The remainder of this chapter focuses on Cisco router IDS capabilities and the configuration of IDS using the Cisco IOS Firewall feature set. The Cisco IOS IDS implementation is suited best for midlevel to higher-level platforms because of the overhead associated with examining packets to detect threats and attacks on perimeter routers. It also can provide a level of protection for remote access and dialup connections. There are four basic reasons for deploying the Cisco IOS Firewall IDS:
To extend security to your perimeter routers across an enterprise network, especially at branch and regional offices
To provide a cost-effective IDS solution for small- to medium-size businesses
To detect external attacks directed at the router itself where a network-based sensor, connected behind the router, cannot detect these attacks
To implement a one-box perimeter solution
NOTE
The router IDS is not a full-blown IDS solution: Because it is an inline solution, it might affect the performance of the router. Therefore, you need to be careful about enabling it on a router. Also, the router supports a limited number of signatures and, therefore, should be coupled with a network-based IDS solution, such as the 4200 sensors, in medium- to large-size networks.
Whereas the Cisco network-based sensors, such as the 4200, support more than 1000 signatures, the Cisco IOS Firewall IDS feature supports only 100. Because of the limited number of signatures, the Cisco IOS IDS software typically is used at the perimeter of the network and in combination with other IDS solutions, such as dedicated hardware sensors.
For example, if you refer back to Figure 16-1, you can see that the hardware sensor sitting behind the perimeter router never sees the traffic that the perimeter router filters. With the Cisco IOS IDS software, the perimeter router at least can report a small number of attacks that are directed at the perimeter router or that the perimeter router filters; in either case, the hardware sensor behind the perimeter router would never see this traffic anyway. Even though the number of signatures is limited, the Cisco IOS IDS software looks for common attacks and threats. Table 16-2 lists the signatures supported by the Cisco IOS Firewall IDS feature set.
Signature Number | Type | Description |
1000 | Informational, atomic | Bad options exist in the IP header, or the IP header is incomplete or malformed. |
1001 | Informational, atomic | Option 7 in the IP header is marked (record the route of the packet). |
1002 | Informational, atomic | Option 4 in the IP header is marked (timestamp information requested). |
1003 | Informational, atomic | Option 2 (security) in the IP header is marked. This is obsolete. |
1004 | Informational, atomic | Option 3 in the IP header is marked (loose source-routing information). |
1005 | Informational, atomic | Option 8 (SATNET stream identifier) in the IP header is marked. This is obsolete. |
1006 | Informational, atomic | Strict source routing is requested for the packet. |
1100 | Attack, atomic | The "more fragments" flag is set to 1, or an offset is indicated in the Offset field. |
1101 | Attack, atomic | A packet has an IP protocol of 134 or higher. These protocols either are undefined or are reserved and should not be used. (The IP protocol number used to be 101.) |
1102 | Attack, atomic | This indicates a Land.c attack, in which the source and destination addresses are the same. |
1104 | Attack, compound | 127.0.0.1 is detected in the source IP address field. |
1105 | Attack, compound | A broadcast address (255.255.255.255.) is detected in the source IP address field. |
1106 | Attack, compound | A multicast address is detected in the source IP address field. |
1107 | Informational, compound | RFC 1918 addresses are detected. |
1202 | Attack, compound | The reassembled packet is larger than the specified length or is greater than 65,535 bytes. |
1206 | Attack, compound | Any fragment (except the last) is less than 400 bytes. |
2000 | Informational, atomic | The ICMP type field is set to 0 (echo reply). |
2001 | Informational, atomic | The ICMP type field is set to 1 (host unreachable). |
2002 | Informational, atomic | The ICMP type field is set to 4 (source quench). |
2003 | Informational, atomic | The ICMP type field is set to 5 (redirect). |
2004 | Informational, atomic | The ICMP type field is set to 8 (echo request). |
2005 | Informational, atomic | The ICMP type field is set to 11 (time exceeded). |
2006 | Informational, atomic | The ICMP type field is set to 12 (parameter problem in the packet). |
2007 | Informational, atomic | The ICMP type field is set to 13 (timestamp request). |
2008 | Informational, atomic | The ICMP type field is set to 14 (timestamp reply). |
2009 | Informational, atomic | The ICMP type field is set to 15 (information request). |
2010 | Informational, atomic | The ICMP type field is set to 16 (information reply). |
2011 | Informational, atomic | The ICMP type field is set to 17 (subnet mask request). |
2012 | Informational, atomic | The ICMP type field is set to 18 (subnet mask reply). |
2150 | Attack, atomic | An ICMP packet has the More Fragments flag set to 1, or an offset is indicated in the header. |
2151 | Attack, atomic | The length in the IP header is set to something larger than 1024 bytes. |
2154 | Attack, atomic | An ICMP packet has the last fragment bit set, and the following is true: ("IP offset" * 8) + "IP data length" > 65,535). This is called the Ping of Death. |
