Tuesday 11 June 2024

What is Cisco intrusion detection systems (IDS) and intrusion prevention systems (IPS)? | What is the difference between IPS and IDS? | How to configure Cisco intrusion prevention systems (IPS)? cyber security | intrusion prevention

 An intrusion prevention system (IPS) is a network security tool is also known as Intrusion Detection and Prevention System. (which can be a hardware device or software). An intrusion prevention system (IPS) continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur. intrusion prevention system (IPS) is placed inline in the network traffic flow between the source and destination. IPS analyzes all traffic flows that enter the network and can detect or prevent network security attacks.




What do IPS and IDS sensors do?

An IPS/IDS sensor is a device that continuously monitors the  traffic on the network and then makes a decision based on a set of rules to indicate whether that traffic is okay or whether it is malicious in some way. 


An intrusion prevention system (IPS) is placed directly inline with the flow of network traffic and each packet goes through the IPS sensor on its way. if the malicious traffic is found by the IPS it can drop the packet and deny reaching the destination based on the rules configured. this concept is called IPS. The IPS adds a small amount of delay before forwarding packets. because the IPS is inline, it can manipulate traffic inline based on a current set of rules. 

What is the inline sensor?

A sensor is placed inline with the traffic, which means whatever the network traffic is going through the network is forced to go in one physical port on the sensor and the sensor is going to analyze the traffic. let's take a look at inline topology. 




The instruction detection system also continuously monitors the network traffic analyzes the traffic identifies the malicious packets and generates alerts but IDS can not prevent the attack by dropping the packets because this is an intrusion detection system not prevention. The original packet is already on its way to reach the destination so how it can drop the packet. IDS is not inline with the flow of network traffic, IDS is sent copies of the original packets. IPS adds a small amount of delay but IDS does not add any delay to the original network traffic. IDS cannot manipulate any original inline traffic. let's take a look of IDS not inline. 



IPS/IDS sensor platform

We must use IPS/IDS sensors in our network and enhance network protection. Cisco has several IPS/IDS sensor platforms that enable us to implement network protection as follows:

  • A dedicated IPS appliance
  • Software based on the router
  • A module in an IOS router like AIM-IPS, NME-IPS
  • A multilayer switches a blade that works in a 6500 series
  • Cisco firepower7000/8000 series appliance
  • ASA with firepower services 


Malicious traffic on the network identification

IPS/IDS sensors can identify the malicious packets in the network in many different ways based on the rules that are placed in the sensors, some of the rules are default, and some we can create or modify. There are several different methods IPS/IDS sensors can be configured for identifying malicious traffic.

  • Signature-based IPS/IDS
  • Policy-based IPS/IDS
  • Anomaly-based IPS/IDS
  • Reputation-based IPS/IDS

(in the next we will look deeply into these methods and actions)


Let's see how to configure the IOS Intrusion Prevention System (IPS)

Topology:-configure IOS Intrusion Prevention System (IPS)




Goal: The task is to enable IPS on R1 to scan traffic entering the 192.168.10.0 network. the Syslog server 192.168.10.20 is used to log IPS messages. From the pc-red zone attempting to ping the PC-green zone should fail and from the pc-green zone attempting to ping the PC-red zone should pass.

  • Enable IOS IPS 
  • Enable the security technology package
  • Verify network connectivity
  • Create an IOS IPS configuration directory in Flash
  • Configure the IPS signature location
  • Create an IPS rule
  • Enable logging
  • Configure IOS IPS to use the signature categories
  • Apply the IPS rule to an interface

  • Modify the signature 
  • Change the event action of the signature
  • Verify that IPS is working properly 
  • Fom pc-redzone attempt to ping PC-greenzone should fail
  • From pc-greenzone attempt to ping PC-redzone should pass
  • View the Syslog messages





Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#ip route 192.168.40.0 255.255.255.0 192.168.20.2
Router(config)#exit
 
Router2(config)#interface gigabitEthernet 0/1
Router2(config-if)#ip address 192.168.20.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#interface gigabitEthernet 0/0
Router2(config-if)#ip address 192.168.30.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Router2(config)#ip route 192.168.40.0 255.255.255.0 192.168.30.2
Router2(config)#exit
Router3(config)#interface gigabitEthernet 0/0
Router3(config-if)#ip address 192.168.30.2 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#interface gigabitEthernet 0/1
Router3(config-if)#ip address 192.168.40.1 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#ip route 192.168.10.0 255.255.255.0 192.168.30.1
Router3(config)#exit
 
 
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
 
Gateway of last resort is not set
 
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
 
 
 
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
 
Gateway of last resort is not set
 
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
 
Gateway of last resort is not set
 
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
 
 
 
 
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc2)
 
 
License Info:
 
License UDI:
 
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1941/K9 FTX1524UTQ7-
 
 
Technology Package License Information for Module:'c1900'
 
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
data None None None
 
Configuration register is 0x2102
 
 
Router(config)#license boot module c1900 technology-package securityk9
 
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE
 
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot
 
Router(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C1900 Next reboot level = securityk9 and License = securityk9
 
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
 
Router#reload
Proceed with reload? [confirm]

