Using SDM to Configure Cisco IOS IPS

Although Cisco offers IPS services on a wide variety of platforms, this section focuses on configuring IOS-based IPS using Cisco's Security Device Manager (SDM). Cisco's SDM is a graphical interface that supports a wizard-like configuration tool for configuring a variety of IOS features, including IOS-based IPS.

Launching the Intrusion Prevention Wizard

To begin configuring IPS on a Cisco IOS router using SDM, launch the SDM interface. The SDM home page, shown in Figure 11-11, provides summary information about the router.

To begin a configuration task using SDM, click the Configure button at the top of the SDM home page. The configuration screen, as shown in Figure 11-12, has a column of tasks along the left side of the page.

Chapter 11: Using Cisco IOS IPS to Secure the Network

Figure 11-11 SDM Home Page

Figure 11-12 SDM Configuration Page

A wide range of tasks, including configuring an IOS-based firewall or a virtual private network (VPN), is available. To configure an IOS-based IPS, click the Intrusion Prevention option in the Tasks column. The Intrusion Prevention System (IPS) configuration screen appears, as shown in Figure 11-13. This screen has three tabs: Create IPS, Edit IPS, and Security Dashboard.

Figure 11-13 Intrusion Prevention System (IPS) Configuration Page


The default tab is Create IPS; notice the Launch IPS Rule Wizard button. Click this button to begin the wizard.

An Information window appears, similar to the one shown in Figure 11-14, indicating that the router does not currently have SDEE notification enabled. By clicking OK in this window, you allow SDM to enable SDEE notification on the router.

Figure 11-14 SDEE Notification Window


Another information window appears, like the one shown in Figure 11-15. It lets you know that SDM will open a subscription with the router to get the SDEE events.

Figure 11-15 SDEE Subscription Window


IPS Policies Wizard

After you confirm the SDEE messages, the IPS Policies Wizard window appears, as shown in Figure 11-16.

The initial screen explains that the IPS Policies Wizard helps you with the following tasks:

■ Selecting the interface to which the IPS rule will be applied

■ Selecting the direction of traffic that will be inspected

■ Selecting the SDF file to be used by the router

After you click Next, the IPS Wizard prompts you to select the interface(s) to which the IPS rule should be applied, in addition to the direction of traffic (that is, inbound or outbound). In the example shown in Figure 11-17, the IPS Wizard has been instructed to apply the IPS rule to inbound traffic for interface Serial 1/0.

Figure 11-16 IPS Wizard Welcome Screen


Figure 11-17 Interface Selection Screen

After you click Next again, the SDF Locations screen appears, as shown in Figure 11-18. It allows you to specify one or more locations for the router to retrieve an SDF file. You can set the order of the locations using the Move Up and Move Down buttons.

Figure 11-18 SDF Locations Screen


Click the Add button to bring up the Add a Signature Location window, as shown in Figure 11-19. From this window you can specify an SDF location in the router's flash or at a specific URL. Also, notice the autosave checkbox. Checking this option allows the router to save the SDF file in the event of a router crash, eliminating the need to reconfigure the SDF location after the router comes back up.

Figure 11-19 Specifying a Signature Location

In Figure 11-20, the 128MB.sdf SDF file stored in flash is specified. This particular file was selected because of the router's memory. If the router contained 256 MB of RAM, the 256MB.sdf file could have been used instead, to provide a larger signature database.

Figure 11-20 Flash Selected as the SDF Location

The newly configured SDF location then appears in the SDF Locations pane, as shown in Figure 11-21. Multiple SDF locations could be specified, and the router would attempt to load the SDF from the first location in the list. If it failed, the next SDF location would be attempted. However, in this example, only a single SDF location is specified.

Figure 11-21 SDF Location Listing


Also notice the Use Built-In Signatures (as backup) checkbox. Checking this box allows IPS to use the Cisco IOS built-in signatures if a signature definition file cannot be found. After you add one or more SDF locations, click the Next button to continue.

A Summary window appears, as shown in Figure 11-22. It identifies the interface(s) on which IPS will be applied and in what direction(s) traffic will be analyzed as it crosses the interface. Additionally, the location of the SDF file is specified, and you can see whether the Use Built-In Signatures (as backup) checkbox is checked. If the summary information appears to be correct, click the Finish button.

Figure 11-22 Summary Window

(Screenshot text for Figure 11-22, IPS Wizard Summary: "Please click Finish to deliver to router." IPS rule will be applied to the incoming traffic on the following interfaces: Serial1/0. Signature File location: flash://128MB.sdf. Built-in: Enabled.)

The commands required to configure IOS-based IPS are then sent from SDM to the router. After the commands are delivered, click the OK button in the Commands Delivery Status window, shown in Figure 11-23.

Figure 11-23 Commands Delivery Status Window


When the Intrusion Prevention Wizard is finished, your view changes in the Edit IPS tab, as shown in Figure 11-24. From this tab, you can edit IPS rules, set global IPS settings, and configure IPS signatures.

Figure 11-24 Edit IPS Tab


Creating IPS Rules

The previously described configuration enabled IOS-based IPS for interface Serial 0/1. If you click the interface, the IPS Filter Details pane, as shown in Figure 11-25, reveals that although the IPS rule is enabled, no filtering is associated with this rule.

Figure 11-25 IPS Filter Details Pane

(Screenshot text for Figure 11-25: the IPS Policies table on the Edit IPS tab lists each interface with its IP address, Inbound and Outbound IPS status, VFR status, and Description. The IPS Filter Details pane reads "IPS rule is enabled, but there is no filter configured for this rule. IPS will scan all inbound traffic." Callout: Warning that no filtering is associated with this rule.)

To see how to add an associated rule, consider the following scenario:

You want to block inbound Telnet traffic on interface Serial 0/1 while permitting all other traffic.

The following steps illustrate how to accomplish this objective:

Step 1 With the desired interface selected (that is, highlighted), click the Edit button. This action displays the Edit IPS on an Interface window, as shown in Figure 11-26.

Figure 11-26 Edit IPS on an Interface Window

Step 2 Verify that Inbound is the selected direction, and click the drop-down menu to the right of the Inbound Filter box. From the drop-down menu, choose Create a new rule(ACL) and select, as shown in Figure 11-27.

Figure 11-27 Edit IPS on an Interface Window Drop-Down Menu


Step 3 When the Add a Rule window appears, as shown in Figure 11-28, enter a name or number for the rule. Also select the type of rule (that is, standard or extended) from the Type drop-down menu. Optionally, you can document the rule's purpose in the Description field.

Figure 11-28 Add a Rule Window

(Screenshot text for Figure 11-28, Add a Rule window: Name/Number no_telnet; Type Extended Rule; Description "Block all inbound Telnet traffic"; the Rule Entry pane is empty (None) and has Add, Edit, Delete, Move Up and Move Down buttons.)

Step 4 Click the Add button in the Add a Rule window to bring up the Add an Extended Rule Entry window (assuming that you selected Extended Rule as the type of rule). In this window, shown in Figure 11-29, using a series of drop-down menus and ... buttons, you can specify what traffic you want to permit or deny. In this example, the rule is configured to deny all traffic destined for the TCP Telnet service.

Step 5 Click OK to add the rule. You are returned to the Add a Rule window, as shown in Figure 11-30. Notice that the rule that denies inbound Telnet traffic appears in the Rule Entry pane. However, these rules contain an implicit deny ip any any statement. Therefore, if another rule to permit traffic is not added, all traffic will be denied.

Figure 11-29 Add an Extended Rule Entry Window


Figure 11-30 Confirmation of Rule Entry

Step 6 Click the Add button again to add a rule that permits any traffic to any destination, as shown in Figure 11-31.

Figure 11-31 Creating a Rule to Permit All Other Traffic


Step 7 You are returned to the Add a Rule window. Notice, in Figure 11-32, that the newly configured permit ip any any rule is at the bottom of the rule list. The order of rules is critical, because they are processed top-down. You can optionally select one of the rules (by clicking it) and change its position in the list using the Move Up and/or Move Down buttons. Click the OK button to complete the rule entry.

Step 8 The Edit IPS on an Interface window appears, as shown in Figure 11-33. From this window, you can specify whether you want the IOS router to perform Virtual Fragment Reassembly (VFR). Specifically, IOS-based IPS cannot thoroughly scan the contents of IP fragments, thus allowing fragmented traffic to pass through the router without being analyzed. When the Enable fragment checking on this interface checkbox is checked, the router uses the VFR feature to dynamically create access control lists to protect the network from fragmentation attacks. Click OK to deliver the configuration commands to the router.

Figure 11-32 Ordered List of Rules

The newly added rule is placed at the bottom of the rules list. Rule -entries are processed top down.


Figure 11-33 Enabling Fragmentation Checking

Enables the VFR Feature, Which Helps Protect the Network -from Fragmentation Attacks


Step 9 The Commands Delivery Status window, shown in Figure 11-34, informs you when the IPS rule configuration commands have been delivered to the router. After the delivery is complete, click the OK button.

Figure 11-34 Delivering Commands to the Router


Figure 11-35 Verifying IPS Filter Configuration

Details the Rules Contained in the NO_TELNET ACL

After the rules have been added to the interface, the rules appear in the IPS Filter Details pane. Figure 11-35 shows that the NO_TELNET inbound filter has been applied to the selected interface (Serial 1/0).
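The CLI that SDM delivers for the wizard choices and the no_telnet filter described above, written out as an added example rather than the book's own text. The IPS rule name sdm_ips_rule is an assumption (SDM chooses the name), and the exact lines SDM generates vary by IOS release.

```cisco
! SDEE notification, which SDM enables when you click OK in Figure 11-14.
! SDEE is served over the router's HTTP/HTTPS server.
ip http secure-server
ip ips notify SDEE
!
! SDF Locations screen (Figures 11-19 through 11-21): load 128MB.sdf from
! flash and fall back to the IOS built-in signatures if it cannot be loaded
! (the "Use Built-In Signatures (as backup)" checkbox; enabled by default).
ip ips sdf location flash://128MB.sdf
ip ips sdf builtin
!
! The filter built in Steps 3 through 7. Entries are evaluated top-down and
! the list ends with an implicit "deny ip any any", so without the final
! "permit ip any any" every inbound packet would match the implicit deny.
ip access-list extended no_telnet
 remark Block all inbound Telnet traffic
 deny tcp any any eq telnet
 permit ip any any
!
! The IPS rule. sdm_ips_rule is an assumed name; "list no_telnet" attaches
! the filter shown in Figure 11-35 to the rule, which is not the same as
! applying no_telnet as an interface ACL with "ip access-group".
ip ips name sdm_ips_rule list no_telnet
!
! Interface Selection screen (Figure 11-17) plus the VFR checkbox (Step 8).
interface Serial1/0
 ip virtual-reassembly
 ip ips sdm_ips_rule in
```

Confirm the delivered configuration with show ip ips configuration and show ip ips interfaces; if the permit entry were moved above the deny entry, the deny would never be reached, which is the ordering point of Step 7.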

Manipulating Global IPS Settings

The Edit IPS tab also allows administrators to configure global IPS settings. Clicking the Global Settings button displays a screen similar to the one shown in Figure 11-36.

Figure 11-36 Global IPS Settings

Global Settings Include syslog, SDEE, and Engine Options


To configure these global settings, an administrator can double-click one of the shown parameters (Syslog, SDEE, or Engine Options). The Edit Global settings window appears, as shown in Figure 11-37.

Figure 11-37 Edit Global Settings Window: Syslog and SDEE Tab

(Screenshot text for Figure 11-37, Syslog and SDEE tab: "This option enables IPS to send alarm, event, and error messages via syslog services." Number of concurrent SDEE subscriptions (1-3): 1. Maximum number of SDEE Alerts to store (10-2000): 200. Maximum number of SDEE Messages to store (10-500): 200.)

The Edit Global settings window has two tabs from which the administrator can configure global settings, as described in Table 11-5.

Table 11-5 Tabs in the Edit Global Settings Window

Tab: Syslog and SDEE
Description: With this tab, an administrator can cause the IPS feature to send alarm, event, and error information using syslog services. Additionally, SDEE parameters (for example, the maximum number of concurrent SDEE subscriptions) can be configured from this tab.

Tab: Global Engine
Description: With this tab, shown in Figure 11-38, the administrator can configure a timeout for loading IPS signatures, in addition to the following options:

• Enable Engine Fail Closed: This option determines whether the IOS-based IPS feature drops or permits traffic for a particular IPS signature engine while a new signature for that engine is being compiled. If this option is enabled, traffic is dropped while IPS services are unavailable. If this option is disabled (known as a fail open configuration), traffic is passed while IPS services are unavailable.

• Use Built-In Signatures (as backup): This option, which is enabled by default, allows the IPS feature to use the built-in IOS signatures if the configured signature file fails to load.

• Enable deny action on IPS interface: This option allows an access control list to be configured on an interface that has IPS rules applied.

Figure 11-38 Edit Global Settings Window: Global Engine Tab

(Screenshot text for Figure 11-38, Global Engine tab:

Enable Engine Fail Closed: "By default, while IOS compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. Enable this option to make IOS drop packets during the compilation process."

Use Built-in Signatures (as backup): "If IPS does not find or fails to load signatures from the specified location(s), it can use the Cisco IOS built-in signatures to enable IPS. This option is enabled by default."

Enable deny action on IPS interface: "Check this option if this router is performing load-balancing. It allows IOS to create ACL filters on the same interface on which IPS rules are applied. Otherwise, ACL filters will be created on the inbound direction of the interface on which the offending packet arrived."

Timeout (0-65535): 30)
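The CLI counterparts of the Syslog and SDEE tab and the Global Engine tab, as an added example rather than the book's text. The commands are the IOS IPS 4.x global commands; the SDEE limits are the values shown in Figure 11-37, and the fail-open line is included only to show the weaker default next to the fail-closed setting.

```cisco
! Syslog and SDEE tab (Figure 11-37): send alarm, event, and error
! messages via syslog and via SDEE.
ip ips notify log
ip ips notify SDEE
! Concurrent SDEE subscriptions (1-3), alerts to store (10-2000) and
! messages to store (10-500), as shown on the tab.
ip sdee subscriptions 1
ip sdee alerts 200
ip sdee messages 200
!
! Global Engine tab (Figure 11-38).
! Fail open is the default: while an engine recompiles its signatures,
! traffic for that engine passes unscanned. That default reads as:
no ip ips fail closed
! Enable Engine Fail Closed: drop that traffic instead.
ip ips fail closed
! Enable deny action on IPS interface: build the deny ACL on the interface
! the IPS rule is applied to, rather than on the interface the offending
! packet arrived on (the load-balancing case described on the tab).
ip ips deny-action ips-interface
```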

Signature Configuration

After enabling the IPS feature on a router, you might want to manipulate the default signature settings. For example, you might want to disable some of the signatures that are enabled by default, and vice versa. Also, you might want to alter the action or actions taken in response to a signature being triggered.

To configure such signature parameters, click the Signatures button on the Edit IPS tab. This displays a listing of signatures, as shown in Figure 11-39.

Notice that all known IPS signatures are listed in the right pane. If you know the name of the signature you are attempting to find, you can scroll through the list to locate it. Alternatively, notice that the signatures are categorized in a hierarchical fashion, under the OS, Attack, Service, L2/L3/L4 Protocol, and Releases categories.

Figure 11-39 Signature Listing


To understand the editing of a signature, consider the following scenario:

You want to change the action taken in response to the POP Overflow signature being fired, such that an alarm is generated and the offending packet is dropped.

The following steps illustrate how to accomplish this objective:


Step 1 Scroll down in the right pane, and locate the desired signature, as shown in Figure 11-40.

Figure 11-40 Locating the Desired Signature

Locate the Desired Signature


Step 2 Double-click the signature to open the Edit Signature window, as shown in Figure 11-41.

Figure 11-41 Edit Signature Window

(Screenshot text for Figure 11-41, Edit Signature window, shown as Name/Value pairs: SIGID 3550; SigName POP Overflow; AlarmSeverity high; AlarmThrottle FireAll; ChokeThreshold 100; Direction ToService; Enabled True; EventAction, with the choices alarm, denyAttackerInline, denyFlowInline, drop and reset; the SubSig, AlarmInterval, AlarmTraits and EndMatchOffset fields are also listed. Legend: a green square means the parameter uses the default value, click the icon to edit the value; a red diamond means the parameter uses a user-defined value, click the icon to restore the default value. Buttons: OK, Cancel, Help.)

Step 3 Notice that the configurable values are currently dimmed. To make one of the fields editable, click the green square to the left of the field. The green square changes into a red diamond after you click it, and the field can now be edited. In this example, you click the green square adjacent to the EventAction field, as shown in Figure 11-42. To meet the scenario objective, both the alarm and drop actions must be selected (that is, highlighted). To select more than one action, click the first action, hold down the Ctrl key, and click the subsequent action(s).

Figure 11-42 Configuring Signature Parameters

When editing a signature, click on the green square next to a signature property you want to change. The -green square changes to a red diamond, indicating that you can edit the property.


After the parameters are configured as desired, click the OK button at the bottom of the Edit Signature window. You are returned to the Edit IPS tab. Notice that the signature you edited now has a yellow octagon symbol with a minus sign in it, in the ! column, as shown in Figure 11-43. This symbol indicates that the changes you made have not yet been delivered to the router. Click the Apply Changes button, which is just below the signatures pane, to deliver the commands to the router and make the specified changes.

Figure 11-43 Changes Not Delivered to the Router

A yellow octagon with a minus sign indicates that a signature has been tuned.

