

Cisco Secure IDS v. 2.5

Cisco Secure IDS (formerly known as NetRanger) is a network-based IDS, which means that it monitors all traffic on a subnet and compares individual or groups of packets against known attack signatures in an attempt to identify illegal activity.

Cisco Secure IDS is different from most other IDS on the market, however, since it is supplied as a dedicated network appliance, with all hardware and software necessary to get you up and running.

Architecture

The IDS sensor comes in three flavours, each running a heavily modified version of Sun Solaris, with new packet drivers written to cope with up to 100Mbps of traffic on network interfaces in promiscuous mode:

Cisco Secure IDS-4210 Sensor - optimised to monitor 45 Mbps environments and is ideally suited for monitoring multiple T1/E1, T3, and 10Mbit Ethernet environments. It comes in a 1U high chassis which contains a Celeron 566MHz processor, 256MB RAM and two auto sensing 10/100BaseT (RJ-45) Ethernet interfaces – one for monitoring and one for management.

Cisco Secure IDS 4230 Sensor - optimised to monitor 100Mbps environments and is ideally suited for monitoring traffic from switch Switched Port Analyser (SPAN) ports and Fast Ethernet segments. It is also suitable for monitoring multiple T3 environments. The additional performance is provided by dual Pentium III 600MHz processors and 512MB RAM, and once again it sports two auto-sensing 10/100BaseT (RJ-45) Ethernet interfaces for monitoring and management.

Catalyst 6000 IDS Module - designed specifically to address switched environments by integrating the IDS functionality directly into the switch and taking traffic right off the switch back-plane, thus bringing both switching and security functionality into the same chassis. Sporting 256MB RAM, it is designed to monitor 100Mbps of traffic.

Management is designed to be performed over a dedicated network using one of the two network interfaces in the Sensor. The remaining network interface is used purely for packet sniffing on the live network to be monitored.

Multiple sensors can be deployed around the network and managed from a single, central console running one of two pieces of software:

Cisco Secure Policy Manager v2.2 - This Windows-based software application provides integrated management of firewalls, virtual private networks, and intrusion detection. The IDS component of Cisco Secure Policy Manager (CSPM) provides robust device management and configuration as well as real-time event monitoring. Communication between the CSPM console and the Sensors is encrypted via IPSEC-compliant VPN tunnels where required.

Cisco Secure Intrusion Detection Director - This UNIX-based software application plugs into an existing Hewlett-Packard OpenView Network Node Manager console, running on an HP-UX or Sun Solaris operating system. This solution provides Cisco Secure IDS device configuration and topology-based event monitoring for existing HPOV users.

Installation

Installation tasks are minimal thanks to the turnkey appliance approach. All that is required is to attach a PC to the serial port of the Cisco Secure IDS box and set the date, time and IP addresses of the two interfaces before plugging it into the network. It starts monitoring straight away with a default policy.

In order to see what it is monitoring, of course, it is necessary to install the Cisco Secure Policy Manager (CSPM) software on an NT Server which is connected to the management interface of the IDS Sensor. We had just the one CSPM server, and so a stand-alone implementation was used - this is simply a matter of inserting the CD and following the installation wizard. Client-server and distributed implementations can also be deployed, though these are no more difficult to get up and running, merely requiring more steps to install the distributed components.

Figure 1 - Cisco Secure Policy Manager

For our tests, we also installed the netForensics server (see Reporting & Analysis section), which was considerably more involved given the need to install Linux and Oracle before we could get everything talking. However, netForensics also provides a plug-and-go appliance solution, in which case – as with the Cisco Secure IDS Sensor – installation requires nothing more than plugging it in and setting a couple of parameters.

Despite the loss of the nice hard copy manual that used to accompany the previous Cisco Secure IDS product (which, admittedly, concentrated on the HP OpenView plug-in), the quality of the Cisco documentation supplied is more than adequate. The new documentation obviously concentrates more on the CSPM software than the sensor itself, but then there is not much involved in operating the sensor, over and above that which is covered in the hard copy installation notes included in the box. Operation and configuration of the sensor via CSPM is covered in plenty of detail, and there are a number of AVI “training” videos included also.

Configuration

For centralised, remote management and monitoring, Cisco provides a couple of management options in the shape of the Windows-based Cisco Secure Policy Manager (CSPM) - which provides consolidated management of firewalls, site-to-site VPNs, and intrusion detection systems - and the UNIX-based Cisco Secure IDS Director, which integrates IDS management into an HP OpenView network management system (NMS).

As part of this test, we used CSPM for IDS configuration. CSPM is a scalable, powerful security policy management system that effectively provisions security services throughout a corporate network. CSPM configures Cisco firewalls and Virtual Private Network (VPN) routers in a consistent and uniform manner that is independent of whether the device is a Cisco Secure PIX Firewall or a Cisco router supporting firewall capabilities. Cisco Secure Policy Manager allows customers to define, distribute, enforce, and audit network-wide security policies from a central location.

CSPM streamlines the tasks of managing complicated network security elements such as perimeter access control, Network Address Translation (NAT) and IPSec-based VPNs. CSPM also simplifies the deployment of security services throughout corporate networks.

Figure 2 - Distributing policies to Cisco’s Secure IDS sensors via CSPM

CSPM’s graphical user interface allows administrators to visually define high-level, end-to-end security policies for multiple Cisco firewalls and VPN routers within a network. CSPM translates these policies into the appropriate device configurations with the proper syntax for the various devices within the managed network. These configurations can then be distributed automatically, eliminating the costly time-consuming practice of implementing security commands on a device-by-device basis. CSPM also provides system-auditing functions including event notification and a Web-based reporting system.

Most of the features currently available within CSPM are thus aimed at firewalls and VPN’s – Cisco Secure IDS is one of the more recent additions and the functionality is not quite as complete. For instance, there are no Web-based reporting capabilities available for IDS devices, and much of the policy management stuff simply does not apply.

This means that much of the hierarchical tree display in the left hand pane can be ignored when configuring the Cisco Secure IDS system. In the Network Topology section it is necessary to define a network address range (so the IDS can determine whether attacks are coming from the “inside” or “outside”), as well as creating entries for the CSPM server itself and all IDS Sensors.

For each Sensor, it is possible to determine which IDS policy is currently being used, how addresses are to be blocked, whether event log files should be generated, and which attack signatures should be filtered out and ignored from which IP addresses (this would allow port scans to be run from internal machines without triggering IDS alerts, for instance).

Figure 3 - Filtering attack signatures

The most important branch of the policy tree is headed Sensor Signatures, and here is where IDS security policies can be defined. Over three hundred attack signatures are available as part of the Cisco Secure IDS product covering a range of attack categories.

These include:

Exploits - Activity indicative of someone attempting to gain access or compromise systems on your network, such as Back Orifice, failed login attempts, and TCP hijacking

Denial-of-service (DoS) - Activity indicative of someone attempting to consume bandwidth or computing resources to disrupt normal operations, such as Trinoo, TFN, and SYN floods

Reconnaissance - Activity indicative of someone probing or mapping the network to identify "targets of opportunity," such as ping sweeps and port sweeps - usually a precursor to an actual exploit attempt

Misuse - Activity indicative of someone attempting to violate corporate policy. This can be detected by configuring the sensor to look for custom text strings in the network traffic

The latest version of the Cisco Secure IDS also includes IP fragmentation reassembly and “Whisker” anti-IDS detection capability support. Curiously, this is switched off by default, presumably because of the potential performance penalty involved. All signatures are updated on a regular basis to remain current with emerging hacker exploit techniques.

Figure 4 - Enabling/disabling General attack signatures

All of the “General” signatures are enabled by default, and it is possible to change the severity code (High, Medium or Low) and the Actions (Block, TCP Reset or Log to file). When an attack is noted, as well as logging to file and alerting to the CSPM console, the Sensor can instantly cut TCP sessions, and dynamically manage a Cisco router’s access control list to “shun” intruders, thus preventing further attacks from that source. This feature can be temporary, if desired, or maintained indefinitely. The rest of the network traffic will function normally - only the unauthorised traffic from internal users or external intruders will be removed.

Clearly this feature needs to be managed carefully, particularly where there is the chance of false positive alerts – you don’t want to accidentally cut off your entire accounts department from their network just because someone typed a password incorrectly. To prevent this sort of mistake, a panel in the CSPM configuration allows the administrator to define certain addresses that will never be blocked.

In addition to the General signatures, it is also possible for the administrator to define additional signatures based on connection details, string expressions or ACLs. Connection signatures provide the means to raise alerts on any TCP or UDP connection to any port, allowing the administrator to monitor unauthorised Telnet usage, for example.

String signatures enable the administrator to create custom signatures based around regular string expressions directed to or from specific ports, thus enabling a quick and dirty method of trapping viruses such as “ILOVEYOU” by watching for the offending string in packets destined for port 25.

Finally, ACL signatures are user-configurable attack signatures based on policy violations recorded by network devices in the syslog stream (which requires that your routers be configured to log ACL violations and the sensor be configured to accept syslog traffic from the router).
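To make the signature model described in the preceding paragraphs concrete, here is an added example (written for this page, not Cisco's code or the CSPM signature engine) of a toy sensor that evaluates connection signatures and string signatures over packet records, carries a severity and an action set per signature, honours the "never block" address list, and applies per-source exclusions for a given signature ID. The packets, signature IDs, addresses and network ranges are all constructed for the example; ACL (syslog-driven) signatures are not modelled.

```python
"""Toy signature engine modelled on the signature types described above.
Hypothetical code: not Cisco's implementation. All addresses, ports,
signature IDs and patterns below are constructed sample values."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class Signature:
    sig_id: int
    name: str
    severity: str                         # High, Medium or Low
    actions: tuple = ("log",)             # any of "log", "tcp_reset", "block"
    proto: str = "tcp"
    port: Optional[int] = None            # None matches any destination port
    pattern: Optional[re.Pattern] = None  # None => plain connection signature

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.port is not None and pkt.dport != self.port:
            return False
        if self.pattern is None:          # connection signature: port alone fires it
            return True
        return self.pattern.search(pkt.payload) is not None


@dataclass
class Alert:
    sig_id: int
    name: str
    severity: str
    src: str
    dst: str
    actions: tuple


class Sensor:
    def __init__(self, signatures, never_block=(), exclusions=()):
        self.signatures = list(signatures)
        # Addresses that must never be shunned, whatever the signature says.
        self.never_block = [ip_network(n) for n in never_block]
        # (signature ID, source network) pairs filtered out entirely.
        self.exclusions = [(sid, ip_network(n)) for sid, n in exclusions]

    def _excluded(self, sig: Signature, pkt: Packet) -> bool:
        src = ip_address(pkt.src)
        return any(sid == sig.sig_id and src in net for sid, net in self.exclusions)

    def _effective_actions(self, sig: Signature, pkt: Packet) -> tuple:
        # Drop the block action for protected sources; keep log / tcp_reset.
        if "block" in sig.actions and any(ip_address(pkt.src) in n for n in self.never_block):
            return tuple(a for a in sig.actions if a != "block")
        return sig.actions

    def inspect(self, pkt: Packet) -> list:
        alerts = []
        for sig in self.signatures:
            if sig.matches(pkt) and not self._excluded(sig, pkt):
                alerts.append(Alert(sig.sig_id, sig.name, sig.severity, pkt.src, pkt.dst,
                                    self._effective_actions(sig, pkt)))
        return alerts


def build_sensor() -> Sensor:
    """Constructed policy: a Telnet connection signature and an ILOVEYOU string signature."""
    sigs = [
        Signature(3000, "Unauthorised Telnet", "Medium", ("log",), "tcp", 23),
        Signature(3001, "ILOVEYOU mail", "High", ("log", "block"), "tcp", 25,
                  re.compile(rb"ILOVEYOU")),
    ]
    return Sensor(sigs,
                  never_block=["10.0.1.0/24"],            # e.g. the accounts department
                  exclusions=[(3000, "10.0.0.5/32")])     # internal scanner may use Telnet


if __name__ == "__main__":
    s = build_sensor()
    for pkt in (Packet("192.0.2.7", "10.0.0.10", "tcp", 25, b"Subject: ILOVEYOU\r\n"),
                Packet("10.0.1.20", "10.0.0.10", "tcp", 25, b"ILOVEYOU"),
                Packet("10.0.0.5", "10.0.0.10", "tcp", 23),
                Packet("192.0.2.8", "10.0.0.10", "tcp", 23)):
        print(pkt.src, "->", s.inspect(pkt))
```

The point worth noting is in `_effective_actions`: the never-block list is applied when the action is taken, not when the signature matches, so the event is still logged and visible on the console even though the source is spared the shun.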

Creating IDS security policies is thus extremely straightforward in CSPM – the interface is simple, uncluttered, intuitive and very easy to use and there is rarely any need to refer to documentation. Applying them is simply a matter of clicking on the “save & update” button, at which point they are transferred to all Sensors that use that particular policy automatically.

Figure 5 - Real-time alert console

As soon as a policy has been applied, the Sensor will begin sending alerts to the CSPM console that has been designated as its manager. The real-time alert console under CSPM provides instant notification of all alerts from all managed sensors.

It displays information such as date and time of attack, attack name, attack details and parameters used, source and destination address, source and destination port, attack ID and severity. Multiple occurrences of the same attack within a short period of time are consolidated into a single row with a count of the total number of occurrences against it.

Right clicking on a consolidated row brings up a context menu that can be used to expand the row showing the individual attacks if required. The same menu can be used to collapse rows, delete rows, add or remove columns from the display, and pull up detailed HTML-based attack information from the Cisco Network Security Database (NSDB). This provides instant access to specific information about the attack, hotlinks, and potential countermeasures. Because the NSDB is an HTML database, it can be personalised to a user to include operation-specific information such as response and escalation procedures for specific attacks.

Figure 6 - Detailed information on attacks from the NSDB

The way the attacks are reported could be a little confusing for those that are not steeped in the dark arts of security lore. Eyebrows may have been raised at the mention above that there are just 300 attack signatures in the database, but this does not tell the whole tale. These are generic “group” signatures, each one covering one or more actual attack types. This means that Cisco Secure IDS is more likely to be able to spot new variants of old attacks without signature updates, but it does mean that the reported attack names are very non-specific. For example, our Land attack was reported as an “Impossible IP Packet” attack. Technically correct, of course, but not very specific for those who do not know their onions (or their impossible IP packets).

However, this has to be the way forward for the majority of IDS vendors. The difficulty of pattern matching packets against an ever-growing database of signatures in a reasonable (i.e. very small) amount of time means that a more generic approach to detecting attacks is required.

The advantage is a higher level of performance, fewer signature database updates required, and more chance that a new variant of an old attack will be spotted immediately.

The main problem with the real-time alert console is not the general purpose attack names, but the fact that the rows can only be grouped according to the first column, and clicking on various column headings will only sort items within the overall first column groups. If you would like to see all the attacks from a particular IP address together, for instance, you need to drag the Source IP column to position number one in order to sort the table accordingly.

Bearing in mind that this is the only means that the administrator has to get IDS attack and alert information out of the CSPM database, it does need to be made as flexible and easy to use as possible. It would be far better to follow the standard Windows convention of simply allowing the user to sort unconditionally on any column by clicking on the column heading. Once this minor glitch has been fixed, the real-time alert console will prove to be an extremely useful tool.

Reporting and Analysis - netForensics

As with its predecessor, the latest version of the Cisco Secure IDS is completely devoid of any form of reporting and analysis or alerting capability. It has an excellent real-time monitoring capability at the console, and a basic log viewer to examine the log files (there is a log action that can be associated with individual signatures), but nothing more.

Some reporting will be built in to CSPM at some point in the future – as it has been already for PIX, for instance – but Cisco will continue to rely on partners for the heavy-duty stuff.

And heavy duty reporting, analysis and alerting for the Cisco Secure IDS is provided by netForensics.com with its netForensics product, a comprehensive security infrastructure management platform for network managers. It has been designed to collate information from multiple network services, such as firewalls, intrusion detection devices, web servers, routers, and authentication servers and present it in a style useful for executive management and security experts alike.

netForensics augments an enterprise-wide security system by providing an interactive and real-time interface that enables reporting, correlation, and forensics. The network manager can access this information from any browser on the intranet (via an authenticated session) and use this tool to quickly and easily sort through large volumes of raw information to focus on the high-risk threats. The key features of netForensics include:

  • Event Analyser - provides reporting and correlation analysis on the events and alarms generated by the various network devices and applications
  • Alarm Console - provides a real-time status of the monitored devices with a detailed scrolling Alarm Viewer accessible from any Java-enabled browser
  • Back-end Database - provides for historical trend analysis and archiving capability

Devices that can be monitored and analysed by netForensics Version 2.0 include Cisco Secure IDS, Cisco PIX Firewall and AAA Server.

netForensics runs on Solaris or Linux platforms, and will shortly be appearing on NT. Three versions are available – Lite, Workgroup and Service Provider – each offering additional capacity, horsepower and facilities over the previous version, and software-only and appliance-based implementations can also be had. Looking at what is involved in getting the system running under Linux (although it is all documented in detail, and the documentation is excellent), we would tend to favour the appliance route.

Figure 7 - Top Ten Attack Signature report

The high-end versions are based on Oracle, and access to the data is provided via an Apache Web server that makes a JDBC connection to the underlying database. This means that there is plenty of opportunity for customising the settings to tune the performance for different environments. netForensics can be configured on a single box for a workgroup-type of installation, handling up to 200 messages per second. Workgroups are defined as a maximum of five devices per workgroup.

netForensics components - the Oracle database, the Apache Web server and the netForensics engine - can also be distributed across multiple servers to increase the message handling capabilities up to five times the workgroup configurations. It can also be arrayed in a distributed hierarchical architecture to handle centralised management and monitoring of hundreds of security devices across an enterprise.

Access to the reports and alerts is available to any machine on the network via a Java-enabled browser. Java is not usually our favourite user interface, being resource-hungry and all too often slow. However, the netForensics interface seems to have been well-designed and, apart from a lengthy delay when first attaching to the Web server, is very fast and easy to use.

The administrator is presented with a dual-pane display that does a very good job of emulating a Win32 application in appearance and operation. The left hand pane contains a hierarchical tree display with top-level headings of Security, NFReports and Administration.

The Administration menu allows you to manage sensor devices, alarms, events, user accounts, log files/databases and reports. Any number of user accounts can be created to authenticate to the netForensics server, and each one can be restricted to viewing certain devices – we had our administrator configured to only view Cisco Secure IDS sensors, for instance, which meant that the PIX and IOS devices did not show up on the report menus. The real-time console can be configured to filter and display only certain types and severity of alarms and events, and standard reports can be scheduled for regular repeating runs.

Notification methods can be configured from a choice of SNMP traps, pager and e-mail, and the Console can be configured to perform event aggregation, if required. This combines multiple events occurring within a specified time frame into a single line in the real-time Console, making them much easier to manage. By double clicking on any aggregated event, the line is expanded into the individual events for further examination.

Finally, netForensics can be configured to perform regular database housekeeping tasks, such as purging and archiving event records. Database backup and recovery, however, is initiated from the command line outside the netForensics environment.

Figure 8 - Querying individual alert events

The NFReports menu contains a small number of reports which cover the events, alerts and messages specific to the netForensics server itself, whilst the Security menu contains reports of wider interest to the security administrator. In this section, there are sub-menus for each of the types of security device being monitored – PIX firewall, IOS device, IDS and so on.

Over 250 reports and summaries are available for Cisco Secure PIX Firewalls and Cisco Secure IDS. These target the needs of engineering, operations, senior management and forensic evidence gatherers.

Because we had restricted our administrator account to see only the Cisco Secure IDS devices, we only had the IDS reports available in this section. It is also possible to select a device-specific menu which will show only the reports available for a specific device (useful when many different device types and devices are being monitored from a single console).

Reports available for Cisco Secure IDS include:

  • Intrusion Detection Summary – takes events generated by Cisco Secure IDS and maps them to the netForensics severity levels for reporting
  • Attack Signatures Summary – high-level count of the various attack signatures seen by Cisco Secure IDS
  • Alarm Level Summary – Cisco Secure IDS alarms summarised and displayed by alarm level
  • NF Severity Summary – summary statistics displayed by netForensics severity levels
  • Alarm Source Summary – summarises messages by source IP address and severity level
  • Alarm Destination Summary – summarises messages by destination IP address and severity level
  • Application Summary – lists severity of alarms by application (FTP, DNS, HTTP, etc.)
  • Signature Categories by Alarm Level – displays alarms based on their signature category (IP header attack, Denial of Service, TCP header attack, etc.) along with their alarm level
  • Signature Categories by NF Severity – displays alarms based on their signature category sorted by the netForensics severity level
  • Sensor Summary by Alarm Level – summary of multiple IDS sensor devices with alarm levels and counts for each device
  • Sensor Summary by Signature – summary of multiple IDS sensor devices with attack signatures and counts for each device
  • Top Ten Intruders – lists the top ten host addresses of the most frequent intruders over a specified time period
  • Top Ten Attack Signatures – lists the top ten attack signatures of the most frequent attacks over a specified time period
  • Top Ten In Attacked Hosts – lists the top ten IP addresses of hosts on the inside network that have received the greatest number of attacks coming from an outside host
  • Top Ten Out Attacked Hosts – lists the top ten IP addresses of hosts on the outside of the protected network that have received attacks coming from an inside host
  • Signature Analysis – logs messages and counts by attack signature
  • Alarm Level Analysis – logs messages and counts by alarm levels

Unfortunately, it is not possible to add custom reports, but the range of reports available should be adequate for most uses. Each report has a number of settings including time period which should be covered (time and date), sort order, which devices should be included in the report and which columns should be included. Output can be as text or graphics, and in addition to the browser-based display, reports can also be exported as HTML files, PDF files, CSV files or XML.

All reports are normalised across different time zones, to ensure that the administrator running the report in London gets meaningful local times against events reported from a sensor in New York. This is an extremely useful capability for global operations.

Another very useful feature that minimises the need for the ability to define your own reports is the drill-down capability. When any report is run, certain key fields are highlighted as live hyperlinks. Clicking on any of these allows another level of report to be generated based on that particular item of data. For example, when running the Top 10 Attacked Hosts report, it is possible to click on the IP address of any host and generate a further drill-down report showing all attacks against that particular host. From there, you could select any source address, and generate another drill-down report showing all attacks emanating from that address.

This drill-down can continue indefinitely, allowing netForensics data to be “sliced and diced” in any number of different ways, and this is one of the product’s most powerful and useful features. At any point where an attack signature is included in a report, it is also possible to select the signature ID and display in-depth details about that particular attack signature taken from the Cisco Network Security Database.
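As an added illustration of the "Top Ten" reports listed above, the hyperlink drill-down just described, and the time-zone normalisation mentioned earlier, here is a small report layer written for this page (not netForensics' code): alarms are counted by source or by inside destination, any field value can be followed into a narrower alarm set, and timestamps recorded by a sensor in one zone are rendered in the analyst's zone. The alarm records, signature IDs, addresses and the fixed UTC-5 sensor offset are all constructed for the example; a real deployment would use proper zone data rather than a fixed offset.

```python
"""Top-N summaries, hyperlink-style drill-down and time-zone normalisation
over IDS alarm records. Hypothetical code, not netForensics' implementation;
every record below is a constructed sample."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alarm:
    ts: datetime        # timezone-aware, as stamped by the reporting sensor
    sig_id: int
    signature: str
    src: str
    dst: str
    inside_dst: bool    # True when dst lies on the protected ("inside") network


def top_n(alarms, key, n=10):
    """Generic 'Top Ten' report: count alarms by the field selected by `key`."""
    return Counter(key(a) for a in alarms).most_common(n)


def top_intruders(alarms, n=10):
    return top_n(alarms, lambda a: a.src, n)


def top_attack_signatures(alarms, n=10):
    return top_n(alarms, lambda a: a.signature, n)


def top_in_attacked_hosts(alarms, n=10):
    # Only inside hosts hit from outside count, as the report description says.
    outside_to_inside = (a for a in alarms if a.inside_dst and not a.src.startswith("10."))
    return top_n(outside_to_inside, lambda a: a.dst, n)


def drill_down(alarms, **fields):
    """Follow a report hyperlink: keep only alarms matching every given field.
    Chaining calls (host, then source, then signature) is the 'slice and dice'."""
    return [a for a in alarms if all(getattr(a, f) == v for f, v in fields.items())]


def render(alarms, local_tz):
    """Normalise each timestamp to the analyst's zone before display."""
    return [(a.ts.astimezone(local_tz).isoformat(), a.signature, a.src, a.dst)
            for a in alarms]


# Constructed sample: a sensor in New York (fixed UTC-5 winter offset assumed),
# reported to an analyst working in London (UTC+0 in January).
NY = timezone(timedelta(hours=-5), "NY")
LONDON = timezone.utc
ALARMS = [
    Alarm(datetime(2002, 1, 14, 9, 0, tzinfo=NY), 1102, "Impossible IP Packet", "192.0.2.7", "10.0.0.10", True),
    Alarm(datetime(2002, 1, 14, 9, 1, tzinfo=NY), 1102, "Impossible IP Packet", "192.0.2.7", "10.0.0.10", True),
    Alarm(datetime(2002, 1, 14, 9, 2, tzinfo=NY), 3000, "Telnet connection", "192.0.2.7", "10.0.0.11", True),
    Alarm(datetime(2002, 1, 14, 9, 5, tzinfo=NY), 3000, "Telnet connection", "192.0.2.8", "10.0.0.10", True),
    Alarm(datetime(2002, 1, 14, 9, 6, tzinfo=NY), 3000, "Telnet connection", "10.0.0.12", "198.51.100.4", False),
]


if __name__ == "__main__":
    print("Top intruders:", top_intruders(ALARMS))
    print("Top inside attacked hosts:", top_in_attacked_hosts(ALARMS))
    host = drill_down(ALARMS, dst="10.0.0.10")          # click the host address
    by_src = drill_down(host, src="192.0.2.7")          # then click a source
    for line in render(by_src, LONDON):
        print(line)
```

Because `drill_down` returns an ordinary list of the same record type, each level of the drill-down is just another report input, which is what makes the chaining open-ended.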

But it is not just historical reporting that can be performed with netForensics, since the product also provides a real-time Alarm Console that is capable of taking a feed directly from the IDS Sensor at the same time as the CSPM system.

Figure 9 - netForensics real-time Alarm Console

Once an administrator has connected to an IDS device, a “traffic light” display along the bottom of the screen provides an instant indication of device status (red for alerts, yellow for warnings, green for normal), whilst the Alarm Console screen displays the individual events as they happen. This console is capable of handling 125 messages per second, or 10 million messages per day, and provides extensive filtering capability based on IP address, port numbers, message type, and device.

The Alarm Console shows a list of messages with time and date of attack, source IP address, count and attack signature. By default, one entry on the console corresponds to a single alert event, but when attack aggregation is turned on, netForensics consolidates multiple attacks of the same type within a specified time period into a single console entry, which makes it much easier to follow when many attacks are being recorded in a short space of time.

Double clicking on an individual entry presents the administrator with a detailed event query. Once again, key fields are offered as live hyperlinks for further drill-down if required.
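The consolidation described for the CSPM console (repeated attacks collapsed into one row with a count, expandable on demand) and the netForensics aggregation described just above are the same mechanism, so one added example serves both passages. The code below is written for this page, not taken from Cisco or netForensics: events with the same signature, source and destination arriving within a configurable window are folded into a single row, a later repeat outside the window opens a new row, and the row can be expanded back into its individual events or filtered by source or attack ID. The events, timestamps and signature IDs are constructed.

```python
"""Folding repeated alerts into one console row with a count. Hypothetical
code, not Cisco's or netForensics' implementation; sample events constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    sig_id: int
    name: str
    src: str
    dst: str


@dataclass
class Row:
    """One console line: the first event of a run plus every repeat folded into it."""
    first: Event
    last_ts: datetime
    events: list = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.events)

    def expand(self) -> list:
        """The 'expand row' context-menu action: the individual occurrences."""
        return list(self.events)


def consolidate(events, window=timedelta(seconds=60)) -> list:
    """Group events sharing (sig_id, src, dst) whose timestamps fall within
    `window` of the row's first event; anything later starts a fresh row."""
    rows, open_rows = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.sig_id, ev.src, ev.dst)
        row = open_rows.get(key)
        if row is None or ev.ts - row.first.ts > window:
            row = Row(first=ev, last_ts=ev.ts)
            rows.append(row)
            open_rows[key] = row
        row.events.append(ev)
        row.last_ts = ev.ts
    return rows


def filter_rows(rows, src=None, sig_id=None) -> list:
    """Console filtering by source address and/or attack ID (both optional)."""
    return [r for r in rows
            if (src is None or r.first.src == src)
            and (sig_id is None or r.first.sig_id == sig_id)]


def sample_events() -> list:
    """Constructed feed: a 5-event burst, one unrelated event inside the burst,
    and one repeat of the burst signature two minutes later."""
    t0 = datetime(2002, 1, 14, 9, 0, 0)
    burst = [Event(t0 + timedelta(seconds=2 * i), 3001, "ILOVEYOU mail", "192.0.2.7", "10.0.0.10")
             for i in range(5)]
    other = Event(t0 + timedelta(seconds=3), 3000, "Telnet connection", "192.0.2.8", "10.0.0.10")
    later = Event(t0 + timedelta(minutes=2), 3001, "ILOVEYOU mail", "192.0.2.7", "10.0.0.10")
    return burst + [other, later]


def run() -> list:
    return consolidate(sample_events())


if __name__ == "__main__":
    for row in run():
        f = row.first
        print(f"{f.ts:%H:%M:%S} {f.name:<18} {f.src:<12} -> {f.dst:<12} x{row.count}")
```

The window is measured from the row's first event rather than its most recent one, so a slow, steady trickle of the same alert cannot stay folded into one row forever; that keeps the count on any single row bounded and the console honest about how long an attack has really been running.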

The final feature of note is the real-time chat window, which allows administrators in different locations to communicate instantly about events they are viewing via the Console.

Verdict

Although the Cisco solution could be considered a little on the expensive side compared with some basic IDS products, this needs to be balanced against the fact that you get all the Sensor hardware and software included in the price. There is also a range of products available now, with different capabilities and at different price points. Taking this into account, along with the lower installation and ongoing maintenance costs provided by the appliance approach, the Cisco Secure IDS could actually work out to be an extremely cost-effective solution in the long run.

One of the biggest negative factors of previous releases – the reliance on HP OpenView for configuration and alerting – has been eliminated with the latest release. Although the HPOV plug-in is still available, the new Cisco Secure Policy Manager provides a more familiar (for many) Windows management and alerting environment with an extremely slick and intuitive interface. Installing and configuring Cisco Secure IDS Sensors is nothing if not straightforward.

As with previous incarnations, however, Cisco offers nothing in the way of alerting (other than to the CSPM Console), reporting and analysis, and prefers to work with partners in this area. If you are considering the Cisco offering as your IDS, you should consider budgeting for additional reporting products such as netForensics as reviewed here.

netForensics is an excellent tool for real-time monitoring, historical reporting and analysis, and alerting. Based on a robust Oracle database platform, netForensics provides a scalable solution with a range of options capable of managing a single device up to a complete enterprise. There is a wide range of reports available to cover all eventualities, and the drill-down capabilities make netForensics an extremely powerful and flexible offering.

It should also be borne in mind that it is capable of monitoring more than just IDS, providing a centralised means of reporting across all your Cisco security devices.

Most sites will need to seriously consider the acquisition of some form of third-party monitoring and reporting tool to go with Cisco Secure IDS – even if they are monitoring a single device, managing even an average number of alerts can be daunting, but with an entire network of devices to manage some additional help will almost definitely be required. If this should prove to be the case, netForensics is well worth a look.

Contact Details

Company name: Cisco Systems, Inc.
Internet: www.cisco.com
Address:
San Jose World Headquarters
170 West Tasman Drive
San Jose, CA 95134-1619
USA
Tel: +1 408 526 4000

Cisco Systems
3, The Square
Stockley Park
Uxbridge
UB11 1BN
England
Tel: +44 (0)20 8756 8000

Company name: netForensics.com, Inc.
Internet:
www.netForensics.com
Address:

200 Metroplex Drive
Edison
New Jersey 08817
USA
Tel: +1 732-393-6000


Copyright © 1991-2002 The NSS Group.
All rights reserved.