Intrusion Detection System

Intrusion detection systems (IDSs) are designed to detect and thwart network attacks. Based on their location, IDSs can be either of the following:

■ Network-based IDS (NIDS)—Examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature.

■ Host-based IDS (HIDS)—Examines operating system information, such as logs or system processes, against a baseline. When the system deviates from the normal values because of an attack, alarms are generated.
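As an added illustration of the host-based approach (example code written for this page, not from the book or from any Cisco product), the following Python compares a constructed host snapshot against a constructed known-good baseline and raises one alarm per deviation. The field names, the sample values and the 3x failed-login threshold are assumptions; a real HIDS would collect the same kinds of data from the operating system.

```python
"""Toy host-based IDS check: compare a host snapshot with a known-good baseline.
Added example, not from the book; all baseline and snapshot data is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class HostState:
    """What a HIDS collects from the OS: processes, listeners, log counters, file hashes."""
    processes: set[str]
    listening_ports: set[int]
    failed_logins_per_hour: int
    file_hashes: dict[str, str] = field(default_factory=dict)   # path -> digest (constructed)


def compare_to_baseline(baseline: HostState, current: HostState,
                        login_failure_threshold: float = 3.0) -> list[str]:
    """Return one alarm string per deviation of `current` from `baseline`.

    The baseline is the normal state recorded when the host was known good;
    anything new or changed is reported so an analyst can decide whether it is
    an attack or a legitimate change. The threshold is an assumed tuning value.
    """
    alarms = []
    for proc in sorted(current.processes - baseline.processes):
        alarms.append(f"new process not in baseline: {proc}")
    for port in sorted(current.listening_ports - baseline.listening_ports):
        alarms.append(f"new listening port: {port}")
    for path, digest in sorted(current.file_hashes.items()):
        if path not in baseline.file_hashes:
            alarms.append(f"new monitored file: {path}")
        elif baseline.file_hashes[path] != digest:
            alarms.append(f"file changed: {path}")
    # rate check: failed logins far above the baseline rate suggest password guessing
    if baseline.failed_logins_per_hour > 0:
        ratio = current.failed_logins_per_hour / baseline.failed_logins_per_hour
    else:
        ratio = float("inf") if current.failed_logins_per_hour > 0 else 0.0
    if ratio > login_failure_threshold:
        alarms.append(f"failed logins {current.failed_logins_per_hour}/h, "
                      f"{ratio:.1f}x baseline")
    return alarms


# constructed baseline recorded from a known-good host
BASELINE = HostState(
    processes={"sshd", "cron", "httpd"},
    listening_ports={22, 80},
    failed_logins_per_hour=2,
    file_hashes={"/etc/passwd": "a1b2", "/usr/sbin/sshd": "c3d4"},
)

# constructed later snapshot of the same host, showing several deviations
SNAPSHOT = HostState(
    processes={"sshd", "cron", "httpd", "unknown_svc"},
    listening_ports={22, 80, 4444},
    failed_logins_per_hour=40,
    file_hashes={"/etc/passwd": "a1b2", "/usr/sbin/sshd": "ffff"},
)

if __name__ == "__main__":
    for alarm in compare_to_baseline(BASELINE, SNAPSHOT):
        print("ALARM:", alarm)
```

Run as a script it prints four alarms (a new process, a new listening port, a changed binary and a login-failure rate 20x the baseline); comparing the baseline with itself yields none, which is the property a baseline check must have to avoid constant false alarms.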

Chapter 6, "Security Technologies," defines some of the network prevention and host intrusion detection mechanisms that you can use in an IP network, namely Cisco Intrusion Prevention and Cisco Security Agent.

Cisco IDS delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, and bandwidth and e-business application attacks.

Recently, Cisco announced a number of new products to support IDS:

■ Cisco Security Agent (CSA)—Analyzes behavior rather than relying on signature matching. This ensures that tasks are checked against the system-based policies before the system kernel is used, thus stopping worms and viruses from spreading. CSA is covered in detail in Chapter 6.

■ Cisco IDS 4250 Appliance Sensor—Raises the performance bar for high-throughput gigabit protection in a performance-upgradeable IDS chassis.

■ Cisco IDS 4235 Appliance Sensor—Provides enterprise-class intrusion protection at new price/performance levels.

■ Cisco IDS 4.1 Sensor Software—Delivers powerful web-based, embedded device management, graphical security analysis, and data-mining capabilities. Version 4.1 of the IDS software includes support for 2600/3600/3700 routers. IDS is built in on the new platforms, namely the 2800 and 3800 series routers.

NOTE In addition to the Cisco IDS 4200 series of IDS appliances, Cisco also has the following IDS sensors:

■ Cisco IOS with IPS (Intrusion Prevention Systems) feature set for routers

■ Catalyst 6500 IDS module for switch-based sensor (IDSM-2 module)

■ PIX Firewall with version 6.x with built-in IDS sensor; Version 7.x will be available in 2005

■ Cisco IDS Host sensor for Windows, Solaris OS, desktops, and web servers, such as IIS and Apache

You are not expected to know these details for the written exam; they are presented here for completeness only.

Each Cisco IDS sensor can be configured to support a number of different signatures. A signature engine is a component of the Cisco IDS sensor that is designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges, or sets of values. Exploit signatures are an identifiable pattern of attack detected by your network device, such as a Cisco IDS Network sensor.

Table 7-1 lists and describes the signature engines available with Cisco IDS Version 4.1.

Table 7-1 Cisco IDS Signature Engines*

Engine                         Description
ATOMIC.ARP                     ARP simple and cross-packet signatures.
ATOMIC.ICMP                    Simple ICMP alarms based on the following parameters: Type, Code, Sequence, and ID.
ATOMIC.IPOPTIONS               Simple alarms based on the decoding of Layer 3 options.
ATOMIC.L3.IP                   Simple Layer 3 IP alarms.
ATOMIC.TCP                     Simple TCP packet alarms based on the following parameters: Port, Destination, Flags, and single packet Regex. Use SummaryKey to define the address view for MinHits and Summarize counting. For best performance, use a StorageKey of xxxx.
ATOMIC.UDP                     Simple UDP packet alarms based on the following parameters: Port, Direction, and DataLength.
FLOOD.HOST.ICMP                ICMP floods directed at a single host.
FLOOD.HOST.UDP                 UDP floods directed at a single host.
FLOOD.NET                      Multiprotocol floods directed at a network segment. IP addresses are wildcarded for this inspection.
OTHER                          Used to group generic signatures so that common parameters can be changed. It defines an interface into common signature parameters.
SERVICE.DNS                    Analyzes the DNS service.
SERVICE.FTP                    FTP service special decode alarms.
SERVICE.GENERIC                Custom service/payload decode. For expert use only.
SERVICE.HTTP                   HTTP decode-based string engine. Includes anti-evasive URL deobfuscation.
SERVICE.IDENT                  IDENT service (client and server) alarms.
SERVICE.MSSQL                  Microsoft SQL service inspection engine.
SERVICE.NTP                    Network Time Protocol-based signature engine.
SERVICE.RPC                    Analyzes the RPC service.
SERVICE.SMB                    SMB SuperInspector signatures.
SERVICE.SMTP                   Inspects SMTP protocol.
SERVICE.SNMP                   Inspects SNMP traffic.
SERVICE.SSH                    SSH header decode signatures.
SERVICE.SYSLOG                 Processes syslogs.
STATE.STRING.CISCOLOGIN        Telnet-based Cisco login inspection engine.
STATE.STRING.LPRFORMATSTRING   Inspects LPR protocol.
STRING.ICMP                    Generic ICMP-based string search engine.
STRING.TCP                     Generic TCP-based string search engine.
STRING.UDP                     Generic UDP-based string search engine.
SWEEP.HOST.ICMP                A single host sweeping a range of nodes using ICMP.
SWEEP.HOST.TCP                 Detects host and service sweeps over TCP.
SWEEP.MULTI                    Conducts cross-protocol sweeps.
SWEEP.OTHER.TCP                Conducts fingerprint scans.
SWEEP.PORT.TCP                 Detects port sweeps between two nodes.
SWEEP.PORT.UDP                 Detects UDP connections to multiple destination ports between two nodes.

*The information in Table 7-1 is from the Cisco.com page at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swappa.htm.
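To make the parser/inspector structure and the "legal parameters with allowable ranges" idea from the text concrete, here is an added Python model (example code for this page, not Cisco's implementation) of two of the engine types in Table 7-1: a single-packet ATOMIC.TCP-style engine with Port, Flags and Regex parameters, and a stateful FLOOD.HOST.ICMP-style engine. The Packet record, the class names, the Rate and Interval parameters and all value ranges are assumptions; the packets are constructed, not captured traffic.

```python
"""Toy signature engines: legal parameter ranges plus a parser and an inspector.
Added example, not Cisco code; every packet below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a decoded packet (field names are assumptions)."""
    proto: str            # "icmp" or "tcp"
    dst: str
    ts: float             # arrival time in seconds
    dport: int = 0
    flags: str = ""       # TCP flags, e.g. "S" or "PA"
    payload: bytes = b""

class Engine:
    """Base engine: rejects signature parameters outside the LEGAL ranges.
    Subclasses supply parse() (the parser) and inspect() (the inspector)."""
    LEGAL = {}            # name -> (min, max) or a validator callable

    def __init__(self, sig_id, **params):
        for name, value in params.items():
            rule = self.LEGAL.get(name)
            if rule is None:
                raise ValueError(f"{sig_id}: {name} is not a parameter of this engine")
            if not (rule(value) if callable(rule) else rule[0] <= value <= rule[1]):
                raise ValueError(f"{sig_id}: {name}={value!r} outside legal range")
        self.sig_id, self.params = sig_id, params

    def feed(self, pkt):
        """Return the signature id if this packet triggers it, else None."""
        fields = self.parse(pkt)
        return self.sig_id if fields is not None and self.inspect(fields) else None

class AtomicTcp(Engine):
    """ATOMIC.TCP-style single-packet match on Port, Flags and a payload Regex."""
    LEGAL = {"Port": (1, 65535),
             "Flags": lambda v: isinstance(v, str) and set(v) <= set("SAFRPU"),
             "Regex": lambda v: isinstance(v, str)}

    def parse(self, pkt):   # parser: only TCP packets, only the fields we inspect
        return (pkt.dport, pkt.flags, pkt.payload) if pkt.proto == "tcp" else None

    def inspect(self, fields):
        port, flags, payload = fields
        if port != self.params["Port"]:
            return False
        if "Flags" in self.params and set(flags) != set(self.params["Flags"]):
            return False
        regex = self.params.get("Regex")
        return regex is None or re.search(regex.encode(), payload) is not None

class FloodHostIcmp(Engine):
    """FLOOD.HOST.ICMP-style: more than Rate ICMP packets to one host within
    Interval seconds. Stateful, unlike the atomic engine (names/ranges assumed)."""
    LEGAL = {"Rate": (1, 1_000_000), "Interval": (1, 3600)}

    def __init__(self, sig_id, **params):
        super().__init__(sig_id, **params)
        self.seen = defaultdict(list)   # dst -> timestamps inside the window

    def parse(self, pkt):
        return (pkt.dst, pkt.ts) if pkt.proto == "icmp" else None

    def inspect(self, fields):
        dst, ts = fields
        recent = [t for t in self.seen[dst] if ts - t < self.params["Interval"]]
        recent.append(ts)
        self.seen[dst] = recent
        return len(recent) > self.params["Rate"]

def params_are_legal(engine_cls, **params):
    """Pre-check a signature's parameters before deploying it."""
    try:
        engine_cls("check", **params)
        return True
    except ValueError:
        return False

def build_engines():
    return [AtomicTcp("HTTP-dot-dot-slash", Port=80, Regex=r"\.\./"),
            FloodHostIcmp("ICMP-host-flood", Rate=20, Interval=1)]

def run_sensor(engines, packets):
    """Feed every packet to every engine; return the ids that fired, in order."""
    alarms = []
    for pkt in packets:
        for eng in engines:
            hit = eng.feed(pkt)
            if hit:
                alarms.append(hit)
    return alarms

# constructed traffic: one HTTP request followed by a 25-packet ICMP burst
PACKETS = [Packet("tcp", "10.0.0.9", 0.1, dport=80, flags="PA",
                  payload=b"GET /../../etc/passwd HTTP/1.0\r\n")]
PACKETS += [Packet("icmp", "10.0.0.9", 0.2 + i * 0.01) for i in range(25)]

if __name__ == "__main__":
    alarms = run_sensor(build_engines(), PACKETS)
    print({sig_id: alarms.count(sig_id) for sig_id in set(alarms)})
```

Two points worth noticing: the flood engine fires on every packet once the window exceeds Rate (five times for the 25-packet burst), which is why the table's ATOMIC.TCP entry mentions MinHits and Summarize counting for atomic engines; and a parameter outside its range (a Port of 70000, a Rate of 0, or a name the engine does not define) is rejected when the signature is created rather than silently ignored at inspection time.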

An IDS can be used, for example, to detect spam e-mail and still allow regular e-mail. Most ISPs do not detect or remove spam e-mail, so it is up to the security administrator to ensure that spam e-mail is not permitted or used as a DoS attack.
