CCIE Security Advanced Technologies Class - IPS Virtual Sensors and Signature Engines

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	In our next section on the IPS
0:00:16	we are going to look at running multiple virtual sensors with different signature policies
0:00:21	when we are running the inline vlan pairing
0:00:25	where with our previous example we have the ips
0:00:27	on VLAN 125
0:00:30	that as traffic is moving from ASA2 to router5 and vice versa
0:00:35	they was being sent to
0:00:36	the virtual sensor 0
0:00:38	which was assigned the signature zero set
0:00:43	in addition to this we are also going to put another sensor
0:00:46	on the segment between router3
0:00:48	and router4
0:00:51	we will say that this is virtual sensor1
0:00:56	that is going to use a separate set of signature, we will say that this would be signature definition1
0:01:02	that then can have different
0:01:03	custom signatures or different
0:01:05	enabled or disabled signatures
0:01:08	based up on exactly what we are trying to protect
0:01:13	so similar to the ASA where we can have the multiple context
0:01:16	we are essentially taking the one physical box at the IPS
0:01:20	and then splitting it into multiple logical devices
0:01:24	Now in order to do this, just like we did with the last example in the
0:01:28	inline VLAN pairing
0:01:30	we now need to separate router3
0:01:32	and router4
0:01:34	into separate segments
0:01:37	where previously
0:01:40	the traffic from 3 to 4 was using VLAN 34
0:01:46	we need to now split this into two different segment
0:01:48	we will say that this is VLAN30
0:01:52	and the connection to router3
0:01:54	and then VLAN40
0:01:56	on the connection to router4
0:02:01	Now we already have the sensor on the switches configured as a trunk
0:02:05	So really the only thing that I need to do
0:02:08	is go to the switch
0:02:09	that is connecting to router4
0:02:13	which is switch1, lets say show run interface fastethernet4
0:02:18	I am going to put this in
0:02:20	VLAN40, so we will say switch port access VLAN 40
0:02:26	that I also need to make sure that both of these are created, so VLAN 30 and 40
0:02:31	then on the connection to router3
0:02:33	which is switch2's port fastethernet3
0:02:37	I am going to put this one in VLAN 30
0:02:40	switch port access VLAN 30
0:02:45	and both of the this switch know about both of the VLANs
0:02:49	Now eventually when we look at the show interface fastethernet10 trunk
0:02:54	which is the link that is going to the sensor
0:02:57	I eventually will see VLAN 30 and 40
0:03:00	30 and 40 forwarding
0:03:05	on to interface
0:03:08	Now typically when you do this from an
0:03:10	real design point of view
0:03:12	I would not want all of the VLANs
0:03:14	going to the sensor
0:03:16	because really we are only using
0:03:18	VLANs 125 and 555
0:03:21	for the pairing between router5 and ASA2
0:03:25	and then VLANs 30 and 40 for this particular pairing
0:03:28	So to cut down the amount of traffic
0:03:30	It would normally be a good idea to go to the trunk link
0:03:33	and then limit the number of VLAN
0:03:36	so we will say switch port trunk allowed
0:03:39	is VLANs 30
0:03:41	40 125 555
0:03:45	so two separate pairings
0:03:47	30 and 40, this is routers 3 and 4
0:03:50	and 125 and 555, this is router5 and the ASA
0:03:59	next if we go to the IDM
0:04:03	under the signatures
0:04:06	So we have signature definitions for 60
0:04:12	I am going to clone
0:04:13	or basically copy, the previous
0:04:16	definition of signatures will say that this is sig1
0:04:25	then under the virtual sensors
0:04:27	I am going to add a new one, we are going to call this VS1
0:04:33	the description will be the
0:04:35	say R3 to R4
0:04:39	virtual sensor
0:04:48	actually VS1, I wanted to name it, not VS2, thats ok
0:04:52	So this is virtual sensor2
0:04:54	then under the VLAN pairing
0:04:57	we are going to add new pairing
0:04:58	that is on the same interface, because we only have one physical link
0:05:01	we will say that this sub interface 2
0:05:03	that is pairing between VLANs 30 and 40
