8/10/2019 CISCO IDS student guide.pdf
1/601
CSIDS
Cisco Secure Intrusion
Detection System
Version 2.1
Student Guide
Text Part Number: 67-0002-01
Cisco Systems, Inc.
170 W Tasman Drive
San Jose, CA 95134-1706 USA
The products and specifications, configurations, and other technical information regarding the products in this
manual are subject to change without notice. All statements, technical information, and recommendations in this
manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must
take full responsibility for your application of any products specified in this manual.
LICENSE
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL,
DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU AGREE
TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH
THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF
PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable license
to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (Software),
Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on
a single central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco.
You may make one (1) archival copy of the Software provided. You affix to such copy all copyright,
confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED
ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE;
REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR
RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE MATERIALS.
You agree that aspects of the licensed Materials, including the specific design and structure of individual
programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or
otherwise make available such trade secrets or copyrighted material in any form to any third party without the
prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade secrets
and copyrighted Material. Title to the Materials shall remain solely with Cisco.
This License is effective until terminated. You may terminate this License at any time by destroying all copies of
the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any
provision of this License. Upon termination, You must destroy all copies of the Materials.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export
Administration Act and its associated regulations, and may be subject to export or import regulations in other
countries. You agree to comply strictly with all such regulations and acknowledge that You have the responsibility to
obtain licenses to export, re-export, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of California, United
States of America, as if performed wholly within the state and without giving effect to the principles of conflict
of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall
remain in full force and effect. This License constitutes the entire License between the parties with respect to the
use of the Materials.
Restricted Rights - Cisco's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its
supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S.
Government is subject to the restrictions as set forth in subparagraph C of the Commercial Computer Software
- Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. Government's
rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical
Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.
DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO
AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS
OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL,
EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall Cisco's or its suppliers' liability to You, whether in contract, tort (including
negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even if the
above-stated warranty fails of its essential purpose.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found
to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are
designed to provide reasonable protection against harmful interference when the equipment is operated in a
commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not
installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference, in
which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual
generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation
instructions, it may cause interference with radio and television reception. This equipment has been tested and
found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the
FCC rules. These specifications are designed to provide reasonable protection against such interference in a
residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco's written authorization may result in the equipment no longer complying
with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may
be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it
was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes
interference to radio or television reception, try to correct the interference by using one or more of the following
measures:
Turn the television or radio antenna until the interference stops.
Move the equipment to one side or the other of the television or radio.
Move the equipment farther away from the television or radio.
Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make
certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate
your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University
of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights
reserved. Copyright 1981, Regents of the University of California.
AccessPath, Any to Any, AtmDirector, the CCIE logo, CD-PAC, Centri, the CiscoCapital logo, CiscoLink, the
Cisco NetWorks logo, the Cisco Powered Network logo, the Cisco Press logo, ClickStart, ControlStream,
DAGAZ, Fast Step, FireRunner, IGX, IOS, JumpStart, Kernel Proxy, LoopRunner, MGX, Natural Network
Viewer, Cisco Secure IDS, NetSonar, Packet, PIX, Point and Click Internetworking, Policy Builder,
RouteStream, Secure Script, SMARTnet, SpeedRunner, Stratm, StreamView, TheCell, TrafficDirector,
TransPath, VirtualStream, VlanDirector, Workgroup Director, and Workgroup Stack are trademarks; Changing
the Way We Work, Live, Play, and Learn and Empowering the Internet Generation are service marks; and BPX,
Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco Systems logo, Enterprise/Solver,
EtherChannel, FastHub, ForeSight, FragmentFree, IP/TV, IPX, LightStream, MICA, Phase/IP, StrataSphere,
StrataView Plus, and SwitchProbe are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other
countries. All other trademarks mentioned in this document are the property of their respective owners.
Cisco Secure Intrusion Detection System: Student Guide
Copyright © 2001, Cisco Systems, Inc.
All rights reserved. Printed in USA.
1
Course Introduction
Overview
This chapter includes the following topics:
Course objectives
Course agenda
Participant responsibilities
General administration
Graphic symbols
Participant introductions
Lab topology
1-2 Cisco Secure Intrusion Detection System 2.1 Copyright © 2001, Cisco Systems, Inc.
Course Objectives
This section introduces the course and the course objectives.
2001, Cisco Systems, Inc. www.cisco.com CSIDS 2.11-3
Course Objectives
Upon completion of this course, you will be able to perform the following tasks:
Install and configure CSPM and the CIDS Sensor in multiple network configurations.
Use CSPM to centrally manage and configure multiple Sensors.
Configure the CIDS Sensor to detect, respond to, and report intrusion activity.
Use CSPM to translate intrusion data into intuitive and effective graphical displays.
Use the CIDS NSDB to view signature and network security vulnerability information.
Course Objectives (cont.)
Develop and implement customized intrusion detection signatures.
Configure the CIDS Sensor in device management mode to interface with a Cisco IOS router to stop network attacks.
Configure the Catalyst 6000 IDS Module for the Catalyst 6000 family of switches to perform intrusion detection in multiple VLANs.
Understand the CIDS architecture and the relationship between configuration files and tokens.
Configure Event Notification in CSPM and generate Alarm Reports.
Course Agenda
Chapter 1: Course Introduction
Chapter 2: Introduction to Network Security
Chapter 3: Intrusion Detection and the Cisco IDS Environment
Chapter 4: Cisco Secure Policy Manager Installation
Chapter 5: Cisco IDS Sensor Installation
Chapter 6: Alarm Management
Chapter 7: Cisco IDS Signatures
Course Agenda (cont.)
Chapter 8: Sensor Configuration
Chapter 9: Signature and Intrusion Detection Configuration
Chapter 10: IP Blocking Configuration
Chapter 11: Catalyst 6000 IDS Module Configuration
Chapter 12: Cisco IDS Architecture
Chapter 13: Event Notification and Alarm Reporting
Student Responsibilities
Participant Responsibilities
Complete prerequisites
Participate in lab exercises
Ask questions
Provide feedback
General Administration
Class-related
Sign-in sheet
Length and times
Break and lunch room locations
Attire
Facilities-related
Participant materials
Site emergency procedures
Restrooms
Telephones/faxes
Graphic Symbols (figure legend): Ethernet link, Router, PIX Firewall, CIDS Sensor, Internet, Server, Student workstation/server, CIDS Director, CSPM, IDS Switch Module
Participant Introductions
Your name
Your company
Pre-req skills
Brief history
Objective
Lab Topology
This section explains the lab topology that is used in this course.
Lab Visual Objective (figure): two mirrored pods, Pod P (your pod) and Pod Q (peer pod). Each pod has a
router (rP, rQ) whose interfaces e0/0 and e0/1 join the pod network 10.0.P.0/24 (addresses .1 and .4 appear
on it) and the shared 172.30.1.0/24 network (router address .10P). The CSPM host is 10.0.P.3 with
Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP (peer pod: 10.0.Q.3, Host ID = 3, Org ID = Q,
Host Name = cspmQ, Org Name = podQ). The pod's sensorP and idsmP are shown at .6 (sensorQ and idsmQ in the peer pod).
Each pair of students will be assigned a pod. The P in a command indicates your
pod number. The Q in a command indicates the pod number of your peer.
2
Network Security and Cisco Intrusion Detection
Overview
This chapter covers information on network security, what network security is,
and why you need network security. In addition, this chapter discusses the need
for continuous network security and how the Cisco Intrusion Detection System
(CIDS) helps achieve this.
This chapter includes the following topics:
Objectives
Need for network security
Attack types and methods
The Cisco Security Wheel
Cisco AVVID and SAFE
Summary
Objectives
This section lists the chapter's objectives.
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Describe the need for network security.
Describe the four types of security threats.
Describe attack methods and techniques used by hackers.
Describe the purpose of the Cisco Security Wheel and how it illustrates security as a continuous process.
Objectives (cont.)
Name methods and devices for securing networks.
Identify the phase of the Security Wheel in which CIDS is designed to function.
Describe the purpose for testing security policies once they are applied to the network.
Describe the Cisco AVVID architecture.
Describe the SAFE framework.
Need for Network Security
This section explains why network security is needed.
Security Incidents on the Rise
The Internet has made networked computers accessible and vulnerable to anyone in the world.
Network security is necessary because the Internet has made networked computers
accessible from and vulnerable to any other computer in the world. As companies
become more Internet-reliant, new threats arise from persons who no longer
require physical access to a company's computer assets.
Four Basic Types of Threats
There are four primary network security threats:
Unstructured threats
Structured threats
External threats
Internal threats
There are four primary threats to network security:
Unstructured threats
Structured threats
External threats
Internal threats
Unstructured threats consist of mostly inexperienced individuals using easily
available hacking tools such as shell scripts and password crackers.
Some of the hackers in this category are motivated by malicious intent, but most
are motivated by the intellectual challenge and fun of it and are known as script
kiddies. Script kiddies are not the most experienced or knowledgeable hackers.
They download these easily executable scripts from numerous hacker Web sites
for free. The script kiddie's reasoning is: why battle monsters in the latest
computer game when you can test your battle skills against real targets?
Even unstructured threats that are only executed with the intent of testing and
challenging a script kiddie's skills can still do a lot of damage to a company. For
example, if your company's external Web site is hacked, your company's integrity
is damaged. Even if your external Web site is separate from your internal
information that sits behind a protective firewall, the public does not know that.
All they know is that if your Web site was hacked, your Web site obviously is not
safe enough to do business in.
Structured threats come from hackers who are more highly motivated and
technically competent. They know vulnerabilities, and can understand and develop
exploit-code and scripts. Typically hackers act alone or in small groups. They
understand, develop, and use sophisticated hacking techniques to penetrate
unsuspecting businesses. These groups are often involved with the major fraud
and theft cases reported to law enforcement agencies. Occasionally, these hackers
are hired by organized crime, industry competitors, or state-sponsored intelligence
organizations.
External threats are individuals or organizations working from outside of your
company. They do not have authorized access to your computer systems or
network. They work their way into a network mainly from the Internet or dialup
access servers. These are the type of threats that people spend the most time and
money protecting themselves against.
Internal threats occur when someone has authorized access to the network with
either an account on a server or physical access to the wire. They are typically
disgruntled former or current employees or contractors. According to the FBI,
internal access and misuse account for between 60 and 80 percent of reported
incidents.
The only perfectly secure computer is one that is unplugged and in a locked vault.
All computer systems and network devices must be protected.
Access
Unauthorized data manipulation, system access, or privilege escalation
Access is an all-encompassing term that refers to unauthorized data manipulation,
system access, or privilege escalation. Unauthorized data retrieval is simply
reading, writing, copying, or moving files that are not intended to be accessible to
the intruder. Sometimes this is as easy as finding shared folders in Windows 9x or
NT, or NFS exported directories in UNIX systems with read or read and write
access to everyone. The intruder will have no problems getting to the files and,
more often than not, the accessible information is highly confidential and
completely unprotected from prying eyes, especially if the attacker is already an
internal user.
System access is the ability for an unauthorized intruder to gain access to a device
for which the intruder does not have an account or password. Entering or
accessing systems to which one does not have access usually involves running a
hack, script, or tool that exploits a known vulnerability of the system or
application being attacked.
Another form of access attack involves privilege escalation. Privilege escalation
occurs when a user obtains privileges or rights to objects that were not assigned to
the user by an administrator. Objects can be files, commands, or other components
on a network device. The intent is to gain access to information or execute
procedures for which they are not authorized at their current level of access. In
many cases this involves gaining administrative privileges to a system or device to
install sniffers, create backdoor accounts, or delete log files.
In some cases intruders want to gain access without necessarily wanting to steal
informationespecially when the motive is intellectual challenge, curiosity, or
ignorance.
Denial of Service
Disable or corrupt networks, systems, or services
Denial of service (DoS) is when an attacker disables or corrupts networks,
systems, or services with the intent to deny the service to intended users. It usually
involves either crashing the system or slowing it down to the point that it is
unusable. But DoS can also be as simple as wiping out or corrupting information
necessary for business. In most cases, performing the attack simply involves
running a hack, script, or tool, and the attacker does not need prior access to the
target because all that is usually required is a way to get to it. For these reasons
and because of their great damaging potential, DoS attacks are the most feared,
especially by e-commerce web site operators.
Access Methods
Exploit easily guessed passwords
Default
Brute force
Exploit mis-administered services
IP services
Trust relationships
File sharing
Access methods are varied and run the entire gamut between simple command-
line hacks to sophisticated tools with nice user interfaces. Usually, the first line of
defense when it comes to access attacks is strong authentication. In many cases
user passwords are too easily guessed by attempting to enter default passwords or
brute force attacks. These attacks involve attempting to log on to a host with a
common user name and then trying different password combinations that are
commonly used. This technique is especially effective if the attacker has some
prior knowledge about the user being targeted.
Exploiting misadministered services is simply taking advantage of services that
are poorly installed and administered by novice or unknowing administrators. One
of the easiest services to exploit is file sharing. Too often users share their files by
creating a shared folder or directory with full access to everyone, and sometimes a
user does not realize that others can access the folder. This can be prevented with
password-protected shares, or sharing only with intended users. Other common
misadministered services are anonymous FTP and TFTP servers, SNMP,
Windows registry access, and trust relationships.
Access Methods (cont.)
Exploit application holes
Mishandled input data
Access outside application domain, buffer overflows, race conditions
Protocol weaknesses
Fragmentation, TCP session hijack
Trojan horses
Programs that introduce an inconspicuous backdoor into a host
Application security holes have been around since the first piece of software was
written. These holes are usually a result of unanticipated behavior of software
code or unexpected inputs. An example of this is a program that breaks out into a
root shell when receiving an out-of-band input. Protocol weaknesses are also types
of application holes. An example of this is IP fragmentation and TCP session
hijack. The attacker is taking advantage of protocol design deficiencies that the
original designers did not anticipate. Finally, Trojan horses are used to gain
unauthorized access by tricking a legitimate user into running trojanized programs that
install or open back doors for attackers to secretly break in. The attackers then
come in through the back door, in many cases circumventing any authentication
procedures.
Denial of Service Methods
Resource Overload
Disk space, bandwidth, buffers
Ping floods, SYN flood, UDP bombs
Unsolicited Commercial E-mail (UCE)
Fragmentation or Impossible Packets
Large ICMP packets
IP fragment overlay
Same Source and Destination IP packet
DoS attack methods include everything from simple one-line commands to
sophisticated programs written by knowledgeable hackers.
Common resource overload attacks include ping floods (smurf), TCP SYN floods
(neptune), and packet storms (UDP bomb and fraggle). Unsolicited Commercial
E-mail (UCE), often referred to as spam, attempts to overload mail servers.
Some attacks that generate fragmented or impossible packets are ping of death,
winnuke, land, and teardrop. One infamous hack tool, targa, combines eight attacks
in one: bonk, winnuke, teardrop, land, jolt, nestea, newtear, and syndrop.
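The "impossible packet" attacks named above can be recognized from the IPv4 header alone, which is what a network sensor does. The following Python program is an added example, not code from the Cisco course or its Sensor: it decodes the fixed IPv4 header and applies three checks, land (source and destination address identical), ping of death (a fragment whose offset plus length would reassemble to more than 65535 bytes) and teardrop (a fragment overlapping one already seen for the same datagram). The packets it examines are constructed in-line with made-up addresses; nothing is captured or sent.

```python
"""Recognise land, ping-of-death and teardrop packets from the IPv4 header.

Added example (not code from the Cisco course). Packets are constructed
in-line for the demonstration; nothing is captured or transmitted.
"""
import struct
from collections import defaultdict

IP_MAX_LEN = 65535          # largest datagram IPv4 can describe
MF_FLAG = 0x2000            # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF        # 13-bit fragment offset, in 8-byte units
IPV4_FMT = "!BBHHHBBH4s4s"  # the fixed 20-byte IPv4 header


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields needed for the checks."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "mf": bool(flags_off & MF_FLAG),
        "offset": (flags_off & OFFSET_MASK) * 8,   # byte offset of this fragment
        "payload_len": max(total_len - ihl, 0),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


class ImpossiblePacketDetector:
    """Stateless land / ping-of-death checks plus per-datagram fragment tracking."""

    def __init__(self):
        # (src, dst, id, proto) -> list of (start, end) byte ranges already seen
        self._frags = defaultdict(list)

    def check(self, pkt: bytes) -> list:
        h = parse_ipv4(pkt)
        alarms = []
        if h["src"] == h["dst"]:
            alarms.append("land: same source and destination IP")
        start = h["offset"]
        end = start + h["payload_len"]
        if end > IP_MAX_LEN:
            alarms.append("ping-of-death: reassembled datagram exceeds 65535 bytes")
        if h["mf"] or start > 0:                  # this packet is a fragment
            key = (h["src"], h["dst"], h["id"], h["proto"])
            if any(start < e and s < end for s, e in self._frags[key]):
                alarms.append("teardrop: overlapping fragment")
            self._frags[key].append((start, end))
        return alarms


def build_ipv4(src, dst, payload_len, ident=1, offset=0, mf=False, proto=1):
    """Construct a test packet: IPv4 header (checksum left zero) plus a zero payload."""
    assert offset % 8 == 0, "fragment offsets are carried in 8-byte units"

    def octets(addr):
        return bytes(int(o) for o in addr.split("."))

    flags_off = (MF_FLAG if mf else 0) | (offset // 8)
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, flags_off,
                         64, proto, 0, octets(src), octets(dst))
    return header + b"\x00" * payload_len


def run_demo() -> dict:
    """Feed constructed packets (made-up addresses) through one detector."""
    det = ImpossiblePacketDetector()
    samples = [
        ("benign", build_ipv4("10.0.1.4", "10.0.2.3", 64)),
        ("land", build_ipv4("10.0.1.4", "10.0.1.4", 40)),
        # last fragment placed at offset 65528 with 100 bytes: 65628 > 65535
        ("ping-of-death", build_ipv4("172.30.1.99", "10.0.1.3", 100, ident=7, offset=65528)),
        # first fragment covers bytes 0-35, second claims bytes 24-47: overlap
        ("teardrop-frag1", build_ipv4("172.30.1.99", "10.0.1.3", 36, ident=9, mf=True)),
        ("teardrop-frag2", build_ipv4("172.30.1.99", "10.0.1.3", 24, ident=9, offset=24)),
    ]
    return {name: det.check(pkt) for name, pkt in samples}


if __name__ == "__main__":
    for name, alarms in run_demo().items():
        print(f"{name:15s} {alarms or 'ok'}")
```

The fragment tracking is keyed on the (source, destination, identification, protocol) tuple that IPv4 reassembly itself uses, so an overlap is only reported between pieces of the same datagram; a real sensor would also expire these entries, which this example omits.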
The Cisco Security Wheel
This section describes why network security should be a continuous process based
on the Security Wheel.
Network Security as a Continuous Process (figure: the Security Wheel, with the
security policy at the hub and four steps around the rim: Step 1 Secure,
Step 2 Monitor, Step 3 Test, Step 4 Improve)
Network security is a continuous process built around a security policy.
Most security incidents occur because system administrators do not implement
available countermeasures, and hackers or disgruntled employees exploit the
oversight. Therefore, the issue is not just one of confirming that a technical
vulnerability exists and finding a countermeasure that works; it is also critical to
verify that the countermeasure is in place and working properly.
This is where the Security Wheel, a continuous security process, is effective.
The Security Wheel not only promotes applying security measures to your
network, but most importantly, it promotes retesting and reapplying updated
security measures on a continuous basis.
To begin this continuous process known as the Security Wheel, you need to create
a security policy that enables the application of security measures. A security
policy needs to accomplish the following tasks:
Identify the organization's security objectives
Document the resources to be protected
Identify the network infrastructure with current maps and inventories
Identify the critical resources that need to be protected (such as research and
development, finance, and human resources)
After the security policy is developed, it becomes the hub upon which the next
four steps of the Security Wheel are based:
Step 1 Secure the system. This involves implementing security devices (firewalls,
identification and authentication systems, Virtual Private Networks (VPNs), and so
on) with the intent to prevent unauthorized access to network systems.
Step 2 Monitor the network for violations and attacks against the corporate security
policy. Violations can occur within the secured perimeter of the network from a
disgruntled employee or from a hacker outside the network. Monitoring the
network with a real-time intrusion detection system such as CIDS helps verify that
the security devices in Step 1 have been configured properly.
Step 3 Test the effectiveness of the security safeguards in place. You can use Cisco
Secure Scanner to identify the security posture of the network with respect to the
security procedures that form the hub of the Security Wheel.
Step 4 Improve corporate security. Collect and analyze information from the monitoring
and testing phases to make security improvements.
All four steps (secure, monitor, test, and improve) should be repeated on a
continuous basis and should be incorporated into updated versions of the corporate
security policy.
Secure the Network (figure: the Security Wheel with the Secure step highlighted)
Implement security solutions: authentication, firewalls, VPNs, patching.
Stop or prevent unauthorized access and activities.
Secure the network by applying the security policy and implementing the
following security solutions:
Authentication: give access to authorized users only (for example, using
one-time passwords).
Firewalls: filter network traffic to allow only valid traffic and services.
Virtual private networks (VPNs): hide traffic contents to prevent unwanted
disclosure to unauthorized or malicious individuals.
Vulnerability patching: apply fixes or measures to stop the exploitation of
known vulnerabilities. This includes turning off services that are not needed
on every system. The fewer services that are enabled, the harder it is for
hackers to gain access.
Monitor Security (figure: the Security Wheel with the Monitor step highlighted)
Detect violations to the security policy: system auditing, real-time intrusion detection.
Validate the security implementation in step one.
Monitoring security involves both active and passive methods of detecting
security violations. The most commonly used active method is to audit host-level
log files. Most operating systems include auditing functionality. System
administrators for every host on the network must turn these on and take the time
to check and interpret the log file entries.
Passive methods include using CIDS to automatically detect intrusion. This
method requires only a small number of network security administrators for
monitoring. CIDS can detect security violations in real time and can be configured
to automatically respond before an intruder does any damage.
An added benefit of network monitoring is the verification that the security
devices implemented in Step 1 of the Security Wheel have been configured and are
working properly.
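Auditing host-level log files, the active method this step describes, is also the most direct way to catch the password guessing listed under Access Methods (default passwords and brute force against a common user name). The following Python program is an added example, not from the Cisco course: it parses constructed OpenSSH-style auth log lines, counts failed logins per source address in a sliding time window, reports a burst over the threshold together with the account names tried, and reports a successful login from a source that has just produced such a burst. The hostname cspmP is borrowed from the lab topology; the addresses, ports, timestamps and log lines are made up for the demonstration.

```python
"""Audit login records for password guessing (default / brute-force attempts).

Added example, not from the Cisco course. The OpenSSH-style log lines,
addresses and ports below are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failed logins from one source ...
WINDOW = 60     # ... within this many seconds raises an alarm

# OpenSSH "Failed/Accepted password" records as written to syslog.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one legitimate login, a burst of guesses against
# root/admin/guest from 172.30.1.99 ending in a success, and two isolated
# failures from a student host half an hour apart.
SAMPLE_LOG = """\
Mar 10 09:00:01 cspmP sshd[1201]: Accepted password for student from 10.0.1.4 port 40001 ssh2
Mar 10 09:01:10 cspmP sshd[1202]: Failed password for root from 172.30.1.99 port 51000 ssh2
Mar 10 09:01:12 cspmP sshd[1203]: Failed password for root from 172.30.1.99 port 51001 ssh2
Mar 10 09:01:14 cspmP sshd[1204]: Failed password for invalid user admin from 172.30.1.99 port 51002 ssh2
Mar 10 09:01:16 cspmP sshd[1205]: Failed password for invalid user guest from 172.30.1.99 port 51003 ssh2
Mar 10 09:01:18 cspmP sshd[1206]: Failed password for root from 172.30.1.99 port 51004 ssh2
Mar 10 09:01:20 cspmP sshd[1207]: Failed password for root from 172.30.1.99 port 51005 ssh2
Mar 10 09:01:25 cspmP sshd[1208]: Accepted password for root from 172.30.1.99 port 51006 ssh2
Mar 10 09:05:00 cspmP sshd[1209]: Failed password for student from 10.0.1.4 port 40002 ssh2
Mar 10 09:30:00 cspmP sshd[1210]: Failed password for student from 10.0.1.4 port 40003 ssh2
"""


def parse_line(line, year=2001):
    """Return {ts, ok, user, ip} for a login record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


class LoginAuditor:
    """Sliding-window count of failed logins per source address."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)   # ip -> deque of (timestamp, user)
        self._reported = set()                # ips whose current burst was reported

    def feed(self, ev):
        """Process one parsed event; return the alarms it triggers."""
        alarms = []
        ip, ts = ev["ip"], ev["ts"]
        q = self._failures[ip]
        while q and (ts - q[0][0]).total_seconds() > self.window:
            q.popleft()                        # expire failures outside the window
        if not q:
            self._reported.discard(ip)         # burst is over; allow a new report
        if ev["ok"]:
            if ip in self._reported:
                alarms.append(f"{ip}: successful login as {ev['user']} after "
                              f"{len(q)} recent failures (possible guessed password)")
            return alarms
        q.append((ts, ev["user"]))
        if len(q) >= self.threshold and ip not in self._reported:
            users = ", ".join(sorted({u for _, u in q}))
            alarms.append(f"{ip}: {len(q)} failed logins in {self.window}s, "
                          f"accounts tried: {users}")
            self._reported.add(ip)
        return alarms


def audit(lines):
    """Run every log line through one auditor and collect the alarms."""
    auditor = LoginAuditor()
    alarms = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            alarms.extend(auditor.feed(ev))
    return alarms


if __name__ == "__main__":
    for alarm in audit(SAMPLE_LOG.splitlines()):
        print(alarm)
```

The burst is reported once per window rather than on every further failure, so a sustained attack does not flood the operator; the second alarm, a success following the burst, is the one worth paging on, because it indicates the guess worked.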
Improve Security (figure: the Security Wheel with the Improve step highlighted)
Use information from the monitor and test phases to make improvements to the
security implementation.
Adjust the security policy as security vulnerabilities and risks are identified.
The improvement phase of the Security Wheel involves analyzing the data
collected during the monitoring and testing phases, and developing and
implementing improvement mechanisms that feed into your security policy and
the securing phase in Step 1. If you want to keep your network as secure as
possible, you must keep repeating the cycle of the Security Wheel, because new
network vulnerabilities and risks are created every day.
With the information collected from the monitoring and testing phases, you can
use CIDS to implement improvements to the security. You can also adjust the
security policy as you uncover new security vulnerabilities and risks.
Intelligent Network Services: The intelligent network services, provided through software that operates on network platforms, are a major benefit of an end-to-end architecture for deploying Internet business solutions. From quality of service (QoS) (prioritization) through security, accounting, and management, intelligent network services reflect the enterprise's business rules and policies in network performance. A consistent set of the services end-to-end through the network is vital if the infrastructure is to be relied upon as a network utility. These consistent services enable new Internet business applications and e-business initiatives to roll out very quickly without a major re-engineering of the network each time. By contrast, networks built on best-of-breed strategies may promise higher performance in a specific device, but cannot be counted on to deliver these sophisticated features end-to-end in a multivendor environment. Cisco AVVID supports standards to provide for migration and the incorporation of Internet business integrators, but the added intelligent network services offered by an end-to-end Cisco AVVID solution go far beyond what can be achieved in a best-of-breed environment.
Internet middleware layer: The next section, including service control and communication services, is a key part of any networking architecture, providing the software and tools to break down the barriers of complexity arising from new technology. These combined layers provide the tools for integrators and customers to tailor their network infrastructure and customize
intelligent network services to meet application needs. These layers manage
access, call setup and teardown, perimeter security, prioritization and
bandwidth allocation, and user privileges. Software, such as distributed
customer contact suites, messaging solutions, and multimedia and
collaboration provide capabilities and a communication foundation that
enable interaction between users and a variety of application platforms. In a
best-of-breed strategy, many of these capabilities must be individually
configured or managed. In traditional proprietary schemes, vendors dictated
these layers, limiting innovation and responsiveness.
Rapid deployment of Internet business solutions depends on consistent
service control and communication services capabilities throughout the
network. These capabilities are often delivered by Cisco from servers
distributed throughout the network. The service control and communication
services layers are the glue that joins the Internet technology layers of the
Cisco AVVID framework with the Internet business solutions, in effect
tuning the network infrastructure and intelligent network services to the needs
of the Internet business solutions. In turn, the Internet business solutions are
adapted for the best performance and availability on the network
infrastructure by exploiting the end-to-end services available through the
Cisco AVVID framework.
Internet business integrators: As part of the open ecosystem, it is imperative to enable partners with Cisco AVVID. Cisco realizes the crucial requirement
to team with integrators, strategic partners, and customers to deliver complete
Internet business. Cisco AVVID offers a guide for these interactions by
describing a consistent set of services and capabilities that form a basis for
many types of partner relationships.
Internet business solutions: Enterprise customers are deploying Internet business
solutions to re-engineer their organizations. The applications associated with
Internet business solutions are not provided by Cisco, but are enabled, accelerated,
and delivered through Cisco AVVID. The ability for companies to move their
traditional business models to Internet business models and to deploy Internet
business solutions is key to their survival. Cisco AVVID is the architecture upon
which e-businesses build Internet business solutions that can be easily deployed
and managed. Ultimately, the more Internet business solutions that are delivered,
the more efficiently and effectively companies will increase productivity and
added value.
Cisco AVVID Overview
The Internet is creating tremendous business opportunities for Cisco and Cisco
customers. Internet business solutions such as e-commerce, supply chain
management, e-learning, and customer care are dramatically increasing
productivity and efficiency.
Cisco AVVID is the one enterprise architecture that provides the intelligent network infrastructure for today's Internet business solutions. As the industry's only enterprise-wide, standards-based network architecture, Cisco AVVID provides the roadmap for combining customers' business and technology strategies into one cohesive model.
Cisco AVVID Benefits
With Cisco AVVID, customers have a comprehensive roadmap for enabling
Internet business solutions and creating a competitive advantage. There are four
Cisco AVVID benefits:
- Integration: By leveraging the Cisco AVVID architecture and applying the network intelligence inherent in IP, companies can develop comprehensive tools to improve productivity.
- Intelligence: Traffic prioritization and intelligent networking services maximize network efficiency for optimized application performance.
- Innovation: Customers have the ability to adapt quickly in a changing business environment.
- Interoperability: Standards-based application programming interfaces (APIs) enable open integration with third-party developers, providing customers with choice and flexibility.
Combining the network infrastructure and services with new-world applications,
Cisco AVVID accelerates the integration of technology strategy with business
vision.
SAFE Blueprint Overview
- Building on Cisco AVVID, the SAFE framework provides a secure migration path for companies to implement converged voice, video, and data networks.
- SAFE is a flexible framework that empowers companies to securely, reliably, and cost-effectively take advantage of the Internet economy.
- SAFE integrates scalable, high-performance security services throughout the e-business infrastructure.
- SAFE is enhanced by a rich ecosystem of products, partners, and services that enable companies to implement secure e-business infrastructures today.
SAFE is a flexible, dynamic security blueprint for networks, which is based on
Cisco AVVID. SAFE enables businesses to securely and successfully take
advantage of e-business economies and compete in the Internet economy.
As the leader in networking for the Internet, Cisco is ideally positioned to help
companies secure their networks. The SAFE blueprint, in conjunction with an
ecosystem of best-of-breed, complementary products, partners, and services,
ensures that businesses can deploy robust, secure networks in the Internet age.
SAFE Benefits
- Provides a proven, detailed blueprint to securely compete in the Internet economy
- Provides the foundation for migrating to secure, cost-effective, converged networks
- Enables organizations to stay within their budgets by deploying a modular, scalable security framework in stages
- Delivers protection at every access point to the network through best-in-class security products and services
There are several major benefits in implementing the SAFE blueprint for secure
e-business:
- Provides the foundation for migrating to secure, affordable, converged networks
- Enables companies to cost-effectively deploy a modular, scalable security framework in stages
- Delivers integrated network protection via high-level security products and services
SAFE Modular Blueprint
[Figure: the SAFE modular blueprint, divided into three areas. Enterprise campus: Building, Building distribution, Management, Server, Core, Edge distribution. Enterprise edge: E-commerce, Corporate Internet, VPN and remote access, WAN. Service provider edge: ISP A, ISP B, PSTN, Frame or ATM]
The SAFE Blueprint provides a robust security blueprint that builds on Cisco
AVVID. SAFE layers are incorporated throughout the Cisco AVVID
infrastructure:
- Infrastructure layer: Intelligent, scalable security services in Cisco platforms, such as routers, switches, firewalls, intrusion detection systems, and other devices
- Appliances layer: Incorporation of key security functionality in mobile hand-held devices and remote PC clients
- Service control layer: Critical security protocols and APIs that enable security solutions to work together cohesively
- Applications layer: Host- and application-based security elements that ensure the integrity of critical e-business applications
To facilitate rapidly deployable, consistent security throughout the enterprise,
SAFE consists of modules that address the distinct requirements of each network
area. By adopting a SAFE blueprint, security managers do not need to redesign the
entire security architecture each time a new service is added to the network. With
modular templates, it is easier and more cost-effective to secure each new service
as it is needed and to integrate it with the overall security architecture.
One of the unique characteristics of the SAFE blueprint is that it is the first
industry blueprint that recommends exactly which security solutions should be
included in which sections of the network, and why they should be deployed. Each
module in the SAFE blueprint is designed specifically to provide maximum
performance for e-business, while at the same time enabling enterprises to
maintain security and integrity.
SAFE Blueprint and Ecosystem
[Figure: the Cisco AVVID system architecture layers (Applications, Directory, Operations, Service control, Infrastructure, Appliances or clients), the ecosystem around them (Cisco programs and services, Security Associate solutions, Integration partners), and the solutions built on top: Secure e-commerce, Secure supply chain management, Secure intranet for workforce optimization]
Cisco has opened its Cisco AVVID architecture and SAFE blueprint to key third-
party vendors to create a security solutions ecosystem to spur development of
best-in-class multiservice applications and products. The Cisco AVVID
architecture and SAFE blueprint provide interoperability for third-party hardware
and software using standards-based media interfaces, APIs, and protocols. This
ecosystem is offered through the Security and Virtual Private Network (VPN)
Associate Program, an interoperability solutions program that provides Cisco
customers with tested and certified, complementary products for securing their
businesses. The ecosystem enables businesses to design and roll out secure
networks that best fit their business model and enable maximum agility.
Cisco AVVID Partner Program: Security and VPN Products
[Figure: partner product categories for interoperability and co-existence with Cisco Security and VPN Products. Identity: Strong Authentication, PKI. Application Security: Host and Server Protection. Security Management and Monitoring: Event logging, Reporting, and Analysis. Secure Connectivity: Wired and Wireless VPNs. Perimeter Security: Content Filtering; Personal Firewall]
The Security and VPN Solutions Set within the Cisco AVVID Partner Program is
an interoperability solutions program developed to deliver comprehensive security
and VPN solutions for Cisco networks to Cisco customers.
This program is a key component of the SAFE strategy in that it provides a rich
ecosystem of products, partners, and services that empowers companies to
securely, reliably, and cost-effectively take advantage of the Internet Economy.
The program provides the assurance that security solutions making up Partner
products have been tested and verified to be interoperable with Cisco security
products, and add distinct value to Cisco networks. The goal is to enable Cisco
customers to securely take advantage of the expanding e-business marketplace.
The security and VPN solutions created through this interoperability program are focused on critical business applications such as e-commerce, secure remote access, intranets, extranets, and supply-chain integration and management. As a result, the solutions categories currently targeted in the program include those that customers continue to request and deploy in their networks:
- Identity solutions: Include authentication, authorization, and Public Key Infrastructure (PKI) solutions such as smart cards, hard and soft tokens, authentication servers, and Certificate Authority (CA) servers
- Application security solutions: Include products such as server and host protection applications
- Perimeter security solutions: Include products such as URL filtering applications, e-mail, and virus scanning applications
- Security management and monitoring solutions: Include products that support Syslog reporting, event analysis, reporting, and secure remote administration
- Secure connectivity solutions: Include products such as VPN client software and wireless VPN products
Cisco AVVID Partner Program: Security and VPN Services
[Figure: security services compatible with Cisco security solutions: Policy and Procedure; Outsourced Monitoring and Management; Application and Code Review; Incident Response]
The security services offered through the AVVID Partner Program are focused on
specific areas of security services available in the industry. As a result, the
services categories currently targeted include those that customers continue to
request and deploy in their organizations:
- Application and code review: Examines and analyzes the security structure and vulnerabilities of hardware and software systems
- Outsourced monitoring and management: Provides third-party management, monitoring of security infrastructure with incident notification, or both
- Policy and procedures: Provides assistance with reviewing and building robust and effective security policies and practices
- Incident response: Responds to and mitigates attacks on systems and networks
Cisco AVVID Partner Program: Security and VPN Services (cont.)
[Figure: further security services compatible with Cisco security solutions: Vulnerability Assessment; Design and Implementation; Competitive Counter-Intelligence; Business Impact and Risk Assessment]
- Business impact and risk assessment: Correlates the security state of the network to impact on broad business processes
- Vulnerability assessment: Provides proactive audit and analysis of the current security state of a system or network
- Competitive counter-intelligence: Assesses the vulnerability to compromise from knowledge-based attacks
- Design and implementation: Provides assistance with the architecture, design, and implementation of security products and technologies
CCO Links
www.cisco.com/go/avvid
www.cisco.com/go/safe
www.cisco.com/go/avvidpartners
www.cisco.com/warp/public/779/largeent/partner/esap/secvpn.html
Summary
This section summarizes what you learned in this chapter.
- Network security is necessary because the proliferation of the Internet has made information systems easily accessible and vulnerable to attacks.
- The four basic threats to network security are: unstructured, structured, external, and internal.
- The three basic attack types are: reconnaissance, access, and denial of service.
- Some access methods used by hackers are: application holes, passwords, and poorly administered services.
Summary (cont.)
- Network security is a continuous process built around a security policy.
- Cisco IDS is part of the monitor phase of the security wheel.
- Cisco AVVID is a standards-based enterprise architecture that accelerates the integration of business and technology strategies.
- Cisco SAFE, which is based on Cisco AVVID, is a flexible, dynamic, security blueprint for networks.
3
Intrusion Detection and the Cisco Intrusion Detection System Environment
Overview
This chapter explains what the Cisco Intrusion Detection System (CIDS) is and
what its major components are.
This chapter includes the following topics:
- Objectives
- Intrusion detection basics
- CIDS overview
- CIDS Sensor platforms
- CIDS Director platforms
- CIDS PostOffice
- Summary
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
- Define what intrusion detection is.
- Name the differences between profile-, signature-, host-, and network-based intrusion detection.
- Describe the CIDS functions and features.
- Name all CIDS Sensor platform models and describe their features.
- Name all CIDS Director platforms and describe their features.
- List the functions and features of the PostOffice protocol.
- Name and define the two parts of the PostOffice protocol addressing scheme.
Intrusion Detection Basics
This section discusses basic intrusion detection concepts and terminology.
Intrusion Detection
- Ability to detect attacks against networks
- Three types of network attacks: reconnaissance, access, and denial of service
Intrusion detection is the ability to detect attacks against your network. There are
three types of network attacks:
- Reconnaissance attacks: An intruder is attempting to discover and map systems, services, or vulnerabilities.
- Access attacks: An intruder attacks networks or systems to retrieve data, gain access, or escalate their access privileges.
- Denial of service (DoS) attacks: An intruder attacks your network in such a way that damages or corrupts your computer system, or denies you and others access to your networks, systems, or services.
Profile-Based Intrusion Detection
- Also known as anomaly detection
- Activity deviates from a profile of normal activity
- Requires creation of statistical user profiles
- Prone to a high number of false positives
- Difficult to define normal activity
Profile-based intrusion detection generates an alarm when activity on the network
goes outside of the profile. By collecting examples of user and network activity,
you can build a profile of normal activity. For instance, a web server farm would
typically generate web (HTTP) traffic. A profile could be created to monitor web
traffic. Another example is a network segment where the users are help desk
technicians. The help desk technicians' primary job function is to monitor e-mail
requests. A profile could be created to monitor mail (SMTP) traffic.
The problem with this method of intrusion detection is that users do not feel a
responsibility to follow a profile. Humans do not consistently keep to a normal
pattern; consequently, what may be defined as normal activity today might not be normal activity tomorrow. Simply put: there is too much variation in the way users
act on the network for this type of detection to be effective. For instance, some
help desk technicians may access the web or telnet to systems in order to
troubleshoot problems. Based on the profile created, this type of network activity
would trigger alarms although the alarms are likely to be benign.
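The following is an added example, not from the course material, that works through the two segments just described with a toy profile-based detector. A profile per segment is learned from baseline flows as the share of traffic per destination port; later flows to a port the baseline never saw, or whose share is far above baseline, raise an alarm. Segment names, ports, flow counts and the deviation ratio are all constructed, and the output shows the failure mode the text describes: most of the alarms are a technician doing their job.

```python
"""Added example, not from the course: a toy profile-based (anomaly)
detector over constructed flow records, written to show why the method
is prone to benign alarms.

Each network segment's profile is learned from baseline flows as the share
of traffic per destination port. Later flows to a port the baseline never
saw, or whose share of the segment's traffic is far above baseline, raise
an alarm. Segment names, ports and flow counts are all constructed."""
from collections import Counter

# Constructed baseline period: (segment, destination port), one tuple per flow.
BASELINE = (
    [("webfarm", 80)] * 95 + [("webfarm", 443)] * 5
    + [("helpdesk", 25)] * 80 + [("helpdesk", 110)] * 20
)

# Constructed observation period. The helpdesk deviations are a technician
# troubleshooting with telnet and the web, exactly the benign case the text
# describes; the webfarm one is an SSH session to a web server.
OBSERVED = (
    [("webfarm", 80)] * 10 + [("webfarm", 443), ("webfarm", 22)]
    + [("helpdesk", 25)] + [("helpdesk", 110)] * 5
    + [("helpdesk", 23), ("helpdesk", 80)]
)


def build_profile(flows):
    """Return {segment: {port: share of that segment's baseline flows}}."""
    counts = {}
    for seg, port in flows:
        counts.setdefault(seg, Counter())[port] += 1
    return {seg: {port: n / sum(c.values()) for port, n in c.items()}
            for seg, c in counts.items()}


def detect(profile, flows, ratio=3.0):
    """Return alarms as (segment, port, reason) tuples.

    Fires for a port the segment's baseline never saw, and for a port whose
    observed share exceeds ratio times its baseline share."""
    observed = {}
    for seg, port in flows:
        observed.setdefault(seg, Counter())[port] += 1
    alarms = []
    for seg, counts in observed.items():
        total = sum(counts.values())
        base = profile.get(seg, {})
        for port, n in sorted(counts.items()):
            share = n / total
            if port not in base:
                alarms.append((seg, port, "port not in baseline profile"))
            elif share > ratio * base[port]:
                alarms.append((seg, port,
                               f"share {share:.2f} exceeds {ratio:g}x baseline {base[port]:.2f}"))
    return alarms


if __name__ == "__main__":
    for alarm in detect(build_profile(BASELINE), OBSERVED):
        print(alarm)
```

Four alarms come out of the sample: SSH to a web server, which is worth a look, and three on the help desk segment (telnet, web, and a swing toward POP3) that are all ordinary work. Widening the ratio or re-baselining removes them, but each such adjustment is exactly the maintenance burden that makes the method hard to keep effective.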
Signature-Based Intrusion Detection
- Also known as misuse detection
- Matches patterns of malicious activity
- Requires creation of misuse signatures
- Less prone to false positives
- Based on the signature's ability to match malicious activity
Signature-based intrusion detection is less prone to false positives when detecting
unauthorized activity. A signature is a set of rules pertaining to typical intrusion
activity. Highly skilled network engineers research known attacks and
vulnerabilities and can develop signatures to detect these attacks and
vulnerabilities.
CIDS implements signatures that can look at every packet going through the
network and generate alarms when necessary. CIDS generates alarms when a
specific pattern or signature occurs. You can configure CIDS to exclude signatures
and modify signature parameters to work optimally in your network environment.
Host-Based Intrusion Detection
[Figure: an untrusted network connected through a firewall to the corporate network, where each host, including the DNS server and WWW server, runs an agent]
Host-based intrusion detection is the auditing of local and host log files. An
advantage of host-based intrusion detection is that it can monitor operating system
processes and protect critical system resources including files that may only exist
on that specific host. A simple form of host-based intrusion detection is enabling
system logging on the host. However, it can become manpower intensive to
recover and analyze these logs. Host-based intrusion detection software requires
agent software be installed on each host to monitor activity performed on and
against the host. The agent software performs the intrusion detection analysis and
protection of the host. Less manpower is required when using software than the
simple form, but it can still be overwhelming to manage in a large enterprise
network.
Because physical access to any computer system practically guarantees access to the information on it, physical protection of all critical servers and network devices is paramount to ensure information security.
Network-Based Intrusion Detection
[Figure: an untrusted network connected through a firewall to the corporate network; Sensors are placed on the network segments, watching traffic to hosts such as the DNS server and WWW server, and report to CSPM]
Network-based intrusion detection involves the deployment of probing devices or
sensors throughout the network, which analyze the traffic as it moves by.
Sensors detect unauthorized activity in real time and can take action when
required.
CIDS is a network-based intrusion detection product designed for deployment
throughout the enterprise. Sensors can be deployed at designated network points
that enable security managers to see network activity while it is occurring no
matter where the target of the attack is located.
CIDS gives security managers real-time insight into their network no matter how
the network may grow. Network growth can occur either by adding additional hosts or by adding new networks. Additional hosts added to existing protected networks
would be covered without any new Sensors. Sensors can easily be deployed to
protect the new network.
CIDS Overview
This section describes the CIDS functions and features: intrusion detection, alarm
display, alarm logging, intrusion response, and remote Sensor configuration.
CIDS
[Figure: a hacker on the untrusted network attacking targets on the protected network; the Sensor's monitoring interface sees the traffic and its command and control interface reports to CSPM, where an operator watches the alarms]
CIDS involves the real-time monitoring of network packets. Sensors have two
interfaces: monitoring and command and control. The monitoring port captures the
network packets for intrusion detection analysis. The command and control port
sends alarms and commands to the Director platform. The Director platform is the
management software used to configure, log, and display alarms generated by
Sensors.
The following steps describe the basic CIDS intrusion detection process:
Step 1 The Sensor captures network packets through its monitoring interface.
Step 2 Packets are reassembled, if required, and compared against a rule set indicating typical intrusion activity.
Step 3 If an attack is detected, the Sensor logs it and notifies the Director platform through the command and control interface.
Step 4 The Director platform alarms, logs, and takes action if an attack is detected.
When CIDS analyzes network data, it looks for patterns of attacks. Patterns can be
as simple as an attempt to access a specific port on a specific host, or as complex
as sequences of operations directed at multiple hosts over an arbitrary period of
time.
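The comparison against a rule set in Step 2, and the two kinds of pattern just described, can be shown in a few dozen lines. The following is an added example and not Cisco code: a toy signature engine with simple signatures that match one packet (a destination port on a host, a byte pattern in a payload) and a stateful signature that keeps per-source state across packets (one source reaching many hosts within a window). It also serves the Signature-Based Intrusion Detection section above, since it shows the two tuning knobs that section mentions: excluding a signature and changing its parameters. Signature ids, names, addresses, the probe string and the packet records are all constructed.

```python
"""Added example, not Cisco code: a toy signature engine showing the two
kinds of pattern the text describes. Simple signatures match a single
packet (a destination port on a host, a byte pattern in a payload);
stateful signatures keep state across packets (here, one source reaching
many hosts within a window). It also shows the two tuning knobs the text
mentions: excluding a signature and changing its parameters. Signature
ids, names, addresses and packet records are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed packet records: (time, src, dst, dst_port, payload).
T0 = datetime(2001, 3, 14, 9, 0, 0)
PACKETS = [
    (T0 + timedelta(seconds=0), "10.9.9.9", "192.168.1.10", 23, b""),
    (T0 + timedelta(seconds=1), "10.9.9.9", "192.168.1.11", 23, b""),
    (T0 + timedelta(seconds=2), "10.9.9.9", "192.168.1.12", 23, b""),
    (T0 + timedelta(seconds=3), "10.9.9.9", "192.168.1.13", 23, b""),
    (T0 + timedelta(seconds=4), "10.9.9.9", "192.168.1.14", 23, b""),
    (T0 + timedelta(seconds=5), "10.9.9.9", "192.168.1.14", 80, b"GET /CONSTRUCTED-PROBE HTTP/1.0"),
    (T0 + timedelta(minutes=5), "10.1.1.5", "192.168.1.20", 80, b"GET /index.html HTTP/1.0"),
]


class Signature:
    """Common fields; enabled=False is how a signature is excluded."""
    def __init__(self, sig_id, name, severity, enabled=True):
        self.sig_id, self.name, self.severity, self.enabled = sig_id, name, severity, enabled


class PortSignature(Signature):
    """Simple pattern: a packet to one destination port, optionally on one host."""
    def __init__(self, sig_id, name, severity, port, host=None, **kw):
        super().__init__(sig_id, name, severity, **kw)
        self.port, self.host = port, host

    def check(self, pkt):
        _, _, dst, dport, _ = pkt
        return dport == self.port and (self.host is None or dst == self.host)


class ContentSignature(Signature):
    """Simple pattern: a byte string anywhere in the payload."""
    def __init__(self, sig_id, name, severity, pattern, **kw):
        super().__init__(sig_id, name, severity, **kw)
        self.pattern = pattern

    def check(self, pkt):
        return self.pattern in pkt[4]


class SweepSignature(Signature):
    """Stateful pattern: one source contacts >= threshold distinct hosts within window."""
    def __init__(self, sig_id, name, severity, threshold=5, window=timedelta(seconds=60), **kw):
        super().__init__(sig_id, name, severity, **kw)
        self.threshold, self.window = threshold, window
        self.hosts_by_src = defaultdict(dict)  # src -> {dst: last time seen}
        self.fired = set()                     # fire once per source

    def check(self, pkt):
        ts, src, dst, _, _ = pkt
        hosts = self.hosts_by_src[src]
        hosts[dst] = ts
        for stale in [h for h, t in hosts.items() if ts - t > self.window]:
            del hosts[stale]  # forget hosts outside the window
        if len(hosts) >= self.threshold and src not in self.fired:
            self.fired.add(src)
            return True
        return False


def default_signatures():
    """A fresh signature set (fresh each call, because the stateful one carries state)."""
    return [
        PortSignature(1001, "telnet to DMZ host", "low", port=23, host="192.168.1.14"),
        ContentSignature(2001, "constructed probe string", "medium", pattern=b"CONSTRUCTED-PROBE"),
        SweepSignature(3001, "host sweep", "high", threshold=5),
    ]


def run_engine(signatures, packets):
    """Return alarms as (time, sig_id, severity, src, dst) in detection order."""
    alarms = []
    for pkt in packets:
        for sig in signatures:
            if sig.enabled and sig.check(pkt):
                alarms.append((pkt[0], sig.sig_id, sig.severity, pkt[1], pkt[2]))
    return alarms
```

With the default set the sample traffic raises three alarms: the telnet signature on the fifth packet, the sweep signature on the same packet (the source has now touched five hosts in a minute), and the content signature on the sixth. Setting enabled to False on the telnet signature excludes it, and raising the sweep threshold to ten keeps that signature quiet on this traffic, which is the parameter tuning the text refers to.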
CIDS Capabilities
CIDS has the following capabilities:
- Displays and logs alarms
- Responds to intrusion attempts
  - Terminates sessions
  - Blocks the attacking host
  - Creates an IP session log
- Configures Sensors remotely
Alarm Display and Logging
[Figure: alarm display (alarms are displayed in CSPM) and alarm logging (alarms can be logged on the Sensor and on CSPM, to a log file or a database)]
After a Sensor detects an attack, it can respond in the following user-configurable
ways:
- Alarms are generated by the Sensor and are sent to one or more remote Director platforms where they are displayed on a graphical user interface. The alarms are color-coded based on the defined severity. This provides you with a quick visual representation of the alarms triggered.
- Alarm information can also be saved in text log files on both the Sensor and the Director platform. Logging allows you to easily archive the data, write custom scripts to extract alarm data specific to your site, and monitor attacks via a command-line tool such as the UNIX command tail.
Intrusion Response
[Figure: two automatic responses. TCP Reset: kill the session (automatic kill of the offending session). Blocking: block the attacker (auto or manual block of the offending IP address, applied as a deny on the router)]
The Sensor can be configured to respond automatically to specific signatures in
the following three ways:
TCP ResetThe Sensor can reset individual TCP connections upon detection
of an attack and eliminate the threat.
IP BlockingThe Sensor can work in conjunction with a Cisco IOS router to
deny a specific host or network entry into the protected network.
Note: Blocking requires careful review before it is deployed, whether as an automatic response or through operational guidelines for the staff. To implement blocking, the Sensor dynamically reconfigures and reloads a Cisco IOS router's access control list. This type of automated response by the Sensor should only be configured for attack signatures with a low probability of false positive detection. In case of any suspicious activity that does not trigger automatic blocking, you can use the Director platform to block manually. CIDS can be configured to never block specific hosts or networks. This safety mechanism prevents denial of service attacks using the CIDS infrastructure.
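The blocking policy the note describes (automatic blocking only for signatures with a low false-positive rate, manual blocking from the Director otherwise, and a never-block list that always wins), as an added Python example that is not part of this guide or of CIDS; the signature IDs, ratings, addresses and the simplified IOS ACL rendering are constructed assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed policy: which signatures may trigger an automatic block.  The
# signature IDs and false-positive ratings are illustrative, not CIDS values.
AUTO_BLOCK_SIGNATURES = {
    1001: "low",   # hypothetical signature with a low false-positive rate
    1002: "high",  # hypothetical noisy signature: manual review only
}

# Never-block list: the safety mechanism that stops the blocking feature from
# being turned into a denial of service against critical hosts.  Sample values.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.10/32",      # Director platform
    "10.0.0.53/32",      # internal DNS server
    "192.168.100.0/24",  # partner network
)]

@dataclass
class Alarm:
    sig_id: int
    src_ip: str

def is_never_block(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)

def block_decision(alarm: Alarm, manual: bool = False) -> tuple[str, str]:
    """Decide how an alarm's source address is treated.

    Returns (action, reason) with action one of 'auto-block', 'manual-block'
    or 'no-block'.  The never-block list is checked first and overrides both
    automatic blocking and an operator's manual request from the Director.
    """
    if is_never_block(alarm.src_ip):
        return "no-block", f"{alarm.src_ip} is on the never-block list"
    if AUTO_BLOCK_SIGNATURES.get(alarm.sig_id) == "low":
        return "auto-block", f"signature {alarm.sig_id} has a low false-positive rate"
    if manual:
        return "manual-block", "operator-requested block from the Director"
    return "no-block", f"signature {alarm.sig_id} requires manual review"

def acl_lines(blocked: list[str], acl_number: int = 199) -> list[str]:
    """Render blocked hosts as a simplified Cisco IOS ACL: one deny entry per
    host followed by the permit-any that keeps legitimate traffic flowing.
    Illustrative only; not the exact ACL that CIDS writes to the router."""
    lines = [f"access-list {acl_number} deny ip host {ip} any" for ip in blocked]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines
```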
Intrusion Response (cont.)

[Slide: IP logging: automatic capture of suspicious host or network traffic to a session log.]

- IP Logging: IP session logs are used to gather information about unauthorized use. When specific signatures are triggered, the Sensor can be configured to write every incoming and outgoing packet to an IP session log for a predefined period of time.
Remote Sensor Configuration
CIDS allows for remote Sensor configuration through the Director platforms. For
instance, using Cisco Secure Policy Manager (CSPM) you can manage the
configuration of all Sensors. CSPM also enables you to create different signature
templates to be saved and applied as needed. This enables you to maintain
multiple versions of signature settings for each Sensor or group of Sensors. For
example, you could have one configuration for normal working hours and another
for after-hours. Either can be enabled or disabled as needed from CSPM. You can
also experiment with different settings and revert to a previous version if there are
problems.
CIDS Sensor Platforms
This section names all CIDS Sensor platform models and describes their features.
Sensor Platform Features

[Slide: Intrusion detection: packet monitoring, signature matching, fragment/packet reassembly. Intrusion response: alarm or log, automatic or manual response. Hardware appliance design: tuned for ID performance, security hardened, ease of maintenance.]
Two main components make up CIDS: the Sensor and the Director platform. The Sensor is the most critical component because it detects, responds to, and reports unauthorized activity to a Director platform. It uses a rules-based engine to distill large volumes of IP network traffic into meaningful security events. It detects unauthorized activity by sniffing or capturing raw traffic from the network and then analyzing it for intrusion detection signatures in real time. The Sensor, if configured to do so, reassembles packets before the signature analysis is performed, thus defeating a technique that could otherwise be used to evade intrusion detection.

When signatures are triggered, the Sensor logs the event and sends an alarm notification to a Director platform. It can automatically terminate the TCP session that triggered the signature, block the IP address by dynamically creating an access control list (ACL) in a managed Cisco IOS router, or both. Sensors can also log an IP session that triggers a signature. An operator may manually block host or network IP addresses that generated alarms.

All Sensor platforms are hardware appliances that are tuned for performance, have been security hardened, and are designed for ease of maintenance. The hardware, including CPU and memory, for each appliance was selected for optimal performance of intrusion detection analysis. The appliance's host operating system was also configured securely to protect against possible attacks.
4200 Series Sensors

Cisco offers a complete line of dedicated intrusion detection appliances. The 4200 Series Sensors come in three versions: the IDS-4230 and the IDS-4210. The following table shows the differences between the Sensors:

                                    IDS-4230                   IDS-4210
Intrusion detection performance     100 Mbps                   45 Mbps
Processor                           Dual Pentium III 600 MHz   Single Celeron 566 MHz
Memory                              512 MB                     256 MB
Monitoring network interface cards  10/100 Ethernet,           10/100 Ethernet
                                    single attached FDDI,
                                    dual attached FDDI
Chassis                             4 U                        1 U
Catalyst 6000 IDS Module

[Slide: fully integrated line card; multi-VLAN visibility; full signature set; common configuration and monitoring; ID performance: 100 Mbps; no switching performance impact.]
The IDS Module (IDSM) for the Catalyst 6000 Family of switches is designed
specifically to address switched environments by integrating the IDS functionality
directly into the switch and taking traffic right off the switch back-plane, thus
bringing both switching and security functionality into the same chassis.
Similar to how the CIDS Sensors operate, IDSM detects unauthorized activity
traversing the network, such as attacks by hackers, and sends alarms to a Director
platform with details of the detected event. You specify the network traffic that
must be inspected by the IDS module using the Catalyst operating system Switch
Port Analyzer (SPAN) functionality or virtual LAN (VLAN) access control list
(ACL) capture feature. VLAN ACLs allow for very granular traffic monitoring by providing you the ability to filter interesting traffic based on the IP address and
network service.
In addition, IDSM can be managed and monitored by the same Director platform
as the Sensors, allowing customers to deploy both appliance Sensors and IDSM to
monitor critical subnets throughout their enterprise network.
The IDSM can analyze 100 Mbps of traffic for intrusion detection. It does not
impact switch performance, because it is a passive monitoring module that
inspects copies of packets and is not in the switch-forwarding path.
CIDS Director Platforms
This section names all CIDS Director platforms and describes their features.
Cisco Secure Policy Manager

[Slide: software application on a Windows NT 4.0 platform; remote Sensor configuration and control; alarm notification and management.]
The Director platform is the management software used to configure, log, and
display alarms generated by Sensors. The Director platforms are Cisco Secure
Policy Manager (CSPM) and CIDS Director for UNIX.
CSPM is a Windows NT 4.0-based application that provides scalable, comprehensive security policy management for Cisco Secure PIX Firewalls, Cisco
IOS routers with the IOS Firewall feature or the Cisco Secure Integrated Virtual
Private Network (VPN) Software, and IDS Sensors. This course covers only the
use of CSPM as a Director platform. As such, CSPM provides a centralized GUI
for the management of intrusion detection across a distributed network.
CSPM enables you to remotely control all Sensor configurations. You use the Add
Sensor wizard to define Sensors in the Network Topology Tree (NTT) and you
can use the panels on each Sensor node to configure device-specific settings. In
addition, you can define Sensor signature templates and apply those templates to
one or more sensors defined in the NTT.
The Event Viewer in CSPM provides a mechanism to view alarms generated by CIDS components in real time. The Event Viewer presents the alarms in a configurable grid to enable multiple views and instances.
CIDS Director for UNIX

[Slide: software application, HP OpenView on a Solaris or HPUX platform; remote Sensor configuration and control; alarm notification and management.]
CIDS Director for UNIX is an HP OpenView application that runs on Solaris or
HPUX, which, like CSPM, provides a centralized GUI for the management of
intrusion detection across a distributed network.
It enables you to centrally manage the configuration of all the Sensors reporting to
it. The CIDS Configuration Management Utility (nrConfigure) also allows
different configurations to be saved and applied as needed. This enables you to
maintain multiple versions of configurations for each device.
The Director for UNIX provides a GUI to view real-time alarms as they are
generated by CIDS components on an HP OpenView submap.
Feature Comparison

                          CSPM               Director for UNIX
Severities                Low-Medium-High    1 through 5
Signature Templates       Yes                No
Configuration Versioning  No                 Yes
Local Logging             Database           Text File
Alarm Forwarding          Yes                Yes
Generate SNMP Traps       Yes                Yes
CSPM and the Director for UNIX differ in many ways other than just the
operating system that they run on. Severities in CSPM are assigned Low, Medium,
or High levels, whereas in the Director for UNIX a number between 1 through 5 is
assigned, where 1 is the lowest severity and 5 is the highest.
CSPM enables you to create signature templates that can be shared between
Sensors, so that if you change a template it is automatically applied to all Sensors
referencing it. The Director for UNIX enables you to save multiple complete
configuration versions for the Sensors that can be applied as needed.
The logged alarms in CSPM are saved in a database, and as text files in the Director for UNIX. Alarm forwarding, the ability of the Director to send alarms to another Director, is available in the Director for UNIX but not on CSPM.

CSPM and the UNIX Director both have alarm forwarding and SNMP trap capability. In CSPM, the SNMP traps are possible via custom script execution. You must create a custom script that generates an SNMP trap to be sent to a Network Management station.

Note: Refer to the Event Notification and Alarm Reporting chapter for more details on configuring CSPM for script execution.
CIDS PostOffice
This section describes the functions and features of the PostOffice protocol.
PostOffice Protocol

[Slide: the Sensor and the Director exchange command and control communications over UDP 45000 (message types: command, error, command log, alarm, IP log, redirect, heartbeat); the Sensor's other interface performs network monitoring.]
CIDS services and hosts communicate with one another using the PostOffice protocol. The services are the IDS software daemons that exist on the Sensors and Director platforms.

PostOffice uses the UDP transport on port 45000. The following are the types of messages that are sent using the PostOffice protocol:

- Command messages
- Error messages
- Command log messages
- Alarm messages
- IP log messages
- Redirect messages
- Heartbeat messages

Note: The PostOffice port number is configurable; however, it is recommended to accept the default to avoid potential configuration problems.
PostOffice Features

[Slide: Reliability: acknowledges every message sent. Redundancy: can send alarms to up to 255 destinations. Fault tolerance: up to 255 IP addresses to a single destination; when the primary address fails, switches to the secondary address.]
The PostOffice protocol is designed to guarantee the transmission of messages to the intended recipient; therefore, it expects an acknowledgement from the receiver for every message sent. If no acknowledgement is received within a predetermined length of time, the message is resent until the acknowledgement is received.

The PostOffice protocol enables Sensors to propagate messages to up to 255 destinations. This feature allows for redundant alarm notifications, which ensure that the appropriate personnel are notified when an alarm is received.

With the PostOffice protocol you can have up to 255 alternate IP addresses to a single host. The alternate routing protocol automatically switches to the next IP address whenever the current connection fails. It also uses a system watchdog to detect when a connection to the preferred IP address is reestablished, at which time it reverts to the primary address.
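The three PostOffice behaviours described above (acknowledged delivery with resend, fan-out to up to 255 destinations, and failover across up to 255 alternate addresses with a watchdog that reverts to the primary) modelled as an added Python simulation; this is not CIDS code, and the retry count, host names and addresses are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MAX_DESTINATIONS = 255    # PostOffice: a Sensor can send alarms to up to 255 destinations
MAX_ADDRESSES = 255       # PostOffice: up to 255 alternate IP addresses per host
MAX_RETRIES = 3           # constructed value; real PostOffice resends until acknowledged

@dataclass
class Destination:
    name: str                          # Director host name, e.g. "director"
    addresses: list[str]               # primary address first, then alternates
    active: int = 0                    # index of the address currently in use
    received: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= len(self.addresses) <= MAX_ADDRESSES:
            raise ValueError("a PostOffice host needs 1 to 255 addresses")

class Network:
    """Constructed stand-in for the network: an address in `reachable` acks."""
    def __init__(self, reachable: set[str]) -> None:
        self.reachable = set(reachable)

    def deliver(self, addr: str, msg: str, dest: Destination) -> bool:
        if addr not in self.reachable:
            return False               # datagram lost: no acknowledgement
        dest.received.append(msg)
        return True

def send(net: Network, dest: Destination, msg: str) -> str | None:
    """Reliable delivery: retry on the active address, then fail over to the
    next alternate.  Returns the address that acknowledged, or None."""
    n = len(dest.addresses)
    for step in range(n):
        idx = (dest.active + step) % n
        for _ in range(MAX_RETRIES):
            if net.deliver(dest.addresses[idx], msg, dest):
                dest.active = idx      # stay on the address that worked
                return dest.addresses[idx]
    return None

def watchdog(net: Network, dest: Destination) -> bool:
    """System watchdog: revert to the primary address once it answers again."""
    if dest.active != 0 and dest.addresses[0] in net.reachable:
        dest.active = 0
        return True
    return False

def fan_out(net: Network, dests: list[Destination], msg: str) -> dict[str, str | None]:
    """Redundant notification: send the same alarm to every configured Director."""
    if len(dests) > MAX_DESTINATIONS:
        raise ValueError("PostOffice supports at most 255 destinations")
    return {d.name: send(net, d, msg) for d in dests}
```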
PostOffice Host Addressing

[Slide: example hosts: director (Host ID 10, Org ID 200, Org Name acme-noc); director (Host ID 10, Org ID 100, Org Name cisco); sensor2 (Host ID 20, Org ID 100, Org Name cisco); sensor3 (Host ID 30, Org ID 100, Org Name cisco). Numeric identifiers: host ID, organization ID. Alpha identifiers: host name, organization name. The combination of host ID and org ID must be unique. Host, organization, and application ID are used together to route PostOffice traffic.]
You must assign each CIDS device a unique numeric identifier. This unique numeric identifier is a combination of a host identification and an organization identification. With every host identification and organization identification combination, there is an associated alphanumeric identifier consisting of a host name and an organization name. The following are descriptions of the individual identifiers:

- Host ID: A numeric identifier greater than zero for each CIDS device.
- Organization ID: A numeric identifier greater than zero for a collection of CIDS devices. It can be used to group a number of CIDS devices together under the same number for easy identification purposes.
- Host Name: An alphanumeric identifier for each CIDS device. The name chosen here is typically one that contains the word "sensor" or "director" so you can easily identify the device type.
- Organization Name: An alphanumeric identifier for a group of CIDS devices. The name chosen here is typically one that describes the name of the company where the device is installed or the name of the department within the company where the device is installed.
The host and organizat