Cisco Security Professional's Guide to Secure Intrusion Detection Systems, part 8 (docx)

450 Chapter 10 • Cisco Enterprise IDS Management

Adding Sensors to a Sensor Group

A sensor can be added to any group, including the Global group. To add a sensor to the Global group or a subgroup, use the following procedure:

1. From the Management Center for IDS Sensors page (Figure 10.9), select the Devices tab, then choose Sensors.

2. The Sensor page will appear, as shown in Figure 10.14. Click the Add button.

3. The Select Group page will appear, as shown in Figure 10.15. Select the Group to add the sensor to and click Next.

www.syngress.com
Figure 10.13 The Sensor Group Page with the New Subgroup
Figure 10.14 The Sensor Page
267_cssp_ids_10.qxd 9/30/03 6:05 PM Page 450

4. The Enter Sensor Information page appears, as shown in Figure 10.16. Enter the IP Address of the sensor, the NAT Address of the sensor if one exists, and the Sensor Name. To retrieve sensor settings directly from the sensor, select the Discover Settings check box. Enter the User ID and Password for Secure Shell (SSH) communications. For sensor appliances and IDS modules, the default user ID is cisco. The default password for the account is cisco. It is also possible to authenticate to the IDS sensor using an SSH public/private key pair. To use existing SSH keys, check the Use Existing SSH keys check box. However, do not select this option if the sensor is to be used as a master blocking sensor. Once the information has been entered, click Next to move on to the final step.

Figure 10.15 The Select Sensor Group Page
Figure 10.16 The Enter Sensor Information Page

5. The Sensor Information page appears, as shown in Figures 10.17 and 10.18. From the Version pull-down menu, select the sensor software version installed on the sensor. Enter a text Comment.

For sensors running the IDS sensor software version 3.x, additional information needs to be entered. This information includes the sensor Host ID, which is typically the last octet of the sensor's IP address. Enter the Org Name using only lowercase letters. Enter the Org ID; the default is 100. Within a Postoffice domain, with no sensor or sensor group, the Org ID/Host ID pair must be unique. For sensor software version 4.x and later, only a text comment needs to be entered in the Comment field. Click Finish.

Figure 10.17 The Sensor Information Page for Sensor OS Version 3.x
Figure 10.18 The Sensor Information Page for Sensor OS Version 4.x

6. The Sensor page reappears, updated with an entry for the new sensor you have added, as shown in Figure 10.19.

Deleting Sensors from a Sensor Group

A sensor can be deleted from any group, including the Global group. Use the following steps to delete a sensor from a subgroup:

1. From the Management Center for IDS Sensors page (Figure 10.9), select the Devices tab and choose Sensors.

2. The Sensor page appears, as shown in Figure 10.20. Check the box in front of the entry for the sensor to delete. In this case, the sensor to be deleted is called thorin. Click the Delete button.

Figure 10.19 The Updated Sensor Page
Figure 10.20 The Sensor Page

3. The Sensor tree page appears, as shown in Figure 10.21. Note that the sensor named thorin has been removed from the tree.

Deleting Sensor Subgroups

As with sensors, sensor subgroups can be deleted from any group, including the Global group. Use the following steps to delete a sensor subgroup:

1. From the Management Center for IDS Sensors page (Figure 10.9), select the Devices tab, and choose Sensor Group.

2. The Sensor Group page appears, as shown in Figure 10.22. In the tree, select the subgroup to delete and click the Delete button.

Figure 10.21 The Sensor Tree Page
Figure 10.22 The Select Sensor Group Page

Configuring Signatures and Alarms

Network intrusions are scans, attacks upon, or misuses of the network resources. To detect network intrusion, the Cisco IDS sensors use a signature-based technology. Every network attack has an order or a pattern to the bytes in the traffic stream between the attacking system and the target. These bytes represent a “fingerprint” or “signature” of the attack. By comparing the pattern of bytes in a given traffic stream between two hosts against a database containing various known signatures for network attacks, the IDS is able to determine when an attack has occurred. Each signature specifies the type of attack the sensor detects and reports. As a sensor scans the network packets, the rules allow it to detect patterns that match a known attack.

The IDS MC allows the operator to specify which signatures should be enabled. Additionally, the response action the IDS sensor initiates, whether it is simply raising an alarm on the Security Monitor console or initiating a TCP RST, is also determined by what is specified in the signature. Tuning IDS signatures is one of the more important features of the IDS MC. Improperly tuned IDS sensors account for the great majority of false positive alarms (alarms raised by the IDS in response to benign network traffic) and result in potential mistrust of the IDS system by security personnel.

Configuring Signatures

Signatures are divided into six groups:

1. General (embedded)
2. TCP connection
3. UDP connection
4. String-Matching
5. Access Control List (ACL)
6. Custom

To provide an example of how to configure and tune signatures, we will use a general signature for a configuration and tuning exercise.

Configuring General Signatures

General signatures are signatures that are embedded in the sensor software itself. IDS end users cannot add or delete general signatures, but the end user can enable or disable them and configure the response to attacks that fit the general signatures. The following steps can be used to configure a general signature:

1. From the Management Center for IDS Sensors page, select Configuration | Settings.

2. A Table of Contents page appears. Select the Object Selector handle.

3. In the Object Selector, select the sensor containing the general signature to configure. The Object Selector will close and redisplay the Table of Contents.

4. In the Table of Contents, select Signatures | General. The General Signatures page will appear, as shown in Figure 10.23.

5. Click the link for the signature group to be modified. This displays the Signature(s) in Group page, listing all of the signatures within the selected group, as shown in Figure 10.24.

Figure 10.23 The General Signatures Page
Figure 10.24 The Signature(s) in Group Page

6. Select the signature to configure by checking the corresponding box and clicking Edit.

7. The Edit Signature(s) window appears (as shown in Figure 10.25) and shows the name of the signature to configure. To enable or disable the signature, check or uncheck the Enable box.

Configuring Alarms

The severity of an alarm, as well as the actions to be taken when an event matches a signature, can be specified by editing the signature.

1. To change the severity of an attack that matches this signature, select a Severity from the pull-down menu:

■ Info Indicates an event that results from normal activity.
■ Low Indicates an attack that is mild in severity. The Security Monitor Event Viewer will display this type of attack with a green icon.
■ Medium Indicates an attack that is moderately severe. The Security Monitor Event Viewer will display this type of attack with a yellow icon.
■ High Indicates an attack that is highly severe. The Security Monitor Event Viewer will display this type of attack with a red icon.

2. Note the options to the right of the Actions label. Depending on the signature, you may specify one or more of the following actions to be taken when a signature matches an event:

Figure 10.25 The Edit Signature(s) Page

■ Log Stands for IP Log, and generates an IP session log with information about the attack.
■ Reset Stands for TCP Reset, and resets the TCP session in which the attack signature was detected.
■ Block Causes the sensor to issue a command to a PIX firewall or Cisco router. That firewall or router will block packets from the attacking host or network and keep them from entering the protected network.

Tuning General Signatures

Signatures are tuned to minimize false alarms or “false positives.” False positives are alarm indicators of an attack where only benign or standard activity is present. A false positive may result from normal network activity in which a network management station polls or scans network devices to ascertain their status. This polling activity is similar to the scanning employed by hackers against a targeted network. Additionally, a false positive may occur when an attacker attempts to use an exploit against a host whose software is not vulnerable to that exploit (for example, using a Microsoft IIS exploit against an Apache Web server).

To tune a signature, return to the General Signatures page shown in Figure 10.23. For the signature to be tuned, select the signature link in the Engine column of the table. This brings up the Tune Signature page, as shown in Figure 10.26.

Figure 10.26 The Tune Signature Page

There are three columns in the Tune Signature Parameters table: Parameter Name, Value, and Default. Each parameter can be modified to an appropriate, desired value. Use the following procedure to tune a given parameter:

1. Select the radio button for the parameter to be tuned in the Parameter Name column, then select Edit, as shown in Figure 10.27.

2. Enter a value for the parameter in the Value field, as shown in Figure 10.28.

3. Enter an optional description for the signature parameter in the Description field.

Figure 10.27 The Tune Signature Parameters Page
Figure 10.28 The Signature Parameter Page
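The following Python model is an added illustration, not code from the book or from Cisco: it mirrors the Enable box, Severity pull-down, Actions and the Value/Default parameter table described above, and shows how tuning two parameters removes the management-station false positive while the real port sweep still alarms. The signature name, the parameter names (UniquePorts, ExcludedHosts) and the traffic are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SEVERITIES = ("Info", "Low", "Medium", "High")   # the four levels in the Severity pull-down
ACTIONS = {"Log", "Reset", "Block"}              # the three response actions

@dataclass
class Signature:
    """One tunable signature: Enable box, Severity, Actions and a Value/Default parameter table."""
    name: str
    enabled: bool = True
    severity: str = "Medium"
    actions: set = field(default_factory=lambda: {"Log"})
    # Parameter names are constructed for this example, not Cisco's real engine parameters.
    defaults: dict = field(default_factory=lambda: {"UniquePorts": 5, "ExcludedHosts": ()})
    values: dict = field(default_factory=dict)   # operator-tuned Values; Default applies otherwise

    def param(self, key):
        return self.values.get(key, self.defaults[key])

    def tune(self, key, value):
        if key not in self.defaults:
            raise KeyError(key)
        self.values[key] = value

def evaluate(sig, events):
    """Alarm once when a source touches UniquePorts distinct ports on one destination."""
    if not sig.enabled:
        return []
    seen, alarms = defaultdict(set), []
    for src, dst, port in events:
        if src in sig.param("ExcludedHosts"):
            continue
        seen[(src, dst)].add(port)
        if len(seen[(src, dst)]) == sig.param("UniquePorts"):   # fires exactly once per pair
            alarms.append({"sig": sig.name, "src": src, "dst": dst,
                           "severity": sig.severity, "actions": sorted(sig.actions)})
    return alarms

# Constructed traffic: 10.0.0.5 is a management station polling 5 service ports; 172.16.9.9 walks 20 ports.
EVENTS = [("10.0.0.5", "10.0.1.10", p) for p in (22, 80, 161, 443, 8080)] + \
         [("172.16.9.9", "10.0.1.10", p) for p in range(20, 40)]

def demo():
    sig = Signature("Port Sweep (illustrative)", severity="Medium", actions={"Log", "Reset"})
    before = evaluate(sig, EVENTS)            # default of 5 ports: both sources alarm
    sig.tune("ExcludedHosts", ("10.0.0.5",))  # tune: the poller is known-benign
    sig.tune("UniquePorts", 10)               # tune: raise the threshold above normal polling
    return before, evaluate(sig, EVENTS)      # after tuning only the real sweep alarms
```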

Posted: 13/08/2014, 15:20
