Post on 04-Apr-2018
7/30/2019 CISCO Secure Intrusion Detection System
1/45
CISCO Secure
Intrusion Detection
System
Marsa Rayani Maryam Shahpasand Ali Falsafi
7/30/2019 CISCO Secure Intrusion Detection System
2/45
Contents:
Introduction CSIDS definition CSIDS components
CSIDS features CSIDS Platforms Cisco Security Agent Advantages
Disadvantages CSIDS VS. Snort Summery references
7/30/2019 CISCO Secure Intrusion Detection System
3/45
Introduction:
Cisco security experts believe that
The most effective intrusion detection strategy is toimplementboth host-based and network-based IDS.
Typically, most organizations implement network-basedIDS first, because its effective against attacks originatingexternally.Adding host-based IDS further enhances
protection from attack, especially from attacks that aregenerated from internal sources.
7/30/2019 CISCO Secure Intrusion Detection System
4/45
To achieve these elements, Cisco implements a
line of IDS products that can be integrated into
current network routers
switches
deployed as separate IDS appliances
run as software applications on managementworkstations.
7/30/2019 CISCO Secure Intrusion Detection System
5/45
Cisco Secure IDS is a network-based intrusion
detection system that uses a signature databaseto trigger intrusion alarms
7/30/2019 CISCO Secure Intrusion Detection System
6/45
Components:The major components are:
1. Sensor2. Configuration Manager
3. Event Manager
4. Software
7/30/2019 CISCO Secure Intrusion Detection System
7/45
Components :
1. Sensor : This performs real-time monitoringof network traffic, searching for patterns thatcould represent an attack.
7/30/2019 CISCO Secure Intrusion Detection System
8/45
Performance of the Sensor when it detects anattack:
No action Shun (shunning) refers to the complete blocking
of any traffic from the offending host or subnet Log (logging) refers to both attack event alarms
and whole suspicious IP session logs Shun + log
TCP connection reset TCP connection reset + shun TCP connection reset + log TCP connection reset + shun + log
7/30/2019 CISCO Secure Intrusion Detection System
9/45
2. Configuration manager :
The configuration manager provides
configuration management for the sensor
pushing configuration and policy settings to thesensor.
The configuration manager may be co-located with the sensor(typical for smaller sensor deployments) or may be
separately located at a central location (typical for largersensor deployments).
7/30/2019 CISCO Secure Intrusion Detection System
10/45
3. Event manager :
The event manager is used to
collect events generated by sensors.
Cisco Secure IDS event management platforms include aNetwork Security Database (NSDB), which includes detailed
information about each attack that is detected by a sensor.This information provides analysis support for securityadministrators who must decipher and respond to detectedattacks.
Cisco Secure IDS sensors have extremely limited eventmanagement capabilities; hence the event manager isalways separate from the sensor.
7/30/2019 CISCO Secure Intrusion Detection System
11/45
7/30/2019 CISCO Secure Intrusion Detection System
12/45
Communication between Sensor and
management platform:To communicate messages between the management
platform and the sensor platform, Cisco Secure IDSuses a proprietary protocol called the PostOfficeprotocol.
This protocol provides numerous necessary features,such as the following:
Reliability Redundancy
Fault tolerance
7/30/2019 CISCO Secure Intrusion Detection System
13/45
Reliability
1
2
7/30/2019 CISCO Secure Intrusion Detection System
14/45
Redundancy
7/30/2019 CISCO Secure Intrusion Detection System
15/45
Fault Tolerance
7/30/2019 CISCO Secure Intrusion Detection System
16/45
Cisco Secure IDS Features
Cisco offers a rich IDS product set that is part of CiscosSAFE enterprise security blueprint. Cisco Secure IDS hasmany features that let you effectively detect and respond
to security threats against your network. It provides thefollowing fundamental capabilities:
1. Alarm display and logging
2. Intrusion response
3. Remote sensor configuration and management
These features are discussed in the following sections.
7/30/2019 CISCO Secure Intrusion Detection System
17/45
1. Alarm Display and Logging
When a sensor detects an attack, it sends an alarm to theevent management platform. On the event managementplatform, a graphical user interface (GUI) displays these
alarms in real time, color-coding each alarm based on itsseverity. This display provides a quick indication that anattack has occurred and how dangerous the attack is.The sensor can also log more detailed alarm informationin a local text-based log file, which allows for in-depth
analysis of attack data and the use of custom scripts topresent alarm data specific to your requirements.
