Access Control Lists and NM-CIDS

The Cisco IOS-IDS implementation checks for certain signatures before an input ACL filters the packet. The purpose is to look for any possible attacks that were destined for the network before they were dropped by the router. Such an approach is difficult to implement with the NM-CIDS. The router sends a copy of the packet to the NM-CIDS, and it is desirable to send only one copy of the packet. If the packet is forwarded to the NM-CIDS even before it is dropped, the router has to send another...

Accessing NM-CIDS via Telnet

Another method to access the NM-CIDS console is by using direct Telnet. You can open a Telnet session by using the IP address of any interface on the router and a special port number. This actually opens a connection to the console via the internal UART, just like the session command from the router console. The formula for calculating the port number is (32 * slot number) + 2001. For example, the port number for slot 1 would be 2033, and the port number for slot 2 would be 2065.

Accessing the IDSM-2 CLI

You initially access the IDSM-2 from the switch console. When using CatOS, the session switch command gives you access to the IDSM-2 CLI. The syntax for the Catalyst operating system session command is as follows. The term mod indicates the slot where the IDSM-2 is located. When using IOS, you access the IDSM-2 CLI by using the session slot switch command. The syntax for the IOS session slot command is as follows:

session slot mod processor processor-id

Suppose that your IDSM-2 is in slot 5. The...

ACL Placement Considerations

When applying ACLs on your network, consider your operational requirements and network topology. You have several options when applying ACLs to one of your network devices. The ACL might be applied on either the external or internal interface of the router. It can also be configured for inbound or outbound traffic on each of these two interfaces (when using ACLs). Although you can choose inbound or outbound traffic (with respect to the router interface, not your network) on each physical...

Actions

The Actions group box in the Preferences window (see Figure 10-22) allows you to set the following parameters The Command Timeout value determines how long (in seconds) the Event Viewer will wait for a response from the sensor before it concludes that it has lost communication with the sensor. In most cases, you will not need to modify this value. If you find that you are experiencing frequent command timeout errors, you might consider increasing the Command Timeout value or diagnosing the...

Adding a Known SSH Host

Your sensor maintains a list of validated SSH known hosts so that the sensor can verify the identity of the servers with which it communicates when it is operating as an SSH client. Adding an entry to the known SSH hosts list also enables you to do the following:
- Automatically or manually upgrade the sensor by using SCP
- Copy current configurations, backup configurations, and IP logs via SCP

The syntax for the ssh host-key command is as follows:

ssh host-key ip-address key-modulus-length...

Adding and Removing Users

In the Global Configuration mode, you can add new users to and remove existing users from your sensor. The username Global Configuration mode command enables you to add new users. To remove an existing user, simply insert the keyword no in front of the regular username command. The syntax for the username command is as follows:

username name password password privilege administrator operator viewe

The sequence of commands in Example 2-5 illustrates the process of adding to your sensor the user...

Adding Event Rules

Event rules specify the criteria that an event must match in order to cause a specific action. When adding event rules, you need to perform the following four tasks:
- Assign a name to the event rule
- Define the event filter criteria
- Assign the event rule action
- Define the event rule threshold and interval

Complete the following steps to add an event rule:
Step 1. Click on the Configuration tab on the main Security Monitor screen.
Step 2. Select Event Rules from the options bar (or from the content...

Adding IOS Devices

Besides receiving events from Cisco IPS sensors, Security Monitor can also receive events from other Cisco IDS devices (such as IOS routers and PIX Firewalls). You can add IOS devices by selecting IOS IDS/IPS in the Device Type field. When adding an IOS IDS device, you must specify the following fields. Some IOS devices can run the PostOffice protocol. If you want Security Monitor to communicate with the IOS device using PostOffice, you need to select Postoffice in the Protocol field. This will...

Adding RDEP Devices

Security Monitor uses RDEP to communicate with your Cisco IPS version 5.0 sensors. When adding an RDEP device to Security Monitor, you must specify the following information about the device. The IP Address, Device Name, and Web Server Port fields identify the device so that Security Monitor can communicate with it. The Username and Password fields provide the login credentials necessary to access the RDEP device. Finally, the Minimum Event Level field sets the minimum alert level for the events that...

Adding Users

As part of your IDS MC and Security Monitor configuration, you need to configure accounts for the various users who need to access these applications. The CiscoWorks 2000 Add User screen enables you to create new accounts that have access to the CiscoWorks 2000 applications. To create a new account in CiscoWorks 2000, perform the following steps:
Step 1. Log in to the CiscoWorks 2000 desktop.
Step 2. Choose Server Configuration > Setup > Security > Add Users. The Add User window appears....

Administrative Tasks

The sensor command line enables you to perform numerous administrative tasks, such as the following:
- Display the current configuration
- Back up the current configuration
- Restore the current configuration
- Display technical-support information

Some of these tasks will be covered in Chapter 12, Verifying System Configuration. For detailed information on how to perform these administrative tasks, refer to the CLI documentation at Cisco.com (http://www.cisco.com/go/ids).

