We are pleased to present Chapter 5 (in 4 parts) of Cisco Press' Cisco Secure Intrusion Detection System, dealing with IDS Sensor Deployment. Even if you are not using Cisco's technology for intrusion detection, the information contained within will be valuable to you as you ensure you have all the bases covered to assure security for your network.
This first segment looks at all you need to know in preparing your deployment, including entry points into your network, critical network components, and security components.
Cisco Secure IDS Sensor Deployment
by Earl Carter
Being a network-based intrusion detection system (IDS), Cisco Secure IDS relies on one or more sensors to monitor network traffic at selected locations throughout your network. These sensors represent the eyes of Cisco Secure IDS. Therefore, deployment of the sensors is crucial to a successful Cisco Secure IDS installation.
An individual sensor contains two separate network interfaces. The sensor uses one of these interfaces to passively sniff all the network packets by placing the interface in Promiscuous mode. When an interface sniffs, it captures all the network packets that travel on the wire, not just the packets addressed to the system that do the sniffing. The sensor uses the other network interface for command and control traffic. To detect attacks, the sensor maintains a database of attack signatures. As packets traverse the network, the sensor examines each packet, attempting to match one of the signatures in its signature database. Whenever the network traffic matches one of the signatures, the sensor generates an alarm on its command and control interface.
In this chapter, you learn the following:
- To effectively deploy sensors in your network, you must analyze your network topology completely.
- After determining potential sensor installation points within your network, you need to decide how you want to configure those sensors. You can deploy each sensor in one of several different installation configurations, depending on the specific level of protection and capabilities needed.
Preparing for Deployment: Analyzing Your Network Topology
Attackers can launch exploits against any available resources on your network. Analyzing your network topology is crucial to defining all of your resources. Furthermore, deciding what information and resources you want to protect is the first step to creating a sensor deployment plan. Unless you understand your network topology thoroughly, you cannot comprehensively identify all the network resources that need protection. When examining your network topology, you must consider many factors:
- Entry points into your network
- Critical network components
- Remote networks
- Size and complexity of your network
- Security policy restrictions
Entry Points into Your Network
All the points where data enters your network represent potential locations at which an attacker can gain access to your network. You need to verify that each entry point is adequately monitored. Not monitoring an entry point into your network allows an attacker to penetrate your network undetected by your IDS. Common entry points into most networks include the following:
- Remote access configurations
Internet Entry Points
Your networks Internet connection makes your network visible to the entire Internet. Hackers worldwide can attempt to gain access to your network through this entry point. With most corporate networks, access to the Internet is directed through a single router. This device is known as a perimeter router. By placing a sensor behind this device, you can monitor all traffic (including attacks) destined for your corporate network. If your network contains multiple perimeter routers, you might need to use multiple sensors, one to watch each Internet entry point into your network.
As of January, 2001, current estimates project that 100 million hosts are connected to the Internet, with more than 350 million Internet users worldwide. Any of these users can potentially attack your network through your Internet connection.
Extranet Entry Points
Many corporate networks have special connections to business partners networks. Traffic from these business partners networks does not always travel through your networks perimeter device; therefore, it is important to make sure that these entry points are also monitored effectively. By penetrating your business partners networks, an attacker can use the extranet to infiltrate your network. You usually have little or no control over the security of your business partners networks. Furthermore, if an attacker penetrates your network and then uses the extranet link to attack one of your business partners, you are faced with a potential liability issue.
Intranet Separation Points
Intranets represent internal divisions within your network. These divisions might be organizational or functional. Sometimes, different departments within your network require different security considerations, depending on the data and resources that they need to access or protect. Usually, these internal divisions are already separated by a firewall, signaling different security levels between the different networks. Other times, the network administrator uses access control lists (ACLs) on the router between network segments to enforce separate security zones. Placing a sensor between these networks (in front of the firewall or router) enables you to monitor the traffic between the separate security zones and verify compliance with your defined security policy.
Sometimes, you also might want to install a sensor between network segments that have complete access to each other. In this situation, you want the sensor to monitor the types of traffic between the different networks, even though by default you have not established any physical barriers to traffic flow. However, any attacks between the two networks are quickly detected.
Remote Access Entry Points
Most networks provide a means to access the network through a dial-up phone line. This access allows corporate users to access network functionality, such as e-mail, when away from the office. Although this enhanced functionality is useful, it also opens up another avenue for an attacker to exploit. You probably need to use a sensor to monitor the network traffic from your remote access server, just in case a hacker can defeat your remote access authentication mechanism.
