Something that was initially very confusing for me when I first learned about IDS/IPS technologies was how it all came together. When I
The network sensor
For all intents and purposes, in a network-based solution, sensors tend to be beefed-up network sniffers that are deployed strategically throughout the network to monitor the traffic. In host-based solutions, the sensor is the software that is installed on the host that is being
The management console
The management console is the central data repository that all the sensors report back to. This allows you to manage your entire environment from a single location as well as provides a central data repository from which you can run
Like all your network devices, your IDS/IPS can and should be
Hardening PureSecure and hardening a Cisco IDS require two dramatically different techniques. As a result, I am going to cover the hardening process for each product individually.
Because PureSecure runs on top of an underlying operating system, the most important thing you can do is to harden the HTTP server it uses for the console (for example, IIS on Windows) and the operating system itself, as prescribed in Hardening Windows Systems by Roberta Bragg (or Hardening Linux by John Terpstra, if you decided to run PureSecure on Linux).
Beyond those general instructions, however, are a few tasks that should be performed to harden the IDS. These
Hardening remote access
Hardening network interfaces
PureSecure is managed through a web-based interface running on Microsoft IIS. As a result, one of the first tasks is to implement HTTPS to ensure that all management traffic is encrypted and protected
Open the Internet Information Services administrative tool, connect to the web server, right-click the website, and select Properties.
Select the Directory Security tab and click Server Certificate. This will start the Web Server Certificate Wizard. At the Welcome screen, click
At the Server Certificate screen, select Create a new certificate and click Next.
At the Delayed or Immediate Request screen, if you have implemented a public key infrastructure, select Send the request immediately to an online certification authority. (If you have not implemented PKI on your network, you must obtain a certificate from a public certificate authority [CA] by creating a request file and following their instructions to obtain the server certificate.) When you re finished, click Next.
At the Name and Security Settings screen, enter the appropriate
At the Organization Information screen, enter the appropriate organization and organizational unit. When you re finished, click Next.
At the Your Site s Common Name screen, enter the name you want to use to connect to the server (for example, the fully qualified domain name). When you re finished, click Next.
At the Geographical Information screen, enter the appropriate country/region, state/
At the Choose a Certification Authority screen, enter the appropriate certification authority server for your environment and click Next.
At the Certificate Request Submission screen, click Next.
Once the certificate has been obtained and installed, click Finish to complete the wizard.
At the Directory Security tab under Secure Communications, click Edit. Check the boxes to require secure channel (SSL) and 128-bit encryption, as shown next, and then click OK. Click OK to close the website properties and exit the Internet Information Services administrator tool.
At this point, the server should only accept HTTPS/SSL connections.
The next step is to harden remote access by implementing users and IP address restrictions concerning who is permitted to log onto the management console. You do this by clicking Configure in the top bar and selecting PureSecure Console Users from the configuration menu. This will present you with the
One of the nicer features is the ability to add an IP address restriction for the user account. If the user does not connect from a permitted IP address, they will not be allowed to log in. You can use a semicolon to separate IP addresses (for example, 192.168.1.25;192.168.1.26). In addition, you can use wildcards, such as entering 192.168.1.1-254 to permit all
You can also specify five user roles:
Super User This type of user has full administrative privileges, including the ability to add, edit, and delete other users (with the exception of the original admin account specified during installation).
NIDS Admin This type of user has the ability to administer the NIDS portion of the PureSecure console, including editing the Snort ruleset.
This type of user has the ability to administer the Extensible Service Monitoring portion of the PureSecure console, including the ability to add, modify, or delete any
SIV Admin This type of user has the ability to administer the System Integrity Verification portion of the PureSecure console, including the ability to add, modify, and delete the rules for the files and web pages being monitored.
Regular users have none of the check boxes checked and can only view the PureSecure console, with the exception of adding new alert rules for
One of the problems that you have to address in deploying a sensor is that one of its network interfaces will frequently be connected to an unsecured network segment. For example, it is very common to deploy a sensor outside of the firewall to monitor the attack attempts that are
The most effective method of hardening this interface is to remove any and all protocol bindings from the interface. You can unbind the network protocols and services by accessing the network interface properties and unchecking all the
Like all your other network devices, the Cisco IDS sensor should be hardened before it is deployed in your environment. You need to be sure that the IDS is secure and protected before you can expect it to adequately protect your network. We are going to look at the following hardening tasks:
Restricting remote access
The first task in hardening your Cisco IDS sensor is to restrict which IP addresses can connect for remote administration. Remote access is controlled by the accesslist command. You can permit remote access by running the following commands at the CLI while consoled into the sensor:
cisco-ids# configure terminal cisco-ids(config)# service host cisco-ids(config-Host)# networkParams cisco-ids(config-Host-net)# accesslist ipAddress 192.168.1.105 netmask 255.255.255.255
Once you have done this, you should be able to connect to the sensor via HTTPS/TLS, SSH, and the Management Center for IDS Sensors from the permitted IP address.
The Cisco IDS sensor supports four user roles that define what operations can be performed:
Administrator This role can perform all administrative functions on the sensor.
Operator This role can view everything and can modify the following items:
Assignment of virtual sensor configuration to interface groups
The Operator user s own password
Viewer This role can view the configuration and any events but cannot modify anything other than the Viewer user s own password.
Service This is a special role that can only be assigned to one account. This role allows the user to log into the underlying Linux operating system with a bash shell instead of using the CLI. This account should only be created at the direction of the Cisco TAC for troubleshooting purposes only.
Like many Cisco devices, the IDS sensor has a default username of cisco, which should be removed (the username cannot be changed) at the first opportunity. This can be done by first creating a new
You can add a new user via the GUI at the Device Sensor Setup Users screen by clicking Add, entering a username and password, and selecting the appropriate user role, as shown next. One of the nice security requirements of the IDS sensor is that it will not allow you to use a password based on a dictionary word. You must use
You can then remove the cisco username by checking the user at the Device Sensor Setup Users screen and clicking Delete.
A critical component of your IDS logs is ensuring that they contain accurate timestamps of the activity being logged. You can configure the time settings for the IDS sensor at the Device Sensor Setup Time screen, as shown here:
The IDS sensor requires that you use NTP authentication, which is another nice security requirement that Cisco has implemented.