3038 | Attack, compound | A TCP segment does not have the SYN, FIN, ACK, or RST flags set (reconnaissance sweep). |
3039 | Attack, compound | A fragmented TCP FIN packet was sent to a port less than 1024, called an orphaned FIN. |
3040 | Attack, atomic | A TCP segment with no bits set is present in the flags field. |
3041 | Attack, atomic | A TCP segment has both the SYN and FIN bits set. |
3042 | Attack, atomic | A TCP segment has the FIN bit set but no ACK bit set. |
3043 | Attack, compound | A fragmented TCP segment has the SYN and FIN bits set. |
3050 | Attack, compound | Multiple TCP connections have been initiated but have not completed. This looks at only ports 21, 23, 25, and 80. |
3100 | Attack, compound | This looks for the mail attack against RFC-compliant SMTP servers, such as sendmail. |
3101 | Attack, compound | E-mail messages have the pipe symbol (|) in the To field. |
3102 | Attack, compound | E-mail messages have the pipe symbol (|) in the From field. |
3103 | Attack, compound | E-mail messages have the expn or vrfy commands. |
3104 | Attack, compound | E-mail messages have the wiz or debug commands. |
3105 | Attack, compound | E-mail messages have :decode@ in the e-mail header. |
3106 | Attack, compound | An e-mail message has more than 250 (default) Rcpt To lines. |
3107 | Attack, compound | A bug in Majordomo allows remote users to execute commands on the server. |
3150 | Attack, compound | The FTP site command was executed on an FTP connection. |
3151 | Informational, compound | The FTP syst command was executed on an FTP connection. |
3152 | Attack, compound | The FTP cwd ~root command was executed on an FTP connection. |
3153 | Attack, atomic | In an FTP connection, a port command was executed with a different address than the requesting source. |
3154 | Attack, atomic | A port number less than 1024 or greater than 65,535 was specified on an FTP connection. |
3215 | Attack, compound | Someone tried to execute a command, using a directory traversal bug, on an IIS web server (IIS DOT DOT EXECUTE attack). |
3229 | Attack, compound | Someone tried to access the win-c-sample program through a web server. |
3233 | Attack, compound | An overflow attempt against the CGI-bin count program was detected. |
4050 | Attack, atomic | The UDP segment length is less than the length in the IP header. |
4051 | Attack, compound | UDP packets have a source port of 7, 19, or 135 and a destination of 135 (Snork attack). |
4052 | Attack, compound | UDP traffic was sent to port 7 or 19 (Chargen attack). |
4100 | Attack, compound | Someone tried to access the /etc/passwd file through TFTP. |
4600 | Attack, compound | A malformed syslog message was sent to UDP port 514. This is called an Cisco IOS UDP bomb. |
5034 | Attack, compound | Someone tried to run the newdsn.exe program through an HTTP server. |
5035 | Attack, compound | An attacker tried to send commands through the CGI-bin program HylaFAX Faxsurvey. |
5041 | Attack, compound | An attacker tried to execute commands through a CGI-bin script. |
5043 | Attack, compound | An attacker tried to access scripts on a ColdFusion server. |
5044 | Attack, compound | An attacker tried to execute commands through the rguest.exe or wguest.exe CGI-bin scripts associated with the Webcom.se Guestbook. |
5045 | Attack, compound | A CGI-bin script attempted to execute the xterm-display command to circumvent a UNIX WWW server. |
5050 | Attack, compound | A .htr buffer overrun attack was detected against a Windows IIS server. |
5055 | Attack, compound | An HTTP buffer overflow attempt was made using a large username/password combination. |
5071 | Attack, compound | An attacker tried to access the msacds.dll WWW Windows file to execute commands or view secured files. |
5081 | Attack, compound | An attacker tried to access the cmd.exe program on a Windows WWW server. |
5090 | Attack, compound | An attacker tried to access a FrontPage CGI script with a filename ending in 0,0. |
5114 | Attack, compound | An attacker tried to exploit the Unicode ../ directory movement in WWW IIS. |
5116 | Attack, compound | An attacker sent shell metacharacters to be executed with the privilege level in the CGI script in Endymion MailMan. |
5117 | Attack, compound | An attacker attempted to execute code that exploits a vulnerability in phpGroupWare. |
5118 | Attack, compound | An attacker sent a special HTTP/GET request to upload files to the web server (called the eWave ServletEXEC 3.0C File Upload attack). |
5123 | Attack, compound | An abnormally large HTTP GET request was sent to a web server. |
6050 | Informational, compound | Someone attempted to access HINFO DNS records on a DNS server. |
6051 | Informational, compound | A DNS zone transfer with a source port of 53 (legitimate) was detected. |
6052 | Attack, compound | A DNS zone transfer with a different source port than 53 was detected. |
6053 | Informational, compound | Someone requested all the records for a DNS server. |
6054 | Informational, compound | Someone requested the version of a DNS server. |
6055 | Attack, compound | A DNS inverse query with more than 255 characters was detected, attempting a buffer overflow. |
6056 | Attack, compound | A DNS NXT buffer overflow against a DNS server was detected. |
6057 | Attack, compound | A DNS SIG buffer overflow against a DNS server was detected. |
