0:00:13 In our next section we are going to begin our discussion of the IPS 4200 sensor.
0:00:19 We will look at its configuration both in the promiscuous mode and in the inline mode,
0:00:24 both from the command line interface and from the GUI interface of the IPS Device Manager.
0:00:32 And the overall goal of the IPS is to stop network threats
0:00:36 based on a set of predefined signatures that we are going to be monitoring traffic with,
0:00:42 anywhere from layer 2 all the way up to the application layer.
0:00:46 So similar to how we saw on the ASA and then the Cisco IOS with the zone based policy firewall,
0:00:53 when we were doing our application level inspections,
0:00:56 that's essentially what the IPS is doing,
0:00:58 but we are going to have more granular control of what exactly we do once those signatures are triggered.
0:01:06 So once these types of signatures are detected by the IPS, there are a number of different actions that we can perform,
0:01:11 such as generating an alert, which would be like a syslog message or an SNMP trap.
0:01:17 We could log the actual packets, the payloads, to figure out what exactly is going on with this attack.
0:01:23 We could stop the attacker from continuing to generate the attack.
0:01:29 We could deny traffic from the originating attacker, which is also known as shunning,
0:01:34 or block the service, which would be like the actual application, whether this be telnet or web browsing etc.
0:01:41 We could generate a TCP reset, which is going to drop, like, a web browsing session or an SSH session.
0:01:50 And we will have various different sections depending on the individual sections that we are looking at.
0:01:56 Now the two different modes of operation that I mentioned are the promiscuous mode and the inline mode,
0:02:02 which are going to control whether the sensor is actually in the physical transit path for the traffic
0:02:08 or whether it is just passively listening for the traffic.
0:02:13 The first of which, which is the promiscuous mode, is when the sensor is just passively looking for traffic,
0:02:19 and on the segment that is being monitored the traffic is then being copied to the sensing interface.
0:02:27 Now this is typically what you would think of when you have a packet analyzer like Wireshark or a sniffer,
0:02:33 where you are grabbing traffic from a certain segment in the network
0:02:37 and then redirecting it to this device for further analysis.
0:02:42 Now the key point about the promiscuous mode is that the traffic does not actually transit through the IPS's interfaces,
0:02:49 which means we are going to rely on some sort of other mechanism on layer 2
0:02:54 in order to get the traffic copied over to the monitoring interface of the IPS,
0:02:59 and in the case of the Catalyst switches this is going to be the Switch Port Analyzer or SPAN feature
0:03:05 and the Remote Switch Port Analyzer or RSPAN feature.
0:03:10 Once the traffic is actually being copied onto the sensing interface,
0:03:15 in order to take actions the IPS is going to rely on what's known as the blocking devices,
0:03:21 to initiate either a telnet session or an SSH session into the device in order to issue commands.
0:03:29 So for example we could have the sensor listening for a particular attack,
0:03:33 then based on the results of it you could telnet into a router and configure an access list
0:03:38 that is going to deny that particular source address, which is the attacker,
0:03:42 or maybe the individual service, like the TCP port values.
0:03:47 We could configure it to do policing on the routers,
0:03:50 and in the case of the ASA or the PIX you can do shunning,
0:03:54 which is similar to an access list, but it's more analogous to, like, a null route
0:03:59 on the router, where we are just saying that if traffic comes in from this particular source, I am going to discard it.
0:04:06 Now if we were to visualize the difference between the SPAN and the RSPAN feature in the promiscuous mode,
0:04:14 the difference between them really is dependent on the sensor itself
0:04:19 and where the sensing interface, which is sometimes called the virtual sensing or the VS interface,
0:04:27 where that is located in respect to the segment that we are actually trying to monitor.
0:04:33 So let's say for example that we have a segment that is between router1 and router2,
0:04:39 and on the LAN segment between them we want to monitor traffic that is going from 1 to 2,
0:04:45 then based on these signatures triggering we are going to perform some actions.
0:04:50 Now if all three of these devices are attached to the same layer 2 switch, let's say we have switch1 in the middle,
0:04:58 then as traffic is transiting from router1 to router2 we can take a copy of this and send it on to the sensing interface,
0:05:08 again when we are running in promiscuous mode.
0:05:14 Now here note that the sensor is not in the physical transit path, so it's not actually filtering any of the traffic that is going between router1 and router2,
0:05:22 but we could configure it from an outside interface, from its management interface,
0:05:30 to perform some sort of actions; maybe we are going to telnet into router2 and then perform an action
0:05:36 like configuring an access list or configuring policing based on some signature that is being triggered.
