Technical Documentation

Configuring Intrusion Detection Service (NSM Procedure)

The Adaptive Services (AS) or Multiservices PIC supports a limited set of intrusion detection services (IDS) to perform attack detection. IDS enables you to focus attack detection and remedial actions on specific hosts or networks that you specify in the IDS terms. Signature detection is not supported.

To configure IDS in NSM:

  1. In the navigation tree select Device Manager > Devices.
  2. Click the Device tree tab and then double-click the device to select it.
  3. In the Configuration tab, expand Services > Ids.
  4. Add or modify the settings as specified in Table 1.
  5. Click one:
    • OK—To save the changes.
    • Cancel—To cancel the modifications.

Table 1: IDS Configuration Details

Task Your Action

Specify the rule the router uses when applying this service.

  1. Click Rule next to Ids.
  2. Click Add new entry next to Rule.
  3. In the Name box, enter the identifier for the collection of terms that constitute this rule.
  4. In the Comment box, enter the comment.
  5. From the Match Direction list, select the direction in which the rule match is applied.
    • input—To apply the rule match on input.
    • output—To apply the rule match on output.
    • input-output—To apply the rule match bidirectionally.
  6. Expand rule.
  7. Click Term next to rule.
  8. Click Add new entry next to Term.
  9. In the Name box, enter the Identifier for the term.
  10. In the Comment box, enter the comment.

Specify input conditions for the IDS term.
  1. Expand term.
  2. Click From next to term.
  3. In the Comment box, enter the comment.
  4. Expand From.
  5. From the listed match conditions, select the ones that are applicable for Ids.

    The match conditions listed are Application Sets, Applications, Destination Address, Destination Address Range, Destination Prefix List, Source Address, Source Address Range, and Source Prefix List.

Define the IDS term actions.
  1. Click Then next to term.
  2. In the Comment box, enter the comment.
  3. Expand Then.

Specify the type of data to be aggregated.
  1. Click Aggregation next to Then.
  2. In the Comment box, enter the comment.
  3. From the Source Prefix list, select the prefix value for source IPv4 address aggregation.

    Range: 1 through 32

  4. From the Destination Prefix list, select the prefix value for destination IPv4 address aggregation.

    Range: 1 through 32

  5. From the Source Prefix Ipv6 list, select the prefix value for source IPv6 address aggregation.

    Range: 1 through 128.

  6. From the Destination Prefix Ipv6 list, select the prefix value for destination IPv6 address aggregation.

    Range: 1 through 128

Specify handling of entries in the IDS events cache.

  1. Click Force Entry next to Then.
  2. Select one of the following:
    • force-entry—To ensure that the entry has a permanent place in the IDS cache after one event is registered.
    • ignore-entry—To ensure that all IDS events are ignored.

Set logging values for this IDS term.
  1. Click Logging next to Then.
  2. In the Comment box, enter the comment.
  3. From the Threshold list, select the logging threshold number of events per second.
  4. Select the Syslog check box to enable system logging.

Configuring session limit.
  1. Click Session Limit next to Then.
  2. In the Comment box, enter the comment.
  3. Expand Session Limit.
  4. Click By Destination , By Source or By Pair next to Session Limit.
  5. In the Comment box, enter the comment.
  6. In the Maximum box, enter the maximum number of open sessions per IP address or subnet per application.

    Range: 1 through 32,767

  7. In the Rate box, enter the maximum number of sessions per second per IP address or subnet per application.

    Range: 4 through 32,767

  8. In the Packets box, enter the maximum peak packets per second per application or IP address.

    Range: 4 through 2147483647

  9. From the Hold Time list, select the length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.

    Range: 0 through 60

Enable SYN-cookie defenses against SYN attacks.
  1. Click Syn Cookie next to Then.
  2. In the Comment box, enter the comment.
  3. From the Threshold list, select the SYN-cookie defense number of SYN attacks per second.
  4. From the Mss list, select the maximum segment size value used in TCP delayed binding.

    Default: 1500

    Range: 128 through 8192

Specify the rule set the router uses when applying this service.

  1. Click Rule Set next to Ids.
  2. Click Add new entry next to Rule Set.
  3. In the Name box, enter the rule the router uses when applying this service.
  4. In the Comment box, enter the comment.
  5. Expand rule-set.
  6. Click Rule next to rule-set.
  7. Click Add new entry next to Rule.
  8. In the Name box, enter the rule the router uses when applying this service.
  9. In the Comment box, enter the comment.

Published: 2009-08-23