IDS
Description: IDS. Mike O'Connor, Eric Tallman, Matt Yasiejko. Overview: IDS defined; What it does; Sample logs; Why we need it; What it doesn't do; Setup; Alternatives. IDS defined: IDS = Intrusion Detection System; Cisco IDS-4215; placed on the switch; IDS vs IPS; IDS = detection, "passive".
Transcript
IDS
Mike O'Connor
Eric Tallman
Matt Yasiejko
Overview
IDS defined
What it does
Sample logs
Why we need it
What it doesn't do
Setup
Alternatives
IDS defined
IDS = Intrusion Detection System
Cisco IDS-4215
Placed on the switch
IDS vs IPS
IDS = detection; "passive"
IPS = prevention; "active"
Signature driven (misuse detection)
IDS defined
Used to detect traffic not captured by conventional firewalls
Network vs. Host IDS
Network = examines traffic and monitors multiple hosts
Host = analyzes system calls, file modifications, etc.
Misuse (signature based) vs. anomaly (self-learning)
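The host-based side of the definition above, where the sensor watches for file modifications rather than packets, can be shown with a baseline-and-compare integrity check. This is an added example, not code from the slides or from any IDS product; the directory layout, file contents and the "tampering" it detects are constructed in a temporary directory for the example.

```python
"""Host IDS file-modification check (added example, not from the slides).

A baseline of SHA-256 digests is taken, some files are changed, and a
second pass reports what was added, removed or modified.  Paths and
contents are constructed in a temporary directory for the demo.
"""
import hashlib
import os
import tempfile


def take_baseline(root):
    """Map each file under root (as a path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root)] = digest
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: three files recorded, then one edited, one deleted, one planted."""
    with tempfile.TemporaryDirectory() as root:
        originals = {
            "etc/passwd": b"root:x:0:0\n",
            "bin/ls": b"\x7fELF original",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for name, data in originals.items():
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = take_baseline(root)

        # Simulated tampering after the baseline was recorded (constructed).
        with open(os.path.join(root, "bin/ls"), "wb") as fh:
            fh.write(b"\x7fELF trojaned")          # modified binary
        os.remove(os.path.join(root, "etc/hosts"))  # removed file
        with open(os.path.join(root, "bin/nc"), "wb") as fh:
            fh.write(b"\x7fELF planted")           # planted file

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

The baseline itself is the weak point of this approach: it has to be stored somewhere the attacker cannot rewrite, or a modified file can simply be re-baselined.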
What it does...
Analyzes network traffic sent to or from FA 0/24
Uses a signature database to identify problematic traffic
Custom signatures may be added
False positives are quite possible
DNS requests
IP logging, block IP, allow IP, etc.
Detects port scans
Sample logs (screenshots)
DNS request logged
Signature 4003 details
Port scan detected
Why we need IDS
Nmap sweeps
Vulnerabilities are sought constantly
Many attack types
Above is one type of TCP sweep (SYN packets)
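The two kinds of log entry the slides show, a logged DNS request and a detected TCP SYN port sweep, reduced to a toy signature engine over flow records. This is an added example, not the Cisco IDS-4215's logic or code; the record format, the signature names, the sweep threshold and window, and the sample traffic are all constructed for the example. It also shows the false-positive point from the "What it does" slide: the same signature with a too-low threshold flags an ordinary web client.

```python
"""Signature-style detection over constructed flow records (added example).

Two "signatures" are applied: log every DNS request, and flag one source
sending bare SYNs to many distinct ports of one host within a short window.
Record format, thresholds and sample traffic are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since start of capture
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # TCP flags as letters, "S" = bare SYN


# Constructed sample traffic (not captured data): two DNS lookups, one web
# request, then a SYN sweep of 12 ports on 10.0.0.5 from 10.0.0.99.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.7", "10.0.0.1", "udp", 53),
    Flow(0.5, "10.0.0.7", "93.184.216.34", "tcp", 80, "S"),
    Flow(1.0, "10.0.0.8", "10.0.0.1", "udp", 53),
] + [
    Flow(2.0 + i * 0.01, "10.0.0.99", "10.0.0.5", "tcp", port, "S")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])
]


def dns_request_signature(flows):
    """Signature: any UDP datagram to port 53 is logged as a DNS request."""
    return [f"DNS request {f.src} -> {f.dst}"
            for f in flows if f.proto == "udp" and f.dport == 53]


def syn_sweep_signature(flows, min_ports=10, window=5.0):
    """Signature: one source sends bare SYNs to >= min_ports distinct ports
    of one host within `window` seconds.  Thresholds are assumptions; set
    min_ports too low and a busy legitimate client becomes a false positive."""
    seen = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            seen[(f.src, f.dst)].append((f.ts, f.dport))
    alerts = []
    for (src, dst), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide the window start
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append(f"TCP SYN port sweep {src} -> {dst} ({len(ports)} ports)")
                break                               # one alert per pair
    return alerts


def run_ids(flows, min_ports=10):
    """Apply every signature. An IDS only reports; blocking is the admin's job."""
    return dns_request_signature(flows) + syn_sweep_signature(flows, min_ports=min_ports)


if __name__ == "__main__":
    for line in run_ids(SAMPLE_FLOWS):
        print(line)
```

With the default threshold the sweep from 10.0.0.99 is the only TCP alert; with `min_ports=1` the single web SYN from 10.0.0.7 is reported too, which is exactly the kind of false positive the slides warn about.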
What our IDS doesn't do
Intrusion prevention!! The administrator must take action
Does not log traffic that does not pass through FA 0/24
This was a choice
Internal traffic is undetected at this time
Setup
Used CLI for IDS configuration
Set up IP, gateway, name, netmask
Set access list
Console only at the moment (134.198.161.100)
SPAN
Switched Port ANalyzer
Mirrors 0/24 onto 0/23
Monitor session on the switch
Switch# configure terminal
Switch(config)# monitor session 1 source interface fastethernet 0/24 both
Switch(config)# monitor session 1 destination interface fastethernet 0/23
Switch(config)# end
"both" mirrors ingress and egress of 0/24; the sensor's sniffing interface sits on 0/23
Alternatives
Snort
Software solution to IDS/IPS
Traffic analysis
Packet logging
Detects port scans, buffer overflows, etc.
IPS