An intrusion prevention system (IPS), also known as an intrusion detection and prevention system, is a network security tool that can be a hardware device or software. An IPS continuously monitors a network for malicious activity and, when it occurs, takes action to prevent it, including reporting, blocking, or dropping the traffic. The IPS is placed inline in the network traffic flow between the source and destination; it analyzes all traffic flows that enter the network and can detect or prevent network security attacks.
What do IPS and IDS sensors do?
An IPS/IDS sensor is a device that continuously monitors the traffic on the network and then makes a decision, based on a set of rules, about whether that traffic is acceptable or malicious in some way.
An intrusion prevention system (IPS) is placed directly inline with the flow of network traffic, and each packet passes through the IPS sensor on its way. If the IPS finds malicious traffic, it can drop the packet and deny it from reaching the destination, based on the rules configured; this is what makes it a prevention system. Because the IPS is inline, it adds a small amount of delay before forwarding packets, and it can manipulate traffic inline based on the current set of rules.
What is an inline sensor?
A sensor placed inline with the traffic means that whatever traffic is going through the network is forced in through one physical port on the sensor, where the sensor analyzes it. Let's take a look at the inline topology.
The intrusion detection system (IDS) also continuously monitors the network traffic, analyzes it, identifies malicious packets, and generates alerts, but an IDS cannot prevent the attack by dropping the packets, because it is an intrusion detection system, not a prevention system. The original packet is already on its way to the destination, so the IDS has no way to drop it. An IDS is not inline with the flow of network traffic; instead it is sent copies of the original packets. An IPS adds a small amount of delay, but an IDS adds no delay to the original network traffic, and an IDS cannot manipulate any original inline traffic. Let's take a look at the IDS, which is not inline.
IPS/IDS sensor platforms
We must use IPS/IDS sensors in our network to enhance network protection. Cisco has several IPS/IDS sensor platforms that enable us to implement network protection, as follows:
- A dedicated IPS appliance
- Software-based IPS on the router
- A module in an IOS router, such as the AIM-IPS or NME-IPS
- A blade in a multilayer switch, such as the 6500 series
- Cisco Firepower 7000/8000 series appliance
- ASA with Firepower services
Identifying malicious traffic on the network
IPS/IDS sensors can identify malicious packets in the network in many different ways, based on the rules that are placed in the sensors; some of the rules are default, and some we can create or modify. There are several different methods IPS/IDS sensors can be configured with for identifying malicious traffic:
- Signature-based IPS/IDS
- Policy-based IPS/IDS
- Anomaly-based IPS/IDS
- Reputation-based IPS/IDS
(In the next part we will look more deeply into these methods and their actions.)
Let's see how to configure the IOS Intrusion Prevention System (IPS).
Topology: configure IOS Intrusion Prevention System (IPS)
Goal: The task is to enable IPS on R1 to scan traffic entering the 192.168.10.0 network. The syslog server 192.168.10.20 is used to log IPS messages. A ping from PC-redzone to PC-greenzone should fail, and a ping from PC-greenzone to PC-redzone should pass.
- Enable IOS IPS
- Enable the security technology package
- Verify network connectivity
- Create an IOS IPS configuration directory in flash
- Configure the IPS signature location
- Create an IPS rule
- Enable logging
- Configure IOS IPS to use the signature categories
- Apply the IPS rule to an interface
- Modify the signature
- Change the event action of the signature
- Verify that IPS is working properly
- From PC-redzone, an attempt to ping PC-greenzone should fail
- From PC-greenzone, an attempt to ping PC-redzone should pass
- View the syslog messages
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 192.168.40.0 255.255.255.0 192.168.20.2
Router(config)#exit
Router2(config)#interface gigabitEthernet 0/1
Router2(config-if)#ip address 192.168.20.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#interface gigabitEthernet 0/0
Router2(config-if)#ip address 192.168.30.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Router2(config)#ip route 192.168.40.0 255.255.255.0 192.168.30.2
Router2(config)#exit
Router3(config)#interface gigabitEthernet 0/0
Router3(config-if)#ip address 192.168.30.2 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
Router3(config)#interface gigabitEthernet 0/1
Router3(config-if)#ip address 192.168.40.1 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
Router3(config)#ip route 192.168.10.0 255.255.255.0 192.168.30.1
Router3(config)#exit
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc2)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1941/K9 FTX1524UTQ7-
Technology Package License Information for Module:'c1900'
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
data None None None
Configuration register is 0x2102
Router(config)#license boot module c1900 technology-package securityk9
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE
LICENSE
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot
Router(config)#:
%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C1900 Next reboot level = securityk9 and License = securityk9
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#reload
Proceed with reload?
[confirm]
Router#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
Router(config)#ip ips config location flash:ipsdir
Router(config)#ip ips ?
config Location of IPS configuration files
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE or log) for
the alarms
signature-category Signature Category
signature-definition Signature Definition
Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#service timestamps log datetime msec
Router(config)#logging host 192.168.10.20
Router(config)#ip ips signature-category
Router(config-ips-category)#?
category Category keyword
exit Exit from Category Mode
no Negate or set default values of a command
Router(config-ips-category)#category all
Router(config-ips-category-action)#?
exit Exit from Category Actions Mode
no Negate or set default values of a command
retired Retire Category Signatures
Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit
Router(config-ips-category)#category ?
all All Categories
ios_ips IOS IPS (more sub-categories)
Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit
Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip ips iosips out
Router(config-if)#exit
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDS_STARTED: 00:16:37 UTC Mar 01 1993
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*Mar 01, 00:16:37.1616: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console
*Mar 01, 00:16:53.1616: *Mar 01, 00:16:53.1616: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.20 port 514 started - CLI initiated
Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enable true
Router(config-sigdef-sig-status)#exit
Router(config-sigdef-sig)#?
engine Engine
exit Exit from Signature Definition Mode
status Status
Router(config-sigdef-sig)#engin
Router(config-sigdef-sig-engine)#event-action ?
deny-packet-inline Deny Packet
produce-alert Produce Alert
Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit
Do you want to accept these changes? [confirm]
%IPS-6-ENGINE_BUILDS_STARTED:
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms
Router#show ip ips all
IPS Signature File Configuration Status
Configured Config Locations: flash:ipsdir
Last signature default load time:
Last signature delta load time:
Last event action (SEAP) load time: -none-
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled
IPS Signature Status
Total Active Signatures: 1
Total Inactive Signatures: 0
IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name iosips
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Interface Configuration
Interface GigabitEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is iosips
IPS Category CLI Configuration:
Category all
Retire: True
Category ios_ips basic
Retire: False
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::202:16FF:FE76:76AD
IP Address......................: 192.168.10.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.10.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
C:\>ping 192.168.40.10
Pinging 192.168.40.10 with 32 bytes of data:
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time=2ms TTL=125
Ping statistics for 192.168.40.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::201:43FF:FEBA:6555
IP Address......................: 192.168.40.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.40.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
C:\>ping 192.168.10.10
Pinging 192.168.10.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.10.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.10.10
Pinging 192.168.10.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.10.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
Router#
*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:35.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:41.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:47.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:53.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
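As an added example (not part of the original lab), here is a small Python parser for the %IPS-4-SIGNATURE lines that the syslog server 192.168.10.20 receives from R1. It aggregates hits per signature and source/destination pair, skips other syslog messages, and applies a risk-rating threshold; the sample lines are constructed in the page's own format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the IOS IPS alert format shown on this page, e.g.
# *Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
IPS_SIG_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} \d{2}, \d{2}:\d{2}:\d{2}\.\d+): "
    r"%IPS-(?P<level>\d)-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"\[(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"RiskRating:(?P<rr>\d+)$"
)

@dataclass(frozen=True)
class IpsEvent:
    timestamp: str
    signature: int
    subsig: int
    severity: int
    src: str
    dst: str
    dport: int
    risk_rating: int

def parse_ips_line(line: str):
    """Return an IpsEvent for a %IPS-4-SIGNATURE line, or None for any other syslog line."""
    m = IPS_SIG_RE.match(line.strip())
    if not m:
        return None
    return IpsEvent(timestamp=m["ts"], signature=int(m["sig"]), subsig=int(m["subsig"]),
                    severity=int(m["sev"]), src=m["src"], dst=m["dst"],
                    dport=int(m["dport"]), risk_rating=int(m["rr"]))

def summarize(lines, min_risk=25):
    """Count alerts per (signature, src, dst) for events at or above the risk-rating threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_ips_line(line)
        if ev is None or ev.risk_rating < min_risk:
            continue
        counts[(ev.signature, ev.src, ev.dst)] += 1
    return dict(counts)

# Constructed sample log: two ICMP echo (sig 2004) hits in the page's format plus unrelated syslog noise.
SAMPLE_LOG = [
    "*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for (sig, src, dst), n in summarize(SAMPLE_LOG).items():
        print(f"sig {sig}: {src} -> {dst}: {n} hits")
```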