13-1. IDS Overview

IDSs are used to inspect traffic on a network, examining activity from hosts to detect malicious behavior. IDS sensors maintain a database of signatures that are used as templates to discover such activity taking place. The signatures are uniquely numbered and define a type of traffic, a pattern of traffic, or a complex sequence of events that make up known exploits. For a complete list of signature ID numbers, see section 13-4, "IDS Sensor Signature List."

IDS signatures are divided into two categories:
- Info signatures: Information-gathering techniques used by potentially malicious users. These can include ping sweeps to discover active hosts, port sweeps to discover active applications, and so on.
- Attack signatures: Techniques to push traffic into a protected network, to deny a service, or to compromise the protected hosts.

IDS signatures are also labeled by the method they use to match malicious traffic:
- Atomic signatures: Activity can be detected in a single or simple operation, often from a single packet.
- Compound signatures: Activity can be discovered only through a more complex analysis of many packets, traffic from several sources, a combination of protocols or operations, and so on.

When an IDS sensor is configured with a set of signatures and audit policies, it begins producing results based on the inspected traffic. The IDS actions generally produce the following types of results:
- True positives: Malicious activity is correctly detected and flagged as such.
- True negatives: Normal or expected activity is not flagged as malicious activity. In other words, only legitimate traffic is seen and recognized as such.
- False positives: Legitimate network activity is flagged as an intrusion or as malicious activity.
- False negatives: An actual intrusion, attack, or malicious activity is not detected.
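The atomic/compound distinction and the four result types above are easiest to see with a toy sensor run over labeled traffic. The following example is added here and is not code from the book or from Cisco; the signature numbers, packet records, thresholds, and traffic sample are all constructed for illustration. It implements one atomic signature (a match on a single ICMP redirect packet) and one compound signature (a TCP port sweep, which can only be recognized after several packets from the same source), then scores each packet against its ground-truth label. Note that the first few packets of a sweep are necessarily false negatives, because a compound signature cannot fire until enough evidence has accumulated, and that a legitimate host touching many ports in a short window produces a false positive.

```python
"""Toy IDS sensor: one atomic and one compound signature, plus result scoring.
Added example, not the book's or Cisco's code. Signature IDs are constructed
placeholders, not entries from the Cisco signature list."""
from collections import defaultdict
from dataclasses import dataclass

SIG_ATOMIC_ICMP_REDIRECT = 9001   # constructed ID: single-packet match
SIG_COMPOUND_PORT_SWEEP = 9002    # constructed ID: multi-packet match


@dataclass(frozen=True)
class Packet:
    ts: float                 # arrival time in seconds
    src: str
    dst: str
    proto: str                # "icmp" or "tcp"
    dport: int = 0            # TCP destination port
    icmp_type: int = 0        # ICMP type (5 = redirect, 8 = echo request)
    malicious: bool = False   # ground-truth label, used only for scoring


class ToySensor:
    """Inspects packets in order; keeps per-source state for the sweep signature."""

    def __init__(self, sweep_ports: int = 5, window: float = 2.0):
        self.sweep_ports = sweep_ports          # distinct ports that count as a sweep
        self.window = window                    # seconds of history to consider
        self.seen = defaultdict(list)           # src -> [(ts, dport), ...]

    def inspect(self, pkt: Packet) -> list:
        """Return the signature IDs fired by this packet (possibly none)."""
        fired = []
        # Atomic signature: decided from this one packet alone.
        if pkt.proto == "icmp" and pkt.icmp_type == 5:
            fired.append(SIG_ATOMIC_ICMP_REDIRECT)
        # Compound signature: needs the source's recent history.
        if pkt.proto == "tcp":
            hist = [(t, p) for t, p in self.seen[pkt.src] if pkt.ts - t <= self.window]
            hist.append((pkt.ts, pkt.dport))
            self.seen[pkt.src] = hist
            if len({p for _, p in hist}) >= self.sweep_ports:
                fired.append(SIG_COMPOUND_PORT_SWEEP)
        return fired


def score(packets, sensor: ToySensor = None) -> dict:
    """Run the sensor over labeled packets and count TP/TN/FP/FN per packet."""
    sensor = sensor or ToySensor()
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for pkt in packets:
        alarmed = bool(sensor.inspect(pkt))
        if alarmed and pkt.malicious:
            counts["TP"] += 1
        elif alarmed and not pkt.malicious:
            counts["FP"] += 1
        elif not alarmed and pkt.malicious:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


def rates(counts: dict) -> dict:
    """Precision (how trustworthy an alarm is) and recall (how much is caught)."""
    alarms = counts["TP"] + counts["FP"]
    attacks = counts["TP"] + counts["FN"]
    return {
        "precision": counts["TP"] / alarms if alarms else 0.0,
        "recall": counts["TP"] / attacks if attacks else 0.0,
    }


# Constructed sample traffic, in arrival order (addresses are placeholders).
SAMPLE_TRAFFIC = [
    Packet(0.0, "10.1.1.5", "10.2.2.10", "tcp", dport=80),                 # normal web hit
    Packet(0.1, "10.1.1.5", "10.2.2.10", "icmp", icmp_type=8),             # normal ping
    Packet(0.2, "10.9.9.9", "10.2.2.1", "icmp", icmp_type=5, malicious=True),  # redirect
] + [
    # Port sweep: six ports from one source within two seconds.
    Packet(1.0 + i / 10, "10.7.7.7", "10.2.2.10", "tcp", dport=p, malicious=True)
    for i, p in enumerate((21, 22, 23, 25, 80, 110))
] + [
    Packet(3.0, "10.1.1.5", "10.2.2.10", "tcp", dport=443),                # normal, old history aged out
] + [
    # Legitimate monitoring host that polls five services quickly: a false positive.
    Packet(5.0 + i / 10, "10.1.1.6", "10.2.2.10", "tcp", dport=p)
    for i, p in enumerate((22, 25, 80, 443, 3306))
]

if __name__ == "__main__":
    c = score(SAMPLE_TRAFFIC)
    print(c, rates(c))
```

Tuning the sweep threshold and window trades false positives against false negatives; the scoring function makes that trade-off measurable before a policy is deployed.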
You can configure Cisco firewall and router IDS sensors to take any of the following actions when network activity matches a signature, as discussed in this chapter:
- Generate an alarm by sending a message to an IDS activity collector
- Drop offending packets that are involved with the matched signature
- Reset offending TCP connections that match the signature

Cisco Embedded IDS Sensor Availability

Cisco firewalls offer the embedded IDS sensor feature beginning with PIX OS release 6.0. Firewalls have a database of 57 signatures built into the operating system software.

Cisco routers offer the embedded IDS sensor feature only in releases containing the IOS Firewall feature set. Cisco IOS software Releases 12.2(11)YU and earlier have a database of 59 signatures built into the image. IOS Releases 12.2(15)T and later have 42 additional signatures, for a total of 101.

Because the embedded IDS sensors have signatures built into a static database, the only way to add more signatures is to download a new software release that contains the new signatures. There is currently no way to update the signature database through a dynamically downloadable module.

However, several Cisco products can have a dedicated IDS module added to them. Although they are not covered in this book, these modules offer much greater IDS performance and a richer signature database (currently approximately 1000 signatures), each running the Cisco IDS Sensor 4.x software. For example, the following IDS modules are available:
- Cisco IDS 4200 Sensor series appliances
- Catalyst 6500 IDSM-2 module
- Cisco IDS Network Module for the Cisco 2600XM, 3660, and 3700 series routers
- Cisco Security Services Module (SSM) for the ASA 5500 Adaptive Security Appliance series

IDS Alarms

Cisco embedded firewall and router IDS sensors can send alarms through the following mechanisms:

Syslog: A standards-based protocol used to send system logging messages to a Syslog server.
Syslog has the following attributes:
- Syslog servers are hosts that run applications for collecting, archiving, and analyzing incoming Syslog messages.
- Syslog uses UDP port 514 (the default) or TCP port 1468.
- Both Cisco firewall and router IDS sensors can send alarms over Syslog.
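Because Syslog is the one alarm channel both the firewall and the router sensors share, a small collector that separates IDS alarms from ordinary log traffic is a useful defender-side tool. The example below is added here and is not code from the book or from Cisco. It parses the `<PRI>` prefix of a BSD-style Syslog datagram into facility and severity, pulls out an `IDS:<signature number>` token and the `from ... to ...` addresses, and tallies alarms per signature. The sample datagrams, message IDs, signature numbers, hostnames, and addresses are constructed for illustration; the exact wording of a real sensor's alarm messages should be taken from the device's own system log message documentation, not from this sample. The `run_collector` function binds a UDP socket on the Syslog port (514 by default, which normally requires privileges) and is not exercised by the offline sample.

```python
"""Minimal Syslog collector for IDS alarms. Added example; not the book's or
Cisco's code. Sample datagrams and their contents are constructed."""
import re
import socket
from collections import Counter

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# <PRI> followed by the rest of the message (BSD-style Syslog, RFC 3164 framing).
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)
# Constructed alarm body layout: "IDS:<sig> <text> from <src> to <dst> on interface <if>"
_IDS_RE = re.compile(r"IDS:(\d+)\s+(.*?)\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+on interface\s+(\S+))?")


def parse_syslog(raw: bytes) -> dict:
    """Decode one datagram. Returns a dict with 'malformed': True if no <PRI> is present."""
    m = _PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        return {"malformed": True, "raw": raw}
    pri = int(m.group(1))
    body = m.group(2).decode("utf-8", errors="replace").strip()
    rec = {
        "malformed": False,
        "facility": pri // 8,                 # e.g. 16..23 are local0..local7
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "body": body,
        "signature": None,
    }
    ids = _IDS_RE.search(body)
    if ids:
        rec.update(
            signature=int(ids.group(1)),
            description=ids.group(2),
            src=ids.group(3),
            dst=ids.group(4),
            interface=ids.group(5),
        )
    return rec


def summarize(datagrams) -> dict:
    """Count IDS alarms per signature, plus non-IDS and malformed datagrams."""
    alarms, non_ids, malformed = Counter(), 0, 0
    for raw in datagrams:
        rec = parse_syslog(raw)
        if rec["malformed"]:
            malformed += 1
        elif rec["signature"] is None:
            non_ids += 1
        else:
            alarms[rec["signature"]] += 1
    return {"alarms": dict(alarms), "non_ids": non_ids, "malformed": malformed}


def run_collector(port: int = 514, bind_addr: str = "0.0.0.0"):
    """Receive Syslog datagrams on UDP and print the IDS alarms as they arrive."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            raw, (peer, _) = sock.recvfrom(65535)
            rec = parse_syslog(raw)
            if not rec["malformed"] and rec["signature"] is not None:
                print(f"{peer}: sig {rec['signature']} {rec['description']} "
                      f"{rec['src']} -> {rec['dst']} ({rec['severity_name']})")


# Constructed sample datagrams (facility local1 = 17; 17*8+4 = 140, 17*8+6 = 142).
SAMPLE_DATAGRAMS = [
    b"<140>Mar 10 12:00:01 fw1 %PIX-4-400013: IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    b"<142>Mar 10 12:00:02 fw1 %PIX-6-302013: Built inbound TCP connection for outside:10.4.1.9/4021",
    b"<140>Mar 10 12:00:03 fw1 %PIX-4-400023: IDS:3042 TCP FIN only flags from 10.4.1.9 to 10.2.1.5 on interface outside",
    b"<140>Mar 10 12:00:04 fw1 %PIX-4-400013: IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    b"not a syslog datagram at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_DATAGRAMS))
```

The parser deliberately treats a missing or out-of-range `<PRI>` as malformed rather than guessing, so junk sent to the collector port is counted instead of silently dropped or misfiled as an alarm.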
Post Office: A proprietary protocol used by legacy Cisco IDS appliances (sensors) and manager applications (collectors). Post Office has the following attributes, layered over existing IP addressing:
- All sensor and collector components are assigned an organization ID number.
- Each component is assigned a host ID number that is unique within the organization ID.
- Sensors and collectors within the same organization ID maintain connections with each other. Heartbeat packets are exchanged to determine the connection state.
- A sensor can be configured with up to 255 different "routes" to reach collectors. Each Post Office route is a unique combination of sensor and collector IP addresses. If one collector is unreachable, the sensor moves to the next lower-priority route entry.
- Sensors can also act as collection proxies; Post Office messages can be collected from other sensors and relayed to remote collectors if needed. (This applies to IDS sensor appliances but not to the firewall and router IDS sensors.)
- By default, IDS components use UDP port 45000 for Post Office message exchanges.
- Only Cisco router IDS sensors can use Post Office to send alarms; firewalls cannot.
NOTE: The CiscoWorks Management Center for IDS Sensors (IDS MC) is a different application module within the VPN/Security Management Solution (VMS) suite. This application is suited to manage and monitor only full-blown IDS sensor appliances and switch and router IDS modules. IDS MC is not suited for embedded firewall or router IOS IDS sensors.

Figure 13-1 shows how IDS sensors can be dispersed across a network, each sending alarms to centralized Syslog or Post Office collector servers. Notice that the router IOS IDS sensor can send alarms to Syslog servers, to CiscoWorks VMS servers, or both. The Cisco IDS sensor appliance (not covered in this book) has a more robust signature database and can be fully managed by CiscoWorks VMS. The Cisco firewall IDS sensors can send alarms only to Syslog servers.

Figure 13-1. Basic Alarm Communication by IDS Sensors
Both Cisco routers and firewalls with embedded or integrated IDS sensors can send Syslog alerts to a CiscoWorks Security Information Management Solution (SIMS) server. SIMS is a product that can collect, aggregate, and correlate security event information from a wide variety of sources. In effect, you can use SIMS as a central resource for monitoring and analyzing suspicious network activity.

NOTE: Cisco has two basic types of IDS sensors:
- A hardware appliance or module that acts as a passive "eavesdropping" device. Traffic doesn't pass through these sensors; rather, the sensor listens to all traffic on its network and takes action based on signatures that are matched. These sensors can also interact with routers and firewalls so that malicious hosts can immediately be blocked as soon as their activity is discovered.
- Embedded IDS sensors, found within firewall and router "IOS firewall" operating system code. Traffic must pass through these devices to be inspected because of their normal operation. Therefore, these sensors cannot be passive.