Implementing Network based Intrusion Detection with CISCO IOS

By Chaynika Taneja, Sumit Goswami

The IOS based IDS enables network administrators of small enterprises to build intrusion detection into the network without investing in a dedicated IDS entity

Network Intrusion Detection provides perimeter security to networks over and above policy based firewall protection. A Network based Intrusion Detection System (NIDS) is placed at strategic points in the network to protect it against internal as well as external threats. Commonly used NIDS are dedicated hardware sensors or software implementations that detect attacks based on signatures or profiles. While signature based systems compare incoming traffic to a list of signatures, profile based systems look for anomalies in traffic patterns and statistics. SNORT is a free IDS software. NetProwler from Symantec, RealSecure from ISS, NFR are some other intrusion detection systems. CISCO offers 4200 series hardware based IDS and PIX Firewalls for intrusion detection. However each of these systems add another entity to the network inventory. In this article we explain the implementation of an NIDS using the existing IOS running on CISCO routers.

CISCO routers with IOS Firewall feature set provide IDS functionality. The IOS based IDS enables network administrators of small enterprises to build intrusion detection into the network without investing in a dedicated IDS entity. This feature provides the administrators with a cost effective method of implementing IDS. The system presently provides protection against 100 most common threats. Version prior to 12.2<15>T supported only 59 signatures. The system scans all incoming and outgoing packets for malicious signatures and takes corresponding action. The system can be configured to drop the packet, reset the connection, alert the administrator via mail/SMS or send a notification to the syslog server.

Configuration

IDS functionality is disabled by default in CISCO routers. The following steps describe the initialization and configuration of IDS feature.

Initialization

router(config)# ip audit po max-events 

Limits the no of queued up events. can range from 1-65535 (default is 250)

router(config)# ip audit smtp spam 

Limits email spamming by limiting the recipients. can range from 1-65535 (default is 250)

1. Logging

Logging can be done using syslog or IDS Director. Syslog is the common mode of logging. However, the configuration steps for both the modes of logging are indicated below:

1. a) Using syslog

      router(config)# ip audit notify log

      router(config)# logging console info

      This will send logs to router’s console

1. b) Using IDS Director

      This uses CISCO’s proprietary protocol PostOffice. In this protocol, each device has a unique, user defined, host id and organization id, which identify the device. The IDs can range from 1-65535 and are similar to a host ID and network ID in the IP addressing schema.

      router(config)# ip audit notify nr-director

      Enables logging of IDS events to IDS Director

      router(config)# ip audit po local hostid  orgid 

      Specifies PostOffice configuration for router

      router(config)# ip audit po remote host id  orgid  rmtaddress  localaddress 

      Specifies configuration for remote Director device.

2. Audit Rule configuration

IDS audit rules can either be Global or specific. Global policies define default rules when no specific rule has been defined.

Global policies define default actions if no specific rules are specified.

      router(config)# ip audit info {alarm   }

      router(config)# ip audit attack {alarm   }

Default action is alarm

Specific policies can be added in addition to the global rules. They are needed if two or more interfaces on the router need different policies.

      router(config)# ip audit name  {info|attack} < span=""><>

      {action  }

is a name given to the policy. Specifying standard ACL in list is optional and is generally avoided as it affects router performance.

3. Signature Policies

By default all signatures are enabled.

      Specific signatures can be disabled with the following command:

      router(config)# ip audit signature

      {disable | list  }

      is the list of signatures numbers to be disabled.

4. Protection policies

      router(config)# ip audit po protected 

ip_address1 to ip_addess2 specifies the range of ip addresses that router identifies as internal addresses. These addresses are prefixed by IN as the locator, in the alerts generated.

5. Policy activation

The defined policies need to be activated on an interface.

router(config)# interface type 

router(config)# ip audit 

in/out specify whether the policy is to be applied to inbound or outbound traffic.

6. IDS verification

IDS configuration can be tested with the following command:

router(config)# show ip audit all

Working with Cisco IOS

We now explain the implementation with a specific example, using syslog as the logging method:

      router(config)# ip audit po max-events 100

      router(config)# ip audit smtp spam 250

      router(config)# ip audit notify log

      router(config)# ip audit name test_audit info 
 action alarm

      router(config)# ip audit name test_audit attack 
 action alarm drop reset

      router(config)# ip audit signature 2000 disable

      router(config)# interface GiganitEthernet1

      router(config-if)# ip audit test_audit in

In this example, informational signatures have been enabled and trigger an alarm. In case an attack signature matches action is alarm, drop and reset. The audit policy is applied to incoming traffic on the GigabitEthernet1 interface of the router. Signature 2000 for echo reply is disabled.

Note: It is recommended that in addition to 2000(echo reply), signatures 2001(host unreachable), 2002(source quench), 2004(echo request), 2005(time exceeded) and 6051(DNS zone transfers) be disabled as they are normal events are can generate a lot of false alarms.

The configuration can be verified using show ip
audit all command. Sample output of this command is
as follows:

      Event notification through syslog is enabled

      Event notification through Net Director is disabled

      Default action for info signatures is alarm

      Action for attack signatures is alarm drop reset

      Default threshold of recipients for spam signature 
 is 250

      Audit Rule Configuration

      Audit name test_audit

      attack actions alarm drop reset

      Interface Configuration

      Interface GigabitEthernet1

      Inbound IDS audit rule is audit_ids

      attack actions alarm drop reset

      Outgoing IDS audit rule is not set

Limitations in security

The CISCO IOS IDS is not a full-fledged IDS, hence functionality is limited to only 100 signatures. In addition to this, since the detection is performed inline, performance of the router may be affected due to the overhead of examining the packets.

Conclusion

Though the IOS based NIDS functionality is not a
match to a dedicated, real time enterprise level
intrusion detection system, it is a boon for small enterprise network managers who can achieve added network level protection without adding another device to the network.