CISCO Secure Intrusion Detection System


7/30/2019 CISCO Secure Intrusion Detection System

Marsa Rayani, Maryam Shahpasand, Ali Falsafi

Contents:

Introduction
CSIDS definition
CSIDS components
CSIDS features
CSIDS platforms
Cisco Security Agent
Advantages
Disadvantages
CSIDS vs. Snort
Summary
References

Introduction:

Cisco security experts believe that the most effective intrusion detection strategy is to implement both host-based and network-based IDS.

Typically, most organizations implement network-based IDS first, because it is effective against attacks originating externally. Adding host-based IDS further enhances protection from attack, especially from attacks that are generated from internal sources.

To achieve this, Cisco offers a line of IDS products that can be:

integrated into existing network routers and switches
deployed as separate IDS appliances
run as software applications on management workstations

CSIDS definition:

Cisco Secure IDS is a network-based intrusion detection system that uses a signature database to trigger intrusion alarms.

Components: The major components are:

1. Sensor
2. Configuration Manager
3. Event Manager
4. Software

1. Sensor: performs real-time monitoring of network traffic, searching for patterns that could represent an attack.

Responses available to the sensor when it detects an attack:

No action
Shun (shunning): complete blocking of any traffic from the offending host or subnet
Log (logging): both attack event alarms and whole suspicious IP session logs
Shun + log
TCP connection reset
TCP connection reset + shun
TCP connection reset + log
TCP connection reset + shun + log

The response is configured per signature, so a signature that fires on legitimate traffic and has shun enabled will block legitimate hosts; enable the active responses only on signatures with a low false-positive rate.

2. Configuration manager:

The configuration manager provides configuration management for the sensor, pushing configuration and policy settings to the sensor.

The configuration manager may be co-located with the sensor (typical for smaller sensor deployments) or separately located at a central location (typical for larger sensor deployments).

3. Event manager:

The event manager is used to collect events generated by sensors.

Cisco Secure IDS event management platforms include a Network Security Database (NSDB), which holds detailed information about each attack that a sensor can detect. This information provides analysis support for security administrators who must decipher and respond to detected attacks.

Cisco Secure IDS sensors have extremely limited event management capabilities; hence the event manager is always separate from the sensor.

Communication between sensor and management platform:

To communicate messages between the management platform and the sensor platform, Cisco Secure IDS uses a proprietary protocol called the PostOffice protocol.

This protocol provides numerous necessary features, such as the following:

Reliability: every message is acknowledged and retransmitted until it is
Redundancy: alarms can be delivered to more than one management host
Fault tolerance: alternate routes to a management host are used when the primary route fails
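The three properties above, modelled as an added example (not part of the original slides and not Cisco's PostOffice implementation): a sensor numbers its alarms, retransmits until a management host acknowledges, falls back to an alternate route when a route keeps failing, and queues rather than drops what it could not deliver. The hosts, route names, retry budget and the injected failures are constructed for the demonstration.

```python
"""Added model of the delivery properties the slides attribute to PostOffice:
acknowledged delivery with retransmission (reliability), alarms delivered to
several management hosts (redundancy) and alternate routes to each host (fault
tolerance). Constructed illustration only; it is not Cisco's wire format."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RETRIES = 3  # assumed retransmission budget per route


@dataclass
class Alarm:
    seq: int      # per-sensor sequence number; lets the receiver drop duplicates
    text: str


class Route:
    """One path to a management host. deliver() returns True when the host acks.
    fail_pattern is a constructed list of per-attempt failures for the demo."""

    def __init__(self, name: str, fail_pattern: List[bool] = ()):
        self.name = name
        self._fails = list(fail_pattern)
        self.received: List[int] = []

    def deliver(self, alarm: Alarm) -> bool:
        if self._fails and self._fails.pop(0):
            return False                      # message or ack lost on this route
        if alarm.seq not in self.received:    # a retransmitted duplicate is acked but not re-logged
            self.received.append(alarm.seq)
        return True


class Sensor:
    def __init__(self, destinations: Dict[str, List[Route]]):
        self.destinations = destinations      # host name -> routes, primary first
        self.seq = 0
        self.undelivered: Dict[str, List[Alarm]] = {d: [] for d in destinations}
        self.log: List[str] = []

    def send(self, text: str) -> Dict[str, Optional[str]]:
        """Send one alarm to every destination; returns the route that acked, per host."""
        self.seq += 1
        alarm = Alarm(self.seq, text)
        return {host: self._deliver(host, alarm, routes)
                for host, routes in self.destinations.items()}

    def _deliver(self, host: str, alarm: Alarm, routes: List[Route]) -> Optional[str]:
        for route in routes:                           # fault tolerance: try alternate routes
            for attempt in range(1, MAX_RETRIES + 1):  # reliability: retransmit until acked
                if route.deliver(alarm):
                    return route.name
                self.log.append(f"{host}: no ack for seq {alarm.seq} via {route.name} (attempt {attempt})")
        self.undelivered[host].append(alarm)           # queued for later, never silently dropped
        return None


def demo() -> tuple:
    """Constructed scenario: the direct route to HQ loses the first three attempts."""
    hq_direct = Route("hq-direct", [True, True, True])
    hq_backup = Route("hq-backup")
    dr = Route("dr-direct")
    sensor = Sensor({"hq": [hq_direct, hq_backup], "dr": [dr]})
    first = sensor.send("sig 3215 web traversal from 203.0.113.7")
    second = sensor.send("sig 2004 ICMP echo sweep from 203.0.113.7")
    return sensor, first, second, hq_direct, hq_backup, dr
```

The first alarm reaches HQ over the backup route after three lost attempts on the direct one, while the second goes direct again once that route recovers; the disaster-recovery host receives both, independently of what happened to HQ.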

Cisco Secure IDS Features

Cisco offers a rich IDS product set that is part of Cisco's SAFE enterprise security blueprint. Cisco Secure IDS has many features that let you effectively detect and respond to security threats against your network. It provides the following fundamental capabilities:

1. Alarm display and logging
2. Intrusion response
3. Remote sensor configuration and management

These features are discussed in the following sections.

1. Alarm Display and Logging

When a sensor detects an attack, it sends an alarm to the event management platform. On the event management platform, a graphical user interface (GUI) displays these alarms in real time, color-coding each alarm based on its severity. This display gives a quick indication that an attack has occurred and how dangerous it is. The sensor can also log more detailed alarm information in a local text-based log file, which allows in-depth analysis of attack data and the use of custom scripts to present alarm data specific to your requirements.

2. Intrusion Response

The Cisco Secure IDS sensor can directly respond to an attack using one or more of the following methods:

I. TCP reset
II. IP blocking
III. IP logging

I. TCP reset:

The TCP reset response is available only for TCP-based attacks. It is implemented by the sensor sending a TCP reset (RST) segment to the host that is being attacked (the target). This causes the attacked system to close the connection and release the process state and memory associated with it.

A reset is only honoured if it carries a sequence number the target currently expects, so the sensor has to track the connection's sequence numbers. Also, the reset is sent after the triggering packet has already been forwarded, so it cannot undo a single-packet attack; it can only cut short what follows.
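How the reset segment is built, as an added example (not from the slides and not Cisco's sensor code): the RST delivered to the target is forged with the attacker's addresses and must carry the sequence number the target expects next, which is the observed segment's sequence number plus the bytes it consumed (a SYN or FIN counts as one). The example also builds the RST for the attacker's side, which sensors commonly send as well. Addresses and ports are constructed; actually transmitting the segment needs a raw socket and is not done here.

```python
"""Added example of crafting the reset segments a sensor injects to tear down a
TCP connection. Illustration only, not Cisco's implementation; addresses and
ports are constructed. Sending requires raw sockets and is not done here."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.
    Computed over a segment whose checksum field is already filled in, it is 0."""
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed,
                         0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int,
              seq: int, ack: int, flags: int) -> bytes:
    """Header-only segment (data offset 5, no options) with the checksum filled in."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp(segment: bytes) -> Dict[str, int]:
    fields = struct.unpack(TCP_HDR, segment[:20])
    names = ("sport", "dport", "seq", "ack", "offset", "flags", "window", "checksum", "urgent")
    return dict(zip(names, fields))


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return tcp_checksum(src_ip, dst_ip, segment) == 0


@dataclass
class Observed:
    """The segment that triggered the signature, as seen by the sensor."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int


def resets_for(obs: Observed) -> Dict[str, bytes]:
    """RST to the target (forged as the attacker) and RST to the attacker (forged as
    the target). Each must carry the sequence number that end expects next, or the
    receiving stack discards it as out-of-window."""
    consumed = obs.payload_len + (1 if obs.flags & TCP_SYN else 0) + (1 if obs.flags & TCP_FIN else 0)
    to_target = build_tcp(obs.src_ip, obs.dst_ip, obs.sport, obs.dport,
                          obs.seq + consumed, 0, TCP_RST)
    to_attacker = build_tcp(obs.dst_ip, obs.src_ip, obs.dport, obs.sport,
                            obs.ack, 0, TCP_RST)
    return {"to_target": to_target, "to_attacker": to_attacker}
```

The sequence-number bookkeeping is the part that matters operationally: a sensor that has lost track of the stream (after packet loss on its monitoring tap, for instance) will emit resets that both endpoints silently ignore, and the connection survives.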

    II. IP blocking

    TheIP blocking response (also known asshunning) allows a sensor to apply an access

    control list (ACL) to a perimeter router interface,blocking IP connectivity from an attackingsystem.

    You can also manually block a host or networkfrom the sensor management platform if you seeany suspicious activity

  • 7/30/2019 CISCO Secure Intrusion Detection System

    22/45

  • 7/30/2019 CISCO Secure Intrusion Detection System

    23/45
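What the sensor pushes to the router, as an added example (not from the slides and not Cisco's shun code): a generator for the IOS extended ACL, with time-limited entries and a never-block list that refuses to shun protected addresses. The ACL name, interface name and addresses are assumptions made for the example; on a real deployment the generated deny lines are merged with whatever ACL already protects the interface rather than replacing it.

```python
"""Added example: generating the perimeter-router ACL a shun response applies.
Illustration only, not Cisco's shun implementation; the ACL name, interface and
addresses are assumptions. Uses IOS extended-ACL syntax."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import Dict, Iterable, List


@dataclass
class Shun:
    net: IPv4Network
    expires: float    # epoch seconds; shuns are time-limited


class ShunList:
    def __init__(self, acl_name: str = "IDS_SHUN", interface: str = "GigabitEthernet0/0",
                 never_block: Iterable[str] = ()):
        self.acl_name = acl_name
        self.interface = interface
        # addresses that must never be blocked, even if a packet claims to come from them
        self.never_block = [ip_network(n) for n in never_block]
        self.entries: Dict[IPv4Network, Shun] = {}

    def add(self, target: str, duration_s: int, now: float) -> None:
        """Shun a host (a.b.c.d) or subnet (a.b.c.0/24) for duration_s seconds."""
        net = ip_network(target, strict=False)
        for protected in self.never_block:
            if net.overlaps(protected):
                raise ValueError(f"refusing to shun {net}: overlaps never-block entry {protected}")
        self.entries[net] = Shun(net, now + duration_s)   # re-shunning extends the timer

    def expire(self, now: float) -> List[IPv4Network]:
        """Drop entries whose time is up; returns what was removed."""
        gone = [n for n, s in self.entries.items() if s.expires <= now]
        for n in gone:
            del self.entries[n]
        return gone

    def render(self) -> List[str]:
        """IOS configuration lines: one deny per active shun, then permit the rest,
        then bind the ACL inbound on the perimeter interface."""
        lines = [f"ip access-list extended {self.acl_name}"]
        for net in sorted(self.entries, key=lambda n: (int(n.network_address), n.prefixlen)):
            if net.prefixlen == 32:
                lines.append(f" deny ip host {net.network_address} any")
            else:
                # IOS ACLs take a wildcard (inverse) mask, e.g. 0.0.0.255 for a /24
                lines.append(f" deny ip {net.network_address} {net.hostmask} any")
        lines.append(" permit ip any any")
        lines += [f"interface {self.interface}", f" ip access-group {self.acl_name} in"]
        return lines
```

Every entry carries an expiry and the list is re-rendered after each change, so a spoofed trigger costs at most one timer's worth of blocking and can never block the hosts named in the never-block list at all.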

    III. IP logging

    When a sensor detects an attack, an alarm is generatedand forwarded to the event management platform. TheIP logging response allows a sensor to write alarminformation to a local log file as well. The informationwritten to the log file contains much more informationthan is sent to the event management platform, so youcan use this option to provide detailed analysis ofspecific attacks.

  • 7/30/2019 CISCO Secure Intrusion Detection System

    24/45

  • 7/30/2019 CISCO Secure Intrusion Detection System

    25/45

    3. Remote Sensor Configuration and

    Management Cisco Secure IDS sensor management platforms let youcentrally manage and monitor multiple sensors located

    throughout your network. All sensor-related configurations are stored on aconfiguration management platform.

    configuration management platform is responsible for

    pushing these configurations out to each sensor. Configuration attributes include the types of intrusiveactivity (signatures) that each sensor should monitor.

Other Features

Active Updates: lets customers subscribe to regular e-mail notifications generated by the Cisco Countermeasures Research Team (C-CRT), download new signature updates to a central location on the network, and then have multiple sensors automatically update their signature databases on a regular basis.

Custom signatures: you can create your own signatures to detect a new attack. This functionality is provided by a complete signature language, similar to a scripting language, which is a powerful tool for customization.
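A miniature of what a signature language and its per-signature responses look like, as an added example serving both this slide and the response list on the sensor slide (no action, log, shun, TCP reset and their combinations). It is not Cisco's signature language and not the sensor's engine; the syntax, the signature IDs, names and sample traffic are all constructed. It enforces the one rule the slides state about responses: TCP reset is only valid for TCP signatures.

```python
"""Added example of a minimal signature language with per-signature response
actions. The syntax is this example's own, not Cisco's; signature IDs, names
and traffic are constructed."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

VALID_ACTIONS = {"log", "shun", "reset"}   # combine freely; "no action" is the empty set


@dataclass
class Signature:
    sig_id: int
    name: str
    proto: str                 # tcp | udp | icmp
    pattern: str               # regular expression over the payload
    severity: str = "medium"
    actions: Set[str] = field(default_factory=set)
    dst_port: Optional[int] = None

    def __post_init__(self):
        unknown = self.actions - VALID_ACTIONS
        if unknown:
            raise ValueError(f"sig {self.sig_id}: unknown action(s) {sorted(unknown)}")
        if "reset" in self.actions and self.proto != "tcp":
            raise ValueError(f"sig {self.sig_id}: TCP reset is only valid for TCP signatures")
        self._re = re.compile(self.pattern.encode(), re.IGNORECASE)


def parse_signature(line: str) -> Signature:
    """sig <id> name='..' proto=tcp [port=N] pattern='..' [severity=..] [action=log,shun,reset]"""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "sig":
        raise ValueError(f"not a signature line: {line!r}")
    kv = dict(t.split("=", 1) for t in tokens[2:])
    return Signature(
        sig_id=int(tokens[1]), name=kv["name"], proto=kv["proto"], pattern=kv["pattern"],
        severity=kv.get("severity", "medium"),
        actions={a for a in kv.get("action", "").split(",") if a},
        dst_port=int(kv["port"]) if "port" in kv else None)


@dataclass
class Event:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Alarm:
    sig_id: int
    name: str
    severity: str
    src: str
    dst: str
    actions: Set[str]


class SignatureEngine:
    def __init__(self):
        self.sigs: Dict[int, Signature] = {}

    def load(self, line: str) -> Signature:
        sig = parse_signature(line)
        self.sigs[sig.sig_id] = sig      # same ID replaces: that is how an update or a tuning lands
        return sig

    def inspect(self, ev: Event) -> List[Alarm]:
        alarms = []
        for sig in self.sigs.values():
            if sig.proto != ev.proto:
                continue
            if sig.dst_port is not None and sig.dst_port != ev.dport:
                continue
            if sig._re.search(ev.payload):
                alarms.append(Alarm(sig.sig_id, sig.name, sig.severity, ev.src, ev.dst, set(sig.actions)))
        return alarms


# Constructed signatures: one standing in for a vendor signature, one custom.
BUILTIN = [
    r"sig 3215 name='WWW /etc/passwd traversal' proto=tcp port=80 "
    r"pattern='\.\./.*/etc/passwd' severity=high action=log,reset,shun",
    r"sig 20001 name='custom: IRC bot nick' proto=tcp port=6667 pattern='^NICK\s+bot' action=log",
]
```

Reloading a signature with the same ID but a smaller action set is how a noisy signature is tamed without losing visibility: keep the log action, drop shun and reset until the false positives are understood.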

Cisco Secure Sensor Platforms

The sensor platform is the most critical component of Cisco Secure IDS, because it detects, responds to, and reports intrusion activity to the sensor management platform.

Each sensor is a hardware appliance that has been hardened for the environment it works in, optimized for performance, and designed for ease of maintenance.

The sensor uses an extensive signature database that allows it to capture security attacks in real time from large amounts of IP traffic. The sensor has packet-reassembly features (IP fragment and TCP stream reassembly) that defeat IDS evasion techniques which split an attack across packets.

Once an attack is detected, the sensor sends an alarm to an event management platform and can optionally place that alarm information in a local log file.

The sensor can also automatically reset a TCP-based connection associated with the attack and/or block the source IP address of the attacking system.
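Why reassembly is a detection feature and not a performance detail, as an added example (not from the slides and not the sensor's reassembly code; it also illustrates the "better at IP fragment and TCP session reassembly" point in the Snort comparison later). The same signature is searched per packet and over the reassembled stream against two constructed evasions: the pattern split across out-of-order segments, and overlapping segments that disagree about the bytes at one offset. The overlap policies are simplified to two.

```python
"""Added example of why reassembly matters: one signature searched per packet
and over the reassembled stream, against constructed out-of-order and
overlapping segments. Illustration only, not the sensor's reassembly code."""
from typing import List, Tuple

Chunk = Tuple[int, bytes]          # (byte offset in the stream, data), in arrival order
SIGNATURE = b"/etc/passwd"         # constructed pattern to look for


def reassemble(chunks: List[Chunk], policy: str = "first") -> Tuple[bytes, bool]:
    """Rebuild a stream from out-of-order, possibly overlapping chunks.
    policy "first": bytes already received win an overlap (BSD-style).
    policy "last": a later chunk overwrites earlier bytes (as some stacks do).
    Returns (data, complete); complete is False if any byte is still missing."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    size = max((off + len(data) for off, data in chunks), default=0)
    buf, have = bytearray(size), bytearray(size)
    for off, data in chunks:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or not have[pos]:
                buf[pos], have[pos] = b, 1
    return bytes(buf), all(have)


def tcp_segments_to_chunks(isn: int, segments: List[Tuple[int, bytes]]) -> List[Chunk]:
    """TCP: (sequence number, data) -> offset relative to the initial sequence number."""
    return [((seq - isn) & 0xFFFFFFFF, data) for seq, data in segments]


def ip_fragments_to_chunks(fragments: List[Tuple[int, bytes]]) -> List[Chunk]:
    """IP: the fragment offset field counts 8-byte units."""
    return [(off8 * 8, data) for off8, data in fragments]


def per_packet_match(chunks: List[Chunk]) -> bool:
    """What an IDS without reassembly sees: each packet on its own."""
    return any(SIGNATURE in data for _, data in chunks)


def stream_match(chunks: List[Chunk], policy: str = "first") -> bool:
    data, _complete = reassemble(chunks, policy)
    return SIGNATURE in data


# Constructed evasion 1: the pattern split across two segments, delivered out of order.
SPLIT = tcp_segments_to_chunks(1000, [
    (1007, b"c/passwd HTTP/1.0\r\n\r\n"),
    (1000, b"GET /et"),
])

# Constructed evasion 2 (insertion): two segments claim the same offset with different
# bytes. Which one the target honours depends on its TCP stack; an IDS whose overlap
# policy differs from the target's reassembles a stream the target never saw.
OVERLAP = tcp_segments_to_chunks(1000, [
    (1000, b"GET /etc/"),
    (1009, b"XXXXXX HTTP/1.0\r\n\r\n"),
    (1009, b"passwd HTTP/1.0\r\n\r\n"),
])
```

The second case is the important one for a practitioner: reassembling is necessary but not sufficient, because the sensor must reassemble the way the protected host does, or it can be made to see a harmless stream while the host receives the attack.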

Cisco produces three main sensor platforms dedicated to IDS:

4200 series sensors
Catalyst 6000/6500 IDS module (IDSM)
Cisco 2600/3600/3700 IDS network modules

Sensor Interfaces

All of these sensor platforms are passive sensors, in that they passively monitor network traffic traversing one or more segments for intrusive activity. Each of these sensors contains two interfaces:

I. Command-and-control interface
II. Monitoring interface

I. Command-and-control interface

Provides a management interface for the sensor. The command-and-control interface allows the sensor to be managed via TCP/IP and lets the sensor send alarms to the event management platform. It is the only interface that has an IP address.

II. Monitoring interface

The monitoring interface operates in promiscuous mode, capturing all traffic on the attached segment and passing it to the IDS application for analysis.

The monitoring interface has no IP address, so it cannot be addressed from the monitored segment; the sensor can therefore be placed on an untrusted segment without exposing a management service there. Note that the capture interface still parses every hostile packet it sees, so bugs in the sensor's protocol decoders remain reachable through it: the missing IP address removes the management attack surface, not the parsing one.

Cisco Security Agent

The Cisco Security Agent consists of server and desktop agents. The agent resides between the operating system kernel and applications, giving it visibility of all system calls to memory, file, network, Registry, and COM object resources.

Cisco Security Agent is an example of an anomaly-based (behavior-based) intrusion detection system. It is useful for detecting new attacks that are often impossible to detect with signature-based intrusion detection systems such as Cisco Secure IDS sensors.
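What "anomaly-based, between kernel and applications" means in practice, as an added example (not from the slides and not Cisco Security Agent's rule engine): the agent observes which resource classes each process touches (file, network, registry, COM), learns a baseline from a clean host, and alarms on any action outside it, without knowing anything about the specific attack. The events, process name and paths are constructed.

```python
"""Added example of anomaly-based host detection in the spirit the slides
describe: learn which resources each process touches, alarm on actions outside
that baseline, with no attack-specific signature. Constructed events and a
simplified model; not Cisco Security Agent's own engine."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Key = Tuple[str, str, str, str]   # (process, resource, op, target class)


@dataclass(frozen=True)
class SysEvent:
    process: str    # image name of the caller
    resource: str   # memory | file | network | registry | com
    op: str         # read | write | exec | connect | create ...
    target: str


def target_class(resource: str, target: str) -> str:
    """Generalize a target so the baseline is not a list of exact paths:
    files by their top-level directory, sockets by port, registry by key."""
    if resource == "file":
        parts = target.replace("\\", "/").split("/")
        return "/".join(parts[:3])                          # e.g. C:/Users/alice
    if resource == "network":
        return "port " + target.rsplit(":", 1)[-1]
    if resource == "registry":
        return target.replace("\\", "/").rsplit("/", 1)[0]   # key without the value name
    return target


def key_of(ev: SysEvent) -> Key:
    return (ev.process.lower(), ev.resource, ev.op, target_class(ev.resource, ev.target))


class HostAgent:
    def __init__(self):
        self.baseline: Set[Key] = set()

    def learn(self, events: List[SysEvent]) -> int:
        """Training mode: record what a clean host does. Returns the baseline size."""
        self.baseline.update(key_of(e) for e in events)
        return len(self.baseline)

    def check(self, ev: SysEvent) -> Optional[str]:
        """Enforcement mode: an action absent from the baseline is an anomaly."""
        if key_of(ev) in self.baseline:
            return None
        return f"{ev.process}: unexpected {ev.resource} {ev.op} on {target_class(ev.resource, ev.target)}"


# Constructed training data: a word processor doing word-processor things.
TRAINING = [
    SysEvent("WINWORD.EXE", "file", "read", r"C:\Users\alice\Documents\report.docx"),
    SysEvent("WINWORD.EXE", "file", "write", r"C:\Users\alice\Documents\report.docx"),
    SysEvent("WINWORD.EXE", "registry", "read", r"HKCU\Software\Microsoft\Office\16.0\Word\Options\x"),
    SysEvent("WINWORD.EXE", "com", "create", "Word.Application"),
]

# Constructed enforcement-time events: the last three are what a malicious attachment does.
CANDIDATES = [
    SysEvent("WINWORD.EXE", "file", "read", r"C:\Users\alice\Documents\q3.docx"),
    SysEvent("WINWORD.EXE", "file", "exec", r"C:\Windows\System32\cmd.exe"),
    SysEvent("WINWORD.EXE", "network", "connect", "203.0.113.9:4444"),
    SysEvent("WINWORD.EXE", "registry", "write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
]


def run() -> List[str]:
    agent = HostAgent()
    agent.learn(TRAINING)
    return [a for a in (agent.check(e) for e in CANDIDATES) if a]
```

The trade-off is visible in the example: nothing here knows what an exploit looks like, so a brand-new attack is caught the moment it does something the process never did before, but the same property means that legitimate new behaviour (a plug-in that connects out, an update that writes a Run key) raises the same alarm until the baseline is extended.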

The Cisco Security Agent provides a variety of features that ensure that critical systems and applications are protected from attacks. It is designed to detect known and unknown attacks based on the following intrusive activities:

I. Probing
II. Penetration
III. Persistence
IV. Propagation
V. Paralyzing

I. Probing

Probing covers the activities associated with reconnaissance performed against the host, or an attempt to break into a host by guessing security information. The following are some of the probe attacks that the Cisco Security Agent detects:

Ping
Port scans
Password and username guessing
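The three probe types above as detection logic over host log lines, as an added example (not from the slides and not the agent's own detectors): a port scan is many distinct destination ports from one source, a ping sweep is many distinct ICMP echo targets from one source, and password guessing is repeated authentication failures from one source, each counted over a sliding window. The log format, the thresholds and the sample lines are this example's assumptions.

```python
"""Added example of probe detection over constructed host log lines: port scan,
ping sweep and password guessing, each over a sliding time window. The log
format and thresholds are assumptions made for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

WINDOW = timedelta(seconds=60)
PORTSCAN_PORTS = 10     # distinct destination ports from one source within WINDOW
SWEEP_HOSTS = 8         # distinct ICMP echo targets from one source within WINDOW
GUESS_FAILS = 5         # authentication failures from one source within WINDOW


def parse(line: str) -> Dict[str, str]:
    """'<iso time> <kind> k=v k=v ...' -> dict with 'time' and 'kind' added."""
    ts, kind, *rest = line.split()
    rec = dict(kv.split("=", 1) for kv in rest)
    rec["time"], rec["kind"] = ts, kind
    return rec


class ProbeDetector:
    def __init__(self):
        # (detector name, source) -> recent (time, value) observations inside the window
        self.recent: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.alerted: Set[Tuple[str, str]] = set()

    def _observe(self, name: str, src: str, now: datetime, value: str,
                 threshold: int, count_distinct: bool = True) -> bool:
        q = self.recent[(name, src)]
        q.append((now, value))
        while q and now - q[0][0] > WINDOW:      # slide the window forward
            q.popleft()
        measure = len({v for _, v in q}) if count_distinct else len(q)
        if measure >= threshold and (name, src) not in self.alerted:
            self.alerted.add((name, src))          # one alarm per source per detector
            return True
        return False

    def feed(self, line: str) -> List[str]:
        rec = parse(line)
        now = datetime.fromisoformat(rec["time"])
        alarms = []
        if rec["kind"] == "conn" and rec.get("proto") == "tcp":
            if self._observe("port-scan", rec["src"], now, rec["dport"], PORTSCAN_PORTS):
                alarms.append(f"port-scan src={rec['src']} dst={rec['dst']}")
        elif rec["kind"] == "icmp" and rec.get("type") == "echo":
            if self._observe("ping-sweep", rec["src"], now, rec["dst"], SWEEP_HOSTS):
                alarms.append(f"ping-sweep src={rec['src']}")
        elif rec["kind"] == "auth" and rec.get("result") == "fail":
            if self._observe("password-guessing", rec["src"], now, "fail", GUESS_FAILS, count_distinct=False):
                alarms.append(f"password-guessing src={rec['src']} user={rec['user']}")
        return alarms


def sample_log() -> List[str]:
    """Constructed log: a scanner, a sweeper, a brute-forcer and one ordinary user."""
    base = datetime(2019, 7, 30, 10, 0, 0)

    def t(s: int) -> str:
        return (base + timedelta(seconds=s)).isoformat()

    lines = [f"{t(i)} conn src=203.0.113.7 dst=192.0.2.10 dport={21 + i} proto=tcp" for i in range(12)]
    lines += [f"{t(20 + i)} icmp src=203.0.113.7 dst=192.0.2.{10 + i} type=echo" for i in range(8)]
    lines += [f"{t(30 + i)} auth src=198.51.100.4 user=root result=fail" for i in range(6)]
    lines += [f"{t(40)} auth src=192.0.2.50 user=alice result=ok",
              f"{t(41)} conn src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp",
              f"{t(42)} auth src=192.0.2.50 user=alice result=fail"]
    return lines


def run(lines: List[str]) -> List[str]:
    det = ProbeDetector()
    out: List[str] = []
    for line in lines:
        out += det.feed(line)
    return out
```

Threshold-over-window detectors have a known blind spot: a scan paced slower than the window never accumulates enough observations, so the thresholds here trade sensitivity to slow probes for a low false-positive rate on busy hosts.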

II. Penetration

Penetration refers to the process of gaining unauthorized access to processes running on, and/or data stored on, the target system. The Cisco Security Agent can detect a possible attack based on events that indicate the host is in the process of being compromised or penetrated. The following are some of the events related to penetration attacks that the Cisco Security Agent detects:

Mail attachments
Buffer overflows
ActiveX controls
Back doors

III. Persistence

Persistence refers to events that result from a successful attack and subsequent infection of a host system. The following are some of the events that indicate that a system has been compromised and that some form of unauthorized action, application, or service is present:

File creation
File modification
Security settings modification
Installation of new services
Trap doors

IV. Propagation

Propagation refers to the automatic self-replication of an attack to other systems after an initial target system has been infected. The following are some of the events related to propagation that the Cisco Security Agent detects:

E-mail copies of the attack
Web and FTP connections
Internet Relay Chat (IRC) connections
Propagation via file shares

V. Paralyzing

Paralyzing refers to the complete or partial removal of the availability and responsiveness of computing resources on a target system. The following are some of the events related to system paralysis that the Cisco Security Agent detects:

File modification and deletion
Computer crashes
Denial of service
Stealing of sensitive/confidential information

Advantages:

1. Accurate attack detection
2. Intelligent attack investigation
3. Ease of security management
4. Flexible deployment options for all network design models and topologies
5. You can create your own signatures to detect new attacks.
6. Combines leading Cisco security solutions with a rich ecosystem of complementary programs, products, partners and services.
7. Focuses on large businesses
8. Assumes a security policy

Disadvantages:

Expensive
Black-box design: you have no idea why it does anything that it does.
Closed signature set: you cannot inspect the built-in signatures to see what, or how, they are trying to detect.
Difficult to install
Difficult to administer

CSIDS vs. Snort

Battle of open source vs. commercial!

Snort has a better GUI (through third-party consoles such as ACID/BASE).
Snort's biggest advantage is cost.
CSIDS is better at both IP fragment and TCP session reassembly.
CSIDS has excellent support and services.

For small environments where funds are very limited, Snort is probably the better solution. For large enterprises, Cisco would probably be the better choice.

References

www.cisco.com
CCSP complete study book by Cisco
www.net-security.org
www.ciscopress.com/articles
https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114