IDS

Mike O’Connor
Eric Tallman
Matt Yasiejko
Overview

IDS defined
What it does
Sample logs
Why we need it
What it doesn’t do
Setup
Alternatives
IDS defined

IDS = Intrusion Detection System
Cisco IDS-4215
Placed on the switch
IDS vs IPS
IDS = detection; “passive”
IPS = prevention; “active”
Signature driven (misuse detection)
IDS defined

Used to detect traffic not captured by conventional firewalls
Network vs. Host IDS
Network = examines traffic and monitors multiple hosts
Host = analyzes system calls, file modifications, etc.
Misuse (signature based) vs. anomaly (self-learning)
What it does…

Analyzes network traffic that has been sent to or from FA 0/24
Uses signature database to identify problematic traffic
Custom signatures may be added
False positives are quite possible
DNS requests
IP logging, block IP, allow IP, etc.
Detects port scans

Sample logs (screenshots)

DNS request logged
Signature 4003 details
Port scan detected
Why we need IDS

Nmap sweeps
Vulnerability sought constantly
Many attack types
Above is one type of TCP sweep (SYN packets)
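As an added example (not from the slides), this is the kind of threshold signature an IDS evaluates before reporting “port scan detected” for a SYN sweep: one source hitting many ports on one host, or one port across many hosts, within a short window. The packet records, threshold and window are constructed/assumed values; loosening them shows how the false positives mentioned above arise.

```python
from collections import defaultdict

# Constructed sample of SYN-only TCP records, as an IDS would see them on the
# mirrored port: (seconds, src_ip, dst_ip, dst_port). RFC 5737 documentation
# addresses; none of this data is from the original slides.
SYN_PACKETS = [
    # one source probes port 22 on several hosts: a SYN host sweep
    (0.0, "198.51.100.9", "192.0.2.1", 22),
    (0.2, "198.51.100.9", "192.0.2.2", 22),
    (0.4, "198.51.100.9", "192.0.2.3", 22),
    (0.6, "198.51.100.9", "192.0.2.4", 22),
    # one source probes several ports on one host: a port scan
    (1.0, "198.51.100.7", "192.0.2.10", 21),
    (1.1, "198.51.100.7", "192.0.2.10", 23),
    (1.2, "198.51.100.7", "192.0.2.10", 25),
    (1.3, "198.51.100.7", "192.0.2.10", 443),
    # an ordinary client talking to web and mail servers over a minute
    (2.0, "198.51.100.3", "192.0.2.10", 80),
    (9.0, "198.51.100.3", "192.0.2.11", 25),
    (40.0, "198.51.100.3", "192.0.2.10", 443),
]

def _distinct_in_window(hits, threshold, window):
    """True if some `window`-second span of time-sorted (t, value) hits holds >= threshold distinct values."""
    for i, (t0, _) in enumerate(hits):
        seen = {v for t, v in hits[i:] if t - t0 <= window}
        if len(seen) >= threshold:
            return True
    return False

def detect_syn_scans(packets, threshold=4, window=10.0):
    """Signature-style (misuse) detection over time-sorted SYN records.
    Returns (src_ip, kind, detail) alerts: "port scan" = `threshold` distinct
    ports on one host within `window` s; "host sweep" = one port on `threshold` hosts."""
    by_host = defaultdict(list)  # (src, dst)   -> [(t, dst_port)]
    by_port = defaultdict(list)  # (src, dport) -> [(t, dst)]
    for t, src, dst, dport in packets:
        by_host[(src, dst)].append((t, dport))
        by_port[(src, dport)].append((t, dst))
    alerts = []
    for (src, dst), hits in by_host.items():
        if _distinct_in_window(hits, threshold, window):
            alerts.append((src, "port scan", dst))
    for (src, dport), hits in by_port.items():
        if _distinct_in_window(hits, threshold, window):
            alerts.append((src, "host sweep", dport))
    return alerts
```

With the defaults only the sweep and the scan are reported; widening the window to a minute with a threshold of 2 also flags the ordinary client, which is the trade-off an administrator tunes when adding custom signatures.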
What our IDS doesn’t do

Intrusion Prevention!!
The administrator must take action
Does not log traffic that does not pass through FA 0/24
This was a choice
Internal traffic is undetected at this time
Setup

Used CLI for IDS configuration
Set up IP, gateway, name, netmask
Set access list
Console only at the moment (134.198.161.100)
SPAN

Switched Port ANalyzer
Mirrors 0/24 onto 0/23
Monitor session on the switch
#configure terminal
#monitor session 1 source interface fastethernet 0/24 both
#monitor session 1 destination interface fastethernet 0/23
#end
Alternatives

Snort
Software solution to IDS/IPS
Traffic analysis
Packet logging
Detects port scans, buffer overflows, etc.
IPS