7/30/2019 CISCO Secure Intrusion Detection System
18/45
2. Intrusion ResponseThe Cisco Secure IDS sensor can directly respond
to an attack using one or more of the following
methods:
I. TCP reset
II. IP blocking
III. IP logging
7/30/2019 CISCO Secure Intrusion Detection System
19/45
I. TCP reset:The TCP reset response is available only for TCP-
based attacks. Its implementedby the sensor
sending a TCP reset packet to the host that isbeing attacked (the target). This causes theattacked system to close the connection,destroying any processes and memory
associated with the connection.
7/30/2019 CISCO Secure Intrusion Detection System
20/45
7/30/2019 CISCO Secure Intrusion Detection System
21/45
II. IP blocking
TheIP blocking response (also known asshunning) allows a sensor to apply an access
control list (ACL) to a perimeter router interface,blocking IP connectivity from an attackingsystem.
You can also manually block a host or networkfrom the sensor management platform if you seeany suspicious activity
7/30/2019 CISCO Secure Intrusion Detection System
22/45
7/30/2019 CISCO Secure Intrusion Detection System
23/45
III. IP logging
When a sensor detects an attack, an alarm is generatedand forwarded to the event management platform. TheIP logging response allows a sensor to write alarminformation to a local log file as well. The informationwritten to the log file contains much more informationthan is sent to the event management platform, so youcan use this option to provide detailed analysis ofspecific attacks.
7/30/2019 CISCO Secure Intrusion Detection System
24/45
7/30/2019 CISCO Secure Intrusion Detection System
25/45
3. Remote Sensor Configuration and
Management Cisco Secure IDS sensor management platforms let youcentrally manage and monitor multiple sensors located
throughout your network. All sensor-related configurations are stored on aconfiguration management platform.
configuration management platform is responsible for
pushing these configurations out to each sensor. Configuration attributes include the types of intrusiveactivity (signatures) that each sensor should monitor.
7/30/2019 CISCO Secure Intrusion Detection System
26/45
Other Features
Cisco Secure IDS also includes an Active Updates feature, which allows customers
to subscribe to regular e-mail notificationsgenerated by the Cisco Countermeasures Research
Team (C-CRT). download new signature updates to a centrallocation on the network, and then have multiplesensors automatically update their signaturedatabases on a regular basis.
Customize signatures: you create your ownsignatures that can detect some new attack. Thisfunctionality is provided by a complete signaturelanguage, which is similar to a scripting language,providing a powerful tool for customization.
7/30/2019 CISCO Secure Intrusion Detection System
27/45
Cisco Secure Sensor Platforms
The sensor platform is the most criticalcomponent of Cisco Secure IDS, because it
detects, responds to, and reports intrusionactivity to the sensor management platform.
Each sensor is a hardware appliance that hasbeen secured for the environment it works in,optimized for performance, and designed forease of maintenance.
7/30/2019 CISCO Secure Intrusion Detection System
28/45
The sensor uses an extensive signature database
that allows it to capture security attacks inrealtime from large amounts of IP traffic. Sensor possesses packet-reassembly features
that prevent IDS bypass techniques.
Once an attack is detected, the sensor sends analarm to an event management platform and canoptionally place that alarm information in a locallog file.
The sensor can also automatically reset a TCP-based connection that is associated with theattack and/or block the source IP address of theattacking system.
7/30/2019 CISCO Secure Intrusion Detection System
29/45
Cisco produces three main sensor platforms
dedicated to IDS:
4200 series sensors
Catalyst 6000/6500 IDS module (IDSM) Cisco 2600/3600/3700 IDS network modules
7/30/2019 CISCO Secure Intrusion Detection System
30/45
Sensors InterfaceAll of these sensor platforms are passive
sensors, in that they passively monitor networktraffic traversing one or more segments forintrusive activity. Each of these sensors containstwo interfaces:
I. Command-and-control interface
II.Monitoring interface
7/30/2019 CISCO Secure Intrusion Detection System
31/45
I. Command-and-control interface
provides a management interface for thesensor.
The command-and-control interface allows thesensor to be managed via TCP/IP.
lets the sensor send alarms to the eventmanagement platform.
The command-and-control interface is the onlyinterface that contains an IP address.
7/30/2019 CISCO Secure Intrusion Detection System
32/45
II. Monitoring interface
The monitoring interface operates inpromiscuous mode, capturing all traffic on the
attached segment and passing it to the IDSapplication for analysis.
The monitoring interface doesnt have an IPaddress.
ensuring that the sensor can be placed on aninsecure segment and not be subjected to anattack itself
7/30/2019 CISCO Secure Intrusion Detection System
33/45
Cisco Security Agent
The Cisco Security Agent consists of server anddesktop agents.
