Cisco battles threats by embedding IPS in switches, routers, firewalls, and appliances.
As the threat landscape evolved, Network Intrusion Detection and Prevention Systems (NIDS / NIPS) became an enterprise best practice to spot and automatically block attacks. In this edition of Enterprise Networking Planet's NIPS buyer's guide, we examine the capabilities and features offered by Cisco Systems' comprehensive portfolio of embedded and standalone IPS products.
A three-step evolution
Cisco's long involvement in the NIPS market started back in 1998 when it acquired the WheelGroup Corporation, a start-up focused on stand-alone intrusion detection and vulnerability assessment products.
"When we first got into this business with the WheelGroup, there was heavy emphasis on intrusion detection," said Rush Carskadden, product line manager for Cisco Security. "There is still interest in IDS, but now we find that there are really three big buckets [of functionality]. One is intrusion detection: providing visibility into traffic and network threats in a passive alerting environment."
But Cisco expanded the WheelGroup's technology to incorporate a separate component, focused specifically on intrusion prevention, using in-line blocking, rate limiting, and integration with other security systems to implement NIPS-initiated threat responses. "Our customers have the ability to move intrusion signatures and engines between those two areas. You can choose what's alerting and what's blocking," said Carskadden.
Finally, Cisco has devoted considerable attention to building out a third major functional area: global correlation within the NIPS. "Cisco was the first to bring a public cloud source of data into IPS, in the form of reputation," he said.
Baking IPS into the network
Throughout this evolution, Cisco innovated by driving NIPS functionality into the rest of the network. "Today, our IPS portfolio includes router, firewall, switch, and appliance products," said Carskadden. "While the lion's share of customers deploy IPS on a firewall or as a stand-alone appliance, features are the same across the entire portfolio."
Cisco's standalone offering is the 4200 Series -- a family of NIPS appliances that run from 150 Mbps at the low end (IPS 4240) to 4 Gbps at the high end (IPS 4270). "In these appliances, we addressed high-availability concerns by providing options for hardware bypass, multiple power supplies, etc," said Carskadden. 'These are really robust dedicated appliances, designed specifically to support the IPS software approach that we've taken."
Cisco stretches performance beyond this in other portions of its NIPS portfolio, reaching up to 10 Gbps. "Until recently, hardware was not quite where we felt we could provide IPS in the firewall at a market competitive price and deliver performance. That's why we provided IPS as add-on hardware -- a blade that slid into a shared backplane. Today, we have 7 different options for plugging IPS into an ASA 5500 firewall chassis." At the low end, Cisco sells a75 Mbps SSP-10 card that slides into 5585-X chassis. At the high end, a Cisco SSP-60 can achieve concurrent (firewall + IPS) threat mitigation throughput up to 10 Gbps.
For switching environments, Cisco offers an IDS Services Module (IDSM 2) that fits into a Cisco Catalyst 6500 -- a blade that slides into the switch chassis to integrate with the backplane. IDSM-2 performance ranges from 500 Mbps (in-line IPS) to 600 Mbps (passive IDS). Up to 8 blades per chassis can be used to inspect a total of 4 Gbps.
"In the router space, we offer both a network module that plugs into an ISR router slot and a card that can be inserted into an ISR chassis," said Carskadden. The AIM-IPS-K9 can be used with Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers to reach rates up to 45 Mbps. The newer NME-IPS-K9 can be paired with Cisco 2811, 2821, 2851, 3825, 3845, 2911, 2921, 2951, 3925 and 3945 Integrated Services Routers to reach rates up to 75 Mbps. Both run the same Cisco IPS software, delivering the same NIPS features found in other members of this product portfolio.
Choosing the right form factor
Carskadden sees NIPS deployment occurring in two major areas: at the edge and in the data center.
"We see a lot of interest at the edge, through deployment of an IPS appliance or a firewall. Use cases there are similar because you're drawing line of demarcation. There is also a mentality that goes with edge deployment: looking across broad sets of applications and protocols and the vulnerabilities associated with them," said Carskadden. "You might think of this as putting IPS at the open end of a funnel."
By comparison, IPS deployed in a data center is much more focused and narrow. "You are physically and logically closer to the assets that you want to protect, and that makes you much more specific about the signatures that you want to put into place," explained Carskadden. "That frees us to look deeper for SQL injection or database abuse -- because traffic is more specific, we can be more specific in signatures and engines deployed." Typically, data centers are appliance or switch-based IPS deployments, although Carskadden said that Cisco's new high-throughput firewall is also seeing use there.
Finally, running IPS on an ISR router tends to be more of a branch office or SMB solution -- making that one multi-services network platform do more, without requiring yet another box to provision and maintain. When used in an ISR router, IPS can be applied to any routed WAN link (e.g., T1/E1, T3/E3, Ethernet, xDSL, MPLS, 3G). Note that IPSec and SSL VPN traffic arriving from the WAN must of course be inspected after decryption.
Cisco IPS Manager Express (IME) can be used to manage small NIPS deployments up to 5 sensors, providing basic configuration, real-time monitoring, alerting and reporting. However, larger deployments up to 5000 devices can be handled in an integrated fashion by using Cisco Security Manager, also responsible for managing Cisco firewall, router, and VPN products.
Cloud sourcing threat intelligence
According to Carskadden, Cisco IPS make use of cloud-sourced reputation data in several ways. "One is dynamic blacklisting -- based off intelligence about threat environments at large, we can block the Internet's most wanted. This has been an effective approach for the network IPS market as a whole."
But Carskadden stressed that Cisco's major differentiator is an integrated inspection plane. "By combining signature intelligence with reputation intelligence, we can see activities that in and of themselves would not be conclusive," he explained. "If we can correlate those activities to a source associated with broad-based hacking, that's where we can gain efficacy. We have seen that intelligence modify greater than 80 percent of signatures that fire in edge IPS deployments. That shows that we can stop twice as much by using these together than we can with signatures alone."
Cisco's primary source of threat intelligence is live deployment of Cisco security technologies. "We've gone through our Web security products, our email security products, and our IPsec clients, enabling all of these to send us what they're seeing. That gives us about 4 terabytes of data per day -- not just flow data, but specific threat data," said Carskadden. Cisco's next step, he said, will be pulling in threat data sourced from core routing technologies.
But how does Cisco turn this huge pile of data into actual intelligence that can be applied to IPS? According to Carskadden, this is where Cisco development efforts have recently been focused. "The key is where we see overlaps between different types of environments. If we can see that a host [associated with an IPS event] has sent spam before that might be a good indicator that it's infected. We also see a great correlation between content hosting and threats, such as websites that host ads for on-line gambling and websites that host malware. Pairing these datasets is a force multiplier. You're not just gaining intelligence -- you're incrementally increasing your visibility," he said.
In summary, Cisco's approach to NIPS is multi-faceted. As with many other areas of network security, Cisco has defined a broad NIPS architecture into which individual products within its portfolio can fit. Where possible, Cisco offers NIPS capabilities running on a customer's existing network device -- this approach often appeals to smaller environments that tend prefer consolidation for the sake of simplicity. But for those who want dedicated devices, Cisco offers NIPS appliances -- and dedicated hardware modules that can be paired with other network devices for the sake of performance. As the world's largest network equipment manufacturer, Cisco is in a unique position to gather network-based threat information. Feeding that data into Cisco IPS is clearly beneficial -- so long as customers have the visibility and manageability needed to put this power to good use.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.