Cisco Security Professional's Guide to Secure Intrusion Detection Systems (eBook)
656 pages
Elsevier Science (publisher)
978-0-08-047654-4 (ISBN)
A comprehensive, up-to-date guide to the hardware and software that comprise the Cisco IDS. This book does more than show network engineers how to set up and manage this line of best selling products ... it walks them step by step through all the objectives of the Cisco Secure Intrusion Detection System course (and corresponding exam) that network engineers must pass on their way to achieving sought-after CCSP certification.
* Offers complete coverage of the Cisco Secure Intrusion Detection Systems Exam (CSIDS 9E0-100) for CCSPs
Cisco Systems, Inc. is the worldwide leader in networking for the Internet, and its Intrusion Detection Systems line of products is making inroads in the IDS market segment, with major upgrades having happened in February of 2003.
Cover 1
Contents 12
Foreword 24
Chapter 1 Introduction to Intrusion Detection Systems 28
Chapter 2 Cisco Intrusion Detection 66
Chapter 3 Initializing Sensor Appliances 102
Chapter 4 Cisco IDS Management 146
Chapter 5 Configuring the Appliance Sensor 212
Chapter 6 Configuring the Cisco IDSM Sensor 260
Chapter 7 Cisco IDS Alarms and Signatures 298
Chapter 8 Configuring Cisco IDS Blocking 374
Chapter 9 Capturing Network Traffic 410
Chapter 10 Cisco Enterprise IDS Management 456
Appendix A Cisco IDS Sensor Signatures 540
Index 658
Cisco Intrusion Detection
Introduction
In Chapter 1, we learned the fundamental principles and theory of security and intrusion detection systems. We also looked at Cisco-centric security mechanisms such as Cisco AVVID and SAFE. Cisco focuses on two primary types of IDSs: Host IDSs and Network IDSs. Within each of these systems, Cisco develops products that promote an “active defense” to secure the network environment. Cisco Active Defense focuses on three points:
Detection: The ways and means to identify malicious attacks on networks and resources.
Prevention: How to stop detected attacks from being executed.
Reaction: How to immunize the systems from future attacks and provide real-time alerts.
We’ll learn that Cisco IDS sensors provide Active Defense detection using several methods, including signature detection and other hybrid techniques. We’ll also discuss the ways Cisco IDS can stop an attacker in his tracks by sending TCP resets or dynamically manipulating firewall rule sets to prevent unwanted access. Finally, we’ll see how Cisco IDS solutions, such as the Host IDS sensor, can protect your resources, thwarting attacks through intelligent integration with application services and operating systems.
But, just what is Cisco Intrusion Detection? In this chapter, we’ll answer that question as we look closely at the specific Network and Host IDS platforms that comprise the Cisco IDS solution. We’ll discuss the 4200 IDS Sensor product line, the new IDS modules available for the Cisco Catalyst 6500 and Cisco 2600, 3600, and 3700 routers, and the Cisco Host IDS software.
Next, we’ll examine how to effectively manage the Cisco intrusion detection systems by using tools like Cisco IDS Event Viewer (IEV), IDS Device Manager (IDM), Cisco Secure Policy Manager (CSPM), and CiscoWorks VPN/Security Management Solution (VMS). Each of these tools has benefits for different environments and uses different mechanisms and protocols to communicate with Cisco IDSs in the network. We will discuss two protocols that Cisco has used to facilitate communication between the management stations and the sensors, the Cisco PostOffice Protocol and Cisco Remote Data Exchange protocol.
Finally, we’ll discuss in detail where Cisco IDS may be best deployed in the network. While each network environment requires different security approaches, there are several guiding principles regarding the intelligent and effective deployment of Cisco IDS.
Let’s begin by defining Cisco Intrusion Detection.
What Is Cisco Intrusion Detection?
Cisco Intrusion Detection is a complete security approach that provides a wide range of intrusion detection capabilities to help administrators secure and monitor their network environments against threats and security breaches. Cisco Systems IDS solutions are based on four concepts:
Accurate threat detection
Intelligent threat investigation and mitigation
Ease of management
Flexible deployment options
Cisco delivers each of these concepts through flexible Network IDS hardware, host-based IDS software, Cisco IDS sensor software, and scalable Cisco IDS management software.
At the heart of the Cisco Intrusion Detection System is the Cisco Network and Host IDS software, which provides accurate threat detection, intelligent threat investigation and mitigation, and simplified management. The software imparts comprehensive threat detection, delivering a hybrid system that uses methods including stateful pattern recognition, protocol analysis, traffic anomaly detection, and protocol anomaly detection. With the software, unauthorized exploits, DoS activity, reconnaissance attempts, and other malicious actions are quickly detected.
Accurate detection leads to threat investigation and mitigation. When an attack is detected, Cisco’s Threat Response technology works with Cisco IDSs to eliminate false alarms and escalate authentic attacks. This is accomplished using a three-step process involving:
Basic investigation of target vulnerability
Advanced investigation of targets
Forensic data capture
Cisco IDSs are capable of several means of protecting a company’s assets. Whether dropping an offending packet, terminating an attacker’s session by using the TCP reset feature, dynamically reconfiguring Access Control Lists (ACLs) on routers and switches, or automatically modifying firewall policies, Cisco IDS offers an array of immediate response actions to stop attacks in near–real time.
Cisco understands the potential difficulties involved with managing network and security infrastructure. To alleviate management impediments, Cisco provides a series of management options that offer ease of use and centralized management. With tools like the Cisco IDS Event Viewer, IDS Device Manager, Secure Policy Manager, and the CiscoWorks VPN/Security Management Solution, administrators have many powerful options at their fingertips.
The Cisco Network IDS solution set includes appliance-based intrusion detection through the Cisco 4200 line of sensors. With performance options ranging from 45 Mbps to 1 Gbps, the 4200 series offers multiple options for security administrators and can be quickly and easily integrated into network environments. Cisco also helps companies leverage existing switching and routing infrastructures through use of the Cisco Catalyst 6500 IDSM and the Cisco IDS Module for 2600, 3600, and 3700 routers. These modules integrate seamlessly into existing hardware to provide additional network security. And last but certainly not least, network IDS functionality is available in routers through an integrated but limited IOS feature set.
Cisco Host IDS works on the service endpoints in the network. Installed on hosts such as web and mail servers, the host sensor software protects operating systems and application-level functionality through tight integration. This is accomplished by inspecting all interaction with the operating system and comparing the requests for service against a database of known attacks. Should the request match a known exploit, the request for service will be terminated by the sensor software. Along with preventing known attacks, the Host sensor can also protect against generic or unknown exploits by preventing dangerous situations such as buffer overruns, a typical result of hacker exploits. Finally, the Host IDS software acts as a shield against intentional file corruption attempts, such as Trojan code insertion attacks. This is performed by “fingerprinting” executables and configuration files during baseline operations. This fingerprint or checksum is then regularly compared to the current version to protect system resources such as Registry keys, password files, and executables against unwanted manipulation.
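The baseline-and-compare fingerprinting described above, as an added example in Python (not Cisco's Host IDS code): a baseline records one checksum per monitored file, and a later pass reports files that were modified, removed, or newly added. The function names and the sample file tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Illustrative names; these are not Cisco Host IDS APIs.

def fingerprint(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Baseline phase: record a checksum for every file under root."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Comparison phase: classify drift against the recorded baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny tree, then simulate tampering with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"\x7fELF original binary")   # constructed content
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")        # constructed content
        baseline = build_baseline(root)
        # Simulated unwanted manipulation: executable altered, password file
        # removed, unexpected file dropped in.
        (root / "bin" / "httpd").write_bytes(b"\x7fELF altered binary")
        (root / "passwd").unlink()
        (root / "unexpected.cfg").write_text("x=1\n")
        return check_against_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Each drift category would map to an alarm in a host sensor; in practice the baseline itself must be stored where the monitored host cannot rewrite it.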
Cisco’s Network Sensor Platforms
As part of their flexible deployment strategy, Cisco offers several different Network IDS platforms to meet the varying needs of enterprise environments. Included in the Network IDS suite of products are the Cisco IDS 4200 Series sensors, the Cisco Catalyst 6000 IDS Modules, Cisco IDS Modules for 2600, 3600, and 3700 routers, and the Cisco router and firewall-based sensors. All of these devices represent the cost-effective, comprehensive security solutions Cisco can provide for custom-tailored network performance needs.
From the affordable Cisco IDS 4210 to the high performance IDS 4250XL, the Cisco 4200 Series devices provide an appliance-based detection system. Refer to Table 2.1 for details regarding the Cisco IDS platforms.
Table 2.1
The Cisco Sensor Capability Matrix
Model | Performance | Monitoring interface | Command and control interface | Optional interfaces | Rack units
---|---|---|---|---|---
Cisco IDS 4210 | 45 Mbps | 1 10/100Base-TX | 1 10/100Base-TX | N/A | 1
Cisco IDS 4215 | 80 Mbps | 1 10/100Base-TX | 1 10/100Base-TX | Four 10/100Base-TX sniffing interfaces | 1
Cisco IDS 4230 | 100 Mbps | 1 10/100Base-TX | 1 10/100Base-TX | N/A | 4
Cisco IDS 4235 | 250 Mbps | 1 10/100/1000Base-TX | 1 10/100/1000Base-TX | Four 10/100Base-TX sniffing interfaces | 1
Cisco IDS 4250 | 500 Mbps | 1... | | |
Publication date (per publisher) | 29.10.2003 |
---|---|
Language | English |
Subject area | Computer science ► Networks ► Security / Firewall |
Computer science ► Theory / Study ► Cryptology | |
Engineering ► Electrical engineering / Energy engineering | |
Business ► Business administration / Management | |
ISBN-10 | 0-08-047654-6 / 0080476546 |
ISBN-13 | 978-0-08-047654-4 / 9780080476544 |
Copy protection: Adobe DRM
Adobe DRM is a copy protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time; you can then read it only on devices that are also registered to your Adobe ID.
Adobe DRM details
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The body text reflows dynamically to the display and font size, which also makes EPUB well suited to mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a
eReader: This eBook can be read on (almost) all eBook readers, but it is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.