
IDS



Presentation Transcript


  1. IDS Mike O’Connor Eric Tallman Matt Yasiejko

  2. Overview
  • IDS defined
  • What it does
  • Sample logs
  • Why we need it
  • What it doesn’t do
  • Setup
  • Alternatives

  3. IDS defined
  • IDS = Intrusion Detection System
  • Cisco IDS-4215
  • Placed on the switch
  • IDS vs IPS
  • IDS = detection; “passive”
  • IPS = prevention; “active”
  • Signature driven (misuse detection)

  4. IDS defined
  • Used to detect traffic not captured by conventional firewalls
  • Network vs. Host IDS
  • Network = examines traffic and monitors multiple hosts
  • Host = analyzes system calls, file modifications, etc.
  • Misuse (signature based) vs. anomaly (self-learning)

  5. What it does…
  • Analyzes network traffic that has been sent to or from FA 0/24
  • Uses signature database to identify problematic traffic
  • Custom signatures may be added
  • False positives are quite possible
  • DNS requests
  • IP logging, block IP, allow IP, etc.
  • Detects port scans

  6. DNS request logged

  7. Signature 4003 details

  8. Port scan detected

  9. Why we need IDS
  • Nmap sweeps
  • Vulnerability sought constantly
  • Many attack types
  • Above is one type of TCP sweep (SYN packets)
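The two detection styles the slides describe (signature-driven misuse detection on slides 3 to 5, and recognising an Nmap-style SYN sweep on slides 8 and 9) can be shown side by side in a small Python script. This is an added example written for this transcript, not code from the presenters or from the Cisco IDS-4215; the signature IDs, the threshold and window values, and the packet records are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as a sensor on the mirrored port would see it (constructed record)."""
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # TCP flags as letters: "S" = bare SYN, "SA" = SYN/ACK


# Misuse (signature) rules. IDs and texts are constructed for this example;
# they are not signature numbers from the talk or from any vendor database.
SIGNATURES = [
    {"id": "EX-1", "proto": "udp", "dport": 53, "msg": "DNS request logged"},
    {"id": "EX-2", "proto": "tcp", "dport": 23, "msg": "Telnet connection attempt"},
]


def match_signatures(pkt: Packet) -> List[str]:
    """Return a message for every signature whose fields the packet matches."""
    return [f'{sig["id"]} {sig["msg"]}' for sig in SIGNATURES
            if pkt.proto == sig["proto"] and pkt.dport == sig["dport"]]


class SynSweepDetector:
    """Anomaly-style check: one source sending bare SYNs to many distinct hosts
    inside a sliding time window is flagged as a TCP SYN sweep."""

    def __init__(self, threshold: int = 10, window: float = 60.0):
        self.threshold = threshold
        self.window = window
        self._events: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self._alerted = set()  # alert once per source, not on every further SYN

    def observe(self, pkt: Packet) -> Optional[str]:
        """Feed one packet; return an alert string when this source crosses the threshold."""
        if pkt.proto != "tcp" or pkt.flags != "S":
            return None
        q = self._events[pkt.src]
        q.append((pkt.ts, pkt.dst))
        # Expire events that fell out of the window
        while q and pkt.ts - q[0][0] > self.window:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= self.threshold and pkt.src not in self._alerted:
            self._alerted.add(pkt.src)
            return f"SYN sweep from {pkt.src}: {len(distinct)} hosts in {self.window:.0f}s"
        return None


def run_ids(packets: List[Packet], threshold: int = 10,
            window: float = 60.0) -> List[Tuple[float, str, str]]:
    """Run both detectors over a capture; return (timestamp, source, message) alerts."""
    sweep = SynSweepDetector(threshold, window)
    alerts: List[Tuple[float, str, str]] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        for msg in match_signatures(pkt):
            alerts.append((pkt.ts, pkt.src, msg))
        sweep_alert = sweep.observe(pkt)
        if sweep_alert:
            alerts.append((pkt.ts, pkt.src, sweep_alert))
    return alerts


def sample_traffic() -> List[Packet]:
    """Constructed traffic: one DNS lookup, one ordinary web connection, and a
    scanner probing twelve hosts on port 80 within about a second."""
    pkts = [
        Packet(0.0, "10.0.0.5", "10.0.0.2", "udp", 53),
        Packet(0.1, "10.0.0.5", "10.0.0.8", "tcp", 80, "S"),
        Packet(0.2, "10.0.0.8", "10.0.0.5", "tcp", 40000, "SA"),
    ]
    pkts += [Packet(5.0 + i * 0.1, "10.0.0.99", f"10.0.1.{i}", "tcp", 80, "S")
             for i in range(1, 13)]
    return pkts


if __name__ == "__main__":
    for ts, src, msg in run_ids(sample_traffic()):
        print(f"{ts:6.1f}  {src:<10}  {msg}")
```

The signature table produces the "DNS request logged" style of entry seen on slide 6, while the sweep detector only fires once a single source has touched `threshold` distinct hosts within `window` seconds, which is what keeps a normal client opening one or two connections from raising the same alert as a sweep. Tuning those two numbers is where the false positives the slides warn about are won or lost.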

  10. What our IDS doesn’t do
  • Intrusion Prevention!!
  • The administrator must take action
  • Does not log traffic that does not pass through FA 0/24
  • This was a choice
  • Internal traffic is undetected at this time

  11. Setup
  • Used CLI for IDS configuration
  • Set up IP, gateway, name, netmask
  • Set access list
  • Console only at the moment (134.198.161.100)

  12. SPAN
  • Switched Port ANalyzer
  • Mirrors 0/24 onto 0/23

  13. Monitor session on the switch
  #configure terminal
  #monitor session 1 source interface fastethernet 0/24 both
  #monitor session 1 destination interface fastethernet 0/23
  #end

  14. Alternatives
  • Snort
  • Software solution to IDS/IPS
  • Traffic analysis
  • Packet logging
  • Detects port scans, buffer overflows, etc.
  • IPS
