Network Intrusion Detection System Overview
An in-depth look at the implementation of a NIDS is beyond the scope of this book. Furthermore, the configuration that is required to implement any NIDS depends on the system to be used. Within the medium-sized network design, NIDS appliances are used within the following:
- Public services segment
- Inside PIX Firewall segment
- Layer 3 core switch
Figure 16-1 shows the deployment of these NIDS sensors within the medium-sized network.

A NIDS works by using dedicated, hardened devices known as sensors, which analyze all network traffic that is received on the NIDS's interfaces. These sensors can monitor many hosts and, if configured properly, many different network segments. If you expand your network by adding new servers, you do not need to change the NIDS setup.

Adding more sensors gives the following benefits:
- Traffic levels: With the introduction of Gigabit Ethernet, more than one IDS sensor easily provides the interface capacity of new networks.
- Performance: As traffic increases, it may be necessary to introduce new sensors to cope with the increased capacity.
- Network implementation: The security policy or network design may require sensors in more than one location to monitor for different types of traffic.
Sensors have three crucial elements that must be specified in accordance with the network design:
- Connectivity: Network interface cards must be able to connect into the network (Ethernet, Fast Ethernet, Gigabit Ethernet, Token Ring, and FDDI are all options).
- Processor: Sensors must have adequate processing power to deal with the amount of traffic.
- Memory: Intrusion detection analysis is memory intensive.
NOTE
As mentioned at the beginning of this section, an in-depth look at NIDS deployment is beyond the scope of this book. You may have had some exposure to NIDS deployment by preparing for other CCSP exams. If not, however, you should familiarize yourself with the implementation and configuration steps required to deploy a NIDS. You should draw from practical experience and rely on reference material such as the CCSP course and Cisco Press self-study guides.

The remainder of this section summarizes the important features and facts that you should be aware of, at a minimum, regarding NIDSs.

To set up a NIDS sensor, perform the following steps:

Step 1. Configure the sensor's network settings.
Step 2. Define the list of hosts that are authorized to manage the sensor.
Step 3. Configure remote-management services.
Step 4. Configure SSH settings.
Step 5. Configure the sensor's date and time.
Step 6. Change the password for the account that is used to access the IDS Device Manager (IDM).
By default, the sensor logs all events locally by severity and type. The sensor can transfer archived copies of log files offline to an FTP server. This facility requires the following:
- Network access to the FTP server
- FTP username and password
- Directory with write permissions
The IP logging feature captures packets from an attacking host. The IP log file is in tcpdump format. IP logging has the following characteristics:
- Logs packets automatically when IP logging is configured as a signature response
- Logs packets from a source address that is entered manually
- Requires that event logging is enabled
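Because the IP log is a tcpdump (pcap) file, it can be examined offline with ordinary tools. The following Python is an added example, not code from the book or from Cisco's sensor software: it builds a small constructed pcap in memory to stand in for an exported IP log, then tallies packets per source, destination and IP protocol, skipping records that are truncated or not IPv4 instead of crashing on them.

```python
import struct
from collections import Counter

# Constructed sample data only: a minimal pcap built in memory stands in for a
# sensor IP log.  Nothing here is a real capture or Cisco's own format code.
PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

def ipv4_frame(src, dst, proto):
    """Ethernet + bare IPv4 header (constructed; checksum left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                             bytes(map(int, src.split("."))),
                             bytes(map(int, dst.split("."))))

def build_pcap(frames):
    """Wrap frames in a pcap global header plus per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

def summarize_ip_log(data):
    """Count packets per (src, dst, proto) in a tcpdump-format IP log."""
    magic, *_, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated or non-IPv4 record: skip it, do not crash
        ip = frame[14:]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        counts[(src, dst, ip[9])] += 1
    return counts

SAMPLE_LOG = build_pcap([
    ipv4_frame("10.1.1.50", "192.168.10.5", 6),   # two TCP packets to one host
    ipv4_frame("10.1.1.50", "192.168.10.5", 6),
    ipv4_frame("10.1.1.50", "192.168.10.9", 17),  # one UDP packet to another
    b"\x00" * 20,                                 # junk record the parser tolerates
])

if __name__ == "__main__":
    for (src, dst, proto), n in summarize_ip_log(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst} proto={proto}: {n} packet(s)")
```

On a real IP log, replace SAMPLE_LOG with the bytes read from the file the sensor exported; the same tally then shows which hosts the logged source touched and over which protocols.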
The sensor has parameters that affect the sensing function but are not specific to any particular signature or set of signatures. The following are the global sensing parameters:
- Internal network
- Sensing properties
- Level of traffic logging
The following provides an overview of signatures:
- The sensing engines and signatures are the core technologies of the Cisco IDSs.
- The sensing engines use the signature information to determine if the network traffic is considered malicious activity.
- The sensing engines are designed to perform pattern matching, stateful pattern matching, protocol decodes, and heuristic methods.
- The IDS Director enables the network security administrator to view the signatures, which are categorized by the following:
  - Signature groups
  - TCP connection signatures
  - UDP connection signatures
  - String signatures
  - ACL violation signatures
- Basic signature configuration includes the following:
  - Enabling or disabling the signature
  - Assigning the severity level
  - Assigning the signature action
Complete the following tasks to start using IDS Event Viewer (IEV):