Advanced Catalyst 6500 Traffic Capture

So far our examination has focused on the ways that you can use your Cisco switch to capture network traffic for analysis by your sensor. The next step involves configuring the port on the switch through which your sensor receives its captured traffic. By default your appliance sensors are usually connected to your switch via a standard access port. Since this port is usually not configured as a trunk, your sensor will receive only traffic that belongs to the same VLAN as the VLAN assigned to...

Advanced Signature Configuration

Tuning existing signatures and creating custom signatures is a powerful feature of Cisco IPS. Understanding this functionality enables you to fine-tune your Cisco IPS solution to provide the best protection for your network. This chapter focuses on the following:
- Understanding HTTP and FTP application policy enforcement
- Tuning an existing signature
- Creating a custom signature

Before broaching these important topics, however, it is helpful to explain the following topics in more detail: Regular...

AIC FTP Signature Engine Parameters

Using the Application Inspection and Control (AIC) FTP signature engine involves configuring the parameters shown in Table 6-4.

Table 6-4. AIC FTP Signature Engine Parameters

Identifies the type of FTP commands that the signature will detect: Help, Noop, Stat, Syst, User, abor, acct, alio, appe, cdup, cwd, dele, list, mkd, mode, nlst, pass, pasv, port, pwd, quit, rein, rest, retr, rmd, rnfr, rnto, site, smnt, stor, stou, stru, type

The FTP command...

Alarm Summary Modes

Managing alarms efficiently is vital to the success of your Cisco IDS deployment. To enhance your ability to control the volume of alarms generated by your sensors, Cisco IDS supports several alarm modes. Each of the following alarm summary modes is designed to assist you in regulating the number of alarms generated by intrusive traffic in different situations:
- Variable Alarm Summarization

The following sections explain the alarm summary modes in detail. To understand these alarm summary modes,...

Alert Frequency Fields

Managing alerts efficiently is vital to the success of your Cisco IPS deployment. To enhance your ability to control the volume of alerts generated by your sensors, Cisco IPS supports several alert modes (including alert summarization). Each of the alert summary modes is designed to assist you in regulating the number of alerts generated by intrusive traffic in different situations. Alert frequency fields are explained in detail in Chapter 5, Basic Cisco IPS Signature Configuration.

Analysis Engine

The analysis engine performs packet analysis and alert detection. It monitors traffic that flows through the specified interfaces and interface pairs. The Analysis Engine category provides the following options. To use any of the sensor's interfaces to analyze network traffic, you must assign it to a virtual sensor. The Virtual Sensor option enables you to assign or remove sensor interfaces from a virtual sensor.

Antispoofing Mechanisms

Attackers will usually forge packets with IP addresses that are either private addresses (refer to RFC 1918) or addresses of your internal network. The attacker's goal is to have Cisco Secure IPS block valid IP addresses, thus causing a DoS. When you properly implement an antispoofing mechanism, Cisco Secure IPS will not block these valid addresses. An excellent reference on IP address filtering is RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source...

Application Inspection and Control Signature Engines

HTTP and FTP are protocols that commonly traverse firewalls on many networks. Because of this, many applications (and attackers) have started using these protocols to tunnel traffic (other than HTTP and FTP) through firewalls in an attempt to circumvent the security policies implemented on various networks. Cisco IPS version 5.0 enables you to conduct a more thorough analysis of HTTP and FTP through application policy enforcement. Currently, application policy enforcement is available through...

Apply ACL to an Interface or VLAN

Next you need to apply the extended ACL to a VLAN interface on the MSFC. You use the interface vlan command to enter the configuration mode for a specific interface. Then you use the mls ip ids command to apply the extended ACL to that interface. The syntax for the interface vlan command is as follows:

interface vlan vlan-number

The syntax for the mls ip ids command is as follows. To continue with our example, you would enter the following commands on your router to apply ACL 150 to VLAN 40.

MSFC...

Assessing Exam Readiness

After completing a number of certification exams, I have found that you cannot completely know if you are adequately prepared for the exam until you have completed about a third of the questions (during the actual exam). At that point, if you are not prepared, it is too late. Be sure that you prepare for the correct exam. This book covers material for the CCSP IPS exam. The best way to assess your current understanding of the material is to work through the "Do I Know This Already?" quizzes, the...

Asset Value of Target

The final weight, also known as the target-value rating, is based on the perceived value of the target. This value is user-configurable based on the IP address. You can assign one of the following values (listed in order, from lowest to highest priority) to a specific IP address or range of addresses. The assignment of values to systems is a subjective process. The important point is that the asset values enable you to prioritize the devices on your network based on their perceived value. For...

Assigning a Blocking Action

Before your sensor will initiate IP blocking, configure one or more of your Cisco IPS signatures with a blocking action. In IDM version 5.0, you can configure the actions for a signature by performing the following steps:
Step 1. Access IDM by entering the following URL in your web browser: https://sensoripaddress
Step 2. Click on the Configuration icon to display the list of configuration tasks.
Step 3. If the items under the Signature Definition category are not displayed, click on the plus...

