Cisco IDS Management

Cisco IDS Management

Introduction

There is so much more to intrusion detection than just putting a sensor out on a network and then never addressing it again. Someone has to take the time and manage the sensors. It would not be very efficient to have to go to each of the sensors on a network and look at them on an individual basis. What if you saw something suspicious? Then you would have to go to the others and try and correlate the events. That is not the most efficient way to manage a group of security sensors. Luckily, we have a central management solution to help us manage our Cisco IDS sensors.

There are several items that need to be addressed when managing the IDS sensors on the network:

  • How secure is the network going to be? Are we looking at everything or looking for specific events driven by our security policy?

  • How many people will have access to the management console and who can modify the configuration?

  • How much logging is going to take place? Do we log everything or only the events we care about?

  • How often do we generate reports?

  • Will alarms be sent to e-mail/pagers?

  • Do I shun or carry out TCP resets?

Start Sidebar
Designing & Planning: Shunning and Resets

Shunning is the process of blocking traffic from a certain host or network. To most, this sounds like a great idea, but if you have a Web presence for the purpose of e-commerce or marketing, you may be denying customers or potential ones the ability to do business with your organization. Shunning should be done with extreme caution, or not at all. Make sure you get the okay from management and explain the situation carefully to them before shutting someone out.

The other option is to do TCP resets. The name of "TCP reset" itself should be a clue to you that this only applies to TCP traffic. When an attack is detected, the sensors send out TCP reset messages to both the source and the destination of the attack. In order to properly use TCP resets in a switched network, a SPAN port must be configured for bidirectional traffic. The SPAN configuration must support bidirectional traffic and on the SPAN port, MAC learning must be disabled.

End Sidebar

This only scratches the surface of planning your management solution. Depending on your business needs, you may find some solutions suit your business better than others. No matter what the solution though, IDS management is a full-time job with or without the central management solution. The central management solution just makes it much easier. You will find yourself constantly tuning signatures to reduce the amount of traffic that is generated. Be warned that the initial traffic can seem overwhelming, but in the end it's manageable. In fact, having any of these management solutions in place makes life easy, letting you implement one change at one location that affects all the sensors simultaneously.

In this chapter, we cover all the IDS management applications in depth. Cisco has three different methods: Cisco Secure Policy Manager (CSPM), IDS Device Manager (IDM), and Cisco IDS Director. After covering management solutions, we take a look at the Cisco Network Security Database (NSDB). Like most management solutions, initial deployment and configuration is the toughest. So it is our intent to cover these steps thoroughly