Nov 26, 2008 by admin
IDS Signatures Grouped by Software Release Version
For configuration management purposes, the following list of signatures is grouped by the software release version from which it was publicly released. For more information regarding these signatures, refer to the signature descriptions ... [full story]

Nov 26, 2008 by admin
Verifying the IOS-IDS Configuration
A working and well-tested IDS can be very important for the continuity of your business. It ensures that all attacks IOS has a signature for are being detected and that alerts are sent to the right place. In ... [full story]

Nov 26, 2008 by admin
Responses from the IOS-Based IDS
At this point, we have seen how to configure IOS-based IDS, and in the next section we will see how to verify and monitor a configuration. What we haven't seen so far is Cisco IOS-based IDS ... [full story]

Nov 26, 2008 by admin
Configuring IOS-Based IDS Signatures
IOS-IDS will trigger an alarm when a packet matches a certain behavior defined in a signature. It is critical that no alarms are generated for an event that will not be harmful to the network. A large ... [full story]

Nov 26, 2008 by admin
Configuring the IOS-Based IDS
The IOS Firewall/IDS image and a Cisco router that supports the Firewall/IDS feature set are all you need to start configuring the IOS-based IDS. Configuring an IOS-based IDS is a six-step process. In these six steps, the ... [full story]

Nov 26, 2008 by admin
Supported Router Platforms
One of the major benefits of using IOS-based IDS is that you can add intrusion detection functionality to your network using your existing router hardware. Not all Cisco routers have support for the Firewall IDS feature set of ... [full story]

Nov 26, 2008 by admin
Understanding Cisco IOS-Based IDS
Understanding Cisco IOS-based IDS starts with realizing that it is a different kind of IDS than previously seen. There are differences in hardware, software, performance, and signatures. To get a better understanding of IOS-based IDS, we will ... [full story]

Nov 26, 2008 by admin
Cisco Firewall/IDS IOS
Introduction
When you start implementing intrusion detection in the corporate LAN, it isn't necessary to spend a lot on IDS sensors or IDSM blades. This is even truer for networks in small offices, which don't have the budgets of ... [full story]

Nov 26, 2008 by admin
Administering the Cisco IDS MC Server
The administration of the Cisco IDS MC server consists of tasks associated with the IDS Database and other global tasks. This encompasses:
Operations with database rules
Updating sensor software and signature release levels
Defining the e-mail server ... [full story]

Nov 26, 2008 by admin
Reviewing Configuration Files
Changes to file settings are placed in a pending status before they are committed to the IDS Database. The following steps can be used to review the pending changes and commit them to the database:
From the Management Center ... [full story]

Nov 26, 2008 by admin
How to Generate, Approve, and Deploy IDS Sensor Configuration Files
The previous section, "Configuring Signatures and Alarms," covered how to select the proper values for the sensor settings and signature settings. The next step in using the IDS MC is to ... [full story]

Nov 26, 2008 by admin
Configuring Signatures
Signatures are divided into six groups:
General (embedded)
TCP connection
UDP connection
String-Matching
Access Control List (ACL)
Custom
To provide an example of how to configure and tune signatures, we will use a general signature for a configuration and tuning exercise.
Configuring General Signatures
General signatures are signatures ... [full story]

Nov 26, 2008 by admin
Configuring Signatures and Alarms
Network intrusions are scans, attacks upon, or misuses of the network resources. To detect network intrusion, the Cisco IDS sensors use a signature-based technology. Every network attack has an order or a pattern to the bytes in ... [full story]

Nov 26, 2008 by admin
Deleting Sensor Subgroups
As with sensors, sensor subgroups can be deleted from any group, including the Global group. Use the following steps to delete a sensor subgroup:
From the Management Center for IDS Sensors page (Figure 10.9), select the Devices tab, and ... [full story]

Nov 26, 2008 by admin
Deleting Sensors from a Sensor Group
A sensor can be deleted from any group, including the Global group. Use the following steps to delete a sensor from a subgroup:
From the Management Center for IDS Sensors page (Figure 10.9), select the Devices ... [full story]

Nov 26, 2008 by admin
Adding Sensors to a Sensor Group
A sensor can be added to any group, including the Global group. To add a sensor to the Global group or a subgroup, use the following procedure:
From the Management Center for IDS Sensors page (Figure ... [full story]

