IDS - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

IDS

Description:

The administrator must take action. Does not log traffic ... Console only at the moment (134.198.161.100) SPAN. Switched Port ANalyzer. Mirrors 0/24 onto 0/23 ... – PowerPoint PPT presentation

Number of Views:14
Avg rating:3.0/5.0
Slides: 15
Provided by: ericst6
Category:
Tags: ids | at | console | moment | the

less

Transcript and Presenter's Notes

Title: IDS


1
IDS
  • Mike OConnor
  • Eric Tallman
  • Matt Yasiejko

2
Overview
  • IDS defined
  • What it does
  • Sample logs
  • Why we need it
  • What it doesnt do
  • Setup
  • Alternatives

3
IDS defined
  • IDS Intrusion Detection System
  • Cisco IDS-4215
  • Placed on the switch
  • IDS vs IPS
  • IDS detection passive
  • IPS prevention active
  • Signature driven (misuse detection)

4
IDS defined
  • Used to detect traffic not captured by
    conventional firewalls
  • Network vs. Host IDS
  • Network examines traffics and monitors multiple
    hosts
  • Host analyzes system calls, file modifications,
    etc
  • Misuse (signature based) vs. anomaly (self-learn)

5
What it does
  • Analyzes network traffic that has been sent to or
    from FA 0/24
  • Uses signature database to identify problematic
    traffic
  • Custom signatures may be added
  • False positives are quite possible
  • DNS requests
  • IP logging, block IP, allow IP, etc
  • Detects port scans

6
DNS request logged
7
Signature 4003 details
8
Port scan detected
9
Why we need IDS
  • Nmap sweeps
  • Vulnerability sought constantly
  • Many attack types
  • Above is one type of TCP sweep (SYN packets)

10
What our IDS doesnt do
  • Intrusion Prevention!!
  • The administrator must take action
  • Does not log traffic that does not pass through
    FA 0/24
  • This was a choice
  • Internal traffic is undetected at this time

11
Setup
  • Used CLI for IDS configuration
  • Setup IP, gateway, name, netmask
  • Set access list
  • Console only at the moment (134.198.161.100)

12
SPAN
  • Switched Port ANalyzer
  • Mirrors 0/24 onto 0/23

13
Monitor session on the switch
  • configure terminal
  • monitor session 1 source interface fastethernet
    0/24 both
  • monitor session 1 destination interface
    fastethernet 0/23
  • end

14
Alternatives
  • Snort
  • Software solution to IDS/IPS
  • Traffic analysis
  • Packet logging
  • Detects port scans, buffer overflows, etc
  • IPS
Write a Comment
User Comments (0)
About PowerShow.com