Cisco Secure IDS is a network-based intrusion detection system that uses a signature database to trigger intrusion alarms. The major components are a sensor platform and a director platform. The sensor platform monitors the network and the director platform provides a single GUI management interface for the end user. This chapter describes the available plaforms and explains how they interact.
This sample chapter is excerpted from Cisco Secure Intrusion Detection Systems.
Cisco Secure IDS is a network-based intrusion detection system that uses a signature database to trigger intrusion alarms. The system is composed of sensors that perform the real-time monitoring of network packets and a Director platform that provides the management software used to configure, log, and display alarms generated by sensors. Cisco Secure IDS supports two Director platforms:
- Cisco Secure Policy Manager (CSPM)
- Cisco Secure IDS Director for UNIX
Cisco Secure IDS Sensors are available in two distinct platforms. The 4200 Series Sensors are network appliances that can be deployed throughout your network. (See Chapter 7, "4200 Series Sensor Installation Within CSPM.") The Intrusion Detection System Module (IDSM) for the Catalyst 6000 family of switches is a sensor that resides on a blade in your Catalyst 6000 family switch. (See Chapter 14, "Catalyst 6000 IDS Module Configuration.") A final IDS monitoring device is the Cisco IOS Firewall IDS. This platform enables you to change your router into an IDS monitoring device. (See Chapter 17, "Cisco IOS Firewall Intrusion Detection System.")
All Cisco Secure IDS Sensors have two interfaces:
- Monitoring
- Command and control
Sensors monitor network traffic for alarms in real time through the monitoring interface. All alarms are then transmitted through the command and control interface to the Director platform.
When Cisco Secure IDS analyzes network data, it looks for patterns of attacks. Patterns can be as simple as an attempt to access a specific port on a specific host, or as complex as sequences of operations directed at multiple hosts over an arbitrary period of time.
This chapter covers the following aspects of Cisco Secure IDS:
- System function and features
- Sensor platforms and modules
- Director platforms
- Cisco Secure IDS and the PostOffice protocol
System Function and Features
Cisco Secure IDS is network-based IDS that compares network traffic against known intrusive signatures to define network attacks. It is composed of two major components:
- Sensor
- Director platform
The Cisco Secure IDS communications infrastructure handles communication between these two components and represents another major aspect of Cisco Secure IDS.
The basic Cisco Secure IDS process is as follows (refer to Figure 4-1):
){kind=link}
A sensor captures network packets through its monitoring interface.
Packets are reassembled, if required, and compared against a signature indicating typical intrusion activity.
If an attack is detected, the sensor logs the attack and notifies the Director platform through the command and control interface.
The Director platform displays the alarms, logs the data, and takes action on attacks detected by a sensor.
You can program your sensors to respond in various ways upon alarm detection. This response is configurable based on the severity of the attack discovered. The possible responses are as follows:
- TCP reset
- IP blocking
- IP logging
The TCP reset response essentially kills the current TCP connection from the attacker by sending a TCP reset packet (see Figure 4-2). This response is effective only for TCP-based connections. UDP traffic, for example, is unaffected by TCP reset packets.
){kind=link}
Figure 4-1 Basic Cisco Secure IDS Configuration.
TCP Reset Packets
The Transmission Control Protocol (TCP) provides a connection-oriented communication mechanism. The connection is established through a three-way handshake. To terminate a connection, each side of the connection can send a FIN packet, signaling the end of the connection. It also is possible for one side of the connection to abruptly terminate the connection by sending a TCP reset packet (a packet with the RST flag set) to the other side. The sensor uses this approach to terminate an attacker TCP connection. For a detailed explanation of TCP/IP protocols, refer to TCP/IP Illustrated Volume 1: The Protocols (W. Richard Stevens, Addison-Wesley).
Figure 4-2 TCP Reset Sensor Response.
With the IP blocking option, the sensor updates the access control list (ACL) on the perimeter router to deny all traffic from the offending IP address (see Figure 4-3). This response prevents the attacker from sending any further traffic into the protected network from that specific host. (Refer to Chapter 13, "IP Blocking Configurations," for a detailed description on IP blocking.)
