Cisco IOS Firewall
Intrusion Detection System
This feature module describes the Cisco IOS Firewall Intrusion Detection feature. It includes
information on the benefits of the new feature, supported platforms, related documents, and so forth.
This document includes the following sections:
Feature Overview on page 2
Supported Platforms on page 4
Supported Standards, MIBs, and RFCs on page 4
Configuration Tasks on page 5
Configuration Examples on page 10
Command Reference on page 15
Message Formats on page 35
Cisco IOS IDS Signature List on page 36
Glossary on page 40
Cisco IOS Firewall Intrusion Detection System 1
Feature Overview
The Cisco IOS Firewall now includes intrusion detection technology for mid-range and high-end
router platforms with firewall support. It is ideal for any network perimeter, and especially for
locations in which a router is being deployed and additional security between network segments is
required. It also can protect intranet and extranet connections where additional security is mandated,
and branch-office sites connecting to the corporate office or Internet.
The Cisco IOS Firewall’s Intrusion Detection System (Cisco IOS IDS) identifies 59 of the most
common attacks using signatures to detect patterns of misuse in network traffic. The
intrusion-detection signatures included in the new release of the Cisco IOS Firewall were chosen
from a broad cross-section of intrusion-detection signatures. The signatures represent severe
breaches of security and the most common network attacks and information-gathering scans.
The Cisco IOS Firewall acts as an in-line intrusion detection sensor, watching packets and sessions
as they flow through the router, scanning each to match any of the IDS signatures. When it detects
suspicious activity, it responds before network security can be compromised and logs the event
through Cisco IOS syslog. The network administrator can configure the IDS system to choose the
appropriate response to various threats. When packets in a session match a signature, the IDS system
can be configured to:
Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management
interface)
Drop the packet
Reset the TCP connection
Cisco developed its Cisco IOS software-based intrusion-detection capabilities in the Cisco IOS
Firewall with flexibility in mind, so that individual signatures could be disabled in case of false
positives. Also, while it is preferable to enable both the firewall and intrusion detection features of
the CBAC security engine to support a network security policy, each of these features may be
enabled independently and on different router interfaces. Cisco IOS software-based intrusion
detection is part of the Cisco IOS Firewall available on the Cisco 2600, 3600, 7100, and 7200 series
routers.
Functional Description
The Cisco IOS IDS acts as an in-line intrusion detection sensor, watching packets as they traverse
the router’s interfaces and acting upon them in a definable fashion. When a packet, or a number of
packets in a session, match a signature, the Cisco IOS IDS may perform the following configurable
actions:
Alarm—Sends an alarm to a syslog server or NetRanger Director
Drop—Drops the packet
Reset—Resets the TCP connection
The following describes the packet auditing process with Cisco IOS IDS:
1 You create an audit rule, which specifies the signatures that should be applied to packet traffic
and the actions to take when a match is found. An audit rule can apply informational and attack
signatures to network packets. The signature list can have just one signature, all signatures, or
any number of signatures in between. Signatures can be disabled in case of false positives or the
needs of the network environment.
2 You apply the audit rule to an interface on the router, specifying a traffic direction (in or out).
Cisco IOS Release 12.0(5)T
3 If the audit rule is applied to the in direction of the interface, packets passing through the interface
are audited before the inbound ACL has a chance to discard them. This allows an administrator
to be alerted if an attack or information-gathering activity is underway even if the router would
normally reject the activity.
4 If the audit rule is applied to the out direction on the interface, packets are audited after they enter
the router through another interface. In this case, the inbound ACL of the other interface may
discard packets before they are audited. This may result in the loss of IDS alarms even though
the attack or information-gathering activity was thwarted.
5 Packets going through the interface that match the audit rule are audited by a series of modules,
starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the Application
level.
6 If a signature match is found in a module, then the following user-configured action(s) occur:
If the action is alarm, then the module completes its audit, sends an alarm, and passes the
packet to the next module.
If the action is drop, then the packet is dropped from the module, discarded, and not sent to
the next module.
If the action is reset, then the packet is forwarded to the next module and, if the session is
TCP, packets with the reset flag set are sent to both participants of the session.
Note It is recommended that you use the drop and reset actions together.
If there are multiple signature matches in a module, only the first match fires an action.
Additional matches in other modules fire additional alarms, but only one per module.
Note This process is different than on the NetRanger Sensor appliance, which identifies all
signature matches for each packet.
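The audit path in steps 1 through 6, modelled as an added example (this is illustration code, not Cisco IOS code), so that the two ordering effects can be seen side by side: an in audit alarms on traffic that the inbound ACL would discard, an out audit loses those alarms, and within one module only the first matching signature fires. The signature labels, packet fields, addresses and the prefix-based ACL are constructed for the illustration and are not taken from the Cisco IOS IDS signature list.

```python
"""Model of the Cisco IOS IDS packet-audit path (added illustration, not Cisco code).

Only the ordering and action semantics come from the feature description;
signature labels, packet fields and the ACL below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"; selects the second module
    payload: bytes = b""


@dataclass
class Signature:
    sig_id: str           # constructed label, not a Cisco IOS IDS signature number
    module: str           # "ip", "icmp", "tcp", "udp" or "app"
    match: Callable[[Packet], bool]
    actions: FrozenSet[str]   # subset of {"alarm", "drop", "reset"}


@dataclass
class Result:
    alarms: List[str] = field(default_factory=list)
    dropped: bool = False
    reset: bool = False   # RST would be sent to both ends of a TCP session
    forwarded: bool = False


def audit(pkt: Packet, sigs: List[Signature]) -> Result:
    """Module chain: IP, then the L4 module for the packet's protocol, then
    application.  Within one module only the first matching signature fires;
    'drop' ends the chain, 'alarm' and 'reset' let the packet continue."""
    res = Result()
    for module in ("ip", pkt.proto, "app"):
        for sig in sigs:
            if sig.module != module or not sig.match(pkt):
                continue
            if "alarm" in sig.actions:
                res.alarms.append(sig.sig_id)
            if "reset" in sig.actions and pkt.proto == "tcp":
                res.reset = True
            if "drop" in sig.actions:
                res.dropped = True
                return res          # discarded; later modules never see it
            break                   # one match per module
    return res


def acl_permits(pkt: Packet, acl) -> bool:
    """First-match inbound ACL on source prefix, implicit deny (constructed)."""
    for prefix, action in acl:
        if pkt.src.startswith(prefix):
            return action == "permit"
    return False


def process(pkt: Packet, sigs, acl, direction: str) -> Result:
    """'in':  audit on the ingress interface runs before its inbound ACL, so
             attacks the ACL would block are still alarmed.
       'out': audit on the egress interface runs after the ingress interface's
             inbound ACL; packets the ACL discards are never audited."""
    if direction == "in":
        res = audit(pkt, sigs)
        if not res.dropped:
            res.forwarded = acl_permits(pkt, acl)
        return res
    if not acl_permits(pkt, acl):
        return Result()             # discarded before the IDS saw it: alarm lost
    res = audit(pkt, sigs)
    res.forwarded = not res.dropped
    return res


# Constructed signatures and ACL for the demonstration.
SIGS = [
    Signature("IP-loopback-src", "ip", lambda p: p.src.startswith("127."), frozenset({"alarm"})),
    Signature("TCP-oversize", "tcp", lambda p: len(p.payload) > 1000, frozenset({"alarm"})),
    Signature("TCP-shell-string", "tcp", lambda p: b"/bin/sh" in p.payload,
              frozenset({"alarm", "drop", "reset"})),
    Signature("APP-debug-cmd", "app", lambda p: p.payload.upper().startswith(b"DEBUG"),
              frozenset({"alarm"})),
]
ACL = [("10.", "permit")]          # everything else implicitly denied


def demo():
    attack = Packet("10.1.1.9", "10.2.2.25", "tcp", b"GET /cgi-bin/x?cmd=/bin/sh")
    outside = Packet("192.0.2.7", "10.2.2.25", "udp", b"DEBUG")
    padded = Packet("10.1.1.9", "10.2.2.25", "tcp", b"A" * 1200 + b"/bin/sh")
    probe = Packet("127.0.0.5", "10.2.2.25", "udp", b"DEBUG")
    return {
        "in_attack": process(attack, SIGS, ACL, "in"),      # dropped and reset by the IDS
        "out_denied": process(outside, SIGS, ACL, "out"),   # ACL first: alarm lost
        "in_denied": process(outside, SIGS, ACL, "in"),     # alarm kept, ACL still drops
        "first_match": process(padded, SIGS, ACL, "in"),    # only TCP-oversize fires
        "two_modules": process(probe, SIGS, ACL, "in"),     # one alarm per module
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:12s} alarms={r.alarms} dropped={r.dropped} "
              f"reset={r.reset} forwarded={r.forwarded}")
```

The first_match scenario is the caveat behind the "only the first match fires" rule: an alarm-only signature that happens to match first in the TCP module masks the drop/reset signature for the same packet, so the packet is forwarded with nothing more than an alarm.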
Memory and Performance Impact
The performance impact of intrusion detection will depend on the number of signatures enabled, the
level of traffic on the router, the router platform, and other individual features enabled on the router
such as encryption, source route bridging, and so on. Because this router is being used as a security
device, no packet will be allowed to bypass the security mechanisms. The IDS process in the Cisco
IOS Firewall router sits directly in the packet path and thus will search each packet for signature
matches. In some cases, the entire packet will need to be searched, and state information and even
application state and awareness must be maintained by the router.
For auditing atomic signatures, there is no traffic-dependent memory requirement. For auditing
compound signatures, CBAC allocates memory to maintain the state of each session for each
connection. Memory is also allocated for the configuration database and for internal caching.
Benefits
Intrusion detection systems (IDSes) provide a level of protection beyond the firewall by protecting
the network from internal and external attacks and threats. Cisco IOS Firewall IDS technology
enhances perimeter firewall protection by taking appropriate action on packets and flows that violate
the security policy or represent malicious network activity.
Cisco IOS Firewall intrusion detection capabilities are ideal for providing additional visibility at
intranet, extranet, and branch-office Internet perimeters. Network administrators now enjoy more
robust protection against attacks on the network and can automatically respond to threats from
internal or external hosts.
NetRanger IDS customers can deploy the Cisco IOS software-based IDS signatures to complement
their existing IDS systems. This allows an IDS to be deployed to areas that may not be capable of
supporting a NetRanger Sensor. Cisco IOS IDS signatures can be deployed alongside or
independently of other Cisco IOS Firewall features.
The Cisco IOS Firewall with intrusion detection can be added to the NetRanger Director screen as
an icon to provide a consistent view of all intrusion detection sensors throughout a network. The
Cisco IOS Firewall intrusion detection capabilities have an enhanced reporting mechanism that
permits logging to the NetRanger Director console in addition to Cisco IOS syslog.
The Cisco IOS Firewall with intrusion detection is intended to satisfy the security goals of all of our
customers, and is particularly appropriate for:
Enterprise customers that are interested in a cost-effective method of extending their perimeter
security across all network boundaries, specifically branch-office, intranet, and extranet
perimeters.
Small and medium-sized businesses that are looking for a cost-effective router that has an
integrated firewall with intrusion-detection capabilities.
Service provider customers that want to set up managed services, providing firewalling and
intrusion detection to their customers, all housed within the necessary function of a router.
Supported Platforms
Cisco IOS intrusion detection capability is integrated with the Cisco IOS Firewall feature set on the
following platforms:
Cisco 2600
Cisco 3600
Cisco 7100
Cisco 7200
Additional platform support is planned for future Cisco IOS software releases.
Supported Standards, MIBs, and RFCs
None
Configuration Tasks
See the following sections for configuration tasks for the Cisco IOS Firewall Intrusion Detection
feature. Each task in the list indicates if it is optional or required:
Initializing Cisco IOS IDS (Required)
Initializing the Post Office (Required)
Configuring and Applying Audit Rules (Required)
Verifying the Configuration (Optional)
Initializing Cisco IOS IDS
The following tasks are necessary for initializing Cisco IOS IDS on a router:
Step 1
Log on to the router.
Step 2
Enter enable mode by typing en followed by the enable password.
Step 3
Type conf t to enter configuration mode.
Step 4
Use the ip audit smtp command to set the threshold beyond which spamming in e-mail
messages is suspected:
ip audit smtp spam recipients
where recipients is the maximum number of recipients in an e-mail message. The default
is 250.
Step 5
Use the ip audit po max-events command to set the threshold beyond which queued
events are dropped from the queue for sending to the NetRanger Director:
ip audit po max-events number_events
where number_events is the number of events in the event queue. The default is 100.
Increasing this number may have an impact on memory and performance, as each event
in the event queue requires 32 KB of memory.
Step 6
Type exit to leave terminal configuration mode.
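What the spam threshold from Step 4 has to track at the application level, as an added example (not Cisco's implementation): the recipient count is kept per SMTP session and per message, which is what makes this a compound signature in the sense of the Memory and Performance Impact section. The model assumes that "recipients" means RCPT TO commands issued for one message, that MAIL FROM or RSET starts a new count, and that lines inside the DATA body are not commands; the session addresses and the transcript are constructed.

```python
"""Per-session recipient counting for an SMTP spam threshold (added illustration).

Reconstructs the behaviour described for 'ip audit smtp spam'; the command
handling and sample transcript are assumptions, not Cisco code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_SPAM_THRESHOLD = 250   # default value of 'ip audit smtp spam' on this page


@dataclass
class SmtpSession:
    recipients: int = 0        # RCPT TO commands seen for the current message
    in_data: bool = False      # between DATA and the terminating "." line


class SpamAuditor:
    def __init__(self, threshold: int = DEFAULT_SPAM_THRESHOLD):
        self.threshold = threshold
        self.sessions: Dict[Tuple[str, str], SmtpSession] = {}
        self.alarms: List[str] = []

    def audit_line(self, key: Tuple[str, str], line: bytes) -> None:
        """Feed one client-to-server line for the (client, server) session 'key'."""
        s = self.sessions.setdefault(key, SmtpSession())
        if s.in_data:
            # Message body: nothing here is a command, even a line that looks
            # like "RCPT TO:".  A lone "." ends the message and the count.
            if line.rstrip(b"\r\n") == b".":
                s.in_data = False
                s.recipients = 0
            return
        cmd = line.strip().upper()
        if cmd.startswith(b"RCPT TO:"):
            s.recipients += 1
            if s.recipients == self.threshold + 1:      # fire once per message
                self.alarms.append(
                    f"{key[0]} -> {key[1]}: {s.recipients} recipients exceeds "
                    f"threshold {self.threshold}")
        elif cmd.startswith((b"MAIL FROM:", b"RSET")):
            s.recipients = 0                            # new mail transaction
        elif cmd == b"DATA":
            s.in_data = True


def build_transcript(recipient_counts: List[int]) -> List[bytes]:
    """Constructed client side of one SMTP session, one message per count."""
    lines = [b"EHLO relay.example.test"]
    for n, count in enumerate(recipient_counts):
        lines.append(b"MAIL FROM:<sender@example.test>")
        lines += [b"RCPT TO:<user%d@victim.example>" % i for i in range(count)]
        lines += [b"DATA", b"Subject: message %d" % n, b"",
                  b"RCPT TO:<not-a-command@example.test>",   # body text, must not count
                  b"."]
    lines.append(b"QUIT")
    return lines


def audit_transcript(lines: List[bytes], threshold: int = DEFAULT_SPAM_THRESHOLD,
                     key: Tuple[str, str] = ("10.1.1.9", "10.2.2.25")) -> List[str]:
    auditor = SpamAuditor(threshold)
    for line in lines:
        auditor.audit_line(key, line)
    return auditor.alarms


if __name__ == "__main__":
    print(audit_transcript(build_transcript([200, 200])))   # two messages under the limit
    print(audit_transcript(build_transcript([200, 260])))   # second message trips the threshold
```

Two messages of 200 recipients in one session stay silent because the count restarts with each MAIL FROM; a single message with 260 produces exactly one alarm, at the 251st RCPT TO. The body line that imitates a command is ignored while the session is inside DATA, which is the kind of state the router has to hold per connection for a compound signature.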
Initializing the Post Office
The following tasks are necessary for initializing the Post Office system:
Step 1
Enter enable mode by typing en followed by the enable password.
Step 2
Type conf t to enter configuration mode.
Step 3
Use the ip audit notify command to send event notifications (alarms) to either a
NetRanger Director or syslog server.
If you are sending alarms to a NetRanger Director, use the following command:
ip audit notify nr-director
If you are sending alarms to a syslog server, use the following command:
ip audit notify log