Nov 24, 2008 by admin
Designing & Planning: Before You Begin
In order to carry out the password recovery procedures, you will need the following:
Solaris for Intel CD-ROM.
Solaris Device Configuration Assistant disk (boot disk). This can be downloaded from the Sun support Web site: http://soldc.sun.com/support/drivers/dca_diskettes/. Cisco ... [full story]
|
Nov 24, 2008 by admin
Recovering the Sensor's Password
Recovering the password on any device is of significant importance. This procedure should be documented early in the deployment of the sensor. Once the default password on a Solaris-based Cisco Secure IDS Sensor is changed from the ... [full story]
|
Nov 24, 2008 by admin
Configuring SPAN
The SPAN interface can be any interface on the switch as long as it's a static-access port. The SPAN port also has to reside in the same VLAN as the ports being monitored. To configure SPAN, follow these steps:
Once ... [full story]
|
Nov 24, 2008 by admin
Configuring the SPAN Interface
If you have worked with switches much, you are already familiar with Switched Port Analyzer (SPAN). SPAN is used to capture network traffic in the shape of packets for the purpose of analysis. It is especially beneficial ... [full story]
|
Nov 24, 2008 by admin
cidServer
cidServer is the IDS Web server itself and enables the administrator to connect via IDM. The server automatically begins during system startup. You must be logged in as root to execute this command. cidServer has three parameters that can accompany ... [full story]
|
Nov 24, 2008 by admin
Using the Sensor Command-Line Interface
When using the command-line interface, you need to be aware of all the pertinent commands that are used to initialize the sensor and which ultimately can be used to administer the IDS Sensor. Many of these ... [full story]
|
Nov 24, 2008 by admin
The Display
The display in Figure 3.17 allows you to toggle back and forth between VGA and terminal settings. This is a setting that everybody needs to get familiar with because inevitably it will be forgotten. VGA/Terminal mode allows the VGA ... [full story]
|
Nov 24, 2008 by admin
Secure Shell Communications
To use Secure Shell Communications, follow these steps:
Select option 2 on the IPSec Communications menu to access the Secure Shell Communications screen. This screen allows you to select up to three levels of security.
Select options 1-High (Telnet ... [full story]
|
Nov 24, 2008 by admin
IPSec Communications Field Values
Key               Value
Cipher            8-byte hexadecimal string
Authentication    16-byte hexadecimal string
SPI               Value 0x100 - 0xffff ffff (numeric)
The other option in the IPSec Communications menu is to enable NAT. Only use this if NAT is set up between the management device and ... [full story]
|
Nov 24, 2008 by admin
Communications Infrastructure Values
Field                        Input
Sensor Host ID               1–65535
Sensor Organization ID       1–65535
Sensor Host Name             256 alphanumeric characters; no spaces; "-" and "_" are okay
Sensor Organization Name     256 alphanumeric characters; no spaces; "-" and "_" are okay
Sensor IP Address            Valid IP address
IDS Manager Host ID          1–65535
IDS Manager Organization ID  1–65535
IDS ... [full story]
|
Nov 24, 2008 by admin
Configuring the Sensor
Configuring the sensor is a fundamental step in deploying an IDS infrastructure. The first step in configuring the sensor is running the sysconfig-sensor command and going through each option, filling in the required information along the way. Any ... [full story]
|
Nov 24, 2008 by admin
What Is sysconfig-sensor?
Once you have logged into the sensor as root and changed the password, sysconfig-sensor is the next command performed in order to configure the sensor. This is commonly known as bootstrapping the sensor.
Note: Passwords are case-sensitive and can ... [full story]
|
Nov 24, 2008 by admin
What Is the netrangr User?
To perform administrative or IDS-level functions on the sensor, you will need to log in as netrangr. All the commands discussed later in this chapter are executed using this account, with the exception of sysconfig-sensor. They ... [full story]
|
Nov 24, 2008 by admin
What Is the root User?
