
The young fighter's course: the router defends. Continued: IPS

Intrusion Prevention System (IPS).

In general, Cisco's line of intrusion prevention products is quite wide. It includes the standalone IPS 42XX series sensors, the IDSM2 module for the 6500, the AIP-SSM module for the ASA, the NME-IPS module for the ISR router, and the AIM-IPS "card" for the ISR. Cisco tries to bring the same ideology into software solutions based on the ISR by adding the corresponding functionality to IOS.

The whole ideology of intrusion detection and prevention is based on the concept of a signature. A signature is essentially a "wrong" pattern in a single packet or in a stream.

"Irregularities" vary, from typical reconnaissance methods to network worms. These patterns are carefully written by Cisco's engineers and reach the user in the form of updates. That is, the system is reactive by nature and relies on constant updates that cost money. Update licenses are tied directly to each piece of hardware. Without a license you can change the OS, but you cannot apply signature updates.

A little history of intrusion detection and prevention systems based on routers.

The first IDS (Intrusion Detection System) was implemented in IOS 12.2.8T on routers with the firewall feature set. Back then these were the 26XX and 36XX routers. The system consisted of several dozen signatures (at most 105). The only tuning available was to disable a signature, and that applied to all traffic at once.

This system was enabled with the following commands.

ip audit name IDS attack action {alarm, drop, reset}
ip audit name IDS info action {alarm, drop, reset}

int f0/0
ip audit IDS {in | out}


It was a black box: no flexible customization, no updates, no idea of what was in the signatures.

The next step was the introduction of a separate signature definition file. This special file was loaded onto the router and referenced in the configuration; it contained all the signatures and their parameters. This construction was configured as follows:

ip ips sdf location flash:{256MB.sdf | 128MB.sdf | attack-drop.sdf}

The file is chosen according to the amount of RAM in the router. The largest file, 256MB.sdf, contained more than 1500 signatures and required at least 256 megabytes of RAM.

ip ips name IPS

int f0/0
ip ips IPS {in | out}

After the IPS rule was attached to the interface, the router loaded the signatures from the file into memory and allowed them to be configured both from the console and from the web GUI (by the way, the GUI, Security Device Manager (SDM), is very convenient for setting up IPS).

For backward compatibility, the built-in signatures remained in IOS (up to 12.4(11)T). When using an external file, it was recommended to disable them.

no ip ips sdf builtin

It was possible to require that traffic be blocked if the sdf file could not be loaded or if the IPS subsystem failed:

ip ips fail closed

But the signature format here was the same as on IPS version 4 sensors. That format did not allow deeper traffic analysis and could not block newer, more sophisticated attacks. On the IPS sensors themselves a new format, version 5, had appeared by then, in which you can tune the cumulative attack risk parameters (Risk Rating), create zones of closer attention (Target Value Rating), and much more.

Therefore, starting with 12.4(11)T the old format is no longer supported, and updates for format 4 signatures ceased in August 2008.

To switch to the new format and protect the network flexibly using the IPS system, you now need to load a different file,
IOS-S###-CLI.pkg
which stores the actual signatures and their parameters in encrypted form. The number ### keeps increasing, so updates need to be uploaded constantly. By the way, this can be done automatically with the command

ip ips auto-update

Next, you need to install the Cisco key on the router to decrypt (or rather, to verify the digital signature of) the downloaded file.

We do this:

crypto key pubkey-chain rsa

named-key realm-cisco.pub signature

key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit

These commands can simply be copy-pasted in Ro(config)# mode. The key is the same for everyone.

It is advisable to create a separate folder in the router’s flash for IPS files.

Ro# mkdir flash:/IPS

Copy the IOS-S###-CLI.pkg file there, and also tell the router that this is where the files needed for operation will be stored:

Ro(config)# ip ips config location flash:/IPS/

Now it remains to install those files. This is done with a somewhat unusual command.

Ro# copy flash:/IPS/IOS-S###-CLI.pkg idconf

This procedure takes significant time (a few minutes), and you will see the result in flash:

21 0 May 27 2009 14:22:58 +04:00 IPS
22 8662169 May 27 2009 14:24:22 +04:00 IPS/IOS-S399-CLI.pkg
23 284871 May 28 2009 22:48:00 +04:00 IPS/ccmt-2811-sigdef-default.xml
24 255 May 27 2009 16:35:56 +04:00 IPS/ccmt-2811-sigdef-delta.xml
25 34761 May 28 2009 22:43:44 +04:00 IPS/ccmt-2811-sigdef-category.xml
26 304 May 27 2009 16:35:56 +04:00 IPS/ccmt-2811-seap-delta.xml
27 8509 May 28 2009 22:43:40 +04:00 IPS/ccmt-2811-sigdef-typedef.xml
28 491 May 27 2009 17:05:00 +04:00 IPS/ccmt-2811-seap-typedef.xml

These XML files contain the default settings, your changes, blocking parameters, etc.

That is almost everything. You just need to create a rule and apply it to the interface, as before:

ip ips name IPS

int f0/0
ip ips IPS {in | out}

After that, the signatures will be loaded into memory, and those that are enabled by default will immediately begin to work.

Remember that a large number of signatures eats a lot of memory and CPU, so Cisco strongly recommends doing the following.

1. Disable (retire) the signature category all:

Ro(config)# ip ips signature-category
Ro(config-ips-category)# category all
Ro(config-ips-category-action)# retired true

2. To start with, enable the category intended for IOS, in its basic version:

Ro(config)# ip ips signature-category
Ro(config-ips-category)# category ios_ips basic
Ro(config-ips-category-action)# retired false
Ro(config-ips-category-action)# enabled true

The configuration is updated after you exit back to (config)# mode.

3. Then, while watching memory and CPU usage, you can add other signature categories. The signatures themselves can be configured either from the console, in the mode

ip ips signature-definition

or through SDM or the newer web GUI, CCE (Cisco Configuration Expert).
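To tie the format-5 steps above together, here is a consolidated IOS IPS configuration as an added example (it is not from the original post): fail-closed behaviour, event notification, category tuning, one per-signature override in ip ips signature-definition mode, the package load, and the show commands that verify the signatures compiled. The categories are set before the package is loaded, following Cisco's documented order, so that only the basic set is compiled. Hostname Ro, flash:/IPS/ and package number 399 are taken from this page's own listing; signature 2004/0 (ICMP Echo Request) and the outside interface are assumptions.

```cisco
! Added example: consolidated Cisco IOS IPS (format 5) setup.
! Assumes the realm-cisco.pub key is already installed and flash:/IPS/ exists.
Ro# configure terminal
Ro(config)# ip ips config location flash:/IPS/
! Drop traffic while the engine is not ready instead of forwarding it unscanned
Ro(config)# ip ips fail closed
! Send events to syslog and SDEE so that alarms are actually seen (SDM/CCE read SDEE)
Ro(config)# ip ips notify log
Ro(config)# ip ips notify sdee
! Retire everything first, then enable only the basic IOS category
Ro(config)# ip ips signature-category
Ro(config-ips-category)# category all
Ro(config-ips-category-action)# retired true
Ro(config-ips-category-action)# exit
Ro(config-ips-category)# category ios_ips basic
Ro(config-ips-category-action)# retired false
Ro(config-ips-category-action)# enabled true
Ro(config-ips-category-action)# exit
Ro(config-ips-category)# exit
! Create the rule and apply it inbound on the outside interface (interface assumed)
Ro(config)# ip ips name IPS
Ro(config)# interface FastEthernet0/0
Ro(config-if)# ip ips IPS in
Ro(config-if)# end
! Load the signature package; signatures compile now, so this takes a few minutes
Ro# copy flash:/IPS/IOS-S399-CLI.pkg idconf
! Per-signature override: keep sig 2004/0 (ICMP Echo Request, id assumed) active
! but alert-only, so a noisy signature does not drop legitimate pings
Ro# configure terminal
Ro(config)# ip ips signature-definition
Ro(config-sigdef)# signature 2004 0
Ro(config-sigdef-sig)# status
Ro(config-sigdef-sig-status)# retired false
Ro(config-sigdef-sig-status)# enabled true
Ro(config-sigdef-sig-status)# exit
Ro(config-sigdef-sig)# engine
Ro(config-sigdef-sig-engine)# event-action produce-alert
Ro(config-sigdef-sig-engine)# exit
Ro(config-sigdef-sig)# exit
Ro(config-sigdef)# end
! Verify: the rule is bound to the interface, the enabled/retired counts match
! the category choices, and the compiled count is non-zero
Ro# show ip ips configuration
Ro# show ip ips signatures count
Ro# show ip ips statistics
```

If the compiled count stays at zero or the package load reports a key error, recheck the crypto key pubkey-chain block from above before touching categories.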

The parameters and the signature tuning mechanism are as close as possible to the settings on the sensors, so if you have experience configuring AIP-SSM, 42XX or IDSM2 sensors, you can safely get down to business. If you have no such experience, it is better to read up on signature configuration first. Or take the IPS 6.0 course :)

To be continued...

Source: https://habr.com/ru/post/60769/

