Firewall Techniques
network layer access control
decisions based on Layers 2 through 4, or the data link, network, and transport layers.
application layer access control
Layers 5 through 7, or the session, presentation, and application layers.
пятница, 29 августа 2014 г.
ASA memo-simple tutorial
network layer access control
decisions based on Layers 2 through 4, or the data link, network, and transport layers.
application layer access control
Layers 5 through 7, or the session, presentation, and application layers.
четверг, 28 августа 2014 г.
IPS False Positives and Negatives
False Positives
False positives are events where the sensor reacts or responds to traffic that is not malicious. This would represent an error in the network environment the sensor is in. For two different networks, the attack might be a false positive in one and correct in the other. It depends on what type of traffic is permitted or acceptable on each network. A false positive can be caused by signatures that are too general in their attack-matching criteria and fire off on both malicious and nonmalicious traffic.
False Negatives
False negatives are events where the sensor doesn’t fire off any alerts, or produce any actions, even when the sensor has seen malicious traffic. One network’s malicious traffic can be a different network’s acceptable traffic. This would represent an error from an IPS perspective and can be caused by a signature that is too specific in its matching criteria. This could also be caused by evasion techniques the attacker is using or by signatures being disabled that might have been able to identify the attack. Table 13-2 shows some examples of false positives.
False positives are events where the sensor reacts or responds to traffic that is not malicious. This would represent an error in the network environment the sensor is in. For two different networks, the attack might be a false positive in one and correct in the other. It depends on what type of traffic is permitted or acceptable on each network. A false positive can be caused by signatures that are too general in their attack-matching criteria and fire off on both malicious and nonmalicious traffic.
False Negatives
False negatives are events where the sensor doesn’t fire off any alerts, or produce any actions, even when the sensor has seen malicious traffic. One network’s malicious traffic can be a different network’s acceptable traffic. This would represent an error from an IPS perspective and can be caused by a signature that is too specific in its matching criteria. This could also be caused by evasion techniques the attacker is using or by signatures being disabled that might have been able to identify the attack. Table 13-2 shows some examples of false positives.
| ICMP Network Sweep w/Echo | ICMP reconnaissance | Network mapping tools being run by management host |
| Failed Login | Brute-force attack or password guessing | Valid user forgot password and was making several attempts |
| UDP Flood | UDP DoS attack | Video or voice calls, using lots of UDP |
воскресенье, 24 августа 2014 г.
IPS Custom Signatures
| Traffic Analysis Method | Cisco IPS Inspection Engines |
| Packet header matching | Atomic |
| Packet content matching | Atomic |
| Stateful content matching | String |
| Protocol decoding | Service |
| Rate analysis | Flood |
| Traffic correlation | Sweep |
| Event correlation | Meta |
Creating Custom Signature Guidelines:
IPS anomaly overview and components
Anomaly Detection Overview
The IPS anomaly detection feature is a statistical anomaly-based system. Its purpose is to identify and prevent scanning network worms. A scanning network worm spreads by blindly scanning a network to find victims and then compromising those victims through network attacks. These attacks are typically against exposed network services.
IPS Traffic normalization and signatures
Understanding Cisco IPS Sensor Inline Traffic Normalization
The Cisco IPS Sensor traffic normalizer is a function performed by the SensorApp application in inline mode. A function of the normalizer identifies and stops users from trying low-level evasive techniques to evade detection. The normalizer ensures low-level (mostly IP and TCP) protocol conformance, tracks session state, modifies ambiguously fragmented traffic to remove ambiguities, and properly orders segments to present normalized data to application layer inspectors.
The inline traffic normalizer enforces all anti-evasion checks to traffic incoming from inline traffic sources by operating in its Strict Evasion Protection mode. The normalizer operates in this mode by default, and it is the recommended mode by Cisco best practices. The normalizer can optionally be switched to Asymmetric Mode Protection. While in Asymmetric Mode Protection, most anti-evasion countermeasures are disabled, but the sensor is able to analyze asymmetric traffic. Also in this mode, the sensor only sees one direction of a session. Asymmetric Mode Protection of the traffic normalizer should only be used if asymmetric traffic flows are being inspected and remediation cannot be done by forcing symmetric traffic flows.
The Cisco IPS Sensor traffic normalizer is a function performed by the SensorApp application in inline mode. A function of the normalizer identifies and stops users from trying low-level evasive techniques to evade detection. The normalizer ensures low-level (mostly IP and TCP) protocol conformance, tracks session state, modifies ambiguously fragmented traffic to remove ambiguities, and properly orders segments to present normalized data to application layer inspectors.