0:05:43 But the key point here is that the traffic is not physically transiting through the IPS,
0:05:47 so we need to redirect it with the SPAN session, or the Switch Port Analyzer.
0:05:53 Now this type of physical design here would be considered a SPAN session on the switch,
0:05:58 because the source of the traffic, which is either of the ports that are connected to router1 and router2,
0:06:04 is on the same physical device that the destination is, which is towards the sensing interface of the sensor.
0:06:12 Now in the case where there is, between where the sensor is located and where the monitored segment is located,
0:06:22 so let's say that we have router1 and router2 connected to switch1,
0:06:28 but then the IPS sensor is connected to some other device, let's say switch2,
0:06:34 and maybe we have multiple layer 2 switches in the transit path, so we go from switch2 to switch3, then we go down to switch1,
0:06:44 where in this type of design the source of the session is located on one switch and the destination of the session is located on another one.
0:06:53 This is what we would consider an RSPAN session or Remote Switch Port Analyzer,
0:06:59 where switch1 is going to say, as traffic is coming in from router1, I am going to make a copy of it onto our particular VLAN;
0:07:06 this is then going to be forwarded across the layer 2 trunk links until it gets sent out of the final destination.
0:07:15 Now the difference between these, the SPAN and the RSPAN, is then going to be dependent on the physical design of the network.
0:07:22 So if you are using promiscuous mode you need to consider: are the devices on the same physical segment?
0:07:28 In which case you are going to be running the SPAN feature,
0:07:32 or if they are across different layer 2 devices, we are going to be running RSPAN,
0:07:36 which assumes that we have a layer 2 trunking transit path between the switches.
0:07:44 Now the mode that is much easier from a design point of view is the inline mode,
0:07:49 where in the case of the inline the traffic is actually transiting through the IPS's interfaces,
0:07:55 where sometimes this is considered a bump in the wire,
0:07:58 where, like a transparent firewall, the devices on the LAN segment are in the same IP network but they are in different layer 2 segments.
0:08:10 Now as opposed to the promiscuous monitoring, where we are redirecting the traffic to the sensor,
0:08:16 in the case of inline we simply have the IPS connecting to essentially an inside and an outside network,
0:08:24 where we have router1 and router2; then router1 may be on the network 10.0.0.1, router2 is 10.0.0.2,
0:08:34 but we have separate VLANs, maybe VLAN 10 on the inside and VLAN 20 on the outside.
0:08:41 So there is no way for the traffic to get to router1, or from router1 to router2, without physically transiting through the IPS sensor.
0:08:50 So the traffic, since it is actually going in one interface and then out another interface, this is considered the inline mode.
0:08:59 Now with the inline mode, the disadvantage would be, since we have to actually switch the packets between the interfaces,
0:09:06 then generally this is going to be slower from a forwarding point of view than the promiscuous mode,
0:09:12 but the advantage of this is that the action response time is going to be faster
0:09:17 and we have more granular control over exactly what the actions are,
0:09:21 because all of the packets are physically transiting through their paths.
0:09:28 Now configuration wise, for this platform we are going to have two different options,
0:09:32 from either the command line interface or from the web interface, which is the IDS Device Manager, the IDM,
0:09:40 and in the case of the scope of the CCIE lab exam you will have access to both the command line and the IDM.
0:09:48 Now the CLI, just like the routers' or the ASA's CLI, this is where we would connect to the console or remotely through either telnet or SSH.
0:10:00 The CLI is going to be good for some of our basic initial configurations, like configuring an IP address, configuring basic interface parameters,
0:10:08 but it's going to be much more difficult and much less intuitive to do advanced configurations than the GUI interface is.
0:10:17 Now for the IDM, this is going to be better for any type of advanced configuration, like for example the custom signature wizard.
0:10:26 You technically can do this from the command line interface, but it's going to be much more configuration intensive,
0:10:32 and really the logic is not that straightforward when we look at the CLI versus the GUI interface for some of these configurations.
0:10:40 Now unfortunately, with the particular versions that they use in the CCIE lab exam, sometimes there are problems with configuring certain options from the IDM interface.
0:10:51 So you do want to make sure that when you go through these advanced customizations, you at least look at the result of that on the command line,
0:10:58 so worst case scenario, if the IDM is not working, you should be able to piece this configuration together from the CLI.
0:11:06 Now the basics of the CLI configuration: the first thing we would do for the initialization of the device is going to be to configure an IP address on it.
0:11:16 Now the structure of the command line is basically different from any other platform that we have seen up to this point;
0:11:23 it's really not very similar to the IOS, it's not very similar to the ASA.
0:11:27 So you do definitely need to spend some time getting familiar with how this interface works.
