1 © 2003, Cisco Systems, Inc. All rights reserved. SEC-2030 8175_05_2003_c1 Advanced Enterprise IDS Deployment and Tuning


Page 1

Advanced Enterprise IDS Deployment and Tuning

Page 2

The Challenge: Security in Modern Networks

• The Potential Impact to the Bottom Line Is Significant

• The Number of Security Incidents Continues to Rise Exponentially

• The Complexity and Sophistication of Attacks and Vulnerabilities Continues to Rise

Page 3

Mitigating the Risk: Defense in Depth

• Comprehensive security policy

• Pervasive security—end to end

• Security in layers

• Multiple technologies, working together

Page 4

Defense in Depth: The Role of Intrusion Detection

• Complementary technology to firewalls

• Been around for more than a decade, started coming into prominence in the late ’90s

• Performs deep packet inspection, gaining visibility into detail often missed by firewalls


Page 5

Advanced Enterprise IDS Deployment: Agenda

• Intrusion Protection Systems

• Network Sensors

• Host Agents

• Management Consoles

• Case Studies

Page 6

Intrusion Protection Systems

Page 7

Intrusion Protection Agenda

• Terminology and Technologies

• Complete Architecture:

Sensors, Agents, Management Consoles

• Placement Strategies

Where to Place Your Sensors, What Traffic to Watch, How to Get Traffic to Them

• Organization-Level Concerns

Responding to Intrusions, Ownership and Organization, Outsourcing

Page 8

IDS Terminology: False Positives

• A False Alarm occurs when an IDS reports an attack even though no attack is underway

• Benign activity that the system mistakenly reports as malicious

• Typically due to improper tuning

• Can easily overwhelm alarm consoles, creating an enormous amount of background noise

• Can result in mistrust of the IDS by security personnel

Page 9

IDS Terminology: False Negatives

• A False Negative occurs when an IDS fails to report an ongoing attack

• Malicious activity that the system does not detect or report

• Tend to be worse because the purpose of an IDS is to detect such events

• Can be due to a variety of events:

Can be the result of IDS evasion efforts by an attacker

Can also be due to an out-of-date signature knowledge base (misuse detection systems)

A minor state transition that is below a detectable threshold (anomaly-based systems)

Page 10

IDS Terminology: Signatures and Anomalies

• Signatures explicitly define what activity should be considered malicious

Simple pattern matching

Stateful pattern matching

Protocol decode-based analysis

Heuristic-based analysis

• Anomaly detection involves defining “normal” activity and looking for deviations from this baseline
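As an added illustration of the difference between simple and stateful pattern matching (example code written for this page, not Cisco's and not from the deck): a traversal-style byte pattern is split across three TCP segments. A per-packet matcher never sees the whole pattern, a matcher that first reassembles the stream in sequence order does, and when one segment never reaches the sensor the reassembled stream is incomplete, which is the stream-signature failure the deck later ties to oversubscribed sensors. The signature string, segment contents and sequence numbers are all constructed.

```python
"""Simple vs. stateful pattern matching (added example; constructed data).

The same byte pattern is searched for in three ways: per packet, after
stream reassembly, and after reassembly with one segment lost.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical misuse signature: a directory-traversal style pattern.
SIGNATURE = b"../../"


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def simple_match(segments: List[Segment], pattern: bytes = SIGNATURE) -> bool:
    """Stateless matcher: each packet is inspected on its own."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments: List[Segment]) -> Tuple[bytes, bool]:
    """Order segments by sequence number and join contiguous payload.

    Returns (data, complete). complete is False if a gap was found, i.e. a
    segment never reached the sensor (dropped by a tap, SPAN port or the
    sensor itself); data then holds only the bytes before the gap."""
    data = bytearray()
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq != expected:
            return bytes(data), False
        data += s.payload
        expected += len(s.payload)
    return bytes(data), True


def stateful_match(segments: List[Segment], pattern: bytes = SIGNATURE) -> Tuple[bool, bool]:
    """Stateful matcher: returns (pattern found, stream was complete)."""
    data, complete = reassemble(segments)
    return pattern in data, complete


# Constructed request "GET /cgi-bin/../../x HTTP/1.0" delivered in three segments,
# cut so that no single segment contains the whole signature.
SPLIT = [
    Segment(1000, b"GET /cgi-bin/.."),
    Segment(1015, b"/../x HT"),
    Segment(1023, b"TP/1.0\r\n"),
]
LOSSY = [SPLIT[0], SPLIT[2]]          # middle segment never arrived


def demo() -> dict:
    return {
        "simple_split": simple_match(SPLIT),                      # False: split pattern is missed
        "stateful_split": stateful_match(SPLIT)[0],               # True: found after reassembly
        "stateful_out_of_order": stateful_match(SPLIT[::-1])[0],  # True: order restored by seq
        "stateful_with_loss": stateful_match(LOSSY),              # (False, False): gap detected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of reporting `complete` separately is that a stateful engine can at least tell the operator that it lost visibility, whereas the per-packet matcher fails silently in both the split and the lossy case.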

Page 11

IDS Architecture: Sensors, Agents, and Management

[Figure: host agents and network sensors on the production network report to management consoles over a separate management network]

Page 12

IDS Components

• Network-Based Sensors

Specialized software and/or hardware used to collect and analyze network traffic

Appliances, modules, embedded in network infrastructure

• Host-Based Agents

Server-specific agent

Provides both packet- and system-level monitoring, and active response

• Security Management and Monitoring

Performs configuration and deployment services

Alert collection and aggregation for monitoring

Page 13

Network-Based IDS: The Sensor

[Figure: the sensor captures data from the monitored network through a passive interface with no IP address; a separate interface with an IP address provides the network link to the management console]

Page 14

Network-Based IDS: The In-line Sensor

[Figure: data flows through the sensor over a pair of passive interfaces with no IP address; a separate interface with an IP address provides the network link to the management console]

Page 15

Network-Based IDS: Functions and Capabilities

• Monitors all traffic on a given segment

• Compares traffic against well-known attack patterns (signatures); also looks for heuristic attack patterns (e.g., multi-host scans, DoS)

• Includes fragmentation and stream reassembly logic for de-obfuscation of attacks

• Primarily an alarming and visibility tool, but also allows active response: IP session logging, TCP reset, shunning (blocking)
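The heuristic class of detection named above (multi-host scans) cannot be written as a signature, because no single packet of a sweep is malicious; the sensor has to keep per-source state. The following is an added example, not code from Cisco or from the deck, of such a heuristic over constructed flow records: it counts the distinct destinations one source touches inside a sliding window and fires above a threshold. It also shows the anomaly-style false negative the Terminology slides mention, a sweep slow enough to stay below the detectable threshold, and what happens to a benign management poller when the threshold is lowered to catch it. Window size, threshold, addresses and flows are all assumptions.

```python
"""Heuristic multi-host sweep detection over flow records (added example).

No single packet of a sweep matches a signature, so the engine keeps
per-source state: the set of distinct destinations one source contacted
inside a sliding time window. Flow records are constructed for this page.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, Tuple

Flow = Tuple[float, str, str]          # (timestamp in seconds, src_ip, dst_ip)

WINDOW_SECONDS = 60
UNIQUE_DEST_THRESHOLD = 20             # hypothetical tuning knob


def detect_sweeps(flows: Iterable[Flow], window: float = WINDOW_SECONDS,
                  threshold: int = UNIQUE_DEST_THRESHOLD) -> Dict[str, float]:
    """Return {src_ip: timestamp at which the sweep heuristic first fired}."""
    recent = defaultdict(deque)        # src -> deque of (ts, dst) still inside the window
    alerts: Dict[str, float] = {}
    for ts, src, dst in flows:         # flows must be in time order
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # expire records older than the window
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts


def make_sweep(src: str, n_hosts: int, interval: float) -> list:
    """Constructed: src contacts n_hosts distinct hosts, one every `interval` seconds."""
    return [(i * interval, src, f"10.0.0.{i + 1}") for i in range(n_hosts)]


FAST_SWEEP = make_sweep("192.0.2.10", 50, 0.1)     # 50 hosts in 5 seconds
SLOW_SWEEP = make_sweep("192.0.2.20", 50, 10.0)    # 50 hosts over 500 seconds: at most 7 per window
# Constructed benign traffic: a server talking to one peer, and a management
# poller that checks the same eight hosts once a minute.
BACKGROUND = [(float(t), "10.0.0.5", "10.0.0.200") for t in range(0, 600, 5)]
POLLER = [(float(t + j), "10.0.0.9", f"10.0.1.{j + 1}")
          for t in range(0, 600, 60) for j in range(8)]


def demo() -> Dict[str, Dict[str, float]]:
    flows = sorted(FAST_SWEEP + SLOW_SWEEP + BACKGROUND + POLLER)
    return {
        "threshold_20": detect_sweeps(flows),               # fast sweep only
        "threshold_5": detect_sweeps(flows, threshold=5),   # slow sweep too, but also the poller
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts)
```

At the default threshold the slow sweep is a false negative; at the lower threshold it is caught, but the poller becomes a false alarm. That trade-off is exactly what the tuning part of the deck is about, and an exclusion for the known poller source is the usual way out.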

Page 16

Host Agents: Functions and Capabilities

• Distributed Agent residing on each server to be protected

• Intimately tied to underlying operating system

Can allow very detailed analysis

Can allow some degree of Intrusion Protection

• Allows analysis of data encrypted for transport

• Monitors kernel-level application behavior, to mitigate attacks such as buffer-overflow and privilege escalation

Page 17

Some General Pros and Cons

Host-Based

Pros:

• Can verify success or failure of attack

• Generally not impacted by bandwidth or encryption

• Understands host context and may be able to stop attack

Cons:

• Impacts host resources

• Operating system dependent

• Scalability—requires one agent per host

Network-Based

Pros:

• Protects all hosts on monitored network

• No host impact

• Can detect network probes and denial of service attacks

Cons:

• Switched environments pose challenges

• Monitoring >100 Mbps is currently challenging

• Generally can’t proactively stop attacks

Should view as complementary!

Page 18

Placement Strategies

• Monitoring critical traffic

• Deploy network sensors at security policy enforcement points throughout the network

• Deploy host sensors on business critical servers

• Beware of sensor overload — sensors must be able to handle peak traffic loads

Otherwise they will suffer packet drop/loss and possibly miss attacks

Page 19

Deploying IDS Solutions

Page 20

Overview

Often, IDS cannot be implemented “everywhere” due to cost restrictions.

Where do you need to detect an intrusion as soon as it occurs?

Where an incident would be most expensive (most valuable data)

At the entry to a sensitive domain (to detect the first successful step of the attacker)

At other locations, where attempts need to be analyzed

Look at the risks again—make sure you prioritized based on the value of a resource and the exposure involved.

Page 21

Network IDS Primary Functions

• Identify Malicious Activity

• Identify Network Anomalies

• Network Traffic Enforcement

• First Alert: Day Zero

• First Packet Response

• TCP Traffic Normalization

Page 22

NIDS Deployment Considerations

• General Location Selection Issues

Purpose of Deployment Defines Location

Inside, Outside, or DMZ

Internal vs Perimeter

Response Actions vs Passive Monitoring

Trusted vs Non-Trusted Zones (chokepoints)

Security Operations vs Network Operations

Page 23

NIDS Deployment Considerations (cont)

• Specific Location Selection Issues

Location Requirements Define Platform

Sensor Performance

Large Network Pipes can result in Data Overflow

Proper Platform Selection is Crucial

Load Balancing Issues (Sweep and Flood Fidelity)

Data Reduction Possibilities

Highly Available or Asymmetrically Routed Networks

Page 24

NIDS Deployment Considerations (cont)

• Specific Location Selection Issues

Encrypted Traffic

SSL or IPSec

IDS Monitoring Sources

Network Taps

SPAN (and RSPAN)

VACL Capture

Aggregation Switch

Inline

Page 25

IDS Sensor Monitoring Considerations

• NIDS sensors should monitor the segments where you need to detect attacks the most:

Monitor most sensitive internal segments (management network)

Monitor most sensitive internal servers

Monitor network entry points:

Internet firewall, business partner entry, VPN/dial-up entry

Switched network edge (biggest performance issue)

Monitor exposed hosts most likely to be compromised:

If they are likely to be used as a jump-off point

If your reputation depends on them

Page 26

Monitoring Sensitive Internal Servers or Segments with NIDS

• Performance considerations:

Select the correct Sensor platform

Use a dedicated sensor per network/VLAN (if required)

Move the sensor to a different location to see more specifically defined traffic

If necessary, only capture a subset of traffic (exclude traffic that can’t be inspected: IPSec, SSL, Multicast)

Use HIDS (not a performance issue)

Use Load Balancing to distribute network flows

Page 27

IDS Placement and Tuning

Page 28

Network Sensor Deployment Locations

• Inside (trusted side) network monitoring:

Typical initial IDS deployment spot (along with DMZ)

Usually broad monitoring to detect any attacks

Sees traffic filtered by the firewall

Detects attacks that penetrate the firewall

Detects outgoing attacks (even if blocked by the firewall)

Useful to check config of firewall

Page 29

Network Sensor Deployment Locations

• Outside (untrusted side) network monitoring:

“Broad” monitoring for all types of attacks

Also detects attacks which the firewall will block (early warning, trends, new risks, “Internet thermometer”)

Serious risk of operator overload as sensor monitors uncontrolled network space (no man’s land)

Usually requires special configuration and possibly special management and monitoring considerations

• Useful for correlation with inside sensors

Page 30

Multi-Sourced NIDS Sensors

• Multiple capture interfaces forwarding to the same IDS engine:

Monitors multiple segments with similar properties (same IDS policy, simple with service modules)

Potential for IDS oversubscription

Possible issues with address range overlap

Page 31

Network Sensor Deployment Locations

• High Availability or Asymmetrically Routed Networks

IDS must see all packets involved in a connection

Usually requires a sensor with multiple interfaces to capture data from all points

Data overflow to the IDS is a serious possibility in an active/active network setup

Page 32

Network Sensor Deployment Locations

• Inline IDS Deployments (IPS)

IDS is able to block offending packet

IDS signature quality must be very accurate with low false positives; otherwise legitimate network traffic is disrupted

Since packets flow through the device, the IDS must have no measurable impact on traffic flow (e.g., loss rate, latency, jitter)

Network reliability must follow standard procedures

Failover in a highly available network

Fail open or fail closed?

Page 33

Deployment Example: IDS Load Balancing for the Data Center

[Figure: data center with aggregation and access layers in front of the web tier, application tier and mainframe; two NIDS sensors share the load at the aggregation layer]

Page 34

Encrypted Traffic and Network IDS

IPSec - Use a Network Module in the tunnel termination router to inspect traffic before it gets sent out the interfaces

SSL - Early decryption of SSL sessions at an SSL accelerator

For crypto tunnels terminated on the host, use HIDS

Page 35

NIDS Switched Environment Considerations

• In a switched environment, you can monitor:

Inside a switch (IDSM) or router (NM-IDS)

Using a network TAP

Using SPAN or VACL Capture

On the host (HIDS)

• Avoid oversubscribing the device or port:

Lost packets break stream and composite signatures

Smart VACLs (specific protocols)

Perhaps monitor only one port via SPAN

Understand the limitations of the packet sourcing device

Reference IDS_Capture_Techniques[1].ppt

Page 36

SPAN Overview

• SPAN means Switch Port Analyzer

• SPAN copies ALL packets from source VLANs or ports to a destination port

• Supported across most Cisco switches

• Different switches have different limitations on use of SPAN, including number of SPAN destination ports

• Some switches do not allow incoming packets on the SPAN destination port; that capability is necessary if a customer wishes to use TCP Reset, since the sensor sends the reset back through its monitoring port


SPAN directs copy of ALL traffic from SOURCE port or VLAN

Page 37

NIDS Switched Environment Considerations

• A VLAN-aware sensor is:

Able to process 802.1q tagged packets

• Issues when using the SPAN port:

If SPAN belongs to a single VLAN, packets enter the SPAN port without the VLAN headers.

Configure SPAN as a trunking port, if necessary (supporting ALL active VLANs).

Which VLAN do you send the RST to?

Page 38

VACL Capture Overview

• A VLAN ACL, also known as Security ACL, specifies traffic to capture.

• The VACL Capture copies filtered packets from source VLANs to a destination port.


VACL directs copy of FILTERED traffic from SOURCE port

Page 39

Management Interface Security Guidelines

• Perimeter (outside monitoring) placement options:

Classic firewall sandwich (in-band)

Management interface on separate inside VLANs

Management interface on separate DMZ

Management interface on separate physical network

Page 40

Intrusion Detection Deployment: What Areas of the Network Are Candidates?

[Figure: corporate network with the candidate monitoring areas marked: Internet connections, business partner access / extranet connections, remote access systems, remote/branch office connectivity, data center, management network]

Page 41

Sensor Placement Rationale

• No real standard

• No primer or cookbook that says “Place IDS here”

• Varies tremendously from network to network

• IDS is typically found around firewalls

These are usually perceived as transit points from one network to another

• Also found where there are differing trust levels within the network

Page 42

Typical Order of Deployment

• How far down the deployment path you go often depends on your resources; if resources are tight, always look at where you can get the most ‘bang for your buck’

• Data centers, high risk, or other ‘HDV’ areas

• Directly behind perimeter firewalls

• Internet DMZ areas

• Remote access and remote offices

Page 43

Why at Internet Connections?

• Firewalls usually don’t protect against data driven attacks

• Consider a Web server on a DMZ

Various web server vulnerabilities have been found over the past few years

Microsoft IIS Directory Traversal Vulnerability (UNICODE)

Apache/OpenSSL SSL2 Handshake Process buffer overflow

Microsoft IIS WebDAV buffer overflow

Microsoft SQL Slammer worm

Patches are available, but…

• Can be exploited to deny service or access the server

Page 44

Attacking through the Firewall

Firewall rules:

• Permit any DMZ port 80

• Permit DMZ inside

• Permit DMZ outside

• Permit inside any

• Deny any any

[Figure: attacker on the Internet, vulnerable web server on the DMZ, inside network behind the firewall; flows labelled WWW and Telnet]

Page 45

Inside or Outside?

• Somewhat of a “religious” debate

• Depends on the situation and the needs

• Made more effective with good ACLs at the edge router(s)

• Must be tuned properly—otherwise false alarms will significantly reduce the value of the IDS on the outside

Page 46

Sensor Placement—Inside or Outside?

Sensors on Outside

• Sees everything, including traffic blocked by firewall

• Can’t distinguish between what is denied or permitted by firewall

• Tools like Stick can generate lots of noise

• Monitors both DMZ and inside traffic

Sensors on Inside

• Sees only traffic permitted by the firewall

• Response is needed

• Sensor is needed for each internal leg of the firewall

[Figure: attacker outside the firewall; DMZ and inside legs behind it]

Page 47

Next Steps: Getting Traffic to your Network Sensors

• Traffic must be mirrored to network sensors (replicated)

• Choices:

Shared media (hubs)

Network taps

Switch-based traffic mirroring (SPAN)

Selective mirroring (traffic capture—VACLs)

Page 48

Using a Network Tap

[Figure: a tap on the full-duplex link between firewall and router splits it into two streams, traffic from the firewall and traffic from the router (TX and RX); an aggregation switch combines both onto a SPAN port feeding the sensor]

• Tap splits full duplex link into two streams

• For sensors with only one sniffing interface, need to aggregate traffic to one interface

• Be careful of aggregate bandwidth of two tapped streams

Don’t exceed SPAN port or sensor capacity

Page 49

Switch-Based Traffic Capture

• Port Mirroring: SPAN functionality and command syntax varies between product lines and switch vendors

Some limit the number of SPAN ports

Some allow you to monitor multi-VLAN traffic

Note that not all sensor vendors can handle multi-VLAN traffic

http://www.cisco.com/warp/public/473/41.html

• Rule-Based Capture: VLAN Capture/MLS IP IDS

Policy Feature Card (PFC) required on Catalyst 6500

Allows you to monitor multi-VLAN traffic

Use “mls ip ids” when using “router” interfaces or when interface is configured for Cisco IOS FW

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/13074_03.htm

Page 50

Switch-Based Traffic Capture Example

Using SPAN:

    switch>(enable) set span 4/5 6/1 rx create
    switch>(enable) set span 401 6/1 rx create

• Sets port 5 on module 4 and VLAN 401 to span to the monitoring port on the IDS Module in slot 6

Using VACL:

    switch>(enable) set security acl ip WEBONLY permit tcp any any eq 80 capture
    switch>(enable) set security acl ip WEBONLY permit tcp any eq 80 any capture
    switch>(enable) commit security acl WEBONLY
    switch>(enable) set security acl map WEBONLY 401
    switch>(enable) set security acl capture-ports 6/1

• Captures web traffic on VLAN 401 only, and sends the captured traffic to the monitoring port on the IDS Module in slot 6

Page 51

Additional Deployment Considerations: Organizational Issues

• As with all security technologies, it is critical to have a robust security policy

• Intrusion Detection technologies cross many different business functions:

IT Security—Policy, deployment, monitoring

Networking—Traffic direction, active response

Server Admins—installation, maintenance

Who determines how/where to connect sensors on the network? Install new agents?

Switch configuration considerations, tap considerations, management considerations

Page 52

Incident Response: Policies and Procedures

• Security policy must also address incident response

Must be approved by senior management

• Must address containment/recovery procedures

Which areas do you respond to first?

When do you start severing connections?

Under what circumstances do you notify senior management?

Under what circumstances do you engage law enforcement (if ever)?

Page 53

Incident Response: Responding to an Intrusion

• Following investigation and alarm validation, an appropriate triage solution is put in place

• It is important to understand that this is not the end of the incident life cycle

A root cause analysis must be performed

A long term fix must be implemented

The IDS policy and security policy in general must be updated as appropriate

Page 54

Planning Ahead: Other Resource Issues

• 24x7x365 monitoring and response capability

Cross-functional skill set (networking, security, operating systems, etc.)

Staffing and training considerations

Escalation paths—constant availability

• Consider outsourced managed security service provider

Could employ to augment internal security resources in cooperative fashion

Note that service level agreements for outsourced managed IDS services are difficult to develop

Page 55

“Layer 8” of the OSI Model

• IDS is cross functional

• Challenges

Who “owns” IDS?

Does the owner of IDS own both host IDS and network IDS?

Who determines how/where to connect sensors on the network?

• Must be worked out up front before deploying

[Figure: the OSI stack, Physical, Data Link, Network, Transport, Session, Presentation, Application, with an eighth layer on top: Political]

Page 56

IDS Tuning

Page 57

Terminology

• False Alarms: State in which the ID system mistakenly reports a benign activity as being malicious

• False Negative: State in which the ID system does not detect and report actual malicious activity even though it is monitored

Page 58

What Is IDS Tuning?

• IDS Tuning is the art of balancing between false alarms and false negatives

• The intent is to achieve the following:

• We want to minimize the value of $T_{IDS}$

$$T_{IDS} = \frac{F_{alarms} + F_{neg}}{A_{Total}}$$


Where to Start?

• Start by understanding the network

“Learn the network, know the network…live the network!”

• Look at where you place your IDS sensors

Remember, we discussed this just a few slides ago

• Understand the traffic patterns near your sensors


IDS Tuning Methodology

[Flowchart, boxes in order: Start; Identify Potential Location for Sensors; Apply Initial Configuration; Monitor; decision "False Alarms?" (Yes / No); Implement Signature Tuning; Implement Response Actions; Monitor; decision "Negative Effects?" (Yes / No); Update Sensors]


IDS Sensor Tuning Tasks

1. Determine what traffic requires monitoring to protect critical assets

2. Connect “sensors” to network

3. Apply initial configuration

4. Run for a week or so with default configuration

5. Analyze the alarms and tune out false positives

6. Selectively implement response actions

7. Update sensors with new signatures


Tuning Your Sensors

• Tuning is the most important part of intrusion detection deployment

The data reduction that results from proper tuning is essential for a fully functional system

• Not every sensor needs to alert on every event

Implementing environment specific configurations increases scalability of the entire system


Tuning: Where to Start

• Most sensors ship with a default signature configuration

This is a good starting point for an initial deployment in most cases

• Start by listening to high/medium severity alarms

Prioritize the tuning of the high priority alarms, and then move on to the mediums


How to Tune a Sensor: Techniques

• Understand the environment and traffic patterns

• List out potential false positives

Analyze each alert and classify stimulus and response

• Define policy, and policy exceptions

e.g., ping sweeps generate alarms, except when coming from the management network

• Turn down severity of signatures not applicable to that environment

• Iterative process: as traffic patterns change, sensors can require re-tuning


Example Tuning Features

• Signature Specific:

Ports, Protocols, Services, Analysis Length, etc.

• Filtering: what networks to alarm on

• MinHits: number of events to see before alarm

• Severity: what level of alarm to send

• Alarm Aggregation: how many alarms to send

Alarm Throttle: Summarization characteristics

Alarm Interval: Summarization window

Choke Threshold: High water mark to force summary

• Actions: what to do following an alarm
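The tuning features listed above (Filtering, MinHits, Severity, Alarm Interval, Choke Threshold), the policy-exception idea from the previous slide (ping sweeps from the management network never alarm) and the T_IDS metric from the "What Is IDS Tuning?" slide, as an added worked example that is not part of the Cisco deck: a small Python alarm tuner that applies a per-signature configuration to a constructed event stream. The signature ids, signature names, addresses and the exact summarization rule are assumptions made for illustration, not the behaviour of any shipping sensor.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One raw signature hit as the sensor sees it (constructed format)."""
    ts: float       # seconds since start of capture
    sig_id: int
    name: str
    src: str
    severity: str   # level the vendor ships with the signature


@dataclass(frozen=True)
class SigTuning:
    """Per-signature knobs, named after the slide's tuning features."""
    min_hits: int = 1                # MinHits: hits to see before the first alarm
    alarm_interval: float = 60.0     # Alarm Interval: summarization window (s)
    choke_threshold: int = 10        # Choke Threshold: count that forces a summary
    severity: Optional[str] = None   # Severity: override of the shipped level
    exempt_sources: tuple = ()       # Filtering: networks that never alarm


def tuning_score(false_alarms: int, false_negatives: int, total_alarms: int) -> float:
    """The slide's T_IDS = (F_alarms + F_neg) / A_Total; lower is better."""
    return (false_alarms + false_negatives) / total_alarms


class AlarmTuner:
    """Filter -> MinHits -> summarize, keyed per (signature, source address).

    Summarization (a constructed simplification, not any vendor's exact algorithm):
    the first event in a window is reported on its own; later events in the same
    window are counted and reported as one summary alarm when the window expires
    or when the count reaches the choke threshold.
    """

    def __init__(self, tuning: dict):
        self.tuning = tuning
        self.hits = defaultdict(int)
        self.windows = {}   # (sig_id, src) -> [start_ts, count, first_event]
        self.alarms = []

    def _cfg(self, sig_id: int) -> SigTuning:
        return self.tuning.get(sig_id, SigTuning())

    def _emit(self, ev: Event, count: int, summary: bool) -> None:
        self.alarms.append({"ts": ev.ts, "sig_id": ev.sig_id, "name": ev.name, "src": ev.src,
                            "severity": self._cfg(ev.sig_id).severity or ev.severity,
                            "count": count, "summary": summary})

    def _close_window(self, key) -> None:
        window = self.windows.pop(key, None)
        if window and window[1] > 1:     # count includes the event already reported alone
            self._emit(window[2], window[1], True)

    def process(self, ev: Event) -> None:
        cfg = self._cfg(ev.sig_id)
        src = ipaddress.ip_address(ev.src)
        if any(src in ipaddress.ip_network(net) for net in cfg.exempt_sources):
            return                       # policy exception, e.g. sweeps from the mgmt net
        key = (ev.sig_id, ev.src)
        self.hits[key] += 1
        if self.hits[key] < cfg.min_hits:
            return                       # below MinHits: not yet worth an alarm
        window = self.windows.get(key)
        if window and ev.ts - window[0] >= cfg.alarm_interval:
            self._close_window(key)      # window expired: report what accumulated
            window = None
        if window is None:
            self.windows[key] = [ev.ts, 1, ev]
            self._emit(ev, 1, False)     # first event of a window fires immediately
            return
        window[1] += 1
        if window[1] >= cfg.choke_threshold:
            self._close_window(key)      # high-water mark: force the summary now

    def flush(self) -> list:
        for key in list(self.windows):
            self._close_window(key)
        return self.alarms


def run_demo() -> list:
    """Push a constructed 24-event stream through the tuner; returns the alarms."""
    tuning = {
        2100: SigTuning(min_hits=3, severity="low", exempt_sources=("10.10.0.0/24",)),
        5000: SigTuning(alarm_interval=60.0, choke_threshold=10),
    }   # signature ids and names are constructed, not a vendor's
    events = [Event(t, 2100, "ICMP Network Sweep", "10.10.0.5", "medium") for t in (0, 1, 2)]
    events += [Event(t, 2100, "ICMP Network Sweep", "192.0.2.7", "medium") for t in (5, 6, 7, 8)]
    events += [Event(100 + i, 5000, "Long HTTP Request", "198.51.100.9", "high") for i in range(15)]
    events += [Event(t, 3000, "Failed Admin Login", "203.0.113.4", "high") for t in (200, 300)]
    tuner = AlarmTuner(tuning)
    for ev in sorted(events, key=lambda e: e.ts):
        tuner.process(ev)
    return tuner.flush()   # 24 raw events -> 8 alarms, 3 of them summaries
```

Calling run_demo() shows the data reduction the later slides call essential: the three sweeps from the management network never alarm, the external sweep alarms only once it passes MinHits (and at the lowered severity), and the fifteen long-request hits collapse to two individual alarms plus two summaries instead of fifteen alarms. tuning_score() is the slide's T_IDS for whatever alarm counts an analyst has validated.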


Customizing Your Signatures

• Customize vendor-provided signatures

• New environment specific signatures can be created

• Cisco Custom Signature configuration tasks:

Select the signature micro-engine that best meets your requirements

Enter values for the signature parameters that are required and meet your requirements

Save and apply the custom signature to the sensor

• Signature customization is not trivial

Writing signatures requires detailed knowledge of the attack: “loose” signatures will generate false positives, and mistakes might result in false negatives

Test, test and test again before you deploy


Host Agents


Agenda

• Host Agents and the Security Architecture

Capabilities of a host agent

• Cisco Security Agent Architecture

Policy, Rules, and Anomalies

• Server Selection and Deployment Techniques

Which Servers Are Candidates for Deployment?

Initial Configuration and Tuning Techniques


Host IDS in the Security Architecture

• Host-based agents installed on a specific host

Can be based on behavioral/anomalies, signatures, file system integrity checking, and/or system event analysis

• Can provide:

Event visibility and analysis

Buffer overflow protection

Malicious code protection

OS lockdown

• Endpoint security: Host IDS and…

Personal firewalls?

Anti-virus?


Host IDS: System Level Architecture

• Agents

Some products provide server-specific and desktop-specific agents

Some products provide application-specific agents (such as web-server, or database)

Agents are specific to a particular OS

• Management Console

Required to communicate with and manage the agents

Tends to have significant scalability requirements

Beginnings of correlation facilities appearing in the management stations


Cisco Security Agent Architecture

• Rules-based architecture; static and dynamic rules (behavioral)

• Composed of a set of “interceptors”

COM Component Interceptor

Network Application Interceptor

Network Traffic Interceptor

File Interceptor

Registry Interceptor

• Other components: Rule/Event Correlation Engine, Local Event Manager, Agent Policy Manager


Agent Architecture: Windows

[Figure: Windows agent architecture. Interceptors: COM Component Interceptor, Network Application Interceptor, Network Traffic Interceptor, File Interceptor, Registry Interceptor; underlying resources: TCP/IP, NIC, Disk, System; agent components: Rule/Event Correlation Engine, Agent Policy Manager, Local Event Manager. Policies arrive from the Management Console; Log and Event Notifications go to the Management Console via Internet/Intranet.]


Agent Architecture: Windows

[Figure: the same Windows agent architecture (COM Component, Network Application, Network Traffic, File and Registry Interceptors over TCP/IP, NIC, Disk and System; Rule/Event Correlation Engine, Agent Policy Manager, Local Event Manager; Policies from and Log and Event Notifications to the Management Console via Internet/Intranet), now with example applications Word, Install and Internet Explorer passing through the interceptors]


Agent Architecture: Rules

• Agent architecture based around a series of rules guiding behavior passing through an interceptor

e.g. Internet Explorer is not allowed to access the memory space of Word (or any other application)—stops many buffer overflows

• A series of default rule profiles ship with the product

90% of the time, these rule-sets are sufficient to meet a security policy requirement

• Rules can be custom built on the management console, or “learned” through behavioral analysis
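As an added illustration of the rules-based interceptor model described above (not Cisco Security Agent code, and a deliberate simplification of how any such product works): an ordered rule profile evaluated against constructed accesses, with the slide's example rule (one application may not touch another application's memory), plus the most basic form of "learning" allow rules from a clean baseline run. Process names, paths, registry keys and COM classes are constructed examples.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Access:
    """One action caught by an interceptor (constructed format)."""
    interceptor: str   # "file", "registry", "network", "memory" or "com"
    process: str       # image name of the acting process
    resource: str      # path, registry key, peer, target process or COM class
    operation: str     # "read", "write", "exec" or "connect"


@dataclass(frozen=True)
class Rule:
    interceptor: str
    process: str       # glob on the process name, "*" for any
    resource: str      # glob on the resource
    operation: str     # glob on the operation
    verdict: str       # "allow" or "deny"

    def matches(self, a: Access) -> bool:
        return (self.interceptor == a.interceptor
                and fnmatchcase(a.process.lower(), self.process.lower())
                and fnmatchcase(a.resource.lower(), self.resource.lower())
                and fnmatchcase(a.operation, self.operation))


# A constructed "default profile": specific denies before the broad allows.
DEFAULT_PROFILE = [
    # The slide's example: no process may touch another process's memory
    Rule("memory", "*", "*", "*", "deny"),
    # The browser may not persist itself through the autorun key
    Rule("registry", "iexplore.exe", r"hklm\software\microsoft\windows\currentversion\run\*", "write", "deny"),
    Rule("registry", "*", "*", "*", "allow"),
    # Only the installer may write under Program Files
    Rule("file", "setup.exe", r"c:\program files\*", "write", "allow"),
    Rule("file", "*", r"c:\program files\*", "write", "deny"),
    Rule("file", "*", "*", "*", "allow"),
    Rule("network", "*", "*", "*", "allow"),
]


def evaluate(rules: list, access: Access, default: str = "deny") -> str:
    """Ordered profile: the first matching rule wins; nothing matched -> default."""
    for rule in rules:
        if rule.matches(access):
            return rule.verdict
    return default


def learn_allow_rules(baseline: list) -> list:
    """Behavioural 'learning' in its simplest form: every access observed during a
    clean baseline run becomes an allow rule for exactly that process/resource/op."""
    learned = []
    for a in baseline:
        rule = Rule(a.interceptor, a.process, a.resource, a.operation, "allow")
        if rule not in learned:
            learned.append(rule)
    return learned


def demo() -> dict:
    """Evaluate a few constructed accesses; returns name -> verdict."""
    static = {
        "ie_to_word": Access("memory", "iexplore.exe", "winword.exe", "write"),
        "word_saves": Access("file", "winword.exe", r"c:\users\alice\documents\q3.doc", "write"),
        "ie_autorun": Access("registry", "iexplore.exe",
                             r"hklm\software\microsoft\windows\currentversion\run\upd", "write"),
        "installer": Access("file", "setup.exe", r"c:\program files\app\app.exe", "write"),
        "dropper": Access("file", "winword.exe", r"c:\program files\app\app.exe", "write"),
    }
    results = {name: evaluate(DEFAULT_PROFILE, a) for name, a in static.items()}
    # Learned rules: a COM class seen in the baseline stays allowed, a new one is not
    baseline = [Access("com", "winword.exe", "Excel.Application", "exec")]
    learned = learn_allow_rules(baseline)
    results["com_seen"] = evaluate(learned, baseline[0])
    results["com_new"] = evaluate(learned, Access("com", "winword.exe", "WScript.Shell", "exec"))
    return results
```

Rule order is the whole design: the memory deny sits first so no later allow can shadow it, and the Program Files pair shows why a specific allow must precede the matching deny. The learned profile illustrates the trade-off the slide implies: anything not seen during the baseline is denied, which is exactly why a learning period has to be representative.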


Deploying Host Agents: Server Selection and Critical Assets

• Which servers to protect?

Servers that can receive external connections from unknown parties

Servers that perform services critical to business continuity

Servers that receive traffic that can’t be monitored through other means

e.g., SSL


Policy Deployment on Agents: Grouping

• Some products allow for host groupings

Simplifies policy deployment through grouping similar hosts into a larger policy group

• For large scale deployments, this can be a significant benefit

[Figure: example host groups: Call Manager, ERP/Internal, Web Development Servers]


Initial Configuration and Tuning

• Initial configuration is very agent/vendor specific

Most agents install with a default secure configuration, but check specifics

• Host agents can need tuning to specific environment, just like network sensors (particularly signature-based agents)

• Recommend using similar techniques as network sensors

Install in environment

Monitor for a week

Tune signatures and responses based on results


Response Actions and Updates

• Agents can actively alert on suspicious actions

• In certain cases, agents can actually prevent intrusions before they occur by not allowing the triggering action

• For signature-based agents: Signature response is only as current as database

Ensure agent signature files are kept up to date


Management Considerations


Agenda

• Management Paradigms

One Device vs. Many

• Secure Management Guidelines

Protecting the Management Network

• Scaling IDS Management

Alarm Aggregation, Data Reduction

Device, Network, Console, and User Level


Management Paradigms

• Device-Level Management

Small deployments (1–5 sensors)

Low alarm rates

• Multi-Device Management

Medium/large deployments (many sensors)

High alarm rates


Secure Management Guidelines: Secure Management Out of Band

• Monitoring and Management Network Segment

• A conceptual air gap between IDS and Management segment provides the most security

[Figure: Attacker on the Internet; Inside and DMZ segments; a separate Mgmt segment]


When Out of Band Management Isn’t Possible

• When an “air-gapped” management subnet isn’t possible:

Encrypt all in-band communications (SSH, SSL, or IPSec)

Firewall all access points to the Management Network

• Use IPSec Tunnel between network devices when traversing “untrusted” networks

Aggregate multiple sensors through one tunnel


Inband Management through Tunnels

• Firewall brokers connection from inside to Management Segment

• Encrypted tunnels terminated at firewall or at Management Station

[Figure: Inside, DMZ, Internal Network and Mgmt segments]


The Intrusion Detection Challenge: Turning Data into Information

• Intrusion detection systems have a (somewhat well deserved) reputation for being very noisy

• If not solved, this problem will eventually cripple the IDS network

• The challenge is to optimize the entire system to get the most usable information out

The Single Biggest Barrier to Large Scale IDS Deployments Is Dealing with All the Data They Generate


Scaling Intrusion Detection Management

• Scalability limitations:

Sensor-to-console ratio

Aggregate event rate

• Solutions:

Sensor/Agent Level: Use tuning and alarm validation techniques for data reduction

Network Level: Hierarchical deployment

Console Level: Event correlation, separate configuration, monitoring, and archive stations

User Level: Notification Services


Network Level: Hierarchical Management

• Local consoles managing local sensors—detailed analysis

• Global consoles managing high level, critical events—event correlation is important here

Local vs. Global Management Domains


Console Level: Event Correlation

• Event Correlation: Combining multiple alarms into one meaningful security incident

• Many products trying to solve this problem

• While not completely “solved”, good steps have been made
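Event correlation as defined above, together with the local/global console split of the previous slide, as an added example that is not from the deck: alarms are folded into incidents per source address within a time window, and a local console forwards to the global console only the incidents that clear a severity floor or that chain several distinct signatures. Signature ids, addresses and the correlation rule itself are assumptions made for illustration, not any product's algorithm.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alarm:
    """One alarm as forwarded by a sensor (constructed format)."""
    ts: float
    sig_id: int
    name: str
    src: str
    dst: str
    severity: str


@dataclass
class Incident:
    src: str
    first_ts: float
    last_ts: float
    alarms: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return max((a.severity for a in self.alarms), key=SEVERITY_RANK.__getitem__)

    @property
    def signatures(self) -> set:
        return {a.sig_id for a in self.alarms}


def correlate(alarms: list, window: float = 300.0) -> list:
    """Fold alarms into incidents: same source, each alarm within `window` seconds
    of the previous alarm from that source (a constructed rule, not a product's)."""
    open_by_src = {}
    incidents = []
    for a in sorted(alarms, key=lambda x: x.ts):
        inc = open_by_src.get(a.src)
        if inc is None or a.ts - inc.last_ts > window:
            inc = Incident(a.src, a.ts, a.ts)     # gap too long: start a new incident
            incidents.append(inc)
            open_by_src[a.src] = inc
        inc.alarms.append(a)
        inc.last_ts = a.ts
    return incidents


def escalate(incidents: list, min_severity: str = "high", min_signatures: int = 2) -> list:
    """What a local console forwards to the global console: incidents that reach
    the severity floor, or that chain several distinct signatures from one source."""
    return [i for i in incidents
            if SEVERITY_RANK[i.severity] >= SEVERITY_RANK[min_severity]
            or len(i.signatures) >= min_signatures]


def demo_alarms() -> list:
    """Constructed alarm feed: one staged sequence, two isolated logins, one lone hit."""
    web, admin = "203.0.113.10", "203.0.113.20"
    return [
        Alarm(0, 2100, "ICMP Network Sweep", "192.0.2.7", web, "low"),
        Alarm(90, 3002, "TCP Port Sweep", "192.0.2.7", web, "medium"),
        Alarm(200, 5000, "Long HTTP Request", "192.0.2.7", web, "high"),
        Alarm(50, 3000, "Failed Admin Login", "198.51.100.3", admin, "low"),
        Alarm(1000, 3000, "Failed Admin Login", "198.51.100.3", admin, "low"),
        Alarm(400, 5000, "Long HTTP Request", "203.0.113.99", web, "high"),
    ]
```

On the constructed feed, six alarms become four incidents: the three alarms from 192.0.2.7 collapse into one incident whose severity is the highest of its members, the two failed logins are 950 seconds apart and so stay separate, and only two incidents reach the global console. Three low-severity alarms that on their own would not be paged become one high-severity incident once they are seen together, which is the point of doing correlation at the console rather than per sensor.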


Console Level: Archival/Trend Reporting Database

• Run on separate platform and database

• Determine how long you want to keep data

Regulatory or policy considerations

• Can import alarm data from log files on:

Sensors

Monitoring consoles

[Figure: Event DB with a Real-Time GUI; Archive DB with a Reporting GUI]


User Level: Scaling Monitoring

• Most products have some sort of notification feature

e.g., E-mail sent when event detected with some event information

• Use notifications to let you know something significant happened

Rule of thumb for pager notification: Only page you if it’s something you want to know about at 3am

• Then look at console for details

Web-based console functionality (e.g., Security Monitor) makes this easier

• Caution: Overuse of notifications can actually lead to a DoS effect on paging or mailer systems


Case Studies


Internet Edge

[Figure: Internet edge topology]

• What sort of traffic is being monitored?

• Where to place network sensors?

• Which servers are candidates for agents?

• How do I tune to the environment?

• What level of sensitivity on the sensors?

• What is the connectivity to the management network?


Corporate Data Center

• What sort of traffic is being monitored?

• Where to place network sensors?

• Which servers are candidates for agents?

• How do I tune to the environment?

• What level of sensitivity on the sensors?

• What is the connectivity to the management network?


Internet Data Center

• What sort of traffic is being monitored?

• Where to place network sensors?

• Which servers are candidates for agents?

• How do I tune to the environment?

• What level of sensitivity on the sensors?

• What is the connectivity to the management network?


Closing

Intrusion Detection in the Comfort of Your own Home…


Further Reading

• Cisco IDS product documentation: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/index.htm

• Cisco IDS Discussion Forum: http://www.cisco.com/go/netpro

• Proactive Field Notices Tool for signature updates: http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice

• Document describing SPAN functionality on Cisco switches: http://www.cisco.com/warp/public/473/41.html

• Cisco SAFE Blueprint: http://www.cisco.com/go/safe

• Cisco Security Advisories (includes a number of security documents): http://www.cisco.com/warp/public/707/advisory.html

• Vulnerability information: http://www.cisco.com/go/csec, http://www.cert.org/, http://www.securityfocus.com, http://whitehats.com, http://www.incidents.org

• Ethereal tool to view IP Session Logs: http://www.ethereal.com


Summary

• Intrusion Detection is a mature yet still evolving field of technology

• Effective deployment strategies are critical to the successful implementation of the technology

• Intrusion Detection has become a key component of a defense in depth strategy
