ASK THE EXPERT- INTRUSION DETECTION SYSTEMS (IDS)

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Intrusion Detection Systems with Cisco expert Marco Caballero. Marco is a Quality Assurance Technical Lead at Cisco Systems, Inc. He specializes in the 4200 Appliances IDS Modules, Catalyst 6500 IDS Modules, and the Access Router IDS Modules. Marco joined Cisco Systems in 1998 as a result of the Wheelgroup acquisition. Feel free to post any questions relating to Intrusion Detection Systems. Remember to use the rating system to let Marco know if you’ve received an adequate response.

 

Marco might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 14. Visit this forum often to view responses to your questions and the questions of other community members.

 


ccsam
Level 1

I'm going to deploy one ids4250 with vms2.5. Is there any web site which has the best practices, how to configure it, and what things need to be watched out for? Is there a good URL for a beginner like me to start with? Thanks in advance.

Some of the SAFE White Papers have some of this information, but most of it is not specific to IDS sensors.

Here are some links to look at:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_papers_list.html

The product documentation usually has some of this information.

For the IDS sensor:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/index.htm

For VMS:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/index.htm

There is also a Cisco IDS course as well as a certification test that you can take:

http://www.cisco.com/en/US/partner/learning/le3/le2/le41/le58/learning_certification_type_home.html

Here are some of my usual suggestions:

I generally recommend monitoring the internal connections of the Firewall. This way you won't spend time filtering through alarms for packets that were already stopped by the Firewall. Some advanced users will place an IDS outside of the Firewall to give them more information about what attacks are coming in from the internet that are being blocked by the Firewall, but I would only do this if you have the extra time for analysis.

Also just like your switches, routers, and firewall; you want an IDS sensor rated higher than what your normal traffic rate is. This way the IDS sensor can keep up with usage spikes in the network.

Keep in mind that the sensor needs to see both directions of traffic to function properly. When monitoring TCP connections the sensor must see both the client packets as well as the server packets. This is because the sensor will track the TCP session state to determine whether or not the packets were legitimate. If you connect the sensor to a hub between the firewall and the inside network, then this is fairly easy to achieve. But if the firewall is connected to a switch, then you will need to use a span session to copy the packets to the sensor. When you set up the span session you will need to ensure that traffic in both directions is sent to the sensor. This is usually accomplished by setting up a "both" span session for the firewall port of the switch. This way both the "tx" and "rx" packets for the firewall port are sent to the sensor. A side note to keep in mind is that some switches may require extra parameters on the span port to allow TCP Reset packets from the sensor to come in on the span port.

Some users prefer to use network taps to send traffic to the sensor. When using taps keep in mind that the tap has 2 outputs. One output is for traffic to the firewall, and the second output is for traffic from the firewall. Both outputs must be sent to the sensor, so you will need a sensor with 2 sniffing ports to connect to these 2 outputs. Additionally keep in mind that using taps will generally prevent you from being able to do TCP Resets since taps do not allow packets coming in from the sensor.

The sensor has 2 or more interfaces. One of these interfaces is the command and control interface, and the other interfaces are the sniffing interfaces. The command and control interface will have an IP assigned while the sniffing interfaces will not. It is generally recommended that the command and control interface be connected to either a specific network for configuring and managing your security devices (often known as the out of band secure management network), or at a minimum to a vlan that is used only for managing your security devices. If you are using a vlan, then the command and control of your sensor, an interface of your VMS box, and an interface of your firewall and other security devices would be placed in this vlan. You could then route to other vlans in your network through your firewall to further protect this vlan. Connections to and from your security devices should be over encrypted connections. The Cisco IDS comes loaded and running with SSH for CLI access, and TLS/SSL for access to its web server.

Cisco IDS sensors have a feature referred to as blocking (also known as shunning). When the sensor is configured to block the source address of an attack, it will connect to a Cisco router, Cat 6500 switch, or Pix firewall. It will either create a Router ACL, a Vlan ACL, or in the case of the Pix execute the shun command to block the ip address. When deciding where to put the sensor you will need to keep in mind the other devices on the network segment. You will need to configure the sensor to use one of those devices for blocking, and configure the device to allow the sensor to telnet or ssh to the device. You will need to ensure ip connectivity between the sensor's command and control interface and the networking device.

From the management standpoint, with only a single sensor you are probably fine loading both the IDS MC and Security Monitor on the same box.

NOTE: IDS MC and Security Monitor are both part of VMS.

If you were going to deploy a larger number of sensors, then I generally recommend installing IDS MC on one machine and the Security Monitor on a second machine.

When putting together the hardware for your VMS machine, I generally recommend giving yourself a little bit of growing room.

Read the minimum requirements for running VMS. Boxes with less than the minimum often have problems. But also keep in mind that these are minimums and in most cases you will want something.

Pick a machine where you can put in as much memory as you think you need, but still have slots available for adding more memory in the future.

A faster CPU and larger harddrive are also beneficial.

I also recommend dedicating a machine to VMS. VMS has limitations which prevent it from running on machines where you may have installed other programs (VMS has its own web server so you won't be able to run another web server; VMS also has its own database so running other databases on the same machine is not recommended).

Another good thing would be to secure the VMS machine with Cisco's Security Agent (CSA). CSA is Cisco's host based IDS software. Many users will also purchase CSA to run on other major servers on their network. Cisco network IDS and host based IDS technologies when used together provide a more secure network.

And connect the VMS machine to the same secure network or vlan as the command and control port of your sensor.

If the VMS machine has to be installed on another network or vlan (usually because of geographical locations), then you will need to ensure that the network devices between the management machine and the sensor will allow certain traffic between the 2 machines. The IDS MC will need to SSH to the sensor. Security Monitor will need to connect to port 443 of the sensor over a HTTPS (TLS/SSL) connection to retrieve alarms. The sensor will need to connect back to port 443 of the IDS MC to pull down updates.

The VMS machine runs a database for storing alarms. You will need to come up with a schedule for archiving and/or deleting these alarms to keep from filling your database. Additionally the more alarms stored in the database the longer it will take your viewer to load the alarms for viewing.

For more information on archiving the alarms refer to this link:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon12/technote.htm

The signatures on the Cisco sensor will come with preset severity levels.

A general rule of thumb is to begin by using the default severities and see what alarms are detected on your network.

Begin by looking at the High level alarms and determine what the cause might be.

The NSDB (Network Security DataBase) is a good reference for more information about an alarm.

The NSDB is installed on the sensors and the VMS machine as part of the signature update process.

If you see alarms that upon analysis are determined to be normal traffic then you will need to either filter the alarms for the particular address set or lower the severity of the alarm, or even disable the alarm. Filtering or disabling the alarms will prevent you from having to spend time on these alarms in the future.

If an alarm is legitimate then you will need to determine if your system is vulnerable (refer to the NSDB for information on vulnerable machines). If the machine is not vulnerable then consider filtering this alarm as well. If the machine is vulnerable then you will need to see if the system has been compromised and take appropriate steps.

SIDE NOTES: Cisco Security Agent (CSA) can also be run on some of these machines and the logs between the network sensor and host sensor can be compared. You might see an alarm from the network IDS and a corresponding alarm from CSA showing that CSA was able to prevent the attack.

You might also consider deploying Cisco Threat Response. Threat Response can be configured to do the OS verification for you to determine whether or not the end system was vulnerable. If the end system was not vulnerable it can automatically downgrade the alarm. If the end system was vulnerable it can login to the end system and grab logs that may contain traces for analyzing what happened in the attack.

Once the High severity alarms have been analyzed then determine whether or not you want any automatic actions to occur for these alarms in the future.

Available actions include TCP Resetting the TCP connection, blocking the source ip address, or logging the packets to and from the source address of the alarm.

Once you've gone through the High alarms, then attempt to go through the Medium severity alarms doing the same thing.

Most users will then just continue to monitor the High and Medium alarms and even disable Low and Information alarms.
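The tuning loop described in the answer above (leave default severities, then filter alarms for a known-good address set, lower a severity, or disable a signature, and keep reviewing only what is still High or Medium) is easy to reason about when it is written down as rules applied to a batch of alarms. The following is an added example and not code from this thread, from Cisco, or from VMS: the alarm records, the rule format, and all signature IDs other than 3401 are constructed, and the field names are assumptions.

```python
"""Apply IDS alarm tuning rules (address-set filter, severity override,
disable) to a batch of alarms and report what still needs review.

Added example; not code from the thread or from Cisco. Alarm records and
rules below are CONSTRUCTED; field names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Severity order used by the thread: Information < Low < Medium < High.
SEVERITIES = ["informational", "low", "medium", "high"]


@dataclass
class Alarm:
    sig_id: int
    severity: str
    src: str
    dst: str


@dataclass
class TuningRule:
    sig_id: int
    address_set: Optional[str] = None   # CIDR; None means "any address"
    action: str = "filter"              # "filter", "disable", or "severity"
    new_severity: Optional[str] = None  # only used by action == "severity"

    def matches(self, alarm: Alarm) -> bool:
        """True when the rule applies to this alarm (signature + address set)."""
        if alarm.sig_id != self.sig_id:
            return False
        if self.address_set is None:
            return True
        net = ipaddress.ip_network(self.address_set, strict=False)
        return (ipaddress.ip_address(alarm.src) in net
                or ipaddress.ip_address(alarm.dst) in net)


def apply_tuning(alarms: List[Alarm], rules: List[TuningRule]) -> List[Alarm]:
    """Return the alarms that survive tuning, with any severity overrides applied.

    A filter rule suppresses the alarm for the matching address set only; a
    disable rule is modelled as suppressing the signature everywhere.
    """
    kept = []
    for alarm in alarms:
        severity = alarm.severity
        suppressed = False
        for rule in rules:
            if not rule.matches(alarm):
                continue
            if rule.action in ("filter", "disable"):
                suppressed = True
                break
            if rule.action == "severity" and rule.new_severity in SEVERITIES:
                severity = rule.new_severity
        if not suppressed:
            kept.append(Alarm(alarm.sig_id, severity, alarm.src, alarm.dst))
    return kept


def worth_review(alarms: List[Alarm], minimum: str = "medium") -> List[Alarm]:
    """Keep only alarms at or above the minimum severity (High/Medium by default)."""
    floor = SEVERITIES.index(minimum)
    return [a for a in alarms if SEVERITIES.index(a.severity) >= floor]


# Constructed sample alarms. 3401 is the signature the thread mentions;
# 9001/9002/9003 are placeholder IDs, not real Cisco signature numbers.
ALARMS = [
    Alarm(3401, "high", "10.1.2.20", "10.1.5.7"),      # from a known-good subnet
    Alarm(3401, "high", "198.51.100.9", "10.1.5.7"),   # from outside: stays High
    Alarm(9001, "medium", "10.1.9.4", "10.1.5.8"),     # to be downgraded to Low
    Alarm(9002, "low", "10.1.9.4", "10.1.5.8"),        # signature disabled
    Alarm(9003, "informational", "10.1.9.4", "10.1.5.8"),
]

# Constructed tuning decisions taken after analysing the High alarms.
RULES = [
    TuningRule(3401, address_set="10.1.2.0/24", action="filter"),
    TuningRule(9001, action="severity", new_severity="low"),
    TuningRule(9002, action="disable"),
]

if __name__ == "__main__":
    remaining = apply_tuning(ALARMS, RULES)
    for a in worth_review(remaining):
        print(f"sig {a.sig_id} {a.severity}: {a.src} -> {a.dst}")
```

Running it leaves only the external 3401 alarm in the review queue, which is the outcome the workflow aims for: the tuned-out traffic no longer costs analyst time, while the same signature from an unexpected source is still surfaced at its original severity.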

Regarding "A side note to keep in mind is that some switches may require extra parameters on the span port to allow TCP Reset packets from the sensor to come in on the span port" - So, on the Cat6500 we have the TCP Reset port. On others the sniffing port is used and we could need extra commands for the TCP Reset. Do you mean other models of Cisco's switches, or another brand? If it is also on Cisco switches, could you show which commands, or a document where we can find that? And also, how can we see that the switch is not letting the TCP Reset from the sensor pass?

Thanks in advance,

Paula Pannuzzo

The IDSM-2 for the Cat 6500 has a 3rd port that is the TCP Reset port. When using an IDSM-2 you want to make sure the TCP Reset port (port 1) has the same Native Vlan as the 2 sniffing ports (ports 7 and 8).

The IDS-4250-XL also has a 3rd port that is the TCP Reset port. Just like with the IDSM-2 you will need to make sure the TCP Reset port has been assigned to the same vlans as the 2 sniffing ports.

The other IDS-42xx models will send TCP Resets out of the Sniffing port on which the alarm was detected. When configuring span to send packets to the sniffing port you will need to determine the following:

1) Does the switch allow incoming packets on the Span port. Some switches do and some switches don't. You would need to read the documentation for your switch. If the switch does not allow incoming packets then TCP Resets won't work in your setup.

2) Does the switch require a special parameter to be used on the span command to allow incoming packets? The Cat 6500 requires "inpkts enable" be added to the span command to allow the incoming TCP Reset packets:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/confg_gd/span.htm#1033304

One way to tell if the switch is allowing the incoming packets:

1) Configure a signature to execute TCP Resets. (I usually configure sig 3401 for this test)

2) Execute the attack and see if the connection is Reset (For signature 3401 you just need to telnet to a box and type "IFS=/"; if the sensor fires the alarm then the connection should be Reset if the switch is allowing TCP Resets)

Additionally most switches have a "show count" or similar command to see the packet counts on each port. Execute the "show count" on the sensor port and see if the packet counter is increasing for incoming packets. If it is then there is a high possibility that the switch is accepting incoming packets.

rwebster
Level 1

I need to stage a bunch of 4235's and want to script the configuration and patching. I need to get the Internal networks, Filters and Signatures from an existing 4.1 sensor and copy it to the new ones. Can you explain how to do this manually? I want to do whatever the IDSMC copy wizard does manually.

I guess this depends on the level of scripting you are willing to do.

First let us consider some options to make manual configuration a little bit faster.

The “show configuration” command contains a listing of all of the command line configuration entries for the sensor with the exception of usernames and passwords.

I will often configure one sensor using IDS MC, or IDM, or the CLI with all of the parameters I need.

Then on that one sensor I will execute the “show configuration” command to see what the resulting cli commands were for that configuration.

I will then take portions of the “show configuration” output and simply paste them into a text window on my pc. I will make any other changes I feel are necessary. Then copy the commands again and paste them into my telnet or ssh connection to another sensor.

Here are some basic tips:

In “show configuration” you will see lines with “!-----------“. These lines are just logical separators for the different configuration areas. When first using this technique it is best to concentrate on one configuration area at a time.

At the end of each configuration you will generally see one or more “exit” commands.

What you can do is copy ONE of these configuration areas, then on another sensor enter the “configure terminal” mode. Then paste in the commands for that configuration area, including the exits. If any of your pasted commands changes the configuration of the sensor then you will generally be prompted whether or not to save those configuration changes. You will need to respond with “yes” to the question. This “yes” answer is not part of the “show configuration” output.

Once you’ve tried this a few times you will realize that you can in most cases simply put in a “yes” at the end of most of the configuration areas and the changes will be saved. In most cases the “yes” needs to go before the last exit for that configuration area.

Another thing to keep in mind is that the “service virtual-sensor-configuration virtualSensor” and “service alarm-channel-configuration virtualAlarm” configuration areas have some interaction to be aware of.

If you were to paste in the “service virtual-sensor-configuration” and answer “yes” to the changes, then sensorApp who is accepting these configuration changes will proceed to analyze the changes to the configuration and begin reconfiguring itself. Depending on the configuration changes these changes could take a few minutes. There will be a “Processing Changes” message that will appear. When this message goes away the configuration changes have been accepted. However, it will still be another minute or two before sensorApp is ready for more configuration commands as there are still a few more steps for it to do.

If you were to immediately paste in the “service alarm-channel-configuration virtualAlarm” configuration area commands then you would receive error after error because sensorApp is still reconfiguring itself.

So once you paste in the “service virtual-sensor-configuration virtualSensor” configuration area commands and answering “yes”, it is best to wait a few minutes. Then execute just the command line “service alarm-channel-configuration” and the “tune-alarm-channel” command. If you receive an error then wait a few more minutes and try again. If it changes into the tuning mode then go ahead and paste the rest of the commands.

When doing the virtualSensor configuration, you will notice that it is subdivided by Engines and then again by Signatures. When you copy and paste these commands into your text window you can easily delete any Signature line and its corresponding “exit” line for each signature that you are not modifying. This will make the changes a little bit cleaner before pasting them into your next sensor.

Just so you know where to look, the signature configuration is in the “service virtual-sensor-configuration virtualSensor” configuration area, and the Internal Networks and Filters are part of the “service alarm-channel-configuration virtualAlarm” configuration area.

If you find you will be doing this type of thing often, then you can try to go the extra step.

Here in our test lab we create expect scripts to do these types of configurations on multiple sensors. Expect is a scripting language that can be used to emulate human interaction, and works well for automating configurations with IDS sensors.

But I would only try this if it were something you would be doing on a regular basis as writing these scripts can be time consuming.

Additionally for really advanced users you could ask for copies of the RDEP (Remote Data Exchange Protocol) and IDIOM (Intrusion Detection Interchange and Operations Messages) specifications. These are detailed specifications of how management applications can communicate with the sensor and send configurations directly to the underlying components in a native xml format rather than going through the standard CLI.

These specifications though are highly technical and are really only meaningful to experienced software developers. They are primarily geared toward our partner companies. If you are still interested you would either need to contact the TAC or your Cisco Representative and sign the necessary forms to get access to the specifications.

If you would like an example of how to copy the config and paste into another sensor's CLI session, then let me know and I will put one together for you.

You could use the "copy" command and copy one of the sensors configs off to a secure (scp) or ftp server:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#377910

Then use it again to bring the config in. It copies off a set of CLI commands that you can script.

fmarotta
Level 1

Is the headless CSA agent out for callmanager yet? If so where can i get it?

This is nearing final stages of testing and will soon be released.

When released, the Version 1.1 of the CallManager headless CSA agent will be posted to the CallManager Software Center page on Cisco.com

david.d
Level 1

Is there a document describing how to backup CTR and Event Viewer? This is for non-VMS installations. Is it as simple as shutting down the My SQL service on IEV and Apache, CSIDS Data Feed and My SQL on CTR? If so, is there any particular order?

With CTR there is a "Archive" option in the Manage Alarms menu of the viewer that will archive the alarms and CTR investigation information for the alarm:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/threat/ctr20/userguid/15289ch7.htm#1031651

This option will create a jar file that you can later open with winzip. The resulting files can be then loaded into a mysql database.

CTR does not currently have the option for importing these archived files, and does not have an option for exporting or importing the CTR configuration data. Requests for these features have been passed to the development team and are being considered for a future version.

IEV has a feature to export the alarm tables into a CSV format and then re-import them at a later time.

Refer to the Database Administration section (the last section) of the following document:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm

Backing up the SQL databases for either CTR or IEV is not supported. I am not sure what the steps would be to try it.

bfl1
Level 1

I am running IDS version 4.1 and am configuring with IDS Device manager. How can I configure email alerts?

Thanks.

I only have LMS but it seems alerting would occur through VMS. If you are running VMS take a look there. Since my installation uses the stand alone Event Viewer and Threat Response there are no tools for alerting. Although I'm looking for other ways to create some level of alerting with what I have.

Email Notifications are currently only supported directly within Security Monitor which is part of VMS.

NOTE: VMS is a management tool geared for enterprise customers and is available at an extra cost.

The management software available at no extra charge (IDM, IEV, and the trial version of CTR) does not currently have any email notification features.

Alternatives to consider:

If you are using CTR, then CTR does have the ability to send SNMP Traps for alarms. If you have an SNMP tool capable of sending email notifications then you could have CTR send SNMP Traps to this other tool.

If your sensors are version 4.x, then you can contact the TAC and ask for access to the Remote Data Exchange Protocol specification (RDEP). RDEP describes the protocol for building your own client to connect to the sensor and pull alarms. You would write your own RDEP client to pull the alarms and send email notifications.

sros
Level 1

How do I set up nic card to full 100 on 4210 appliances? Thanks,