As mentioned before, Cisco Express Forwarding (CEF) switching is required on the router to forward the traffic to the NM-CIDS. Therefore it is important to understand how packets are processed when CEF is configured with various other features and services on the router. Once you build this knowledge, you need to know at which point the router forwards the packets to the NM-CIDS, so that you know which packets are forwarded and how they are forwarded to the NM-CIDS for various features. The goal of this case study is to examine this traffic forwarding technique to the NM-CIDS in detail, so that you know what to expect in terms of packets captured by the NM-CIDS.
CEF Forwarding Path
A packet goes through the following path when CEF is configured with other features on the router:
IPS Insertion Points
Now that you are familiar with the CEF packet path, it is time to understand the insertion points that are used to forward a copy of the packet to the NM-CIDS. An insertion point is the point in the CEF forwarding path from where a copy of the packet is sent to the NM-CIDS. For NM-CIDS, with CEF configured, a router is required to have at least two insertion points: one before FIB lookup, and one after the FIB lookup (FIB lookup is at Step 6 in the CEF forwarding path). These insertion points give desired results for NAT, IPsec, ACL, and so on, which are discussed next.
Network Address Translation (NAT)
The signature engines of NM-CIDS maintain the TCP session states for every TCP connection it monitors. The engines need to see packets in both directions to analyze the TCP session correctly. The source and destination IP addresses of the bi-directional packets have to be consistent. But, when Network Address Translation (NAT) is configured, the source and destination IP addresses are changed depending on the configuration. However, as the inserting point for packet forwarding is selected right before and after Step 6 of "CEF Forwarding Path," the Outside to Inside NAT (destination address translation) takes place (at Step 5) before the packets are forwarded to the NM-CIDS. And after the packets are forwarded to NM-CIDS, the inside to outside (Source Address Translation) NAT takes place at Step 8. This gives a consistent bi-directional state of the TCP packets for the NM-CIDS. This also helps in performing the blocking based on the actual source address, and translated destination address, as these addresses will be seen by the NM-CIDS in the packets.
The NM-CIDS cannot interpret encrypted packets for any possible attacks. So if a router receives an encrypted packet and if the router is the termination point for the packet, it first decrypts the packet before sending it to the NM-CIDS as mentioned in Step 3 of the "CEF Forwarding Path" section.
Similarly, if the router needs to encrypt a packet before sending it, then it sends it to the NM-CIDS before it encrypts. In "CEF Forwarding Path," this takes place at Step 11, and the traffic is forwarded immediately before or after Step 6.
If the router is merely forwarding an encrypted packet (that is, the router is neither encrypting nor decrypting the packet), it sends the packet as is (without decryption) to the NM-CIDS. Although NM-CIDS can analyze the packet as a TCP/UDP packet, it is not able to analyze the contents of the packet, as encrypted.
Access List Check
The IOS performs an input-ACL check on a packet before it processes the packet for NAT or encryption. As explained earlier, the NM-CIDS monitors the packet after the NAT and decryption is processed. Therefore if the packet is dropped by the inbound ACL, it is not forwarded to the NM-CIDS. The IOS router performs an outbound ACL check after the packet is forwarded to the NM-CIDS. So the packet will be forwarded to the NM-CIDS even if the output ACL drops the packet. As described in the section entitled "CEF Forwarding Path," the insertion point is right before and after Step 6, and the inbound checking is performed at Step 2, but the outbound ACL checking is performed at Step 9.
IP Multicast, UDP Flooding, IP Broadcast
If the router is configured for IP Multicast, User Datagram Protocol (UDP) flooding or IP Broadcast, a packet received on the input interface is forwarded on two or more output interfaces. In this situation, if the input interface is configured for IPS monitoring, the packet will be sent to the NM-CIDS. However, if only the output interfaces are configured for monitoring, the packet will not be forwarded to the NM-CIDS.
Generic Routing Encapsulation (GRE) Tunnels
The NM-CIDS does not analyze GRE encapsulated packets. So if a GRE packet is received, and the incoming interface is enabled for IPS monitoring, the packet will not be forwarded to the NM-CIDS for monitoring. However, if a packet is encapsulated by the router into a GRE tunnel, and the incoming interface is enabled for IPS monitoring, the packet (before encapsulation) will be sent to the NM-CIDS.
Address Resolution Protocol (ARP) Packets
Address Resolution Protocol (ARP) packets are handled at Layer 2 and are not forwarded to the NM-CIDS.
Packets Dropped by the IOS
The IP stack of the router verifies the integrity of the packets before forwarding the packets to NM-CIDS. The router will drop a packet if some of the fields in the packet are incorrect or unexpected. Following is a list of such cases in which the router drops the packets and they are not be forwarded to the NM-CIDS:
In these cases, an Internet Control Message Protocol (ICMP) message is sent back (indicating the reason for the drop).
Forwarding the Packets to the IDS at a Rate Higher Than the Internal Interface Can Handle
The internal interface between the router and the NM-CIDS is a 100 MBps back-to-back Ethernet port. So if the monitoring traffic exceeds 100 MBps, the router will not be able to forward that traffic. There is no guarantee of which packets would be sent and which would be dropped. This might interfere with the ability of the IPS to reassemble the TCP data stream, possibly preventing it from triggering an alarm.
The NM-CIDS is designed to monitor up to 45 MBps of traffic. So when the traffic approaches 100 MBps, in most cases the NM-CIDS itself will miss signatures.