Introduction
Successful attacks against enterprise
networks typically require a substantial effort on the part of the attacker.
Many large networks realize they have been compromised only after discovering a
discrepancy in activity or in the logs of the traffic traversing their network.
Once the compromise is known, the network staff may backtrack and identify all
of the activity that occurred prior to the compromise…or
they may not. Attacks typically are characterized by three phases of activity:
- Reconnaissance
- Probing
- Exploitation
Reconnaissance involves identifying network address ranges and
telephone numbers, performing DNS lookups (both forward and reverse), and running
whois searches to identify potential names and accounts to
try on various target systems. Probing involves ping sweeps to identify
potential targets as well as port scans to identify the services active on
those targets. Finally, exploitation of a vulnerability (whether a buffer
overflow in a running service or access gained through poor password selection)
is the culmination of the attack, giving the attacker access to the target network.
The probing and exploitation phases require the use of active
tools to identify available services and potential exploit targets. It is this
activity that intrusion detection systems (IDSs) are designed to identify. By
monitoring traffic on the network and inspecting and analyzing packets, the IDS
is able to determine if a network is under attack. If an attack is identified by
the IDS, it can issue alerts to network and security operations personnel so
they can respond appropriately to protect vital corporate assets. Additionally,
many modern IDSs can execute response measures of their own accord, thus
terminating the attacker's connection.
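The probing phase described above (ping sweeps and port scans) is exactly the kind of activity an IDS signature looks for. The following is an added example, not code from the original text or from any Cisco product: a minimal detector that runs over constructed flow records and raises an alert when one source touches many distinct ports on a single host, or sends ICMP to many distinct hosts. The record format, the sample addresses and the two thresholds are assumptions for illustration.

```python
# Added example (not from the original text): a minimal port-scan and
# ping-sweep detector of the kind an IDS signature implements, run over
# constructed flow records. Record format and thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for icmp


# Constructed sample flows: normal traffic, one host sweeping, one host scanning.
SAMPLE_FLOWS = [
    # normal: a workstation talking to a web server and a mail server
    Flow("10.0.0.5", "10.0.1.10", "tcp", 443),
    Flow("10.0.0.5", "10.0.1.10", "tcp", 443),
    Flow("10.0.0.5", "10.0.1.11", "tcp", 25),
    # ping sweep: ICMP echo to many hosts in one subnet
    *[Flow("192.0.2.7", f"10.0.1.{i}", "icmp", 0) for i in range(1, 30)],
    # port scan: many distinct ports on a single target
    *[Flow("198.51.100.9", "10.0.1.10", "tcp", p) for p in range(20, 60)],
]


def detect_probing(flows, port_threshold=20, host_threshold=16):
    """Return a list of (alert_type, source, destination, count) tuples.

    A source is flagged as port-scanning when it touches more than
    port_threshold distinct TCP/UDP ports on one destination, and as
    ping-sweeping when it sends ICMP to more than host_threshold distinct
    destination hosts. Both thresholds are illustrative assumptions and are
    the kind of knob a sensor is tuned with to control false positives.
    """
    ports_per_target = defaultdict(set)   # (src, dst) -> {dport}
    icmp_targets = defaultdict(set)       # src -> {dst}
    for f in flows:
        if f.proto == "icmp":
            icmp_targets[f.src].add(f.dst)
        else:
            ports_per_target[(f.src, f.dst)].add(f.dport)

    alerts = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) > port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    for src, hosts in icmp_targets.items():
        if len(hosts) > host_threshold:
            alerts.append(("ping_sweep", src, None, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_probing(SAMPLE_FLOWS):
        print(alert)
```

The normal workstation traffic never crosses either threshold, so only the sweeping and scanning sources produce alerts. Raising or lowering the two thresholds is the same trade-off the text describes for signature tuning: a low threshold catches slow scans but generates more false positives on busy LANs.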
There are significant differences between managing a small
handful of IDS sensors (on the order of one, two, or three sensors) and handling
an enterprise-wide deployment of sensors. Tuning a single sensor to the traffic
on a particular LAN may require one or more days simply for the actual tuning of
IDS signatures. Once that has been completed, the sensor must be monitored for
false positives and for any additional signature tuning required. This can take
on the order of a week or more for a single sensor. When new signature packs are
released containing additional attack signatures, they must be deployed and
tuned as well. Clearly, once the number of sensors goes beyond a small handful,
the administrative effort of configuring, monitoring, and updating sensors
becomes a significant burden. A tool that manages all sensors through a single
interface dramatically reduces that burden. This is
where CiscoWorks2000 and, in particular, the IDS Management Console (MC) are
meant to provide the greatest benefit. Scalable sensor management is
required to meet the needs of an enterprise network. The Cisco Intrusion Detection
System Management Center is designed to provide the centralized sensor
management required to protect large enterprise networks.