Network Based Intrusion Detection Systems

You will be forgiven for looking at this new blueprint objective and wondering exactly what is expected of a candidate taking the new CCIE Security written exam. This section unravels the objective and gives you the best possible preparation so that you pass this portion of the exam on your first attempt.

Network-based intrusion detection has been defined by many security vendors; Cisco, for example, defines IDS as a method of detecting illegal packets within your network. Ensuring that IP packets and TCP segments are valid can be an enormous task in today's ever-evolving networks, because every organization needs to be connected to the public domain, the World Wide Web. To run e-commerce effectively within an organization, the basic aim of the Cisco network-based IDS (NIDS) solution is to proactively detect network packets and segments that may be illegal and to alert the organization's security team. For the CCIE Security written exam, you can expect to be tested on your basic knowledge of how the Cisco network-based IDS functions.

First, the following list defines a few basic terms you should be aware of:

■ Signature—A set of conditions that, when met, indicates some type of intrusion event.

■ Pattern matching—Searching for a fixed sequence of bytes within an IP packet (encompassing, of course, TCP or UDP details).

■ Stateful pattern matching—A far more sophisticated method of searching for certain patterns. Instead of looking at only one packet, this method looks at the actual flow of packets between two end systems, so a pattern split across several packets can still be found.

■ Protocol decode-based analysis—Protocol decode-based signatures are in many ways intelligent extensions to stateful pattern matches. This class of signature is implemented by decoding the various elements in the same manner as would the client or server in the conversation. When the elements of the protocol are identified, the IDS applies rules defined by the RFCs to look for violations.

■ Heuristic-based analysis—Heuristic-based signatures use some type of algorithmic logic on which to base their alarm decisions. A port sweep is a typical attack detected in this way.

■ Anomaly-based analysis—Anomaly-based signatures are typically geared to look for network traffic that is a variation from the normally expected data types. Typically, a strong differentiation is required between normal and abnormal.

These methods have their pros and cons. To date, the Cisco strategy for NIDS is to blend the use of pattern matching, stateful pattern matching, protocol decodes, and heuristic-based signatures.
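The following is an added example, not code from the book or from any Cisco product, illustrating the difference between the first two methods in the list above: a per-packet pattern match inspects each segment on its own, while a stateful match reassembles the flow by TCP sequence number first. The signature string and the sample segments are constructed for the illustration.

```python
# Added example (not from the book): per-packet versus stateful pattern matching.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes

# Constructed sample signature: a fixed byte sequence the sensor looks for.
SIGNATURE = b"GET /cgi-bin/test-sig"

def per_packet_match(segments: List[Segment], signature: bytes = SIGNATURE) -> List[int]:
    """Stateless pattern matching: test each segment's payload in isolation.
    Returns the indexes of segments whose payload contains the signature."""
    return [i for i, s in enumerate(segments) if signature in s.payload]

def stateful_match(segments: List[Segment], signature: bytes = SIGNATURE) -> List[Tuple[str, int, str, int]]:
    """Stateful pattern matching: group segments into flows, order each flow by
    sequence number, join the payloads, then search the reassembled stream.
    Returns the (src, sport, dst, dport) tuples of flows that contain the signature."""
    flows = {}
    for s in segments:
        flows.setdefault((s.src, s.sport, s.dst, s.dport), []).append(s)
    hits = []
    for key, segs in flows.items():
        stream = b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
        if signature in stream:
            hits.append(key)
    return hits

# Constructed traffic (IPs and ports are made up for the example):
#  - flow from 10.0.0.5 carries the signature split across two segments that
#    also arrive out of order, so only stateful matching sees it;
#  - flow from 10.0.0.6 is benign;
#  - flow from 10.0.0.7 carries the whole signature in one segment, so both see it.
SAMPLE = [
    Segment("10.0.0.5", "192.0.2.10", 40000, 80, 1009, b"bin/test-sig HTTP/1.0\r\n"),
    Segment("10.0.0.5", "192.0.2.10", 40000, 80, 1000, b"GET /cgi-"),
    Segment("10.0.0.6", "192.0.2.10", 40001, 80, 5000, b"GET /index.html HTTP/1.0\r\n"),
    Segment("10.0.0.7", "192.0.2.10", 40002, 80, 7000, b"GET /cgi-bin/test-sig HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("per-packet hits:", per_packet_match(SAMPLE))   # only the 10.0.0.7 segment
    print("stateful hits:  ", stateful_match(SAMPLE))     # both 10.0.0.5 and 10.0.0.7 flows
```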

Passive or Inline IDS?

A passive IDS module receives copies of all the traffic passing through the backplane—for example, on a Cisco 2600 or 3600 router. The IDS sensor simply analyzes all captured data and compares it to a set of defined rules, called signatures.

An inline IDS module analyzes all traffic passing from one network to another, such as through a PIX Firewall.

Cisco supplies a new agent, Cisco Security Agent (CSA), with every Cisco CallManager installation and recommends its use in any network. CSA is discussed next.

You will now cover the Cisco CSA agent and host-based IDS systems.