){kind=link}
Note that if an attacker has multiple compromised hosts at his disposal, he can keep launching attacks from machines that have not been blocked yet. Furthermore, some attacks enable the attacker to spoof the source host from which he appears to be coming. Against this type of attack, the IP blocking option is ineffective because the attacker can always choose a new source address for his attack traffic. (Refer to Chapter 1, "Need for Network Security," for more information on different attack methods.)
Figure 4-3 IP Blocking Response.
WARNING
Blocking requires careful review before it is deployed, whether as an automatic response or through operational guidelines for the operators. To implement blocking, the sensor dynamically reconfigures and reloads a Cisco IOS router's ACL. This type of automated response by the sensor needs to be configured only for attack signatures with a low probability of false-positive detection. In case of any suspicious activity that does not trigger automatic blocking, you can use the Director platform to block manually. Cisco Secure IDS can be configured to never block specific hosts or networks. This safety mechanism prevents denial of service (DoS) attacks against the Cisco Secure IDS and other infrastructure components.
Using IP Blocking as a DoS Attack Vehicle
An attacker has a couple of ways in which he can use your own IP blocking response to attack your network. First, he can launch an attack, pretending to be an important host on your network or one of your business partners' networks. When you detect the attack and invoke IP blocking, you generate a DoS against that host. If this host is critical to your network, the DoS significantly disrupts the operation of your network. Another DoS situation is when an attacker launches an attack from a multiuser machine. In this scenario, all users on that machine are blocked, not just the attacker.
The third response, IP logging, records in a session log file what the attacker is doing (see Figure 4-4). This option is passive and does not prevent the attacker from continuing his attack. The logged information provides a record of what the attacker does against the network.
){kind=link}
Figure 4-4 IP Logging Response.
Sensor Platforms and Modules
The sensors form the workhorses of the Cisco Secure IDS. They constantly monitor network traffic looking for potential attacks. Each sensor checks network traffic looking for a match against one of the attack signatures in its signature database.
Each sensor utilizes two network interfaces. One of these two interfaces monitors network traffic; the other is a command and control interface. All communication with the Director platform occurs over the command and control interface. For further information on basic sensor configuration, refer to Chapter 11, "Sensor Configuration Within CSPM."
When network data triggers a signature, the sensor logs the event and sends an alarm notification to the Director platform. Besides notifying the Director platform, the sensor also has several response options. If the attacker is using a TCP connection, the sensor can send a TCP reset to the connection. To completely shut the attacker off from the network, the sensor can block the attacker's IP address by dynamically updating an ACL on a managed Cisco IOS router (IP blocking). The sensor also can log the IP session that triggered the signature. A final response is for an operator to manually block the host or network that generated the alarms. This manual action takes place on the Director platform.
All sensors are hardware appliances that are tuned for optimum performance. The hardware, including CPU and memory, for each appliance provides optimal IDS performance, while maintaining ease of maintenance. To protect the sensors, the appliance's host operating system must be configured securely. Known security vulnerabilities must be patched, and unneeded services removed.
This section covers the following topics:
- 4200 Series Sensors
- IDS module for the Catalyst 6000 family of switches
4200 Series Sensors
The 4200 Series Sensors come in two versions: the IDS-4230 and the IDS-4210. The IDS-4230 is the more powerful of the two sensors and is shown in Figure 4-5. Some of the features of the IDS-4230 are the following:
){kind=link}
- Performance: 100 Mbps
- Processor: Dual Pentium III 600 MHz
- Memory: 512 MB
- Monitoring NIC: FE/SFDDI/DFDDI
Figure 4-5 IDS-4230 Sensor.
The IDS-4210 is a more compact sensor (see Figure 4-6). With the smaller size comes a slimmed down feature set compared to the IDS-4230. The basic features of the IDS-4210 are the following:
){kind=link}
- Performance: 45 Mbps
- Processor: Single Celeron 566 MHz
- Memory: 256 MB
- Monitoring NIC: Ethernet only
Figure 4-6 IDS-4210 Sensor.
Table 4-1 highlights the differences between the 4200 Series Sensors.
