
Gartner

© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be

Cisco Systems’ Intrusion Detection System

Summary

Cisco’s acquisition of OKENA adds a host-based intrusion prevention product to its range of network-based intrusion-detection products, but it still lacks full in-line intrusion-prevention capability.

Table of Contents

• Overview
• Analysis
• Pricing
• Competitors
• Strengths
• Limitations
• Insight

List of Tables

• Table 1: Overview: Cisco Systems Cisco IDS
• Table 2: Features and Functions: Cisco IDS: Technology Infrastructure Characteristics
• Table 3: Features and Functions: Cisco IDS: Ruleset Characteristics
• Table 4: Features and Functions: Cisco IDS: Performance Characteristics
• Table 5: Features and Functions: Cisco IDS: Response Characteristics
• Table 6: Features and Functions: Cisco IDS: Operational Characteristics
• Table 7: Features and Functions: Cisco IDS: Management Characteristics
• Table 8: Features and Functions: Cisco IDS: Security Characteristics
• Table 9: Features and Functions: Cisco IDS: Support Characteristics
• Table 10: Price List: Cisco IDS


Corporate Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706, U.S.A.

Tel: +1 408 526 4000

Internet: www.cisco.com

E-Mail: [email protected]

Overview

Cisco Intrusion Detection System (IDS) combines Cisco’s real-time network-based IDS (NIDS) products with Cisco Security Agent, a host-based intrusion prevention system (HIPS) for servers and desktops. Cisco IDS is one component of the vendor’s security product line, which also includes firewalls, virtual private network (VPN) devices, authentication software and security management.

NIDS Components

Cisco IDS 4200 Series Sensors are dedicated IDS appliances that can be deployed wherever they are needed in the network architecture. Four performance levels are available:

• IDS 4215 Sensor: 80 Mbps
• IDS 4235 Sensor: 250 Mbps
• IDS 4250 Sensor: 500 Mbps
• IDS 4250 XL Sensor: 1000 Mbps

IDSM-2 Module for the Catalyst 6500 chassis integrates full IDS capabilities into the Cisco Catalyst switch as a dedicated module, providing integrated protection at 600 Mbps.

IDS Network Module for the Cisco Access Routers (Cisco 2600XM, 2691 and 3700 series) is a router-integrated line card that delivers 45 Mbps of full-featured protection. Because the module sits in the router that terminates IPsec (Internet Protocol security) VPN and Generic Routing Encapsulation (GRE) tunnels, it can inspect that traffic after decryption and tunnel termination, at the first point of entry into the network.

Router sensor provides a focused set of IDS capabilities through a Cisco IOS Software solution integrated into the router OS. The router sensor can drop malicious packets when an alarm triggers.

Firewall sensor provides a focused set of IDS capabilities through a software solution integrated into the PIX firewall OS. The firewall sensor can also drop malicious packets when an alarm triggers.

Cisco Threat Response provides automated investigation of NIDS security events, helping to eliminate false alarms, escalate critical attacks and aid remediation of intrusions. NIDS events are sent to the Threat Response server for analysis and then forwarded to the security event monitor together with the results of the investigation.


DPRO-93505

Cisco’s host-based intrusion prevention solution consists of agents that can be deployed on mission-critical desktops and servers (“end-points”) and a management console.

The Cisco Security Agent (CSA) resides between the applications and the kernel, enabling maximum application visibility with minimal effect on the stability and performance of the underlying operating system. The agent can intercept all system calls to:

• File, network and registry resources
• Dynamic runtime resources, such as memory pages, shared library modules and Component Object Model (COM) objects

When an application attempts an operation, the agent checks the operation against the organization’s security policy for that application and makes a real-time decision to block malicious or undesirable behavior. The agent also logs blocked attempts as specified in the policy.

Because the protection provided by the default policies is based on blocking malicious behavior rather than on matching known attacks, the agent stops both known and unknown attacks without needing signature updates.

The Cisco Security Agent Manager provides centralized management functions for all CSAs. Agents are deployed to servers and desktops directly from the Cisco Security Agent Manager and are controlled and updated from this manager.

Table 1: Overview: Cisco Systems Cisco IDS

Version:
• Network Sensor v.4
  — IDS-4215: 1-RU: 80 Mbps
  — IDS-4235: 1-RU: 250 Mbps
  — IDS-4250: 1-RU: 500 Mbps
  — IDS 4250 with Hardware Assist: 1-RU: 1 Gbps “true line speed”
  — Switch Sensor (IDSM2): 600 Mbps
  — IDS Network Module for Cisco Access Routers: 45 Mbps
• Firewall Sensor
• Router Sensors
• CiscoWorks VMS v.2.2 (IDS Management)
• Cisco Security Agent 4.0

Date Announced/GA:
• IDS-4235 and IDS-4250: May 2002
• IDS 4250XL: February 2003
• IDS 4215: June 2003
• IDSM2: February 2003
• IDS Network Module: June 2003
• CSA: June 2003

Installed Base: Thousands of sensors deployed in (undisclosed) organizations worldwide.
• North America: (undisclosed)
• Latin America: (undisclosed)
• Europe, Middle East and Africa (EMEA): (undisclosed)
• Asia/Pacific: (undisclosed)


Table 2: Features and Functions: Cisco IDS: Technology Infrastructure Characteristics

Operating Systems (Cisco Security Agent)

Server Agent, Windows:
• Microsoft Windows NT v.4.0 Server (Service Pack 5 or later)
• Microsoft Windows NT v.4.0 Enterprise Server (Service Pack 5 or later)
• Microsoft Windows 2000 Server (up to Service Pack 3)
• Microsoft Windows 2000 Advanced Server (up to Service Pack 3)

Server Agent, Solaris:
• Sun Solaris 8 SPARC architecture (64-bit kernel)

Desktop Agent:
• Microsoft Windows NT v.4.0 Workstation (Service Pack 5 or later)
• Microsoft Windows 2000 Professional (up to Service Pack 3)
• Microsoft Windows XP Professional (up to Service Pack 1)

Network Topology

Cisco IDS 4200 Series:
• Cisco IDS 4215: up to 80 Mbps in T1/E1 and T3 networks; can simultaneously protect up to five subnets.
• Cisco IDS 4235: up to 250 Mbps in switched environments, on multiple T3 subnets and (with 10/100/1000 interfaces) on partially utilized gigabit links.
• Cisco IDS 4250: up to 500 Mbps in gigabit subnets and traffic traversing switches (used to aggregate traffic from numerous subnets); with a hardware upgrade, can scale to full line-rate gigabit performance.
• Cisco IDS 4250-XL: up to 1 Gbps (through customized hardware acceleration) in fully saturated gigabit links as well as multiple partially utilized gigabit subnets.

IDSM2: monitors up to 600 Mbps of traffic directly from the backplane of the Catalyst switch.

IDS Network Module (in Cisco Access Routers): delivers functionality to remote and branch offices; enables inspection of IPsec- and GRE-encapsulated traffic after the router has decrypted or decapsulated it.

Router sensor: integrated into Cisco routers; can drop malicious packets when an alarm triggers.

Firewall sensor: integrated into Cisco PIX firewalls.

Network sensors can be deployed in front of a firewall, behind a firewall, in a transaction zone (demilitarized zone [DMZ]), on internal network subnets, at a switch that is being used to aggregate traffic, at branch offices, within the router and within the switch. The sensors are virtual local-area network (VLAN) aware, so they can be deployed in switched environments.

Switched Network Capability

Cisco’s Switch Sensor line card resides within the Catalyst 6000 chassis. It works from copies of the IP packets taken from the backplane, without affecting the performance of the switch, and it can monitor 802.1q trunked traffic spanning multiple VLANs. An organization can also use VLAN access control lists (VACLs) to define the traffic it wants sent to the card, or to split the traffic across multiple cards. The conventional alternative, a standalone sensor attached to a switched port analyzer (SPAN) port, relies on traffic spanning, which has the following limitations:
• Limited number of SPAN ports
• Monitors only a single VLAN of traffic per SPAN port
• Cannot monitor 802.1q traffic


Network Protocols

Cisco’s NIDSs can decode and monitor:
• ICMP
• IP v.4
• TCP
• UDP
• Institute of Electrical and Electronics Engineers (IEEE) 802.3 (Ethernet)
• NetBIOS
• IEEE 802.5 (Token Ring)
• IEEE 802.1q (VLAN)/trunked traffic

Network Application Protocols

The network application protocols monitored by Cisco IDS include but are not limited to:
• Domain Name System (DNS)
• FTP
• HTTP
• Identification (IDENT)
• Internet Message Access Protocol (IMAP)
• Line Printer Request (LPR)
• Network News Transfer Protocol (NNTP)
• Network Time Protocol (NTP)
• Post Office Protocol (POP)
• RPC (various programs)
• Remote Shell (RSH)
• Server Message Block (SMB)
• Simple Mail Transfer Protocol (SMTP)
• Simple Network Management Protocol (SNMP)
• SSH (HIDS only; encrypted on the wire, so visible only to the host agent)
• SSL/Transport Layer Security (TLS) (HIDS only, for the same reason)
• Telnet

Applications

Web and application servers: the NIDS can detect and react to attacks targeting Web applications; the HIDS can protect the Web application from compromise.
• Apache: HIDS/NIDS
• IBM WebSphere Application Server: NIDS only
• Sun ONE Web Server: HIDS/NIDS
• Microsoft IIS: HIDS/NIDS

Customizable System Log/Audit Record Definition

The Cisco Security Agent collects and correlates user-selected audit events.

Customizable Protocol Definition

An organization can use the Threat Analysis Micro Engine (TAME) language to customize rules for new protocols or applications.

Table 3: Features and Functions: Cisco IDS: Ruleset Characteristics

Detection Method

Cisco IDS uses an array of detection methods to cover a broad range of threats. It is a hybrid system that applies the method most appropriate to each threat: stateful pattern recognition, protocol analysis, traffic anomaly detection and protocol anomaly detection. Additionally, Cisco IDS can detect policy violations related to the use of peer-to-peer (P2P) and file-sharing applications. The same techniques counter common IDS evasion methods, because matching is performed after IP defragmentation, TCP stream reassembly and deobfuscation rather than on the raw packets as they arrive.
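The evasion point above (defragmentation, stream reassembly and deobfuscation before matching) is easiest to see with a worked example. The following Python is an added illustration, not Cisco code and not a Cisco signature: it reassembles constructed TCP segments, undoes percent-encoding, and then applies a pattern for the classic /cgi-bin/phf request, showing that the same request is missed when each segment, or the raw encoded bytes, are matched on their own. The segment offsets, the request text and the "first copy wins" overlap policy are assumptions made for the example.

```python
"""Added example (not Cisco code): reassembly and decoding before matching.
The signature, segments and overlap policy below are constructed for the
illustration; real Cisco IDS signatures are not published in this form."""
import re
from urllib.parse import unquote

# Constructed pattern for the classic phf CGI request ("PHF" in the report's
# list of named attacks). The word boundary keeps "phfoo" from matching.
PHF_SIGNATURE = re.compile(rb"GET\s+/cgi-bin/phf\b")


def reassemble(segments):
    """Put TCP segments back in order and return the byte stream.

    segments: iterable of (seq, payload). Retransmitted or overlapping bytes
    are resolved "first copy wins", one of several policies real stacks use;
    a sensor whose policy differs from the target host's can be desynchronised
    by deliberately overlapping segments, which is why sensors let you choose.
    A hole in the sequence space ends the stream (data after it is unknown).
    """
    stream = bytearray()
    nxt = None                      # next sequence number we expect
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if nxt is None:
            nxt = seq
        if seq < nxt:               # overlap: keep the bytes we already have
            payload = payload[nxt - seq:]
            seq = nxt
        if seq > nxt:               # gap: cannot continue safely
            break
        stream += payload
        nxt += len(payload)
    return bytes(stream)


def deobfuscate(stream):
    """Undo encodings used to hide a request from a byte-pattern matcher:
    percent-encoding (including double encoding, hence the bounded loop)
    and backslash path separators that some Web servers accept."""
    text = stream
    for _ in range(3):
        decoded = unquote(text.decode("latin-1"), encoding="latin-1").encode("latin-1")
        if decoded == text:
            break
        text = decoded
    return text.replace(b"\\", b"/")


def matches_raw(segments):
    """What a sensor without reassembly or decoding sees: each segment alone."""
    return any(PHF_SIGNATURE.search(payload) for _, payload in segments)


def matches_normalised(segments):
    """What a sensor sees after reassembly and deobfuscation."""
    return PHF_SIGNATURE.search(deobfuscate(reassemble(segments))) is not None


# Constructed evasive request: split mid-keyword, with the 'f' percent-encoded.
EVASIVE_REQUEST = [
    (1, b"GE"),
    (3, b"T /cgi-bin/ph"),
    (16, b"%66 HTTP/1.0\r\n\r\n"),
]
# Constructed plain request, for comparison.
PLAIN_REQUEST = [(1, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    for name, req in (("plain", PLAIN_REQUEST), ("evasive", EVASIVE_REQUEST)):
        print(f"{name}: raw={matches_raw(req)} normalised={matches_normalised(req)}")
```

The overlap policy is the part worth dwelling on: a sensor that keeps the first copy of overlapping bytes while the target host keeps the last (or the reverse) will reassemble a different stream from the one the server parses, so the policy has to be chosen per protected host rather than assumed.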


Execution Frequency

Cisco IDS performs continuous (real-time) analysis.

Additional Misuse Monitoring

Cisco IDS can monitor for and respond to other invalid activity, as follows:
• Abnormal process and operating system behavior (HIDS only)
• E-mail content (that is, objectionable words and phrases)
• Encrypted sessions (HIDS only)
• Internet Relay Chat (IRC)
• Objectionable words and phrases in other network traffic
• Traffic that originates at specific uniform resource locators (URLs)/Web sites

Customizable Attack and Misuse Definition

Cisco IDS allows users to create and modify policies to suit the environment in which the sensors are deployed. Using the TAME policy language, users can create new policies or modify existing ones to meet their own security objectives. TAME policies are decoupled from the sensing application, so changes do not affect sensor performance or reliability. TAME lets users build on the underlying protocol analysis capabilities rather than relying on pattern matching alone.

Attack Definition Updates

Cisco IDS signatures are updated at different frequencies, depending on platform and urgency:
• Within hours for urgent issues, announced via an Active Update notification bulletin
• Every two weeks for routine appliance updates
• Every month for switch and host sensors

Cisco posts signature file updates on its Web site and notifies customers via e-mail. Once the customer has downloaded the files, the updates can be distributed centrally, either automatically or on a pre-defined schedule.

Secure Attack Definition Updates

Cisco hashes and encrypts the signature package before distribution to protect the integrity and confidentiality of the update package; the encryption used is Triple Data Encryption Standard (3DES). Sensors authenticate the update package before unpacking and installing it, so a package that fails the check is not applied. Secure Copy (SCP) is also supported for secure transfer of the update files to the sensor.
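What "authenticate the update package before unpacking" has to mean in practice is shown by the following Python, an added example that is not Cisco's update format (the report does not describe it) and that leaves out the 3DES encryption step. It assumes a package laid out as a fixed header, a JSON body and an HMAC-SHA256 tag over header and body, a key shared between vendor and sensor, and a version field covered by the tag so that a replayed older package is refused; the signature content is constructed.

```python
"""Added example (not Cisco's package format): authenticate a signature
update before unpacking it. Package layout, key and version rule are
assumptions; the signature content below is constructed."""
import hashlib
import hmac
import json
import struct

# Assumption: a key shared between the vendor's build system and the sensor.
# A real distribution scheme would use a vendor signing key (public-key
# signature) so that no single sensor holds material that can forge packages.
UPDATE_KEY = b"constructed-demo-key-not-for-real-use"
MAGIC = b"SIGUPD1"                      # assumed format identifier
HDR_LEN = len(MAGIC) + 8                 # magic + version(4) + body length(4)
TAG_LEN = hashlib.sha256().digest_size   # 32


class RejectedPackage(Exception):
    """Raised for any package the sensor must not install."""


def build_package(version, signatures):
    """Vendor side: serialise the signature set, then tag header+body.

    Putting the version inside the tagged region is what stops an attacker
    from presenting an old (authentic) package with a bumped version number."""
    body = json.dumps(signatures, sort_keys=True).encode()
    header = MAGIC + struct.pack(">II", version, len(body))
    tag = hmac.new(UPDATE_KEY, header + body, hashlib.sha256).digest()
    return header + body + tag


def verify_package(blob, installed_version):
    """Sensor side: check framing, then the tag, then the version, and only
    then parse the body. Nothing from the body is interpreted before the
    tag check succeeds, so a tampered body never reaches the JSON parser."""
    if len(blob) < HDR_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise RejectedPackage("bad magic or truncated package")
    version, body_len = struct.unpack(">II", blob[len(MAGIC):HDR_LEN])
    body = blob[HDR_LEN:HDR_LEN + body_len]
    tag = blob[HDR_LEN + body_len:]
    if len(body) != body_len or len(tag) != TAG_LEN:
        raise RejectedPackage("length fields do not match package size")
    expected = hmac.new(UPDATE_KEY, blob[:HDR_LEN + body_len], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        raise RejectedPackage("authentication failed")
    if version <= installed_version:                # rollback protection
        raise RejectedPackage(f"version {version} is not newer than {installed_version}")
    return version, json.loads(body)


# Constructed signature set; names and fields are illustrative only.
DEMO_SIGNATURES = {"demo-phf-request": {"proto": "http", "severity": "high"}}


def install_demo(installed_version=41):
    """Build a package at version 42 and run it, a tampered copy and a
    replayed copy through the sensor-side check. Returns the three outcomes."""
    good = build_package(42, DEMO_SIGNATURES)
    tampered = bytearray(good)
    tampered[HDR_LEN] ^= 0x01                   # flip one bit in the body
    outcomes = {}
    for label, pkg, installed in (("good", good, installed_version),
                                  ("tampered", bytes(tampered), installed_version),
                                  ("replayed", good, 42)):
        try:
            outcomes[label] = verify_package(pkg, installed)[0]
        except RejectedPackage as exc:
            outcomes[label] = str(exc)
    return outcomes


if __name__ == "__main__":
    for label, result in install_demo().items():
        print(f"{label}: {result}")
```

The ordering inside verify_package is the point: length checks, then the tag over everything the sensor is about to trust, then the version, and only then parsing. Encrypting the body would add confidentiality but would not replace the tag; a decryptor happily produces garbage from a tampered ciphertext.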

Table 4: Features and Functions: Cisco IDS: Performance Characteristics

Performance

Cisco offers sensing options capable of monitoring from 80 Mbps up to 1 Gbps. Cisco Security Agent performs system-call interception with very low overhead (less than 2 percent in standard benchmarking tests).

Accuracy

Cisco’s NIDS sensors err on the side of higher false-positive rates to limit the possibility of missing actual attacks.

Cisco Security Agent looks for attacks against the operating system or Web applications using call interception rather than pure pattern matching, which yields very low false-positive and false-negative rates. In addition, it automatically correlates events on the agent and on the manager. Agent-based correlation results in far fewer alerts (Cisco claims a typical reduction by a factor of 40 or more compared with traditional signature-based HIDS), and correlation on the manager results in fewer false negatives for distributed activity such as distributed scans, brute-force login attacks and network worms.


Table 5: Features and Functions: Cisco IDS: Response Characteristics

Response

The Cisco IDS product line has a number of “active response” capabilities, including:
• Sending alerts via console messages, e-mail, pages, scripting and reports
• Terminating the active session using TCP resets
• Blocking or shunning the connection by adding a dynamic ACL to the router, switch or firewall
• Logging the session data in a TCP dump log
• Dropping malicious packets when an alarm triggers (available on the router and firewall sensors)
• Preventing the activity using the Cisco Security Agent

Event Prioritization

Cisco IDS classifies each alarm with a pre-defined (yet configurable) severity level. Organizations can sort alarms by severity and use this criterion to prioritize responses.

Report Merging and Data Visualization

The event monitoring system provides a dynamic interface to visually sort, analyze and correlate events across the organization. The management console has a reporting engine that distills large quantities of data into concise, targeted reports.

Event Trace and Replay

Cisco IDS can capture a complete IP session log, containing keystroke-level information for the suspect session. The log is stored in standard TCP dump format and can be viewed with many freeware tools, including Ethereal. The trigger packet for the alarm is also captured, and its fully decoded contents can be viewed within the alarm.

The add-on product Cisco Security Agent Profiler provides a forensics capability in which an application’s behavior is monitored rather than prevented. Reports detailing all file, network, registry and Component Object Model (COM) object access by that application allow the security administrator to determine whether the application is malicious.

Customizable Reports

Organizations cannot modify the report templates, but they can modify the query parameters: for example, time of day, IP address, signatures and severity levels.

Session Hijacking

Cisco IDS cannot seize the connection of a user on the network. (Cisco doesn’t believe that anyone would want this capability.)

Session Termination

Cisco NIDS can terminate the active session by sending a TCP reset or by issuing a block command to the router, firewall or switch. Cisco HIDS can disable user accounts as well.

Firewall Reconfiguration

Cisco IDS can automatically reconfigure Cisco PIX Firewalls (but not other vendors’).

Router or Switch Reconfiguration

Cisco IDS can dynamically reconfigure most Cisco routers as well as the Catalyst 5000 RSM and Catalyst 6000 MSFC switches (but not other vendors’).

Deception Techniques

Cisco IDS counters a number of IDS deception (evasion) techniques. Because Cisco Security Agent relies on operating system call interception rather than packet parsing, packet-level deception techniques do not apply to it.

Vulnerability Correction

Cisco IDS cannot automatically correct misconfigurations that leave a system open to attack.

Customizable Attack and Misuse Response

Cisco IDS supports scripting to modify the supplied responses or add new ones. All response actions can be customized per signature.


Table 6: Features and Functions: Cisco IDS: Operational Characteristics

Deployment

Information Sources
• A Network Sensor monitors traffic on the wire in real time using a promiscuous sniffing interface on the appliance.
• A Switch Sensor monitors traffic traversing the switch backplane and analyzes copies of the captured packets.
• A Router Sensor monitors traffic traversing the router.
• A Firewall Sensor monitors traffic traversing the firewall.
• A Host Agent, unlike traditional syslog-analysis products, monitors and intercepts system calls to the kernel or APIs.

Distributed Deployment

Cisco NIDS sensors can send event information to numerous destinations concurrently. The management console can receive, filter and forward events to one or more secondary tiers.

Sensor:Console Ratio

The sensor:console ratio is primarily a function of the event rate coming off the sensor(s). If event monitoring is off-loaded to a separate system, a single instance of the management console can configure up to 100 devices. If monitoring and management are done from the same console, Cisco recommends a ratio of 25:1. Management and monitoring of the HIDS product is more scalable; the threshold there is around 5,000:1.

Implementation
• Network Sensor is packaged as a turnkey, plug-and-play network appliance.
• Switch Sensor is packaged as a switch line card.
• IDS Network Module plugs into the Cisco Access Routers.
These products include all necessary hardware, with the operating system and application software pre-installed and pre-configured.

The remaining components are delivered as software:
• Router Sensor is distributed as a software image that can be loaded onto any Cisco router.
• Firewall Sensor is distributed as part of the base firewall software image that can be loaded on all Private Internet Exchange (PIX) firewall platforms.
• Cisco Security Agents are software agents installed on servers and desktops.

System Requirements for Console

IDS Management (CiscoWorks VMS v.2.2):
• Microsoft Windows 2000 Server

CSA Manager:
• Microsoft Windows 2000 Server or Advanced Server (Service Pack 1 or Service Pack 2)
• Pentium 500 MHz processor or faster
• 384 MB RAM (minimum)
• 2 GB disk

System Requirements for Network Sensors

The network-based sensors are hardware-based turnkey solutions.


Robustness

Cisco IDS’s communication system constantly checks that connectivity is available between the sensors and the management console. If communications are lost, events are buffered on the sensor until communication is re-established, administrators are alerted that the primary route is down, and the system can choose alternative routes to re-establish connectivity. Additionally, the sensor can use a “watchdog” process to ensure that all sensor daemons are active and operating properly, which keeps the occurrence of system failures low.

Software Updates

Cisco updates its base code approximately twice a year. However, it often adds new features in service packs released between major updates, and these are made available via its Web site.

Secure Software Updates

Sensor updates are encrypted packages. SCP is supported for secure file transfer.

Table 7: Features and Functions: Cisco IDS: Management Characteristics

Management

NIDS: There are four management options available:
• CiscoWorks VMS v.2.2: browser-based sensor management and monitoring over a Secure Sockets Layer (SSL) connection
• CiscoWorks SIMS v.3.1: real-time event monitoring and correlation for security events originating from multiple vendors’ network security products
• Cisco IDS Device Manager (IDM)/IDS Event Viewer (IEV): browser-based embedded device management over an SSL connection
• Command-line interface (CLI) over a Secure Shell (SSH) connection

HIDS (CSA): Cisco Security Agent Manager provides centralized management for all server and desktop agents. It is a role-based Web browser application that allows administrators to create agent software-distribution packages, create or modify security policies, monitor alerts and generate reports. CSA Manager is part of CiscoWorks VMS 2.2.

Comprehensive Network Management System (NMS)

CiscoWorks Security Information Management System (SIMS) v3.1.

Alternative Management System

APIs have enabled a number of third-party monitoring tools to integrate with the Cisco IDS sensors.

Vulnerability Scanner

Cisco delivers real-time vulnerability assessment through Cisco Threat Response (CTR), using what it calls “Just-in-Time Analysis,” which can:
• Check the targeted system’s OS and patch levels to determine whether the attack could succeed; for example, a Windows attack against a Unix system is given a lower priority
• Determine whether an attack succeeded or failed; failed attacks are given a lower priority so that staff can focus on critical events
• Gather forensic data by creating secure archives of audit trails, log files and intrusion traces


Table 8: Features and Functions: Cisco IDS: Security Characteristics

Security Audit

Cisco IDS logs event information in three categories: events, errors and commands. Audit logs are generated whenever a command is issued on the sensor.

Identification and Authentication

Login: No actions are allowed before the user supplies a user name and is successfully authenticated. The sensor has four different account types that differ in access privileges, for example read-only, read/write and support. The management console has a separate account for each user, keyed by user name.

Authentication Failure Handling: Cisco NIDS denies access to the sensor when the user name/password check fails. However, the system does not log repeated unsuccessful attempts, so password guessing against the sensor’s own login is not visible in its audit log.

User Attribute Definition: Cisco IDS maintains basic user name and password credentials on the sensor. The management console holds multiple user credentials (user name/password pairs) to enforce access to the console.

Authentication Service: Users can access and authenticate to Cisco IDS in a number of ways. Sensors support telnet or SSH for remote administration; telnet and FTP can be disabled, leaving only SSH and SCP enabled. Management access is controlled by the user access rights on the console.

Security Policy Management

Non-Bypassability of the Security Policy: A user must log in to Cisco IDS successfully before system access is granted.

Domain Separation: Cisco recommends that an organization create a separate security domain for IDS execution, to protect it from interference and tampering by untrusted users, by installing the management console on a dedicated server.

Administration: Only users with Full Access have complete control over the database. Full Access also allows the user to create other administrative accounts, define user accounts, create network services and security policies, and modify all database configuration settings.

System Privileges and Access Control: Cisco IDS’s management application supports:
• Full Access: as above.
• Read-Only Access: the ability to view policies and configuration settings in the database and to view scheduled and on-demand reports generated by the Reporting subsystem. A read-only user cannot change policies or configuration settings.
• Report Viewing Only: the ability to view only scheduled and on-demand reports and audit records generated by the Reporting subsystem, from a Web browser.
TCP Wrappers are also used to limit access to the device to pre-defined IP addresses only.

Security Roles: IDS management maintains authorized, identified roles and associates users with roles.


Data and Communications Security

Availability: Audit and system data are stored locally on the sensor and management platforms. Users can connect directly to these systems to extract the data natively.

Trusted Communication:
• Remote Data Exchange Protocol (RDEP) delivers encrypted communications over SSL.
• CLI access to the sensors is delivered via SSH using 3DES.
• The Cisco IDS management products use encrypted communications via SSL.
• Sensors are updated using SCP.
• TCP Wrappers are used to restrict which hosts may attempt to authenticate to the sensors.
• Signature updates delivered to the sensors are encrypted.
• Device management (blocking) is performed over SSH.

Confidentiality During Transmission: Communications (both configuration and monitoring data) between sensor and management console are encrypted using SSL.

Detection of Modification: Cisco IDS relies on the same SSL sessions, whose record layer authenticates each message, to detect modification of data in transit between management console and sensors. Encryption alone would not reveal tampering; the message authentication that SSL adds is what provides this.

Cryptography Options: Cisco IDS allows the organization to turn cryptography on or off. With it off, the confidentiality and modification-detection properties above no longer hold.

Attack Protection

Self-Monitoring: A Cisco IDS sensor monitors its own internal processes to ensure uninterrupted operation. If a process fails, the sensor tries to restart the process itself and notifies the operator of the status change. The Cisco Security Agent includes built-in self-protection capabilities to prevent even administrator/root users from disabling it.

Stealth Techniques: Network Sensors and Switch Sensors use promiscuous monitoring interfaces to capture packets. Because the monitoring interfaces have no IP addresses, neither can be detected using, say, ping or Secure Software Technologies’ AntiSniff.

Table 9: Features and Functions: Cisco IDS: Support Characteristics

Vendor-Provided Attack Database

Cisco IDS includes the Network Security Database (NSDB), which provides:
• A comprehensive description of each signature
• A listing of any known benign triggers
• Common Vulnerabilities and Exposures (CVE) links
• Severity ratings and recommendations
• Links to associated vulnerabilities
A restricted-access Web version of the NSDB is available in the Cisco Security Encyclopedia.

24×7 Vendor Hotline

Cisco has a support organization that provides worldwide, 24×7 product support, with support facilities throughout the world providing follow-the-sun support and expertise.

Vendor Response

Cisco customers have access to Cisco personnel through many different channels. Cisco doesn’t publish target or average actual response times, either for acknowledging queries or for providing a complete and accurate response.


Analysis

Cisco Systems commands a strong position in the IDS marketplace because of its presence in the network infrastructure of a majority of organizations. It currently holds about one-quarter of the market for firewalls and two-thirds of the market for routers.

Cisco’s acquisition of OKENA delivers a wide array of functions, including a HIPS, distributed firewall, malicious code protection and operating system lockdown.

Cisco’s acquisition of Psionic Software delivers CTR, which provides the unique capability to determine whether or not an attack was successful. This analysis is performed automatically on all alarms generated by the NIDS sensors and is instrumental in addressing one of the key pain points of IDS deployments: the occurrence of false alarms.

Network-Based Intrusion Detection Techniques

Cisco’s NIDS uses hybrid analysis with attack signatures for:
• Name attacks: attacks with specific names, such as “Smurf” and “PHF”
• General category attacks: attacks with variations on a basic type of network exploit, including fragmented packets (an attempt to evade detection)
• Extraordinary attacks: attacks with very complex signatures, such as Loki, e-mail spam or simplex-mode TCP hijacking

Cisco IDS does full protocol analysis rather than simple pattern matching, to reduce its reliance on exploit-specific signatures: Cisco IDS signatures look for the vulnerability in the protocol rather than for a particular exploit. Cisco IDS is unusual among leading IDS products in using protocol analysis so extensively.

Cisco IDS’s NSDB provides the operator with a detailed description of each alarm, defining the severity and type as well as known benign triggers that may have falsely raised the alarm. In addition, Cisco provides the operator with a comprehensive filtering capability to minimize false positives without compromising the integrity of the system.

Operation in Switched Networks

Operating a NIDS in a switched network is typically problematic because of the volume of traffic and the high speed at which it is switched. Other IDS vendors use a standard network sensor and hang it off the switch’s SPAN ports. This can be unsatisfactory because the IDS can only monitor traffic on a single VLAN, and switches offer a limited number of SPAN ports (usually only one).

Cisco’s unique approach is to offer the Cisco IDS “blade,” a line card for its Catalyst 6000 switch, which takes packets from the backplane of the switch. To keep up with the high-speed backplane, the module inspects a specific subset of the traffic to maintain satisfactory performance. That subset, which can be specified by source or destination IP address, by protocol type or by application, is sent to the IDS module for inspection and analysis.

Real-Time Vulnerability Assessment Correlation

As vulnerabilities vary from one network to another, different attacks will be effective against different organizations. If an IDS product is aware of the existing vulnerabilities on the network and can identify attacks that have a high probability of success because they exploit those vulnerabilities, it will provide more effective protection.


Cisco provides this through CTR; it estimates that this can reduce false alarms by up to 95 percent. Although CTR can prioritize successful attacks, it is analysis after the fact. Where an organization is using Cisco’s host-based intrusion prevention, CTR adds little additional protection, although it can focus response on successful attacks that evade CSA.
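Both the CTR “Just-in-Time Analysis” list in Table 7 and the correlation argument above come down to one step: join each NIDS alarm with what is known about the target host and reprioritize. The Python below is an added example, not Cisco Threat Response code; the alert fields, the 1 to 5 severity scale, the host inventory and the patch identifiers are assumptions constructed for the illustration. It also keeps the caveat a practitioner would want: an alarm against a host that is missing from the inventory is left at its original severity rather than downgraded.

```python
"""Added example (not Cisco Threat Response code): reprioritise NIDS alarms
by correlating each one with the target host's OS and patch state. Field
names, severity scale, hosts and patch ids are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SEVERITY_MIN, SEVERITY_MAX = 1, 5       # assumed scale: 1 (info) .. 5 (critical)


@dataclass
class Host:
    ip: str
    os_family: str                       # e.g. "windows", "solaris"
    patches: Set[str] = field(default_factory=set)


@dataclass
class Alert:
    signature: str
    dst_ip: str
    severity: int
    target_os: str                       # OS family the exploit applies to
    fixed_by: Optional[str] = None       # patch id that closes the hole, if any


def clamp(level: int) -> int:
    return max(SEVERITY_MIN, min(SEVERITY_MAX, level))


def triage(alert: Alert, inventory: Dict[str, Host]) -> Tuple[int, str]:
    """Return (adjusted severity, reason) for one alarm.

    Ordering matters: an unknown host is never downgraded, because absence
    of inventory data is not evidence that the attack failed."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        return alert.severity, "target not in inventory; severity unchanged"
    if host.os_family != alert.target_os:
        return clamp(alert.severity - 3), "wrong OS for this exploit; attack cannot succeed"
    if alert.fixed_by and alert.fixed_by in host.patches:
        return clamp(alert.severity - 2), "target patched; attack very likely failed"
    return clamp(alert.severity + 1), "target vulnerable; attack may have succeeded"


def triage_all(alerts: List[Alert], inventory: Dict[str, Host]) -> List[Tuple[Alert, int, str]]:
    """Triage every alarm and return them most urgent first."""
    rows = [(a, *triage(a, inventory)) for a in alerts]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed inventory and alarms for the example.
INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", "windows", {"hotfix-A"}),
    "10.0.0.6": Host("10.0.0.6", "windows", set()),
    "10.0.0.7": Host("10.0.0.7", "solaris", set()),
}
ALERTS = [
    Alert("demo-iis-overflow", "10.0.0.5", 4, "windows", fixed_by="hotfix-A"),
    Alert("demo-iis-overflow", "10.0.0.6", 4, "windows", fixed_by="hotfix-A"),
    Alert("demo-iis-overflow", "10.0.0.7", 4, "windows", fixed_by="hotfix-A"),
    Alert("demo-iis-overflow", "10.0.0.9", 4, "windows", fixed_by="hotfix-A"),  # not in inventory
]

if __name__ == "__main__":
    for alert, level, reason in triage_all(ALERTS, INVENTORY):
        print(f"{level} {alert.dst_ip:<10} {alert.signature}: {reason}")
```

The same four alarms from the sensor come out as one critical event, one unchanged, and two that an analyst can safely deprioritize. The quality of the result is bounded by the inventory: a stale patch list turns a successful attack into a "very likely failed" one, which is the after-the-fact risk the paragraph above describes.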

Host-Based Intrusion Prevention

CSA is an exemplar of the approach to host-based intrusion prevention that uses a software shim to intercept calls between applications and the underlying OS. (The other approach is to use kernel modifications that apply more stringent security controls than are built into commercial OSs.)

CSA intercepts all application OS calls to the kernel and compares them with a cached, centrally defined policy. If the call is allowed by the policy, it is passed to the kernel for execution; otherwise, it is blocked, an error message is passed back to the application, and CSA sends an alert to the CSA Manager.

CSA is behavior based—it correlates each call with others made by that application to detect malicious activity—rather than relying on signatures that require frequent updates. Hence, in common with other intrusion prevention and IDS products that use protocol anomaly or behavioral analysis, it can detect new attacks on “day zero.” Like other host-based intrusion-prevention products, but unlike HIDS products, it can block all attacks that it detects.
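A toy model of the shim described above, added here as an example (not Cisco’s code; the default-deny policy, the rule set and the call sequence are constructed for this page): every intercepted call is first matched against the cached policy, and calls the policy allows are then correlated with the application’s own recent calls, so a pattern that no single-call rule forbids (executing a file the same application just wrote) is still blocked and reported to the manager.

```python
from collections import defaultdict, deque
from fnmatch import fnmatch

# Constructed policy, cached on the host: (application, operation, resource pattern).
# Only listed calls are allowed; default deny is an assumption of this model, not a CSA fact.
POLICY = [
    ("webserver", "net_accept", "*"),
    ("webserver", "file_read", "/var/www/*"),
    ("webserver", "file_write", "/var/www/*"),
    ("webserver", "exec", "/var/www/cgi-bin/*"),
]

class Interceptor:
    def __init__(self, policy, window=8):
        self.policy = policy
        self.recent = defaultdict(lambda: deque(maxlen=window))  # per-application call history
        self.alerts = []  # what the shim would forward to the central manager

    def policy_verdict(self, app, op, resource):
        if any(a == app and o == op and fnmatch(resource, pat) for a, o, pat in self.policy):
            return "allow"
        return "deny: no policy rule permits this call"

    def behaviour_verdict(self, app, op, resource):
        # Correlate with the application's own recent calls: executing a file it
        # wrote moments ago is blocked although each call is allowed on its own.
        written = {r for o, r in self.recent[app] if o == "file_write"}
        if op == "exec" and resource in written:
            return "deny: executing a file this application itself wrote"
        return "allow"

    def intercept(self, app, op, resource):
        """Return True if the call is passed to the kernel, False if it is blocked."""
        verdict = self.policy_verdict(app, op, resource)
        if verdict == "allow":
            verdict = self.behaviour_verdict(app, op, resource)
        self.recent[app].append((op, resource))
        if verdict != "allow":
            self.alerts.append((app, op, resource, verdict))  # application gets an error back
            return False
        return True

def run_demo():
    """Constructed call sequence; returns the alerts the shim would raise."""
    shim = Interceptor(POLICY)
    for call in [("webserver", "net_accept", "198.51.100.7:52001"),
                 ("webserver", "file_read", "/var/www/index.html"),
                 ("webserver", "file_write", "/etc/passwd"),
                 ("webserver", "file_write", "/var/www/cgi-bin/new.cgi"),
                 ("webserver", "exec", "/var/www/cgi-bin/new.cgi")]:
        shim.intercept(*call)
    return shim.alerts
```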

Integrated Management Platform for NIDS and HIPS

Like other leading IDS vendors, Cisco offers an integrated management platform for the Cisco IDS’s NIDS sensors and Cisco Security Agent: CiscoWorks VMS. This can also manage other Cisco devices, including Cisco PIX and IOS firewalls, and its site-to-site VPN product. This allows organizations to manage multiple Cisco security products from a single system, reducing the complexity and overheads of network security management.

Pricing

Table 10: Price List: Cisco IDS

Product                                                    Price (US$) Single Unit

Cisco IDS Network Appliance Sensor
  Cisco IDS 4215 Sensor                                    7,295
  Cisco IDS 4235 Sensor                                    12,500
  Cisco IDS 4250 Sensor                                    25,000
  Cisco IDS 4250-XL Sensor                                 40,000

Cisco IDS Switch Sensor
  Catalyst 6000 IDS module—IDSM-2                          29,995

Cisco IDS Network Module Sensor for router
  IDSNM for 2600XM, 2691 and 3700                          4,995

Cisco Security Agent
  Server Agent, single agent                               1,950
  Desktop Agent, 25 agent bundle                           2,150

IDS Management
  VMS Bundle, restricted license for 20 devices
  (unrestricted for Host IDS): single package for
  management of Network IDS, Host IDS, Firewalls,
  Router VPNs and other functions
  VMS Bundle, unrestricted device license: single
  package for management of Network IDS, Host IDS,
  Firewalls, Router VPNs and other functions               19,995
  Cisco IDM and IEV                                        free
  SIMS Bundle for 30 devices                               40,000
  SIMS Bundle for 20 additional devices                    20,000

GSA Pricing: Yes.

Competitors

Table 11: Competing IDS Products

Vendor/Product(s): Enterasys Networks, Inc. • Dragon IDS (Internet: www.enterasys.com)

Description: Dragon IDS comprises Dragon Network Sensors, Dragon Host Sensors (formerly Dragon Squire) and a common Dragon Enterprise Management Server for Web-based management and reporting. Dragon Network Sensors are available as software and as Linux-based appliances. Dragon Host Sensor monitors host platforms, applications, firewalls and other vendors’ NIDS and HIDS sensors. Enterasys also offers the Dragon Integrated Server/Sensor, an all-in-one appliance aimed at small or branch office use. Enterasys has a strong focus on the managed security service provider (MSSP) space and has achieved significant penetration.

Vendor/Product(s): Internet Security Systems, Inc. (ISS) • Enterprise Protection Platform (EPP) (Internet: www.iss.net)

Description: EPP adds Proventia appliances and SiteProtector centralized management to the successful RealSecure product line:

• RealSecure Network agents (NIDS)
• RealSecure Host agents (HIDS)
• RealSecure Desktop agents (HIDS)
• RealSecure Vulnerability Assessment agents (for example, Internet Scanner)

ISS is integrating components acquired from Network Ice (protocol anomaly detection) and vCIS (preemptive behavioral inspection) into its RealSecure IDS technology and increasing the proactive “prevention” responses. ISS now offers Proventia NIDS appliances, for aggregate network bandwidth up to 1200 Mbps on one to four network segments. ISS has yet to offer either in-line network-based intrusion prevention appliances or host-based intrusion prevention software.

Vendor/Product(s): Network Associates Inc. (NAI) • “IntruShield” (formerly IntruVert IntruShield) • “Entercept” (formerly Entercept Host Sensor) (Internet: www.nai.com)

Description: NAI was a former leader in the IDS market with the PGP Security CyberCop IDS, but withdrew this product early in 2001. NAI has now (May 2003) positioned itself to compete effectively in the IDS market with the acquisition of two IPS vendors:

• IntruVert, one of the leading vendors in the network intrusion prevention space
• Entercept, with its strong host-based intrusion prevention offering

NAI’s funds and global presence give these products more leverage in deals where they compete against traditional IDS vendors.

Vendor/Product(s): Snort • Snort (Internet: www.snort.org)

Description: Snort is the leading open-source NIDS, available free under the GNU General Public License. Third-party evaluations consistently rank it highly in comparison with commercial NIDS products and higher than any commercial product in signature coverage. The rapid evolution of the rule sets is an important advantage of an open-source system, where a large community can create new rules promptly. In some cases, a Snort rule is posted to BugTraq with the original vulnerability report. Additionally, Snort allows plug-ins: ways to incorporate additional detection functionality into the system.

Snort has been making growing inroads into the marketplace, but many organizations will have been reluctant to adopt it because of the lack of commercial support. In this case, an organization may consider:

• Silicon Defense (Internet: www.silicondefense.com), which provides commercial support contracts for organizations using Snort.
• Sourcefire (Internet: www.sourcefire.com), which offers an enhanced version of Snort with its Intrusion Management System (IMS), an appliance-based system that provides event correlation and analysis.

An organization will likely find it useful to install Snort for at least a trial period during the selection process for a commercial NIDS product. Snort can provide an effective additional source of data to a “meta IDS.”

Vendor/Product(s): Symantec Corp. • Host IDS • ManHunt (Internet: www.symantec.com)

Description: Symantec now puts the ManHunt NIDS that it acquired from Recourse Technologies in 2002 alongside its own Host IDS (developed from and superseding the Intruder Alert product that it acquired from AXENT Technologies in 2000). ManHunt includes protocol anomaly detection, which addresses a significant limitation of the old NetProwler NIDS product. Symantec still needs to provide integrated management of the two products, as ISS and other market leaders do. Host IDS already uses the Symantec Enterprise Security Architecture (SESA) management framework, but a fully SESA-compliant version of ManHunt will not be available until 2004.

Strengths


CTR provides real-time vulnerability assessment correlation using what it calls “Just-in-Time Analysis.” This approach reduces false alarms (Cisco estimates by up to 95 percent) and better prioritizes real attacks.

Provides Intrusion Detection in Switched Networks

Most NIDS products cannot perform well in switched networks because of traffic volumes, switching speeds, and the restrictions of using SPAN ports. Cisco IDS uniquely addresses this limitation by offering a Switch Sensor, a line card that can be implemented in its Catalyst 6000 switches. It cannot be used with other vendors’ switches, however.

Server and Desktop Agents Stop Unknown Attacks

CSA uses behavior analysis of OS calls to detect and stop malicious behavior. Deployed server and desktop agents offer “day zero” protection against novel attacks without the organization having to reconfigure or update them. This is in contrast to other end-point security products, such as HIDS and personal firewalls, that rely on either static port blocking or on databases of known attack signatures.

NIDS Appliances Reduce Implementation Overheads

Cisco’s Network Sensor appliances give organizations the benefit of an out-of-the-box, plug-and-play solution. Most IDS vendors offer network sensors as software to be installed on a commercial off-the-shelf (COTS) workstation connected to the network. An organization has to acquire suitable hardware and install the OS and “harden” it before installing the IDS software, all at additional cost. With Cisco IDS’s appliances, maintenance is low because administrators don’t need OS expertise and don’t need to install OS patches. IOS, however, does not have the same “history” of security and reliability as an OS such as Linux.

Limitations

Lack of Support for Other Vendors’ Network Devices

Other leading vendors’ NIDS solutions can work with firewalls and routers from different vendors. Cisco IDS’s Firewall Sensor and Router Sensor, however, work only with the company’s own PIX Firewall and IOS network devices, and Cisco’s blade only with Cisco switches. Organizations without an “all Cisco” network infrastructure might be better served by an alternative solution.

No In-Line Network-Based Intrusion Prevention

Many features of Cisco’s NIDS offerings—its high-speed appliances, software or hardware modules for firewalls, routers and switches, and its hybrid analysis—are necessary but not sufficient for in-line intrusion prevention. Now that it has integrated one of the leading HIPS products into its product line, it needs a true NIPS product to meet near-term enterprise needs.

Insight

Cisco IDS leverages Cisco’s huge presence in the networking market to create a strong presence in the NIDS market. Cisco is the only vendor that fully addresses NIDS in a switched network and integration into routers, although its solution can be used only with its own switches and routers. Cisco’s NIDS appliances, however, can be used in any network. CTR uses real-time vulnerability assessment correlation to minimize false alarms. CSA, Cisco’s HIPS offering, uses behavioral techniques to provide comprehensive attack blocking for servers and desktops, including protection against day-zero attacks.

Cisco IDS offers a sound NIDS solution for all organizations and is clearly attractive to those already using Cisco networking devices. While Cisco has yet to deliver network-based intrusion prevention, it does now offer one of the best HIPS products.
