attacks, and unauthorized access.
✅ Integrated Security – Eliminates the need for separate IPS appliances.
✅ Network-Wide Protection – Filters malicious traffic at the network perimeter.
✅ Reduced Latency – Inspects packets directly on the router, improving efficiency.
✅ Cost-Effective – Provides enterprise-level security without additional hardware.
🔑 2. How IPS Works on Cisco ISRs
[szerkesztés]
🔹 IPS on Cisco ISRs Functions By:
[szerkesztés]✔ Inspecting incoming and outgoing traffic for suspicious patterns.
✔ Using signature-based and anomaly detection to identify threats.
✔ Blocking or alerting on malicious activity in real time.
✔ Logging and reporting security incidents for further analysis.
✅ Network Placement Example
[szerkesztés] Internet
│
[ISP Router]
│
[ISR with IPS] <--- Analyzes traffic, blocks threats
│
[Internal Network]
🔹 IPS inspects and filters traffic before it reaches internal systems.
🛠️ 3. Configuring IPS on a Cisco ISR
[szerkesztés]
✅ Step 1: Enable IPS on the Router
[szerkesztés]ip ips name MY_IPS_RULES
ip ips signature-category
category all
retired false
!
interface GigabitEthernet0/1
ip ips MY_IPS_RULES in
🔹 IPS is applied to incoming traffic on the interface.
✅ Step 2: Enable Signature-Based Detection
[szerkesztés]ip ips signature-definition
category all
retired false
🔹 This enables predefined attack signatures for detection.
✅ Step 3: Block Attackers Automatically
[szerkesztés]ip ips name BLOCK_ATTACKS
event-action deny-attacker-inline
🔹 Automatically blocks IPs involved in malicious activity.
✅ Step 4: Configure IPS Logging
[szerkesztés]logging buffered 100000
logging trap notifications
logging console informational
logging monitor debugging
🔹 Stores security events for monitoring and forensic analysis.
🔍 4. Verifying IPS Operation on Cisco ISR
[szerkesztés]
✅ Check IPS Status
[szerkesztés]show ip ips statistics
🔹 Displays IPS activity, blocked attacks, and alerts.
✅ Monitor IPS Logs for Alerts
[szerkesztés]show logging | include IPS
✅ Test IPS Blocking (Simulated Attack)
[szerkesztés]nmap -sS -p 22 192.168.1.1
🔹 IPS should detect and block unauthorized SSH scans.
✅ 5. Best Practices for IPS on Cisco ISRs
[szerkesztés]✔ Deploy IPS at the Perimeter – Protects against external threats.
✔ Use Stateful Inspection – Filters only suspicious traffic to minimize performance impact.
✔ Enable Regular IPS Signature Updates – Protects against new attack patterns.
✔ Fine-Tune IPS Rules – Avoid false positives that block legitimate users.
✔ Integrate IPS with SIEM Solutions – Improves security monitoring and incident response.
🚀 Final Thoughts
[szerkesztés]Cisco ISR IPS provides strong security, preventing threats at the network edge. With real-time traffic inspection, automatic blocking, and logging, IPS on ISRs enhances network security without requiring additional hardware.
🔍 11.4. Cisco Switched Port Analyzer (SPAN)
[szerkesztés]The Cisco Switched Port Analyzer (SPAN) feature allows network administrators to monitor and analyze network traffic by mirroring it from one switch port (or VLAN) to another. SPAN is commonly used for Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and network troubleshooting.
🌟 1. Why Use SPAN?
[szerkesztés]✅ Traffic Monitoring – Captures network packets for security analysis.
✅ IDS/IPS Integration – Sends mirrored traffic to security appliances for real-time threat detection.
✅ Network Troubleshooting – Helps diagnose latency issues, packet loss, and anomalies.
✅ Non-Disruptive Monitoring – No impact on the normal operation of network traffic.
✅ Performance Optimization – Analyzes bandwidth usage and application behavior.
🔑 2. How SPAN Works
[szerkesztés]SPAN works by copying traffic from a source interface or VLAN and sending it to a destination port where a monitoring tool (e.g., Wireshark, IDS, IPS) can analyze it.
✅ SPAN Traffic Flow Example
[szerkesztés][Source Port] ---> [SPAN Session] ---> [Destination Port (Monitor)]
🛠️ 3. Configuring SPAN on a Cisco Switch
[szerkesztés]
✅ Step 1: Define a SPAN Session
[szerkesztés]monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/2
🔹 Mirrors traffic from Gig0/1 (source) to Gig0/2 (destination).
✅ Step 2: Configure VLAN-Based SPAN (VSPAN)
[szerkesztés]monitor session 2 source vlan 10
monitor session 2 destination interface GigabitEthernet0/3
🔹 Mirrors all traffic from VLAN 10 to Gig0/3.
✅ Step 3: Configure Remote SPAN (RSPAN) for Traffic Across Switches
[szerkesztés]🔹 RSPAN allows mirroring traffic between different switches over a VLAN.
1️⃣ Create an RSPAN VLAN
[szerkesztés]vlan 999
remote-span
2️⃣ Configure the Source SPAN Session on Switch A
[szerkesztés]monitor session 3 source interface GigabitEthernet0/1
monitor session 3 destination remote vlan 999
3️⃣ Configure the Destination SPAN Session on Switch B
[szerkesztés]monitor session 4 source remote vlan 999
monitor session 4 destination interface GigabitEthernet0/2
🔹 Traffic from Gig0/1 on Switch A is mirrored to Gig0/2 on Switch B over VLAN 999.
