Introducing Cisco IOS IPS参考.pptVIP

Cisco IOS Threat Defense Features Introducing Cisco IOS IPS IDS Introduction IDS is a passive device—traffic does not pass through the IDS device.IDS是一个被动的设备-流量不会通过IDS. IDS is reactive—generates alert to notify manager of malicious traffic.IDS针对恶意的流量会产生警告信息通知管理者. Optional active response: Further malicious traffic may be denied with security appliance or router恶意的流量可以被安全设备或路由拒绝 TCP resets can be sent to the source device重置TCP能够发送给源设备 IPS Introduction IPS is an active device:IPS是一个主动设备 All traffic passes through IPS所有流量会通过IPS Uses multiple interfaces使用多个接口 Proactive prevention: Malicious traffic is denied对恶意流量的拒绝 Alert is sent to management station向指定的管理站点发送警告 Combining IDS and IPS IPS actively blocks offending traffic:IPS能够积极的阻止令人不快的流量: Should not block legitimate data不会阻止合法的数据 Only stops “known malicious traffic”仅仅阻塞“已知的恶意流量” Requires focused tuning to avoid connectivity disruption需要针对其进行性能调优才能有效的避免连接被中断 IDS complements IPS:IDS组合IPS: Verifies that IPS is still operational仍然需要IPS进行确认 Alerts about any suspicious data except “known good traffic” 除了已知的安全的流量以外的其它可疑数据均会产生警告 Covers the “gray area” of possibly malicious traffic that IPS did not stop保护IPS不能阻止的可能有风险 “灰色区域”的流量 Types of IDS and IPS Systems Signature-Based IDS and IPS Policy-Based IDS and IPS Observes, and blocks or alarms if an event outside the configured policy is detected使用已经配置的策略来进行检测阻塞或警告 Requires a policy database需要策略数据库 Anomaly-Based IDS and IPS Honeypot Network-Based andHost-Based IPS NIPS: Sensor appliances are connected to network segments to monitor many hosts. HIPS: Centrally managed software agents are installed on each host. Cisco Security Agents (CSAs) defend the protected hosts and report to the central management console. HIPS provides individual host detection and protection. HIPS does not require special hardware. Network-Based vs. Host-Based IPS NIDS and NIPS Deployment Signature Categories Four types of signatures:四种类型的签名: Exploit signatures match specific known atta