Table Of Contents
Hardware and Software Requirements
Define DTM-Specific Inspection Rules
Troubleshooting DTM Integration
Frequently Asked Questions about DTM with IPS
Technology Preview:
Configuring Distributed Threat Mitigation with Intrusion Prevention System in
Cisco Security MARS
Date Revised: September 28, 2006This technology preview exists for Cisco Security Monitoring, Analysis, and Response System (MARS) 4.1.1, and later, and has been incrementally updated through the current release. Use this preview to understand, plan, and verify large deployments in controlled environments. Work with your Cisco sales engineer or partner to plan and configure this technology before you deploy it in a production network. MARS support is conditioned on the assumption that this is not being used in networks that exceed the appliance-to-IOS IPS router recommendations set forth in Table 2.
This document presents the following topics:
•
Hardware and Software Requirements
•
•
•
DTM Solution Overview
Even though attacks can be identified by either signature or anomaly-based systems, there is no easy way to prevent attacks against other network nodes or domains, to mitigate nodes, or to issue company-wide alarms. You need to be able identify and correlate discrete network activities, such as a successful attack that damages the target node or innocent-looking reconnaissance that is preparation for an attack, so that you can quickly protect the rest of the network from similar incidents.
Typically, you cannot correlate the facts about an attack to one another in a timely manner. Various pieces of information are derived from signature-based IPS sensors, and new families of security routers provide volumes of different data: signature alarms, firewall syslog messages, device health information, route information, and so on. Before Cisco Security MARS was developed, this information was not correlated to validate the presence and success of attacks throughout the network.
Cisco Security MARS Distributed Threat Mitigation (DTM) with Intrusion Prevention System (IPS) pro-actively identifies and distributes IPS signatures for active threats detected on the network. It provides distributed and rapid threat mitigation using Cisco IOS Software IPS routers. Cisco Security MARS collects and correlates the attack information provided by signature-based IPS sensors and security routers and, together with Cisco IOS IPS routers, enables IPS signatures to help prevent attacks from spreading. DTM is effective inline intrusion protection and leverages routers already deployed in the network for additional value.
Table 1 lists features and benefits of the DTM solution.
Hardware and Software Requirements
The hardware and software required to enable the DTM solution varies depending on the desired functionality. The DTM solution is composed of three categories of Cisco products: static IPS devices, dynamically updated IPS devices, and management components. Static IPS devices keep Cisco Security MARS abreast of active threats on the network by monitoring traffic for a broad set of signatures. Dynamically updated IPS devices are inline IPS solutions that detect and block traffic matching a signature and that accept dynamic signature updates from Cisco Security MARS. Management components provide change control and auditing of the deployed network policy and signatures. At a minimum, your solution must include one static IPS device, one dynamically updated IP device, and a supported MARS Appliance.
Static IPS Devices
•
•
•
•
Dynamically Updated IPS Devices
•
Management Components
•
–
–
–
–
–
–
•
How DTM Works
In the DTM solution, Cisco Security MARS proactively identifies active signatures as reported by one or more Cisco IPS appliances or modules deployed in your network. Next, Cisco Security MARS distributes the same IPS signatures to specified IOS IPS routers.
Figure 1 DTM Components
A Cisco IPS appliance or module can run the full signature set, whereas Cisco IOS IPS routers run a subset of signatures based on the memory capacity and which signatures are active (different signatures consume different amounts of memory). Therefore, specifying one or more Cisco IPS appliances or modules as the reporting devices in your DTM rules ensures the network is monitored for all known attacks rather than a restricted set. Cisco IPS appliances and modules generate and publish up-to-date signature definition files (SDFs) to Cisco IOS IPS routers. The SDF is an XML file with a definition of all signatures. A Cisco IOS IPS router reads the SDF update, parses the file, and populates its internal tables with the information necessary to detect each signature.
To use the DTM solution, you must enable IOS IPS on the routers and, in MARS, identify these routers as the target of DTM notifications for inspection rules based on Cisco IPS signatures. While technically, an IOS IPS router can also serve as a monitoring device, only IOS IPS routers can be the notification target of a DTM rule.
