Complex IDS Deployment

Nov 24,2008 by admin


The second example involves a larger, more complex network and services environment with high bandwidth requirements. In this example, the ACME Company is a large defense contracting organization with a headquarters campus network and remote offices in seven cities. While each location has its own security infrastructure, headquarters contains most internally and externally sought services. Network and services operations are centrally managed from the headquarters office.

As a consultant, you have been asked to review the ACME Company's security stance with specific regard to intrusion detection. ACME has a very limited IDS deployment but, because of recent hacking and worm-attack problems, wants to deploy an enterprise-wide IDS solution.

So, where do you start? Based on what we've discussed so far, you should remember that intelligent deployment of Cisco IDS sensors involves, at a minimum, three steps as follows:

  1. Understanding and analyzing the network

  2. Identifying the critical infrastructure and services

  3. Placing sensors based on network and services functions

You should also remember the Cisco AVVID and SAFE information from Chapter 1. Your first step is to map the network to understand how routing, switching, and traffic flow occurs in the ACME Company. While you're drawing, you add the SAFE modular design to the map for reference.


Note 

To simplify the network map, some SAFE modules are combined where possible in Figure 2.4.

Figure 2.4: Complex IDS Deployment Network Map

When finished, your map should look like Figure 2.4.

In your research, you determine that ACME is using BGP in the Corporate Internet Module to provide redundant, load-balanced access to the Internet. You also find that, internally, ACME uses OSPF and routes down to the Cisco 4503 distribution switches in the Building Distribution and Edge Modules. It's important to note that OSPF and BGP provide active/active connectivity wherever possible: the two directions of a single conversation may take different paths, so a sensor that watches only one path sees only half of the flow, which, as previously discussed, can disrupt an IDS. The remote offices route into the Campus Core for connectivity.

The next step is to determine the critical services and application-layer flows across the network. From Figure 2.4, it's apparent that the E-Commerce and VPN/RAS Module contains the Internet-accessible services. Many critical services, such as DNS, e-mail, and the e-commerce web sites, are located in this module and therefore require extra security. VPN and remote-access services are provided in this module as well. There's also an internal server farm in the Server and Management Module. Since many of the network management systems (NMS), databases, and other critical applications reside here, it's important to protect this area as well. Finally, you've made note of the wireless access that ACME has recently installed in each building. To secure the wireless deployment, ACME forces wireless clients to authenticate and tunnel their connections to the VPN concentrator in the Server and Management Module.

So, now that you've gained a good appreciation for the network and critical services at the ACME Company, it's time to determine where the best locations are for an IDS. In your discussions with ACME managers, you've determined that budget, while not infinite, probably won't be a limiting factor in your design. Based on the SAFE architecture, you choose to focus on network areas other than the distribution and edge networks.

Let's have a look at your IDS implementation by focusing on each area in which you've selected to place IDS. The Server and Management Module is shown in Figure 2.5.

Figure 2.5: Server and Management Module IDS

The Server and Management Module is an essential part of the network to protect. Therefore, you've decided to install the Cisco Host IDS sensor on the critical servers. You'll also need to inspect the traffic coming into and going out of the SAFE module. Don't forget that this includes the VPN traffic from all of your wireless clients in the access layer of the network. Because this part of the network has high-bandwidth requirements, you select the Cisco 4250-XL Sensor, which provides gigabit performance, to inspect traffic. Finally, this is the network from which you'll be managing the entire Cisco-based IDS infrastructure. Because you're working in an enterprise-sized network with multiple IDS sensors, you select CiscoWorks VMS, which provides management for all of your IDSs. For each IDS deployment, you'll place the sensor's command and control interface in a private management VLAN that communicates securely back to the VMS server; the sensor's sniffing interface carries no IP address and never sits in that VLAN.
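The following Catalyst IOS fragment is an added illustration of that management-VLAN isolation; it is not from the original text or from Cisco's SAFE documentation. The VLAN number, port numbers, and the 10.50.x.x addresses for the VMS server and the sensor VLAN are assumptions, as is the choice of HTTPS and SSH as the only management protocols allowed in (Cisco IDS 4.x sensors are managed over HTTPS/RDEP and SSH).

```cisco
! Dedicated VLAN for the sensors' command-and-control interfaces (VLAN id assumed)
vlan 950
 name IDS-CC
!
! Sensor command-and-control port: plain access port, never a trunk, never a SPAN destination
interface GigabitEthernet1/11
 description 4250-XL command-and-control interface (port number assumed)
 switchport mode access
 switchport access vlan 950
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Only the VMS server (10.50.2.10, assumed) may reach the sensor VLAN (10.50.9.0/24, assumed),
! and only on the services the management path actually uses: HTTPS (RDEP) and SSH.
! Anything else routed into the VLAN is dropped and logged.
ip access-list extended IDS-CC-IN
 permit tcp host 10.50.2.10 10.50.9.0 0.0.0.255 eq 443
 permit tcp host 10.50.2.10 10.50.9.0 0.0.0.255 eq 22
 deny   ip any any log
!
! The SVI is the only way into VLAN 950; "out" on an SVI filters traffic leaving
! the router toward the hosts in that VLAN, i.e. traffic arriving at the sensors.
interface Vlan950
 description IDS command-and-control VLAN gateway (address assumed)
 ip address 10.50.9.1 255.255.255.0
 ip access-group IDS-CC-IN out
```

Two checks are worth doing after this is in place. First, confirm from a host in an ordinary user VLAN that the sensors' management addresses do not answer on 443 or 22, and that the `deny ... log` line counts the attempt. Second, remember that the ACL above only covers connections initiated by VMS; anything the sensor itself initiates (for example, blocking commands sent to managed routers or firewalls, or NTP) needs its own permit on the inbound side of the SVI, and the sensor's own allowed-hosts list should be restricted to the VMS server as a second layer.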


Note 

As previously discussed, the routed environment in the ACME Company provides for active/active network flow across redundant platforms. To accommodate this design, IDSs need special provisions at the switch so that they may inspect traffic flowing across either of the ingress/egress paths. This could be accomplished via trunks configured between the switch devices over which RSPAN data is shared.
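The following Catalyst IOS fragment is an added example of the RSPAN arrangement the note describes; it is not from the original text or from Cisco's SAFE documentation, and the same approach applies to the active/active core switches and to the active/passive firewall paths in the Corporate Internet Module later on. The VLAN number, port numbers, and the IDSM-2 slot number are assumptions. The idea is that each switch mirrors the path it carries into one shared RSPAN VLAN, the VLAN rides the inter-switch trunk, and a single destination session on one switch delivers everything in that VLAN to the sensor, so the sensor sees both directions of a conversation no matter which switch each direction crossed.

```cisco
! --- Switch A: carries one of the two active/active paths ---
vlan 900
 name IDS-RSPAN
 remote-span
!
! Mirror both directions of the uplink that carries path A into the RSPAN VLAN
! (port numbers assumed). Do NOT add the inter-switch trunk as a source, or the
! sensor will see path B's packets twice.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination remote vlan 900
!
! The trunk to Switch B must carry the RSPAN VLAN
interface GigabitEthernet1/48
 description Trunk to Switch B (carries RSPAN VLAN 900)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 900
!
! --- Switch B: carries the other path and hosts the sensor's sniffing port ---
vlan 900
 name IDS-RSPAN
 remote-span
!
! Path B is mirrored into the same RSPAN VLAN...
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination remote vlan 900
!
! ...and a second session drains VLAN 900 (path A from the trunk plus path B
! locally) out to the sensor's monitoring interface.
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet1/10
!
interface GigabitEthernet1/10
 description 4250-XL sniffing interface (no IP address; receives mirrored traffic only)
!
! On the 6506 core with an IDSM-2 (slot 5 assumed), the destination is the module's
! data port instead of a physical interface:
!   monitor session 2 destination intrusion-detection-module 5 data-port 1
```

Before relying on this, verify two things on the actual platform and software release. First, whether one switch may host both an RSPAN source session and an RSPAN destination session for the same RSPAN VLAN (it is supported on the Catalyst 6500, but check the 4500 release notes). Second, that the combined mirrored load of both paths fits in the trunk's and the sensor's capacity: with `both` on a gigabit uplink, a single fully loaded link already produces up to 2 Gbps of mirrored traffic, and the trunk will silently drop whatever the sensor cannot be fed.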

Like the Server and Management Module, the E-Commerce and VPN/RAS Module contains critical servers and services that require extra protection. It's also a high-speed environment, with gigabit-attached servers and switching devices, so it calls for the same solution as the Server and Management Module. You load the servers with the Cisco Host IDS software and install another Cisco 4250-XL Sensor connected to the Cisco 4503 switches. This way, you'll be able to inspect traffic at speeds of up to 1 Gbps and you'll have host-based inspection and protection for your servers. The E-Commerce and VPN/RAS Module is shown in Figure 2.6.

Figure 2.6: E-Commerce and VPN/RAS Module IDS

So far, you've done a good job of protecting the services in the organization. But what about the security of the users and the general network infrastructure? As we discussed earlier, the SAFE architecture doesn't include IDS at the distribution and edge networks. So where is a good location to inspect user traffic? Since the ACME Company uses the Cisco 6506 switch platform in the core, you can most likely deploy the Cisco IDSM-2 Module in the 6506 chassis. This decision will depend on the interface speeds and utilization of the core switches; if the traffic you need to inspect is under 1 Gbps, the IDSM-2 Module will work well. Again, the active/active design in the core is something you'll need to consider. As in the other modules we've discussed, you'll need something like RSPAN to share traffic between the core switches so that the IDS sees both directions of every flow, regardless of which switch each direction traverses. The Core Module is shown in Figure 2.7.

Now the inside of the ACME enterprise appears to be secure. Don't forget about the front door! Of course, you've considered that as well. The ACME Company currently has two Internet connections to two different ISPs for redundancy. They're fortunate to have Ethernet handoffs from their providers and use BGP attributes to distribute traffic across the 10- and 100-Mbps connections. Since the redundant PIX firewalls operate in active/passive mode, all traffic traverses the active firewall under normal circumstances. A sensor placed outside the active PIX will therefore see everything, but it goes blind the moment the firewalls fail over to the standby unit and its path. Again, you could use the RSPAN solution discussed previously to feed the sensor from both paths.

The ISP connections are high speed, but not as fast as the internal networks. Based on this, you choose the Cisco 4235 IDS Sensor, which performs at speeds up to 250 Mbps and easily supports the maximum combined connection speed of 110 Mbps. You position these sensors above the firewalls, on the Internet side (and possibly above the routed interface on the Cisco 4503 switches), to inspect all traffic to and from the ACME Company.

The Corporate Internet Module is depicted in Figure 2.8.

Figure 2.8: Corporate Internet Module IDS

Finally, you realize that one remaining ingress/egress point exists in the ACME network: the Frame Relay links to the seven remote offices. Each office is configured very similarly, so you can design the remote-office solution once and replicate it to each site. Luckily, each remote site already has a Cisco 3640 router that provides WAN connectivity back to the Cisco 6506 switches in the ACME core. It makes sense, then, to implement the Cisco IDS Module for the 3600 series router. With this module, you'll be able to provide IDS services in each remote location without requiring additional rack space, cabling, or power, since the module inserts directly into the 3640 chassis. The Remote Site IDS solution is depicted in Figure 2.9.

Figure 2.9: Remote Site IDS

At this point, the ACME Company appears to have a fairly comprehensive IDS architecture. What other locations in the network would be good candidates for IDS? What processes should you use to tune the IDS infrastructure? What other security devices could be deployed to increase the security of the ACME network? Finally, how do we actually manage all of these security devices? These are all excellent questions and bring us back to the Cisco Security Wheel concepts we discussed in Chapter 1. As a security professional, you need to consider how policy, monitoring, response, testing, and management all tie into your IDS deployment.