0:11:33 Now it does have a hierarchy, just like the routers have, where we have our exec mode, global configuration mode, interface mode etc.,
0:11:42 but on the IPS they call this different services, where we would have service host, service interface, that is going to control different types of parameters,
0:11:53 and you don't necessarily need to memorize exactly what the structure of the sub configuration modes is,
0:12:00 because there are some shortcuts we can use from the command line to figure out exactly what these settings look like.
0:12:08 So let's say for example within our topology that we want to configure an IP address on the IPS sensor,
0:12:15 which is going to be located on this VLAN 10; its address is going to be 10.0.0.13,
0:12:23 and we want it to be managed from the ACS server, which is 10.0.0.100.
0:12:31 This is generally going to be your basic first step to configuration,
0:12:35 because without the address configured and without the access list configured,
0:12:39 you cannot get into the IDM in order to do any other more advanced configuration from the web interface.
0:12:47 So let's take a look at the CLI of the IPS sensor,
0:12:52 and assuming that you are not the one that's going through the basic initial setup, you will need to have the specific login information for the sensor; it does always require a login.
0:13:02 So whatever the particular device information is, within the scope of the lab exam they will be providing you with this,
0:13:14 and once we log in we are going to be placed in exec mode.
0:13:18 Now the equivalent of the show run from IOS is going to be the more current-config.
0:13:33 Right now we can see that there are not many settings configured here, because we have a blank configuration.
0:13:39 It does however have some defaults for the IP address configured on the interface,
0:13:46 but somebody in here is defaulting to 10.1.9.102 with a subnet mask of /24, and its default gateway is 10.1.9.1.
0:13:56 We could see this is under the first hierarchy of service host, then from there it's under network settings, and then it's the host IP.
0:14:06 So if we were to go into the global configuration, we will say config t, and then service; in this particular case it's going to be under service host.
0:14:15 Once you get under this main configuration mode you could look at the show settings,
0:14:21 which is not only going to show us the different default values that are configured,
0:14:26 but it's also going to show us the hierarchy of that sub configuration mode,
0:14:31 where in this particular case one of the first levels is network settings;
0:14:34 then under network settings we have the host IP, the host name, the access list;
0:14:39 then under the access list we could add different entries, which is ultimately going to control who can telnet into the sensor or who can manage it from the IDM.
0:14:56 Then if we continue to scroll down, we can see that the timezone is not set, there is no NTP configured,
0:15:04 there is a crypto key, which is my public key; this is going to be then used for SSH or for SSL access to the IDM web interface,
0:15:19 and it says the password recovery is allowed.
0:15:23 So from here the basic changes that we are going to make are under network settings, which you can see here: we're under service host, then under network settings.
0:15:34 I want to change the host IP, where in this topology again my address is going to be 10.0.0.13/24,
0:15:48 and I will say that the default gateway, the gateway is going to be the ASA's DMZ interface, that's .12, 10.0.0.12.
0:16:02 Now once I make these changes, I have to exit all the way out to exec mode to actually apply them.
0:16:08 So remember that whether you are making the changes from the CLI or from the IDM, you always need to apply your changes before they go into the active current configuration.
0:16:19 So let's also set the hostname; we will say rack9 IPS.
0:16:27 We exit out here. Apply the changes? Yes.
0:16:37 So we exit all the way out; we could see now the hostname is changed.
0:16:42 If we look at the more current-config, which again is the equivalent of show run,
0:16:56 we could see under service host we changed the address, it's now 10.0.0.13/24, and this is our default gateway.
0:17:05 Additionally telnet is disabled by default; we could enable that if we want telnet access,
0:17:11 but for a security device like this you would typically not; you want to use SSH or your HTTPS access through the IDM.
0:17:21 So now if we were to go to the ASA, which is on that same segment, and ping 10.0.0.13,
0:17:32 we could see at this point we do not have access, from a basic ping, basic ICMP ping, to the IDM's management interface.
0:17:42 We ping 10.0.0.100, that's the Windows machine, the ACS server on that segment.
0:17:50 So there is connectivity right now between these two hosts, but not from the ASA to the sensor,
0:17:56 and let's try this from the Windows machine as well, so let's go to the AAA server and ping 10.0.0.13;
0:18:06 we can see this is denied as well.
0:18:09 The reason why is that for all access to the management interface, whether it's telnet or SSH or the IDM or even for pings,
0:18:19 the sensor is going to deny this unless that individual host is listed in the access list under the service host configuration.
0:18:30 So this is also where we are going to put the trusted host for the IDM management.
0:18:35 So under the service host, network settings, then we have an access list that specifies who the management stations are.
0:18:43 So let's go back to global config, under service host; we could see that again, if we look at show settings, it says the access list doesn't have any options.