For DTM rules, the SDF for the signatures matched in the rules is generated and stored on the MARS Appliance when the rules are fired. MARS does not generate a single SDF file for all routers, it generates as separate SDF for each router and that set is limited to the signatures that the routers supports. All IPS signatures supported by the Cisco IPS appliance are not supported by the Cisco IOS IPS routers.
Selecting the DTM notification method means that if the rule fires, MARS issues appropriate commands to any Cisco IOS IPS routers that should receive the notification to instruct those routers to retrieve the associated SDFs. The DTM notification also includes one or more IPS alert action: alarm, drop, reset (if it is a TCP session), deny attacker, or deny flow. This IPS alert action enables new or existing signatures and configures the signature to respond accordingly when it fires. The alert action refers to sending a syslog or SDEE notification to target monitoring devices, such as MARS and syslog servers.
Note
The result of this rule configuration is that Cisco Security MARS provides distributed and rapid threat mitigation to IOS IPS routers based on what an IPS appliance detects in the network. Cisco Security MARS, based on the active threats, amends the set of active signatures running on the IOS IPS routers to mitigate such threats network wide.
When using MARS to monitor your Cisco IPS devices, you can also configure IPS MC to monitor the IOS IPS routers for dynamic configuration changes made by MARS and to notify the administrator when this happens, either via e-mail or via the console. This notification allows you to synchronize your signature policies with the active policy on the network. This feature is important because the dynamic signature changes made by MARS are not permanent; if the IOS IPS router is power cycled, the signature set is synchronized with the last known configuration pushed by IPS MC. The administrator can run a report to see what changed on the configuration and choose whether to re-import the device in IPS MC to synchronize the configuration changes with the database.
As part of the DTM operation, Cisco Security MARS deletes inactive signatures from the SDF file. Inactive signatures have not fired on the network within a user-specified interval. You can specify the interval as "Never Delete Inactive Signatures", 3, 6, or 12 hours, or between 1 and 14 days. If you select Never Delete Inactive Signatures, you will eventually render the DTM feature useless, because no new signatures will be added once the memory limitations of the IOS IPS router is reached.
Cisco Security MARS deletes inactive signatures is to ensure that the IOS IPS routers have the memory available to accept new signatures. However, even when a signature has expired (been inactive for the specified interval), it is not deleted from the SDF until Cisco Security MARS adds a new signature to the SDF. During each add operation, Cisco Security MARS deletes all expired signatures, but it does not removed expired signatures when it is only merging new actions for signatures that are already in the SDF. If a signature in the SDF has fired anywhere on the network, it will be kept in the SDF until it expires, even if the memory limitations are encountered. This strict adherence to the configuration setting means that subsequent updates will fail until signatures can be removed. Therefore, you must study the DTM reports to help tune this signature inactivity value in such a way as to ensure you are keeping the current signatures in the SDF.
This section includes the following topics:
•
•
•
Checklist for Deploying DTM
The following checklist describes the decision-making process and the basic flow required to plan, deploy, and fully enable DTM. Each task might contain several steps and substeps; the steps and substeps should be performed in order. The checklist contains references to the specific procedures used to perform each task.
1.
Defining the architecture of the network involves understanding traffic flows and placement of sensors (appliances or service modules) and routers. You must identify the critical segments of your network and the mitigation strategies for each segment. For example, you might choose a group of routers that will always block any detected security events. In other cases where asset values are lower, you might define a group of IOS IPS routers for which the signatures generate alarms only unless the attack is actually seen, in which case the signatures should also block the traffic.
Note
Result: A map of the network segments is defined. The placement of each Local Controller is relative to the network segment monitored by the primary IPS reporting device. The mitigation response and desired escalation in responses is determined for each IOS IPS router.
For more information, see the following sections in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0:
Capturing Network Traffic
•
Introducing the Appliance
•
Introducing ASA-SSM
•
Introducing IDSM-2
•
Introducing NM-CIDS
•
2.
Bootstrap reporting devices (Cisco IOS IPS routers only) to accept SSH or Telnet updates from MARS and to allow MARS to pull current signature settings. The preferred access IP method is SSH, which is used to discover current signature settings and available memory, and to publish SDF updates. You must also enable SDEE on the IOS IPS router and identify the MARS Appliance as a valid SDEE cleint so that it is configured as a reporting device as MARS.
