NetRanger Cisco Secure Intrusion Detection System

NetRanger is an enterprise intrusion detection system designed to detect, report, and, in the event of unauthorized access, terminate data sessions between users and host devices.

NetRanger is an application designed to detect unauthorized access. Users are not aware that NetRanger is watching data across the network; it is transparent to all systems.

NetRanger has two components:

• NetRanger Sensor—High-speed device that analyzes the contents of data being transported across a network and determines whether that traffic is authorized or unauthorized. Unauthorized traffic includes ping requests from intruders. Alarms about traffic detected from unauthorized sources are sent directly to the NetRanger Director, and the intruder can be removed from the network (an optional setting to remove the host).

• NetRanger Director—Provides real-time response to intruders in the network by blocking access to the network and terminating any active data sessions. The Director collects the real-time information from the Sensor.

Figure 6-4 displays the typical network placement of NetRanger products.

NetRanger Sensors can be located anywhere in the network. They are typically located close to hosts or entry points to a network, such as dial-in users or Internet connections. Alarms are logged on the Sensor and Director. The alarms are displayed or viewed on the Director. Optional configuration settings include killing an active TCP session or reconfiguring access lists (termed shunning).

The Sensor can detect the intruder's IP address and destination ports, and buffer up to 256 characters entered by the illegal devices. NetRanger supports Ethernet (10/100), Token Ring, and FDDI LAN interfaces. NetRanger Sensors can modify predefined access lists on Cisco IOS routers and change the definitions of permitted networks in response to an attack. NetRanger Sensors cannot modify the IP routing table, nor can they reload or shut down interfaces. When illegal activity is discovered, an alarm is sent directly to the configured Directors, including multiple Directors. The software used on the Sensors can be loaded from a central Director, allowing easier software upgrades. The GUI on the Director also allows network monitoring from one central location, ensuring that one central group within an organization can be directly responsible for monitoring and acting on alarms. GUI displays and colored alarms indicate possible vulnerabilities.

Figure 6-4 Typical NetRanger Design

The following platforms support NetRanger Sensor applications:

• IBM PC Pentium II or higher with the following specifications:

— Windows-based software

• Ultra Sparc Based UNIX station with the following specifications:

— 167 MHz Clone or higher

— Ethernet or FDDI

— Solaris version 2.6 or higher software; and HP OpenView installed prior to loading NetRanger software

NetRanger Director can send out an alarm when certain configuration changes are made on Cisco routers, can send e-mail messages when particular alarm levels are reached, and can ensure a TCP attack is thwarted by sending TCP reset segments to unauthorized sources. When a NetRanger Sensor communicates with the Director, if the network is down, up to 255 alternate route paths can be attempted. Packets can be buffered and sent when the network is restored and communications occur (there are no keepalive communications; rather, one device sends and the other waits and listens) to ensure that alarms are sent.
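The Sensor-to-Director flow described above (alarm fan-out to several Directors, alternate paths when the primary path is down, buffering until the network is restored, and shunning by rewriting an access list) can be modelled in a few dozen lines. The following Python is an added example written for this text; it is not Cisco's NetRanger code. Director names, link states, the ACL number 101, the alarm fields and the shun threshold are all constructed for the illustration.

```python
"""Toy model of the NetRanger Sensor/Director alarm flow (added example, not
Cisco code). A Sensor forwards each alarm to every configured Director, trying
alternate paths when one is down (the text quotes up to 255); if no path works
the alarm is buffered and resent by flush() once the network is restored. The
Director reacts to a high-level alarm by shunning: it changes the permitted
networks in an access list and nothing else (no routes, no interface state).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MAX_ALTERNATE_PATHS = 255  # figure quoted in the text


@dataclass(frozen=True)
class Alarm:
    src_ip: str
    dst_ip: str
    dst_port: int       # 0 for ICMP
    signature: str      # constructed signature name
    level: int          # severity; higher is worse


@dataclass
class Director:
    name: str
    shun_threshold: int = 4                              # constructed policy
    received: List[Alarm] = field(default_factory=list)
    shunned: Dict[str, str] = field(default_factory=dict)  # src_ip -> ACL line

    def receive(self, alarm: Alarm) -> None:
        self.received.append(alarm)
        if alarm.level >= self.shun_threshold:
            self.shun(alarm.src_ip)

    def shun(self, src_ip: str) -> str:
        # Shunning only rewrites the ACL's definition of permitted sources;
        # the routing table and interfaces are never touched (ACL 101 is a
        # constructed number for this example).
        line = f"access-list 101 deny ip host {src_ip} any"
        self.shunned[src_ip] = line
        return line


class Link:
    """One delivery path to a Director; `up` models whether it is reachable."""
    def __init__(self, up: bool) -> None:
        self.up = up

    def __call__(self, director: Director, alarm: Alarm) -> bool:
        if not self.up:
            return False
        director.receive(alarm)
        return True


@dataclass
class Sensor:
    directors: List[Director]
    # paths[director.name] lists the routes to try, in order
    paths: Dict[str, List[Callable[[Director, Alarm], bool]]]
    buffered: List[Tuple[str, Alarm]] = field(default_factory=list)

    def deliver(self, director: Director, alarm: Alarm) -> bool:
        for path in self.paths[director.name][:MAX_ALTERNATE_PATHS]:
            if path(director, alarm):
                return True
        return False

    def send(self, alarm: Alarm) -> int:
        """Forward to every Director; returns how many were reached now."""
        reached = 0
        for director in self.directors:
            if self.deliver(director, alarm):
                reached += 1
            else:
                self.buffered.append((director.name, alarm))  # keep for later
        return reached

    def flush(self) -> int:
        """Resend buffered alarms (network restored); returns how many went out."""
        still_waiting, sent = [], 0
        for name, alarm in self.buffered:
            director = next(d for d in self.directors if d.name == name)
            if self.deliver(director, alarm):
                sent += 1
            else:
                still_waiting.append((name, alarm))
        self.buffered = still_waiting
        return sent


def demo() -> dict:
    """Constructed scenario: primary path to dir-primary is down but an
    alternate path is up; the only path to dir-backup is down until flush()."""
    primary, backup = Director("dir-primary"), Director("dir-backup")
    main_link, alt_link, backup_link = Link(up=False), Link(up=True), Link(up=False)
    sensor = Sensor(directors=[primary, backup],
                    paths={"dir-primary": [main_link, alt_link],
                           "dir-backup": [backup_link]})
    alarm = Alarm("198.51.100.7", "192.0.2.1", 0, "fragmented-icmp", level=5)
    reached_first = sensor.send(alarm)
    buffered_after_send = len(sensor.buffered)
    backup_link.up = True          # network to the backup Director restored
    flushed = sensor.flush()
    return {"reached_first": reached_first,
            "buffered_after_send": buffered_after_send,
            "flushed": flushed,
            "buffered_after_flush": len(sensor.buffered),
            "primary_acl": primary.shunned.get("198.51.100.7"),
            "backup_acl": backup.shunned.get("198.51.100.7")}


if __name__ == "__main__":
    print(demo())
```

The model keeps the text's two constraints explicit: the Director's shun action produces only an access-list change, and an alarm that cannot be delivered is never dropped, only held until a path to that Director comes back.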

The following platforms support NetRanger Director applications:

• HP UNIX, Ultra UNIX workstations (not PC-based)

• 128 MB RAM, CD-ROM drive, 4 GB of hard disk space

• Example machines include Sun Ultra 170 and HP 725

NOTE NetRanger examines only the IP or TCP header and not actual data. Intruders usually use an attack based on large ICMP traffic, typically fragmented, to discover the behavior of routers in a network. When a router that is set for a particular MTU size receives a fragmented packet, it sends all fragments to the destination, assuming that the end device can reassemble the packet.

Intruders typically also use context-based attacks by scanning TCP or UDP ports in use.
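Because the Sensor works from the IP and TCP header alone, both patterns in the note (bursts of fragmented ICMP and port-by-port scanning of TCP or UDP) can be recognised from header fields without ever looking at payload. The Python below is an added example illustrating that header-only detection; it is not NetRanger's signature engine. The packet records, the thresholds (5 fragments, 10 distinct ports) and the alarm names are constructed for the illustration.

```python
"""Header-only detector for the two patterns named in the note (added example,
not NetRanger code). Each record carries only header fields: source, destination,
protocol, destination port, the More-Fragments flag, the fragment offset (in
8-byte units, as in the IP header) and total length. No payload is stored, so
nothing here can depend on data content.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    dst_port: int         # 0 for ICMP
    more_fragments: bool  # IP MF flag
    frag_offset: int      # IP fragment offset, 8-byte units
    total_length: int


class HeaderOnlySensor:
    def __init__(self, frag_threshold: int = 5, scan_threshold: int = 10) -> None:
        self.frag_threshold = frag_threshold      # constructed thresholds
        self.scan_threshold = scan_threshold
        self.frag_icmp: Dict[str, int] = defaultdict(int)          # src -> count
        self.ports: Dict[str, Set[Tuple[str, str, int]]] = defaultdict(set)
        self.alarms: List[str] = []
        self._raised: Set[Tuple[str, str]] = set()

    def inspect(self, h: Header) -> List[str]:
        """Examine one header; returns any alarms newly raised by it."""
        # A packet is a fragment if MF is set or it has a non-zero offset.
        if h.proto == "icmp" and (h.more_fragments or h.frag_offset > 0):
            self.frag_icmp[h.src] += 1
            if self.frag_icmp[h.src] >= self.frag_threshold:
                return self._raise("fragmented-icmp", h.src)
        elif h.proto in ("tcp", "udp"):
            # Distinct (destination, protocol, port) tuples per source catch
            # a scan that walks through ports, whatever data it sends.
            self.ports[h.src].add((h.dst, h.proto, h.dst_port))
            if len(self.ports[h.src]) >= self.scan_threshold:
                return self._raise("port-scan", h.src)
        return []

    def _raise(self, signature: str, src: str) -> List[str]:
        key = (signature, src)
        if key in self._raised:        # report each source once per signature
            return []
        self._raised.add(key)
        message = f"{signature} from {src}"
        self.alarms.append(message)
        return [message]


def sample_headers() -> List[Header]:
    """Constructed traffic: a normal web client, a fragmented ICMP burst split
    into 1500-byte fragments (1480 bytes of payload each, offset step 185),
    and a walk through twelve TCP ports on one host."""
    pkts = [Header("192.0.2.10", "192.0.2.80", "tcp", 80, False, 0, 60) for _ in range(3)]
    icmp_src = "198.51.100.7"
    pkts.append(Header(icmp_src, "192.0.2.1", "icmp", 0, True, 0, 1500))
    for offset in (185, 370, 555, 740):
        last = offset == 740
        pkts.append(Header(icmp_src, "192.0.2.1", "icmp", 0, not last, offset,
                           300 if last else 1500))
    for port in range(20, 32):
        pkts.append(Header("203.0.113.5", "192.0.2.1", "tcp", port, False, 0, 40))
    return pkts


def run(headers: List[Header] = None) -> List[str]:
    """Feed headers through the sensor and return the alarms raised, in order."""
    sensor = HeaderOnlySensor()
    for h in headers if headers is not None else sample_headers():
        sensor.inspect(h)
    return sensor.alarms


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

The web client never trips either rule (one destination port, no fragments), which is the point of keying the scan rule on distinct ports rather than packet volume; a busy but legitimate client and a scanner differ in how many ports they touch, not in how many packets they send.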

For more details on how Cisco IOS supports NetRanger, visit
