Just like any other feature on a router, you must configure IDS services to get IDS functionality. You need to take a number of configuration steps with IDS, and the configuration is going to be unique to your network environment. When we say "your unique network environment," we are referring to two things. First, all security implementations should be based on a written security policy. Second, not all networks run the same services. Some networks use Apache Web servers, but others might be using Microsoft's Internet Information Server (IIS). There is no reason to analyze packets for IIS attacks if you are running Apache. For performance reasons, you should disable signatures that have no relevance to your network. It is also important to remember that IDS services are included with the IOS Firewall, and you must be running an IOS image that contains this special code if you want IDS functionality.

Event Notification Options

IDS events are displayed on your console session only if you do not configure events to be sent elsewhere. The other locations where events can be forwarded are the Director management platform and a syslog server. You can send events to either of these devices or to both if you choose. If you want events sent to a syslog server, you must also ensure that logging is on and that you have told the router where the syslog server is.

To send events to the Director, the command is

    Router(config)# ip audit notify nr-director

To send events to a syslog server, the command is

    Router(config)# ip audit notify log

The additional steps that are necessary to use a syslog server are to first turn logging on:

    Router(config)# logging on

Then, tell the router the IP address of the syslog server (ip-address is the address of the syslog server):

    Router(config)# logging ip-address

Some versions of the IOS use the following command to configure a syslog server:

    Router(config)# logging host ip-address
Figure 6.1 shows how the notification pieces fit together.

[Figure 6.1. Event notification.]
Defining a Protected Network

The configuration to define a protected network does not have any impact on IDS functionality. Therefore, you can skip this configuration if you want. Defining a protected network really only helps when you view event messages wherever those events are displayed. If you configure the protected network, events display in the direction field with either the IN or OUT words. IN means the IP address was in the defined protected network. OUT means the IP address was not in the defined protected network. If you do not define a protected network, only the word OUT appears in the direction fields.

To configure a protected network, use the following command, giving the first and last addresses of the range:

    Router(config)# ip audit protected start-ip-address to end-ip-address

For example:

    Router(config)# ip audit protected 192.168.1.1 to 192.168.1.254

Figure 6.2 shows how to configure a protected network.

[Figure 6.2. Protected network.]
Defining the Notification Queue Threshold

Routers have a limited memory capacity as determined by the amount of dynamic RAM (DRAM) that is installed. Depending on the amount of traffic the router processes and the services that you have enabled, the memory actually available might be much less than the amount of DRAM installed. Therefore, you want to be careful about how many events the router will store in its memory queue should communication be lost to either the Director or the syslog server. Each event uses 32KB of memory, and the default event queue is 100 stored events if communication is lost. Do the math. It works out to a maximum of 3.2MB of memory if you do not change the default queue size.
However, you can change the default queue size from 1 all the way up to 65,535. The command to do so is

    Router(config)# ip audit po max-events number

For instance, if you wanted to store the maximum number of events in the router's queue, 65,535, the command would look like this:

    Router(config)# ip audit po max-events 65535
Configuring the Default Signature Action

As with other router services, there are default IDS global configurations. You can change these global configurations, and you can also override them with a more specific policy. The global IDS signature actions are alarm, drop, and reset. Remember that you can use one or more actions together.
To change the global action for information signatures, use the following command:

    Router(config)# ip audit info action [alarm] [drop] [reset]

To change the global action for attack-based signatures, use the following command:

    Router(config)# ip audit attack action [alarm] [drop] [reset]

Notice that the only difference in the two commands is the change in the keyword, info versus attack. Refer to Figure 6.3 for an example that configures information signatures to alarm and drop, and attack signatures to alarm, drop, and reset.

[Figure 6.3. Global configuration of signature reaction.]
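The following fragment collects the commands from the preceding sections (notification, syslog logging, protected network, queue threshold, and default signature actions) into one configuration session, so the order and the dependencies between them are visible in a single place. This is an added example, not a listing from the book; the syslog server address 192.168.1.50, the protected range, and the queue size of 500 are assumed values chosen for illustration.

```cisco
! Added example: IOS Firewall IDS event handling, assembled from the
! commands in this chapter. Addresses and the queue size are assumed.

! Forward events to both the Director and a syslog server.
Router(config)# ip audit notify nr-director
Router(config)# ip audit notify log

! Syslog notification only works if logging is on and a server is set.
! Older images use "logging ip-address" instead of "logging host".
Router(config)# logging on
Router(config)# logging host 192.168.1.50

! Label addresses inside this range as IN in the event direction field.
Router(config)# ip audit protected 192.168.1.1 to 192.168.1.254

! Queue at most 500 events (500 x 32KB = 16MB) if the Director or
! syslog server becomes unreachable.
Router(config)# ip audit po max-events 500

! Global default actions: info signatures alarm and drop;
! attack signatures alarm, drop, and reset.
Router(config)# ip audit info action alarm drop
Router(config)# ip audit attack action alarm drop reset
```

Before settling on the max-events value, compare 32KB multiplied by the chosen count against the free memory the router reports, since a queue sized for the installed DRAM rather than the memory actually available can exhaust the router during a long outage of the Director or syslog server. After entering the commands, review the result with show ip audit configuration.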