During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can test basic settings for VPN, IPS and other features. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.
Each task in the series will have its own post with a brief description of the task and its schema. The complete task can be downloaded from my OneDrive.
NS2 – Modul2 2.1.6 IOS task definition
IPS on Router
- Initialize the Intrusion Protection System (IPS) on the router.
- Generate a test message.
- Verify the IPS configuration.
- Before you start, do not forget to reload the router configuration (reload) and check the IOS version for compatibility (sh version).
Follow the link to get the theoretical background for this task: Cisco IPS white papers.
PC settings (Linux; PC1 is 10.0.0.2, PC2 is 192.168.1.2):
ifconfig int3 10.0.0.2 netmask 255.255.255.0 ;set IP address
route add default gw 10.0.0.1 dev int3 ;set default gw
ifconfig int4 192.168.1.2 netmask 255.255.255.0 ;set IP address
route add default gw 192.168.1.1 dev int4 ;set default gw
1) basic interface settings
(config)#interface int1
(conf-if)#ip address 10.0.0.1 255.255.255.0
(conf-if)#no shutdown
(config)#interface int0
(conf-if)#ip address 192.168.1.1 255.255.255.0
(conf-if)#no shutdown
2) configuration of IPS:
(config)#ip ips sdf builtin ;use the built-in signature definition file (SDF)
(config)#ip ips name IPSNAME ;create an IPS rule named IPSNAME
(config)#*ip ips fail closed ;OPTIONAL - see the "Optional tasks" part for further description
(config)#interface int1 ;go to interface configuration mode
(conf-if)#ip ips IPSNAME in ;apply the IPS rule on the interface; this loads the signatures and builds the signature engines
3) logging settings
(config)#logging 192.168.1.2 ;IP address of the SYSLOG server
(config)#logging facility LOCAL7 ;user-defined log facility
(config)#logging trap warnings ;configure the trap level to 4 (warnings) or lower
(config)#logging on ;turn logging on
4) syslog server
For Virtlab users this is preconfigured in the image and does not need to be touched.
This is the Linux configuration:
edit /etc/syslog.conf and add the line *.* /var/log/NS2-IDS.log ;insert the line at the beginning of the configuration file; the format is facility.severity filename.log
edit /etc/init.d/sysklogd and replace SYSLOGD="" with SYSLOGD="-r" ;set the syslog server to accept messages from remote hosts
restart the sysklogd daemon: /etc/init.d/sysklogd restart ;restart the server daemon (same as restarting a service in Windows); the server is ready to use
check router configuration
sh ip ips configuration ;show IPS configuration
sh ip ips signatures ;show signatures
Extended ping (fragmented packets) from PC1 to PC2; it will be logged to the syslog server according to the settings made previously.
win: ping -l <size> <host IP address> ;ping -l 50000 192.168.1.2
linux: ping -s <size> <host IP address> ;ping -s 50000 192.168.1.2
check the logs in the configured place, usually /var/log/NS2-IDS.log. You can see lines describing which signature was detected and what action was taken.
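To see what actually arrives at the syslog server after points 3 and 4, here is an added Python example (not part of the original task or of Cisco's material) that parses router syslog lines, applies the "logging trap warnings" level, and counts signature alerts per source. The sample lines, including the signature numbers and names, are constructed; the %FACILITY-SEVERITY-MNEMONIC layout is that of IOS syslog messages, and the Sig/Subsig/Sev fields are an assumption modelled on IOS IPS alerts.

```python
import re
from collections import Counter

# Trap level set in point 3 ("logging trap warnings"): IOS severity 4.
# Only messages whose severity number is <= this level are sent to the server.
TRAP_LEVEL_WARNINGS = 4

# Constructed sample lines (not a real capture). The Sig/Subsig/Sev fields of the
# IPS alerts are an assumption modelled on IOS IPS signature messages.
SAMPLE_LOG = """\
Jan  1 12:00:01 10.0.0.1 123: %IPS-4-SIGNATURE: Sig:2154 Subsig:0 Sev:2 Ping Of Death Attack [10.0.0.2 -> 192.168.1.2]
Jan  1 12:00:01 10.0.0.1 124: %IPS-4-SIGNATURE: Sig:2150 Subsig:0 Sev:2 Fragmented ICMP Traffic [10.0.0.2 -> 192.168.1.2]
Jan  1 12:00:02 10.0.0.1 125: %IPS-4-SIGNATURE: Sig:2150 Subsig:0 Sev:2 Fragmented ICMP Traffic [10.0.0.2 -> 192.168.1.2]
Jan  1 12:00:05 10.0.0.1 126: %SYS-5-CONFIG_I: Configured from console by console
Jan  1 12:00:09 10.0.0.1 127: %IPS-6-ENGINE_READY: SERVICE.HTTP - 110 ms - packets for this engine will be scanned
"""

IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
IPS_SIG = re.compile(
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+) -> (?P<dst>[\d.]+)\]")

def parse_line(line):
    """Split one syslog line into facility/severity/mnemonic; decode IPS alerts."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    rec = {"facility": m["facility"], "severity": int(m["severity"]),
           "mnemonic": m["mnemonic"], "text": m["text"]}
    if rec["facility"] == "IPS" and rec["mnemonic"] == "SIGNATURE":
        s = IPS_SIG.search(rec["text"])
        if s:
            rec.update(sig=int(s["sig"]), subsig=int(s["subsig"]),
                       name=s["name"], src=s["src"], dst=s["dst"])
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def forwarded(records, trap_level=TRAP_LEVEL_WARNINGS):
    """Records the router would actually send with the given 'logging trap' level."""
    return [r for r in records if r["severity"] <= trap_level]

def signature_hits(records):
    """Count alerts per (signature id, name, source) to find where the pings came from."""
    return Counter((r["sig"], r["name"], r["src"]) for r in records if "sig" in r)
```

With the trap level at warnings, the severity-5 configuration notice and the severity-6 engine-ready message never reach /var/log/NS2-IDS.log; raise the trap level if you want them for the optional task in point 3.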
Optional tasks
- set the logging level differently (logging trap, see point 3)
- set the SDF file from flash, see point 2) (ip ips sdf flash:128MB.sdf), if it is present (dir NVRAM:), and check out the functionality and configuration
ip ips fail closed – explanation
Configure the router to drop all packets until the signature engine is built and ready to scan traffic with the ip ips fail closed command. If this command is issued, one of the following scenarios will occur:
- If IPS fails to load the SDF, all packets will be dropped unless the user specifies an ACL for packets to send to IPS.
- If IPS successfully loads the SDF but fails to build a signature engine, all packets that are destined for that engine will be dropped.
- If this command is not issued, all packets will be passed without scanning if the signature engine fails to build.
The complete task can be downloaded from my OneDrive: