Intrusion Detection System

Intrusion detection systems (IDS) are designed to detect and thwart network attacks. Based on their location, they can be either of the following:

• Network IDS—Examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature.

• Host IDS—Examines operating system information, such as logs or running system processes, against a baseline. When the system deviates from the normal values because of an attack, alarms are generated.
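The host IDS model just described (compare the current state of the system with a known-good baseline and alarm on every deviation) can be demonstrated in a few lines. The following Python is an added example, not code from the book or from any Cisco product; the baseline file contents, file paths and process names are constructed for the example, and the check runs entirely against those in-memory values.

```python
import hashlib
from dataclasses import dataclass

# Constructed known-good baseline: file contents and the set of processes
# that are expected to be running on this host.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/bin/login": b"ELF-login-binary-v1",
}
BASELINE_PROCESSES = {"sshd", "cron", "syslogd"}


def fingerprint(files):
    """Return {path: sha256-hex} for a mapping of path -> file bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


@dataclass(frozen=True)
class Alarm:
    category: str   # what kind of deviation was seen
    subject: str    # the file path or process name involved
    detail: str


def host_ids_check(baseline_hashes, baseline_procs, current_files, current_procs):
    """Compare the current snapshot with the baseline; one Alarm per deviation."""
    alarms = []
    current_hashes = fingerprint(current_files)

    # Files: anything missing, changed, or unexpected is a deviation.
    for path, expected in baseline_hashes.items():
        if path not in current_hashes:
            alarms.append(Alarm("file-missing", path, "baseline file is absent"))
        elif current_hashes[path] != expected:
            alarms.append(Alarm("file-modified", path, "hash differs from baseline"))
    for path in current_hashes:
        if path not in baseline_hashes:
            alarms.append(Alarm("file-new", path, "file not present in baseline"))

    # Processes: a new process is as interesting as a missing one
    # (a stopped logger can mean someone is covering their tracks).
    for proc in sorted(current_procs - baseline_procs):
        alarms.append(Alarm("process-new", proc, "process not in baseline"))
    for proc in sorted(baseline_procs - current_procs):
        alarms.append(Alarm("process-missing", proc, "baseline process not running"))
    return alarms


def host_demo():
    """Run the check on a constructed snapshot that deviates in four ways."""
    current_files = {
        "/etc/passwd": BASELINE_FILES["/etc/passwd"],      # unchanged
        "/bin/login": b"ELF-login-binary-v1-modified",      # binary replaced
        "/tmp/.hidden": b"unexpected file",                 # new file
    }
    current_procs = {"sshd", "cron", "nc"}                 # syslogd gone, nc appeared
    return host_ids_check(fingerprint(BASELINE_FILES), BASELINE_PROCESSES,
                          current_files, current_procs)


if __name__ == "__main__":
    for alarm in host_demo():
        print(f"{alarm.category:17} {alarm.subject:14} {alarm.detail}")
```

The baseline is taken once, while the host is trusted, and stored away from the host it describes; the check then only ever compares hashes and names, so the sensor never needs to understand what a "correct" login binary looks like, only that it is no longer the one that was there.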

Chapter 6 defines some of the intrusion detection mechanisms you can use in an IP network, namely NetRanger.

Cisco IDS delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, and bandwidth and e-Business application attacks.

Recently, Cisco announced a number of new products to support IDS:

• Cisco IDS Host Sensor 2.5—Bolsters enterprise security by delivering unparalleled levels of protection and customization to customers

• Cisco IDS 4250 Appliance Sensor—Raises the performance bar for high-throughput gigabit protection in a performance-upgradable IDS chassis

• Cisco IDS 4235 Appliance Sensor—Provides enterprise-class intrusion protection at new price/performance levels

• Cisco IDS 3.1 Sensor Software—Delivers powerful web-based, embedded device management, graphical security analysis, and data mining capabilities

NOTE In addition to the Cisco IDS 4200 series of IDS appliances, Cisco also has the following IDS sensors:

• IOS with IDS feature set for routers

• Catalyst 6500 IDS module for switch-based sensor

• PIX Firewall with version 6.x with built-in IDS sensor

• Cisco IDS Host sensor for Windows, Solaris OS, and web servers, such as IIS and Apache

You are not expected to know these details for the written exam; they are presented here for completeness only.

Each Cisco IDS sensor can be configured to support a number of different signatures. A Signature Engine is a component of the Cisco IDS sensor designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or sets of values. Exploit signatures are identifiable patterns of attack detected by your network device, such as a Cisco IDS Host sensor.

Table 8-1 displays the signature lists and descriptions available with Cisco IDS version 3.1.

IDS can be used, for example, to detect spam e-mail and still allow regular e-mail. Most ISPs do not detect or remove spam e-mail, so it is up to the security administrator to ensure that spam e-mail is not permitted or used as a DoS attack.

Table 8-1 Cisco IDS Signature Engines*

Signature Engine    Description
ATOMIC.ICMP         Simple ICMP alarms based on the following parameters: type, code, sequence, and ID
ATOMIC.IPOPTIONS    Simple alarms based on the decoding of Layer 3 options
ATOMIC.L3.IP        Simple Layer 3 IP alarms
ATOMIC.TCP          Simple TCP packet alarms based on the following parameters: port, destination, and flags
ATOMIC.UDP          Simple UDP packet alarms based on the following parameters: port, direction, and data length
FLOOD.HOST.ICMP     ICMP floods directed at a single host
FLOOD.HOST.UDP      UDP floods directed at a single host
FLOOD.NET           Multiprotocol floods directed at a network segment
FLOOD.TCPSYN        Connections to multiple ports using TCP SYN
SERVICE.DNS.TCP     Domain Name Service (DNS) packet analyzer on TCP port 53 (includes compression handler)
SERVICE.DNS.UDP     UDP-based DNS signatures
SERVICE.PORTMAP     Remote Procedure Call (RPC) program number sent to port mapper
SERVICE.RPC         Simple RPC alarms based on the following parameters: program, procedure, and length
STATE.HTTP          Stateful HTTP protocol decode-based string search (includes anti-evasive URL deobfuscation)
STRING.HTTP         Specialized STRING.TCP alarms for Web traffic (includes anti-evasive URL deobfuscation)
STRING.ICMP         Generic ICMP-based string search engine
STRING.TCP          Generic TCP-based string search engine
STRING.UDP          Generic UDP-based string search engine
SWEEP.HOST.ICMP     A single host sweeping a range of nodes using ICMP
SWEEP.HOST.TCP      A single host sweeping a range of nodes using TCP
SWEEP.PORT.TCP      TCP connections to multiple destination ports between two nodes
SWEEP.PORT.UDP      UDP connections to multiple destination ports between two nodes
SWEEP.RPC           Connections to multiple ports with RPC requests between two nodes

The information in Table 8-1 is from Table 1 at the Cisco web page, www.cisco.com/en/US/partner/products/sw/ secursw/ps2113/prod_technical_reference09186a00800d9dd5.html#56785.
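The engine description above (a parser plus an inspector, with legal parameter ranges) and the split in Table 8-1 between single-packet ATOMIC.* engines and counting FLOOD.*/SWEEP.* engines can be shown together in a toy sensor. The Python below is an added example written for this page; it is not Cisco IDS code and does not reproduce Cisco's engines, parameter names or signature numbers. The Packet record, the engine classes, the parameter names (icmp_type, icmp_code, unique_ports), the signature IDs (SIG-EXAMPLE-...) and the sample traffic are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    # Already-decoded header fields; constructed records stand in for sniffed traffic.
    proto: str
    src: str
    dst: str
    icmp_type: int = -1
    icmp_code: int = -1
    dport: int = 0
    flags: str = ""


class Engine:
    """Parser + inspector. LEGAL maps each tunable parameter to its allowable
    range, and the constructor refuses a signature whose parameters fall outside it."""
    LEGAL = {}

    def __init__(self, sig_id, **params):
        for name, value in params.items():
            if name not in self.LEGAL:
                raise ValueError(f"{name}: not a parameter of {type(self).__name__}")
            lo, hi = self.LEGAL[name]
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value}: outside legal range {lo}..{hi}")
        self.sig_id, self.params = sig_id, params

    def feed(self, pkt):
        fields = self.parse(pkt)          # parser: pull out the fields this engine understands
        return None if fields is None else self.inspect(fields)   # inspector: match them


class AtomicICMP(Engine):
    """Stateless, ATOMIC.ICMP style: a single packet is enough to alarm."""
    LEGAL = {"icmp_type": (0, 255), "icmp_code": (0, 255)}

    def parse(self, pkt):
        if pkt.proto != "icmp":
            return None
        return {"src": pkt.src, "dst": pkt.dst, "icmp_type": pkt.icmp_type, "icmp_code": pkt.icmp_code}

    def inspect(self, f):
        if all(f[name] == value for name, value in self.params.items()):
            return (self.sig_id, f["src"], f["dst"], f"icmp type {f['icmp_type']}")
        return None


class SweepPortTCP(Engine):
    """Stateful, SWEEP.PORT.TCP style: count distinct destination ports per
    (src, dst) pair and alarm once, when the count reaches unique_ports."""
    LEGAL = {"unique_ports": (2, 65535)}

    def __init__(self, sig_id, **params):
        super().__init__(sig_id, **params)
        self.ports = defaultdict(set)   # (src, dst) -> destination ports seen with SYN
        self.fired = set()              # pairs that have already alarmed

    def parse(self, pkt):
        if pkt.proto != "tcp" or "S" not in pkt.flags:
            return None
        return {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}

    def inspect(self, f):
        key = (f["src"], f["dst"])
        self.ports[key].add(f["dport"])
        if len(self.ports[key]) >= self.params["unique_ports"] and key not in self.fired:
            self.fired.add(key)
            return (self.sig_id, f["src"], f["dst"], f"{len(self.ports[key])} distinct ports")
        return None


def run_sensor(engines, packets):
    """Feed every packet to every engine; return the alarms raised, in order."""
    return [a for pkt in packets for a in (eng.feed(pkt) for eng in engines) if a]


def rejects_illegal_parameter():
    """True if the engine refuses an ICMP type outside its legal range 0..255."""
    try:
        AtomicICMP("SIG-BAD", icmp_type=300)
    except ValueError:
        return True
    return False


# Constructed traffic: routine activity from .5, then an ICMP timestamp
# request (type 13) and a four-port SYN sweep from .9, all aimed at .1.
SAMPLE_PACKETS = [
    Packet("icmp", "10.0.0.5", "10.0.0.1", icmp_type=8, icmp_code=0),
    Packet("tcp", "10.0.0.5", "10.0.0.1", dport=80, flags="S"),
    Packet("icmp", "10.0.0.9", "10.0.0.1", icmp_type=13, icmp_code=0),
    Packet("tcp", "10.0.0.5", "10.0.0.1", dport=80, flags="S"),
    Packet("tcp", "10.0.0.9", "10.0.0.1", dport=22, flags="S"),
    Packet("tcp", "10.0.0.9", "10.0.0.1", dport=80, flags="S"),
    Packet("tcp", "10.0.0.9", "10.0.0.1", dport=443, flags="S"),
    Packet("tcp", "10.0.0.9", "10.0.0.1", dport=8080, flags="S"),
]


def sensor_demo():
    engines = [AtomicICMP("SIG-EXAMPLE-ICMP-TS", icmp_type=13, icmp_code=0),
               SweepPortTCP("SIG-EXAMPLE-PORT-SWEEP", unique_ports=4)]
    return run_sensor(engines, SAMPLE_PACKETS)


if __name__ == "__main__":
    for alarm in sensor_demo():
        print(*alarm)
```

Two points carry over to a real sensor. The atomic engine needs no memory, so it can never be exhausted by traffic volume, while the sweep engine must keep per-pair state and would need ageing and a cap in production. And the legal-range check at construction time is what stops an operator from loading a signature the engine cannot evaluate, which is why the engines in Table 8-1 each publish the parameters and ranges they accept.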
