© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.13-1 Lesson 3 Intrusion Detection Overview.

Transcript:

Lesson 3: Intrusion Detection Overview

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– Define intrusion detection.
– Explain the difference between true and false, and positive and negative, alarms.
– Describe the relationship between vulnerabilities and exploits.
– Explain the similarities and differences among the various intrusion detection technologies.
– Explain the differences between HIPS and NIDS.
– Describe the benefits of intrusion protection.
– Describe the network Sensors that are currently available and their features.
– Describe the Cisco Security Agent.
– Describe the considerations necessary for selection, placement, and deployment of network intrusion protection.

Intrusion Detection Terminology

Intrusion detection: the ability to detect attacks against networks, including network devices and hosts.

False Alarms
– False positive: a situation in which normal traffic or a benign action causes a signature to fire.
– False negative: a situation in which a signature is not fired although offending traffic is present. An actual attack is not detected.

True Alarms
– True positive: a situation in which a signature fires properly when the offending traffic is detected. An attack is detected as expected.
– True negative: a situation in which a signature is not fired when nonoffending traffic is seen. Normal traffic or a benign action does not cause an alarm.

Vulnerabilities and Exploits

A vulnerability is a weakness that compromises either the security or the functionality of a system:
  – Poor passwords
  – Improper input handling
  – Insecure communication

An exploit is the mechanism used to leverage a vulnerability:
  – Password guessing tools
  – Shell scripts
  – Executable code

Intrusion Detection Technologies

Profile-Based Intrusion Detection
– Also known as anomaly detection: activity deviates from the profile of normal activity.
– Requires creation of statistical user and network profiles.
– Prone to a high number of false positives, because normal activity is difficult to define.

Signature-Based Intrusion Detection
– Also known as misuse detection or pattern matching: matches a pattern of malicious activity.
– Requires creation of signatures.
– Less prone to false positives, depending on the signature's ability to match malicious activity.

Protocol Analysis
– Intrusion detection analysis is performed on the protocol specified in the data stream.
– Examines the protocol to determine the validity of the packet.
– Checks the content of the payload (pattern matching).
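The alarm terminology (false/true positive and negative) and the two detection technologies above can be made concrete by scoring toy detectors against labelled traffic. The following Python example is added here and is not part of the Cisco course material: the connection records, the byte-count baseline and the two signature patterns are all constructed for illustration, and the signature names are invented. It shows the trade-off the slides describe: the signature detector misses the novel attack it has no pattern for (a false negative), while the statistical profile catches it but also fires on a large, legitimate download (a false positive).

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One connection record. The is_attack label is ground truth used only
    for scoring the detectors; a real Sensor never sees it."""
    src: str
    dport: int
    nbytes: int
    payload: bytes
    is_attack: bool


# Constructed sample traffic (not from the course).
FLOWS = [
    Flow("10.0.0.5",   80, 900,   b"GET /index.html HTTP/1.0", False),
    Flow("10.0.0.5",   80, 1100,  b"GET /images/logo.gif HTTP/1.0", False),
    Flow("10.0.0.7",   25, 700,   b"HELO mail.example.test", False),
    Flow("10.0.0.7",   25, 650,   b"MAIL FROM:<a@example.test>", False),
    Flow("10.0.0.9",   80, 1000,  b"GET /cgi-bin/phf?Qalias=x HTTP/1.0", True),  # known pattern
    Flow("10.0.0.9",   80, 950,   b"GET /about.html HTTP/1.0", False),
    Flow("172.16.4.2", 80, 48000, b"GET /download/big.iso HTTP/1.0", False),     # legitimate but unusual
    Flow("172.16.4.2", 80, 52000, b"POST /upload HTTP/1.0", True),               # novel attack, no signature
]

# --- Signature-based (misuse) detection -------------------------------------
# Invented signatures: fire when a known malicious pattern appears in the payload.
SIGNATURES = {
    "WWW phf attack": b"/cgi-bin/phf",
    "WWW cmd.exe access": b"cmd.exe",
}


def signature_detect(flow: Flow) -> bool:
    return any(pattern in flow.payload for pattern in SIGNATURES.values())


# --- Profile-based (anomaly) detection --------------------------------------
# Constructed baseline: byte counts observed during a "normal" training period.
BASELINE_BYTES = [900, 1100, 700, 650, 1000, 950, 800, 1200]


def build_profile(samples, k=2.0):
    """Statistical profile of normal activity: mean, standard deviation, and
    the number of deviations beyond which a flow counts as anomalous."""
    return mean(samples), pstdev(samples), k


PROFILE = build_profile(BASELINE_BYTES)


def profile_detect(flow: Flow, profile=PROFILE) -> bool:
    mu, sigma, k = profile
    return abs(flow.nbytes - mu) > k * sigma


# --- Scoring: classify every verdict as TP / FP / FN / TN -------------------
def score(detector, flows) -> dict:
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for f in flows:
        fired = detector(f)
        if fired and f.is_attack:
            counts["TP"] += 1   # fired on an attack, as expected
        elif fired:
            counts["FP"] += 1   # benign traffic caused the detector to fire
        elif f.is_attack:
            counts["FN"] += 1   # attack present, nothing fired
        else:
            counts["TN"] += 1   # benign traffic, no alarm
    return counts


if __name__ == "__main__":
    for name, det in (("signature", signature_detect), ("profile", profile_detect)):
        print(f"{name:9s} {score(det, FLOWS)}")
```

With the constructed data the signature detector scores one true positive, one false negative and no false positives, while the profile detector scores one true positive, one false positive and one false negative; tuning the profile threshold k moves alarms between the FP and FN columns, which is the tuning problem the "difficult to define normal activity" bullet refers to.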

Responsive/Reactive IDS

IDSs can respond to an attack in any of the following ways:
– Terminate the session (TCP resets)
– Block the offending traffic (ACL)
– Create session log files (IP logging)
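The three response types above are usually driven by a policy that maps alarm severity to actions, and blocking in particular needs bookkeeping: blocks expire, and some addresses (management hosts, DNS servers) must never be cut off. The following Python example is added here and is not Cisco's code: the severity-to-response policy, the never-block list, the 30-minute block lifetime, the alarm records and the signature IDs are all constructed assumptions. Blocks are rendered as IOS-style extended ACL entries for illustration only; the real Sensor's blocking feature is configured separately.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alarm:
    """Constructed alarm record handed to the responder by the Sensor."""
    sig_id: int
    name: str
    severity: str      # "low", "medium" or "high"
    src: str
    dst: str
    dport: int


# Assumed policy: which of the three response types each severity earns.
RESPONSE_POLICY = {
    "high":   ("reset", "block", "log"),
    "medium": ("log",),
    "low":    (),
}


@dataclass
class Responder:
    never_block: frozenset           # addresses a block must never cut off (assumption)
    block_seconds: int = 1800        # assumed block lifetime
    blocks: dict = field(default_factory=dict)   # src ip -> expiry timestamp
    ip_logs: list = field(default_factory=list)  # (time, sig_id, src, dst) records

    def handle(self, alarm: Alarm, now: float) -> list:
        """Apply the policy to one alarm; returns the actions taken."""
        taken = []
        for action in RESPONSE_POLICY.get(alarm.severity, ()):
            if action == "reset":
                # TCP reset: tear down the offending session (modelled, not sent)
                taken.append(f"reset {alarm.src}->{alarm.dst}:{alarm.dport}")
            elif action == "block":
                if alarm.src in self.never_block:
                    taken.append(f"block skipped (never-block) {alarm.src}")
                else:
                    self.blocks[alarm.src] = now + self.block_seconds
                    taken.append(f"block {alarm.src} for {self.block_seconds}s")
            elif action == "log":
                # IP logging: record the session for later analysis
                self.ip_logs.append((now, alarm.sig_id, alarm.src, alarm.dst))
                taken.append(f"log {alarm.src}")
        return taken

    def active_blocks(self, now: float) -> list:
        """Drop expired blocks and return the addresses still blocked."""
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        return sorted(self.blocks)

    def acl_lines(self, now: float, acl_number: int = 199) -> list:
        """Render active blocks as IOS-style ACL entries (illustrative)."""
        return [f"access-list {acl_number} deny ip host {ip} any"
                for ip in self.active_blocks(now)]


if __name__ == "__main__":
    r = Responder(never_block=frozenset({"192.0.2.10"}))
    print(r.handle(Alarm(1001, "TCP SYN flood", "high", "198.51.100.7", "192.0.2.20", 80), now=1000.0))
    print(r.acl_lines(now=1500.0))
```

Passing the clock in as a parameter rather than reading it inside the class keeps expiry behaviour testable; the never-block check runs before the block is recorded so that a spoofed alarm cannot be used to make the responder cut off its own management path.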

Network-Based Intrusion Detection Systems

NIDS Features
– Sensors are connected to network segments. A single Sensor can monitor many hosts.
– Growth of a network is easily protected: new hosts and devices can be added to the network without additional Sensors.
– The Sensors are network appliances tuned for intrusion detection analysis.
  – The operating system is hardened.
  – The hardware is dedicated to intrusion detection analysis.

[Diagram: NIDS deployment. Elements shown: untrusted network, router, firewall, NIDS Sensors, and the corporate network with its management server, DNS server, and WWW server.]

Host-Based Intrusion Prevention System

HIPS Features
– Agent software installed on each host
– Provides individual host detection and protection
– Does not require special hardware

[Diagram: HIPS deployment. Agents run on the DNS server, WWW server, SMTP server, and application server on the corporate network behind the firewall; a HIPS Console manages the Agents.]

Intrusion Protection Benefits

Intrusion protection provides:
– Enhanced security over classic technologies
– Advanced technology to address the changing threat
– Increased resiliency of e-business systems and applications
– Effective mitigation of malicious activity and insider threats
– Broad visibility into the corporate data stream
– Greater protection against known and unknown threats

Active Defense System

A complete intrusion protection solution focuses on the following:
– Detection: identify malicious attacks on network and host resources.
– Prevention: stop the detected attack from executing.
– Reaction: immunize the system against future attacks from a malicious source.

Cisco IDS Solution: Active Defense System
– Network Sensors: overlaid network protection
– Switch Sensors: integrated switch protection
– Router Sensors: integrated router protection
– Firewall Sensors: integrated firewall protection feature
– Host Agents: server and desktop protection
– Comprehensive management: robust system management and monitoring

Defense in Depth: A Layered Solution

Host-focused technology:
– Application-level encryption protection
– Policy enforcement (resource control)
– Web application protection
– Buffer overflow

Network-focused technology:
– Network attack and reconnaissance detection
– DoS detection

Network Sensor Platforms

Network Sensor Features
– Active responses
  – TCP resets
  – IP session logging
  – Blocking
– Active updates
  – Regular, automated updates
  – Cisco Countermeasures Research Team (C-CRT)
– Signature language
  – Allows customers to write their own signatures
– Analysis support
  – Integrated Network Security Database (NSDB), maintained by C-CRT

[Figure: Cisco IDS Family, plotted by performance (Mbps) against network media. Platforms shown: IDS 4215, IDS 4235, IDS 4250, IDS 4250 XL, IDSM-2, and the IDS Network Module; media shown: 10/100 TX, 10/100/1000 TX, 1000 SX, and switched 10/100/1000 TX. The performance values did not survive in this transcript.]

Network Sensor: Cisco 4200 Series Appliance
– Appliance solution focused on protecting network devices, network services, and applications
– Sophisticated attack detection
  – Network attacks
  – Application attacks
  – DoS attacks
  – Fragmented attacks
  – Whisker anti-IDS protection
– Active responses
  – Blocking
  – TCP resets
  – IP logging

Switch Sensor: Cisco Catalyst 6500 IDSM-2
– Switch-integrated intrusion protection module delivering a high-value security service in the core network fabric device
– Designed specifically to address switched environments by integrating the IDS functionality directly into the switch and taking traffic right off the switch backplane
– No impact on switch performance
– Supports an unlimited number of VLANs
– Runs the same code as the Sensor appliance

Router Sensor: IDS Network Module for Access Routers
– Integrates IDS into the 2600XM, 2691, 3660, 3725, and 3745 access router platforms
– Provides full-featured intrusion protection
– Able to monitor traffic from all router interfaces
– Able to inspect GRE/IPSec traffic that has been decrypted at the router
– Delivers comprehensive intrusion protection at branch offices, isolating threats from the corporate network
– Runs the same code as the Sensor appliances

Router Sensor: Cisco IOS IDS
– Router IDS technology targeted at lower-risk environments
– Software: Cisco IOS Software Release 12.0(5)T and later
– Platforms: 830, 1700, 2600, 3600, 7100, 7200, 7500, and RSM Series routers
– Signatures: 100
– Syslog or PostOffice alarming
– Responses: drop, block, and reset

Firewall Sensor: PIX Firewall IDS
– Firewall-integrated intrusion detection technology targeted at lower-risk environments
– Software: PIX Firewall v5.2 and later
– Platforms: PIX 501, 506E, 515E, 525, and 535 Firewalls
– Signatures: 57
– Syslog alarming
– Responses: drop and reset

Host-Based Intrusion Protection System

Cisco Security Agent Features
– Active protection
  – Protects the application and operating system against known and unknown attacks
  – Prevents access to server resources before unauthorized activity occurs
  – Uses behavior-based technology
– Consists of two products
  – Agents
  – Management Center
– Automatic Agent deployment
  – Up to 5,000 Agents
  – Transparent to end users
– Active update capabilities: security policy and software updates are propagated to Agents without operator intervention
– 5–10% Agent CPU overhead

Cisco Security Agent Architecture

[Diagram: reference model with an Application Layer (HTTP web server, custom web apps, desktop/server suite, instant messaging clients), an O/S Layer, and a Device Layer (hardware I/O). The Agent's intrusion protection sits in the kernel and intercepts activity through shims: NDIS, system call, registry, file system, TDI, and a COM interceptor.]
– Windows and Solaris platforms
– Server and desktop Agents
– Malicious mobile code protection and operating system lockdown in one Agent
– Default and customizable policies
– Approximately 2% CPU overhead
– Buffer overflow protection
– Web server protection
– Instant messenger security
– Comprehensive kernel interceptor shims
– Low computational overhead

CSA Aggregates Multiple Endpoint Security Functions

[Table: for each function below, the slide marks which of CSA, a conventional distributed firewall, and a conventional HIDS provide it; the column marks did not survive in this transcript.]
– Desktop/laptop protection
– Block incoming network requests
– Block outgoing network requests
– Stateful packet analysis
– Detect/block port scans
– Detect/block network DoS attacks
– Detect/prevent malicious applications
– Detect/prevent known buffer overflows
– Detect/prevent unknown buffer overflows
– Detect/prevent unauthorized file modification
– Operating system lockdown

Sensor Appliances

Cisco 4215 Sensor
– Front panel: monitoring NIC LED, power LED, command and control NIC LED
– Back panel: monitoring interface, command and control interface, console access, optional monitoring interfaces

Cisco 4235 Sensor
– Front panel: monitoring NIC LED, command and control NIC LED
– Back panel: video monitor, keyboard, monitoring interface, command and control interface, console access, optional 4-port Fast Ethernet interface

Cisco 4250 Sensor
– Front panel: monitoring NIC LED, command and control NIC LED
– Back panel: video monitor, keyboard, monitoring interface, command and control interface, console access, optional 1000BASE-SX or accelerated 1000BASE-SX (XL) interface, optional 4-port Fast Ethernet interface

Cisco 4250-XL Sensor
– Front panel: monitoring NIC LED, command and control NIC LED
– Back panel: reset interface, command and control interface, keyboard, video monitor, console access, monitoring interface

Cisco IDS XL Card

Deploying Cisco IDS

Sensor Selection Factors
– Network media: Ethernet, Fast Ethernet, and Gigabit Ethernet
– Intrusion detection analysis performance: bits per second
– Network environment: T1/E1, switched, multiple T3/E3, OC-12, and Gigabit

Sensor Deployment Considerations
– Number of Sensors
– Sensor placement
– Management and monitoring options
– External Sensor communications

Deployment of Sensors

[Diagram: a corporate office with a data center, DMZ servers, users, and a NAS, connected to the Internet, to remote-access users, and to a business partner.]
– Remote access protection (NIDS): hardens perimeter control by monitoring remote users
– Intranet and internal protection (NIDS/HIPS): protects data centers and critical systems from internal threats
– Server farm protection (HIPS): protects e-business servers from attack and compromise
– Internet protection: complements firewalls and VPNs by monitoring traffic for malicious activity
– Extranet protection (NIDS): monitors partner traffic where trust is implied but not assured
– CTR: eliminates false alarms, escalates real attacks, and aids remediation of costly intrusions

Sensor Placement

[Diagram: attacker on the Internet, firewall, DMZ, and inside network, with one Sensor outside the firewall and one inside.]

Sensor on the outside (outside the firewall):
– Sees all traffic destined for your network
– High probability of false positives
– Does not detect internal attacks

Sensor on the inside (behind the firewall):
– Sees only traffic permitted by the firewall
– Lower probability of false positives
– Alarms require immediate response
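The placement trade-off above can be shown by running the same signatures over the same packets from both vantage points. The following Python example is added here and is not part of the course: the firewall policy, the three signatures, the addresses and the packets are all constructed for illustration. The outside Sensor raises an alarm for the probe the firewall drops anyway, which is the extra alert load the slide calls a high probability of false positives; the inside Sensor alarms only on traffic that actually reached a protected host, which is why those alarms demand immediate response.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet from the untrusted network."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Assumed firewall policy: only HTTP to the WWW server and SMTP to the mail
# relay are permitted in from the Internet; everything else is dropped.
PERMITTED = {("192.0.2.80", 80), ("192.0.2.25", 25)}


def firewall_permits(pkt: Packet) -> bool:
    return (pkt.dst, pkt.dport) in PERMITTED


# Invented signatures: (destination port, payload pattern).
SIGNATURES = {
    "WWW phf attack":      (80, b"/cgi-bin/phf"),
    "Telnet root attempt": (23, b"root"),
    "SMTP VRFY probe":     (25, b"VRFY"),
}


def match_signatures(pkt: Packet) -> list:
    return [name for name, (port, pat) in SIGNATURES.items()
            if pkt.dport == port and pat in pkt.payload]


def alarms_by_placement(packets) -> dict:
    """Alarms an outside Sensor (sees every packet arriving from the Internet)
    and an inside Sensor (sees only what the firewall forwarded) would raise."""
    outside, inside = [], []
    for pkt in packets:
        for name in match_signatures(pkt):
            outside.append((name, pkt.src))
            if firewall_permits(pkt):
                inside.append((name, pkt.src))
    return {"outside": outside, "inside": inside}


# Constructed traffic: two probes that reach permitted services, one telnet
# probe the firewall drops, and one ordinary web request.
PACKETS = [
    Packet("198.51.100.7", "192.0.2.80", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0"),
    Packet("198.51.100.7", "192.0.2.50", 23, b"login: root"),
    Packet("198.51.100.9", "192.0.2.25", 25, b"VRFY postmaster"),
    Packet("203.0.113.4",  "192.0.2.80", 80, b"GET /index.html HTTP/1.0"),
]

if __name__ == "__main__":
    for placement, alarms in alarms_by_placement(PACKETS).items():
        print(f"{placement}: {alarms}")
```

The outside vantage point is still useful, since it shows who is probing the perimeter and whether the firewall policy is holding, but its alarm volume has to be triaged with that in mind; the inside Sensor's shorter list is the one to page someone for.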

Summary
– Intrusion detection is the ability to detect attacks against networks, including network devices and hosts.
– Exploits leverage vulnerabilities associated with a system.
– False positive alarms can be triggered by normal network activity.
– True positive alarms are signatures that are triggered as expected.
– A HIPS provides individual host protection and detection.
– A NIDS provides broader protection by monitoring network segments.
– The Cisco intrusion protection technology includes intrusion detection and security scanning.
– The features of an active defense system are detecting, protecting, and reacting.
– A defense-in-depth security solution uses multiple layers of security to provide protection beyond a single device or technology.
– Selection of network Sensors depends on the following factors: network media, intrusion detection analysis performance, and network environment.
– Sensor deployment considerations include the number of Sensors needed, Sensor placement, management and monitoring options, and external Sensor communications.