Intrusion detection systems are extremely helpful tools that aid security administrators in the ever-evolving task of securing the network. Using a variety of techniques previously discussed, these systems can monitor and alert the security team in many potentially harmful situations. This does not imply, however, that IDS are invincible. The art of managing intrusion detection systems is not simple and requires constant effort and attention.
We have already discussed several limitations of each type of intrusion detection system. All varieties can suffer from information overload in bandwidth-intensive networks, and most IDS require constant tuning and support. For instance, if signature-based IDS are not updated with the latest, most prevalent attack signatures, they will be ineffective against newly discovered vulnerabilities. Likewise, should new network applications be added or altered on the network, anomaly-based IDS must again run baselines against the new “normal” network state. Even if IDS are properly maintained and updated, the security team must respond properly and quickly to security events; otherwise the IDS is useless.
Network IDS must be positioned properly in the network, and the network infrastructure must be appropriately configured to deliver traffic to the IDS. In most modern networks, and certainly in large network environments, one IDS will not suffice. Multiple IDS (and oftentimes multiple types of IDS) are therefore required for effective detection coverage, which necessitates good management practices and, potentially, the use of IDS event correlation and aggregation servers.
There also exist methods by which an attacker may render IDS ineffective. These include DoS attacks directed at IDS infrastructure and other more focused attacks. For instance, if a hacker overloads a network with decoy attack signatures, he or she may be able to secretly exploit other code simultaneously and remain undetected by the IDS.
Another way attackers may elude IDS is through an act known as session slicing. This can occur when a malicious payload is successfully delivered over multiple packets and may defeat simple pattern- or signature-matching mechanisms. Oftentimes, this payload can be delivered over long time periods using various means, which leads to another vulnerability of IDS: slow scanning. Many IDS do not recognize attacks that occur over extended periods of time. If an attacker is patient enough, he or she may be able to elude IDS simply by working slowly.
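The two evasions just described, session slicing and slow scanning, shown as an added example that is not from the book: a per-packet signature matcher beside a stream-reassembling one, and a distinct-port counter run with a short window versus a long one. The signature, the TCP segments and the connection timestamps are all constructed sample data, not real rules or captured traffic.

```python
"""Added example (not from the book): two IDS evasions from the text, each run
against a naive detector and a corrected one. All segments, timestamps and the
signature are constructed sample data, not real IDS rules or captured traffic."""
from collections import defaultdict

SIGNATURE = b"cmd.exe"  # constructed content pattern standing in for a real rule

# Constructed TCP segments of one session as (seq, payload), deliberately sent out
# of order and sliced so that no single segment carries the whole signature.
SEGMENTS = [
    (1, b"POST /upload HTTP/1.0\r\nX-Tool: cm"),
    (38, b"e\r\n\r\n"),
    (34, b"d.ex"),
]

def per_packet_match(segments, sig=SIGNATURE):
    """Naive matcher: inspects each segment on its own, so a sliced payload is missed."""
    return any(sig in payload for _, payload in segments)

def reassembled_match(segments, sig=SIGNATURE):
    """Stream-aware matcher: orders segments by sequence number and joins them
    before matching, which is what defeats simple session slicing."""
    stream = b"".join(p for _, p in sorted(segments, key=lambda s: s[0]))
    return sig in stream

# Constructed connection attempts as (timestamp_seconds, src, dst_port): one new
# port every ten minutes, i.e. a slow scan that stays under short-window thresholds.
ATTEMPTS = [(i * 600, "10.0.0.7", 20 + i) for i in range(12)]

def scan_alert(attempts, window, threshold):
    """Return the first source that touches at least `threshold` distinct ports
    within any span of `window` seconds, or None. A short window misses the slow
    scan; a long window (hours) catches it at the cost of keeping more state."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(attempts):
        by_src[src].append((ts, port))
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                return src
    return None

if __name__ == "__main__":
    print("per-packet:", per_packet_match(SEGMENTS))      # False: evasion succeeds
    print("reassembled:", reassembled_match(SEGMENTS))    # True
    print("60 s window:", scan_alert(ATTEMPTS, 60, 5))    # None: evasion succeeds
    print("2 h window:", scan_alert(ATTEMPTS, 7200, 5))   # 10.0.0.7
```

The longer window is the trade-off the text alludes to: catching patient attackers means retaining per-source state for hours rather than seconds.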
IDS can also be bypassed by changing the default manner in which applications or network communications operate. For instance, if a signature-based system is looking for Back Orifice connections on TCP port 31337, a hacker might simply change the TCP port to avoid detection. Similarly, if an attacker changes the sequence of exploit events, he or she may not trigger common network signature alert routines.
Finally, proxy attacks and spoofing are ways in which attack traffic may appear from internal, trusted hosts and may, therefore, be ignored by IDS.
Summary
We discussed several important security concepts and designs, and IDS types and functions in this chapter. The idea that network and systems security is essential in the modern enterprise environment is of utmost importance. Industry and government financial losses themselves merit the inclusion of good security practices, let alone the lost productivity and effort spent combating security events.
To assist security architects, Cisco created two comprehensive guides for the secure, modular, and efficient design and deployment of network security. Cisco AVVID provides the notion of a single, IP-based, resilient network infrastructure that acts as the foundation for all enterprise e-business and mission-critical operations. SAFE, when used in combination with AVVID, provides a complete security overlay that addresses all enterprise security options in a modular format. These guides, Cisco AVVID and Cisco SAFE, both provide indispensable and detailed information and should be fully understood by those charged with building today’s network infrastructure.
Cisco also created a methodology known as the Cisco Security Wheel to aid in thorough and dynamic security management and operations. The Security Wheel is a cyclical process involving security policy, network security, monitoring and response, regular testing, and evolving management.
Through use of the Security Wheel, security teams can effectively respond to the four Cisco-identified primary threats and three attack types. The four threats include structured and unstructured threats, and internal and external threats. The three types of attacks are reconnaissance, access, and DoS attacks.
Finally, we examined the types and functions of intrusion detection systems. Host and Network IDS are the most deployed in networks, but there are other types of IDS, such as honeypots and Hybrid IDS. Most of these devices alert administrators about potential attacks via signature matching or anomalous event detection.
In preparation for the Cisco Secure Intrusion Detection Systems Exam, you should be well versed in these topics. Specifically, you should know and understand the underlying principles of network security in terms of Security Policy and practice. You should also be very familiar with intrusion detection terminology and the various means by which IDS function. Regardless of IDS functionality, it is important to know that no IDS is invincible. There are several means by which hackers can elude IDS, which makes a holistic security stance extremely important in the enterprise.