Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on how to build a sound incident management process to prepare for security threats, which have increased dramatically, with Cisco expert Omar Santos. Omar is a senior network security engineer in the worldwide security service practice of Cisco's Advanced Services for network security. He has more than ten years of experience in secure data communications and has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. Government.
Remember to use the rating system to let Omar know if you have received an adequate response.
Omar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 2, 2007. Visit this forum often to view responses to your questions and the questions of other community members.
Incident management is not a product-specific methodology; it is more of a life cycle. There are many security products and technologies that can be implemented to better prepare your infrastructure. Incident management and incident readiness are beyond the "black box" approach that many people take. For example, you can take advantage of event monitoring and correlation tools such as CS-MARS to quickly monitor, identify, and mitigate a network threat to improve uptime and increase productivity. You can deploy strong security policies on multi-function security devices such as the Cisco ASA to enhance the security of your network.
Just as I mention in my book and other articles, you must also build strong configuration guidelines, policies, and best practices to effectively prepare your organization against security threats. Building strong security policies is crucial for any organization. These policies should be strong, yet realistically flexible to accommodate ever-changing requirements.
We have had ongoing problems with a specific signature, namely 'TCP Segment Overwrite', sig 1300/0.
Because this should be a rare attack, as it has a low probability of working and is 'difficult', we became suspicious a while back due to the volume, and raised TAC case 602133293, which ended up with a bug being opened, as the signature fired when nothing was overwritten (something to do with keepalives on certain TCP stacks). This was fixed and all was well for a while, but in later versions of the 5 code this started appearing again.
The problem we have is how we troubleshoot this: we can't log on the sensor, as the sensor only starts logging from the packet that caused the alert, so we can't see the packet that was overwritten. Has anybody got any ideas of the best way to troubleshoot this? The only way we can think of is to constantly capture packets on the server (or another sniffer) with Wireshark or the like.
I note that on the forums there have been a few posts about this, and because we manage quite a few sensors, I can confirm that most clients have got so sick of the alert that they have just requested that it be filtered, as they feel they have no other option.
I have researched the TAC service request you described and talked to the engineers who were helping you. Unfortunately, since this was a defect in our code (i.e., a bug), the troubleshooting procedure is very particular to these symptoms. Unfortunately, other than examining the server packets with a sniffer, just as you mentioned, the sensor will log the packet that caused the alert. Although you can create more customized rules to capture other packets, it may be simpler and easier to use the sniffer in this case. Again, this is because of the nature of this specific problem.
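The thread leaves the poster with a server-side packet capture as the only way to see the segment that was supposedly overwritten. As an added illustration (not code from the thread, from Cisco, or from the IPS sensor), the following Python re-implements the core check behind an overwrite-style signature on constructed segments, so that a capture taken with the sniffer Omar suggests can be replayed through it offline. The `Segment`/`StreamState` types, the sample traffic, and the decision to exempt a one-byte segment that re-covers the last accepted byte (the RFC 1122 keepalive "garbage octet" case, which resembles the keepalive problem the poster mentions but is not confirmed by the page to be the actual bug) are all assumptions of this example.

```python
# Added illustration, not code from the forum thread, from Cisco, or from the
# IPS sensor: a minimal re-implementation of the check behind a
# "TCP Segment Overwrite" style signature, run over constructed segments.
from dataclasses import dataclass, field

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    """One payload-carrying TCP segment in a single direction of a stream."""
    seq: int        # absolute sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamState:
    """Payload bytes already accepted for one direction, keyed by seq."""
    seen: dict = field(default_factory=dict)  # seq -> byte value (int)
    highest: int = -1                          # seq of the highest byte accepted;
                                               # wrap is ignored for this marker


def is_keepalive_probe(state, seg):
    """RFC 1122 section 4.2.3.6 allows a keepalive probe to carry one garbage
    octet at SND.NXT-1, i.e. a one-byte segment that re-covers the last byte
    already sent.  Whether this is what the TAC bug in the thread was is not
    stated there; skipping it here is an assumption of this example."""
    return len(seg.payload) == 1 and state.highest >= 0 and seg.seq == state.highest


def check_segment(state, seg, skip_keepalive=True):
    """Compare seg against bytes already seen and record any new bytes.

    Returns a list of (seq, old_byte, new_byte) for every byte whose value
    differs from what was seen earlier at that sequence number.  An exact
    retransmission overlaps but matches, so it produces no mismatch.
    """
    if skip_keepalive and is_keepalive_probe(state, seg):
        return []
    mismatches = []
    for i, new in enumerate(seg.payload):
        s = (seg.seq + i) % SEQ_MOD
        old = state.seen.get(s)
        if old is None:
            state.seen[s] = new
        elif old != new:
            mismatches.append((s, old, new))
    if seg.payload:
        last = (seg.seq + len(seg.payload) - 1) % SEQ_MOD
        state.highest = max(state.highest, last)
    return mismatches


def analyze(segments, skip_keepalive=True):
    """Run one direction of a stream through check_segment and return one
    alert dict per segment that overwrote previously seen data."""
    state = StreamState()
    alerts = []
    for idx, seg in enumerate(segments):
        mm = check_segment(state, seg, skip_keepalive)
        if mm:
            alerts.append({
                "index": idx,
                "seq": seg.seq,
                "bytes_overwritten": len(mm),
                "first": mm[0],   # (seq, old_byte, new_byte)
            })
    return alerts


# Constructed sample (not a real capture): client-to-server half of one
# connection, with a benign retransmission, a keepalive-style garbage octet,
# and a genuine overwrite of four bytes inside the Host header.
SAMPLE = [
    Segment(1000, b"GET /index.html HTTP/1.1\r\n"),  # seq 1000..1025
    Segment(1026, b"Host: example.test\r\n"),       # seq 1026..1045
    Segment(1026, b"Host: example.test\r\n"),       # exact retransmission: no alert
    Segment(1045, b"\x00"),                         # one garbage octet over the last byte
    Segment(1030, b"\xff\xff\xff\xff"),            # rewrites ": ex" with 0xff bytes
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
    # Without the keepalive exception the garbage octet also fires:
    print(len(analyze(SAMPLE, skip_keepalive=False)), "alerts without the exception")
```

To use it on the server-side capture the poster describes, split the pcap into per-direction `Segment` lists (for example with scapy or dpkt, which are not used here so the block stays offline) and call `analyze` on each direction; the `first` tuple tells you which byte was previously seen and what the later segment carried, which is exactly what the sensor's alert-triggering packet alone cannot show. The one-byte exemption is a heuristic: a real attacker could also send a one-byte overwrite at the stream edge, so a production check would at least record such events at a lower severity rather than drop them silently.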