Using Management Center for IDS Sensors 1.2
Managing Sensors with IDS MC
Table of Contents
Managing Sensors with IDS MC
Placing a Sensor on Your Network
Deciding Where to Place Sensors in Your Network
How the Sensor Functions
Placing a Sensor on Your Network
Deployment Considerations

This chapter outlines the task flow that you need to follow to manage your sensors with IDS MC. First, however, you must develop a security policy that enables the application of security measures. Your security policy should:
When you have developed your security policy, it becomes the hub of the Cisco Security Wheel, shown in Figure 3-1.

Figure 3-1 Cisco Security Wheel

The spokes of the Cisco Security Wheel represent network security as a continual process consisting of the following four steps:

2. Monitor the network for violations and attacks against your security policy and respond to them.

3. Test the effectiveness of the security safeguards in place.

4. Manage and improve corporate security.

You should continually perform all four steps, and you should consider each of them when you create and update your corporate security policy.

IDS MC is management software for Cisco Intrusion Detection System. Cisco Intrusion Detection System provides real-time monitoring of network traffic for suspicious activities and active network attacks. The network devices that monitor network traffic are called sensors. Sensors are similar to multihomed hosts in that they are often connected to two physically different networks. They are unlike multihomed hosts, however, in that only one connection is addressable: the adapter connected to the monitored network(s) has no address and runs as a promiscuous adapter, examining every packet it senses on the physical medium. Sensors come in two physical models: dedicated, standalone network appliances and line card modules running in certain Cisco Catalyst 6000 switches.

The sensor compares network packets to its signatures to determine whether the contents of the packets meet the criteria of an attack. A signature is a pattern of traffic, often thought of as a set of rules, that your sensor uses to detect typical intrusive activity, such as denial of service (DoS) attacks. When packets match a given signature rule, an alarm is generated and sent to Security Monitor.
You can configure a sensor to issue commands to a Cisco router to block any packets from the source IP address that triggers an alarm for specific signatures. These commands are issued as temporary changes to the access control list (ACL) of the Cisco router. After a specified period of time, the sensor removes those commands, restoring the router to its pre-attack configuration state. The sensor can also make similar changes to the Cisco PIX Firewall and the Cisco Catalyst 6000 switch. Sensors have a number of settings associated with them, beginning with the following:
The sensor follows a basic task flow from initial setup to deployment. The following list identifies the primary tasks and the order in which you should perform them.

1. Bootstrap the sensor so that IDS MC can detect the sensor on the network. Bootstrapping involves getting the sensor up and running on the network, assigning it an IP address, and connecting it to the physical media.

2. Add the sensor to IDS MC. Next, manually define the settings that match the configuration settings of the bootstrapped sensor.

3. Configure signatures for specific responses to an attack, such as logging the packets to and from the source address of an alarm to a file. You can edit an existing signature or define a new signature.

4. Tune the signatures for the sensor. You can tune sensor signatures using four general methods: by specifying reassembly options for IP fragments and TCP sessions, by identifying hosts and networks that should be exempt from triggering an alarm for certain signatures, by filtering alarms according to their severity, and by changing parameters of the signature (such as identifying which ports to monitor).

5. Generate, approve, and deploy the configuration files to the sensors.

6. Use Security Monitor to view historical and real-time attack and system status notifications. After you configure the sensors to study network activities, any notifications generated by the sensors are published to the database. Using Security Monitor, you can study these notifications to determine what attacks are ongoing and to gather status information about the sensors, such as which ones have generated blocking rules for detected attacks.

Placing a Sensor on Your Network

This section discusses the best way to deploy and configure sensors on your network.
It has the following topics:

Deciding Where to Place Sensors in Your Network

Deciding where to place sensors in your network means that you must carefully examine the connections between your network and other networks, including the Internet. In the process, you also need to study the size and complexity of your network and the amount and type of traffic on it. Studying these characteristics helps you determine the number of sensors required and the hardware configuration for each sensor (for example, the size and type of network interface cards). IDS MC is designed to support at least 300 sensor deployments.
The sensor monitors all traffic crossing a given network segment. Keeping that in mind, consider all the network connections you want to protect. These connections fall into four basic categories, or locations, as illustrated in Figure 3-2 and described in the following paragraphs.

Figure 3-2 Major Types of Network Connections

In location 1, the sensor is placed to monitor traffic between the protected network and the Internet. This is commonly referred to as perimeter protection and is the most common deployment for a sensor. This location can be shared with firewall protection and is discussed in Placing a Sensor on Your Network.

In location 2, the sensor monitors the network side of a remote access server, labeled Dial-up server in Figure 3-2. Although this connection may be for employee use only, it could be vulnerable to external attack.

In location 3, the sensor monitors an intranet connection. For example, the protected network of one department may contain an e-commerce site where all the connection types described so far are required. The network of another department may contain company-specific research and development or other engineering information and should be given additional protection.

In location 4, the sensor monitors an extranet connection with a business partner. Although most organizations have defined policies on the use and security of this type of connection, there is no guarantee that the partner network is adequately protected. Consequently, an outsider can enter your network through this type of connection. These extranet connections also may have firewalls.

Keeping these connection types in mind, consider the network you want to protect. Determine which segments to monitor. Remember that each sensor maintains signatures configured for the segment it monitors. Signatures can be standard across the organization or unique for each sensor.
You may consider defining your network topology to force traffic across a specific monitored network segment. There are always operational trade-offs when determining sensor placement. The end result should be a good idea of where to place sensors in your network, how many are needed, and how they should be configured in terms of hardware.

How the Sensor Functions

The next step in protecting your network is understanding how the sensor captures network traffic. Each sensor comes with two interfaces. In a typical installation, one interface monitors the desired network segment, and the other communicates with IDS MC and other network devices. The monitoring interface operates in promiscuous mode: it has no IP address and is not visible on the monitored segment. The sensor analyzes traffic at the IP layer, but what it captures from the wire are link-layer frames, so it must also understand and interpret the Media Access Control (MAC) layer protocols, such as Ethernet, that most networks use to carry data packets. The command and control interface is always an Ethernet interface. It has an assigned IP address, which allows it to communicate with IDS MC or other network devices (typically Cisco routers). Although this interface is "hardened" from a security perspective, it is visible on the network and must be protected. When responding to attacks, the sensor can do the following:
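The capture and signature-matching path described in this chapter, as an added example that is not part of this guide or of the sensor software: a Python sketch that takes raw Ethernet frames as a promiscuous interface would deliver them, interprets the Ethernet and IPv4 headers to reach the IP layer and then TCP, and matches the result against two constructed signatures of the kind described earlier, emitting one alarm per match. The signature IDs, patterns, addresses and sample frames are all made up for the illustration; the sensor's actual signature engine and Cisco's signature numbering are not represented.

```python
"""Added example, not Cisco sensor or IDS MC code. Decodes Ethernet frames the
way a promiscuous monitoring interface delivers them, walks up through IPv4
and TCP, and matches the result against constructed signatures. Signature IDs,
patterns, addresses and sample frames are all made up for this illustration."""
import re
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: int = 0
    payload: bytes = b""


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Ethernet II -> IPv4 -> TCP; None for frames the sensor would not analyse."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # ARP, IPv6, or too short to carry an IP header
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # The sender controls every length field here; validate before indexing.
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    pkt = Packet(frame[6:12].hex(":"), frame[:6].hex(":"),
                 str(IPv4Address(src)), str(IPv4Address(dst)), proto)
    l4 = ip[ihl:total_len]  # slicing to total_len drops Ethernet trailing padding
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4
        if data_off < 20 or data_off > len(l4):
            return None
        pkt.src_port, pkt.dst_port, pkt.tcp_flags = sport, dport, off_flags & 0x01FF
        pkt.payload = l4[data_off:]
    else:
        pkt.payload = l4
    return pkt


@dataclass
class Signature:
    """One rule: protocol, optional dst port, TCP flags set/clear, payload regex."""
    sig_id: int
    name: str
    proto: int
    dst_port: Optional[int] = None
    flags_set: int = 0
    flags_clear: int = 0
    pattern: Optional[re.Pattern] = None

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and (self.dst_port is None or pkt.dst_port == self.dst_port)
                and (pkt.tcp_flags & self.flags_set) == self.flags_set
                and not (pkt.tcp_flags & self.flags_clear)
                and (self.pattern is None or self.pattern.search(pkt.payload) is not None))


# Constructed signatures; the IDs are made up, not Cisco signature numbers.
SIGNATURES = [
    Signature(90001, "TCP SYN to telnet", PROTO_TCP, dst_port=23, flags_set=TCP_SYN, flags_clear=TCP_ACK),
    Signature(90002, "HTTP request for /etc/passwd", PROTO_TCP, dst_port=80,
              pattern=re.compile(rb"GET\s+\S*/etc/passwd")),
]


def inspect(frames: List[bytes], signatures=SIGNATURES) -> List[Tuple[int, str, str]]:
    """Return (sig_id, src_ip, dst_ip) per match: the alarm a sensor would forward."""
    alarms = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is not None:
            alarms.extend((s.sig_id, pkt.src_ip, pkt.dst_ip) for s in signatures if s.matches(pkt))
    return alarms


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (not verified above)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + tcp
    frame = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return frame + b"\x00" * max(0, 60 - len(frame))  # pad to the Ethernet minimum


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_FRAMES = [
    build_frame("198.51.100.7", "192.0.2.10", 40000, 23, TCP_SYN),             # alarm 90001
    build_frame("192.0.2.10", "198.51.100.7", 23, 40000, TCP_SYN | TCP_ACK),    # reply, no alarm
    build_frame("198.51.100.9", "192.0.2.20", 40002, 80, TCP_ACK,
                b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n"),  # alarm 90002
    b"\xff" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,                    # ARP, skipped
]
```

Two points worth noticing in the parser: every length field (IHL, total length, TCP data offset) is checked before it is used as an index, because a sensor decodes packets that the attacker composed, and the slice to `total_len` is what discards the padding an Ethernet frame carries below its 60-byte minimum. Frames that are not IPv4 are returned as `None` rather than matched, which is the behavior the chapter describes for an IP-layer analysis.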
The last step in understanding how a sensor functions is understanding the data speed, or load, on the monitored network. Because the sensor is not in the data path, it has no impact on network performance. However, there are limits on the data speeds it can monitor. The following list identifies the available models and the maximum network speed each can monitor:
Placing a Sensor on Your Network

You can place a sensor in front of or behind a filtering router. Each position has benefits and drawbacks. Placing the monitoring interface of the sensor in front of a filtering router allows the sensor to monitor all incoming and outgoing network traffic. However, when deployed in this manner, the sensor cannot normally detect internal network traffic. An internal attacker taking advantage of vulnerabilities in network services would remain undetected by the external sensor (see Figure 3-3). In Figure 3-3, the Outermost router is the filtering router.

Figure 3-3 Sensor in Front of a Filtering Router

Placing the monitoring interface of the sensor behind a filtering router shields the sensor from any attacks that the filtering router blocks. This configuration provides a more robust reaction capability because the sensor can work with the router to block future attacks.

Deployment Considerations

To enable the sensor to manage the filtering router to defend your network, you must do the following:

The sensor will then be able to dynamically update the router ACLs to deny unauthorized activity.
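The blocking response this chapter describes, temporary ACL changes on the filtering router that are removed after a set time so the router returns to its pre-attack state, as an added example that is not sensor or IDS MC code: a Python model in which an alarm for a designated signature adds a deny line for the attacker's source address to an IOS-style ACL, a repeat alarm extends the block rather than shortening it, and expired entries are removed. The ACL name, signature IDs, addresses and block time are made up, and the never-block list for management addresses is a precaution added here rather than something this page specifies.

```python
"""Added example, not Cisco sensor or IDS MC code. Models the sensor's blocking
response: an alarm for a designated signature adds a temporary deny entry for
the attacker's source address to the managed router's ACL, and the entry is
removed when its block time expires, returning the router to its permanent
configuration. ACL text is IOS-style for illustration; names, IDs and times are
made up, and the never-block list is a precaution added here."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass
class Alarm:
    sig_id: int
    src_ip: str
    time: float  # seconds on any monotonic clock


@dataclass
class RouterAcl:
    """The ACL as the sensor maintains it: the sensor's dynamic denies are
    rendered before the operator's permanent lines so they take effect first."""
    name: str
    permanent: List[str]
    dynamic: Dict[str, float] = field(default_factory=dict)  # src_ip -> expiry time

    def render(self) -> List[str]:
        lines = [f"ip access-list extended {self.name}"]
        lines += [f" deny ip host {ip} any" for ip in sorted(self.dynamic)]
        lines += [f" {rule}" for rule in self.permanent]
        return lines


class Blocker:
    def __init__(self, acl: RouterAcl, blocking_sigs: Iterable[int],
                 block_seconds: int, never_block: Iterable[str]):
        self.acl = acl
        self.blocking_sigs = set(blocking_sigs)
        self.block_seconds = block_seconds
        # Addresses that must never be blocked, however loud the alarm: IDS MC,
        # the sensor's own command-and-control address, the router itself.
        # A spoofed source in that range would otherwise let an attacker make
        # the sensor cut you off from your own equipment.
        self.never_block = [ip_network(n) for n in never_block]

    def handle_alarm(self, alarm: Alarm) -> bool:
        """Add or extend a block for the alarm's source; True if the ACL changed."""
        if alarm.sig_id not in self.blocking_sigs:
            return False
        if any(ip_address(alarm.src_ip) in net for net in self.never_block):
            return False
        expiry = alarm.time + self.block_seconds
        # A repeat alarm extends an existing block; it never shortens it.
        self.acl.dynamic[alarm.src_ip] = max(self.acl.dynamic.get(alarm.src_ip, 0.0), expiry)
        return True

    def expire(self, now: float) -> List[str]:
        """Remove blocks whose time is up; return the addresses released."""
        released = sorted(ip for ip, exp in self.acl.dynamic.items() if exp <= now)
        for ip in released:
            del self.acl.dynamic[ip]
        return released


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Walk one block through its lifetime: the ACL during the block, the
    addresses released at expiry, and the ACL afterwards (permanent rules only)."""
    acl = RouterAcl("IDS_BLOCK", ["permit tcp any host 192.0.2.10 eq 80", "deny ip any any log"])
    blocker = Blocker(acl, blocking_sigs={90001}, block_seconds=1800,
                      never_block=["192.0.2.0/24", "10.1.1.5/32"])
    blocker.handle_alarm(Alarm(90001, "198.51.100.7", time=1000.0))  # blocked
    blocker.handle_alarm(Alarm(90002, "198.51.100.8", time=1000.0))  # not a blocking signature
    blocker.handle_alarm(Alarm(90001, "10.1.1.5", time=1000.0))      # on the never-block list
    during = acl.render()
    released = blocker.expire(now=1000.0 + 1800)
    return during, released, acl.render()
```

The never-block list is the check a practitioner adds before enabling blocking at all: the addresses of IDS MC, the sensor's command and control interface, and the router being managed must be excluded, since a single packet with a spoofed source in that range would otherwise turn the sensor's response into a denial of service against your own management path.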