Cisco IPS4345 User Manual Page 8

Cisco Intrusion Prevention System Security Target
1.2 TOE Overview
The Cisco Intrusion Prevention System TOE consists of both hardware and software solutions
deployed as network appliances, and evaluated as generic network devices as defined by the
Network Device Protection Profile (NDPP) v1.1. The TOE includes both software and hardware
models as described in Table 2 in section 1.1.
1.2.1 TOE Product Type
The Cisco Intrusion Prevention System is a family of network-based intrusion detection and
prevention appliances. These appliances offer a range of specialized security functionality that is
outside the logical scope of evaluation as defined by the NDPP. The specialized network traffic
inspection and attack prevention functionality is outside the scope of evaluation, but it does not
interfere with the evaluated functionality, so any of the IPS functionality can remain enabled in
the certified configurations.
As a network device, the TOE supports self-protection through implementation of authentication
mechanisms for local and remote administration, and use of encrypted network protocols for
remote administration. The TOE also supports generation of an array of security-relevant audit
messages, and the ability to have those messages transmitted over encrypted network protocols
to authenticated remote hosts.
The specialized IPS functionality that is outside the scope of evaluation, but which defines the
product type, includes the ability to monitor and react to network traffic in real time, analyzing
the header and content of each packet. The Cisco IPS can analyze single packets or a
complete flow for attacks while maintaining flow state, allowing for the detection of multi-
packet attacks. The Cisco IPS uses a rule-based expert system to analyze the packet information
to determine the type of attack, be it simple or complex.
All data collection and analysis is performed by the Cisco IPS, which is to be placed at strategic
points throughout a target IT network to collect and analyze passing network traffic. In response
to an attack, the IPS has several options, which include generating an alarm, logging the alarm
event, dropping and modifying packets (e.g., defragmentation, TCP stream reassembly),
sending a command to a Cisco router, switch, or firewall to block specific offending
network traffic, and killing Transmission Control Protocol (TCP) sessions.
Key features of the IPS product type that are outside the logical scope of evaluation include:
  • Provides network-wide, distributed protection from many attacks, exploits, worms and
    viruses exploiting vulnerabilities in operating systems and applications.
  • Provides Risk Rating based IPS policy provisioning: an authorized administrator assigns
    IPS policies based on risk, instead of tuning individual signatures. All events are
    assigned a Risk Rating number between 0 and 100 based on the risk level of the event.
    Based on the Risk Rating, different policy actions can be assigned, including drop packet,
    alarm, and log.
  • Offers inline inspection of traffic passing through any combination of router LAN and
    WAN interfaces in both directions. No traffic can continue through the TOE without first
    passing through, and being inspected by, the TOE. Note: IPS 4300 and 4500 sensors can
    be installed inline (such that network traffic flows through them) to provide this