Table 4-1 Comparison of 4200 Series Sensors
|
Sensor Characteristic |
IDS-4230 |
IDS-4210 |
|
Performance |
100 Mbps |
45 Mbps |
|
Processor |
Dual Pentium III 600 MHz |
Single Celeron 566 MHz |
|
Memory |
512 MB |
256 MB |
|
Monitoring network interface cards |
10/100 Ethernet Single-attached FDDI Dual-attached FDDI |
10/100 Ethernet |
|
Chassis |
4 U |
1 U |
For detailed information on installation of the 4200 Series Sensors, refer to Chapter 7.
IDS Module for the Catalyst 6000 Family of Switches
The IDS Module (IDSM) for the Catalyst 6000 family of switches is designed specifically to address switched environments by integrating IDS functionality directly into the switch. The IDSM receives traffic right off the switch backplane, thereby combining both switching and security functionality into the same chassis (see Figure 4-7).
){kind=link}
Figure 4-7 Catalyst 6000 IDS Module.
Similar to the 4200 Series Sensors, IDSM detects unauthorized activity on the network and sends alarms to the Director platform, detailing the event. This sensor resides directly in the switch, capturing data directly from the switch's backplane. Two methods of data capture are the following:
- Switch port analyzer (SPAN)
- Virtual LAN access control list
Using a SPAN port enables you to tell the switch to make copies of packets that are destined for certain ports on the switch. VLAN access control lists enable you to define more granular monitoring. This monitoring can be based on specific IP addresses and network services. Furthermore, the IDSM can monitor a full 100 Mbps without impacting switch performance. The monitoring is passive and inspects copies of the packets being monitored. The monitoring is not in the switch-forwarding path.
In addition, the same Director platforms that the 4200 Series Sensors use can monitor IDSM. You can deploy both the 4200 Series Sensors and IDSM on a single network to provide comprehensive coverage of critical subnets, as well as your entire enterprise network.
Some of the major features of IDSM are the following:
- Fully integrated line card
- Multi-VLAN visibility
- Full signature set
- Common configuration and monitoring
- 100 Mbps performance
- No switching performance impact
For detailed information on configuration of IDSM, refer to Chapter 14.
Director Platforms
You can deploy multiple 4200 Series Sensors and IDSMs on your network to provide complete IDS coverage. Manually monitoring the alarms on each of these sensors is inefficient. The Director platforms provide the management software necessary to configure, log, and display alarms generated by sensors efficiently. Furthermore, a single Director platform can consolidate all the alarms from multiple sensors into a single user-friendly interface.
In particular, this section examines the following:
- Director platform features
- Cisco Secure Policy Manager (CSPM) as a Director platform
- Cisco Secure Intrusion Detection Director
- Director platform feature comparison
Director Platform Features
The Director platform supplies a graphical user interface (GUI) through which you can manage your Cisco Secure IDS. The main features of the Director platform follow:
- Alarm display
- Alarm response
- Sensor configuration
Alarm Display
The GUI on the Director platform provides an excellent vehicle to view alarms generated by the various sensors throughout the network. Each alarm displays with a unique color based on the severity of the alarm. You can quickly view all the alarms that are occurring on your network at any time, as well as visually assess their potential damage.
You also can save alarm information in text log files on both the sensor and the Director platform. Logging enables you to easily archive the data, write custom scripts to extract alarm data specific to your site, and monitor attacks using command-line tools, such as the UNIX command tail.
UNIX tail Command
UNIX systems have a tail command, which enables you to display a specified number of lines at the end of a file. By adding the –f option to the tail command, you can continually watch the end of a file. This is especially useful when some program is continually adding data to a specific file. With tail –f, you can watch as data is added to the file. Starting with Cisco Secure IDS version 2.2.1.5, however, the log files are memory-mapped files. This prevents you from using tail –f to view these log files in real time.
Alarm Response
Many of the responses to alarms are configured to occur automatically upon detection of certain intrusive actions. The sensors handle these automatic responses. Sometimes, however, an operator wants to take action based on the alarms that she is viewing on the Director platform. In these situations, the operator can initiate a manual IP blocking response. This response can block a single IP address or entire network. The user initiates this manual response directly on the Director platform.
