Question :

 

Intrusion Detection System Cisco NIDS - Switched Port Analyzer (SPAN)

Network-based intrusion detection systems (NIDS) are devices intelligently distributed within networks that passively inspect traffic traversing the devices on which they sit. NIDS can be hardware or software-based systems and, depending on the manufacturer of the system, can attach to various network mediums such as Ethernet, FDDI, and others. Oftentimes, NIDS have two network interfaces. One is used for listening to network conversations in promiscuous mode and the other is used for control and reporting. 

The purpose of this research paper is to examine how Cisco IDS is used to monitor network traffic, covering the intrusion detection system itself, the network analyzer, and the monitoring port. What are the various vulnerabilities of Cisco NIDS, and what are the recommendations?

 

Answer :

 

1. Introduction

Information security is one of the most important requirements in the fields of information science and information technology. It comprises the methods and processes that protect sensitive and critical information assets from hackers and attackers, preventing unwanted loss and unavailability. Today, information is no longer confined within the boundary of an organization, because networks and the Internet allow it to be shared among different entities. Cyber criminals always target networks to gain access to the sensitive and critical information flowing from one network to another, from source to destination. It is also easy for hackers to obtain vital information from an open, publicly accessible network such as the Internet. Security is therefore required to protect sensitive and critical information while it traverses the network from source to destination.

A Network Intrusion Detection System (NIDS) or Network Intrusion Prevention System (NIPS) is a network tool that detects anomalies passing through the network and raises an alarm so that the protection procedure can be executed. Network intrusion is a very common class of network attack that lets attackers access information on the network. Once the attacker succeeds in intruding into the network, it can obtain the sensitive and critical information traversing the network from source to recipient.

Basically, a NIDS is a software- or hardware-based tool deployed within the network to detect abnormal network behaviour. The tool monitors continuously; once abnormal network activity is found, an alarm is generated so that the administrator can take further action to protect the network from intruders. A NIDS works in three different modes: signature detection mode, anomaly detection mode, and a combination of signature and anomaly detection. In signature detection mode the NIDS examines all traffic passing the interface and compares it against the signatures of past known attacks. Custom signatures can also be added to a signature-based NIDS. A NIDS in anomaly detection mode detects anomalies through statistical analysis of the network traffic against given parameters and models; if the traffic deviates from the given model, the NIDS alarms the administrator about a network intrusion. The hybrid mode, combining signature and anomaly detection, includes both capabilities: the signatures of past network attacks and the model for anomaly detection (Hilley, 2005).

A Network Intrusion Detection System with signature and anomaly detection capability constantly monitors and analyzes the network traffic to detect network intrusions. It protects the network from various categories of network attack such as Denial of Service, router table poisoning, MAC spoofing, and masquerading attacks.

2. Cisco NIDS – Switch Port Analyzer (SPAN)

Cisco Network Intrusion Detection System with Switch Port Analyzer uses a Cisco SwitchProbe device or any other Remote Monitoring (RMON) probe that has the port mirroring (port monitoring) feature. It selects network traffic for analysis by the analyzer. In port mirroring, the packets seen on a single device port, on ports of multiple devices, or on the whole local network are copied by the network device and sent to the network monitoring connection on another port of the device. In network-based intrusion detection this process is very commonly used to monitor the network traffic for intrusions. The network analyzer, which processes the network packet data, is connected to the network monitoring port. The device mirrors four interfaces under a session (Wilhelm, 2011). In the Cisco switch port analyzer form of network-based intrusion detection, all network packets are mirrored as they are received on the network port and analyzed by the network analyzer. The Cisco switch port analyzer also loses some of the data that is sent to the port analyzer for analysis to detect network intrusions.

3. Problem Statement

An intrusion detection system is a systematic hardware- or software-based system that monitors network traffic, analyzes the network data to detect anomalies, and reports them. This is the main functional aspect of a network intrusion detection system. The question is how the Cisco intrusion detection system detects network intrusions, analyzes the network traffic, and determines which anomalies are flowing through the network. It is also true that every system has loopholes, so it is equally important to find the loopholes, that is, the vulnerabilities related to the Cisco intrusion detection system. Once the vulnerabilities of the Cisco network intrusion detection system are identified, it becomes important to define the process for overcoming them.

4. Process of Cisco Intrusion Detection System

The Cisco intrusion detection system's switch port analyzer (SPAN) has the feature of capturing network packets. SPAN is supported by most Cisco switches. It copies the packets from a single port or multiple ports of the switch. The copied packets are sent to the SPAN destination port, which is connected to a host running packet analyzer software. The packet analyzer can be Wireshark or any other network analyzer software. The diagrammatic representation of Cisco IDS with SPAN is given in Figure 1.

[Figure 1 image not reproduced] Figure 1. Cisco Intrusion Detection SPAN

Figure 1 shows two PCs connected to a Cisco switch through Gigabit Ethernet ports 0/1 and 0/2. CS-MARS is the sensor or packet analyzer device, connected to the Cisco switch through Gigabit Ethernet port 0/3; it runs the packet analyzing software. The arrow from the left PC indicates a packet sent by the left PC to the right PC. The packet first goes to the switch port, and the switch mirrors it, copying the packet and sending it both to the port connected to the right PC and to the CS-MARS port.

If the packet analyzer is the Wireshark network traffic analyzer, the packet that the switch port sends to the packet analyzer port is analyzed and a report is sent to the host monitoring station.

Signature- or rule-based packet analyzer software analyzes the packet data by matching it against the given signatures or rules. A list of signatures or rules must be configured as per requirements on the signature- or rule-based packet analyzer of the NIDS. The complexity of a signature- or rule-based NIDS increases when the traffic consumes high network bandwidth, and in that situation real-time analysis fails. The functional aspects of the signature-based NIDS are presented in Figure 2.

[Figure 2 image not reproduced] Figure 2. Signature Based IDS based on Snort Rule

A signature- or rule-based analyzer first decodes the network packets into a standard format of 1500 bytes and preprocesses them to add additional information. The preprocessed packet then goes to the detection engine, which uses the rules or signatures to detect network anomalies. Based on the detection engine's report, the alert system performs the further alarming activities.

5. Configuration of SPAN on Cisco Switchport 

SPAN on a Cisco switch port is configured on the same switch as the destination port. An additional benefit is that Cisco switch ports also support remote SPAN configuration, so SPAN can easily be configured on any of the switches in a given network. For the Figure 1 network scenario for the NIDS, the configuration of SPAN on the given switch port is detailed as follows.

Switch> enable
Switch# configure terminal
! session 1: mirror the traffic of g0/2 (the port of the right PC in Figure 1)
Switch(config)# monitor session 1 source interface gigabitEthernet 0/2
! deliver the mirrored copies to g0/3, where the CS-MARS sensor is connected
Switch(config)# monitor session 1 destination interface gigabitEthernet 0/3
Switch(config)# exit

The above Cisco IOS configuration commands configure the session, source interface and destination interface for the SPAN of the Cisco IDS.

6. Network Analyzer

A network analyzer is a software utility of the Cisco NIDS. It analyzes the packets received from the source port, at the port of the device connected to the source port of the Cisco switch. There are two categories of network analyzer: signature- or rule-based, and anomaly-detection-based. A signature-based network analyzer works on the rules or signatures in its database; signatures are created and uploaded to the database and compared with the packet data to detect network anomalies (Boskany, 2014). In an anomaly-detection-based network analyzer, the packet data is analyzed directly by the analyzer to detect anomalies in the network traffic, and a report is then generated.

For example, suppose a user regularly logs in to the system at 9:00 AM and logs out at 6:00 PM. When a login is performed at 11:00 PM, the network analyzer detects an anomaly, because the regular login to the server is at 9:00 AM and this is not the usual activity. The network analyzer thus sends a report of the network anomaly, and the NIDS alarm is activated to inform the monitoring system about the anomaly occurring on the network.

Snort is a rule- or signature-based network analyzer provided by Cisco. Snort rules are created and modified whenever network security requires it. Because it is Cisco-provided software, it is optimal for the Cisco NIDS. Wireshark, NAST, Genmap, etc. are anomaly-detection-based network analyzers used to detect network anomalies in the traffic and generate a report. These anomaly-based network analysis tools can also work independently on an individual host of the system to detect anomalies in the packets it sends and receives over the network.
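As an added example (not code from the essay, Cisco or Snort), the following Python sketch walks a few constructed packet records through the four stages of Figure 2 and applies both the signature matching of section 4 and the login-time anomaly rule from the example above; the record format, the two rules, the host addresses and the 09:00 to 18:00 baseline are all assumed.

```python
"""Miniature hybrid NIDS in the shape of Figure 2: decode -> preprocess -> detect -> alert."""
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Packet:
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: bytes
    tags: dict = field(default_factory=dict)  # extra information added by the preprocessor

def decode(line: str) -> Packet:
    """Stage 1: decode one mirrored record (constructed 'ts|src|dst|dport|payload' format)."""
    ts, src, dst, dport, payload = line.split("|", 4)
    return Packet(datetime.fromisoformat(ts), src, dst, int(dport), payload.encode())

def preprocess(pkt: Packet) -> Packet:
    """Stage 2: enrich the packet; here we extract a login user name and the hour of day."""
    text = pkt.payload.decode(errors="ignore")
    if text.startswith("LOGIN "):
        pkt.tags["login_user"] = text.split()[1]
    pkt.tags["hour"] = pkt.ts.hour
    return pkt

# Signature database: constructed rules, each a destination port plus a byte pattern
SIGNATURES = [
    {"sid": 1001, "dport": 80, "content": b"/../", "msg": "directory traversal pattern in HTTP request"},
    {"sid": 1002, "dport": 23, "content": b"LOGIN root", "msg": "telnet login as root"},
]
NORMAL_LOGIN_HOURS = set(range(9, 18))  # anomaly model: logins are normal from 09:00 to 18:00

def detect(pkt: Packet) -> list:
    """Stage 3: run both engines; each hit becomes an (engine, sid, message) tuple."""
    alerts = []
    for sig in SIGNATURES:
        if pkt.dport == sig["dport"] and sig["content"] in pkt.payload:
            alerts.append(("signature", sig["sid"], sig["msg"]))
    user = pkt.tags.get("login_user")
    if user and pkt.tags["hour"] not in NORMAL_LOGIN_HOURS:
        alerts.append(("anomaly", 0, f"login by {user} at {pkt.ts:%H:%M} outside baseline"))
    return alerts

def analyze(lines) -> list:
    """Stage 4: alert output, one line per hit, as the alarm module would receive it."""
    report = []
    for line in lines:
        pkt = preprocess(decode(line))
        for engine, sid, msg in detect(pkt):
            report.append(f"{pkt.ts:%H:%M} {engine} sid={sid} {pkt.src}->{pkt.dst}:{pkt.dport} {msg}")
    return report

# Constructed records, as the SPAN destination port would deliver them to the sensor
SAMPLE = [
    "2019-11-09T09:05:00|10.0.0.1|10.0.0.2|23|LOGIN alice",                # normal hour, no alert
    "2019-11-09T10:00:00|10.0.0.5|10.0.0.2|80|GET /index.html HTTP/1.1",   # no alert
    "2019-11-09T10:01:00|10.0.0.5|10.0.0.2|80|GET /../config HTTP/1.1",    # sid 1001
    "2019-11-09T23:10:00|10.0.0.1|10.0.0.2|23|LOGIN alice",                # anomaly only
    "2019-11-09T23:11:00|10.0.0.1|10.0.0.2|23|LOGIN root",                 # sid 1002 and anomaly
]
if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE)))
```

Running the block prints four alert lines: one signature hit, one anomaly, and a final record that triggers both engines, which is the hybrid mode described in section 1.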

7. Monitoring Port

A port is the connection interface from one device to another. According to Figure 1, the left PC is connected to Gigabit Ethernet port 0/1 of the switch. Similarly, the right PC of Figure 1 is connected to Gigabit Ethernet port 0/2, and Gigabit Ethernet port 0/3 of the switch is connected to CS-MARS. Gigabit Ethernet port 0/3 is the monitoring port, which receives the mirrored (copied) network packets at the analyzer's destination port so that the analyzer can analyze them, generate a report and make the alarm system function accordingly. The monitoring port is built into the Cisco switch and must be configured, with CS-MARS connected through it, so that the NIDS with the Cisco switch port analyzer can detect network anomalies in the traffic (Sisodia & Raghuwanshi, 2011).

The monitoring port of the switch is an active port that always runs in promiscuous mode to monitor the network traffic. It is connected to the destination device for further processing by the NIDS.

8. Vulnerabilities of Cisco NIDS and Recommendation

Cisco NIDS is the Cisco-provided network intrusion detection system. It is used to secure the network against different kinds of network security risks and threats. There are, however, many vulnerabilities and loopholes in the Cisco Network Intrusion Detection System, which are discussed as follows.

  8.1 Secure Sockets Layer Security Check Flaw

A flaw in the Secure Sockets Layer security certificate check allows an attacker to spoof the implemented NIDS and gain access to sensitive network data. Cisco NIDS sensors are affected by this flaw, and the attacker may even obtain the secret credentials used to access the network device ("Intrusion Detection Systems Overview, eTutorials.org", 2019). This leads to security breaches on the Cisco devices.

This vulnerability can be avoided by updating the security certificate and configuring the system to always check the security certificate. Spoofing is prevented through the SSL encryption mechanism, which removes the attacker's opportunity to obtain the vital information that would assist in launching the attack.

  8.2 Real User Activity Performed by the Attacker

When the attacker performs activity that looks like real network user activity, the Cisco NIDS is unable to identify it as an intrusion. An attacker's network intrusion that resembles normal user activity is therefore not detected as an anomaly by the Cisco NIDS, and the network attack occurs even though the Cisco NIDS is deployed on the network (Savvas, 2005).

There should be signatures or rules that distinguish normal activity from anomalous activity. Even when the attacker's intrusion activity resembles the normal activity of the real users of the network, rules matched against the traffic can identify such anomalous activity and generate the report for the alarm control system.

  8.3 Failure to Detect Unknown and New attacks

A Cisco NIDS based on rules and signatures fails to detect new or unknown network intrusions and attacks, because it works from the signatures or rules stored in its signature database. The network traffic is compared with the signatures in the database; if no signature is available for a new intrusion activity, the network attack occurs and sensitive data may be stolen by the network attacker.

This vulnerability of the signature-based Cisco NIDS can be avoided by updating the database with rules and signatures for possible new and unknown intrusion activities. Even with regular updates, it remains possible for the network to be attacked.

  8.4 Unable to Detect Attack Variations

The Cisco NIDS is vulnerable in detecting attack variations. Because the signature definition file is common to all users, an attacker can also access the signatures or rules in the NIDS signature database. The attacker therefore tests against the signatures and then launches the attack on the network. After the rules or signatures have been altered, the NIDS fails to detect the intrusion, because the sensor does not generate the report that would activate the alarm, and so the attacker carries out the attack and gains access to the sensitive and critical information of the network.

Encrypting the NIDS signature database may help prevent the attacker from modifying and testing the signatures or rules. There should also be permissions controlling who may read, delete and modify the signature database, so that the database is properly protected and network security is enhanced by enabling the Cisco NIDS to detect attack variations (Carter, 2019).

  8.5 Protection failure during Initial Training Time

This vulnerability is associated with the anomaly-detection-based Cisco NIDS. During the initial training time, the huge volume of data causes the NIDS to treat the observed network traffic as normal traffic. This is a big vulnerability, as it allows an attacker's intrusion to go undetected by the NIDS. The normal activities of the real network users also change over time within a defined interval, which causes the NIDS to lose its ability to differentiate between normal and intrusion activity.

This vulnerability of the Cisco NIDS can be removed or reduced by fixing the users' activities on the network. Sometimes this is not possible, but users' normal activity should be fixed to the maximum extent. If changes are necessary, the monitoring system must be updated accordingly to facilitate more accurate differentiation between normal and anomalous activity. The intrusion can then be detected and the alarm activated to prevent further network attacks by the attackers.

 

9. Conclusion

A Network Intrusion Detection System is a network security tool used to secure the network against various types of network attacks. Cisco NIDS SPAN is a switch-port-based network intrusion detection system that mirrors (copies) network packets and sends the mirrored packets to the network analyzer to detect anomalies in the network traffic. Once a network anomaly is detected, a report is submitted to the alarm module, which alarms the monitoring system. The alarm prompts the network administrator and monitoring agent to take preventive measures to protect the network from attack and from leakage of its sensitive and critical data. This work has presented detailed information about the network intrusion detection system, such as how it works and what its security features are.

 

10. References

Hilley, S. (2005). Cisco widens security span in network. Network Security, 2005(2), 2-3. doi: 10.1016/s1353-4858(05)00192-3

Wilhelm, T. (2011). Network-Based Intrusion Detection System: An Overview. ScienceDirect Topics. Retrieved 9 November 2019, from https://www.sciencedirect.com/topics/computer-science/network-based-intrusion-detection-system

Boskany, N. (2014). Design of Alarm Based Network Intrusion Detection System. Journal Of Zankoy Sulaimani - Part A, 16(2), 65-69. doi: 10.17656/jzs.10294

Sisodia, M., & Raghuwanshi, V. (2011). Anomaly Base Network Intrusion Detection by Using Random Decision Tree and Random Projection: A Fast Network Intrusion Detection Technique. Network Protocols And Algorithms, 3(4). doi: 10.5296/npa.v3i4.1342

Intrusion Detection Systems Overview. (2019). Chapter 23: Intrusion Detection System Overview, Part V: Intrusion Detection Systems (IDS), CCSP Cisco Certified Security Professional Certification. eTutorials.org. Retrieved 9 November 2019, from http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+V+Intrusion+Dete

Savvas, A. (2005). Loophole exposes Cisco intrusion detection system. Retrieved 9 November 2019, from https://www.computerweekly.com/news/2240074995/Loophole-exposes-Cisco-intrusion-detection-system

Carter, E. (2019). Intrusion Detection Systems > Triggering Mechanisms. Retrieved 9 November 2019, from http://www.ciscopress.com/articles/article.asp?p=25334
