Intrusion Detection with Cisco IOS

The Cisco IOS Firewall IDS acts as an inline intrusion detection sensor, watching packets and communication sessions as they flow through the router and scanning each packet to see whether it matches any of the IDS signatures.

Cisco developed the Cisco IOS Software-based intrusion detection capabilities in the Cisco IOS Firewall Feature Set (FFS) with flexibility in mind, so that individual attack signatures can be disabled in case of false positives. Also, although it is preferable to enable both the firewall and the intrusion detection features of the FFS's CBAC security engine to support a network security policy, each feature can be enabled independently and on different router interfaces.

The Cisco IOS Firewall Feature Set includes intrusion detection technology in addition to basic firewall functionality. The Cisco IOS FFS acts as a limited inline intrusion detection sensor, watching packets and sessions as they flow through the router. (This is the inline aspect of its operation: it scans each packet to determine whether the contents match any of the IDS signatures it knows about.) When the router detects suspicious activity, that is, when it decides that a packet contains an attack signature, it responds according to its configuration before network security can be compromised, and it logs the activity by using syslog or by communicating directly with a server running the Cisco Secure IDS Director software.


Note

System Message Logging (syslog) provides a means for the system and its running processes to report various types of system state information. There are three classes of system state data: error, informational, and debug. Cisco IOS Software provides an extensive system message and error reporting facility. IOS uses more than 500 service identifiers known as facilities to categorize system state data for error and event message reporting. System logging data is an important resource in diagnosing problems in general and, when issued by the firewall feature set, it enables the reporting of events.


Cisco routers running IDS functionality all carry a set of attack signatures; these signatures are the reference against which the IDS compares packets to determine whether an attack is in progress. It is critical that these signatures be as accurate and up to date as possible. Starting with Cisco IOS 12.4(11)T, signatures are separated from the IOS image (in those releases the feature is called Cisco IOS IPS rather than IDS). This means the signatures and the IOS can be upgraded independently of each other, and the signatures on the router are the same as those on the Cisco IDS appliance. These are substantial improvements, and upgrading is recommended if you run an older IOS release in which the signatures were bundled with the IOS image.

In practice, this means that the engineers responsible for your network’s security must ensure that the attack signatures are always as current as possible. We recommend that regular updates be applied to any IDS or security device.

The network administrator can configure the IDS-enabled router to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to take one, two, or all the following actions:

• Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management interface).

• Drop the offending packet.

• Reset the TCP connection.

Security best practice recommends that you use the drop and reset actions together. In practice, this means that when the FFS IDS receives a packet that matches an attack signature, the packet is dropped, preventing it from reaching the targeted device in your network. Because attacks usually span multiple packets, dropping a single packet is not enough to protect your network. The FFS IDS therefore also sends a TCP reset (RST) to both ends of the session, causing the connection to be torn down. This combined response is effective because both the specific packet and the communication session are eliminated. Note that reset applies only to TCP sessions; UDP and ICMP traffic has no connection to reset, so for those protocols drop (together with an ACL on the router or firewall) is the only blocking response.

When to Use the FFS IDS

Cisco IOS Firewall IDS capabilities are ideal for providing additional visibility at intranet, extranet, and branch-office Internet perimeters. Networks of any size and complexity gain more robust protection against attacks and can respond automatically to threats from internal or external hosts.

The Cisco IOS Firewall with intrusion detection is intended to satisfy the security goals of all customers and is particularly appropriate for the following scenarios:

• Enterprise customers who are interested in a cost-effective method of extending their perimeter security across all network boundaries—specifically branch-office, intranet, and extranet network perimeters

• Small and medium-sized businesses looking for a cost-effective router that has an integrated firewall with intrusion-detection capabilities

• Service provider customers who want to offer managed services, providing their customers with firewalling and intrusion detection from the same router that already provides their connectivity

FFS IDS Operational Overview

By now, it should be apparent that understanding packets is important in networking. This is a realization that comes slowly for some people; however, after you accept this truth, networking becomes much easier to understand. Everything is a packet, and every network device is designed to do something with a packet: forward it to its destination, inspect it, or alter it in some way to accomplish a goal. Many hackers have figured this out, and they use the knowledge to serve the dark side. That is melodramatic but truthful, because it is no fun rebuilding a server at 3:00 a.m. because it has been compromised, or dealing with a rampant virus, botnet, or attack that brings a network to its knees. This book is not designed to make you an expert on packets, but it introduces many of the fundamental truths of network security that provide a solid understanding of how the real world functions. If you need to learn more, you can build on this beginning. That being said, you do not need to live at the packet level; simply knowing that it is there and how it functions is the basis for everything in networking.


Note

Perhaps the person I respect the most who educates people about living at the packet level is Laura Chappell. Visit her website and her many online resources at www.packet-level.com/.


Living at the packet level is an excellent mindset for troubleshooting, especially if you can "be the packet" and follow its course. From an IDS perspective, packets are the meat and potatoes of everything it looks at. As noted earlier, Cisco built the IOS Firewall intrusion detection capabilities so that individual signatures can be disabled in case of false positives, and so that the CBAC security engine's firewall and intrusion detection features, although best used together, can be enabled independently and on different router interfaces.

The Cisco IOS Intrusion Detection System (IDS) acts as an inline intrusion detection sensor, watching packets as they traverse the router’s interfaces and acting upon them in a definable fashion.

The Cisco IOS IDS identifies the most common attacks by matching network traffic against attack signatures, which describe patterns of misuse. The Cisco IOS Firewall feature set's intrusion detection signatures were chosen from a broad cross-section of intrusion detection signatures. They represent severe breaches of security, the most common network attacks, and information-gathering scans.

In Cisco IOS IDS, signatures are categorized into four types:

Info atomic: Detects simple patterns that a single packet is enough to match, such as an attempt to access a specific port on a specific host.

Info compound: Detects complex patterns that require state across several packets, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time. In general, both kinds of informational signatures detect attackers' information-gathering activities.

Attack atomic: Detects single-packet patterns in which an attacker attempts to compromise a single host.

Attack compound: Detects complex attack activities spread across multiple packets or hosts over an arbitrary period of time.

The signatures were selected because the patterns they describe, serious attacks and information-gathering scans, are not normally seen in an operational network, so a match is worth acting on.

The following describes the packet auditing process with Cisco IOS IDS:

1. You create an audit rule, which names the class of signatures (informational or attack) to apply to packet traffic and the actions to take when a match is found. An audit rule can be as flexible and specific as needed to meet the goals of your security policy. Some signatures also take tuning parameters. For example, if you suspect or want to prevent mass mailing, the SMTP spam signature can be set to fire when a single message carries more than 100 recipients (the default threshold is 250). The following creates an audit rule named, for this example, MAIL-AUDIT that alarms on informational signatures, alarms on, drops, and resets attack signatures, and lowers the spam threshold:

ip audit smtp spam 100
ip audit name MAIL-AUDIT info action alarm
ip audit name MAIL-AUDIT attack action alarm drop reset

2. You apply the audit rule to an interface on the router, specifying a traffic direction (in or out). The following example, entered in interface configuration mode, audits all inbound traffic on that interface:

ip audit MAIL-AUDIT in

3. If the audit rule is applied in the in direction on the interface, packets passing through the interface are audited before the inbound ACL has a chance to discard them. This enables an administrator to be alerted if an attack or information-gathering activity is under way, even if the router would normally reject the traffic. It is considered best practice to apply audit rules in the in direction so that attacks the ACL would silently discard are still audited and logged.

4. If the audit rule is applied to the out direction on the interface, packets are audited after they enter the router through another interface. In this case, the inbound ACL of the other interface might discard packets before they are audited. This could result in the loss of IDS alarms, even though the attack or information-gathering activity was thwarted.

5. Packets going through the interface that match the audit rule are audited by a series of modules, starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the application level.

6. If a signature match is found in a module, the following user-configured actions occur:

• If the action is alarm, the module completes its audit, sends an alarm, and passes the packet to the next module.

• If the action is drop, the packet is dropped from the module, discarded, and not sent to the next module.

• If the action is reset, the packets are forwarded to the next module, and packets with the reset flag set are sent to both participants of the session, if the session is TCP.

If there are multiple signature matches in a module, only the first match fires an action. Additional matches in other modules fire additional alarms, but only one per module. The IDS can reset only TCP connections, because TCP is connection-oriented and defines the RST flag: the IDS can send an RST into the attacker's TCP session and tear down that application session. UDP is connectionless, so there is no session to reset, which is why blocking UDP-based attacks requires ACLs on a blocking device such as a router or PIX Firewall.
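The whole procedure as one configuration, covering the audit rule and its interface placement from the steps above, the alarm, drop, and reset actions described earlier, and the per-signature ACL exclusion whose performance cost is mentioned under the limitations that follow. This is an added example, not a listing from the original chapter. The syslog host, the inside addresses, the ACL numbers, the rule name EDGE-AUDIT, the interface name, and the choice of signature IDs are assumptions; confirm the signature IDs against the Cisco IOS IDS signature list for your release.

```cisco
! Added example, not from the original chapter. Assumed: syslog host 10.1.1.100,
! inside network 10.1.1.0/24, mail server 10.1.1.25, Internet-facing Serial0/0,
! signature IDs 1000 and 2004 taken from the Cisco IOS IDS signature list.

! Where alarms go: syslog (ip audit notify nr-director would send them to a
! Cisco Secure IDS Director instead of, or as well as, syslog).
logging host 10.1.1.100
logging trap informational
ip audit notify log
! Alarms are queued before delivery; raise the queue (default 100) if alarms
! are being lost under load.
ip audit po max-events 200

! Signature tuning. The SMTP spam signature fires when one message carries
! more than this many recipients (default 250).
ip audit smtp spam 100
! A signature that produces false positives can be disabled globally ...
ip audit signature 1000 disable
! ... or exempted only for known-good sources. Hosts denied by the standard
! ACL are excluded from the signature; the ACL is evaluated for every packet
! the signature examines, which is the cost of signatures that use ACLs.
access-list 90 deny   host 10.1.1.50
access-list 90 permit any
ip audit signature 2004 list 90

! Audit rules: the response when an informational or attack signature matches.
! reset only affects TCP sessions; for UDP and ICMP, drop is the only block.
ip audit name EDGE-AUDIT info action alarm
ip audit name EDGE-AUDIT attack action alarm drop reset

! Apply the rule inbound on the Internet-facing interface so packets are
! audited before the inbound ACL (101) discards them; applying it outbound on
! the inside interface would lose alarms for traffic ACL 101 already dropped.
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip audit EDGE-AUDIT in
!
access-list 101 permit tcp any host 10.1.1.25 eq smtp
access-list 101 deny   ip any any log

! Verification:
!   show ip audit configuration   rules, actions, spam threshold, disabled signatures
!   show ip audit interfaces      which rule is applied where, and in which direction
!   show ip audit statistics      packets audited and signatures fired, per module
```

After applying this, generate some test traffic and watch the syslog host: alarms from the router arrive in the %IDS facility, and show ip audit statistics should show the audited packet counts climbing on Serial0/0. If the statistics stay at zero, the rule is most likely applied in the wrong direction or on the wrong interface.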

FFS Limitations

CBAC enhances the effectiveness of IOS routers as security devices. Used with the other available security enhancements, IOS routers can do more than forward packets, which increases their return on investment and lets administrators implement more secure networks cost-effectively. Of course, there is no perfect security device. Following are some operational issues and limitations of CBAC and its IDS of which administrators should be aware:

• Intrusion detection's performance impact depends on the configuration of the signatures, the level of traffic on the router, the router platform, and the other features enabled on the router, such as encryption and routing. Enabling or disabling individual signatures does not significantly alter performance; however, signatures configured with an ACL have a significant performance impact, because the ACL must be evaluated for every packet the signature examines, and the more you ask the router to do with a packet, the greater the effect on performance.

• For auditing atomic signatures, there is no traffic-dependent memory requirement. For auditing compound signatures, CBAC allocates memory to maintain state for each session, because compound signatures by definition track activity across multiple packets or hosts. Memory is also allocated for the configuration database and for internal caching.

• CBAC inspection is not performed on packets with the source or destination address of the firewall interfaces. This impacts the router’s operation two different ways:

• vty (that is, Telnet) sessions between administrators and the firewall are not inspected.

• Authentication, authorization, and accounting (AAA) traffic such as TACACS+ and RADIUS is not inspected, because it, too, is addressed to the router's own interface.

• Encrypted packet payloads, such as those used in VPNs, are not inspected unless the router is the encrypted link endpoint.

In general, having these more advanced functions available does increase the security of your router and network. However, enabling them does not by itself make the router a secure device; the best practices for hardening the router still apply. The following section discusses that aspect, because, given the cost and effort needed to maintain the FFS, you are likely to deploy it only at the edge of your network, so protecting the inside devices is covered next.
