IDS

You might have noticed in the figures in Chapter 6, "The SAFE Security Blueprint," and Chapter 7, "The Extended SAFE Blueprints," that many of the switches, even inside the campus, included NIDS; in addition, all servers in both the Management module and the Server module had HIDS. You need to understand how IDS works because it is a significant element of the SAFE Blueprint. Much of this was covered in the SECUR (or MCNS) Exam, and you should have gotten into it in quite a bit of detail in the IDS exam; we only review it here.

An IDS inspects each packet as it passes through the device (if it can: if the load is too great, it inspects as many as it can, but some might pass through uninspected, so size the IDS's capability to match the device's throughput). If a packet matches the characteristics of a known attack, the IDS reacts according to its configuration: It can generate an alarm, drop the packet, and/or reset the connection (if the connection is TCP). The packet characteristics can indicate an info (reconnaissance) profile or an attack profile. This depends on the nature of the packet and on how many packets with what header characteristics are being detected.

Typically, a network IDS (NIDS) placed on a switch sends an alarm and possibly resets the connection (depending partly on whether the match is to an info or attack profile). A host IDS (HIDS), on the other hand, is configured to be more aggressive; generally, it sends an alarm, drops the packets, and sends a reset.

NIDS will probably see more attacks (because you will place it to monitor choke points in the network, where all traffic passes through a switch), so its alarms will give you a better sense of what is actually happening in terms of where in your network an attack is being attempted (one host? one segment? an entire module?). HIDS, however, will see fewer attacks but could give you a deeper perspective on the nature of the attack. The two systems complement each other.

NIDS Configuration

As a system, NIDS requires the placement of sensors (which are typically software packages on a networking device, such as a switch or a router with the IOS Firewall Feature Set) and then linking them to an IDS Director. Some points to remember about how the IDS works are as follows:

  • Cisco has a total of 59 intrusion signatures in its IOS IDS database; they are categorized as info or attack, and as atomic or compound (for a set of four possibilities: info, atomic; info, compound; attack, atomic; attack, compound).

  • You create an audit rule via ip audit name audit-name {info | attack} [list standard-ACL] [action [alarm] [drop] [reset]]. Remember to use a standard IP access list: you are concerned with only source IP addresses (which can be any).

  • You apply the audit rule to an interface with a direction. Remember that if you want to know about all attacks, apply the audit rule to incoming traffic because it will be inspected before any ACL processing. If this is too much, apply the rule to outgoing traffic on an internal-facing interface (and it will apply after unwanted traffic is dropped by the ACLs).

  • Auditing starts with the IP header and proceeds to the ICMP/TCP/UDP header (depending on the packet's upper-layer protocol); then the application-layer protocol is audited. It might help to think of the audit rule as progressively decapsulating the packet.

  • If a match is found, the action specified by the rule is taken.

  • Don't forget to configure logging with the ip audit notify log command. Note that log in this command indicates to use the syslog format (instead of the NetRanger format); it does not indicate a server, per se, nor is it followed by an IP address.
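The list above, carried through as one IOS Firewall IDS configuration. This is an added example, not a configuration from the book or from Cisco's documentation; the rule name, ACL number, addresses and interface names are constructed for illustration.

```ios
! Added example (not from the book): IOS Firewall IDS configuration
! following the steps above. Rule name, ACL number, addresses and
! interfaces are constructed placeholders.
!
! 1. Alarms in syslog format. "log" selects the format (the alternative
!    is "nr-director" for NetRanger); it is NOT followed by a server
!    address. The syslog host is set with the normal logging command.
ip audit notify log
! constructed syslog host
logging 10.10.10.5
!
! 2. Global defaults for signatures a named rule does not cover:
!    info (reconnaissance) only alarms; attack alarms, drops and resets.
ip audit info action alarm
ip audit attack action alarm drop reset
!
! 3. Standard ACL for the "list" keyword. Only SOURCE addresses are
!    matched, hence a standard ACL. Sources the ACL denies are exempt
!    from auditing; everything it permits is audited. Here the
!    (constructed) management subnet is exempted.
access-list 10 deny   10.10.10.0 0.0.0.255
access-list 10 permit any
!
! 4. The audit rule: an info part and an attack part under one name,
!    so reconnaissance only alarms while attacks get the full set.
ip audit name SAFE-EDGE info   list 10 action alarm
ip audit name SAFE-EDGE attack list 10 action alarm drop reset
!
! 5a. Apply with a direction. Inbound on the outside interface audits
!     traffic BEFORE any interface ACL drops it, so every attempt is
!     seen (highest load on the device).
interface Ethernet0/0
 description Outside (constructed)
 ip audit SAFE-EDGE in
!
! 5b. Alternatively, outbound on the internal-facing interface audits
!     only what the ACLs already let through (lower load, fewer alarms).
interface Ethernet0/1
 description Inside (constructed)
 ip audit SAFE-EDGE out
!
! Verification commands:
!   show ip audit configuration
!   show ip audit interfaces
!   show ip audit statistics
```

Applying the rule in both places on the same router is not needed; choose 5a or 5b according to how much load the device can take.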

HIDS Configuration

The Cisco Security Agent (CSA) endpoint security software package is the HIDS that Cisco offers; SAFE also works, of course, with HIDS from other vendors (HIDS from Entercept was used in the validation lab, for instance). The Security Agent is a new product, and it offers intrusion prevention as well as intrusion detection (you might recognize it as the product set developed by Okena, Inc., which Cisco purchased in early 2003). Prevention does not rely on previously known signatures but is based instead on packet-level behavioral analysis; this allows it to protect against zero-day attacks. These are previously unknown attacks, usually exploiting a previously unknown vulnerability. They are also usually a nightmare for the unlucky victim because no one yet knows how to handle the mystery attack.

The CSA is monitored and managed by a Management Center running on the CiscoWorks VPN/Security Management Solution (VMS, discussed in Chapter 9). Configuration is performed from the VMS. Management is done through the Web-based VMS and uses policies (it has 20 default policies available, and you can design custom policies as well). The CSA is available in two types, the Server Agent and the Desktop Agent. The Server Agent is supported on these platforms:

  • Windows 2000 Server and Advanced Server

  • Windows NT 4.0 Server and Enterprise Server (SP 5 or later required)

  • Solaris 8 SPARC architecture (64-bit kernel)

The Desktop Agent is supported on these platforms:

  • Windows NT 4.0 Workstation (SP 5 or later required)

  • Windows 2000 Professional

  • Windows XP Professional

The Management Center is supported on Windows 2000 Server and Advanced Server (SP 3 required).



Source: CCSP CSI Exam Cram 2 (Exam 642-541), Annlee Hines. ISBN 0789730243. Year: 2002. Pages: 177.