Note
You must enable IOS IPS on the routers by defining a default
attack-drop.sdffile. You can bootstrap the routers and enable IOS IPS manually from the CLI or using a management application, such as Security Device Manager (SDM) or the Management Center for Intrusion Prevention System (IPS MC).Note
Result: The recommended software image is running on the routers, and the IOS IPS feature is enabled. The routers are configured to accept SSH administrative connections from the MARS Appliance. Also, the routers are configured to report SDEE events to MARS.
For more information, see:
•
For more detailed information on how the IOS IPS feature works, and what the attack-drop.sdf file is and how to configure it, please refer to the following deployment guide:
http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml
•
•
Enable SDEE on the Cisco IOS Device with an IPS Module, page 10
3.
After you identify and bootstrap the IPS sensors and IOS IPS routers, enable the required traffic flows, and determine the role of the different devices in your DTM solution, you must represent those devices in MARS. MARS uses this information to communicate with and authenticate to the devices. You represent the devices by adding individual devices in the web interface or by importing a comma-separated vector (CSV) seed file, which can define the required settings for basic device types and give you a headstart on defining the more complicated devices. In addition, you can use the SNMP-based topology discovery to discover reporting devices and mitigation devices. You can provide additional detail, such as the SSH credentials used to authenticate to the device, later.
After you add the IOS IPS routers to the MARS web interface, you must select each router, edit the device, and click Add IPS on the device setting page to configure the SDEE authentication and port settings. You must add this information manually, because the seedfile and discovery methods do not support it. SDEE support is required to pull the error and status logs about DTM updates and activities.
Because DTM is a distributed solution, you should be careful to select the correct Local Controller to monitor the IPS sensors and monitor and update the IOS IPS routers. Table 2 recommends the number of IOS IPS routers be updated by a single Local Controller based on the appliance model.
You should also define device groups in the MARS web interface for those devices in the DTM solution that share common roles. Such groups will assist you when defining DTM actions for rules and when running queries and reports. Two example groups follow:
•
Branch IOS IPS, that includes all IOS IPS routers.•
After adding a Cisco IOS IPS router in the MARS web interface, make sure that you have defined the SSH or Telnet connection information and that you have discovered the device, via the Discover button, to verify that the authentication settings are correctly defined.
Note
Result: All IPS sensors and IOS IPS routers are defined and activated in MARS. When the devices are bootstrapped and defined in MARS, MARS pulls and inspects the logs received from the devices. Until the devices are added and activated in MARS, MARS cannot pull the SDEE logs from the devices.
For more information, see:
•
•
•
•
•
•
•
•
(continued)
•
•
4.
DTM enables Cisco IOS Routers running IOS IPS to run those signatures that are most likely to be detected, ensuring that the signature set reflects the current network environment. Scheduling DTM updates refers to specifying the frequency with which MARS contacts the IPS routers to check the signatures that they are running, and to make the necessary changes to their SDF files, adding or deleting signatures. MARS maintains a list of the signatures that have been reported by any IDS/IPS device in the network and that are associated with a DTM rule. The suggested trigger device should not be an IOS IPS, because it cannot run the full set of signatures regardless of the memory that it has. However, any IDS/IPS device can, such as the appliance, the NM-CIDS, SSM module for Cisco ASA, or the Catalyst 6000 blade. At the same time, MARS keeps track of the signatures that have not been reported (inactive signatures) in the last 24 hours (default period), so that they will be deleted from the devices: this is necessary so that the router does not run more signatures than it should. Beginning with 4.2.1, you can configure this signature inactivity period to meet your requirements.
Note
The 4.2.1 release also introduced the top ten signature list,. which is downloaded from Cisco.com. You can also specify the interval for downloading these signatures and define default actions to associate with them.
After you define the settings, you must activate them by clicking Activate on any page in the web interface.