🔍 4. Verifying SPAN Configuration
[szerkesztés]
✅ Check SPAN Sessions
[szerkesztés]show monitor session 1
🔹 Displays active SPAN sessions and mirrored interfaces.
✅ Monitor Traffic Using Wireshark or IDS/IPS
[szerkesztés]- Connect a laptop or security appliance to the SPAN destination port.
- Use Wireshark or an IDS/IPS to analyze captured traffic.
✅ 5. Best Practices for SPAN Configuration
[szerkesztés]✔ Limit SPAN Traffic Volume – Avoid high traffic loads that could impact switch performance.
✔ Use RSPAN for Remote Monitoring – Enables traffic analysis across multiple switches.
✔ Monitor Only Necessary Ports/VLANs – Reduces unnecessary traffic duplication.
✔ Integrate with IDS/IPS for Security – Enhances real-time threat detection and prevention.
✔ Verify SPAN Performance – Ensure SPAN sessions do not overload the switch CPU.
🚀 Final Thoughts
[szerkesztés]Cisco SPAN is a powerful tool for network traffic monitoring, security analysis, and troubleshooting. It enables real-time visibility into network activity and supports IDS/IPS integration for proactive threat detection.
🔥 11.5. IPS Technologies Summary
[szerkesztés]Intrusion Prevention Systems (IPS) play a crucial role in network security by detecting, analyzing, and blocking threats in real-time. IPS technologies are used to prevent cyberattacks, unauthorized access, and malicious traffic from impacting an organization’s network.
🌟 1. Why Are IPS Technologies Important?
[szerkesztés]✅ Proactive Threat Prevention – Blocks malware, DoS/DDoS attacks, and exploits before they reach network resources.
✅ Real-Time Detection & Response – Automatically identifies and mitigates threats based on predefined security rules.
✅ Minimizes Security Risks – Reduces exposure to network vulnerabilities and attack surfaces.
✅ Improves Compliance & Security Posture – Helps meet NIST, PCI-DSS, ISO 27001, and HIPAA security standards.
✅ Enhances Network Visibility – Provides detailed insights into network traffic and security events.
🔑 2. Types of IPS Implementations
[szerkesztés]| IPS Type | Description | Example Use Case |
|---|---|---|
| Network-Based IPS (NIPS) | Monitors and protects network traffic at key points (e.g., perimeter, DMZ). | Deployed at the network edge to filter internet traffic. |
| Host-Based IPS (HIPS) | Installed on individual hosts (e.g., servers, workstations) to detect and prevent threats. | Used on critical servers to block unauthorized access. |
| Cloud-Based IPS | Provides IPS-as-a-Service to monitor and secure cloud environments. | Used in AWS, Azure, and Google Cloud deployments. |
| Next-Generation IPS (NGIPS) | Uses AI, machine learning, and behavior-based detection to identify complex threats. | Stops zero-day attacks and advanced persistent threats (APTs). |
🔍 3. IDS vs. IPS: Key Differences
[szerkesztés]| Feature | Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) |
|---|---|---|
| Function | Monitors & detects threats, but does not block them. | Detects and blocks malicious activity. |
| Traffic Handling | Operates out-of-band (passive monitoring). | Operates inline (actively prevents threats). |
| Response | Generates alerts/logs for administrators. | Automatically blocks malicious traffic. |
| Impact on Performance | Minimal network impact. | May introduce slight latency due to real-time filtering. |
🔹 IDS is passive (alerts only), while IPS actively blocks threats.
🛠️ 4. Key IPS Detection Methods
[szerkesztés]| Detection Method | Description | Example |
|---|---|---|
| Signature-Based Detection | Matches traffic against a database of known attack patterns. | Detects malware and exploits. |
| Anomaly-Based Detection | Identifies traffic that deviates from normal network behavior. | Detects zero-day attacks. |
| Heuristic-Based Detection | Uses AI and machine learning to predict threats. | Identifies evasive malware. |
| Policy-Based Detection | Blocks traffic based on predefined security policies. | Prevents unauthorized access to sensitive resources. |
🔹 Most modern IPS solutions use a combination of these methods for enhanced security.
🔥 5. IPS Deployment on Cisco Devices
[szerkesztés]
✅ 1. IPS on Cisco ISRs (Integrated Services Routers)
[szerkesztés]ip ips name BLOCK_ATTACKS
event-action deny-attacker-inline
interface GigabitEthernet0/1
ip ips BLOCK_ATTACKS in
🔹 Automatically blocks malicious traffic on the router.
✅ 2. IPS on Cisco Firepower (NGIPS)
[szerkesztés]firepower-threat-defense
enable intrusion prevention
policy enforce strict
🔹 Activates advanced IPS protection with deep packet inspection.
✅ 3. Using SPAN for IPS Monitoring
[szerkesztés]monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/2
🔹 Mirrors traffic for analysis by an external IPS system.
✅ 6. Best Practices for IPS Deployment
[szerkesztés]✔ Deploy IPS at Critical Network Locations – Perimeter, DMZ, and core networks.
✔ Use Inline Mode for Active Threat Prevention – Ensures real-time blocking.
✔ Regularly Update IPS Signatures – Protects against new and emerging threats.
✔ Fine-Tune IPS Rules to Reduce False Positives – Prevents unnecessary disruptions.
✔ Integrate IPS with Firewalls & SIEM Solutions – Improves incident response and forensics.
✔ Monitor IPS Logs for Suspicious Activity – Helps identify attack trends and security incidents.
🚀 Final Thoughts
[szerkesztés]IPS technologies are critical for modern network security. They provide proactive protection against cyber threats, malware, and zero-day exploits. By deploying IPS effectively, organizations can ensure real-time threat prevention and improve overall security posture.