Assigning the Clock Settings

The NM-CIDS clock cannot be set directly. It must use the router's clock or an NTP server as a reference clock. By default, the NM-CIDS automatically synchronizes its clock with the router time. If you use the default setting, Greenwich Mean Time (GMT) is synchronized between the router and the NM-CIDS. The time zone and summer time settings are not synchronized between the router and the NM-CIDS. Therefore, be sure to set the time zone and summer time settings on both the router and the...

Atomic Signature Engines

The two signature engines shown in Table 6-10 handle all of the atomic signatures. Each of these engines is designed to efficiently support signatures that trigger based on information in a single packet. Whenever a packet that matches a configured signature is detected, the appropriate signature engine triggers an alarm. The atomic engines are constructed to efficiently handle searching different types of traffic streams (such as ICMP, TCP, and UDP).

Table 6-10. Atomic Signature Engines
...

Back

As you move through the various configuration and monitoring screens, IDM keeps track of the options you have selected. Clicking on the Back icon enables you to return to one of the previous configuration screens that you were modifying or viewing (the Back icon is similar to your browser's Back button). Each click on the Back icon takes you back one screen in the list of configuration screens that you have visited. For instance, suppose that you view the following configuration screens for the...

Basic Signature Configuration

After locating signatures by using signature groups, you can perform various configuration operations on signatures or groups of signatures. These configuration operations fall into the following categories:
- Viewing Network Security Database (NSDB) information
- Editing existing signatures
- Defining signature responses

Besides understanding the basic signature configuration operations, it is helpful to understand the fields that an alert contains. Table 5-4 describes the major fields found in an...

Basic Signature Fields

Each signature has the following four basic fields that identify the signature Together, the Signature ID and SubSignature ID uniquely identify the signature. Both fields are numeric. The SubSignature ID enables you to have multiple signatures under a broader signature identified by the Signature ID. The Signature Fidelity Rating indicates the likelihood that the signature will detect attack traffic (as opposed to normal user traffic) without the sensor having specific knowledge about the...

Blocking

One of the actions that you can configure your sensor to take when a signature triggers is to block traffic from the system that initiated the intrusive traffic. The two types of blocking actions that you can configure are as follows When you configure a signature to block a connection, it blocks only traffic from the host that triggered the signature to the destination port, the protocol (such as TCP or UDP), and the destination IP address that triggered the signature. Therefore, the blocking...

Blocking Guidelines

The IP blocking functionality in Cisco IPS provides a powerful tool to protect your network. If IP blocking is used incorrectly, however, a knowledgeable attacker can use the error against your network in a DoS attack. The IP blocking feature generates ACLs that are based solely on IP addresses. The sensor has no mechanism to determine whether the address being blocked is a critical server on your network or the address of a legitimate attacker. Therefore, implementing IP blocking requires...

Blocking Hosts

When defining a manual block against a single host, you need to define the fields shown in Table 9-7.

Table 9-7. IDM Host Manual Block Fields
- The source address that will be blocked by the block request.
- Check box that enables blocking of connections (source IP combined with destination IP and possibly destination port) instead of just all traffic from the source host.
- The destination address of the traffic to be blocked (required when the Enable...

Blocking Networks

When defining a manual block against a network, you need to define the fields shown in Table 9-8.

Table 9-8. IDM Network Manual Block Fields
- The source IP address that will be blocked by the block request.
- The netmask that defines which bits in the IP address are part of the network address that will be blocked. A 1 in the mask indicates a valid part of the network address, and a 0 indicates bits that are not part of the network.
- If selected, causes...

Blocking Process

Blocking is initiated when a signature configured for IP blocking triggers an alarm or when a manual blocking event is generated. This causes the NAC to create the appropriate blocking ACLs (or sets of configurations) and to send this information to all of the managed devices that it controls. At the same time, an alarm is sent to the Event Store. When the block duration expires, the NAC updates the ACLs (or configurations) to remove the block from each controlled device. The NAC is the sensor...

Booting the Helper Image

To boot the helper image, enter boot helper at the ServicesEngine boot-loader> prompt, as shown in the following command line:

ServicesEngine boot-loader> boot helper

The boot loader brings up the external interface and locates the TFTP server host. When the TFTP load actually begins, a spinning character is displayed to indicate packets arriving from the TFTP server. When the load completes, a message indicates that the helper is valid, and the helper utility is launched, as shown in the...

Capturing Network Traffic

Your IPS sensors can process only traffic that they receive on one of their interfaces. Inline processing mode uses pairs of sensor interfaces, whereas promiscuous mode requires only a single sensor interface. This chapter focuses on the following methods of traffic capture:
- Capturing traffic for inline mode
- Capturing traffic for promiscuous mode

It also provides the following detailed sections to explain how the different traffic capture methods can be applied to the Catalyst 4500 and 6500...

Catalyst 6500 Requirements

Unlike the appliance sensor, the IDSM-2 is a switch card. Therefore, to deploy the IDSM-2 you must have a Catalyst 6500 family switch. Furthermore, to successfully use your IDSM-2 as another component in your overall Cisco IPS solution, your switch operating system must fulfill one of the following requirements:
- Catalyst OS 7.5(1) or later (on supervisor engine)
- Cisco IOS Release 12.1(19)E or later

If you have Catalyst OS 7.5(1) or later, you also need to have one of the following supervisor...