0:18:54 So let's go to access list, under network settings first, then access list.
0:19:09 This is going to include the ACS server, which is 10.0.0.100/32, and let's also say the ASA, which is 10.0.0.12.
0:19:28 So if we exit all the way out, Apply the changes? Yes.
0:19:31 Then I should now see from the ASA, I should be able to ping the IPS sensor, which we can;
0:19:39 from the Windows machine likewise I should be able to ping there, which I can.
0:19:44 However, since telnet is disabled, I am not going to have access to the command line,
0:19:51 but at this point now I should at least be able to get to the IDM in order to start doing my additional configuration.
0:20:00 So open up our web browser and go to https; the address here is 10.0.0.12, or actually, excuse me, 10.0.0.13.
0:20:19 We should now be able to get to the IDM; it should ask us for the same login information,
0:20:25 so whatever the username and password you are provided with,
0:20:28 and now we could see we have access to the web interface.
0:20:32 Now from here we could see it says that we have two interfaces, gigabit 0/0 and gig0/1;
0:20:39 one of them is for management and one of them is for sensing.
0:20:43 For most of the platforms you are going to have one interface you can use for sensing,
0:20:48 but we will look at some variations where we can subdivide this into basically VLAN sub interfaces with trunking.
0:20:56 So the only difference between having multiple physical interfaces and one physical interface
0:21:01 is that we can have a larger aggregate bandwidth or a larger aggregate forwarding if we have multiple physical interfaces versus just one.
0:21:09 Now additionally we can have different virtual sensors, different virtual signature engines, different virtual anomaly engines,
0:21:18 that work similar to how the contexts work on the ASA,
0:21:22 where we have one physical box but then multiple unrelated policies that could be assigned to different interfaces.
0:21:30 Now in this case I only have one physical link; I can't assign different sensors when we are running in promiscuous mode,
0:21:38 but we will see that when we are running in inline mode we can do inline pairing between different VLAN sub interfaces,
0:21:46 and I could have multiple virtual sensors at the same time just by configuring more than two VLAN sub interfaces.
0:21:57 OK, so let's go back to the command line here,
0:22:00 and the other basic configuration changes we would want to make here would be to enable the interfaces and to get the basic sensing working.
0:22:10 So if we look at the more current-config, the service interface, this is going to control the interfaces, like are they administratively shut down or are they enabled;
0:22:39 then under the service analysis engine, which is this one down at the bottom,
0:22:49 this is where we would activate the interface and basically assign a sensor to it,
0:22:55 which is then bound to a signature definition engine and an anomaly detection engine,
0:23:03 which again is going to be used for using multiple virtual sensors within the same physical box.
0:23:10 So the next thing I would want to do, if we go to global config, let's go to service interface;
0:23:15 if we look at the show settings, again this is going to show our defaults,
0:23:21 where gig0/0, it says right now that the admin state is disabled, so this interface is shut down.
0:23:29 Gig0/1, this is the management interface, which is also known as the command and control, the c.
0:23:44 So right now this is enabled. Gigabit 0/1, I would want to enable this if I want to actually receive traffic on the interface.
0:23:52 So let's now go under physical interfaces; my physical interface here is gig0/0,
0:24:04 and I may need to type out the whole thing here, let's say gigabit ethernet 0/0,
0:24:12 and I want to change the admin state to enabled.
0:24:20 So once I exit all the way out of here, I can apply the changes; that's going to bring the interface up.
0:24:25 If we go back to the IDM and refresh this, then what we should see is this interface here, gig0/0, should change its link state to up, which it now has.
0:24:38 Now it says the mode is unpaired for the interface,
0:24:42 which essentially means the only thing we did so far was saying no shutdown; we're physically enabling the link,
0:24:50 but we haven't configured it to actually start receiving any traffic.
0:24:55 So for enabling it again, on the command line again, that's going to be under service interface, physical interfaces, and then the admin state, whether it's enabled or disabled.
0:25:04 The other thing we would need to do from the CLI, just to get our basic sensing up and running,
0:25:10 is to assign the sensing interface to a particular analysis engine, or to a particular virtual sensor.
0:25:18 So again this is under service analysis engine; service analysis, we look at show settings,
0:25:32 this would be virtual sensor; it says the default one is vs0, we could define a new one if we wanted to,
0:25:39 but it says that virtual sensor 0 by default is assigned to signature definitions 60, and event action rules, rules0, and anomaly detection ad0.
