Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Intrusion Detection Systems with Cisco expert Joe Sirrianni. Joe has been in the computer/network security field for more than ten years. Feel free to post any questions relating to Intrusion Detection Systems.
Joe may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 2. Visit this forum often to view responses to your questions and the questions of other community members.
I'm pleased to see this discussion... My question is, what changes does Cisco see happening with perimeter security monitoring and data management in the next year or so? We are a Cisco shop and it seems to make sense to stick with CSIDS; however, the data management tools currently available seem to work well in low volume applications. I can only imagine that the problem gets worse the larger the network. If we implemented IDS sensors by the book (as in the Cisco SAFE blueprint)... wow, lots of data! The problem is not scalability of the IDS components, it is scalability of the user interface and data management tools. Does that make sense? Understanding that IDS must be tuned, false alarms excluded, etc.... What is Cisco doing to make it easier to manage all this data and react more quickly to events? Is the answer a product(s)? Training? Custom integration/engineering? All of the above?
We agree that data management will be critical to scaling IDS in very large environments. While the current management applications can handle a reasonable volume of alarm traffic, it certainly becomes more challenging as you scale sensor deployments into the hundreds. As you mentioned, tuning the sensors to reduce the volume of data that you collect definitely helps, but again isn't always adequate in large-scale deployments. We do have some internal efforts underway to address this (which I can discuss with you more in-depth under Nondisclosure) and we have 3rd party partners that are also attacking this challenge. I can't accurately comment on timelines at this point, but I can say that this is an area where you'll see advancements in the future not only by Cisco, but by our partners as well.
That said, I also believe that tools are only going to solve part of the challenge that you posed. Understanding the data that the IDS reports requires a good understanding of the network environment that you're monitoring, and skills to accurately determine what happened and how to respond appropriately. There is a policy/procedures aspect to IDS that also has to be established before you can realize its full benefits. Consultants/integrators can be very helpful in setting all of this up, but, ultimately, the end customer has to assume operational responsibility. Another option is to outsource management/monitoring of your IDS to one of the IDS managed service providers that work with our products. Hope this answers your question and thanks for your insightful question.
Thanks Joe, It's good to know you guys are working this issue. There are lots of products out there that make great claims, but it's very hard to tell what you're getting into until you start using the data, and by then it may be too late to back out the product easily. This gives me some ammo to keep pushing for Cisco solutions as we build our networks.
I am using IDS systems from different vendors, so I used the NetRanger at StorageTek times. I have a few questions about the future plans of Cisco:
Cisco has two products with similar features, the CSPM and the CSIDS Director. What is the future of these products?
Using the CSPM, why is it impossible to use the "blocking" feature with the 2.5 IDSM?
In today's environment you have several 100 Mbit connections or Gigabit connections. Cisco has several sensors; thinking of the Catalyst 6000, you have an IDS sensor with 100 Mbit throughput but a switch with up to 256 Gb/sec backplane. Where is the scalability of sensors and Directors?
> Cisco has two products with similar features, the CSPM and the CSIDS Director. What is the
> future of these products?
The Director and CSPM really address different customer environments and we plan to support both platforms for the foreseeable future. The Director is a Unix-based management platform that displays alarms in HP OpenView Network Node Manager (NNM). Customers that use NNM like the ability to consolidate all of their network events into a single interface. CSPM, on the other hand, is a multi-device, policy management tool. In addition to the IDS functionality, it can manage other Cisco security products as well (e.g., PIX, VPN gateways).
> Using the CSPM, why is it impossible to use the "blocking" feature with the 2.5 IDSM?
Since we don't support blocking/shunning on the Cat6K IDS Module (IDSM) yet, CSPM is product/version aware and will not let you configure that functionality on the IDSM. Shunning/blocking on the IDSM is scheduled to be released in Q2CY01, at which time the blocking/shunning tab in CSPM will be activated.
> In today's environment you have several 100 Mbit connections or Gigabit connections. Cisco
> has several sensors; thinking of the Catalyst 6000, you have an IDS sensor with 100 Mbit
> throughput but a switch with up to 256 Gb/sec backplane. Where is the scalability of sensors
> and Directors?
Unfortunately, network data rates are increasing faster than we can keep up. It is probably safe to say that maximum data rates will always exceed our ability to monitor all of it because IDS is extremely resource intensive (e.g., memory, memory bandwidth and CPU requirements). The way we address this with the IDSM is that you have the ability to granularly define the flows that you want to monitor by using the VLAN ACL (VACL) "capture" functionality on the Catalyst switch. For example, you can tell the switch that you just want to monitor traffic destined to subnets A, B and C, and/or just monitor HTTP, Telnet and FTP traffic. This allows you to effectively monitor higher bandwidths because you're only looking at a subset of the overall traffic (only the "traffic of interest"). This does require you to understand the traffic on the network and make policy decisions as to what traffic is higher priority from an IDS perspective. You can scale performance by putting multiple IDSMs in a chassis and directing traffic from different VLANs to each. While we are working very hard to improve performance of both our appliance and IDSM sensors, it will probably be a while before we can monitor a fully loaded 256Gbps backplane (at which time the switch will probably be running at Terabit speeds). Most security mechanisms are challenged by high data rates and it usually comes down to a risk management decision as to what you protect first. If we could only get the world to slow down a bit and give us a chance to catch up. ;-)
Thank you for your questions and if I didn't adequately answer them, please let me know and I'll try again.
Let's say it is the answer I expected; Cisco is not the only one who has problems with the high data rates, companies like ISS and NFR have the same problems.
But I have to advise on or implement IDS environments at different customers with high security requirements. I can't say, well, let us "only" look at traffic from VLAN-A to VLAN-B or "only" HTTP traffic. I know of the problems of handling traffic in an IDS environment, but I have to have a solution for our customers.
The only solution I see at the moment is to copy different traffic types to different sensor farms. Is this done with content switches like TopLayer or CSS 11000?
Load balancing IDS traffic is definitely an approach to scaling performance; however, it too has challenges. Not all load balancers can be used for IDS. Load balancers that have to see response traffic from the servers in order to establish their state tables will not work with IDS. IDS sensors are passive, promiscuous devices and do not send out response traffic. In addition, certain signatures may not work well in load balanced IDS environments depending upon the load-balancing algorithm because they need to see traffic that is sent to multiple destinations (e.g., host sweeps). If all the traffic associated with the sweep (with different destination IP addresses) isn't sent to the same sensor, the signature won't detect the sweep. This is not to say that load balancing isn't a viable approach to scaling performance; it is, but it also has its limitations. Ultimately, you'll probably have to make policy decisions about what traffic you want to monitor even with load balancing because of cost reasons (10 - 100 Mbps sensors and a load balancer can quickly exceed $100K). If you can subset/segment your traffic by VLAN and keep each VLAN or group of VLANs under ~120Mbps, you could build a Gbps sensor using a Catalyst 6009 switch, 1 supervisor card and 8 IDS Modules.
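The host-sweep problem described above, as an added example that is not part of the original thread: a constructed packet set is split across four sensors either by destination hash or by source hash, and a minimal per-sensor sweep signature shows that the sweep is only caught when all of one source's packets land on the same sensor. The balancing keys and the hash stand-in are assumptions for illustration, not the behaviour of any specific load balancer.

```python
"""Added example (not from the original thread): why a host-sweep signature
can miss when IDS traffic is load balanced across several passive sensors."""
from collections import defaultdict

# Constructed sample traffic: one source probes eight hosts on a /24 (a host
# sweep), plus a little unrelated background traffic.  (src, dst, dst_port)
SWEEP_SRC = "192.0.2.10"
PACKETS = [(SWEEP_SRC, f"198.51.100.{i}", 80) for i in range(1, 9)]
PACKETS += [("192.0.2.20", "198.51.100.5", 25), ("192.0.2.30", "198.51.100.7", 80)]

SWEEP_THRESHOLD = 5  # distinct destinations from one source before alarming


def balance(packets, n_sensors, key):
    """Assign each packet to a sensor by hashing the chosen flow key.

    key == "dst": hash on destination address (sweep is spread out).
    key == "src": hash on source address (sweep stays on one sensor).
    The last octet modulo sensor count is a stand-in for a real hash."""
    buckets = defaultdict(list)
    for pkt in packets:
        src, dst, _port = pkt
        field = src if key == "src" else dst
        last_octet = int(field.rsplit(".", 1)[1])
        buckets[last_octet % n_sensors].append(pkt)
    return buckets


def detect_sweeps(packets, threshold=SWEEP_THRESHOLD):
    """Per-sensor sweep signature: one source touching >= threshold hosts."""
    seen = defaultdict(set)
    for src, dst, _port in packets:
        seen[src].add(dst)
    return {src for src, dsts in seen.items() if len(dsts) >= threshold}


def sweeps_seen(packets, n_sensors, key):
    """Union of sweeps detected by all sensors under a given balancing key.

    Each sensor only sees its own bucket, exactly as a passive sensor behind
    a load balancer would."""
    found = set()
    for sensor_pkts in balance(packets, n_sensors, key).values():
        found |= detect_sweeps(sensor_pkts)
    return found


if __name__ == "__main__":
    # Destination hashing splits the sweep two hosts per sensor: nothing fires.
    print("dst-hash:", sweeps_seen(PACKETS, 4, "dst"))
    # Source hashing keeps all eight probes together: the sweep is detected.
    print("src-hash:", sweeps_seen(PACKETS, 4, "src"))
```

A single unbalanced sensor (`detect_sweeps(PACKETS)`) also catches the sweep, which is the baseline the balanced deployment should be checked against when choosing the hashing policy.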
We are now evaluating the IDS 4230; we are in an IDC environment. Please advise what is the best method to place the IDS. As a general idea, there are two methods. Method 1: In theory, the IDS is better placed behind the firewall. But normally, any network behind the firewall is the network which belongs to the customer. Method 2: And thus, the only way is to place it before the firewall; in this case, how can it provide value to the customer?
And if we are using method 1, we can think of an alternative method, i.e. we will connect the internal network of each customer to a dedicated switch, and each customer is assigned a VLAN. We will then span all the traffic to the IDS 4230 to monitor any problem. And since there is no routing between the VLANs, in theory, each customer will not talk with the others at the network layer.
However, from a security point of view, many customers sharing a physical switch (even though they are separated logically) is an issue.
Please advise and suggest what the normal practice of an IDC using IDS is. Does it mean that each customer gets a separate IDS, which is not cost justified?
While your proposal is theoretically possible, currently, you can't do this with our appliance sensors (4230). If you have multiple VLANs that you want to SPAN, you'll have to SPAN them to a trunk port, and our sensors currently can't parse ISL or 802.1q tagged frames. We will be adding that capability in the next quarter, with the caveat that the max frame size the monitoring/sniffing NIC can handle will be a limitation. If you use a Catalyst 6000/6500 switch with the IDS Module (IDSM), however, then this isn't a problem (IDSM can handle trunked traffic) as long as you keep the aggregate bandwidth that you're monitoring to around 120Mbps in a Web environment.
Other considerations are your SLAs when you start sharing components between customers and how you address redundancy.
Thanks for your idea; at least we know the direction of Cisco's IDS solution. What do you think of putting the IDS in front of the customer's FW? Any value in doing this?
Putting a sensor inside or outside the firewall really depends upon your policy/objectives and the resources that you have to analyze the data from the sensors. You'd want to put a sensor in front of the firewall if you want to see ALL of the activity that is hitting your site; however, you'll probably have a lot of event data to analyze. You also need to consider how you're going to determine if the event gets through or is blocked by the firewall. You're probably not going to get up at 3:00am to address an event that is blocked by the firewall, but you'll probably need to be wide awake if it gets through ;-) The benefit to putting the sensor inside the firewall is that you'll just see the events that pass through the firewall. If I had to prioritize, I'd start with a sensor inside, but if I had the resources, I'd consider an additional sensor on the outside to help determine if I'm being targeted. There are a number of sites that run this IDS sensor "firewall sandwich" configuration.
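The "firewall sandwich" question above (how to tell whether an event seen outside got through or was blocked), as an added example that is not part of the original thread: alarms from an outside and an inside sensor are correlated on signature, source and destination within a short time window. The alarm records, signature names and window size are constructed for illustration and are not real Cisco signature IDs or Director output.

```python
"""Added example (not from the original thread): correlating alarms from an
outside sensor and an inside sensor to separate events the firewall blocked
from events that passed through, so the latter can be prioritised."""
from collections import defaultdict

# Constructed alarms: (time_s, sensor, signature, src, dst).
# Signature names are illustrative only.
ALARMS = [
    (100, "outside", "WEB-IIS-traversal",     "203.0.113.5", "198.51.100.10"),
    (102, "inside",  "WEB-IIS-traversal",     "203.0.113.5", "198.51.100.10"),
    (150, "outside", "TELNET-login-attempt",  "203.0.113.9", "198.51.100.10"),
    (400, "outside", "SMTP-relay-probe",      "203.0.113.7", "198.51.100.25"),
    (900, "inside",  "SMTP-relay-probe",      "203.0.113.7", "198.51.100.25"),
]

WINDOW_S = 5  # an inside alarm must follow its outside twin within this many seconds


def correlate(alarms, window=WINDOW_S):
    """Classify alarms into passed / blocked / inside_only.

    passed:      outside alarm with a matching inside alarm inside the window
                 (the firewall let it through: wake someone up).
    blocked:     outside alarm with no inside match (firewall stopped it:
                 useful for "am I being targeted", not for 3am paging).
    inside_only: inside alarm never seen outside (e.g. VPN or internal
                 source, which the outside sensor cannot observe)."""
    inside = defaultdict(list)
    for t, sensor, sig, src, dst in alarms:
        if sensor == "inside":
            inside[(sig, src, dst)].append(t)

    result = {"passed": [], "blocked": [], "inside_only": []}
    matched = set()
    for t, sensor, sig, src, dst in alarms:
        if sensor == "inside":
            continue
        key = (sig, src, dst)
        # First inside alarm for the same flow that lands within the window.
        hit = next((ti for ti in inside[key]
                    if 0 <= ti - t <= window and (key, ti) not in matched), None)
        if hit is None:
            result["blocked"].append(key)
        else:
            result["passed"].append(key)
            matched.add((key, hit))

    for key, times in inside.items():
        for ti in times:
            if (key, ti) not in matched:
                result["inside_only"].append(key)
    return result


if __name__ == "__main__":
    for bucket, keys in correlate(ALARMS).items():
        print(bucket, keys)
```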
Thus, it is more cost effective to put the IDS behind the FW.
And for putting the IDS before the FW, the only selling point is to help determine if the site was being targeted.
Now, if we want to provide a Managed IDS Service to our customers, then it is more sensible to provide an IDS at each customer site, behind their FW. But from an economic point of view, that is not justified. What do you think, from a security point of view, of each customer extending a connection to a central switch, with each customer having its own VLAN, and using that IDS sensor to monitor it? Of course, the IDS sensor is supposed to support VLAN trunking. Please advise; your email is firstname.lastname@example.org so that I can send you my proposed network diagram.
Your proposal sounds very reasonable and if you are using Catalyst 6000 switches, you really need to consider the IDS Module (IDSM).
Intrusion Detection for Smaller Organizations
Intrusion detection is an important part of today's networks with Internet connections. Many smaller companies are getting connected, but they often go without the added security of an intrusion detection system because of its cost. Does Cisco offer an entry level intrusion detection solution?
Absolutely. We have the IDS-4210 sensor at a LIST price of $8000 that includes all the hardware and software. The IDS-4210 can monitor up to 45Mbps and has a 10/100 Ethernet monitoring NIC. On the management side, you can use the 3-device version of CSPM (which runs on NT), which lists for $2000. This is priced very competitively when you consider that the IDS-4210 includes the hardware.
Well, I need some info on this IDS-4210. I already bought CSPM 2.2 (but I don't know why I bought the full version, which is expensive); I have only one PIX firewall to manage. Now that I have this CSPM 2.2, my director wants me to implement an intrusion detection system. I have VPN clients terminating on the same PIX. I heard that CSPM does not support IPSEC now. How should I go about implementing this IDS-4210 in my network?
Recommend that you start with the information that we have posted on the IDS-4210 at:
Let me know if you have any additional questions. Thanks.
Well, my company is evaluating the Cisco IDS 4210. I was going through the information on Cisco's website. I can't seem to find CSPM as the management platform (or, as you say, the Director) anywhere, no configuration or anything. I have a PIX firewall, for which I need this IDS as part of my network security. I am not using CSPM, but I have it. How will this work?
CSPM version 2.2 and higher provides IDS sensor (including the IDS-4210) configuration and alarm management functionality. You configure the sensor to send alarms and accept configurations from the CSPM platform. From then on, you use the CSPM GUIs to update the sensor configuration and to analyze the alarms sent from the sensor. You can manage your PIX and IDS sensor with a single copy of CSPM.
The data sheet for CSPM 2.2 is available at:
If you have a version of CSPM before 2.2, you can upgrade to 2.2 for free. You can also download a 90-day eval version of CSPM 2.2 from:
I have my VPN clients terminating on the outside interface of my firewall. First, what security holes are there in having clients terminating on the PIX? Second, how can the IDS sensor help me monitor my VPN access? Also, can you clarify this for me: since I have CSPM 2.2, but I'm not using it to implement policy for the firewall, what exactly needs to be configured to set up CSPM to monitor the IDS sensor?
Terminating VPN clients at the PIX will not introduce any security holes; however, you may want to monitor the traffic from the VPN clients coming through the PIX. This is a case where you want to put the sensor behind the firewall. If you have any publicly exposed resources (e.g., DMZ), then you'd want to monitor those resources as well with the sensor.
All of the components required to manage and monitor IDS sensors are installed by default with CSPM 2.2. You may recall being prompted for a "Host ID" and "Organization ID" during the install process. This was for the IDS functionality. The instructions for adding a sensor to your topology are described in the CSPM documentation at:
(Sorry for the long URL).
Hope this helps.
We are currently in the process of implementing IDS in our network. Our network is a hub and spoke topology, and the direction we appear to be going in for now is not running the sensor even though it has good capabilities. We are, however, going to run the Director software for IDS with the IOS firewall running in the hub locations. My question is, since the IOS firewall reads every packet that runs across the interface that is being monitored, how much strain will that put on a CPU that is already being taxed by running in a large OSPF network?
I'm not an expert on the IDS functionality in the IOS, but I've been told that it is very resource intensive. I wouldn't recommend that you turn on the IDS functionality on the production router until you test it in your lab first, especially if the CPU is already being taxed.
Can you give some info about the difference in IDS functionality between IOS with IDS (software solution) and the IDS 42xx (hardware solution)?
The differences between the two, as far as I understand, are that the 4200 hardware is more like a sniffer, which means it can only scan one segment at a time by spanning across different switch ports, whereas with the IDS IOS software you can monitor any port on the router by turning on ip audit under the interface you want to monitor. The IDS IOS software can only sense 59 of the most common signatures, and you can't upgrade the signatures unless they are released in a new IOS version, since the signatures are hard coded into the IOS; the 4200 sensor signatures, on the other hand, can be updated via download. A nice commonality between the two is that both the IDS IOS software and the 4200 software can report to the NetRanger Director or to a syslog server.
Jake, I couldn't have said it better myself. Differences in a nutshell are:
1. Performance hit on the router with IOS IDS.
2. Signature coverage.
3. In-line device with router vs. passive, promiscuous sensor.
I'm writing to you because my company needs to use the Internet and its services more efficiently, and security is a big problem.
I need my users to be able to connect to their respective mail bases over WWW; I need a fixed connection to the Internet to offer WWW access for my users, and to send and receive mail via my mail server inside my company, along with other things... But I need to guarantee that all my info, stations, servers, ... are secure. Please help me, I need to do this.
I'd need more detailed information and an indication of your risk tolerance to give you specific recommendations. Some generic thoughts are that you probably need to consider SSL with some kind of authentication (e.g., userid/passwd, client-side certificates, etc.) to secure access to mail via HTTP. You could also use a remote access VPN product (e.g., Cisco VPN 3000 Concentrator) to authenticate and secure access to your Internet services depending upon your users and the type of services that you offer. You should also consider a firewall and IDS to secure your Internet connection, and Web and mail servers. Hope this helps you get started. Thanks.
Joe, I am a Cisco reseller working on my certifications (CCNA, CCNP). I have to set up a network in two buildings. For this project I have 3 cable guys, 2 networkers (MCSE and CCNP) and myself as project manager. Do you think this is enough workers? Please e-mail me at NARDISYSTEMS@ONEBOX.COM. Thanks, Renato Venci