CISCO IDS NETWORK MODULE FOR CISCO 2600, 2800, 3600, 3700 AND 3800 SERIES ROUTERS

The Cisco® IDS Network Module is part of the Cisco integrated intrusion detection system (IDS) network security solutions that enable organizations to protect assets and reduce operating costs.

The Cisco IDS Network Module for the Cisco 2600, 2800, 3600, 3700, and 3800 series routers is part of the Cisco IDS/IPS Family sensor portfolio and the Cisco Intrusion Protection System. These IDS/IPS sensors work in concert with the other IDS/IPS components (see Figure 1), including the Cisco IPS Management Console, CiscoWorks VPN/Security Management Solution, and Cisco IPS Device Manager, to efficiently protect your data and information infrastructure. With the increasing complexity of security threats, an efficient network intrusion security solution is critical to maintaining a high level of protection. Vigilant protection helps ensure business continuity and minimizes the effect of costly intrusions. For details about the complete Cisco Intrusion Protection System, go to http://www.cisco.com/go/ids.

Figure 1. Cisco IDS Network Module Sensors Deployment on Cisco 2600, 2800, 3600, 3700, or 3800

Cisco offers a variety of IDS/IPS solutions that enable deployment of IDS/IPS sensors wherever they are needed in the network architecture. These comprehensive solutions provide intrusion detection and prevention for all environments, from small and medium-sized businesses (SMBs) and branch office locations to large enterprise and service provider installations. Cisco's purpose-built IPS platforms include Cisco IPS 4200 Series sensor appliances, Cisco Catalyst® 6500 Series switch modules, and the Advanced Inspection and Prevention Security Services Module for Cisco ASA 5500 Series adaptive security appliances. The IDS module for Cisco access routers provides traditional detection with enhanced capabilities. Additionally, a focused set of intrusion prevention capabilities is available as a Cisco IOS® Software solution for Cisco routers. For device configuration and event viewing, Cisco solutions include the Cisco IPS Device Manager for single-device management and event monitoring, and CiscoWorks VPN/Security Management Solution (VMS) for multidevice, multi-event-type correlation. Each sensor addresses the bandwidth requirements of different routers: up to 10 Mbps in the Cisco 2600XM, and up to 45 Mbps in the Cisco 2800, 3700, and 3800 Series. For more information on the Cisco Intrusion Protection family of products, see http://www.cisco.com/go/ids.

FLEXIBLE DEPLOYMENT OPTIONS IN CISCO ROUTERS:

Cisco Systems® offers the widest range of network IDS/IPS deployment options with our routers, providing customers with the ability to choose the intrusion solution that is most cost-effective for their environments. All solutions are designed for high availability and backed by outstanding customer support from Cisco. See Figure 2 to compare and contrast Cisco IOS IPS and the Cisco IDS Network Module (IDS-NM).

Figure 2.

CISCO IDS NETWORK MODULE FOR THE CISCO 2600, 2800, 3600, 3700, AND 3800 SERIES ROUTERS: INTEGRATING IDS AND BRANCH OFFICE ROUTING

By integrating IDS and branch office routing, Cisco reduces the complexity of securing WAN links, while reducing operational costs. The integration of the IDS into the branch office router provides numerous important customer benefits:

• Physical Space Savings-The Cisco IDS Network Module uses a single network module slot in a Cisco Series branch office router.

• Investment Protection-Designed to take advantage of the Enhanced Network Module (NME) slot of the Cisco 2811, 2821, 2851, and 3800 Series Integrated Services Routers.

• Simple Power and Cable Management-The IDS network module takes advantage of the power options of the router, including DC power and redundant power.

• Common Management Interface-The IDS network module can be configured and managed from the Cisco IOS® command-line interface (CLI). This network module is supported by the same CiscoWorks Management Center for IDS Sensors that supports the Cisco IPS 4200 Series, allowing customers to use one centralized management system for both appliance and router sensors.

• Network Command and Control Interface-By using the external Fast Ethernet port for command and control, the internal router connection of the Cisco IDS Network Module is left free to carry captured packets to the network module for processing by the IDS engine.

• Separate Processor for the Cisco IDS Network Module to Maximize Performance-Having a dedicated CPU in the network module frees the router CPU from process-intensive IDS tasks.

• Lower Operational Costs-The Cisco IDS network module is covered by the Cisco maintenance service for the router. This setup minimizes network operational costs.

• Storage-The NM-CIDS ships with a 40-gigabyte hard disk that is used for logging (security forensics) and signature storage.

• Performance-The Cisco IDS Network Module can monitor up to 45 Mbps of traffic and is suitable for T1/E1 and T3 environments.

• Security In Depth-A router installed with this IDS network module also supports other Cisco IOS security features such as VPN, firewall, Multiprotocol Label Switching (MPLS), Network Address Translation (NAT), and Web Cache Control Protocol (WCCP), while supporting all common Cisco IOS functions.

• Dedicated Command and Control-The external Ethernet port is used for command and control to enable a secure outbound port for management. This setup also allows for both security operations and network operations to have their own command and control interfaces.

Figure 3. Cisco IDS Network Module

CISCO INTRUSION PROTECTION SYSTEM ADVANTAGES

Accurate Prevention Technologies

Cisco IPS Sensor Software 5.0 running on NM-CIDS includes innovative technologies that give users the confidence to take prevention actions on a broader range of threats. These technologies, including correlation and validation tools, greatly reduce the risk of dropping legitimate traffic. This extra level of accuracy is achieved through the use of:

• Risk Rating-Offers unprecedented reliability and complete confidence to enable your inline prevention deployment. Traditional intrusion prevention has relied on severity rating as its sole method of determining the potential damage associated with an event; Cisco Risk Rating provides a more accurate representation and risk-balanced assessment of the potential damage per event through the use of four separate values:

– Event severity-A user-modifiable weighted value indicating potential damage per event

– Signature fidelity-A user-modifiable weighted value indicating accuracy of the signature

– Asset value-A user-defined value indicating the importance of the attack target

– Attack relevancy-An internal weighted value based on the susceptibility of the target to this attack type

The aggregate of these values provides a single risk rating for the event. Most of these terms are configured by default and require minimal user involvement.

• Meta-Event Generator (MEG)-Provides unique correlation of events in order to accurately detect and stop worms. As worms move through your network, they generate many alarms of varying degrees of severity. Cisco MEG links these seemingly unrelated lower-severity alarms into a high-severity, high-risk event, enabling the user to confidently drop the associated packets. MEG achieves this by modeling worm behavior, correlating specific time between events, network behavior, and multiple exploit behavior.
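The risk-rating aggregation and the MEG-style correlation described above, as an added example in Python (not Cisco's code): it assumes the IPS 5.x weighting RR = (severity × asset value × fidelity) / 10000 + relevancy, an assumption since the data sheet only says the four values are aggregated, and it runs over constructed alarm records rather than real sensor output.

```python
from dataclasses import dataclass

@dataclass
class Alarm:
    time: float       # seconds since start of capture (constructed values)
    src: str          # source address of the event
    sig: str          # signature name
    severity: int     # event severity (ASR), 0-100
    fidelity: int     # signature fidelity (SFR), 0-100
    asset_value: int  # asset value of the target (TVR), 0-100
    relevance: int    # attack relevancy (ARR): +10 relevant, 0 unknown, -10 not

def risk_rating(a: Alarm) -> int:
    """Assumed IPS 5.x aggregation: RR = ASR*TVR*SFR/10000 + ARR, clamped to 0-100."""
    rr = a.severity * a.asset_value * a.fidelity // 10000 + a.relevance
    return max(0, min(100, rr))

def meta_events(alarms, components, window, meta_severity=100):
    """MEG-style correlation: when every signature in `components` fires from one
    source within `window` seconds, emit a single high-severity meta alarm."""
    by_src = {}
    for a in sorted(alarms, key=lambda x: x.time):
        by_src.setdefault(a.src, []).append(a)
    found = []
    for src, seq in by_src.items():
        for first in seq:
            span = [x for x in seq if first.time <= x.time <= first.time + window]
            if set(components) <= {x.sig for x in span}:
                # relevancy fixed at +10; asset value taken from the affected targets
                found.append(Alarm(first.time, src, "META:" + "+".join(components),
                                   meta_severity, 100,
                                   max(x.asset_value for x in span), 10))
                break  # one meta event per source
    return found

# Constructed sample: three low-severity alarms from one host within four
# seconds (sweep, RPC probe, overflow attempt) and a lone sweep from another
# host that must not be promoted.
SAMPLE = [
    Alarm(0.0, "10.1.1.5", "ICMP-SWEEP", 25, 75, 80, 0),
    Alarm(1.5, "10.1.1.5", "RPC-PROBE", 40, 80, 80, 10),
    Alarm(3.8, "10.1.1.5", "BUF-OVERFLOW", 50, 90, 80, 10),
    Alarm(2.0, "10.9.9.9", "ICMP-SWEEP", 25, 75, 80, 0),
]
WORM_PATTERN = ["ICMP-SWEEP", "RPC-PROBE", "BUF-OVERFLOW"]

if __name__ == "__main__":
    for a in SAMPLE + meta_events(SAMPLE, WORM_PATTERN, window=10):
        print(f"{a.src:10} {a.sig:40} RR={risk_rating(a)}")
```

The three component alarms score 15, 35 and 46 on their own; the meta event built from them scores 90, which is the jump in risk that lets an operator act on the correlated event rather than on any single alarm.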

Flexible Deployment Options

Cisco Systems® offers the widest range of network IDS/IPS deployment options, providing customers with the ability to choose the intrusion solution that is most cost-effective for their environments. All solutions are designed for high availability and backed by outstanding customer support from Cisco.

Easy Installation

Installation of the Cisco IDS Network Module is as easy as sliding the module into an open chassis slot, configuring the module with the initialization parameters, and configuring the router to recognize the card and send traffic to it. After the IDS network module is initialized and running, configurations can be modified and pushed to it from any of the management consoles.

Hardware Architecture

The Cisco IPS Sensor 5.0 software runs on a separate processor on the network module and uses the 40-gigabyte hard drive for all logging. The router copies packets to the network module for inspection via the internal Fast Ethernet interface. The network management stations contact the network module via the external Fast Ethernet interface.

Figure 4. Architecture of the Integrated Cisco IDS Network Module with the CiscoWorks VPN/Security Management Solution 2.1

Primary Management Features

• CiscoWorks Management Center for IDS Sensors-Used for configuring network and switch IDS sensors and provides a scalable foundation to configure multiple sensors concurrently using group profiles

• CiscoWorks Monitoring Center for Security-Integrated monitoring used to capture, store, view, correlate, and report on events from network IDS, switch IDS, host IDS, firewalls, and routers

• Cisco CS-MARS-Offers a family of high-performance, scalable appliances for threat management, monitoring, and mitigation. Cisco CS-MARS combines network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities

For complete details, go to: http://www.cisco.com/en/US/products/sw/cscowork/ps2330/index.html.

CISCO IDS NETWORK MODULE PRODUCT SUMMARY

Network Modules

Table 1 gives the product part number and description of the Cisco IDS Network Module, which may be useful when ordering.

Table 1. Cisco IDS Network Module Product Number

Product Part Number | Description
NM-CIDS-K9 | Cisco IDS Network Module, 40-GB IDE hard disk

Required Software Licenses

The Cisco IDS Network Module requires a Cisco IOS Security Software image, Release 12.2(15)ZJ or later. Table 2 provides an example listing of the Cisco IOS Security images available on the Cisco 2600, 2800, 3600, 3700, and 3800 routers.

Table 2. Cisco IOS Security software images available on the Cisco 2600, 2800, 3600, 3700, and 3800 routers (see the Cisco online configuration ordering utility for the complete list: http://www.cisco.com/en/US/ordering/index.shtml)

Product
IOS IP/FW/IDS
IOS IP/FW/IDS PLUS IPSEC 56
IOS IP/FW/IDS PLUS IPSEC 3DES
IOS IP/IPX/AT/DEC/FW/IDS PLUS
IOS ENTERPRISE/FW/IDS PLUS IPSEC 56
IOS ENTERPRISE/FW/IDS PLUS IPSEC 3DES
IOS Advanced Security
IOS Advanced IP Services
IOS Advanced Enterprise Services

Supported Routers

Only one Cisco IDS Network Module is supported per router. Table 3 lists the routing platforms that support the Cisco IDS Network Module.

Table 3. Platforms that support the Cisco IDS Network Module

Router | NM-CIDS-K9
Cisco 2600 Series | No
Cisco 2600XM Series and 2691 | Yes
Cisco 2811, 2821, and 2851 | Yes
Cisco 3620, 3631, 3640, and 3640A | No
Cisco 3660 | Yes
Cisco 3725 and 3745 | Yes
Cisco 3825 and 3845 | Yes

HARDWARE SPECIFICATIONS

Table 4 gives hardware specifications of the Cisco IDS Network Module.

Table 4. Hardware specifications of Cisco IDS Network Module

Feature | NM-CIDS-K9

Hardware Features
Processor
· 500-MHz Intel Mobile Pentium III
Default Synchronous Dynamic RAM (SDRAM)
· 256 MB
Maximum SDRAM
· 512 MB
Internal Disk Storage
· Cisco IDS Network Module 40 GB IDE
Network Interfaces
· One internal 10-/100-Mbps Ethernet port to router backplane, plus one external 10-/100-Mbps Ethernet port
Flash Memory
· 16-MB internal plus optional external compact Flash memory
Physical Specifications
Dimensions (H x W x D)
· 1.55 x 7.10 x 7.2 inches
· 3.9 x 18.0 x 18.3 centimeters
Weight
· 1.5 lb maximum
· 0.7 kg maximum
Operating Humidity
· 5 to 95% noncondensing
Operational Temperature
· 32 to 104°F
· 0 to 40°C
Nonoperating Temperature
· -40 to 185°F
· -40 to 85°C
Operational Altitude
· 0 to 10,000 feet
· 0 to 3000 meters
Safety
· UL 1950; CSA-C22.2 No. 950, EN 60950, IEC 60950
EMC
· FCC Part 15 Class A; EN55022 Class B; AS/NZS 3548 Class A; CISPR22 Class B; VCCI Class B; EN55024; EN61000-3-2; EN61000-3-3

PRODUCT SPECIFICATIONS AND CHARACTERISTICS

Table 5 gives product specifications of the Cisco IDS Network Module.

Table 5. Specifications of Cisco IDS Network Module

Feature | NM-CIDS-K9

Hardware Features
Performance When Cisco IDS Network Module is Deployed in a Cisco 2600XM Series Router | Up to 10 Mbps
Performance When Cisco IDS Network Module is Deployed in a Cisco 2800, 3700, or 3800 Series Router | Up to 45 Mbps
Standard Monitoring Interface | Router internal bus
Standard Command and Control Interface | Network module external 10/100BASE-T
Optional Interface | No
Performance Upgradable | No
Stateful Pattern Recognition | Yes
Heuristic Detection | Yes
Anomaly Detection | Yes
Sweeps or Floods | Yes
Denial-of-Service (DoS) Mitigation | Yes
Worms or Viruses | Yes
Common Gateway Interface (CGI) or WWW Attacks | Yes
Buffer Overflow Protection | Yes
Remote-Procedure Call (RPC) Attack Detection | Yes
IP Fragmentation Attacks | Yes
Internet Control Message Protocol (ICMP) Attacks | Yes
Simple Mail Transfer Protocol (SMTP), Sendmail, Internet Message Access Protocol (IMAP), or Post Office Protocol (POP) Attacks | Yes
File Transfer Protocol (FTP), Secure Shell (SSH), Telnet, and rlogin Attacks | Yes
Domain Name System (DNS) Attacks | Yes
TCP Hijacks | Yes
Windows or NetBIOS Attacks | Yes
TCP Application Protection | Yes
BackOrifice Attacks | Yes
Network Time Protocol (NTP) Attacks | Yes
Customizable Signatures Using Signature Micro-Engine Technology | Yes
Automated Signature Updates | Yes
Alarm Summarization | Yes
Support for 802.1q Traffic | Yes
IP Security (IPsec) or Secure Sockets Layer (SSL) Between Sensor and Management Console | Yes
Encrypted Signature Packages | Yes
SSH for Remote Administration | Yes
Secure Copy Protocol (SCP) Support for Secure File Transfer | Yes
IP Fragmentation Reassembly | Yes
TCP Stream Reassembly | Yes
Unicode Deobfuscation | Yes
Router Access Control List (ACL) Modifications | Yes
Firewall Policy Modifications | Yes
Switch ACL Modifications | Yes
Session Termination via TCP Resets | Yes
IP Session Logging or Session Replay | Yes
Alarm Display | Yes
E-mail Alerts | Yes
E-page Alerts | Yes
Customizable Script Execution | Yes
Multiple Alarm Destinations | Yes
Third-Party Tool Integration | Yes
IDS Active Update Bulletins | Yes
Web User Interface (HTTPS) | Yes
CLI (Console) | Yes
CLI (Telnet or SSH) | Yes
CiscoWorks VPN/Security Management Solution Support | Yes
Redundant Power Supply | Yes (Cisco 3745/3845 only)
Monitoring Link Failure Detection | Yes
Communications Failure Detection | Yes
Services Failure Detection | Yes
Device Failure Detection | Yes

Note: The 10- to 45-Mbps performance figure for the Cisco IDS Network Module is based on the following conditions:

• Five hundred new TCP connections per second

• Five hundred HTTP transactions per second

• Average packet size of 445 bytes

• Running Cisco IDS 5.0 Sensor Software

2007/05/04 12:21