I have a couple of questions regarding Cisco's new threat response technology. I have several appliance sensors running the 4.0 software, and vms idsmc/sec mon (2.1).
1) Are the Cisco IDS Threat Response activities performed by the VMS server or the sensors?
2) One of our sensors (the one that I am most interested in) sniffs on our perimeter (outside of our firewall, but behind our border router). When it detects attacks directed at our dmz machines they are, of course, identified by their "perimeter addresses", which are not the same as the dmz addresses, since they are translated on our PIX. If I want to appropriately implement the threat response technology, it would be best if I could investigate the machines by their internal, private addresses rather than their internet addresses. Is there a way to do this?
answers are inline:
Q. Are the Cisco IDS Threat Response activities performed by the VMS server or the sensors?
A. It is performed by the sensors? VMS will help in configuring this.
A. No, as the sniffing interface is on the outside of the PIX, the sensor will have no knowledge of your DMZ IPs. But I'm not sure why you want to implement the threat response using DMZ addresses rather than the public addresses on the DMZ. You just need to know the public addresses for the corresponding servers on the DMZ and implement the threat response using these public addresses.
Regarding Q2, the threat response server is on a secure internal network, where all of the IDS management resides. No systems behind our firewall can communicate with the DMZ machines using their public addresses without opening up ports on the PIX that would create a security risk. I haven't figured out a method yet with Windows 2000 where I can "alias" IP addresses. We could do it on the network side, but it would be dirty.
Not sure if I understood it completely... When you say threat response server, what device are you referring to? Management stations (like IDS MC)? Or the command and control interface of the sensors? It should be your sensor, if you are talking about NIDS, and if the command and control interface is on the inside, then I don't see why this interface will not be able to access the DMZ servers. Again, the threat response should be sent to your outside router, not the actual server, unless you are talking about products like Psionic. I am sorry if I am understanding it wrong; if I got any part wrong, please correct me so that I can address your issue. Thanks,
I apologize for not clarifying and being more specific... I was referring to the Psionic technology that Cisco purchased, which utilizes a dedicated threat response server.
Thanks for clarifying this... In that case, I can think of a couple of options:
Option 1: Move your sniffing interface of sensor to the dmz network or,
Option 2: Tweak the FW config. If you have a PIX FW, then you can configure D-NAT (destination NAT for all the servers in the DMZ) on the inside interface of the PIX. You can accomplish this with the help of the "alias" command, or with the 6.2.2 code on the PIX you can configure static commands with the "outside" keyword in them. The syntax should look like this:
alias (inside) public_address_server actual_address_in_dmz or
static (dmz,in) public_address_server actual_address_in_dmz outside
Also, if you are thinking about security, this will not compromise your existing security, as this would only be open from inside to the DMZ.
The upcoming VMS 2.2 version has not incorporated the Cisco Threat Response integration, so to your Q1, the current release of VMS 2.2 does not have the CTR handling capability. The Cisco Security Agent (i.e. Okena) has been implemented.
CTR will be integrated in the future release of VMS.
Hope this helps a bit.
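As an added illustration of the problem in Q2 (not code from the thread or from Cisco): the outside sensor only ever sees the public addresses, so a small helper that parses the PIX "static" lines and maps a sensor alert's public destination back to the DMZ host lets the investigation be run against the private address. The static lines and addresses below are constructed (RFC 5737 ranges), and the mapping logic assumes the common PIX 6.x address static and port static forms.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed PIX 6.x statics (dmz -> outside): one host static, one port static,
# and one network static covering a /26 of DMZ hosts. Not from the thread.
PIX_CONFIG = """
static (dmz,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.20 80 10.1.1.20 8080 netmask 255.255.255.255
static (dmz,outside) 203.0.113.64 10.1.2.0 netmask 255.255.255.192
"""

ADDR_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
PORT_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)$")

@dataclass
class StaticRule:
    proto: Optional[str]            # None for address statics, "tcp"/"udp" for port statics
    mapped: ipaddress.IPv4Network   # public (outside) address or range
    mapped_port: Optional[int]
    real: ipaddress.IPv4Network     # DMZ (private) address or range
    real_port: Optional[int]

def parse_statics(config: str) -> list[StaticRule]:
    rules = []
    for line in config.strip().splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            _, _, proto, mapped, mport, real, rport, mask = m.groups()
            rules.append(StaticRule(proto, ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
                                    int(mport), ipaddress.IPv4Network(f"{real}/{mask}", strict=False), int(rport)))
            continue
        m = ADDR_RE.match(line.strip())
        if m:
            _, _, mapped, real, mask = m.groups()
            rules.append(StaticRule(None, ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
                                    None, ipaddress.IPv4Network(f"{real}/{mask}", strict=False), None))
    return rules

def to_dmz_address(rules, public_ip: str, proto: str = None, port: int = None):
    """Translate an alert's public destination (what the outside sensor saw) to (dmz_ip, dmz_port).
    Port statics are tried first, then the most specific address static; None if nothing is published."""
    ip = ipaddress.IPv4Address(public_ip)
    for r in sorted(rules, key=lambda r: (r.proto is None, -r.mapped.prefixlen)):
        if ip not in r.mapped:
            continue
        if r.proto is not None:
            if proto != r.proto or port != r.mapped_port:
                continue
            return str(r.real.network_address), r.real_port
        offset = int(ip) - int(r.mapped.network_address)   # keep host position inside a network static
        return str(r.real.network_address + offset), port
    return None
```

A destination the PIX does not publish (e.g. a port with no static) translates to None, which is itself useful: the attack the sensor saw cannot have reached any DMZ host.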
I would really like to see the integration work as follows:
CTR type policies defined on VMS central console and pushed out to CTR engine that resides on Sensors.
The sensors can then check in real-time or capture snapshots to compare against for systems that are being protected.
this would remove the need for a dedicated CTR Server and allow better management and scalability.
Information from the sensor snapshots should also cascade up to the central database for event handling and populate the database with devices in addition to sensors so stats can be gathered by running reports and views against sensors and systems.
I also wonder if Cisco are going to use the VMS / IDS MC as a distributed scanner model in addition to a distributed IDS architecture. This would really marry the two technologies rather well now that NetSonar is not being actively developed.
What are other people's thoughts?