Shared Flashcard Set

Details

Title: CCIE Security 7
Description: Cisco Applications
Total cards: 33
Subject: Engineering
Level: Professional
Created: 11/15/2009

Cards

Term
What solutions are provided by the Traffic Anomaly Detector with Guard XT for DDoS mitigation?
Definition

Detecting the DDoS attack (the Traffic Anomaly Detector's job)

Diverting traffic destined for the victim to a Cisco appliance (the Guard) for treatment

Analyzing and filtering bad traffic flows from good traffic flows, and forwarding only the good flows on to the victim

Term
What does the Traffic Anomaly Detector & Guard XT do during normal operation/startup?
Definition

Learns the normal traffic pattern for a protected network area or "zone"

Establishes a network traffic baseline from that learning period

Constructs DDoS mitigation policies and thresholds from the baseline; these are what later distinguish attack traffic from normal traffic
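The learn / baseline / threshold cycle on this card carried through in working code, as an added example that is not Cisco's Detector or Guard implementation. The zone name, the per-protocol packets-per-second counters, the learning samples, the mean-plus-3-sigma rule and the 1 pps floor for protocols never seen during learning are all constructed assumptions for illustration:

```python
"""Added example: learn a per-zone traffic baseline, derive thresholds, detect.
Not Cisco code; zone name, protocol counters and samples are constructed."""
import statistics
from typing import Dict, Iterable, Tuple

# One learning sample = packets per second seen for each protocol in the zone.
Sample = Dict[str, float]
Baseline = Dict[str, Tuple[float, float]]  # protocol -> (mean pps, stdev pps)

ZONE = "web-dmz"  # assumed zone name

# Constructed "normal operation" samples (one per learning interval).
LEARNING_SAMPLES = [
    {"tcp_syn": 100, "udp": 50, "icmp": 5},
    {"tcp_syn": 110, "udp": 55, "icmp": 6},
    {"tcp_syn": 90,  "udp": 45, "icmp": 4},
    {"tcp_syn": 100, "udp": 50, "icmp": 5},
]


def learn_baseline(samples: Iterable[Sample]) -> Baseline:
    """Learning phase: per-protocol mean and (population) stdev of pps."""
    columns: Dict[str, list] = {}
    for sample in samples:
        for proto, pps in sample.items():
            columns.setdefault(proto, []).append(float(pps))
    return {
        proto: (statistics.fmean(vals),
                statistics.pstdev(vals) if len(vals) > 1 else 0.0)
        for proto, vals in columns.items()
    }


def build_thresholds(baseline: Baseline, k: float = 3.0,
                     floor: float = 1.0) -> Dict[str, float]:
    """Policy construction: threshold = mean + k*stdev, but never below `floor`,
    so a protocol that was (almost) silent during learning still trips."""
    return {proto: max(floor, mean + k * stdev)
            for proto, (mean, stdev) in baseline.items()}


def detect(thresholds: Dict[str, float], observation: Sample,
           unknown_threshold: float = 1.0) -> Dict[str, Tuple[float, float]]:
    """Detection phase: protocols whose current pps exceed their threshold.
    A protocol never seen in learning has no baseline, so it gets
    `unknown_threshold`; that is what lets a brand-new flood (GRE here) be
    flagged at all. Returns {protocol: (observed pps, threshold)}."""
    anomalies = {}
    for proto, pps in observation.items():
        limit = thresholds.get(proto, unknown_threshold)
        if pps > limit:
            anomalies[proto] = (float(pps), limit)
    return anomalies


# Constructed observations: one quiet interval, one under a SYN flood plus GRE.
NORMAL_OBSERVATION = {"tcp_syn": 105, "udp": 52, "icmp": 6}
ATTACK_OBSERVATION = {"tcp_syn": 5000, "udp": 52, "icmp": 6, "gre": 30}

if __name__ == "__main__":
    thresholds = build_thresholds(learn_baseline(LEARNING_SAMPLES))
    print(f"zone {ZONE} thresholds:",
          {p: round(t, 1) for p, t in thresholds.items()})
    print("normal interval ->", detect(thresholds, NORMAL_OBSERVATION))
    print("attack interval ->", detect(thresholds, ATTACK_OBSERVATION))
```

The real Detector learns many more counters (per-service, per-source distributions, not just rates), but the shape is the same: a policy is only as good as the learning period, so a baseline learned while an attack was already under way will happily whitelist it.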

Term
How does Guard XT divert traffic from a DDoS attack?
Definition

Typically by updating the BGP routing table (announcing a more-specific route for the victim prefix so that traffic is pulled to the Guard), or via static routes and policy-based routes.

Term

What is the goal of NAC?

 

What prerequisite application does it require?

Definition

Network Admission Control

(also sold as Cisco Clean Access / NAC Appliance)

Ensure all devices accessing network resources are adequately protected from network security threats.

Enforce compliance with security policies for devices before they are admitted.

Requires Cisco Secure ACS as the policy/AAA server (NAC Framework); the NAC Appliance (Clean Access) ships with its own Clean Access Manager and Clean Access Server instead.

Term
How does NAC operate?
Definition

1. When a device attempts to connect, the network access device (switch, router, VPN concentrator) requests a security profile (posture) from the endpoint, typically via the Cisco Trust Agent

2. The profile information is compared against the network security policy (on ACS)

3. NAC then permits, denies, or restricts access, e.g. by redirecting the device to a less exposed network segment; non-compliant devices can also be quarantined for remediation

Term
What are the NAC user roles and their characteristics?
Definition

1. Unauthenticated role: default system role for unauthenticated users; web-login users are also placed here while network scanning is being performed

2. Normal login role: authenticated users who have passed the checks

3. Client posture assessment roles:

   3a. Agent temporary: Clean Access Agent users while their requirements are still being checked

   3b. Quarantine: users placed here when network scanning detects vulnerabilities, with access limited to remediation resources

Term
What are the characteristics of Cisco ASDM?
Definition

Adaptive Security Device Manager

Runs either as a standalone launcher or as a Java-based applet in the browser

GUI tool to set up, configure, and monitor the ASA

Installed as a separate software image on the appliance, stored in flash alongside the ASA OS image (ASA 7.0 and later)

Term
What is the purpose and capabilities of CSM?
Definition

Cisco Security Manager

Used to centrally configure security devices (scales to roughly 5000 devices)

- configure ACL rules for multiple interfaces/devices at once

- share policy between multiple devices

- analyze ACL rules (e.g. for conflicting or redundant entries)

- place and configure devices on a topology map

Term
What are the characteristics of Cat6k IDSM?
Definition

Intrusion Detection Services Module

Switching module for the Cat6k; part of the Cisco IDS product line

- captures network packets via VACL capture or a SPAN port

- reassembles streams and compares them against signatures

- generates alarms through the backplane to the IDS Director or CSPM (Cisco Secure Policy Manager)

Term
What are the characteristics of FWSM?
Definition

Firewall Services Module

Card for the Cat6k; high-performance firewall solution

Secures traffic flowing between multiple VLANs on the network.

Integrates firewall functionality with switching (its interfaces are VLANs rather than physical ports)

Term
What are the three deployment scenarios for FWSM?
Definition

MSFC as the inside router (MSFC sits on the protected side of the FWSM)

MSFC as the outside router (MSFC sits on the unprotected side of the FWSM)

MSFC not directly connected to the FWSM

Term
What are the capabilities of MARS?
Definition

Cisco Security Monitoring, Analysis, and Response System

Security monitoring for security devices and host applications

Supports event aggregation, device discovery, compliance reporting, and notifications

Assists in the analysis of, and response to, threats on the network

Term
What are the features available when integrating CSM + MARS
Definition

Policy lookup: maps a syslog message received by MARS to the firewall rule or IPS signature policy in CSM that triggered it

Mitigation: recommendations made by MARS (e.g. blocking or shunning a host) can be implemented through CSM

Term

What does CSA provide security for?

 

How does it basically work?

Definition

Cisco Security Agent

Protects servers and PCs (host-based intrusion prevention)

Works on a set of predefined rules/policies enforced by an agent on each host

Management center (CSA MC) distributes the policies and monitors the behavior of the hosts

Term

What are some of the general preventive measures that CSA offer and what attacks do they block?

 

(Hint: 5 P's)

Definition

Prevents port scanning and pinging of the host (probe)

Prevents mail attachments from launching applications that can compromise the system (penetrate)

Prevents unauthorized file creation/modification and system tampering (persist / paralyze)

Prevents the host from sending malicious traffic to the network (propagate)

Term
What are CSA policies composed of?
Definition

A collection of (multiple) rule modules

Each rule module is in turn a container for a collection of rules

Term
What is the purpose and characteristics of the Audit Mode when configuring CSA policies?
Definition

Audit Mode policies are not "live": they allow all actions but instead log the actions that would have been denied or queried

Used for testing/observing the effects of a policy before making it live.

Term
What are the characteristics of preconfigured policies on CSA?
Definition

Can be used as is.

Should NOT be edited (though technically possible).

Instead, they should be cloned and the clone edited, or a new similar policy created.

Term

What are the characteristics of CSA system state conditions?

 

When multiple states are configured, how is the trigger determined?

Definition

Conditional ("if") statements attached to rules: the rule is active only while the system is in the specified state.

If multiple states are configured, all conditions must be met (logical AND) for the conditional rule to trigger.

Term
What are some of the specific attacks that CSA protects against or monitors on end users (browsers and OS)?
Definition

Cookies

Browser Helper Objects

Browser plug-ins

Keyloggers

NMS tools

Remote install tools

Trojans, viruses, and worms

Term
What are the characteristics of Cisco IOS IPS?
Definition

Cisco IOS Intrusion Prevention System

Functions as an inline IPS sensor on the router itself; enabled per interface, and can be applied in both directions (in and out)

Term

How does an IPS sensor process the ACLs it builds for blocking?

Which ACL lines does it incorporate by default at startup?

Definition

The ACL is evaluated top-down: the first line that matches is acted on and no further lines are checked.

At startup (and whenever a block is added or removed), the sensor creates the interface ACL on the managed device in this order:

1. permit line for the IP of the sensor itself (so the sensor can never block its own management traffic)

2. all lines of the pre-block ACL

3. one deny line for each IP blocked by the sensor

4. all lines of the post-block ACL (or "permit ip any any" if no post-block ACL is defined)

Term
What is the general usage and characteristics of pre-block and post-block ACLs on an IPS sensor?
Definition

Pre-Block ACL: used to permit traffic that should never be blocked by the sensor (e.g. management stations). Because its lines come before the sensor-generated deny lines, its permits override them.

Post-Block ACL: used for additional block/permit entries on the same interface/direction; it replaces the default "permit ip any any" that the sensor otherwise appends at the end of the generated ACL.
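The sensor-generated ACL from the previous card and the pre-/post-block behaviour from this one, as an added example that is not the sensor's own code: it builds the list in the stated order and then evaluates a source address against it with first-match semantics, which is what makes a pre-block permit win over a sensor deny. The sensor address, the pre-/post-block lines, the blocked hosts and the ACL name are constructed:

```python
"""Added example: build the interface ACL an IPS sensor's blocking feature
pushes to a managed router, in the card's order, then evaluate it first-match.
Not Cisco sensor code; all addresses, ACL lines and the ACL name are constructed."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[str, ipaddress.IPv4Network]   # (action, source network) in the built ACL
Rule = Tuple[str, str]                      # (action, "a.b.c.d/len") as given by the admin


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def build_sensor_acl(sensor_ip: str, pre_block: Iterable[Rule],
                     blocked_hosts: Iterable[str],
                     post_block: Optional[Iterable[Rule]]) -> List[Entry]:
    """Order matters: earlier lines win under first-match evaluation."""
    acl: List[Entry] = [("permit", _net(f"{sensor_ip}/32"))]           # 1. the sensor itself
    acl += [(act, _net(cidr)) for act, cidr in pre_block]              # 2. pre-block ACL
    acl += [("deny", _net(f"{host}/32")) for host in blocked_hosts]    # 3. sensor blocks
    if post_block:                                                     # 4. post-block ACL ...
        acl += [(act, _net(cidr)) for act, cidr in post_block]
    else:                                                              # ... or default permit
        acl.append(("permit", _net("0.0.0.0/0")))
    return acl


def evaluate(acl: List[Entry], src_ip: str) -> Tuple[str, int]:
    """First-match: (action, line index) of the first entry covering src_ip;
    implicit deny (index == len(acl)) if nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    for index, (action, net) in enumerate(acl):
        if addr in net:
            return action, index
    return "deny", len(acl)


def render(acl: List[Entry], name: str = "IPS_BLOCK_IN") -> str:
    """IOS-style rendering of the generated list (the name is arbitrary here)."""
    lines = [f"ip access-list extended {name}"]
    for action, net in acl:
        if net.prefixlen == 32:
            lines.append(f" {action} ip host {net.network_address} any")
        elif net.prefixlen == 0:
            lines.append(f" {action} ip any any")
        else:
            lines.append(f" {action} ip {net.network_address} {net.hostmask} any")
    return "\n".join(lines)


# Constructed inputs.
SENSOR_IP = "10.1.1.5"
PRE_BLOCK = [("permit", "10.1.1.0/24")]              # management net: never block it
BLOCKED_HOSTS = ["10.1.1.200", "203.0.113.7"]        # what the sensor decided to block
POST_BLOCK = [("deny", "192.0.2.0/24"), ("permit", "0.0.0.0/0")]

if __name__ == "__main__":
    acl = build_sensor_acl(SENSOR_IP, PRE_BLOCK, BLOCKED_HOSTS, POST_BLOCK)
    print(render(acl))
    for ip in ("10.1.1.200", "203.0.113.7", "192.0.2.9", "198.51.100.1"):
        print(ip, "->", evaluate(acl, ip))
```

Note what happens to 10.1.1.200: the sensor has decided to block it (line 3), but the pre-block permit for 10.1.1.0/24 sits at line 1, so the host is never actually denied. That is the documented purpose of the pre-block ACL, and also the reason a pre-block ACL should be kept as narrow as possible.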

Term

What are the characteristics of an IPS sensor in promiscuous mode?

 

What are the pros/cons?

Definition

Sensor analyzes a copy of the traffic (from a SPAN port, VACL capture, or tap).

Pro: does not add latency to the traffic flow, since the sensor is not in the forwarding path

Con: post-event responses rely on configuration changes to other devices (routers/firewalls) to stop the attack; cannot stop atomic (single-packet) attacks, because the packet has already reached the target by the time a block is applied

Term

What are the characteristics of an IPS sensor in inline mode?

 

What are the pros/cons?

Definition

IPS resides directly in the traffic flow (a "bump in the wire")

Pro: sensor is able to immediately drop malicious traffic when it is detected; Layer 3/4 through Layer 7 deep inspection is performed on the live packets

Con: adds latency to all packets/traffic passing through the sensor

Term
How are IPS signatures loaded/where do they come from?
Definition

IOS IPS ships with a default set of built-in signatures as part of the IOS image, assuming 12.3(8)T or later.

Otherwise, signatures are downloaded as an SDF (signature definition file) and saved to flash. Updated SDF files are published on cisco.com.

Term
When an IPS signature fires, what are the possible actions that can be triggered?
Definition

Generate an alert or a verbose alert

Log the pair / victim / attacker packets

Reset the TCP connection

Deny the attacker / connection / packet inline

Request: SNMP trap, block connection, block host

Term

What is the purpose of the IPS command

 

"ip ips deny-action ips-interface"

Definition

Creates an ACL filter for denying the connection/flow inline

The deny action is applied on the interface where the IPS rule is configured, instead of on the ingress interface (which is the default for ACL filters)

Term
What are some of the new features of IPS 5.0 compared to IPS 4.0?
Definition

Application-layer inspection, fragmentation handling

MPLS/IPv6/DEP support, more checks for HTTP

Monitoring using SNMP instead of syslog

IDM (IPS Device Manager) using Java instead of HTML

ASDM support

 

Term
What is the AIP-SSM?
Definition
Advanced Inspection and Prevention Security Services Module: the IPS module that plugs into the ASA 5500 series
Term
What are the security capabilities of netflow?
Definition

Identifies and classifies DDoS attacks, viruses, and worms in real time from flow records alone (no payload inspection).

Captures changes/anomalies in network behavior and forwards them to a security/management application. Serves as a forensic tool to understand and replay the history of security incidents.

Term

What are the general characteristics of Cisco Secure Desktop?

 

What are its major security features?

Definition

Multifunctional component of the Cisco SSL VPN solution. Protects the enterprise from threats introduced by remote endpoints connecting over SSL VPN, and protects session data left behind on those endpoints.

Host Scan

Secure Desktop (Vault)

Cache Cleaner

Keystroke logger detection

Host emulation detection (e.g. a session started from inside a virtual machine)

 

Term
In Cisco Secure Desktop, what are the purposes of the Host Scan and Secure Desktop/Vault features?
Definition

Host Scan: checks for watermarks (e.g. registry keys, files, or certificates) on remote computers attempting to open a client or clientless session, to determine whether they are company owned.

Secure Desktop (Vault): encrypts data/files associated with or downloaded during the remote session into a secure partition, which is wiped when the session ends.