0:25:52 We will see when we get into more customization here, these different sets of rules we can change
0:25:57 to control what particular types of traffic the sensor is looking for, which is the signatures,
0:26:04 and then if those are triggered, what exactly do we do, which is defined by the event actions,
0:26:10 and then anomaly detection is going to be for zero day type attacks, where there hasn't been a predefined signature,
0:26:18 but we are looking at a baseline of network behavior over a long term average;
0:26:23 then once we go outside of that normal behaviour, some anomaly occurs, then we can have the sensor perform an action.
0:26:32 But really the only minimum thing that I need to do from here is to go to the service analysis engine, then under the virtual sensor, for vs0, I would need to assign it to the physical interface.
0:26:50 If I was doing inline interfaces with different sub interfaces, I would apply it to the logical interface, but in this case it's going to go to the physical one.
0:27:00 So we will say virtual sensor, in this case it's vs0, which is one of the defaults, and I want physical interface gigabit ethernet 0/0.
0:27:17 If we now go back to the IDM, we should see that the mode is that it's assigned to the virtual sensor.
0:27:28 We could also see this if we go to the configuration tab, then under our interface configuration, if we go to the summary,
0:27:37 it says gigabit ethernet 0/0, it's now in promiscuous mode; it's assigned to virtual sensor 0.
0:27:46 Now the next thing we would need to do is to configure the SPAN configuration, assuming that we are running in promiscuous mode, which is what the interface is doing by default,
0:27:57 and again the SPAN or RSPAN configuration is going to be used to actually redirect the traffic to the sensor.
0:28:04 So in designs where you are using packet analysis, like with a sniffer, you would want to do SPAN,
0:28:10 or in our case, currently here we are using an IPS in promiscuous mode,
0:28:15 where again there are two different modes of this, SPAN and RSPAN.
0:28:19 SPAN means that both the source and the destination of the session are on the same local device,
0:28:25 where RSPAN means that the source is local but the destination is on some remote device,
0:28:31 or vice versa, where the source is remote and the destination is local.
0:28:39 Now in my particular example here, if we look at the topology, what I am going to set up is that the IPS sensor has its command and control interface, or basically the management interface, on VLAN 10,
0:28:52 but the sensing interface is going to be located on VLAN 125.
0:28:58 So we have the sensing interface, which is gig0/0, which is assigned to virtual sensor 0,
0:29:06 and I want it to receive traffic that is going on VLAN 125.
0:29:11 So we will say that this is the outside network, and this is the inside network that I am trying to protect.
0:29:21 So as the traffic is transiting through that VLAN 125 segment, I want the IPS sensor to listen for it.
0:29:28 Now there are a couple of different ways that I can do this, but it's really dependent on what the physical layer 1 topology is.
|
0:29:36
|
Now in my design here
|
|
0:29:39
|
the
|
|
0:29:40
|
IPS sensor
|
|
0:29:42
|
has its
|
|
0:29:44
|
sensing interface
|
|
0:29:46
|
which here we have assigned to vs0
|
|
0:29:49
|
this is, physically gig0/0
|
|
0:29:52
|
and this interface
|
|
0:29:54
|
is connecting to switch2's
|
|
0:29:57
|
port
|
|
0:29:58
|
fastethernet0/10
|
|
0:30:03
|
/10
|
|
0:30:05
|
Now additionally router5
|
|
0:30:07
|
has its fastethernet0/1 interface
|
|
0:30:10
|
connected to fast ethernet 0/5
|
|
0:30:15
|
then router5 is trying to talk to
|
|
0:30:17
|
the rest of the IP network, its going out to the ASA
|
|
0:30:21
|
that connection is on a different switch
|
|
0:30:25
|
Now what this means from a traffic
|
|
0:30:26
|
monitoring point of view, with the SPAN session or the RSPAN
|
|
0:30:30
|
what I want to do is listen for traffic as it
|
|
0:30:32
|
comes in to router5
|
|
0:30:35
|
and I want to make a copy of this and drop it off on the sensors
|
|
0:30:39
|
sensing interface
|
|
0:30:42
|
since now both the source and the destinations
|
|
0:30:45
|
are located on the same physical switch
|
|
0:30:48