Result: The schedules for updating IOS IPS routers are defined and activated in MARS. The DTM services monitor the MARS database to determine the firing signatures across the reporting devices (Cisco IPS and Cisco IDS devices). Based on this information, MARS adds and deletes signatures in the SDF files so that Cisco IOS Routers running the DTM feature set can query MARS for the list of signatures that have been fired by the DTM rules.
For more information, see:
5.
The DTM feature of MARS works in conjunction with Cisco IPS devices to generate and publish up-to-date signature definition files (SDFs) to Cisco IOS IPS routers. Selecting the DTM notification method means that when an inspection rule fires, MARS pushes the associated SDF to any Cisco IOS IPS routers that are the subject of the notification. The DTM notification also includes an IPS alert action: alarm, drop, reset (if it is a TCP session), deny attacker, or deny flow. This IPS alert action enables new or existing signatures and configures the signature to respond accordingly when it fires. The alarm action refers to sending a syslog or SDEE notification to target monitoring devices, such as MARS and syslog servers.
Result: All MARS inspection rules based on the IPS device signature events include DTM notifications. The notifications specify, as target devices, the Cisco IOS IPS routers monitored by the Local Controller.
For more information, see:
6.
After the settings are configured and the DTM rules created, Cisco Security MARS begins monitoring the network via SDEE for new alarms. The Cisco IOS IPS router or IPS appliance detects one or more signatures and alarms, which the MARS Appliance pulls using SDEE for event correlation and further inspection.
Typical monitoring activity is as follows:
•
When the DTM rule fires, an incident is created. All such incidents are analyzed at the pre-defined interval based on the value specified in the Interval to Synchronize Signatures on DTM Devices field of the Distributed Threat Mitigation Settings page. When the interval expires, Cisco Security MARS retrieves all such incidents and analyzes all of the signatures that are part of each incident. Based on those signatures, Cisco Security MARS generates a single SDF and contacts the routers that are defined in the notification group for that DTM rule to instruct those routers to get the new SDF file. If a signature is already in the SDF file but the action is different from that specified in the DTM notification setting, then the signature action is merged. Otherwise, the new signature is added and any inactive signatures are deleted from the SDF.
MARS tracks the set of signatures running on each router, basing the new SDF file on the contents of that file. MARS adds signatures to this file depending on how the MARS Appliance has been configured and on what is firing. MARS determines the required memory for each signature and the free memory on the router. If the router is out of memory, MARS follows the user-specified setting for deleting inactive signatures. If the router is out of memory and no signatures can be deleted, it is a critical incident, the update fails, and MARS retrieves the SDEE events about this failure from the IOS IPS router. MARS attempts to update the SDF when the interval next expires.
(continued.)
•
You can specify that all signatures are deployed with the drop action or you can specify different actions for each set of routers to which you are deploying. You can define unique rules based on the following criteria: which IPS is firing, how often one or more signature fires within a time period, whether the signature is red, yellow, or green, and whether the source or destination is within a specific network or address range.
•
Result: The DTM solution monitors the network for active attacks and pushes signature updates and defined responses to the IOS IPS routers.
7.
You can define queries and reports around any DTM event, which is organized under the Misc/DTM event group. A DTM event provides status about a DTM update that is published to the target devices. The following actions result from DTM signature changes: DTM_UPDATE_SUCCESS, DTM_UPDATE_FAIL, DTM_DELETE_SUCCESS, and DTM_DELETE_FAIL.
These DTM reports and queries can help you identify errors, such as out of memory and signature update failures, as well as provide clearer status on the DTM updates. The recommended monitoring and trougbleshooting approach is to schedule the full set of DTM reports to be updated frequently and to monitor them, many of which are not scheduled by default.
For example, if you see a signature firing on a primary reporting device (IPS device) but do not see that signature running on your IOS IPS routers, first determine whether a DTM rule based on that signature has fired. If such a rule did fire, then determine whether the update interval has expired since the signature fired on the primary reporting device. If it has not, you may wish to decrease the interval. If that is not the cause, then review the DTM reports for possible failures with the update to that router. If the DTM rule did not fire, then determine why it did not fire. Possible causes include failure to receive the alarm or an incorrectly defined DTM rule.
Result: Stay abreast of DTM signature changes by studying the change audit trail.
For more information, see:
8.
