Cisco Labs – Network Security (1) – Intrusion Prevention System on router


Introduction

During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. The purpose of it was to create lab examples for students, so they can test basic settings for VPN, IPS and others. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and was tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and a schema. The complete task can be downloaded from my OneDrive.

NS2 – Module 2, 2.1.6 IOS task definition

IPS on Router

Goal

  • Initialize the Intrusion Prevention System (IPS) on the router.
  • Generate a test message.
  • Verify the IPS configuration.
  • Before you start, do not forget to reload the router configuration (reload)
    and check the IOS version for compatibility (sh version).

Required time

2 hours

Theoretical background

Follow the link to get theoretical background for this task: Cisco IPS white papers.

Topology

[Topology image: NS2-2.1.6_IOS_topology1_VIRTLAB]

Configuration

PC1

ifconfig int3 10.0.0.2 netmask 255.255.255.0    ;set IP address
route add default gw 10.0.0.1 dev int3          ;set default gw

PC2

ifconfig int4 192.168.1.2 netmask 255.255.255.0 ;set IP address
route add default gw 192.168.1.1 dev int4       ;set default gw

Router

1) basic interface settings

(config)#interface int1
(conf-if)#ip address 10.0.0.1 255.255.255.0
(conf-if)#no shutdown
(config)#interface int0
(conf-if)#ip address 192.168.1.1 255.255.255.0
(conf-if)#no shutdown

2) configuration of IPS:

(config)#ip ips sdf builtin                     ;use the built-in signature definition file (SDF)
(config)#ip ips name IPSNAME                    ;create an IPS rule named IPSNAME
(config)#*ip ips fail closed                    ;OPTIONAL - see the "Optional tasks" part for further description
(config)#interface int1                         ;go to interface configuration mode
(conf-if)#ip ips IPSNAME in                     ;apply the IPS rule on the interface; this loads the signatures and builds the signature engines

3) logging settings

(config)#logging 192.168.1.2                    ;IP address of the syslog server
(config)#logging facility LOCAL7                ;user-defined facility for the router's messages
(config)#logging trap warnings                  ;send messages of level 4 (warnings) or lower (more severe) to the server
(config)#logging on                             ;turn logging on

4) syslog server

For Virtlab users this is preconfigured in the image and does not need to be touched.

This is the Linux configuration.

edit /etc/syslog.conf       :add line *.* /var/log/NS2-IDS.log      ;insert this line at the beginning of the configuration file; the format is facility.severity   filename.log
edit /etc/init.d/sysklogd   :replace SYSLOGD="" with SYSLOGD="-r"   ;let the syslog server accept messages from remote hosts
restart sysklogd daemon     :/etc/init.d/sysklogd restart           ;restart the server daemon (same as restarting a service in Windows); the server is ready to use
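The three edits above, scripted as an added shell example (not part of the original lab): each step is a function that takes the file it edits as an argument, so you can run it against scratch copies first and check the result before pointing it at /etc/syslog.conf and /etc/init.d/sysklogd (those need root). The scratch files written by demo_in_tmpdir are constructed stand-ins, not the real files.

```shell
#!/bin/sh
# Added example, not part of the original lab. Applies the step-4 syslog
# server changes to the files given as arguments. Run it against copies
# (as demo_in_tmpdir does) and only then against the real /etc files.

# Step 1: put "*.* <logfile>" at the top of syslog.conf so every
# facility/severity, including the router's LOCAL7 warnings, lands in one file.
add_ips_log_rule() {
    conf="$1"
    logfile="$2"
    # Idempotent: a second run must not add a duplicate rule.
    if grep -q "^\*\.\*[[:space:]]*$logfile\$" "$conf" 2>/dev/null; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    { printf '*.*\t%s\n' "$logfile"; cat "$conf"; } > "$tmp" && mv "$tmp" "$conf"
}

# Step 2: sysklogd only accepts UDP/514 messages from other hosts with -r.
enable_remote_reception() {
    initscript="$1"
    tmp="$initscript.tmp.$$"
    sed 's/^SYSLOGD=""$/SYSLOGD="-r"/' "$initscript" > "$tmp" && mv "$tmp" "$initscript"
}

# Check to run before step 3 (the daemon restart): succeeds only when both
# edits are in place, so a half-done setup is caught before restarting.
syslog_ready_for_router() {
    grep -q "^\*\.\*[[:space:]]*$2\$" "$1" && grep -qx 'SYSLOGD="-r"' "$3"
}

# Run the whole procedure against constructed scratch copies and print them.
demo_in_tmpdir() {
    d=$(mktemp -d)
    printf 'auth.*\t/var/log/auth.log\n' > "$d/syslog.conf"   # constructed stand-in
    printf 'SYSLOGD=""\n' > "$d/sysklogd"                     # constructed stand-in
    add_ips_log_rule "$d/syslog.conf" /var/log/NS2-IDS.log
    enable_remote_reception "$d/sysklogd"
    syslog_ready_for_router "$d/syslog.conf" /var/log/NS2-IDS.log "$d/sysklogd" && echo "ready: $d"
    cat "$d/syslog.conf" "$d/sysklogd"
}

if [ "${1:-}" = "--demo" ]; then
    demo_in_tmpdir
fi
```

Run with `sh setup_syslog.sh --demo` to see the edited scratch copies; the real restart (`/etc/init.d/sysklogd restart`) is deliberately left to you, after syslog_ready_for_router has succeeded on the real paths.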

Function test

check the router configuration

sh ip ips configuration                         ;show the IPS configuration
sh ip ips signatures                            ;show the loaded signatures

ping

Run an extended ping (large, fragmented packets) from PC1 to PC2. The IPS on the router matches the fragmented traffic and, with the logging settings made above, the alert is sent to the syslog server.

Syntax

win:    ping -l <size> <host IP address>        ;ping -l 50000 192.168.1.2
linux:  ping -s <size> <host IP address>        ;ping -s 50000 192.168.1.2

Check the logs at the configured location, usually /var/log/NS2-IDS.log. Each line describes which signature was detected and what action was taken.
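A way to script the log check, as an added shell example that is not part of the original lab: it pulls the %IPS-4-SIGNATURE lines out of the syslog file and counts hits per signature and per source address. The message layout it parses (Sig:/Subsig:/Sev: fields, then the signature name, then [src -> dst]) is an assumption about what IOS IPS emits and should be checked against your own log; the sample log lines, including the signature ids and names, are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original lab: extract IPS alerts from the
# file the syslog server writes (/var/log/NS2-IDS.log in step 4).
# Assumed message shape (an assumption; check it against your own log):
#   ... %IPS-4-SIGNATURE: Sig:<id> Subsig:<n> Sev:<s> <signature name> [<src> -> <dst>]

TAB=$(printf '\t')

# One tab-separated line per alert: sig-id, severity, source, destination, name.
ips_alerts() {
    awk '
    /%IPS-[0-9]-SIGNATURE:/ {
        sig = ""; sev = ""; src = ""; dst = ""; name = ""; start = 0; end = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Sig:/) sig = substr($i, 5)
            if ($i ~ /^Sev:/) { sev = substr($i, 5); start = i + 1 }
            if ($i ~ /^\[/)   { src = substr($i, 2); end = i - 1 }
            if ($i ~ /\]$/)   dst = substr($i, 1, length($i) - 1)
        }
        # the signature name is every field between Sev:<s> and "[<src>"
        for (i = start; start > 0 && i <= end; i++)
            name = name ((i > start) ? " " : "") $i
        if (sig != "") printf "%s\t%s\t%s\t%s\t%s\n", sig, sev, src, dst, name
    }' "$1"
}

# Number of alerts for one signature id (0 when it never fired).
ips_count_for_sig() {
    ips_alerts "$1" | awk -F "$TAB" -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Alerts per source address, most active first: a quick "who triggered the
# IPS" view for the function test.
ips_count_by_source() {
    ips_alerts "$1" | awk -F "$TAB" '{ n[$3]++ } END { for (h in n) print n[h], h }' | sort -rn
}

# Constructed sample log: two fragmented-ICMP alerts from the PC1 ping, one
# unrelated message, one other alert. Ids and names are made up for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  1 00:00:01 10.0.0.1 12: *Jan  1 00:00:00.123: %IPS-4-SIGNATURE: Sig:2150 Subsig:0 Sev:2 Fragmented ICMP Traffic [10.0.0.2 -> 192.168.1.2]
Jan  1 00:00:02 10.0.0.1 13: *Jan  1 00:00:01.456: %IPS-4-SIGNATURE: Sig:2150 Subsig:0 Sev:2 Fragmented ICMP Traffic [10.0.0.2 -> 192.168.1.2]
Jan  1 00:00:03 10.0.0.1 14: *Jan  1 00:00:02.789: %SYS-5-CONFIG_I: Configured from console by console
Jan  1 00:00:04 10.0.0.1 15: *Jan  1 00:00:03.012: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:1 ICMP Echo Request [10.0.0.2 -> 192.168.1.2]
EOF
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_log "$f"
    ips_alerts "$f"
    ips_count_by_source "$f"
    rm -f "$f"
fi
```

Against the real lab, call `ips_alerts /var/log/NS2-IDS.log` after the extended ping: if the fragmented-ICMP signature shows the PC1 address as source and PC2 as destination, the IPS rule, the trap level and the syslog path are all working.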

Optional tasks

  • set the logging level differently (logging trap, see point 3)
  • load the SDF file from flash (see point 2: ip ips sdf flash:128MB.sdf) if it is present (dir NVRAM:) and check the functionality and configuration

ip ips fail closed – explanation

The ip ips fail closed command configures the router to drop all packets until the signature engine is built and ready to scan traffic. If this command is issued, one of the following scenarios will occur:

  • If IPS fails to load the SDF, all packets will be dropped unless the user specifies an ACL for packets to send to IPS.
  • If IPS successfully loads the SDF but fails to build a signature engine, all packets that are destined for that engine will be dropped.
  • If this command is not issued, all packets will be passed without scanning if the signature engine fails to build.

The complete task can be downloaded from my OneDrive:
