The HIDS is typically placed in a number of locations, such as the DMZ, behind a firewall, inline inside a Catalyst 6500, or on the inside network.
Figure 5-2 displays a typical IDS placement and shows how this technology can be used to prevent attacks from within and from outside an organization.
Figure 5-2 IDS Placement
IDS 1 in Figure 5-2 is the frontline defense against all the noise from the Internet and will typically stop attacks such as port scans, Network Mapper (Nmap) for example. Nmap is a free, open-source utility for network exploration or security auditing, downloadable from http://www.insecure.org/ nmap/index.html.
NOTE The NIDS appliance (IDS 1) in Figure 5-2 at the public side of the firewall is monitoring for attacks based on Layer 4 through Layer 7 analysis and on comparisons against known signatures. Still, this NIDS should have alarms set to a lower level than appliances on the inside of the firewall. Alarms seen here do not represent actual breaches, but merely attempts to reduce the number of false positives and to decrease the amount of time it takes to discover any successful attacks against devices within the corporate network.
However, IDS 2 in Figure 5-2 is a 6500 series switch with an IDS blade and a Cisco Firewall Services Module (FWSM). The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers and is based on Cisco PIX Firewall technology. It includes advanced features like multiple security contexts both at the routed levels and in bridging mode, helping to reduce cost and operational complexity while managing multiple firewalls from the same management platform. IDS 2 in Figure 5-2 can prevent much more sophisticated forms of attack, such as manipulated Internet Information Server (IIS) services in
Windows-based platforms. Recent reports mention a number of vulnerabilities in the IIS services, such as device manager traversal, Unicode device manager traversal, and the ability to decode command execution via a webpage.
Cisco IDS Sensors are network devices that perform real-time monitoring of network traffic for suspicious activities and active network attacks. When an event does occur, the Cisco IDS sends an alarm to the Cisco IDS Device Manager (IDM), a software package installed on an HP OpenView, HPUX, or Solaris workstation.
Typically, when an alarm is raised, the IDS can send e-mail messages at a particular alarm level via the daemon named eventd. IDS sensors can also set an alarm that is user configurable. IDS sensors cannot perform a trace route function to the intruding system; this is not often effective, because hackers use other IP addresses by spoofing valid network addresses. Recent developments in Cisco security also mean that sensors can modify and add new access lists, for example, when an event does occur, and block the source IP address from instigating any more attacks. This is called shunning in Cisco terminology.
IDS 3 in Figure 5-2 will prevent intruders from within an organization.
It is vital that any organization that is serious about defending against new styles of attacks constantly tune the IDS signatures so that the number of false positives is minimized.
Was this article helpful?