Cisco Security Setup & Configuration: Part 3 – Network & Host-Based IPS
www.globalknowledge.com
Expert Reference Series of White Papers
Introduction
This paper is the third in a three-part series of white papers, each of which focuses on a functional area of
securing your network. So far, we have a perimeter router secured and configured with interface Access
Control Lists (ACLs). We also have a firewall using stateful inspection and switches in between controlling our
ports for secure end station connectivity. This all sounds very impressive and complete, but is it?
Of course not, or this white paper series would be complete. The problem is that routers, firewalls, and
switches aren't always enough. There are still attacks out there that travel over valid client requests and responses.
These attacks would be permitted by our perimeter ACLs and stateful firewalls. Or perhaps a worm infects an
end station and tries to propagate throughout our network. Maybe even some of our own end-users decide to
chew up all of our bandwidth downloading Spider Man II using Bit Torrent.
In all of these situations static ACLs, and even stateful firewalls, are not enough, because the traffic is valid at
the packet and session level. That is where we install, configure, and use Network- and Host-based Intrusion
Prevention Systems (IPS and HIPS).
IPS/HIPS
IPS and HIPS provide a level of protection that is not available from a static access list or stateful firewall
inspection. Rather than judging traffic only by addresses, ports, and connection state, they look for abnormalities
in traffic, protocol, and packet behavior that are known to have malicious objectives, and an IPS can drop the
offending traffic rather than merely log it. Here are some recommendations for installing and hardening your
IPS sensors:
Allowing for a sufficient discovery period prior to sensor installation is a key item that is often overlooked. Many
environments simply try to rack and stack a sensor, give it a quick IP address, and let it do its thing. Then they
wonder why there is a high level of false positives, an interruption to network communication, or an
unmanageable amount of log information.
To properly configure and optimize your IPS sensor, I suggest a minimum of two weeks (ideally a month) of
allows you to verify that new signature updates have not overwritten your custom settings and will help you
troubleshoot your configuration in the event of a problem.
Integrated Platform
While our focus has been largely on specialized equipment offering a specific service, there are devices
available from Cisco Systems that integrate all of these services into a single affordable platform.
Integrated Services Routers (ISRs)
ISRs are the new 1800, 2800, and 3800 series routers, which have the ability to integrate routing, security,
voice, and wireless into a single chassis. From a security standpoint, they support hardware co-processor cards
to off-load the tunneling, authentication, and encryption services of a VPN. These models also support a subset
of IPS features that includes over 700 IPS signatures and the ability to create signatures specific to your
environment.
Adaptive Security Appliances (ASAs)
ASAs are the next-generation firewalls available from Cisco Systems. It is important to understand that the
ASAs are not designed as a replacement for the existing PIX (Private Internet eXchange) product line; instead,
they fit nicely to fill in key areas where a PIX may be too much or not enough for the current environment.
As of the writing of this document, there are three ASA models available: the ASA 5510, 5520, and 5540.
Available in all three models are the IPS, Content Security, and 4-port Gigabit Ethernet modules. The IPS module
(AIP-SSM) provides a full-featured network-based IPS that is configured and monitored just like an external
sensor. The Content Security module (CSC-SSM) provides a suite of Anti-X features (anti-virus, anti-phishing,
anti-spam, anti-trojan and anti-malware) plus URL filtering. Once inserted into the expansion bay of the new
ASAs, these modules provide high-level security services in a consolidated chassis, managed through the ASA,
at an affordable price compared to purchasing individual security appliances.
Enterprise 6500 and 7600 Series Devices
These combine high performance, high port density, and advanced features into a single module-based chassis.
From a security standpoint, the platform supports all of the security features mentioned above for the
appliances.
ssh over telnet
Just as with tftp and ftp, telnet communicates all information in the clear. To make matters worse, by default
telnet sends only one character per packet. This means that not only is there an enormous amount of header
overhead per keystroke, but all of your sensitive information, passwords included, is sent in plain text for anyone
on the path to see. This is the driving force behind using secure shell (ssh) as the secure management alternative
for managing all network devices. When we say 'all', we mean all: ssh can be configured on any operating
system that supports it. This means routers, switches, firewalls, and even servers. To find out more, visit
www.openssh.org.
https over http
HTTP is another popular protocol that sends all information in plain text. Even though the protocol supports
authentication, the credentials and all communications that follow are still sent in the clear. With HTTPS, an
encrypted session is established with the end device before any credentials are sent, so the authentication and
all communications that follow are protected. Note that a network device's built-in certificate is usually
self-signed, so verify its fingerprint out of band, or install a certificate from your own CA, before trusting it.
Authenticated NTP
In many environments, time is paramount. Time is used for timed access restrictions, daily authentication and
access, digital certificate validity checks, building access, and troubleshooting by way of internal and system
log files. If time is compromised, many systems are at risk: an attacker who can skew a device's clock can make
an expired certificate appear valid or make log entries impossible to correlate. As a result, using authenticated
NTP peers is highly recommended; the shared-key authentication proves that time updates come from your own
servers, although it does not encrypt them. Many environments purchase and configure internal NTP appliances
just to ensure a high degree of security and control.
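The three recommendations above (ssh in place of telnet, https in place of http, and authenticated NTP) as they would be applied on a Cisco IOS router. This is an added example, not configuration from the original paper: the hostname, domain name, management subnet 192.0.2.0/24, NTP server 192.0.2.10, account name and every key shown are assumptions chosen for illustration.

```cisco
! Added example: IOS management-plane hardening (all names, addresses and keys assumed)
hostname edge-rtr
ip domain-name example.com
! An RSA key pair is required before SSH can be enabled; 2048-bit modulus assumed
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Only the assumed management subnet may open a management session
access-list 10 remark management-stations
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
! Local account for the example; a central AAA server is normally preferred
username admin privilege 15 secret Strong-Local-Passphrase
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
! Web management: turn the plaintext server off and leave only HTTPS
no ip http server
ip http secure-server
ip http access-class 10
ip http authentication local
! Authenticated NTP: accept time only from a server that proves knowledge of
! key 1 (keyed MD5 provides integrity and source authentication, not secrecy)
ntp authenticate
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp server 192.0.2.10 key 1
```

After applying it, `show ip ssh` should report version 2 enabled, `show ntp status` should show the clock synchronized, and `show ntp associations detail` should list the server with the `authenticated` flag; if the flag is missing, the key number or value does not match the server's.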
Copyright ©2006 Global Knowledge Training LLC. All rights reserved.
snmp version 3
The Simple Network Management Protocol (SNMP) has been around for almost 20 years and, even though it
provides a great method of network discovery and configuration, it has done so in a very insecure manner.
That is, until version 3.
Ver. 1: Provides for no authentication or protection (encryption) of information.
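An added example (not configuration from the original paper) of what version 3 buys you on a Cisco IOS device: a read-only SNMPv3 user whose requests are authenticated with an HMAC (SHA) and encrypted (AES-128), and a host entry so traps are sent with the same protection. The management station 192.0.2.50, the view, group and user names, and both passphrases are assumptions.

```cisco
! Added example: SNMPv3 authPriv read-only access (names, addresses and passphrases assumed)
! Remove legacy community strings so v1/v2c cannot be used to sidestep v3
no snmp-server community public
no snmp-server community private
! Only the assumed management station may talk SNMP to this device
access-list 20 permit host 192.0.2.50
! Expose the MIB tree read-only through a named view
snmp-server view NMS-VIEW iso included
! Group that requires both authentication and privacy (authPriv)
snmp-server group NMS-RO v3 priv read NMS-VIEW access 20
! User: SHA-based HMAC for authentication, AES-128 for encryption
snmp-server user nmsuser NMS-RO v3 auth sha AuthPassphrase priv aes 128 PrivPassphrase access 20
! Send traps to the station as the same v3 user, also authPriv
snmp-server enable traps snmp authentication linkdown linkup
snmp-server host 192.0.2.50 version 3 priv nmsuser
```

Verify with `show snmp user` and `show snmp group`: the user should list SHA for authentication and AES for privacy, and the group's security model should read `v3 priv`. The user's passphrases do not appear in `show running-config` (IOS stores only the localized keys), so record them in your password store rather than expecting to read them back from the device.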
At the time of connection, when the router prompts for authentication credentials, the user enters a username,
a PIN, and the one-time value currently displayed on the key fob. Here you have the user entering credentials
made up of something they know (username and PIN) plus something they have (the value generated by the
key fob, which is unique to that token). Now, if those credentials are captured in transit, they are only useful
until the fob generates its next value, which happens within 60 seconds. You'd better hurry! A well-implemented
token server should also refuse a code that has already been used, so even a fast replay fails.
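The login described above, where the router prompts for a username and the PIN plus token code, is normally implemented by pointing the router's AAA at the token server over RADIUS rather than by the router validating codes itself. The following is an added example for Cisco IOS, not configuration from the paper: the RADIUS server 192.0.2.20, its shared secret, the method-list name and the account names are assumptions.

```cisco
! Added example: vty login against an OTP/token server via RADIUS (all values assumed)
aaa new-model
! RADIUS front end of the token server; the PIN+tokencode travels as the
! RADIUS password, which is one more reason the vty below accepts SSH only
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key RadiusSharedSecret
radius-server timeout 5
radius-server retransmit 2
! Method list: ask RADIUS first; the local database is consulted only when every
! RADIUS server is unreachable (an error), never when RADIUS rejects the user (a fail)
aaa authentication login TOKEN-LOGIN group radius local
aaa authorization exec default group radius if-authenticated
! Break-glass account that is only usable while the token server is down
username break-glass privilege 15 secret Strong-Local-Passphrase
line vty 0 4
 login authentication TOKEN-LOGIN
 transport input ssh
 exec-timeout 10 0
```

Before applying the method list to the vty lines, confirm the server path works with `test aaa group radius <user> <pin+tokencode> new-code` from the exec prompt, and keep one console or already-open session until a fresh SSH login with a token succeeds; otherwise a typo in the shared secret locks you out of everything except the break-glass account.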