Configuring Cisco IOS Firewall Intrusion Detection System
This chapter describes the Cisco IOS Firewall Intrusion Detection System (IDS) feature. Intrusion
detection systems provide a level of protection beyond the firewall by protecting the network from
internal and external attacks and threats. Cisco IOS Firewall IDS technology enhances perimeter firewall
protection by taking appropriate action on packets and flows that violate the security policy or represent
malicious network activity.
For a complete description of the Cisco IOS Firewall IDS commands in this chapter, refer to the
“Cisco IOS Firewall IDS Commands” chapter of the Cisco IOS Security Command Reference. To locate
documentation of other commands that appear in this chapter, use the command reference master index
or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported
Platforms” section in the “Using Cisco IOS Software” chapter.
In This Chapter
This chapter has the following sections:
About the Firewall Intrusion Detection System
Cisco IOS Firewall IDS Configuration Task List
Monitoring and Maintaining Cisco IOS Firewall IDS
Cisco IOS Firewall IDS Configuration Examples
About the Firewall Intrusion Detection System
The Cisco IOS Firewall IDS feature supports intrusion detection technology for midrange and high-end
router platforms with firewall support. It is ideal for any network perimeter, and especially for locations
in which a router is being deployed and additional security between network segments is required. It also
can protect intranet and extranet connections where additional security is mandated, and branch-office
sites connecting to the corporate office or Internet.
Cisco IOS Security Configuration Guide
SC-269
The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using “signatures” to
detect patterns of misuse in network traffic. The intrusion-detection signatures included in the Cisco IOS
Firewall were chosen from a broad cross-section of intrusion-detection signatures. The signatures
represent severe breaches of security and the most common network attacks and information-gathering
scans. For a description of Cisco IOS Firewall IDS signatures, refer to the “Cisco IOS Firewall IDS
Signature List” section.
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets and sessions
as they flow through the router, scanning each to match any of the IDS signatures. When it detects
suspicious activity, it responds before network security can be compromised and logs the event through
Cisco IOS syslog or the Cisco Secure Intrusion Detection System (Cisco Secure IDS, formerly known
as NetRanger) Post Office Protocol. The network administrator can configure the IDS system to choose
the appropriate response to various threats. When packets in a session match a signature, the IDS system
can be configured to take these actions:
Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management interface)
Drop the packet
Reset the TCP connection
Cisco developed its Cisco IOS software-based intrusion-detection capabilities in Cisco IOS Firewall
with flexibility in mind, so that individual signatures could be disabled in case of false positives. Also,
while it is preferable to enable both the firewall and intrusion detection features of the CBAC security
engine to support a network security policy, each of these features may be enabled independently and on
different router interfaces. Cisco IOS software-based intrusion detection is part of the Cisco IOS
Firewall.
This section has the following sections:
Interaction with Cisco IOS Firewall Default Parameters
Compatibility with Cisco Secure Intrusion Detection
Functional Description
When to Use Cisco IOS Firewall IDS
Memory and Performance Impact
Cisco IOS Firewall IDS Signature List
Interaction with Cisco IOS Firewall Default Parameters
When Cisco IOS IDS is enabled, Cisco IOS Firewall is automatically enabled. Thus, IDS uses Cisco IOS
Firewall default parameter values to inspect incoming sessions. Default parameter values include the
following:
The rate at which IDS starts deleting half-open sessions (modified via the ip inspect one-minute high command)
The rate at which IDS stops deleting half-open sessions (modified via the ip inspect one-minute low command)
The maximum incomplete sessions (modified via the ip inspect max-incomplete high and the ip inspect max-incomplete low commands)
After the incoming TCP session setup rate crosses the one-minute high water mark, the router will reset
the oldest half-open session, which is the default behavior of the Cisco IOS Firewall. Cisco IOS IDS
cannot modify this default behavior. Thus, after a new TCP session rate crosses the one-minute high
water mark and a router attempts to open new connections by sending SYN packets at the same time, the
latest SYN packet will cause the router to reset the half-open session that was opened by the earlier SYN
packet. Only the last SYN request will survive.
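The interaction of the high and low water marks described above, as an added toy model written for this chapter (it is not Cisco's implementation and not code from the guide): a sliding 60-second window stands in for the one-minute rate, the thresholds and session names are constructed, and the model shows why, once the high mark is crossed, each new SYN resets the oldest half-open session until the rate falls below the low mark.

```python
from collections import deque

class HalfOpenModel:
    """Toy model of the CBAC half-open thresholds that Cisco IOS IDS inherits.
    one_minute_high/low: new-connection attempts per minute that start/stop deletion.
    max_incomplete_high/low: total half-open sessions that start/stop deletion.
    Constructed for this example; it is not the IOS implementation."""

    def __init__(self, one_minute_high, one_minute_low, max_incomplete_high, max_incomplete_low):
        self.one_minute_high, self.one_minute_low = one_minute_high, one_minute_low
        self.max_incomplete_high, self.max_incomplete_low = max_incomplete_high, max_incomplete_low
        self.attempts = deque()        # timestamps of SYNs seen in the last 60 seconds
        self.half_open = []            # half-open session ids, oldest first
        self.deleting = False          # hysteresis state between the high and low marks
        self.resets = []               # sessions the router reset (RST to both ends)

    def _rate(self, now):
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def syn(self, now, session_id):
        """A new TCP SYN arrives; returns the session id the router reset, if any."""
        self.attempts.append(now)
        rate, incomplete = self._rate(now), len(self.half_open)
        if rate > self.one_minute_high or incomplete > self.max_incomplete_high:
            self.deleting = True       # crossed a high water mark: start deleting
        elif rate < self.one_minute_low and incomplete < self.max_incomplete_low:
            self.deleting = False      # back below both low water marks: stop deleting
        victim = None
        if self.deleting and self.half_open:
            victim = self.half_open.pop(0)     # the oldest half-open session is reset
            self.resets.append(victim)
        self.half_open.append(session_id)
        return victim

    def established(self, session_id):
        """Handshake completed: the session is no longer half-open."""
        if session_id in self.half_open:
            self.half_open.remove(session_id)

def simulate_syn_flood(count, high=10, low=5):
    """Send `count` SYNs within one second that never complete; return (half_open, resets)."""
    m = HalfOpenModel(high, low, max_incomplete_high=500, max_incomplete_low=400)
    for i in range(count):
        m.syn(now=i / 100.0, session_id=f"flood-{i}")
    return len(m.half_open), list(m.resets)
```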
Compatibility with Cisco Secure Intrusion Detection
Cisco IOS Firewall is compatible with the Cisco Secure Intrusion Detection System (formerly known as
NetRanger). The Cisco Secure IDS is an enterprise-scale, real-time intrusion detection system designed
to detect, report, and terminate unauthorized activity throughout a network.
The Cisco Secure IDS consists of three components:
Sensor
Director
Post Office
Cisco Secure IDS Sensors, which are high-speed network appliances, analyze the content and context of
individual packets to determine if traffic is authorized. If a network's data stream exhibits unauthorized
or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a secret research
project code word, Cisco Secure IDS Sensors can detect the policy violation in real time, forward alarms
to a Cisco Secure IDS Director management console, and remove the offender from the network.
The Cisco Secure IDS Director is a high-performance, software-based management system that centrally
monitors the activity of multiple Cisco Secure IDS Sensors located on local or remote network segments.
The Cisco Secure IDS Post Office is the communication backbone that allows Cisco Secure IDS services
and hosts to communicate with each other. All communication is supported by a proprietary,
connection-based protocol that can switch between alternate routes to maintain point-to-point
connections.
Cisco Secure IDS customers can deploy the Cisco IOS Firewall IDS signatures to complement their
existing IDS systems. This allows an IDS to be deployed to areas that may not be capable of supporting
a Cisco Secure IDS Sensor. Cisco IOS Firewall IDS signatures can be deployed alongside or
independently of other Cisco IOS Firewall features.
The Cisco IOS Firewall IDS can be added to the Cisco Secure IDS Director screen as an icon to provide
a consistent view of all intrusion detection sensors throughout a network. The Cisco IOS Firewall
intrusion detection capabilities have an enhanced reporting mechanism that permits logging to the
Cisco Secure IDS Director console in addition to Cisco IOS syslog.
For additional information about Cisco Secure IDS (NetRanger), refer to the NetRanger User Guide.
Functional Description
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets as they
traverse the router’s interfaces and acting upon them in a definable fashion. When a packet, or a number
of packets in a session, match a signature, the Cisco IOS Firewall IDS may perform the following
configurable actions:
Alarm—Sends an alarm to a syslog server or Cisco Secure IDS Director
Drop—Drops the packet
Reset—Resets the TCP connection
The following describes the packet auditing process with Cisco IOS Firewall IDS:
You create an audit rule, which specifies the signatures that should be applied to packet traffic and
the actions to take when a match is found. An audit rule can apply informational and attack
signatures to network packets. The signature list can have just one signature, all signatures, or any
number of signatures in between. Signatures can be disabled in case of false positives or the needs
of the network environment.
You apply the audit rule to an interface on the router, specifying a traffic direction (in or out).
If the audit rule is applied to the in direction of the interface, packets passing through the interface
are audited before the inbound ACL has a chance to discard them. This allows an administrator to
be alerted if an attack or information-gathering activity is underway even if the router would
normally reject the activity.
If the audit rule is applied to the out direction on the interface, packets are audited after they enter
the router through another interface. In this case, the inbound ACL of the other interface may discard
packets before they are audited. This may result in the loss of Cisco IOS Firewall IDS alarms even
though the attack or information-gathering activity was thwarted.
Packets going through the interface that match the audit rule are audited by a series of modules,
starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the Application level.
If a signature match is found in a module, then the following user-configured action(s) occur:
If the action is alarm, then the module completes its audit, sends an alarm, and passes the packet
to the next module.
If the action is drop, then the packet is dropped from the module, discarded, and not sent to the
next module.
If the action is reset, then the packets are forwarded to the next module, and packets with the
reset flag set are sent to both participants of the session, if the session is TCP.
Note: It is recommended that you use the drop and reset actions together.
If there are multiple signature matches in a module, only the first match fires an action. Additional
matches in other modules fire additional alarms, but only one per module.
Note: This process differs from that of the Cisco Secure IDS Sensor appliance, which identifies
all signature matches for each packet.
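The audit process described above, as an added example written for this chapter (not code from the guide and not Cisco's implementation): a packet passes through the IP, transport and application modules in order, only the first matching signature in a module fires, a drop stops the packet before the next module, and a reset applies only to TCP sessions. The signature numbers, match predicates and packet fields are constructed for illustration.

```python
from dataclasses import dataclass

# Audit module order described in the guide: IP, then ICMP/TCP/UDP, then the Application level.
MODULE_ORDER = ("ip", "transport", "application")

@dataclass
class Signature:
    sig_id: int      # signature number (constructed for this example, not a real NSD number)
    kind: str        # "info" or "attack"
    module: str      # module that evaluates it, one of MODULE_ORDER
    match: object    # predicate over a packet, represented here as a dict

@dataclass
class AuditRule:
    name: str
    info_actions: frozenset
    attack_actions: frozenset
    signatures: list
    disabled: frozenset = frozenset()   # signature ids disabled because of false positives

def audit_packet(rule, pkt):
    """Run one packet through the module chain; return (alarms, dropped, reset_sent)."""
    alarms, dropped, reset_sent = [], False, False
    for module in MODULE_ORDER:
        for sig in rule.signatures:
            if sig.module != module or sig.sig_id in rule.disabled or not sig.match(pkt):
                continue
            actions = rule.info_actions if sig.kind == "info" else rule.attack_actions
            if "alarm" in actions:
                alarms.append(sig.sig_id)          # module completes its audit and alarms
            if "reset" in actions and pkt.get("proto") == "tcp":
                reset_sent = True                  # RST goes to both ends of the TCP session
            if "drop" in actions:
                dropped = True
            break                                  # only the first match in a module fires
        if dropped:
            break                                  # a dropped packet is not passed on
    return alarms, dropped, reset_sent

# Constructed sample signatures: two IP-level info, one transport-level info, one application-level attack.
SAMPLE_SIGS = [
    Signature(1001, "info", "ip", lambda p: bool(p.get("ip_options"))),
    Signature(1002, "info", "ip", lambda p: p.get("ttl", 64) < 2),
    Signature(3001, "info", "transport", lambda p: p.get("proto") == "tcp" and p.get("dport") == 23),
    Signature(4001, "attack", "application", lambda p: b"BAD-CMD" in p.get("payload", b"")),
]

# Info signatures only alarm; attack signatures alarm, drop and reset together, as the guide recommends.
RULE = AuditRule("AUDIT.1", frozenset({"alarm"}), frozenset({"alarm", "drop", "reset"}), SAMPLE_SIGS)
```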
When to Use Cisco IOS Firewall IDS
Cisco IOS Firewall IDS capabilities are ideal for providing additional visibility at intranet, extranet, and
branch-office Internet perimeters. Network administrators enjoy more robust protection against attacks
on the network and can automatically respond to threats from internal or external hosts.
The Cisco IOS Firewall with intrusion detection is intended to satisfy the security goals of all of our
customers, and is particularly appropriate for the following scenarios:
Enterprise customers that are interested in a cost-effective method of extending their perimeter
security across all network boundaries, specifically branch-office, intranet, and extranet perimeters.
Small and medium-sized businesses that are looking for a cost-effective router that has an integrated
firewall with intrusion-detection capabilities.
Service provider customers that want to set up managed services, providing firewalling and intrusion
detection to their customers, all housed within the necessary function of a router.
Memory and Performance Impact
The performance impact of intrusion detection will depend on the configuration of the signatures, the
level of traffic on the router, the router platform, and other individual features enabled on the router such
as encryption, source route bridging, and so on. Enabling or disabling individual signatures will not alter
performance significantly; however, signatures that are configured to use Access Control Lists will have
a significant performance impact.
Because the router is being used as a security device, no packet will be allowed to bypass the security
mechanisms. The IDS process in the Cisco IOS Firewall router sits directly in the packet path and thus
will search each packet for signature matches. In some cases, the entire packet will need to be searched,
and the router must maintain state information, in some cases even application-level state and awareness.
For auditing atomic signatures, there is no traffic-dependent memory requirement. For auditing
compound signatures, CBAC allocates memory to maintain the state of each session for each connection.
Memory is also allocated for the configuration database and for internal caching.
Cisco IOS Firewall IDS Signature List
The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of
misuse in network traffic. In Cisco IOS Firewall IDS, signatures are categorized into four types:
Info Atomic
Info Compound
Attack Atomic
Attack Compound
An info signature detects information-gathering activity, such as a port sweep.
An attack signature detects attacks attempted into the protected network, such as denial-of-service
attempts or the execution of illegal commands during an FTP session.
Info and attack signatures can be either atomic or compound signatures. Atomic signatures can detect
patterns as simple as an attempt to access a specific port on a specific host. Compound signatures can
detect complex patterns, such as a sequence of operations distributed across multiple hosts over an
arbitrary period of time.
The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad
cross-section of intrusion-detection signatures as representative of the most common network attacks
and information-gathering scans that are not commonly found in an operational network.
The following signatures are listed in numerical order by their signature number in the Cisco Secure IDS
Network Security Database. After each signature’s name is an indication of the type of signature (info
or attack, atomic or compound).
Note: Atomic signatures marked with an asterisk (Atomic*) are allocated memory for session states by
CBAC.