|
it means that this can be configured with a
|
|
0:30:51
|
SPAN session
|
|
0:30:52
|
with a local SPAN, not a remote SPAN
|
|
0:30:56
|
So now lets take a look at the command line of switch2
|
|
0:31:01
|
on switch2, if we look at the show
|
|
0:31:02
|
interface status
|
|
0:31:06
|
we could see based on the descriptions that I have configured here
|
|
0:31:09
|
that the sensing interface is on fastethernet0/10
|
|
0:31:13
|
and then router5's interface is on fastethernet0/1
|
|
0:31:17
|
so essentially what I want to do, is take any packets that are going
|
|
0:31:21
|
towards that interface
|
|
0:31:23
|
So I will say that they are going out to router
|
|
0:31:25
|
5, which will be transmitted
|
|
0:31:27
|
or I could say, if I want it to receive from router5
|
|
0:31:31
|
but I want to take these and I want to make a copy onto the sensing interface
|
|
0:31:35
|
which again is going to be from the local SPAN configuration
|
|
0:31:40
|
Now syntax-wise, this is very straightforward, there are basically only two commands that we need to issue
|
|
0:31:45
|
the first one is to specify, what is the source of traffic
|
|
0:31:48
|
this is the monitored session
|
|
0:31:50
|
we give it a locally significant number
|
|
0:31:53
|
specify what is the source interface, or what is the VLAN
|
|
0:31:57
|
where in the case of interface, we could specify the direction, whether inbound or outbound
|
|
0:32:01
|
the VLAN is going to be all traffic, that is forwarding through that VLAN
|
|
0:32:06
|
then we will specify what's the destination
|
|
0:32:09
|
So we are making a copy from the source
|
|
0:32:11
|
we are dropping it off on the destination interface
|
|
0:32:15
|
Normally when the switch has an outgoing
|
|
0:32:17
|
SPAN interface, which is the destination
|
|
0:32:20
|
any traffic that then comes back
|
|
0:32:22
|
in on that link
|
|
0:32:23
|
is automatically going to be discarded
|
|
0:32:26
|
unless we use the ingress option
|
|
0:32:29
|
which in our particular design for the IPS
|
|
0:32:32
|
is going to be used when we are generating
|
|
0:32:34
|
TCP resets
|
|
0:32:36
|
out
|
|
0:32:37
|
the command and contro.., excuse me, not the command and control, out the sensing interface
|
|
0:32:42
|
so we'll look at some more details on that later, where based on
|
|
0:32:46
|
certain signatures being triggered
|
|
0:32:48
|
we could tell the sensor to drop the TCP connection
|
|
0:32:52
|
by essentially spoofing a TCP reset
|
|
0:32:55
|
but in order to allow for this
|
|
0:32:57
|
I need to tell the layer 2 switches
|
|
0:33:01
|
that when I make a copy
|
|
0:33:03
|
of the traffic from this segment
|
|
0:33:05
|
out to the sensor, so it's going out
|
|
0:33:09
|
that particular port
|
|
0:33:10
|
the sensor is then going to be
|
|
0:33:12
|
replying with the TCP resets
|
|
0:33:15
|
I need to make sure that these resets look like they are
|
|
0:33:18
|
coming from VLAN 125
|
|
0:33:22
|
So essentially with the resets the IPS is spoofing
|
|
0:33:26
|
the attacker and the victim
|
|
0:33:27
|
in order to drop that particular session
|
|
0:33:34
|
So configuration wise, I am going to say that the source of the traffic
|
|
0:33:38
|
is fastethernet0/5
|
|
0:33:40
|
the destination is fastethernet0/10
|
|
0:33:43
|
and if the packet were to come back
|
|
0:33:45
|
in on the sensing interface
|
|
0:33:47
|
I want to treat it as if it was VLAN 125
|
|
0:33:53
|
So globally this is going to be the monitor
|
|
0:33:56
|
session command
|
|
0:33:59
|
the source
|
|
0:34:01
|
is interface fastethernet0/5
|
|
0:34:04
|
and I will say
|
|
0:34:06
|
both directions, so inbound or outbound
|
|
0:34:09
|
the monitor session
|
|
0:34:12
|
destination
|
|
0:34:14
|
is interface fastethernet10
|
|
0:34:17
|
and I will say that if traffic comes back in
|
|
0:34:20
|
treat it as if it was coming
|
|
0:34:21
|
in on VLAN 125
|
|
0:34:26
|
where the only reason I need to do this
|
|
0:34:27
|
is because the IPS is going to be generating TCP resets on that link
|
|
0:34:33
|
if I had more than two
|
|
0:34:35
|
physical interfaces on the sensor
|
|
0:34:36
|
I could configure it to use other interfaces
|
|
0:34:39
|
as an alternate
|
|
0:34:41
|
TCP reset link
|
|
0:34:43
|
but with promiscuous mode, if you only have two interfaces