Remote Sensor Configuration
Both Director platforms enable you to centrally manage the configuration of all the remote sensors under their control. With the Cisco Secure IDS Director for UNIX, the Cisco Secure Configuration Management Utility (nrConfigure) enables you to save different remote sensor configurations and apply them as needed. The Cisco Secure Policy Manager (CSPM) supports remote sensor signature templates that can be shared between remote sensors. (Refer to Chapter 12, "Signature and Intrusion Detection Configuration," for more information on signature templates.) Furthermore, if you change a template, it is automatically applied to all remote sensors referencing it.
Cisco Secure Policy Manager as a Director Platform
Cisco Secure Policy Manager is a Windows NT 4.0-based application that provides scalable, comprehensive security policy management for the following:
- Cisco Secure PIX firewalls
- Cisco IOS routers with the IOS Firewall feature
- Cisco IOS routers with the Cisco Secure Integrated VPN software
- IDS sensors
An entire book can be written on CSPM alone. Staying within the scope of this book, however, this chapter addresses only the use of CSPM as a Director platform for Cisco Secure IDS, where it provides a centralized GUI for intrusion detection management across a distributed network.
CSPM enables you to remotely control all of your sensor configurations. You use the Add Sensor Wizard to define sensors in the Network Topology tree (NTT), and you can use the panels on each sensor node to configure device-specific settings. In addition, you can define sensor signature templates and apply those templates to one or more sensors defined in the NTT. (For more information on signature templates, see Chapter 12.)
Network Topology Tree
CSPM must know the location of the objects on your network with which it must interact and communicate. The Network Topology tree is the vehicle with which you describe your physical network topology. The goal of the NTT is to define all the network objects for which you want to define a unique security policy. The extent to which you define your network topology depends on what you want CSPM to do. In your NTT, you define networks, gateways, and some hosts.
For alarm reporting, CSPM provides a GUI to view real-time alarms as the IDS sensors generate them. This real-time alarm view is accessible using the View Sensor Events option on the Tools menu of the GUI client. (For more information on alarm management, see Chapter 8, "Working with CSIDS Alarms in CSPM.")
For instructions on installing CSPM, see Chapter 6, "Cisco Secure Policy Manager Installation."
Cisco Secure Intrusion Detection Director
Cisco Secure IDS Director for UNIX is an HP OpenView application that runs on Solaris or HPUX, which, like CSPM, provides a centralized GUI for intrusion detection management across a distributed network.
It enables you to centrally manage the configuration of all the sensors reporting to it. The Cisco Secure IDS Configuration Management Utility (nrConfigure) allows different configurations to be saved and applied as needed, enabling you to maintain multiple versions of configurations for each device. You might want to establish one configuration to use during work hours and another for use after work hours. Many situations require the use of multiple configurations.
For alarm reporting, the Director for UNIX provides a GUI to view real-time alarms as they are generated by IDS sensors on an HP OpenView submap. (For instructions on installing the Director for UNIX, see Chapter 15.)
Director Platform Feature Comparison
CSPM and the Director for UNIX differ in many ways other than just the operating system on which they run. Table 4-2 shows a feature comparison of the two Director platforms.
Table 4-2 Director Platform Feature Comparison
|
Director Feature |
CSPM |
Director for UNIX |
|
Severity levels |
Low Medium High |
1 through 5 |
|
Signature templates |
Yes |
No |
|
Configuration versioning |
No |
Yes |
|
Local logging |
Database |
Text file |
|
Configuration versioning |
No |
Yes |
|
Generate SNMP traps |
No |
Yes |
Both Director platforms display the alarms generated by the sensors. Alarm severity in CSPM has three possible levels: Low, Medium, or High. With the Cisco Secure IDS Director for UNIX, alarm severity is a number between 1 and 5. A severity 1 alarm represents the lowest severity, whereas a severity 5 alarm represents the most severe alarm.
When you deploy multiple sensors on your network, you probably want to manage their configurations from your Director platform. With CSPM, you create signature templates for your sensors. These signature templates can be shared between sensors. Furthermore, if you change a template, it is automatically applied to all sensors referencing it. The Cisco Secure IDS Director for UNIX also enables you to save multiple complete configuration versions for the sensors that can be applied as needed through nrConfigure. (For more information on nrConfigure, see Chapter 16, "The Configuration Management Utility (nrConfigure).")
Each Director platform needs to save the alarms generated by your sensors. The logged alarms in CSPM are saved in a database and as text files in the Director for UNIX.
