In this article I will try to set up a very simple example using Cisco IOS IPS (Intrusion Prevention System).
As before, a simple topology consisting of 3 routers will suffice.
They are configured as follows:
R1 will act as our source host. From this machine I will simulate an attacker trying to gain access to R3 through R2. This means R2 will be the device where we will be configuring the IPS functionality.
I have reachability using RIPv2:
R3:
R3 has the built-in webserver enabled:
Before we begin, let's verify reachability:
R1:
So we have verified that we can access the webserver on R3.
Now let's get to the gritty details surrounding the IPS.
To understand the IPS feature, one has to understand that signature categories group the things to “scan” for and how to scan for them, while signature definitions contain the information on what to do when a signature matches.
First off, you need Cisco's signature definition files, which you can obtain from Cisco.
Right now, the IOS-S556-CLI.pkg is the newest one available.
Also, in order to verify the signature file, you will need Cisco's public key. If you don't have this, the router will not accept the signature file at all.
To load the key, use the following code snippet (available through Cisco documentation):
Next up, let's define an IPS rule:
Let's create a directory for the IPS information on flash:
Now we need to tell IPS to use this directory for configuration information:
I also want to receive IPS events as syslog messages:
Now let's enable/disable some of the signature categories:
Here I only enable the basic ios_ips signatures. I “retire” everything else.
Let's apply this to an interface before we can proceed:
Next up I want to copy my signature file into memory, and I do this using the following command:
Now, this is what takes quite a while, so grab a coffee while you wait for your router to finish.
In the meantime we can verify the IPS status (using telnet from R1, for example):
As we can see, the signature files are still not done loading.
Eventually it will finish, and our verification should show something like this:
Again, let's try our verification from R1 to R3:
We are still getting through. But now let's attempt to trigger the IPS on R2:
On R2, we now get the following log message:
This means that our IPS is working.
To tweak the behavior of the IPS, we can go into the signature with an ID of 5081 and modify it:
We can now tell it to reset the entire TCP connection:
After this, the compilation of the signature begins once again:
Fortunately, only the changes will be recompiled:
Even though in our testing resetting the TCP connection doesn't do much, since we are terminated immediately anyway, this action tears down the entire TCP connection and all state information regarding the “attack”, which would be very helpful.
We can observe that we are immediately disconnected from the HTTP server, and since we also used the “produce-alert” keyword, we also get a log message on R2, just as we did before the change:
Now, all of this is just a very, very small portion of what can be done with the IPS feature, and I am in no way a security guy, but I do believe this is an under-utilized feature, which is a shame since it is “real” security in my eyes.
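The whole R2 side of the walkthrough above, collected into one listing as an added example (this is not the original post's own configuration output). The rule name MYIPS, the directory flash:/ips and the interface FastEthernet0/0 are assumptions, and the key-string itself is left as a placeholder:

```cisco
! Exec mode on R2: create the directory that will hold the IPS configuration
mkdir flash:/ips
!
configure terminal
! Cisco's public key, needed to verify the signature package. The key-string
! lines come from Cisco's documentation and are not reproduced here (placeholder).
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <paste the key-string from Cisco's documentation here>
  quit
!
! The IPS rule (name assumed) and the directory where it keeps its signature data
ip ips name MYIPS
ip ips config location flash:/ips retries 1
! Report IPS events as syslog messages
ip ips notify log
!
! Retire every category, then un-retire only the basic ios_ips set
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Apply the rule inbound on the interface facing R1 (interface name assumed)
interface FastEthernet0/0
 ip ips MYIPS in
!
! Tune signature 5081/0: alert on a match and tear down the TCP connection
ip ips signature-definition
 signature 5081 0
  engine
   event-action produce-alert reset-tcp-connection
end
!
! Exec mode: load the package into memory (slow; the signatures compile in
! the background), then check how many signatures are loaded and compiled
copy flash:IOS-S556-CLI.pkg idconf
show ip ips signatures count
```

When you leave the signature-category and signature-definition sub-modes, IOS asks you to confirm the changes, and both the package load and the later signature edit trigger a (re)compilation that shows up in the log.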
I hope it has been useful. Any comments will be appreciated.