Cisco Intrusion Detection

Solutions in this Chapter

Introduction

In Chapter 1, we learned the fundamental principals and theory of security and intrusion detection systems. We also looked at Cisco-centric security mechanisms such as Cisco AVVID and SAFE. Cisco focuses on two primary types of IDSs, Host IDSs, and Network IDSs. Within each of these systems, Cisco develops products that promote an “active defense” to secure the network environment. Cisco Active Defense focuses on three points:

 Detection The ways and means to identify malicious attacks on networks and resources.

 Prevention How to stop detected attacks from being executed.

 Reaction How to immunize the systems from future attacks and provide real-time alerts.

We’ll learn that Cisco IDS sensors provide Active Defense detection using several methods, including signature detection and other hybrid techniques. We’ll also discuss the ways Cisco IDS can stop an attacker in his footsteps by sending TCP resets or dynamically manipulating firewall rule sets to prevent unwanted access. Finally, we’ll see how Cisco IDS solutions, such as the Host IDS sensor, can protect your resources, thwarting attacks through intelligent integration with application services and operating systems.

But, just what is Cisco Intrusion Detection? In this chapter, we’ll answer that question as we look closely at the specific Network and Host IDS platforms that comprise the Cisco IDS solution. We’ll discuss the 4200 IDS Sensor product line, the new IDS modules available for the Cisco Catalyst 6500 and Cisco 2600, 3600, and 3700 routers, and the Cisco Host IDS software.

Next, we’ll examine how to effectively manage the Cisco intrusion detection systems by using tools like Cisco IDS Event Viewer (IEV), IDS Device Manager (IDM), Cisco Secure Policy Manager (CSPM), and CiscoWorks VPN/Security Management Solution (VMS). Each of these tools has benefits for different environments and uses different mechanisms and protocols to communicate with Cisco IDSs in the network. We will discuss two protocols that Cisco has used to facilitate communication between the management stations and the sensors, the Cisco PostOffice Protocol and Cisco Remote Data Exchange protocol.

Finally, we’ll discuss in detail where Cisco IDS may be best deployed in the network. While each network environment requires different security approaches, there are several guiding principals regarding the intelligent and effective deployment of Cisco IDS.

Let’s begin by defining Cisco Intrusion Detection.

What Is Cisco Intrusion Detection?

Cisco Intrusion Detection is a complete security approach that provides a wide range of intrusion detection capabilities to help administrators secure and monitor their network environments against threats and security breaches. Cisco Systems IDS solutions are based on four concepts:

 Accurate threat detection

 Intelligent threat investigation and mitigation

 Ease of management

 Flexible deployment options

Cisco delivers each of these concepts through flexible Network IDS hardware, host-based IDS software, Cisco IDS sensor software, and scalable Cisco IDS management software.

At the heart of the Cisco Intrusion Detection System is the Cisco Network and Host IDS software, which provides accurate threat detection, intelligent threat investigation and mitigation, and simplified management. The software imparts comprehensive threat detection, delivering a hybrid system that uses methods including stateful pattern recognition, protocol analysis, traffic anomaly detection, and protocol anomaly detection. With the software, unauthorized exploits, DoS activity, reconnaissance attempts, and other malicious actions are quickly detected.

Accurate detection leads to threat investigation and mitigation. When an attack is detected, Cisco’s Threat Response technology works with Cisco IDSs to eliminate false alarms and escalate authentic attacks. This is accomplished using a three-step process involving:

 Basic investigation of target vulnerability

 Advanced investigation of targets

 Forensic data capture

Cisco IDSs are capable of several means of protecting a company’s assets. Whether dropping an offending packet, terminating an attacker’s session by using the TCP reset feature, dynamically reconfiguring Access Control Lists (ACLs) on routers and switches, or automatically modifying firewall policies, Cisco IDS offers an array of immediate response actions to stop attacks in near–real time.

Cisco understands the potential difficulties involved with managing network and security infrastructure. To alleviate management impediments, Cisco provides a series of management options that offer ease of use and centralized management. With tools like the Cisco IDS Event Viewer, IDS Device Manager, Secure Policy Manager, and the CiscoWorks VPN/Security Management Solution, administrators have many powerful options at their fingertips.

The Cisco Network IDS solution set includes appliance-based intrusion detection through the Cisco 4200 line of sensors. Ranging from performance options between 45 Mbps to 1 Gbps, the 4200 series offers multiple options for security administrators and can be quickly and easily integrated into network environments. Cisco also helps companies leverage existing switching and routing infrastructures through use of the Cisco Catalyst 6500 IDSM and Cisco IDS Module for 2600,3600, and 3700 routers. These modules integrate seamlessly into existing hardware to provide additional network security. And last but certainly not least, network IDS functionality is available in routers through an integrated but limited IOS functionality.

Cisco Host IDS works on the service endpoints in the network. Installed on hosts such as web and mail servers, the host sensor software protects operating systems and application-level functionality through tight integration. This is accomplished by inspecting all interaction with the operating system and comparing the requests for service against a database of known attacks. Should the request match a known exploit, the request for service will be terminated by the sensor software. Along with preventing known attacks, the Host sensor can also protect against generic or unknown exploits by preventing dangerous situations such as buffer overruns, a typical result of hacker exploits. Finally, the Host IDS software acts as a shield against intentional file corruption attempts, such as Trojan code insertion attacks. This is performed by “fingerprinting” executables and configuration flies during baseline operations. This fingerprint or checksum is then regularly compared to the current version to protect system resources such as Registry keys, password flies, and executables against unwanted manipulation.

Cisco’s Network Sensor Platforms

As part of their flexible deployment strategy, Cisco offers several different Network IDS platforms to meet the varying needs of enterprise environments. Included in the Network IDS suite of products are the Cisco IDS 4200 Series sensors, the Cisco Catalyst 6000 IDS Modules, Cisco IDS Modules for 2600, 3600, and 3700 routers, and the Cisco router and firewall-based sensors. All of these devices represent the cost-effective, comprehensive security solutions Cisco can provide for custom-tailored network performance needs.

From the affordable Cisco IDS 4210 to the high performance IDS 4250XL, the Cisco 4200 Series devices provide an appliance-based detection system. Refer to Table 2.1 for details regarding the Cisco IDS platforms.