You can specify the interval at which CiscoWorks Management Center for IPS Sensors (IPS MC) version 2.2 polls the monitored devices for configuration changes made out of band. The default interval is 5 minutes. IPS MC checks the signatures deployed versus its configuration stored in the local database and if a change has occurred, it issues an e-mail notification and on the console the icon of the router changes color to indicate a configuration change. You must run a difference report to determine the changes and whether to re-import the router to update the configuration in the IPS MC database or not.
Note
Result: The configuration settings in your IPS management application are synchronized with the SDF updates provided to IOS IPS routers by Cisco Security MARS.
For more information, see:
•
http://www.cisco.com/en/US/products/sw/cscowork/ps3990/tsd_products_support_series_home.html
"Monitoring Sensor Health" from Using Management Center for IPS Sensors 2.2
Define DTM-Specific Inspection Rules
When defining inspection rules for DTM, consider the following framework for the rules:
For <Devices> that report signatures firing that match <Conditions>, update <Targets> with the SDF file with <IPS Action>.
Figure 2 Example DTM Rule
Each inspection rule ties together four pieces of information:
•
–
–
–
•
•
–
–
–
–
–
Tip
Figure 3 IPS Actions and DTM Notification Settings
Note
•
When a rule fires, the SDF update for the signatures is placed in an update queue. When the period, defined by DTM Device Access Interval, elapses, all queued updates are published to each target device. Each target device has a separate SDF that is updated each time the interval period elapses.
Example DTM Rules
The following example rule is illustrated in this section:
If
Source/Dest IP = ANY, Service Name = ANY, Event = SAME, Device = ANY (of the IPs devices), Severity = RED, COUNTS = 3, Reported USER = ANY,
in
Time-Range = 30 min,
then
Action = DTM Action with signature action = Alarm Only & recipients = All IOS routers
To define this rule using the MARS web interface, follow these steps:
Step 1
a.
b.
c.
d.
e.
f.
g.
A dialog box prompts "Are you done defining the rule conditions?"
h.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
These actions are the ones you want to implement for the signatures when they are triggered (Alarm, Drop, Reset).
Step 8
Step 9
The output is the following rule:
Step 10
Two additional example DTM rules follow:
1.
If
Source/Dest IP = ANY, Service Name = ANY, Event = ANY, Device = ANY, Severity = HIGH, COUNTS = 15, Reported USER = ANY
in
Time-Range = 5 min,
then
Action = DTM Action with signature action = Alarm and Drop & recipients = All IOS routers
2.
If
Source/Dest IP = ANY, Service Name = ANY, Event = ANY, Device = ANY, Severity = MEDIUM, COUNTS = 10, Reported USER = ANY,
in
Time-Range = 5 min,
then
Action = DTM Action with signature action = Alarm Only & recipients = All 2800 and 3800 routers in medium/large branches with 256 MB or more memory
View DTM-Specific Reports
You can define queries and reports around any DTM event, which is organized under the Info/DTM group. A DTM event provides status about a DTM update that is published to the target devices. Alternatively, you can enter DTM in the Description/CVE: field and click Search on the Management > Event Management page of the web interface.
The following DTM-specific report group exists:
•
The following DTM reports are provided by MARS:
•
•
•
•
Schedule DTM Updates
DTM allows Cisco IOS Routers running IOS IPS to run those signatures that are most likely to be detected, ensuring that the signature set is germane to the current network environment. Scheduling DTM updates refers to specifying the frequency with which MARS polls those Cisco IPS and Cisco IDS devices that it monitors. MARS uses this data to generate a list of fired signatures as reported across these devices. MARS stores these generated signature sets on the MARS Appliance for retrieval by Cisco IOS Routers also monitored by MARS. The routers then run the top N signatures based on memory limitations.
To define the global DTM update schedule, follow these steps:
Step 1
Step 2
This value represents the minimum time that MARS waits to synchronize with the target Cisco IOS IPSs, as defined in the notification subjects of the DTM-specific inspection rules. When a DTM rule fires, the list of signatures to be added is modified, but the SDF file deploys only when the specified interval time expires. Consider this value carefully; it is the minimum time that MARS waits. If MARS is updating a large number of routers, a single threat could take longer than the specified time to finish polling all the devices it will have to.
