Cisco Secure Intrusion Detection System

Authors: Earl Carter and Rick Stiffler
Pages: 912
Publisher: Cisco Press
ISBN: 158705034X


Cisco Secure IDS is a network-based intrusion detection system that relies on a signature database to trigger possible intrusion alarms. It is composed of two major components – sensor and director platforms, which communicate via PostOffice protocol. If you are interested in the Cisco Secure IDS, this Cisco Press’ publication will suite you the best.

About the author

Earl Carter, CCNA, is a Security Research Engineer and member of the Security Technologies Assessment Team (STAT) for Cisco Systems, Inc. He performs security evaluations on numerous Cisco products, including everything from the PIX Firewall and VPN solutions to Cisco CallManager and other VoIP products. Earl started with Cisco doing research for Cisco Secure Intrusion Detection System and Cisco Secure Scanner.

An interview with Earl Carter is available here.

Inside the book

Similiar to one of the other Cisco Press books I reviewed recently, this book hosts a foreword by Rick Stiffler, Manager of VPN and Security Training at Cisco Systems. He notes that this is another in the series of Cisco Press books dedicated to the transfer of knowledge and skills critical to the success of the network security professional.

While the book format cannot compete with the actual hands-on courses at Cisco, it provides a valuable component in meeting the ever growing demand for Cisco Certifications. As the book is of a specific nature, because it deals with the Cisco Secure IDS, completed CCNA certification or a knowledge equal to that is preferred for fully understanding this book. The author also notes that strong user-level experience with Microsoft’s Windows NT and a basic level knowledge of Unix is needed to successfully use Cisco Secure IDS.

The book is spread over approximately 900 pages divided into 8 thematic parts, where the last part is comprised of a series of interesting appendixes. “Cisco Secure Intrusion Detection System” opens with a basic overview of network security principles, a chapter which is intended for the readers unfamiliar with network security concepts. As a reader that is interested in operating and maintaining Cisco Secure IDS, you will probably skip through this section. If not, here you can read about security threats and concepts, attack methodologies, hacking techniques and Cisco Security Wheel. This Cisco’s cycle breaks network security into four separate parts: securing the network, monitoring network security, testing the network security and finally improving the state of it.

Following the networking security essentials, second part of the book goes deeper into intrusion detection systems, their functions, benefits and goals. The purpose of every intrusion detection system is to detect malicious attacks to the organization’s network. As there are different types of IDS, you can evaluate them by looking at: IDS triggers (anomaly and misuse detection), monitoring locations (network based and host based) and their hybrid characteristics that combine the functionality of multiple intrusion detection systems. All of these topics are covered in this IDS overview. After the general IDS overview, the following chapter focuses on what Cisco Secure IDS is, and deals with its aspects, such as: system functions, sensor platforms/modules (4200 Series Sensors and an IDS module for Catalyst 6000 switches), director platforms and previously mentioned PostOffice protocol.

As the Cisco Secure IDS is network-based intrusion detection system, it relies on sensors that are deployed on places inside the organization’s network. These sensors have two network interfaces – one is placed in the promiscuous mode so it can sniff all the traffic that passes through the network and the other one is a command and control interface. As the sensor hosts a list of signatures, it matches the packets it sniffs and if a match is done, alarm is raised via its command interface. The third part of the book titled “CSIDS Installation” starts with sensor deployments, talks about Cisco Secure Policy Manager (CSPM) installation and finishes with CSPM based 4200 Series Sensor installation. If you are not familiar with CSPM, it is a Windows based application that provides security policy management for a series of Cisco security products, including: Cisco Secure PIX Firewall, Cisco IOS Firewalls with VPN software and Cisco Secure IDS Application Sensors. CSPM installation is provided through nine steps and accompanying screen captures.

The fourth part of the book deals with alarm management and Intrusion Detection signatures. The first chapter that focuses on working with Cisco Secure IDS alarms in the Cisco Secure Policy Manager application, provides a great overview on getting and understanding the alarms created by potential intrusions. A nice section is provided on customizing the GUI interface of CSPM, therefore setting it up to meet all the needs of your network environment. As the IDS Signatures are an extremely important part of the successful IDS deployment, Mr. Carter gives them 150 pages of his book. The first ten pages of the IDS Signatures section, introduce the readers with an overview on IDS Signatures, especially their definitions, classes, types and severity. For easier identification and usage, Cisco Secure IDS categorizes its signatures in different numeric series. The current signatures are divided into eight series: TCP, ICMP, TCP, UDP, Web/HTTP, Cross-protocol, String-matching and Policy-violation. The other 140 pages of this section provide practical information in the way of tons of pasted IDS Signatures categorized in the series.

Cisco Secure IDS Configuration is the topic of the book’s fifth part and it deals with configuration of the most important sections of the IDS. Besides configuring the sensors using Cisco Security Policy Manager and configuring Catalyst 6000 IDS Module, author talks about Signature and Intrusion Detection configuration. Here you can learn about: basic signature configuration, modifying the signature templates to fit your own needs, advanced signature configuration and filtering and creating ACL signatures. This part closes with a chapter on IP Blocking, which means applying Access Control Lists on network devices, therefore restricting the network flow. IP blocking can be very useful while identifying the attacker and then blocking his IP, making him unable to attack again. Improperly configuring the IP Blocking, can make your router wrongly identify the legit traffic as malicious and, therefore, block it. The author presents some IP Blocking Guidelines and tips that will surely help you do the blocking in the right way.

Cisco Secure Intrusion Detection Director (CSIDD) is the other main component of the Cisco Secure IDS (first being the sensor). This application runs on Solaris or HPUX operating systems and is connected to the HP OpenView Network Node Manager. Its main purpose is to be used for administering the Cisco Secure IDS. Part six of the book goes in depth with CSIDD’s installation and its configuration management utility nrConfigure. nrConfigure is used for managing the configuration of the Director and the sensors when CSIDD is used as the Director platform. It can be used for managing the Cisco Secure ISD for the whole organization’s network from one centrally placed console. If you are interested what does nrConfigure means, here is a little scope. Cisco Secure IDS was previously called NetRanger and was developed by the WheelGroup Corporation. After this company was acquired by Cisco Systems, development was carried on, but names were changed to match the Cisco brand name. Some of the tools used by Cisco Secure IDS (nrConfigure, nrstart and nrstop), still refer to the previous NetRanger name. The last pre-appendix part of the book talks about planned Cisco Secure IDS Enhancements, as the author considers the difference in time between the book publishing date and the time the reader takes a look at it.

Part seven a.k.a. the Appendixes part contains as much as eleven appendixes. These are: Deploying Intrusion Detection Case Studies, description of Cisco Secure IDS architecture, CSIDD basic troubleshooting, overview of Cisco Secure IDS log files, advanced tips for CSIDS users, signature structures, Cisco IOS Firewall IDS signatures list, Cisco Secure Communications Deployment Worksheet and the glossary of terms.

What I think of it

Developed as a written reference to support some of the Cisco System’s security related training courses, “Cisco Secure Intrusion Detection Systems” will provide a vast quantity of information, especially if you have a Cisco Security Specialist 1 (CSS1) certification in mind. The book offers a comprehensive guide through all the perspectives of planning, deploying and maintaining Cisco Secure Intrusion Detection System. The questions/answers placed after every chapter, testing your knowledge of the read material, are a great educational supplement to the book. I highly recommend this book if you are interested in the topics it delivers.

Don't miss