IDS - PowerPoint PPT Presentation

Provided by: ericst6
Slides: 15

Transcript and Presenter's Notes

1
IDS
  • Mike O'Connor
  • Eric Tallman
  • Matt Yasiejko

2
Overview
  • IDS defined
  • What it does
  • Sample logs
  • Why we need it
  • What it doesn't do
  • Setup
  • Alternatives

3
IDS defined
  • IDS Intrusion Detection System
  • Cisco IDS-4215
  • Connected to the switch on a mirrored (SPAN) port; it sees a copy of
    the traffic rather than sitting inline
  • IDS vs. IPS
  • IDS: detection, passive (alerts, the administrator responds)
  • IPS: prevention, active (sits inline and can drop traffic)
  • Signature driven (misuse detection)

4
IDS defined
  • Used to detect malicious traffic that a conventional firewall
    lets through
  • Network vs. host IDS
  • Network IDS examines traffic on the wire and monitors multiple
    hosts at once
  • Host IDS analyzes system calls, file modifications, etc. on one host
  • Misuse (signature-based) vs. anomaly (self-learning baseline)

5
What it does
  • Analyzes network traffic sent to or from FA 0/24 (the monitored
    switch port)
  • Uses a signature database to identify problematic traffic
  • Custom signatures may be added
  • False positives are quite possible; every alert still needs a human
    look
  • Logs DNS requests
  • Event actions: IP logging, block IP, allow IP, etc.
  • Detects port scans

6
DNS request logged
7
Signature 4003 details
8
Port scan detected
9
Why we need IDS
  • Nmap sweeps
  • Vulnerabilities are sought constantly
  • Many attack types
  • The screenshot above shows one type of TCP sweep (SYN packets):
    one source probing many ports on one host

10
What our IDS doesn't do
  • Intrusion prevention!!
  • The administrator must act on the alerts; nothing is blocked
    automatically
  • Does not log traffic that does not pass through FA 0/24
  • This was a design choice
  • Traffic between other switch ports (internal traffic) is undetected
    at this time

11
Setup
  • Used the CLI for IDS configuration
  • Set IP address, gateway, hostname and netmask
  • Set the access list (which hosts may manage the sensor)
  • Managed from the console only at the moment (sensor address
    134.198.161.100)

12
SPAN
  • Switched Port ANalyzer
  • Mirrors FastEthernet 0/24 onto 0/23, where the sensor's sniffing
    interface is connected
  • A SPAN destination port only emits the mirrored copies and does not
    carry normal switched traffic, so the sensor cannot be managed
    through that port (hence console-only management)

13
Monitor session on the switch
  • configure terminal
  • monitor session 1 source interface fastethernet 0/24 both
  • monitor session 1 destination interface fastethernet 0/23
  • end
  • "both" copies traffic received and transmitted on 0/24; mirroring
    only one direction would give the sensor half of each conversation

14
Alternatives
  • Snort
  • Open-source software IDS/IPS
  • Traffic analysis
  • Packet logging
  • Detects port scans, buffer overflows, etc.
  • Can run inline as an IPS