R2 will serve as the IPS, inspecting traffic between R1 and R3 and blocking whatever the loaded signatures match.
To begin with IOS IPS, I must download the IOS IPS signature package from Cisco.com
http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281442967&mdfLevel=Software%20Family&treeName=Security&modelName=Cisco%20IOS%20Intrusion%20Prevention%20System%20Feature%20Software&treeMdfId=268438162
and the Cisco public key (realm-cisco.pub) that IOS IPS uses to verify the digital signature on that package: http://download-sj.cisco.com/cisco/ciscosecure/ids/sigup/5.0/ios/realm-cisco.pub.key.txt
Next, I will create a directory on R2 to store the IPS signature files and configurations.
R2#mkdir IPS
Create directory filename [IPS]?
Created dir flash:/IPS
R2#dir
Directory of flash:/
1 -rw- 38765296 Jul 12 2010 18:57:38 +00:00 c2800nm-advsecurityk9-mz.124-24.T3.bin
15 drw- 0 Sep 23 2011 03:10:14 +00:00 IPS
64016384 bytes total (25243648 bytes free)
R2#
Now I'll paste the contents of realm-cisco.pub.key.txt into R2 to configure the public key that IOS IPS uses to verify signature packages. The key is entered as the hex DER encoding of the RSA public key, one line at a time, under a named-key of type signature.
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#crypto key pubkey-chain rsa
R2(config-pubkey-chain)# named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R2(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....
R2(config-pubkey)# 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R2(config-pubkey)# 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R2(config-pubkey)# 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R2(config-pubkey)# B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R2(config-pubkey)# 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R2(config-pubkey)# FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R2(config-pubkey)# 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R2(config-pubkey)# 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R2(config-pubkey)# 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R2(config-pubkey)# F3020301 0001
R2(config-pubkey)# quit
R2(config-pubkey-key)# exit
R2(config-pubkey-chain)# exit
R2(config)#
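Before relying on that key to verify signature packages, it is worth checking that what was pasted is a well-formed RSA public key and not a mangled copy. The following is an added example, not part of the original post: a small stdlib-only DER reader that decodes the key-string exactly as entered above (the hex constant is copied from the R2 configuration) and reports the modulus size, public exponent and a SHA-256 fingerprint of the DER, which can be compared against the file downloaded from Cisco.

```python
"""Decode the realm-cisco.pub key-string as pasted into `crypto key pubkey-chain rsa`.

Added example, not part of the original post. The hex below is the key-string from
the R2 configuration above; the parser is a minimal stdlib-only DER reader for a
SubjectPublicKeyInfo carrying an rsaEncryption key.
"""
import hashlib

# Key-string exactly as entered on R2 (whitespace is ignored when decoding).
KEY_STRING_HEX = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def _tlv(buf, off):
    """Read one DER tag/length/value at `off`; return (tag, value, next_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[off:off + length], off + length


def parse_rsa_spki(hex_text):
    """Return modulus size, public exponent and a fingerprint for an RSA SubjectPublicKeyInfo."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg_id, off = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bit_string, end = _tlv(spki, off)
    if tag != 0x03 or end != len(spki) or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_pub, _ = _tlv(bit_string, 1)   # skip the unused-bits byte
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    n_tag, n_bytes, off = _tlv(rsa_pub, 0)
    e_tag, e_bytes, _ = _tlv(rsa_pub, off)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "der_len": len(der),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def check_key(hex_text, min_bits=2048):
    """Return a list of problems; an empty list means the pasted key-string is sane."""
    try:
        info = parse_rsa_spki(hex_text)
    except ValueError as exc:
        return [f"not a valid RSA SubjectPublicKeyInfo: {exc}"]
    problems = []
    if info["modulus_bits"] < min_bits:
        problems.append(f"modulus is only {info['modulus_bits']} bits")
    if info["exponent"] not in (3, 65537):
        problems.append(f"unusual public exponent {info['exponent']}")
    return problems


if __name__ == "__main__":
    info = parse_rsa_spki(KEY_STRING_HEX)
    print(f"RSA-{info['modulus_bits']}, e={info['exponent']}, "
          f"{info['der_len']} DER bytes, sha256={info['sha256']}")
    print("problems:", check_key(KEY_STRING_HEX) or "none")
```

A dropped or duplicated line in the paste changes the DER lengths, so the parser rejects it instead of silently producing a different key; a wrong key does not break the configuration step itself, it only shows up later as a signature package that fails verification.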
Now I'll create a rule name to apply on an interface, point IOS IPS at the directory that will hold the signature files, and enable SDEE and syslog notifications. Note that SDEE notifications will not work unless ip http server is enabled, because SDEE is delivered over HTTP; enabling the HTTP server also exposes the router's web management interface, so on anything but a lab router restrict it with ip http access-class or use ip http secure-server instead.
R2(config)#ip ips name IOSIPS
R2(config)#ip ips config location flash:IPS
R2(config)#ip ips notify sdee
R2(config)#ip ips notify log
R2(config)#ip http server
To avoid exhausting R2's memory, I'll retire every signature category and then un-retire only the ios_ips basic category, so that only the basic set is compiled. The order matters: the later, more specific category statement overrides the earlier one.
R2(config)#ip ips signature-category
R2(config-ips-category)#category all
R2(config-ips-category-action)#retired true
R2(config-ips-category-action)#category ios_ips basic
R2(config-ips-category-action)#retired false
R2(config-ips-category-action)#exit
R2(config-ips-category)#exit
Do you want to accept these changes? [confirm]
R2(config)#
Now I'll apply the rule to the fa0/1 interface in both directions. Applying it triggers the first engine build; since no signature package has been loaded yet, only three atomic-ip signatures are compiled, as the log shows:
R2(config)#interface fa0/1
R2(config-if)#ip ips IOSIPS in
R2(config-if)#ip ips IOSIPS out
*Sep 23 04:35:02.891: %IPS-6-ENGINE_BUILDS_STARTED: 04:35:02 UTC Sep 23 2011
*Sep 23 04:35:02.891: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Sep 23 04:35:02.903: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
*Sep 23 04:35:02.903: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms
To load the signature package I downloaded earlier, I set up an FTP server at 192.168.1.1 and reached it from R2's VLAN2 interface, 192.168.1.2. I'll copy the file with the idconf parameter, which starts compiling the signatures as soon as the copy completes. The FTP credentials embedded in the copy URL travel in cleartext and end up in the command history, which is acceptable in a lab but not in production.
R2#copy ftp://jason:cisco@192.168.1.71/IOS-S595-CLI.pkg idconf
Loading IOS-S595-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 13572723/4096 bytes]
*Sep 23 04:38:37.959: %IPS-6-ENGINE_BUILDS_STARTED: 04:38:37 UTC Sep 23 2011
*Sep 23 04:38:37.967: %IPS-6-ENGINE_BUILDING: multi-string - 228 signatures - 1 of 13 engines
*Sep 23 04:38:38.795: %IPS-6-ENGINE_READY: multi-string - build time 828 ms - packets for this engine will be scanned
*Sep 23 04:38:38.819: %IPS-6-ENGINE_BUILDING: service-http - 914 signatures - 2 of 13 engines
*Sep 23 04:38:41.855: %IPS-6-ENGINE_READY: service-http - build time 3036 ms - packets for this engine will be scanned
*Sep 23 04:38:41.915: %IPS-6-ENGINE_BUILDING: string-tcp - 2441 signatures - 3 of 13 engines
*Sep 23 04:38:53.723: %IPS-6-ENGINE_READY: string-tcp - build time 11808 ms - packets for this engine will be scanned
*Sep 23 04:38:53.731: %IPS-6-ENGINE_BUILDING: string-udp - 79 signatures - 4 of 13 engines
*Sep 23 04:38:53.883: %IPS-6-ENGINE_READY: string-udp - build time 152 ms - packets for this engine will be scanned
*Sep 23 04:38:53.883: %IPS-6-ENGINE_BUILDING: state - 39 signatures - 5 of 13 engines
*Sep 23 04:38:54.139: %IPS-6-ENGINE_READY: state - build time 256 ms - packets for this engine will be scanned
*Sep 23 04:38:54.235: %IPS-6-ENGINE_BUILDING: atomic-ip - 424 signatures - 6 of 13 engines
*Sep 23 04:38:55.963: %IPS-6-ENGINE_READY: atomic-ip - build time 1728 ms - packets for this engine will be scanned
*Sep 23 04:38:56.051: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Sep 23 04:38:56.051: %IPS-6-ENGINE_READY: string-icmp - build time 0 ms - packets for this engine will be scanned
*Sep 23 04:38:56.051: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Sep 23 04:38:56.071: %IPS-6-ENGINE_READY: service-ftp - build time 20 ms - packets for this engine will be scanned
*Sep 23 04:38:56.075: %IPS-6-ENGINE_BUILDING: service-rpc - 78 signatures - 9 of 13 engines
*Sep 23 04:38:56.275: %IPS-6-ENGINE_READY: service-rpc - build time 200 ms - packets for this engine will be scanned
*Sep 23 04:38:56.275: %IPS-6-ENGINE_BUILDING: service-dns - 39 signatures - 10 of 13 engines
*Sep 23 04:38:56.335: %IPS-6-ENGINE_READY: service-dns - build time 56 ms - packets for this engine will be scanned
*Sep 23 04:38:56.335: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
*Sep 23 04:38:56.339: %IPS-6-ENGINE_READY: normalizer - build time 4 ms - packets for this engine will be scanned
*Sep 23 04:38:56.343: %IPS-6-ENGINE_BUILDING: service-smb-advanced - 63 signatures - 12 of 13 engines
*Sep 23 04:38:57.819: %IPS-6-ENGINE_READY: service-smb-advanced - build time 1476 ms - packets for this engine will be scanned
*Sep 23 04:38:57.819: %IPS-6-ENGINE_BUILDING: service-msrpc - 36 signatures - 13 of 13 engines
*Sep 23 04:38:58.151: %IPS-6-ENGINE_READY: service-msrpc - build time 332 ms - packets for this engine will be scanned
*Sep 23 04:38:58.151: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 20192 ms
R2#
The IPS directory now holds the six XML files IOS IPS generated: the default signature definitions from the package, the delta of local changes, the type and category definitions, and the SEAP (signature event action processor) files:
R2#dir flash:IPS
Directory of flash:/IPS/
4 -rw- 565829 Sep 23 2011 04:39:24 +00:00 R2-sigdef-default.xml
5 -rw- 255 Sep 23 2011 04:35:02 +00:00 R2-sigdef-delta.xml
6 -rw- 9482 Sep 23 2011 04:36:44 +00:00 R2-sigdef-typedef.xml
7 -rw- 90856 Sep 23 2011 04:36:52 +00:00 R2-sigdef-category.xml
8 -rw- 304 Sep 23 2011 04:35:04 +00:00 R2-seap-delta.xml
9 -rw- 491 Sep 23 2011 04:35:04 +00:00 R2-seap-typedef.xml
64016384 bytes total (24551424 bytes free)
I can verify the compiled signature count. Note that enabled, retired and compiled are three different things: retired controls whether a signature is compiled into its engine (and so consumes memory), while enabled controls whether a compiled signature actually fires. In every engine below the compiled count equals the total minus the retired count, and a signature only acts on traffic when it is both compiled and enabled.
R2#show ip ips signature count
Cisco SDF release version S595.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 228
multi-string enabled signatures: 154
multi-string retired signatures: 224
multi-string compiled signatures: 4
multi-string obsoleted signatures: 1
Signature Micro-Engine: service-http: Total Signatures 914
service-http enabled signatures: 178
service-http retired signatures: 859
service-http compiled signatures: 55
service-http obsoleted signatures: 4
Signature Micro-Engine: string-tcp: Total Signatures 2441
string-tcp enabled signatures: 645
string-tcp retired signatures: 2315
string-tcp compiled signatures: 126
string-tcp obsoleted signatures: 35
Signature Micro-Engine: string-udp: Total Signatures 79
string-udp enabled signatures: 0
string-udp retired signatures: 73
string-udp compiled signatures: 6
string-udp obsoleted signatures: 2
Signature Micro-Engine: state: Total Signatures 39
state enabled signatures: 1
state retired signatures: 28
state compiled signatures: 11
Signature Micro-Engine: atomic-ip: Total Signatures 424
atomic-ip enabled signatures: 105
atomic-ip retired signatures: 403
atomic-ip compiled signatures: 21
atomic-ip obsoleted signatures: 2
Signature Micro-Engine: string-icmp: Total Signatures 3
string-icmp enabled signatures: 0
string-icmp retired signatures: 3
Signature Micro-Engine: service-ftp: Total Signatures 3
service-ftp enabled signatures: 1
service-ftp retired signatures: 2
service-ftp compiled signatures: 1
Signature Micro-Engine: service-rpc: Total Signatures 78
service-rpc enabled signatures: 44
service-rpc retired signatures: 54
service-rpc compiled signatures: 24
Signature Micro-Engine: service-dns: Total Signatures 39
service-dns enabled signatures: 26
service-dns retired signatures: 16
service-dns compiled signatures: 23
service-dns obsoleted signatures: 1
Signature Micro-Engine: normalizer: Total Signatures 9
normalizer enabled signatures: 8
normalizer retired signatures: 1
normalizer compiled signatures: 8
Signature Micro-Engine: service-smb-advanced: Total Signatures 63
service-smb-advanced enabled signatures: 47
service-smb-advanced retired signatures: 49
service-smb-advanced compiled signatures: 14
service-smb-advanced obsoleted signatures: 1
Signature Micro-Engine: service-msrpc: Total Signatures 36
service-msrpc enabled signatures: 16
service-msrpc retired signatures: 31
service-msrpc compiled signatures: 5
service-msrpc obsoleted signatures: 1
Total Signatures: 4356
Total Enabled Signatures: 1225
Total Retired Signatures: 4058
Total Compiled Signatures: 298
Total Obsoleted Signatures: 47
R2#
show ip ips signatures lists every signature with its enabled/retired state, compile status, actions, severity and fidelity rating; only the first rows of the multi-string engine are shown here.
R2#sh ip ips signatures
Cisco SDF release version S595.0
Trend SDF release version V0.0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: multi-string: Total Signatures 228
multi-string enabled signatures: 154
multi-string retired signatures: 224
multi-string compiled signatures: 4
multi-string obsoleted signatures: 1
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
50013:5 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:4 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:3 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:2 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:1 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:0 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50012:3 Y* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50012:2 Y* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50012:1 Y* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50012:0 Y* Nr ADR MED 0 1 0 0 0 FA N 100 S480
R2#
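The legend above is easy to misread: the 50012:x rows are Y*, that is enabled in the definition but retired, and therefore Nr, not compiled, so they never fire. The following is an added example, not part of the original post: it parses rows of show ip ips signatures (the sample rows are copied from the R2 output above), separates the signatures that are actually scanning traffic from those that are enabled but idle, and generates the IOS signature-definition commands to un-retire one of them. The un-retire syntax is the standard ip ips signature-definition / signature / status hierarchy; the helper names are mine.

```python
"""Classify `show ip ips signatures` rows and generate the CLI to un-retire a signature.

Added example, not part of the original post. The rows below are copied from the R2
output above; the column meanings (En, Cmp, SFR, Rel) come from the command's own
legend. The config generator uses the IOS `ip ips signature-definition` syntax.
"""
from dataclasses import dataclass

# First rows of the multi-string engine as printed by R2 above (header included).
SAMPLE_ROWS = """\
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
50013:5 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:4 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:3 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:2 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:1 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50013:0 N* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50012:3 Y* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50012:2 Y* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50012:1 Y* Nr ADR MED 0 1 0 0 0 FA N 100 S480
50012:0 Y* Nr ADR MED 0 1 0 0 0 FA N 100 S480
"""

# Cmp column values, from the command legend.
COMPILE_STATES = {"Y": "compiled", "Ni": "invalid parameters", "Nr": "retired",
                  "Nf": "compile failed", "No": "obsoleted"}


@dataclass(frozen=True)
class Signature:
    sig_id: int
    sub_id: int
    enabled: bool      # En starts with Y
    retired: bool      # En carries a trailing *
    compiled: str      # Cmp column: Y, Ni, Nr, Nf or No
    actions: str       # e.g. ADR = alert, deny, reset
    severity: str
    fidelity: int      # SFR
    release: str       # Rel


def parse_signatures(text):
    """Parse the tabular rows; header, separator and engine summary lines are skipped."""
    sigs = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 14 or ":" not in cols[0] or cols[2] not in COMPILE_STATES:
            continue
        sid, sub = cols[0].split(":")
        en = cols[1]
        sigs.append(Signature(int(sid), int(sub), en.startswith("Y"), en.endswith("*"),
                              cols[2], cols[3], cols[4], int(cols[12]), cols[13]))
    return sigs


def scanning(sigs):
    """Signatures that actually act on traffic: compiled and enabled."""
    return [s for s in sigs if s.compiled == "Y" and s.enabled]


def enabled_but_idle(sigs):
    """Enabled in the definition but not compiled: they fire on nothing."""
    return [(s.sig_id, s.sub_id, COMPILE_STATES[s.compiled])
            for s in sigs if s.enabled and s.compiled != "Y"]


def summary(sigs):
    """Same four numbers `show ip ips signature count` reports per engine."""
    return {"total": len(sigs),
            "enabled": sum(s.enabled for s in sigs),
            "retired": sum(s.retired for s in sigs),
            "compiled": sum(s.compiled == "Y" for s in sigs)}


def unretire_config(sig_id, sub_id):
    """IOS commands that un-retire (and enable) one signature; it is compiled on the next engine build."""
    return "\n".join([
        "ip ips signature-definition",
        f" signature {sig_id} {sub_id}",
        "  status",
        "   enabled true",
        "   retired false",
        "  exit",
        " exit",
        "exit",
    ])


if __name__ == "__main__":
    sigs = parse_signatures(SAMPLE_ROWS)
    print("summary:", summary(sigs))
    print("scanning:", [(s.sig_id, s.sub_id) for s in scanning(sigs)])
    for sid, sub, why in enabled_but_idle(sigs):
        print(f"{sid}:{sub} is enabled but not compiled ({why})")
    print(unretire_config(50012, 0))
```

Feed it the full output of show ip ips signatures and enabled_but_idle lists every signature an operator might believe is protecting the network but that the basic-category tuning above has retired. Each signature un-retired this way is compiled into its engine and adds to R2's memory footprint, which is exactly the trade-off the category configuration was making.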