Host ID
The Host ID is set to any number greater than zero. For example, one Sensor might be assigned number 1, a Director is assigned 2, and another Sensor is assigned 3.
Organizational ID
The Organizational ID is any number greater than zero. This is commonly used to group devices together according to region or function. For example, all Sensors and Directors in South America could be assigned 2000, while all Sensors and Directors within North America are assigned 3000. This makes it easier for the administrator of a large system to know where a device is located.
The Host and Organizational IDs are combined by placing a period (.) between them, Host ID first. Examples of this are 3.2000 and 2.2000.
Alpha Identifiers
Associated with the Host and Organizational IDs are the Host Name and Organization Name, respectively. The names are joined together in the same manner as their numeric counterparts, and they also make devices easier to identify. For example, Sensors might be labeled sensor1.southamerica and sensor2.southamerica, while Directors might be labeled director1.northamerica or director2.northamerica. Although no rule requires any particular naming convention, labeling devices logically and consistently greatly eases both administration and the training of new personnel.
The Application Identifier is a statistically unique number assigned by the software. Combined with the Host and Organizational IDs, it gives a three-part Identifier that should always be unique. These identifiers are used to route all communications between devices.
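Because communications are routed on these identifiers, a duplicated host.org pair or an Organizational ID labeled with two different names is an administration error worth catching before deployment. The following is an added example, not code from the CSIDS product: it parses identifiers exactly as described above (integers greater than zero joined by a period, names joined the same way) and audits a constructed inventory for such mistakes. The permitted characters for names, the 32-bit size used for a stand-in Application ID, and the inventory rows are assumptions.

```python
"""Audit a CSIDS-style device inventory for identifier mistakes.

Added example for this section, not code from the CSIDS product. It encodes
only what the text states: Host ID and Organizational ID are integers greater
than zero joined by a period (3.2000); Host Name and Organization Name are
joined the same way (sensor1.southamerica); the Application ID is a number the
software assigns. The permitted characters for names and the 32-bit size of
the Application ID are assumptions, and the inventory is constructed data.
"""
import re
import secrets
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

NUMERIC_ID = re.compile(r"^(\d+)\.(\d+)$")
ALPHA_ID = re.compile(r"^([A-Za-z0-9-]+)\.([A-Za-z0-9-]+)$")   # assumed charset


@dataclass(frozen=True)
class DeviceId:
    host_id: int
    org_id: int
    host_name: str
    org_name: str
    app_id: int

    @property
    def numeric(self) -> str:
        return f"{self.host_id}.{self.org_id}"

    @property
    def alpha(self) -> str:
        return f"{self.host_name}.{self.org_name}"


def parse_device(numeric: str, alpha: str, app_id: Optional[int] = None) -> DeviceId:
    """Parse 'host.org' and 'hostname.orgname', enforcing the > 0 rule."""
    m = NUMERIC_ID.match(numeric)
    if not m:
        raise ValueError(f"bad numeric identifier {numeric!r}: expected host.org")
    host_id, org_id = int(m.group(1)), int(m.group(2))
    if host_id <= 0 or org_id <= 0:
        raise ValueError(f"{numeric}: Host and Organizational IDs must be greater than zero")
    a = ALPHA_ID.match(alpha)
    if not a:
        raise ValueError(f"bad alpha identifier {alpha!r}: expected hostname.orgname")
    if app_id is None:
        # Stand-in for the software-assigned Application ID (assumed 32-bit).
        app_id = secrets.randbits(32)
    return DeviceId(host_id, org_id, a.group(1), a.group(2), app_id)


def is_valid(numeric: str, alpha: str) -> bool:
    try:
        parse_device(numeric, alpha, app_id=0)
        return True
    except ValueError:
        return False


def audit(devices: Sequence[DeviceId]) -> List[str]:
    """Report duplicate numeric or alpha identifiers and inconsistent org labels.

    Routing is keyed on the identifier, so two devices sharing host.org is an
    administration error even if their Application IDs differ.
    """
    problems = []
    by_numeric = {}
    by_alpha = {}
    org_labels = {}
    for d in devices:
        if d.numeric in by_numeric:
            problems.append(f"duplicate {d.numeric}: {by_numeric[d.numeric].alpha} and {d.alpha}")
        by_numeric.setdefault(d.numeric, d)
        if d.alpha in by_alpha:
            problems.append(f"duplicate {d.alpha}: {by_alpha[d.alpha].numeric} and {d.numeric}")
        by_alpha.setdefault(d.alpha, d)
        # One Organizational ID should carry one Organization Name.
        label = org_labels.setdefault(d.org_id, d.org_name)
        if label != d.org_name:
            problems.append(f"org {d.org_id} labelled both {label!r} and {d.org_name!r}")
    return problems


# Constructed inventory following the text's South/North America example,
# with two deliberate mistakes in the last rows.
INVENTORY: List[Tuple[str, str]] = [
    ("1.2000", "sensor1.southamerica"),
    ("2.2000", "director1.southamerica"),
    ("3.2000", "sensor2.southamerica"),
    ("1.3000", "sensor1.northamerica"),
    ("2.3000", "director1.northamerica"),
    ("3.2000", "sensor3.southamerica"),   # Host ID 3 reused within org 2000
    ("4.3000", "sensor4.southamerica"),   # org 3000 is North America elsewhere
]


def audit_inventory(rows: Sequence[Tuple[str, str]]) -> List[str]:
    return audit([parse_device(n, a, app_id=i + 1) for i, (n, a) in enumerate(rows)])


if __name__ == "__main__":
    for problem in audit_inventory(INVENTORY):
        print(problem)
```

Run as a script, it lists the two planted problems: the reused 3.2000 and the Organizational ID 3000 carrying two different names. The Application ID is fixed per row in the audit so the output is deterministic; in the product it is assigned by the software, as the text says.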
The Sensor, the Post Office Protocol, and the Director work together to form the CSIDS. The next sections delve deeper into a discussion of the hardware associated with the CSIDS Sensor, an explanation of the Post Office Protocol, and a discussion of the requirements for the CSIDS Director.
The CSIDS Sensor
The CSIDS Sensor comes in two basic models. The first model is a standalone rack-mountable version, and the second model is a Catalyst switch module, also called a blade, residing within the Catalyst 6000 series.
With the standalone rack-mountable version, there is a floppy disk provided for software upgrades and password recovery. The front cover is also lockable.
The standalone model number depends on the type of network interface used for monitoring. The CSIDS Sensor can be used on Ethernet, Fast Ethernet, single or dual FDDI, and Token Ring. There are a number of connections available on the back of the Sensor.
The rear of the Sensor has connections for power, a COM port, and monitor and keyboard ports, the latter three being used for initial configuration. The COM port is connected to a computer in the same manner as a router's console port.
Notice that there are two network interface ports on the rear of the Sensor. The built-in horizontal network port, called the Command NIC, is used for communications with routers and the Director. The vertically mounted Monitoring NIC port is used to monitor the network segment. Although a standard Ethernet connection could be used to monitor a network made up of Fast Ethernet links, such a configuration could easily oversubscribe the Ethernet link because of the large amount of traffic that typically traverses such a network. Both NICs must be connected for the Sensor to operate properly.
When connecting the Monitoring NIC to a switch, ensure that SPAN (port monitoring) is enabled for that port within the switch. Because a switch, by default, forwards frames only to the port where the destination is located, failing to enable port monitoring leaves the Sensor unable to see attacks that are not directed toward the Sensor itself (or flooded to every port, such as broadcasts). If multiple VLANs are in use, the Sensor can monitor more than one VLAN through the Monitoring NIC port, provided the switch is configured with port monitoring on the desired VLANs.
The second form of the CSIDS Sensor is the blade module for the Catalyst line of switches. This version of the Sensor becomes an integral part of the switch, and its advantage is that all data destined for the Sensor travels over the backplane of the switch. Assume for a moment that the network you wish to monitor uses a Cisco Catalyst 6509 with four 48-port Fast Ethernet modules. There is a very real possibility that the amount of data traveling through this switch could exceed the capacity of the single Fast Ethernet connection of the Monitoring NIC on a standalone Sensor. Having this data travel over the backplane on the blade version means that the amount of data inspected is not limited by a Fast Ethernet connection (100 Mbps); the limit is instead the processing speed of the Sensor itself. The configuration of the Sensor is virtually the same whether the standalone or the blade version is used. Because a larger number of the standalone versions are in use, the remainder of this section focuses on that form of the Sensor.
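The SPAN requirement above can be verified from the Sensor side. On a port that is not a SPAN destination, the only frames the Monitoring NIC receives are broadcasts, multicasts, and unicasts addressed to the NIC itself, so seeing unicast frames addressed to other hosts proves the mirror is active, and seeing none means the Sensor is blind to everything but traffic aimed at it. The following is an added example, not code from the CSIDS product: it classifies raw Ethernet frames that way and also reports the 802.1Q VLAN IDs present, which helps confirm that each intended VLAN is being mirrored when the switch delivers the mirrored frames tagged. The MAC addresses and frames are constructed test data; in use, feed the function frames captured from the Monitoring NIC.

```python
"""Sensor-side check that a switch port is really mirroring traffic.

Added example for this section, not code from the CSIDS product. Without SPAN
a switch delivers only three kinds of frame to the Monitoring NIC: broadcasts,
multicasts, and unicasts addressed to the NIC itself. Unicast frames addressed
to other hosts therefore prove the mirror is working, and their absence means
the Sensor is blind to everything but traffic aimed at it. The MAC addresses
and frames below are constructed test data; in use, feed the function frames
captured from the Monitoring NIC.
"""
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

ETHERTYPE_8021Q = 0x8100      # IEEE 802.1Q VLAN tag
ETH_HDR_LEN = 14              # dst(6) + src(6) + EtherType(2)
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vlan is given."""
    tag = b""
    if vlan is not None:
        tag = ETHERTYPE_8021Q.to_bytes(2, "big") + (vlan & 0x0FFF).to_bytes(2, "big")
    return dst + src + tag + ethertype.to_bytes(2, "big") + payload


def classify_frame(frame: bytes, own_mac: bytes) -> Tuple[str, Optional[int]]:
    """Return (category, vlan_id) for one frame.

    'broadcast' and 'multicast' are flooded by any switch; 'own' is addressed
    to this NIC; 'foreign' is unicast to another host and is only seen on a
    SPAN destination port. vlan_id is the 802.1Q VID if the frame is tagged.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    ethertype = int.from_bytes(frame[12:14], "big")
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q and len(frame) >= ETH_HDR_LEN + 4:
        tci = int.from_bytes(frame[14:16], "big")   # PCP(3) DEI(1) VID(12)
        vlan_id = tci & 0x0FFF
    if dst == BROADCAST:
        return "broadcast", vlan_id
    if dst == own_mac:
        return "own", vlan_id
    if dst[0] & 0x01:                               # group bit set
        return "multicast", vlan_id
    return "foreign", vlan_id


def span_check(frames: Iterable[bytes], own_mac: bytes) -> Dict[str, object]:
    """Summarise what the Monitoring NIC saw and decide whether SPAN is active."""
    counts: Counter = Counter()
    vlans = set()
    for frame in frames:
        category, vlan_id = classify_frame(frame, own_mac)
        counts[category] += 1
        if vlan_id is not None:
            vlans.add(vlan_id)
    return {
        "counts": dict(counts),
        "vlans": sorted(vlans),
        "mirroring_works": counts["foreign"] > 0,
    }


# Constructed addresses and frames.
SENSOR_MAC = mac("00:10:7b:aa:bb:01")
HOST_A = mac("00:50:56:00:00:0a")
HOST_B = mac("00:50:56:00:00:0b")
IP_STUB = b"\x45" + b"\x00" * 27           # placeholder IPv4 payload

# What an ordinary access port delivers: flooded frames and frames to the Sensor.
NO_SPAN_FRAMES = [
    build_frame(BROADCAST, HOST_A, 0x0806, b"\x00\x01" + b"\x00" * 26),   # ARP request
    build_frame(mac("01:00:5e:00:00:01"), HOST_A, 0x0800, IP_STUB),       # IP multicast
    build_frame(SENSOR_MAC, HOST_A, 0x0800, IP_STUB),                     # to the Sensor
]
# The same port once it is a SPAN destination for VLANs 10 and 20.
SPAN_FRAMES = NO_SPAN_FRAMES + [
    build_frame(HOST_B, HOST_A, 0x0800, IP_STUB, vlan=10),
    build_frame(HOST_A, HOST_B, 0x0800, IP_STUB, vlan=10),
    build_frame(HOST_B, HOST_A, 0x0800, IP_STUB, vlan=20),
]

if __name__ == "__main__":
    print("no SPAN :", span_check(NO_SPAN_FRAMES, SENSOR_MAC))
    print("with SPAN:", span_check(SPAN_FRAMES, SENSOR_MAC))
```

The first set of frames yields no "foreign" unicasts and an empty VLAN list, which is exactly what a Sensor plugged into an un-mirrored port would report; the second yields three foreign frames across VLANs 10 and 20. Whether mirrored frames arrive tagged depends on the switch's SPAN encapsulation setting, so an empty VLAN list on its own does not prove the mirror is broken; the foreign-unicast count is the decisive signal.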