As an example, consider the time interval of 15 minutes. This value specifies that every 15 minutes the MARS Appliance attempts to contact the IOS IPS routers to compare their operating configuration with the active set and to deploy a new SDF file if needed. If a DTM rule fires in the middle of this 15-minute interval, the wait time is only 7 and a half minutes.
The process that polls the IOS IPS routers is single threaded; therefore, the number of devices monitored by a Local Controller should be small enough that a full round of polling can occur within the specified interval. A minimum interval time for the signatures to be updated must be defined to avoid an attack to the IOS IPS router itself. If new SDF updates are being pushed, it is important to allow the IOS IPS router time to compile and activate the previous updates before new SDF updates are pushed. If a new SDF file is deployed too early, it could corrupt the signature set running on the router.
Table 2 provides the maximum number of devices and polling interval recommendations for each model of MARS Appliance.
Caution
Table 2 Sizing DTM for Your Network
MARS 20
25 devices
15 minutes
MARS 20R
5 devices
15 minutes
MARS 50
25 devices
15 minutes
MARS 100
100 devices
15 minutes
MARS 100e
100 devices
15 minutes
MARS 200
100 devices
15 minutes
1 Managed using SSH.
Step 3
This value identifies the period of time that inactive signatures are kept as part of the SDF on IOS IPS routers before they are deleted from it. If a signature is not reported as active by any IPS or IOS IPS router monitored by MARS, it is deleted from the IOS IPS routers that are notification targets for DTM rules after the signature inactivity interval expires.
If you select the Never Delete Inactive Signatures value, eventually the DTM feature will be rendered useless because no new signatures are added once the memory limitations of the IOS IPS router is reached.
MARS polls the Cisco IOS IPS and IDS devices to develop a list of signatures fired by devices over a period of time. When that period elapses, MARS deletes the stored signature list, compiles a new SDF, and restarts this process. This setting ensures that MARS has generated the SDFs based on the current signatures. Before MARS generates an SDF, it polls the Cisco IPS devices to ensure that it has the most recent signatures. Each IOS IPS router has an active signature list against which MARS compares to determine if any signatures in the queue are already running on the device. If any queued signatures are not already running, MARS publishes a marginal SDF of those signatures.
Note
The number of signatures running on a Cisco IOS IPS router can vary depending on memory constraints. MARS builds an SDF of the current set plus the marginal set. MARS determines how much router memory is available, and if there is sufficient memory, it builds the new SDF file around what is not marked for deletion, as those signatures have been active on the network within the specified interval. The memory is calculated with a "show memory statistics" command.
MARS does not delete any signatures that were reported to MARS within the interval or that MARS published as part of an SDF in the interval. If any signature running on the Cisco IOS IPS has not fired within the interval, it is marked for deletion even if the router has enough memory to run it. However, it is not removed until a new signature is actually added to the SDF. During a signature addition operation, all signatures marked for deletion are removed from the SDF. This signature allocation approach ensures that the router maintains a maximum set of signatures to memory ratio, and it ensures that, in case of an attack, the router has enough free memory to sustain an increase in traffic.
Note
Step 4
This report is published as an XML file to the MARS Appliance, http://tools.cisco.com/MySDN/Intelligence/top10.x. The report is similar in content to the Top Ten Intelligence Reports found at http://tools.cisco.com/MySDN/Intelligence/home.x and it uses this information to create signature updates for Cisco IOS IPS routers. By downloading and enabling this ten report, Cisco Security MARS ensures that those supported signatures from the top 10 signature report are always running on your Cisco IOS IPS routers. However, only those top signatures supported by both the MARS software version running on the appliance and Cisco IOS IPS routers can be published as an SDF update to the router.
Step 5
The IPS signature actions specify that the new SDF file should include one or more of the following actions as part of the signature configuration.
•
•
•
•
•
Step 6
Troubleshooting DTM Integration
Table 3 identifies possible errors and likely causes and solutions.
Frequently Asked Questions about DTM with IPS
Q.
A.
Q.
A.
•
•
•
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
Q.
A.