|
|
0:34:46
|
then the resets are going to be coming back in on the same interface that is used for the monitoring
|
|
0:34:55
|
if we look at the show monitor session 1
|
|
0:35:01
|
says right now packets should be coming in
|
|
0:35:03
|
or going out, fastethernet 0/5
|
|
0:35:06
|
we are going to make a copy then on
|
|
0:35:08
|
fastethernet0/10
|
|
0:35:12
|
Now in order to test this out
|
|
0:35:15
|
we need to go to the sensor
|
|
0:35:17
|
and see if it's actually receiving the traffic on
|
|
0:35:20
|
that interface
|
|
0:35:22
|
and an easy way to do this
|
|
0:35:24
|
is to turn on some of the very basic signatures
|
|
0:35:27
|
on the IPS
|
|
0:35:29
|
for management traffic
|
|
0:35:32
|
but say like for an ICMP ping
|
|
0:35:36
|
Now we can't do this from the CLI, or we could do this from the
|
|
0:35:39
|
the web interface
|
|
0:35:41
|
for the rest of the interface, I am going to be using the GUI interface, the IDM
|
|
0:35:45
|
because if you have the choice between the two of them
|
|
0:35:47
|
you would definitely prefer to do the IDM for
|
|
0:35:50
|
essentially everything else beyond this
|
|
0:35:55
|
so in the IDM
|
|
0:35:57
|
under configuration, we are going to go
|
|
0:35:59
|
signature definitions
|
|
0:36:01
|
and then signature engine 0, which is the default
|
|
0:36:06
|
Now at advanced configurations, again I
|
|
0:36:08
|
could have multiple signature engines
|
|
0:36:10
|
but in this case I am using all of the defaults
|
|
0:36:13
|
for everything up to this point
|
|
0:36:14
|
So signature engine 0
|
|
0:36:16
|
is then assigned to the sensor, virtual sensor 0
|
|
0:36:21
|
where virtual sensor 0
|
|
0:36:23
|
is then assigned to that interface in promiscuous mode
|
|
0:36:31
|
So under signature definitions, signature 0
|
|
0:36:34
|
this is going to show us all the possible
|
|
0:36:37
|
signatures that are currently supported
|
|
0:36:40
|
Now not all of them are necessarily going to be enabled, you can see under this column, some are on, by default
|
|
0:36:45
|
a lot of them are off by default
|
|
0:36:48
|
So I could actually do one of these attacks
|
|
0:36:51
|
if I had some application to generate an unknown IP protocol
|
|
0:36:55
|
or to edit the IP options so that there is something wrong in that
|
|
0:36:59
|
the actual packet header
|
|
0:37:00
|
that's going to trigger the signature
|
|
0:37:02
|
but for my purposes, I am going to do something
|
|
0:37:04
|
much more straightforward
|
|
0:37:06
|
where if we go down towards signatures 2000
|
|
0:37:12
|
signature 2000 and 2004
|
|
0:37:17
|
these are ICMP echos and ICMP echo request
|
|
0:37:20
|
or ICMP echo and ICMP echo replies
|
|
0:37:23
|
So ping and ping reply
|
|
0:37:26
|
Now for 2004, which is the echo request or ping
|
|
0:37:30
|
says this is not enabled, right now
|
|
0:37:33
|
So I am simply going to select this one
|
|
0:37:35
|
and enable it
|
|
0:37:37
|
So now it says enabled? - Yes
|
|
0:37:40
|
then just like on the command line, I need to make sure to apply this
|
|
0:37:44
|
to go back down to 2000
|
|
0:37:48
|
what it says here is that for
|
|
0:37:50
|
this particular signature, if you double click, it's going to show you details
|
|
0:37:54
|
says that if an echo reply is heard
|
|
0:37:57
|
the event action
|
|
0:37:59
|
that is performed, is I am going to produce an alert
|
|
0:38:03
|
which is basically like a log message
|
|
0:38:06
|
so now what I can do is go either
|
|
0:38:08
|
under the monitoring tab
|
|
0:38:11
|
go under advanced
|
|
0:38:14
|
and view the event log
|
|
0:38:17
|
Now the problem with this event log is that it's not a real-time log
|
|
0:38:20
|
see, you constantly have to refresh it
|
|
0:38:24
|
or I could go to
|
|
0:38:26
|
the command line interface
|
|
0:38:28
|
and under the command line interface, we are going to look at the
|
|
0:38:32
|
show events
|
|
0:38:35
|
Now from here we can specify, what type of events that we want
|
|
0:38:39
|
specifically in this case I want alerts
|
|
0:38:43
|
where if I were to just say show advance and hidden errors, it's also going to show me all sorts of status messages that I don't need to see
|
|
0:38:50
|
but before I am going to do this, I am going to say the terminal link is zero
|
|
0:38:55
|
