Thursday, August 21, 2014

IPS Deployment

Sensor Deployment Modes

  • Promiscuous mode
  • Inline interface pair mode
  • Inline VLAN pair mode
  • Inline VLAN group mode
  • Selective inline analysis mode



Deploying Sensors in Promiscuous Mode

The simplest deployment mode for Cisco IPS sensors is typically promiscuous mode.
Packets in promiscuous mode don’t flow through the Cisco IPS sensor. The sensor receives
a copy of network traffic and analyzes copied packets to determine whether they
contain signs of suspicious or malicious activity. In addition to being simple to deploy, it
typically doesn’t impact network performance because the sensor sees only a copy of network
traffic.

The monitor session command performs the following actions (on a switch stack or a standalone switch):

  • Limit or filter SPAN source traffic to specific VLANs
  • Start a new SPAN session
  • Start a new RSPAN source or destination session
  • Add or delete interfaces or VLANs to/from an existing SPAN or RSPAN session
  • Start a flow-based SPAN or FSPAN session
  • Start a flow-based RSPAN or FRSPAN source/destination session
  • Enable ingress traffic on the destination port for a network security device, including a Cisco ASA or IPS sensor appliance

Example 1: Copy traffic interface-to-interface

MLS (multilayer switch) configuration:

monitor session 1 source interface Fa1/0
monitor session 1 destination interface Fa1/2

Result on interface Fa1/2: a copy of the traffic seen on Fa1/0.

Next, we look at additional SPAN options.

Add 802.1Q headers on the SPAN destination port so the sensor can tell which source VLAN each copied frame came from:

monitor session 10 source vlan 11 , 13 rx
monitor session 10 destination interface Fa1/2 encapsulation replicate
------------------


Flow-Based SPAN (FSPAN) adds granularity to captures on LAN switches: an access control list (matching on Layer 3 and Layer 4 fields) selects which of the mirrored flows are actually copied to the destination port.

ip access-list extended Capture_ACL
 permit ip any host 10.1.1.1
 permit ip host 10.1.1.1 any
!
monitor session 1 source vlan 11 , 12 rx
monitor session 1 destination interface Gi0/40 ingress
monitor session 1 filter ip access-group Capture_ACL

----------------



VACL capture: sequence 10 forwards and captures traffic matching Capture_ACL, sequence 20 forwards everything else, and the capture port receives the copy.

ip access-list extended Capture_ACL
 permit ip any host 10.1.1.1
 permit ip host 10.1.1.1 any
!
ip access-list extended ANY-ACL
 permit ip any any
!
vlan access-map CAPTURE-MAP 10
 match ip address Capture_ACL
 action forward capture
vlan access-map CAPTURE-MAP 20
 match ip address ANY-ACL
 action forward
vlan filter CAPTURE-MAP vlan-list 10
!
interface GigabitEthernet 0/1
 switchport capture




VLAN access control list (VACL)

The vlan access-map command in global configuration mode creates a VLAN access map or enters VLAN access map command mode.

Parameters of vlan access-map and its match subcommands:

name: VLAN access map tag.
seq-number (optional): Map sequence number; valid values are 0 to 65535.
ip address acl-number: Selects one or more IP ACLs for a VLAN access map sequence; valid values are 1 to 199 and 1300 to 2699.
ip address acl-name: Selects an IP ACL by name.
ipx address acl-number: Selects one or more IPX ACLs for a VLAN access map sequence; valid values are 800 to 999.
ipx address acl-name: Selects an IPX ACL by name.
mac address acl-name: Selects one or more MAC ACLs for a VLAN access map sequence.



The vlan filter command in global configuration mode applies a VLAN access map.

map-name: VLAN access map tag.
vlan-list vlan-list: VLAN list; valid values are 1 to 4094.
interface interface: Specifies the interface type; valid values are pos, atm, or serial.
interface-number: Interface number.




----------------

AIM-IPS or NME-IPS




ip access-list extended Capture_ACL
 permit ip any host 10.1.1.1
 permit ip host 10.1.1.1 any
!
interface GigabitEthernet 0/1
 ids-service-module monitoring promiscuous access-list Capture_ACL

Keywords of ids-service-module monitoring:

promiscuous: The module inspects a copy of the traffic (promiscuous mode) (optional).
inline: The module inspects the traffic in inline mode (optional).
access-list: Specifies the ACL (numbered or named extended) that selects the traffic inspected on this interface.
number: ACL number.

----------------

AIP-SSC or AIP-SSM



On the Cisco ASA the ACL uses the ASA access-list syntax and is referenced from the class map with match access-list:

access-list Capture_ACL extended permit tcp any host 10.1.1.1 eq 80
!
class-map IDS
 match access-list Capture_ACL
!
policy-map global_policy
 class IDS
  ips promiscuous fail-close

Cisco ASA (Adaptive Security Appliance) 5500 Series, Cisco ASA AIP SSC (Advanced Inspection and Prevention Security Services Card), and Cisco ASA AIP SSM (Advanced Inspection and Prevention Security Services Modules) all provide high-performance IPS analysis that is independent of the main processing on the Cisco ASA. Using the Modular Policy Framework (MPF) command-line interface, the Cisco ASA can selectively copy transit traffic to the Cisco IPS module. A key difference between FSPAN or VACL capture and Cisco ASA or Cisco router IPS module promiscuous mode integration is stateful traffic selection.

The class-map command in global configuration mode (without the type keyword) identifies the Layer 3 or 4 traffic to which the actions are meant to be applied using the MPF.

class_map_name: The name of the class map; a maximum of 40 alphanumeric characters. The class name is used for the class map and to configure a policy for the class in the policy map.


The policy-map command in global configuration mode assigns actions to the traffic identified with a Layer 3/4 class map when using the MPF.

policy_map_name: The name for this policy map, up to 40 characters in length. All types of policy maps use the same name space, so a name already used by another type of policy map cannot be reused.


The ips command in class configuration mode diverts traffic from the Cisco ASA to the Cisco ASA AIP SSC or Cisco ASA AIP SSM module for inspection.


inline: Directs packets to the Cisco ASA AIP SSC or Cisco ASA AIP SSM module. The packet might be dropped as a result of IPS operation.
promiscuous: Duplicates packets for the Cisco ASA AIP SSC or Cisco ASA AIP SSM module. The original packet cannot be dropped by the module.
fail-close: Blocks traffic if the Cisco ASA AIP SSC or Cisco ASA AIP SSM module fails.
fail-open: Permits traffic if the Cisco ASA AIP SSC or Cisco ASA AIP SSM module fails.
sensor [sensor_name | mapped_name]: Sets the virtual sensor name for this traffic. If virtual sensors are used, the Cisco ASA AIP SSC or Cisco ASA AIP SSM module supports specifying a sensor name with this argument.


Global Features

Promiscuous delta: An adjustable numeric value that influences reported event severity. It can be used to automatically lower the reported event confidence for promiscuous mode sensors.
VLAN tag recognition: The ability to recognize VLAN tags received by the sensor and report them inside alarms to indicate the source of malicious or suspicious activity.
Integration with network devices: As discussed in previous chapters, Cisco offers a variety of appliances and modules that allow flexible traffic selection at the traffic source without the need for additional filtering devices.
Multi-interface analysis: The Cisco IPS sensor can use multiple LAN-sensing interfaces to capture traffic while presenting all aggregate traffic to the analysis engine as if it were coming from a single interface.



Deploying Sensors in Inline Interface Pair Mode

All Cisco IPS sensors are forwarding devices when deployed in inline mode. One of the simplest and most commonly deployed is the inline interface pair mode. In this mode, a sensor uses a pair of network interfaces to interconnect physical or logical (VLAN) networks and essentially acts as a wire between two network segments. All IPv4 and IPv6 traffic that is forwarded over the interface pair is inspected by Cisco IPS sensors, whereas all non-IP traffic passes through uninspected. Physical separation between networks is maintained in this mode and can’t be bypassed by misconfiguration of the LAN switch.

The major benefits include the following:
■ Improved accuracy and enhanced protection with the ability to modify traffic in real time (also known as normalization) to remove malicious traffic characteristics and ambiguities
■ Rich preventive responses available with the sensor in traffic-forwarding mode (dropping of suspicious or malicious packets, blocking a traffic source or destination, and reliable TCP resets)
■ Oversubscription of the sensor that doesn’t lead to false negatives (network performance can be impacted, though)

The limitations include the following:
■ Impact to network performance (especially if not correctly dimensioned)
■ Impact to network reliability upon sensor failure (if path or device redundancy is not provided)


Connecting two physically separate networks or infrastructures

Connecting two VLANs


Deploying Sensors in Inline VLAN Pair Mode


Another inline deployment mode commonly used by administrators, enterprises, and operators is known as inline VLAN pair mode. In this mode, the sensor acts as an 802.1Q trunk port and also acts as a wire, performing VLAN translation between pairs of VLANs on this trunk interface/port. All traffic is inspected as it is received on each VLAN in each pair; the sensor then either forwards the packet on the other VLAN in the pair or drops it if an intrusion attempt is detected. The sensor replaces the VLAN ID in the 802.1Q header of each received packet with the ID of the egress VLAN on which it forwards the packet. All packets received on VLANs that aren’t assigned to an inline pair are dropped. Traffic can use at most half the bandwidth of the trunk interface, fundamentally because every packet crosses the trunk interface twice (inbound and outbound over the same physical sensor interface).
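The translation described above, modelled in Python as an added example (not Cisco's code and not configuration from the original page): a sensor trunk port that rewrites only the 12-bit VLAN ID of each tagged frame to its pair peer, drops frames on VLANs that belong to no pair, and drops frames the inspection verdict rejects. The frame layout, MAC addresses and the `EVIL` marker standing in for a signature match are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_tagged_frame(dst, src, vlan_id, payload, pcp=0):
    """Constructed test helper: one 802.1Q tag, then an IPv4 EtherType and payload."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload

def parse_tag(frame):
    """Return (vlan_id, pcp_dei_bits, payload) or None if the frame carries no tag."""
    if len(frame) < 18:
        raise ValueError("frame too short for a tagged Ethernet header")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci & 0xF000, frame[18:]

class InlineVlanPairSensor:
    """Models the sensor's trunk port: bridges configured VLAN pairs, drops all else."""

    def __init__(self, pairs):
        # Translation is symmetric, so both VLANs of a pair map to each other.
        self.peer = {v: w for a, b in pairs for v, w in ((a, b), (b, a))}

    def process(self, frame, inspect_ok):
        """Return the frame to transmit back out the trunk, or None when it is dropped."""
        tag = parse_tag(frame)
        if tag is None:
            return None  # untagged (native VLAN) frames belong to no inline pair
        vid, prio_bits, payload = tag
        if vid not in self.peer or not inspect_ok(payload):
            return None  # VLAN not assigned to any pair, or the analysis engine said drop
        # Rewrite only the 12-bit VLAN ID; the PCP/DEI bits of the TCI are preserved.
        return frame[:14] + struct.pack("!H", prio_bits | self.peer[vid]) + frame[16:]

def demo():
    """Constructed sample traffic: pair 11<->12 configured, VLAN 13 left unassigned."""
    sensor = InlineVlanPairSensor([(11, 12)])
    inspect_ok = lambda payload: b"EVIL" not in payload  # stand-in for signature matching
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    out = sensor.process(build_tagged_frame(mac_b, mac_a, 11, b"GET / HTTP/1.0", pcp=5), inspect_ok)
    return {
        "translated_vid": parse_tag(out)[0],  # 12
        "pcp_kept": parse_tag(out)[1] >> 13,  # 5
        "bad_dropped": sensor.process(build_tagged_frame(mac_a, mac_b, 12, b"EVIL"), inspect_ok),
        "unpaired_dropped": sensor.process(build_tagged_frame(mac_a, mac_b, 13, b"x"), inspect_ok),
        "untagged_dropped": sensor.process(mac_a + mac_b + b"\x08\x00" + b"x" * 10, inspect_ok),
    }
```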



Inline VLAN pair mode has the following features:
■ Support for up to 255 different VLAN pairs: The Cisco IPS sensor can be configured to simultaneously bridge up to 255 VLAN pairs on each sensing interface and the Cisco IDSM-2 Catalyst switch blade to bridge up to 255 VLAN pairs total.
■ Interface shutdown on software failure: The Cisco IPS sensor has the ability to shut down network interfaces on Cisco IPS Software failure and reroute traffic over redundant links or paths.



Deploying Sensors in Inline VLAN Group Mode

A commonly deployed inline mode, where a pair of sensing interfaces can be selectively divided or virtualized into multiple logical “wires,” is known as inline VLAN group mode. In this mode, each logical wire or instance can be analyzed separately. Each physical interface in this mode can be divided into VLAN group subinterfaces, which consist of a group of VLANs on that physical interface or port. Cisco IPS sensors and modules support multiple virtual sensors on their analysis engines (the exact number supported varies by model and licenses purchased; see the datasheets available on Cisco.com). These virtual sensors can monitor traffic on one or more of these VLAN groups or subinterfaces simultaneously or separately. This gives an administrator the flexibility to apply multiple policies to the same sensor. This mode of inline deployment is often advantageous for enterprises or providers, because it allows them to use a sensor with a few interfaces as if it had many interfaces and gives them the ability to apply granular policies on trunked interfaces.




Inline VLAN group mode has the following features:

■ Support for up to 255 VLAN groups per interface pair: The Cisco IPS sensor can be configured to identify each VLAN group subinterface by using a number between 1 and 255. Subinterface 0 is a reserved subinterface number used to represent the entire unvirtualized physical or logical interface. Subinterface 0 cannot be created, deleted, or modified, and no statistics are reported for it.
■ Support for unassigned VLAN groups: The Cisco IPS sensor supports an unassigned VLAN group that contains all VLANs that are not specifically assigned to another VLAN group. These VLANs can’t be specified directly, but when VLANs are added or deleted from another VLAN group subinterface, the unassigned group is updated accordingly.
■ Support for native VLANs: The Cisco IPS sensor supports packets of the native VLAN being associated with a particular VLAN group if interesting traffic is forwarded from this VLAN. Typically packets in the native VLAN of an 802.1Q trunk do not have 802.1Q encapsulation headers to identify the VLAN number to which the packets belong. Default VLAN variables are associated with each physical interface. Cisco recommends setting these variables to the VLAN number of the native VLAN or to 0.
■ Interfaces can either be part of inline VLAN groups or pairs, but not both: The Cisco IPS sensor with an interface part of inline VLAN pairs cannot be used for VLAN groups.
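The group, unassigned-group and native-VLAN rules from the list above, modelled in Python as an added example (not Cisco's code): subinterface 0 is rejected, a VLAN removed from a group falls back into the derived unassigned group, and untagged frames are classified through the per-interface default VLAN variable (0 meaning they stay unassigned). The group numbers, VLAN IDs and virtual sensor names are constructed sample values.

```python
UNASSIGNED = "unassigned"  # implicit group: every VLAN not placed in a numbered subinterface

class VlanGroupInterface:  # one sensing interface split into VLAN group subinterfaces 1..255
    def __init__(self, default_vlan=0):
        # default_vlan models the default VLAN variable: untagged frames count as this VLAN.
        self.groups = {}       # subinterface number -> set of VLAN IDs
        self.sensor_of = {}    # subinterface number -> virtual sensor name
        self.default_vlan = default_vlan

    def add_group(self, subif, vlans, virtual_sensor):
        if not 1 <= subif <= 255:
            raise ValueError("subinterface 0 is reserved; groups use 1..255")
        if set(vlans) & (set().union(*self.groups.values()) - self.groups.get(subif, set())):
            raise ValueError("a VLAN can belong to only one VLAN group")
        self.groups.setdefault(subif, set()).update(vlans)
        self.sensor_of[subif] = virtual_sensor

    def remove_vlans(self, subif, vlans):
        # Unassigned membership is derived, so removed VLANs fall back into it automatically.
        self.groups[subif] -= set(vlans)

    def unassigned_vlans(self):
        return set(range(1, 4095)) - set().union(*self.groups.values())

    def classify(self, vlan_id):
        """Map a frame's VLAN ID (None = untagged) to (subinterface, virtual sensor)."""
        if vlan_id is None:
            if self.default_vlan == 0:
                return UNASSIGNED, None
            vlan_id = self.default_vlan
        for subif, members in self.groups.items():
            if vlan_id in members:
                return subif, self.sensor_of[subif]
        return UNASSIGNED, None

def demo():
    """Constructed policy: two groups on a trunk whose native VLAN is 99."""
    iface = VlanGroupInterface(default_vlan=99)
    iface.add_group(1, [10, 20, 99], "vs-servers")  # native VLAN inspected with group 1
    iface.add_group(2, [30], "vs-users")
    iface.remove_vlans(1, [20])                     # VLAN 20 returns to the unassigned group
    return {
        "tagged_10": iface.classify(10),
        "untagged": iface.classify(None),
        "tagged_20": iface.classify(20),
        "tagged_30": iface.classify(30),
        "unassigned_count": len(iface.unassigned_vlans()),
    }
```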

Deploying Sensors in Selective Inline Analysis Mode

Selective inline analysis mode enables the enterprise or provider to determine granularly which traffic requires inline treatment, giving the flexibility to engineer the network for an optimal balance of performance and security. All other benefits of inline analysis are retained, but the performance and availability limitations of inline analysis still apply if the deployment is not engineered properly. When selective inline analysis mode is used, the host chassis or device removes the high-availability and load-balancing limitations of a standalone inline sensor. The Cisco ASA AIP SSC module, Cisco ASA AIP SSM module, Cisco ISR AIM-IPS and NME-IPS modules, and the Cisco ISR G2 AIM-IPS and NME-IPS modules all support selective inline analysis mode.





The same MPF commands used for promiscuous mode select the traffic for selective inline analysis:

class-map class_map_name: Identifies the Layer 3 or Layer 4 traffic to which MPF actions are applied.
policy-map policy_map_name: Specifies the name for this policy map, up to 40 characters in length. All types of policy maps use the same name space, so a name already used by another type of policy map cannot be reused.
ips [inline | promiscuous] [fail-close | fail-open] sensor [sensor_name | mapped_name]: Used in class configuration mode to divert traffic from the Cisco ASA to the Cisco IPS module.