Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 381

Appendix A
System Architecture
Backup for dataflow in inline operations
Hold-down timer
When SensorApp first starts, it may need to build state information for flows that already exist.
The hold-down timer prevents SensorApp from denying packets while it builds this state
information. While the hold-down timer is running, SensorApp still enforces policy wherever it
already has enough information to do so.
IP normalization
Intentional or unintentional fragmentation of IP datagrams can hide exploits, making them
difficult or impossible to detect. Fragmentation can also be used to circumvent access control
policies such as those found on firewalls and routers. Different operating systems also use
different methods to queue and dispatch fragmented datagrams, so if the sensor had to check every
possible way an end host might reassemble a datagram, the sensor itself would be vulnerable to denial
of service attacks. The solution is to reassemble all fragmented datagrams inline, forward only
completed datagrams, and refragment the datagram if necessary. The IP Fragmentation Normalization
unit performs this function.
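The following Python is an added example, not code from the Cisco guide, showing the behaviour the paragraph describes: fragments are held per (source, destination, identification) until the datagram is complete, only a completed datagram is released, and refragment() splits it again for an outgoing link. Overlapping fragments whose bytes disagree are dropped, on the reasoning above that an end host could reassemble such an overlap either way. The class and function names, the verdict tuples and the drop rules are assumptions made for illustration.

```python
# Added example (not code from the Cisco guide): an inline IP fragment
# normalizer. Fragment, FragmentNormalizer, refragment() and the verdicts
# ('hold', 'complete', 'drop') are illustrative names, not Cisco's.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int        # IP Identification field shared by all fragments
    offset: int       # Fragment Offset in 8-byte units, as carried on the wire
    mf: bool          # More Fragments flag
    payload: bytes


@dataclass
class _Reassembly:
    pieces: list = field(default_factory=list)   # (byte_offset, payload)
    total_len: Optional[int] = None              # known once the MF=0 piece arrives


class FragmentNormalizer:
    """Holds fragments per (src, dst, id) and releases only complete datagrams."""

    def __init__(self):
        self._bufs = {}

    def feed(self, frag):
        """Returns ('hold', None), ('complete', datagram) or ('drop', reason)."""
        key = (frag.src, frag.dst, frag.ident)
        buf = self._bufs.setdefault(key, _Reassembly())
        start = frag.offset * 8
        end = start + len(frag.payload)
        if frag.mf and len(frag.payload) % 8:
            return self._drop(key, 'non-final fragment is not a multiple of 8 bytes')
        # Overlap is tolerated only when the overlapping bytes agree; a host
        # could reassemble a disagreeing overlap either way, so treat it as evasion.
        for off, data in buf.pieces:
            lo, hi = max(start, off), min(end, off + len(data))
            if lo < hi and frag.payload[lo - start:hi - start] != data[lo - off:hi - off]:
                return self._drop(key, 'overlapping fragments disagree')
        if not frag.mf:
            if buf.total_len is not None and buf.total_len != end:
                return self._drop(key, 'two final fragments give different lengths')
            buf.total_len = end
        buf.pieces.append((start, frag.payload))
        if buf.total_len is None:
            return ('hold', None)
        out, covered = bytearray(buf.total_len), bytearray(buf.total_len)
        for off, data in buf.pieces:
            if off + len(data) > buf.total_len:
                return self._drop(key, 'fragment extends past the final length')
            out[off:off + len(data)] = data
            covered[off:off + len(data)] = b'\x01' * len(data)
        if 0 in covered:              # at least one hole remains
            return ('hold', None)
        del self._bufs[key]
        return ('complete', bytes(out))

    def _drop(self, key, reason):
        self._bufs.pop(key, None)
        return ('drop', reason)


def refragment(src, dst, ident, datagram, max_payload):
    """Split a completed datagram for an outgoing link whose payload limit is
    max_payload; every non-final piece is rounded down to a multiple of 8."""
    step = max_payload - max_payload % 8
    if step == 0:
        raise ValueError('max_payload must allow at least 8 bytes per fragment')
    return [Fragment(src, dst, ident, start // 8, start + step < len(datagram),
                     datagram[start:start + step])
            for start in range(0, len(datagram), step)]
```

Feeding the three pieces of a 40-byte datagram out of order yields two 'hold' verdicts and then the complete datagram; a second fragment at offset 0 with different bytes is dropped, while an identical retransmit is simply held.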
TCP normalization
Through intentional or natural TCP session segmentation, some classes of attacks can be hidden. To
make sure policy enforcement can occur with no false positives or false negatives, the state of the
two TCP endpoints must be tracked, and only the data that is actually processed by the real host
endpoints should be passed on. Overlaps in a TCP stream can occur, but they are extremely rare except
for TCP segment retransmits. Overwrites in a TCP session should not occur at all. If overwrites do
occur, either someone is intentionally trying to elude the security policy or the TCP stack
implementation is broken. Maintaining full information about the state of both endpoints is not
possible unless the sensor acts as a TCP proxy. Instead of acting as a proxy, the sensor orders the
segments properly, and the normalizer looks for any abnormal packets associated with evasion and
attacks.
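As an added example (not code from the Cisco guide), the Python below models one direction of a TCP flow the way the hold-down timer and TCP normalization passages above describe it: segments are ordered by sequence number, only data the real endpoint would accept is passed on, an identical retransmit is tolerated, and an overlap whose bytes differ is flagged as an overwrite. The hold-down timer is modelled as a packet count rather than a clock, during which a flow first seen mid-stream is adopted instead of denied. The Segment class, the packet-count hold-down, the verdict names and the decision to ignore 32-bit sequence wrap are all assumptions made for illustration.

```python
# Added example (not code from the Cisco guide): one direction of one TCP flow
# through a normalizer with a hold-down window. Segment, TcpNormalizer, the
# packet-count hold-down and the verdicts 'pass'/'deny'/'flag' are assumptions;
# 32-bit sequence-number wrap is ignored for brevity.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int            # sequence number of the first payload byte
    data: bytes
    syn: bool = False


class TcpNormalizer:
    def __init__(self, hold_down_packets=0):
        # While the hold-down lasts, a flow first seen mid-stream is adopted
        # so that state can be built; afterwards such packets are denied.
        self._hold_down = hold_down_packets
        self._seen = 0
        self._base = None              # seq of the first byte in _delivered
        self._delivered = bytearray()  # what the real endpoint has consumed
        self._pending = {}             # seq -> data held until the gap closes

    @property
    def next_seq(self):
        return None if self._base is None else self._base + len(self._delivered)

    @staticmethod
    def _disagree(seq_a, a, seq_b, b):
        """True when the two byte ranges overlap and differ in the overlap."""
        lo, hi = max(seq_a, seq_b), min(seq_a + len(a), seq_b + len(b))
        return lo < hi and a[lo - seq_a:hi - seq_a] != b[lo - seq_b:hi - seq_b]

    def feed(self, seg):
        """Returns (verdict, in_order_bytes). 'pass' forwards the segment,
        'deny' drops a packet for which no state exists, 'flag' marks an
        overwrite (evasion or a broken stack) and leaves the state untouched."""
        self._seen += 1
        if self._base is None:
            if seg.syn:
                self._base = seg.seq + 1          # SYN consumes one sequence number
                return ('pass', b'')
            if self._seen > self._hold_down:
                return ('deny', b'')
            self._base = seg.seq                  # adopt mid-stream during hold-down
        if self._disagree(self._base, bytes(self._delivered), seg.seq, seg.data):
            return ('flag', b'')
        for pseq, pdata in self._pending.items():
            if self._disagree(pseq, pdata, seg.seq, seg.data):
                return ('flag', b'')
        # Bytes at or below next_seq are a retransmit; keep only the new tail.
        new = seg.data[max(0, self.next_seq - seg.seq):]
        key = max(seg.seq, self.next_seq)
        if len(new) > len(self._pending.get(key, b'')):
            self._pending[key] = new
        # Release every held segment that now continues the in-order stream.
        out = bytearray()
        while True:
            ready = [s for s in self._pending if s <= self.next_seq]
            if not ready:
                break
            s = min(ready)
            chunk = self._pending.pop(s)[self.next_seq - s:]
            self._delivered += chunk
            out += chunk
        return ('pass', bytes(out))
```

With a SYN at 1000, the segment "GET " at 1001 is delivered, a byte-identical resend of it delivers nothing new, and "/index.html" at 1005 follows. Sending "/index.html" at 1005 first and then "GET /etc/" at 1001 produces 'flag', because the two segments disagree over bytes 1005 to 1009; whichever the end host keeps, the sensor must not guess. With no SYN seen and no hold-down left, the first segment is denied.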
Event RR
The event RR incorporates the following additional information beyond the detection of a
potentially malicious action:
• Severity of the attack if it were to succeed
• Fidelity of the signature
• Relevance of the potential attack with respect to the target host
• Overall value of the target host
Event RR helps reduce false positives from the system and gives you more control over what causes
an alarm.
Event action filters and processing
In 4.x, an event filter removed all actions from a matching event. In 5.0, event filters handle each
action separately. Sending the alarm is now also considered an action, and you can filter or
configure it like the other actions.
Driver support for concurrent SensorApp and TCPdump capture
The drivers for the data interfaces support concurrent use of the interfaces by SensorApp and
TCPdump or another libpcap-based reader.
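The Python below is an added example, not code from the Cisco guide, contrasting the two filter semantics described under "Event action filters and processing": in the 4.x model a matching filter suppresses the whole event, while in the 5.0 model a filter subtracts only the actions it names, so producing the alert can be removed while an inline deny stays in force (or the reverse). The risk rating is taken as an input already computed by the sensor rather than derived here, since the page gives no formula. The Event and ActionFilter classes, the subset of match fields modelled and the action names are assumptions for illustration.

```python
# Added example (not code from the Cisco guide): event action filters under
# the 4.x "suppress the event" model and the 5.0 "subtract named actions"
# model. Event, ActionFilter, the match fields and the action names are
# illustrative assumptions; the risk rating is supplied, not computed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    sig_id: int
    attacker: str
    victim: str
    risk_rating: int                  # 0-100, as computed by the sensor
    actions: set = field(default_factory=lambda: {'produce-alert'})


@dataclass(frozen=True)
class ActionFilter:
    name: str
    actions_to_remove: frozenset
    sig_ids: range = range(0, 100000)
    attacker: str = '0.0.0.0/0'       # CIDR the attacker address must fall in
    victim: str = '0.0.0.0/0'
    rr_min: int = 0                   # inclusive risk-rating range
    rr_max: int = 100
    stop_on_match: bool = False       # stop evaluating later filters if matched

    def matches(self, ev):
        return (ev.sig_id in self.sig_ids
                and ip_address(ev.attacker) in ip_network(self.attacker)
                and ip_address(ev.victim) in ip_network(self.victim)
                and self.rr_min <= ev.risk_rating <= self.rr_max)


def apply_filters_5x(ev, filters):
    """5.0 semantics: each matching filter removes only the actions it names;
    producing the alert is an action like any other."""
    remaining = set(ev.actions)
    for f in filters:
        if f.matches(ev):
            remaining -= f.actions_to_remove
            if f.stop_on_match:
                break
    return remaining


def apply_filters_4x(ev, filters):
    """4.x semantics: a matching filter removes every action, alert included."""
    return set() if any(f.matches(ev) for f in filters) else set(ev.actions)


# Constructed sample: quiet the alerts from an in-house scanner subnet for
# low-risk events, but keep denying its packets inline.
SCANNER_NOISE = ActionFilter('lab-scanner', frozenset({'produce-alert'}),
                             attacker='10.10.0.0/24', rr_max=60)
```

Run against a constructed event from 10.10.0.5 with risk rating 35 and actions {produce-alert, deny-attacker-inline}, the 5.0 evaluation leaves only deny-attacker-inline, while the 4.x evaluation leaves nothing; the same event with risk rating 90 is outside the filter's range and keeps both actions.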
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, 78-16527-01, page A-27