The security agent resides between the operating
system kernel and applications.
enabling visibility of all system calls to memory, file,network, Registry, and COM object resources.
Cisco Security Agent is an example of an anomaly-based intrusion detection system.
It is useful for detecting new attacks that are oftenimpossible to detect with signature-based intrusiondetection systems such as Cisco Secure IDS sensors
7/30/2019 CISCO Secure Intrusion Detection System
34/45
The Cisco Security Agent provides a variety offeatures that ensure that critical systems andapplications are protected from attacks. Itsdesigned to detect known and unknown attacksbased on the following intrusive activities:
I. Probing
II. Penetration
III.Persistence
IV.Propagation
V. Paralyzing
7/30/2019 CISCO Secure Intrusion Detection System
35/45
I. Probing
Probing relates to the activities associatedwith reconnaissance being performed againstthe host or an attempt to break into a host by
guessing security information. The following aresome of the probe attacks that the Cisco SecurityAgent detects:
Ping Port scans
Password and username guessing
7/30/2019 CISCO Secure Intrusion Detection System
36/45
II. PenetrationPenetration refers to the process of gaining
unauthorized access to processes running and/ordata stored on the target system. The Cisco SecurityAgent can detect a possible attack based on events
that indicate the host is in the process of beingcompromised or penetrated. The following are someof the events related to penetration attacks that theCisco Security Agent detects:
Mail attachments Buffer overflows ActiveX controls Back doors
7/30/2019 CISCO Secure Intrusion Detection System
37/45
III. Persistence
Persistence refers to events that result from asuccessful attack and subsequent infection of ahost system. The following are some of the eventsthat indicate that a system has been compromisedand that some form of unauthorized action,application, or service is present: File creation File modification Security settings modification Installation of new services Trap doors
7/30/2019 CISCO Secure Intrusion Detection System
38/45
IV. Propagation
Propagation refers to the automatic self-replication of an attack to other systems after aninitial target system has been infected. There are
some of the events related to propagation that theCisco Security Agent detects:
E-mail copies of the attack
Web and FTP connections
Internet Relay Chat (IRC) connections
Propagation via file shares
7/30/2019 CISCO Secure Intrusion Detection System
39/45
V. Paralyzing
Paralyzing refers to the complete or partialremoval of the availability and responsiveness ofcomputing resources on a target system. The
following are some of the events related to systemparalysis that the Cisco Security Agent detects:
File modification and deletion
Computer crashes
Denial of service
Stealing of sensitive/confidential information
7/30/2019 CISCO Secure Intrusion Detection System
40/45
Advantages:
1. Accurate attack detection
2. Intelligent attack investigation
3. Ease of security management
4. Flexible deployment options for all network designmodels and topologies
5. you can create your own signatures that can detectsome new attack.
7/30/2019 CISCO Secure Intrusion Detection System
41/45
Cont.
6. combines leading Cisco security solutions witha rich ecosystem of complementary programs,products, partners and services.
7. Focuses on large businesses8. Assumes a security policy
7/30/2019 CISCO Secure Intrusion Detection System
42/45
Disadvantaged
Expensive
Black box design, youll have no idea why it doesanything that it does.
Closed signature language, you have no ability tosee what or how theyre trying to detect anything.
Difficult to install.
Difficult to administer
7/30/2019 CISCO Secure Intrusion Detection System
43/45
CSIDS VS Snort
Battle of Open Source VS Commercial! Snort has a better GUI.
Snort biggest advantage is COST.
CSIDS is better at both IP fragment and TCPsession reassembly.
CSIDS has an excellent support and services.
For small environments where funds are very
limited, snort is probably the better solution. For large enterprises, Cisco would probably be
the better choice.
7/30/2019 CISCO Secure Intrusion Detection System
44/45
References www.cisco.com
CCSP Complete study book by Cisco
www.net-security.org/
www.ciscopress.com/articles
https://itaudit.sans.org/community/papers/aud
iting-cisco-secure-ids-system-auditors-perspective_114
http://www.cisco.com/http://www.net-security.org/http://www.ciscopress.com/articleshttps://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114https://itaudit.sans.org/community/papers/auditing-cisco-secure-ids-system-auditors-perspective_114http://www.ciscopress.com/articleshttp://www.net-security.org/http://www.net-security.org/http://www.net-security.org/http://www.cisco.com/7/30/2019 CISCO Secure Intrusion Detection System
45/45