Young fighter course: we are protected by a router. Continuation: IPS

    Intrusion Prevention System (IPS)

    In general, the cisco intrusion prevention system product line is quite wide. It includes stand-alone IPS 42XX series sensors, the 6500 module - IDSM2, the ASA module - AIP-SSM, the router module (ISR) - NME-IPS, the ISR card - AIM-IPS. He is trying to bring the same ideology of tsiska to ISR-based software solutions, adding the corresponding functionality to IOS.

    The whole ideology of intrusion detection and prevention is based on the concept of signature. The signature is essentially a pattern of "irregularities" in a single packet or stream.

    There are various “irregularities,” ranging from typical reconnaissance methods to network worms. These templates are carefully written by tsiska programmers and reach the user in the form of updates. Those. the system is reactive in nature and is based on constant updates that cost money. Licenses for updates are tied to each piece of hardware directly. Without a license, you can change the OS, but you cannot roll up signature updates.

    A little history of router-based intrusion detection and prevention systems.

    The first Intrusion Detection System (IDS) was implemented on routers with IOS 12.2.8T with a firewall feature set. Then it was 26XX and 36XX routers. The system was a few dozen (maximum 105) signatures. You could only disable them or set the job not for all traffic.

    This system was enabled by

    ip audit name IDS attack action {alarm, drop, reset}
    ip audit name IDS info action {alarm, drop, reset}

    int f0 / 0
    ip audit IDS {in | out}

    This was a thing in itself. Neither flexible settings, nor updates, nor the concept of what is in the signatures.

    The next step was to implement a separate signature definition file. This special file was uploaded to the router, it was pointed out in the settings, all signatures and their parameters were stored in it. This design was configured as follows:

    ip ips sdf location flash: {256MB.sdf | 128MB.sdf | attack-drop.sdf} the

    file is selected based on the amount of RAM on the router. The largest file, 256MB.sdf, contained more than 1,500 signatures and required a minimum of 256 megabytes of RAM

    ip ips name IPS

    int f0 / 0
    ip ips IPS {in | out}

    After hanging the IPS rules on the interface, the tsisk loaded the signatures from the file into the memory and made it possible to configure them both through the console and via the web-GUI (by the way, the GUI called Security Device Manager, SDM, is very convenient for configuring IPS)

    For backward compatibility in IOSax (up to 12.4.T (11)) there were also built-in signatures. When using an external file, it was recommended to disable them.

    No ip ips sdf builtin

    You could require that the traffic be blocked if it is impossible to load the sdf file or if the IPS subsystem fails

    ip ips fail close

    But the signature format here was the same as in the IPS version 4 sensors. This format did not allow a deeper analysis of traffic and cut off new tricky attacks. By the time the IPS sensors themselves, a new format appeared - 5, in which you can configure the accumulative risk parameters of attack (Risk Rating), create areas of closer attention (Target Value Rating) and much more.

    Therefore, from version 12.4.T (11), the old format is no longer supported, format 4 signature updates ceased in August 2008.

    To switch to the new format and flexibly protect the network using IPS, you must now load another IOS-S ### - CLI file
    which stores the encrypted current signatures and their parameters. Number ### is constantly increasing, updates must be constantly loaded. By the way, this can be done automatically with the

    ip ips auto-update
    Next, you need to install the cisco key on the router to decrypt (or rather, verify the digital signature) of the downloaded file.

    Do this:

    crypto key pubkey-chain rsa

    named-key realm-cisco. pub signature

    30820122 300D0609 2A864886 F70D0101
    01050003 82010F00 3082010A
    02820101 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5D7DFBDBDBDBBBEBE
    B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
    5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
    FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
    50,437,722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
    006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
    2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
    F3020301 0001

    These commands can simply be injected into
    Ro (config) #
    copy-paste mode . The key is one for all.

    It is advisable to create a separate folder for the IPS files in the router’s flash

    Ro # mkdir flash: / IPS

    There you need to copy the file IOS-S ### - CLI.pkg, and also indicate that it will store the files

    Ro (config) # ip ips config location flash needed for work : / IPS /

    Now you need to install these most necessary files there . This is done by the cunning team

    Ro # copy flash: / IPS / IOS-S ### - CLI.pkg idconf

    This procedure will take a considerable time (several minutes) and in the results you will see in flash

    21 May 27 2009 14:22:58 + 04:00 IPS
    22 8662169 May 27 2009 14:24:22 +04: 00 IPS / IOS-S399-CLI.pkg
    23 284871 May 28 2009 22:48:00 +04: 00 IPS / ccmt-2811-sigdef-default .xml
    24 255 May 27 2009 16:35:56 +04: 00 IPS / ccmt-2811-sigdef-delta.xml
    25 34761 May 28 2009 22:43:44 +04: 00 IPS / ccmt-2811-sigdef-category .xml
    26 304 May 27 2009 16:35:56 +04: 00 IPS / ccmt-2811-seap-delta.xml
    27 8509 May 28 2009 22:43:40 +04: 00 IPS / ccmt-2811-sigdef-typedef.xml
    28 491 May 27 2009 17:05:00 +04: 00 IPS / ccmt-2811-seap-typedef.xml

    These xml files contain default settings, your changes, blocking parameters, etc.

    Virtually everything. It is only necessary to create a rule and hang it on the interface, as was done before:

    ip ips name IPS

    int f0 / 0
    ip ips IPS {in | out}

    After this, the signature will be loaded into the memory and those of them that are enabled by default immediately will get to work.

    Remember that there are a lot of signatures, they eat a lot of memory and processor, therefore tsiska strongly recommends to do the following.

    1. Disable signature category all

    Ro (config) # ip ips signature-category
    Ro (config-ips-category) # category all
    Ro (config-ips-category-action) # retired true

    2. Turn on the IOS category for starters, and in the basic version

    Ro (config) # ip ips signature-category
    Ro (config-ips-category) # category ios_ips basic
    Ro (config-ips-category-action) # retired false
    Ro (config-ips-category-action) # enabled true The

    config is updated after exit back to (config) mode #

    3. Further, monitoring the memory and processor load, you can add other categories of signatures. Configuring the signatures themselves is possible both through the console from

    ip ips signature-definition mode

    and through SDM or the newer WEB-GUI - CCE (Cisco Configuration Expert)

    Parameters and the mechanism for configuring signatures are as close as possible to tuning on sensors, so if you have experience configuring AIP-SSM, 42XX or IDMS2 sensors, you can safely get down to business. If there is no such experience, it is better to read about setting up signatures. Or take an IPS 6.0 course :)

    To be continued...

    Also popular now: