Cisco Intrusion Detection System (5 Points)

The Cisco intrusion detection system is connected to the inside interface of the PIX and the segment connecting R4 and R5.

The IDS in Figure 8-1 is configured for IP. Figure 8-8 displays all the details you need to complete this section.

Figure 8-8 IDS Configuration

The following list outlines key details to answer the lab exam questions:

■ The IP address of the control interface is 144.254.5.3/27.

■ The sniffing interface is connected to the PIX and R1 LAN.

■ Ensure that only the subnet 144.254.6.0/29 can manage the IDS device.

■ Change the custom signature 50000 to trigger a severity level of high when a Telnet session tries to change the password on any device. (By default, the IDS sniffing interface is shut down. You need to un-shut the interface to receive the spanned traffic.)

Cisco Intrusion Detection System Solution

The IDS sensor has the IP address 144.254.5.3. You need to browse to the IDS device over HTTPS. The URL you must enter in your browser is:

https://144.254.5.3/

Figure 8-9 displays the opening screen after Internet Explorer (available in the CCIE lab) connects to the IDS.

Figure 8-9 IDS Device Manager Opening Screen

Figure 8-9 displays the menu-driven welcome screen. Notice that the section labeled "You Are Here" advises you that your current screen location is the setting Device > Sensor Setup.

By clicking Network, you can confirm the IP address. Figure 8-10 confirms the correct IP address as 144.254.5.3/24.

Figure 8-10 IDS Device Manager IP Address Confirmation

Click Allowed Hosts to enter the permitted subnet 144.254.6.0/29 to manage the IDS, as Figure 8-11 confirms.

Figure 8-11 IDS Device Manager Allowed Subnets/Hosts

Finally, you need to create a custom IDS signature to monitor any IP packets that are changing the passwords on the network.

To create a custom signature, click the Configuration tab. Click Signature Configuration Mode > Signature Wizard on the left menu bar. Figure 8-12 displays the screen when creating a customized signature.

Figure 8-12 Selecting the Signature Wizard

The next eight figures display the simple procedure of creating a signature by following the intuitive steps the wizard walks you through.

Figure 8-13 displays the welcome screen when creating customized signatures. Click Start the Wizard.

Figure 8-13 Custom Signature Wizard Welcome Screen

Figure 8-14 displays the first wizard screen.

Figure 8-14 Custom Signature Wizard First Screen

Figure 8-14 requires no changes; simply click the Next button to display the features available.

Figure 8-15 configures the IDS signature numbered 50000 and a random signature name of STRING.TCP.

Figure 8-15 Custom Signature Wizard Signature Identification Screen

Figure 8-16 displays the configuration to alert administrators whenever the word "password" appears in any Telnet connection. Cisco routers, for example, use the command enable password to set the enable password, which triggers an alert in this case.

Figure 8-16 Custom Signature Wizard TCP Stream Signature Screen

Figure 8-17 configures the severity level to high as required by this lab.

Figure 8-17 Custom Signature Wizard Alert Response Actions Screen
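
Why this signature is a TCP stream match rather than a per-packet match, as an added example that is not from the original text or from Cisco: a Telnet client typically sends one keystroke per segment, so the word "password" never sits inside a single packet. The `StreamSignature` model, its field names, the case-insensitive match and the sample traffic are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class StreamSignature:
    sig_id: int
    name: str
    dst_port: int
    pattern: re.Pattern
    severity: str

# From the lab: ID 50000, name STRING.TCP, Telnet (TCP/23), the word "password",
# severity high. Case-insensitive matching is an assumption of this sketch.
SIG_50000 = StreamSignature(50000, "STRING.TCP", 23,
                            re.compile(rb"password", re.IGNORECASE), "high")

def reassemble(segments):
    """Rebuild one direction of a flow from (seq, payload) pairs."""
    stream, next_seq = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):  # fix reordering
        next_seq = seq if next_seq is None else next_seq
        if seq > next_seq:                 # gap: stop at the missing bytes
            break
        fresh = payload[next_seq - seq:]   # drop retransmitted bytes
        stream += fresh
        next_seq += len(fresh)             # sequence wraparound is not handled
    return bytes(stream)

def per_packet_hits(sig, dst_port, segments):
    """Naive check: test each segment payload in isolation."""
    on_port = dst_port == sig.dst_port
    return sum(1 for _, p in segments if on_port and sig.pattern.search(p))

def stream_alerts(sig, dst_port, segments):
    """Stream check: test the reassembled bytes, one alert per match."""
    data = reassemble(segments) if dst_port == sig.dst_port else b""
    return [{"sig_id": sig.sig_id, "name": sig.name, "severity": sig.severity,
             "offset": m.start()} for m in sig.pattern.finditer(data)]

def keystrokes(text, isn=1000):
    """Constructed sample: a Telnet client sending one byte per segment."""
    return [(isn + i, bytes([b])) for i, b in enumerate(text)]

# Constructed traffic (not a lab capture): reordered, with two retransmits.
_k = keystrokes(b"conf t\r\nenable password cisco\r\n")
SAMPLE = _k[10:] + _k[:10] + _k[3:5]

if __name__ == "__main__":
    print(per_packet_hits(SIG_50000, 23, SAMPLE), stream_alerts(SIG_50000, 23, SAMPLE))
```

On the sample, the per-packet check finds nothing while the stream check raises one high-severity alert, which is the behavior the lab's signature depends on.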

Figure 8-18 shows the alert behavior screen.

Figure 8-18 Custom Signature Wizard

Notice that the Wizard Tasks box on the left tracks your progress through the wizard as you advance through the screens. Advance through the next two screens to complete the final steps of the wizard. Figure 8-19 and Figure 8-20 confirm the wizard completion.

Figure 8-19 Custom Signature Wizard Ready Confirmation Screen

Figure 8-20 Custom Signature Wizard Completion Screen

Note that you must configure the switch port on the PIX inside interface to span (monitor or mirror) so that the IDS device can check all traffic. This completes the sample Security lab.
