By Chaynika Taneja, Sumit Goswami
The IOS based IDS enables network administrators of small enterprises to build intrusion detection into the network without investing in a dedicated IDS entity
Network intrusion detection adds perimeter security over and above policy-based firewall protection. A network-based intrusion detection system (NIDS) is placed at strategic points in the network to protect it against internal as well as external threats. Commonly used NIDS are dedicated hardware sensors or software implementations that detect attacks based on signatures or profiles: signature-based systems compare traffic against a list of known attack patterns, while profile-based systems look for anomalies in traffic patterns and statistics. Snort is free IDS software; NetProwler from Symantec, RealSecure from ISS and NFR are other intrusion detection products, and Cisco offers the 4200 series hardware sensors and PIX firewalls for intrusion detection. However, each of these adds another entity to the network inventory. In this article we explain how to implement an NIDS using the IOS already running on Cisco routers.
Cisco routers running the IOS Firewall feature set include IDS functionality, so the network administrator of a small enterprise can build intrusion detection into the network at no extra hardware cost and without a dedicated IDS appliance. The current release recognises about 100 of the most common attack signatures; versions prior to 12.2(15)T supported only 59. Packets crossing an interface on which an audit rule has been applied, in the direction (in or out) the rule is applied, are compared against the enabled signatures, and on a match the router takes the configured action: raise an alarm (delivered to the console, a syslog server or a Cisco IDS Director, from where e-mail or SMS notification of the administrator can be arranged), drop the packet, or reset the TCP connection.
Configuration
IDS functionality is disabled by default on Cisco routers. The following steps describe the initialization and configuration of the IDS feature. All commands are entered in global configuration mode unless a different prompt is shown.
Initialization
router(config)# ip audit po max-events <number>
Sets the maximum number of event notifications held in the router's event queue (default 100).
router(config)# ip audit smtp spam <number-of-recipients>
Sets the recipient count above which an SMTP message is flagged by the spam signature (default 250).
- Logging
Events can be logged to syslog or to a Cisco IDS Director. Syslog is the common mode; the configuration steps for both modes are given below.
- a) Using syslog
router(config)# ip audit notify log
router(config)# logging console informational
This sends IDS alarms to the router's console at the informational level. To deliver them to a syslog server instead, point the router at the server with the logging <host> command and set the trap level with logging trap informational.
- b) Using IDS Director
This uses Cisco's proprietary PostOffice protocol. Each device is identified by a unique, user-defined host ID and organization ID, each in the range 1-65535; they play the same role as the host and network parts of an IP address.
router(config)# ip audit notify nr-director
Enables logging of IDS events to the IDS Director.
router(config)# ip audit po local hostid <host-id> orgid <org-id>
Specifies the router's own PostOffice identity.
router(config)# ip audit po remote hostid <host-id> orgid <org-id> rmtaddress <director-ip> localaddress <router-ip>
Specifies the remote Director: its PostOffice identity, its IP address, and the local router address used to reach it.
- Audit Rule configuration
IDS audit rules are either global or specific. Global policies define the default action for each signature class whenever no named rule applies:
router(config)# ip audit info {action [alarm] [drop] [reset]}
router(config)# ip audit attack {action [alarm] [drop] [reset]}
The default action for both classes is alarm.
Specific (named) policies are added on top of the global defaults and are needed when two or more interfaces on the router require different policies:
router(config)# ip audit name <audit-name> {info|attack} [list <standard-acl>] [action [alarm] [drop] [reset]]
The optional list parameter attaches a standard access list that restricts the addresses to which the rule applies.
- Signature Policies
By default all signatures are enabled.
Specific signatures can be disabled outright, or restricted to the addresses selected by a standard access list, with the following command:
router(config)# ip audit signature <signature-id> {disable | list <standard-acl>}
- Protection policies
router(config)# ip audit po protected <ip-address1> [to <ip-address2>]
Specifies the range of IP addresses the router treats as internal. Addresses in this range carry the locator IN in the alarms generated; all other addresses are marked OUT.
- Policy activation
The defined policies need to be activated on an interface.
router(config)# interface <type> <number>
router(config-if)# ip audit <audit-name> {in|out}
in or out specifies whether the policy is applied to inbound or outbound traffic on that interface.
- IDS verification
The IDS configuration can be inspected from privileged EXEC mode with the following command:
router# show ip audit all
Working with Cisco IOS
We now explain the implementation with a specific example, using syslog as the logging method:
router(config)# ip audit po max-events 100
router(config)# ip audit smtp spam 250
router(config)# ip audit notify log
router(config)# ip audit name test_audit info action alarm
router(config)# ip audit name test_audit attack action alarm drop reset
router(config)# ip audit signature 2000 disable
router(config)# interface GigabitEthernet1
router(config-if)# ip audit test_audit in
In this example informational signatures trigger an alarm, while a matching attack signature triggers alarm, drop and reset. The audit policy is applied to inbound traffic on the router's GigabitEthernet1 interface, and signature 2000 (ICMP echo reply) is disabled.
Note: In addition to 2000 (echo reply), it is recommended that signatures 2001 (host unreachable), 2002 (source quench), 2004 (echo request), 2005 (time exceeded) and 6051 (DNS zone transfers) be disabled, as these are normal events and can generate a lot of false alarms. Where zone transfers are only expected from known secondary name servers, consider restricting 6051 with the list option and an access list rather than disabling it, since an unexpected zone transfer is a classic reconnaissance step.
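Once alarms are flowing to syslog, the next problem is reading them. The script below is an added example (it is not code from the article or from Cisco) that parses %IDS alarm lines, suppresses the noisy signatures listed in the note above, labels each endpoint IN or OUT against the range you would give to ip audit po protected, and emits the ip audit signature <id> disable lines for the noise it actually saw. The sample log lines are constructed to the "Sig:<id>:<description> - from <src> to <dst>" message pattern, and the protected range 10.1.1.1 to 10.1.1.254 is an assumption.

```python
"""Triage Cisco IOS IDS (ip audit) syslog alarms.

Added example, not code from the article or from Cisco.  Assumed:
  * alarm lines follow "%IDS-<sev>-<NAME>: Sig:<id>:<description> - from <src> to <dst>";
  * the protected (internal) range is 10.1.1.1 to 10.1.1.254, i.e. what
    "ip audit po protected 10.1.1.1 to 10.1.1.254" would declare.
"""
import ipaddress
import re
from collections import Counter

# Signatures the article recommends disabling: they fire on normal traffic.
NOISY_SIGS = {2000, 2001, 2002, 2004, 2005, 6051}

# Assumed internal range, mirroring: ip audit po protected 10.1.1.1 to 10.1.1.254
PROTECTED_START = ipaddress.ip_address("10.1.1.1")
PROTECTED_END = ipaddress.ip_address("10.1.1.254")

# Matches the alarm body; the timestamp prefix varies, so search() is used.
ALARM_RE = re.compile(
    r"%IDS-\d-(?P<name>\w+): Sig:(?P<sig>\d+):(?P<desc>.*?) - from (?P<src>[\d.]+) to (?P<dst>[\d.]+)"
)

# Constructed sample log (not captured from a real router); one non-IDS line is
# included to show that unrelated syslog messages are skipped.
SAMPLE_LOG = """\
Mar  1 00:03:21.131: %IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from 10.1.1.20 to 10.1.1.10
Mar  1 00:03:22.010: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 203.0.113.7 to 10.1.1.10
Mar  1 00:03:25.442: %IDS-4-TCP_SYN_ATTACK_SIG: Sig:3050:Half-Open Syn Flood - from 203.0.113.7 to 10.1.1.10
Mar  1 00:03:26.005: %IDS-4-DNS_ZONE_XFER_SIG: Sig:6051:DNS Zone Transfer - from 198.51.100.9 to 10.1.1.53
Mar  1 00:03:27.300: %SYS-5-CONFIG_I: Configured from console by console
"""


def locator(ip):
    """IN if the address lies in the protected range, otherwise OUT (as in Director alerts)."""
    addr = ipaddress.ip_address(ip)
    return "IN" if PROTECTED_START <= addr <= PROTECTED_END else "OUT"


def parse_alarms(log):
    """Return one dict per %IDS alarm line; other syslog lines are ignored."""
    alarms = []
    for line in log.splitlines():
        m = ALARM_RE.search(line)
        if not m:
            continue
        sig = int(m["sig"])
        alarms.append({
            "sig": sig,
            "desc": m["desc"],
            "src": m["src"],
            "dst": m["dst"],
            "src_loc": locator(m["src"]),
            "dst_loc": locator(m["dst"]),
            "noisy": sig in NOISY_SIGS,
        })
    return alarms


def triage(log):
    """Summarise a log: hit counts per actionable signature, external sources,
    and the IOS commands that would silence the noisy signatures seen."""
    alarms = parse_alarms(log)
    actionable = [a for a in alarms if not a["noisy"]]
    noisy_seen = {a["sig"] for a in alarms if a["noisy"]}
    return {
        "total": len(alarms),
        "suppressed": len(alarms) - len(actionable),
        "by_sig": Counter(a["sig"] for a in actionable),
        "external_sources": sorted({a["src"] for a in actionable if a["src_loc"] == "OUT"}),
        "disable_commands": [f"ip audit signature {s} disable" for s in sorted(noisy_seen)],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} alarms, {summary['suppressed']} suppressed as noise")
    for sig, n in summary["by_sig"].items():
        print(f"  sig {sig}: {n} hit(s)")
    print("external sources:", ", ".join(summary["external_sources"]))
    print("\n".join(summary["disable_commands"]))
```

Run against the constructed log, the script keeps only the half-open SYN flood (signature 3050) from the external host 203.0.113.7 and prints disable commands for 2000, 2004 and 6051; feed it real syslog output from the router instead of SAMPLE_LOG to see which of the recommended disables actually matter on your network.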
The configuration can be verified using the show ip audit all command. Sample output (abridged) for the configuration above, where the global defaults were left at alarm, is as follows:
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action for info signatures is alarm
Default action for attack signatures is alarm
Default threshold of recipients for spam signature is 250
Audit Rule Configuration
 Audit name test_audit
    info actions alarm
    attack actions alarm drop reset
Interface Configuration
 Interface GigabitEthernet1
  Inbound IDS audit rule is test_audit
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
Limitations in security
The Cisco IOS IDS is not a full-featured IDS. Its signature set is limited to about 100 signatures, it performs signature matching only (there is no profile- or anomaly-based detection), and because inspection is performed inline on the forwarding path, router CPU load and throughput can suffer on busy interfaces. Signature matching also means the router only recognises attacks it has signatures for, so the audit rules should be treated as a supplement to, not a replacement for, firewall policy. Note also that the ip audit feature was superseded in later IOS releases by Cisco IOS IPS (the ip ips commands, introduced in 12.3(8)T), so check which of the two your release supports before planning a deployment.
Conclusion
Though the IOS based NIDS functionality is not a match for a dedicated, real-time, enterprise-level intrusion detection system, it is a boon for small enterprise network managers, who can achieve added network-level protection without adding another device to the network.