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What do you call a signature that does not fire after observing normal user traffic?
2. Which of the...

Cells

The Blank Left and Blank Right check boxes in the Cells section of the Preferences window enable you to specify whether certain cells will be blank or filled in (see Figure 10-22). When you choose the Blank Left check box, you can control whether values that are suggested by a cell above a row are filled in on following rows in the Event Viewer. For example, consider the following alarms triggered by the same source IP address of 172.30.4.150 WWW perl interpreter attack, WWW IIS view source...

Changing Display Preferences

This section describes the different preference settings that you can use to customize the Event Viewer. To access the Preferences window, choose Tools > Options. This will display the Preferences window. (See Figure 10-22.)

Figure 10-22. Event Viewer Preferences Window

The settings available in this window fall into six basic categories

Cisco Intrusion Prevention System IPS Overview

This chapter covers the following subjects:
- Cisco Intrusion Prevention Solution
- Intrusion Prevention Overview
- Cisco Intrusion Prevention System Hardware
- Inline Mode Versus Promiscuous Mode
- Cisco Sensor Communications Protocols
- Cisco Sensor Software Architecture

The latest technology to protect your network is known as an Intrusion Prevention System (IPS). Unlike a traditional Intrusion Detection System (IDS), intrusion prevention technology enables you to stop intrusion traffic before it enters...

Alarm Monitoring and Management

This chapter covers the following subjects:
- Installing Security Monitor
- Security Monitor Configuration
- Security Monitor Event Viewer
- Security Monitor Administration

When deploying a large number of Cisco IPS sensors, you need an efficient way to monitor the alerts from these devices. Security Monitor (a component of the CiscoWorks VPN/Security Management Solution (VMS) product) provides this functionality. Using Security Monitor, you can correlate and analyze events from multiple sensors deployed...

Cisco IDS

This chapter covers the following subjects:
- IDSM-2 Configuration
- IDSM-2 Ports
- Catalyst 6500 Switch Configuration
- IDSM-2 Administrative Tasks

One of the advantages of Cisco IPS is the multiple locations at which you can deploy sensors throughout your network. The Cisco IDS Module (IDSM) enables you to deploy your sensor directly into your Catalyst 6500 switch via a switch line card. Besides tuning Cisco IPS to match your unique network requirements, you must also thoroughly understand the...

Cisco IDS Network Module for Access Routers

This chapter covers the following subjects:
- NM-CIDS Hardware Architecture
- Traffic Capture for NM-CIDS
- NM-CIDS Installation and Configuration Tasks
- Recovering the NM-CIDS Software Image

Flexibility of deployment options is a strength of the Cisco IPS solution. Besides deploying appliance sensors, you can also deploy sensors in your Catalyst 6500 switches via the IDSM-2. A final deployment location is your access routers. Deploying IPS sensors in your access routers enables you to incorporate...

IPS Command Line Interface

This chapter covers the following subjects. Each Cisco IPS sensor provides a robust command-line interface (CLI) that enables you to configure the operational characteristics of your sensor. This CLI operates in a way similar to the IOS CLI. You must understand this interface to appropriately install a sensor as well as to debug sensor problems.

Do I Know This Already? Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you...

Cisco IPS Device Manager IDM

This chapter covers the following subjects:
- System Requirements for IDM
- Configuring Communication Parameters by Using IDM

The Cisco IPS Device Manager (IDM) is a tool that enables you to configure and manage a single Cisco network sensor. This Java-based web tool provides you with a graphical interface to manipulate the operation of your sensor. Each IPS appliance running on your network has its own web server that provides access to the IDM application on the sensor. Accurately configuring your...

Basic Sensor Configuration

This chapter covers the following subjects:
- Sensor Host Configuration Tasks
- Interface Configuration Tasks
- Analysis Engine Configuration Tasks

For all Cisco IPS deployments, you need to perform certain basic sensor configuration tasks (such as defining the hosts allowed to connect to the sensor and creating new user accounts). Understanding how to perform basic sensor configuration tasks is vital to any successful Cisco IPS deployment. You must correctly configure your sensors to protect your...

Basic Cisco IPS Signature Configuration

This chapter covers the following subjects:
- Configuring Cisco IPS Signatures
- Basic Signature Configuration

The heart of the Cisco IPS is the signatures that the sensor uses to identify intrusive traffic on your network. Viewing signatures by using signature groups enables you to efficiently configure the numerous Cisco IPS signatures to match your unique network configuration. Your Cisco IPS sensors check network traffic against signatures of known intrusive traffic. It is important to...

Cisco IPS Signature

This chapter covers the following subjects:
- Cisco IPS Signature Engines
- Application Inspection and Control (AIC) Signature Engines
- Normalizer Signature Engine
- Trojan Horse Signature Engines

The heart of the Cisco IPS solution is the various signature engines that enable signature designers and customers to easily and efficiently develop IPS signatures that cover a wide range of protocols and applications. Each signature engine supports various parameters that are used to create signatures. Cisco...

