Configuring the IDS


Just like any other feature on a router, you must configure IDS services to get IDS functionality. You need to take a number of configuration steps with IDS, and the configuration is going to be unique to your network environment. When we say "your unique network environment," we are referring to two things. First, all security implementations should be based on a written security policy. Second, not all networks run the same services. Some networks use Apache Web servers, but others might be using Microsoft's Internet Information Server (IIS). There is no reason to analyze packets for IIS attacks if you are running Apache. For performance reasons, you should disable signatures that have no relevance to your network.

It is also important to remember that IDS services are included with the IOS Firewall, and you must be running an IOS image that contains this feature set if you want IDS functionality.

Event Notification Options

IDS events are displayed on your console session only if you do not configure events to be sent elsewhere. The other locations where events can be forwarded are the Director management platform and a syslog server. You can send events to either of these devices or to both if you choose. If you want events sent to a syslog server, you must also ensure that logging is on and that you have told the router where the syslog server is.

To send events to the Director, the command is

 
 Router(config)# ip audit notify nr-director 

To send events to a syslog server, the command is

 
 Router(config)# ip audit notify log 

The additional steps that are necessary to use a syslog server are to first turn logging on:

 
 Router(config)# logging on 

Then, tell the router the IP address of the syslog server:

 Router(config)# logging <ip-address>

Some versions of the IOS use the following command to configure a syslog server:

 Router(config)# logging host <ip-address>

The log keyword is enabled by default and sends events to a syslog server and the router's console.


Figure 6.1 shows how the notification pieces fit together.

Figure 6.1. Event notification.


Defining a Protected Network

The configuration to define a protected network does not have any impact on IDS functionality, so you can skip it if you want. Defining a protected network only helps when you view event messages, wherever those events are displayed. If you configure a protected network, the direction field of each event shows either IN or OUT. IN means the IP address was inside the defined protected network; OUT means it was not. If you do not define a protected network, only OUT appears in the direction field.

To configure a protected network, use the following command:

 Router(config)# ip audit protected <start-ip-address> to <end-ip-address>

For example:

 Router(config)# ip audit protected 192.168.1.1 to 192.168.1.254

Figure 6.2 shows how to configure a protected network.

Figure 6.2. Protected network.


Defining the Notification Queue Threshold

Routers have a limited memory capacity as determined by the amount of dynamic RAM (DRAM) that is installed. Depending on the amount of traffic the router processes and the services that you have enabled, memory might be much less than the actual amount of DRAM installed. Therefore, you want to be careful about how many events the router will store in its memory queue should communication be lost to either the Director or syslog server.

Each event uses 32KB of memory, and the default event queue is 100 stored events if communication is lost. Do the math. It works out to a maximum of 3.2MB of memory if you do not change the default queue size.


The default event queue size is 100 events.


However, you can change the default queue size from 1 all the way up to 65,535. The command to do so is

 Router(config)# ip audit po max-events <number>

For instance, if you wanted to store the maximum number of events in the router's queue, 65,535, the command would look like this:

 
 Router(config)# ip audit po max-events 65535 

Events are overwritten on a FIFO (first-in, first-out) basis. If you configure a queue size of 200 events, and there are 200 events waiting in the queue to be transmitted, the very next new event will overwrite the first queued event, event number 1.


Configuring the Default Signature Action

As with other router services, there are default IDS global configurations. You can change these global configurations, and you can also override them with a more specific policy. The global IDS signature action can be alarm, drop, or reset. Remember that you can use one or more actions together.


The default global IDS action for both information signatures and attack signatures is alarm.


To change the global action for information signatures, use the following command:

 
 Router(config)# ip audit info action [alarm] [drop] [reset] 

To change the global action for attack-based signatures, use the following command:

 
 Router(config)# ip audit attack action [alarm] [drop] [reset] 

Notice that the only difference between the two commands is the keyword: info versus attack.

Refer to Figure 6.3 for an example that configures information signatures to alarm and drop, and attack signatures to alarm, drop, and reset.

Figure 6.3. Global configuration of signature reaction.

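The steps in this section, collected into one configuration session. This is an added example, not configuration from the book: the syslog server address 192.0.2.10, the protected range 192.168.1.1 to 192.168.1.254 and the queue size of 200 are constructed sample values, and the closing show command is the IOS verification command for the IDS feature, which this section does not cover.

```cisco
! Added example: IOS Firewall IDS notification, protected network,
! queue size and global signature actions, using only the commands
! covered in this section. Sample addresses are constructed.
configure terminal
!
! 1. Forward events to both the Director and a syslog server.
!    (log is on by default; nr-director must be added explicitly.)
ip audit notify nr-director
ip audit notify log
!
! 2. A syslog server also needs logging enabled and a destination.
!    Older images use "logging 192.0.2.10" instead of "logging host".
logging on
logging host 192.0.2.10
!
! 3. Label event direction: IN for addresses inside this range, OUT otherwise.
ip audit protected 192.168.1.1 to 192.168.1.254
!
! 4. Hold up to 200 events if the Director or syslog server is unreachable.
!    200 events x 32KB = 6.4MB of DRAM; event 201 overwrites event 1 (FIFO).
ip audit po max-events 200
!
! 5. Global actions, matching Figure 6.3: info signatures alarm and drop,
!    attack signatures alarm, drop and reset.
ip audit info action alarm drop
ip audit attack action alarm drop reset
!
end
!
! Verify what the router accepted before relying on it.
show ip audit configuration
```

Size the queue from the 32KB-per-event figure rather than reaching for the 65,535 maximum: at 32KB each, a full queue of 65,535 events would need roughly 2GB, far more DRAM than the routers this feature ships on, so a large value only guarantees that memory runs out before the queue does. Note also that sending events to the Director requires the PostOffice (po) host and organization parameters to be configured as well; they are separate from the commands shown here.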



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
