Detecting hackers and intruders in switched-network environments is a challenge for all IT managers. Traditionally, administrators have had to attach external intrusion-detection systems (IDS) on mirrored switch ports to monitor network traffic, thereby using valuable port capacity.
Cisco's new Catalyst 6000 IDS Module, introduced last month, resides on a blade that plugs into a Catalyst 6006, 6009, 6506 or 6509 switch and lets you monitor network traffic directly from the switch's backplane. This product lets you monitor and report suspicious network traffic in real time on all seven network layers. What it doesn't do right now, though, is shun attacks.
Our performance tests showed that traffic is monitored and reported without noticeable degradation of switch performance. We determined that full monitoring of traffic occurs, even at wire speed (200M bit/sec, full duplex). This IDS performance is considerably higher than what we've observed on other IDS products. We observed effective IDS monitoring at even higher throughputs -- up to 769.95M bit/sec -- on traffic traversing eight 10/100M bit/sec switch ports, but we note that this was done in a highly controlled environment using a consistent packet size (512-byte packets) that is not representative of "real-world" corporate network traffic. Still, the potential to effectively monitor traffic at levels well beyond those of any other IDS product we've tested is laudable.
The Catalyst 6000 IDS Module could detect all simulated attacks we sent through the switch almost instantaneously. As soon as an attack hit the target, a message was displayed on the Cisco Secure Policy Manager console.
Complexity vs. granularity trade-off
New security products offer a dizzying array of options for configuring security policies, but the trade-off is often a complex graphical user interface. The Catalyst 6000 IDS Module is no exception. Overall, it's a very robust system with a lot of configuration granularity. But for many IT managers, it's going to seem overly complex -- even to those who are already used to Cisco's command-line interface. Cisco provides templates to facilitate the configuration process, but these contained so many options that we often got lost navigating them.
The explanatory text used on the main log provides basic technical information about the type of attacks the product is designed to detect. While the information wouldn't be difficult for a "security geek" to interpret, the average IT manager might have trouble.
For example, the main log lists a "fragmented IP attack" (a type of attack more commonly known by specific examples, such as jolt2 and teardrop). The log would be more intuitive if the more commonly known names of specific attacks were used. However, the system supports hyperlinks to third-party Web sites (such as SecurityFocus) that provide more detailed explanations of the terms. Context-sensitive help worked well and provided adequate information in most cases.
Other key management features include the ability to export all logs in comma-separated-value format, so they can be opened in any spreadsheet application. It is also possible to maintain multiple configuration settings (such as a Web configuration, a database configuration and others) on the management console, with the ability to export and import different configurations through FTP. There is also a "notes" field so managers can track individual attacks; recording these notes requires an HTML editor.
Physical installation of the Catalyst 6000 IDS Module blade is fairly straightforward. Users should note, though, that while Catalyst switch blades are hot-swappable, the Catalyst 6000 IDS Module blade is not.
One glaring omission of the Catalyst 6000 IDS Module package we tested was the lack of a built-in alarm or SNMP trap facility, which could send out an e-mail or a trap to notify administrators of critical events. Cisco told us that although there was no built-in facility for sending alerts, the software has the flexibility to let users build their own application. In this case, end users, not Cisco, would be responsible for creating and supporting this feature. We think it should be integrated into the product, however.
Finally, while the Catalyst 6000 IDS Module we tested monitored and reported suspicious activity and attacks, it did not offer any means to intercept, avert or inhibit attacks. Cisco engineers say they are working on making this capability available in the next version of the product.
The Catalyst 6000 IDS Module represents a new thrust in intrusion detection, allowing tight integration of the IDS application within the switch itself. A top performer compared with the current IDS competition, it also supports a hardware architecture that has the potential to scale to much higher speeds.
This potential doesn't come without a price -- the complex management interface takes some getting used to. The ability to shun attacks -- not yet available -- will enable this product to better realize its full potential.
This story, "Cisco offers wire-speed intrusion detection," was originally published by Network World.