Advanced Signature

This chapter covers the following subjects:
- Advanced Signature Configuration
- Understanding HTTP and FTP Application Policy Enforcement
- Tuning an Existing Signature
- Creating a Custom Signature

Many Cisco IPS deployments can take advantage of default signature configurations. Sometimes, however, you may need to create a custom signature or tune an existing signature to meet the needs of your specific network environment. Cisco IPS provides the capability to tweak existing signatures and to easily...

Cisco IPS Response Configuration

This chapter covers the following subjects:
- Cisco IPS response overview

The heart of the Cisco IPS is the signatures that the sensor uses to identify intrusive traffic on your network. Each signature can be configured to perform numerous actions whenever the signature fires. Configuring signature responses is vital to efficiently using your Cisco IPS sensors to protect your network. Besides detecting specific traffic on your network, you can configure numerous actions that the sensor will...

Cisco 4215 Appliance Sensor

Its capabilities are as follows:
- Monitoring interface: 10/100BASE-TX
- Command and control interface: 10/100BASE-TX
- Optional interface: 4 x 10/100BASE-TX
- Performance upgrade: Not available

Most of the connections are located on the back of the IDS 4215, including the two Ethernet interfaces (see Figure 1-2). The command and control interface is on the right, whereas the monitoring interface is on the left. The monitoring interface is FastEthernet0/0.

Cisco 4235 Appliance Sensor

The following are the technical specifications for the Cisco IDS 4235 sensor:
- Monitoring interface: 10/100/1000BASE-TX
- Command and control interface: 10/100/1000BASE-TX
- Optional interface: 4 x 10/100BASE-TX
- Performance upgrade: Not available

The connections are on the back of the IDS 4235 (see Figure 1-3). The command and control interface is on the left (labeled 2), whereas the monitoring interface is on the right (labeled 1). The monitoring interface is FastEthernet0/0. ...

Cisco 4240 Diskless Appliance Sensor

The following are the technical specifications for the Cisco IDS 4240 sensor:
- Monitoring interface: 4 x 10/100/1000BASE-TX
- Command and control interface: 10/100/1000BASE-TX
- Optional interface: 4 x 10/100BASE-TX
- Performance upgrade: Not available

The connections are on the back of the IDS 4240 (see Figure 1-4). The command and control interface is on the left above the USB ports. The four monitoring interfaces are near the middle on the bottom (when interface 0 is on the right). The monitoring...

Cisco 4250 Appliance Sensor

The following are the technical specifications for the Cisco IDS 4250 sensor:
- Monitoring interface: 10/100/1000BASE-TX
- Command and control interface: 10/100/1000BASE-TX
- Optional interface: 1000BASE-SX (fiber) or 4 x 10/100BASE-TX

The connections on the back of the IDS 4250 are identical to those on the IDS 4235 (see Figure 1-3). The command and control interface is on the left (labeled 2), whereas the monitoring interface is on the right (labeled 1). The monitoring interface is GigabitEthernet0/0....

Cisco 4250XL Appliance Sensor

The following are the technical specifications for the Cisco IDS 4250XL sensor:
- Monitoring interface: Dual 1000BASE-SX interface with MTRJ
- Command and control interface: 10/100/1000BASE-TX
- Optional interface: 1000BASE-SX (fiber)
- Performance upgrade: Not available

The connections located on the back of the IDS 4250XL are identical to those on the IDS 4235 and IDS 4250, with the exception of the IDS Accelerator (XL) Card (see Figure 1-5). The command and control interface (labeled 2) is the leftmost...

Cisco 4255 Diskless Appliance Sensor

The following are the technical specifications for the Cisco IDS 4255 sensor:
- Monitoring interface: 4 x 10/100/1000BASE-TX
- Command and control interface: 10/100/1000BASE-TX
- Optional interface: 1000BASE-SX (fiber) or 4 x 10/100BASE-TX

The connections on the back of the IDS 4255 are identical to those on the IDS 4240 (see Figure 1-4). The command and control interface is on the left, above the USB ports. The four monitoring interfaces are near the middle on the bottom (when interface 0 is on the...

Cisco Hybrid IPS/IDS Solution

IDSs passively monitor network traffic for intrusive activity. When intrusive activity is detected, the sensor can reset TCP connections and block future traffic from the attacking system. The initial attack packet, however, will still reach the target system. In Cisco IPS version 5.0, this mode of operation is known as promiscuous mode. It requires only a single sensor interface to monitor each network location. With intrusion prevention, your sensor functions as a layer 2 forwarding device on...

Cisco IDS 4200 Series Network Sensors

You must understand the features, connections, and interfaces on the different appliance models when installing these devices on your network. Knowing the bandwidth limitations will help you determine which appliance model matches your network environment. The following models will be examined in detail

Cisco IDSM-2 for Catalyst 6500

The following are the technical specifications for the Cisco IDSM-2 (IDS Module 2) for Catalyst 6500:
- Built-in interfaces: 2 x 10/100/1000BASE-TX
- Command and control interface: 10 10 10 100BASE-TX
- Performance upgrade: Not available

The performance of the Cisco IDSM-2 is based on the following factors:
- 4000 new TCP connections per second
- Average packet size of 450 bytes
- Presence of Cisco IDS software version 4.1 or greater

Cisco Intrusion Prevention Solution

Proactively protecting your network resources is the latest trend in security. Most Intrusion Detection Systems (IDS) passively monitor your network for signs of intrusive activity. When intrusive activity is detected, the IDS provides the capability to block further intrusive activity from the suspect host. This reactive approach does not prevent the initial attack traffic from reaching the targeted device. An Intrusion Prevention System (IPS), however, can proactively stop even the initial...

