Configuring the Sensing Parameters

Configuring the sensing parameters is an important part of putting a sensor on the network. You have to tell the sensor how to do TCP session reassembly and IP fragment reassembly, how to define internal networks, and which data sources to use. These are critical steps, and I'll explain what the benefits are as we go along.

TCP Session Reassembly

TCP reassembly causes the sensor to reassemble a TCP session's packets before they are compared against the signatures. This helps keep resources from being tied up. There are three TCP session reassembly options you can choose from: No Reassembly, Loose Reassembly, and Strict Reassembly.


Note

This only applies to version 2.5(X) software and later for the IDSM. If you do not have an IDSM, this section will not apply.

No Reassembly

Simply stated, the sensor does not reassemble TCP sessions; every packet is processed on arrival. Because packets may be processed out of order, no reassembly can generate both false positives and false negatives. It is not recommended unless your network is subject to a higher-than-normal rate of packet loss.

Loose Reassembly

A step up from not reassembling at all, loose reassembly processes all packets in sequence order. It still has a similar problem, though: false positive alarms are generated because the sensor allows gaps in the sequence when reassembling the session record.

Strict Reassembly

If you are going to do TCP session reassembly, strict reassembly is the way to go. I'd like to say there is no chance of any false positives or negatives, but you might try and hold me to it. The odds are in my favor though. Unless all of the packets are received and the session is completely reassembled, the sensor will not analyze the session.


Warning

Remember, when we talk about reassembly (whenever you have a network device do any type of reassembly of fragments, sessions, and so on…), we're talking about the overhead involved. It will consume memory and be CPU-intensive.
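To make the trade-offs above concrete, here is an added toy model (not code from the chapter or from Cisco) of the three modes scanning one hypothetical signature pattern; the sessions, the pattern and an initial sequence number of 0 are all constructed assumptions.

```python
# Added example (not from the chapter): a toy model of the three TCP session
# reassembly modes, scanning for one hypothetical signature pattern.
SIGNATURE = b"ATTACK-PATTERN"  # constructed pattern, stands in for a real signature

# Constructed sessions as (sequence number, payload) tuples, relative to an
# initial sequence number of 0 and assumed non-overlapping.
# COMPLETE: every byte arrives, but the third segment is delivered before the second.
COMPLETE = [(0, b"ATTACK"), (10, b"TERN"), (6, b"-PAT")]
# LOSSY: bytes 6..9 (say, b"/foo") are lost in transit, so the true stream was
# b"ATTACK/foo-PATTERN", which does NOT contain the signature.
LOSSY = [(0, b"ATTACK"), (10, b"-PATTERN")]


def no_reassembly(segments):
    """Each segment is compared against the signature on arrival, in isolation.
    A pattern split across two segments is never seen (false negative)."""
    return any(SIGNATURE in payload for _, payload in segments)


def loose_reassembly(segments):
    """Segments are ordered by sequence number and concatenated; a hole in the
    sequence space is simply skipped over, so bytes that were never seen can be
    glued together into a match (false positive)."""
    stream = b"".join(payload for _, payload in sorted(segments))
    return SIGNATURE in stream


def strict_reassembly(segments):
    """The session is analyzed only once every byte from the start of the stream
    is present and contiguous. Returns None when the session cannot be analyzed."""
    stream, expected = b"", 0
    for seq, payload in sorted(segments):
        if seq != expected:
            return None  # gap in the sequence space: not analyzed
        stream += payload
        expected += len(payload)
    return SIGNATURE in stream


def compare_modes(segments):
    """Run all three modes on one session for a side-by-side comparison."""
    return {
        "none": no_reassembly(segments),
        "loose": loose_reassembly(segments),
        "strict": strict_reassembly(segments),
    }


if __name__ == "__main__":
    print("complete session:", compare_modes(COMPLETE))
    print("lossy session:   ", compare_modes(LOSSY))
```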

Configuring TCP Session Reassembly

In order to configure TCP Session Reassembly, follow these steps:

  1. In CSPM, select the Sensing configuration tab of the sensor you want to configure.

  2. Select TCP Three-Way Handshake in the configuration screen. This option tracks only sessions whose three-way handshake has completed.

  3. Choose what method you will use for reassembly.

  4. Define values for TCP Open Establish Timeout and TCP Embryonic Timeout.

  5. Once you have finished configuring the Sensing parameters, click OK, then save and update your configuration.

  6. Finally, from the Command tab, click Approve Now to push the new configuration to your sensor.


    Note

    TCP Open Establish Timeout gives the number of seconds before the sensor frees the resources allocated for established TCP sessions. Ninety seconds is the default. TCP Embryonic Timeout gives the number of seconds before the sensor frees the resources allocated for half-open TCP sessions. Fifteen seconds is the default.

IP Fragment Reassembly

IP fragment reassembly is very similar to TCP session reassembly. IP reassembly causes the sensor to reassemble fragmented IP datagrams before they are compared against the signatures. This helps to keep resources from being tied up, since reconstruction does consume some resources. IP fragment reassembly has three parameters:

  • Maximum Partial Datagrams: The maximum number of partial datagrams the sensor will attempt to reconstruct at any time.

  • Maximum Fragments Per Datagram: The maximum number of fragments that are accepted for a single datagram.

  • Fragmented Datagram Timeout: The maximum number of seconds before the sensor stops trying to reassemble a datagram.

Configuring IP Fragment Reassembly

To configure IP fragment reassembly, follow these steps:

  1. Select the Sensing tab on the sensor you want to configure.

  2. Check the Reassemble Fragments check box (refer to Figure 7.22).

    Figure 7.22: The Sensing Tab

  3. Enter the settings for Maximum Partial Datagrams, Maximum Fragments Per Datagram, and Fragmented Datagram Timeout.

  4. Once you have finished configuring the Sensing parameters, click OK, then save and update your configuration.

  5. From the Command tab, click Approve Now to push the new configuration to your sensor.


    Note

    Cisco's recommended guidelines for determining the maximum partial datagrams and maximum fragments per datagram are as follows (it takes a little math here):

    • The partial datagrams multiplied by the fragments per datagram should be less than 2,000,000. This applies to all 4200 series sensors running version 2.2.1.5 or 2.5(X).

    • The partial datagrams multiplied by the fragments per datagram should be less than 5000. This applies to IDSMs running version 2.5(X).
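The following added example (my own code, not Cisco's, and not the sensor's real implementation) shows how the three parameters bound the memory a reassembler can hold, and checks a proposed setting against the sizing guideline in the Note; the fragment format and timestamps are simplified assumptions.

```python
# Added example (not Cisco's code): a toy IP fragment reassembler bounded by the
# chapter's three parameters, plus a check of the sizing guideline in the Note.
GUIDELINE_LIMIT = {"4200": 2_000_000, "IDSM": 5000}  # product limits from the Note


def within_guideline(max_partial, max_frags, platform):
    """True when max_partial * max_frags stays below the platform's limit."""
    return max_partial * max_frags < GUIDELINE_LIMIT[platform]


class FragmentReassembler:
    """Holds partial datagrams keyed by datagram id. Fragments are
    (offset, more_fragments, payload); timestamps are caller-supplied seconds."""

    def __init__(self, max_partial, max_frags, timeout):
        self.max_partial, self.max_frags, self.timeout = max_partial, max_frags, timeout
        self.partial = {}  # dgram_id -> {"first": t0, "frags": {offset: (mf, bytes)}}

    def expire(self, now):
        """Fragmented Datagram Timeout: drop datagrams still incomplete after timeout."""
        for did in [d for d, s in self.partial.items() if now - s["first"] > self.timeout]:
            del self.partial[did]

    def add(self, now, dgram_id, offset, more, payload):
        """Returns the reassembled datagram when complete, else None."""
        self.expire(now)
        state = self.partial.get(dgram_id)
        if state is None:
            if len(self.partial) >= self.max_partial:
                return None  # Maximum Partial Datagrams reached: fragment dropped
            state = self.partial[dgram_id] = {"first": now, "frags": {}}
        state["frags"][offset] = (more, payload)
        if len(state["frags"]) > self.max_frags:
            del self.partial[dgram_id]  # Maximum Fragments Per Datagram exceeded
            return None
        data, expected = b"", 0
        for off in sorted(state["frags"]):
            mf, chunk = state["frags"][off]
            if off != expected:
                return None  # hole before this fragment; keep waiting
            data += chunk
            expected += len(chunk)
            if not mf:  # last fragment reached with no holes: complete
                del self.partial[dgram_id]
                return data
        return None
```

With the table full, a fragment of a new datagram is dropped rather than growing memory, which is the point of the product limit.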

Internal Networks

What is the purpose of identifying internal networks, you ask? Well, you want to log all the alarms, right? You want the events to make sense to you, right? How much use would your logs be if every address was considered external and marked "OUT"? So, to let you differentiate between internal and external networks and hosts, Cisco gives you the ability to configure internal networks so the events are easier to understand. In this section, you will define the Internal Protected networks that the sensor is protecting. CSPM uses this list to parse the events in Event Viewer. Any address space that is not identified in this section is considered an external address and designated "OUT"; internal addresses are designated "IN" (see Figure 7.23).

Figure 7.23: Internal Networks

Adding Internal Networks

To add networks that are labeled as internal networks (IN), follow these steps:

  1. Select the sensor you want to configure. The first tab showing should be the Properties tab. If it is not, select the Properties tab.

  2. Select the Internal Networks subtab and click Add.

  3. Enter all of the networks and subnet masks you want to be identified as internal (IN) addresses for logging purposes.

  4. Once you have finished adding networks, click OK, then save and update your configuration.

  5. From the Command tab, click Approve Now to push the new configuration to your sensor.
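As an added illustration of the IN/OUT labeling described above (my own code, not CSPM's), the following takes an Internal Networks list entered as network and subnet mask pairs and tags event addresses the way Event Viewer displays them; the network entries and event addresses are constructed samples.

```python
# Added example (not from the chapter or CSPM): labeling event addresses IN/OUT
# from an Internal Networks list given as (network, subnet mask) pairs.
import ipaddress

# Constructed sample entries, as you would type them on the Internal Networks subtab.
INTERNAL_NETWORKS = [
    ("10.1.0.0", "255.255.0.0"),
    ("192.168.50.0", "255.255.255.0"),
]


def build_internal(entries):
    """Parse (network, mask) pairs. strict=True rejects an entry whose host bits are
    set (e.g. 10.1.5.0 with mask 255.255.0.0), a typo that would otherwise
    silently label a different block as IN."""
    return [ipaddress.IPv4Network(f"{net}/{mask}", strict=True) for net, mask in entries]


def label(addr, internal):
    """IN if the address falls in any configured internal network, else OUT."""
    ip = ipaddress.IPv4Address(addr)
    return "IN" if any(ip in net for net in internal) else "OUT"


def classify_event(src, dst, internal):
    """Direction string as you would read it in Event Viewer, e.g. 'OUT -> IN'."""
    return f"{label(src, internal)} -> {label(dst, internal)}"


def uncovered_hosts(addrs, internal):
    """Addresses from your own logs that would be tagged OUT: a quick way to spot
    an internal subnet you forgot to enter."""
    return [a for a in addrs if label(a, internal) == "OUT"]


if __name__ == "__main__":
    nets = build_internal(INTERNAL_NETWORKS)
    print(classify_event("203.0.113.5", "192.168.50.10", nets))  # OUT -> IN
    print(uncovered_hosts(["10.1.2.3", "10.2.0.7", "192.168.50.1"], nets))
```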

Sensing Properties

As you read in Chapter 4, the Sensing tab allows you to configure which signature configuration file the sensor uses, which Packet Capture Device (interface) the sensor sniffs on, and how IP fragment reassembly is handled. The Active Configuration is the signature file the sensor compares traffic against. The Packet Capture Device is the sniffing interface. IP fragment reassembly (discussed earlier in this chapter) is also configured on this tab.

Configuring Sensing Properties

To configure the sensing properties, follow these steps:

  1. Select the Sensing tab on the sensor you are going to configure (see Figure 7.22 earlier).

  2. In the Active Configuration field, select the Sensor Signature file template that the sensor will be using to monitor the network. It is not uncommon to have a different Sensor Signature file template for each sensor. Some signatures may be disabled or tuned differently depending on the positioning on the network.

  3. Select the appropriate Packet Capture device for your device and network. The Packet Capture device is the interface that is doing the sniffing. (Refer to Chapter 3 for help with the different interfaces on a sensor.)

  4. If you are configuring IP fragment reassembly, make your configuration changes here. IP fragment reassembly causes your sensor to reassemble a fragmented IP packet first, and then compare that packet with a signature. This can be a resource hog depending on your network traffic patterns. Unless you are very familiar with the traffic patterns on your network, do not modify the default settings.

  5. Once you have finished configuring the Sensing parameters, click OK, then save and update your configuration.

  6. From the Command tab, click Approve Now to push the new configuration to your sensor.