5.4.1.1 Lab - Configure An Intrusion Prevention System (IPS) PDF
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 21
Lab – Configure an Intrusion Prevention System (IPS)
IP Addressing Table
Objectives
Part 1: Configure Basic Router Settings
Configure hostname, interface IP addresses, and access passwords.
Configure static routing.
Part 2: Use CLI to Configure an IOS IPS
Configure IOS IPS using CLI.
Modify IPS signatures.
Examine the resulting IPS configuration.
Verify IPS functionality.
Log IPS messages to a syslog server.
Part 3: Simulate an Attack
Use a scanning tool to simulate an attack.
Background/Scenario
In this lab, you will configure the Cisco IOS IPS, which is part of the Cisco IOS Firewall feature set. IPS
examines certain attack patterns and alerts or mitigates when those patterns occur. IPS alone is not enough
to make a router into a secure Internet firewall, but when added to other security features, it can be a powerful
defense.
You will configure IPS using the Cisco IOS CLI and then test IPS functionality. You will load the IPS Signature
package from a TFTP server and configure the public crypto key using the Cisco IOS.
Note: The router commands and output in this lab are from a Cisco 1941 router with Cisco IOS Release
15.4(3)M2. Other routers and Cisco IOS versions can be used. See the Router Interface Summary Table at
the end of the lab to determine which interface identifiers to use based on the equipment in the lab. The
commands available and output produced are determined by the router model and Cisco IOS version used.
Therefore, they might vary from what is shown in this lab.
Note: Ensure that the routers and switches have been erased and have no startup configurations.
Required Resources
3 routers (Cisco 1941 with Cisco IOS Release 15.4(3)M2)
2 switches (Cisco 2960 or comparable)
2 PCs (Windows Vista or Windows 7, Tftpd32 server, Nmap/Zenmap, the latest version of Java, Internet
Explorer, and Flash Player)
Serial and Ethernet cables as shown in the topology
Console cables to configure Cisco networking devices
IPS Signature package and public crypto key files on PC-A and PC-C (provided by the instructor)
Note: If you can ping from PC-A to PC-C, you have demonstrated that the static routing protocol is configured
and functioning correctly. If you cannot ping, but the device interfaces are up and IP addresses are correct,
use the show run and show ip route commands to identify routing protocol-related problems.
Step 6: Configure a user account, encrypted passwords, and crypto keys for SSH.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of
performing the lab. More complex passwords are recommended in a production network.
a. Configure a minimum password length using the security passwords command to set a minimum
password length of 10 characters.
R1(config)# security passwords min-length 10
b. Configure a domain name.
R1(config)# ip domain-name ccnasecurity.com
c. Configure crypto keys for SSH
R1(config)# crypto key generate rsa general-keys modulus 1024
d. Configure an admin01 user account using algorithm-type scrypt for encryption and a password of
cisco12345.
R1(config)# username admin01 algorithm-type scrypt secret cisco12345
e. Configure line console 0 to use the local user database for logins. For additional security, the exec-timeout command causes the line to log out after five minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which
prevents it from expiring. However, this is not considered a good security practice.
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
R1(config-line)# logging synchronous
f. Configure line aux 0 to use the local user database for logins.
R1(config)# line aux 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
g. Configure line vty 0 4 to use the local user database for logins and restrict access to only SSH
connections.
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 5 0
h. Configure the enable password with strong encryption.
R1(config)# enable algorithm-type scrypt secret class12345
b. From the R1 CLI, display the contents of flash memory using the show flash command and check for the
ipsdir directory.
R1# show flash
c. If the ipsdir directory is not listed, create it in privileged EXEC mode.
R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir
d. If the directory already exists, the following message displays:
%Error Creating dir flash:ipsdir (Can't create a file that exists)
Use the delete command to erase the content of ipsdir directory.
R1# delete flash:ipsdir/*
Delete filename [/ipsdir/*]?
Delete flash:/ipsdir/R1-sigdef-default.xml? [confirm]
Delete flash:/ipsdir/R1-sigdef-delta.xml? [confirm]
Delete flash:/ipsdir/R1-sigdef-typedef.xml? [confirm]
Delete flash:/ipsdir/R1-sigdef-category.xml? [confirm]
Delete flash:/ipsdir/R1-seap-delta.xml? [confirm]
Delete flash:/ipsdir/R1-seap-typedef.xml? [confirm]
Note: Use this command with caution. If there are no files in the ipsdir directory, the following message
displays:
R1# delete flash:ipsdir/*
Delete filename [/ipsdir/*]?
No such file
e. From the R1 CLI, verify that the directory is present using the dir flash: or dir flash:ipsdir command.
R1# dir flash:
Directory of flash:/
Directory of flash:/ipsdir/
No files in directory
Note: The directory exists, but there are currently no files in it.
Step 1: Copy and paste the crypto key file into R1.
In global configuration mode, select and copy the crypto key file named realm-cisco.pub.key.txt.
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
Step 2: Configure the IPS Signature storage location in router flash memory.
The IPS files will be stored in the ipsdir directory that was created in Task 2, Step 2. Configure the location
using the ip ips config location command.
R1(config)# ip ips config location flash:ipsdir
d. To send log messages to the syslog server on PC-A, use the following command:
R1(config)# logging 192.168.1.3
e. To see the type and level of logging enabled on R1, use the show logging command.
R1# show logging
Note: Verify that you have connectivity between R1 and PC-A by pinging from PC-A to the R1 Fa0/1 interface
IP address 192.168.1.1. If it is not successful, troubleshoot as necessary before continuing.
The next step describes how to download one of the freeware syslog servers if one is unavailable on PC-A.
Step 6: Configure IOS IPS to use one of the pre-defined signature categories.
IOS IPS with Cisco 5.x format signatures operates with signature categories, just like Cisco IPS appliances
do. All signatures are pre-grouped into categories, and the categories are hierarchical. This helps classify
signatures for easy grouping and tuning.
Warning: The “all” signature category contains all signatures in a signature release. Do not unretire the “all”
category, because IOS IPS cannot compile and use all the signatures contained in a signature release at one
time. The router will run out of memory.
Note: When configuring IOS IPS, it is required to first retire all the signatures in the “all” category and then
unretire selected signature categories.
In the following example, all signatures in the all category are retired, and then the ios_ips basic category is
unretired.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>
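As an added example (not part of the Cisco lab), a Python check that parses the ip ips signature-category block as it appears in a running configuration and confirms the ordering the warning above requires: the “all” category retired first, then only named categories unretired. The config samples are constructed.

```python
import re

# Constructed sample: the lab's signature-category block as IOS renders it in
# 'show running-config' (indentation is how IOS nests sub-mode commands).
GOOD_CONFIG = """\
ip ips config location flash:ipsdir
ip ips name iosips
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
"""

# Constructed counter-example: 'all' left unretired, which exhausts router memory.
BAD_CONFIG = """\
ip ips signature-category
 category ios_ips basic
  retired false
 category all
  retired false
"""

def parse_signature_categories(config_text):
    """Ordered (category, retired) pairs from the 'ip ips signature-category'
    block; retired is True/False, or None if no 'retired' line follows."""
    categories, in_block = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "ip ips signature-category":
            in_block = True
            continue
        if in_block and line and not line.startswith(" "):
            in_block = False  # next top-level command closes the block
        if not in_block:
            continue
        m = re.match(r"category (\S+(?: \S+)?)$", stripped)
        if m:
            categories.append([m.group(1), None])
        elif stripped.startswith("retired ") and categories:
            categories[-1][1] = stripped.split()[1] == "true"
    return [tuple(c) for c in categories]

def check_category_order(config_text):
    """Findings as strings; empty means 'all' is retired first, others follow."""
    cats = parse_signature_categories(config_text)
    findings = []
    if not cats or cats[0][0] != "all":
        findings.append("'category all' must come first so later categories override it")
    for name, retired in cats:
        if name == "all" and retired is not True:
            findings.append("'category all' is not retired; router will run out of memory")
    return findings
```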
The message also displays on the syslog server if it is enabled. The Tftpd32 syslog server is shown here.
Note: The following message may display if the router does not have a built-in IOS signature file.
*******************************************************************
The signature package is missing or was saved by a previous version
IPS Please load a new signature package
*******************************************************************
Jan 6 01:22:17.383: %IPS-3-SIG_UPDATE_REQUIRED: IOS IPS requires a signature update
package to be loaded
b. Although the R1 Fa0/1 interface is an internal interface, configure it with IPS to respond to internal
attacks. Apply the IPS rule to the R1 Fa0/1 interface in the inbound direction.
R1(config)# interface g0/1
R1(config-if)# ip ips iosips in
Step 2: Start the TFTP server on PC-A and verify the IPS file directory.
a. Verify connectivity between R1 and PC-A and the TFTP server using the ping command.
b. Verify that the PC has the IPS Signature package file in a directory on the TFTP server. This file is
typically named IOS-Sxxx-CLI.pkg, where xxx is the signature file version.
Note: If this file is not present, contact your instructor before continuing.
c. Start Tftpd32 or another TFTP server and set the server interface to PC-A’s network interface
(192.168.1.3), and set the default directory to the one with the IPS Signature package in it. The Tftpd32
screen is shown below with the C:\tftp-folder\ directory contents displayed. Take note of the filename for
use in the next step.
Note: It is recommended to use the latest signature file available in a production environment. However, if
the amount of router flash memory is an issue in a lab environment, you may use an older version 5.x
signature, which requires less memory. The S364 file is used with this lab for demonstration purposes,
although newer versions are available. Consult CCO to determine the latest version.
Step 3: Copy the signature package from the TFTP server to the router.
If you do not have a TFTP server available, and you are using a router with a USB port, go to Step 5 and use
the procedure described there.
a. Use the copy tftp command to retrieve the signature file and load it into the Intrusion Detection
Configuration. Use the idconf keyword at the end of the copy command.
Note: Signature compiling begins immediately after the signature package is loaded to the router. You
can see the messages on the router with logging level 6 or above enabled.
# copy tftp://192.168.1.3/IOS-S855-CLI.pkg idconf
Loading IOS-S855-CLI.pkg from 192.168.1.3 (via GigabitEthernet0/1): !!!!!OO!!
Mar 8 03:43:59.495: %IPS-5-PACKET_UNSCANNED: atomic-ip - fail open - packets
passed
unscanned!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Mar 8 03:44:59.495: %IPS-5-PACKET_UNSCANNED: atomic-ip - fail open - packets
passed unscanned!!!!!!!!!!!!!!!!
[OK - 22561682 bytes]
<Output Omitted>
Step 5: (Optional) Alternative methods of copying the signature package to the router.
If you used TFTP to copy the file and will not use one of these alternative methods, read through the
procedures described here to become familiar with them. If you use one of these methods instead of TFTP,
return to Step 4 to verify that the signature package loaded properly.
FTP method: Although the TFTP method is generally adequate, the signature file is rather large and FTP can
provide another method of copying the file. You can use an FTP server to copy the signature file to the router
with this command:
copy ftp://<ftp_user:password@Server_IP_address>/<signature_package> idconf
In the following example, the user admin must be defined on the FTP server with a password of cisco.
R1# copy ftp://admin:cisco@192.168.1.3/IOS-S855-CLI.pkg idconf
Loading IOS-S855-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 7608873/4096 bytes]
USB method: If there is no access to an FTP or a TFTP server, you can use a USB flash drive to load the
signature package to the router.
a. Copy the signature package onto the USB drive.
b. Connect the USB drive to one of the USB ports on the router.
c. Use the show file systems command to see the name of the USB drive. In the following output, a 4 GB
USB drive is connected to the USB port on the router as file system usbflash0:
R1# show file systems
File Systems:
- - network rw tftp:
196600 185972 nvram rw nvram:
* 64012288 14811136 disk rw flash:#
- - opaque wo syslog:
- - opaque rw xmodem:
- - opaque rw ymodem:
- - network rw rcp:
- - network rw pram:
- - network rw http:
- - network rw ftp:
- - network rw scp:
- - opaque ro tar:
- - network rw https:
- - opaque ro cns:
4001378304 3807461376 usbflash rw usbflash0:
d. Verify the contents of the flash drive using the dir command.
R1# dir usbflash0:
Directory of usbflash0:/
b. Notice the IPS messages from R1 on the syslog server screen below. How many messages were
generated from the R2 pings to R1 and PC-A?
Note: The ICMP echo request IPS risk rating (severity level) is relatively low at 25. Risk rating can range from
0 to 100.
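As an added example (not part of the Cisco lab), a Python parser for the %IPS-4-SIGNATURE messages the router sends to the syslog server on PC-A, with a summary that counts events per signature, lists sources at or above a risk rating threshold, and counts fail-open (PACKET_UNSCANNED) messages. The message layout (Sig, Subsig, Sev, name, [src -> dst], RiskRating) is assumed from Cisco IOS IPS documentation; the sample lines are constructed, and the Sev/RiskRating values shown for signatures 3040 and 3041 are placeholders, not the lab's answers.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the Cisco IOS IPS message format (assumed
# from Cisco documentation, not captured from the lab). Only the ICMP Echo
# Request's 25 comes from the lab; the 3040/3041 values are placeholders.
SAMPLE_SYSLOG = """\
Jan  6 01:31:22.115: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.3:0 -> 192.168.1.1:0] VRF:NONE RiskRating:25
Jan  6 01:31:23.120: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.3:0 -> 192.168.1.3:0] VRF:NONE RiskRating:25
Jan  6 01:35:02.007: %IPS-4-SIGNATURE: Sig:3040 Subsig:0 Sev:75 TCP NULL Packet [192.168.3.3:41522 -> 192.168.1.1:22] VRF:NONE RiskRating:75
Jan  6 01:35:02.009: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:75 TCP SYN/FIN Packet [192.168.3.3:41523 -> 192.168.1.1:22] VRF:NONE RiskRating:75
Mar  8 03:43:59.495: %IPS-5-PACKET_UNSCANNED: atomic-ip - fail open - packets passed unscanned
"""

SIG_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:\S+)? RiskRating:(?P<rr>\d+)"
)

def parse_ips_events(text):
    """Parse %IPS-4-SIGNATURE lines into dicts; other %IPS lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sig", "subsig", "sev", "sport", "dport", "rr"):
                d[k] = int(d[k])
            events.append(d)
    return events

def count_fail_open(text):
    """Count PACKET_UNSCANNED messages: traffic IPS forwarded without inspection."""
    return sum("%IPS-5-PACKET_UNSCANNED" in line for line in text.splitlines())

def summarize(text, min_risk=50):
    """Per-signature counts plus sources that triggered a signature at or above
    min_risk (the lab's ICMP echo events at 25 fall below the default)."""
    events = parse_ips_events(text)
    per_sig = Counter((e["sig"], e["name"]) for e in events)
    high_risk_sources = sorted({e["src"] for e in events if e["rr"] >= min_risk})
    return {
        "events": len(events),
        "per_signature": dict(per_sig),
        "high_risk_sources": high_risk_sources,
        "fail_open": count_fail_open(text),
    }
```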
c. Install Nmap/Zenmap.
c. After the scan is complete, review the results displayed in the Nmap Output tab.
d. Click the Ports/Hosts tab. How many open ports did Nmap find on R2? What are the associated port
numbers and services?
e. Exit Zenmap.
a. What is the IPS risk rating or severity level (Sev:) of the TCP NULL Packet, signature 3040?
b. What is the IPS risk rating or severity level (Sev:) of the TCP SYN/FIN packet, signature 3041?
Reflection
1. If changes are made to a signature while using version 5.x signature files, are they visible in the router's
running configuration?
Router Interface Summary Table
Router Model  Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1    Serial Interface #2
1800          Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
1900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2801          Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)
2811          Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.