Cisco IPS Course

The Cisco IPS official training course provides an explanation of the Cisco intrusion prevention solution through classroom instruction and lab exercises. Since it is based on the Cisco IPS course, this book provides a detailed reference to help you prepare for the exam. You can learn more about the course at

Cisco IPS Device Manager

The Cisco IDM is a Java-based web interface that enables you to configure and manipulate the operation of your Cisco network sensors. Each IPS appliance running on your network has its own web server that provides access to the IDM application on the sensor. The web server uses Transport Layer Security (TLS) to encrypt the traffic to and from the sensor to prevent an attacker from viewing sensitive management traffic. The web server is also hardened to minimize an attacker's ability to disrupt...

Cisco IPS Signature Engines

Cisco IPS monitors network traffic with a suite of signature engines. By spreading signature processing across distinct categories where all of the signatures for a category share similar characteristics, you can analyze network traffic more efficiently and add your own custom signatures more easily. The signature engines fall into the categories shown in Table 6-2. Table 6-2. Signature Engine Categories: Application Inspection and Control (AIC): Used to...

Cisco IPS Signatures

To identify malicious activity, Cisco IPS monitors network traffic and generates alerts when traffic matching specific signatures is detected. A signature is basically a description of network traffic that attackers use while conducting network-based attacks. To support a wide range of signatures and enable users to develop their own custom signatures, Cisco IPS uses a set of signature engines that each examine network traffic for intrusive activity with similar characteristics. An example of...

Cisco Login States

When using the Cisco Login state machine, you can configure your signature to look for one of the following states. Table 6-37 shows the transitions defined for the Cisco Login state machine. These states relate to interactive logins to Cisco devices. You can use these defined transitions (in conjunction with the State Name parameter) to create signatures that check for specific patterns at different states in the Cisco login process. Table 6-37. Cisco Login State Machine Transitions...

Cisco PIX Firewalls

In addition to Cisco routers and Catalyst 6000 switches, you can also use Cisco PIX Firewalls (and ASAs) to serve as managed devices. Instead of updating an ACL on the router, however, the sensor uses the PIX Firewall's shun command to block the traffic from the attacking system. Since the shun command was introduced in version 6.0 of the PIX operating system, any of the following PIX models running version 6.0 or higher can serve as a managed device. Just as with the Cisco routers that serve as...

Cisco Sensor Communications Protocols

Communication between your Cisco IPS sensors and other network devices involves the following protocols. SSH provides a protocol for secure access to remote devices by encrypting the communication session (refer to for more information). SSH is the secure replacement for Telnet, since Telnet transmits its session information in an unencrypted form.

Cisco Sensor Deployment

Cisco IPS supports various sensor platforms. Each platform has varying capabilities and is designed to operate in a specific network environment. You need to consider the following factors when deciding where to place sensors on your network. Figure 1-6 shows a sample network with IPS sensors monitoring key functional boundaries (Internet boundaries, extranet boundaries, remote access boundaries, and so on) in the network.

CLI Command Modes

The CLI on your IPS appliance is organized into various modes. Each of these modes gives you access to a subset of the commands that are available on your IPS appliance. Numerous CLI modes are available on the IPS appliance, such as service signature-definition. Each of these is described in the following sections.

Client Requirements

Your users access Security Monitor via a browser on their system. These user systems should meet certain minimum requirements to ensure successful system operation. Your client systems should meet the following requirements: 300 MHz (or faster) processor; 400 MB virtual memory (free space on hard drive for Windows). In addition to meeting these requirements, your clients need to be running one of the following operating systems: Windows 2000 Professional with Service Pack 3; Windows 2000 Server with...

Cloning an Existing Signature

Sometimes you need to create a new signature that closely matches an existing signature. Instead of using the Add button on the Signature Configuration screen, you can use the Clone button. When you use Clone instead of Add, most of the signature fields are already populated with the values of the signature being cloned (the highlighted signature). Other field values are changed. For example, a new Signature ID is assigned, and the Signature Name field is assigned the original signature's name...

Collapsing Rows

To reduce the number of lines displayed on the Event Viewer grid, multiple alarms are collapsed into a single row based on a specific number of fields (known as the expansion boundary). By default, the expansion boundary is only the first field. All alarm entries with the same value for the first field are consolidated into a single row on the Event Viewer display. To examine specific alarms, you may expand the display so that only a few alarms are consolidated on each row in the Event Viewer...

