You might have noticed in the figures in Chapter 6, "The SAFE Security Blueprint," and Chapter 7, "The Extended SAFE Blueprints," that many of the switches, even inside the campus, included NIDS; in addition, all servers in both the Management module and the Server module had HIDS. You need to understand how IDS works because it is a significant element of the SAFE Blueprint. Much of this was covered in the SECUR (or MCNS) exam, and you should have gotten into it in quite a bit of detail in the IDS exam; we only review it here.

An IDS inspects each packet as it passes through the device (if it can; if the load is too great, it inspects as many as it can, but some might pass through uninspected, so size the IDS's capability to match the device's throughput). If a packet matches the characteristics of a known attack, the IDS reacts according to its configuration: It can generate an alarm, drop the packet, and/or reset the connection (if the connection is TCP). The packet characteristics can indicate an info (reconnaissance) profile or an attack profile. This depends on the nature of the packet and on how many packets with what header characteristics are being detected. Typically, a network IDS (NIDS) placed on a switch sends an alarm and possibly resets the connection (depending partly on whether the match is to an info or attack profile). A host IDS (HIDS), on the other hand, is configured to be more aggressive; generally, it sends an alarm, drops the packets, and sends a reset. NIDS will probably see more attacks (because you will place it to monitor choke points in the network, where all traffic passes through a switch), so its alarms will give you a better sense of what is actually happening in terms of where in your network an attack is being attempted (one host? one segment? an entire module?). HIDS, however, will see fewer attacks but could give you a deeper perspective on the nature of the attack. The two systems complement each other.
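The inspect-match-react cycle described above, as an added Python model that is not code from the book or from Cisco: the signature set, the port-sweep threshold for the info (reconnaissance) profile, the per-sensor response policy, the TCP-only reset, and the packets that pass uninspected once the sensor's capacity is exceeded are all constructed assumptions for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""
# Constructed signature set, not Cisco's. An attack signature matches one packet's
# characteristics; the info (recon) profile needs RECON_PORT_THRESHOLD distinct ports.
ATTACK_SIGS = {"sample-marker": b"CONSTRUCTED-ATTACK-MARKER"}
RECON_PORT_THRESHOLD = 5
# Response policy per sensor type as the chapter describes it: a NIDS alarms
# and resets on an attack profile, while a HIDS additionally drops the packet.
POLICY = {"nids": {"info": {"alarm"}, "attack": {"alarm", "reset"}},
          "hids": {"info": {"alarm", "drop"}, "attack": {"alarm", "drop", "reset"}}}
class Sensor:
    def __init__(self, kind, capacity):
        self.kind = kind                    # "nids" or "hids"
        self.capacity = capacity            # packets it can inspect per batch
        self.ports_seen = defaultdict(set)  # src -> distinct destination ports

    def classify(self, pkt):
        for name, marker in ATTACK_SIGS.items():
            if marker in pkt.payload:
                return "attack", name
        self.ports_seen[pkt.src].add(pkt.dport)
        if len(self.ports_seen[pkt.src]) >= RECON_PORT_THRESHOLD:
            return "info", "port-sweep"
        return None, None

    def respond(self, pkt, profile):
        actions = set(POLICY[self.kind][profile])
        if pkt.proto != "tcp":
            actions.discard("reset")        # a reset only applies to a TCP connection
        return actions

    def process(self, packets):
        """Yield (packet, profile, signature, actions); packets past capacity pass uninspected."""
        for i, pkt in enumerate(packets):
            if i >= self.capacity:
                yield pkt, "uninspected", None, set()
                continue
            profile, sig = self.classify(pkt)
            yield pkt, profile, sig, (self.respond(pkt, profile) if profile else set())

# Constructed sample traffic: a five-port sweep from one host, then a UDP packet with the marker.
SAMPLE = [Packet("10.0.0.5", "tcp", p) for p in (21, 22, 23, 25, 80)]
SAMPLE.append(Packet("10.0.0.9", "udp", 53, b"xx" + ATTACK_SIGS["sample-marker"]))
```

Run the same SAMPLE through a NIDS and a HIDS sensor to see the difference in response, and through a sensor with capacity below the batch size to see a packet slip by uninspected.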
NIDS Configuration

As a system, NIDS requires the placement of sensors (which are typically software packages on a networking device, such as a switch or a router with the IOS Firewall Feature Set) and then linking them to an IDS Director. Some points to remember about how the IDS works are as follows:
HIDS Configuration

The Cisco Security Agent (CSA) endpoint security software package is the HIDS that Cisco offers; SAFE also works, of course, with HIDS from other vendors (HIDS from Entercept was used in the validation lab, for instance). The Security Agent is a new product, and it offers intrusion prevention as well as intrusion detection (you might recognize it as the product set developed by Okena, Inc., which Cisco purchased in early 2003). Prevention does not rely on previously known signatures but is based instead on packet-level behavioral analysis; this allows it to protect against zero-day attacks. These are previously unknown attacks, usually exploiting a previously unknown vulnerability. They are also usually a nightmare for the unlucky victim because no one yet knows how to handle the mystery attack. The CSA is monitored and managed by a Management Center running on the CiscoWorks VPN/Security Management Solution (VMS, discussed in Chapter 9). Configuration is performed from the VMS. Management is done through the Web-based VMS and uses policies (it has 20 default policies available, and you can design custom policies as well). The CSA is available in two types, the Server Agent and the Desktop Agent. The Server Agent is supported on these platforms:
The Desktop Agent is supported on these platforms:
The Management Center is supported on Windows 2000 Server and Advanced Server (SP 3 required).