Many remote users use home systems that connect continuously through high-speed Internet connections, such as cable modems. Because these systems are usually minimally protected, attackers frequently target and compromise these home systems, which might also lead to a compromise of your remote access mechanism. Other times, stolen laptops reveal a wealth of information on how to access your network. Therefore, even if you trust your users and remote access mechanisms, it is beneficial to monitor your remote access servers with IDS sensors.
Critical Network Components
Determining critical components on your network is vital to a comprehensive analysis of your network topology. A hacker usually views your critical network components as trophies. Compromising a critical component also poses a significant threat to the entire network. Critical components fall into several categories:
- Servers (DNS, HTTP, CA, NFS, and so on)
- Infrastructure (routers, switches, hubs, and so on)
- Security components (firewalls, IDS components, and so on)
Sensors need to be deployed throughout your network to ensure that attacks against these critical components can be detected, and in certain situations halted through blocking (also known as device management).
, or device management
, refers to the process whereby the IDS sensor can dynamically update the access control lists on a router to block current and future traffic coming to the router from an attacking host.
Network servers represent the workhorses in your network. Typical services provided by your servers include name resolution, authentication, e-mail, and corporate Web pages. Monitoring access to these valuable network components is vital to a comprehensive security policy.
Many servers exist on a typical network. Some of those servers are as follows:
- Domain Name System (DNS) servers
- Dynamic Host Configuration Protocol (DHCP) servers
- Hypertext Transfer Protocol (HTTP) servers
- Windows domain controllers
- Certificate Authority (CA) servers
- E-mail servers
- Network File System (NFS) servers
The network infrastructure represents the devices that transfer data or packets between the hosts on the network. Common infrastructure devices include routers, switches, gateways, and hubs. Without these devices, the individual hosts on your network are isolated entities that are incapable of communicating with each other.
Routers transfer traffic between different network segments. When a router stops functioning, traffic flow between connected networks ceases. Your network is probably composed of several internal routers and one or more perimeter routers.
Switches transfer traffic between hosts located on the same network segment. Switches provide minimal security by sending nonbroadcast traffic to only specific ports on the switch. If a switch is disabled, it can cease to send traffic, resulting in a denial of service (DoS). In other situations, a switch can fail in an open state. In this open state, it sends all network packets to every port on the switch, essentially converting the switch into a hub.
Hubs also transfer traffic between hosts located on the same network. Unlike switches, however, hubs pass all the traffic to every port on the switch. Not only does this generate performance problems, it also reduces the security of the network by enabling any host on the segment to watch the traffic going to other hosts on the network.
Security components enhance the security of the network by limiting traffic flow and watching for attacks against the network. Common security devices include firewalls, IDS sensors, IDS management devices, and routers with access control lists.
Firewalls establish a security barrier between multiple networks. Normally, a firewall is installed to protect an internal network from unauthorized access. This makes them a prime target for attack.
Similarly, the IDS components continually monitor the network looking for signs of an attack. Hackers continually hunt for new methods to confuse and disrupt the operation of common intrusion detection systems. By disabling the intrusion detection system, an attacker can penetrate the network unseen (without raising the alarms that indicate an attack is in progress).
Many networks are composed of a central corporate network and multiple remote offices that communicate with the corporate network through WANs. Security at these remote facilities needs to be considered in your network analysis. Depending on the security posture of the remote sites, you might want to place a sensor to monitor the traffic traveling across the WAN links. Sometimes, remote facilities have independent connections to the Internet. All Internet connections definitely need to be monitored.
Size and Complexity of Your Network
The more complex your network is, the more likely it is that you need to deploy multiple sensors at various locations throughout your network. A large network also usually dictates the use of multiple sensors because each sensor is limited by a maximum amount of traffic that it can monitor. If your Internet network connection is a multi-gigabit pipe, a single sensor cannot currently handle all the traffic that your fully loaded Internet connection can deliver to your network.
Considering Security Policy Restrictions
Sometimes, sensors are placed in your network to verify compliance with your defined security policy. An excellent example of this is placing a sensor on the inside and the outside of a firewall.
The sensors labeled Sensor 1 and Sensor 5 in Figure 5-1 illustrate this setup. Sensor 1 monitors all traffic that is headed to the protected network. It detects all the attacks sent toward the protected network, even though most of the attacks can be prevented by the firewall. Sensor 5, however, monitors all the internal traffic. This represents traffic that manages to make it through the firewall from the outside, as well as traffic generated by internal hosts. Both sensors can detect security policy violations. Sensor 5 monitors traffic that makes it into the protected network, whereas Sensor 1 monitors the traffic that leaves the protected network.
Figure 5-1: Deploying Sensors at Common Functional Boundaries
(Click image for larger view in a new window)
Our next segment from Cisco Press' Cisco Secure Intrusion Detection System will deal with executing the deployment.