Filter
Top Products
A-25
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
SensorApp
All packets that are unknown or of no interest to the IPS are forwarded to the paired interface with
no analysis. All bridging and routing protocols are forwarded with no participation other than a
possible deny due to policy violations. There is no IP stack associated with any interface used for
inline (or promiscuous) data processing. The current support for 802.1q packets in promiscuous
mode is extended to inline mode.
• IP normalization
Intentional or unintentional fragmentation of IP datagrams can serve to hide exploits making them
difficult or impossible to detect. Fragmentation can also be used to circumvent access control
policies like those found on firewalls and routers. And different operating systems use different
methods to queue and dispatch fragmented datagrams. If the sensor has to check for all possible
ways that the end host will reassemble the datagrams, it makes the sensor vulnerable to denial of
service attacks. Reassembling all fragmented datagrams inline and only forwarding completed
datagrams, refragmenting the datagram if necessary, is the solution to this problem. The IP
Fragmentation Normalization unit performs this function.
• TCP normalization
Through intentional or natural TCP session segmentation, some classes of attacks can be hidden. To
make sure policy enforcement can occur with no false positives and false negatives, the state of the
two TCP endpoints must be tracked and only the data that is actually processed by the real host
endpoints should be passed on. Overlaps in a TCP stream can occur, but are extremely rare except
for TCP segment retransmits. Overwrites in the TCP session should not occur. If overwrites do
occur, someone is intentionally trying to elude the security policy or the TCP stack implementation
is broken. Maintaining full information about the state of both endpoints is not possible unless the
sensor acts as a TCP proxy. Instead of the sensor acting as a TCP proxy, the segments will be ordered
properly and the normalizer will look for any abnormal packets associated with evasion and attacks.
• Event risk rating
Event risk rating helps reduce false positives from the system and gives you more control over what
causes an alarm. The event risk rating incorporates the following additional information beyond the
detection of a potentially malicious action:
–
Severity of the attack if it were to succeed
–
Fidelity of the signature
–
Relevance of the potential attack with respect to the target host
–
Overall value of the target host
SensorApp New Features
The SensorApp contains the following new features:
• Policy table—Provides a list of risk category settings (high, medium, and low).
• Evasion protection—Lets an inline interface mode sensor switch from strict mode to asymmetric
mode for the Normalizer.
• Sensor health meter—Provides sensor-wide health statistics.
• Top services—Provides the top ten instances of the TCP, UDP, ICMP, and IP protocols.
• Security meter—Profiles alerts into threat categories and reports this information in red, yellow, and
green buckets. You can configure the transition points for these buckets.