IOS IPS is fair game for both the CCIE Security and CCIE R/S labs. Now that IOS IPS uses version 5 signatures (the same format the sensor appliance uses), setting it up is no longer trivial, but it is important to know. The intention of this post is to provide a streamlined process to use as a jumpstart into IOS IPS. For full details, examples and explanations, please refer to our lab workbooks; both the R/S and Security workbooks cover the topic. Let's get started!
First, we need a place for the IPS configuration files to call home. IPS wants a folder, so let's make a directory on the router's flash. If other writable IOS file systems were present, we could use one of those instead.
```
R6#mkdir ips
Create directory filename [ips]?
Created dir flash:/ips
R6#
```

IOS IPS uses a crypto key to verify the digital signature on the master signature file, which Cisco signs with its private key. To verify that signature, the router needs the corresponding public key. Cisco publishes it as a text file named realm-cisco.pub.key.txt. To load the public key into the router configuration, we do the following (the $ at the left of each hex line is the terminal's indicator that the line is wider than the screen, so the first characters of those lines have scrolled off and are not shown here):
```
R6(config)#crypto key pubkey-chain rsa
R6(config-pubkey-chain)#named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R6(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
R6(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R6(config-pubkey)#$D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R6(config-pubkey)#$912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R6(config-pubkey)#$085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R6(config-pubkey)#$0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R6(config-pubkey)#$994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R6(config-pubkey)#$5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R6(config-pubkey)#$A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R6(config-pubkey)#$80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R6(config-pubkey)# F3020301 0001
R6(config-pubkey)# quit
R6(config-pubkey-key)#end
```

We'll save the configuration, just to be safe.
```
R6#wr
Building configuration...
```

Let's check the ips folder we created on flash. It should still be empty.
```
R6#cd ips
R6#dir
Directory of flash:/ips/

No files in directory

255967232 bytes total (187428864 bytes free)
R6#cd ..
```

Once the IPS configuration is complete, the router inspects all traffic on the interface and in the direction we specify. To limit which traffic goes through IPS processing, we can attach an access-list to the IPS rule: only traffic permitted by the ACL is inspected. Note that traffic denied by the ACL is not dropped; it is simply forwarded without inspection. Let's create an ACL that matches only traffic destined to 6.6.6.6, the loopback of R6.
```
R6(config)#access-list 123 permit ip any host 6.6.6.6
```

Next we create an IPS rule named “IOS-IPS” and associate the ACL we just created with it. In a later step, we will apply this IPS rule to an interface.
```
R6(config)#ip ips name IOS-IPS list 123
```

IPS needs to know where to keep its signature definitions and configuration. It just so happens that we created a folder on flash named “ips” earlier; we will use that directory.
```
R6(config)#ip ips config location flash:/ips
```

The router can send alerts using Security Device Event Exchange (SDEE) and/or syslog. We will configure both, and allow up to two simultaneous SDEE managers to open subscriptions (standing requests for alerts). SDEE is served by the router's HTTP server, so that must be enabled as well. Let's take care of these items next.
```
R6(config)#ip ips notify sdee
R6(config)#ip sdee subscriptions 2
R6(config)#ip ips notify log
R6(config)#ip http server
```

In the lab the plain HTTP server is fine. On a production router, use ip http secure-server instead so SDEE runs over HTTPS, and restrict who can reach it with ip http access-class, since the same HTTP server also exposes the router's web management interface.

Before we apply the IPS rule to an interface, we set up some safety. We retire all signatures, then un-retire just the signatures in the “ios_ips advanced” category. If we un-retired the “all” category, the router could well run out of memory when it compiles the signatures (your mileage may vary ☺). Retiring is what saves the memory: a retired signature is not compiled into its engine at all, whereas a signature that is merely disabled is still compiled and only has its actions suppressed. As we exit the configuration, we are prompted to accept the changes.
```
R6(config)#ip ips signature-category
R6(config-ips-category)#category all
R6(config-ips-category-action)#retired true
R6(config-ips-category-action)#exit
R6(config-ips-category)#category ios_ips advanced
R6(config-ips-category-action)#retired false
R6(config-ips-category-action)#end
Do you want to accept these changes? [confirm]
R6#
Applying Category configuration to signatures ...
R6#
```

Next we apply the IPS rule we created to an interface. We also enable virtual fragment reassembly, so that fragmented IP packets are reassembled before IPS inspects them; without it, an attacker could split a malicious payload across fragments to slip past signatures that need to see the whole packet.
```
R6(config)#interface FastEthernet0/0
R6(config-if)#ip ips IOS-IPS in
R6(config-if)#ip virtual-reassembly
```

Notice that as soon as we apply the IPS rule to an interface, the router begins compiling signatures. This does not take long yet, because we have not given the router a signature package.
```
R6#
%IPS-6-ENGINE_BUILDS_STARTED: Jan 14 2010
%IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms
```

Let's take a peek at the ips directory that was empty just a few minutes ago.
```
R6#cd ips
R6#dir
Directory of flash:/ips/

   52  -rw-         719  Jan 14 2010 20:00:26 +00:00  R6-sigdef-default.xml
    9  -rw-         271  Jan 14 2010 20:00:26 +00:00  R6-sigdef-delta.xml
   59  -rw-        4365  Jan 14 2010 20:00:28 +00:00  R6-sigdef-typedef.xml
    4  -rw-        1469  Jan 14 2010 20:00:28 +00:00  R6-sigdef-category.xml
    7  -rw-         257  Jan 14 2010 20:00:28 +00:00  R6-seap-delta.xml
   16  -rw-         491  Jan 14 2010 20:00:28 +00:00  R6-seap-typedef.xml

255967232 bytes total (187400192 bytes free)
R6#cd ..
```

Cool beans! Here is what those files contain:
R6-sigdef-default.xml: factory default signature definitions
R6-sigdef-delta.xml: signature definitions which were changed from the default
R6-sigdef-typedef.xml: signature parameter definitions
R6-sigdef-category.xml: signature category information, such as category ios_ips basic and advanced
R6-seap-delta.xml: has changes made to the default SEAP parameters
R6-seap-typedef.xml: has the default SEAP parameter definitions
SEAP = Signature Event Action Processor (event action overrides, event action filters, etc.)
Now let's give the router some signature information to crunch. We can download the latest signature package from cisco.com and put it on a local server. Here, R6 copies the .pkg file from a local TFTP server straight into the IPS configuration (the idconf target). TFTP offers no integrity protection of its own; what protects the package is its digital signature, which the router checks against the realm-cisco.pub key we loaded earlier. If that key were missing or mistyped, the load would fail with a digital-signature error, so this step doubles as a check that the key was entered correctly.
```
R6#copy tftp://40.0.0.101/IOS-S456-CLI.pkg idconf
Loading IOS-S456-CLI.pkg from 40.0.0.101 (via FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 11085111 bytes]
```

Now watch the console while the router digests the file and compiles all the signatures in the “advanced” set. This takes a while, and on a production router it could cause a denial of service: the CPU skyrockets for roughly 1 to 5 minutes until the builds complete. Also be aware that IOS IPS fails open by default, so while the engines are being built, traffic passes through uninspected. If inspection matters more than availability on a given router, configure ip ips fail closed so packets are dropped until the engines are ready.
```
R6#
%IPS-6-ENGINE_BUILDS_STARTED: 20:03:39 UTC Jan 14 2010
%IPS-6-ENGINE_BUILDING: multi-string - 40 signatures - 1 of 13 engines
%IPS-6-ENGINE_READY: multi-string - build time 164 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-http - 801 signatures - 2 of 13 engines
%IPS-6-ENGINE_READY: service-http - build time 17456 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: string-tcp - 2058 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: string-tcp - build time 59236 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: string-udp - 79 signatures - 4 of 13 engines
%IPS-6-ENGINE_READY: string-udp - build time 52 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: state - 37 signatures - 5 of 13 engines
%IPS-6-ENGINE_READY: state - build time 648 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: atomic-ip - 373 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 5548 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
%IPS-6-ENGINE_READY: string-icmp - build time 0 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
%IPS-6-ENGINE_READY: service-ftp - build time 20 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-rpc - 76 signatures - 9 of 13 engines
%IPS-6-ENGINE_READY: service-rpc - build time 204 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-dns - 39 signatures - 10 of 13 engines
%IPS-6-ENGINE_READY: service-dns - build time 60 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
%IPS-6-ENGINE_READY: normalizer - build time 4 ms - packets for this engine will be scanned
%IPS-6-ENGINE_READY: service-smb-advanced - build time 3024 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-msrpc - 35 signatures - 13 of 13 engines
%IPS-6-ENGINE_READY: service-msrpc - build time 2208 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 88876 ms
R6#
```

Wow, only 88,876 ms to complete, about 1.5 minutes. Let's run some show commands to verify our install.
```
R6#show ip ips signature count
Cisco SDF release version S456.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 40
    multi-string enabled signatures: 34
    multi-string retired signatures: 34
    multi-string compiled signatures: 6
Signature Micro-Engine: service-http: Total Signatures 801
    service-http enabled signatures: 133
    service-http retired signatures: 667
    service-http compiled signatures: 134
    service-http obsoleted signatures: 3
Signature Micro-Engine: string-tcp: Total Signatures 2058
    string-tcp enabled signatures: 675
    string-tcp retired signatures: 1810
    string-tcp compiled signatures: 248
    string-tcp obsoleted signatures: 22
Signature Micro-Engine: string-udp: Total Signatures 79
    string-udp enabled signatures: 0
    string-udp retired signatures: 78
    string-udp compiled signatures: 1
    string-udp obsoleted signatures: 2
Signature Micro-Engine: state: Total Signatures 37
    state enabled signatures: 16
    state retired signatures: 24
    state compiled signatures: 13
Signature Micro-Engine: atomic-ip: Total Signatures 373
    atomic-ip enabled signatures: 90
    atomic-ip retired signatures: 307
    atomic-ip compiled signatures: 66
Signature Micro-Engine: string-icmp: Total Signatures 3
    string-icmp enabled signatures: 0
    string-icmp retired signatures: 3
Signature Micro-Engine: service-ftp: Total Signatures 3
    service-ftp enabled signatures: 1
    service-ftp retired signatures: 2
    service-ftp compiled signatures: 1
Signature Micro-Engine: service-rpc: Total Signatures 76
    service-rpc enabled signatures: 44
    service-rpc retired signatures: 50
    service-rpc compiled signatures: 26
Signature Micro-Engine: service-dns: Total Signatures 39
    service-dns enabled signatures: 27
    service-dns retired signatures: 10
    service-dns compiled signatures: 29
    service-dns obsoleted signatures: 1
Signature Micro-Engine: normalizer: Total Signatures 9
    normalizer enabled signatures: 8
    normalizer retired signatures: 1
    normalizer compiled signatures: 8
Signature Micro-Engine: service-smb-advanced: Total Signatures 49
    service-smb-advanced enabled signatures: 40
    service-smb-advanced retired signatures: 30
    service-smb-advanced compiled signatures: 19
Signature Micro-Engine: service-msrpc: Total Signatures 35
    service-msrpc enabled signatures: 17
    service-msrpc retired signatures: 28
    service-msrpc compiled signatures: 7
    service-msrpc obsoleted signatures: 1
Total Signatures: 3602
    Total Enabled Signatures: 1085
    Total Retired Signatures: 3044
    Total Compiled Signatures: 558
    Total Obsoleted Signatures: 29
R6#show ip ips configuration
IPS Signature File Configuration Status
    Configured Config Locations: flash:/ips/
    Last signature default load time: Jan 14 2010
    Last signature delta load time: Jan 14 2010
    Last event action (SEAP) load time: -none-
    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled
IPS Signature Status
    Total Active Signatures: 558
    Total Inactive Signatures: 3044
IPS Packet Scanning and Interface Status
    IPS Rule Configuration
    IPS name IOS-IPS
        acl list 123
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Interface Configuration
    Interface FastEthernet0/0
        Inbound IPS rule is IOS-IPS
            acl list 123
        Outgoing IPS rule is not set
IPS Category CLI Configuration:
    Category all:
        Retire: True
    Category ios_ips advanced:
        Retire: False
R6#
```

Note that the 558 compiled signatures are exactly the 558 “Total Active Signatures” in the second output: only compiled signatures scan traffic. Also note “IPS fail closed is disabled”, the default discussed above.

OK, how do we modify signatures? The simple way is the Security Device Manager (SDM) GUI. Unfortunately that option is not available in the lab, so let's look at how to do it from the CLI. We'll modify the signature for ICMP echo request. In the Security lab, the IPS sensor GUI (IDM) on the appliance could be used to discover which signature number is ICMP echo; in the R/S lab, the online documentation or a signature number given in the task would be helpful.
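Before we get into modifying signatures, one added example on verification (this is the editor's code, not part of the original post): a small Python script that parses the show ip ips signature count output above, re-checks the router's Total lines against the sum over engines, and lists engines that will scan nothing because every signature in them is retired. The sample output embedded in the script is a constructed excerpt of four of the thirteen engines, in the router's own line format, with the Total lines recomputed for those four engines only; the function and variable names are the example's own.

```python
"""Audit `show ip ips signature count` output from an IOS IPS router.

Added example (not code from the original post). It parses the per-engine
counters the router printed, re-checks the Total lines against the sum over
engines, and lists engines in which no signature was compiled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: four of the thirteen engines from the show output, in the
# router's own line format. The Total lines were recomputed for these four
# engines only, so they differ from R6's real totals.
SAMPLE_OUTPUT = """\
Cisco SDF release version S456.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 40
    multi-string enabled signatures: 34
    multi-string retired signatures: 34
    multi-string compiled signatures: 6
Signature Micro-Engine: string-udp: Total Signatures 79
    string-udp enabled signatures: 0
    string-udp retired signatures: 78
    string-udp compiled signatures: 1
    string-udp obsoleted signatures: 2
Signature Micro-Engine: string-icmp: Total Signatures 3
    string-icmp enabled signatures: 0
    string-icmp retired signatures: 3
Signature Micro-Engine: service-dns: Total Signatures 39
    service-dns enabled signatures: 27
    service-dns retired signatures: 10
    service-dns compiled signatures: 29
    service-dns obsoleted signatures: 1
Total Signatures: 161
Total Enabled Signatures: 61
Total Retired Signatures: 125
Total Compiled Signatures: 36
Total Obsoleted Signatures: 3
"""

COUNTERS = ("total", "enabled", "retired", "compiled", "obsoleted")
ENGINE_RE = re.compile(r"^Signature Micro-Engine:\s*(\S+):\s*Total Signatures\s+(\d+)$")
COUNT_RE = re.compile(r"^(\S+) (enabled|retired|compiled|obsoleted) signatures:\s+(\d+)$")
TOTAL_RE = re.compile(r"^Total(?: (Enabled|Retired|Compiled|Obsoleted))? Signatures:\s+(\d+)$")


def parse_signature_count(text: str) -> Tuple[Dict[str, Dict[str, int]], Dict[str, int]]:
    """Return ({engine: {counter: n}}, {counter: n}) from the show output.

    A counter the router omits for an engine (there is no 'compiled' line for
    string-icmp, for instance) is reported as 0.
    """
    engines: Dict[str, Dict[str, int]] = {}
    totals: Dict[str, int] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENGINE_RE.match(line):
            current = m.group(1)
            engines[current] = dict.fromkeys(COUNTERS, 0)
            engines[current]["total"] = int(m.group(2))
        elif (m := COUNT_RE.match(line)) and m.group(1) == current:
            engines[current][m.group(2)] = int(m.group(3))
        elif m := TOTAL_RE.match(line):
            totals[(m.group(1) or "total").lower()] = int(m.group(2))
    return engines, totals


def totals_consistent(engines: Dict[str, Dict[str, int]], totals: Dict[str, int]) -> Dict[str, bool]:
    """Does each Total line printed by the router equal the sum of that counter over engines?"""
    return {c: sum(e[c] for e in engines.values()) == totals.get(c) for c in COUNTERS}


def engines_without_compiled_signatures(engines: Dict[str, Dict[str, int]]) -> List[str]:
    """Engines that scan nothing: no signature in them was compiled (all retired)."""
    return sorted(name for name, e in engines.items() if e["compiled"] == 0)


if __name__ == "__main__":
    eng, tot = parse_signature_count(SAMPLE_OUTPUT)
    for name, counts in eng.items():
        print(f"{name:22s} compiled {counts['compiled']:4d} of {counts['total']:4d}")
    print("totals consistent:", totals_consistent(eng, tot))
    print("idle engines:", engines_without_compiled_signatures(eng))
```

Feed it the real output (for example captured over SSH after a signature update) and the idle-engine list tells you at a glance which protocol engines your category choices have switched off entirely; a mismatch in totals_consistent means the output was truncated or the format changed.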
Signature 2004, sub-signature 0, is the signature for ICMP Echo Request.
Let's look at the default for this signature first:
```
R6#show ip ips signature sigid 2004 subid 0
En   - possible values are Y, Y*, N, or N*
   Y: signature is enabled
   N: enabled=false in the signature definition file
   *: retired=true in the signature definition file
Cmp  - possible values are Y, Ni, Nr, Nf, or No
   Y: signature is compiled
   Ni: signature not compiled due to invalid or missing parameters
   Nr: signature not compiled because it is retired
   Nf: signature compile failed
   No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release

SigID:SubID En Cmp Action Sev  Trait EC   AI   GST   SI  SM SW SFR Rel
----------- -- --- ------ ---- ----- ---- ---- ----- --- -- -- --- ---
2004:0      N* Nr  A      INFO 0     1    0    200   30  FA N  100 S1
     sig-name: ICMP Echo Request
     sig-string-info: My Sig Info
     sig-comment: Sig Comment
     Engine atomic-ip params:
       fragment-status :
       icmp-type : 8
       l4-protocol : icmp
R6#
```

By default this signature is both disabled and retired (N*), so it is not compiled (Nr) and never fires. Now we will tweak it. Take a look at the config and it is apparent what we are configuring: true. (You may get the joke after looking at the config: true, or not: false.)
```
R6(config)#ip ips signature-definition
R6(config-sigdef)#signature 2004 0
R6(config-sigdef-sig)#engine
R6(config-sigdef-sig-engine)#event-action produce-alert
R6(config-sigdef-sig-engine)#exit
R6(config-sigdef-sig)#alert-severity high
R6(config-sigdef-sig)#status
R6(config-sigdef-sig-status)#enabled true
R6(config-sigdef-sig-status)#retired false
R6(config-sigdef-sig-status)#exit
R6(config-sigdef-sig)#exit
R6(config-sigdef)#exit
Do you want to accept these changes? [confirm]
R6(config)#
%IPS-6-ENGINE_BUILDS_STARTED: Jan 14 2010
%IPS-6-ENGINE_BUILDING: atomic-ip - 373 signatures - 1 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 4764 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 5596 ms
R6(config)#exit
```

Only the atomic-ip engine is rebuilt, since that is the engine signature 2004 belongs to, and the change is recorded in R6-sigdef-delta.xml rather than in the default signature file. Now let's look at the results of the changes.
```
R6#show ip ips signature sigid 2004 subid 0
En   - possible values are Y, Y*, N, or N*
   Y: signature is enabled
   N: enabled=false in the signature definition file
   *: retired=true in the signature definition file
Cmp  - possible values are Y, Ni, Nr, Nf, or No
   Y: signature is compiled
   Ni: signature not compiled due to invalid or missing parameters
   Nr: signature not compiled because it is retired
   Nf: signature compile failed
   No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release

SigID:SubID En Cmp Action Sev  Trait EC   AI   GST   SI  SM SW SFR Rel
----------- -- --- ------ ---- ----- ---- ---- ----- --- -- -- --- ---
2004:0      Y  Y   A      HIGH 0     1    0    200   30  FA N  100 S1
     sig-name: ICMP Echo Request
     sig-string-info: My Sig Info
     sig-comment: Sig Comment
     Engine atomic-ip params:
       fragment-status :
       icmp-type : 8
       l4-protocol : icmp
R6#
```

The signature is now enabled, compiled (Y Y) and rated HIGH. We can do a simple test by issuing a ping to 6.6.6.6 from a neighbor, R4.
```
R4#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R4#
```

Now let's take a look at the console on R6. We configured IPS to send syslog messages for alerts.
```
R6#
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
R6#
```

Five echo requests, five alerts. Because the only event action we configured was produce-alert, the pings still succeeded (R4 saw 5/5); IPS reported the traffic but did not block it. To actually drop it, the signature would need a deny action such as deny-packet-inline. For an ICMP alert, the two numbers after the addresses are the ICMP type and code (8 and 0 for echo request) rather than ports.
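Syslog is only useful if something consumes it. As an added example (the editor's code, not part of the original post), here is a Python parser for the %IPS-4-SIGNATURE message format R6 printed above, with a small aggregation that flags any source that trips the same signature repeatedly. The sample log is constructed: it contains the five alerts from R4's ping, one alert from a made-up second host (10.0.0.9), and an engine-build message that is not an alert and must be skipped. The threshold and all function names are the example's own.

```python
"""Parse IOS IPS syslog alerts (%IPS-4-SIGNATURE) and flag repeat offenders.

Added example, not part of the original post. The message format is the one
R6 logged above; the 10.0.0.9 line and the threshold are constructed for the
demo and are not from the page.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)

# Constructed sample log: the five alerts R6 logged for R4's ping, one alert from
# a second (made-up) host, and an engine-build message that is not an alert.
SAMPLE_LOG = [
    "%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100",
] * 5 + [
    "%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [10.0.0.9:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100",
    "%IPS-6-ENGINE_READY: atomic-ip - build time 4764 ms - packets for this engine will be scanned",
]


@dataclass(frozen=True)
class IpsAlert:
    sig: int
    subsig: int
    severity: int
    name: str
    src: str
    sport: int  # for ICMP alerts this field carries the ICMP type (8 = echo request)
    dst: str
    dport: int  # and this one the ICMP code (0)
    vrf: str
    risk_rating: int


def parse_alert(line: str) -> Optional[IpsAlert]:
    """One syslog line -> IpsAlert, or None if the line is not a signature alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return IpsAlert(
        sig=int(m["sig"]), subsig=int(m["subsig"]), severity=int(m["sev"]),
        name=m["name"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), vrf=m["vrf"], risk_rating=int(m["rr"]),
    )


def parse_alerts(lines: Iterable[str]) -> List[IpsAlert]:
    """Parse a whole log, silently dropping lines that are not signature alerts."""
    return [a for a in map(parse_alert, lines) if a is not None]


def hits_by_source(alerts: Iterable[IpsAlert]) -> Dict[Tuple[str, int], int]:
    """Count alerts per (source address, signature id)."""
    return Counter((a.src, a.sig) for a in alerts)


def noisy_sources(alerts: List[IpsAlert], threshold: int) -> List[Tuple[str, int, int]]:
    """(src, sig, count) for every source that tripped one signature at least `threshold` times."""
    return sorted((src, sig, n) for (src, sig), n in hits_by_source(alerts).items() if n >= threshold)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    print(f"{len(alerts)} alerts parsed, {len(SAMPLE_LOG) - len(alerts)} non-alert lines skipped")
    for src, sig, n in noisy_sources(alerts, threshold=5):
        print(f"{src} tripped signature {sig} {n} times")
```

Pointed at a real syslog feed, the (src, sig) counter is the piece you would turn into a correlation rule: a single echo request is noise, but one host hitting the same signature dozens of times in a short window is worth a look, and the structured fields (severity, risk rating, VRF) are what you would key a SIEM alert on.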