6062 | Informational, compound | A DNS query of type TXT was made with the string Authors.Bind. |
6063 | Informational, compound | A DNS query type 251 was detected for a zone transfer. |
6100 | Informational, atomic | Someone tried to register new RPC services on a host. |
6101 | Informational, atomic | Someone tried to unregister RPC services on a host. |
6102 | Informational, atomic | An RPC dump request was made to a host. |
6103 | Attack, atomic | A proxied RPC request was sent to the portmapper process on a host. |
6150 | Informational, atomic | A request was sent to the portmapper process for the YP server daemon. |
6151 | Informational, atomic | A request was sent to the portmapper process for the YP bind daemon. |
6152 | Informational, atomic | A request was sent to the portmapper process for the YP password daemon. |
6153 | Informational, atomic | A request was sent to the portmapper process for the YP update daemon. |
6154 | Informational, atomic | A request was sent to the portmapper process for the YP transfer daemon. |
6155 | Informational, atomic | A request was sent to the portmapper process for the mount daemon. |
6175 | Informational, atomic | A request was sent to the portmapper process for the rexd daemon. |
6180 | Informational, atomic | A call was sent to the portmapper process for the rexd daemon. This typically indicates an access attack. |
6190 | Attack, atomic | A large statd request was sent, probably indicating a buffer overflow attack method. |
8000:2101 | Attack, atomic | Someone entered the string passwd during an FTP session, probably indicating that someone was trying to download the system's password file. |
NOTE
More than 40 signatures were added in 12.2(15)T; therefore, if you have an older Cisco IOS version, the number of signatures that the Cisco IOS Firewall feature set supports is actually less than 60. Read the Cisco IOS release notes to determine what signatures are enabled for the Cisco IOS version that you currently are running on your router.
By default, IDS is not enabled on a router that has the Cisco IOS Firewall feature set installed. Instead, you must create audit rules, which specify the signatures that the Cisco IOS should use when looking for suspicious traffic, threats, or attacks. Cisco divides the signatures into two basic categories on the Cisco IOS, based on their severity: informational and attack. You can enable one or both groups. Also, you can selectively enable or disable specific signatures, or specify that a signature be enabled or disabled for a specific host or hosts.
After you have created your audit rule, you need to activate it on the router's interface(s) in an in or out direction. After you do this, IDS is enabled. If you applied the audit rule inbound, all packets are audited entering the interface. Unlike most other features, IDS is performed before any inbound ACL is processed; this enables you to detect external threats coming into your network. If you apply an audit policy outbound on an interface, as long as traffic is permitted into the router and routed to the outbound interface, the audit policy is used. In this case, IDS examines packets before the outbound ACL, if any, is processed on the interface.
When comparing a packet or packets against the router's signatures, the Cisco IOS does it in this order:
IP signatures
ICMP signatures
TCP or UDP signatures (depending on the connection type)
Application layer signatures
NOTE
One important thing to point out about the matching process is that, as soon as the Cisco IOS finds a match on one signature, it immediately stops looking for any other matches within the same type. However, it continues to look for matches in other modules. For example, if the Cisco IOS finds an IP signature match, it does not look for any other IP signature matches, but it continues on to ICMP. This is different from the Cisco 4200 hardware sensors, which look for all possible signature matches in all categories.
When a router with the firewall IDS enabled detects an attack, it can take one of three actions:
Generate an alarm, which, by default, is displayed on the console. This alarm also can be sent to a syslog server or to Cisco Secure IDS Director, a centralized management platform.
For TCP connections, reset them.
Drop the packet.
TIP
Cisco highly recommends that you use the reset and drop actions together.
Even though all 100 signatures are enabled by default, you selectively can disable them if the router is triggering a high number of false positives. You can even disable a signature selectively based on the device that triggered the alarm.
I previously discussed some general issues with IDS solutions. This section discusses some issues that are specific to the Cisco IOS and the IDS and its configuration. Obviously, the performance of IDS on a Cisco router depends on many things, including these:
The processor on the router.
The amount of memory on the router. For compound signatures, the CBAC allocates memory to maintain not only the state information for the connection, but also internal caching of packets.
The amount of traffic traveling through the router.
Whether the router is performing encryption.
NOTE
Enabling or disabling specific signatures does not impact the performance of IDS on the router. Likewise, interface ACLs do not impact IDS performance. However, if you are using an ACL to determine what packets trigger signatures, there will be a significant impact in the performance of the router.