0:05:06	this is the R3 to
0:05:08	R4 pairing
0:05:15	where then if we go back to the virtual sensor
0:05:18	I want this one applied
0:05:20	to that second pairing
0:05:26	so again similar to the context, we now have
0:05:28	two different sensors internally
0:05:31	that have
0:05:34	I will see there, both actually assigned the same signature policy, which I will
0:05:37	need to change this, I would say
0:05:40	I want signature policy1 for the second sensor
0:05:43	then I could add new event action rules or new
0:05:46	anomaly detection
0:05:48	really depends on how granular I want to be for this new policy
0:05:56	Now since the signature
0:05:57	definition1, sig1 was copied for sig0
0:06:01	what we should see
0:06:04	is that once the traffic is transiting
0:06:06	from 3 to 4
0:06:09	we will have the same monitoring policy as we did before
0:06:13	which means that the ICMP echos
0:06:15	should be generating the alerts
0:06:17	and that custom signature, where we were deleting the flash
0:06:21	that should also be
0:06:22	used to block the connection pair inline
0:06:27	So if we were to now go to the sensor
0:06:30	and were still looking at the show event
0:06:33	alerts
0:06:36	then if we were to go to router3
0:06:39	and ping router4
0:06:44	we should see that the alert is generated, which it did
0:06:49	so I now know that the pairing between router3 and router4 is properly working
0:06:53	if I were to go to router3 and telnet to 4
0:07:00	and then say delete flash
0:07:03	Ideally we would want the signature to trigger as well
0:07:08	so lets go back to the IDM and lets see if that custom signature actually got copied from
0:07:13	sig0 to sig1
0:07:16	so now under signature policy, signature definitions, notice that we have the sig1 as well
0:07:25	We do have 60000
0:07:28	where 60000 says again
0:07:32	string tcp, we are going to deny the attacker
0:07:34	service pair inline and produce an alert
0:07:39	if delete flash is heard
0:07:44	for port number 23 and we are going
0:07:46	towards the service
0:07:56	so lets try this again from the other side, lets go to 4
0:08:01	and from router4, we will telnet out to 3
0:08:13	so no this connection is dropped
0:08:15	if we look at the ips, it says that
0:08:19	the attacker was 4, the victim was 3
0:08:22	the result is that we denied the attacker service pair inline
0:08:28	and lets try this again from the other direction , from
0:08:30	3 lets telnet to 4
0:08:35	then we will say delete flash
0:08:38	so it is actually working
0:08:40	it just that it took some while to apply new signature policy
0:08:45	sometimes you will see with this platform, specially some of the older ones
0:08:48	like we have here, which is the 4235
0:08:53	you may see that sometimes the signatures don't work exactly as you want
0:08:57	a lot of the times, if you simply
0:09:00	disable the signature and then re enable it
0:09:03	or as a worse case scenario reboot
0:09:06	that you, you don't want to
0:09:09	to exclude that from your troubleshooting process
0:09:13	so it should happen in both directions that the
0:09:15	the signature is being triggered
0:09:19	but lets say now for this particular policy
0:09:22	we want a more granular signature where
0:09:25	may be router4 is running a web service
0:09:28	and we want to filter the specific urls
0:09:31	that the test pc is able to access
0:09:35	so its going to be just like the application inspection
0:09:38	on the ASA or on the IOS
0:09:41	where we could look at those individual fields
0:09:43	like the http methods
0:09:45	or the http uri and look for
0:09:48	different strings in the header or body
0:09:51	and then based on that we can perform our different action
0:09:55	but the key now
0:09:56	is that since we have two different signature engines
0:09:59	I could apply a new customer signature
0:10:02	under sig1
0:10:03	that is not going to effect the traffic that is between
0:10:06	router5 and ASA2
0:10:11	So in sig1, lets go now through the
0:10:15	the custom signature wizard
