CCIE Security Advanced Technologies Class - IPS Inline Mode, VLAN Pairing

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:14	In our next section for the IPS sensor
0:00:17	we are going to look at the configuration in inline mode
0:00:20	and also creating multiple virtual sensors and multiple signature definition engines
0:00:26	So we can apply it to multiple portions of the network at the same time
0:00:31	Now in our previous example with the promiscuous mode
0:00:35	we had the network configured so that as traffic was transiting to VLAN 125 segment
0:00:40	or specifically leaving the ASA
0:00:43	the switch that was attached
0:00:44	was then redirecting the traffic
0:00:47	through an RSPAN session from switch1 to switch2
0:00:50	switch2 is then sending this to the sensing interface to the IPS
0:00:55	from that point on whenever the IPS was triggering an event
0:00:59	and wanted to take an action, like to
0:01:01	reset the session or to request a blocking of the connection
0:01:05	it had to do this out of band
0:01:08	with an SSH or telnet session
0:01:10	that was going to ASA2 or that was going to router5
0:01:15	Now we are going to change this design, so the IPS
0:01:18	is actually going to be inline
0:01:20	of the segment between
0:01:22	router5 and ASA2
0:01:26	so the traffic is going to be received in one interface
0:01:28	and then it is going to be forwarded out a different interface
0:01:33	Now specifically to do this
0:01:35	what we now need to change
0:01:37	is the separation of the layer2 networks
0:01:40	between the ASA and
0:01:43	the IPS and then finally to router5
0:01:47	where previously all of this was
0:01:49	signed as VLAN 125
0:01:52	I now need to split this into two separate layer2 segment
0:01:57	where VLAN 125, I will leave this between the ASA and the IPS
0:02:02	but then I will use a different VLAN, lets say VLAN 555
0:02:07	between the IPS and router5
0:02:12	Now what this means is that the ASA is not going to be able to send any traffic to router5
0:02:16	without having it going through the IPS first
0:02:20	So even though they are still on the same ip network
0:02:23	the ASA is 10.0.125.12
0:02:27	and router5 is 10.0.125.5
0:02:33	they are on the same ip network but they are no longer on the same layer2 network
0:02:38	So similar to the transparent
0:02:40	firewall on the ASA, or the transparent firewall on IOS
0:02:44	we are putting this, quote unquote, bump on the wire, between the devices
0:02:48	So now all the traffic is going to have to transit through them
0:02:53	So now the first thing that I need to change then
0:02:56	is going to be the VLAN assignments
0:02:58	and how the layer2 switch is talking to the sensing interface of the IPS
0:03:06	where previously we were doing this promiscuously
0:03:09	by doing the SPAN or the RSPAN feature
0:03:13	So first I need to remove the
0:03:15	the previous monitor session config that we have
0:03:19	So lets say no monitor
0:03:21	session1
0:03:28	and then the same thing on
0:03:30	switch2 as well
0:03:33	So we are no longer
0:03:34	no longer doing any redirection
0:03:37	Now the sensing interface
0:03:39	of the IPS
0:03:41	is located on fastethernet0/10 of switch2
0:03:47	So what I need now, need now, to save for this interface is that, this is going to be a trunk
0:03:52	So this switch port mode is trunk
0:03:55	the switch port trunk encapsulation is dot1q
0:03:59	because the reason why is that I only have one sensing interface
0:04:03	So essentially doing like a router on a stick type configuration
0:04:06	with multiple dot1q subinterfaces
0:04:09	as opposed to using separate
0:04:11	physical sensing interfaces
0:04:14	we will see when we configure inline pairing
0:04:17	on the IPS
0:04:19	really the only difference between doing the inline pair and inline VLAN pair
0:04:24	is that with this example
0:04:26	the VLAN pairing were simply specifying the sub interfaces
0:04:29	as opposed to the actual physical link
0:04:33	Now again this is going to be using VLAN 125, which we already have
0:04:38	and then the new VLAN 555, so need to make sure to create this
0:04:43	then VLAN 555, this is going to be assigned o
0:04:46	the link that is going to router5
0:04:50	So switch port access vlan 555
