Intrusion Detection Systems

When considering network security, deploying intrusion detection might not be the first thing on the mind of a security administrator at the site of a typical SMB. And even if it is, Cisco probably does not top the list of IDS vendors that comes to mind because of the many freeware IDS products available and a certain well-ingrained perception of Cisco as a networking company.

In the final analysis, however, the truism stands: You get what you pay for! With its wide range of IDS solutions—from dedicated devices to focused (partial) and full-blown IDS services integrated into routers, switches, and firewalls—Cisco should top the list of vendors for IDS solutions. This holds true especially if an SMB has already deployed, or is considering deploying, other Cisco security solutions. When making a value proposition to an SMB, you should always be thinking about how to leverage the deployed equipment and seamlessly integrate a new solution (IDS—or any other, for that matter) into the existing security infrastructure.

With the increasing number and sophistication of potential attacks, both from the inside and the outside, firewalling an SMB's network might not be sufficient to protect it against disruptions or theft of confidential information. Effective use of IDSes represents a key component of an integrated end-to-end security solution.

Effective intrusion detection relies first and foremost on the accurate identification of all potential threats. Those intrusion threats can include the following:

  • Reconnaissance activity, which is usually intended to identify points of vulnerability within a network. Port and ping sweeps are forms of reconnaissance.

  • Denial-of-service (DoS) activity, in which bandwidth is consumed by frivolous traffic. DoS attacks can be directed against common TCP/IP application services like Simple Mail Transfer Protocol (SMTP) (e-mail) or Hypertext Transfer Protocol (HTTP) (web). SYN floods are a form of DoS attack. Because the SYN flag in the TCP header is at the core of setting up TCP connections, perhaps there is not an absolutely foolproof method of protection against SYN floods. But SYN floods can be detected and mitigated through IDSes.

  • Misuses of corporate security policies, where employees might be attempting to gain access to information that they are not authorized to see or to transmit confidential information outside of the corporate network.

  • Exploits indicative of attempts to compromise the system, including multiple failed logins, unusual login times, unusual traffic patterns indicative of large file transfers, attempts at installation of unauthorized malicious software like remote access trojans (RATs), or TCP session hijacking.

Multiple detection techniques are required for an IDS to recognize such a wide variety of potential threats. When you consider that those threats do not remain static, you can see that securing a computer network is a never-ending battle. Even as attack signatures become understood and subject to mitigation, new ones emerge that must be considered and dealt with.
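As an added illustration (not code from the book or from any Cisco product), the toy Python detector below shows the kind of stateful tracking an IDS uses to recognize two of the threats listed above: a port sweep (reconnaissance) and a SYN flood (DoS). The packet records, addresses and thresholds are constructed for the example.

```python
"""Toy stateful detector for port sweeps and SYN floods.
Added illustration only; the packet records below are constructed, not captured."""
from collections import defaultdict

# Constructed packet records: (src, dst, dport, tcp_flags).
# A real sensor would read these from a mirrored (SPAN) switch port.
SAMPLE_PACKETS = (
    # a normal client that completes its three-way handshake to port 80
    [("10.0.0.5", "10.0.0.20", 80, "S"),
     ("10.0.0.20", "10.0.0.5", 80, "SA"),
     ("10.0.0.5", "10.0.0.20", 80, "A")]
    # a port sweep: one source probing twenty ports on one host
    + [("10.0.0.9", "10.0.0.20", p, "S") for p in range(20, 40)]
    # a SYN flood: many sources leave half-open handshakes to the mail port
    + [(f"192.0.2.{i}", "10.0.0.20", 25, "S") for i in range(1, 60)]
)

SWEEP_PORTS = 15       # distinct ports probed by one source before it counts as a sweep
HALF_OPEN_LIMIT = 50   # half-open handshakes to one dst:port before it counts as a flood


def detect(packets, sweep_ports=SWEEP_PORTS, half_open_limit=HALF_OPEN_LIMIT):
    """Return a sorted list of (alert_type, key) tuples found in the packet stream."""
    ports_seen = defaultdict(set)   # src -> destination ports it has sent SYNs to
    half_open = defaultdict(set)    # (dst, dport) -> sources with a SYN but no final ACK
    alerts = set()
    for src, dst, dport, flags in packets:
        if flags == "S":
            ports_seen[src].add(dport)
            half_open[(dst, dport)].add(src)
        elif flags == "A":
            # the client's final ACK completes the handshake, so it is no longer half open
            half_open[(dst, dport)].discard(src)
        # state is re-checked on every packet so an alert fires as soon as a threshold is crossed
        if len(ports_seen[src]) >= sweep_ports:
            alerts.add(("port_sweep", src))
        if len(half_open[(dst, dport)]) >= half_open_limit:
            alerts.add(("syn_flood", f"{dst}:{dport}"))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, key in detect(SAMPLE_PACKETS):
        print(f"{kind}: {key}")
```

Lowering the thresholds trades missed detections for false alarms, which is the same tuning decision a real sensor forces on its administrator.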

IDS Deployment Considerations

The Cisco IDS solution is an integral component of the end-to-end security implementation for an SMB, and, as such, its deployment considerations both overlap with and differ somewhat from those of VPNs or firewalls.

The overlaps are in the following areas, which universally apply to any security solution:

  • Management and configuration

  • Performance

  • Reliability

  • Resilience

  • Scalability

However, given the nature of IDS, there are also some key differences in the deployment considerations. For example, the failure of a VPN or a firewall can result in an immediate disruption to the network. Failure of a dedicated IDS sensor might not have such an immediate impact, but a prolonged absence of IDS from a security implementation might result in far more damaging activities going undetected than the effects of a temporary firewall or VPN failure. Thus, even the value proposition of an IDS solution is somewhat different.

Consider the following IDS solution design considerations:

  • Understanding the value of an IDS solution

  • Understanding network traffic patterns

  • Placing an IDS within the network

  • Keeping an IDS solution current

Understanding the Value of an IDS Solution

Using an imperfect analogy, an IDS is an intelligence-gathering solution that leads to more effective network security. Consider the range of threats, as outlined in the previous section, that an IDS can detect.

But unlike firewalls or VPNs, IDSes are still making their way into the mainstream vernacular, even in IT departments, perhaps because the absence of an IDS from a security implementation does not seem to trigger a sense of immediate danger in the minds of network administrators or SMB executives. However, the absence of immediate danger is not the equivalent of long-term security, which is what an IDS can facilitate. An IDS solution designer needs to articulate the value proposition so that an SMB can make an informed decision about whether or not it is worthwhile to pay to obtain knowledge of how the network is being utilized and what threats against it are being mitigated.

As with any deployment, an SMB must have a clear sense of value that an IDS delivers if the deployment is to be successful. Because of the growing number and the increasing level of sophistication of attacks against computer networks, the IDS-related budget discussion might boil down to whether or not to deploy a dedicated system or to use a focused subset of IDS capabilities within an integrated security appliance.

Understanding Network Traffic Patterns

Cisco IDS solutions use multiple detection methods to identify and to analyze potential threats. Similar to stateful firewalling, an IDS uses stateful pattern recognition while keeping track of the state of communications across the network. Traffic and protocol anomaly detection, along with extensive protocol monitoring, are also used.

An IDS is capable of monitoring and analyzing all of the major protocols from the TCP/IP suite, including application layer services like FTP for file transfers, SMTP for e-mail, Domain Name System (DNS) for domain resolution, Telnet for terminal access across the network, HTTP for web access, and more. Moreover, an IDS can monitor and analyze the transport layer protocols like UDP and TCP, and the lower-layer protocols like ICMP and IP, for any unusual patterns or malformations.

But malicious exploitation of TCP/IP weaknesses of the incoming traffic is not the only potential threat to an SMB. As discussed in Chapter 4, internal security breaches can be as damaging, if not more so, than external ones. Internal and outgoing traffic patterns are consequently of equal significance to the incoming traffic. Every SMB is going to have certain internal operational resources—for example, accounting, customer relationship management (CRM), or human resources (HR)—that are normally available only to authorized employees.

An IDS solution, whether it is dedicated or on a router or a supported switch, can be configured to detect unauthorized attempts to access confidential information, whether by guests, curious employees, or perhaps even corporate spies.

Placing an IDS Within the Network

The effective integration of IDS-capable devices into the network topology is critical if an SMB expects to take full advantage of IDS capabilities. In shared media networks (remember coax and hubs?), monitoring network traffic was easier because all of the traffic passed by every device attached to the shared media. In switched internetworks, the collision domains have shrunk so that they are now effectively single devices plugged into switched ports. But a switch port can be mirrored to allow traffic from a network segment or a virtual local-area network (VLAN) to be observed by an IDS sensor.

It is a common strategy to deploy an IDS on the outside network to see what is hitting against it. But to have a perspective of what is pressing against the network from the outside versus what is happening behind the firewall (and what the firewall is filtering), an IDS should also be deployed on the inside. Because some IDSes have only two interfaces—one for command and control, and one for sensing the network—it is important to decide which network segments are going to be monitored because it might require multiple units. However, Cisco also offers an IDS solution with multiple sensors in a single box.

Keeping an IDS Solution Current

The number of different signatures that a dedicated Cisco IDS can detect is around 900. This number is likely to grow because of the misdirected creativity of many individuals, who have taken upon themselves the task of trying to compromise other people's networks, either for thrill or for profit. Updates to IDS signatures might not be as frequent as those to virus scanners, but an IDS solution should include a subscription service to leverage the investment in IDS hardware and to stay as current as possible against emerging threats.

In addition to staying current with IDS signatures, it is important to keep up with any operating system upgrades, especially if a security flaw has been discovered in an OS. Keeping the OS up to date applies universally to all security and network products as well as to host operating systems.

Cisco IDS Product Lines

The Cisco IDS product lines, which span equipment categories and scale in the degree of detection and protection that they offer, include the following:

  • Dedicated IDS sensors

  • Integrated security appliances with IDS

  • Modular units

4200 Series Dedicated IDS Sensors

The 4200 series dedicated IDS sensors scale from the 4210 to the 4250-XL models, with scanning performance ranging from 45 Mbps to 1 Gbps, respectively.

The 4215 model is particularly noteworthy because it supports multiple NICs and is capable of monitoring up to five network segments. This model is a major improvement when compared to a dedicated IDS sensor that typically comes with one network (sensor) interface and one command and control interface.

You should always verify the up-to-date operating system requirements for any unit that provides a premium capability (for example, multi-NIC support) or that accepts a specific IDS module, as in the modular IDS approach that is discussed later in this chapter.

All of the 4200 series models can be managed via the Management Center for IDS Sensors, which is a component of the integrated management platform VMS. They can also be managed and configured from CLI or via a web-based device manager. They all implement a comprehensive database of attack signatures and IDS antievasion techniques, allow for user-defined signatures, and facilitate automatic signature updates.

Integrated Security Appliances with IDS

Most of the Cisco devices that fall into the category of integrated security appliances support a degree of IDS detection and mitigation. These devices include the entire line of Cisco PIX firewalls as well as select models of the 1700 series routers, with the appropriate software feature pack.

The PIX IDS support is a focused subset of the dedicated IDS solution. It represents signatures of the most common information-gathering scans and the DoS attacks with the greatest potential for severe network disruption.

At the time of this writing, the number of IDS signatures supported on the PIX ranges from 60 to 70, as compared to about 900 for a dedicated solution. However, the value of an integrated security appliance, even with a small subset of total IDS signatures, should not be underestimated.

PIX can be configured to take action when it detects packets that meet an IDS signature. Malicious packets can be dropped, an offending TCP connection can be reset, or a network administrator can be notified about the suspect traffic. Figure 5-5 displays a configuration screen for enabling and disabling IDS signatures on a PIX 515.

Figure 5-5. Configuration Screen for IDS Signatures on a PIX


Modular IDS Solutions

In certain deployment scenarios, the use of a modular IDS solution might be more appropriate than using a dedicated or an integrated security appliance. You might be steered toward a modular approach because of performance requirements or the desire to leverage the existing equipment or space. Modular IDS can be deployed on routers or in integrated routing and switching environments.

Specifically, the IDS Network Module is designed for the 2600, 3600, and 3700 series platforms. It offers performance ranging from 10 Mbps on the 2600XM up to 45 Mbps on the 3700 series. Given the VPN, firewall, and multiservice capability of these router platforms, the addition of the IDS Network Module turns them into a midrange, fully integrated modular security appliance that can satisfy the routing and security needs of many SMBs. Of course, the performance also has to be adequate when all of the security and multiservice features are combined and activated in a single platform.

For the 6500 Catalyst switches, Cisco offers the Intrusion Detection System Service Module (IDSM-2). The IDSM-2 sports up to 600-Mbps IDS inspection performance and allows for the monitoring of the switched traffic across the Catalyst through the use of the Switch Port Analyzer (SPAN) feature. In SMB environments where a Catalyst 6500 series switch is already deployed, the IDSM-2 leverages that deployment and, given its performance characteristics, becomes a natural choice for an IDS solution.
