Sensor Response
When a signature is matched, the Cisco IDS sensors can be
configured to take preventative action to stop further intrusive activity. The
Cisco Active Response System (CARS) allows the sensor to take control of other
systems, such as routers, firewalls, and switches to terminate unauthorized
sessions. Sensors can be configured to take different actions based on the
configurable severity of the signature matched, so different responses could be
configured for different signatures. The configuration of sensor responses is
discussed in Chapter 25. The possible actions that can be configured on
the sensors are the following:
Terminating the TCP Session
The transport layer protocol, Transmission Control Protocol
(TCP), provides a connection-oriented communication mechanism with a three-way
handshake. Both hosts can terminate this connection-oriented communication by
sending and receiving a TCP packet with the FIN bit set to 1 within the TCP
header. Additionally, either host can send a TCP reset packet and force the
connection between the hosts to be reset immediately.
A TCP reset packet has the RST bit set to 1 in the TCP header.
When a reset packet is received by either host, the connection is terminated.
Sensors can take advantage of this protocol feature and send a reset packet to
the affected hosts, thereby terminating the connection.
Note: The TCP reset action is only appropriate as an action selection on those
signatures associated with a TCP-based service. If selected as an action on
non-TCP-based services, no action is taken. Additionally, TCP resets aren't
guaranteed to tear down an offending session because of limitations in the TCP
protocol.
While resetting TCP connections is a powerful feature, it has drawbacks. TCP
resets are only effective against communications using the TCP transport layer
protocol; communications using the User Datagram Protocol (UDP) aren't affected
by TCP resets.
IP Blocking
“Device management” is the term used by Cisco to describe
actions taken by the sensors to reconfigure other network infrastructure
equipment, such as routers, firewalls, and switches. Sensors can be configured
for device management, allowing them to automatically reconfigure ACLs on
infrastructure equipment blocking an intruder’s IP address or an entire network
address range. The blocking of IP addresses through device management is also
known as shunning. As seen in Figure 24-9, the sensor can reconfigure the ACL on
the perimeter router to block the intruder's IP address.
Study Tip: Perimeter routers are referred to as Blocking Routers. Sensors create
and maintain a Telnet session to Blocking Routers to reduce the time required to
publish the ACL rule sets that block traffic. IP blocking with the use of Device
Management is also known as shunning.
IP blocking should be used cautiously. A hacker could take
advantage of this response mechanism to perform a DoS attack. This DoS attack
could be aimed at the IDS system itself or at other critical network
infrastructure equipment. An intruder could spoof the address of an important
server or director platform. Using the spoofed address, the intruder could
launch an attack, causing the IDS system to block the IP address of the spoofed
host. In essence, the hacker is forcing your IDS system to attack your own
hosts by blocking their IP addresses. Additionally, intruders might have multiple
hosts at their disposal and can continue scanning, probing, and attacking your
network from hosts that haven’t yet been blocked. IP blocking could also be
initiated manually from the director platform once an attack is
discovered.
IP Logging
IP session logs can be used to gather information about the
suspected intrusive activity. When a signature has been configured for IP
logging and that signature is matched, the sensor begins writing every incoming
and outgoing packet to a session log. Security administrators can configure how
long the sensor should continue to perform IP logging after the signature was
matched.
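The three responses above, modelled in Python as an added example of how a sensor might select them for one alarm, with the caveats the text raises (no reset for non-TCP services, a bounded logging and blocking period, and an assumed never-block list so a spoofed critical host cannot be shunned). This is illustrative code written for this page, not Cisco's implementation; the signature fields, durations and list names are assumptions.

```python
"""Constructed model of a sensor choosing responses for a matched signature.
The never-block list is an assumed safeguard against the spoof-induced
self-blocking described in the text; field names are illustrative."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Signature:
    sig_id: int
    protocol: str    # "tcp", "udp" or "icmp"
    actions: tuple   # any of "reset", "block", "log"

@dataclass
class Alarm:
    signature: Signature
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0

@dataclass
class ResponseConfig:
    never_block: list = field(default_factory=list)  # director, key servers, ...
    block_minutes: int = 30                          # lifetime of the ACL entry
    log_minutes: int = 5                             # how long IP logging continues

def select_responses(alarm, cfg):
    """Return (action, detail) pairs; skipped actions are recorded for audit."""
    sig, out = alarm.signature, []
    if "reset" in sig.actions:
        if sig.protocol == "tcp":
            out.append(("reset", f"{alarm.src_ip}:{alarm.src_port}<->{alarm.dst_ip}:{alarm.dst_port}"))
        else:  # no reset is sent for non-TCP services
            out.append(("reset_skipped", "TCP reset applies only to TCP-based services"))
    if "block" in sig.actions:
        src = ip_address(alarm.src_ip)
        if any(src in ip_network(n, strict=False) for n in cfg.never_block):
            out.append(("block_skipped", f"{alarm.src_ip} is on the never-block list"))
        else:
            out.append(("block", f"deny ip host {alarm.src_ip} any for {cfg.block_minutes} min"))
    if "log" in sig.actions:
        out.append(("iplog", f"{alarm.src_ip} for {cfg.log_minutes} min"))
    return out

# Constructed sample data: one TCP signature, one UDP signature, one exclusion list.
TCP_SIG = Signature(3000, "tcp", ("reset", "block", "log"))
UDP_SIG = Signature(4000, "udp", ("reset", "block"))
CFG = ResponseConfig(never_block=["192.0.2.0/24"])
```

Calling select_responses with an alarm whose source falls inside the never-block range yields a recorded block_skipped entry instead of an ACL change, which is the event a security administrator would want to see in the audit trail.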