Network Security Fundamentals [Electronic resources] (text version)

Gert De Laet, Gert Schauwers
IDS Management Communications


Network device management requires a communications channel to the network devices. Devices may support out-of-band management, in-band management, or both. In-band management consumes bandwidth that could otherwise carry user traffic. Out-of-band management leaves that bandwidth available for user traffic and typically improves the privacy and security of management communications, because management traffic never shares a link with the traffic being monitored. These benefits come at the cost of designing, provisioning, and operating a separate management network. In either case, the management channel must be robust, private, and secure, since whoever controls it controls the sensors.

Communication Syntax: RDEP


The data format used on the communication channel, which is set up between the network IDS sensor and the management station (often called the IDS director), is defined by the RDEP protocol. As of version 4.x of IDS sensor software, RDEP is used instead of PostOffice Protocol, which was used by earlier versions. The RDEP communication channel is critical to the success of an IDS and therefore must comply with some minimum requirements.

Figure 10-15 shows this communication channel, which is also referred to as the command and control network. The data link on which the sensor listens for traffic is referred to as the monitoring network.

Figure 10-15. Example of IDS Installation with Device Management

External communication, or data exchange, between the sensor and external systems uses XML. RDEP carries these XML documents between the sensor and the director over HTTP or, where confidentiality of alarms and commands matters, over TLS/SSL (HTTPS). RDEP communication consists of two message types: the RDEP request and the RDEP response. The payloads can be event messages or IP log messages, as noted in the previous section on IP logging.

More information on how to configure the RDEP protocol for Cisco devices can be found at:

http://www.cisco.com/en/US/products/sw/cscowork/ps3991/products_user_guide_chapter09186a008018d92172.

The RDEP protocol is designed to be reliable, redundant, and fault tolerant. Reliable delivery is assured because every message (alarm) sent by the sensor must be acknowledged by the management station within a predefined period of time; a message that is not acknowledged in time is treated as undelivered rather than silently lost.

Figure 10-16 illustrates a fault-tolerant setup with the RDEP protocol.

Figure 10-16. Fault Tolerant Setup with RDEP

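The following is an added example, not code from the book or from Cisco's RDEP implementation. It models the behaviour the two preceding paragraphs describe: the sensor serializes an alarm as an XML document, posts it to the director, and only clears the alarm when it receives an acknowledgement that echoes the same event ID; if the primary director is unreachable or never acknowledges, the sensor fails over to a redundant director, as in the fault-tolerant setup of Figure 10-16. The XML element names (events, evAlert, ack), the acknowledgement timeout, the director names and the sample addresses are all assumptions of this example, not RDEP's actual schema. The timeout itself is simulated: a director that never answers returns None instead of blocking.

```python
"""Added example: RDEP-style reliable alarm delivery with director failover.

Illustrative model only; element names, timeout and sample data are assumed.
"""
import xml.etree.ElementTree as ET
from typing import Optional

ACK_TIMEOUT_S = 5.0  # assumed: director must acknowledge within this window


def build_alert(sensor_id: str, event_id: int, sig_id: int,
                src: str, dst: str, severity: str) -> str:
    """Serialize one alarm as an XML document (RDEP carries XML over HTTP/TLS).
    Element and attribute names are assumptions for this example."""
    root = ET.Element("events")
    alert = ET.SubElement(root, "evAlert", eventId=str(event_id), severity=severity)
    ET.SubElement(alert, "originator").text = sensor_id
    ET.SubElement(alert, "signature", sigId=str(sig_id))
    parts = ET.SubElement(alert, "participants")
    ET.SubElement(parts, "attacker", addr=src)
    ET.SubElement(parts, "target", addr=dst)
    return ET.tostring(root, encoding="unicode")


def parse_ack(doc: str) -> Optional[int]:
    """Return the acknowledged event ID, or None for anything that is not a
    well-formed <ack eventId="..."/> (garbage, a stray alert, no reply)."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return None
    if root.tag != "ack":
        return None
    try:
        return int(root.get("eventId", ""))
    except ValueError:
        return None


class Director:
    """Management station. reachable=False models a dead command-and-control
    path; silent=True models a director that takes the connection but never
    acknowledges, which the sensor treats as an ACK timeout."""

    def __init__(self, name: str, reachable: bool = True, silent: bool = False):
        self.name, self.reachable, self.silent = name, reachable, silent
        self.received: list[str] = []

    def post(self, xml_doc: str) -> Optional[str]:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        if self.silent:
            return None  # no ACK within ACK_TIMEOUT_S
        root = ET.fromstring(xml_doc)
        alert = root.find("evAlert")
        if alert is None:
            return None  # malformed request: do not acknowledge
        self.received.append(xml_doc)
        return f'<ack eventId="{alert.get("eventId")}"/>'  # ACK echoes the ID


class Sensor:
    def __init__(self, sensor_id: str, directors, max_attempts: int = 3):
        self.sensor_id = sensor_id
        self.directors = list(directors)  # primary first, then redundant ones
        self.max_attempts = max_attempts
        self.unacked: dict[int, str] = {}  # alarms retained until acknowledged
        self.log: list[str] = []

    def deliver(self, event_id: int, xml_doc: str) -> Optional[str]:
        """Post the alarm, failing over across directors until one ACKs it.
        Returns the acknowledging director's name, or None if none did; the
        alarm stays in self.unacked until a matching ACK arrives."""
        self.unacked[event_id] = xml_doc
        for attempt in range(self.max_attempts):
            for d in self.directors:
                try:
                    resp = d.post(xml_doc)
                except ConnectionError as exc:
                    self.log.append(f"attempt {attempt}: {exc}")
                    continue
                # Only an ACK carrying *this* event ID clears the alarm; a
                # stray or forged ACK for another ID must not.
                if parse_ack(resp or "") == event_id:
                    del self.unacked[event_id]
                    self.log.append(f"attempt {attempt}: acked by {d.name}")
                    return d.name
                self.log.append(f"attempt {attempt}: no ACK from {d.name} "
                                f"within {ACK_TIMEOUT_S}s")
        return None


def demo() -> Optional[str]:
    """Primary director down, redundant director up: alarm lands on the backup."""
    primary = Director("director-hq", reachable=False)
    backup = Director("director-dr")
    sensor = Sensor("sensor-1", [primary, backup])
    doc = build_alert("sensor-1", 1001, 3050, "10.1.1.5", "192.168.10.20", "high")
    return sensor.deliver(1001, doc)


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is the acknowledgement discipline: the sensor never discards an alarm on its own, and it only treats an alarm as delivered when the director returns an acknowledgement bound to that specific event ID. Running this over plain HTTP would expose both the alarms and the acknowledgements to anyone on the command and control network, which is why the page's TLS/SSL option, or an out-of-band management network, matters.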

Out-of-Band Management


Preparation for the worst-case network management scenario includes ensuring that there is a way to reach the devices when the usual access channel is unavailable. Out-of-band management using modem access through a management port is an attractive option when combined with authentication and access controls. Direct connection to management ports using serial communication cables is a final, labor-intensive option.

Figure 10-17. Remotely Installed Sensor as an Example of Out-of-Band IDS Management


Out-of-band management offers significant advantages and becomes more desirable as the managed network grows. Real-time monitoring and device access take place over a protected channel that does not consume transport bandwidth. In a large network, the cost of provisioning and maintaining the management network is proportionally smaller than in a small network. Out-of-band management is part of the Enterprise Composite Network Model and of the Security Architecture for Enterprises (SAFE) as applied to large enterprises.

In-Band Management


In-band management is appropriate in smaller networks and in networks with enough link capacity to carry both application traffic and management activity. Because management traffic then shares links with the traffic being monitored, securing access to the devices and to the management applications is an essential consideration. When supported, secured in-band VPN access can also serve as a fallback if the management network is lost. Mechanisms that protect the management command and data stream include IPsec tunnels, Secure Shell (SSH), and Secure Sockets Layer (SSL). In-band channels are often the only option for managing remotely installed sensors, for example when branch-office sensors report to IDS directors installed at company headquarters. Figure 10-18 illustrates this scenario.

Figure 10-18. Example of In-Band IDS Management

