Intrusion Detection System


The intrusion detection system (IDS) provides the functionality to monitor IP traffic passing across a network and listen for potentially malicious traffic. The system monitors this traffic similar to the way a network sniffer does, except that intrusion detection compares the flowing traffic to known signatures of attacks. If a match is found, one or a combination of several things can be done: An alarm can be set; the packet can be dropped; and the TCP reset flags can be set to cease the connection.

Intrusion detection on the PIX firewall is a small engine that monitors more than 50 types of attacks, whereas a full IDS system can monitor more than 600 types of attacks. This makes the PIX IDS suitable only for basic IDS monitoring.

Signatures

Signatures are patterns found inside packets that have been known to result in some form of attack. The two general classes of signatures on the PIX are informational and attack. The detection of informational signatures does not necessarily indicate an attack on the network, but it can indicate the passing of traffic that is typically turned off, such as ICMP requests . Attack signatures are matches to traffic that produces some type of harmful danger, such as fragmented ICMPs, ping-of-death attacks, and other DoS attacks. The PIX firewall contains a subset of the possible instruction detection signatures that exists. The syslog error messages can be found in the range from 400000 to 407002. See "Cisco PIX Firewall System Log Messages" on the Cisco Web site for the current list.

graphics/alert_icon.gif

The PIX firewall only contains a subset of signatures compared to a full IDS system.


Configuring Audit Policies

The PIX firewall enables you to configure specific and general global audit policies. These audit policies define what action the PIX should perform if an attack or informational signature match is found. Table 9.2 displays the three types of actions the PIX can take.

Table 9.2. IDS Actions

Action

Description

Alarm

Creates a syslog message and sends it to the syslog server configured

Drop

Drops the packet(s)

Reset

Drops the packet and closes the connection

Global Audit Policies

As stated previously, the PIX can have a global audit policy that defines what the PIX will do globally to any signature matches when a specific audit policy is not assigned to the offending interface. For example, if attack signatures are detected on the outside interface and no specific policy is set on that interface, the global policy defines what to do with those packets. The following is the command syntax for the global informational and attack audit policies:

 pixfirewall(config)# [no] ip audit info [action [alarm] [drop] [reset]] pixfirewall(config)# [no] ip audit attack [action [alarm] [drop] [reset]] 

The show ip audit {info attack} command can be used to display the global settings. The example shown here sets attack and informational global policies to alarm and drop matching signatures:

 pixfirewall(config)# ip audit info action alarm drop pixfirewall(config)# ip audit attack action alarm drop pixfirewall(config)# show ip audit info ip audit info action alarm drop pixfirewall(config)# show ip audit attack ip audit attack action alarm drop 
Specific Audit Policies

The PIX can create specific audit policies to define what action to take when signature matches are found on an interface. Typically, only one policy is created and assigned to all the external interfaces. However, the PIX is capable of supporting a different policy for each interface if so desired.

Two steps are involved when working with specific audit policies. Step one creates the named policies, and step two links the policies to the designated interfaces. The following example displays creating and linking two separate policies named audit-info and audit-attack on the outside interface:

 pixfirewall(config)# ip audit name Audit-Info info action alarm pixfirewall(config)# ip audit name Audit-Attack attack action                 alarm drop reset pixfirewall(config)# ip audit interface outside Audit-Info pixfirewall(config)# ip audit interface outside Audit-Attack pixfirewall(config)# show ip audit interface ip audit interface outside Audit-Info ip audit interface outside Audit-Attack 
graphics/alert_icon.gif

In IDS language, a false positive is an alarm or a signature match against legitimate traffic.


Disabling Signatures from Policies

This section covers how to exclude individual signatures from being audited . By default, all signatures are enabled, which can cause several false alarms (called false positives ). To prevent false positives, the ip audit signature command can be used to disable individual signatures. One thing to note is that, when disabling a signature, the signature becomes disabled for the entire PIX, not just an interface or a specific policy. This example demonstrates how to globally disable several audit signatures:

 pixfirewall(config)# ip audit signature 2001 disable pixfirewall(config)# ip audit signature 2002 disable pixfirewall(config)# ip audit signature 2150 disable pixfirewall(config)# show ip audit signature ip audit signature 2001 disable ip audit signature 2002 disable ip audit signature 2150 disable 
graphics/alert_icon.gif

By default, all audit signatures are enabled. If you want to disable one, then the ip audit signature <number> disable command can be used.


The shun Command

When IDSs block traffic, they use a technique called shunning . The PIX can perform dynamic shunning, meaning it can block traffic if the traffic violates a signature. The shun command is used to manually block or unblock traffic. In the following, the shun command blocks traffic from source 169.254.70.1:

 pixfirewall(config)# shun 169.254.70.1 pixfirewall(config)# show shun Shun 169.254.70.1 0.0.0.0 0 0 

The shun command is a powerful command that takes precedence over the conduits and ACLs. However, it's only a temporary command and is not actually shown or saved in the configuration: it is deleted when the device is restarted. To view active shunned addresses, use the show shun command. To clear all active shuns, use the clear shun command, and use the no shun for a specific entry.

graphics/alert_icon.gif

The shun command is used to block traffic for instruction detection system (IDS).




CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net