0:04:55	so I will go to router5 and ping
0:04:57	10.0.125.12, which is the ASA
0:05:01	we would see that they no longer have connectivity
0:05:05	because they are now in two separate layer2 segment
0:05:08	and we could see now the eigrp relationship between them goes down
0:05:14	So the next thing I need to do is to go back to the sensor, lets go back to the IDM
0:05:19	and we are going to change how the
0:05:21	physical interfaces are allocated
0:05:25	So if we go to the interfaces
0:05:27	it says now gig0/0
0:05:33	is enabled, the speed and duplex is auto, which is fine
0:05:37	the
0:05:38	if we go on the summary, it says that this is a promiscuous interface
0:05:41	that is assigned to virtual sensor zero
0:05:45	which is what I need to change now
0:05:47	I am going to now configure this as a VLAN pairing
0:05:53	says no interfaces are available for creating inline pairs, all interfaces might have been paired
0:05:57	or currently assigned in the virtual sensor
0:06:00	so what I now need to do is go to the virtual sensor
0:06:03	and deallocate
0:06:05	that inerface
0:06:07	so one of the analysis engine virtual sensors
0:06:10	I am going to delete that current association
0:06:13	or lets add at this and
0:06:17	remove the physical interface
0:06:28	so we are basically undoing the previous initial configuration that we did
0:06:31	on the sensor
0:06:34	So now under VLAN pairs
0:06:36	we are going to add a new pairing
0:06:40	that is for only interface left that is, gig 0/0
0:06:43	we have sub interface
0:06:45	lets say 1, doesn't really matter what the number is here
0:06:48	but we are going to have the pairing between VLAN 125 and VLAN 555
0:06:55	I will say this is the
0:06:56	ASA2
0:06:58	to router5 pairing
0:07:07	So essentially what this is doing is creating the sub interfaces
0:07:11	Now under the virtual sensor
0:07:14	So under analysis engine, virtual sensor
0:07:17	I am going to assign the VLAN pairing
0:07:21	which is from VLAN 125 to VLAN 555
0:07:25	to virtual sensor 0
0:07:28	which is getting signature definition 0
0:07:30	event detection rule 0 and anomaly detection 0, these are all the default
0:07:36	So again remember, I can create an additional ones of these
0:07:38	if I have multiple virtual sensors
0:07:42	that I want to assign different policy
0:07:45	and we look at that creating another virutal sensor after we have the basic configuration of this one going
0:07:53	So now we have the inline pairing
0:07:56	what we should now see, if we were to look at our signature definition
0:08:01	and previously the ones that I enabled
0:08:05	where the custom signature 60000 which was for deleting the flash
0:08:10	but then also signatures
0:08:17	2000 and 2004, which were the echos, and echo reply
0:08:23	So the echo request is on, which is the ping request
0:08:27	says that if this is true, we are going to produce an alert
0:08:30	So what should now happen if we really go back to the sensor
0:08:35	and we are looking at the show
0:08:38	event, alerts
0:08:42	then if I were to go to the sensor
0:08:45	and ping 10.0.125.5
0:08:50	I could see now there is a connection between router5 and ASA
0:08:56	and the sensor said that
0:08:59	it did get the ICMP packet
0:09:03	So now even though they are on two separate
0:09:05	layer2, networks, they are on the same layer3 network
0:09:10	and notice now that the
0:09:13	eigrp adjacency over the ethernet is now back
0:09:19	Now also we can see that the ips is making changes
0:09:22	from the VTY line
0:09:24	if we look at the show
0:09:27	archive log config
0:09:31	lets look at all and then we will go on to that very
0:09:37	final session
0:09:47	the changes that it was making was creating a policy map again, it was creating the
0:09:52	the access list
0:09:53	we no longer need this configuration though
0:09:56	because router5 is not going to be a blocking device
0:10:00	since the IPS is now directly
0:10:02	inline between ASA
0:10:04	to in router5
0:10:05	we do not need to telnet or to SSH into other devices
0:10:09	in order to ask them to block on or behalf
0:10:13	So on the IDS, lets go back to
0:10:16	the
0:10:17	the IDM and under the
0:10:19	the blocking devices
0:10:21	I am going to delete router5 here
