Table Of Contents
Managing Sensors with IPS MC
Placing a Sensor on Your Network
Deciding Where to Place Sensors in Your Network
How the Sensor Functions
Placing a Sensor on Your Network
Deployment Considerations
Managing Sensors with IPS MC
This chapter outlines the task flow that you need to follow to manage your sensors with Management Center for IPS Sensors (IPS MC). First, however, you must develop a security policy that enables you to apply security measures. Your security policy should:
• Identify security objectives for your organization.
• Document the resources you want to protect.
• Identify the network infrastructure with current maps and inventories.
• Identify critical resources (such as research and development, finance, and human resources) to which you want to give extra protection.
Your completed security policy becomes the hub of the Cisco Security Wheel, shown in Figure 3-1.
Figure 3-1 Cisco Security Wheel
The spokes of the Cisco Security Wheel represent network security as a continual process consisting of the following four steps:
1. Secure your system.
2. Monitor the network for violations and attacks against your security policy and respond to them.
3. Test the effectiveness of the security safeguards in place.
4. Manage and improve corporate security.
You should continually perform all four steps, and you should consider each of them when you create and update your corporate security policy.
IPS MC is management software for Cisco Intrusion Prevention System. Cisco Intrusion Prevention System monitors network traffic in real time for suspicious activities and active network attacks. The network devices that monitor network traffic are called sensors. Sensors are similar to multihomed hosts because they are often connected to two physically different networks. However, they are unlike multihomed hosts because only one connection is addressable. In other words, the adapter that is connected to the monitored network(s) is not addressable—it runs as a promiscuous adapter, studying each network packet that it senses on the physical medium. Sensors come in two physical models: dedicated, standalone network appliances and line card modules running in certain Cisco Catalyst 6000 switches.
Sensors use signatures to determine whether the contents of network packets meet the criteria of an attack. A signature is a pattern of traffic, often thought of as a set of rules, that your sensor uses to detect typical intrusive activity, such as denial of service (DoS) attacks. When the packets match a given signature rule, an alarm is generated and sent to Monitoring Center for Security (Security Monitor).
Note
Some signatures monitor for normal network activity, rather than for an attack. For example, Signature 2004, ICMP Echo Request, may result in a large number of alarms generated not by attacks, but by normal network traffic.
You can configure a sensor to issue commands to a Cisco router to block any packets from the source IP address that triggers an alarm for specific signatures. These commands are issued as temporary changes to the access control list (ACL) of the Cisco router. After a specified period of time, the sensor removes those commands, restoring the router to its pre-attack configuration state. The sensor can also make similar changes to the Cisco PIX Firewall and the Cisco Catalyst 6000 switch.
Sensors have several settings associated with them, including the following:
• The IP address that IPS MC uses to communicate with the sensor.
• The software version that is running on the sensor (the version includes an aspect designation: S for default, or V for anti-virus).
• The signatures that are used to study network traffic.
• The signature overrides that may have been applied.
• The devices that are used to block active attacks.
• The networks and syslog data streams that are monitored.
• Whether the sensor copies its alarm log data to an FTP server.
Sensor preparation and configuration follows a basic task flow from initial setup to deployment. The following list identifies the primary tasks and the order in which you should perform them.
1. Bootstrap the sensor so that IPS MC can detect the sensor on the network. Bootstrapping involves getting the sensor up and running on the network, assigning it an IP address, and connecting it to the physical media.
2. Add the sensor to Cisco Security Manager. Adding the sensor to Cisco Security Manager automatically adds it to IPS MC. Then, manually define the settings that match the configuration settings of the bootstrapped sensor.
3. Configure signatures for specific responses to an attack, such as logging to a file the packets to and from the source address of an alarm. You can edit an existing signature or define a new signature.
4. Tune the signatures for the sensor. You can tune sensor signatures using four general methods: by specifying reassembly options for IP fragments and TCP sessions, by identifying hosts and networks that should be exempt from sending an alarm for certain signatures, by filtering alarms in accordance with their severity, and by changing parameters for the signature (such as identifying which ports to monitor).
5. Generate, approve, and deploy the configuration files to the sensors.
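The following is an added illustration, not code from IPS MC or Cisco, of how signature matching and two of the tuning methods above (exempting hosts or networks, filtering by severity) change the alarms a sensor produces. Signature 2004, ICMP Echo Request, is taken from the note above; the Telnet signature, the severity scale, the addresses and the packet records are constructed for the example.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed packet record standing in for what the promiscuous monitoring interface sees.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    dport: int = 0
    icmp_type: int = -1   # 8 = echo request

@dataclass
class Signature:
    sig_id: int
    name: str
    severity: int                       # hypothetical scale: 1 info .. 4 high
    match: Callable[[Packet], bool]
    exempt_src: list = field(default_factory=list)  # networks exempt from alarming

def tune(sig, exempt_src):
    """Tuning step: exempt hosts/networks from a signature without touching its rule."""
    return replace(sig, exempt_src=list(exempt_src))

# Signature 2004 (ICMP Echo Request) is named on the page; the Telnet signature is constructed.
SIGNATURES = [
    Signature(2004, "ICMP Echo Request", 1, lambda p: p.proto == "icmp" and p.icmp_type == 8),
    Signature(90001, "TCP connect to Telnet", 3, lambda p: p.proto == "tcp" and p.dport == 23),
]

def evaluate(packets, signatures, min_severity=1):
    """Return (sig_id, src) alarms for packets matching a signature, after tuning."""
    alarms = []
    for p in packets:
        for s in signatures:
            if s.severity < min_severity or not s.match(p):
                continue
            if any(ip_address(p.src) in ip_network(n) for n in s.exempt_src):
                continue
            alarms.append((s.sig_id, p.src))
    return alarms

# Constructed traffic: a management host pinging 20 servers plus one outside host probing Telnet.
TRAFFIC = [Packet("10.1.1.10", f"10.1.2.{i}", "icmp", icmp_type=8) for i in range(1, 21)]
TRAFFIC.append(Packet("203.0.113.7", "10.1.2.5", "tcp", dport=23))

if __name__ == "__main__":
    tuned = [tune(s, ["10.1.1.0/24"]) if s.sig_id == 2004 else s for s in SIGNATURES]
    print(len(evaluate(TRAFFIC, SIGNATURES)), evaluate(TRAFFIC, tuned))
```

Untuned, the 20 routine echo requests produce 20 of the 21 alarms; exempting the management network from Signature 2004, or raising the severity floor, leaves only the Telnet probe.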
Placing a Sensor on Your Network
This section discusses how to deploy and configure sensors on your network. It contains the following topics:
• Deciding Where to Place Sensors in Your Network
• How the Sensor Functions
• Placing a Sensor on Your Network
• Deployment Considerations
Deciding Where to Place Sensors in Your Network
Deciding where to place sensors in your network means that you must examine the connections between your network and other networks, including the Internet. You must also study the size and complexity of your network and the amount and type of traffic on your network.
Studying these characteristics of your network will also help you determine the number of sensors required and the hardware configuration for each sensor (for example, the size and type of network interface cards). IPS MC can support up to 300 sensor deployments.
The sensor monitors all traffic crossing a given network segment. Network connections fall into four basic categories, or locations, as illustrated in Figure 3-2 and described in the following paragraphs.
Figure 3-2 Major Types of Network Connections
In location 1, the sensor monitors traffic between the protected network and the Internet. This is commonly referred to as perimeter protection and is the most common deployment for a sensor. This location can be shared with firewall protection, and is discussed in Placing a Sensor on Your Network.
In location 2, the sensor monitors the network side of a remote access server, labeled Dial-up server in Figure 3-2. Although this connection may be for employee use only, it could be vulnerable to external attack.
In location 3, the sensor monitors an intranet connection. For example, the protected network of one department may contain an e-commerce site where all the connection types described so far are required. The network of another department may contain company-specific research and development or other engineering information and should be given additional protection.
In location 4, the sensor monitors an extranet connection with a business partner. Although most organizations have defined policies on the use and security of this type of connection, there is no guarantee that the partner network is adequately protected. Consequently, an outsider can enter your network through this type of connection. These extranet connections also may have firewalls.
Keeping these connection types in mind, determine which segments to monitor. Remember that each sensor maintains signatures configured for the segment it monitors. Signatures can be standard across the organization or unique for each sensor. You may consider defining your network topology to force traffic across a specific monitored network segment. There are always operational trade-offs when determining sensor placement. The end result should be a good idea of where to place sensors in your network, how many are needed, and how they should be configured in terms of hardware.
How the Sensor Functions
Another critical aspect in protecting your network is understanding how the sensor captures network traffic.
Each sensor comes with at least two interfaces. In a typical installation, one interface monitors the desired network segment, and the other interface communicates with the IPS MC and other network devices. The monitoring interface operates in promiscuous mode, meaning it has no IP address and is not visible on the monitored segment.
The sensor captures network traffic at the IP layer. Therefore, it must understand and interpret Media Access Control (MAC) layer protocols, which most networks use to pass along data packets.
The command and control interface is always an Ethernet interface. This interface has an assigned IP address, which allows it to communicate with IPS MC or other network devices (typically Cisco routers). Although this interface is "hardened" from a security perspective, it is visible on the network and must be protected.
When responding to attacks, the sensor can do the following:
• Insert TCP resets via the monitoring interface.
Note
The TCP reset action is only appropriate as an action selection on those signatures associated with a TCP-based service. If selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol.
• Make ACL changes to block traffic on routers (or PIX Firewall or Cisco Catalyst 6000 switches) that the sensor manages, using the command and control interface.
Note
Such routers are referred to as blocking routers, and the sensor opens and maintains a Telnet session (or an SSH session, in the case of a PIX Firewall) to such routers to reduce the time required to publish the ACL rule sets that block traffic.
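The blocking behaviour described here and in the chapter introduction (a temporary deny for the alarm's source address, removed after a set period so the router returns to its pre-attack ACL) is modelled below as an added example; it is not IPS MC or Cisco code and does not talk to a router. The base ACL, the block duration, the management network and the refusal to block addresses in that network are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Block:
    src: str
    expires_at: float   # seconds on a caller-supplied clock, so the example runs offline

class BlockingRouter:
    """Models the sensor's temporary ACL changes on a blocking router (constructed example)."""

    def __init__(self, base_acl, never_block, block_seconds):
        self.base_acl = list(base_acl)   # pre-attack ACL, restored once blocks expire
        self.never_block = [ip_network(n) for n in never_block]
        self.block_seconds = block_seconds
        self.blocks = {}                 # src address -> Block

    def block(self, src, now):
        """Add or refresh a temporary deny for the address that triggered the alarm."""
        if any(ip_address(src) in n for n in self.never_block):
            return False                 # refuse to lock out management / C&C addresses
        self.blocks[src] = Block(src, now + self.block_seconds)
        return True

    def expire(self, now):
        """Drop blocks whose time has passed; returns how many were removed."""
        stale = [s for s, b in self.blocks.items() if b.expires_at <= now]
        for s in stale:
            del self.blocks[s]
        return len(stale)

    def render_acl(self):
        """Temporary deny lines first, then the unchanged pre-attack ACL."""
        denies = [f"deny ip host {s} any" for s in sorted(self.blocks)]
        return denies + self.base_acl

# Constructed pre-attack ACL and a management network that must never be blocked.
BASE_ACL = ["permit tcp any host 10.1.2.5 eq 80", "deny ip any any"]
NEVER_BLOCK = ["10.1.1.0/24"]

if __name__ == "__main__":
    router = BlockingRouter(BASE_ACL, NEVER_BLOCK, block_seconds=1800)
    router.block("203.0.113.7", now=0.0)
    print(router.render_acl())              # deny line ahead of the base ACL
    router.expire(now=1800.0)
    print(router.render_acl() == BASE_ACL)  # True: pre-attack state restored
```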
The last aspect of understanding how a sensor functions is the data speed or load on the monitored network. Because the sensor is not in the data path, it has no direct impact on network performance. However, there are limitations on the data speeds it can monitor. For example, the IDS-4210 sensor appliance, one of the slowest, supports up to 45 Mbps; whereas the IDS-4250XL sensor appliance supports up to 1000 Mbps.
Placing a Sensor on Your Network
You can place a sensor in front of or behind a filtering router. Each position has benefits and drawbacks.
Placing the monitoring interface of the sensor in front of a filtering router allows the sensor to monitor all incoming and outgoing network traffic. However, when deployed in this manner, the sensor cannot normally detect internal network traffic. An internal attacker taking advantage of vulnerabilities in network services would remain undetected by the external sensor (see Figure 3-3). In Figure 3-3, the Outermost router is the filtering router.
Figure 3-3 Sensor in Front of a Filtering Router
Placing the monitoring interface of the sensor behind a filtering router shields the sensor from any attacks that the filtering router blocks. This configuration provides a more robust reaction capability because the sensor can work with the router to block future attacks.
Deployment Considerations
To enable the sensor to manage the filtering router to defend your network, you must do the following:
• Enable Telnet services on the router.
• Add the router to the Object Selector in IPS MC.
The sensor can then dynamically update the router ACLs to deny unauthorized activity.