IOS IPS: CCIE RS, CCIE SC
14 January 10

Posted by INE

IOS IPS is fair game for both the CCIE Security and CCIE R&S labs. Now that IOS IPS uses version 5 signatures (the same format as the sensor appliance), setting it up is not as simple as it used to be, but it is very important. The intention of this post is to provide a streamlined process to use as a jumpstart into IOS IPS. For full details, examples and explanations, please refer to our lab workbooks; both the R&S and Security workbooks cover the topic. Let's get started!

First, we need a place for the IPS configuration files to live. IPS wants a directory, so let's make one on the router's flash. If other writable IOS file systems were present, we could use one of those instead.

    R6#mkdir ips
    Create directory filename [ips]?
    Created dir flash:/ips
    R6#

IOS IPS verifies the digital signature on the master signature file, which Cisco signs with its private key. To verify that signature, the router needs the corresponding public key, which Cisco publishes as a text file named realm-cisco.pub.key.txt. If this key is missing or mistyped, the signature package we load later will fail verification, so paste it carefully. To load the public key into the router configuration, we do the following:

    R6(config)#crypto key pubkey-chain rsa
    R6(config-pubkey-chain)#named-key realm-cisco.pub signature
    Translating "realm-cisco.pub"
    R6(config-pubkey-key)#key-string
    Enter a public key as a hexidecimal number ....
! Note: the $ to the left of the hex characters is the terminal's scroll marker; it means the line holds more characters than fit on screen and is not part of the key.
    R6(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101
    R6(config-pubkey)#$D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
    R6(config-pubkey)#$912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
    R6(config-pubkey)#$085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
    R6(config-pubkey)#$0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
    R6(config-pubkey)#$994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
    R6(config-pubkey)#$5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
    R6(config-pubkey)#$A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
    R6(config-pubkey)#$80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
    R6(config-pubkey)# F3020301 0001
    R6(config-pubkey)# quit
    R6(config-pubkey-key)#end
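The hex lines above are scrolled off by the terminal, so the page does not show the whole key. As an added example (not from the INE post and not Cisco's key), here is a small Python check to run on a key-string paste before trusting it: it strips prompts and `$` markers, decodes the hex, walks the DER SubjectPublicKeyInfo to confirm the blob is an rsaEncryption key with a sane modulus and exponent, and prints a SHA-256 fingerprint you can compare against the copy downloaded from Cisco. Because the page's key is truncated, the demo input is a constructed 2048-bit key built by the helper below; `build_rsa_spki`, `to_ios_keystring` and the `DEMO_*` names are this example's own.

```python
# Added example (not from the INE post or Cisco): sanity-check a pasted IOS
# "key-string" blob before relying on it to verify signature packages.
import hashlib
import re

RSA_OID = bytes.fromhex("2A864886F70D010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


def keystring_to_der(text: str) -> bytes:
    """Collect the hex groups from a key-string paste and return raw DER.

    Prompts such as "R6(config-pubkey)#" and the terminal's "$" scroll marker
    are discarded; every remaining even-length uppercase hex token is key data
    (IOS and Cisco's key file both print the key in uppercase).
    """
    groups = []
    for line in text.splitlines():
        line = line.split("#", 1)[-1].replace("$", " ")
        for tok in line.split():
            if re.fullmatch(r"[0-9A-F]+", tok) and len(tok) % 2 == 0:
                groups.append(tok)
    return bytes.fromhex("".join(groups))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos -> (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data (truncated paste?)")
    return tag, buf[pos:end], end


def inspect_rsa_spki(der: bytes) -> dict:
    """Walk a SubjectPublicKeyInfo; return modulus size, exponent and fingerprint."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE (extra or missing bytes)")
    tag, alg, pos = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("AlgorithmIdentifier is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("public key BIT STRING malformed")
    tag, rsa, _ = _tlv(bits, 1)             # skip the unused-bits byte
    n_tag, n_bytes, pos = _tlv(rsa, 0)
    e_tag, e_bytes, _ = _tlv(rsa, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER n, INTEGER e }")
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "sha256": hashlib.sha256(der).hexdigest()}


# --- helpers that only exist to build a constructed demo key -----------------
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER element with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                         # DER INTEGER is signed; keep it positive
        b = b"\x00" + b
    return _der(0x02, b)


def build_rsa_spki(n: int, e: int) -> bytes:
    """Encode (n, e) as SubjectPublicKeyInfo with rsaEncryption + NULL params."""
    rsa = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa))


def to_ios_keystring(der: bytes, per_line: int = 6) -> str:
    """Format DER as the 8-hex-char groups IOS expects under key-string."""
    h = der.hex().upper()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    return "\n".join(" ".join(groups[i:i + per_line]) for i in range(0, len(groups), per_line))


# Constructed demo key (NOT Cisco's realm-cisco.pub): 2048-bit modulus, e = 65537,
# rendered the way a console paste with prompts and "$" markers would look.
DEMO_N = (1 << 2047) | 0x10001
DEMO_E = 65537
DEMO_PASTE = "\n".join("R6(config-pubkey)#$" + ln
                       for ln in to_ios_keystring(build_rsa_spki(DEMO_N, DEMO_E)).splitlines())

if __name__ == "__main__":
    print(inspect_rsa_spki(keystring_to_der(DEMO_PASTE)))
```

A real 2048-bit RSA key encodes with the same framing you can see in the page's fragments: `02820101` (a 257-byte modulus INTEGER, leading zero included) near the start and `02030 10001` (exponent 65537) at the very end, so those two markers are a quick eyeball check on any paste.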

    We’ll save the configuration, just to be safe.

    R6#wr
    Building configuration...

    Let’s check the ips folder we created on flash. It should still be empty.

    R6#cd ips
    R6#dir
    Directory of flash:/ips/

    No files in directory

    255967232 bytes total (187428864 bytes free)
    R6#cd ..

Once the IPS configuration is complete, the router will inspect all traffic on the interface and in the direction we specify. If we want to limit what goes through IPS processing, we can filter with an access-list: only traffic permitted by the ACL is subjected to IPS inspection, and everything else passes through uninspected. Let's create an ACL that matches only traffic destined to 6.6.6.6, the loopback of R6.

R6(config)#access-list 123 permit ip any host 6.6.6.6

    Next we will create an IPS rule named “IOS-IPS”, and associate the ACL we just created. In a later step, we will apply IPS rule to an interface.

R6(config)#ip ips name IOS-IPS list 123

IPS needs to know where to keep its signature definitions and configuration. It just so happens that we created a folder named "ips" on flash earlier; we will use that directory.

R6(config)#ip ips config location flash:/ips

The router can send alerts using Security Device Event Exchange (SDEE) and/or syslog. We will configure both, and allow up to 2 simultaneous SDEE managers to set up requests for alerts, called subscriptions. SDEE rides on the router's HTTP server, so that must be enabled too. Keep in mind that this opens a management service on the router; outside the lab, restrict who can reach it (for example with ip http access-class) and prefer ip http secure-server. Let's take care of these items next.

    R6(config)#ip ips notify sdee
    R6(config)#ip sdee subscriptions 2
    R6(config)#ip ips notify log
    R6(config)#ip http server

Before we apply the IPS rule to an interface, we are going to set up some safety. We retire all signatures, then un-retire only the signatures in the ios_ips "advanced" category; the statements are applied in order, so the narrower category overrides the blanket retirement. If we un-retired the "all" category, the router could run out of memory while compiling signatures (your mileage may vary ☺). As we exit configuration mode, we are prompted to accept the changes.

    R6(config)#ip ips signature-category
    R6(config-ips-category)#category all
    R6(config-ips-category-action)#retired true
    R6(config-ips-category-action)#exit
    R6(config-ips-category)#
    R6(config-ips-category)#category ios_ips advanced
    R6(config-ips-category-action)#retired false
    R6(config-ips-category-action)#end
    Do you want to accept these changes? [confirm]
    R6#
    Applying Category configuration to signatures ...
    R6#

Next we apply the IPS rule we created to an interface. We also enable virtual fragment reassembly, so that IPS sees reassembled datagrams instead of individual fragments and can match attacks that are split across multiple packets.

    R6(config)#interface FastEthernet0/0
    R6(config-if)#ip ips IOS-IPS in
    R6(config-if)#ip virtual-reassembly

Notice that as soon as we apply the IPS rule to an interface, the router begins compiling signatures. This won't take long at this point, because we haven't loaded a signature package yet.

    R6#
    %IPS-6-ENGINE_BUILDS_STARTED: Jan 14 2010
    %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
    %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
    %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms

Let's take a peek at the ips directory that was empty just a few minutes ago.

    R6#cd ips
    R6#dir
    Directory of flash:/ips/

    52 -rw- 719 Jan 14 2010 20:00:26 +00:00 R6-sigdef-default.xml
    9 -rw- 271 Jan 14 2010 20:00:26 +00:00 R6-sigdef-delta.xml
    59 -rw- 4365 Jan 14 2010 20:00:28 +00:00 R6-sigdef-typedef.xml
    4 -rw- 1469 Jan 14 2010 20:00:28 +00:00 R6-sigdef-category.xml
    7 -rw- 257 Jan 14 2010 20:00:28 +00:00 R6-seap-delta.xml
    16 -rw- 491 Jan 14 2010 20:00:28 +00:00 R6-seap-typedef.xml

    255967232 bytes total (187400192 bytes free)
    R6#cd ..

    Cool beans! Here is what those files contain:
    R6-sigdef-default.xml: factory default signature definitions
    R6-sigdef-delta.xml: signature definitions which were changed from the default
    R6-sigdef-typedef.xml: signature parameter definitions
    R6-sigdef-category.xml: signature category information, such as category ios_ips basic and advanced
    R6-seap-delta.xml: has changes made to the default SEAP parameters
    R6-seap-typedef.xml: has the default SEAP parameter definitions
SEAP = Signature Event Action Processor (event action overrides, filters, and so on)

Now let's give the router some signature information to crunch. Download the latest signature package from cisco.com and put it on a local server. Here, R6 copies the .pkg file from a local TFTP server straight into the IPS configuration (the idconf keyword). TFTP offers no integrity protection of its own, which is exactly why the package carries a signature that the router verifies with the public key we loaded earlier.

    R6#copy tftp://40.0.0.101/IOS-S456-CLI.pkg idconf
    Loading IOS-S456-CLI.pkg from 40.0.0.101 (via FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    [OK - 11085111 bytes]

Now watch the console while the router digests the file and compiles all the signatures in the "advanced" set. This takes a while, and on a production router the CPU spike could amount to a self-inflicted DoS: CPU skyrockets, and the build takes roughly 1 to 5 minutes to complete. Load signature packages in a maintenance window.

    R6#
    %IPS-6-ENGINE_BUILDS_STARTED: 20:03:39 UTC Jan 14 2010
    %IPS-6-ENGINE_BUILDING: multi-string - 40 signatures - 1 of 13 engines
    %IPS-6-ENGINE_READY: multi-string - build time 164 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: service-http - 801 signatures - 2 of 13 engines
    %IPS-6-ENGINE_READY: service-http - build time 17456 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: string-tcp - 2058 signatures - 3 of 13 engines
    %IPS-6-ENGINE_READY: string-tcp - build time 59236 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: string-udp - 79 signatures - 4 of 13 engines
    %IPS-6-ENGINE_READY: string-udp - build time 52 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: state - 37 signatures - 5 of 13 engines
    %IPS-6-ENGINE_READY: state - build time 648 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: atomic-ip - 373 signatures - 6 of 13 engines
    %IPS-6-ENGINE_READY: atomic-ip - build time 5548 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
    %IPS-6-ENGINE_READY: string-icmp - build time 0 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
    %IPS-6-ENGINE_READY: service-ftp - build time 20 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: service-rpc - 76 signatures - 9 of 13 engines
    %IPS-6-ENGINE_READY: service-rpc - build time 204 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: service-dns - 39 signatures - 10 of 13 engines
    %IPS-6-ENGINE_READY: service-dns - build time 60 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
    %IPS-6-ENGINE_READY: normalizer - build time 4 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_READY: service-smb-advanced - build time 3024 ms - packets for this engine will be scanned
    %IPS-6-ENGINE_BUILDING: service-msrpc - 35 signatures - 13 of 13 engines
    %IPS-6-ENGINE_READY: service-msrpc - build time 2208 ms - packets for this engine will be scanned
    %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 88876 ms
    R6#

Wow, only 88,876 ms, about 1.5 minutes. Let's run some show commands to verify the install. When reading the counts, keep the legend in mind: "enabled" and "compiled" are different things. Retired signatures are never compiled, so in this output each engine's compiled count equals its total minus retired, and only compiled signatures actually scan traffic; a signature that is compiled but not enabled produces no action.

R6#show ip ips signature count

    Cisco SDF release version S456.0
    Trend SDF release version V0.0

    Signature Micro-Engine: multi-string: Total Signatures 40
    multi-string enabled signatures: 34
    multi-string retired signatures: 34
    multi-string compiled signatures: 6

    Signature Micro-Engine: service-http: Total Signatures 801
    service-http enabled signatures: 133
    service-http retired signatures: 667
    service-http compiled signatures: 134
    service-http obsoleted signatures: 3

    Signature Micro-Engine: string-tcp: Total Signatures 2058
    string-tcp enabled signatures: 675
    string-tcp retired signatures: 1810
    string-tcp compiled signatures: 248
    string-tcp obsoleted signatures: 22

    Signature Micro-Engine: string-udp: Total Signatures 79
    string-udp enabled signatures: 0
    string-udp retired signatures: 78
    string-udp compiled signatures: 1
    string-udp obsoleted signatures: 2

    Signature Micro-Engine: state: Total Signatures 37
    state enabled signatures: 16
    state retired signatures: 24
    state compiled signatures: 13

    Signature Micro-Engine: atomic-ip: Total Signatures 373
    atomic-ip enabled signatures: 90
    atomic-ip retired signatures: 307
    atomic-ip compiled signatures: 66

    Signature Micro-Engine: string-icmp: Total Signatures 3
    string-icmp enabled signatures: 0
    string-icmp retired signatures: 3

    Signature Micro-Engine: service-ftp: Total Signatures 3
    service-ftp enabled signatures: 1
    service-ftp retired signatures: 2
    service-ftp compiled signatures: 1

    Signature Micro-Engine: service-rpc: Total Signatures 76
    service-rpc enabled signatures: 44
    service-rpc retired signatures: 50
    service-rpc compiled signatures: 26

    Signature Micro-Engine: service-dns: Total Signatures 39
    service-dns enabled signatures: 27
    service-dns retired signatures: 10
    service-dns compiled signatures: 29
    service-dns obsoleted signatures: 1

    Signature Micro-Engine: normalizer: Total Signatures 9
    normalizer enabled signatures: 8
    normalizer retired signatures: 1
    normalizer compiled signatures: 8

    Signature Micro-Engine: service-smb-advanced: Total Signatures 49
    service-smb-advanced enabled signatures: 40
    service-smb-advanced retired signatures: 30
    service-smb-advanced compiled signatures: 19

    Signature Micro-Engine: service-msrpc: Total Signatures 35
    service-msrpc enabled signatures: 17
    service-msrpc retired signatures: 28
    service-msrpc compiled signatures: 7
    service-msrpc obsoleted signatures: 1

    Total Signatures: 3602
    Total Enabled Signatures: 1085
    Total Retired Signatures: 3044
    Total Compiled Signatures: 558
    Total Obsoleted Signatures: 29
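Reading thirteen engine stanzas by eye is error-prone, so here is an added example (not from the INE post) that parses `show ip ips signature count` and reports, per engine, how many signatures will actually scan (the compiled count), flags any non-retired signatures that did not compile (the Ni/Nf cases in the legend), and cross-checks the Total lines against the per-engine sums. The embedded sample is four of the engine stanzas copied from R6's output above; the trailing Total lines used in the usage note are constructed for the demonstration, and the function names are this example's own.

```python
# Added example (not from the INE post): parse "show ip ips signature count"
# and report which signatures will really scan traffic.
import re

ENGINE_RE = re.compile(r"Signature Micro-Engine: (?P<engine>\S+): Total Signatures (?P<total>\d+)")
COUNT_RE = re.compile(r"^(?P<engine>\S+) (?P<kind>enabled|retired|compiled|obsoleted) signatures: (?P<n>\d+)$")
TOTAL_RE = re.compile(r"^Total (?P<kind>Enabled |Retired |Compiled |Obsoleted )?Signatures: (?P<n>\d+)$")


def parse_signature_count(text: str) -> dict:
    """Return {"engines": {name: {total, enabled, retired, compiled, obsoleted}}, "totals": {...}}."""
    engines, totals = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ENGINE_RE.match(line):
            engines[m["engine"]] = {"total": int(m["total"]), "enabled": 0,
                                    "retired": 0, "compiled": 0, "obsoleted": 0}
        elif m := COUNT_RE.match(line):
            engines[m["engine"]][m["kind"]] = int(m["n"])   # lines absent from the output stay 0
        elif m := TOTAL_RE.match(line):
            totals[(m["kind"] or "total").strip().lower()] = int(m["n"])
    return {"engines": engines, "totals": totals}


def audit(report: dict) -> dict:
    """Per-engine scanning count plus consistency checks."""
    eng = report["engines"]
    out = {"scanning": {}, "uncompiled_active": {}, "mismatched_totals": []}
    for name, c in eng.items():
        out["scanning"][name] = c["compiled"]            # only compiled signatures scan
        # Retired signatures never compile; anything else left uncompiled is an
        # invalid-parameter or failed build (Cmp = Ni / Nf in the legend).
        gap = c["total"] - c["retired"] - c["compiled"]
        if gap > 0:
            out["uncompiled_active"][name] = gap
    for kind in ("total", "enabled", "retired", "compiled", "obsoleted"):
        if kind in report["totals"] and report["totals"][kind] != sum(c[kind] for c in eng.values()):
            out["mismatched_totals"].append(kind)
    return out


# Four engine stanzas copied from R6's output above (the real output has thirteen).
SAMPLE = """\
Cisco SDF release version S456.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 40
multi-string enabled signatures: 34
multi-string retired signatures: 34
multi-string compiled signatures: 6

Signature Micro-Engine: string-udp: Total Signatures 79
string-udp enabled signatures: 0
string-udp retired signatures: 78
string-udp compiled signatures: 1
string-udp obsoleted signatures: 2

Signature Micro-Engine: string-icmp: Total Signatures 3
string-icmp enabled signatures: 0
string-icmp retired signatures: 3

Signature Micro-Engine: service-dns: Total Signatures 39
service-dns enabled signatures: 27
service-dns retired signatures: 10
service-dns compiled signatures: 29
service-dns obsoleted signatures: 1
"""

if __name__ == "__main__":
    print(audit(parse_signature_count(SAMPLE)))
```

Feed it the full output (for example saved from the console) and `scanning` will total 558, matching "Total Active Signatures" in `show ip ips configuration`; the multi-string engine is a good illustration of the enabled/compiled gap, with 34 enabled but only 6 scanning.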

    R6#show ip ips configuration

    IPS Signature File Configuration Status
    Configured Config Locations: flash:/ips/
    Last signature default load time: Jan 14 2010
    Last signature delta load time: Jan 14 2010
    Last event action (SEAP) load time: -none-

    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

    IPS Auto Update is not currently configured

    IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled

    IPS Signature Status
    Total Active Signatures: 558
    Total Inactive Signatures: 3044

    IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name IOS-IPS acl list 123
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Interface Configuration
    Interface FastEthernet0/0
    Inbound IPS rule is IOS-IPS acl list 123
    Outgoing IPS rule is not set

    IPS Category CLI Configuration:
    Category all:
    Retire: True
Category ios_ips advanced:
Retire: False

    R6#

Ok, how do we modify signatures? The simple way is the Security Device Manager (SDM) GUI. Unfortunately that option is not available in the lab, so let's look at how to do it from the CLI. We'll modify the signature for ICMP echo request. In the Security lab, the IPS sensor GUI (IDM) on an appliance could be used to discover which signature number covers ICMP echo; in the R&S lab, the online documentation or a signature number given in the task would help. Signature 2004, sub-signature 0 is the signature for ICMP echo request.

    Lets look at the default for this signature first:

R6#show ip ips signature sigid 2004 subid 0

    En - possible values are Y, Y*, N, or N*
    Y: signature is enabled
    N: enabled=false in the signature definition file
    *: retired=true in the signature definition file
    Cmp - possible values are Y, Ni, Nr, Nf, or No
    Y: signature is compiled
    Ni: signature not compiled due to invalid or missing parameters
    Nr: signature not compiled because it is retired
    Nf: signature compile failed
    No: signature is obsoleted
    Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
    Trait=alert-traits EC=event-count AI=alert-interval
    GST=global-summary-threshold SI=summary-interval SM=summary-mode
    SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release

    SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
    ----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
    2004:0 N* Nr A INFO 0 1 0 200 30 FA N 100 S1
    sig-name: ICMP Echo Request
    sig-string-info: My Sig Info
    sig-comment: Sig Comment
    Engine atomic-ip params:
    fragment-status :
    icmp-type : 8
    l4-protocol : icmp
    R6#

Now we will tweak this signature. Look at the configuration and it is apparent what we are setting: the action (produce-alert), a higher severity (high), and enabled true plus retired false so the signature is both compiled and active. Accepting the change triggers a rebuild of the atomic-ip engine, so expect a short CPU spike. (You may get the joke after looking at the config: true. Or not: false ☺)

    R6(config)#ip ips signature-definition
    R6(config-sigdef)#signature 2004 0
    R6(config-sigdef-sig)#engine
    R6(config-sigdef-sig-engine)#event-action produce-alert
    R6(config-sigdef-sig-engine)#exit
    R6(config-sigdef-sig)#alert-severity high
    R6(config-sigdef-sig)#status
    R6(config-sigdef-sig-status)#enabled true
    R6(config-sigdef-sig-status)#retired false
    R6(config-sigdef-sig-status)#exit
    R6(config-sigdef-sig)#exit
    R6(config-sigdef)#exit
    Do you want to accept these changes? [confirm]
    R6(config)#
    %IPS-6-ENGINE_BUILDS_STARTED: Jan 14 2010
    %IPS-6-ENGINE_BUILDING: atomic-ip - 373 signatures - 1 of 13 engines
    %IPS-6-ENGINE_READY: atomic-ip - build time 4764 ms - packets for this engine will be scanned
    %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 5596 ms
    R6(config)#exit

    Now lets look at the results of the changes.

R6#show ip ips signature sigid 2004 subid 0

    En - possible values are Y, Y*, N, or N*
    Y: signature is enabled
    N: enabled=false in the signature definition file
    *: retired=true in the signature definition file
    Cmp - possible values are Y, Ni, Nr, Nf, or No
    Y: signature is compiled
    Ni: signature not compiled due to invalid or missing parameters
    Nr: signature not compiled because it is retired
    Nf: signature compile failed
    No: signature is obsoleted
    Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
    Trait=alert-traits EC=event-count AI=alert-interval
    GST=global-summary-threshold SI=summary-interval SM=summary-mode
    SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release

    SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
    ----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
    2004:0 Y Y A HIGH 0 1 0 200 30 FA N 100 S1
    sig-name: ICMP Echo Request
    sig-string-info: My Sig Info
    sig-comment: Sig Comment
    Engine atomic-ip params:
    fragment-status :
    icmp-type : 8
    l4-protocol : icmp
    R6#

We can do a simple test by pinging 6.6.6.6 from the neighbor, R4. The pings succeed because the signature's action is produce-alert only (Action A in the table); nothing is denied.

Neighbor-R4#ping 6.6.6.6

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
    R4#

Now let's take a look at the console on R6. We configured IPS to send syslog messages for alerts, and because signature 2004's summary mode is fire-all (SM FA in the table above), every echo request produces its own message: five pings, five alerts.

    R6#
    %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
    %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
    %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
    %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
    %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
    R6#
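Five identical lines for one ping is exactly the kind of output a collector should fold together. As an added example (not from the INE post), here is a Python parser for the `%IPS-4-SIGNATURE` syslog format shown above that extracts the signature, severity, endpoints, VRF and risk rating, then groups alerts by signature and attacker/victim pair and flags any group that reaches a threshold. The sample input is the five alert lines from R6's console plus two constructed lines (one echo request from a made-up host 40.0.0.5 and one unrelated syslog message) to show grouping and skipping; the function names and the threshold are this example's own.

```python
# Added example (not from the INE post): parse IOS IPS syslog alerts and
# collapse fire-all repeats into one finding per signature/attacker/victim.
import re
from collections import Counter

ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)


def parse_alert(line: str):
    """Return the alert's fields as a dict, or None for any other syslog line.

    For ICMP the "port" positions carry the ICMP type and code rather than
    ports: 8 and 0 here, matching icmp-type 8 in the signature's parameters.
    """
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("sig", "subsig", "sev", "sport", "dport", "rr"):
        a[k] = int(a[k])
    return a


def summarize(lines, threshold: int = 5) -> list:
    """Group alerts by (sig, subsig, src, dst); flag groups at or over threshold.

    Groups are returned most-frequent first. max_risk keeps the highest
    RiskRating seen in the group so a single high-risk hit is not averaged away.
    """
    counts, max_risk, first = Counter(), {}, {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sig"], a["subsig"], a["src"], a["dst"])
        counts[key] += 1
        max_risk[key] = max(max_risk.get(key, 0), a["rr"])
        first.setdefault(key, a)
    findings = []
    for key, n in counts.most_common():
        a = first[key]
        findings.append({
            "sig": f'{a["sig"]}:{a["subsig"]}', "name": a["name"],
            "src": a["src"], "dst": a["dst"], "vrf": a["vrf"],
            "count": n, "max_risk": max_risk[key], "flag": n >= threshold,
        })
    return findings


# The five alerts from R6's console above.
PAGE_LINES = [
    "%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request "
    "[40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100",
] * 5
# Constructed for this example: one echo from another host, and a non-IPS line.
CONSTRUCTED_LINES = [
    "%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request "
    "[40.0.0.5:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for f in summarize(PAGE_LINES + CONSTRUCTED_LINES):
        print(f)
```

With the default threshold, R4's five echo requests become one flagged finding and the single constructed echo from 40.0.0.5 stays unflagged. The alternative to aggregating in the collector is to change the signature's summary mode on the router, but for a lab the syslog route is the quickest way to see what a signature actually fires on.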

    Enjoy your practice, and best wishes from all of us at INE!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.