Intrusion Detection Sensor
- Categories: Industry information
- Origin: Science Direct
- Time of issue: 2019-12-09 12:11
Eric Knipp, ... Edgar Danielyan, in Managing Cisco Network Security (Second Edition), 2002
What Is the Cisco Secure Network Intrusion Detection System?
This is a solution that can be added to your network to perform dynamic intrusion detection. Cisco Secure IDS will monitor for, and respond to, intrusions in real time. A simple IDS solution is made up of a distributed model with three main components: the probe, the Director, and the CSPM.
The probe is a specialized device that uses a rule-based inference engine to process large volumes of traffic in order to identify security issues in real time. The probe is either a ready-made appliance purchased from Cisco, or it can be software-based and installed on a Windows x86 (the Catalyst 6000 IDS module) or SPARC Solaris station (the IDS 4230 and IDS 4210). The software to create your own probe can be found on the IDS CD, and can either capture traffic itself or monitor syslog traffic from a Cisco router. Once an attack or security event is detected, the probe can respond by generating alarms, logging the event, resetting TCP connections, or shunning the attack (by reconfiguring managed router ACLs). Probe events are forwarded to a central facility via a control/command interface.
Probes have two interfaces, one for monitoring and one for control. The monitoring interface of the probe does not have an IP address and will not respond to Layer 3 detection attempts. There are several types of monitor interfaces available from Cisco, each selected for a particular network scenario. An example is the IDS 4230 Sensor, which is capable of supporting LAN speeds of up to 100 Mbps or T3 WAN speeds. Another is the Catalyst 6000 IDS module, which is designed for switched networks.
The Director is a GUI software solution used to “direct” or manage Cisco IDS from an HP OpenView platform. It is installed on an HP-UX or Solaris workstation. Directors are used to complete initial probe configuration, process and present information sent from sensors (in HP OpenView), and specify sensor behavior. The Director contains drivers for the Oracle RDBMS and the Remedy Trouble Ticket system. It is possible to modify these drivers to interface with Sybase or Informix systems, if required. When the Director receives information from the probes it will initially log to a flat file and then push the data to a relational database. Once stored in the database, RDBMS tools such as SQL can be used to interrogate the data. Database details such as the location of files and account information have to be configured using the nrConfigure utility (discussed later in this chapter). Systems such as Oracle contain tools to generate reports containing graphical as well as numerical representations of data. To get you started, each Director ships with a sample set of SQL queries that can be easily modified and run from within your RDBMS system. It is possible to define custom actions based on events, too (this is covered in more detail later in this section). The Director also provides you with access to the NSDB for reference material on exploits.
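The flat-file-then-database pipeline described above can be modelled in a few dozen lines. The following is an added example, not Cisco or Director software: it parses constructed alarm records in an assumed line format, loads them into an in-memory SQLite table (standing in for Oracle), runs a query of the kind the sample SQL set provides, and wires a custom action to high-severity events. The field names, severity scale and the `notify` hook are assumptions.

```python
"""Model of a Director alarm pipeline: flat-file log -> relational table ->
SQL reporting, plus a custom action on selected events.  Added example;
the record format and severity scale are assumptions, not Cisco's."""
import sqlite3
from dataclasses import dataclass

# Constructed flat-file records.  Assumed layout:
# <epoch> <sensor> <signature id> <severity 1-5> <source ip> <dest ip> <description>
FLAT_LOG = """\
1575891060 probe1 3001 4 10.0.0.5 10.0.0.9 string-match
1575891061 probe1 1001 3 10.0.0.7 10.0.0.9 syn-fin
1575891070 probe2 2001 5 10.0.0.5 multiple host-sweep
1575891075 probe2 3001 4 10.0.0.5 10.0.0.11 string-match
"""


@dataclass
class Event:
    ts: int
    sensor: str
    sig_id: int
    severity: int
    src: str
    dst: str
    desc: str


def parse_flat_log(text):
    """Turn the flat file into Event objects; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, sid, sev, src, dst, desc = line.split(maxsplit=6)
        events.append(Event(int(ts), sensor, int(sid), int(sev), src, dst, desc))
    return events


def load_database(events):
    """Push parsed events into a relational table (SQLite stands in for Oracle)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE alarms (ts INTEGER, sensor TEXT, sig_id INTEGER,
           severity INTEGER, src TEXT, dst TEXT, description TEXT)"""
    )
    db.executemany(
        "INSERT INTO alarms VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(e.ts, e.sensor, e.sig_id, e.severity, e.src, e.dst, e.desc) for e in events],
    )
    db.commit()
    return db


# A report query of the kind shipped as a sample: which sources raise most alarms.
TOP_SOURCES_SQL = """SELECT src, COUNT(*) AS n, MAX(severity) AS worst
                     FROM alarms GROUP BY src ORDER BY n DESC, src"""


def top_sources(db):
    """Returns [(src, alarm_count, worst_severity), ...] in descending count order."""
    return db.execute(TOP_SOURCES_SQL).fetchall()


def apply_custom_actions(events, threshold=5, notify=None):
    """Custom action: call notify() (pager/e-mail stand-in) for events at or
    above the severity threshold.  Returns the identifiers that were notified."""
    notified = []
    for e in events:
        if e.severity >= threshold:
            if notify is not None:
                notify(e)
            notified.append((e.sensor, e.sig_id, e.src))
    return notified


if __name__ == "__main__":
    evs = parse_flat_log(FLAT_LOG)
    conn = load_database(evs)
    for row in top_sources(conn):
        print(row)
    print(apply_custom_actions(evs, notify=lambda e: print("PAGE:", e)))
```

The point of keeping the flat file in front of the database is durability: the Director never loses an alarm because the RDBMS was briefly unavailable, and the file can be replayed into the table later. The `notify` hook is where a real deployment would attach `eventd`-style pager or e-mail delivery.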
The Cisco Secure Policy Manager
The Cisco Secure Policy Manager is a Windows-based GUI software solution that can also manage Cisco IDS. It is installed on a modern Windows NT platform. The software is very memory sensitive—specifications call for 0.5GB, but more is better. Because of the native Windows environment, it is easy for an analyst to explore the alerts generated by the platform.
Because the CSPM is documented in Chapter 12, this chapter will go over configuration and management using the Director platform.
Cisco recommends that no more than 25 probes be configured to send information to a single Director. Cisco suggests between three and six probes be configured per CSPM. If more probes are required for your network, you should install multiple CSPMs/Directors and build a hierarchical structure of probes and Directors.
The Post Office
The Post Office is a messaging facility between management stations and sensors that uses a proprietary UDP transport protocol for communication. Rather than being unacknowledged, the protocol guarantees transmissions, maintains connection status and provides acknowledgement for packets received with lower overhead than TCP/IP. It uses an enhanced addressing structure that is ideal for building hierarchical fault-tolerant structures. Up to 255 alternate routes between each probe and its Director can be supported. The structures are comprised of multiple Directors and probes; in this way, you can support a theoretically unlimited number of probes. Probes can forward updates onto one or more Directors which can then propagate the message to other Directors in the hierarchy.
If you need to perform any traffic filtering on routers between Directors and probes (control interfaces), you must allow traffic using UDP port 45000 to pass between the two.
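The delivery semantics described for the Post Office (acknowledged datagrams, retransmission, and fallback to an alternate route when the primary path fails) can be illustrated with a small simulation. This is an added example and not the Post Office protocol itself, which is proprietary: the framing, the retry count, the route table and the "drop the first N datagrams" fault model are all assumptions made so the behaviour is deterministic and runs offline.

```python
"""Simulation of acknowledged, retried delivery with alternate routes,
modelled on the Post Office behaviour described in the text.  Added
example; framing, retry counts and the fault model are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Route:
    """One path between a probe's control interface and a Director."""
    name: str
    fail_first: int = 0  # constructed fault model: drop this many datagrams, then work

    def transmit(self):
        """Return True if the datagram (and its ack) would get through."""
        if self.fail_first > 0:
            self.fail_first -= 1
            return False
        return True


@dataclass
class Director:
    """Receiving side: acknowledges every datagram, logs each message once."""
    received: list = field(default_factory=list)
    seen: set = field(default_factory=set)

    def deliver(self, msg_id, payload):
        # Idempotent: a retransmitted duplicate is acked but not recorded twice.
        if msg_id not in self.seen:
            self.seen.add(msg_id)
            self.received.append(payload)
        return ("ACK", msg_id)


class PostOfficeSender:
    """Probe side: retries on the current route, then moves to the next alternate."""

    def __init__(self, director, routes, retries=3):
        self.director = director
        self.routes = routes          # primary first, alternates after it
        self.retries = retries
        self.next_id = 1
        self.log = []                 # (msg_id, route, attempt, outcome)

    def send(self, payload):
        msg_id = self.next_id
        self.next_id += 1
        for route in self.routes:
            for attempt in range(1, self.retries + 1):
                if not route.transmit():
                    self.log.append((msg_id, route.name, attempt, "lost"))
                    continue
                ack = self.director.deliver(msg_id, payload)
                if ack == ("ACK", msg_id):
                    self.log.append((msg_id, route.name, attempt, "acked"))
                    return route.name
        raise RuntimeError(f"message {msg_id} undeliverable on all routes")


if __name__ == "__main__":
    d = Director()
    s = PostOfficeSender(d, [Route("primary", fail_first=4), Route("alternate")])
    print(s.send("alarm 1"))   # primary exhausted, delivered via alternate
    print(s.send("alarm 2"))   # primary recovered after one more loss
    print(d.received, s.log)
```

Two details carry over to the real system: the receiver must be idempotent, because a lost acknowledgement makes the sender retransmit a message the Director already has; and the route list is what lets a hierarchy of Directors survive a single failed link. In a deployment the simulated `transmit()` is the UDP port 45000 exchange that the paragraph above tells you to permit through any intermediate filters.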
Figure 13.1 shows these basic components in context.
Figure 13.1. IDS protocols and Associated Components.
You can see the IDS components with the main daemons that are responsible for running the system. Each daemon performs a specific function, which is explained in more detail next:
■ sensord/packetd Sensord is used to relay intrusion detection information sent from other devices capable of detecting attacks and sending data; packetd is used when the sensor itself does the intrusion detection.
■ loggerd Used to write to log files and record events such as alarms and command instructions.
■ sapd Provides file and data management functions, including the transfer of data to database systems such as Oracle.
■ postofficed Manages and provides all communications between the Director and probes.
■ eventd Performs notification management on events to pager and e-mail systems.
■ managed Controls configuration of managed Cisco routers.
Here are some other daemons not displayed on the diagram:
■ smid A Director daemon that converts raw information into data that nrdirmap uses.
■ nrdirmap Displays icons for NetRanger components and events such as alarms and status conditions for other daemons.
■ configd Interprets and manages commands entered through nrdirmap to interface with the other daemons.
Now that we understand the components, let’s discuss some of the more general features. Cisco Secure IDS is a network-based IDS that captures packets and then performs signature analysis using an inferencing engine. The analysis involves examination of each packet’s payload for content-based attacks and examination of the header for patterns of misuse. Cisco Secure IDS classifies attacks into two types: atomic (single, directed at one victim) and composite (multiple, over a period of time and involving many victims).
The Director uses an internal (upgradeable) security database (NSDB) for signature analysis, which provides information about exploits and matching countermeasures. There are two types of signatures, embedded and string matching. As the name suggests, embedded signatures are contained within the probe’s system files; they cannot be modified and protect against misuse by matches against the packet header fields. String matching signatures, on the other hand, are user configurable and work by examining the payload of the packet.
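To make the two signature types and the atomic/composite distinction concrete, here is an added example of a miniature signature engine; it is not Cisco code and does not use the NSDB. Embedded signatures are fixed predicates over header fields, string-matching signatures are a user-editable table searched against the payload, and one composite signature keeps per-source state so that several packets to different victims within a time window raise a single "sweep" alarm. The packet layout, signature IDs, the sample packets and the window/threshold values are all constructed for the example.

```python
"""Miniature signature engine: embedded (header-field) signatures,
user-configurable string-matching (payload) signatures, and one stateful
composite signature.  Added example; packet format, IDs and thresholds
are assumptions, not Cisco's."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float                  # capture time in seconds (constructed)
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    flags: set = field(default_factory=set)   # TCP flag names, e.g. {"SYN"}
    payload: bytes = b""


# Embedded signatures: fixed header predicates the user cannot edit.
EMBEDDED = {
    1001: ("TCP SYN and FIN set together", lambda p: p.proto == "tcp" and {"SYN", "FIN"} <= p.flags),
    1002: ("Source address equals destination", lambda p: p.src == p.dst),
}

# String-matching signatures: user-configurable (id -> name, port, byte string).
STRING = {
    3001: ("Sensitive file path in HTTP request", 80, b"/etc/passwd"),
}

# Composite "host sweep" signature: one source, many victims inside a window.
SWEEP_ID = 2001
SWEEP_WINDOW = 5.0      # seconds
SWEEP_THRESHOLD = 3     # distinct destinations


@dataclass
class Alarm:
    sig_id: int
    name: str
    kind: str               # "atomic" or "composite"
    src: str
    dst: str


class SignatureEngine:
    def __init__(self):
        self._targets = defaultdict(list)   # src -> [(ts, dst), ...] inside the window
        self._sweep_fired = set()           # sources already reported, to avoid alarm storms

    def analyse(self, p):
        alarms = []
        # Atomic: header-field matches (embedded signatures).
        for sid, (name, pred) in EMBEDDED.items():
            if pred(p):
                alarms.append(Alarm(sid, name, "atomic", p.src, p.dst))
        # Atomic: payload content matches (string signatures), scoped by port.
        for sid, (name, port, needle) in STRING.items():
            if p.dport == port and needle in p.payload:
                alarms.append(Alarm(sid, name, "atomic", p.src, p.dst))
        # Composite: update per-source history, drop entries outside the window.
        hist = self._targets[p.src]
        hist.append((p.ts, p.dst))
        hist[:] = [(t, d) for t, d in hist if p.ts - t <= SWEEP_WINDOW]
        victims = {d for _, d in hist}
        if len(victims) >= SWEEP_THRESHOLD and p.src not in self._sweep_fired:
            self._sweep_fired.add(p.src)
            alarms.append(Alarm(SWEEP_ID, "Host sweep", "composite", p.src, "multiple"))
        return alarms


# Constructed sample traffic.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "10.0.0.9", "tcp", 80, {"SYN"}),
    Packet(0.5, "10.0.0.5", "10.0.0.9", "tcp", 80, {"ACK", "PSH"}, b"GET /etc/passwd HTTP/1.0\r\n"),
    Packet(1.0, "10.0.0.7", "10.0.0.9", "tcp", 22, {"SYN", "FIN"}),
    Packet(2.0, "10.0.0.5", "10.0.0.10", "tcp", 80, {"SYN"}),
    Packet(2.5, "10.0.0.5", "10.0.0.11", "tcp", 80, {"SYN"}),
    Packet(9.0, "10.0.0.5", "10.0.0.12", "tcp", 80, {"SYN"}),   # outside the window: no new alarm
]


def run(packets=SAMPLE):
    """Feed packets through one engine instance and return every alarm raised."""
    engine = SignatureEngine()
    alarms = []
    for p in packets:
        alarms.extend(engine.analyse(p))
    return alarms


if __name__ == "__main__":
    for a in run():
        print(a)
```

The stateful composite signature is the part worth studying: atomic signatures can be evaluated per packet and forgotten, but a sweep only exists across packets, so the engine must keep per-source history, expire it by time, and suppress repeat alarms once a source has been reported.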