Home > Articles > Cisco Network Technology > General Networking > Intrusion Detection: Cisco IDS Overview

Intrusion Detection: Cisco IDS Overview

Chapter Description

Cisco Secure IDS is a network-based intrusion detection system that uses a signature database to trigger intrusion alarms. The major components are a sensor platform and a director platform. The sensor platform monitors the network and the director platform provides a single GUI management interface for the end user. This chapter describes the available plaforms and explains how they interact.

This sample chapter is excerpted from Cisco Secure Intrusion Detection Systems.

Director Platforms

You can deploy multiple 4200 Series Sensors and IDSMs on your network to provide complete IDS coverage. Manually monitoring the alarms on each of these sensors is inefficient. The Director platforms provide the management software necessary to configure, log, and display alarms generated by sensors efficiently. Furthermore, a single Director platform can consolidate all the alarms from multiple sensors into a single user-friendly interface.

In particular, this section examines the following:

  • Director platform features
  • Cisco Secure Policy Manager (CSPM) as a Director platform
  • Cisco Secure Intrusion Detection Director
  • Director platform feature comparison

Director Platform Features

The Director platform supplies a graphical user interface (GUI) through which you can manage your Cisco Secure IDS. The main features of the Director platform follow:

  • Alarm display
  • Alarm response
  • Sensor configuration

Alarm Display

The GUI on the Director platform provides an excellent vehicle to view alarms generated by the various sensors throughout the network. Each alarm displays with a unique color based on the severity of the alarm. You can quickly view all the alarms that are occurring on your network at any time, as well as visually assess their potential damage.

You also can save alarm information in text log files on both the sensor and the Director platform. Logging enables you to easily archive the data, write custom scripts to extract alarm data specific to your site, and monitor attacks using command-line tools, such as the UNIX command tail.

UNIX tail Command

UNIX systems have a tail command, which enables you to display a specified number of lines at the end of a file. By adding the –f option to the tail command, you can continually watch the end of a file. This is especially useful when some program is continually adding data to a specific file. With tail –f, you can watch as data is added to the file. Starting with Cisco Secure IDS version 2.2.1.5, however, the log files are memory-mapped files. This prevents you from using tail –f to view these log files in real time.

Alarm Response

Many of the responses to alarms are configured to occur automatically upon detection of certain intrusive actions. The sensors handle these automatic responses. Sometimes, however, an operator wants to take action based on the alarms that she is viewing on the Director platform. In these situations, the operator can initiate a manual IP blocking response. This response can block a single IP address or entire network. The user initiates this manual response directly on the Director platform.

Remote Sensor Configuration

Both Director platforms enable you to centrally manage the configuration of all the remote sensors under their control. With the Cisco Secure IDS Director for UNIX, the Cisco Secure Configuration Management Utility (nrConfigure) enables you to save different remote sensor configurations and apply them as needed. The Cisco Secure Policy Manager (CSPM) supports remote sensor signature templates that can be shared between remote sensors. (Refer to Chapter 12, "Signature and Intrusion Detection Configuration," for more information on signature templates.) Furthermore, if you change a template, it is automatically applied to all remote sensors referencing it.

Cisco Secure Policy Manager as a Director Platform

Cisco Secure Policy Manager is a Windows NT 4.0-based application that provides scalable, comprehensive security policy management for the following:

  • Cisco Secure PIX firewalls
  • Cisco IOS routers with the IOS Firewall feature
  • Cisco IOS routers with the Cisco Secure Integrated VPN software
  • IDS sensors

An entire book can be written on CSPM alone. Staying within the scope of this book, however, this chapter addresses only the use of CSPM as a Director platform for Cisco Secure IDS, where it provides a centralized GUI for intrusion detection management across a distributed network.

CSPM enables you to remotely control all of your sensor configurations. You use the Add Sensor Wizard to define sensors in the Network Topology tree (NTT), and you can use the panels on each sensor node to configure device-specific settings. In addition, you can define sensor signature templates and apply those templates to one or more sensors defined in the NTT. (For more information on signature templates, see Chapter 12.)

Network Topology Tree

CSPM must know the location of the objects on your network with which it must interact and communicate. The Network Topology tree is the vehicle with which you describe your physical network topology. The goal of the NTT is to define all the network objects for which you want to define a unique security policy. The extent to which you define your network topology depends on what you want CSPM to do. In your NTT, you define networks, gateways, and some hosts.

For alarm reporting, CSPM provides a GUI to view real-time alarms as the IDS sensors generate them. This real-time alarm view is accessible using the View Sensor Events option on the Tools menu of the GUI client. (For more information on alarm management, see Chapter 8, "Working with CSIDS Alarms in CSPM.")

For instructions on installing CSPM, see Chapter 6, "Cisco Secure Policy Manager Installation."

Cisco Secure Intrusion Detection Director

Cisco Secure IDS Director for UNIX is an HP OpenView application that runs on Solaris or HPUX, which, like CSPM, provides a centralized GUI for intrusion detection management across a distributed network.
It enables you to centrally manage the configuration of all the sensors reporting to it. The Cisco Secure IDS Configuration Management Utility (nrConfigure) allows different configurations to be saved and applied as needed, enabling you to maintain multiple versions of configurations for each device. You might want to establish one configuration to use during work hours and another for use after work hours. Many situations require the use of multiple configurations.

For alarm reporting, the Director for UNIX provides a GUI to view real-time alarms as they are generated by IDS sensors on an HP OpenView submap. (For instructions on installing the Director for UNIX, see Chapter 15.)

Director Platform Feature Comparison

CSPM and the Director for UNIX differ in many ways other than just the operating system on which they run. Table 4-2 shows a feature comparison of the two Director platforms.

Table 4-2 Director Platform Feature Comparison

Director Feature

CSPM

Director for UNIX

Severity levels

Low

Medium

High

1 through 5

Signature templates

Yes

No

Configuration versioning

No

Yes

Local logging

Database

Text file

Configuration versioning

No

Yes

Generate SNMP traps

No

Yes


Both Director platforms display the alarms generated by the sensors. Alarm severity in CSPM has three possible levels: Low, Medium, or High. With the Cisco Secure IDS Director for UNIX, alarm severity is a number between 1 and 5. A severity 1 alarm represents the lowest severity, whereas a severity 5 alarm represents the most severe alarm.

When you deploy multiple sensors on your network, you probably want to manage their configurations from your Director platform. With CSPM, you create signature templates for your sensors. These signature templates can be shared between sensors. Furthermore, if you change a template, it is automatically applied to all sensors referencing it. The Cisco Secure IDS Director for UNIX also enables you to save multiple complete configuration versions for the sensors that can be applied as needed through nrConfigure. (For more information on nrConfigure, see Chapter 16, "The Configuration Management Utility (nrConfigure).")

Each Director platform needs to save the alarms generated by your sensors. The logged alarms in CSPM are saved in a database and as text files in the Director for UNIX.

The Cisco Secure IDS Director for UNIX supports two final features that CSPM does not support:

  • Configuration versioning
  • Generating SNMP traps for alarms

Configuration versioning tracks multiple versions of each sensor configuration. Every time you change a configuration, the current configuration is saved as a previous version. Therefore, if necessary, you can easily roll back to any of these saved configuration versions. When the Cisco Secure IDS Director for UNIX receives alarms, it can also generate SNMP

4. Cisco Secure IDS and the PostOffice Protocol | Next Section Previous Section