Command and Control Port

Your management application needs to be able to communicate with the IDSM-2 to change its configuration and operating characteristics. Your monitoring application needs to access the IDSM-2 to retrieve alerts. Both of these operations are conducted through the command and control interface. Port 2 on the IDSM-2 is the command and control interface. You will configure an actual IP address for this port (and assign the appropriate VLAN on your switch) to make your IDSM-2 accessible from the...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Boldface indicates commands and keywords that are entered literally as shown. Italics indicate arguments for which you supply actual values. Vertical bars (|) separate alternative, mutually exclusive elements. Square brackets indicate optional elements. Braces indicate a required choice. Braces within brackets...

Configuration

Configuring the operational characteristics of the sensor is the main functionality provided by IDM. By clicking on the Configuration icon (located on the top menu bar), you can display a list of configurable items down the left side of the screen (see Figure 3-1). These items are divided into the following operational categories. These operational categories are explained in the...

Configuration Tabs

The configuration tasks are divided into the following five major categories. Devices: enables you to perform initial setup of devices to be monitored by Security Monitor. Configuration: enables you to configure event rules for Security Monitor. Monitor: enables you to monitor information about your devices and launch the Event Viewer. Reports: enables you to generate reports, view scheduled reports, and view reports. Admin: enables you to administer system and database settings. To access one of the...

Configuration Tasks

The CLI provides you with a textual interface that enables you to configure essentially every facet of the sensor's configuration, such as the following: configure virtual sensor system variables. Configuring these tasks through the CLI, however, is not a simple task. Most people prefer to use a graphical interface, such as Cisco IPS Device Manager, to configure these parameters. Numerous chapters in this book explain how to configure these characteristics of your sensor by using the Cisco IPS...

Configure an ACL

With IOS, you specify the interesting traffic that you want to monitor using an ACL. Therefore, the first step in setting up a VACL is to create your ACL. Suppose, for example, that you are using the IDSM-2 to protect a web server farm and that the subnet for the web servers is 172.12.31.0. You may create an ACL similar to the following to allow any hosts to connect to port 80 on any system on the server farm subnet:

Router(config)# access-list 110 permit tcp any 172.12.31.0 0.0.0.255 eq 80

Configure Capture Ports

Finally, you need to configure which port on your router will receive the captured traffic. You accomplish this with the switchport capture command. For our example, the commands would be as follows:

Router(config-if)# switchport capture allowed vlan 10-12,15

The allowed keyword enables you to limit the traffic sent to the capture port. Any VLANs that are not included in the allowed list will not be sent to the capture port. Using this option enables you to separate captured traffic between...

Configure the Extended ACL

Just as in regular VACL configuration, your first step in creating an IOS Firewall VACL is to define the interesting traffic. In this situation, the interesting traffic is determined by an extended ACL that you create on your MSFC. The command to create the extended ACL is ip access-list, and its syntax is as follows:

ip access-list extended access-list-number {deny | permit} protocol source_IP source_wildcard destination_IP destination_wildcard [log | log-input]

Table 15-3 describes the major parameters...

Configuring a Master Blocking Sensor in IDM

When defining a Master Blocking Sensor in IDM, you need to specify the parameters listed in Table 9-6. Table 9-6. IDM Master Blocking Sensor Fields: Specifies the IP address of the sensor that will apply the blocking requests to the managed device; indicates the port that the sensor will connect to when communicating with the Master Blocking Sensor; username of the account that the sensor will use when connecting to the Master Blocking Sensor; password...

Configuring Allowed Hosts

During the initial sensor configuration using the setup CLI command, you define the basic sensor network parameters (such as IP address and default gateway) as well as change the list of hosts allowed to access the sensor. Only hosts that have been allowed via access list entries are allowed to manage your sensors. To configure the systems (via the IDM interface) that are allowed to access the sensor's command and control interface, perform the following steps: Access IDM by entering the...

Configuring Cisco IPS Signatures

Monitoring network traffic, identifying intrusive activity, and responding to network attacks is the core functionality provided by Cisco IPS. Cisco IPS provides numerous signatures that enable your sensors to determine which traffic on your network represents potential attacks or violates your security policy. To efficiently protect your network from attack, you should understand the numerous signatures that are provided and the actions they perform when intrusive activity is detected. This...

Configuring Inline Interface Pairs

When operating in inline mode, your sensor bridges the traffic between two distinct virtual LANs (VLANs) or network interfaces. Performing this bridging requires the use of two interfaces on the sensor. These two interfaces are known as an inline interface pair. To configure inline interface pairs, perform the following steps:

Step 1. Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
Step 2. Click on the Configuration icon to display the list of configuration...

Configuring IP Log Settings

IP logging enables you to capture the actual packets that an attacking host sends to your network. You can then analyze these packets by using a packet analysis tool, such as Ethereal or tcpdump, to determine exactly what an attacker is doing. You can capture traffic by using IP logging in response to both a signature configured with the IP logging action and manually initiated IP logging requests. When logging an attacker's activity, you have the following three options. All of these...

Configuring NM-CIDS Clock Mode

To configure NTP mode, first specify the NTP server's IP address by using the ntp server command. The syntax for the ntp server command is as follows:

ntp server ip-address [version version-number] [key keyid] [source-interface pi

Table 14-2 explains the parameters for the ntp server command. ip-address: IP address of the time server providing the clock synchronization. version-number (Optional): Defines the NTP version number. Valid values are 1 through 3. key keyid (Optional): Keyword that indicates that the next value...

