Boot camp: defending ourselves with a router. Continued: IPS
Intrusion Prevention System (IPS)
In general, Cisco's intrusion prevention product line is quite wide. It includes the stand-alone IPS 42XX series sensors, the IDSM2 module for the 6500, the AIP-SSM module for the ASA, the NME-IPS module for ISR routers and the AIM-IPS card for ISRs. Cisco is trying to bring the same ideology to ISR-based software solutions by adding the corresponding functionality to IOS.
The whole ideology of intrusion detection and prevention is based on the concept of a signature. A signature is essentially a pattern of "irregularities" in a single packet or in a stream.
There are all sorts of "irregularities", ranging from typical reconnaissance methods to network worms. These templates are carefully written by Cisco's programmers and reach the user in the form of updates. That is, the system is reactive by nature and depends on constant updates, which cost money. Update licenses are tied directly to each piece of hardware. Without a license you can change the OS, but you cannot apply signature updates.
A little history of router-based intrusion detection and prevention.
The first Intrusion Detection System (IDS) was implemented on routers in IOS 12.2.8T with the firewall feature set. Back then these were the 26XX and 36XX routers. The system consisted of a few dozen (at most 105) signatures. All you could do was disable them or restrict them to part of the traffic.
This system was enabled with
ip audit name IDS attack action {alarm, drop, reset}
ip audit name IDS info action {alarm, drop, reset}
int f0/0
ip audit IDS {in | out}
It was a thing in itself: no flexible settings, no updates, and no idea of what was inside the signatures.
The next step was a separate signature definition file (SDF). This special file was uploaded to the router and pointed to in the configuration; all signatures and their parameters were stored in it. It was configured like this:
ip ips sdf location flash:{256MB.sdf | 128MB.sdf | attack-drop.sdf}
The file is chosen according to the amount of RAM on the router. The largest file, 256MB.sdf, contained more than 1,500 signatures and required at least 256 MB of RAM.
ip ips name IPS
int f0/0
ip ips IPS {in | out}
Once the IPS rule was attached to the interface, the router loaded the signatures from the file into memory and let you configure them both from the console and through the web GUI (by the way, the GUI called Security Device Manager, SDM, is very convenient for configuring IPS).
For backward compatibility, IOS (up to 12.4(11)T) also had built-in signatures. When using an external file it was recommended to disable them:
no ip ips sdf builtin
You could also require that traffic be blocked if the SDF file cannot be loaded or the IPS subsystem fails:
ip ips fail closed
But the signature format here was the same as on the version 4 IPS sensors. That format did not allow deeper traffic analysis and could not stop the newer, trickier attacks. By then a new format, version 5, had appeared on the IPS sensors themselves; in it you can configure cumulative attack-risk parameters (Risk Rating), define areas of closer attention (Target Value Rating) and much more.
Therefore, starting from 12.4(11)T, the old format is no longer supported; format 4 signature updates ceased in August 2008.
To switch to the new format and protect the network flexibly with IPS, you now need to load a different file, IOS-S###-CLI.pkg, which stores the current signatures and their parameters in encrypted form. The number ### keeps increasing, so updates must be loaded constantly. By the way, this can be done automatically with the
ip ips auto-update
command.
Next, you need to install Cisco's public key on the router so that it can decrypt (or rather, verify the digital signature of) the downloaded file. The key-string body is the hex dump of Cisco's public key; take it verbatim from Cisco's IOS IPS documentation rather than from a blog copy, because a single corrupted hex word makes the key useless and the package will fail verification.
It is done like this:
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
quit
These commands can simply be pasted into
Ro(config)#
mode. The key is the same for everyone.
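As an added example (not part of the original post and not Cisco's code), the Python below shows what that key-string actually is: a DER-encoded SubjectPublicKeyInfo, whose opening words (30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101) announce a 2048-bit rsaEncryption key and whose closing word 0001 is the tail of the public exponent 65537. It builds such a key-string from a constructed demo modulus (not Cisco's key) and parses it back, rejecting a paste that picked up commas, stray characters or lost a line before it ever reaches the router.

```python
RSA_OID = bytes.fromhex("2A864886F70D010101")  # OID 1.2.840.113549.1.1.1 = rsaEncryption
def der_tlv(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep it positive

def der_read(buf, pos):
    """Decode one TLV at pos -> (tag, body, next pos); ValueError if truncated."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits = number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def to_ios_key_string(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key, laid out like IOS shows it: 8 hex words per line."""
    rsa_pub = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))
    words = [spki.hex().upper()[i:i + 8] for i in range(0, 2 * len(spki), 8)]
    return "\n".join(" ".join(words[i:i + 8]) for i in range(0, len(words), 8))

def parse_ios_key_string(text):
    """Return {'bits', 'exponent', 'modulus'}; ValueError if the pasted text is garbled."""
    raw = bytes.fromhex("".join(text.split()))     # commas or stray letters fail here
    tag, spki, end = der_read(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not exactly one SubjectPublicKeyInfo")
    tag, alg, pos = der_read(spki, 0)
    if tag != 0x30 or der_read(alg, 0)[1] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = der_read(spki, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("bad BIT STRING wrapper around the RSA key")
    rsa_pub = der_read(bits[1:], 0)[1]
    tag, n, pos = der_read(rsa_pub, 0)
    n, e = int.from_bytes(n, "big"), int.from_bytes(der_read(rsa_pub, pos)[1], "big")
    return {"bits": n.bit_length(), "exponent": e, "modulus": n}
def key_string_is_wellformed(text):
    try:
        return bool(parse_ios_key_string(text))
    except (ValueError, IndexError):
        return False
# Constructed 2048-bit demo modulus (deterministic filler, NOT a real Cisco key).
DEMO_MODULUS = int.from_bytes(bytes(range(1, 33)) * 8, "big") | (1 << 2047)
DEMO_KEY_STRING = to_ios_key_string(DEMO_MODULUS)
```

Running key_string_is_wellformed over the text you are about to paste catches the kind of damage seen in copied blobs (commas inside a word, a line split or dropped) before the router silently accepts a key that will never verify anything.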
It is advisable to create a separate directory for the IPS files in the router's flash:
Ro# mkdir flash:/IPS
Copy the IOS-S###-CLI.pkg file there, and also tell the router that this is where it will keep the files it needs for its work:
Ro(config)# ip ips config location flash:/IPS/
Now those files have to be installed there. This is done with a tricky command:
Ro# copy flash:/IPS/IOS-S###-CLI.pkg idconf
This procedure takes a considerable time (several minutes), and afterwards you will see the following in flash:
21 May 27 2009 14:22:58 +04:00 IPS
22 8662169 May 27 2009 14:24:22 +04:00 IPS/IOS-S399-CLI.pkg
23 284871 May 28 2009 22:48:00 +04:00 IPS/ccmt-2811-sigdef-default.xml
24 255 May 27 2009 16:35:56 +04:00 IPS/ccmt-2811-sigdef-delta.xml
25 34761 May 28 2009 22:43:44 +04:00 IPS/ccmt-2811-sigdef-category.xml
26 304 May 27 2009 16:35:56 +04:00 IPS/ccmt-2811-seap-delta.xml
27 8509 May 28 2009 22:43:40 +04:00 IPS/ccmt-2811-sigdef-typedef.xml
28 491 May 27 2009 17:05:00 +04:00 IPS/ccmt-2811-seap-typedef.xml
These XML files contain the default settings, your changes, the blocking parameters and so on. Practically everything. All that is left is to create a rule and attach it to the interface, as before:
ip ips name IPS
int f0/0
ip ips IPS {in | out}
After this the signatures are loaded into memory, and those that are enabled by default immediately get to work.
Remember that there are a lot of signatures and they eat a lot of memory and CPU, so Cisco strongly recommends doing the following.
1. Retire the entire "all" signature category:
Ro(config)# ip ips signature-category
Ro(config-ips-category)# category all
Ro(config-ips-category-action)# retired true
2. Enable the IOS category for a start, and its basic version:
Ro(config)# ip ips signature-category
Ro(config-ips-category)# category ios_ips basic
Ro(config-ips-category-action)# retired false
Ro(config-ips-category-action)# enabled true
The configuration is applied when you exit back to (config)# mode.
3. Then, while monitoring memory and CPU load, you can add other signature categories. The signatures themselves can be configured both from the console, in
ip ips signature-definition
mode, and through SDM or the newer web GUI, CCE (Cisco Configuration Expert).
The parameters and the signature-tuning mechanism are as close as possible to tuning on the sensors, so if you have experience configuring AIP-SSM, 42XX or IDSM2 sensors you can safely get down to business. If you have no such experience, it is better to read up on signature tuning first. Or take an IPS 6.0 course :)