Cisco Enterprise IDS Management

Introduction

Successful attacks against enterprise networks typically require a substantial effort on the part of the attacker. Many large networks learn that they have been compromised only after someone notices a discrepancy in activity, or in the log files of the traffic traversing the network. Once the compromise is known, the network staff may be able to backtrack through those logs and identify all of the activity that led up to it…or they may not. Attacks typically are characterized by three phases of activity:

  • Reconnaissance

  • Probing

  • Exploitation

Reconnaissance involves identifying network address ranges and telephone numbers, performing DNS lookups (both forward and reverse), and running whois searches to identify potential user names and accounts to try on the target systems. Probing involves ping sweeps to identify live hosts as well as port scans to identify the services active on those hosts. Finally, exploitation of a vulnerability (whether a buffer overflow in a running service or access gained through poor password selection) is the culmination of the attack: the point at which the attacker gains access to the target network.

The probing and exploitation phases require the attacker to send traffic to the target: active tools that enumerate available services and probe potential exploit targets. It is this activity that intrusion detection systems (IDSs) are designed to identify. By monitoring traffic on the network and inspecting and analyzing packets, the IDS can determine whether a network is under attack. If the IDS identifies an attack, it can issue alerts to network and security operations personnel so they can respond appropriately to protect vital corporate assets. Additionally, many modern IDSs can execute response measures of their own accord, such as terminating the attacker's connection. Automated responses should be enabled with care: the sensor acts on whatever source address a packet carries, so an attacker who spoofs the address of a legitimate host can turn an automatic block or reset into a denial of service against that host.
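The probing phase described above is what the simplest IDS logic catches: one source touching many hosts (ping sweep) or many ports on one host (port scan) inside a short time window. The following is an added example, not code from the page or from any Cisco product. It runs threshold-based sweep and scan detection over a handful of constructed flow records; the flow format, the thresholds, and the sample traffic are all assumptions made for illustration, and the thresholds are exactly the kind of per-network values the signature tuning discussed later exists to adjust.

```python
"""Threshold-based ping-sweep and port-scan detection over constructed flows.

Added example, not code from the page or from Cisco.  Flags the probing phase:
one source reaching many hosts with ICMP echo (sweep) or many TCP/UDP ports on
a single host (scan) within a sliding time window.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture (assumed flow format)
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # "icmp", "tcp" or "udp"
    dport: int     # destination port; 0 for ICMP


# Constructed sample traffic (not captured from any real network):
#  - 10.0.0.99 pings 24 hosts in 2.3 s, then probes 15 ports on 10.0.1.7
#  - 10.0.0.5 is ordinary traffic: a few DNS and HTTP flows to two servers
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 3389, 8080]
SAMPLE_FLOWS = (
    [Flow(t * 0.1, "10.0.0.99", f"10.0.1.{h}", "icmp", 0)
     for t, h in enumerate(range(1, 25))]
    + [Flow(5.0 + i * 0.05, "10.0.0.99", "10.0.1.7", "tcp", p)
       for i, p in enumerate(SCAN_PORTS)]
    + [Flow(1.0, "10.0.0.5", "10.0.1.53", "udp", 53),
       Flow(1.2, "10.0.0.5", "10.0.1.80", "tcp", 80),
       Flow(2.5, "10.0.0.5", "10.0.1.80", "tcp", 443),
       Flow(30.0, "10.0.0.5", "10.0.1.53", "udp", 53)]
)


def max_distinct_in_window(events, window):
    """events: iterable of (ts, key).  Returns the largest number of distinct
    keys that appear within any span of `window` seconds (two-pointer sweep)."""
    events = sorted(events)
    counts = defaultdict(int)
    best = left = 0
    for ts, key in events:
        counts[key] += 1
        while ts - events[left][0] > window:       # drop events that fell out
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_probing(flows, window=10.0, sweep_hosts=10, scan_ports=10):
    """Return alert dicts: one per source that pings >= sweep_hosts distinct
    hosts, or touches >= scan_ports distinct TCP/UDP ports on one host, inside
    `window` seconds.  Thresholds are illustrative, not Cisco defaults."""
    icmp_by_src = defaultdict(list)       # src -> [(ts, dst)]
    ports_by_pair = defaultdict(list)     # (src, dst) -> [(ts, dport)]
    for f in flows:
        if f.proto == "icmp":
            icmp_by_src[f.src].append((f.ts, f.dst))
        else:
            ports_by_pair[(f.src, f.dst)].append((f.ts, f.dport))

    alerts = []
    for src, ev in icmp_by_src.items():
        n = max_distinct_in_window(ev, window)
        if n >= sweep_hosts:
            alerts.append({"type": "ping_sweep", "src": src, "hosts": n})
    for (src, dst), ev in ports_by_pair.items():
        n = max_distinct_in_window(ev, window)
        if n >= scan_ports:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "ports": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_probing(SAMPLE_FLOWS):
        print(alert)
```

Two things worth noticing. The benign host 10.0.0.5 produces no alert because the counts are of distinct hosts and ports, not of packets, so repeated traffic to the same service does not accumulate. And the same window that catches a fast sweep misses a slow one: a source that pings one new host every five seconds never has more than three distinct targets inside a ten-second window, which is why scan thresholds are tuned per network rather than set once and forgotten.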

There are significant differences between managing a small handful of IDS sensors (on the order of one, two, or three) and handling an enterprise-wide deployment. Tuning a single sensor to the traffic on a particular LAN may require one or more days simply for the initial tuning of IDS signatures. Once that has been completed, the sensor must be monitored for false positives and for any further signature tuning they reveal, which can take a week or more for a single sensor. When new signature packs containing additional attack signatures are released, they must be deployed and tuned as well. Once the number of sensors grows beyond a small handful, the administrative effort of configuring, monitoring, and updating them becomes a significant burden. A tool that manages all sensors through a single interface reduces that burden dramatically, and this is where CiscoWorks2000 and, in particular, the IDS Management Center (IDS MC) provide the greatest benefit. The Cisco Intrusion Detection System Management Center is designed to provide the scalable, centralized sensor management required to protect large enterprise networks.