The inline traffic normalizer enforces all anti-evasion checks to traffic incoming from inline traffic sources by operating in its Strict Evasion Protection mode. The normalizer operates in this mode by default, and it is the recommended mode by Cisco best practices. The normalizer can optionally be switched to Asymmetric Mode Protection. While in Asymmetric Mode Protection, most anti-evasion countermeasures are disabled, but the sensor is able to analyze asymmetric traffic. Also in this mode, the sensor only sees one direction of a session. Asymmetric Mode Protection of the traffic normalizer should only be used if asymmetric traffic flows are being inspected and remediation cannot be done by forcing symmetric traffic flows.
суббота, 23 августа 2014 г.
Accessing and Using the Cisco IPS Sensor CLI and IDM
You can access the CLI of a sensor appliance in one of three ways:
- SSH (Secure Shell)
- Telnet (disabled by default)
- Serial interface connection
четверг, 21 августа 2014 г.
IPS Deployment
Sensor Deployment Modes
- Promiscuous mode
- Inline interface pair mode
- Inline VLAN pair mode
- Inline VLAN group mode
- Selective inline analysis mode
воскресенье, 17 августа 2014 г.
IPS tutorial, basic concepts and terminology
SITUATIONS
■ True positive: A situation in which a signature fires correctly when intrusive traffic for that signature is detected on the network. The signature correctly identifies an attack against the network. This represents normal and optimal operation.
Атаки обнаруживаются корректно. Нормальный режим работы.
■ False positive: A situation in which normal user activity triggers an alarm or response. This is a consequence of nonmalicious activity. This represents an error and generally is caused by excessively tight proactive controls or excessively relaxed reactive controls.
Ситуация, в которой деятельность обычного пользователя деятельность вызывает тревогу или срабатывание. Это является следствием либо слишком жёстких политик мониторинга либо слишком мягкой политикой регламента работы персонала.
пятница, 15 августа 2014 г.
MPLS-TE
As I promised, a short briefing on the MPLS-TE.
CONFIGURATION CONCEPT
1) Configuring a Device to Support Tunnels
Enable standard CEF operation.
Enables the MPLS traffic engineering tunnel feature on a device.
and additionsRouter(config)# ip cef Router(config)# mpls traffic-eng tunnels
Router(config)#mpls traffic-eng logging lsp setups Router(config)#mpls traffic-eng logging lsp teardowns Router(config)#mpls traffic-eng reoptimize events link-up
среда, 13 августа 2014 г.
MPLS brief
MPLS is a simple protocol for me. But some of my colleagues in the discussion asked me to talk about it in more detail.
Terminology
LSR (Label Switch Router) -- Any router that pushes labels onto packets, pops labels from packets, or
simply forwards labeled packets.
CE -- Customer edge
simply forwards labeled packets.
CE -- Customer edge
PE -- Provider edge
E-LSR (Edge LSR) -- An LSR at the edge of the MPLS network, meaning that this router
processes both labeled and unlabeled packets.
Ingress E-LSR -- For a particular packet, the router that receives an unlabeled packet and then
inserts a label stack in front of the IP header.
Egress E-LSR -- For a particular packet, the router that receives a labeled packet and then
removes all MPLS labels, forwarding an unlabeled packet.
ATM-LSR -- An LSR that runs MPLS protocols in the control plane to set up ATM
virtual circuits. Forwards labeled packets as ATM cells.
ATM E-LSR -- An E-edge LSR that also performs the ATM Segmentation and Reassembly
(SAR) function.
TE -- Traffic Engineering
CEF -- Cisco Express Forwarding
RIB -- Routing Information Base
processes both labeled and unlabeled packets.
Ingress E-LSR -- For a particular packet, the router that receives an unlabeled packet and then
inserts a label stack in front of the IP header.
Egress E-LSR -- For a particular packet, the router that receives a labeled packet and then
removes all MPLS labels, forwarding an unlabeled packet.
ATM-LSR -- An LSR that runs MPLS protocols in the control plane to set up ATM
virtual circuits. Forwards labeled packets as ATM cells.
ATM E-LSR -- An E-edge LSR that also performs the ATM Segmentation and Reassembly
(SAR) function.
TE -- Traffic Engineering
CEF -- Cisco Express Forwarding
RIB -- Routing Information Base
FIB -- Forwarding Information Base
LFIB -- Label Forwarding Information Base
LFIB -- Label Forwarding Information Base
LIB -- Label Information Base. LSRs store labels and related information inside. The LIB essentially
holds all the labels and associated information that could possibly be used to forward packets.
holds all the labels and associated information that could possibly be used to forward packets.
воскресенье, 10 августа 2014 г.
QoS для совсем чайников, вдруг кому поможет :)
| Что такое ToS, DSCP, CoS, QoS. |  |
Для начала расшифруем аббревиатуры.
