CCIE Security v4 Lab Workbook, Vol. 2

Piotr Matusiak, CCIE #19860 (R&S, Security), C|EH, CCSI #33705
Narbik Kocharians, CCIE #12410 (R&S, Security, SP), CCSI #30832
www.MicronicsTraining.com

Table of Contents

Content Security - IPS
LAB 2.1. Sensor Initialization
LAB 2.2. Promiscuous Mode
LAB 2.3. Inline Mode
LAB 2.4. Inline VLAN Pair Mode (on-a-stick)
LAB 2.5. Signature Tuning
LAB 2.6. Custom HTTP Signature
LAB 2.7. Custom String TCP Signature
LAB 2.8. Custom Atomic IP Signature
LAB 2.9. Meta Signature
LAB 2.10. Blocking and Rate Limiting
LAB 2.11. Rules
LAB 2.12. Anomaly Detection
LAB 2.13. Virtual Sensors
LAB 2.14. Event Summarization
LAB 2.15. Application Inspection and Logging

Content Security - WSA
LAB 2.16. WSA Bootstrapping (Optional)
LAB 2.17. DNS and Routing Configuration
LAB 2.18. WSA Identities and Access Policies
LAB 2.19. Active Directory Integration
LAB 2.20. User Authentication
LAB 2.21. Custom URL Categories
LAB 2.22. Decryption Policies
LAB 2.23. Bandwidth and File Type Limits
LAB 2.24. Application Visibility and Control
LAB 2.25. Web Reputation and DVS
LAB 2.26. Transparent Proxy with ASA

Identity Management - ACS
LAB 2.27. ACS Bootstrapping
LAB 2.28. Setup AAA Clients
LAB 2.29. User Authentication and Authorization (IOS)
LAB 2.30. Local User Authentication and Authorization using AAA (IOS)
LAB 2.31. TACACS+ User Authentication (IOS)
LAB 2.32. TACACS+ Authentication and Authorization (IOS)
LAB 2.33. Accounting using TACACS+ and RADIUS (IOS)
LAB 2.34. IOS Authentication Proxy
LAB 2.35. Authentication Proxy on ASA
LAB 2.36. ACS External Identity Store

Physical Topology
[Physical topology diagram not reproduced in this text version.]

Content Security - IPS
Narbik Kocharians, CCIE #12410 (R&S, Security, SP), CCSI #30832
Piotr Matusiak, CCIE #19860 (R&S, Security), C|EH, CCSI #33705
www.MicronicsTraining.com

LAB 2.1.
Sensor Initialization

[Topology diagram: R1 F0/0 (.1) and ASA E0/1 (.10) in VLAN 101, 10.1.101.0/24; R2 G0/0 (.2) and ASA E0/0 (.10) in VLAN 102, 10.1.102.0/24; PC (.200) and IPS C&C (.100) in VLAN 101.]

Lab Setup
> R1's F0/0 and ASA's E0/1 interface should be configured in VLAN 101
> R2's G0/0 and ASA's E0/0 interface should be configured in VLAN 102
> PC should be configured in VLAN 101
> IPS Command and Control (C&C) interface should be configured in VLAN 101
> Configure Telnet on all routers using password "cisco"
> Configure RIPv2 on all devices (except PC and IPS)

IP Addressing
Device    Interface (ifname)             IP address
R1        F0/0                           10.1.101.1/24
R2        G0/0                           10.1.102.2/24
ASA-FW    E0/0 (Outside, Security 0)     10.1.102.10/24
ASA-FW    E0/1 (Inside, Security 100)    10.1.101.10/24

Task 1
Configure the IPS sensor with the following settings:
Hostname: IPS-CCIE
IP address: 10.1.101.100/24
Default gateway: 10.1.101.10
Allowed hosts: 10.1.101.200
Configure the IPS management interface (m0/0) in VLAN 101.

The Cisco IPS must be pre-configured from the console before it is reachable on the network and manageable with its GUI, IDM (IPS Device Manager). Most settings can also be made from the CLI, but IDM is more user-friendly and is available during the lab.

The basic configuration is done from the CLI at the first console login. Right after login the setup script starts and asks for the basic settings: the management IP address, the default gateway (the sensor has no routing table beyond this single default gateway; it supports neither dynamic routing nor additional static routes) and the allowed hosts from which the sensor may be managed with IDM. All of the basic setup applies to the C&C (Command and Control) management interface. After these few steps the sensor can be reached with IDM.

Note that the allowed-hosts list is the sensor's management ACL: it filters every connection to the C&C interface (HTTPS, SSH, Telnet and even ICMP), so a host that is not listed cannot reach the sensor at all. Keep it as tight as the task allows and use /32 entries for single hosts.

Complete these steps:

Step 1  IPS first configuration.

sensor login: cisco
Password:
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery of
Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on the IPS-4240.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.

Basic Setup

  --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Sat Feb  6 11:10:51 2010

Setup Configuration last modified: Sat Feb 06 11:03:34 2010

Enter host name[sensor]: IPS-CCIE
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.101.100/24,10.1.101.10

Note that you must write the address, mask and gateway on one line without any spaces.

Modify current access list?[no]: yes

To modify the ACL used for management you must answer "yes" to the question above.

Current access list entries:
Permit: 10.1.101.200/32

If you want to permit a single host, you must provide a /32 mask; an entry such as 10.1.101.200/24 silently opens management to the whole subnet. If you want to permit a whole network, use the network address with the correct mask. Hit enter twice when finished.

Permit:
Modify system clock settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 10.1.101.100/24,10.1.101.10
host-name IPS-CCIE
telnet-option disabled
access-list 10.1.101.200/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2

Select option 2 to save the basic configuration and leave the setup utility.

--- Configuration Saved ---

Complete the advanced setup using CLI or IDM.
To use IDM, point your web browser at https://<sensor-ip-address>.

sensor# exit

IPS-CCIE login: cisco

Note that the sensor name shown at the prompt is refreshed after re-login.

[The cryptographic export notice and the license notice are printed again at every login, exactly as above.]

Verification

IPS-CCIE# show configuration
! ------------------------------
! Current configuration last modified Sat Feb 06 11:11:59 2010
! ------------------------------
! Version 6.1(2)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S372.0   2008-12-10
!     Virus Update        V1.4     2007-03-02
! ------------------------------
service host
network-settings
host-ip 10.1.101.100/24,10.1.101.10
host-name IPS-CCIE
access-list 10.1.101.200/32
exit
<output omitted>
service signature-definition sig0
<output omitted>
service trusted-certificates
<output omitted>
service web-server
<output omitted>
exit

IPS-CCIE# ping 10.1.101.1
PING 10.1.101.1 (10.1.101.1): 56 data bytes
64 bytes from 10.1.101.1: icmp_seq=0 ttl=255 time=2.8 ms
64 bytes from 10.1.101.1: icmp_seq=1 ttl=255 time=1.4 ms
64 bytes from 10.1.101.1: icmp_seq=2 ttl=255 time=0.7 ms
64 bytes from 10.1.101.1: icmp_seq=3 ttl=255 time=1.4 ms

--- 10.1.101.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.7/1.5/2.8 ms
IPS-CCIE#

You may also ping the sensor from the management station. This works only from IP addresses listed in the management ACL; any other host gets no reply.

Task 2
Using the graphical user interface (GUI), configure the IPS sensor to allow management via Telnet (port 23) and HTTPS on port 8090. Disable the password recovery function.

The standard IPS management tool is IDM, which runs in a web browser over HTTPS. It listens on the standard HTTPS port 443 by default, but the port can be changed. Telnet access can also be enabled; this is not recommended in real-world deployments because Telnet carries credentials and configuration in clear text, while SSH (enabled by default) protects them. Disabling password recovery means that a lost administrator password can no longer be reset from the console and the sensor has to be reimaged, so make sure the credentials are stored safely before turning it off. All of these settings can be made from the CLI, but here we will use IDM.

Configuration
Complete these steps:

Step 1  IPS GUI.

1. Configure the IP address 10.1.101.200/24 on the ACS/PC host.

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Lab Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.1.101.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
<output omitted>

2.
Run Internet Explorer or Firefox and go to https://10.1.101.100. Accept the certificate warning: the sensor presents a self-signed certificate, so in a production network you would verify its fingerprint against the value shown on the sensor's console before accepting it.

3. Click Run IDM to download and start the IDM launcher.

4. Accept the series of warning messages.

5. Provide the username and password in the Cisco ASDM-IDM Launcher dialog.

6. After a successful login you should see the IPS Dashboard.

7. Click Configuration > Network and change the settings as follows: enable Telnet, set the web server port to 8090 and uncheck Allow Password Recovery. Apply the changes to the sensor.

As soon as the web server port changes, the running IDM session loses its connection and shows an error saying that it cannot retrieve the IPS configuration. You must close IDM and open it again on the new port before making further changes.

8. Use https://10.1.101.100:8090 in your web browser to connect to the sensor.

Task 3
Configure the IPS as an NTP client of the NTP server located on R1 and change the time zone to GMT+1. Add the following users to the sensor:

Username    Role             Password
ipsadmin    Administrator    Admin1234
ipsoper     Operator         Oper1234
ipsview     Viewer           View1234

Accurate time on the sensor matters: event timestamps are what you correlate against other logs, and NTP is the only way to keep them trustworthy. The task assumes R1 already acts as an NTP server (for example with "ntp master" on the router). The sensor can do authenticated NTP with a key ID and MD5 key; use it where the server supports it, so that a host on the segment cannot shift the sensor's clock.

Configuration
Complete these steps:

Step 1  IPS configuration.

1. Go to Configuration > Time, set the appropriate Zone Name and configure the NTP server. Changing the time zone requires a reboot of the sensor.

2. After the reboot go to Configuration > Users and click the Add button.

3. Provide the username and password for all required users. Choose the appropriate user role during this step.

Verification

1. Re-run IDM and authenticate with the "ipsview" username.

2. Go to Configuration > Network. You should see an error message saying that you are not allowed to modify the configuration: the Viewer role can read configuration and events but cannot change anything.

LAB 2.2. Promiscuous Mode

[Topology diagram: same addressing as LAB 2.1; R1 F0/0 (.1) and ASA E0/1 (.10) in VLAN 101, 10.1.101.0/24; R2 G0/0 (.2) and ASA E0/0 (.10) in VLAN 102, 10.1.102.0/24; PC (.200) and IPS C&C (.100) in VLAN 101; IPS G0/0 receives a copy of VLAN 102.]

This lab is based on the topology and configuration from the previous lab.

Task 1
Configure the IPS sensor to detect attacks in VLAN 102 using promiscuous mode. Make sure the IPS sensor can send TCP reset packets into VLAN 102.

By default, the monitoring interface of a Cisco sensor works in promiscuous mode, which means that it monitors all traffic on the local network through a network device that copies the traffic to the sensor. The network device sends copies of packets to the sensor for analysis. If the traffic matches a signature, the signature fires. The sensor can send an alarm to the management console and take a response action such as initiating a block or resetting the connection.

Sensors running in promiscuous mode are IDS (Intrusion Detection Systems). You must configure the switch to copy the packets of a VLAN, or the packets sourced from or destined to a port, to the port where the IPS sensor is connected (SPAN). The exact solution depends on the Layer 2 topology: if the monitored source is connected to a different switch than the sensor, RSPAN (Remote Switched Port Analyzer) must be configured, which carries the copied frames across the trunks in a dedicated RSPAN VLAN.

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow; the disadvantage is that it can never drop the packet it is looking at, so its only responses are out-of-band ones such as TCP resets and blocking on other devices.

Configuration
Complete these steps:

Step 1  SW1 configuration.

SW1(config)#vlan 666
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 1 source vlan 102 rx
SW1(config)#monitor session 1 destination remote vlan 666 reflector-port f0/10

SW1's platform needs a reflector port for an RSPAN source session (it shows up as "Reflector Port" in the verification); SW3's does not.

Step 2  SW3 configuration.

SW3(config)#vlan 666
SW3(config-vlan)#remote-span
SW3(config-vlan)#exit
SW3(config)#monitor session 1 source vlan 102 rx
SW3(config)#monitor session 1 destination remote vlan 666

Step 3  SW4 configuration.

SW4(config)#monitor session 1 source remote vlan 666
SW4(config)#monitor session 1 destination interface f0/15 ingress vlan 102
% Warning: specified default VLAN (102) for ingress on dest port does not exist.

Be careful here, as VLAN 102 does not exist on SW4. You must create it if you need to inject traffic into this VLAN (TCP reset packets from the IPS, for example); otherwise the frames the sensor sends have no VLAN to land in.

SW4(config)#vlan 102
SW4(config-vlan)#exit

Step 4  IPS configuration.

1. Go to Configuration > Interfaces, select the GigabitEthernet0/0 interface and click the Enable button.

2. Go to Configuration > Policies > IPS Policies, select the "vs0" virtual sensor on the list and click Edit.

3. Highlight the GigabitEthernet0/0 interface on the list and click the Assign button. Then click OK and Apply the changes to the sensor.
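Before trusting what a promiscuous sensor reports, it pays to check the whole RSPAN path mechanically rather than by eye: the source session must copy the right VLAN into the RSPAN VLAN, the destination session must pull that same RSPAN VLAN onto the sensor port, and the sensor port needs ingress enabled with the monitored VLAN as its default VLAN, which in turn must exist on that switch. The Python below is an added example, not part of the workbook; it parses "show monitor session N detail" and "show vlan brief" text and lists every way the path can be broken. The sample outputs are constructed to match the SW1/SW4 verification used in this lab (the "show vlan brief" snippets are invented).

```python
"""Cross-check RSPAN session state before trusting a promiscuous sensor.

Constructed example: the 'show monitor session N detail' texts below are
modelled on the SW1/SW4 output of this lab and the 'show vlan brief' text is
made up; none of it was captured from a switch.
"""
import re


def parse_monitor_session(text):
    """Flatten 'show monitor session N detail' into {key: value}.

    Indented lines hang off the last top-level key, so the RX-only source
    VLAN list becomes 'Source VLANs/RX Only' and the ingress setting of the
    sensor port becomes 'Destination Ports/Ingress'.
    """
    fields, parent = {}, None
    for line in text.splitlines():
        if ":" not in line:                  # 'Session 1', dashes, blank lines
            continue
        key, value = line.split(":", 1)
        indented = key.startswith(" ")
        key, value = key.strip(), value.strip()
        if indented and parent:
            fields[parent + "/" + key] = value
        else:
            parent = key
            fields[key] = value
    return fields


def vlan_ids(show_vlan_brief):
    """Return the set of VLAN IDs listed by 'show vlan brief'."""
    return {int(v) for v in re.findall(r"^(\d+)\s", show_vlan_brief, re.M)}


def check_rspan_path(source_text, dest_text, monitored_vlan, dest_switch_vlans=None):
    """Return a list of problems; empty means the copy reaches the sensor and
    the sensor can inject TCP resets into the monitored VLAN."""
    src, dst = parse_monitor_session(source_text), parse_monitor_session(dest_text)
    vlan, problems = str(monitored_vlan), []

    if "Remote Source" not in src.get("Type", ""):
        problems.append("source switch: session is not a Remote Source Session")
    if vlan not in (src.get("Source VLANs/RX Only"), src.get("Source VLANs/Both")):
        problems.append(f"source switch: VLAN {vlan} is not a source VLAN of the session")
    rspan = src.get("Dest RSPAN VLAN", "None")
    if rspan == "None":
        problems.append("source switch: session has no destination RSPAN VLAN")

    if "Remote Destination" not in dst.get("Type", ""):
        problems.append("destination switch: session is not a Remote Destination Session")
    if dst.get("Source RSPAN VLAN") != rspan:
        problems.append(f"RSPAN VLAN mismatch: source sends to {rspan}, "
                        f"destination listens on {dst.get('Source RSPAN VLAN')}")
    if dst.get("Destination Ports", "None") == "None":
        problems.append("destination switch: no sensor port assigned to the session")

    # Resets only reach the attacker if the sensor port accepts ingress frames
    # and drops them into the monitored VLAN, which must exist on that switch.
    ingress = re.search(r"Enabled, default VLAN = (\d+)", dst.get("Destination Ports/Ingress", ""))
    if not ingress:
        problems.append("sensor port: ingress disabled, TCP resets cannot be injected")
    elif ingress.group(1) != vlan:
        problems.append(f"sensor port: ingress default VLAN {ingress.group(1)} "
                        f"is not the monitored VLAN {vlan}")
    if dest_switch_vlans is not None and monitored_vlan not in dest_switch_vlans:
        problems.append(f"destination switch: VLAN {vlan} does not exist, "
                        "injected resets have nowhere to go")
    return problems


SW1_SESSION_1 = """\
Session 1
---------
Type                   : Remote Source Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : 102
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : None
Reflector Port         : Fa0/10
Filter VLANs           : None
Dest RSPAN VLAN        : 666
"""

SW4_SESSION_1 = """\
Session 1
---------
Type                   : Remote Destination Session
Description            : -
Source RSPAN VLAN      : 666
Destination Ports      : Fa0/15
    Encapsulation      : Native
          Ingress      : Enabled, default VLAN = 102
    Ingress encap      : Untagged
Filter VLANs           : None
Dest RSPAN VLAN        : None
"""

# Constructed 'show vlan brief' on SW4 before and after 'vlan 102' is created.
SW4_VLANS_BEFORE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------
1    default                          active    Fa0/1, Fa0/2
101  VLAN0101                         active    Fa0/17
666  VLAN0666                         active
"""
SW4_VLANS_AFTER = SW4_VLANS_BEFORE + "102  VLAN0102                         active\n"

if __name__ == "__main__":
    for label, vlans in (("before vlan 102", SW4_VLANS_BEFORE), ("after vlan 102", SW4_VLANS_AFTER)):
        found = check_rspan_path(SW1_SESSION_1, SW4_SESSION_1, 102, vlan_ids(vlans))
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

Run it as is and the "before" case reports exactly the condition the switch warned about when the destination session was configured; paste in your own "show monitor session" output for each switch on the path to get the same check on a real topology.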
Verification

SW1#show monitor session 1 detail
Session 1
---------
Type                   : Remote Source Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : 102
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : None
Reflector Port         : Fa0/10
Filter VLANs           : None
Dest RSPAN VLAN        : 666

The reflector port (F0/10) cannot be used for anything else on this switch: the ASIC behind it is now dedicated to copying the monitored frames into the RSPAN VLAN, and the port shows as "line protocol is down (monitoring)".

SW1#show interface f0/10
FastEthernet0/10 is up, line protocol is down (monitoring)
  Hardware is Fast Ethernet, address is 0012.0183.3b0a (bia 0012.0183.3b0a)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:17:16, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     188 packets input, 15415 bytes, 0 no buffer
     Received 56 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 56 multicast, 0 pause input
     0 input packets with dribble condition detected
     164 packets output, 15835 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

SW3#show monitor session 1 detail
Session 1
---------
Type                   : Remote Source Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : 102
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : None
Filter VLANs           : None
Dest RSPAN VLAN        : 666

SW4#show monitor session 1 detail
Session 1
---------
Type                   : Remote Destination Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : 666
Destination Ports      : Fa0/15
    Encapsulation      : Native
          Ingress      : Enabled, default VLAN = 102
    Ingress encap      : Untagged
Filter VLANs           : None
Dest RSPAN VLAN        : None

SW4#show interface f0/15
FastEthernet0/15 is up, line protocol is down (monitoring)
  Hardware is Fast Ethernet, address is 0018.b9ff.ad91 (bia 0018.b9ff.ad91)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:04:36, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     3644 packets output, 363373 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

On the destination port the "packets output" counter is the copied VLAN 102 traffic being delivered to the sensor; "packets input" stays at zero until the sensor injects something, such as a TCP reset.

To test it, let's simulate an attack. Connect to the HTTP server enabled on R2 and enter the following GET request. It simulates the IIS Unicode directory traversal (%c0%af is an overlong UTF-8 encoding of "/", used to hide "../" from a server's path check) and should trigger a signature on the IPS if everything is configured correctly.

R1#telnet 10.1.102.2 80
Trying 10.1.102.2, 80 ... Open
GET /..%c0%af../..

HTTP/1.1 400 Bad Request
Date: Sun, 07 Feb 2010 14:29:16 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none

400 Bad Request

[Connection to 10.1.102.2 closed by foreign host]

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See the fired signature 5114 on the event list. Double-click the event to see more details. Here is the text output of the event details.

evIdsAlert: eventId=1259971047105390102 vendor=Cisco severity=high
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 402
  time: Feb 06, 2010 14:11:36 UTC offset=60 timezone=GMT+01:00
  signature: description=WWW IIS Unicode Attack id=5114 version=S355 type=other created=20000101
    subsigId: 1
    sigDetails: ..%c0%af..HTTP
    marsCategory: Penetrate/Evasion/Web
    marsCategory: Penetrate/NimdaWorm
    marsCategory: Penetrate/RemoteCmdExec/Web
    marsCategory: Penetrate/RemoteCmdExec/Web/IIS
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.101.1 locality=OUT
      port: 31997
    target:
      addr: 10.1.102.2 locality=OUT
      port: 80
      000000  47 45 54 20 2F 2E 2E 25 63 30 25 61 66 2E 2E  GET /..%c0%af..
  riskRatingValue: 65 targetValueRating=medium
  threatRatingValue: 85
  interface: ge0_0
  protocol: tcp

The interface field (ge0_0) confirms on which monitoring interface the copy was seen, and the captured bytes show exactly the request that matched.

Task 2
Configure the IPS sensor to detect attacks in VLAN 101 using promiscuous mode. The IPS sensor must monitor this VLAN using its G0/2 interface and be able to inject traffic into VLAN 101.

A sensor in promiscuous mode only sees the traffic copied to its port, but it can still interrupt some attacks by sending a TCP reset packet to the source of the attack. This can be useful in some cases but does not protect against every type of attack: usually the first attacker packet has already reached the destination by the time the sensor sends the TCP reset, and a single-packet attack is complete before any reset can arrive. It is hard to block every attacker packet in promiscuous mode.

To inject the reset, the sensor relies on the "ingress" feature of the SPAN destination port on the switch: frames the sensor sends into its monitoring port are accepted by the switch and placed into the configured ingress VLAN, so the reset reaches the attack source within the correct VLAN. The sensor may also send TCP resets from another monitoring port (an alternate TCP reset interface) if one is configured.

Complete these steps:

Step 1  SW1 configuration. Ensure you use a different Remote SPAN VLAN and a different SPAN session!

SW1(config)#vlan 667
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 2 source vlan 101 rx
SW1(config)#monitor session 2 destination remote vlan 667 reflector-port f0/12

Step 2  SW3 configuration.

SW3(config)#vlan 667
SW3(config-vlan)#remote-span
SW3(config-vlan)#exit
SW3(config)#monitor session 2 source vlan 101 rx
SW3(config)#monitor session 2 destination remote vlan 667

Step 3  SW4 configuration.

SW4(config)#vlan 667
SW4(config-vlan)#remote-span
SW4(config-vlan)#vlan 101
SW4(config-vlan)#exit
SW4(config)#monitor session 2 source remote vlan 667
SW4(config)#monitor session 2 destination interface f0/17 ingress vlan 101

Step 4  IPS configuration.

1. Go to Configuration > Interfaces, select the GigabitEthernet0/2 interface and click the Enable button.

2. Go to Configuration > Policies > IPS Policies, select the "vs0" virtual sensor on the list and click Edit.

3. Highlight the GigabitEthernet0/2 interface on the list and click the Assign button. Then click OK and Apply the changes to the sensor.
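An analyst reading the signature 5114 event from Task 1 wants three things from it quickly: who talked to whom on which sensor interface, what the captured request actually does once a lenient server decodes it, and whether the sensor only saw the attack or also answered it. The Python below is an added example and not part of the workbook or the sensor's software. It parses the evIdsAlert text form IDM displays, rebuilds the request from the hex dump, and shows why a path check that stops after one percent-decoding pass misses "..%c0%af.." while a lenient UTF-8 decoder turns it into "/../". The first sample alert is reconstructed from the Task 1 output; the second adds "actions" / "tcpResetSent" lines, which are my assumption about how the sensor records a response action, so that the verdict logic has both cases.

```python
"""Triage an IPS evIdsAlert text block and reconstruct what the attacker sent.

Constructed example: ALERT_SEEN is rebuilt from the lab's signature 5114
output; ALERT_RESET adds an 'actions / tcpResetSent' record whose field
names are assumed, not confirmed from a sensor.
"""
import re
from urllib.parse import unquote_to_bytes


def parse_alert(text):
    """Pull the fields an analyst acts on out of an evIdsAlert text block."""
    def grab(pattern, default=None):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else default

    attacker = re.search(r"attacker:\s*addr:\s*(\S+).*?port:\s*(\d+)", text, re.S)
    target = re.search(r"target:\s*addr:\s*(\S+).*?port:\s*(\d+)", text, re.S)
    # Hex-dump lines: six-digit offset, 2-digit hex pairs, then an ASCII column.
    dump = re.findall(r"^\s*[0-9A-Fa-f]{6}\s+((?:[0-9A-Fa-f]{2}(?:[ ]|$))+)", text, re.M)
    return {
        "sig": int(grab(r"\bid=(\d+)", "0")),
        "subsig": int(grab(r"subsigId:\s*(\d+)", "0")),
        "severity": grab(r"severity=(\w+)"),
        "risk": int(grab(r"riskRatingValue:\s*(\d+)", "0")),
        "interface": grab(r"^\s*interface:\s*(\S+)"),
        "attacker": (attacker.group(1), int(attacker.group(2))) if attacker else None,
        "target": (target.group(1), int(target.group(2))) if target else None,
        "reset_sent": bool(re.search(r"tcpResetSent:\s*true", text)),
        "dropped": bool(re.search(r"droppedPacket:\s*true", text)),
        "payload": b"".join(bytes.fromhex(d.replace(" ", "")) for d in dump),
    }


def lax_utf8(data):
    """Decode like a lenient decoder that accepts overlong 2-byte UTF-8 forms.

    Returns (text, overlong_seen). C0 AF decodes to U+002F '/', which a
    conforming decoder must reject (RFC 3629); any 2-byte form yielding a
    code point below 0x80 is flagged as overlong.
    """
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong = overlong or cp < 0x80
            out.append(chr(cp)); i += 2
        else:
            out.append("\ufffd"); i += 1        # 3/4-byte and invalid forms: out of scope
    return "".join(out), overlong


def escapes_root(path):
    """True if the '/'-separated path climbs above its starting directory."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def triage(alert_text):
    """Combine the alert fields with a decode of the captured request line."""
    a = parse_alert(alert_text)
    m = re.match(rb"[A-Z]+ (\S+)", a["payload"])
    path = m.group(1) if m else b""
    once = unquote_to_bytes(path)                  # one percent-decoding pass
    decoded, overlong = lax_utf8(once)             # what a lenient server sees
    a.update({
        "path": path,
        "naive_traversal": escapes_root(once.decode("latin-1")),   # checker stopping after one pass
        "decoded_path": decoded,
        "overlong": overlong,
        "traversal": escapes_root(decoded),
        "verdict": ("blocked: TCP reset sent" if a["reset_sent"] else
                    "blocked: packet dropped inline" if a["dropped"] else
                    "seen only: no response action recorded"),
    })
    return a


ALERT_SEEN = """\
evIdsAlert: eventId=1259971047105390102 vendor=Cisco severity=high
  originator:
    hostId: IPS-CCIE
  time: Feb 06, 2010 14:11:36 UTC offset=60 timezone=GMT+01:00
  signature: description=WWW IIS Unicode Attack id=5114 version=S355 type=other created=20000101
    subsigId: 1
    sigDetails: ..%c0%af..HTTP
  participants:
    attacker:
      addr: 10.1.101.1 locality=OUT
      port: 31997
    target:
      addr: 10.1.102.2 locality=OUT
      port: 80
      000000  47 45 54 20 2F 2E 2E 25 63 30 25 61 66 2E 2E 2F  GET /..%c0%af../
  riskRatingValue: 65 targetValueRating=medium
  threatRatingValue: 85
  interface: ge0_0
  protocol: tcp
"""
# Same alert with a recorded response action (field names assumed).
ALERT_RESET = ALERT_SEEN.replace("  interface: ge0_0\n",
                                 "  actions:\n    tcpResetSent: true\n  interface: ge0_0\n")

if __name__ == "__main__":
    for name, alert in (("seen", ALERT_SEEN), ("reset", ALERT_RESET)):
        r = triage(alert)
        print(f"{name}: sig {r['sig']}/{r['subsig']} {r['attacker']} -> {r['target']} on {r['interface']}")
        print(f"  path {r['path']!r}: one-pass check traversal={r['naive_traversal']}, "
              f"lenient decode {r['decoded_path']!r} traversal={r['traversal']}")
        print(f"  verdict: {r['verdict']}")
```

The "naive_traversal" / "traversal" pair is the whole point of signature 5114: after a single decode the path is "/..\xc0\xaf../" and contains no ".." segment, so a checker that stops there lets it through, while the lenient second decode yields "/../../". The verdict field is what answers "did the sensor block it": an alert without a recorded action proves visibility, not blocking.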
Verification

SW1#show monitor session all
Session 1
---------
Type                   : Remote Source Session
Source VLANs           :
    RX Only            : 102
Reflector Port         : Fa0/10
Dest RSPAN VLAN        : 666

Session 2
---------
Type                   : Remote Source Session
Source VLANs           :
    RX Only            : 101
Reflector Port         : Fa0/12
Dest RSPAN VLAN        : 667

SW1#show monitor session 2 detail
Session 2
---------
Type                   : Remote Source Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : 101
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : None
Reflector Port         : Fa0/12
Filter VLANs           : None
Dest RSPAN VLAN        : 667

SW1#show interface f0/12
FastEthernet0/12 is up,  line protocol is down (monitoring)
  Hardware is Fast Ethernet, address is 0012.0183.3b0c (bia 0012.0183.3b0c)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:04:46, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     120 packets input, 17800 bytes, 0 no buffer
     Received 21 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 15 multicast, 0 pause input
     0 input packets with dribble condition detected
     122 packets output, 17958 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

SW3#show monitor session 2 detail
Session 2
---------
Type                   : Remote Source Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : 101
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : None
Filter VLANs           : None
Dest RSPAN VLAN        : 667

SW4#show monitor session 2 detail
Session 2
---------
Type                   : Remote Destination Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : 667
Destination Ports      : Fa0/17
    Encapsulation      : Native
          Ingress      : Enabled, default VLAN = 101
    Ingress encap      : Untagged
Filter VLANs           : None
Dest RSPAN VLAN        : None

R1#telnet 10.1.102.2 80
Trying 10.1.102.2, 80 ... Open
GET /..%c0%af../..

HTTP/1.1 400 Bad Request
Date: Sun, 07 Feb 2010 15:11:20 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none

400 Bad Request

[Connection to 10.1.102.2 closed by foreign host]

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See the fired signature 5114 on the event list. Double-click the event to see more details. Here is the text output of the event details.

evIdsAlert: eventId=1259871847105290122 vendor=Cisco severity=high
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 402
  time: Feb 06, 2010 14:41:43 UTC offset=60 timezone=GMT+01:00
  signature: description=WWW IIS Unicode Attack id=5114 version=S355 type=other created=20000101
    subsigId: 1
    sigDetails: ..%c0%af..HTTP
    marsCategory: Penetrate/Evasion/Web
    marsCategory: Penetrate/NimdaWorm
    marsCategory: Penetrate/RemoteCmdExec/Web
    marsCategory: Penetrate/RemoteCmdExec/Web/IIS
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.101.1 locality=OUT
      port: 63434
    target:
      addr: 10.1.102.2 locality=OUT
      port: 80
      000000  47 45 54 20 2F 2E 2E 25 63 30 25 61 66 2E 2E  GET /..%c0%af..
  riskRatingValue: 65 targetValueRating=medium
  threatRatingValue: 85
  interface: ge0_2
  protocol: tcp

How do we know the sensor now covers VLAN 101? The event's interface field reads ge0_2, the interface that receives the RSPAN copy of VLAN 101, whereas the same request in Task 1 was reported on ge0_0. Note that this alert records no response action (there is no actions entry such as a sent TCP reset), so by itself it proves visibility, not blocking. Whether signature 5114/1 resets the connection depends on the actions configured for it under Configuration > Policies > sig0; when the sensor does send a reset, the event records it.

LAB 2.3. Inline Mode

[Topology diagram: R1 F0/0 (.1) and ASA E0/1 (.10) in VLAN 101, 10.1.101.0/24; ASA E0/0 (.10) and IPS G0/0 in VLAN 100; IPS G0/1 and R2 G0/0 (.2) in VLAN 102, 10.1.102.0/24; the inline pair G0/0-G0/1 bridges VLAN 100 and VLAN 102; PC (.200) and IPS C&C (.100) in VLAN 101.]

Lab Setup
> R1's F0/0 and ASA's E0/1 interface should be configured in VLAN 101
> ASA's E0/0 and IPS G0/0 interface should be configured in VLAN 100
> R2's G0/0 and IPS G0/1 interface should be configured in VLAN 102
> PC should be configured in VLAN 101
> IPS Command and Control (C&C) interface should be configured in VLAN 101
> Configure Telnet on all routers using password "cisco"
> Configure RIPv2 on all devices (except PC and IPS)

IP Addressing
Device    Interface (ifname)             IP address
R1        F0/0                           10.1.101.1/24
R2        G0/0                           10.1.102.2/24
ASA-FW    E0/0 (Outside, Security 0)     10.1.102.10/24
ASA-FW    E0/1 (Inside, Security 100)    10.1.101.10/24

Task 1
Configure the IPS sensor in inline mode using its G0/0 and G0/1 interfaces, connected to VLAN 100 and VLAN 102 respectively. Use the following initial settings:
Hostname: IPS-CCIE
IP address: 10.1.101.100/24
Default gateway: 10.1.101.10
Allowed hosts: 10.1.101.200
Configure the IPS management interface (m0/0) in VLAN 101.

Operating a sensor in inline mode puts the sensor directly into the traffic flow and enables it to prevent attacks by dropping malicious traffic before it reaches the intended target. For a sensor to operate in inline mode, you must configure two monitoring interfaces as a pair. The inline port pair operates as a transparent Layer 2 repeater: packets entering one interface of the pair are transmitted out the other interface of the pair, unless a defined signature action results in the packet being dropped. The inline interfaces are transparent and do not have IP addresses. In this topology the ASA's outside interface (10.1.102.10) and R2 (10.1.102.2) stay on one IP subnet even though they sit in different VLANs (100 and 102): the sensor bridges the two VLANs, so every packet between them has to pass through it.
Configuration Complete these steps: Step 1 IPS CLI configuration. sensor login: cisco Password: ‘This product contains cryptographic features and Le abject to United states land local country lave governing import, expert, transfor and uss. Delivery of Cisco eryptographic products does not imply third-party autherity to import, users are responsible for coplisnas with U.S. and local country lave. By using ‘this product you agree to comply With applicable laws and regulations. Tf you ‘A summary of U.5. lave governing Cleco cryptographic producte may be fcund at: ‘nttp://nw ci eco con /w/export/arypto/ tocl/starg. html, Tf you require further assistance please contact us by sending email to emparttoizco.: ‘There is no License key installed on the 175-420, Page 38 of 409 CCIE SECURTY v4 Lab Workbook ‘The syeten will continue to operate with the currently installed signature set. A valid License mst be obtained in order to apply ‘signature updates, Please go to http://www. ctece.cca/go/1icense Basic Setup ‘system Configuration Dialog ‘At any point you may enter a question mark ‘2! for help. User ctri-c to abort configuration dialog at any prompt. Default settings are in square brackets ‘[]'. current time: sat Feb 6 21:44:04 2010 Setup Configuration last modified: Sat Feb 06 21:42:16 2010 Enter host nane[sensor]: 1PS-ccrE Enter IP interface[i92.160.1.2/24,192.168.1.1]: 10.1.101.100/24,10.1.101-10 Modify current access list?{no]: yes current access list entries: Permit: 10.1.101.200/32 emit: Modify system clock settings? {no}: ‘The folloving configuration was entered. service host network-settings host-ip 10.1.101.100/24,10.1.101.10 host-name IPS-COrE telnet-option disabled access-list 10.1.101.200/32 fep-timeout 300 no login-banner-text exit time-aone-settings offset 0 atandard-time-zone-nane UIC exit, ‘sumertime-option disabled neproption disabled exit, [01 Go to the command prompt without saving this config. [2] Return to setup without saving this config. 
[2] Save this configuration and exit setup. Page 39 of 409 CCIE SECURTY v4 Lab Workbook Step 2 [31 Continue to Advanced setup. mnter your selection{3]: 2 == configuration saved --- Complete the advanced setup using CLI or IDM, ‘To use IDM,point your web browser at https: //. sensor# exit IPS-CCTE Login: IPS GUI configuration. 1. Go to Configuration > Interfaces, select GigabitEthernet0/and GigabitEthernetO/ interfaces and click Enable button. 2. Goto Configuration > Interface Pairs > click on Add. Then enter a name for Interface Pair, select G0/0 and G0/1 interfaces on the list, make some description and click on OK. Page 40 of 409 CCIE SECURTY v4 Lab Workbook changes to the sensor. 4. Goto Configuration > Policies > IPS Policies, select “vs0” virtual sensor on the list and click Edit. Select newly created Interface Pair on the list and click on Assign. Then click OK and Apply the changes to the sensor. Page 41 of 409 CCIE SECURTY v4 Lab Workbook Ffadtoral ver Page 42 of 405 CCIE SECURTY v4 Lab Workbook Verification ASA-PW (config) # pi 10.1..102.2 ‘Type escape sequence to abort. Sending 5, 100-byte IGMP Echos to 10.1.102.2, timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms ‘ASAPH (config) Task2 Enable ICMP Echo Request signature to produce an alert when ICMP echo request packet is seen. ‘By default some signatures are disabled. This is because itis up to the administrator to tuneup and enable signatures that sults his network and will not cause network collapse after enabling them. There are two basie signatures for ICMP trae which Is very useful In tes ing basic IPS settings and capabilities. Those signatures are: ICMP Echo Request - Sig ID 2004/0 {ICMP Echo Reply - Sig 1D 2000/0 ‘Those are informational signatures with Alert action configured. tis recommended to enable at east one (2004) fo see if trafic fs golng through the IPS in Inline mode. Complete these steps: Step 1 IPS configuration. 1. 
Go to Configuration > Policies > sig0 > Active Signatures. From the Filter drop-down list select Sig Name and enter the "icmp echo" string. Then click on the Filter button. Highlight the signature ID 2004/0 and click on Enable. Then Apply the changes to the sensor.

To verify the solution, we need to be able to ping through the ASA. As we already know there are two ways to do that: (1) applying an ACL on the outside interface in the inbound direction to allow the returned ICMP replies; (2) enabling ICMP inspection. The second option is simpler and faster, so we will use it here.

ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
ASA-FW(config)# ping 10.1.102.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/28 ms
ASA-FW(config)#

Go to Monitoring > Events, check the Show past events radio button and select 10 minutes. Then click on the View button.

See the fired signature 2004 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259879667105390098 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 06, 2010 22:04:18 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
  participants:
    attacker:
      addr: 10.1.101.1 locality=OUT
    target:
      addr: 10.1.102.2 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp

The second event is a Summary. We will look into that in later labs.

evIdsAlert: eventId=1259879667105390099 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 06, 2010 22:04:48 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.101.1 locality=OUT
    target:
      addr: 10.1.102.2 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  summary: 5 final=true initialAlert=1259879667105390098 summaryType=Regular
  alertDetails: Regular Summary: 5 events this interval ;
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp

LAB 2.4. Inline VLAN Pair Mode (on-a-stick)

[Topology diagram: VLAN 100 - 10.1.101.0/24, VLAN 200 - 10.1.101.0/24]

Lab Setup

» R1's F0/0 interface should be configured in VLAN 100
» R2's G0/0 interface should be configured in VLAN 200
» PC and IPS Command and Control (C&C) interface should be configured in VLAN 100

IP Addressing

Device   Interface (ifname)   IP Address
R1       F0/0                 10.1.101.1/24
R2       G0/0                 10.1.101.2/24

Task

Configure the IPS Sensor to monitor traffic going between VLANs 100 and 200 using only one physical interface (G0/0). Use the following initial settings:

Hostname: IPS-CCIE
IP address: 10.1.101.100/24
Default Gateway: 10.1.101.10
Allowed Hosts: 10.1.101.200

Configure the IPS management interface (m0/0) in VLAN 100.

You can associate VLANs in pairs on a physical interface. This configuration is known as "inline-on-a-stick." Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair.
Inline VLAN pair mode is an active monitoring mode where a monitoring interface acts as an IEEE 802.1Q trunk port, and the sensor performs VLAN bridging between pairs of VLANs on the trunk. The sensor inspects the traffic that it receives on each VLAN in each pair, and can either forward the packets on the other VLAN in the pair, or drop the packet if an intrusion attempt is detected.

You can configure a Cisco IPS sensor to simultaneously bridge up to 255 VLAN pairs on each monitoring interface. The sensor replaces the VLAN ID field in the 802.1Q header of each received packet with the ID of the egress VLAN to which the sensor forwards the packet. The sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs.

Configuration

Complete these steps:

Step 1  SW4 configuration.

SW4(config)#vlan 200
SW4(config-vlan)#exit
SW4(config)#interface FastEthernet0/15
SW4(config-if)#switchport trunk encapsulation dot1q
SW4(config-if)#switchport trunk allowed vlan 100,200
SW4(config-if)#switchport mode trunk

We need to have a trunk between the switch and the IPS monitoring interface to carry the pair of VLANs.

Step 2  IPS CLI configuration.

This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery of
Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S.
laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

There is no license key installed on the IPS-4240.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license

        --- Basic Setup ---

        --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Sun Feb 7 20:00:22 2010

Setup Configuration last modified: Sun Feb 07 20:00:00 2010

Enter host name[sensor]: IPS-CCIE
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.101.100/24,10.1.101.10
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 10.1.101.200/32
Permit:
Modify system clock settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 10.1.101.100/24,10.1.101.10
host-name IPS-CCIE
telnet-option disabled
access-list 10.1.101.200/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2

--- Configuration saved ---

Complete the advanced setup using CLI or IDM.
To use IDM, point your web browser at https://

IPS-CCIE login:

Step 3  IPS GUI configuration.

1. Go to Configuration > Interfaces, select the GigabitEthernet0/0 interface and click the Enable button.

2. Then go to Configuration > Interfaces > VLAN Pairs and click on Add.
Select the GigabitEthernet0/0 interface from the drop-down list and enter the VLAN information as follows:

[Screenshot: Add VLAN Pair dialog]

3. Go to Configuration > Policies > IPS Policies, select the "vs0" virtual sensor on the list and click Edit. Highlight the GigabitEthernet0/0.1 interface on the list and click the Assign button. Then click OK and Apply the changes to the sensor.

Verification

To verify, enable SIG ID 2004 and ping R2 from R1.

Go to Configuration > Policies > sig0 > Active Signatures. From the Filter drop-down list select Sig Name and enter the "icmp echo" string. Then click on the Filter button. Highlight the signature ID 2004/0 and click on Enable. Then Apply the changes to the sensor.

R1#ping 10.1.101.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/8/28 ms
R1#

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the fired signature on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259905487105390087 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 363
  time: Feb 11, 2010 21:02:16 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan:
    100
  participants:
    attacker:
      addr: 10.1.101.1 locality=OUT
    target:
      addr: 10.1.101.2 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp

LAB 2.5. Signature tuning

[Topology diagram: VLAN 101 - 10.1.101.0/24, VLAN 100 - 10.1.12.0/24, VLAN 200 - 10.1.12.0/24, Lo0 on R1 and R2]

Lab Setup

» R1's F0/0 and R2's G0/0 interface should be configured in VLAN 100 and VLAN 200 respectively
» PC and IPS Command and Control (C&C) interface should be configured in VLAN 101
» Configure Telnet on all routers using password "cisco"
» Configure RIPv2 on all devices (except PC and IPS)

IP Addressing

Device   Interface (ifname)   IP Address
R1       F0/0                 10.1.12.1/24
         Lo0                  1.1.1.1/32
R2       G0/0                 10.1.12.2/24
         Lo0                  2.2.2.2/32

Task 1

Configure the IPS Sensor in inline mode using its G0/0 and G0/1 interfaces configured in VLAN 100 and VLAN 200 respectively. Use the following initial settings:

* Hostname: IPS-CCIE
* IP address: 10.1.101.100/24
* Default Gateway: 10.1.101.10
* Allowed Hosts: 10.1.101.200
* IPS management interface (m0/0) in VLAN 101.

Configure the signature named "Fragmented ICMP Traffic" to trigger when fragmented ICMP Echo packets are seen between R1's F0/0 and R2's G0/0 interface. You must use the existing signature to block the attacker inline and generate an alert.

Configuration

Complete these steps:

Step 1  SW4 configuration.

SW4(config)#interface FastEthernet0/15
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 100
SW4(config)#interface FastEthernet0/16
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 200

Step 2  IPS CLI configuration.
sensor login: cisco
Password:
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery of
Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

There is no license key installed on the IPS-4240.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license

        --- Basic Setup ---

        --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Sun Feb 7 20:00:22 2010

Setup Configuration last modified: Sun Feb 07 20:00:00 2010

Enter host name[sensor]: IPS-CCIE
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.101.100/24,10.1.101.10
Modify current access list?[no]: yes
Current access list entries:
Permit: 10.1.101.200/32
Modify system clock settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 10.1.101.100/24,10.1.101.10
host-name IPS-CCIE
telnet-option disabled
access-list 10.1.101.200/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2

--- Configuration saved ---

Complete the advanced setup using CLI or IDM.
To use IDM, point your web browser at https://

sensor# exit

IPS-CCIE login:

Step 3  IPS GUI configuration.

1. Go to Configuration > Interfaces > Interfaces, select the GigabitEthernet0/0 and GigabitEthernet0/1 interfaces and click Enable.

2. Go to Configuration > Interfaces > Interface Pairs and click on Add. Enter a name for the Interface Pair, select the two interfaces from the list and add a description. Click OK and the Apply button.

3. Go to Configuration > Policies > IPS Policies, select the "vs0" virtual sensor on the list and click Edit. Highlight the newly created Inline Interface Pair on the list and click the Assign button. Then click OK and Apply the changes to the sensor.

4. Go to Configuration > Policies > sig0 > Active Signatures. From the Filter drop-down list select Sig Name and enter the "fragmented icmp" string. Then click on the Filter button. Highlight the signature ID 2150/0 and click on Enable.

5. Then click on the Edit Actions button and select the Deny Attacker Inline and Produce Alert items on the list. Click on OK.

6. Click on the Edit button to see the details for the selected signature. Enter "8" for ICMP Type and "0" for ICMP Code.
Specify the Source IP Address Range and Destination IP Address Range as follows:

[Screenshot: Edit Signature dialog for signature 2150/0]

Verification

R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

A standard ping is successful as there is no fragmentation (ICMP packets by default have a size of 100 bytes).

R1#ping 10.1.12.2 size 2000
Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The large ping has been blocked as there are fragments. The default MTU on an Ethernet segment is 1500 bytes.

R1#ping 2.2.2.2 source 1.1.1.1 size 2000
Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

This ping is successful as it does not trigger the signature: the source IP address is outside the configured range.

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the fired signature 2150 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259892307105390105 vendor=Cisco severity=informational
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 12, 2010 12:06:42 UTC offset=0 timezone=UTC
  signature: description=Fragmented ICMP Traffic id=2150 version=S2
    type=other created=20010202
    subsigId: 0
    marsCategory: DoS/Host
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
    target:
      addr: 10.1.12.2 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  actions:
    deniedAttacker: true
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 0
  interface: ge0_0
  protocol: icmp

Note that the deniedAttacker action is recorded in the event log. This action is available only in Inline mode, as the IPS itself must block the traffic. The blocked traffic sources are listed under the following page in IDM:

Go to Monitoring > Time-Based Actions > Denied Attackers. R1's F0/0 IP address should be on the list.

LAB 2.6. Custom HTTP signature

This lab is based on the configuration from the previous lab.

[Topology diagram: as in the previous lab]

Task 1

Create a new signature to reset connections to the HTTP server located on R2. The TCP Reset should be sent to the attacker if the string "cisco.com" is seen in the URI field, the packet is destined to one of the following ports: 80, 8080, 888, and the URI field is no longer than 10 characters.

Each Cisco IPS signature is created by a signature engine specifically designed for the type of traffic being monitored. A signature engine is a component of the sensor that supports a category of signatures. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or sets of values. Cisco IPS signature engines enable network security administrators to tune and create signatures unique to their network environment.
Here are some of the general categories of Cisco IPS signature engines:

• ATOMIC: Used to perform per-packet inspection (the ATOMIC engines support signatures that trigger on the analysis of a single packet)
• FLOOD: Used to detect attempts to cause denial of service (DoS)
• META: Used to perform event correlation on the sensor
• NORMALIZER: Used to detect ambiguities and abnormalities in the traffic stream
• SERVICE: Used when services at Layers 5, 6, and 7 require protocol analysis
• STATE: Used for state-based and regular expression-based pattern inspection and alarming functionality for TCP streams
• STRING: Used for regular expression-based pattern inspection and alarm functionality for multiple transport protocols, including TCP, UDP, and ICMP
• SWEEP: Used to detect network reconnaissance
• TRAFFIC: Identifies traffic irregularities
• TROJAN: Used to detect BackOrifice Trojan horse traffic and Tribe Flood Network 2000 (TFN2K) Trojan, or distributed denial of service (DDoS) traffic
• AIC (Alarm Interface Controller): Used for deep-packet inspection of FTP and HTTP traffic

Signature engines use their parameters to provide the configuration of signatures. An engine parameter is a name and value pair. The parameter name is constant across all signatures in a particular engine, but the value can be different for the various signatures in an engine group. Some parameters are common to all engines while others are engine

Configuration

Complete these steps:

Step 1  IPS configuration.

1. Go to Configuration > Policies > sig0 > Active Signatures and click on Signature Wizard. Select Service HTTP from the drop-down list and click Next.

2. Enter the name for the new signature, add some Notes and Comments and click on Next.

3. On the Engine Specific Parameters screen, click on Event Action and select Produce Alert and Reset TCP Connection from the list. Then click OK.
4. Set the Max URI Field Length to 10 and the URI regex to "cisco.com". Make sure the Service Ports are 80, 8080 and 888. Then click Next.

5. Set the Signature Fidelity Rating to 75 and the Action Severity to Medium. Click Next.

6. Leave the default settings for Alert Behavior and click Finish to close the wizard.

Verification

R2(config)#ip http server

R1#telnet 10.1.12.2 80
Trying 10.1.12.2, 80 ... Open
GET cisco.com/attack.htm

[Connection to 10.1.12.2 closed by foreign host]

Note that the connection has been closed immediately. All conditions have been met: (1) "cisco.com" is in the URI, (2) the URI is longer than 10 characters and (3) the destination port was 80.

R1#telnet 10.1.12.2 80
Trying 10.1.12.2, 80 ... Open
GET test.htm
HTTP/1.1 400 Bad Request
Date: Sun, 14 Feb 2010 13:20:51 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 10.1.12.2 closed by foreign host]
R1#

The packet has reached the destination. There is no "cisco.com" in the URI.

R1#telnet 10.1.12.2 80
Trying 10.1.12.2, 80 ... Open
GET cisco.com
HTTP/1.1 400 Bad Request
Date: Sun, 14 Feb 2010 13:34:34 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 10.1.12.2 closed by foreign host]

The packet is allowed as "cisco.com" has only 9 characters.

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the custom signature fired.
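The three wizard conditions of this signature, modelled as an added Python example that is not part of the workbook: a request is checked against the service ports, the URI regex and the URI length, and all three must hold, which is why the 9-character "GET cisco.com" above is allowed while "GET cisco.com/attack.htm" is reset. It also shows a tuning caveat: in the regex as typed, "cisco.com", the dot is a wildcard that matches any character, so a pattern with an escaped dot is included for comparison.

```python
import re

# Engine-specific parameters as entered in the Signature Wizard (values from the lab).
SERVICE_PORTS = {80, 8080, 888}
MAX_URI_FIELD_LENGTH = 10                       # fires only when the URI is longer than this
URI_REGEX_AS_TYPED = re.compile("cisco.com")    # '.' is a regex wildcard: "ciscoXcom" matches too
URI_REGEX_LITERAL = re.compile(r"cisco\.com")   # hardened form: the dot must be a real dot


def parse_request_line(line: str):
    """Return (method, uri) from an HTTP request line, or None if it is not one.
    The version token is optional because 'GET cisco.com' typed into telnet has none."""
    parts = line.strip().split()
    if len(parts) < 2 or not parts[0].isalpha():
        return None
    return parts[0], parts[1]


def evaluate(dst_port: int, request_line: str, uri_regex=URI_REGEX_AS_TYPED) -> dict:
    """Apply the Service HTTP conditions; every one of them must hold for the
    signature to fire (Produce Alert + Reset TCP Connection)."""
    verdict = {"fired": False, "reason": ""}
    parsed = parse_request_line(request_line)
    if parsed is None:
        verdict["reason"] = "not an HTTP request line"
        return verdict
    _, uri = parsed
    if dst_port not in SERVICE_PORTS:
        verdict["reason"] = f"port {dst_port} is not one of the service ports"
    elif not uri_regex.search(uri):
        verdict["reason"] = "URI regex did not match"
    elif len(uri) <= MAX_URI_FIELD_LENGTH:
        verdict["reason"] = f"URI is {len(uri)} characters, not longer than {MAX_URI_FIELD_LENGTH}"
    else:
        verdict.update(fired=True, reason="Produce Alert + Reset TCP Connection")
    return verdict


# Constructed replay of the three requests typed in the verification above.
LAB_REQUESTS = [
    (80, "GET cisco.com/attack.htm"),   # reset: regex, length and port all satisfied
    (80, "GET test.htm"),               # forwarded: regex does not match
    (80, "GET cisco.com"),              # forwarded: only 9 characters
]


def verify_lab_requests(uri_regex=URI_REGEX_AS_TYPED) -> list:
    """Verdicts for LAB_REQUESTS in order: [True, False, False]."""
    return [evaluate(port, line, uri_regex)["fired"] for port, line in LAB_REQUESTS]


if __name__ == "__main__":
    for (port, line), fired in zip(LAB_REQUESTS, verify_lab_requests()):
        print(f"{line!r} on port {port}: {'RESET' if fired else 'allowed'}")
```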
Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259892307105390141 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 13, 2010 19:02:19 UTC offset=0 timezone=UTC
  signature: description=Block HTTP String id=60000 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: Reset and Alert for HTTP string
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
      port: 62469
    target:
      addr: 10.1.12.2 locality=OUT
      port: 80
      os: idSource=unknown type=unknown relevance=relevant
  fromAttacker:
000000  47 45 54 20 63 69 73 63 6F 2E 63 6F 6D 2F 61 74  GET cisco.com/at
000010  74 61 63 6B 2E 68 74                             tack.ht
  riskRatingValue: 66 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 46
  interface: ge0_0
  protocol: tcp

LAB 2.7. Custom String TCP signature

This lab is based on the configuration from the previous lab.

[Topology diagram: as in the previous lab]

Task

Create a new signature to reset TELNET sessions in which the string "erase" is found. The signature must ignore the case of that string (case-insensitive). You must log attacker packets and generate an alert for forensic reasons.

Configuration

Complete these steps:

Step 1  IPS configuration.

There is no TELNET-specific engine, so we need to use the general "String TCP" engine. This is useful for inspecting strings carried in TCP packets.

1. Go to Configuration > Policies > sig0 > Active Signatures and click on Signature Wizard. Select String TCP from the drop-down list and click Next.

2.
Enter the name for the new signature, add some Notes and Comments and click on Next.

3. On the Engine Specific Parameters screen, click on Event Action and select Produce Alert, Log Attacker Packets and Reset TCP Connection from the list. Then click OK.

[Screenshot: Event Action dialog]

4. Enter a Regex String of "[Ee][Rr][Aa][Ss][Ee]" and set the Service Port to 23. Then click Next.

5. Set the Signature Fidelity Rating to 100 and the Action Severity to High. Click Next.

6.
Leave the default settings for Alert Behavior and click Finish to close the wizard.

Verification

R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open

User Access Verification

Password:
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle
* 514 vty 0                idle                 00:00:00 10.1.12.1

  Interface    User               Mode         Idle     Peer Address

R2>eras
[Connection to 10.1.12.2 closed by foreign host]
R1#

Note that the connection has been terminated just after the last character of the word "erase" has been sent.

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the custom signature fired.

Double click on the event to see more details. Here's the text output for event details.
evIdsAlert: eventId=1259892307105390182 vendor=Cisco severity=high
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 13, 2010 14:23:59 UTC offset=0 timezone=UTC
  signature: description=TCP String Blocking id=60001 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: Reset and Alert when specific string is found
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
      port: 59742
    target:
      addr: 10.1.12.2 locality=OUT
      port: 23
      os: idSource=unknown type=unknown relevance=relevant
  context:
    fromTarget:
000000  20 20 48 6F 73 74 28 73 29 20 20 20 20 20 20 20    Host(s)
000010  20 20 20 20 20 20 20 49 64 6C 65 20 20 20 20 20         Idle
000020  20 20 4C 6F 63 61 74 69 6F 6E 0D 0A 20 20 20 30    Location...   0
000030  20 63 6F 6E 20 30 20 20 20 20 20 20 20 20 20 20   con 0
000040  20 20 20 20 20 20 69 64 6C 65 20 20 20 20 20 20        idle
000050  20 20 20 20 20 20 20 20 20 20 20 20 20 2A 20 20               *
000060  2A 22 22 20 20 20 0D 0A 2A 35 31 34 20 76 74 79  *""   ..*514 vty
000070  20 30 20 20 20 20 20 20 20 20 20 20 20 20 20 20   0
000080  20 20 69 64 6C 65 20 20 20 20 20 20 20 20 20 20    idle
000090  20 20 20 20 20 20 20 20 30 30 3A 30 30 3A 30 30          00:00:00
0000A0  31 30 2E 31 2E 31 32 2E 31 0D 0A 0D 0A 20 20 49  10.1.12.1....  I
0000B0  6E 74 65 72 66 61 63 65 20 20 20 20 55 73 65 72  nterface    User
0000C0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4D                 M
0000D0  6F 64 65 20 20 20 20 20 20 20 20 20 49 64 6C 65  ode         Idle
0000E0  20 20 20 20 20 50 65 65 72 20 41 64 64 72 65 73       Peer Addres
0000F0  73 0D 0A 0D 0A 52 32 3E 65 72 61 73              s....R2>eras
    fromAttacker:
000000  FF FD 03
000010  FC 18 FF F0 20 63 69                             .... ci
000020  73 63 6F 0D 0A 73 68 20 75 73 65 72 73 0D 0A 65  sco..sh users..e
000030  72 61 73 65                                      rase
  ipLogIds:
    ipLogId: 1701868398
  riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 65
  interface: ge0_0
  protocol: tcp

See that the target got only the "eras" string (fromTarget log), as the packet is blocked before it hits the destination (fromAttacker log).

R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open

User Access Verification

Password:
R2>erAs
[Connection to 10.1.12.2 closed by foreign host]
R1#

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the custom signature fired.

Double click on the event to see more details. Here's the text output for event details.
evIdsAlert: eventId=1259892307105390200 vendor=Cisco severity=high
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 13, 2010 14:22:50 UTC offset=0 timezone=UTC
  signature: description=TCP String Blocking id=60001 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: Reset and Alert when specific string is found
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
      port: 147
    target:
      addr: 10.1.12.2 locality=OUT
      port: 23
      os: idSource=unknown type=unknown relevance=relevant
  actions:
    ipLoggingActivated: true
    tcpResetSent: true
    droppedPacket: true
    deniedFlow: true
    logAttackerPacketsActivated: true
    tcpOneWayResetSent: true
  context:
    fromTarget:
000000  FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 0D 0A  ................
000010  55 73 65 72 20 41 63 63 65 73 73 20 56 65 72 69  User Access Veri
000020  66 69 63 61 74 69 6F 6E 0D 0A 0D 0A 50 61 73 73  fication....Pass
000030  77 6F 72 64 3A 20 FF FE 20 FF FD 21 FF FA 21 00  word: .. ..!..!.
000040  FF F0 FF FE 18 0D 0A 52 32 3E 65 72 41 73        .......R2>erAs
    fromAttacker:
000000  FF FD 03 FF FB 20 FF FB 1F FF FB 21 FF FD 01 FF  ................
000010  FC 18 FF FA 1F 00 50 00 19 FF F0 FF FC 20 63 69  .....P........ci
000020  73 63 6F 0D 0A 65 72 41 73 65                    sco..erAse
  ipLogIds:
    ipLogId: 1701868399
  riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 65
  interface: ge0_0
  protocol: tcp

LAB 2.8. Custom ATOMIC IP signature

This lab is based on the configuration from the previous lab.

[Topology diagram: as in the previous lab]

Task

Create a new signature with an ID of 60002 to drop ICMP Echo Request packets with an IP payload length between 500 and 600 bytes. The signature should be triggered only for RFC 1918 IP addresses and should generate an alert and save a dump of the sniffed packets for further investigation.

Configuration

Complete these steps:

Step 1  IPS configuration.
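The reset timing seen in LAB 2.7 above (the target echoed only "eras"), modelled as an added Python example that is not the workbook's own code. It assumes character-mode Telnet, one keystroke per TCP segment, and shows that an inline sensor can only drop the segment that completes the regex: everything forwarded before it has already reached the target, which is why the Log Attacker Packets action matters for forensics.

```python
import re

SIGNATURE_REGEX = re.compile(rb"[Ee][Rr][Aa][Ss][Ee]")   # regex string entered in the wizard
SERVICE_PORT = 23                                          # Telnet


class InlineStringTcpSensor:
    """Inspects one direction of a single TCP flow the way the inline sensor does:
    each segment is appended to the reassembled stream, the regex is re-evaluated,
    and the segment that completes a match is dropped while a reset is sent.
    Segments forwarded earlier have already reached the target and cannot be recalled."""

    def __init__(self, regex=SIGNATURE_REGEX, service_port=SERVICE_PORT):
        self.regex = regex
        self.service_port = service_port
        self.stream = bytearray()       # attacker -> target bytes seen so far
        self.delivered = bytearray()    # bytes that actually reached the target
        self.reset_sent = False
        self.alerts = []

    def inspect_segment(self, dst_port: int, payload: bytes) -> bool:
        """Return True if the segment is forwarded, False if it is dropped."""
        if self.reset_sent:
            return False                    # flow already torn down by the reset
        if dst_port != self.service_port:
            self.delivered += payload       # not a service port: no inspection
            return True
        self.stream += payload
        match = self.regex.search(bytes(self.stream))
        if match is None:
            self.delivered += payload
            return True
        # The match completed inside this segment: Reset TCP Connection, Produce
        # Alert and Log Attacker Packets. The logged bytes include the dropped segment.
        self.reset_sent = True
        self.alerts.append({"matched": match.group(0),
                            "from_attacker": bytes(self.stream)})
        return False


def run_segments(segments, dst_port=SERVICE_PORT, regex=SIGNATURE_REGEX):
    """Feed a list of TCP payloads through a fresh sensor and return the sensor."""
    sensor = InlineStringTcpSensor(regex)
    for payload in segments:
        sensor.inspect_segment(dst_port, payload)
    return sensor


def run_telnet_keystrokes(keystrokes: bytes, dst_port=SERVICE_PORT):
    """Character-mode Telnet puts one keystroke in each TCP segment (assumption)."""
    return run_segments([bytes([b]) for b in keystrokes], dst_port)


# Constructed replay of the lab session: 'sh users' followed by 'erase'.
LAB_KEYSTROKES = b"sh users\r\nerase"

if __name__ == "__main__":
    s = run_telnet_keystrokes(LAB_KEYSTROKES)
    print("target received:", bytes(s.delivered))      # ends with b'eras'
    print("reset sent:", s.reset_sent, "alerts:", s.alerts)
```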
Here we are looking for one specific packet, so it is a perfect occasion to use the "Atomic IP" engine. This engine is designed to inspect traffic on a per-packet basis, and we can use it for deep packet matching.

1. Go to Configuration > Policies > sig0 > Active Signatures and click on Signature Wizard. Select Atomic IP from the drop-down list and click Next.

2. Set the Signature ID to 60002, enter the name for the new signature, add some Notes and Comments and click on Next.

3. On the Engine Specific Parameters screen, click on Event Action and select Produce Alert and Deny Packet Inline from the list. Then click OK.

[Screenshot: Event Action dialog]

4. Set the Specify Layer 4 Protocol item to Yes, and choose ICMP Protocol for the Layer 4 Protocol setting. Configure ICMP Type to 8 and ICMP Code to 0. Then set the Specify IP Payload Length item to Yes and enter 500-600 in the field for the IP Payload Length option. Make sure you also check RFC 1918 Address in the IP Address Options item.
5. Set Signature Fidelity Rating to 75 and Action Severity to Medium. Click Next.

Verification

R1#ping 10.1.12.2 size 500
Type escape sequence to abort.
Sending 5, 500-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.12.2 size 501
Type escape sequence to abort.
Sending 5, 501-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

The ICMP packets of size 500 bytes and 501 bytes are not getting blocked.

R1#ping 10.1.12.2 size 520
Type escape sequence to abort.
Sending 5, 520-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ICMP packets of size 520 bytes are being blocked. This is because there are an additional 20 bytes of IP header in the packet. Try a lower size to see that:

R1#ping 10.1.12.2 size 519
Type escape sequence to abort.
Sending 5, 519-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.12.2 size 620
Type escape sequence to abort.
Sending 5, 620-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.1.12.2 size 621
Type escape sequence to abort.
Sending 5, 621-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Note that there is a difference in the ICMP implementation between Cisco and Microsoft Windows. When you ping on Cisco using 1000-byte packets there will be 980 bytes of data in the ICMP packet, so that the overall IP packet length will be 1000 bytes. However, when you ping using MS Windows, a 1000-byte packet will have 1000 bytes of ICMP data plus the additional 20 bytes of IP header.

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the custom signature fired.

Double click on the event to see more details. Here's the text output for the event details.

evIdsAlert: eventId=1259892307105390325 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 13, 2010 16:44:51 UTC offset=0 timezone=UTC
  signature: description=Custom ATOMIC IP signature id=60002 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
    target:
      addr: 10.1.12.2 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  actions:
    ipLoggingActivated: true
    droppedPacket: true
    logPairPacketsActivated: true
  ipLogIds:
    ipLogId: 1701868403
  riskRatingValue: 66 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 31
  interface: ge0_0
  protocol: icmp

evIdsAlert: eventId=1259892307105390326 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 13, 2010 16:45:06 UTC offset=0 timezone=UTC
  signature: description=Custom ATOMIC IP signature id=60002 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
    target:
      addr: 0.0.0.0 locality=OUT
      os: idSource=unknown type=unknown relevance=unknown
  summary: 4 final=true initialAlert=1259892307105390325 summaryType=Regular
  alertDetails: Regular Summary: 4 events this interval ;
  riskRatingValue: 56 targetValueRating=medium
  threatRatingValue: 56
  interface: ge0_0
  protocol: icmp

This is a summary for 4 ICMP packets. This event is "attached" to the previous event by specifying the "initialAlert" number.

Go to Monitoring > IP Logging and see the packet capture triggered by the custom signature. The Alert ID identifies the event which has triggered the IP logging.

R1#ping 2.2.2.2 source lo0 size 550
Type escape sequence to abort.
Sending 5, 550-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

This is not an RFC 1918 IP address. That's why the signature has not been triggered.

LAB 2.9. META signature

This lab is based on the configuration from the previous lab.

[Topology diagram]

Task

Configure a new signature so that it triggers when someone pings R2's G0/0 IP address with an ICMP Echo Request packet of size bigger than 2000 bytes and, within a time window of 30 seconds, someone tries to connect to the HTTP server located at R2 and tries to get the attack.txt file. You must generate an alert when those conditions are met and block the attacker inline for 2 hours.

The META engine provides event correlation on the sensor. Using the META engine can dramatically reduce the number of alerts by combining signatures.
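The matching done by signature 60002 in LAB 2.8 and the correlation the META signature of LAB 2.9 performs, as an added example written for this page (not the workbook's or Cisco's code): it builds constructed ICMP packets, applies the labs' signature parameters and a 30-second meta reset interval, and shows why a 519-byte IOS ping passes while a 520-byte one is dropped. Function names, the rule that the RFC 1918 option matches on source or destination, and the sample timeline are assumptions.

```python
import ipaddress
import re
import struct

# Added example, not from the workbook: a small model of the sensor-side logic
# of LAB 2.8 (Atomic IP signature 60002) and LAB 2.9 (META signature 60005 built
# from components 60003 and 60004). Signature parameters and the IOS/Windows
# "size" semantics follow the workbook; names and sample traffic are constructed.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_HDR, ICMP_HDR = 20, 8          # IPv4 header without options, ICMP echo header
R2_G00 = ipaddress.ip_address("10.1.12.2")


def build_icmp_echo(src, dst, data_len, icmp_type=8, icmp_code=0):
    """Constructed IPv4 + ICMP echo packet; checksums are left zero (never sent)."""
    total = IP_HDR + ICMP_HDR + data_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + struct.pack("!BBHHH", icmp_type, icmp_code, 0, 1, 1) + bytes(data_len)


def cisco_ping(src, dst, size):
    """IOS 'ping ... size N': N is the whole IP datagram, so the IP payload is N-20."""
    return build_icmp_echo(src, dst, size - IP_HDR - ICMP_HDR)


def windows_ping(src, dst, size):
    """Windows 'ping -l N': N is ICMP data only; the 8-byte ICMP and 20-byte IP headers come on top."""
    return build_icmp_echo(src, dst, size)


def parse(pkt):
    """Return the header fields the Atomic IP engine looks at."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR])
    ihl = (ver_ihl & 0x0F) * 4
    p = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
         "proto": proto, "ip_payload_len": total - ihl}
    if proto == 1:
        p["icmp_type"], p["icmp_code"] = pkt[ihl], pkt[ihl + 1]
    return p


def is_echo_request(p):
    return p["proto"] == 1 and (p["icmp_type"], p["icmp_code"]) == (8, 0)


def sig_60002(pkt):
    """LAB 2.8: ICMP echo, IP payload length 500-600, RFC 1918 address option
    (assumed here to match when the source or the destination is private).
    Returns the event actions configured in the lab, or None when it does not match."""
    p = parse(pkt)
    private = any(a in net for a in (p["src"], p["dst"]) for net in RFC1918)
    if is_echo_request(p) and 500 <= p["ip_payload_len"] <= 600 and private:
        return {"produce-alert", "deny-packet-inline", "log-pair-packets"}
    return None


def sig_60003(pkt):
    """LAB 2.9 component: echo request to R2's G0/0 with IP payload 2000-65535, no actions."""
    p = parse(pkt)
    return is_echo_request(p) and p["dst"] == R2_G00 and 2000 <= p["ip_payload_len"] <= 65535


def sig_60004(dst_port, uri):
    """LAB 2.9 component: Service HTTP on port 8888 with URI regex 'attack.txt', no actions."""
    return dst_port == 8888 and re.search(r"attack.txt", uri) is not None


class MetaSignature:
    """Fires once every component has alerted for the same attacker within
    meta-reset-interval seconds; a partial match is discarded when the interval expires."""

    def __init__(self, sig_id, components, reset_interval, actions):
        self.sig_id, self.components = sig_id, frozenset(components)
        self.reset_interval, self.actions = reset_interval, actions
        self.pending = {}  # attacker -> (time of first component alert, components seen)

    def observe(self, t, component_id, attacker):
        if component_id not in self.components:
            return None
        first, seen = self.pending.get(attacker, (t, frozenset()))
        if t - first > self.reset_interval:      # window expired: start a new one
            first, seen = t, frozenset()
        seen = seen | {component_id}
        if seen == self.components:
            self.pending.pop(attacker, None)
            return {"sig": self.sig_id, "attacker": attacker, "actions": self.actions,
                    "component_list": sorted(seen)}
        self.pending[attacker] = (first, seen)
        return None


def run_lab_2_9(gap_seconds):
    """Constructed timeline: a 2500-byte IOS ping from R1 to R2 at t=0, then
    'GET attack.txt' on port 8888 gap_seconds later. Returns the META alert or None."""
    meta = MetaSignature(60005, {60003, 60004}, reset_interval=30,
                         actions={"produce-alert", "deny-attacker-inline-120min"})
    attacker, fired = "10.1.12.1", None
    if sig_60003(cisco_ping(attacker, "10.1.12.2", 2500)):
        fired = meta.observe(0, 60003, attacker)
    if sig_60004(8888, "attack.txt"):
        fired = meta.observe(gap_seconds, 60004, attacker) or fired
    return fired
```

Running run_lab_2_9(12) returns the META alert listing components 60003 and 60004, while run_lab_2_9(45) returns None because the second component arrived after the reset interval.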
The META engine enables you to disable the component signatures, so that they do not generate alerts, and receive only a META alert that indicates that the attack is happening. By doing the correlation on the sensor itself rather than at a management console, the sensor can take action immediately.

Configuration

Complete these steps:

Step 1 IPS configuration.

1. Go to Configuration > Policies > sig0 > Active Signatures and click on Signature Wizard. Select Atomic IP from the drop-down list and click Next.

2. Enter the name for the new signature, make some Notes and Comments and click on Next.

3. On the Engine Specific Parameters screen, disable any of the Event Actions associated with the signature, select ICMP Protocol as Layer 4 Protocol and use ICMP Type of 8 and ICMP Code of 0. Set IP Payload Length to the range of 2000-65535 and Destination IP Address Range to 10.1.12.2.

4. Set Signature Fidelity Rating to 75 and Action Severity to Medium. Click Next.

5. Leave default settings for Alert Behavior and click Finish to close the wizard.

6. Open up the Signature Wizard again and select Service HTTP from the drop-down list and click Next.
7. Enter the name for the new signature, make some Notes and Comments and click on Next.

8. On the Engine Specific Parameters screen, disable any of the Event Actions associated with the signature; configure Regex/Specify URI Regex/URI Regex to "attack.txt" and Service Ports to 8888.

9. Set Signature Fidelity Rating to 75 and Action Severity to Medium. Click Next.

10. Leave default settings for Alert Behavior and click Finish to close the wizard.

11. Go to Configuration > Policies > sig0 > Active Signatures and click on Signature Wizard. Select Meta from the drop-down list and click Next. Enter the name for the new signature, make some Notes and Comments and click on Next. On the Engine Specific Parameters screen, click on Event Action and select Produce Alert and Deny Packet Inline from the list. Then click OK.
12. Click on the Component List option and click the Add button. Enter the first sub-signature name (it can be some arbitrary name), set Component Sig ID to 60003 (must be a real signature ID). Click OK.

13. Click the Add button again to add the second sub-signature. Enter some name (it can be some arbitrary name), set Component Sig ID to 60004 (must be a real signature ID). Click OK.

14. Both sub-signatures are listed under the Inactive Entries column. Highlight them and click on the Select button to move them to the right column (Active Entries). Then click OK.

15. On the Meta signature settings page, set Meta Reset Interval to 30 seconds. Click OK.

Note that only the META signature has an Action configured.

16. Go to Configuration > Policies > Event Action Rules > rules0 > (tab) General and set Block Action Duration to 120 minutes.

Verification

R2(config)#ip http port 8888

R1#ping 10.1.12.2 size 5000
Type escape sequence to abort.
Sending 5, 5000-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R1#telnet 10.1.12.2 8888
Trying 10.1.12.2, 8888 ... Open
GET attack.txt
<...session hangs...>

Two "attacks" have been generated within 30 seconds.

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the custom META signature fired.

Double click on the event to see more details. Here's the text output for the event details.
evIdsAlert: eventId=1259892307105390597 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 13, 2010 22:26:17 UTC offset=0 timezone=UTC
  signature: description=META signature id=60005 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
  actions:
    deniedAttacker: true
  alertDetails: Component Signature List: 60003/0 60004/0 ;
  riskRatingValue: 56 targetValueRating=medium
  threatRatingValue: 11
  interface: ge0_0
  protocol: tcp

Two component signatures triggered within 30 seconds, so the META signature has been triggered, generating an alert and blocking the attacker.

Go to Monitoring > Time-Based Actions > Denied Attackers to see if R1's F0/0 interface IP address is on the list.

LAB 2.10. Blocking and rate limiting

[Topology diagram]

* R1's F0/0 and R2's G0/0 interfaces should be configured in VLAN 100
* R2's G0/1 and ASA's E0/0 interfaces should be configured in VLAN 102
* R4's F0/0 and ASA's E0/1 interfaces should be configured in VLAN 101
* PC and IPS Command and Control (C&C) interface should be configured in VLAN 101
* Configure Telnet on all routers using password "cisco"
* Configure RIPv2 on all devices (except PC and IPS)

IP Addressing

Device    Interface (ifname)             IP address
R1        F0/0                           10.1.100.1/24
R2        G0/0                           10.1.100.2/24
          G0/1                           10.1.102.2/24
R4        F0/0                           10.1.101.4/24
ASA-FW    E0/0 (Outside, Security 0)     10.1.102.10/24
          E0/1 (Inside, Security 100)    10.1.101.10/24

Task 1

Use the following initial settings for the IPS sensor configuration:

* Hostname: IPS-CCIE
* IP address: 10.1.101.100/24
* Default Gateway: 10.1.101.10
* Allowed Hosts: 10.1.101.200
* IPS management interface (m0/0) in VLAN 101.
Configure the sensor to monitor traffic in VLAN 100 using promiscuous mode and its G0/0 interface. Tune up the ICMP Echo Request signature so that it triggers for packets destined to R4's F0/0 interface IP address. Configure connection blocking for that signature using R2's G0/0 interface (use a TELNET connection) and ensure that the IPS management station (PC) IP address does not get accidentally blocked.

Cisco IPS has a blocking feature that prevents packets from reaching their destination. Blocking is initiated by a sensor and performed by another Cisco device at the request of the sensor. The blocking application on the sensor is called Attack Response Controller (ARC). The ARC starts and stops blocks. It monitors the time for the block and removes the block after the time has expired. ARC is also used in rate limiting.

Configuration

Complete these steps:

Step 1 SW1 configuration.

SW1(config)#vlan 666
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 1 source vlan 100 rx
SW1(config)#monitor session 1 destination remote vlan 666

Step 2 SW4 configuration.

SW4(config)#vlan 666
SW4(config-vlan)#remote-span
SW4(config-vlan)#exit
SW4(config)#monitor session 1 source remote vlan 666
SW4(config)#monitor session 1 destination interface f0/15

Step 3 IPS CLI configuration.

sensor login: cisco
Password:
<...crypto export notice and license warning omitted...>
--- Basic Setup ---

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Sun Feb 7 20:00:22 2010

Setup Configuration last modified: Sun Feb 07 20:00:00 2010

Enter host name[sensor]: IPS-CCIE
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.101.100/24,10.1.101.10
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 10.1.101.200/32
Permit:
Modify system clock settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 10.1.101.100/24,10.1.101.10
host-name IPS-CCIE
telnet-option disabled
access-list 10.1.101.200/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2
Configuration Saved.

--- Complete the advanced setup using CLI or IDM. ---
To use IDM, point your web browser at https://IPS-CCIE

Login:

Step 4 IPS GUI configuration.

1. Go to Configuration > Interfaces > Interfaces, select the GigabitEthernet0/0 interface and click the Enable button.

2. Go to Configuration > Policies > IPS Policies, select the "vs0" virtual sensor on the list and click Edit. Highlight the GigabitEthernet0/0 interface on the list and click the Assign button. Then click OK and Apply the changes to the sensor.
3. Go to Configuration > Policies > sig0 > Active Signatures. From the Filter drop-down list select Sig Name and enter the "icmp echo" string. Then click on the Filter button. Highlight the signature ID 2004/0 and click on Enable. Then Apply the changes to the sensor.

4. Click on the Edit button to see the detailed signature settings. Enter 10.1.101.4 as Destination IP Address Range. Click OK.

5. Click on Edit Actions and check the Produce Alert and Request Block Connection items. Click OK.

6. Go to Configuration > Sensor Management > Blocking > Blocking Properties and click the Add button. Enter the IPS management station (PC) IP address and a 32-bit mask in the following window. Click OK.

7. Make sure that the Enable Blocking checkbox is selected.

8. Go to Configuration > Sensor Management > Device Login Profiles and click Add. This login profile will be for the R2 router, so enter a Profile Name (can be an arbitrary name) and the Login/Enable passwords. Click OK.
9. Go to Configuration > Sensor Management > Blocking Devices and click Add. Configure R2's IP address, select the previously configured Device Login Profile and set Device Type to Cisco Router. For Response Capabilities check the Block option. Communication must be set to Telnet. Click OK when finished.

10. Go to Configuration > Sensor Management > Router Blocking Device Interfaces and click Add. Select R2's IP address from the drop-down list and configure the g0/0 interface to apply the ACL in the Inbound direction. Click OK when finished.

Verification

ASA-FW(config)# access-list OUTSIDE_IN permit ip any any
ASA-FW(config)# access-group OUTSIDE_IN in interface outside

R1#ping 10.1.101.4 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.101.4, timeout is 2 seconds:
<...output omitted...>

R2#
%SYS-5-CONFIG_I: Configured from console by vty0 (10.1.101.100)
R2#
%SYS-5-CONFIG_I: Configured from console by vty0 (10.1.101.100)
R2#show ip access-lists
Extended IP access list IDS_g0/0_in_1
    10 permit ip host 10.1.101.100 any              <- this is the Never Block Address
    20 deny icmp host 10.1.100.1 host 10.1.101.4    <- this is the Request Block Connection
    30 permit ip any any

Go to Monitoring > Time-Based Actions > Host Blocks and check if R1's IP address is on the list.

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the fired signature 2004 on the event list.

Double click on the event to see more details. Here's the text output for the event details.
evIdsAlert: eventId=1259899127105390112 vendor=Cisco severity=informational
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 14, 2010 12:45:17 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.101.4 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  actions:
    blockConnectionRequested: true
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 15
  interface: ge0_0
  protocol: icmp

evIdsAlert: eventId=1259899127105390114 vendor=Cisco severity=informational
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 14, 2010 12:45:47 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  participants:
    target:
      addr: 10.1.101.4 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  summary: 10 final=true initialAlert=1259899127105390112 summaryType=Regular
  alertDetails: Regular Summary: 10 events this interval ;
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp

Task 2

Configure the sensor to monitor traffic in VLAN 102 using promiscuous mode and its G0/1 interface. Create a custom signature so that it blocks a host telnetting on port TCP 3005 (SYN packet). The signature must connect to the ASA using SSH and shun the attacker. Set the enable password to "cisco123" on the ASA and configure a new user named "sensor" with a password of "sensor123" and use it for shunning.

The sensor must be able to communicate with the blocking device. The sensor must have a route to (only a default route is possible), or must be on the same subnet as, the managed firewall.
The blocking device must also have one of the following configured:

TELNET: Telnet access should be allowed from the sensor.
SSH: SSH access should be allowed from the sensor.

SSH is the default communication mechanism between the sensor and the blocking device. If SSH is used, the blocking device must have a software license that supports DES or 3DES encryption.

As soon as the blocking device is configured on the sensor, the sensor attempts to log into the blocking device using the specified credentials and access protocol, Telnet or SSH. If the sensor logs in successfully, a user connection is maintained between the sensor and the blocking device. This persistent connection allows the sensor to immediately and dynamically configure blocking rules on the blocking device as required.

If local authentication, not AAA, is used for SSH on the ASA, the SSH username is always "pix" and the password is the same as the enable password on the device. The ASA uses "shun" to enable blocking. The "shun" command is limited to blocking hosts; it does not support blocking of specific host connections or manual blocking of entire networks or subnetworks.

Complete these steps:

Step 1 SW4 configuration.

SW4(config)#vlan 888
SW4(config-vlan)#name RSPAN
SW4(config-vlan)#remote-span
SW4(config-vlan)#exit
SW4(config)#monitor session 2 source remote vlan 888
SW4(config)#monitor session 2 destination interface f0/16

Step 2 SW2 and SW5 configuration.

SW2(config)#vlan 888
SW2(config-vlan)#name RSPAN
SW2(config-vlan)#remote-span
SW2(config-vlan)#exit
SW2(config)#monitor session 2 source vlan 102
SW2(config)#monitor session 2 destination remote vlan 888

Step 3 SSH configuration on ASA.
ASA-FW(config)# ssh 10.1.101.100 255.255.255.255 inside
ASA-FW(config)# enable password cisco123
ASA-FW(config)# username sensor password sensor123
ASA-FW(config)# aaa authentication ssh console LOCAL

We need to use a specific username and password to enable blocking on the ASA. Hence, we need to configure local AAA.

Step 4 IPS configuration.

1. Go to Configuration > Interfaces > Interfaces, select the GigabitEthernet0/1 interface and click the Enable button.

2. Go to Configuration > Policies > IPS Policies, select the "vs0" virtual sensor on the list and click Edit. Highlight the GigabitEthernet0/1 interface on the list and click the Assign button. Then click OK and Apply the changes to the sensor.

3. Go to Configuration > Policies > sig0 > Active Signatures and click on Signature Wizard. Select the No option on the first page and click Next.

4. Check TCP as the protocol type and click Next.

5. Select the Single Packet option to use the Atomic IP engine and click on Next.

6. Enter the name for the new signature, make some Notes and Comments and click on Next.

7. On the Engine Specific Parameters screen, click on Event Action and select Produce Alert and Request Block Host from the list. Then click OK.
Remember that the ASA does not support connection blocking. Thus, the only option here is to enable "Request Block Host".

8. Set Specify Layer 4 Protocol/Layer 4 Protocol to TCP Protocol and TCP Flags to SYN. Destination Port Range should be set to 3005.

9. Set Signature Fidelity Rating to 75 and Action Severity to Medium. Click Next.

10. Leave default settings for Alert Behavior and click Finish to close the wizard.

11. Go to Configuration > Sensor Management > Device Login Profiles and click Add. This login profile will be for the ASA, so enter a Profile Name (can be an arbitrary name), the Username "sensor" and its associated Login/Enable passwords. Click OK.

12. Go to Configuration > Sensor Management > SSH > Known Host Keys and click Add. Enter the IP address of the ASA device and click the Retrieve Host Key button.

13. The IPS sensor will try to contact the ASA to get its public SSH key and store it.
After successful key retrieval, the following message appears: "The new host key was retrieved successfully."

14. The key is shown in the window. Click OK to accept it.

15. Go to Configuration > Sensor Management > Blocking Devices and click Add. Configure the ASA's IP address, select the previously configured Device Login Profile and set Device Type to PIX/ASA. Communication must be set to SSH 3DES. Click OK when finished.

Verification

R2#telnet 10.1.101.4 3005
Trying 10.1.101.4, 3005 ... Open
<...session hangs...>

The ASA does NOT support Connection Blocking!!! Thus, we see a "host" block only.

ASA-FW(config)# sh shun
shun (Outside) 10.1.102.2 0.0.0.0 0 0 0
ASA-FW(config)#

Go to Monitoring > Sensor Monitoring > Time-Based Actions > Host Blocks and see if R2's IP address is there.

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the custom signature fired.

Double click on the event to see more details. Here's the text output for the event details.
evIdsAlert: eventId=1259899127105390843 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 14, 2010 21:02:56 UTC offset=0 timezone=UTC
  signature: description=Block TELNET connections on port 3005 id=60000 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.102.2 locality=OUT
      port: 57266
    target:
      addr: 10.1.101.4 locality=OUT
      port: 3005
      os: idSource=unknown type=unknown relevance=relevant
  actions:
    shunRequested: true
  riskRatingValue: 66 targetValueRating=medium attackRelevanceRating=relevant

Note that "shunRequested: true" does not indicate that the blocking is successful. It only says that the IPS triggered the ARC process to block the traffic. If for some reason the IPS cannot contact the blocking device, there is another event saying that.

evIdsAlert: eventId=1259899127105390845 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 14, 2010 21:02:11 UTC offset=0 timezone=UTC
  signature: description=Block TELNET connections on port 3005 id=60000 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.102.2 locality=OUT
      port: 0
    target:
      addr: 0.0.0.0 locality=OUT
      port: 0
      os: idSource=unknown type=unknown relevance=unknown
  summary: 12 final=true initialAlert=1259899127105390843 summaryType=Regular
  alertDetails: Regular Summary: 12 events this interval ;
  riskRatingValue: 56 targetValueRating=medium
  threatRatingValue: 56
  interface: ge0_1
  protocol: tcp

Task 3

Configure the signature "ICMP Flood" so that it triggers when a level of 50 packets-per-second is reached. R2 should be used to rate limit the connection speed to 10% of its G0/0 interface speed.
The IPS can also reconfigure remote devices to limit the packets going through them. This can be done only on routers, and it uses MQC (Modular Quality of Service Command Line Interface) to configure that. Simply speaking, when the Request Rate Limit action is triggered for the signature, the IPS sends a couple of commands to the router with a traffic policing configuration. There is no option to use traffic shaping; non-conforming traffic will be dropped.

Configuration

Complete these steps:

Step 1 IPS configuration.

1. Go to Configuration > Sensor Management > Blocking Devices, highlight the entry for the R2 device and click Edit.

2. Select the Rate Limit checkbox.

3. Go to Configuration > Policies > sig0 > Active Signatures. From the Filter drop-down list select Sig Name and enter the string "icmp flood". Then click the Filter button. Highlight signature ID 2152/0 and click Enable.

4. Then click Edit Actions and check the Produce Alert and Request Rate Limit actions in the list. Click OK.

5. Click the Edit button and set Engine / Event Action Settings / External Rate Limit Type / External Rate Limit Percentage to 10. The Rate item should be set to 50. Click OK and Apply the changes.

Verification

R1#ping 10.1.102.10 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.102.10, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms
R1#

The ping is successful; see if this traffic was matched by the policer:

R2#sh policy-map interface g0/0
 GigabitEthernet0/0

  Service-policy input: IDS_RL_POLICY_MAP_1

    Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-10_1 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IDS_RL_ACL_icmp-xxBx-8-10_1
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 10 %
          cir 100000000 bps, bc 2125000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

No, it wasn't! Why? This is because the router was reconfigured by the IPS only when the signature was triggered, so it took some time to enable rate limiting on the router. Try to ping again and see that now everything is OK.

R1#ping 10.1.102.10 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.102.10, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
R1#

R2#sh policy-map interface g0/0
 GigabitEthernet0/0

  Service-policy input: IDS_RL_POLICY_MAP_1

    Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-10_1 (match-any)
      100 packets, 11400 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: access-group name IDS_RL_ACL_icmp-xxBx-8-10_1
        100 packets, 11400 bytes
        5 minute rate 2000 bps
      police:
          cir 10 %
          cir 100000000 bps, bc 2125000 bytes
        conformed 100 packets, 11400 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 2000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Now all packets have been matched and conformed to the configured policy.
Go to Monitoring > Time-Based Actions > Rate Limits and check that you see the Rate Limit for ICMP.

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See the fired signature 2152 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259899127105390680 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 14, 2010 19:20:19 UTC offset=0 timezone=UTC
  signature: description=ICMP Flood id=2152 version=S354 type=other created=20000101
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.102.10 locality=OUT
    os: idSource=unknown type=unknown relevance=relevant
  actions:
    rateLimitRequested: true
  riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 65
  interface: ge0_1
  protocol: icmp

evIdsAlert: eventId=1259899127105390685 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 14, 2010 19:20:49 UTC offset=0 timezone=UTC
  signature: description=ICMP Flood id=2152 version=S354 type=other created=20000101
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 0.0.0.0 locality=OUT
    target:
      addr: 10.1.102.10 locality=OUT
    os: idSource=unknown type=unknown relevance=relevant
  summary: 27 final=true initialAlert=1259899127105390680 summaryType=Regular
  alertDetails: Regular Summary: 27 events this interval ;
  riskRatingValue: 65 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 85
  interface: ge0_1
  protocol: icmp

LAB 2.11.
Rules

This lab is based on the configuration from the previous lab.

(Topology diagram: VLAN 101 - 10.1.101.0/24, VLAN 100 - 10.1.100.0/24, VLAN 102 - 10.1.102.0/24)

Task 1

R4 is an important asset for your company. Configure rules so that R4 will be treated as High TVR (Target Value Rating) and use the risk rating mechanism to enable alerting with packet dump for every signature getting an RR (Risk Rating) between 85 and 89. You may NOT use an IP address in the TVR configuration. Remove blocking actions for signature 2004 to test your solution.

IPS Rules are the most common method of IPS tuning and the best method to decrease false positives. There are a couple of rules to configure, depending on what you want to achieve:

+ Event Action Overrides - use them to change the actions associated with an event based on the calculated risk rating.

+ Event Action Filters - use them to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can also use the variables that you defined on the Event Variables panel to group addresses for your filters. For example, by specifying the source of traffic that is triggering false positives, you can prevent the sensor from generating unnecessary alerts.

To make this process more flexible, there are some variables to be defined and used in the "filters" and "overrides". Those variables are:

+ Event Variables - if you want to use the same value within multiple filters, use a variable. When you change the value of the variable, any filter using that variable is updated with the new value. Note that you must preface the variable with a dollar sign ($) to indicate that you are using a variable rather than a string.

+ Target Value Rating (TVR) - you can assign a TVR to your network assets. The TVR is one of the factors used to calculate the risk rating value for each alert. Events with a higher risk rating trigger more severe signature event actions.
These values are available:

+ Low
+ Medium
+ High
+ Mission Critical
+ No Value

Risk Rating System

In contrast to the simplistic alert rating models that are commonly used in the industry, Cisco IPS delivers unique risk ratings that are assigned to alerts generated by the IPS sensors. The risk rating is an integer value in the range from 0 to 100. The higher the value, the greater the security risk of the trigger event for the associated alert. The risk rating is a calculated number that is based on several components and is used by event action overrides. There are six values used to calculate the risk rating:

Attack Severity Rating (ASR) - this is nothing more than the severity level configured for the signature. The ASR is not a determination of the accuracy of the signature definition. It's only an indication of the seriousness of the attack. Each severity has an associated numeric value which the risk rating formula uses for the ASR value:

+ Informational (25)
+ Low (50)
+ Medium (75)
+ High (100)

Target Value Rating (TVR) - this is a user-configurable value that identifies the importance of a network asset, through its IP address. The following are the current numeric values for the configured targets:

+ Zero (50)
+ Low (75)
+ Medium (100)
+ High (150)
+ Mission Critical (200)

Signature Fidelity Rating (SFR) - this is a configurable value on a per-signature basis. It is an indication of the confidence that the signature writer has in the signature accuracy. It is not an indication of the seriousness of the potential attack. Valid numbers are 0-100.

Attack Relevancy Rating (ARR) - this is a derived value. It is not configurable. It describes how relevant the attack is to the target system. For example, a Microsoft web server (IIS) buffer overflow attack is serious. But if it is launched against an Apache server, it is not relevant. The relevancy of any target operating system is determined at the time of the alert.
ARR values are:

+ Relevant (10)
+ Unknown (0)
+ Not Relevant (-10)

Promiscuous Delta (PD) - this value lowers the risk rating of certain alerts in promiscuous mode. It is configured on a per-signature basis with numbers of 0-30. The PD is relevant only when the sensor is in promiscuous mode; when the sensor is inline, the PD is not subtracted from the risk rating.

Watch List Rating (WLR) - this is a value of 0-100 derived from the Cisco Security Agent (CSA) Management Center. If the attacker for the alert is found on the watch list, the WLR for that attacker is added to the rating.

The risk rating is calculated by the following formula:

RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR

Valid numbers are from 0-100.

Configuration

Complete these steps:

Step 1 IPS configuration.

1. Find signature ID 2004 (ICMP Echo Request) by filtering the Active Signatures database. Then click the Edit Actions button and remove the blocking actions. Make sure that Alert Severity is Low.

2. Ping R4 from R1 to check if the signature triggers.

R1#ping 10.1.101.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See the fired signature 2004 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259899127105391670 vendor=Cisco severity=low
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 16, 2010 20:24:46 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.101.4 locality=OUT
    os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 60 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 60
  interface: ge0_0
  protocol: icmp

See that the Risk Rating is 60 for that alert.

3. Go to Configuration > Policies > Event Action Rules > rules0 > Risk Category (tab) and click Add. Enter "SIGNIFICANT" for the Risk Name and set the Risk Threshold to 85. Select Yes to activate the risk level and click OK.

4. Go to Configuration > Policies > Event Action Rules > rules0 > Event Variables (tab) and click Add. Create the variable named "R4" of type Address with the Value 10.1.101.4. This variable will be used when creating action rules.

5. Go to Configuration > Policies > Event Action Rules > rules0 > IPv4 Target Value Rating (tab) and click Add. From the Target Value Rating (TVR) drop-down list select High and use the variable "$R4" in the Target IPv4 Address(es) field. Click OK.

Remember that you can use variables in the configuration. You must use a dollar sign ($) to use the variable. Also note that you must commit the changes on the sensor (Apply the changes) before using the variable, so that the sensor knows about it before its first use.

6. Go to Configuration > Policies > Event Action Rules > rules0 > Event Action Override (tab) and click Add. For the Risk Rating named SIGNIFICANT add the action Produce Verbose Alert by selecting the Assigned checkbox next to that action name.
Verification

R1#ping 10.1.101.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See the fired signature 2004 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259899127105391685 vendor=Cisco severity=low
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 16, 2010 20:35:22 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.101.4 locality=R4
    os: idSource=unknown type=unknown relevance=relevant
  triggerPacket: <hex dump of the ICMP Echo Request packet>
  riskRatingValue: 85 targetValueRating=high attackRelevanceRating=relevant
  threatRatingValue: 85
  interface: ge0_0
  protocol: icmp

Now, as R4 is treated as a HIGH valued asset, the Risk Rating is 85, so the action override can be applied.
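The risk rating arithmetic from the formula above, carried through as an added example (not part of the workbook): it reproduces the RR 60 and RR 85 values of the two alerts on this page and then maps an RR onto the risk categories used by the Event Action Override. The SIGNIFICANT threshold of 85 is the lab's; the HIGHRISK threshold of 90 used as the upper bound of the 85-89 range is an assumption.

```python
"""Cisco IPS Risk Rating (RR) and risk-category lookup, as an added example.

    RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, reported as an
    integer clamped into 0..100.
"""

# Numeric weights quoted on this page for each rating component.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not relevant": -10}

# Risk categories for event action overrides. A category covers every RR
# from its threshold up to (not including) the next higher threshold.
# SIGNIFICANT=85 is from the lab; HIGHRISK=90 is an assumed value.
RISK_CATEGORIES = {"SIGNIFICANT": 85, "HIGHRISK": 90}


def risk_rating(severity, tvr, sfr, relevance="relevant",
                promiscuous_delta=0, wlr=0, inline=False):
    """Return the integer RR (0..100) for one alert.

    The promiscuous delta only applies in promiscuous mode (as in this
    lab), so it is ignored when inline=True.
    """
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be 0..100")
    if not 0 <= promiscuous_delta <= 30:
        raise ValueError("PD must be 0..30")
    if not 0 <= wlr <= 100:
        raise ValueError("WLR must be 0..100")
    pd = 0 if inline else promiscuous_delta
    raw = (ASR[severity] * TVR[tvr] * sfr) / 10000 + ARR[relevance] - pd + wlr
    return max(0, min(100, int(raw)))


def risk_category(rr, categories=RISK_CATEGORIES):
    """Name of the highest risk category whose threshold rr reaches, or None."""
    hits = [(threshold, name) for name, threshold in categories.items() if rr >= threshold]
    return max(hits)[1] if hits else None


def override_actions(rr, overrides, categories=RISK_CATEGORIES):
    """Actions an Event Action Override adds for an alert scoring rr.

    overrides maps a risk category name to the set of action names that
    are assigned to it on the Event Action Override tab.
    """
    return set(overrides.get(risk_category(rr, categories), ()))


if __name__ == "__main__":
    # Signature 2004: severity Low, SFR 100, R4 first rated Medium, then High.
    print("2004 vs Medium TVR:", risk_rating("low", "medium", 100))   # 60
    print("2004 vs High TVR:  ", risk_rating("low", "high", 100))     # 85
    rules = {"SIGNIFICANT": {"produce-verbose-alert"}, "HIGHRISK": {"deny-packet-inline"}}
    print("override at 85:    ", override_actions(85, rules))
```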
Task 2

The ICMP Flood (ID 2152) signature is triggered when pinging R4. Configure Event Action Filters to subtract the Rate Limiting action from the triggered signature when the ping is issued from R1.

Action Filters are used to subtract some actions from the signature. If we do not want to trigger some actions on the signatures triggered for a specific host, we can subtract those actions here.

Complete these steps:

Step 1 Before any configuration.

Before configuring the solution:

R1#ping 10.1.101.4 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.101.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See signature ID 2152 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259899127105391695 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 16, 2010 20:48:14 UTC offset=0 timezone=UTC
  signature: description=ICMP Flood id=2152 version=S354 type=other created=20000101
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.101.4 locality=R4
    os: idSource=unknown type=unknown relevance=relevant
  actions:
    denyPacketRequestedNotPerformed: true
    rateLimitRequested: true
  riskRatingValue: 100 targetValueRating=high attackRelevanceRating=relevant

"denyPacketRequestedNotPerformed: true" is there because an Event Action Override is configured for HIGHRISK signatures which automatically enforces the Deny Packet Inline action. As our example uses promiscuous mode, this request is ignored.

Step 2 IPS configuration.
1. Go to Configuration > Policies > Event Action Rules > rules0 > Event Action Filters (tab) and click Add. Configure the filter for the ICMP Flood signature (ID 2152) to subtract the "Request Rate Limit" action from the signature when it is triggered by an attack from R1 (10.1.100.1).

Verification

R1#ping 10.1.101.4 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.101.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See signature ID 2152 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259899127105391704 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 16, 2010 20:55:56 UTC offset=0 timezone=UTC
  signature: description=ICMP Flood id=2152 version=S354 type=other created=20000101
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.101.4 locality=R4
    os: idSource=unknown type=unknown relevance=relevant
  actions:
    denyPacketRequestedNotPerformed: true
  riskRatingValue: 100 targetValueRating=high attackRelevanceRating=relevant
  threatRatingValue: 100
  interface: ge0_1
  protocol: icmp

Note that there is no Rate Limiting action applied! Let's ping from another IP address.

R2#ping 10.1.101.4 repeat 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See signature ID 2152 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259899127105391709 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 16, 2010 20:58:17 UTC offset=0 timezone=UTC
  signature: description=ICMP Flood id=2152 version=S354 type=other created=20000101
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.102.2 locality=OUT
    target:
      addr: 10.1.101.4 locality=R4
    os: idSource=unknown type=unknown relevance=relevant
  actions:
    denyPacketRequestedNotPerformed: true
    rateLimitRequested: true
  riskRatingValue: 100 targetValueRating=high attackRelevanceRating=relevant
  threatRatingValue: 60
  interface: ge0_1
  protocol: icmp

Note that the Rate Limit action is applied to the ICMP Flood originating from R2.

LAB 2.12.
Anomaly Detection

This lab is based on the configuration from the previous lab.

(Topology diagram: VLAN 101 - 10.1.101.0/24, VLAN 100 - 10.1.100.0/24, VLAN 102 - 10.1.102.0/24)

Task 1

Configure the Anomaly Detection (ad0) engine with the following characteristics:

+ Knowledge learning must start every workday (Mon-Fri) at 9am
+ A vulnerability assessment tool at IP address 10.1.100.100 must be excluded from anomaly detection learning and detection
+ Your internal zone consists of 10.1.101.0/24 valid host IP addresses
+ The scanner threshold for the TELNET protocol (TCP/23) must be set to 100 with a custom histogram of L=12 M=8 H=2
+ The scanner threshold for the ICMP protocol must be set to 50
+ Illegal IP addresses in your network are from the Class E address space

Anomaly detection (AD) features allow you to initially set the IPS device into learning mode, which samples flows traversing your IPS appliance and establishes a baseline of known normal traffic. When a traffic flow deviates from what is expected, the anomaly detection engine will respond to the deviation by either dropping traffic or notifying security responders of the anomalous behavior.

In general the AD engine looks for behavior on the network that indicates that a scanning worm is present on the network. This detection engine is not based on predefined signatures; instead it is based on network behavior.

Learning

The fundamental objective of learning mode is to establish the normal behavior of the network. Learning mode keeps track of behavior that may be attributed to worm scanning, such as:

+ TCP SYN packets that are not followed by a flow
+ UDP packets that are not followed by flows
+ ICMP packets that display scanning type behavior
+ Illegal IP address destinations, such as private addresses that aren't part of your network, bogon addresses, and addresses that are in predefined zones and should not be accessed by the host sourcing the packet.
The network profile, called a histogram, is a table with an entry for every TCP and UDP destination port which carries significant network traffic. An entry in the table describes not just a single threshold, but a complete histogram of the highest scan rates observed on this destination port. This might mean that on HTTP we don't expect any source IP to make failed connection attempts to more than 5 different destinations within a single one-minute interval, and that on ports associated with Kazaa we don't expect to see concurrently more than 3 source IPs each making more than 5 failed connection attempts during a single one-minute interval.

By building this histogram profile of the network during quiet periods, when a certain source or set of sources becomes infected with a worm, very quick and accurate detection is possible, since the network behavior for that port will immediately differ from the one observed during peace-time.

Example for TCP service 80:

Default Histogram

  Number of Source IPs        18    6     2
  Number of Destination IPs    5   20   100

Default Scanner threshold = 120

This means that:

+ From a single source we do not expect to see more than 120 un-established connections to different destination IPs
+ We do not expect to see more than 18 sources generate un-established connections to 5 or more different destinations
+ We do not expect to see more than 6 sources generate un-established connections to 20 or more different destinations
+ We do not expect to see more than 2 sources generate un-established connections to 100 or more different destinations

All values are for a 60 seconds duration.

Detection

Basically, AD detection mode kicks in after a learned baseline is established.
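The histogram and scanner-threshold checks described above, modelled in code as an added example (not from the workbook): one 60-second window of failed connection attempts is compared with the TCP/80 profile quoted on this page and with the lab's custom TELNET profile (threshold 100, L=12 M=8 H=2). The strict "more than" comparison for the histogram buckets and the record layout of the constructed input are assumptions.

```python
"""Anomaly-detection histogram evaluation for one 60 s window (added example).

Model, following the text above:
  * scanner threshold: a single source with that many distinct destinations
    is reported as a scanner (sub-signature 0);
  * histogram: if more sources than learned scan at least L/M/H destinations,
    the service is treated as under worm attack and scanners are reported
    with sub-signature 1 (scanner during worm).
"""
from collections import defaultdict

# Destination-count columns of the page's histogram table.
DEST_BUCKETS = (5, 20, 100)

# TCP/80 defaults quoted on this page and the lab's TELNET profile.
PROFILES = {
    80: {"scanner_threshold": 120, "histogram": (18, 6, 2)},
    23: {"scanner_threshold": 100, "histogram": (12, 8, 2)},
}


def count_destinations(attempts, port):
    """Distinct destination IPs per source among failed attempts to `port`.

    `attempts` is a list of (src, dst, dport) tuples, one per un-established
    connection seen in the window (constructed input format, an assumption).
    """
    dests = defaultdict(set)
    for src, dst, dport in attempts:
        if dport == port:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def evaluate_service(attempts, port, profiles=PROFILES, ignored=frozenset()):
    """Return (scanners, worm_detected) for one window.

    scanners maps source IP -> sub-signature (0 scanner, 1 scanner during
    worm). Sources in `ignored`, such as an approved vulnerability scanner,
    are dropped first, as the AD "IP addresses to ignore" setting does.
    """
    profile = profiles[port]
    per_source = {s: n for s, n in count_destinations(attempts, port).items()
                  if s not in ignored}
    # Histogram observed this window: sources reaching each destination bucket.
    observed = [sum(1 for n in per_source.values() if n >= b) for b in DEST_BUCKETS]
    worm = any(obs > learned for obs, learned in zip(observed, profile["histogram"]))
    subsig = 1 if worm else 0
    scanners = {s: subsig for s, n in per_source.items()
                if n >= profile["scanner_threshold"]}
    return scanners, worm


def constructed_window():
    """Constructed sample window: one host probing 130 telnet targets, the
    approved scanner 10.1.100.100 doing the same, and three quiet hosts."""
    attempts = []
    for i in range(1, 131):
        attempts.append(("10.1.101.50", f"10.1.101.{i % 254 + 1}", 23))
        attempts.append(("10.1.100.100", f"10.1.101.{i % 254 + 1}", 23))
    for host in ("10.1.101.7", "10.1.101.8", "10.1.101.9"):
        attempts += [(host, f"10.1.101.{d}", 23) for d in (4, 5, 6)]
    return attempts


if __name__ == "__main__":
    scanners, worm = evaluate_service(constructed_window(), 23, ignored={"10.1.100.100"})
    print("scanners:", scanners, "worm:", worm)
```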
Detection uses the following characteristics:

+ AD monitors the network traffic and looks for worms/scanners by comparing traffic to the Knowledge Base histograms and scanner thresholds
+ Once a scanner threshold is violated, an alert is triggered for the appropriate signature
+ Once a histogram threshold is crossed, the service is considered to be under worm attack
+ AD will try to detect and report infected hosts

Configuration

Each AD configuration instance contains the following elements:

+ Scheduler - schedule learning mode and how often you want to save an AD knowledge database.
+ Zones' IP addresses - define zones and valid IP addresses associated with those zones.
+ IP addresses to ignore - define IP addresses that can be ignored, such as the workstations that are being used by approved corporate security scanners.
+ Services' histograms and scanner thresholds - manually defined thresholds and parameters for each service in the histogram.

AD uses nine signatures for alerts. The signatures are in the range 13000-13008. Each signature has two sub-signatures:

0 - Scanner
1 - Scanner during worm

AD Zones

The concept of zones is used in anomaly detection to help decrease false positives. Below is a summary of how zones are used by the AD engine:

+ Zone information is used to subdivide the network to achieve lower false positives.
+ A zone is a set of destination IP addresses.
+ An Illegal Zone contains illegal addresses and/or non-allocated addresses. Traffic toward illegal addresses might be a strong indication of worm activity and you may want to allow low thresholds for worm detection when traffic destined to these addresses is detected.
+ The Internal Zone contains addresses within the protected network.
+ The External Zone contains valid addresses that are not part of the protected zone.

Configuration

Complete these steps:

Step 1 IPS configuration.
1. Go to Configuration > Policies > Anomaly Detections > ad0 > (tab) Operation Settings and configure it as follows:

(Operation Settings screenshot)

2. Go to the (tab) Learning Accept Mode and select "Calendar Schedule" from the Schedule drop-down list.

3. Click Add and set the Start time to 9am.

4. Select the workdays (Mon-Fri) in the Days of the Week section.

5. Go to the (tab) Internal Zone and configure the range 10.1.101.1-10.1.101.254.

6. Then click the TCP Protocol tab under the Internal Zone tab and click the Add button to add the TELNET (TCP/23) service with the thresholds required by the task.

7. Change the tab to Other Protocols and click Add to configure the options for protocol 1 (which is ICMP):

8. Go to the (tab) Illegal Zone and configure the range 240.0.0.1-255.255.255.254 (which is the whole Class E).

LAB 2.13.

Virtual Sensors

This lab is based on the configuration from the previous lab.

(Topology diagram)

Task 1

Change the configuration of the G0/1 interface so that it belongs to a different Virtual Sensor and triggers the ICMP Flood signature with a High severity. The new virtual sensor must have separate signatures and rules defined. Anomaly Detection must be disabled in VLAN 102 and no Action Override happens.

A virtual sensor can monitor multiple segments, and lets you apply a different policy or configuration for each virtual sensor within a single physical sensor. You can set up a different policy per monitored segment under analysis. You can also apply the same policy instance, for example sig0, rules0, or ad0, to different virtual sensors.
You can assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a virtual sensor. Virtual sensors have the following advantages:

+ You can apply different configurations to different sets of traffic.
+ You can monitor two networks with overlapping IP address spaces with one sensor.
+ You can monitor both inside and outside of a firewall or NAT device with one physical sensor device.

Each virtual sensor consists of three components:

+ Signature definition
+ Rules
+ Anomaly detection

By default there are the sig0, rules0 and ad0 components, but you can create new ones with a different configuration and then assign them to the new virtual sensor instance. Note that the default virtual sensor is "vs0". You cannot delete the default virtual sensor.

Configuration

Complete these steps:

Step 1 IPS configuration.

1. Go to Configuration > Signature Definitions and click Add.

Note that the newly created signature set is not assigned to any VS yet.

3. Go to Configuration > Policies > SIG-VLAN102 > Active Signatures. From the Filter drop-down list select Sig Name and enter the string "icmp flood". Then click the Filter button. Highlight signature ID 2152/0 and click Enable.

4. Select the signature from the list and click Edit. Change the Alert Severity to High.

5. Go to Configuration > Policies > Event Action Rules and click Add.

6. Enter a name for the Policy (set of rules) and click OK.

Note that the newly created ruleset is not assigned to any VS yet.

7. Go to Configuration > Policies > IPS Policies, select the "vs0" virtual sensor on the list and click Edit.
8. Highlight the GigabitEthernet0/1 interface on the list and click the Remove button. Then click OK and Apply the changes to the sensor.

9. Go to Configuration > Policies > IPS Policies and click Add Virtual Sensor. Enter a name for the virtual sensor, i.e. VS-VLAN102. Highlight the GigabitEthernet0/1 interface on the list and click the Assign button. Select SIG-VLAN102 as the Signature Definition Policy and RULES-VLAN102 as the Event Action Rules Policy. Uncheck the Use Event Action Overrides option and set AD Operational Mode to "Inactive".

Verification

R1#ping 10.1.101.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.101.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See that there is only Signature ID 2004 on the event list.

Double click on the event to see more details. Here's the text output for event details.

evIdsAlert: eventId=1259899127105392009 vendor=Cisco severity=low
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 17, 2010 22:03:54 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.101.4 locality=R4
    os: idSource=unknown type=unknown relevance=relevant
  triggerPacket: <hex dump of the ICMP Echo Request packet>
  riskRatingValue: 85 targetValueRating=high attackRelevanceRating=relevant

The above signature is triggered by vs0 only, as VS-VLAN102 has default settings and signature 2004 is disabled by default.

R1#ping 10.1.101.4 repeat 120
Type escape sequence to abort.
Sending 120, 100-byte ICMP Echos to 10.1.101.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (120/120), round-trip min/avg/max = 1/2/4 ms
R1#

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click the View button. See that the ICMP Flood signature has triggered.

Double click on the event to see more details. Here's the text output for event details.
evIdsAlert: eventId=1259899127105202130 vendor=Cisco severity=high
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 17, 2010 22:13:20 UTC offset=0 timezone=UTC
  signature: description=ICMP Flood id=2152 version=S354 type=other created=20000101
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: VS-VLAN102
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.101.4 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 100
  interface: ge0_1
  protocol: icmp

Note that the severity is High for that signature and that it has triggered on VS-VLAN102.

evIdsAlert: eventId=1259999127105992191 vendor=Cisco severity=medium
  originator:
    hostId: CCIE-IPS
    appName: sensorApp
    appInstanceId: 366
  time: Feb 17, 2010 22:13:20 UTC offset=0 timezone=UTC
  signature: description=ICMP Flood id=2152 version=S354 type=other created=20000101
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.100.1 locality=OUT
    target:
      addr: 10.1.101.4
      os: idSource=unknown type=unknown relevance=relevant
  actions:
    denyPacketRequestedNotPerformed: true
  riskRatingValue: 100 targetValueRating=high attackRelevanceRating=relevant
  threatRatingValue: 100
  interface: ge0_0
  protocol: icmp

The same flood was also seen by vs0 on ge0_0, where the signature carries severity Medium and the target's value rating is High. The Deny Packet action was requested but not performed (denyPacketRequestedNotPerformed), which is what you see when the virtual sensor that fired is not inspecting the traffic inline; because no action was actually taken, the threat rating is not reduced below the risk rating.

LAB 2.14. Event Summarization
[Topology diagram: R1 (Lo0 1.1.1.1/32) in VLAN 100 and R2 (Lo0 2.2.2.2/32) in VLAN 200, both on 10.1.12.0/24, with the IPS inline between them; PC and IPS C&C interface in VLAN 101, 10.1.101.0/24]

Lab Setup

> R1's F0/0 and R2's G0/0 interface should be configured in VLAN 100 and VLAN 200 respectively
> PC and IPS Command and Control (C&C) interface should be configured in VLAN 101
> Configure Telnet on all routers using password "cisco"
> Configure RIPv2 on all devices (except PC and IPS)

IP Addressing

Hostname   Interface   IP address
R1         F0/0        10.1.12.1/24
R1         Lo0         1.1.1.1/32
R2         G0/0        10.1.12.2/24
R2         Lo0         2.2.2.2/32

Task 1

Configure the IPS Sensor in inline mode using its G0/0 and G0/1 interfaces, configured in VLAN 100 and VLAN 200 respectively. Use the following initial settings:

Hostname: IPS-CCIE
IP address: 10.1.101.100/24
Default Gateway: 10.1.101.10
Allowed Hosts: 10.1.101.200

Enable the ICMP Echo Request (ID 2004) signature so that it generates only one event no matter how many ICMP packets it sees. Enable the ICMP Echo Reply (ID 2000) signature so that it summarizes events in a 10 second interval using Victim Address as the key. Also, enable global summarization for this signature so that it generates a global summary event after seeing 100 ICMP Echo Reply packets.

Signature engines enable you to configure signatures by modifying their parameters. Some parameters are common across all engines, and others are specialized for a specific engine.

One of the common signature properties is Event Counter. When expanded (in the signature's properties) this displays the parameters that determine whether the signature fires. The Event Counter parameters enable you to configure how the sensor counts events. For example, you can specify that you only want the signature to fire if the activity it detects happens five times for the same address set within a specified period of time.

Event Count enables you to prevent the signature from firing until the number of specified events is seen during the specified alert interval on the specified Event Count Key.
The default value is 1.

Event Count Key is used for counting multiple firings of the signature. This key influences signature firing by specifying the address sets on which the Event Count parameter is based. It has the following settings:

• Attacker address
• Attacker address and victim port
• Attacker and victim addresses
• Attacker and victim addresses and ports
• Victim address

Alert Interval (2-1000) is the number of seconds during which the Event Count must be met if the signature is to fire.

In addition to event counting we may configure Alert Frequency. When expanded, this displays the parameters for configuring how often the sensor sends an alert to the Event Store when the signature is firing. The Alert Frequency parameters enable you to control the number of alarms generated by a specific signature.

Summary Mode is a technique used to limit alarm firings. The Summary Mode has the following settings:

• Fire Once: Sends the first alert and then deletes the inspector
• Fire All: Sends all alerts
• Summarize: Sends an interval summary alert
• Global Summarize: Sends a global summary alert

Summary Key identifies the address set to use for counting events for event summarization. For example, if you want the sensor to count events based on whether they are from the same attacker, choose Attacker address as the Summary Key. Summary Key has the following settings:

• Attacker address
• Attacker address and victim port
• Attacker and victim addresses
• Attacker and victim addresses and ports
• Victim address

Global Summary Threshold (1-65535) is the number of events required to automatically change the summary mode to Global Summarize. When the alert rate exceeds this threshold within the summary interval, the sensor changes from sending a summary alert to sending a global summary alert. When the rate during the interval drops below this threshold, the sensor reverts to its configured summary mode behavior.
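To make the interaction of these parameters concrete, here is an added example: a small Python model of the Alert Frequency rules, written for this edit and not taken from the workbook or from Cisco's sensor code. It is a simplification (the window is closed at the end of the summary interval, a Global Summarize window is opened with a normal first alert, and the threshold is checked per window rather than as a rate), but it reproduces what this lab observes for signatures 2004 and 2000. The event stream is constructed to mirror the verification traffic; the names SigConfig, Event, Alert and run_signature are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SigConfig:
    summary_mode: str = "fire-all"         # fire-once | fire-all | summarize | global-summarize
    summary_interval: int = 15             # seconds per summarization window
    summary_key: str = "attacker-victim"   # attacker | victim | attacker-victim
    global_summary_threshold: int = 120


@dataclass
class Event:
    t: float            # seconds, relative to the first packet
    attacker: str
    victim: str


@dataclass
class Alert:
    t: float
    kind: str           # "alert" | "regular-summary" | "global-summary"
    attacker: str       # 0.0.0.0 when the key (or a global summary) hides the address
    victim: str
    count: int = 1
    initial: Optional[int] = None   # index of the alert that opened the window


def summary_key(cfg: SigConfig, ev: Event) -> Tuple[str, str]:
    """Address set the sensor groups on; the side not in the key is reported as 0.0.0.0."""
    if cfg.summary_key == "attacker":
        return (ev.attacker, "0.0.0.0")
    if cfg.summary_key == "victim":
        return ("0.0.0.0", ev.victim)
    return (ev.attacker, ev.victim)


def run_signature(cfg: SigConfig, events: List[Event]) -> List[Alert]:
    """Replay events through one signature and return the alerts the model would store."""
    alerts: List[Alert] = []
    intervals: Dict[Tuple[str, str], dict] = {}   # per-key open summary window
    glob: Optional[dict] = None                    # open global window, if any
    fired_once = set()

    def flush(now: Optional[float]) -> None:
        """Emit summaries for windows whose interval has elapsed (all of them if now is None)."""
        nonlocal glob
        for key in list(intervals):
            iv = intervals[key]
            if now is None or iv["start"] + cfg.summary_interval <= now:
                alerts.append(Alert(iv["start"] + cfg.summary_interval, "regular-summary",
                                    key[0], key[1], iv["count"], iv["initial"]))
                del intervals[key]
        if glob is not None and (now is None or glob["start"] + cfg.summary_interval <= now):
            alerts.append(Alert(glob["start"] + cfg.summary_interval, "global-summary",
                                "0.0.0.0", "0.0.0.0", glob["count"], glob["initial"]))
            glob = None   # window over: revert to the configured summary mode

    for ev in sorted(events, key=lambda e: e.t):
        flush(ev.t)
        key = summary_key(cfg, ev)
        if cfg.summary_mode == "fire-all":
            alerts.append(Alert(ev.t, "alert", ev.attacker, ev.victim))
        elif cfg.summary_mode == "fire-once":
            if key not in fired_once:              # first hit per key only
                fired_once.add(key)
                alerts.append(Alert(ev.t, "alert", ev.attacker, ev.victim))
        elif glob is not None:                     # already counting globally this window
            glob["count"] += 1
        elif cfg.summary_mode == "global-summarize":
            alerts.append(Alert(ev.t, "alert", ev.attacker, ev.victim))
            glob = {"start": ev.t, "count": 1, "initial": len(alerts) - 1}
        elif key in intervals:                     # summarize: add to the open window
            iv = intervals[key]
            iv["count"] += 1
            if iv["count"] > cfg.global_summary_threshold:
                # threshold exceeded: finish this window as a global summary, folding in
                # every other key's open window (their addresses are dropped)
                glob = {"start": iv["start"], "initial": iv["initial"],
                        "count": sum(i["count"] for i in intervals.values())}
                intervals.clear()
        else:                                      # first event for this key in a window
            alerts.append(Alert(ev.t, "alert", ev.attacker, ev.victim))
            intervals[key] = {"start": ev.t, "count": 1, "initial": len(alerts) - 1}

    flush(None)
    return alerts


def lab_scenario() -> List[Alert]:
    """Constructed replay of the ICMP Echo Reply (2000) traffic in this lab: replies from R2
    to R1 for 'ping rep 5' at t=0 s and t=2 s, then 'rep 5' at t=16 s and 'rep 100' at
    t=18 s. Config as in Task 1: Summarize, 10 s interval, Victim address key, threshold 100."""
    cfg = SigConfig("summarize", 10, "victim", 100)
    evs = [Event(start + 0.01 * i, "10.1.12.2", "10.1.12.1")
           for start, n in ((0, 5), (2, 5), (16, 5), (18, 100)) for i in range(n)]
    return run_signature(cfg, evs)


def fire_once_scenario() -> List[Alert]:
    """Signature 2004 with Fire Once: 105 echo requests from R1 to R2 give one alert."""
    evs = [Event(0.01 * i, "10.1.12.1", "10.1.12.2") for i in range(105)]
    return run_signature(SigConfig("fire-once"), evs)
```

Running lab_scenario() yields four alerts for signature 2000: the first reply, a Regular Summary of 10 events carrying only the victim address (the key hides the attacker), a fresh first alert for the reply that arrives 16 seconds later, and a Global Summary of 105 events with both addresses collapsed to 0.0.0.0. fire_once_scenario() yields a single alert. Changing summary_key to "attacker-victim" or lowering global_summary_threshold is a quick way to see how the same traffic summarizes differently.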
A global summary counts the signature firings on all of the attacker IP addresses and ports and all of the victim IP addresses and ports.

Summary Interval (1-65535) defines the period of time, in seconds, used to control alarm summarization.

Configuration

Complete these steps:

Step 1  SW4 configuration.

SW4(config)#interface FastEthernet0/15
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 100
SW4(config)#interface FastEthernet0/16
SW4(config-if)#switchport mode access
SW4(config-if)#switchport access vlan 200

Step 2  IPS CLI configuration.

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

There is no license key installed on the IPS-4240. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license

--- Basic Setup ---
--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Sun Feb 7 20:00:22 2010
Setup Configuration last modified: Sun Feb 07 20:00:00 2010

Enter host name[sensor]: IPS-CCIE
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.101.100/24,10.1.101.10
Modify current access list?
[no]: yes
Current access list entries:
Permit: 10.1.101.200/32
Modify system clock settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 10.1.101.100/24,10.1.101.10
host-name IPS-CCIE
telnet-option disabled
access-list 10.1.101.200/32
ftp-timeout 300
no login-banner-text
time-zone-settings
offset 0
summertime-option disabled
ntp-option disabled

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2
--- Configuration Saved ---
Complete the advanced setup using CLI or IDM.
To use IDM, point your web browser at https://<sensor-ip-address>.

IPS-CCIE login:

Step 3  IPS GUI configuration.

1. Go to Configuration > Interfaces > Interfaces, select the GigabitEthernet0/0 and GigabitEthernet0/1 interfaces and click Enable.

2. Go to Configuration > Interfaces > Interface Pairs and click Add. Enter a name for the Interface Pair and select the G0/0 and G0/1 interfaces on the list. Click OK.

[Screenshot: Add Interface Pair dialog with GigabitEthernet0/0 and GigabitEthernet0/1 selected]

3. Go to Configuration > Policies > IPS Policies, select the "vs0" virtual sensor on the list and click Edit. Highlight the Inline Interface Pair on the list and click the Assign button. Then click OK and Apply the changes to the sensor.

[Screenshot: Edit Virtual Sensor dialog for vs0 with the inline interface pair assigned]

4. Go to Configuration > Policies > sig0 > Active Signatures. From the Filter drop-down list select Sig ID and enter "2004". Then click on the Filter button. Highlight the signature ID 2004/0 and click on Enable.
Then Apply the changes to the sensor.

[Screenshot: Active Signatures list filtered on Sig ID 2004, signature 2004/0 enabled]

5. Highlight the signature 2004 on the list and click Edit. Change the Summary Mode to "Fire Once" and click OK.

[Screenshot: Edit Signature dialog for 2004, Alert Frequency > Summary Mode = Fire Once]

Verification

R1#ping 10.1.12.2 rep 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.12.2 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See that there is only one event for signature ID 2004 on the event list.

[Screenshot: event list with a single ICMP Echo Request (2004) event]

Double click on the event to see more details. Here's the text output for the event details.

evIdsAlert: eventId=1259905947105390962 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 19, 2010 21:08:58 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
    target:
      addr: 10.1.12.2 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp

Five plus one hundred echo requests produced a single event, because Fire Once sends the first alert for the address set and then deletes the inspector.

Configuration

Complete these steps:

Step 4  IPS GUI configuration.

1. Go to Configuration > Policies > sig0 > Active Signatures. From the Filter drop-down list select Sig ID and enter "2000". Then click on the Filter button. Highlight the signature ID 2000/0 and click on Enable.
Then Apply the changes to the sensor.

[Screenshot: Active Signatures list filtered on Sig ID 2000, signature 2000/0 enabled]

2. Highlight the signature on the list and click Edit. Change Event Counter > Event Count Key to "Victim address". Change the settings under Alert Frequency as follows (these are the values Task 1 asks for): Summary Mode = Summarize, Summary Interval = 10, Summary Key = Victim address, Global Summary Threshold = 100. Click OK and Apply the changes to the sensor.

[Screenshot: Edit Signature dialog for 2000, Alert Frequency with Summary Mode = Summarize, Summary Interval = 10, Summary Key = Victim address, Global Summary Threshold = 100]

Verification

R1#ping 10.1.12.2 rep 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.12.2 rep 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#show clock
21:13:26.208 UTC Fri Feb 19 2010     <- 16 seconds after the first packet
R1#ping 10.1.12.2 rep 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 10.1.12.2 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. There is only one event for ICMP Echo Request and four for ICMP Echo Reply.
[Screenshot: event list with one ICMP Echo Request (2004) event and four ICMP Echo Reply (2000) events]

Only one ICMP Echo Request, because of the Fire Once summary mode:

evIdsAlert: eventId=1259905947105390976 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 19, 2010 21:12:22 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Request id=2004 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
    target:
      addr: 10.1.12.2 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp

First ICMP Echo Reply:

evIdsAlert: eventId=1259905947105390977 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 19, 2010 21:12:22 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.2 locality=OUT
    target:
      addr: 10.1.12.1 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_1
  protocol: icmp

Summary for the first two ping commands (10 packets), because both commands were entered within the 10 second Summary Interval. Note that there is only an IP address for the victim; this is because the Summary Key is set to Victim Address.
evIdsAlert: eventId=1259905947105390978 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 19, 2010 21:12:32 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 0.0.0.0 locality=OUT
    target:
      addr: 10.1.12.1 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  summary: 10 final=true initialAlert=1259905947105390977 summaryType=Regular
  alertDetails: Regular Summary: 10 events this interval ;
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_1
  protocol: icmp

This is the first ICMP Echo Reply packet seen 16 seconds after the previous ping commands. It arrives after the 10 second Summary Interval has expired, so it opens a new interval and is reported as a normal first alert:

evIdsAlert: eventId=1259905947105390979 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 19, 2010 21:12:38 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.2 locality=OUT
    target:
      addr: 10.1.12.1 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 35
  interface: ge0_1
  protocol: icmp

Within the interval that this packet opened, the 100-packet ping pushed the count past the Global Summary Threshold of 100, so the IPS switched to global summarizing for signature ID 2000. At the end of the 10 second interval it reports 5 + 100 = 105 ICMP Echo Reply packets. Note that there are no Attacker/Victim IP addresses in the Global Summary event.
evIdsAlert: eventId=1259905947105390980 vendor=Cisco severity=informational
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 19, 2010 21:12:48 UTC offset=0 timezone=UTC
  signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 0.0.0.0 locality=OUT
    target:
      addr: 0.0.0.0 locality=OUT
      os: idSource=unknown type=unknown relevance=unknown
  summary: 105 final=true initialAlert=1259905947105390979 summaryType=Global
  alertDetails: Global Summary: 105 events this interval ;
  riskRatingValue: 25 targetValueRating=medium
  threatRatingValue: 25
  interface: ge0_1
  protocol: icmp

Note also that the risk rating of the global summary is 25 rather than 35: with the addresses collapsed to 0.0.0.0 the attack relevance is unknown and no longer adds to the rating.

LAB 2.15. Application Inspection and Logging

This lab is based on the configuration from the previous lab.

[Topology diagram: as in Lab 2.14; R1 (Lo0 1.1.1.1/32) and R2 (Lo0 2.2.2.2/32) on 10.1.12.0/24 in VLAN 100 and VLAN 200 with the IPS inline between them, PC and IPS C&C interface in VLAN 101]

Task 1

Config deep packet inspection for HTTP so that it blocks the CONNECT method used by connections to port TCP/8100, in addition to the standard HTTP ports already configured. You may use the default signature ID 12678 to accomplish this task. Enable FTP packet inspection as well.

The AIC engines, AIC HTTP and AIC FTP, provide Layer 4 to Layer 7 packet inspection for HTTP and FTP. By tuning the built-in AIC engine signatures, you can create granular policies for HTTP and FTP. The AIC engines can inspect HTTP traffic when it is received on AIC web ports. If traffic is web traffic but is not received on a designated AIC web port, the SERVICE HTTP engine is executed.

To use the AIC engines, you must first enable Application Policy enforcement. Application Policy enforcement is disabled by default for both HTTP and FTP. If you enable Application Policy enforcement for these protocols, the sensor checks to be sure that the traffic is compliant with their respective RFCs. Note that the AIC HTTP engine is a superset of the SERVICE HTTP engine.
When enabled, the AIC HTTP engine handles the traditional SERVICE HTTP signatures.

AIC FTP Engine Capabilities:

• Controls which recognized FTP commands are permitted into the network
• Controls whether unrecognized FTP commands are permitted into the network

The AIC FTP engine controls the following types of signatures:

• Define FTP command: Used to associate an action with a specific FTP command
• Unrecognized FTP command: Used to have the sensor take an action when it detects an FTP command that is not recognized

AIC HTTP Engine Capabilities:

• Enforces RFC compliance
• Authorizes and enforces HTTP request methods
• Validates response messages
• Enforces MIME types
• Validates transfer encoding types
• Controls content based on message content and type of data being transferred
• Enforces URI length
• Enforces message size according to the policy configured and the header
• Enforces tunneling, peer-to-peer, and instant messaging applications

Complete these steps:

Step 1  IPS configuration.

1. Go to Configuration > Policies > Signature Definitions > sig0 > Active Signatures > Advanced... > Signature Variables (tab) and click Edit.

[Screenshot: Advanced dialog, Signature Variables tab, with the web ports variable selected]

2. Add 8100-8100 to the list of ports (the WEBPORTS variable).

[Screenshot: Edit Signature Variable dialog with 8100-8100 appended to the port list]

3. Go to the Miscellaneous tab and set "Yes" on the Enable FTP option. Click OK. Signature 12678 belongs to the AIC HTTP engine, so Enable HTTP in the same Application Policy section must be set to "Yes" as well; otherwise only the SERVICE HTTP engine inspects the traffic and the CONNECT request is not blocked.

[Screenshot: Advanced dialog, Miscellaneous tab, Application Policy with Enable FTP = Yes]

4. Go to Configuration > Policies > Signature Definitions > sig0 > Active Signatures. From the Filter drop-down list select "Engine" and "AIC HTTP" from the corresponding drop-down list. Then click on the Filter button. Find the signature ID 12678 "Define Request Method CONNECT" and enable it.

Verification

Enable the HTTP Server on R2 on port 8100 (to be able to verify the solution).
R2(config)#ip http port 8100
R2(config)#ip http server

R1#telnet 10.1.12.2 8100
Trying 10.1.12.2, 8100 ... Open
CONNECT 2.2.2.2:23
                              <- the session freezes at this point

Go to Monitoring > Events, check the Show past events radio button and select 5 minutes. Then click on the View button. See the signature 12678 on the event list.

[Screenshot: event list with a Define Request Method CONNECT (12678) event]

Double click on the event to see more details. Here's the text output for the event details.

evIdsAlert: eventId=1259905947105390571 vendor=Cisco severity=low
  originator:
    hostId: IPS-CCIE
    appName: sensorApp
    appInstanceId: 366
  time: Feb 20, 2010 08:59:46 UTC offset=0 timezone=UTC
  signature: description=Define Request Method CONNECT id=12678 version=S149 type=other created=20050304
    subsigId: 0
    sigDetails: Define Request Method CONNECT
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 10.1.12.1 locality=OUT
      port: 49648
    target:
      addr: 10.1.12.2 locality=OUT
      port: 8100
      os: idSource=unknown type=unknown relevance=relevant
  actions:
    deniedFlow: true
  riskRatingValue: 50 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 15
  interface: ge0_0
  protocol: tcp

The session freezes due to the Deny Connection Inline action configured on the "Define Request Method CONNECT" signature (deniedFlow: true in the event). Because the deny was actually performed, the threat rating (15) is lower than the risk rating (50).

Task 2

Configure the IPS so that it logs all Telnet sessions (TCP/23), in order to see user passwords, and stores them in PCAP format on the sensor. Ensure that no more than 100 packets or 100 KB is logged for each session. Packet logging must finish after 60 seconds. You should create a custom signature to accomplish this task.

Configuration

Complete these steps:

Step 1  IPS configuration.

1. Go to Configuration > Policies > Signature Definitions > sig0 > Active Signatures > Advanced... > Miscellaneous (tab) and set IP
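Returning to Task 1 of this lab, the following is an added example that is not part of the workbook: a small Python model of the decision the sensor makes for an HTTP client request, written to show why all three settings of Task 1 (Enable HTTP, the web-port list and signature 12678) are needed before the CONNECT on port 8100 is denied. The engine-selection rule follows the explanation above (AIC HTTP only on a configured web port and only when Application Policy enforcement for HTTP is on, SERVICE HTTP otherwise); the default web-port list is an assumption and should be checked against the WEBPORTS value on your own sensor. The request payloads are constructed to mirror the verification, and AicHttpPolicy, Verdict and inspect_request are names of my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Request-Line = Method SP Request-URI [SP HTTP-Version] CRLF. The version is optional so
# that the bare "CONNECT 2.2.2.2:23" typed into telnet in this lab still parses as a request.
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: HTTP/\d\.\d)?\r?\n")


@dataclass
class AicHttpPolicy:
    """The three knobs Task 1 touches: Application Policy > Enable HTTP, the web-port list
    (WEBPORTS) and the 'Define Request Method' signatures enabled with Deny Connection Inline."""
    enable_http: bool = False
    web_ports: Set[int] = field(                 # assumed default list; verify on the sensor
        default_factory=lambda: {80, 3128, 8000, 8010, 8080, 8888, 24326})
    denied_methods: Set[str] = field(default_factory=set)


@dataclass
class Verdict:
    engine: str        # "service-http" | "aic-http"
    action: str        # "pass" | "alert" | "deny-connection-inline"
    method: Optional[str] = None
    reason: str = ""


def inspect_request(policy: AicHttpPolicy, dst_port: int, payload: bytes) -> Verdict:
    """Which engine sees a client request, and what it does with it."""
    aic = policy.enable_http and dst_port in policy.web_ports
    engine = "aic-http" if aic else "service-http"
    m = _REQUEST_LINE.match(payload)
    if m is None:
        # RFC compliance of the request line is enforced only by the AIC engine
        return Verdict(engine, "alert" if aic else "pass", None, "malformed request line")
    method = m.group(1).decode("ascii")
    if aic and method in policy.denied_methods:
        return Verdict(engine, "deny-connection-inline", method,
                       "Define Request Method %s signature" % method)
    return Verdict(engine, "pass", method, "method permitted")


# Constructed client payloads: what R1 types in the verification, and a plain GET for contrast
CONNECT_8100 = (8100, b"CONNECT 2.2.2.2:23\r\n")
GET_80 = (80, b"GET / HTTP/1.1\r\nHost: 10.1.12.2\r\n\r\n")


def before_task() -> Verdict:
    """Defaults: AIC HTTP off and 8100 not a web port, so the SERVICE HTTP engine sees the
    flow and the CONNECT method is not denied."""
    return inspect_request(AicHttpPolicy(), *CONNECT_8100)


def after_task() -> Verdict:
    """Task 1 complete: Enable HTTP, 8100 added to the web ports, 12678 enabled (CONNECT denied)."""
    pol = AicHttpPolicy(enable_http=True, denied_methods={"CONNECT"})
    pol.web_ports.add(8100)
    return inspect_request(pol, *CONNECT_8100)


def half_done() -> Verdict:
    """Common mistake: 12678 enabled and 8100 added, but Enable HTTP left at No."""
    pol = AicHttpPolicy(enable_http=False, denied_methods={"CONNECT"})
    pol.web_ports.add(8100)
    return inspect_request(pol, *CONNECT_8100)
```

before_task() and half_done() both return a pass from the SERVICE HTTP engine, which is the silent failure you get when one of the settings is missed; after_task() returns the deny-connection-inline verdict that matches the frozen telnet session and the deniedFlow: true event above, while a plain GET on port 80 still passes.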
