Deploying Cisco IDS Sensors

In the first chapter, we briefly discussed some of the best practices related to planning and managing the implementation of IDS sensors. In general, security architects will find that IDS is best deployed near the ingress/egress points of the network. This could include locations such as the following:

Internet-connected Networks An IDS connected near the Internet/Corporate boundary point provides insight into all traffic destined to and from the corporate network.

Extranet Networks IDSs near vendor and partner portals or gateways provide visibility into these mixed-zone, semi-trusted networks.

Intranet Networks IDSs at the gateway routers and firewalls between departments such as Accounting, Human Resources, and other sensitive internal groups.

Remote Access Networks Don't forget the other points of entry and exit to your network. Remote Access Networks could include traditional dialup RAS networks, broadband VPN boundary points, or Wireless Access Points.

We also covered security policy generation through the Cisco Security Wheel methodology and reviewed the Cisco AVVID architecture and SAFE blueprint. All of these resources can help security architects and administrators decide the most effective locations to place IDS in the infrastructure.

Intelligent deployment of Cisco IDS sensors involves, at a minimum, three steps. These include

Understanding and analyzing the network

Identifying the critical infrastructure and services

Placing sensors based on network and services function

We'll discuss each of these steps in this section.

Note Securing the network is part of the Secure step in the Cisco Security Wheel process, which comes after building the security policy. If administrators are in the process of deciding where to deploy IDS, it is assumed they have generated a thorough and solid security policy complete with security zone definitions and the other critical attributes of the policy.

Understanding and Analyzing the Network

Intelligent IDS deployment requires thorough knowledge and analysis of the network as a whole. As we discussed in Chapter 1, this involves gathering and understanding attributes such as overall network size and topology, entry and exit points, service locations, and common application flow parameters. In small environments this may be simple, but in large enterprise networks, a complete understanding of the routing and content switching foundation can be quite a task.

You should start with a map of the network, examining the topology from a routed or Layer 3 perspective. You need to gain an understanding of the routed environment first. As part of the audit, you should identify active/active, redundant networks. Asymmetric routing and switching can wreak havoc on IDS systems, because the IDS sensor needs to inspect the entire dataflow or conversation to be effective. Understand the perimeter security devices where access may be permitted or denied. Also, you should understand the impact of IP version 6 and VPN encryption, both of which can defeat IDS. It may also be necessary to learn the Layer-2 architecture of the network, especially in large ATM or MPLS clouds, since communities of interest are often aggregated on the same physical network platform.

After fully understanding the Layer-3 environment, you should work up the OSI model to Layer 7, the application layer. Make an overlay of the Layer-3 network map by placing service flow information on the routed links. This will help you understand which links in the network carry the most critical application traffic, such as web or e-mail requests. It will also help you with the next step, Identifying the Critical Infrastructure and Services.

Finally, using the previously developed security policy, verify that the security zones are properly defined and examine how they interact with the routed and application environment. Understanding the traffic and how it flows across the network is an essential step in planning IDS implementations.

Identifying the Critical Infrastructure and Services

As part of the network analysis, security administrators should identify the critical components both in terms of networks and services. After all, the network exists only to get people and machines to application services! On the network map, place symbols near the endpoints of critical services, remembering the purpose of IDS and the Cisco SAFE axioms:

Routers are targets As an active element in the network, routers let hackers direct attacks that disrupt a large number of services and network access with one strike. For instance, in July of 2003, a vulnerability in Cisco IOS (CERT Advisory CA-2003-15) was discovered affecting Cisco devices. By sending specially crafted IPv4 packets to an interface on a vulnerable device, an intruder could cause the device to stop processing packets destined to that interface. By targeting routers with this vulnerability, a hacker could effectively shut down a Cisco-based network. Cisco quickly released fixed code for the vulnerability.

Switches are targets Similar to routers, switches serve as an active element in the network. Disrupting their functionality through a DoS attack or by manipulating their configuration could impact large groups of people. Some Cisco switches were affected by the vulnerability discussed earlier.

Hosts are targets One of the most alarming evolutions in hacking involves using compromised hosts as unwitting attackers in a large-scale Distributed DoS (DDoS) attack. This type of attack was used in the famous Nimda worm. Oftentimes, hosts are used in "blended threats" where a combination of worms, Trojan horses, and other malicious code is instantiated on hosts for use in a secondary attack such as a DDoS.

Networks are targets Networks are only functional with the cooperative interaction of many routers, switches, and other active elements. Large-scale attacks or blended threats can disrupt networks as a whole. A good example occurred when the Slammer Worm was unleashed (CERT Advisory CA-2003-04) and many Internet-connected networks ground to a halt under the load of UDP worm traffic.

Applications are targets Application functionality is the primary reason networks exist: we all connect to the network to access some form of application. It may be a file share or a web site or perhaps a database to which we seek access. Regardless, applications are a favorite of hackers since they contain vital information and can, when compromised, affect such a large community.

In a well-developed network and systems architecture, services should be aggregated in high-bandwidth, resilient farms. Often, these are in DMZs, extranets, or intranets. Regardless, it is most likely that the map will highlight the following locations as critical:

Internet ingress/egress points

Server farm ingress/egress points

Remote Access networks

Wireless access points

Because wireless access points can involve encryption such as WEP, they, and VPNs in general, present a challenge for IDS systems. The encryption prevents IDS sensors from gaining cleartext access to the payload and, in some instances, to the packet header as well as the payload. Since IDS cannot decrypt these datastreams, the traffic passes without IDS inspection. This is precisely why it is beneficial to place IDS at the point of decryption in the network, so that you may gain insight into the traffic passing through the tunnel.

In most instances, the critical network and service locations will be near existing security infrastructure such as firewalls. Once the critical infrastructure has been mapped, it's time to select the placement of sensors.
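As an added example (not code from the book), a small Python model of the placement steps described in this section: zones with trust levels taken from the security policy, routed links with the application flows overlaid on them, and a function that marks which links merit a sensor, defers encrypted tunnels to their decryption point, and flags redundant paths where asymmetric routing would split a conversation. All zone names, link labels and services are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Trust level of each security zone, as defined in the security policy.
# All zones, links and services below are constructed sample data.
ZONES = {
    "Internet": "untrusted", "DMZ": "semi-trusted", "Partner": "semi-trusted",
    "Wireless": "semi-trusted", "Corporate": "trusted", "HR": "trusted",
}
CRITICAL_SERVICES = {"http", "smtp", "sql"}  # flows the policy calls critical

@dataclass(frozen=True)
class Link:
    name: str                # hypothetical link label from the network map
    src: str                 # zone on one side of the routed link
    dst: str                 # zone on the other side
    services: frozenset      # application flows overlaid on this link
    encrypted: bool = False  # WEP/VPN tunnel: payload is not readable here

LINKS = [
    Link("inet-fw-a", "Internet", "DMZ", frozenset({"http", "smtp"})),
    Link("inet-fw-b", "Internet", "DMZ", frozenset({"http", "smtp"})),  # redundant
    Link("dmz-core", "DMZ", "Corporate", frozenset({"sql"})),
    Link("partner-gw", "Partner", "Corporate", frozenset({"ftp"})),
    Link("core-hr", "Corporate", "HR", frozenset({"http"})),
    Link("wlan-tunnel", "Wireless", "Corporate", frozenset({"http"}), encrypted=True),
    Link("hr-print", "HR", "HR", frozenset({"print"})),
]

def plan_sensors(zones, links, critical):
    """Return (link name, reason) pairs for each link a sensor should cover."""
    # Parallel links between the same zones: asymmetric routing may split a conversation.
    parallel = Counter(frozenset((l.src, l.dst)) for l in links)
    findings = []
    for link in links:
        reasons = []
        if zones[link.src] != zones[link.dst]:
            reasons.append("trust boundary")
        if link.services & critical:
            reasons.append("carries " + ", ".join(sorted(link.services & critical)))
        if not reasons:
            continue  # internal, non-critical link: no sensor needed
        if link.encrypted:
            # The tunnel hides the payload; inspect where it is decrypted instead.
            reasons = [f"encrypted; inspect at decryption point inside {link.dst}"]
        elif parallel[frozenset((link.src, link.dst))] > 1:
            reasons.append("redundant path: sensor must see both links")
        findings.append((link.name, "; ".join(reasons)))
    return findings
```

Running `plan_sensors(ZONES, LINKS, CRITICAL_SERVICES)` on the sample map yields six sensor points and drops the purely internal HR link.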