Intrusion Detection System

Intrusion detection systems (IDSs) are designed to detect network attacks and, when deployed inline as an intrusion prevention system (IPS), to block them. Based on their location, IDSs can be either of the following:

■ Network-based IDS (NIDS)—Examines or sniffs every packet flowing across the network segment it monitors and generates an alarm when a packet or stream matches a network attack signature.

■ Host-based IDS (HIDS)—Examines operating system information, such as logs, file contents, or running processes, against a baseline. When the system deviates from the baseline values because of an attack, alarms are generated.
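The baseline comparison a HIDS performs, as an added example that is not code from the book or from Cisco Security Agent: the script digests every file under a root, stores that as the baseline, and on the next run reports what was added, removed, or modified. The file paths and contents in `demo()` are constructed for illustration.

```python
"""Minimal host-based baseline check (added example, not the book's or
Cisco's code): snapshot file digests under a root, then report every path
that was added, removed or modified relative to the stored baseline.
Paths and contents used in demo() are constructed."""
import hashlib
import os
import tempfile


def snapshot_files(root):
    """Map relative path -> SHA-256 digest for every regular file under root."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def compare(baseline, current):
    """One alarm per path that was added, removed or changed since the baseline."""
    alarms = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            alarms.append(("added", path))
        elif path not in current:
            alarms.append(("removed", path))
        elif baseline[path] != current[path]:
            alarms.append(("modified", path))
    return alarms


def _write(root, rel, text):
    """Helper for the constructed demo filesystem."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed baseline, tamper with the host, return the alarms."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "bin/ls", "original ls binary")
        _write(root, "sbin/oldtool", "retired tool")
        baseline = snapshot_files(root)
        # Simulated compromise: trojaned ls, an extra uid-0 account,
        # a dropped hidden file, and a removed binary.
        _write(root, "bin/ls", "trojaned ls binary")
        _write(root, "etc/passwd",
               "root:x:0:0:root:/root:/bin/sh\ntoor:x:0:0::/:/bin/sh\n")
        _write(root, "tmp/.hidden", "dropper")
        os.remove(os.path.join(root, "sbin", "oldtool"))
        return compare(baseline, snapshot_files(root))
```

Two caveats a practitioner would want: the baseline is only as trustworthy as the host was when it was taken, so it must be captured on a known-clean system, and it must be stored somewhere the attacker cannot rewrite (off-host or signed), otherwise the intruder simply re-baselines after modifying the files.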

Chapter 6, "Security Technologies," defines some of the network prevention and host intrusion detection mechanisms that you can use in an IP network, namely Cisco Intrusion Prevention and Cisco Security Agent.

Cisco IDS delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, and bandwidth and e-business application attacks.

Recently, Cisco announced a number of new products to support IDS:

■ Cisco Security Agent (CSA)—Analyzes behavior rather than relying on signature matching. Requests are checked against system-based policies before they reach the system kernel, which stops worms and viruses before they can spread. CSA is covered in detail in Chapter 6.

■ Cisco IDS 4250 Appliance Sensor—Raises the performance bar for high-throughput gigabit protection in a performance-upgradeable IDS chassis.

■ Cisco IDS 4235 Appliance Sensor—Provides enterprise-class intrusion protection at new price/performance levels.

■ Cisco IDS 4.1 Sensor Software—Delivers web-based, embedded device management, graphical security analysis, and data-mining capabilities. Version 4.1 of the IDS software includes support for 2600/3600/3700 routers. IDS is built in to the newer platforms, namely the 2800 and 3800 series routers.

NOTE In addition to the Cisco IDS 4200 series of IDS appliances, Cisco also has the following IDS sensors:

■ Cisco IOS with the IPS (Intrusion Prevention System) feature set for routers

■ Catalyst 6500 IDS module for switch-based sensing (IDSM-2 module)

■ PIX Firewall version 6.x with a built-in IDS sensor; version 7.x will be available in 2005

■ Cisco IDS Host Sensor for Windows and Solaris desktops and servers, including web servers such as IIS and Apache

You are not expected to know these details for the written exam; they are presented here for completeness only.

Each Cisco IDS sensor can be configured to support a number of different signatures. A signature engine is a component of the Cisco IDS sensor that is designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters, and each parameter has an allowable range or set of values; a signature whose parameters fall outside those values cannot be loaded. An exploit signature is an identifiable pattern of attack that a network device, such as a Cisco IDS network sensor, can recognize.

Table 7-1 lists and describes the signature engines available with Cisco IDS Version 4.1.

Table 7-1 Cisco IDS Signature Engines*

■ ARP simple and cross-packet signatures.

■ Simple ICMP alarms based on the following parameters: Type, Code, Sequence, and ID.

■ Simple alarms based on the decoding of Layer 3 options.

■ Simple Layer 3 IP alarms.

■ Simple TCP packet alarms based on the following parameters: Port, Destination, Flags, and single-packet Regex. Use SummaryKey to define the address view for MinHits and Summarize counting. For best performance, use a StorageKey of xxxx.

■ Simple UDP packet alarms based on the following parameters: Port, Direction, and DataLength.

■ ICMP floods directed at a single host.

■ UDP floods directed at a single host.

■ Multiprotocol floods directed at a network segment. IP addresses are wildcarded for this inspection.

■ Used to group generic signatures so that common parameters can be changed. It defines an interface into common signature parameters.

■ Analyzes the DNS service.

■ FTP service special decode alarms.

■ Custom service/payload decode. For expert use only.

■ HTTP decode-based string engine. Includes anti-evasive URL deobfuscation.

■ IDENT service (client and server) alarms.

■ Microsoft SQL service inspection engine.

■ Network Time Protocol-based signature engine.

■ Analyzes the RPC service.

■ SMB SuperInspector signatures.

■ Inspects SMTP protocol.

■ Inspects SNMP traffic.

■ SSH header decode signatures.

■ Processes syslogs.

■ Telnet-based Cisco login inspection engine.

■ Inspects LPR protocol.

■ Generic ICMP-based string search engine.

■ Generic TCP-based string search engine.

■ Generic UDP-based string search engine.

■ A single host sweeping a range of nodes using ICMP.

■ Detects host and service sweeps over TCP.

■ Conducts cross-protocol sweeps.

■ Conducts fingerprint scans.

■ Detects port sweeps between two nodes.

■ Detects UDP connections to multiple destination ports between two nodes.

*The information in Table 7-1 is from the page at iaabu/csids/csids10/idmiev/swappa.htm.
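The engine model described above (a parser plus an inspector, legal parameter ranges, and SummaryKey/MinHits counting) and two of the engine categories in Table 7-1 (a single-packet TCP engine and a TCP host sweep), written out as an added example. This is illustrative code, not Cisco's sensor software; the engine names `AtomicTCP` and `SweepHostTCP`, the parameter names, the `Packet` record, and the sample traffic are all stand-ins constructed for the example.

```python
"""Toy signature-engine framework (added example, not Cisco code): an engine
is a parser plus an inspector, each engine declares legal parameter ranges,
and a signature whose parameters fall outside them is refused.  Engine names,
parameter names and the Packet record are stand-ins, not Cisco identifiers."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet record; a real sensor decodes this from the wire."""
    proto: str
    src: str
    dst: str
    dport: int = 0
    flags: str = ""        # TCP flag letters, e.g. "S" (SYN) or "PA" (PSH+ACK)
    payload: bytes = b""


def _valid_regex(pattern):
    try:
        return re.compile(pattern) is not None
    except re.error:
        return False


class Engine:
    """PARAMS maps each legal parameter name to its allowed values or a check."""
    PARAMS = {}

    def __init__(self, sig_id, **params):
        for name, value in params.items():
            legal = self.PARAMS.get(name)
            if legal is None:
                raise ValueError(f"{sig_id}: unknown parameter {name}")
            if not (legal(value) if callable(legal) else value in legal):
                raise ValueError(f"{sig_id}: {name}={value!r} outside legal range")
        self.sig_id, self.p = sig_id, params

    def summary_key(self, pkt):
        """SummaryKey selects the address view that hits are counted under."""
        view = self.p.get("SummaryKey", "src-dst")
        return {"src": (pkt.src,), "dst": (pkt.dst,), "src-dst": (pkt.src, pkt.dst)}[view]


class AtomicTCP(Engine):
    """Single-packet TCP alarm on destination port, flags and a payload regex."""
    PARAMS = {"DstPort": range(65536), "TcpFlags": {"S", "A", "F", "R", "SA", "PA", "FA", "RA"},
              "Regex": _valid_regex, "MinHits": range(1, 1001),
              "SummaryKey": {"src", "dst", "src-dst"}}

    def __init__(self, sig_id, **params):
        super().__init__(sig_id, **params)
        self.hits = defaultdict(int)

    def inspect(self, pkt):
        """Parser: TCP to DstPort only.  Inspector: flags, payload regex, MinHits."""
        if pkt.proto != "tcp" or pkt.dport != self.p["DstPort"]:
            return None
        if not set(self.p.get("TcpFlags", "")) <= set(pkt.flags):
            return None
        if "Regex" in self.p and not re.search(self.p["Regex"].encode(), pkt.payload):
            return None
        key = self.summary_key(pkt)
        self.hits[key] += 1
        if self.hits[key] < self.p.get("MinHits", 1):
            return None
        self.hits[key] = 0                  # restart the count after alarming
        return f"{self.sig_id} {pkt.src}->{pkt.dst}:{pkt.dport}"


class SweepHostTCP(Engine):
    """One source sending SYNs to many hosts: alarms once at Unique destinations."""
    PARAMS = {"Unique": range(2, 10001)}

    def __init__(self, sig_id, **params):
        super().__init__(sig_id, **params)
        self.hosts_seen = defaultdict(set)

    def inspect(self, pkt):
        if pkt.proto != "tcp" or "S" not in pkt.flags or "A" in pkt.flags:
            return None
        seen = self.hosts_seen[pkt.src]
        seen.add(pkt.dst)
        if len(seen) != self.p["Unique"]:
            return None
        return f"{self.sig_id} {pkt.src} swept {len(seen)} hosts"


def loads(engine_cls, sig_id, **params):
    """True if the engine accepts the signature's parameters, False if refused."""
    try:
        engine_cls(sig_id, **params)
        return True
    except ValueError:
        return False


def run_sensor(signatures, packets):
    """Feed every packet to every signature and collect the alarms in order."""
    return [a for pkt in packets for sig in signatures if (a := sig.inspect(pkt))]


def demo():
    sigs = [AtomicTCP("http-traversal", DstPort=80, TcpFlags="PA",
                      Regex=r"\.\./\.\./", MinHits=1, SummaryKey="src-dst"),
            SweepHostTCP("tcp-host-sweep", Unique=3)]
    # Constructed traffic: a clean request, a traversal attempt, then a SYN
    # sweep of four hosts from a second source.
    traffic = [Packet("tcp", "10.0.0.5", "192.0.2.10", 80, "PA", b"GET /index.html HTTP/1.0\r\n"),
               Packet("tcp", "10.0.0.5", "192.0.2.10", 80, "PA", b"GET /../../etc/passwd HTTP/1.0\r\n")]
    traffic += [Packet("tcp", "10.0.0.9", f"192.0.2.{n}", 22, "S") for n in (1, 2, 3, 4)]
    return run_sensor(sigs, traffic)
```

Two points the table only hints at show up in the code: the engine refuses a signature before any traffic is seen when a parameter is out of range (`loads(AtomicTCP, "x", DstPort=70000)` is False), and SummaryKey changes what a hit count means; with `SummaryKey="src"` the MinHits threshold is shared across every destination the source talks to, which is what you want for a noisy scanner but will also merge unrelated hits behind a NAT address.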

An IDS can also be used, for example, to detect spam e-mail while still allowing legitimate e-mail through. Most ISPs do not detect or remove spam, so it is up to the security administrator to ensure that spam is neither accepted nor allowed to be used as a DoS attack against the mail infrastructure.
