CISCO IDS student guide.pdf


  • 8/10/2019 CISCO IDS student guide.pdf


    CSIDS

    Cisco Secure Intrusion

    Detection System

    Version 2.1

    Student Guide

    Text Part Number: 67-0002-01

    Cisco Systems, Inc.

    170 W Tasman Drive

    San Jose, CA 95134-1706 USA


    The products and specifications, configurations, and other technical information regarding the products in this

    manual are subject to change without notice. All statements, technical information, and recommendations in this

    manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must

    take full responsibility for their application of any products specified in this manual.

    LICENSE

    PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL,

    DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU AGREE

    TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH

    THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF

PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.

Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable license

    to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (Software),

    Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on

    a single central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco.

    You may make one (1) archival copy of the Software provided. You affix to such copy all copyright,

    confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED

    ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE;

    REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR

    RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE MATERIALS.

    You agree that aspects of the licensed Materials, including the specific design and structure of individual

    programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or

    otherwise make available such trade secrets or copyrighted material in any form to any third party without the

    prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade secrets

and copyrighted Material. Title to the Materials shall remain solely with Cisco.

This License is effective until terminated. You may terminate this License at any time by destroying all copies of

    the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any

    provision of this License. Upon termination, You must destroy all copies of the Materials.

    Software, including technical data, is subject to U.S. export control laws, including the U.S. Export

    Administration Act and its associated regulations, and may be subject to export or import regulations in other

    countries. You agree to comply strictly with all such regulations and acknowledge that it has the responsibility to

    obtain licenses to export, re-export, or import Software.

    This License shall be governed by and construed in accordance with the laws of the State of California, United

    States of America, as if performed wholly within the state and without giving effect to the principles of conflict

    of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall

    remain in full force and effect. This License constitutes the entire License between the parties with respect to the

    use of the Materials

Restricted Rights - Cisco's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its

supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to the restrictions as set forth in subparagraph C of the Commercial Computer Software

- Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. Government's

    rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical

    Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.

    DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO

    AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,

    WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE

    AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE

    PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,

    CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS

    OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL,

    EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH

DAMAGES. In no event shall Cisco's or its suppliers' liability to You, whether in contract, tort (including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even if the above-

    stated warranty fails of its essential purpose.

    The following information is for FCC compliance of Class A devices: This equipment has been tested and found

    to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are

    designed to provide reasonable protection against harmful interference when the equipment is operated in a

    commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not

    installed and used in accordance with the instruction manual, may cause harmful interference to radio

    communications. Operation of this equipment in a residential area is likely to cause harmful interference, in

    which case users will be required to correct the interference at their own expense.

    The following information is for FCC compliance of Class B devices: The equipment described in this manual

generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation


    instructions, it may cause interference with radio and television reception. This equipment has been tested and

    found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the

    FCC rules. These specifications are designed to provide reasonable protection against such interference in a

    residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without Cisco's written authorization may result in the equipment no longer complying

    with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may

    be limited by FCC regulations, and you may be required to correct any interference to radio or television

    communications at your own expense.

    You can determine whether your equipment is causing interference by turning it off. If the interference stops, it

    was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes

    interference to radio or television reception, try to correct the interference by using one or more of the following

    measures:

    Turn the television or radio antenna until the interference stops.

    Move the equipment to one side or the other of the television or radio.

    Move the equipment farther away from the television or radio.

    Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make

    certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

    Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate

    your authority to operate the product.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University

of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights

reserved. Copyright 1981, Regents of the University of California.

AccessPath, Any to Any, AtmDirector, the CCIE logo, CD-PAC, Centri, the CiscoCapital logo, CiscoLink, the

    Cisco NetWorks logo, the Cisco Powered Network logo, the Cisco Press logo, ClickStart, ControlStream,

    DAGAZ, Fast Step, FireRunner, IGX, IOS, JumpStart, Kernel Proxy, LoopRunner, MGX, Natural Network

    Viewer, Cisco Secure IDS, NetSonar, Packet, PIX, Point and Click Internetworking, Policy Builder,

    RouteStream, Secure Script, SMARTnet, SpeedRunner, Stratm, StreamView, TheCell, TrafficDirector,

    TransPath, VirtualStream, VlanDirector, Workgroup Director, and Workgroup Stack are trademarks; Changing

    the Way We Work, Live, Play, and Learn and Empowering the Internet Generation are service marks; and BPX,

    Catalyst, Cisco, CiscoIOS, the CiscoIOS logo, CiscoSystems, the CiscoSystems logo, Enterprise/Solver,

    EtherChannel, FastHub, ForeSight, FragmentFree, IP/TV, IPX, LightStream, MICA, Phase/IP, StrataSphere,

    StrataView Plus, and SwitchProbe are registered trademarks of CiscoSystems,Inc. in the U.S. and certain other

    countries. All other trademarks mentioned in this document are the property of their respective owners.

    Cisco Secure Intrusion Detection System: Student Guide

Copyright © 2001, Cisco Systems, Inc.

    All rights reserved. Printed in USA.


1 Course Introduction

    Overview

    This chapter includes the following topics:

    Course objectives

    Course agenda

    Participant responsibilities

    General administration

    Graphic symbols

    Participant introductions

    Lab topology


1-2 Cisco Secure Intrusion Detection System 2.1 Copyright © 2001, Cisco Systems, Inc.

    Course Objectives

    This section introduces the course and the course objectives.

    2001, Cisco Systems, Inc. www.cisco.com CSIDS 2.11-3

Course Objectives

Upon completion of this course, you will be able to perform the following tasks:

Install and configure CSPM and the CIDS Sensor in multiple network configurations.

Use CSPM to centrally manage and configure multiple Sensors.

Configure the CIDS Sensor to detect, respond to, and report intrusion activity.

Use CSPM to translate intrusion data into intuitive and effective graphical displays.

Use the CIDS NSDB to view signature and network security vulnerability information.


Course Objectives (cont.)

Develop and implement customized intrusion detection signatures.

Configure the CIDS Sensor in device management mode to interface with a Cisco IOS router to stop network attacks.

Configure the Catalyst 6000 IDS Module for the Catalyst 6000 family of switches to perform intrusion detection in multiple VLANs.

Understand the CIDS architecture and the relationship between configuration files and tokens.

Configure Event Notification in CSPM and generate Alarm Reports.


Course Agenda

Chapter 1: Course Introduction

Chapter 2: Introduction to Network Security

Chapter 3: Intrusion Detection and the Cisco IDS Environment

Chapter 4: Cisco Secure Policy Manager Installation

Chapter 5: Cisco IDS Sensor Installation

Chapter 6: Alarm Management

Chapter 7: Cisco IDS Signatures


Course Agenda (cont.)

Chapter 8: Sensor Configuration

Chapter 9: Signature and Intrusion Detection Configuration

Chapter 10: IP Blocking Configuration

Chapter 11: Catalyst 6000 IDS Module Configuration

Chapter 12: Cisco IDS Architecture

Chapter 13: Event Notification and Alarm Reporting


Participant Responsibilities

Student responsibilities:

Complete prerequisites

Participate in lab exercises

Ask questions

Provide feedback


General Administration

Class-related: sign-in sheet; length and times; break and lunch room locations; attire

Facilities-related: participant materials; site emergency procedures; restrooms; telephones/faxes


Graphic Symbols

[Figure: icon legend. Symbols used in this course: Ethernet link, Router, PIX Firewall, CIDS Sensor, Internet, Server, Student workstation/server, CIDS Director, CSPM, IDS Switch Module.]


Participant Introductions

Your name

Your company

Pre-req skills

Brief history

Objective


    Lab Topology

    This section explains the lab topology that is used in this course.


Lab Visual Objective

[Figure: lab topology. Pod P (your pod) and Pod Q (peer pod) are built alike: router rP (rQ) with interfaces e0/0 and e0/1, pod network 10.0.P.0/24 (10.0.Q.0/24), the CSPM host at 10.0.P.3 (10.0.Q.3), and the sensor sensorP/idsmP (sensorQ/idsmQ). Address labels on the diagram: .1, .4, .6 and .10P (.10Q). Both pods connect to the shared 172.30.1.0/24 network. CSPM settings: Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP; for the peer pod, Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ.]

Each pair of students will be assigned a pod. The P in a command indicates your pod number. The Q in a command indicates the pod number of your peer.


2 Network Security and Cisco Intrusion Detection

    Overview

    This chapter covers information on network security, what network security is,

    and why you need network security. In addition, this chapter discusses the need

    for continuous network security and how the Cisco Intrusion Detection System

    (CIDS) helps achieve this.

    This chapter includes the following topics:

    Objectives

    Need for network security

    Attack types and methods

    The Cisco Security Wheel

    Cisco AVVID and SAFE

    Summary


    Objectives

This section lists the chapter's objectives.


Objectives

Upon completion of this chapter, you will be able to perform the following tasks:

Describe the need for network security.

Describe the four types of security threats.

Describe attack methods and techniques used by hackers.

Describe the purpose of the Cisco Security Wheel and how it illustrates security as a continuous process.


Objectives (cont.)

Name methods and devices for securing networks.

Identify the phase of the Security Wheel in which CIDS is designed to function.

Describe the purpose for testing security policies once they are applied to the network.

Describe the Cisco AVVID architecture.

Describe the SAFE framework.


Security Incidents on the Rise

The Internet has made networked computers accessible and vulnerable to anyone in the world.

    Network security is necessary because the Internet has made networked computers

    accessible from and vulnerable to any other computer in the world. As companies

    become more Internet-reliant, new threats arise from persons who no longer

    require physical access to a companys computer assets.


Four Basic Types of Threats


    There are four primary threats to network security:

    Unstructured threats

    Structured threats

    External threats

    Internal threats

    Unstructured threats consist of mostly inexperienced individuals using easily

    available hacking tools such as shell scripts and password crackers.

Some of the hackers in this category are motivated by malicious intent, but most are motivated by the intellectual challenge and fun of it and are known as script

kiddies. Script kiddies are not the most experienced or knowledgeable hackers.

They download these easily executable scripts from numerous hacker Web sites

for free. The script kiddy's reasoning is: Why battle monsters in the latest

computer game when you can test your battle skills against real targets?

Even unstructured threats that are only executed with the intent of testing and

challenging a script kiddy's skills can still do a lot of damage to a company. For

example, if your company's external Web site is hacked, your company's integrity

is damaged. Even if your external Web site is separate from your internal

information that sits behind a protective firewall, the public does not know that.

All they know is that if your Web site was hacked, your Web site obviously is not safe enough to do business in.

    Structured threats come from hackers who are more highly motivated and

    technically competent. They know vulnerabilities, and can understand and develop

    exploit-code and scripts. Typically hackers act alone or in small groups. They

    understand, develop, and use sophisticated hacking techniques to penetrate

    unsuspecting businesses. These groups are often involved with the major fraud

    and theft cases reported to law enforcement agencies. Occasionally, these hackers


    are hired by organized crime, industry competitors, or state-sponsored intelligence

    organizations.

    External threats are individuals or organizations working from outside of your

    company. They do not have authorized access to your computer systems or

    network. They work their way into a network mainly from the Internet or dialup

    access servers. These are the type of threats that people spend the most time and

    money protecting themselves against.

Internal threats occur when someone has authorized access to the network with either an account on a server or physical access to the wire. They are typically

    disgruntled former or current employees or contractors. According to the FBI,

    internal access and misuse account for between 60 to 80 percent of reported

    incidents.

    The only perfectly secure computer is one that is unplugged and in a locked vault.

    All computer systems and network devices must be protected.


Access

Unauthorized data manipulation, system access, or privilege escalation

Access is an all-encompassing term that refers to unauthorized data manipulation,

system access, or privilege escalation. Unauthorized data retrieval is simply

    reading, writing, copying, or moving files that are not intended to be accessible to

    the intruder. Sometimes this is as easy as finding shared folders in Windows 9x or

    NT, or NFS exported directories in UNIX systems with read or read and write

    access to everyone. The intruder will have no problems getting to the files and,

    more often than not, the accessible information is highly confidential and

    completely unprotected from prying eyes, especially if the attacker is already an

    internal user.

System access is the ability for an unauthorized intruder to gain access to a device for which the intruder does not have an account or password. Entering or

    accessing systems to which one does not have access usually involves running a

    hack, script, or tool that exploits a known vulnerability of the system or

    application being attacked.

    Another form of access attacks involves privileged escalation. Privilege escalation

    occurs when a user obtains privileges or rights to objects that were not assigned to

    the user by an administrator. Objects can be files, commands, or other components

    on a network device. The intent is to gain access to information or execute

    procedures for which they are not authorized at their current level of access. In

    many cases this involves gaining administrative privileges to a system or device to

    install sniffers, create backdoor accounts, or delete log files.

In some cases intruders want to gain access without necessarily wanting to steal

information, especially when the motive is intellectual challenge, curiosity, or

ignorance.


Denial of Service

Disable or corrupt networks, systems, or services

    Denial of service (DoS) is when an attacker disables or corrupts networks,

    systems, or services with the intent to deny the service to intended users. It usually

    involves either crashing the system or slowing it down to the point that it is

    unusable. But DoS can also be as simple as wiping out or corrupting information

    necessary for business. In most cases, performing the attack simply involves

    running a hack, script, or tool, and the attacker does not need prior access to the

    target because all that is usually required is a way to get to it. For these reasons

    and because of the great damaging potential, DoS attacks are the most feared

    especially by e-commerce web site operators.


Access Methods

Exploit easily guessed passwords: default, brute force

Exploit mis-administered services: IP services, trust relationships, file sharing

    Access methods are varied and run the entire gamut between simple command-

    line hacks to sophisticated tools with nice user interfaces. Usually, the first line of

    defense when it comes to access attacks is strong authentication. In many cases

    user passwords are too easily guessed by attempting to enter default passwords or

    brute force attacks. These attacks involve attempting to logon to a host with a

    common user name and then trying different password combinations that are

    commonly used. This technique is especially effective if the attacker has some

    prior knowledge about the user being targeted.

Exploiting misadministered services is simply taking advantage of services that

are poorly installed and administered by novice or unknowing administrators. One of the easiest services to exploit is file sharing. Too often users share their files by

    creating a shared folder or directory with full access to everyone, and sometimes a

    user does not realize that others can access the folder. This can be prevented with

    password-protected shares, or sharing only with intended users. Other common

    misadministered services are anonymous FTP and TFTP servers, SNMP,

    Windows registry access, and trust relationships.
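As an added illustration (not part of the Cisco student guide), the following Python shows the defender's counterpart to the default-password and brute-force guessing described above: a check over host logon logs that flags a source cycling through common account names or failing repeatedly within a short window. The log line format, the account list, the threshold and the window are assumptions made for the example.

```python
"""Flag password-guessing against common accounts in host logon logs.

Added example (not from the Cisco student guide). Scans syslog-style
failed-logon lines, groups failures by source address, and reports a source
when it either fails `threshold` times inside a sliding time window or tries
more than one default/common account name. Log format, account list,
threshold and window are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real system output).
SAMPLE_LOG = """\
Mar 12 10:00:01 host1 login: FAILED LOGIN user=admin from=10.0.1.50
Mar 12 10:00:03 host1 login: FAILED LOGIN user=root from=10.0.1.50
Mar 12 10:00:04 host1 login: FAILED LOGIN user=guest from=10.0.1.50
Mar 12 10:00:06 host1 login: FAILED LOGIN user=administrator from=10.0.1.50
Mar 12 10:00:07 host1 login: FAILED LOGIN user=admin from=10.0.1.50
Mar 12 10:00:09 host1 login: FAILED LOGIN user=admin from=10.0.1.50
Mar 12 10:05:00 host1 login: FAILED LOGIN user=jsmith from=10.0.2.7
Mar 12 10:30:00 host1 login: FAILED LOGIN user=jsmith from=10.0.2.7
Mar 12 10:31:00 host1 login: LOGIN OK user=jsmith from=10.0.2.7
"""

# Assumed line layout: "<Mon> <day> <hh:mm:ss> <host> login: FAILED LOGIN user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login: FAILED LOGIN "
    r"user=(?P<user>\S+) from=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)
# Account names that guessing tools commonly try first (assumed list).
COMMON_ACCOUNTS = {"admin", "administrator", "root", "guest", "test"}


def parse_failures(text, year=2001):
    """Return (timestamp, user, src) for each failed-logon line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def find_guessing_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: {"failures": n, "accounts": [...], "reason": "..."}} for
    sources that burst past `threshold` failures inside `window` or that cycle
    through more than one COMMON_ACCOUNTS name."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    alerts = {}
    for src, items in by_src.items():
        items.sort()
        times = [t for t, _ in items]
        # Sliding window: advance `start` until the window fits, then check the count.
        burst, start = False, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        tried = {u for _, u in items}
        reasons = []
        if burst:
            reasons.append(f"{threshold}+ failures within {window}")
        if len(tried & COMMON_ACCOUNTS) > 1:
            reasons.append("cycling default/common accounts")
        if reasons:
            alerts[src] = {"failures": len(items),
                           "accounts": sorted(tried),
                           "reason": "; ".join(reasons)}
    return alerts


if __name__ == "__main__":
    for src, info in find_guessing_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures on {info['accounts']} ({info['reason']})")
```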


Access Methods (cont.)

Exploit application holes: mishandled input data; access outside application domain, buffer overflows, race conditions

Protocol weaknesses: fragmentation, TCP session hijack

Trojan horses: programs that introduce an inconspicuous backdoor into a host

    Application security holes have been around since the first piece of software was

    written. These holes are usually a result of unanticipated behavior of software

    code or unexpected inputs. An example of this is a program that breaks out into a

    root shell when receiving an out-of-band input. Protocol weaknesses are also types

    of application holes. An example of this is IP fragmentation and TCP session

    hijack. The attacker is taking advantage of protocol design deficiencies that the

    original designers did not anticipate. Finally Trojan horses are used to gain

    unauthorized access by tricking a legitimate user to run trojanized programs that

    install or open back doors for attackers to secretly break in. Then the attackers,

    circumventing in many cases any authentication procedures, come in through the

    back door.


Denial of Service Methods

Resource overload: disk space, bandwidth, buffers; ping floods, SYN flood, UDP bombs; Unsolicited Commercial E-mail (UCE)

Fragmentation or impossible packets: large ICMP packets; IP fragment overlay; same source and destination IP packet

DoS attack methods include everything from simple one-line commands to

sophisticated programs, written by knowledgeable hackers.

Common resource overload attacks include ping floods (smurf), TCP SYN floods

(neptune), and packet storms (UDP bomb and fraggle). Unsolicited Commercial

E-mail (UCE), often referred to as SPAM, attempts to overload mail servers.

Some attacks to generate fragmented or impossible packets are ping of death,

winnuke, land, and teardrop. One infamous hack tool, targa, combines seven attacks

in one: bonk, winnuke, teardrop, land, jolt, nestea, newtear, and syndrop.
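The following Python is an added example, not Cisco IDS code, of how the "impossible packet" signatures listed above can be checked by a sensor that parses IPv4 headers: a land packet (same source and destination address), an overlapping fragment (the teardrop-style fragment overlay), and an ICMP datagram whose reassembled size would exceed the 65535-byte IPv4 maximum (ping of death). The packet builder and the sample packets are constructed for the example.

```python
"""Header-level checks for the impossible-packet DoS signatures above.

Added example (not Cisco IDS code). `ImpossiblePacketDetector.inspect` takes a
raw IPv4 packet and reports which of three signatures it matches: land
(src == dst), fragment overlay (fragment data overlapping an earlier fragment of
the same datagram) and oversized ICMP (reassembled length > 65535 bytes).
`build_ipv4` constructs test packets; it is not a real capture.
"""
import struct
from collections import defaultdict

IPV4_MAX_LEN = 65535      # largest total length an IPv4 datagram may have
IP_HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, no options
PROTO_ICMP = 1


def parse_ipv4(pkt):
    """Decode the header fields the checks need; raises on a truncated header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HEADER_FMT, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "id": ident,
        "proto": proto,
        "mf": bool(frag & 0x2000),        # More Fragments flag
        "offset": (frag & 0x1FFF) * 8,    # fragment offset is in 8-byte units
        "payload_len": total_len - ihl,
    }


def build_ipv4(src, dst, payload_len, ident=1, proto=PROTO_ICMP, mf=False, offset=0):
    """Constructed test packet: 20-byte header plus a zero-filled payload."""
    frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IP_HEADER_FMT, 0x45, 0, 20 + payload_len, ident, frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + bytes(payload_len)


class ImpossiblePacketDetector:
    def __init__(self):
        # (src, dst, id, proto) -> [(start, end)] byte ranges of fragments seen so far
        self.frags = defaultdict(list)

    def inspect(self, pkt):
        """Return the list of signature names this packet triggers (empty if none)."""
        h = parse_ipv4(pkt)
        hits = []
        if h["src"] == h["dst"]:
            hits.append("land: same source and destination IP")
        if h["mf"] or h["offset"] > 0:
            key = (h["src"], h["dst"], h["id"], h["proto"])
            start, end = h["offset"], h["offset"] + h["payload_len"]
            # Two ranges overlap when each starts before the other ends.
            if any(start < e and s < end for s, e in self.frags[key]):
                hits.append("fragment overlay: overlapping fragment data")
            self.frags[key].append((start, end))
            # Reassembled size is the header plus the furthest byte any fragment reaches.
            if h["proto"] == PROTO_ICMP and 20 + max(e for _, e in self.frags[key]) > IPV4_MAX_LEN:
                hits.append("oversized ICMP: reassembled datagram exceeds 65535 bytes")
            if not h["mf"]:               # last fragment seen: forget this datagram
                self.frags.pop(key, None)
        return hits


if __name__ == "__main__":
    det = ImpossiblePacketDetector()
    print(det.inspect(build_ipv4("10.0.1.5", "10.0.1.5", 8)))                     # land
    print(det.inspect(build_ipv4("10.0.1.5", "10.0.2.9", 24, ident=7, mf=True)))   # first fragment
    print(det.inspect(build_ipv4("10.0.1.5", "10.0.2.9", 24, ident=7, offset=16))) # overlapping fragment
```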


    The Cisco Security Wheel

    This section describes why network security should be a continuous process based

    on the Security Wheel.


Network Security as a Continuous Process

[Figure: the Security Wheel. Four steps, Secure, Monitor, Test and Improve, arranged in a circle around the hub, Security Policy.]

Network security is a continuous process built around a security policy.

Step 1: Secure

Step 2: Monitor

Step 3: Test

Step 4: Improve

    Most security incidents occur because system administrators do not implement

    available countermeasures, and hackers or disgruntled employees exploit the

    oversight. Therefore, the issue is not just one of confirming that a technical

    vulnerability exists and finding a countermeasure that works; it is also critical to

    verify that the countermeasure is in place and working properly.

This is where the Security Wheel, a continuous security process, is effective.

    The Security Wheel not only promotes applying security measures to your

    network, but most importantly, it promotes retesting and reapplying updated

    security measures on a continuous basis.

    To begin this continuous process known as the Security Wheel, you need to create

    a security policy that enables the application of security measures. A security

    policy needs to accomplish the following tasks:

Identify the organization's security objectives

    Document the resources to be protected

    Identify the network infrastructure with current maps and inventories

    Identify the critical resources that need to be protected (such as research and

    development, finance, and human resources)


After the security policy is developed, it becomes the hub upon which the next

four steps of the Security Wheel are based:

Step 1 Secure the system. This involves implementing security devices (firewalls,

identification authentication systems, Virtual Private Networks (VPNs), and so

on) with the intent to prevent unauthorized access to network systems.

    Step 2 Monitor the network for violations and attacks against the corporate security

    policy. Violations can occur within the secured perimeter of the network from a

disgruntled employee or from a hacker outside the network. Monitoring the network with a real-time intrusion detection system such as CIDS can ensure that

    the security devices in Step 1 have been configured properly.

    Step 3 Test the effectiveness of the security safeguards in place. You can use Cisco

    Secure Scanner to identify the security posture of the network with respect to the

    security procedures that form the hub of the Security Wheel.

    Step 4 Improve corporate security. Collect and analyze information from the monitoring

    and testing phases to make security improvements.

All four steps (secure, monitor, test, and improve) should be repeated on a

    continuous basis and should be incorporated into updated versions of the corporate

    security policy.

  • 8/10/2019 CISCO IDS student guide.pdf

    26/601

    2-16 Cisco Secure Intrusion Detection System 2.1 Copyright !2001, Cisco Systems, Inc.

    2001, Cisco Systems, Inc. www.cisco.com CSIDS 2.1 2-17

    [Figure: the Security Wheel. Secure, Monitor, Test, and Improve are arranged around the Security Policy at the hub.]

    Secure the Network

    Implement security solutions: authentication, firewalls, VPNs, patching

    Stop or prevent unauthorized access and activities.

    Secure the network by applying the security policy and implementing the

    following security solutions:

    Authentication: Give access to authorized users only (for example, using

    one-time passwords).

    Firewalls: Filter network traffic to allow only valid traffic and services.

    Virtual private networks (VPNs): Hide traffic contents to prevent unwanted

    disclosure to unauthorized or malicious individuals.

    Vulnerability patching: Apply fixes or measures to stop the exploitation of

    known vulnerabilities. This includes turning off services that are not needed

    on every system. The fewer services that are enabled, the harder it is for

    hackers to gain access.


    [Figure: the Security Wheel, with the Monitor step highlighted.]

    Monitor Security

    Detect violations to the security policy: system auditing, real-time intrusion detection

    Validate the security implementation in step one

    Monitoring security involves both active and passive methods of detecting

    security violations. The most commonly used active method is to audit host-level

    log files. Most operating systems include auditing functionality. System

    administrators for every host on the network must turn these on and take the time

    to check and interpret the log file entries.

    Passive methods include using CIDS to automatically detect intrusion. This

    method requires only a small number of network security administrators for

    monitoring. CIDS can detect security violations in real time and can be configured

    to automatically respond before an intruder does any damage.

    An added benefit of network monitoring is the verification that the security

    devices implemented in Step 1 of the Security Wheel have been configured and are

    working properly.


    [Figure: the Security Wheel, with the Improve step highlighted.]

    Improve Security

    Use information from the monitor and test phases to make improvements to the security implementation

    Adjust the security policy as security vulnerabilities and risks are identified

    The improvement phase of the Security Wheel involves analyzing the data

    collected during the monitoring and testing phases, and developing and

    implementing improvement mechanisms that feed into your security policy and

    the securing phase in Step 1. If you want to keep your network as secure as

    possible, you must keep repeating the cycle of the Security Wheel, because new

    network vulnerabilities and risks are created every day.

    With the information collected from the monitoring and testing phases, you can

    use CIDS to implement improvements to the security. You can also adjust the

    security policy as you uncover new security vulnerabilities and risks.


    Intelligent network services: The intelligent network services, provided

    through software that operates on network platforms, are a major benefit of

    an end-to-end architecture for deploying Internet business solutions. From

    quality of service (QoS) (prioritization) through security, accounting, and

    management, intelligent network services reflect the enterprise's business

    rules and policies in network performance. A consistent set of the services

    end-to-end through the network is vital if the infrastructure is to be relied

    upon as a network utility. These consistent services enable new Internet

    business applications and e-business initiatives to roll out very quickly

    without major re-engineering of the network each time. By contrast,

    networks built on best-of-breed strategies may promise higher performance in

    a specific device, but cannot be counted on to deliver these sophisticated

    features end-to-end in a multivendor environment. Cisco AVVID supports

    standards to provide for migration and the incorporation of Internet business

    integrators, but the added intelligent network services offered by an end-to-

    end Cisco AVVID solution go far beyond what can be achieved in a best-of-

    breed environment.

    Internet middleware layer: The next section, including service control and

    communication services, is a key part of any networking architecture,

    providing the software and tools to break down the barriers of complexity

    arising from new technology. These combined layers provide the tools for

    integrators and customers to tailor their network infrastructure and customize

    intelligent network services to meet application needs. These layers manage

    access, call setup and teardown, perimeter security, prioritization and

    bandwidth allocation, and user privileges. Software such as distributed

    customer contact suites, messaging solutions, and multimedia and

    collaboration tools provides capabilities and a communication foundation that

    enable interaction between users and a variety of application platforms. In a

    best-of-breed strategy, many of these capabilities must be individually

    configured or managed. In traditional proprietary schemes, vendors dictated

    these layers, limiting innovation and responsiveness.

    Rapid deployment of Internet business solutions depends on consistent

    service control and communication services capabilities throughout the

    network. These capabilities are often delivered by Cisco from servers

    distributed throughout the network. The service control and communication

    services layers are the glue that joins the Internet technology layers of the

    Cisco AVVID framework with the Internet business solutions, in effect

    tuning the network infrastructure and intelligent network services to the needs

    of the Internet business solutions. In turn, the Internet business solutions are

    adapted for the best performance and availability on the network

    infrastructure by exploiting the end-to-end services available through the

    Cisco AVVID framework.

    Internet business integrators: As part of the open ecosystem, it is imperative

    to enable partners with Cisco AVVID. Cisco realizes the crucial requirement

    to team with integrators, strategic partners, and customers to deliver complete

    Internet business solutions. Cisco AVVID offers a guide for these interactions by

    describing a consistent set of services and capabilities that form a basis for

    many types of partner relationships.

    Internet business solutions: Enterprise customers are deploying Internet business

    solutions to re-engineer their organizations. The applications associated with

    Internet business solutions are not provided by Cisco, but are enabled, accelerated,


    and delivered through Cisco AVVID. The ability for companies to move their

    traditional business models to Internet business models and to deploy Internet

    business solutions is key to their survival. Cisco AVVID is the architecture upon

    which e-businesses build Internet business solutions that can be easily deployed

    and managed. Ultimately, the more Internet business solutions that are delivered,

    the more efficiently and effectively companies will increase productivity and

    added value.


    Cisco AVVID Overview


    The Internet is creating tremendous business opportunities for Cisco and Cisco

    customers. Internet business solutions such as e-commerce, supply chain

    management, e-learning, and customer care are dramatically increasing

    productivity and efficiency.

    Cisco AVVID is the one enterprise architecture that provides the intelligent

    network infrastructure for today's Internet business solutions. As the industry's

    only enterprise-wide, standards-based network architecture, Cisco AVVID

    provides the roadmap for combining customers' business and technology

    strategies into one cohesive model.


    Cisco AVVID Benefits


    With Cisco AVVID, customers have a comprehensive roadmap for enabling

    Internet business solutions and creating a competitive advantage. There are four

    Cisco AVVID benefits:

    Integration: By leveraging the Cisco AVVID architecture and applying the

    network intelligence inherent in IP, companies can develop comprehensive

    tools to improve productivity.

    Intelligence: Traffic prioritization and intelligent networking services

    maximize network efficiency for optimized application performance.

    Innovation: Customers have the ability to adapt quickly in a changing

    business environment.

    Interoperability: Standards-based application programming interfaces (APIs)

    enable open integration with third-party developers, providing customers

    with choice and flexibility.

    Combining the network infrastructure and services with new-world applications,

    Cisco AVVID accelerates the integration of technology strategy with business

    vision.


    SAFE Blueprint Overview

    Building on Cisco AVVID, the SAFE framework provides a secure migration path for companies to implement converged voice, video, and data networks.

    SAFE is a flexible framework that empowers companies to securely, reliably, and cost-effectively take advantage of the Internet economy.

    SAFE integrates scalable, high-performance security services throughout the e-business infrastructure.

    SAFE is enhanced by a rich ecosystem of products, partners, and services that enable companies to implement secure e-business infrastructures today.

    SAFE is a flexible, dynamic security blueprint for networks, which is based on

    Cisco AVVID. SAFE enables businesses to securely and successfully take

    advantage of e-business economies and compete in the Internet economy.

    As the leader in networking for the Internet, Cisco is ideally positioned to help

    companies secure their networks. The SAFE blueprint, in conjunction with an

    ecosystem of best-of-breed, complementary products, partners, and services,

    ensures that businesses can deploy robust, secure networks in the Internet age.


    SAFE Benefits

    Provides a proven, detailed blueprint to securely compete in the Internet economy

    Provides the foundation for migrating to secure, cost-effective, converged networks

    Enables organizations to stay within their budgets by deploying a modular, scalable security framework in stages

    Delivers protection at every access point to the network through best-in-class security products and services

    There are several major benefits in implementing the SAFE blueprint for secure

    e-business:

    Provides the foundation for migrating to secure, affordable, converged

    networks

    Enables companies to cost-effectively deploy a modular, scalable security

    framework in stages

    Delivers integrated network protection via high-level security products and

    services


    SAFE Modular Blueprint

    [Figure: the SAFE modular blueprint. Enterprise campus: building, building distribution, management, server, core, and edge distribution modules. Enterprise edge: e-commerce, corporate Internet, VPN and remote access, and WAN modules. Service provider edge: ISP A, ISP B, PSTN, and Frame Relay or ATM.]

    The SAFE Blueprint provides a robust security blueprint that builds on Cisco

    AVVID. SAFE layers are incorporated throughout the Cisco AVVID

    infrastructure:

    Infrastructure layer: Intelligent, scalable security services in Cisco platforms,

    such as routers, switches, firewalls, intrusion detection systems, and

    other devices

    Appliances layer: Incorporation of key security functionality in mobile

    hand-held devices and remote PC clients

    Service control layer: Critical security protocols and APIs that enable

    security solutions to work together cohesively

    Applications layer: Host- and application-based security elements that

    ensure the integrity of critical e-business applications

    To facilitate rapidly deployable, consistent security throughout the enterprise,

    SAFE consists of modules that address the distinct requirements of each network

    area. By adopting a SAFE blueprint, security managers do not need to redesign the

    entire security architecture each time a new service is added to the network. With

    modular templates, it is easier and more cost-effective to secure each new service

    as it is needed and to integrate it with the overall security architecture.

    One of the unique characteristics of the SAFE blueprint is that it is the first

    industry blueprint that recommends exactly which security solutions should be

    included in which sections of the network, and why they should be deployed. Each

    module in the SAFE blueprint is designed specifically to provide maximum

    performance for e-business, while at the same time enabling enterprises to

    maintain security and integrity.


    SAFE Blueprint and Ecosystem

    [Figure: the SAFE blueprint and ecosystem. Cisco AVVID system architecture layers: appliances or clients, infrastructure, service control, applications, directory, and operations. Ecosystem: Cisco programs and services, Security Associate solutions, and integration partners. Solutions: secure e-commerce, secure supply chain management, and secure intranet for workforce optimization.]

    Cisco has opened its Cisco AVVID architecture and SAFE blueprint to key third-

    party vendors to create a security solutions ecosystem to spur development of

    best-in-class multiservice applications and products. The Cisco AVVID

    architecture and SAFE blueprint provide interoperability for third-party hardware

    and software using standards-based media interfaces, APIs, and protocols. This

    ecosystem is offered through the Security and Virtual Private Network (VPN)

    Associate Program, an interoperability solutions program that provides Cisco

    customers with tested and certified, complementary products for securing their

    businesses. The ecosystem enables businesses to design and roll out secure

    networks that best fit their business model and enable maximum agility.


    Cisco AVVID Partner Program: Security and VPN Products

    [Figure: partner product categories, shown as interoperating and coexisting with Cisco security and VPN products.]

    Identity: strong authentication, PKI

    Application security: host and server protection

    Security management and monitoring: event logging, reporting, and analysis

    Secure connectivity: wired and wireless VPNs

    Perimeter security: content filtering, personal firewall

    The Security and VPN Solutions Set within the Cisco AVVID Partner Program is

    an interoperability solutions program developed to deliver comprehensive security

    and VPN solutions for Cisco networks to Cisco customers.

    This program is a key component of the SAFE strategy in that it provides a rich

    ecosystem of products, partners, and services that empowers companies to

    securely, reliably, and cost-effectively take advantage of the Internet Economy.

    The program provides the assurance that security solutions making up Partner

    products have been tested and verified to be interoperable with Cisco security

    products, and add distinct value to Cisco networks. The goal is to enable Cisco

    customers to securely take advantage of the expanding e-business marketplace.

    The security and VPN solutions created through this interoperability program are

    focused on critical business applications such as e-commerce, secure remote

    access, intranets, extranets, and supply-chain integration and management. As a

    result, the solutions categories currently targeted in the program include those that

    customers continue to request and deploy in their networks:

    Identity solutions: Include authentication, authorization, and Public Key

    Infrastructure (PKI) solutions such as smart cards, hard and soft tokens,

    authentication servers, and Certificate Authority (CA) servers

    Application security solutions: Include products such as server and host

    protection applications

    Perimeter security solutions: Include products such as URL filtering,

    e-mail filtering, and virus scanning applications

    Security management and monitoring solutions: Include products that support

    syslog reporting, event analysis, reporting, and secure remote administration

    Secure connectivity solutions: Include products such as VPN client software and

    wireless VPN products


    Cisco AVVID Partner Program: Security and VPN Services

    [Figure: partner security services, shown as compatible with Cisco security solutions.]

    Policy and procedure

    Outsourced monitoring and management

    Application and code review

    Incident response

    The security services offered through the AVVID Partner Program are focused on

    specific areas of security services available in the industry. As a result, the

    services categories currently targeted include those that customers continue to

    request and deploy in their organizations:

    Application and code review: Examines and analyzes the security structure and

    vulnerabilities of hardware and software systems

    Outsourced monitoring and management: Provides third-party management,

    monitoring of security infrastructure with incident notification, or both

    Policy and procedures: Provides assistance with reviewing and building

    robust and effective security policies and practices

    Incident response: Responds to and mitigates attacks on systems and

    networks


    Cisco AVVID Partner Program: Security and VPN Services (cont.)

    [Figure: further partner security services, shown as compatible with Cisco security solutions.]

    Vulnerability assessment

    Design and implementation

    Competitive counter-intelligence

    Business impact and risk assessment

    Business impact and risk assessment: Correlates the security state of the

    network to its impact on broad business processes

    Vulnerability assessment: Provides proactive audit and analysis of the

    current security state of a system or network

    Competitive counter-intelligence: Assesses the vulnerability to compromise

    from knowledge-based attacks

    Design and implementation: Provides assistance with the architecture,

    design, and implementation of security products and technologies


    CCO Links

    www.cisco.com/go/avvid

    www.cisco.com/go/safe

    www.cisco.com/go/avvidpartners

    www.cisco.com/warp/public/779/largeent/partner/esap/secvpn.html


    Summary

    This section summarizes what you learned in this chapter.


    Network security is necessary because the proliferation of the Internet has made information systems easily accessible and vulnerable to attacks.

    The four basic threats to network security are: unstructured, structured, external, and internal.

    The three basic attack types are: reconnaissance, access, and denial of service.

    Some access methods used by hackers are: application holes, passwords, and poorly administered services.


    Summary (cont.)

    Network security is a continuous process built around a security policy.

    Cisco IDS is part of the monitor phase of the Security Wheel.

    Cisco AVVID is a standards-based enterprise architecture that accelerates the integration of business and technology strategies.

    Cisco SAFE, which is based on Cisco AVVID, is a flexible, dynamic security blueprint for networks.


    3 Intrusion Detection and the Cisco Intrusion Detection System Environment

    Overview

    This chapter explains what the Cisco Intrusion Detection System (CIDS) is and

    what its major components are.

    This chapter includes the following topics:

    Objectives

    Intrusion detection basics

    CIDS overview

    CIDS Sensor platforms

    CIDS Director platforms

    CIDS PostOffice

    Summary


    Objectives

    This section lists the chapter's objectives.


    Upon completion of this chapter, you will be able to perform the following tasks:

    Define intrusion detection.

    Name the differences between profile-, signature-, host-, and network-based intrusion detection.

    Describe the CIDS functions and features.


    Objectives (cont.)

    Name all CIDS Sensor platform models and describe their features.

    Name all CIDS Director platforms and describe their features.

    List the functions and features of the PostOffice protocol.

    Name and define the two parts of the PostOffice protocol addressing scheme.


    Intrusion Detection Basics

    This section discusses basic intrusion detection concepts and terminology.


    Intrusion Detection

    Ability to detect attacks against networks

    Three types of network attacks: reconnaissance, access, denial of service

    Intrusion detection is the ability to detect attacks against your network. There are

    three types of network attacks:

    Reconnaissance attacks: An intruder is attempting to discover and map

    systems, services, or vulnerabilities.

    Access attacks: An intruder attacks networks or systems to retrieve data, gain

    access, or escalate access privileges.

    Denial of service (DoS) attacks: An intruder attacks your network in such a

    way that damages or corrupts your computer system, or denies you and others

    access to your networks, systems, or services.


    Profile-Based Intrusion Detection

    Also known as anomaly detection

    Activity deviates from a profile of normal activity

    Requires creation of statistical user profiles

    Prone to a high number of false positives

    Difficult to define normal activity

    Profile-based intrusion detection generates an alarm when activity on the network

    goes outside of the profile. By collecting examples of user and network activity,

    you can build a profile of normal activity. For instance, a web server farm would

    typically generate web (HTTP) traffic. A profile could be created to monitor web

    traffic. Another example is a network segment where the users are help desk

    technicians. The help desk technicians' primary job function is to monitor e-mail

    requests. A profile could be created to monitor mail (SMTP) traffic.

    The problem with this method of intrusion detection is that users do not feel a

    responsibility to follow a profile. Humans do not consistently keep to a normal

    pattern; consequently, what may be defined as normal activity today might not be

    normal activity tomorrow. Simply put: there is too much variation in the way users

    act on the network for this type of detection to be effective. For instance, some

    help desk technicians may access the web or telnet to systems in order to

    troubleshoot problems. Based on the profile created, this type of network activity

    would trigger alarms although the alarms are likely to be benign.


    Signature-Based Intrusion Detection

    Also known as misuse detection

    Matches patterns of malicious activity

    Requires creation of misuse signatures

    Less prone to false positives

    Based on the signature's ability to match malicious activity

    Signature-based intrusion detection is less prone to false positives when detecting

    unauthorized activity. A signature is a set of rules pertaining to typical intrusion

    activity. Highly skilled network engineers research known attacks and

    vulnerabilities and can develop signatures to detect these attacks and

    vulnerabilities.

    CIDS implements signatures that can look at every packet going through the

    network and generate alarms when necessary. CIDS generates alarms when a

    specific pattern or signature occurs. You can configure CIDS to exclude signatures

    and modify signature parameters to work optimally in your network environment.
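    To make the contrast between the two detection methods concrete, the following

    Python program is an added example written for this guide; it is not CIDS code and

    it does not reproduce any CIDS signature. It runs both methods over a constructed

    set of connection records: signature detection matches two hypothetical payload

    signatures (a directory-traversal request on port 80 and an SMTP VRFY probe) plus

    a stateful port-sweep rule, while profile detection learns the destination ports

    each segment used during a "normal" training period and alarms on anything else.

    The help desk segment is profiled as SMTP-only, as in the text, so the technicians'

    web and telnet sessions appear as anomaly alarms even though they are benign. The

    flow records, segment names, signature names, and thresholds are all invented.

```python
"""Signature-based versus profile-based detection over constructed flow records.

Added example for this chapter; not CIDS code and not a real signature set.
"""
import re
from collections import defaultdict

# Constructed connection records (not real captures). Each record is one TCP
# connection: source, destination, destination port, the network segment the
# source belongs to, and the first bytes of client payload.
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "192.0.2.80", "dport": 80, "segment": "helpdesk",
     "payload": "GET /mail/ HTTP/1.0"},
    {"src": "10.1.1.10", "dst": "192.0.2.25", "dport": 25, "segment": "helpdesk",
     "payload": "HELO helpdesk.example.com"},
    {"src": "10.1.1.11", "dst": "192.0.2.50", "dport": 23, "segment": "helpdesk",
     "payload": "login: admin"},
    {"src": "198.51.100.7", "dst": "192.0.2.80", "dport": 80, "segment": "internet",
     "payload": "GET /cgi-bin/../../../../etc/passwd HTTP/1.0"},
    {"src": "198.51.100.7", "dst": "192.0.2.25", "dport": 25, "segment": "internet",
     "payload": "VRFY root"},
] + [
    # One external host touching many ports on one target: a port sweep.
    {"src": "198.51.100.9", "dst": "192.0.2.50", "dport": p, "segment": "internet",
     "payload": ""}
    for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389)
]

# Constructed traffic from a "normal" period, used only to build the profile:
# the help desk segment only talks SMTP, the Internet side only reaches 80/25.
TRAINING_FLOWS = [
    {"src": "10.1.1.10", "dst": "192.0.2.25", "dport": 25, "segment": "helpdesk", "payload": ""},
    {"src": "10.1.1.11", "dst": "192.0.2.25", "dport": 25, "segment": "helpdesk", "payload": ""},
    {"src": "203.0.113.5", "dst": "192.0.2.80", "dport": 80, "segment": "internet", "payload": ""},
    {"src": "203.0.113.6", "dst": "192.0.2.25", "dport": 25, "segment": "internet", "payload": ""},
]

# Hypothetical misuse signatures: a destination port plus a payload pattern.
SIGNATURES = [
    {"name": "HTTP directory traversal", "dport": 80,
     "pattern": re.compile(r"(\.\./){2,}")},
    {"name": "SMTP VRFY user probe", "dport": 25,
     "pattern": re.compile(r"^VRFY\s+\S+", re.IGNORECASE)},
]
SWEEP_THRESHOLD = 10  # distinct destination ports from one source to one host


def signature_alerts(flows, signatures=SIGNATURES, sweep_threshold=SWEEP_THRESHOLD):
    """Misuse detection: alarm only when a flow matches a known-bad pattern."""
    alerts = []
    ports_seen = defaultdict(set)  # (src, dst) -> destination ports touched
    for flow in flows:
        for sig in signatures:
            if flow["dport"] == sig["dport"] and sig["pattern"].search(flow["payload"]):
                alerts.append({"type": "signature", "name": sig["name"],
                               "src": flow["src"], "dst": flow["dst"]})
        ports_seen[(flow["src"], flow["dst"])].add(flow["dport"])
    # Stateful signature: a reconnaissance sweep is only visible across flows.
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= sweep_threshold:
            alerts.append({"type": "signature", "name": "TCP port sweep",
                           "src": src, "dst": dst, "ports": len(ports)})
    return alerts


def build_profile(training_flows):
    """Anomaly detection, step 1: record which destination ports each segment used."""
    profile = defaultdict(set)
    for flow in training_flows:
        profile[flow["segment"]].add(flow["dport"])
    return dict(profile)


def profile_alerts(flows, profile):
    """Anomaly detection, step 2: alarm on any flow outside the learned profile."""
    alerts = []
    for flow in flows:
        allowed = profile.get(flow["segment"])
        if allowed is not None and flow["dport"] not in allowed:
            alerts.append({"type": "anomaly", "segment": flow["segment"],
                           "src": flow["src"], "dst": flow["dst"], "dport": flow["dport"]})
    return alerts


if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE_FLOWS):
        print(alert)
    for alert in profile_alerts(SAMPLE_FLOWS, build_profile(TRAINING_FLOWS)):
        print(alert)
```

    Run as a script, the signature method reports exactly the three hostile events

    and nothing about the help desk. The profile method catches the port sweep

    (nine of its eleven ports fall outside the learned set) but says nothing about

    the traversal or the VRFY probe, because both ride on ports the profile

    considers normal, and it raises two alarms on legitimate help desk activity.

    That is the trade-off the two slides describe.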


    Host-Based Intrusion Detection

    [Figure: host-based deployment. An agent runs on each host in the corporate network, including the DNS server and the WWW server, behind a firewall that separates the corporate network from the untrusted network.]

Host-based intrusion detection is the auditing of local and host log files. An advantage of host-based intrusion detection is that it can monitor operating system processes and protect critical system resources, including files that may only exist on that specific host. A simple form of host-based intrusion detection is enabling system logging on the host. However, it can become manpower intensive to recover and analyze these logs. Host-based intrusion detection software requires that agent software be installed on each host to monitor activity performed on and against the host. The agent software performs the intrusion detection analysis and protection of the host. Less manpower is required when using software than the simple form, but it can still be overwhelming to manage in a large enterprise network.

Although physical access to any computer system practically guarantees access to the system information, physical protection of all critical servers and network devices is paramount to ensure information security.


Network-Based Intrusion Detection

[Figure: network-based intrusion detection. Sensors are placed in the corporate network (which also holds CSPM, the DNS server and the WWW server) and at the firewall facing the untrusted network.]

Network-based intrusion detection involves the deployment of probing devices or sensors throughout the network, which analyze the traffic as it moves by. Sensors detect unauthorized activity in real time and can take action when required.

CIDS is a network-based intrusion detection product designed for deployment throughout the enterprise. Sensors can be deployed at designated network points that enable security managers to see network activity while it is occurring, no matter where the target of the attack is located.

CIDS gives security managers real-time insight into their network no matter how the network may grow. Network growth can occur either by adding additional hosts or by adding new networks. Additional hosts added to existing protected networks would be covered without any new Sensors. Sensors can easily be deployed to protect the new network.


CIDS Overview

This section describes the CIDS functions and features: intrusion detection, alarm display, alarm logging, intrusion response, and remote Sensor configuration.

CIDS

[Figure: a hacker on the untrusted network attacks targets on the protected network. The Sensor's monitoring interface watches that traffic; its command and control interface talks to CSPM, where the operator sees the alarms.]

CIDS involves the real-time monitoring of network packets. Sensors have two interfaces: monitoring, and command and control. The monitoring port captures the network packets for intrusion detection analysis. The command and control port sends alarms and commands to the Director platform. The Director platform is the management software used to configure, log, and display alarms generated by Sensors.

The following steps describe the basic CIDS intrusion detection process:

Step 1 The Sensor captures network packets through its monitoring interface.

Step 2 Packets are reassembled, if required, and compared against a rule set indicating typical intrusion activity.

Step 3 If an attack is detected, the Sensor logs it and notifies the Director platform through the command and control interface.

Step 4 The Director platform alarms, logs, and takes action if an attack is detected.

When CIDS analyzes network data, it looks for patterns of attacks. Patterns can be as simple as an attempt to access a specific port on a specific host, or as complex as sequences of operations directed at multiple hosts over an arbitrary period of time.


CIDS Capabilities

The CIDS has the following capabilities:

Displays and logs alarms
Responds to intrusion attempts
Terminates sessions
Blocks the attacking host
Creates an IP log
Configures Sensors remotely


Alarm Display and Logging

[Figure: alarm display (alarms are displayed in CSPM) and alarm logging (alarms can be logged on the Sensor, in a log file, and on CSPM, in a database).]

After a Sensor detects an attack, it can respond in the following user-configurable ways:

Alarms are generated by the Sensor and are sent to one or more remote Director platforms where they are displayed on a graphical user interface. The alarms are color-coded based on the defined severity. This provides you with a quick visual representation of the alarms triggered.

Alarm information can also be saved in text log files on both the Sensor and the Director platform. Logging allows you to easily archive the data, write custom scripts to extract alarm data specific to your site, and monitor attacks via a command-line tool such as the UNIX command tail.


Intrusion Response

[Figure: intrusion response options. TCP Reset: automatic kill of the offending session. Blocking: auto or manual block of the offending IP address, with the router denying the attacker.]

The Sensor can be configured to respond automatically to specific signatures in the following three ways:

TCP Reset: The Sensor can reset individual TCP connections upon detection of an attack and eliminate the threat.

IP Blocking: The Sensor can work in conjunction with a Cisco IOS router to deny a specific host or network entry into the protected network.

Note: Blocking requires careful review before it is deployed, whether as an automatic response or through operational guidelines for the staff. To implement blocking, the Sensor dynamically reconfigures and reloads a Cisco IOS router's access control list. This type of automated response by the Sensor should only be configured for attack signatures with a low probability of false positive detection. In case of any suspicious activity that does not trigger automatic blocking, you can use the Director platform to block manually. CIDS can be configured to never block specific hosts or networks. This safety mechanism prevents denial of service attacks using the CIDS infrastructure.
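As an added illustration of the note above (not code from the guide or from CIDS itself), the following Python decision logic shows how a never-block list and a per-signature false-positive rating gate automatic blocking, and what a deny entry for a host or a whole network looks like. The addresses, the signature names and the ACL number are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed never-block list (hypothetical addresses): the Director, the
# managed router and the public servers must stay reachable; otherwise an
# attacker who spoofs their addresses could have CIDS cut them off.
NEVER_BLOCK = [ip_network(n) for n in ("10.0.0.0/24", "192.0.2.53/32")]


@dataclass(frozen=True)
class Signature:
    """Constructed signature record: only signatures with a low probability
    of false positives are eligible for automatic blocking."""
    name: str
    low_false_positive: bool


# Constructed signature table; the names are hypothetical, not CIDS IDs.
SIGNATURES = {
    "buffer-overflow-attempt": Signature("buffer-overflow-attempt", True),
    "port-sweep": Signature("port-sweep", False),
}


def blocking_decision(src, sig_name):
    """Decide how the Sensor should respond to an alarm from src.

    Returns one of:
      "never"  - the address is protected by the never-block list
      "auto"   - automatic blocking is appropriate for this signature
      "manual" - leave it to the operator to block from the Director
    """
    addr = ip_address(src)
    if any(addr in net for net in NEVER_BLOCK):
        return "never"
    sig = SIGNATURES[sig_name]
    return "auto" if sig.low_false_positive else "manual"


def ios_deny_entry(target, acl=199):
    """Illustrative IOS extended-ACL line denying a host or a whole network.

    The ACL number and the exact entries CIDS pushes to a managed router are
    not shown in the guide; this is only the shape of such a line."""
    net = ip_network(target, strict=False)
    if net.num_addresses == 1:
        return f"access-list {acl} deny ip host {net.network_address} any"
    return f"access-list {acl} deny ip {net.network_address} {net.hostmask} any"


def respond(src, sig_name):
    """Return the ACL entry to push, or None when no automatic block applies."""
    if blocking_decision(src, sig_name) != "auto":
        return None
    return ios_deny_entry(src)
```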


Intrusion Response (cont.)

[Figure: IP logging, the automatic capture of suspicious host or network traffic to a session log.]

IP Logging: IP session logs are used to gather information about unauthorized use. When specific signatures are triggered, the Sensor can be configured to write every incoming and outgoing packet to an IP session log for a predefined period of time.


Remote Sensor Configuration

CIDS allows for remote Sensor configuration through the Director platforms. For instance, using Cisco Secure Policy Manager (CSPM) you can manage the configuration of all Sensors. CSPM also enables you to create different signature templates to be saved and applied as needed. This enables you to maintain multiple versions of signature settings for each Sensor or group of Sensors. For example, you could have one configuration for normal working hours and another for after-hours. Either can be enabled or disabled as needed from CSPM. You can also experiment with different settings and revert to a previous version if there are problems.


CIDS Sensor Platforms

This section names all CIDS Sensor platform models and describes their features.

Sensor Platform Features

Intrusion detection: packet monitoring, signature matching, fragment/packet re-assembly
Intrusion response: alarm or log, auto or manual response
Hardware appliance design: tuned for ID performance, security hardened, ease of maintenance

Two main components make up CIDS: the Sensor and the Director platform. The Sensor is the most critical component because it detects, responds to, and reports unauthorized activity to a Director platform. It uses a rules-based engine to distill large volumes of IP network traffic into meaningful security events. It detects unauthorized activity by sniffing or capturing raw traffic from the network and then analyzing it for intrusion detection signatures in real time. The Sensor, if configured to do so, re-assembles packets before the signature analysis is performed, thus avoiding a potential intrusion detection defeating technique.

When signatures are triggered, the Sensor logs the event and sends an alarm notification to a Director platform. It can automatically terminate the TCP session that triggered the signature, block the IP address by dynamically creating an access control list (ACL) in a managed Cisco IOS router, or both. Sensors can also log an IP session that triggers a signature. An operator may manually block host or network IP addresses that generated alarms.

All Sensor platforms are hardware appliances that are tuned for performance, have been security hardened, and are designed for ease of maintenance. The hardware, including CPU and memory, for each appliance was selected for optimal performance of intrusion detection analysis. The appliance's host operating system was also configured securely to protect against possible attacks.


4200 Series Sensors

Cisco offers a complete line of dedicated intrusion detection appliances. The 4200 Series Sensors come in three versions: the IDS-4230, and IDS-4210. The following table shows the differences between the Sensors:

                                     IDS-4230                    IDS-4210
Intrusion detection performance      100 Mbps                    45 Mbps
Processor                            Dual Pentium III 600 MHz    Single Celeron 566 MHz
Memory                               512 MB                      256 MB
Monitoring network interface cards   10/100 Ethernet,            10/100 Ethernet
                                     single attached FDDI,
                                     dual attached FDDI
Chassis                              4 U                         1 U


Catalyst 6000 IDS Module

Fully integrated line card
Multi-VLAN visibility
Full signature set
Common configuration and monitoring
ID Performance: 100 Mbps
No switching performance impact

The IDS Module (IDSM) for the Catalyst 6000 Family of switches is designed specifically to address switched environments by integrating the IDS functionality directly into the switch and taking traffic right off the switch back-plane, thus bringing both switching and security functionality into the same chassis.

Similar to how the CIDS Sensors operate, IDSM detects unauthorized activity traversing the network, such as attacks by hackers, and sends alarms to a Director platform with details of the detected event. You specify the network traffic that must be inspected by the IDS module using the Catalyst operating system Switch Port Analyzer (SPAN) functionality or the virtual LAN (VLAN) access control list (ACL) capture feature. VLAN ACLs allow for very granular traffic monitoring by providing you the ability to filter interesting traffic based on the IP address and network service.

In addition, IDSM can be managed and monitored by the same Director platform as the Sensors, allowing customers to deploy both appliance Sensors and IDSM to monitor critical subnets throughout their enterprise network.

The IDSM can analyze 100 Mbps of traffic for intrusion detection. It does not impact switch performance, because it is a passive monitoring module that inspects copies of packets and is not in the switch-forwarding path.


CIDS Director Platforms

This section names all CIDS Director platforms and describes their features.

Cisco Secure Policy Manager

Software application, Windows NT 4.0 platform
Remote Sensor configuration and control
Alarm notification and management

The Director platform is the management software used to configure, log, and display alarms generated by Sensors. The Director platforms are Cisco Secure Policy Manager (CSPM) and CIDS Director for UNIX.

CSPM is a Windows NT 4.0-based application that provides scalable, comprehensive security policy management for Cisco Secure PIX Firewalls, Cisco IOS routers with the IOS Firewall feature or the Cisco Secure Integrated Virtual Private Network (VPN) Software, and IDS Sensors. This course covers only the use of CSPM as a Director platform. As such, CSPM provides a centralized GUI for the management of intrusion detection across a distributed network.

CSPM enables you to remotely control all Sensor configurations. You use the Add Sensor wizard to define Sensors in the Network Topology Tree (NTT) and you can use the panels on each Sensor node to configure device-specific settings. In addition, you can define Sensor signature templates and apply those templates to one or more sensors defined in the NTT.

The Event Viewer in CSPM provides a mechanism to view alarms generated by CIDS components in real time. The Event Viewer presents the alarms in a configurable grid to enable multiple views and instances.


CIDS Director for UNIX

Software application, HP OpenView on Solaris or HPUX platform
Remote Sensor configuration and control
Alarm notification and management

CIDS Director for UNIX is an HP OpenView application that runs on Solaris or HPUX, which, like CSPM, provides a centralized GUI for the management of intrusion detection across a distributed network.

It enables you to centrally manage the configuration of all the Sensors reporting to it. The CIDS Configuration Management Utility (nrConfigure) also allows different configurations to be saved and applied as needed. This enables you to maintain multiple versions of configurations for each device.

The Director for UNIX provides a GUI to view real-time alarms as they are generated by CIDS components on an HP OpenView submap.


Feature Comparison

Feature                    CSPM               Director for UNIX
Severities                 Low-Medium-High    1 through 5
Signature Templates        Yes                No
Configuration Versioning   No                 Yes
Local Logging              Database           Text File
Alarm Forwarding           Yes                Yes
Generate SNMP Traps        Yes                Yes

CSPM and the Director for UNIX differ in many ways other than just the operating system that they run on. Severities in CSPM are assigned Low, Medium, or High levels, whereas in the Director for UNIX a number between 1 through 5 is assigned, where 1 is the lowest severity and 5 is the highest.

CSPM enables you to create signature templates that can be shared between Sensors, so that if you change a template it is automatically applied to all Sensors referencing it. The Director for UNIX enables you to save multiple complete configuration versions for the Sensors that can be applied as needed.

The logged alarms in CSPM are saved in a database, and as text files in the Director for UNIX. Alarm forwarding, the ability of the Director to send alarms to another Director, is available in the Director for UNIX but not on CSPM.

CSPM and the UNIX Director both have alarm forwarding and SNMP trap capability. In CSPM, the SNMP traps are possible via custom script execution. You must create a custom script that generates an SNMP trap to be sent to a Network Management station.

Note: Refer to the Event Notification and Alarm Reporting chapter for more details on configuring CSPM for script execution.


CIDS PostOffice

This section describes the functions and features of the PostOffice protocol.

PostOffice Protocol

[Figure: Sensors and the Director exchange PostOffice message types (command, error, command log, alarm, IP log, redirect, heartbeat) over command and control communications on UDP 45000, separate from the network monitoring interface facing the Internet.]

CIDS services and hosts communicate with one another using the PostOffice protocol. The services are the IDS software daemons that exist on the Sensors and Director platforms.

PostOffice uses the UDP transport on port 45000. The following are the types of messages that are sent using the PostOffice protocol:

Command messages
Error messages
Command log messages
Alarm messages
IP log messages
Redirect messages
Heartbeat messages

Note: The PostOffice port number is configurable; however, it is recommended to accept the default to avoid potential configuration problems.


PostOffice Features

Reliability: acknowledges every message sent
Redundancy: can send alarms to up to 255 destinations
Fault tolerance: up to 255 IP addresses to a single destination; when the primary address fails, switches to the secondary address

[Figure: an alarm is sent and received; when primary communication is down, the Sensor switches to the secondary IP address of the Director.]

The PostOffice protocol is designed to guarantee the transmission of messages to the intended recipient; therefore, it expects an acknowledgement from the receiver for every message sent. If no acknowledgement is received within a predetermined length of time, the message is resent until the acknowledgement is received.

The PostOffice protocol enables Sensors to propagate messages to up to 255 destinations. This feature allows for redundant alarm notifications, which ensure that the appropriate personnel are notified when an alarm is received.

With the PostOffice protocol you can have up to 255 alternate IP addresses to a single host. The alternate routing protocol automatically switches to the next IP address whenever the current connection fails. It also uses a system watchdog to detect when a connection to the preferred IP address is reestablished, at which time it reverts back to the primary address.


PostOffice Host Addressing

[Figure: four CIDS devices with their numeric and alphanumeric identifiers: Host ID 10 / Host Name director in Org ID 200 / Org Name acme-noc; Host ID 10 / Host Name director in Org ID 100 / Org Name cisco; Host ID 20 / Host Name sensor2 in Org ID 100 / Org Name cisco; Host ID 30 / Host Name sensor3 in Org ID 100 / Org Name cisco.]

Numeric: Host ID, Organization ID
Alpha: Host Name, Organization Name
Combination of host ID and Org ID must be unique
Host, Organization, and Application ID are used together to route PostOffice traffic

You must assign each CIDS device a unique numeric identifier. This unique numeric identifier is a combination of a host identification and an organization identification. With every host identification and organization identification combination, there is an associated alphanumeric identifier consisting of a host name and an organization name. The following are descriptions of the individual identifiers:

Host ID: A numeric identifier greater than zero for each CIDS device.

Organization ID: A numeric identifier greater than zero for a collection of CIDS devices. It can be used to group a number of CIDS devices together under the same number for easy identification purposes.

Host Name: An alphanumeric identifier for each CIDS device. The name chosen here is typically one that contains the word "sensor" or "director" so you can easily identify the device type.

Organization Name: An alphanumeric identifier for a group of CIDS devices. The name chosen here is typically one that describes the name of the company where the device is installed or the name of the department within the company where the device is installed.
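The following Python model is an added example, not Cisco's PostOffice implementation. It covers this addressing scheme (host ID and organization ID greater than zero, the combination unique) together with the reliability, redundancy and fault-tolerance behaviour described under PostOffice Features (every message acknowledged and resent until it is, up to 255 destinations, up to 255 alternate addresses per host, and a watchdog that reverts to the preferred address). The host names beyond those in the figure, the IP addresses and the link reachability are constructed.

```python
from dataclasses import dataclass

MAX_ALTERNATES = 255     # alternate IP addresses per destination host
MAX_DESTINATIONS = 255   # destinations a Sensor can propagate a message to


@dataclass(frozen=True)
class PostOfficeId:
    """Numeric host/organization IDs with their alphanumeric names."""
    host_id: int
    org_id: int
    host_name: str
    org_name: str

    def __post_init__(self):
        if self.host_id <= 0 or self.org_id <= 0:
            raise ValueError("host ID and organization ID must be greater than zero")


class Registry:
    """Enforces that the (host ID, organization ID) combination is unique."""
    def __init__(self):
        self._ids = {}

    def register(self, ident):
        key = (ident.host_id, ident.org_id)
        if key in self._ids:
            raise ValueError(f"host/org ID {key} already assigned")
        self._ids[key] = ident
        return key


class Destination:
    """A Director host: one preferred IP address plus alternates, tried in order."""
    def __init__(self, ident, preferred, alternates, link_up):
        if len(alternates) > MAX_ALTERNATES:
            raise ValueError("at most 255 alternate addresses per host")
        self.ident = ident
        self.addresses = [preferred, *alternates]
        self.link_up = link_up    # constructed reachability: ip -> bool
        self.current = 0          # index of the address currently in use
        self.received = []        # (ip, message) pairs that were acknowledged

    def deliver(self, ip, message):
        """Model one transmission; True stands for the acknowledgement."""
        if not self.link_up.get(ip, False):
            return False
        self.received.append((ip, message))
        return True


def send(dest, message, max_attempts=4):
    """Resend until acknowledged, moving to the next address after each timeout.
    Returns the IP that acknowledged, or None if every attempt timed out."""
    for _ in range(max_attempts):
        ip = dest.addresses[dest.current]
        if dest.deliver(ip, message):
            return ip
        dest.current = (dest.current + 1) % len(dest.addresses)
    return None


def watchdog(dest):
    """Revert to the preferred address once it is reachable again."""
    if dest.link_up.get(dest.addresses[0], False):
        dest.current = 0
    return dest.addresses[dest.current]


def propagate(destinations, message):
    """Redundant notification: the same alarm goes to every Director."""
    if len(destinations) > MAX_DESTINATIONS:
        raise ValueError("at most 255 destinations")
    return {d.ident.host_name: send(d, message) for d in destinations}
```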

    The host and organizat