Термин QoS объединяет три термина: 1) ToS 2) DSCP 3) CoS. QoS - в построении и обработке очереди пакетов с разным приоритетом по одному из алгоритмов
QoS Layer 3 (ToS , DSCP)
Аббревиатуры ToS и DSCP родственны - используются для обозначения специального байта данных стандартного заголовка IP-пакета. Этот байт несет информацию о приоритете трафика, который в бизнес-трафике обычно назначается для пакетов IP-телефонии (третий сетевой уровень L3). Поскольку этот один и тот же байт иногда интерпретируется по-разному (либо как ToS байт, либо как DS/DSCP байт), получается некоторая путаница, хотя смысл и принцип технологии приоритезации не меняется - пакеты, помеченные более высоким приоритетом, передаются быстрее (менее приоритетные становятся в очередь). Накладывание на пакеты битов приоритета еще называют "маркированием" трафика, и чтобы приоритезация действительно работала, на всем пути прохождения трафика биты приоритета должны быть проанализированы и обработаны на активном сетевом оборудовании (настраиваемые роутеры и коммутаторы). На рисунке показано расположение бит байта маркировки трафика (красным помечена наиболее важная, серым - неиспользуемая часть).  Когда используют терминологию ToS, то в контексте приоретизации имеют в виду 3 старшие бита P2..P0, кодирующие уровень приоритета от 0 (минимальный приоритет) до 7 (максимальный приоритет). Для IP-телефонии применяется уровень приоритета: 5 (critical, ToS-байт равен 0xA0 или 10100000b). Для обычного трафика уровень проритета: 0 (routine, ToS-байт равен 0x00 или 00000000b) . У Cisco есть для каждого уровня приоритета специальное имя (precedence critical, precedence flash и т. д., см. таблицу). IP Precedence Value
Когда используют терминологию DSCP, имеются в виду 6 старших бит DS5..DS0, где DS5..DS3 кодируют уровень класса обслуживания от 0 (минимальный приоритет) до 7 (максимальный приоритет) и приоритет удаления (от 0, когда приоритет удаления максимальный, до 7, когда приоритет удаления минимальный - кодирование приоритета удаления “обратное”). В итоге получается число от 0 до 63, кодирующее приоритет (чем больше число, тем трафик важнее). Такое многоуровневое кодирование приоритета часто оказывается избыточным, и поэтому используются только биты DS5..DS3. При IP-телефонии применяется класс сервиса 5 (DS-байт равен 0xA0 или 10100000b) Для обычного трафика класс сервиса 0 (DS-байт равен 0x00 или 00000000b). Сравните с ToS - изменилась только терминология, а значение байта передается то же самое. Буквенные мнемонические коды величины DSCP можно посмотреть командой: Router(config)# class-map match-all VOIP 1751-uut1(config-cmap)# match ip dscp ? <0-63> Differentiated services codepoint value af11 Match packets with AF11 dscp (001010) af12 Match packets with AF12 dscp (001100) af13 Match packets with AF13 dscp (001110) af21 Match packets with AF21 dscp (010010) af22 Match packets with AF22 dscp (010100) af23 Match packets with AF23 dscp (010110) af31 Match packets with AF31 dscp (011010) af32 Match packets with AF32 dscp (011100) af33 Match packets with AF33 dscp (011110) af41 Match packets with AF41 dscp (100010) af42 Match packets with AF42 dscp (100100) af43 Match packets with AF43 dscp (100110) cs1 Match packets with CS1(precedence 1) dscp (001000) cs2 Match packets with CS2(precedence 2) dscp (010000) cs3 Match packets with CS3(precedence 3) dscp (011000) cs4 Match packets with CS4(precedence 4) dscp (100000) cs5 Match packets with CS5(precedence 5) dscp (101000) cs6 Match packets with CS6(precedence 6) dscp (110000) cs7 Match packets with CS7(precedence 7) dscp (111000) default Match packets with default dscp (000000) ef Match packets with EF dscp (101110) Router1(config-cmap)# match ip dscp af31 Эти коды используются также при назначении трафику маркировки, при конфигурировании policy-map: !создается карта политики Police-GE0/1 policy-map Police-GE0/1 class Voice-GE0/1 priority 5000 set dscp ef class Route-GE0/1 set dscp cs6 priority 1000 class Signal-GE0/1 set dscp cs3 priority 4500 class class-default fair-queue
QoS Layer 2(CoS)
Когда используется термин CoS, то обычно имеется в виду перенос информации о приоритете на втором сетевом уровне L2 (MAC-адреса). При этом для кодирования приоритета используются 3 бита (получаются уровни от 0 до 7). Расположение этих бит в потоке данных зависит типа магистрального канала L2. Источник: http://microsin.net/adminstuff/cisco/tos-dscp-cos-qos.html |
Подписаться на:
Сообщения (Atom)