Page 1: Module 2: Configure Network Intrusion Detection and ...

© 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.

Page 2: Module 2: Configure Network Intrusion Detection and ...


Network Security 2

Module 2 – Configure Network Intrusion Detection and Prevention

Modified by Joanne Wagner, CCNP, CCAI, CCSP


Page 4: Module 2: Configure Network Intrusion Detection and ...


Learning Objectives

2.1 Cisco IOS Intrusion Prevention System

2.2 Configure Attack Guards on the PIX Security Appliance

2.3 Configure Intrusion Prevention on the PIX Security Appliance

2.4 Configure Shunning on the PIX Security Appliance

Page 5: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.1 Cisco IOS Intrusion Prevention System

Page 6: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.1.1 Cisco IOS Intrusion Prevention System (IPS)

Page 7: Module 2: Configure Network Intrusion Detection and ...


Cisco IOS Intrusion Prevention System

[Figure: attack flow through the router: 1 Attack, 2 Drop Packet, 3 Reset Connection, 4 Alarm sent to Cisco Security Monitor]

The current Cisco IOS IPS monitors and detects over 1600 of the most common attacks, using signatures to detect patterns of misuse in network traffic. The IPS can automatically reset the connection, drop the packet, or alert you about suspicious packets.

Page 8: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.1.2 Cisco IOS IPS Signatures

Page 9: Module 2: Configure Network Intrusion Detection and ...


Signatures

Each signature can be set to send an alarm, drop the connection, or reset the connection:

• Alarm – sends a notification about the attack

• TCP reset – sends a reset to both the source and destination addresses

• Drop – discards the packet without sending a reset

Page 10: Module 2: Configure Network Intrusion Detection and ...


Origin of Cisco IOS IPS

The primary difference between Cisco IOS Software IDS and the new, enhanced Cisco IOS IPS:

• An intrusion detection system monitors traffic and sends an alert when suspicious patterns are detected

• An intrusion prevention system can drop traffic, send an alarm, or reset the connection

• Cisco IOS IPS can download IPS signatures without the need for a Cisco IOS Software image update

Page 11: Module 2: Configure Network Intrusion Detection and ...


Origin of Cisco IOS IPS (Cont.)

• Cisco IOS IPS inherited the built-in 132 signatures from Cisco IOS Software IDS technology.

• With the introduction of inline IPS capability, new signatures can be added by downloading a signature definition file (SDF) into the Flash memory of the router.

• New signatures are released every two weeks, with emergency signature updates posted as needed (Cisco.com)

Page 12: Module 2: Configure Network Intrusion Detection and ...


Signature Micro-Engines (SMEs)

• A signature engine is a component of the sensor that supports a category of signatures.

• Cisco IOS IPS uses SMEs to load the SDF and scan signatures.

• Each engine categorizes a group of signatures, and each signature detects patterns of misuse in network traffic.

Page 13: Module 2: Configure Network Intrusion Detection and ...


Engine Usage

Engine Category – Usage

• Atomic – Used for single-packet inspection

• Flood – Used to detect attempts to cause a DoS

• Meta – Used to perform event correlation on the sensor

• Normalizer – Used to detect ambiguities and abnormalities in the traffic stream

Page 14: Module 2: Configure Network Intrusion Detection and ...


Engine Usage (Cont.)

Engine Category – Usage

• Service – Used when Layer 5, 6, and 7 services require protocol analysis

• State – Used for state-based and regular expression-based pattern inspection and alarming functionality for TCP streams

• String – Used for regular expression-based pattern inspection and alarm functionality for multiple transport protocols

Page 15: Module 2: Configure Network Intrusion Detection and ...


attack-drop.sdf

• Available in Flash on all Cisco access routers shipped with Cisco IOS Release 12.3(8)T or later.

• Can be loaded directly from Flash into the Cisco IOS IPS system.

• If Flash is erased, the attack-drop.sdf file will be erased and the router refers to the built-in signatures within the Cisco IOS image.

Page 16: Module 2: Configure Network Intrusion Detection and ...


Pre-built SDFs

Memory Available – Recommended SDF

• 256 MB or more – 256MB.sdf (500 signatures)

• 128 MB – 128MB.sdf (300 signatures)

• 64 MB – attack-drop.sdf (82 signatures)

The number of signatures that can be loaded on your router is limited by the router's memory.

Page 17: Module 2: Configure Network Intrusion Detection and ...


Cisco IOS IPS Signature Download

Page 18: Module 2: Configure Network Intrusion Detection and ...


Cisco IOS IPS Signature Download (Cont)

Page 19: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.1.3 Cisco IOS IPS Initial Configuration Tasks

Page 20: Module 2: Configure Network Intrusion Detection and ...


Installing Cisco IOS IPS

1. Install the Cisco IOS IPS on the router for the first time.

1.1 Configure the router to use the built in sdf

1.2 Create an IPS rule

1.3 Attach a policy to a signature (Optional)

1.4 Apply IPS rule at an interface

2. Configure Logging using Syslog or SDEE

3. Verify the configuration.

Page 21: Module 2: Configure Network Intrusion Detection and ...


Step 1.1 Configure the router to use the built-in SDF

ip ips sdf builtin

Router(config)# ip ips sdf builtin

• Configures the router to use the built-in signature definition file (SDF).

Page 22: Module 2: Configure Network Intrusion Detection and ...


Step 1.2 Create an IPS rule

ip ips name ips-name [list acl]

• Creates an IPS rule.

Router (config)#

Router(config)# ip ips name SECURIPS

• Creates an IPS rule named SECURIPS that will be applied to an interface.

Page 23: Module 2: Configure Network Intrusion Detection and ...


Step 1.3 Attach a policy to a given signature (optional)

ip ips signature signature-id [:sub-signature-id] {delete | disable | list acl-list}

• Attaches a policy to a given signature (optional).

Router(config)# ip ips signature 4050 disable

• Disables signature 4050 in the signature definition file.

Page 24: Module 2: Configure Network Intrusion Detection and ...


Step 1.3: Attach a policy to a given signature (optional) - continued

Router(config)# ip ips signature 4050 disable

• Disables signature 4050 in the signature definition file.

Router(config)# ip ips signature 4050 list 101

• Restricts signature 4050 to the traffic permitted by access list 101; the ACL itself must be configured separately, so this form relies on additional policy configuration.

Page 25: Module 2: Configure Network Intrusion Detection and ...


ip ips ips-name {in | out}

• Applies an IPS rule at an interface.

Router (config-if)#

Router(config-if)# ip ips SECURIPS in

Step 1.4: Apply the IPS rule

This command automatically loads the built-in signatures and builds the signature engines.

Page 26: Module 2: Configure Network Intrusion Detection and ...


Step 2 Configure logging

logging ip-address
logging trap level
logging on

• Configure logging using Syslog.

Router(config)# logging 10.0.P.12
Router(config)# logging trap warnings
Router(config)# logging on

Page 27: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.1.4 Cisco IOS IPS Upgrade Configuration Tasks

Page 28: Module 2: Configure Network Intrusion Detection and ...


show ip ips configuration

• Verify IPS configuration.

Router#

Router# show ip ips configuration

Step 3: Verify the Configuration

Page 29: Module 2: Configure Network Intrusion Detection and ...


Replace the existing signatures in the router with the latest SDF

1. Load Latest Signatures.

1.1 Load the latest sdf file into flash memory of router

1.2 Specify location of the Signature Definition File (SDF)

1.3 Create an IPS rule

1.4 Configure router to drop packets until signature engine is built

1.5 Instruct not to load built-in file

1.6 Remove the existing IPS rule

1.7 Apply IPS rule at an interface

2. Configure Logging using Syslog or SDEE

3. Verify the configuration

Page 30: Module 2: Configure Network Intrusion Detection and ...


Step 1.1 Load the latest SDF file

copy tftp://tftp-server/attack-drop.sdf flash:attack-drop.sdf

Router# copy tftp://10.0.P.12/attack-drop.sdf flash:attack-drop.sdf

Load the latest SDF file into the flash memory of the router.

The latest attack-drop.sdf file can be downloaded from http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup

Page 31: Module 2: Configure Network Intrusion Detection and ...


ip ips sdf location url

Router (config)#

Router(config)# ip ips sdf location flash:attack-drop.sdf

Step 1.2 Specify the location of the sdf file

Specify the location of the sdf

Page 32: Module 2: Configure Network Intrusion Detection and ...


Step 1.3 Create IPS rule

ip ips name ips-name [list acl]

• Creates an IPS rule.

Router (config)#

Router(config)# ip ips name SECURIPS

• Creates an IPS rule named SECURIPS that will be applied to an interface.

Page 33: Module 2: Configure Network Intrusion Detection and ...


Step 1.4 Configure the router to temporarily drop packets

ip ips fail closed

• Configure the router to drop all packets until

the signature engine is built and ready to scan

traffic.

Router (config)#

Router(config)# ip ips fail closed

Page 34: Module 2: Configure Network Intrusion Detection and ...


Step 1.5 Instruct not to load built-in file

no ip ips sdf builtin

• Instructs the router not to load the built-in signatures, so only the signatures in the SDF specified with ip ips sdf location are used.

Router (config)#

Router(config)# no ip ips sdf builtin

Page 35: Module 2: Configure Network Intrusion Detection and ...


no ip ips SECURIPS in

• Remove the existing IPS rule.

Router (config-if)#

Router(config-if)# no ip ips SECURIPS in

Step 1.6 Remove existing IPS rule

Page 36: Module 2: Configure Network Intrusion Detection and ...


ip ips ips-name {in | out}

• Applies an IPS rule at an interface.

Router (config-if)#

Router(config-if)# ip ips SECURIPS in

Step 1.7 Apply the new IPS rule

Re-applying the rule to the interface automatically loads the signatures from the new SDF and rebuilds the signature engines.

Page 37: Module 2: Configure Network Intrusion Detection and ...


Step 2 Configure logging

logging ip-address
logging trap level
logging on

• Configure logging using Syslog.

Router(config)# logging 10.0.P.12
Router(config)# logging trap warnings
Router(config)# logging on

Page 38: Module 2: Configure Network Intrusion Detection and ...


show ip ips configuration

• Verify IPS configuration.

Router#

Router# show ip ips configuration

Step 3 Verify the IPS configuration
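The two procedures above (initial deployment in 2.1.3 and the SDF upgrade in 2.1.4) are shown here end to end as one added example; this listing is not from the course slides. It assumes FastEthernet0/0 faces the untrusted network, that 10.0.P.12 (P = pod number, the slides' convention) is both the TFTP and syslog host, that 10.0.P.3 is a vulnerability scanner whose traffic should not trigger signature 4050, and a router running 12.3(8)T or later. The rule name SECURIPS is the one the slides use.

```cisco
! Added example (not from the course slides): initial Cisco IOS IPS deployment
! followed by an upgrade to an attack-drop.sdf copied from the lab TFTP server.
! Assumptions: FastEthernet0/0 is the untrusted interface, 10.0.P.12 is the
! TFTP/syslog host, 10.0.P.3 is a scanner to exclude from signature 4050.

! ---- Initial deployment (section 2.1.3) ----
Router(config)# ip ips sdf builtin
Router(config)# ip ips name SECURIPS
! Optional per-signature policy: scope signature 4050 to an ACL so the
! scanner's traffic is not matched against it (only traffic the ACL permits
! is scanned by that signature)
Router(config)# access-list 101 deny ip host 10.0.P.3 any
Router(config)# access-list 101 permit ip any any
Router(config)# ip ips signature 4050 list 101
! Applying the rule inbound loads the signatures and builds the engines
Router(config)# interface FastEthernet0/0
Router(config-if)# ip ips SECURIPS in
Router(config-if)# exit
! Syslog at warnings and above; IPS alarms go to the log
Router(config)# logging 10.0.P.12
Router(config)# logging trap warnings
Router(config)# logging on
Router(config)# ip ips notify log
Router(config)# end
Router# show ip ips configuration
Router# show ip ips interface
Router# show ip ips signatures detailed

! ---- Upgrade to the latest attack-drop.sdf (section 2.1.4) ----
Router# copy tftp://10.0.P.12/attack-drop.sdf flash:attack-drop.sdf
Router# configure terminal
Router(config)# ip ips sdf location flash:attack-drop.sdf
! Fail closed: drop traffic while the engines rebuild instead of passing it
! unscanned (the default is fail open). Expect a short outage on the
! interface while the engines are built.
Router(config)# ip ips fail closed
! Stop merging the built-in signatures into the loaded SDF
Router(config)# no ip ips sdf builtin
! Remove and re-apply the rule so the new SDF is loaded and engines rebuilt
Router(config)# interface FastEthernet0/0
Router(config-if)# no ip ips SECURIPS in
Router(config-if)# ip ips SECURIPS in
Router(config-if)# end
Router# show ip ips configuration
Router# show ip ips signatures
```

The choice between ip ips fail closed and the default fail-open behaviour is the security-relevant decision in the upgrade: fail open keeps the interface forwarding while the engines are unavailable, which means the upgrade window is also an inspection gap.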

Page 39: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.1.5 Configure Logging Using Syslog or SDEE

Page 40: Module 2: Configure Network Intrusion Detection and ...


Monitoring Cisco IOS IPS Signatures

[Figure: an IPS alarm leaves the router two ways: as an SDEE event pulled by a network management console over the SDEE protocol, and as a syslog alert sent to a syslog server]

ICSA Labs is proposing SDEE as an industry standard for communicating events to a network management application.

Page 41: Module 2: Configure Network Intrusion Detection and ...


Security Device Event Exchange (SDEE) Benefits

• Vendor Interoperability – SDEE is a standard format used by vendors to communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and potentially multiple network management platforms.

• Secured transport – The use of HTTP over SSL (HTTPS) protects the event data as it traverses the network.

• Product independent standard (see www.icsalabs.com/html/communities/ids/sdee/index.shtml).

Page 42: Module 2: Configure Network Intrusion Detection and ...


Security Device Event Exchange (SDEE)

• When SDEE notification is enabled using the ip ips notify sdee command, up to 200 events can automatically be stored in the event buffer; the buffer size is set with the ip sdee events command (the default is 100).

• The buffer is circular. When the end of the buffer is reached, the buffer starts overwriting the earliest stored events.

• If a new, smaller buffer is requested, all events that are stored in the previous buffer are lost.

• If a new, larger buffer is requested, all existing events are kept.

• SDEE clients pull events from the router over HTTP, so the HTTP server must be enabled with the ip http server command (or ip http secure-server for HTTPS) so that the router can answer the client requests.

Page 43: Module 2: Configure Network Intrusion Detection and ...


Set Notification Type

ip ips notify [log | sdee]

• Sets the notification type.

Router(config)# ip ips notify sdee
Router(config)# ip ips notify log

ip sdee events num_of_events

• Sets the number of events the SDEE buffer can hold.
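The notification commands above, as an added example that is not from the course slides: syslog and SDEE notification together, with the HTTP server that SDEE depends on restricted to the management station. It assumes 10.0.P.12 (P = pod number, the slides' convention) is the only SDEE client, a local user named sdeeuser for it, and that the client needs privilege 15 to subscribe; the password is a placeholder.

```cisco
! Added example (not from the course slides): IOS IPS event notification over
! both syslog and SDEE, with the HTTP server the SDEE client needs locked down.
! Assumptions: 10.0.P.12 is the only SDEE client, local user sdeeuser with
! privilege 15 is what the client authenticates as, password is a placeholder.
Router(config)# ip ips notify log
Router(config)# ip ips notify sdee
! Circular event buffer for SDEE clients to pull from; shrinking it discards
! stored events, enlarging it keeps them
Router(config)# ip sdee events 200
! Concurrent SDEE subscriptions (range 1-3)
Router(config)# ip sdee subscriptions 1
! SDEE is pulled over HTTP: use HTTPS, require a login, and restrict the
! source address instead of exposing the HTTP server to every host
Router(config)# username sdeeuser privilege 15 secret REPLACE-ME
Router(config)# ip http authentication local
Router(config)# access-list 10 permit host 10.0.P.12
Router(config)# ip http access-class 10
Router(config)# ip http secure-server
Router(config)# no ip http server
Router(config)# end
Router# show ip sdee events
Router# show ip sdee subscriptions
```

Leaving ip http server enabled with no access-class turns the IPS event feed, and the router's web management, into something any host that can reach the router may query; the access-class and HTTPS lines are the check a practitioner should not skip.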

Page 44: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.1.6 Verify the IPS Configuration

Page 45: Module 2: Configure Network Intrusion Detection and ...


show Commands

show ip ips configuration

• Verifies that Cisco IOS IPS is properly configured.

Router#

show ip ips signatures [detailed]

• Verifies signature configuration, such as signatures that have been disabled.

Router#

show ip ips interface

• Display the interface configuration

Router#

Page 46: Module 2: Configure Network Intrusion Detection and ...


clear ip ips configuration

• Remove all intrusion prevention configuration entries, and release dynamic resources.

clear Commands

Router#

clear ip ips statistics

• Reset statistics on packets analyzed and alarms sent

Router#

clear ip sdee {events | subscriptions}

• Clear SDEE events or subscriptions.

Router#

Page 47: Module 2: Configure Network Intrusion Detection and ...


Router# debug ip ips timers
Router# debug ip ips object-creation
Router# debug ip ips object-deletion
Router# debug ip ips function-trace
Router# debug ip ips detailed
Router# debug ip ips ftp-cmd
Router# debug ip ips ftp-token
Router# debug ip ips icmp
Router# debug ip ips ip
Router# debug ip ips rpc
Router# debug ip ips smtp
Router# debug ip ips tcp
Router# debug ip ips tftp
Router# debug ip ips udp

• To turn debugging off, prefix the command with no or use undebug.

debug Commands

Page 48: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.2 Configure Attack Guards on the PIX Security Appliance

Page 49: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.2.1 Mail Guard

Page 50: Module 2: Configure Network Intrusion Detection and ...


Mail Guard

Only the SMTP commands specified in RFC 821 section 4.5.1 (the minimum implementation) are allowed through to a mail server: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

By default, the Cisco Secure PIX Security Appliance inspects port 25 connections for SMTP traffic.

SMTP servers using ports other than port 25 must be added with the fixup protocol smtp command.

The PIX returns an "OK" to the user regardless of whether the command entered was passed on or denied, so someone attempting an attack on the mail system cannot tell which commands reached the server.

Note: PIX Security Appliance version 7.0 (Finesse) uses the inspect command under the Modular Policy Framework, not fixup.

Page 51: Module 2: Configure Network Intrusion Detection and ...


Mail Guard Prior to version 7.0

fixup protocol smtp port [-port]

pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# fixup protocol smtp 2625-2635
pixfirewall(config)# no fixup protocol smtp 25

• Defines the ports on which Mail Guard is active (default = 25). Only the RFC 821 section 4.5.1 commands are allowed: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

• If disabled (no fixup protocol smtp 25 above removes it from port 25), all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.

Note: In PIX Security Appliance Version 7.0, the fixup command has been replaced with the inspect command under the Modular Policy Framework (MPF) infrastructure. See the next few slides for the changes, including how to delete and add port numbers. In 7.0, fixup commands you enter are converted to MPF commands; this is not the case in 7.1.

Page 52: Module 2: Configure Network Intrusion Detection and ...


PIX version 6.3 vs 7.0

When an inspect is configured for a protocol on class inspection-default, the protocol is automatically inspected on its default port, because this class matches the default-inspection-traffic for each protocol.

Note: The port numbers are included in class inspection-default implicitly.

Page 53: Module 2: Configure Network Intrusion Detection and ...


Default Protocol Inspection Policy

Page 54: Module 2: Configure Network Intrusion Detection and ...


Delete Inspection for a Protocol

Page 55: Module 2: Configure Network Intrusion Detection and ...


Add a Protocol Inspection Port Number

HTTP inspection is applied to traffic with TCP destination port 8080. These commands enable the PIX Security Appliance to recognize that connections to port 8080 should be treated in the same manner as connections to HTTP port 80.
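The three preceding slides (default inspection policy, deleting an inspection, adding a port) are screenshots in the original; the listing below is an added example, not the slides' own, showing the Mail Guard and HTTP changes on PIX 6.3 with fixup and the equivalent on PIX 7.0 with the Modular Policy Framework. It assumes a mail relay on TCP 2525 and a web server on TCP 8080 behind the appliance; the class-map names SMTP-2525 and HTTP-8080 are chosen here.

```cisco
! Added example (not from the course slides): the same inspection changes on
! PIX 6.3 (fixup) and PIX 7.0 (Modular Policy Framework).
! Assumptions: mail relay on TCP 2525, web server on TCP 8080; class-map
! names are arbitrary.

! ---- PIX 6.3: fixup ----
pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# no fixup protocol smtp 25
pixfirewall(config)# fixup protocol http 8080
pixfirewall(config)# show fixup

! ---- PIX 7.0: MPF ----
! Default inspection on the standard ports lives in class inspection-default
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class inspection-default
! Remove Mail Guard (ESMTP inspection) from port 25. From here on SMTP
! commands to port 25 are passed unfiltered, so only do this if no mail
! server listens there.
pixfirewall(config-pmap-c)# no inspect esmtp
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
! Classes that match the non-standard ports
pixfirewall(config)# class-map SMTP-2525
pixfirewall(config-cmap)# match port tcp eq 2525
pixfirewall(config-cmap)# exit
pixfirewall(config)# class-map HTTP-8080
pixfirewall(config-cmap)# match port tcp eq 8080
pixfirewall(config-cmap)# exit
! Attach the inspections to those classes in the global policy
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class SMTP-2525
pixfirewall(config-pmap-c)# inspect esmtp
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# class HTTP-8080
pixfirewall(config-pmap-c)# inspect http
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
! global_policy is already applied globally in the default 7.0 config;
! re-entering the command is harmless
pixfirewall(config)# service-policy global_policy global
pixfirewall(config)# show service-policy
```

show service-policy is the verification step: it lists each class under global_policy with its inspections and packet counters, which is how you confirm that the 2525 and 8080 classes are actually seeing traffic rather than sitting idle behind a typo in the port number.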

Page 56: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.2.2 DNS Guard

Page 57: Module 2: Configure Network Intrusion Detection and ...


DNS Guard

DNS Guard is always on.

After the client does a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.

The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately. The PIX Security Appliance does not wait for the UDP timer to expire.

The DNS Guard automatically forms separate conduits if multiple servers are sent requests.

Page 58: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.2.3 FragGuard and Virtual Reassembly

Page 59: Module 2: Configure Network Intrusion Detection and ...


FragGuard and Virtual Re-assembly

• The FragGuard and Virtual Re-assembly feature has the following characteristics:

Is on by default.

Verifies each fragment set for integrity and completeness.

Tags each fragment in a fragment set with the transport header.

Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Security Appliance.

Uses Syslog to log fragment overlapping and small fragment offset anomalies.

As of PIX OS version 5.1, an initial fragment is not required.

Page 60: Module 2: Configure Network Intrusion Detection and ...


fragment Command

fragment size database-limit [interface]

• Sets the maximum number of blocks that can be used for fragment reassembly. Default is 200 blocks.

fragment chain chain-limit [interface]

• Specifies the maximum number of fragments into which a full IP packet can be split. Default 24 fragments.

fragment timeout seconds [interface]

• Specifies the maximum number of seconds that the PIX waits before discarding a packet that is waiting to be reassembled. Default 5 seconds.

Page 61: Module 2: Configure Network Intrusion Detection and ...


• pixfirewall(config)# fragment size 100 outside

(The maximum number of fragments in the fragment database on the outside interface is 100)

• pixfirewall(config)# fragment chain 15

(The maximum number of fragments into which a packet can be split is 15)

• pixfirewall(config)# fragment timeout 5 outside

(The PIX waits 5 seconds after the first fragment is received before discarding fragments still waiting for reassembly)

Page 62: Module 2: Configure Network Intrusion Detection and ...


Page 63: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.2.4 AAA Flood Guard

Page 64: Module 2: Configure Network Intrusion Detection and ...


AAA Flood Guard

floodguard enable | disable

pixfirewall(config)# floodguard enable

• Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).

When additional resources are needed, the PIX reclaims TCP user resources that are in an inactive state, in the following order: timewait, finwait, embryonic, and idle.

Page 65: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.2.5 SYN Flood Guard

Page 66: Module 2: Configure Network Intrusion Detection and ...


SYN Flood Attack

The attacker spoofs a nonexistent source IP address and floods the target with SYN packets.

The target responds to the SYN packets by sending SYN-ACK packets to the spoofed hosts.

The target overflows its port buffer with embryonic connections and stops responding to legitimate requests.

Page 67: Module 2: Configure Network Intrusion Detection and ...


Embryonic Connections

• Half open TCP Connection

• It becomes a complete connection after the three-way handshake is complete.

Page 68: Module 2: Configure Network Intrusion Detection and ...


SYN Flood Guard Configuration

For inbound connections, use the em_limit on the static command to limit the number of embryonic connections. For outbound connections, use the em_limit on the nat command. In both cases, set the limit to a number lower than the server can handle.

static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]

nat [(if-name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]

pixfirewall(config)# nat (inside) 1 0 0 0 10000
pixfirewall(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 1000

Page 69: Module 2: Configure Network Intrusion Detection and ...


TCP Intercept (5.2)

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255 1000 100

No special configuration is needed beyond the em_limit. From PIX OS 5.2, once the embryonic limit (100 here) is reached, the PIX intercepts every new SYN bound for the server, answers with a SYN-ACK on the server's behalf, and only opens the connection to the server once the client's ACK arrives.
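The embryonic limits described above, as an added example that is not from the course slides: the 6.3 form carried on the static and nat statements, and the 7.0 equivalent through the Modular Policy Framework. It assumes a web server 10.0.0.11 published as 192.168.0.10 on the outside interface; the limits (1000 full, 100 embryonic) are illustrative and must sit below what the real server can hold.

```cisco
! Added example (not from the course slides): limiting embryonic (half-open)
! connections so the appliance, not the server, absorbs a SYN flood.
! Assumptions: web server 10.0.0.11 is published as 192.168.0.10 on the
! outside; the limits 1000 (full) and 100 (embryonic) are illustrative.

! ---- PIX 6.3: limits carried on the static / nat statements ----
! Inbound: once 100 half-open connections to 10.0.0.11 exist, further SYNs
! are intercepted and the PIX completes the handshake on the server's behalf
! (TCP Intercept from 5.2, SYN cookies from 6.2)
pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255 1000 100
! Outbound: cap embryonic connections from inside hosts, which limits the
! damage a compromised inside host can do as a flood source
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 1000
pixfirewall(config)# global (outside) 1 interface
! Watch the connection and embryonic counters for the server
pixfirewall(config)# show conn
pixfirewall(config)# show local-host 10.0.0.11

! ---- PIX 7.0: the same limits through the Modular Policy Framework ----
! Note: match port catches all port-80 connections through the appliance,
! so these limits are shared by every web server behind it
pixfirewall(config)# class-map WEB-SERVER
pixfirewall(config-cmap)# match port tcp eq 80
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class WEB-SERVER
pixfirewall(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 100
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy global_policy global
pixfirewall(config)# show service-policy
```

A limit of 0 (as in the nat line's conn_limit) means unlimited, which is the default; the SYN flood protection only engages when a non-zero em_limit is actually configured, so an unchanged default leaves the server to absorb the flood itself.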

Page 70: Module 2: Configure Network Intrusion Detection and ...


SYN Cookies (6.2)

• The PIX responds to the SYN, which includes a cookie in the TCP header of the SYN/ACK. The cookie is a hash of parts of the TCP header and a secret key. The PIX keeps no state information.

• A legitimate client completes the handshake by sending the ACK back with the cookie.

• If the cookie is authentic, the firewall appliance proxies the TCP session

Page 71: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.3 Configure Intrusion Prevention on the PIX Security Appliance

Page 72: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.3.1 Intrusion Detection and the PIX

Page 73: Module 2: Configure Network Intrusion Detection and ...


Note:

• It can monitor packets for more than 55 intrusion detection signatures and can be configured to send an alarm to a Syslog server or a server running Cisco Security Monitor, drop the packet, or reset the TCP connection.

• The signatures supported by the PIX are a subset of the signatures supported by the Cisco IDS product family.

Page 74: Module 2: Configure Network Intrusion Detection and ...


Configure IDS

ip audit name audit_name info [action [alarm] [drop] [reset]]

• Creates a policy for informational signatures.

ip audit name audit_name attack [action [alarm] [drop] [reset]]

• Creates a policy for attack signatures.

ip audit interface if_name audit_name

• Applies a policy to an interface.

pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset

pixfirewall(config)# ip audit interface outside ATTACKPOLICY

Page 75: Module 2: Configure Network Intrusion Detection and ...


Specify Default Actions for Signatures

ip audit attack [action [alarm] [drop] [reset]]

• Specifies the default actions for attack signatures.

ip audit info [action [alarm] [drop] [reset]]

• Specifies the default actions for informational signatures.

pixfirewall(config)# ip audit info action alarm drop

• When the PIX Security Appliance detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet.

Page 76: Module 2: Configure Network Intrusion Detection and ...


Disable Intrusion Detection Signatures

ip audit signature signature_number disable

• Excludes a signature from auditing.

pixfirewall(config)# ip audit signature 6102 disable

• Disables signature 6102.

Page 77: Module 2: Configure Network Intrusion Detection and ...


Module 2 – Configure Network Intrusion Detection and Prevention

2.4 Configure Shunning on the PIX Security Appliance

Page 78: Module 2: Configure Network Intrusion Detection and ...


shun Command

Applies a blocking function on the interface under attack: packets from the specified source address are dropped, and any existing connection that matches the optional parameters is removed.

pixfirewall(config)#

shun src_ip [dst_ip sport dport [protocol]]

pixfirewall(config)# shun 172.26.26.45

• No further traffic from 172.26.26.45 is allowed.

Page 79: Module 2: Configure Network Intrusion Detection and ...


Shunning an Attacker

pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53

• The optional destination address, source port, and destination port identify the current connection to tear down (the protocol defaults to TCP). The source address 172.26.26.45 stays blocked for all new connections until the shun is removed.

Page 80: Module 2: Configure Network Intrusion Detection and ...


Removing Blocked (Shunned) Hosts

To allow a host address that has been shunned to enter the PIX:

• The blocking function is removed by the Cisco IDS master unit that placed it.

• The blocking function is removed manually with no shun src_ip (show shun lists the addresses currently blocked).
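Sections 2.3 (ip audit) and 2.4 (shun) together, as an added example that is not from the course slides: IDS policies with alarms to syslog, a manual shun in response to an alarm, and the verification and removal steps. It assumes the syslog host 10.0.P.12 (P = pod number, the slides' convention) on the inside, the attacker 172.26.26.45 and victim 192.168.0.10 from the shun slides, and signature 6102 as the one being disabled; the policy names INFOPOLICY and ATTACKPOLICY are chosen here.

```cisco
! Added example (not from the course slides): PIX IDS with alarms to syslog,
! a manual shun in response, and verification/removal.
! Assumptions: syslog host 10.0.P.12 on the inside, attacker 172.26.26.45,
! victim 192.168.0.10, signature 6102 is the noisy one; policy names are
! arbitrary.

! Syslog destination for the alarms (IDS messages are severity 4, warnings)
pixfirewall(config)# logging on
pixfirewall(config)# logging host inside 10.0.P.12
pixfirewall(config)# logging trap warnings
! Default actions: alarm only on informational, alarm and drop on attack
pixfirewall(config)# ip audit info action alarm
pixfirewall(config)# ip audit attack action alarm drop
! Named policies on the outside interface; attacks are also reset
pixfirewall(config)# ip audit name INFOPOLICY info action alarm
pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm drop reset
pixfirewall(config)# ip audit interface outside INFOPOLICY
pixfirewall(config)# ip audit interface outside ATTACKPOLICY
! Tune out a signature that fires on legitimate traffic
pixfirewall(config)# ip audit signature 6102 disable
! Per-signature hit counters on the interface
pixfirewall(config)# show ip audit count interface outside
! Respond to an alarm: tear down the current connection and block the source
pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53
pixfirewall(config)# show shun
! Lift the block once the incident is closed (or leave it to the IDS master
! unit that placed it)
pixfirewall(config)# no shun 172.26.26.45
```

Disabling a signature with ip audit signature ... disable is global, not per policy, so a signature silenced because it is noisy on the outside interface is also silenced on every other interface with an audit policy; check show ip audit count before and after to confirm the counters you expect to stop are the only ones that do.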
