Page 1

PROJECT 15, CS_540
GROUP_2

Configure a Cisco IDS Sensor that can Dynamically Modify the Configuration of a Cisco Switch, Router, or Firewall in Response to Detection of Malicious Traffic.

IDS General Description
Configuring Device Management and Shunning on a Router
Configure Pix Firewall Using IDS Sensor

By Anna Anahit Paitian, Martin Jarnes Olsen, Yan Wang
Winter, 2005, CSULA

Page 2

IDS Device management

Device management refers to the IDS Sensor's ability to dynamically reconfigure the filters and access control lists (ACL) on a router, switch, and firewall to shun an attacker.

This functionality is provided by the managed service.

Page 3

Shunning

Shunning refers to the IDS Sensor's ability to use a network device to deny entry to a specific network host or an entire network.

There are three major steps toward using a router or other device to shun an attacker:

Page 4

Deploying a Dynamic Intrusion Response Solution

Set Up Device Management
Set Up Shunning
Set Up Intrusion Detection

Page 5

What is a Sensor? Structure and architecture of intrusion detection systems.

An intrusion detection system has as its core element a sensor (an analysis engine) that is responsible for detecting intrusions.

Sensor properties

Page 6

When responding to attacks, the sensor can do the following

Each sensor maintains signatures configured for the segment it monitors.

- Inserts TCP resets via the monitoring interface.
- Makes ACL changes to block traffic on routers (or PIX Firewall or Cisco Catalyst 6000 switches) that the sensor manages.
- Provides information for alert response/behavior.

Page 7

Where to locate sensors?

- In loc.1, the sensor is placed to monitor traffic between the protected network and the Internet.
- In loc.2, the sensor is monitoring an extranet connection with a business partner.
- In loc.3, the sensor is monitoring the network side of a remote access server.
- In loc.4, the sensor is monitoring an intranet connection.

Page 8

Set Up Device Management on a Router.

Step 1. On the Director interface, click the remote machine you want to configure.

Step 2. Click Configure on the Security menu.

Page 9

This presentation uses the network setup shown in this diagram.

Page 10

Add the Sensor into the Director

Page 11

Page 12

After we add the sensor from the Main Menu, we should see sensor-2, as in this example.

Page 13

Configuring shunning for the Cisco IOS router

Page 14

Add the range 10.64.10.1 to 10.64.10.254 into the protected network, as shown in this example.

Page 15

Enabling daemons:

Page 16

Once the Sensor has detected the attack, the ACL is downloaded to the router, and this output is displayed on "House."

house#show access-list
Extended IP access list IDS_FastEthernet0/0_in_0
    permit ip host 10.64.10.49 any
    deny ip host 100.100.100.2 any (459 matches)
    permit ip any any

Fifteen minutes later, "House" goes back to normal, because shunning was set to 15 minutes.

House#show access-list
Extended IP access list IDS_FastEthernet0/0_in_1
    permit ip host 10.64.10.49 any
    permit ip any any (12 matches)
house#

"Light" can ping "House."

Light#ping 10.64.10.45

Page 17

Configure Pix Firewall using IDS Sensor

How to configure shunning on a PIX using Cisco IDS UNIX Director (formerly known as Netranger Director) and Sensor.

Page 18

This configuration presentation uses the network setup shown in the diagram below.

Page 19

The following steps describe how to configure the Sensor.

Telnet to 10.66.79.199 with username root and password attack. Enter sysconfig-sensor. Enter the following information:

IP Address: 10.66.79.199
IP Netmask: 255.255.255.224
IP Host Name: sensor-2
Default Route: 10.66.79.193
Network Access Control: 10.

Communications Infrastructure
Sensor Host ID: 49
Sensor Organization ID: 900
Sensor Host Name: sensor-2
Sensor Organization Name: cisco
Sensor IP Address: 10.66.79.199
IDS Manager Host ID: 50
IDS Manager Organization ID: 900
IDS Manager Host Name: dir3
IDS Manager Organization Name: cisco
IDS Manager IP Address: 10.66.79.201

Save the configuration and the Sensor will reboot.

Page 20

Adding the Sensor Into the Director

Telnet to 10.66.79.201 with username netrangr and password attack. Enter ovw& to launch HP OpenView. In the Main Menu, go to Security > Configure. In the Netranger Configuration Menu, go to File > Add Host, and click Next. Enter the following information, and click Next.

Page 21

Page 22

Page 23

You have successfully added the sensor into the director.

Page 24

Configuration of Shunning for PIX

In the Main Menu, go to Security > Configure.

In the Netranger Configuration Menu, highlight sensor-2 and double click it.

Open Device Management.

Click Devices > Add, enter the information as shown in the following example. Click OK to continue. The Telnet and enable password are both "Cisco."

Page 25

Page 26

Click Shunning > Add. Add host 100.100.100.100.

Page 27

Click Shunning > Add to select sensor-2.cisco as the shunning server.

Page 28

Open the Intrusion Detection window and click Protected Networks. Add 10.66.79.1 to 10.66.79.254 into the protected network.

Page 29

Click Profile and select Manual Configuration > Modify Signatures. Select Large ICMP Traffic (ID: 2151), click Modify, and change the Action from None to Shun and Log. Click OK to continue.

Page 30

Open the System Files folder, then open the Daemons window. Make sure you have enabled the following daemons.

Page 31

Click OK to continue, and select the version you just modified. Click Save > Apply. Wait for the system to tell you the Sensor is finished, restart Services, and close all the windows for the Netranger configuration.

Page 32

Verify / Test

Before Launching the Attack

Tiger(config)# show telnet
10.66.79.199 255.255.255.255 inside
Tiger(config)# who
0: 10.66.79.199
Tiger(config)# show xlate
1 in use, 1 most used
Global 100.100.100.100 Local 10.66.79.204 static
Light#ping 100.100.100.100

Page 33

- Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms.
- Shunning is done for the indicated IP addresses.
- Fifteen minutes later, it goes back to normal because the shunning is set to 15 minutes.
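The shun lifecycle that slides 16 and 33 show (alarm, ACL downloaded to the router, host released after the 15-minute window) can be modelled end to end. The following Python is an added example written for this page; it is not part of the project's presentation or of Cisco's IDS software. The ACL shape (permit the sensor host, deny each shunned host, permit everything else), the name suffix that changes on each download, the 15-minute duration and signature 2151 with the Shun and Log action all come from the slides; the class and function names, the alarm call signature and the demo timeline are assumptions made here, and the sample "show access-list" text is transcribed from slide 16. The parser at the end is the check an operator would run to confirm which hosts the router is currently shunning.

```python
"""Added example (not from the slides): model of the IDS shun lifecycle.

An alarm whose signature action is "Shun and Log" puts the attacker into a
shun table; the table renders the IOS ACL the sensor downloads to the router
and releases the host after the 15-minute shun window. Class and function
names and the alarm call signature are assumptions made for this example."""
from dataclasses import dataclass, field
import re

SHUN_SECONDS = 15 * 60  # the slides set the shun duration to 15 minutes


@dataclass
class ShunTable:
    sensor_ip: str                    # sensor's own host: always permitted
    interface: str = "FastEthernet0/0"
    version: int = 0                  # each ACL download gets a new name suffix
    entries: dict = field(default_factory=dict)   # attacker ip -> expiry (s)
    log: list = field(default_factory=list)       # (time, sig_id, src, action)

    def on_alarm(self, sig_id, action, src_ip, now):
        """Apply the signature's configured action (slide 29: 2151 -> Shun and Log).

        Returns True when a shun was added. The sensor never shuns its own
        address, since that would cut off its own management path."""
        self.log.append((now, sig_id, src_ip, action))
        if action != "Shun and Log" or src_ip == self.sensor_ip:
            return False
        self.entries[src_ip] = now + SHUN_SECONDS
        return True

    def active(self, now):
        """Hosts still inside their shun window, sorted for a stable ACL."""
        return sorted(ip for ip, exp in self.entries.items() if exp > now)

    def expire(self, now):
        """Drop shuns whose 15-minute window has passed; return released hosts."""
        released = sorted(ip for ip, exp in self.entries.items() if exp <= now)
        for ip in released:
            del self.entries[ip]
        return released

    def render_acl(self, now):
        """Extended IOS ACL in the shape slide 16 shows on 'House'."""
        name = f"IDS_{self.interface}_in_{self.version}"
        lines = [f"ip access-list extended {name}",
                 f" permit ip host {self.sensor_ip} any"]
        lines += [f" deny ip host {ip} any" for ip in self.active(now)]
        lines.append(" permit ip any any")
        return "\n".join(lines)

    def push(self, now):
        """Return the ACL the sensor would download now and bump the name
        suffix, so the next download replaces it (_in_0, _in_1, ...)."""
        acl = self.render_acl(now)
        self.version += 1
        return acl


# Matches a deny line of "show access-list", with or without IOS sequence
# numbers, e.g. "    deny ip host 100.100.100.2 any (459 matches)".
ACL_DENY = re.compile(
    r"^\s*(?:\d+\s+)?deny ip host (\S+) any(?: \((\d+) matches\))?")


def shunned_hosts(show_access_list_output):
    """Parse router output and return {shunned_ip: match_count}."""
    found = {}
    for line in show_access_list_output.splitlines():
        m = ACL_DENY.match(line)
        if m:
            found[m.group(1)] = int(m.group(2) or 0)
    return found


# Transcribed from slide 16 ("House" while the shun is in force).
SAMPLE_SHOW_ACL = """\
Extended IP access list IDS_FastEthernet0/0_in_0
    permit ip host 10.64.10.49 any
    deny ip host 100.100.100.2 any (459 matches)
    permit ip any any
"""


def demo():
    """Walk through alarm -> ACL download -> expiry -> second ACL download."""
    table = ShunTable(sensor_ip="10.64.10.49")
    table.on_alarm(2151, "Shun and Log", "100.100.100.2", now=0)
    during = table.push(now=60)               # IDS_FastEthernet0/0_in_0
    released = table.expire(now=SHUN_SECONDS)
    after = table.push(now=SHUN_SECONDS)      # IDS_FastEthernet0/0_in_1
    return during, released, after


if __name__ == "__main__":
    during, released, after = demo()
    print(during, "\n---- released: ", released, "\n", after, sep="")
    print("currently shunned per router:", shunned_hosts(SAMPLE_SHOW_ACL))
```

Running the script prints the `_in_0` ACL with the deny line, the released host, and the `_in_1` ACL without it, which is the same before/after pair slide 16 captured on "House". The parser is useful on its own: feeding it the live `show access-list` output tells you which sources are still being shunned and how much traffic each entry has dropped, which is the evidence to record before a shun expires.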