Transcript cisco-ids2

PROJECT 15, CS_540
GROUP_2
Configure a Cisco IDS Sensor that can Dynamically Modify the Configuration of a Cisco Switch, Router, or Firewall in Response to Detection of Malicious Traffic.
- IDS General Description
- Configuring Device Management and Shunning on a Router
- Configure PIX Firewall Using IDS Sensor
By Anna Anahit Paitian
Martin Jarnes Olsen
Yan Wang
Winter, 2005, CSULA
IDS Device Management
Device management refers to the IDS Sensor's ability to dynamically reconfigure the filters and access control lists (ACL) on a router, switch, and firewall to shun an attacker.
This functionality is provided by the managed service.
Shunning
Shunning refers to the IDS Sensor's ability to use a network device to deny entry to a specific network host or an entire network.
There are three major steps toward using a router or other device to shun an attacker:

Deploying a Dynamic Intrusion Response Solution
- Set Up Device Management
- Set Up Shunning
- Set Up Intrusion Detection
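The three steps above describe one mechanism: a sensor matches a signature, tells the device it manages to deny the offending host, and the device releases the host when the shun timer runs out. The following model of that loop is an added illustration for this transcript; it is not code from the presentation or from Cisco. It assumes a "Large ICMP" style signature (any ICMP packet above an assumed size threshold), the 15-minute shun the slides use, a never-shun list for the management host, and an IOS-like rendering of the dynamic ACL; the class and constant names (Sensor, ManagedRouter, SHUN_MINUTES, LARGE_ICMP_BYTES) are this example's own.

```python
"""Model of IDS-driven shunning with a timed ACL on a managed router.

Added illustration, not code from the presentation or from Cisco. Assumes a
large-ICMP signature (size over an assumed threshold), the slides' 15-minute
shun, and an IOS-style ACL rendering; all names here are the example's own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

SHUN_MINUTES = 15          # the slides shun an attacker for 15 minutes
LARGE_ICMP_BYTES = 1024    # assumed size threshold for "Large ICMP Traffic"


@dataclass
class Packet:
    """Minimal constructed packet record the sensor inspects."""
    src: str
    dst: str
    proto: str
    length: int


@dataclass
class ManagedRouter:
    """Device the sensor manages: holds the dynamic ACL the sensor pushes."""
    name: str
    interface: str
    never_shun: List[str]                                     # e.g. the Director host
    shuns: Dict[str, datetime] = field(default_factory=dict)  # host -> expiry time

    def shun(self, host: str, now: datetime) -> None:
        """Deny a host for SHUN_MINUTES unless it is on the never-shun list."""
        if host in self.never_shun:
            return
        self.shuns[host] = now + timedelta(minutes=SHUN_MINUTES)

    def expire(self, now: datetime) -> List[str]:
        """Drop shuns whose timer has run out; return the hosts released."""
        released = [h for h, t in self.shuns.items() if t <= now]
        for h in released:
            del self.shuns[h]
        return released

    def render_acl(self) -> List[str]:
        """IOS-style ACL in the order the slides show: permit the management
        host(s), deny each shunned host, then permit everything else."""
        lines = [f"permit ip host {h} any" for h in self.never_shun]
        lines += [f"deny ip host {h} any" for h in sorted(self.shuns)]
        lines.append("permit ip any any")
        return lines


@dataclass
class Sensor:
    protected: str            # protected network (slides: 10.64.10.1 to 10.64.10.254)
    router: ManagedRouter
    log: List[str] = field(default_factory=list)

    def inspect(self, pkt: Packet, now: datetime) -> Optional[str]:
        """Apply the large-ICMP signature; shun and log on a match.
        Only traffic aimed at the protected network is acted upon."""
        if ip_address(pkt.dst) not in ip_network(self.protected):
            return None
        if pkt.proto == "icmp" and pkt.length > LARGE_ICMP_BYTES:
            self.router.shun(pkt.src, now)
            self.log.append(f"{now.isoformat()} sig 2151 large ICMP {pkt.src}->{pkt.dst} shun")
            return pkt.src
        return None


def demo() -> dict:
    """Run the loop on constructed traffic and return the ACL before and after expiry."""
    t0 = datetime(2005, 1, 1, 12, 0, 0)
    router = ManagedRouter("house", "FastEthernet0/0", never_shun=["10.64.10.49"])
    sensor = Sensor("10.64.10.0/24", router)
    # Constructed traffic: a normal ping, an oversized ICMP from 100.100.100.2,
    # and an oversized ICMP from the management host (must never be shunned).
    sensor.inspect(Packet("100.100.100.2", "10.64.10.45", "icmp", 64), t0)
    sensor.inspect(Packet("100.100.100.2", "10.64.10.45", "icmp", 1500), t0)
    sensor.inspect(Packet("10.64.10.49", "10.64.10.45", "icmp", 1500), t0)
    acl_during = router.render_acl()
    released = router.expire(t0 + timedelta(minutes=SHUN_MINUTES))
    return {"during": acl_during, "released": released,
            "after": router.render_acl(), "log": list(sensor.log)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The never-shun check is the part worth copying into any real deployment: a sensor that can push ACLs must not be able to lock out the host that manages it, and the slides' ACL shows exactly that pattern (the management host is permitted ahead of the deny line).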
What is a Sensor?
Structure and architecture of intrusion detection systems.
An intrusion detection system has as its core element a sensor (an analysis engine) that is responsible for detecting intrusions.
Sensor properties
When responding to attacks, the sensor can do the following
Each sensor maintains signatures configured for the segment it monitors.
- Inserts TCP resets via the monitoring interface.
- Makes ACL changes to block traffic on routers (or PIX Firewall or Cisco Catalyst 6000 switches) that the sensor manages.
- Provides information for alert response/behavior.
Where to locate sensors?
- In loc.1, the sensor is placed to monitor traffic between the protected network and the Internet.
- In loc.2, the sensor is monitoring an extranet connection with a business partner.
- In loc.3, the sensor is monitoring the network side of a remote access server.
- In loc.4, the sensor is monitoring an intranet connection.
Set Up Device Management on a Router
Step 1. On the Director interface, click the remote machine you want to configure.
Step 2. Click Configure on the Security menu.
This presentation uses the network setup shown in this diagram.

Add the Sensor into the Director
After we add the sensor from the Main Menu, we should see sensor-2, as in this example.
Configuring shunning for the Cisco IOS router
Add the range 10.64.10.1 to 10.64.10.254 into the protected network, as shown in this example.
Enabling daemons:
Once the Sensor has detected the attack and the ACL is downloaded, this output is displayed on "House."

    house#show access-list
    Extended IP access list IDS_FastEthernet0/0_in_0
        permit ip host 10.64.10.49 any
        deny ip host 100.100.100.2 any (459 matches)
        permit ip any any

Fifteen minutes later, "House" goes back to normal, because shunning was set to 15 minutes.

    House#show access-list
    Extended IP access list IDS_FastEthernet0/0_in_1
        permit ip host 10.64.10.49 any
        permit ip any any (12 matches)
    house#

"Light" can ping "House."

    Light#ping 10.64.10.45
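Reading the two "show access-list" captures by eye works for one router; for a fleet, or for confirming that a shun really expired, it is worth parsing them. The following parser and checks are an added example for this transcript, not code from the presentation or from Cisco. The sample output is reconstructed from the slides' captures (labelled as constructed), and the regular expressions assume the entry layout shown there: "permit"/"deny ip host X any", an optional leading sequence number, and an optional "(N matches)" hit counter.

```python
"""Parse IOS 'show access-list' output and report what the sensor's dynamic
ACL is currently doing. Added illustration, not from the presentation; the
samples below are reconstructed from the slides' captures, and the regexes
assume the entry layout they show.
"""
import re
from typing import Dict, List

# Constructed from the slide captures: during the shun and after it expired.
DURING_SHUN = """\
house#show access-list
Extended IP access list IDS_FastEthernet0/0_in_0
    permit ip host 10.64.10.49 any
    deny ip host 100.100.100.2 any (459 matches)
    permit ip any any
"""
AFTER_EXPIRY = """\
House#show access-list
Extended IP access list IDS_FastEthernet0/0_in_1
    permit ip host 10.64.10.49 any
    permit ip any any (12 matches)
"""

ACL_HEADER = re.compile(r"^Extended IP access list (\S+)")
# optional sequence number, action, source (host X | any), destination, optional hit count
ACL_ENTRY = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+ip\s+"
    r"(?:host\s+(\S+)|(any))\s+(?:host\s+\S+|any)"
    r"(?:\s+\((\d+) matche?s?\))?"
)


def parse_show_access_list(output: str) -> Dict[str, List[dict]]:
    """Map each ACL name to its entries as {action, src, matches} dicts."""
    acls: Dict[str, List[dict]] = {}
    current = None
    for line in output.splitlines():
        m = ACL_HEADER.match(line.strip())
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ACL_ENTRY.match(line)
        if m and current is not None:
            action, host, _anysrc, matches = m.groups()
            acls[current].append({"action": action, "src": host or "any",
                                  "matches": int(matches or 0)})
    return acls


def shunned_hosts(acls: Dict[str, List[dict]]) -> Dict[str, int]:
    """Hosts currently denied by any IDS_* ACL, with their hit counts."""
    out: Dict[str, int] = {}
    for name, entries in acls.items():
        if not name.startswith("IDS_"):
            continue
        for e in entries:
            if e["action"] == "deny" and e["src"] != "any":
                out[e["src"]] = e["matches"]
    return out


def check_acl_shape(entries: List[dict], management_hosts: List[str]) -> List[str]:
    """Sanity checks a defender wants on a sensor-pushed ACL: every management
    host is permitted ahead of the first deny, and the list still ends with
    'permit ip any any' so normal traffic is not cut off."""
    problems = []
    first_deny = next((i for i, e in enumerate(entries) if e["action"] == "deny"),
                      len(entries))
    for h in management_hosts:
        idx = next((i for i, e in enumerate(entries)
                    if e["action"] == "permit" and e["src"] == h), None)
        if idx is None or idx > first_deny:
            problems.append(f"management host {h} is not permitted ahead of the deny entries")
    if not entries or entries[-1]["action"] != "permit" or entries[-1]["src"] != "any":
        problems.append("list does not end with permit ip any any")
    return problems


if __name__ == "__main__":
    for label, text in (("during", DURING_SHUN), ("after", AFTER_EXPIRY)):
        acls = parse_show_access_list(text)
        print(label, "shunned:", shunned_hosts(acls))
        for name, entries in acls.items():
            print(" ", name, "problems:", check_acl_shape(entries, ["10.64.10.49"]) or "none")
```

Note that the ACL name changes between captures (_in_0 and then _in_1); the sensor rewrites the whole list each time, so a checker should key on the IDS_ prefix rather than on a fixed name.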
Configure PIX Firewall using IDS Sensor
How to configure shunning on a PIX using Cisco IDS UNIX Director (formerly known as Netranger Director) and Sensor.
This configuration presentation uses the network setup shown in the diagram below.
The following steps describe how to configure the Sensor.
- Telnet to 10.66.79.199 with username root and password attack.
- Enter sysconfig-sensor.
- Enter the following information:

    IP Address : 10.66.79.199
    IP Netmask : 255.255.255.224
    IP Host Name: sensor-2
    Default Route 10.66.79.193
    Network Access Control
    10.

    Communications Infrastructure
    Sensor Host ID: 49
    Sensor Organization ID: 900
    Sensor Host Name: sensor-2
    Sensor Organization Name: cisco
    Sensor IP Address: 10.66.79.199
    IDS Manager Host ID: 50
    IDS Manager Organization ID: 900
    IDS Manager Host Name: dir3
    IDS Manager Organization Name: cisco
    IDS Manager IP Address: 10.66.79.201

- Save the configuration and the Sensor will reboot.
Adding the Sensor Into the Director
- Telnet to 10.66.79.201 with username netrangr and password attack.
- Enter ovw& to launch HP OpenView.
- In the Main Menu, go to Security > Configure.
- In the Netranger Configuration Menu, go to File > Add Host, and click Next.
- Enter the following information, and click Next.
You have successfully added the sensor into the director.
Configuration of Shunning for PIX
- In the Main Menu, go to Security > Configure.
- In the Netranger Configuration Menu, highlight sensor-2 and double click it.
- Open Device Management.
- Click Devices > Add, enter the information as shown in the following example. Click OK to continue. The Telnet and enable password are both "Cisco."
- Click Shunning > Add. Add host 100.100.100.100.
- Click Shunning > Add, to select sensor-2.cisco as the shunning server.
- Open the Intrusion Detection window and click Protected Networks. Add 10.66.79.1 to 10.66.79.254 into the protected network.
- Click Profile and select Manual Configuration > Modify Signatures. Select Large ICMP Traffic and ID: 2151, click Modify, change the Action from None to Shun and Log. Click OK to continue.
- Open the System Files folder, open the Daemons window. Make sure you have enabled the following daemons.
- Click OK to continue, and select the version you just modified. Click Save > Apply. Wait for the system to tell you the Sensor is finished, restart Services, and close all the windows for the Netranger configuration.
Verify / Test
Before Launching the Attack

    Tiger(config)# show telnet
    10.66.79.199 255.255.255.255 inside
    Tiger(config)# who
    0: 10.66.79.199
    Tiger(config)# show xlate
    1 in use, 1 most used
    Global 100.100.100.100 Local 10.66.79.204 static

    Light#ping 100.100.100.100

- Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms.
- Shunning is done for indicated IP addresses.
- Fifteen minutes later, it goes back to normal because the shunning is set to 15 minutes.