© 2001, Cisco Systems, Inc. CSIDS 2.03-1 Chapter 3 Intrusion Detection and the Cisco Secure Intrusion Detection System Environment.

Transcript:


Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Define intrusion detection.
- Name the differences between profile-, signature-, host-, and network-based intrusion detection.
- Describe the CSIDS functions and features.

Objectives (cont.)
- Name all CSIDS Sensor platform models and describe their features.
- Name all CSIDS Director platforms and describe their features.
- List the functions and features of the PostOffice protocol.
- Name and define the two parts of the PostOffice protocol addressing scheme.

Intrusion Detection Basics

Intrusion Detection
- The ability to detect attacks against networks
- Three types of network attacks:
  - Reconnaissance (probing hosts and services, for example port sweeps)
  - Access (gaining unauthorized access to systems or data)
  - Denial of service (exhausting a host's or network's resources)

Profile-Based Intrusion Detection
- Also known as anomaly detection
  - Activity that deviates from a profile of normal activity is reported
- Requires creation of statistical user profiles
- Prone to a high number of false positives
  - Difficult to define normal activity, so legitimate but unusual bursts trigger alarms

Signature-Based Intrusion Detection
- Also known as misuse detection
  - Matches patterns of known malicious activity
- Requires creation of misuse signatures
- Less prone to false positives
  - Accuracy depends on the signature's ability to match the malicious activity
- Cannot detect activity for which no signature exists (false negatives), so the signature set must be kept current
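To make the trade-off between the two approaches concrete, here is an added Python example (not Cisco code and not part of the original slides) that runs a toy signature engine and a toy profile-based detector over constructed traffic records. The signature names, thresholds, and the sample IP addresses are assumptions chosen for illustration; the traffic mirrors the three attack types named above plus one legitimate burst that only the anomaly detector complains about.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed traffic records for the example: (minute, src_ip, dst_port, payload).
# These are not captured packets; they are built to exercise both detectors.
RESOLVER_RATE = [1, 2, 3, 2, 2, 1, 3, 2, 2, 2]          # packets/minute, mean 2.0
NORMAL_WINDOW = []
for minute in range(10):
    NORMAL_WINDOW += [(minute, "10.1.1.5", 80, "GET /index.html")] * 4
    NORMAL_WINDOW += [(minute, "10.1.1.6", 53, "A? www.example.com")] * RESOLVER_RATE[minute]

OBSERVED_WINDOW = (
    [(0, "10.1.1.5", 80, "GET /index.html")] * 4                                   # normal web client
    + [(0, "192.0.2.9", port, "SYN") for port in (21, 22, 23, 25, 110, 143)]       # reconnaissance
    + [(0, "192.0.2.9", 80, "GET /cgi-bin/../../etc/passwd")]                     # access attempt
    + [(0, "10.1.1.6", 53, "A? www.example.com")] * 40                             # legitimate burst
    + [(0, "198.51.100.7", 80, "GET /")] * 300                                    # denial of service
)

# --- Signature-based (misuse) detection -------------------------------------
CONTENT_SIGNATURES = {
    "HTTP directory traversal": re.compile(r"\.\./"),
}
SWEEP_PORT_THRESHOLD = 5      # distinct destination ports from one source within a minute
FLOOD_PACKET_THRESHOLD = 200  # packets from one source to one port within a minute


def signature_detect(events):
    """Fire only on known patterns: a content match or a stateful threshold."""
    alarms = set()
    ports_per_source = defaultdict(set)
    volume = Counter()
    for minute, src, port, payload in events:
        for name, pattern in CONTENT_SIGNATURES.items():
            if pattern.search(payload):
                alarms.add((name, src))
        ports_per_source[(minute, src)].add(port)
        volume[(minute, src, port)] += 1
    for (_, src), ports in ports_per_source.items():
        if len(ports) >= SWEEP_PORT_THRESHOLD:
            alarms.add(("TCP port sweep", src))
    for (_, src, _), n in volume.items():
        if n >= FLOOD_PACKET_THRESHOLD:
            alarms.add(("Flood", src))
    return sorted(alarms)


# --- Profile-based (anomaly) detection --------------------------------------
def build_profile(events):
    """Learn mean and standard deviation of packets per minute for each source."""
    per_minute = Counter((minute, src) for minute, src, _, _ in events)
    samples = defaultdict(list)
    for (_, src), n in per_minute.items():
        samples[src].append(n)
    return {src: (statistics.mean(v), statistics.pstdev(v)) for src, v in samples.items()}


def anomaly_detect(profile, events, k=3.0):
    """Flag a source whose rate exceeds mean + k*stdev, or that has no learned profile."""
    per_minute = Counter((minute, src) for minute, src, _, _ in events)
    alarms = set()
    for (_, src), n in per_minute.items():
        if src not in profile:
            alarms.add((src, n, "no profile"))
        else:
            mean, sd = profile[src]
            if n > mean + k * sd:
                alarms.add((src, n, "rate above profile"))
    return sorted(alarms)


if __name__ == "__main__":
    print("signature alarms:", signature_detect(OBSERVED_WINDOW))
    print("anomaly alarms:  ", anomaly_detect(build_profile(NORMAL_WINDOW), OBSERVED_WINDOW))
```

Running it shows the point of the two slides: the signature engine reports exactly the sweep, the traversal, and the flood and stays silent on the resolver's burst, but it would also stay silent on any attack it has no pattern for; the profile-based detector catches every unknown host and the flood without any signature, yet it also raises an alarm on the resolver's legitimate burst.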

Host-Based Intrusion Detection
(Figure: a corporate network behind a firewall that faces an untrusted network; a host-based agent runs on each protected host, including the DNS server and the WWW server.)

Network-Based Intrusion Detection
(Figure: a Sensor on the corporate network, which holds the DNS server and the WWW server, reports to CSPM; a firewall separates the corporate network from the untrusted network.)

CSIDS Overview

CSIDS
(Figure: a Sensor monitors traffic from the untrusted network, where the hacker is, toward the targets; the Sensor talks over a command and control path to CSPM, which the operator uses.)

CSIDS Capabilities
- Display and log alarms
- Respond to intrusion attempts
- Configure Sensors remotely

Alarm Display and Logging
- Alarm display: alarms are displayed in CSPM.
- Alarm logging: alarms can be logged on the Sensor (log file) and on CSPM (database).

Intrusion Response
- Kill the session: TCP reset, an automatic kill of the offending session
- Block the attacker: blocking, an automatic or manual block (deny) of the offending IP address
- Caveat: an attacker who spoofs source addresses can trick automatic blocking into denying legitimate hosts, so automatic blocking should be reserved for signatures that cannot be triggered by spoofed traffic and should exclude addresses that must never be blocked

Intrusion Response (cont.)
- IP logging: automatic capture of suspicious host or network traffic to a session log

Remote Sensor Configuration

CSIDS Sensor Platforms

Sensor Platform Features
- Intrusion detection
  - Packet monitoring
  - Signature matching
  - Fragment/packet reassembly
- Intrusion response
  - Alarm or log
  - Automatic or manual response
- Hardware appliance design
  - Tuned for ID performance
  - Security hardened
  - Ease of maintenance

4200 Series Sensors

                  IDS-4230                    IDS-4210
ID performance    100 Mbps                    45 Mbps
Processor         Dual Pentium III 600 MHz    Single Celeron 566 MHz
Memory            512 MB                      256 MB
Monitoring NIC    FE / SFDDI / DFDDI          Ethernet only

Catalyst 6000 IDS Module
- Fully integrated line card
- Multi-VLAN visibility
- Full signature set
- Common configuration and monitoring
- ID performance: 100 Mbps
- No switching performance impact

CSIDS Director Platforms

Cisco Secure Policy Manager
- Software application
- Windows NT 4.0 platform
- Remote Sensor configuration and control
- Alarm notification and management

CSIDS Director for UNIX
- Software application
- HP OpenView on a Solaris or HP-UX platform
- Remote Sensor configuration and control
- Alarm notification and management

Feature Comparison

Feature                                   CSPM               Director for UNIX
Severities                                Low-Medium-High    1 through 5
Signature templates                       Yes                No
Configuration versioning                  No                 Yes
Local logging                             Database           Text file
Alarm forwarding / Generate SNMP traps    No                 Yes
(The extracted slide carries a single value per platform for the last two features, so they are shown on one row.)

CSIDS PostOffice

PostOffice Protocol
(Figure: Sensors perform network monitoring; command and control communications between Sensors and the Director are carried over UDP, across the Internet where necessary.)
Message types:
- Command
- IP log
- Error
- Redirect
- Command log
- Heartbeat
- Alarm

PostOffice Features
- Reliability: acknowledges every message sent
- Redundancy: can send alarms to up to 255 destinations
- Fault tolerance
  - Up to 255 IP addresses to a single destination
  - When the primary address fails, switches to the secondary address
(Figure: an alarm sent to the primary address is not acknowledged because primary communication is down; the Sensor switches to the secondary IP address and the alarm is received.)

PostOffice Host Addressing
- Numeric
  - Host ID
  - Organization ID
- Alpha
  - Host name
  - Organization name
- The combination of host ID and organization ID must be unique
- Host, organization, and application ID are used together to route PostOffice traffic

Devices shown in the figure (host ID 10 appears twice, but under different organization IDs, so each pair is still unique):

Host ID    Host name    Org ID    Org name
10         director     200       acme-noc
10         director     100       cisco
20         sensor2      100       cisco
30         sensor3      100       cisco
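The reliability, redundancy, and fault-tolerance rules from the PostOffice Features slide and the addressing rule from this slide, modelled together in an added Python example. It is not the PostOffice wire format and not Cisco code: the message fields, the retry count, the `APPLICATION_ID` label, the IP addresses, and the fake transport are assumptions made for the illustration; only the host and organization IDs and names come from the figure.

```python
from dataclasses import dataclass
from itertools import count

MAX_DESTINATIONS = 255               # redundancy limit stated on the slides
MAX_ADDRESSES_PER_DESTINATION = 255  # fault-tolerance limit stated on the slides
APPLICATION_ID = "alarm-app"         # assumed label; real application IDs are not on the slides


@dataclass(frozen=True)
class PostOfficeId:
    host_id: int
    org_id: int
    host_name: str
    org_name: str

    @property
    def key(self):
        return (self.host_id, self.org_id)


class Registry:
    """Admits a device only if its (host ID, org ID) pair is not already in use."""
    def __init__(self):
        self.devices = {}

    def add(self, ident):
        if ident.key in self.devices:
            raise ValueError(f"duplicate PostOffice address {ident.key}")
        self.devices[ident.key] = ident
        return ident


@dataclass
class Destination:
    ident: PostOfficeId
    addresses: list   # primary IP first, then alternates, tried in order
    active: int = 0   # index of the address currently in use


class FakeNetwork:
    """Constructed transport: addresses in `reachable` acknowledge, all others drop the datagram."""
    def __init__(self, reachable):
        self.reachable = set(reachable)
        self.sent = []

    def send(self, addr, msg):
        self.sent.append((addr, msg["seq"]))
        return ("ACK", msg["seq"]) if addr in self.reachable else None


class Sensor:
    def __init__(self, ident, net, max_retries=3):
        self.ident, self.net, self.max_retries = ident, net, max_retries
        self.destinations = []
        self.seq = count(1)

    def add_destination(self, dest):
        if len(self.destinations) >= MAX_DESTINATIONS:
            raise ValueError("PostOffice supports at most 255 destinations")
        if not 1 <= len(dest.addresses) <= MAX_ADDRESSES_PER_DESTINATION:
            raise ValueError("a destination needs 1 to 255 IP addresses")
        self.destinations.append(dest)

    def send_alarm(self, text, severity):
        msg = {"type": "Alarm", "seq": next(self.seq), "severity": severity, "text": text,
               "from": self.ident.key + (APPLICATION_ID,)}
        # Every destination gets its own copy; results are keyed by (host ID, org ID, app ID).
        return {d.ident.key + (APPLICATION_ID,): self._deliver(d, msg) for d in self.destinations}

    def _deliver(self, dest, msg):
        """Resend until acknowledged; after max_retries on one address, fail over to the next."""
        n = len(dest.addresses)
        for offset in range(n):
            idx = (dest.active + offset) % n
            addr = dest.addresses[idx]
            for attempt in range(1, self.max_retries + 1):
                if self.net.send(addr, msg) == ("ACK", msg["seq"]):
                    dest.active = idx       # keep using the address that answered
                    return (addr, attempt)
        return None                         # every address exhausted: alarm undelivered


def demo():
    registry = Registry()
    sensor2 = registry.add(PostOfficeId(20, 100, "sensor2", "cisco"))
    cisco_director = registry.add(PostOfficeId(10, 100, "director", "cisco"))
    acme_director = registry.add(PostOfficeId(10, 200, "director", "acme-noc"))  # same host ID, other org
    try:
        registry.add(PostOfficeId(10, 100, "director-copy", "cisco"))             # same pair: rejected
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    net = FakeNetwork(reachable={"10.0.0.2", "10.0.0.3"})   # cisco director's primary 10.0.0.1 is down
    sensor = Sensor(sensor2, net)
    sensor.add_destination(Destination(cisco_director, ["10.0.0.1", "10.0.0.2"]))
    sensor.add_destination(Destination(acme_director, ["10.0.0.3"]))
    first = sensor.send_alarm("TCP port sweep from 192.0.2.9", severity=4)
    second = sensor.send_alarm("HTTP directory traversal from 192.0.2.9", severity=5)
    return {"first": first, "second": second, "sent": net.sent, "duplicate_rejected": duplicate_rejected}


if __name__ == "__main__":
    print(demo())
```

The first alarm costs three unacknowledged sends to the dead primary before the secondary answers; the Sensor remembers the working address, so the second alarm reaches the secondary on its first attempt. Both directors named `director` coexist because their organization IDs differ, while a second device with host ID 10 in organization 100 is refused.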

Summary

Summary
- Intrusion detection is the ability to detect attacks against a network, including reconnaissance, access, and denial of service attacks.
- CSIDS uses signature-based and network-based intrusion detection.
- The Sensor and Director platforms are the main components of CSIDS.

Summary (cont.)
- The CSIDS Sensor is a performance-tuned hardware appliance that detects intrusion attempts. The CSIDS Sensor hardware appliances are:
  - CSIDS-4230 and 4210
  - Catalyst 6000 IDS Module
- CSIDS Sensors notify the Director platform when signatures are triggered and log alarm activity.
- CSIDS Sensors can automatically respond to attacks by resetting the connection, blocking the offending IP address, or logging the session.

Summary (cont.)
- CSIDS has two Director platforms: CSPM and Director for UNIX. The Director platforms:
  - Display and log alarms received from one or many Sensors.
  - Allow the user to manage and respond to alarms from a GUI.
  - Allow the user to configure and control one or many Sensors.
- Cisco's proprietary communications protocol for sending messages between Sensors and the Director platform is the PostOffice protocol.

Summary (cont.)
The PostOffice protocol features and benefits:
- A reliable protocol that requires acknowledgement of all messages sent and resends messages as needed
- A redundant protocol that can be configured to send messages to up to 255 destinations
- A fault-tolerant protocol that can be configured to send messages using up to 255 alternate IP addresses when a primary path is down
- Requires a unique host and organization identifier for each CSIDS device
- Can be protected with IPSec between Sensors and the Director platform (PostOffice does not encrypt or authenticate its own UDP traffic, so the command and control path should be isolated or carried over IPSec)