Solution Overview
Cisco IDS Solution
Background
Small and medium-sized businesses (SMBs) have become increasingly dependent on the network to support their primary business objectives. As businesses become more open to supporting Internet-powered initiatives such as e-commerce, customer care, supply-chain management, and extranet collaboration, network security risks are also increasing.
Network security and security policies are essential to ensure the integrity of company data. Repeatedly, SMBs, enterprise executives, and IT management rate network security as their top concern. Nonetheless, organizations often approach it in a step-by-step fashion at best, and many companies only explore robust security after a crisis. By then, the damage is done.
New Threats
The Internet and recent global cyber terrorism have fundamentally changed the way organizations approach security. Recent worm and virus incidents such as Code Red, Nimda, and the Slammer worm have heightened security awareness. Also, numerous other threats have emerged recently that are particularly troublesome:
For those who oversee their organization's network security and privacy, these attack trends are driving the need for a proactive "defense-in-depth solution."
The Defense-in-Depth Solution
Defense-in-depth is designed to counter the new generation of complex threats. Adopting this robust security strategy defends against highly sophisticated attacks that can occur at multiple locations in an organization's network. But the benefits of a comprehensive security infrastructure can only be realized if the network also maintains an integrated policy, management, and monitoring system that supports it. The ultimate goal is to deploy a set of security capabilities that together create an intelligent, self-defending network that identifies attacks as they occur, generates alerts as appropriate, and then automatically responds. Defense-in-depth will become increasingly vital as data, voice, and video networks converge into a single network and as wireless LANs (WLANs) become common.
Security mechanisms must counter threats to each part of the network. When you select security products, remember that they should be easily integrated into a total, end-to-end security solution. These complementary products should provide the following functions and provide a balance between access and protection:
- Access control, including identity services, authentication, authorization, and accounting (AAA), access control servers, and certificate authorities
- Extended perimeter services, such as firewalls, purpose-built appliances, and router access control lists (ACLs)
- Network and host-based intrusion detection and protection
- Centralized security (and policy) management
- Secure connectivity through encryption and VPNs
Multiple threats attack different parts of the network, so it's essential to deploy and manage network devices on all layers of the network. This strategy of defense-in-depth will help stop a threat should it breach one area of a network.
Network and Host-Based Intrusion Detection and Protection Solution
The need for intrusion detection is based on the increasing number of threats to computer networks. The amount of traffic carried by networks today makes it difficult to use traditional intrusion detection techniques, such as reviewing logs, to provide a meaningful and practical defense. This ultimately results in many attacks that are not detected and prevented.
What is Intrusion Detection?
Intrusion detection is the process of detecting attempts to gain unauthorized access to a network or to degrade network service. Such unauthorized access is dealt with, either automatically or through manual intervention, according to a set of rules.
Intrusion detection involves developing an understanding of how network attacks occur, and based on that understanding, taking a phased approach to stopping the attacks.
1. Ensure that general patterns of malicious activity are detected.
2. Ensure that specific events that do not fall into common categories of attacks are dealt with decisively.
Most intrusion detection systems (IDSs) rely on update mechanisms for their software that are quick enough to preempt a growing network threat. However, detecting intrusions is not sufficient. You need to trace intrusions back to the source and deal with the attacker in an effective manner. Dealing with attackers is not a trivial issue, because many attacks use spoofed IP addresses or are sourced from compromised devices or systems.
In summary, intrusion detection is the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. In practice, intrusion detection is complex, and IDSs perform in different ways.
Categories of IDSs
Two basic types of IDSs in the market today are:
Host-based IDSs
HIDSs are software agents used to secure critical network servers and desktops that contain sensitive information. In typical implementations, agents are loaded on each protected asset. These agents consume system resources such as disk space, RAM, and CPU time to analyze the operating system, application, and system audit trails. The collected information is compared to a set of rules to determine whether a security breach has taken place. These agents are tailored to detect host-related activity and can track such events with a fine degree of granularity (for example, which user accessed which file at what time).
HIDS agents can be self-contained, sending alarm information to the local console, or remotely managed by a manager/collector that receives periodic updates and security data. A host-based implementation that includes a centralized management platform makes it easier to upgrade the software. HIDSs are ideal if a limited number of critical systems need protection, and they are complementary to network-based IDSs; however, they do not scale well if a companywide solution is needed.
Network-based IDSs (NIDS)
- Network-based IDSs monitor activity on a specific network segment. Unlike host-based agents, network-based systems are usually dedicated platforms with two components: a sensor that passively analyzes network traffic and a management system that displays alarm information from the sensor and allows security personnel to configure the sensors.
- Implementations of NIDSs can be appliance-based, including both the sensor and the management platform, or software-based, such as the Cisco IOS® Intrusion Detection System, which embeds complete sensor-based inline intrusion protection in the router software.
The sensors in a NIDS capture traffic in a monitored segment and perform rules-based or expert-system analysis of the traffic using configured parameters. The sensors analyze packet headers to determine source and destination addresses and type of data being transmitted, and analyze the packet payload to learn about the data being transmitted. When the sensor detects misuse, it can perform various security-related actions: log the event, send an alarm to the management console, reset the data connection, or instruct the router to deny future traffic from that host or network.
Primary Methods of Detecting Misuse
Profile-based detection (also known as anomaly-based detection) involves building statistical profiles of user activity and then reacting to any activity that falls outside those established profiles. A user's profile can contain attributes such as files and servers frequently accessed, time spent logged onto the network, location of the network access, and many more.
Two major obstacles have rendered profile-based detection impractical and cost-prohibitive:
- Users change the way they use the network on a regular basis. Projects begin and end, and employees are transferred between departments or they work remotely, thus changing their point of entry into the network.
- There is no cost-effective way to build a sensor with enough memory and processing power to maintain even a small percentage of the ever-changing user profiles. Thus, due to current limitations on memory and processing power, profile-based intrusion detection often leads to a large number of false positives, or alarms deriving from nonthreatening events.
Signature-based detection, at a very basic level, can be compared to virus-checking programs. IDS vendors produce signatures that the IDS uses to compare against activity on the network or host. When a match is found, the IDS takes action, such as logging the event or sending an alarm to a management console. Although many vendors allow users to configure existing signatures and create new ones, customers are primarily dependent on the vendors to provide the latest signatures to keep the IDS up to date.
Signature-based detection can also produce false positives, as certain normal network activity can be construed as malicious. For example, some network applications or operating systems may send out numerous ICMP messages, which a signature-based detection system may interpret as an attempt by an attacker to map out a network segment.
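The following script is an added example, not code from Cisco or from this overview, showing in miniature the two detection methods described above and how a NIDS sensor uses both packet headers and payload. It runs a constructed packet trace (invented addresses, ports, and payloads) through a signature matcher, a stateful ICMP-sweep check, and a profile-based detector. The signatures, the monitoring-host allowlist, and the per-user baselines are all assumptions made for the illustration, and the sweep and profile checks deliberately show the false positives the text warns about (a legitimate monitoring host pinging many machines; a user whose work pattern changed).

```python
"""Toy signature-based and profile-based (anomaly) intrusion detection.

Added example for illustration; not Cisco IDS code. Packets, signatures,
addresses and baselines are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import statistics


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)
    payload: bytes  # application data carried by the packet


@dataclass(frozen=True)
class Signature:
    sig_id: str
    name: str
    proto: str
    dport: Optional[int]  # None means any destination port
    pattern: bytes        # byte string that must appear in the payload


# Constructed sample trace: two web requests, one UDP probe, and a host
# sending ICMP echo requests to 29 distinct addresses.
TRACE = [
    Packet("10.0.0.5", "10.0.1.20", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.1.20", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("192.0.2.9", "10.0.1.21", "udp", 1434, b"\x04\x01\x01\x01\x01"),
] + [Packet("10.0.0.7", f"10.0.1.{i}", "icmp", 0, b"echo") for i in range(1, 30)]

# Illustrative signatures (constructed, not vendor-supplied): the header
# fields select protocol and port, the pattern is checked against the payload.
SIGNATURES = [
    Signature("SIG-1", "HTTP directory traversal attempt", "tcp", 80, b"/../"),
    Signature("SIG-2", "UDP/1434 probe (constructed byte pattern)", "udp", 1434, b"\x04\x01\x01"),
]


def signature_matches(trace, signatures=SIGNATURES):
    """Return (sig_id, src, dst) for each packet matching a signature."""
    hits = []
    for p in trace:
        for s in signatures:
            if p.proto == s.proto and s.dport in (None, p.dport) and s.pattern in p.payload:
                hits.append((s.sig_id, p.src, p.dst))
    return hits


def icmp_sweep_alerts(trace, threshold=20, allowlist=frozenset()):
    """Stateful signature: one source sending ICMP to >= threshold distinct
    hosts looks like an attempt to map the segment. Hosts in the allowlist
    (e.g. a monitoring station that legitimately pings everything) are skipped,
    which is how an operator tunes away the false positive described above."""
    targets = defaultdict(set)
    for p in trace:
        if p.proto == "icmp" and p.src not in allowlist:
            targets[p.src].add(p.dst)
    return sorted((src, len(d)) for src, d in targets.items() if len(d) >= threshold)


# Constructed per-user baselines: distinct servers accessed per day over a week.
BASELINE = {"alice": [3, 4, 3, 5, 4, 3, 4], "bob": [10, 12, 11, 9, 10, 12, 11]}
# Today alice was moved to a new project and touched 14 servers: legitimate,
# but far outside her profile, so the anomaly detector raises an alarm.
TODAY = {"alice": 14, "bob": 11}


def profile_alerts(baseline, today, k=3.0):
    """Profile-based detection: flag users whose activity today exceeds
    mean + k * standard deviation of their own history."""
    alerts = []
    for user, history in baseline.items():
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0  # flat history: avoid a zero threshold
        if today.get(user, 0) > mean + k * sd:
            alerts.append(user)
    return sorted(alerts)


if __name__ == "__main__":
    for hit in signature_matches(TRACE):
        print("signature match:", hit)
    print("icmp sweep (untuned):", icmp_sweep_alerts(TRACE))
    print("icmp sweep (monitor allowlisted):",
          icmp_sweep_alerts(TRACE, allowlist=frozenset({"10.0.0.7"})))
    print("profile anomalies:", profile_alerts(BASELINE, TODAY))
```

Run as a script, it reports two signature matches, flags 10.0.0.7 as an ICMP sweep until that host is allowlisted, and flags alice as anomalous even though her change in behaviour is legitimate. The first result shows why signature detection depends on the vendor keeping the pattern set current; the other two show why both methods need tuning to keep false positives manageable.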
Figure 1. An Example of Implementing IDS in the Network
Benefits
A well-planned, well-executed, and comprehensive security plan will help mitigate:
In addition, robust network security can be a business enabler for deploying functions for significantly boosting productivity, efficiency, and information reach. Moreover, secure networks allow companies to work more fully with customers, suppliers, and other business partners. Thus, organizations gain greater business opportunities and potentially huge reductions in cost.
Conclusion
Port scans and denial-of-service attacks are an ongoing threat, and a firewall cannot protect against them. However, intrusion detection and protection tools are critical components of a defense-in-depth security solution that can identify potential threats and allow a company to take immediate action to block a hacker or a particular IP address that's being used to launch an assault.
By developing an appropriate security policy backed by industry-leading Cisco® solutions, companies can confidently deploy their network solutions and reap the benefits that the Internet offers.