0:10:26	then if we look at monitoring and the active host plugs
0:10:30	we something being filtered out from before
0:10:33	based on that delete flash signature
0:10:36	So I will delete this here
0:10:40	then on router5
0:10:43	if we show show run include access list
0:10:49	lest remove what the sensor was using before, so we will delete its access list
0:10:59	So again now we know that as the traffic is transiting through the IPS
0:11:03	the signatures are triggering, so the inline VLAN pairing is correct
0:11:08	from router5, if I were to ping
0:11:10	the ASA, if I ping 10.0.125.12
0:11:16	notice that the IPS is receiving this as well
0:11:20	so this signatures now are going
0:11:22	in both directions
0:11:26	where the IPS is listening for traffic coming from the ASA going to router5
0:11:31	and it is listening for traffic coming from router5, going to ASA
0:11:36	so this is not necessarily an inside and outside interface like we have
0:11:40	on the firewall filtering
0:11:43	we are trading the
0:11:45	the traffic to signature in both direction
0:11:49	where previously with the
0:11:50	SPAN or the RSPAN configuration
0:11:52	we had the choice to
0:11:54	determine whether we are doing just to receive traffic
0:11:57	the transmit traffic, or both of them at the same time
0:12:00	so next lets look at our other signatures
0:12:02	that we have configured the custom one
0:12:05	if we go back to our configuration
0:12:07	and signature definition 60
0:12:10	we have signature id 60000
0:12:14	that said, if someone issues the string, the tcp string, delete flash
0:12:18	the action is that, we are going to reset their tcp connection
0:12:22	now since we are now running inline
0:12:25	we have much more control over
0:12:28	what the actions that we are going to produce are
0:12:31	so instead of resending the connection, I will say that we will
0:12:34	deny the
0:12:37	we will say the service pair inline
0:12:41	where the service pair is going to be
0:12:43	both the source address and the destination address
0:12:46	the protocol, so tcp, udp, icmp
0:12:50	and the source and destination ports
0:12:54	Now if we go back to the IPS
0:12:56	and we are still looking at the show logs
0:12:59	if we do the same testing of the signature as before
0:13:03	where we are going to come from the outside, lets say we are coming from the test PC
0:13:07	I am going to telnet into router6
0:13:09	and trigger the signature by saying delete flash
0:13:20	so lets go to the command prompt
0:13:21	prompt, we will telnet to 10.0.6.6
0:13:27	if I say delete flash
0:13:30	and see that the last character didn't show up there
0:13:33	because the response time is actually much faster
0:13:36	dealing with the inline blocking
0:13:38	as opposed to the blocking hop
0:13:42	because with the blocking host, I have to start the SSH session
0:13:45	and then actually issue the commands
0:13:47	but here on the sensors, since the traffic is now transiting directly between interfaces
0:13:51	its much more straight forward to filter it out
0:13:56	so it says now deny the attacker service pair is true
0:13:59	which is the attacker was the test PC at this port
0:14:05	the target or the victim was router6 at that port
0:14:11	if we go back to the IDM
0:14:15	and under monitoring
0:14:18	we have denied attackers
0:14:21	if we look at the details here
0:14:25	this is
0:14:27	we can see the attacker ip was 192.168.118.100
0:14:31	if I were to test this from somewhere else, lets say from router3
0:14:35	and do the same thing, we telnet into router6
0:14:40	and say delete flash
0:14:42	then we go back to the IDM
0:14:46	and refresh this denied attackers
0:14:48	we could see router3 is listed there as well
0:14:53	So really the overall configuration of the inline pairing
0:14:57	is actually much more straight forward than the promiscuous
0:15:00	and it gives us a lot more control over to how we are processing the traffic
0:15:04	because now all of the traffic from router5 to the ASA
0:15:08	has to go through this sub interface on the IPS
0:15:12	and then we can control exactly what we are doing with it
0:15:15	once it is on those interfaces

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

IPS Inline Mode, VLAN Pairing

Create Bookmark