The Cisco Secure IDS Director for UNIX supports two final features that CSPM does not support:
- Configuration versioning
- Generating SNMP traps for alarms
Configuration versioning tracks multiple versions of each sensor configuration. Every time you change a configuration, the current configuration is saved as a previous version. Therefore, if necessary, you can easily roll back to any of these saved configuration versions. When the Cisco Secure IDS Director for UNIX receives alarms, it can also generate SNMP
Cisco Secure IDS and the PostOffice Protocol
The Director platform and sensors must communicate with each other to relay alarms, configurations, messages, and so on. Cisco Secure IDS services communicate with each other by using the PostOffice protocol (not to be confused with e-mail, SMTP, or other mail delivery protocols). These services are the IDS software daemons that exist on the sensors and Director platform. The following are some of the major daemons:
- postofficed
- sapd
- loggerd
- fileXferd
NOTE
These daemons are explained in Appendix B, "Cisco Secure IDS Architecture."
The following sections examine the aspects of the Cisco Secure IDS communications infrastructure:
- PostOffice protocol
- PostOffice features
- PostOffice identifiers
- PostOffice addressing scheme
PostOffice Protocol
The proprietary PostOffice protocol provides a communication vehicle between your sensors and your Director platform. It uses the UDP transport on port 45000. The following types of messages are sent using the PostOffice protocol:
- Command
- Error
- Command log
- Alarm
- IP log
- Redirect
- Heartbeat
PostOffice Features
- Reliability
- Redundancy
- Fault tolerance
Reliability
When a sensor generates an alarm, it transmits this information to the Director platform. The sensor needs to guarantee that the Director received the alarm information. The PostOffice protocol supports guaranteed delivery by requiring an acknowledgment for every message sent (see Figure 4-8). When the sensor sends a message to the Director, the Director must reply with an acknowledgment within a predetermined length of time. If the acknowledgment is not received, the sensor retransmits the message repeatedly until the acknowledgment is received.
){kind=link}
Figure 4-8 PostOffice Protocol Reliability.
Redundancy
In many network topologies, you want a sensor to transmit alarm messages to multiple Directors. Notifying multiple Directors enables you to inform multiple personnel when sensors detect intrusive activity on your network. The PostOffice protocol enables sensors to propagate messages up to 255 destinations (see Figure 4-9). This feature allows for redundant alarm notifications, which ensures that the appropriate personnel are notified when an alarm is received.
){kind=link}
Figure 4-9 PostOffice Protocol Redundancy.
Fault Tolerance
With the PostOffice protocol, you can have up to 255 alternate IP addresses for a single host (see Figure 4-10). These alternate IP addresses represent different network interface cards (NICs) on your multihomed Director. The alternate routing protocol automatically switches to the next IP address on your Director whenever the current connection fails. It also uses a system watchdog to detect when a connection to the preferred IP address is reestablished, at which time the sensor reverts to the primary address.
){kind=link}
Figure 4-10 PostOffice Protocol Fault Tolerance
By placing multiple NICs into your Director, you make it a multihomed system. It can then receive traffic from multiple networks. By configuring the IP addresses for all the NICs into the PostOffice protocol, your sensors can contact your Director via any of the alternate IP addresses. The sensor uses these backup addresses, however, only if the primary address programmed into the sensor is inaccessible.
Using a multihomed Director increases the fault tolerance of your Cisco Secure IDS by increasing availability to the Director. However, using multiple NICs is not the only key to fault tolerance. To obtain the highest fault tolerance, you also need to ensure that multiple paths exist to the different NICs on your Director. Therefore, a single network failure is unlikely to prevent your sensor from communicating with your Director.
Multihomed Systems
Many machines have a single NIC. These machines can send and receive network traffic only through this one interface and are known as single-homed devices. To route traffic between different networks, routers usually have multiple NICs. (At a minimum, a router must have two NICs.) A router is a good example of a multihomed device. Sometimes, you want a regular system, such as a server, to also be multihomed for network accessibility. By placing multiple NICs on your server, you connect that system to multiple networks. Each of these NICs has a separate IP address for the network to which it is connected. Traffic that needs to reach your server can go to any of the IP addresses for the server. If a router fails on one network, users can still reach your server by using another path and network interface. By multihoming your Director, you gain the same fault tolerance by providing multiple paths between your sensors and your Director.
