In this post I will be covering the following topics from the CCNA Security exam topics blueprint.
• Define network based vs. host based intrusion detection and prevention
• Explain IPS technologies, attack responses, and monitoring options
• Enable and verify Cisco IOS IPS operations using SDM
Network vs. Host Based Intrusion Detection & Prevention
What is IDS & IPS? The simple explanation is that an Intrusion Detection System works on a copy of the traffic and is not in the traffic path, whereas an Intrusion Prevention System sits inline in the traffic path. Because an IPS is inline it can drop malicious traffic as soon as the sensor detects it, as seen in fig 2. Because an IDS only sees a copy of the traffic it cannot react immediately, so a small amount of malicious data will get through before anything happens, as seen in fig 1. An IDS will either send an alert or a notification to another device (a firewall or router, for example) to take action. Both of these scenarios are network based solutions. The trade-off of being inline is that the IPS adds latency and becomes a point of failure: if the sensor fails it either stops the traffic (fail closed) or lets it through uninspected (fail open), and which one happens is a configuration choice, not an accident.
Fig 1 – Network IDS

Fig 2 – Network IPS
Hack attempt stopped by NIPS

What is HIPS & HIDS? Host based intrusion detection/prevention systems are software products installed on end points, which can be servers, PCs or laptops to name a few. The exact list of functions varies from vendor to vendor, but the main job of a HIPS is to intercept system calls made by applications (or other parts of the OS) to the kernel and permit or deny them, while a HIDS monitors the same activity and raises an alert rather than blocking it.
Fig 3 – Abstract of Application system call.

IPS technologies, attack responses, and monitoring options
We have briefly discussed the difference between NIPS/NIDS and HIPS/HIDS, so we can move on to the form these devices come in. Cisco has a range of products that act as sensors; the table below lists them.

| Product | Description |
|---|---|
| ASA 5500 series with AIP-SSM | Adaptive Security Appliance 5500 with the Advanced Inspection & Prevention Security Services Module |
| IPS 4200 Series Sensor | Standalone sensor appliance |
| Catalyst 6500 with IDSM-2 module | Intrusion Detection System Service Module |
| IPS AIM for ISR routers | Advanced Integration Module for Integrated Services Routers |
All of the above devices run the same sensor software, which makes moving to a more capable platform easier.
This table lists terms specific to this topic and their meaning; this is what I think will be relevant for the exam.

| Term | Meaning |
|---|---|
| IPS signature alarms | The four possible outcomes when a signature is evaluated against traffic, listed below. |
| False Positive | Normal traffic or a non-malicious action causes the signature to fire. |
| True Positive | An attack is properly detected by the IPS. |
| False Negative | An attack is not detected by the IPS. |
| True Negative | Legitimate traffic does not cause signatures to fire. |
| Sensor | One of the IPS/IDS products listed above; the device that actually inspects the traffic. |
Enable and verify Cisco IOS IPS operations using SDM
From within SDM click Configure > Intrusion Prevention, then click Launch IPS Rule Wizard.

You will then see the following screen; reading the blurb you can see what the wizard will configure: which interfaces will have IPS rules applied, the direction in which the rules will be applied, and the SDF (Signature Definition File) to use. Click Next.

Now select the interface or interfaces and the direction in which the rules will be applied. I have selected VLAN 1 (outside) and VLAN 2 (inside), both in the inbound direction. Inbound on the outside interface inspects traffic arriving from the Internet before it is routed; inbound on the inside interface inspects what the LAN hosts send out, which is what lets the router see, for example, DNS queries originating from LAN hosts. Once selected click Next.

Now we can select the SDF file to use. The router I have been using already had 128MB.sdf in flash, but you should be able to download an SDF file from Cisco (if you have a CCO login). Which SDF file you use depends on the amount of RAM on the router; this router has 128 MB. I selected the Add button.

Then I selected 128MB.sdf from the flash directory on the router and clicked OK.

Notice the tick box "Use built-in signatures (as backup)". This loads the limited set of signatures built into the IOS image if the SDF is missing or fails to load, so the router is not left with an IPS rule applied and no signatures behind it. Click Next.

You now get a summary of what will be applied.

The commands will then be delivered to the router and the signatures will be built and applied. You should then be automatically presented with the Edit IPS tab, showing the IPS policies. In this window you can see the interfaces, their IP addresses and whether, and in which direction, the IPS rules are applied. VFR = Virtual Fragment Reassembly: the router reassembles fragmented packets so the IPS engine can inspect them as a whole; without it an attacker could split a malicious payload across fragments so that no single fragment matches a signature.

Selecting one of the rules will display information about it in the panel below. Notice VLAN1 is selected and the info about it reads "IPS rule is enabled, but there is no filter configured for this rule, IPS will scan all Inbound traffic."

Now looking at the Global Settings I can see the IPS options and where the SDF files are located.

Clicking the Signatures button on the left shows the signatures that are loaded. I can see that I have 351 signatures. I can view all the signatures or select different folders in the tree to view groups of signatures.

If I want to see whether any signatures have fired I can go to the Monitor tab at the top of SDM and then into the Logging screen. The SDEE Message Log tab will show the logs generated by the IPS; I can see that there are lots of messages.

Moving over to the IPS button within the Monitor tab shows all of the signatures with a hit and drop count. The alerts relate to DNS queries. If I want to change what action the signature takes I can go to the Configure section and find the signature. Before changing an action from alarm to a deny action, check that the hits are genuinely malicious: a high hit count on DNS traffic between internal hosts is a classic false-positive candidate, and a deny action on a false positive turns the IPS into a self-inflicted denial of service.
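The hit counts SDM shows are the first thing to look at, but before changing a signature's action it is worth knowing who triggered it. The following Python script is an added example, not part of the original post and not an SDM or Cisco tool: it parses IPS syslog messages (the same events SDM displays from the SDEE log), counts hits per signature as the monitor does, and labels each signature as a false-positive candidate when every hit is internal host to internal host. The log lines are constructed for the example and modelled on the IOS IPS %IPS-4-SIGNATURE syslog message shape; the exact field layout on your router and the descriptive text used after Sev: are assumptions, and the 10.0.0.0/8 internal range is taken from the addresses in the post's session output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines for this example, modelled on the IOS IPS
# %IPS-4-SIGNATURE message shape (assumption: check the real format on your
# router). 4620:0 is the DNS signature tuned in the post; the descriptive text
# after "Sev:" is placeholder wording, not Cisco's signature names.
SAMPLE_LOG = """\
000701: Jan 30 12:01:05.120 UTC: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS query [10.99.99.3:56697 -> 10.56.87.52:53]
000702: Jan 30 12:01:05.380 UTC: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS query [10.99.99.3:56701 -> 10.56.87.52:53]
000703: Jan 30 12:01:06.002 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:1 ICMP echo request [10.0.0.77:0 -> 10.99.99.3:0]
000704: Jan 30 12:01:07.911 UTC: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS query [10.99.99.3:56733 -> 10.56.87.52:53]
000705: Jan 30 12:01:09.450 UTC: %IPS-4-SIGNATURE: Sig:3040 Subsig:0 Sev:4 TCP NULL packet [198.51.100.23:4444 -> 10.99.99.3:445]
000706: Jan 30 12:01:10.100 UTC: %SYS-5-CONFIG_I: Configured from console by console
"""

EVENT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<desc>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)

# Assumption: the lab's internal address space, taken from the 10.x addresses
# in the post's "show ip ips sessions" output.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_ips_events(text):
    """Return one dict per %IPS-4-SIGNATURE line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "sig": f"{d['sig']}:{d['subsig']}",   # same id:subid form SDM uses
            "sev": int(d["sev"]),
            "desc": d["desc"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
        })
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hit_counts(events):
    """Hits per signature, the figure SDM shows in Monitor > IPS."""
    return Counter(e["sig"] for e in events)


def triage(events):
    """Label each signature before its action is changed to a deny action.

    review-fp   : every hit was internal host -> internal host, so this is a
                  false-positive candidate; confirm before denying, or the IPS
                  will drop legitimate traffic.
    investigate : at least one hit involved an address outside the internal
                  range, so treat it as a possible true positive.
    """
    verdict = {}
    for sig in hit_counts(events):
        hits = [e for e in events if e["sig"] == sig]
        if all(is_internal(e["src"]) and is_internal(e["dst"]) for e in hits):
            verdict[sig] = "review-fp"
        else:
            verdict[sig] = "investigate"
    return verdict


if __name__ == "__main__":
    ev = parse_ips_events(SAMPLE_LOG)
    labels = triage(ev)
    for sig, n in hit_counts(ev).most_common():
        top_sev = max(e["sev"] for e in ev if e["sig"] == sig)
        print(f"{sig:8} hits={n:3} sev={top_sev} {labels[sig]}")
```

Run as-is it lists 4620:0 with three hits as review-fp (all LAN host to LAN DNS server) and 3040:0 as investigate (source outside the internal range). To use it on a real router, paste the output of show logging in place of SAMPLE_LOG and adjust INTERNAL_NETS to your address plan; the internal/external split is deliberately crude and is a starting point for the review, not a substitute for it.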

In the Edit IPS window, under the Signatures button on the left, I can look in the tree for DNS and then for the signature. I noted that it was signature 4620, sub-signature 0, so I select it.

I then see this screen. Under Event Action there is usually a green square when the action is the default. To change it I select the square and then the action I want, in this case denyFlowInline, then click OK.

Now I am back looking at the signatures. Notice the orange circle next to the signature number: this means the changes have not yet been applied by SDM. To commit the changes, select Apply Changes at the bottom.

You will then see the Signature Compilation Status window and when it is done you will see the below. Notice the changes only affected the ATOMIC.UDP micro-engine, so only that engine had to be rebuilt.


Supplemental – Enable and verify Cisco IOS IPS operations using the CLI

The session below does the same job from the CLI. First show ip ips all displays what the SDM wizard configured (rule sdm_ips_rule inbound on both VLANs, 351 active signatures and the sessions currently being tracked), then clear ip ips configuration removes it all (note the %IPS-2-DISABLED message and the Total Active Signatures: 0 that follow), and finally a new rule cli_ips_rule is created and applied inbound on each VLAN, which triggers the SDF to reload and the fifteen micro-engines to build. Two lines in the output are worth a second look: "IPS fail closed is disabled" means that if a signature engine fails to build the router forwards traffic uninspected rather than dropping it (ip ips fail closed reverses this), and "Builtin signatures are enabled but not loaded" means the IOS built-in backup set is available but was not needed because the SDF loaded successfully.
LAB-877w#sh ip ips all
Configured SDF Locations:
flash://sdmips.sdf
flash://128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 11:40:32 UTC Jan 30 2011
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 351
Total Inactive Signatures: 0
Signature 11207:0 disable
Signature 11208:0 disable
Signature 11209:0 disable
Signature 3325:0 disable
Signature 11200:0 disable
Signature 11201:0 disable
Signature 11202:0 disable
Signature 11222:0 disable
Signature 11224:0 disable
Signature 11225:0 disable
Signature 5050:0 disable
Signature 5085:0 disable
Signature 5322:0 disable
Signature 5322:1 disable
Signature 11210:0 disable
Signature 11211:0 disable
Signature 11212:0 disable
Signature 50000:0 disable
Signature 50000:2 disable
Signature 50000:1 disable
IPS Rule Configuration
IPS name sdm_ips_rule
Interface Configuration
Interface Vlan2
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
Interface Vlan1
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
Established Sessions
Session 8378EF0C (10.99.99.3:51937)=>(10.56.87.31:80) tcp SIS_OPEN
Session 837884AC (10.99.99.3:51370)=>(10.56.87.73:1433) tcp SIS_OPEN
Session 83788A6C (10.99.99.3:49501)=>(10.0.0.77:13510) tcp SIS_OPEN
Session 8378B86C (10.99.99.3:49556)=>(10.56.87.14:8194) tcp SIS_OPEN
Session 837850EC (10.99.99.3:51372)=>(10.56.87.73:1433) tcp SIS_OPEN
Session 837811AC (10.99.99.3:51718)=>(4.26.237.126:80) tcp SIS_OPEN
Session 83789BAC (10.99.99.3:50038)=>(128.242.250.183:443) tcp SIS_OPEN
Session 8378708C (10.99.99.3:51721)=>(10.56.87.55:21295) tcp SIS_OPEN
Session 837898CC (10.99.99.3:49523)=>(10.0.0.77:13510) tcp SIS_OPEN
Session 8378736C (10.99.99.3:51349)=>(10.56.87.9:1025) tcp SIS_OPEN
Session 837839EC (10.99.99.3:51719)=>(209.85.146.118:80) tcp SIS_OPEN
LAB-877w#clear ip ips con
LAB-877w#clear ip ips configuration
LAB-877w#
000616: Jan 30 11:50:05.052 UTC: %IPS-2-DISABLED: IPS removed from all interfaces - IPS disabled
LAB-877w#conf t
Enter configuration commands, one per line. End with CNTL/Z.
LAB-877w(config)#ip
LAB-877w(config)#ip ips
LAB-877w(config)#ip ips ?
deny-action Specify Deny action
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE, nr-director or log)
for the alarms
sdf Specify the location of the signature definition file
signature Add a policy to a signature
LAB-877w(config)#exit
LAB-877w#
LAB-877w#
LAB-877w#
000617: Jan 30 11:51:24.514 UTC: %SYS-5-CONFIG_I: Configured from console by console
LAB-877w#
LAB-877w#sh ip ips configuration
Configured SDF Locations:
flash://sdmips.sdf
flash://128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 11:40:32 UTC Jan 30 2011
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 0
Total Inactive Signatures: 0
LAB-877w#conf t
Enter configuration commands, one per line. End with CNTL/Z.
LAB-877w(config)#ip ips name cli_ips_rule
LAB-877w(config)#int vlan 1
LAB-877w(config-if)#ip ips cli_ips_rule in ?
LAB-877w(config-if)#ip ips cli_ips_rule in
000618: Jan 30 11:58:28.693 UTC: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded successfully from flash://sdmips.sdf
000619: Jan 30 11:58:28.697 UTC: %IPS-6-ENGINE_BUILDING: OTHER - 8 signatures - 1 of 15 engines
000620: Jan 30 11:58:28.697 UTC: %IPS-6-ENGINE_READY: OTHER - 0 ms - packets for this engine will be scanned
000621: Jan 30 11:58:28.697 UTC: %IPS-6-ENGINE_BUILDING: MULTI-STRING - 0 signatures - 2 of 15 engines
000622: Jan 30 11:58:28.697 UTC: %IPS-6-ENGINE_BUILD_SKIPPED: MULTI-STRING - there are no new signature definitions for this engine
000623: Jan 30 11:58:28.697 UTC: %IPS-6-ENGINE_BUILDING: STRING.ICMP - 2 signatures - 3 of 15 engines
000624: Jan 30 11:58:28.721 UTC: %IPS-6-ENGINE_READY: STRING.ICMP - 24 ms - packets for this engine will be scanned
000625: Jan 30 11:58:28.721 UTC: %IPS-6-ENGINE_BUILDING: STRING.UDP - 24 signatures - 4 of 15 engines
000626: Jan 30 11:58:29.532 UTC: %IPS-6-ENGINE_READY: STRING.UDP - 812 ms - packets for this engine will be scanned
000627: Jan 30 11:58:29.532 UTC: %IPS-6-ENGINE_BUILDING: STRING.TCP - 125 signatures - 5 of 15 engines
000628: Jan 30 11:58:50.056 UTC: %IPS-6-ENGINE_READY: STRING.TCP - 20528 ms - packets for this engine will be scanned
000629: Jan 30 11:58:50.056 UTC: %IPS-6-ENGINE_BUILDING: SERVICE.FTP - 1 signatures - 6 of 15 engines
000630: Jan 30 11:58:50.072 UTC: %IPS-6-ENGINE_READY: SERVICE.FTP - 16 ms - packets for this engine will be scanned
000631: Jan 30 11:58:50.072 UTC: %IPS-6-ENGINE_BUILDING: SERVICE.SMTP - 3 signatures - 7 of 15 engines
000632: Jan 30 11:58:50.124 UTC: %IPS-6-ENGINE_READY: SERVICE.SMTP - 52 ms - packets for this engine will be scanned
000633: Jan 30 11:58:50.124 UTC: %IPS-6-ENGINE_BUILDING: SERVICE.RPC - 38 signatures - 8 of 15 engines
000634: Jan 30 11:58:50.288 UTC: %IPS-6-ENGINE_READY: SERVICE.RPC - 164 ms - packets for this engine will be scanned
000635: Jan 30 11:58:50.288 UTC: %IPS-6-ENGINE_BUILDING: SERVICE.DNS - 29 signatures - 9 of 15 engines
000636: Jan 30 11:58:50.324 UTC: %IPS-6-ENGINE_READY: SERVICE.DNS - 36 ms - packets for this engine will be scanned
000637: Jan 30 11:58:50.324 UTC: %IPS-6-ENGINE_BUILDING: SERVICE.HTTP - 100 signatures - 10 of 15 engines
000638: Jan 30 11:58:58.221 UTC: %IPS-6-ENGINE_READY: SERVICE.HTTP - 7900 ms - packets for this engine will be scanned
000639: Jan 30 11:58:58.221 UTC: %IPS-6-ENGINE_BUILDING: ATOMIC.TCP - 7 signatures - 11 of 15 engines
000640: Jan 30 11:58:58.229 UTC: %IPS-6-ENGINE_READY: ATOMIC.TCP - 8 ms - packets for this engine will be scanned
000641: Jan 30 11:58:58.229 UTC: %IPS-6-ENGINE_BUILDING: ATOMIC.UDP - 3 signatures - 12 of 15 engines
000642: Jan 30 11:58:58.233 UTC: %IPS-6-ENGINE_READY: ATOMIC.UDP - 4 ms - packets for this engine will be scanned
000643: Jan 30 11:58:58.233 UTC: %IPS-6-ENGINE_BUILDING: ATOMIC.ICMP - 3 signatures - 13 of 15 engines
000644: Jan 30 11:58:58.233 UTC: %IPS-6-ENGINE_READY: ATOMIC.ICMP - 0 ms - packets for this engine will be scanned
000645: Jan 30 11:58:58.237 UTC: %IPS-6-ENGINE_BUILDING: ATOMIC.IPOPTIONS - 2 signatures - 14 of 15 engines
000646: Jan 30 11:58:58.237 UTC: %IPS-6-ENGINE_READY: ATOMIC.IPOPTIONS - 0 ms - packets for this engine will be scanned
000647: Jan 30 11:58:58.237 UTC: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 6 signatures - 15 of 15 engines
LAB-877w(config-if)#
LAB-877w(config-if)#int vlan 2
LAB-877w(config-if)#ip ips cli_ips_rule in
LAB-877w(config-if)#exit
LAB-877w(config)#exit
000649: Jan 30 11:59:37.057 UTC: %SYS-5-CONFIG_I: Configured from console by console
LAB-877w#sh ip ips conf
Configured SDF Locations:
flash://sdmips.sdf
flash://128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 11:58:28 UTC Jan 30 2011
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 351
Total Inactive Signatures: 0
Signature 11207:0 disable
Signature 11208:0 disable
Signature 11209:0 disable
Signature 3325:0 disable
Signature 11200:0 disable
Signature 11201:0 disable
Signature 11202:0 disable
Signature 11222:0 disable
Signature 11224:0 disable
Signature 11225:0 disable
Signature 5050:0 disable
Signature 5085:0 disable
Signature 5322:0 disable
Signature 5322:1 disable
Signature 11210:0 disable
Signature 11211:0 disable
Signature 11212:0 disable
Signature 50000:0 disable
Signature 50000:1 disable
Signature 50000:2 disable
IPS Rule Configuration
IPS name cli_ips_rule
Interface Configuration
Interface Vlan1
Inbound IPS rule is cli_ips_rule
Outgoing IPS rule is not set
Interface Vlan2
Inbound IPS rule is cli_ips_rule
Outgoing IPS rule is not set
LAB-877w#sh ip ips ?
all IPS all available information
configuration IPS configuration
interfaces IPS interfaces
name IPS name
sessions IPS sessions
signatures IPS signatures
statistics IPS statistics
LAB-877w#sh ip ips sessions
Established Sessions
Session 8378F1EC (10.99.99.3:52074)=>(75.101.142.23:80) tcp SIS_OPEN
Session 83785F4C (10.99.99.3:51964)=>(72.21.211.174:80) tcp SIS_OPEN
Session 83788A6C (10.99.99.3:52062)=>(173.230.154.207:80) tcp SIS_OPEN
Session 8377FD8C (10.99.99.3:52068)=>(90.84.54.35:80) tcp SIS_OPEN
Session 8378C9AC (10.99.99.3:51971)=>(199.93.42.126:80) tcp SIS_OPEN
Session 83789BAC (10.99.99.3:52063)=>(74.125.77.121:80) tcp SIS_OPEN
Session 837853CC (10.99.99.3:51966)=>(74.125.77.121:80) tcp SIS_OPEN
Session 8378DDCC (10.99.99.3:52075)=>(128.242.250.183:443) tcp SIS_OPEN
Session 8378B86C (10.99.99.3:49556)=>(10.56.87.14:8194) tcp SIS_OPEN
Session 8378902C (10.99.99.3:51968)=>(217.89.107.16:80) tcp SIS_OPEN
Session 837850EC (10.99.99.3:51372)=>(10.56.87.73:1433) tcp SIS_OPEN
Session 837811AC (10.99.99.3:51718)=>(4.26.237.126:80) tcp SIS_OPEN
Session 8378C3EC (10.99.99.3:52073)=>(10.0.200.9:445) tcp SIS_OPEN
Session 8378708C (10.99.99.3:51721)=>(10.56.87.55:21295) tcp SIS_OPEN
Session 83787C0C (10.99.99.3:52067)=>(90.84.54.35:80) tcp SIS_OPEN
Session 8378EF0C (10.99.99.3:51969)=>(199.93.42.126:80) tcp SIS_OPEN
Session 83783FAC (10.99.99.3:51967)=>(217.89.107.50:80) tcp SIS_OPEN
Session 8378736C (10.99.99.3:52064)=>(217.89.107.49:80) tcp SIS_OPEN
Session 8378BB4C (10.99.99.3:52072)=>(10.56.87.52:139) tcp SIS_OPEN
Session 837825CC (10.99.99.3:52066)=>(217.89.107.49:80) tcp SIS_OPEN
Session 837822EC (10.99.99.3:51970)=>(217.89.107.49:80) tcp SIS_OPEN
Session 837884AC (10.99.99.3:52060)=>(72.21.211.174:80) tcp SIS_OPEN
Session 83787EEC (10.99.99.3:51963)=>(75.101.142.23:80) tcp SIS_OPEN
Session 837839EC (10.99.99.3:51719)=>(209.85.146.118:80) tcp SIS_OPEN
Session 83780ECC (10.99.99.3:51965)=>(173.230.154.207:80) tcp SIS_OPEN
Session 8378A44C (10.99.99.3:52081)=>(168.143.171.189:443) tcp SIS_OPEN
Session 8378148C (10.99.99.3:52065)=>(217.89.107.16:80) tcp SIS_OPEN
Half-open Sessions
Session 8378E38C (10.56.87.52:389)=>(10.99.99.3:56697) udp SIS_OPENING
LAB-877w#sh ip ips sessions ?
all IPS all available information
configuration IPS configuration
interfaces IPS interfaces
name IPS name
sessions IPS sessions
signatures IPS signatures
statistics IPS statistics
LAB-877w#sh ip ips all
Configured SDF Locations:
flash://sdmips.sdf
flash://128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 11:58:28 UTC Jan 30 2011
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 351
Total Inactive Signatures: 0
Signature 11207:0 disable
Signature 11208:0 disable
Signature 11209:0 disable
Signature 3325:0 disable
Signature 11200:0 disable
Signature 11201:0 disable
Signature 11202:0 disable
Signature 11222:0 disable
Signature 11224:0 disable
Signature 11225:0 disable
Signature 5050:0 disable
Signature 5085:0 disable
Signature 5322:0 disable
Signature 5322:1 disable
Signature 11210:0 disable
Signature 11211:0 disable
Signature 11212:0 disable
Signature 50000:0 disable
Signature 50000:1 disable
Signature 50000:2 disable
IPS Rule Configuration
IPS name cli_ips_rule
Interface Configuration
Interface Vlan1
Inbound IPS rule is cli_ips_rule
Outgoing IPS rule is not set
Interface Vlan2
Inbound IPS rule is cli_ips_rule
Outgoing IPS rule is not set
Established Sessions
Session 83785F4C (10.99.99.3:51964)=>(72.21.211.174:80) tcp SIS_OPEN
Session 8378C9AC (10.99.99.3:51971)=>(199.93.42.126:80) tcp SIS_OPEN
Session 837853CC (10.99.99.3:51966)=>(74.125.77.121:80) tcp SIS_OPEN
Session 8378DDCC (10.99.99.3:52075)=>(128.242.250.183:443) tcp SIS_OPEN
Session 8378B86C (10.99.99.3:49556)=>(10.56.87.14:8194) tcp SIS_OPEN
Session 8378902C (10.99.99.3:51968)=>(217.89.107.16:80) tcp SIS_OPEN
Session 837850EC (10.99.99.3:51372)=>(10.56.87.73:1433) tcp SIS_OPEN
Session 837811AC (10.99.99.3:51718)=>(4.26.237.126:80) tcp SIS_OPEN
Session 8378708C (10.99.99.3:51721)=>(10.56.87.55:21295) tcp SIS_OPEN
Session 8378EF0C (10.99.99.3:51969)=>(199.93.42.126:80) tcp SIS_OPEN
Session 83783FAC (10.99.99.3:51967)=>(217.89.107.50:80) tcp SIS_OPEN
Session 837822EC (10.99.99.3:51970)=>(217.89.107.49:80) tcp SIS_OPEN
Session 83787EEC (10.99.99.3:51963)=>(75.101.142.23:80) tcp SIS_OPEN
Session 837839EC (10.99.99.3:51719)=>(209.85.146.118:80) tcp SIS_OPEN
Session 83780ECC (10.99.99.3:51965)=>(173.230.154.207:80) tcp SIS_OPEN
LAB-877w#
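As an added example (not from the post, and not a Cisco tool), the following Python script parses the text of show ip ips configuration as printed above and turns it into a short audit: it checks that signatures are actually loaded, that fail closed is on, that alarms are being sent somewhere and that every interface has a rule. The sample output embedded in the script is a trimmed copy of the transcript above (most of the Signature ... disable lines removed); the severity words in the findings are choices made for this example, not Cisco terminology.

```python
# Trimmed copy of the "show ip ips configuration" output from the transcript
# above (most "Signature ... disable" lines removed for brevity).
SHOW_OUTPUT = """\
Configured SDF Locations:
flash://sdmips.sdf
flash://128MB.sdf
Builtin signatures are enabled but not loaded
IPS fail closed is disabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 351
Total Inactive Signatures: 0
Signature 11207:0 disable
Signature 5322:1 disable
IPS Rule Configuration
IPS name cli_ips_rule
Interface Configuration
Interface Vlan1
Inbound IPS rule is cli_ips_rule
Outgoing IPS rule is not set
Interface Vlan2
Inbound IPS rule is cli_ips_rule
Outgoing IPS rule is not set
"""


def _rule_or_none(line):
    """'Inbound IPS rule is cli_ips_rule' -> 'cli_ips_rule'; 'not set' -> None."""
    name = line.rsplit(" is ", 1)[1].strip()
    return None if name == "not set" else name


def parse_show_ip_ips(text):
    """Line-oriented parse of the show output into a dict; unknown lines are ignored."""
    cfg = {
        "sdf_locations": [], "builtin_loaded": False, "fail_closed": False,
        "syslog": False, "sdee": False,
        "active_signatures": 0, "inactive_signatures": 0,
        "disabled_signatures": [], "rule_names": [], "interfaces": {},
    }
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("flash://"):
            cfg["sdf_locations"].append(line)
        elif line.startswith("Builtin signatures"):
            cfg["builtin_loaded"] = "not loaded" not in line
        elif line.startswith("IPS fail closed is"):
            cfg["fail_closed"] = line.split()[-1] == "enabled"
        elif line.startswith("Event notification through syslog"):
            cfg["syslog"] = line.split()[-1] == "enabled"
        elif line.startswith("Event notification through SDEE"):
            cfg["sdee"] = line.split()[-1] == "enabled"
        elif line.startswith("Total Active Signatures:"):
            cfg["active_signatures"] = int(line.split(":")[1])
        elif line.startswith("Total Inactive Signatures:"):
            cfg["inactive_signatures"] = int(line.split(":")[1])
        elif line.startswith("Signature ") and line.endswith(" disable"):
            cfg["disabled_signatures"].append(line.split()[1])
        elif line.startswith("IPS name "):
            cfg["rule_names"].append(line.split()[2])
        elif line.startswith("Interface ") and line != "Interface Configuration":
            current_if = line.split()[1]          # e.g. "Vlan1"
            cfg["interfaces"][current_if] = {"in": None, "out": None}
        elif current_if and line.startswith("Inbound IPS rule is"):
            cfg["interfaces"][current_if]["in"] = _rule_or_none(line)
        elif current_if and line.startswith("Outgoing IPS rule is"):
            cfg["interfaces"][current_if]["out"] = _rule_or_none(line)
    return cfg


def audit(cfg):
    """Findings a reviewer would raise; the severity words are this example's own."""
    findings = []
    if cfg["active_signatures"] == 0:
        findings.append("CRITICAL: 0 active signatures - rules are applied but nothing is "
                        "inspected (the state right after 'clear ip ips configuration')")
    if not cfg["fail_closed"]:
        findings.append("WARNING: fail closed is disabled - if an engine fails to build, "
                        "traffic is forwarded uninspected ('ip ips fail closed' changes this)")
    if not (cfg["syslog"] or cfg["sdee"]):
        findings.append("WARNING: neither syslog nor SDEE notification is enabled - alarms go nowhere")
    for name, dirs in cfg["interfaces"].items():
        if dirs["in"] is None and dirs["out"] is None:
            findings.append(f"WARNING: {name} has no IPS rule in either direction")
    if cfg["disabled_signatures"]:
        findings.append("INFO: disabled signatures: " + ", ".join(cfg["disabled_signatures"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_ip_ips(SHOW_OUTPUT)):
        print(finding)
```

On the transcript above this reports the fail-closed warning and the disabled-signature list and nothing else; replace SHOW_OUTPUT with the output captured while the router was in the state shown after clear ip ips configuration (Total Active Signatures: 0) and the CRITICAL finding appears, which is the case the "IPS rule is enabled" message in SDM will not warn you about.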
This table lists the abbreviations used in this post.

| Abbreviation | Meaning |
|---|---|
| IPS | Intrusion Prevention System |
| IDS | Intrusion Detection System |
| NIPS | Network based Intrusion Prevention System |
| NIDS | Network based Intrusion Detection System |
| HIPS | Host based Intrusion Prevention System |
| HIDS | Host based Intrusion Detection System |
| SDEE | Security Device Event Exchange |
| SDM | Security Device Manager |
| SDF | Signature Definition File |
| VFR | Virtual Fragment Reassembly |