The user root on the sensor is used strictly for configuration of the operating system. It is not used for daily administrative tasks. The main function root is used for is sysconfig-sensor, explained in detail later ... [full story]
|
Nov 24, 2008 by admin
Initializing the Sensor
Initializing the sensor is where the rubber meets the road, so to speak. Besides physically installing the sensor into a rack and cabling, this is the basic process for getting your sensor up and running. Two accounts are ... [full story]
|
Nov 24, 2008 by admin
Identifying the Sensor
Technically speaking, there are two types of sensor platforms available: the 4200 series sensors and the Catalyst 6000/6500 series IDS Module (or IDSM), both of which we cover in detail in Chapter 6. Within the 4200 series, there ... [full story]
|
Nov 24, 2008 by admin
Initializing Sensor Appliances
Introduction
Sensor initialization is the first step in deploying a Cisco IDS sensor. Cisco also refers to this as bootstrapping the sensor. Once you have decided where the sensor will be placed on your network (in front of, or ... [full story]
|
Nov 24, 2008 by admin
Complex IDS Deployment
The second example involves a larger, more complex network and services environment with high bandwidth requirements. In this example, the ACME Company is a large defense contracting organization with a headquarters campus network and remote offices in seven ... [full story]
|
Nov 24, 2008 by admin
Small IDS Deployment
Our first example (Figure 2.3) involves the Nittany Corporation, which has a small internal network and a server farm DMZ that houses all internally and externally accessed services. The organization relies heavily on its e-commerce web site and ... [full story]
|
Nov 24, 2008 by admin
Placing Sensors Based on Network and Services Function
With technological changes and new threats, the placement of intrusion detection systems has evolved over time. Initially, IDSs were typically deployed only at the Internet ingress/egress point, outside the company firewall. With the ... [full story]
|
Nov 24, 2008 by admin
Identifying the Critical Infrastructure and Services
As part of the network analysis, security administrators should identify the critical components both in terms of networks and services. After all, the network exists only to get people and machines to application services! On ... [full story]
|
Nov 24, 2008 by admin
Understanding and Analyzing the Network
Intelligent IDS deployment requires detailed knowledge and analysis of the network as a whole. As we discussed in Chapter 1, this involves gathering and understanding attributes such as overall network size and topology, ingress and egress ... [full story]
|
Nov 24, 2008 by admin
Deploying Cisco IDS Sensors
In the first chapter, we briefly discussed some of the best practices related to planning and managing the implementation of IDS sensors. In general, security architects will find that IDS is best deployed near the ingress/egress points ... [full story]
|
Nov 24, 2008 by admin
Remote Data Exchange Protocol
As of the Cisco IDS 4.0 software, PostOffice Protocol is no longer used for communication between console and IDS sensor devices. Instead, Cisco implements the Remote Data Exchange Protocol (RDEP), which is a proprietary HTTP and XML-based ... [full story]
|
Nov 24, 2008 by admin
Cisco PostOffice Protocol
To manage and maintain the Cisco IDS devices, Cisco first developed a proprietary protocol known as PostOffice Protocol. It is now being replaced by RDEP, which we'll describe later. The PostOffice Protocol is not to be confused with ... [full story]
|
Nov 24, 2008 by admin
Managing Cisco's IDS Sensors
In conjunction with Cisco's flexible approach to security management, Cisco has developed several means of managing IDS platforms in the network. Each has different intents and benefits to better address the varying needs of security administrators. Some ... [full story]
|
Nov 24, 2008 by admin
Cisco Host Sensor
Capable of running on various operating systems such as Windows or Solaris, the Cisco IDS Host Sensor integrates into the host OS to protect it from malicious intent. The Host Sensor not only inspects inbound traffic destined for ... [full story]
|
Nov 24, 2008 by admin
Cisco's Host Sensor Platforms
Cisco also offers Host IDS to protect the service endpoints distributed in the network. The Cisco HIDS solution is based on Entercept functionality and augments Cisco's NIDS capabilities as prescribed in the AVVID architecture and SAFE blueprint. ... [full story]
|
Nov 24, 2008 by admin
IDSM-1 vs. IDSM-2 Comparison
Functionality               IDSM-1           IDSM-2
Performance                 250 Mbps         600 Mbps
SPAN/RSPAN                  X                X
VACL Capture                X                X
Shunning                    X                X
IEV                         X                X
VMS                         X                X
IDM                                          X
TCP Resets                                   X
IP Logging                                   X
CLI                                          X
Signature Micro Engines                      X
Same Code as Appliances                      X
Fabric Enabled                               X
SNMP
Unix Director               X
CSPM                        X
Event retrieval method      PostOffice       RDEP
Slot Size (form factor)     1 RU             1 RU
Local Event Store           100,000 Events   N/A, retrieved
As can be seen, the IDSM-2 module has far greater capabilities. Indeed, because it ... [full story]
|
Nov 24, 2008 by admin
The Cisco 6500 Series IDS Services Module
Like the IDS Module for Cisco routers, Cisco also offers a module for the Cisco 6500 series switch. Referred to as the IDSM, the module occupies one or more slots in the 6500 chassis, ... [full story]
|
Nov 24, 2008 by admin
The Cisco IDS Module for Cisco 2600, 3600, and 3700 Routers
With the recent addition of the Cisco IDS Module for the 2600XM, 3600, and 3700 Cisco routers, Cisco provides affordable and capable intrusion detection services in small office and branch ... [full story]
|
Nov 24, 2008 by admin
4250 XL Sensor
The most capable of the Cisco 4200 IDS series, the 4250 XL performs at gigabit speeds and is ideal for fully or partially saturated gigabit network environments. Like the other sensors, the 4250 XL is one RU, but ... [full story]
|