Welcome to the concluding article of this series. In previous articles, we have dealt with Cisco firewall technologies, securing the management, control and data planes of the Cisco IOS device, reporting using Syslog, and most recently, AAA on Cisco devices. In this article, we will be discussing Intrusion Prevention Systems (IPS) and configuring the Cisco IOS IPS.

Intrusion Prevention System (IPS) versus Intrusion Detection System (IDS)

Attacks can occur on a network when, for example, a user downloads a virus-ridden email. These attacks can be difficult to prevent because the firewall and access rules may see them as legitimate traffic. Many network devices are restricted to the lower layers (layers 2-4) of the OSI model, and even those that have deep packet inspection features may only be able to handle attacks that misuse certain protocols. This is where Intrusion Detection/Prevention comes in. These devices are purpose-built to inspect traffic through a network (or computer system), raise alarms when attacks are detected, and possibly attempt to stop such attacks.

An IDS functions only to detect attacks on a network. This is because the IDS is placed out-of-band of the traffic flow, i.e. the device is not in the path of the traffic; it only receives copies of the traffic for inspection. An IPS on the other hand is placed inline of traffic flow. This means an IPS can not only inspect traffic, but it can also take actions on such traffic if an attack is detected. In other words, an IPS is an IDS that can (attempt to) stop attacks on a network (or computer system).

Note: It is possible, however, to have some actions other than raising alarms when using an IDS. This can be achieved through collaboration with other devices. For example, the IDS can instruct a router to apply an access-list to deny particular malicious traffic.

Let’s take an everyday example to drive home the point. When there’s a fire in a building, a system may be able to detect the fire and sound an alarm. The alarm is to warn people of danger. If this is all the system does, then it can be said to be similar to an IDS. If however the system also has water sprinklers included in it and after it has sounded the alarm, it also releases water from these sprinklers to attempt to stop the fire, then it can be said to be similar to an IPS.

Let’s think about the disadvantages and advantages of each type of system for a moment. The IDS can only detect attacks and its prevention capabilities are limited (it cannot prevent attacks by itself). However, since the IDS is not in the path of traffic, there’s no delay or latency in traffic. On the IPS side, it can prevent attacks making it more beneficial. However, being inline of traffic can introduce delay and latency. Also, if the IPS fails for any reason, traffic is essentially black holed if there’s no alternative path through (or if the IPS does not fail open).

Intrusion Detection Methodologies

There are several methods through which IDS/IPS devices detect attacks and intrusions. According to the National Institute of Standards and Technology (NIST), there are three primary methods:

Signature-based detection

Attacks may be carried out in a particular way; thus these attacks may have “signatures”. For example, it may be known that a virus spreads through an email with the title “pass your CCNA 100%” and an attached file known as “ccna-pass-free.exe”. This is an example of a signature. Thus a signature-based IDS/IPS will look through emails and flag the ones that have “pass your CCNA 100%” as the title and also “ccna-pass-free.exe” as an attachment.

The problem with this detection method is that it can only detect known attacks. If a new attack is discovered today, you will have to wait for an updated signature. However, signature-based detection can be very effective and is usually the most used method of detection.

Anomaly-based detection

An anomaly is something that is not normal. Therefore, this detection method compares activities to a baseline of what is considered normal activity. For example, if a user who only sends emails, and therefore does not use a lot of Internet bandwidth, suddenly starts using up 50% of the bandwidth, that behaviour is anomalous and an IDS/IPS that uses this detection method can raise an alarm. This detection method is very effective against previously unknown attacks, thus providing protection against “day-zero attacks”.

Stateful Protocol Analysis

This is similar to deep packet inspection that includes not just network-based activities but also host-based activities. Take the TCP three-way handshake for example: SYN, SYN+ACK and then ACK. If a SYN+ACK packet is received before a SYN packet, then this means the protocol is being used in a way it is not intended to be used.

Other detection methodologies include policy-based and reputation-based detection. Many IDS/IPS devices (including Cisco) implement more than one of these detection methods and, as such, can be seen as hybrid systems.

Possible Response actions

When an attack or intrusion has been detected, there are numerous actions that can be taken by the IDS or IPS device. Since these actions fall more into prevention capabilities, the IPS usually has more actions that can be taken when compared to the IDS. Examples of actions that are specific to the IPS (Cisco’s implementation) include Deny attacker inline, Deny connection inline and Deny packet inline. Preventive actions that can be taken by the IDS (and also the IPS) include Request block connection and Request block host. Other actions include producing an alert, logging actions, and resetting TCP connections.

True Positive, True Negative, False Positive and False Negative

These are terminologies that you should be familiar with not only for the certification exam but also as a network administrator. True positive means that malicious traffic passed through the network (or system) and the IDS/IPS generated an alarm. True negative means that non-malicious traffic passed through and the IDS/IPS did not generate any alarm. False positive occurs when non-malicious traffic passes through the network but the IDS/IPS falsely generates an alarm. False Negative occurs when malicious traffic passes through the network but the IDS/IPS lets it pass through without generating an alarm.

In the article, “Demystifying the CCNA Security exam”, I gave a simple method of remembering these terms: “True means the IPS did the right thing (passed). False means it did the wrong thing (failed). Positive means it generated an alert. Negative means it didn’t.”

Signature Micro Engines (SMEs)

As has been stated earlier, one of the most employed methods of detecting intrusions is through the use of signatures and this holds true also in Cisco IPS/IDS implementations. Similar signatures are grouped into a category known as a Signature Micro Engine. These SMEs include:

  • Atomic: Detects attacks in a single packet.
  • String: According to Cisco, these are generic pattern-matching inspection engines.
  • Multi-string: Inspects layer 4 protocols.
  • Service: Analyzes Layer 5 and above traffic between two hosts.

Other SMEs not listed above include State and Normalizer.

Cisco IOS IPS

Now that we have discussed the basics of IPS/IDS devices, let’s get down to the configuration of the Cisco IOS IPS. The Cisco IOS IPS is a feature like the Cisco IOS ZFW which you can turn on, although you have to download and install some things from the Cisco site. The general steps required to configure Cisco IOS IPS are listed below:

If using the CCP Tool, steps 2-5 can be performed by using the IOS IPS Wizard. To implement the Cisco IOS IPS, we will use the network diagram shown below.

I have downloaded the IOS IPS files to the inside host. There are two important files to download: the signature package which is in the format IOS-Sxxx-CLI.pkg and Cisco’s public key named realm-cisco.pub.key.txt. We will configure the Cisco IOS IPS using the CCP tool and at the end, we will see the commands if we wanted to use the CLI to achieve the same thing.

After downloading the required files, connect to CCP and navigate to Configure » Security » Intrusion Prevention. Click on the ‘Launch IPS Rule Wizard…’ button. If SDEE is not enabled, you will get a notification that SDEE will be turned on. Click OK.

When the IPS Policies Wizard comes up, click on the Next button to proceed. You will be presented with a screen to select the interfaces to which IPS should be applied either in the inbound or outbound direction. In our case, we would want traffic coming from the Internet (i.e. Fa0/1) to be inspected, i.e. inbound.

When you click on the Next button, you will then be required to specify the location of the signature file.

There are three options for specifying the location of the signature file: the Router’s flash (if it is already available on the flash), using a protocol like FTP if it is located on a server for example, or from the local PC on which you are running CCP. If you want to use the local PC option, you need to download another type of signature file in the format sigv5-SDM-Sxxx.zip. Since I have already downloaded the signature file to my PC, I can use FTP to get it (you must have an FTP server running).

Click OK and you are taken back to the main screen. There’s one more thing to do on this screen: specify Cisco’s public key. This key is used to ensure that the signature file is from a trusted source (which is Cisco). The name should be specified as “realm-cisco.pub”. Open the realm-cisco.pub.key.txt file and copy the public key, i.e. start copying from the numbers and stop before “quit”.

Click Next. You will then be asked to specify where the signature and configuration files should be stored. This can be on a separate folder on the flash of the router. If your router doesn’t support directory creation, you will get a dialog box telling you that the location will be “flash:/”.

Back at the IPS Policies Wizard screen, you may choose the signature category to be installed. There are two options: Basic and Advanced. Depending on your memory and CPU, one may be more suitable, i.e. Basic is more suitable if you have less than 128MB of memory.

When you click the Next button, you are taken to the final page which is a summary of all that you have selected. Click the Finish button to enable Cisco IOS IPS. If you have the preview commands enabled, click the Deliver button to send the commands to the device.

When the commands have been delivered to the router, a dialog box appears that shows that signatures are being loaded on the router.

The router console also gives insight into the signatures being loaded. This process can be CPU intensive and can take several minutes. Also notice some of the SMEs we mentioned in the snapshot below.

When the router is done loading the signatures, CCP will show the Edit IPS tab where you can view the configuration for Cisco IOS IPS, add, view and tune signatures, and so on.

Notice that there are different properties that can be applied to signatures: Enable, Disable, Retire and Unretire. A retired signature means that the IOS IPS does not compile that signature into memory for scanning; unretired means that the signature is compiled into memory for scanning. An enabled signature means that the corresponding action for that signature will be taken if there is matching offending traffic. However, such a signature has to be unretired and successfully compiled first. A disabled signature means that the corresponding action for that signature will not be taken if there is offending traffic (even if the signature is unretired). In summary, configured actions will only work with signatures that are enabled, unretired and successfully compiled.

Let’s test our Cisco IOS IPS. I have a Router on the Internet side with an IP address of 192.168.20.100. Currently, it can ping the inside host.

Now, let’s enable a signature on the Cisco IOS IPS that deals with ICMP Echo Request. To search for a signature by name, for example, change the ‘View by:’ to “Sig Name” and enter the search string.

The signature we want to tune has an ID of 2004. Notice that it is currently disabled and also retired, therefore we have to enable it and also unretire it. You do this by selecting the signature and clicking on the required buttons, i.e. Enable and Unretire in our case.

To view the actions associated with the signature, right-click on it and select Actions.

The ICMP Echo Request signature has the Produce Alert action associated with it. In this window, we can add more actions to that signature. Also, notice that there are 5 actions that the Cisco IOS IPS can be configured to take: Deny Attacker Inline, Deny Connection Inline, Deny Packet Inline, Produce Alert and Reset TCP Connection. Let’s also add the “Deny Packet Inline” action to this signature.

When you have made a change to a signature, you will notice the orange icon that appears telling you that the change has not been applied. When you are done, click the Apply Changes button at the bottom.

HINT: As much as possible, try to make all your changes in bulk before hitting the Apply Changes button because it can take several minutes to apply the changes you make, even the smallest one.

Notice now that the signature is enabled and also unretired. So let’s generate our ping packet again and see what happens.

It fails because we denied the packets. The messages are also logged on the router console.

Lastly, we can view the alerts on CCP by navigating to Monitor » Security » IPS Status » IPS Alert Statistics.

Equivalent CLI Configuration

Download Cisco IOS IPS Files

If you want to configure the Cisco IOS IPS using the CLI, you still have to download the Cisco IOS IPS Files.

Create IOS IPS Directory on flash

Next, you can create a directory on the flash of the router where the IOS IPS signature file and configuration file will be placed. You can do this using the mkdir <directory name> command. If your router doesn’t support it, you can leave the location as flash:/.

Configure the Cisco Public Key

Open the realm-cisco.pub.key.txt file and copy the contents into global configuration mode (configure terminal) of the router. This time, you have to copy the entire content of the file unlike when we only copied the public key when using CCP.

Enable IOS IPS

The first command specifies the name of the IPS instance. You can optionally configure an ACL so that only traffic matching the ACL will be inspected by the IPS. The second line specifies the location of the Cisco IOS IPS configuration. For event monitoring of the IOS IPS, you can enable SDEE (which is why we were able to see the events in CCP) or use logging, e.g. a Syslog server.

Next, you will want to enable only a selected number of signatures and retire the rest. If you skip this step, your router will run out of memory and probably crash.

The above configuration retires the “all” category of signatures and then unretires only the signatures contained in the basic category. Optionally, you can enable only required signatures like the 2004 ICMP Echo Request that we tweaked above.

Finally, enable the IPS rule you have created on the interface and also specify the direction (inbound, outbound or both).

Load IOS IPS Signature package on router

It is important that this part of the configuration is done last or at least it is done after the “all” signature category has been retired. Copy the IOS IPS Signature package that you downloaded to a location “idconf” e.g.

The above command copies the IOS-S636-CLI.pkg file located on FTP server 192.168.0.5 using a username of “adeolu” and a password of “cisco” to the IDCONF location.
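
The CLI steps described in this section, put together in order as an added example; it is not the author's original listing. The rule name IOSIPS and the directory name ipsdir are assumptions, and the public key is left out because it has to be pasted from realm-cisco.pub.key.txt.

```cisco
! Added example; the names IOSIPS and ipsdir are assumptions.
! Create the IOS IPS directory on flash (privileged EXEC).
mkdir ipsdir
!
configure terminal
! Paste the entire contents of realm-cisco.pub.key.txt here; it defines
! the key named realm-cisco.pub that is used to verify the signature package.
!
! Name the IPS rule and set where IOS IPS keeps its configuration.
ip ips name IOSIPS
ip ips config location flash:ipsdir
! Event monitoring: SDEE (needs the router's HTTP or HTTPS server) and syslog.
ip http secure-server
ip ips notify sdee
ip ips notify log
!
! Retire the "all" category, then unretire only the basic category.
! IOS asks you to confirm the changes when you exit this mode.
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
!
! Optional: tune signature 2004 (ICMP Echo Request) as was done in CCP.
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
   exit
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit
!
! Apply the rule inbound on the Internet-facing interface.
interface FastEthernet0/1
 ip ips IOSIPS in
 end
!
! Last step: load the signature package, then check what was compiled.
copy ftp://adeolu:cisco@192.168.0.5/IOS-S636-CLI.pkg idconf
show ip ips signature count
```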

And that’s all! The relevant portion of the configuration on our router is shown below:

Summary

In this article, we have discussed Intrusion Prevention Systems and Intrusion Detection Systems. We have also seen the various detection methodologies that these devices can use. We differentiated true positive, true negative, false positive and false negative results. Finally, we configured and implemented the Cisco IOS IPS using both the CCP tool and the CLI.

This brings us to the end of this series of the CCNA Security Certification Exam. I hope this has been insightful and I wish you success in your studies.