Nov 26, 2008 by admin
Creating Sensor Subgroups
A sensor subgroup can be added to any group, including the Global group. The following steps can be used to create a sensor subgroup:
From the Management Center for IDS Sensors page (Figure 10.7), select the Devices tab, then ... [full story]

Nov 26, 2008 by admin
The IDS MC Hierarchy
The IDS MC maintains a hierarchy of sensors, sensor groups, and sensor subgroups. Groups provide the capability of managing multiple sensors performing similar functions. Rather than configuring each sensor individually, the IDS MC allows for the configuration ... [full story]

Nov 26, 2008 by admin
Setting Up Sensors and Sensor Groups
Sensors are the "eyes and ears" of the Cisco IDS Management Center. They are placed strategically at the perimeter of the network and near key resources within the enterprise. Each of the sensors deployed in ... [full story]

Nov 26, 2008 by admin
Client Installation Requirements
Accessing CiscoWorks2000 and the IDS Management Center is accomplished through a Web interface. This allows clients to access the IDS Management Center by using a browser. The minimum system requirements for a client are specified in Table 10.2.
Table 10.2: ... [full story]

Nov 26, 2008 by admin
VMS Component Compatibility
Most VMS components require CiscoWorks2000 Common Services to be installed on the same server. While it may seem more efficient to combine some of these VMS components on one server, this cannot always be done due to compatibility ... [full story]

Nov 26, 2008 by admin
CiscoWorks Architecture Overview
The IDS MC architecture is shown in Figure 10.3. The MC itself relies upon the services provided by the CiscoWorks Common Services software. The Common Services component provides a comparable environment for all of the MCs. Some of ... [full story]

Nov 26, 2008 by admin
Server Hardware Requirements
CiscoWorks2000 and the VMS bundle can be installed and operated on either a Windows 2000 Server platform or a Sun Solaris platform. The hardware requirements for CiscoWorks2000 and VMS are specified in Table 10.1.
Table 10.1: Server Hardware ... [full story]

Nov 26, 2008 by admin
Installing the Cisco IDS Management Center
The Cisco IDS MC is a component of the VPN/Security Management Solution (VMS) that, in turn, is part of the CiscoWorks2000 software package. The VMS software suite includes additional components such as CiscoWorks2000 Common Services, ... [full story]

Nov 26, 2008 by admin
IDS MC and Security Policy
From an enterprise perspective, it is important to note that sensor and signature management are merely tools used to implement your Corporate Security Policy. This policy will determine how you deploy your sensors and what signatures ... [full story]

Nov 26, 2008 by admin
IDS MC and Signatures
IDS sensor signatures are the representations of patterns that have certain characteristics of various attacks and other activities attackers may use against a network. The patterns or signatures will be used by the Cisco IDS sensors to ... [full story]

Nov 26, 2008 by admin
The IDS MC and Sensors
The Cisco IDS Management Center can manage up to approximately 300 sensors. In the example deployment shown in Figure 10.1, the sensor is deployed on the network perimeter or demilitarized zone (DMZ). Inside the protected network ... [full story]

Nov 26, 2008 by admin
IDS MC and Security Monitor
Closely related to the Cisco IDS MC is the Cisco Monitoring Center for Security, also known as the Security Monitor. Although the Security Monitor is a separate and optional product, it is often packaged with the ... [full story]

Nov 26, 2008 by admin
Understanding the Cisco IDS Management Center
The Cisco IDS Management Center serves four primary functions:
It logs audit records pertaining to the intrusion detection system.
It notifies IDS personnel when internal event thresholds are reached.
It manages and distributes configurations to the sensors.
It ... [full story]

Nov 26, 2008 by admin
Cisco Enterprise IDS Management
Introduction
Successful attacks against enterprise networks typically require a substantial effort on the part of the attacker. Many large networks that realize they have been compromised only do so after discovering a discrepancy in activity or the log ... [full story]

Nov 26, 2008 by admin
Dealing with Encrypted Traffic and IPv6
The last-but-not-least important problem of traffic capture is the spread of various traffic encryption mechanisms. Use of virtual private networks (VPNs), either IPSec-based or otherwise, HTTPS Web servers, and Secure Shell (SSH) became a common ... [full story]

Nov 26, 2008 by admin
Capturing with Multiple Sensors and Multiple VLANs
The generic case of multiple sensors capturing traffic from a number of VLANs can be very complex depending on the switch infrastructure. The simplest implementation is when there are many 2900-type switches, and sensors ... [full story]