Tuning IDS sensors is critical to a successful network implementation. IDS sensors generate alerts in response to all traffic matching established criteria; without tuning, this will not be as reliable as possible. This could result in a large number of false positives, which could easily overwhelm security personnel and reduce the value of the information the IDS provides, resulting in a relaxed attitude by security support and administration staff until a real event occurs. But that could be too late.
The Cisco SAFE Blueprint recommends a number of key guidelines when tuning an IDS sensor (as described by Cisco at http://cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/ networking_solutions_white_paper09186a00801bc111.shtml):
Step 1 Identify Potential Locations for Sensors—To properly tune IDS sensors, the first step is to identify network locations where the sensors can be placed for maximum efficiency.
Step 2 Apply an Initial Configuration—The objective of this step is to take a first pass at configuring the network IDS sensors. First, sensors are classified and grouped according to active signatures and are then configured by group with a common signature profile. The sensors in a group are managed collectively, which simplifies the management of large numbers of sensors.
Step 3 Monitor the Sensor While Tuning—The objective of steps 3 and 4 is to monitor IDS sensor alarms and tune out any alarms caused by normal background traffic rather than malicious activity. This results in a decrease in the number of false alarms.
Step 4 Analyze Alarms, Tune Out False Positives, and Implement Signature Tuning (If Needed)—During the initial tuning period, you will need to determine the cause of every alarm in order to identify false positives. This task could be tedious, but it is necessary for your network IDS deployment to be of any use in detecting malicious activity.
Step 5 Selectively Implement Response Actions—Once the false positives are tuned out and logging due to IDS tuning changes is sufficiently reduced, response actions such as TCP resets, shunning, and IP logging can be implemented.
Step 6 Update Sensors with New Signatures—Automatic signature updates should be implemented for deployments with large numbers of sensors.
Network managers or security users can define user blade signatures with string matches using the signature in the 8000 range. Each signature is defined by a signature ID or number.
Network IDSs imbedded in Cisco IOS, in hardware-based models, or in PIX Firewalls can respond to attacks with a number of predefined actions to help network security managers:
■ Blocking—Blocking (also known as shunning) may also be implemented within the network to protect corporate servers that are not customer facing.
■ Resetting TCP connections—TCP Reset is a blocking method whereby an IDS sensor responds to an attack by sending the source and destination address of the attack a TCP RST packet to terminate the connection.
■ IP logging—Network IDS sensors can be configured to log IP packet data after an attack signature is seen.
■ Logging/reporting—Extensive logging and reporting can be performed on Cisco IDS sensors to report and log an event, indicate the attack signature seen, notify the management stations, report deviations from a particular attack signature, and look at new signatures not seen before.
As you can see, IDS technology offers many advantages to protect today's growing networks. The need to be connected to the public Internet has meant IP networks are always vulnerable if not protected.
Was this article helpful?