Configuring Reassembly Options

To configure reassembly options using IDM, you need to perform the following steps:

Step 1. Access IDM by entering the following URL in your web browser: https://sensor_ip_address.
Step 2. Click on the Configuration icon to display the list of configuration tasks.
Step 3. If the items under the Signature Definition category are not displayed, click on the plus sign to the left of Signature Definition.
Step 4. Click on Miscellaneous to access the Miscellaneous configuration screen.
Step 5. Configure...

Configuring SSH Hosts

When you use your sensors to perform blocking, they log in to your network infrastructure devices by using SSH. Before you can establish an SSH session from your sensor to another device, you must add the device's public key to the sensor's list of known SSH hosts. Presently, the IPS sensor's CLI is limited to defining SSH version 1 public keys (meaning that the target system the sensor is connecting to must be running SSH version 1). When connecting to the sensor using SSH, however, your...

Configuring the Boot Loader

To configure the boot loader, you must first download the helper file from Cisco.com to a TFTP server on your network and copy the helper image to the tftpboot directory on your TFTP server. Then access the boot loader prompt. The following steps show how to access the boot loader prompt for an NM-CIDS in slot 1:

Step 1. Establish a session into the NM-CIDS (service-module ids-sensor 1/0 session).
Step 2. Suspend the session by pressing Ctrl-Shift-6 and then x. You should see the router...

Configuring the Interface

The session command used to access the NM-CIDS console starts a reverse Telnet connection using the IP address of the ids-sensor interface. The ids-sensor interface is between the NM-CIDS and the router. You must assign an IP address to the ids-sensor interface before invoking the session command. However, assigning a routable IP address can make the ids-sensor interface itself vulnerable to attacks. To counter that vulnerability, you can assign a loopback IP address to the ids-sensor...

Configuring the Internal ids-sensor Interface

The router-side internal Fast Ethernet interface is known as interface ids-sensor. It can be seen in the Cisco IOS show interface and show controller command output. An IP address must be assigned to this interface in order to obtain console access to the NM-CIDS. However, if this IP address is advertised via routing updates, the monitoring interface itself can become vulnerable to attacks. Therefore, it is highly recommended that you assign a loopback address to this interface (since the...

Configuring the IPS Application

The same software revision upgrades, service packs, and signature updates that you use for any Cisco IPS sensor also apply to the NM-CIDS. After installing the application image, you need to use the upgrade CLI command to restore the NM-CIDS software to the correct service pack level and signature release. The upgrade process is the same as for other Cisco IPS sensors.

Configuring the NTP Server Settings

Instead of manually configuring the time on your sensor, you can synchronize the time on your network devices by using an NTP server. To configure your sensor to retrieve its time from an NTP server, perform the following steps:

Step 1. Click on Sensor Setup > Time from the IDM configuration options to access the Time configuration screen.
Step 2. Enter the IP address of the NTP server in the IP Address field.
Step 3. Enter the key to be used to access the NTP server in the Key field.
Step 4....

Configuring the Sensor's Time Parameters

Maintaining the correct time on your sensors is important to help correlate events across multiple devices on your network. You can configure your sensor's time manually, or you can use a Network Time Protocol (NTP) server. When configuring time settings on your sensor, you can make the following major changes: configure the NTP server settings; configure the summertime settings. All of the time settings are configured via the Time sensor configuration screen (see Figure 4-6).

Configuring the Switch Traffic Capture Settings

Besides establishing management access, you need to configure the capture ports on your IDSM-2 so that your switch sensor can analyze your network traffic. Capturing important network traffic (while not exceeding the IDSM-2's 600-Mbps capacity) is the key to successfully deploying the IDSM-2 on your network. To perform its operation, the IDSM-2 uses four internal ports that fall into the following three functional categories

Configuring the Time Zone

Using time zones enables you to have the correct local time on your sensors yet easily correlate events from sensors across multiple geographic regions. To adjust a sensor's time based on the local time zone, you need to change the time zone of the sensor. Changing the time zone on the sensor involves the following steps:

Step 1. Click on Sensor Setup > Time from the IDM configuration options to access the Time configuration screen.
Step 2. Select the appropriate time zone from the pull-down...

Configuring VACLs for Catalyst 6500 Traffic Capture

When configuring a VACL on Cisco IOS, you need to go through the following steps:

Step 1. Configure an Access Control List (ACL).
Step 2. Match the ACL to the access map.
Step 4. Define an action for the access map.
Step 5. Apply the access map to the VLANs.
Step 6. You also need to configure the TCP reset port to complete the configuration. This is not part of configuring your VACL, but it is necessary to ensure that the TCP reset traffic can reach the hosts for which it is intended.

Content Types Parameters

When defining AIC HTTP signatures by using the Content Types signature type, you specify the content types that the signature will search for in the HTTP messages. The parameters for this AIC HTTP signature type are shown in Table 6-6: type of content type processing the signature will use; identifies the extra information to be specified for the content type; indicates whether the signature verifies the content type; identifies whether the signature verifies that the content type specified...

Copyright

Published by Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America. 1234567890. First Printing...