Router#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir

Router(config)#ip ips config location flash:ipsdir

Router(config)#ip ips ?
config Location of IPS configuration files
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE or log) for
the alarms
signature-category Signature Category
signature-definition Signature Definition

Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#service timestamps log datetime msec
Router(config)#logging host 192.168.10.20
Router(config)#ip ips signature-category


Router(config-ips-category)#?

category Category keyword

exit Exit from Category Mode

no Negate or set default values of a command



Router(config-ips-category)#category all


Router(config-ips-category-action)#?

exit Exit from Category Actions Mode

no Negate or set default values of a command

retired Retire Category Signatures



Router(config-ips-category-action)#retired true

Router(config-ips-category-action)#exit


Router(config-ips-category)#category ?

all All Categories

ios_ips IOS IPS (more sub-categories


Router(config-ips-category)#category ios_ips basic

Router(config-ips-category-action)#retired false

Router(config-ips-category-action)#exit

Router(config-ips-category)#exit


Do you want to accept these changes? [confirm]

Applying Category configuration to signatures ...

%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines

%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

Router(config)#interface gigabitEthernet 0/1

Router(config-if)#ip ips iosips out

Router(config-if)#exit


*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDS_STARTED: 00:16:37 UTC Mar 01 1993

*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines

*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned

*Mar 01, 00:16:37.1616: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms


*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console

*Mar 01, 00:16:53.1616: *Mar 01, 00:16:53.1616: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.20 port 514 started - CLI initiated



Router(config)#ip ips signature-definition

Router(config-sigdef)#signature 2004 0

Router(config-sigdef-sig)#status

Router(config-sigdef-sig-status)#retired false

Router(config-sigdef-sig-status)#enable true

Router(config-sigdef-sig-status)#exit



Router(config-sigdef-sig)#?

engine Engine

exit Exit from Signature Definition Mode

status Status


Router(config-sigdef-sig)#engin

Router(config-sigdef-sig-engine)#event-action ?

deny-packet-inline Deny Packet

produce-alert Produce Alert

Router(config-sigdef-sig-engine)#event-action produce-alert

Router(config-sigdef-sig-engine)#event-action deny-packet-inline

Router(config-sigdef-sig-engine)#exit

Router(config-sigdef-sig)#exit

Router(config-sigdef)#exit


Do you want to accept these changes? [confirm]


%IPS-6-ENGINE_BUILDS_STARTED:

%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines

%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned

%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms




Router#show ip ips all

IPS Signature File Configuration Status

Configured Config Locations: flash:ipsdir

Last signature default load time:

Last signature delta load time:

Last event action (SEAP) load time: -none-


General SEAP Config:

Global Deny Timeout: 3600 seconds

Global Overrides Status: Enabled

Global Filters Status: Enabled


IPS Auto Update is not currently configured


IPS Syslog and SDEE Notification Status

Event notification through syslog is enabled

Event notification through SDEE is enabled


IPS Signature Status

Total Active Signatures: 1

Total Inactive Signatures: 0


IPS Packet Scanning and Interface Status

IPS Rule Configuration

IPS name iosips

IPS fail closed is disabled

IPS deny-action ips-interface is false

Fastpath ips is enabled

Quick run mode is enabled

Interface Configuration

Interface GigabitEthernet0/1

Inbound IPS rule is not set

Outgoing IPS rule is iosips


IPS Category CLI Configuration:

Category all

Retire: True

Category ios_ips basic

Retire: False


C:\>ipconfig


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::202:16FF:FE76:76AD

IP Address......................: 192.168.10.10

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.10.1


Bluetooth Connection:


Link-local IPv6 Address.........: ::

IP Address......................: 0.0.0.0

Subnet Mask.....................: 0.0.0.0

Default Gateway.................: 0.0.0.0


C:\>ping 192.168.40.10


Pinging 192.168.40.10 with 32 bytes of data:


Reply from 192.168.40.10: bytes=32 time<1ms TTL=125

Reply from 192.168.40.10: bytes=32 time<1ms TTL=125

Reply from 192.168.40.10: bytes=32 time<1ms TTL=125

Reply from 192.168.40.10: bytes=32 time=2ms TTL=125


Ping statistics for 192.168.40.10:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 2ms, Average = 0ms



C:\>ipconfig


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::201:43FF:FEBA:6555

IP Address......................: 192.168.40.10

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.40.1


Bluetooth Connection:


Link-local IPv6 Address.........: ::

IP Address......................: 0.0.0.0

Subnet Mask.....................: 0.0.0.0

Default Gateway.................: 0.0.0.0


C:\>ping 192.168.10.10


Pinging 192.168.10.10 with 32 bytes of data:


Request timed out.

Request timed out.

Request timed out.

Request timed out.


Ping statistics for 192.168.10.10:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


C:\>ping 192.168.10.10


Pinging 192.168.10.10 with 32 bytes of data:


Request timed out.

Request timed out.

Request timed out.

Request timed out.


Ping statistics for 192.168.10.10:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


C:\>







Router#

*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:27:35.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:27:41.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:27:47.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25

*Mar 01, 00:27:53.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25









No comments:

What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

 Zone Based Firewall ZBF (Zone Based Firewall) is the stateful firewall that is available on Cisco IOS routers, introduced in 2006. ZBF supp...