Cisco Secure IDS

Cisco Secure IDS is an enterprise intrusion detection system designed to detect, report, and, in the event of unauthorized access, terminate data sessions between users and host devices.

Users are not aware that Cisco Secure IDS is watching data across the network; it is transparent to all systems.

Cisco Secure IDS has three components:

■ Cisco Secure IDS Sensor—High-speed device that analyzes the contents of data being transported across a network and determines whether that traffic is authorized or unauthorized. Unauthorized traffic includes ping requests from intruders. Alarms for traffic detected from unauthorized sources are sent directly to the IDM, and the intruder is removed from the network.

■ Cisco IDS Device Manager (IDM)—Enables IDS security administrators to easily manage the IDS solution in place by allowing secure communication between local and remote IDS systems.

■ Cisco IDS Management Center (MC)—Communicates with the Cisco Secure ACS server. It dictates to Cisco Secure ACS the creation of a command authorization set type, which appears in the Shared Profile Components section of the Cisco Secure ACS HTML interface.

Figure 5-3 displays the typical network placement of Cisco Secure IDS products. Cisco Secure IDS sensors are typically placed on the DMZ network, because that region contains hosts that are publicly reachable via the Internet.

Cisco Secure IDS Sensors can be located anywhere in the network. They are typically located close to hosts or to entry points to a network, such as dial-in users or Internet connections. Alarms are logged on the Sensor and the IDM, and are displayed and viewed on the IDM. Optional configuration settings include killing an active TCP session or reconfiguring access lists (termed shunning).

The sensor can detect the intruder's IP address and destination ports, and buffer up to 256 characters entered by the intruding device. Cisco Secure IDS 4.1 supports Ethernet (10/100/1000) only. Cisco Secure IDS Sensors can modify predefined access lists on Cisco IOS routers and change the definitions of permitted networks in response to an attack. Cisco Secure IDS Sensors cannot modify the IP routing table, nor can they reload or shut down interfaces. When illegal activity is discovered, an alarm is sent directly to the configured IDMs.
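As an added example (not from the book and not Cisco's own software), the following Python models the shunning step described above: an alarm carrying the intruder's IP address and destination port is turned into an IOS access-list deny entry, inserted ahead of the existing permit entries, and skipped when the source falls in a never-block list. The ACL, the never-block networks and the alarm are constructed sample values, and the IOS rendering is illustrative only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample: an existing IOS extended ACL on the perimeter router,
# one access control entry (ACE) per line, as found before any shun.
BASE_ACL = [
    "permit tcp any host 192.0.2.10 eq 80",
    "permit tcp any host 192.0.2.25 eq 25",
    "permit icmp any any echo-reply",
    "deny ip any any log",
]

# Hypothetical never-block list: the DMZ itself and the router's uplink
# gateway must never be shunned, or an attacker spoofing them could make
# the sensor cut off legitimate traffic (a self-inflicted denial of service).
NEVER_BLOCK = [ip_network("192.0.2.0/24"), ip_network("10.0.0.1/32")]


@dataclass
class Alarm:
    """Constructed alarm record: what the sensor reports for an intruder."""
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str


def shun_entry(alarm: Alarm) -> Optional[str]:
    """Return the deny ACE for the alarm's source, or None if it is protected."""
    src = ip_address(alarm.src_ip)
    if any(src in net for net in NEVER_BLOCK):
        return None
    return f"deny ip host {alarm.src_ip} any log"


def apply_shun(acl: List[str], alarm: Alarm) -> List[str]:
    """Insert the shun ACE before every permit so it takes effect; no duplicates."""
    entry = shun_entry(alarm)
    if entry is None or entry in acl:
        return list(acl)
    return [entry] + list(acl)


def remove_shun(acl: List[str], alarm: Alarm) -> List[str]:
    """Lift the shun once its timeout expires, restoring the original ACL."""
    entry = shun_entry(alarm)
    return [ace for ace in acl if ace != entry]


def render_ios(acl_name: str, acl: List[str]) -> str:
    """Render the ACL as IOS configuration lines (illustrative syntax)."""
    return "\n".join([f"ip access-list extended {acl_name}"] + [f" {ace}" for ace in acl])
```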

Figure 5-3 Typical Cisco Secure IDS Design

[Figure 5-3: Sensors forwarding alarms to IDS Device Manager instances, with TACACS+/RADIUS servers providing authentication]

The software used on the sensors can be loaded from a central IDM, allowing easier software upgrades. The GUI on the IDM also allows network monitoring from one central location, ensuring that one central group within an organization can be directly responsible for monitoring and acting on alarms. Color-coded alarms in the GUI indicate possible vulnerabilities.

The section "Security Information Monitoring System," later in this chapter, covers some sample events.

NOTE For more details on software and hardware requirements for Cisco IDS Device Manager, go to http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap1.htm#wp50470.

IDS Device Manager can send out an alarm when certain configuration changes are made on Cisco routers, can send e-mail messages when particular alarm levels are reached, and can ensure a TCP attack is thwarted by sending TCP reset segments to unauthorized sources. When a Cisco Secure IDS Sensor communicates with the IDM and the network path is down, up to 255 alternate route paths can be attempted. Packets can be buffered and sent when the network is restored and communication resumes, ensuring that alarms are delivered. There are no keepalive communications; rather, one device sends and the other waits and listens.

NOTE Cisco Secure IDS 4.1 examines the entire packet. Intruders usually use an attack based on large ICMP traffic, typically fragmented, to discover the behavior of routers in a network. Cisco IDS 4.1 can mitigate this form of attack because packets can be reassembled and alerts sent if required, but this feature is available only in the most recent releases of IDS. Previously, this form of attack could cause networking issues and loss of packets. Intruders typically also use context-based attacks by scanning TCP or UDP ports in use.

For more details on Cisco Secure IDS, search with the keywords "Cisco Secure IDS" at Cisco.com. For example, information on the latest Cisco Secure IDS (version 4.1) can be found at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/index.htm.