0:10:18	where we will see this is going to be under the service http
0:10:24	where we have signature name, lets say
0:10:27	reset on
0:10:29	specific url
0:10:35	where we want to see what is the
0:10:37	the uri regular expression
0:10:41	So this is going to be whatever is in the
0:10:44	the actual header of the packet
0:10:48	So right now as a place where I will say this is the
0:10:52	the url string
0:10:58	then once this happens, actually I need to say the service ports as well, so this is on port 80
0:11:05	and whatever I want to do once this is triggered, so I am going to produce an alert
0:11:09	lets say produce verbose alert, we will look at the more detail one
0:11:12	then I am going to
0:11:16	lets say deny the packet in line
0:11:18	So we are not deleting the ability, or we are not removing the ability for the
0:11:23	the center to start news sessions
0:11:26	its basically just dropping that individual packet
0:11:39	Now to test this I am going configure router4
0:11:41	as a web server
0:11:45	So this is running the web process
0:11:48	and then the test pc is going to be web client
0:11:51	So on router4
0:11:54	in global config, will simply say, ip http server
0:11:59	we already have username cisco and password cisco
0:12:03	that we can use for authentication
0:12:05	if we go to the test pc
0:12:07	and browse to
0:12:10	that server, lets say
0:12:15	to 172.16.4.4
0:12:22	from here we can get to the
0:12:24	the GUI management of router4
0:12:27	Now looked at some cases before this on the ASA and the IOS
0:12:31	where we are looking for specific strings
0:12:34	and one way I can do this is by
0:12:37	issuing a command, lets a command at level 15
0:12:41	where I say show ip route
0:12:46	and the way that this syntax format form, is that this string
0:12:51	is passed to the router inside
0:12:54	the uri or the url
0:12:57	where if I were to take this
0:13:01	and this full string, this is going to be whatever command that I want to issue
0:13:06	So if I say show ip route, if I say show ip
0:13:10	interface
0:13:12	/brief
0:13:15	its going to run whatever this command
0:13:17	but lets say I want the IPS
0:13:19	to listen for when
0:13:21	someone is saying
0:13:23	show ip route
0:13:25	and they are going to drop that connection
0:13:28	So where specifically, this is going to be in the uri
0:13:32	show/ip/route/
0:13:38	so from the IDM
0:13:40	I am going to go back to this particular signature
0:13:44	and we will specify that this is the, the url string
0:14:00	if we go back to the IPS's command line
0:14:02	we are looking at the show event alert
0:14:06	this is going to show our verbose
0:14:08	verbose alert, assuming that
0:14:10	the regular expression is correct
0:14:12	then from the test PC
0:14:15	if we say show ip
0:14:18	lets say show ip cef
0:14:21	So this one is fine
0:14:22	if we then say show ip route
0:14:28	we could see the payload of the web packet
0:14:31	the sensor says that this attacker
0:14:34	went to the victim at port 80
0:14:37	and was triggering
0:14:39	these signature reset on the specific
0:14:42	the result of that is that the packet is denied
0:14:49	Now these doesn't mean that I cannot to router4 at all
0:14:53	it just means that, that individual
0:14:56	packet flow was dropped
0:14:58	So its a little bit different than resetting the tcp session like we saw before
0:15:03	simply the packet is discarded and the IPS sensor is not telling the
0:15:07	the attacker that there wasn't any issue with
0:15:12	So the key with this, when we are doing multi different signature definition
0:15:17	or multiple event action rules or the anomaly detection
0:15:21	we can apply this to different virtual sensors
0:15:24	then depending on whether we have multiple
0:15:26	physical interfaces
0:15:27	or multiple inline VLAN pairs
0:15:30	we can put this the one physical sensor in multiple logical portions in the network at the same time
0:15:37	in order to have multiple separate policies

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

IPS Virtual Sensors and Signature Engines

Create Bookmark