PostOffice Identifiers
){kind=link}
- Host ID
- Organization ID
- Host name
- Organization name
Figure 4-11 Cisco Secure IDS PostOffice Identifiers.
Host ID
Each device with the same organization ID requires a unique host identifier (host ID). The host ID is a numeric value greater than zero for each Cisco Secure IDS device.
Organization ID
An organization identifier (organization ID) groups each collection of Cisco Secure IDS devices. The organization ID, like the host ID, is a numeric value greater than zero. It can be used to group a number of Cisco Secure IDS devices under the same number for easy identification purposes.
Host Name
Each Cisco Secure IDS device is labeled with an alphanumeric identifier. The name chosen is typically one that contains the word sensor or director, which enables you to easily identify the device type.
Organization Name
Each group of Cisco Secure IDS devices is associated with an alphanumeric identifier. The name chosen is typically one that describes the name of the company where the device is installed or the name of the department within the company where the device is installed.
PostOffice Addressing Scheme
Figure 4-12 illustrates an example in which the sensor (20.100) is transmitting a PostOffice message to the Director platform (10.100). The packetd service on the sensor (application ID 10008) generates the alarm message destined for the smid service (application ID 10006) on the Director platform. When the Director receives the alarm message, the Director platform's postofficed service (application ID 10000) sends an acknowledgment (ACK) message to the postofficed service on the sensor (application ID 10000).
){kind=link}
Figure 4-12 PostOffice Addressing Parameters.
Summary
Cisco Secure IDS is a network-based intrusion detection system that uses a signature database to trigger intrusion alarms. Cisco Secure IDS is composed of the following two major components:
- Sensor platform
- Director platform
Interaction between these two components is accomplished via a communication infrastructure based on the proprietary PostOffice protocol.
Each Cisco Secure IDS Sensor has a monitoring interface and a command and control interface. Using the monitoring interface, the sensor compares network traffic against the signatures in its signature database. If unauthorized activity is detected, the sensor uses the command and control interface to inform the Director platform of the activity. Cisco Secure IDS supports two different sensor platforms:
- 4200 Series Sensors
- IDS Module for the Catalyst 6000 family of switches
The 4200 Series Sensors are PC appliances that can be placed at various locations throughout your network. The 4200 Series Sensors come in two varieties: IDS-4210 and IDS-4230.
IDSM is an actual integrated line card that operates directly on the Catalyst switch. It receives packets directly from the switch's backplane. The switch's performance is not impacted, however, because the IDSM operates on copies of the network packets. It is not located in the switch-forwarding path.
All of these sensors communicate with a Director platform that supplies a single GUI management interface for the end user. Cisco Secure IDS currently supports two Director platforms:
- Cisco Secure Policy Manager (CSPM)
- Cisco Secure Intrusion Detection Director
CSPM provides a management interface that supports many different Cisco products. IDS sensors are only one of these products. It runs on the Windows NT operating environment.
Cisco Secure IDS Director for UNIX uses HP OpenView to provide the GUI interface. The base operating system is Solaris or HPUX.
To communicate messages between the Director platform and the sensor platform, Cisco Secure IDS uses a proprietary protocol called the PostOffice protocol. This protocol provides numerous necessary features, such as the following:
- Reliability
- Redundancy
- Fault tolerance
Review Questions
The following questions test your retention of the material presented in this chapter. The answers to the Review Questions are in Appendix K, "Answers to Review Questions."
1. What are the two main components of the Cisco Secure IDS?
2. Is Cisco Secure IDS a network-based IDS?
3. What is intrusion detection?
4. What are the two Cisco Secure IDS Director platforms?
5. What are the features of the PostOffice protocol?
6. What is the IDS triggering mechanism used by Cisco Secure IDS?
7. How many different types of sensor platforms are supported by Cisco Secure IDS?
8. What are the two 4200 Series Sensors?
9. What are the three types of responses that a sensor can perform in reply to an attack?
10. How do Cisco Secure IDS devices communicate with each other?
11. What three identifiers are used to construct a unique addressing scheme for Cisco Secure IDS?
12. Can multiple systems share the same host ID?