which means that when showing me the events, it's automatically going to scroll through it without me having to hit
|
|
0:39:00
|
the space bar or enter
|
|
0:39:03
|
So I will say show events
|
|
0:39:06
|
and specifically the alerts
|
|
0:39:10
|
So, now what should happen is that if
|
|
0:39:14
|
an ICMP ping
|
|
0:39:18
|
comes in from somewhere
|
|
0:39:21
|
on the outside
|
|
0:39:23
|
transits this inside interface
|
|
0:39:26
|
what we should see happen is that it's going to be redirected
|
|
0:39:31
|
from the VLAN 125, it's going to be redirected to the sensor
|
|
0:39:37
|
since the sensor has the signature enabled
|
|
0:39:40
|
it's then going to generate
|
|
0:39:41
|
an alert message
|
|
0:39:44
|
Now it's not actually going to do anything other than that, because the event actions are just generate an alert
|
|
0:39:49
|
but if I can send the ping
|
|
0:39:51
|
and then see the output here under show events
|
|
0:39:53
|
I know at a minimum that my
|
|
0:39:55
|
basic SPAN configuration is correct
|
|
0:39:58
|
and the interface
|
|
0:39:59
|
assignments and the
|
|
0:40:01
|
the virtual sensor assignment
|
|
0:40:06
|
so lets try this from router1
|
|
0:40:10
|
lets ping
|
|
0:40:12
|
10.1.125.5
|
|
0:40:15
|
which is router5's interface
|
|
0:40:22
|
Now the sensor isn't getting any logs yet
|
|
0:40:26
|
and actually the reason why I forgot to change
|
|
0:40:29
|
is on the ASA, we are going to be dropping the packets as it comes
|
|
0:40:33
|
in on the outside interface
|
|
0:40:37
|
Now to take the ASA out of the equation, just for this particular example
|
|
0:40:41
|
what I am going to do is on
|
|
0:40:43
|
both the DMZ and then inside
|
|
0:40:46
|
excuse me, the DMZ and the outside interface
|
|
0:40:50
|
I am going to simply allow everything
|
|
0:40:52
|
So access list 100 permit any any
|
|
0:40:56
|
access group 100 in interface outside
|
|
0:41:00
|
and in interface DMZ
|
|
0:41:05
|
we will come back later and look at more specific filtering examples
|
|
0:41:08
|
but we would need to specifically permit or specifically deny
|
|
0:41:12
|
for the IPS sensor
|
|
0:41:15
|
So lets see now from router1 if we generate these pings
|
|
0:41:19
|
they get to router5
|
|
0:41:21
|
if the sensor triggered the signature
|
|
0:41:25
|
we now
|
|
0:41:28
|
we now know that our basic SPAN configuration is working
|
|
0:41:32
|
and that the
|
|
0:41:34
|
the sensor's interface is configured correctly
|
|
0:41:37
|
Now we could see there from the output, it says that the signature's description is the ICMP echo
|
|
0:41:41
|
it's identified as 2004
|
|
0:41:44
|
with a sub signature ID of 0
|
|
0:41:48
|
So this is sig ID 2004
|
|
0:41:52
|
sub id 0
|
|
0:41:56
|
this came in on interface, virtual sensor 0
|
|
0:42:00
|
the attacker was router1, that's where the packets came from
|
|
0:42:03
|
the target, or the victim, was router5
|
|
0:42:06
|
and the
|
|
0:42:09
|
result of this
|
|
0:42:11
|
the event action is basically
|
|
0:42:13
|
that we just produce an alert
|
|
0:42:16
|
Now if there were some other actions, like we are going to do filtering
|
|
0:42:18
|
or we can do rate limiting
|
|
0:42:20
|
we would see another field here that says Event action
|
|
0:42:24
|
but we can also see some of the detail about the signature
|
|
0:42:27
|
it says that
|
|
0:42:30
|
we have a summarization of the event where it says
|
|
0:42:32
|
5 events happened in this interval
|
|
0:42:35
|
so even though we sent more than one ping
|
|
0:42:38
|
it's not generating
|
|
0:42:39
|
an individual alert for all of them
|
|
0:42:42
|
we then have this Target Value Rating or the TVR
|
|
0:42:46
|
which it says, this is a medium severity
|
|
0:42:48
|
and a threat rating value of 35
|
|
0:42:52
|
where depending on
|
|
0:42:54
|
what type of signatures are triggering
|
|
0:42:57
|
we can have the sensors to perform actions once the threat value goes above a certain threshold
|
|
0:43:02
|
or we can give them different categories
|
|
0:43:04
|
or maybe a high alert
|
|
0:43:07
|
I want to
|
|
0:43:08
|
block the connections, versus a low alert, where maybe I just want to generate a log message
|
|
0:43:15
|
but at least up to this point we know that the traffic
|
|
0:43:18
|
is being properly redirected to the sensor's interface
|