© 2005 Cisco Systems, Inc. All rights reserved.
Network Security 2
Module 2 – Configure Network Intrusion Detection and Prevention
Modified by Joanne Wagner, CCNP, CCAI, CCSP
Learning Objectives
2.1 Cisco IOS Intrusion Prevention System
2.2 Configure Attack Guards on the PIX Security Appliance
2.3 Configure Intrusion Prevention on the PIX Security Appliance
2.4 Configure Shunning on the PIX Security Appliance
Module 2 – Configure Network Intrusion Detection and Prevention
2.1 Cisco IOS Intrusion Prevention System
Module 2 – Configure Network Intrusion Detection and Prevention
2.1.1 Cisco IOS Intrusion Prevention System (IPS)
Cisco IOS Intrusion Prevention System
Figure: (1) attack traffic enters the router; the IPS can (2) drop the packet, (3) reset the connection, or (4) send an alarm to Cisco Security Monitor.

The current Cisco IOS IPS monitors and detects over 1600 of the most common attacks, using signatures to detect patterns of misuse in network traffic. The IPS can automatically reset, drop, or alert you of suspicious packets.
Module 2 – Configure Network Intrusion Detection and Prevention
2.1.2 Cisco IOS IPS Signatures
Signatures
Each signature can be set to send an alarm, drop the connection, or reset the connection:
• Alarm – sends a notification about the attack
• TCP reset – sends a reset to both the source and destination addresses
• Drop – discards the packet without sending a reset
Origin of Cisco IOS IPS
The primary difference between Cisco IOS Software IDS and the new, enhanced Cisco IOS IPS:
• An intrusion detection system monitors traffic and sends an alert when suspicious patterns are detected
• An intrusion prevention system can drop traffic, send an alarm, or reset the connection
• Cisco IOS IPS can download IPS signatures without the need for a Cisco IOS Software image update
Origin of Cisco IOS IPS (Cont.)
• Cisco IOS IPS inherited the built-in 132 signatures from Cisco IOS Software IDS technology.
• With the introduction of inline IPS capability, new signatures can be added by downloading a signature definition file (SDF) into the Flash memory of the router.
• New signatures are released every two weeks, with emergency signature updates posted as needed (Cisco.com).
Signature Micro-Engines (SMEs)
• A signature engine is a component of the sensor that supports a category of signatures.
• Cisco IOS IPS uses SMEs to load the SDF and scan signatures.
• Each engine categorizes a group of signatures, and each signature detects patterns of misuse in network traffic.
Engine Usage

Engine category – Usage
Atomic – Used for single-packet inspection
Flood – Used to detect attempts to cause a DoS
Meta – Used to perform event correlation on the sensor
Normalizer – Used to detect ambiguities and abnormalities in the traffic stream
Service – Used when Layer 5, 6, and 7 services require protocol analysis
State – Used for state-based and regular expression-based pattern inspection and alarming functionality for TCP streams
String – Used for regular expression-based pattern inspection and alarm functionality for multiple transport protocols
attack-drop.sdf
• Available in Flash on all Cisco access routers shipped with Cisco IOS Release 12.3(8)T or later.
• Can be loaded directly from Flash into the Cisco IOS IPS system.
• If Flash is erased, the attack-drop.sdf file will be erased and the router refers to the built-in signatures within the Cisco IOS image.
Pre-built SDFs

Memory available – Recommended SDF
256 MB or more – 256MB.sdf (500 signatures)
128 MB or more – 128MB.sdf (300 signatures)
64 MB – attack-drop.sdf (82 signatures)

The number of signatures that can be loaded on your router depends entirely on available memory.
Cisco IOS IPS Signature Download
Module 2 – Configure Network Intrusion Detection and Prevention
2.1.3 Cisco IOS IPS Initial Configuration Tasks
Installing Cisco IOS IPS
1. Install the Cisco IOS IPS on the router for the first time.
1.1 Configure the router to use the built in sdf
1.2 Create an IPS rule
1.3 Attach a policy to a signature (Optional)
1.4 Apply IPS rule at an interface
2. Configure Logging using Syslog or SDEE
3. Verify the configuration.
Step 1.1 Configure router to use built in sdf

ip ips sdf builtin

Router(config)# ip ips sdf builtin

• Configures the router to use the built-in signature definition file (SDF).
Step 1.2 Create an IPS rule
ip ips name ips-name [list acl]
• Creates an IPS rule.
Router (config)#
Router(config)# ip ips name SECURIPS
• Creates an IPS rule named SECURIPS that will be applied to an interface.
Step 1.3 Attach policy to given signature (optional)

ip ips signature signature-id [:sub-signature-id] {delete | disable | list acl-list}

• Attaches a policy to a given signature (optional).

Router(config)# ip ips signature 4050 disable

• Disables signature 4050 in the signature definition file.
Step 1.3: Attach policy to given signature (optional) - continued

Router(config)# ip ips signature 4050 list 101

• Applies signature 4050 only to traffic matched by access list 101; the ACL itself must be configured separately.
Step 1.4: Apply the IPS rule

ip ips ips-name {in | out}

• Applies an IPS rule at an interface.

Router(config-if)# ip ips SECURIPS in

This command automatically loads the built-in signatures and builds the signature engines.
Step 2 Configure logging

logging ip-address
logging trap level
logging on

• Configure logging using Syslog.

Router(config)# logging 10.0.P.12
Router(config)# logging trap warnings
Router(config)# logging on
Step 3: Verify the Configuration

show ip ips configuration

• Verify IPS configuration.

Router# show ip ips configuration

Module 2 – Configure Network Intrusion Detection and Prevention
2.1.4 Cisco IOS IPS Upgrade Configuration Tasks
Replace Existing Signatures in the router with the latest sdf
1. Load Latest Signatures.
1.1 Load the latest sdf file into flash memory of router
1.2 Specify location of the Signature Definition File (SDF)
1.3 Create an IPS rule
1.4 Configure router to drop packets until signature engine is built
1.5 Instruct not to load built-in file
1.6 Remove the existing IPS rule
1.7 Apply IPS rule at an interface
2. Configure Logging using Syslog or SDEE
3. Verify the configuration
Step 1.1 Load the latest SDF file

copy tftp://10.0.P.12/attack-drop.sdf flash:attack-drop.sdf

Router# copy tftp://10.0.P.12/attack-drop.sdf flash:attack-drop.sdf

Load the latest SDF file into the flash memory of the router.
The latest attack-drop.sdf file can be downloaded from http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup
Step 1.2 Specify the location of the sdf file

ip ips sdf location url

Router(config)# ip ips sdf location flash:attack-drop.sdf

• Specifies the location of the SDF.
Step 1.3 Create IPS rule

ip ips name ips-name [list acl]

• Creates an IPS rule.

Router(config)# ip ips name MYIPS

• Creates a new IPS rule named MYIPS; it is applied to the interface in step 1.7, after the existing SECURIPS rule has been removed in step 1.6.
Step 1.4 Configure the router to temporarily drop packets
ip ips fail closed
• Configure the router to drop all packets until
the signature engine is built and ready to scan
traffic.
Router (config)#
Router(config)# ip ips fail closed
Step 1.5 Instruct not to load built-in file

no ip ips sdf builtin

• Instructs the router not to load the built-in signatures. Do this only after step 1.2 has pointed the router at an SDF in flash; with the built-in file disabled and no SDF location set, there are no signatures to load.

Router(config)# no ip ips sdf builtin
Step 1.6 Remove existing IPS rule

no ip ips ips-name {in | out}

• Removes the existing IPS rule from the interface.

Router(config-if)# no ip ips SECURIPS in
ip ips ips-name {in | out}
• Applies an IPS rule at an interface.
Router (config-if)#
Router(config-if)# ip ips MYIPS in
Step 1.7 Apply the new IPS rule
This command automatically loads the signatures and builds the signature engines.
Step 2 Configure logging

logging ip-address
logging trap level
logging on

• Configure logging using Syslog.

Router(config)# logging 10.0.P.12
Router(config)# logging trap warnings
Router(config)# logging on
Step 3 Verify the IPS configuration

show ip ips configuration

• Verify IPS configuration.

Router# show ip ips configuration
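The initial configuration (2.1.3) and the upgrade (2.1.4) both end with "verify the configuration", and show ip ips configuration only prints what is there; it does not tell you whether the steps fit together. The script below is an added example, not part of the course material and not Cisco code: it reads the text of show running-config and checks the relationships the two procedures depend on (a rule that is defined is applied to an interface, the built-in SDF is only disabled once an SDF location exists, fail closed is set, and the chosen notification method has its transport). The two sample configs are constructed for the example; command names are those used on the slides.

```python
"""Audit a Cisco IOS running-config for the IOS IPS steps in sections 2.1.3 and 2.1.4.

Added example, not course material or Cisco code. The sample configs are constructed.
"""
import re


def parse_config(text):
    """Split running-config text into global commands and per-interface sub-commands."""
    global_cmds, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                   # blank lines and "!" separators
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())    # indented = inside the interface block
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def audit_ips(text):
    """Return a list of findings; an empty list means every step is present and consistent."""
    global_cmds, interfaces = parse_config(text)
    findings = []

    # Step 1.2 / 1.3: a rule must exist (ip ips name <rule>) ...
    defined = set()
    for cmd in global_cmds:
        m = re.match(r"ip ips name (\S+)", cmd)
        if m:
            defined.add(m.group(1))
    if not defined:
        findings.append("no IPS rule defined (ip ips name <rule>)")

    # ... and Step 1.4 / 1.7: it must be applied on an interface (ip ips <rule> in|out)
    applied = {}
    for ifname, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"ip ips (\S+) (in|out)$", cmd)
            if m:
                applied.setdefault(m.group(1), []).append((ifname, m.group(2)))
    for rule in sorted(defined - set(applied)):
        findings.append(f"rule {rule} is defined but not applied to any interface")
    for rule in sorted(set(applied) - defined):
        findings.append(f"rule {rule} is applied on an interface but never defined")

    # Upgrade steps 1.2 / 1.5: disabling the built-in SDF needs an SDF location
    builtin_off = "no ip ips sdf builtin" in global_cmds
    has_location = any(c.startswith("ip ips sdf location ") for c in global_cmds)
    if builtin_off and not has_location:
        findings.append("no ip ips sdf builtin without ip ips sdf location: no signatures would load")
    # Upgrade step 1.4: drop traffic while the engines are being built
    if "ip ips fail closed" not in global_cmds:
        findings.append("ip ips fail closed missing: traffic is forwarded uninspected while engines build")

    # Step 2: syslog and/or SDEE notification, each with the transport it needs
    notify_log = "ip ips notify log" in global_cmds
    notify_sdee = "ip ips notify sdee" in global_cmds
    if not (notify_log or notify_sdee):
        findings.append("no notification method (ip ips notify log / ip ips notify sdee)")
    if notify_log and not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", c) for c in global_cmds):
        findings.append("syslog notification enabled but no syslog host (logging <ip>)")
    if notify_sdee and not any(c in ("ip http server", "ip http secure-server") for c in global_cmds):
        findings.append("SDEE enabled but the HTTP server is off: clients cannot pull events")
    return findings


GOOD_CONFIG = """\
! constructed sample of the relevant running-config lines, not a real device
ip ips sdf location flash:attack-drop.sdf
no ip ips sdf builtin
ip ips fail closed
ip ips name SECURIPS
ip ips notify log
ip ips notify sdee
ip http server
logging 10.0.1.12
logging trap warnings
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip ips SECURIPS in
!
"""

BAD_CONFIG = """\
! constructed sample: built-in SDF disabled with no replacement, rule never applied
no ip ips sdf builtin
ip ips name SECURIPS
ip ips notify sdee
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_ips(cfg) or "OK")
```

Paste the output of show running-config into a file and call audit_ips on its contents; the checks are deliberately textual so they run on a saved config with no access to the router.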
Module 2 – Configure Network Intrusion Detection and Prevention
2.1.5 Configure Logging Using Syslog or SDEE
Monitoring Cisco IOS IPS Signatures

Figure: an alarm from the router is delivered either as an SDEE alert to a network management console or as a Syslog message to a Syslog server.

ICSA Labs is proposing SDEE as an industry standard for communicating events to a network management application.
Security Device Event Exchange (SDEE) Benefits

• Vendor interoperability – SDEE is a standard format used by vendors to communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and potentially multiple network management platforms.
• Secured transport – The use of HTTP over SSL (HTTPS) protects event data as it traverses the network.
• Product-independent standard (see www.icsalabs.com/html/communities/ids/sdee/index.shtml).
Security Device Event Exchange (SDEE)

• When SDEE notification is enabled using the ip ips notify sdee command, 200 events can automatically be stored in the buffer (the default number is 100).
• The buffer is circular. When the end of the buffer is reached, the buffer starts overwriting the earliest stored events.
• If a new, smaller buffer is requested, all events stored in the previous buffer are lost.
• If a new, larger buffer is requested, all existing events are kept.
• SDEE clients pull events from the router over HTTP, so the HTTP server must be enabled with the ip http server command. For the HTTPS transport described above, enable ip http secure-server instead, and restrict the HTTP server to the management hosts with ip http access-class.
Set Notification Type

ip ips notify [log | sdee]

• Sets the notification type.

Router(config)# ip ips notify sdee
Router(config)# ip ips notify log

ip sdee events num_of_events

• Sets the number of events the SDEE buffer can hold.
Module 2 – Configure Network Intrusion Detection and Prevention
2.1.6 Verify the IPS Configuration
show Commands

All of the following are entered in privileged EXEC mode (Router#).

show ip ips configuration
• Verifies that Cisco IOS IPS is properly configured.

show ip ips signatures [detailed]
• Verifies signature configuration, such as signatures that have been disabled.

show ip ips interface
• Displays the interface configuration.

clear Commands

clear ip ips configuration
• Removes all intrusion prevention configuration entries and releases dynamic resources.

clear ip ips statistics
• Resets statistics on packets analyzed and alarms sent.

clear ip sdee {events | subscriptions}
• Clears SDEE events or subscriptions.
debug Commands

Router# debug ip ips timers
Router# debug ip ips object-creation
Router# debug ip ips object-deletion
Router# debug ip ips function trace
Router# debug ip ips detailed
Router# debug ip ips ftp-cmd
Router# debug ip ips ftp-token
Router# debug ip ips icmp
Router# debug ip ips ip
Router# debug ip ips rpc
Router# debug ip ips smtp
Router# debug ip ips tcp
Router# debug ip ips tftp
Router# debug ip ips udp

• To turn debugging off, prefix the command with no; undebug may be used instead.
Module 2 – Configure Network Intrusion Detection and Prevention
2.2 Configure Attack Guards on the PIX Security Appliance
Module 2 – Configure Network Intrusion Detection and Prevention
2.2.1 Mail Guard
Mail Guard

Only the SMTP commands specified in RFC 821 section 4.5.1 are allowed to reach a mail server (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT). EHLO is not on the list, so ESMTP clients fall back to HELO and cannot negotiate extensions such as STARTTLS or AUTH through the firewall.
By default, the Cisco Secure PIX Security Appliance inspects port 25 connections for SMTP traffic.
SMTP servers listening on ports other than 25 must be added with the fixup protocol smtp command.
It returns an "OK" to the user regardless of whether the command entered was passed on or denied. In this way, the PIX confuses anyone who attempts an attack on the mail system.
Note: PIX OS (Finesse) version 7 uses the inspect command under the Modular Policy Framework, not fixup.
Mail Guard Prior to version 7.0

fixup protocol smtp port [-port]

pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# fixup protocol smtp 2625-2635
pixfirewall(config)# no fixup protocol smtp 25

• Defines the ports on which Mail Guard is active (default = 25). Only RFC 821 section 4.5.1 commands are allowed: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
• If disabled, all SMTP commands are allowed through the firewall and potential mail server vulnerabilities are exposed.

Note: In PIX Security Appliance Version 7.0, the fixup command has been replaced with the inspect command under the Modular Policy Framework (MPF) infrastructure. See the next few slides for the changes, including how to delete and add port numbers. In 7.0, fixup commands you enter are converted to MPF commands; this is not the case in 7.1.
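To make the Mail Guard behaviour on the two slides above concrete, here is an added example, not PIX code and not part of the course: a command filter that relays only the seven RFC 821 section 4.5.1 commands and answers everything else with the "OK" the slides describe, run over a constructed client session. The session includes the case a naive filter gets wrong: once DATA has been accepted, message body lines must pass untouched even when they look like commands, until the terminating "." line. The 250 reply text and the constructed session are this example's assumptions.

```python
"""Mail Guard command filter, as described on the slides above (added example, not PIX code)."""

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}   # RFC 821 section 4.5.1


class MailGuard:
    def __init__(self):
        self.in_data = False   # True between DATA and the terminating "." line

    def handle(self, line):
        """Return ("forward", line) to relay to the server or ("reply", text) to answer locally."""
        if self.in_data:
            if line == ".":
                self.in_data = False   # end of message body; command filtering resumes
            return ("forward", line)   # body lines are data, whatever they look like
        verb = line.split(" ", 1)[0].upper()
        if verb in ALLOWED:
            if verb == "DATA":
                # simplification: a real proxy enters the body phase only after the server's 354
                self.in_data = True
            return ("forward", line)
        # denied command: answered with the OK the slides describe and never relayed
        return ("reply", "250 OK")


def run_session(client_lines):
    """Run client input through the guard; return (relayed_to_server, answered_locally)."""
    guard = MailGuard()
    relayed, answered = [], []
    for line in client_lines:
        action, _ = guard.handle(line)
        (relayed if action == "forward" else answered).append(line)
    return relayed, answered


# Constructed session: an ESMTP greeting, two reconnaissance commands (VRFY/EXPN),
# a legitimate message whose body happens to contain "VRFY root", then QUIT.
SAMPLE_SESSION = [
    "EHLO scanner.example",
    "VRFY root",
    "EXPN admins",
    "HELO client.example",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: constructed message",
    "VRFY root",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    relayed, answered = run_session(SAMPLE_SESSION)
    print("relayed to server:", relayed)
    print("answered with 250 OK and dropped:", answered)
```

Note that the EHLO is answered locally and never reaches the server: this is the mechanism behind the ESMTP fallback mentioned above, and the reason extension negotiation fails through Mail Guard.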
PIX version 6.3 vs 7.0

When an inspect is configured for a protocol on class inspection-default, the protocol is automatically inspected on its default port, because this class matches the default-inspection-traffic for each protocol.

Note: The port numbers are included in class inspection-default implicitly.
Default Protocol Inspection Policy
Delete Inspection for a Protocol
Add a Protocol Inspection Port Number

HTTP inspection is applied to traffic with TCP destination port 8080. These commands enable the PIX Security Appliance to recognize that connections to port 8080 should be treated in the same manner as connections to HTTP port 80.
Module 2 – Configure Network Intrusion Detection and Prevention
2.2.2 DNS Guard
DNS Guard

DNS Guard is always on.
After a client sends a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.
The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately rather than waiting for the UDP timer to expire. A spoofed reply arriving after the genuine one therefore finds no open conduit.
DNS Guard automatically forms separate conduits if requests are sent to multiple servers.
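The following is an added example, not PIX code and not part of the course, that models the DNS Guard behaviour just described: each outbound query opens a UDP return path that would otherwise stay open for the two-minute UDP timer, the first matching reply closes it at once, and queries to several servers get independent conduits. Keying the conduit on the DNS transaction ID as well as the client socket and server address, and the constructed exchange in demo(), are this example's assumptions.

```python
"""DNS Guard dynamic-conduit handling (added example, not PIX code)."""

UDP_TIMEOUT = 120   # seconds: the default UDP timer from the slide


class DnsGuard:
    def __init__(self):
        self.conduits = {}   # (client (ip, port), server ip, txid) -> expiry time
        self.log = []

    def outbound_query(self, client, server, txid, now):
        """A query from client (ip, port) to server opens one conduit for that transaction."""
        # queries to several servers create independent conduits, one per server
        self.conduits[(client, server, txid)] = now + UDP_TIMEOUT

    def inbound_reply(self, client, server, txid, now):
        """Return "permit" for the first reply to an open query, "drop" for anything else."""
        key = (client, server, txid)
        expiry = self.conduits.get(key)
        if expiry is None:
            self.log.append(f"drop: no open query for {key}")
            return "drop"
        if now > expiry:
            del self.conduits[key]
            self.log.append(f"drop: conduit {key} expired unanswered")
            return "drop"
        # DNS Guard: close on the first reply instead of waiting for the UDP timer,
        # so a later (spoofed) reply for the same query has no path back in
        del self.conduits[key]
        return "permit"

    def open_count(self):
        return len(self.conduits)


def demo():
    """Constructed exchange: one client queries two resolvers, then sees a spoofed duplicate."""
    g = DnsGuard()
    client = ("10.0.0.5", 53421)
    g.outbound_query(client, "192.0.2.53", txid=0x1A2B, now=0.0)
    g.outbound_query(client, "198.51.100.53", txid=0x1A2B, now=0.0)
    results = [
        g.inbound_reply(client, "192.0.2.53", 0x1A2B, now=0.2),      # genuine reply: permit
        g.inbound_reply(client, "192.0.2.53", 0x1A2B, now=0.3),      # duplicate/spoofed: drop
        g.inbound_reply(client, "198.51.100.53", 0x1A2B, now=0.4),   # the other server's own conduit
        g.inbound_reply(client, "203.0.113.9", 0x1A2B, now=0.5),     # never queried: drop
    ]
    return results, g


if __name__ == "__main__":
    results, g = demo()
    print(results)
    print(g.log)
```

Without the early close, the second reply would be permitted for the remaining 119 seconds of the timer, which is the window a response-spoofing attacker needs.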
Module 2 – Configure Network Intrusion Detection and Prevention
2.2.3 FragGuard and Virtual Reassembly
FragGuard and Virtual Re-assembly
• The FragGuard and Virtual Re-assembly feature has the following characteristics:
Is on by default.
Verifies each fragment set for integrity and completeness.
Tags each fragment in a fragment set with the transport header.
Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Security Appliance.
Uses Syslog to log fragment overlapping and small fragment offset anomalies.
As of PIX OS version 5.1, an initial fragment is not required.
fragment Command

All three forms are entered in configuration mode (pixfirewall(config)#).

fragment size database-limit [interface]
• Sets the maximum number of blocks that can be used for fragment reassembly. Default is 200 blocks.

fragment chain chain-limit [interface]
• Specifies the maximum number of fragments into which a full IP packet can be split. Default is 24 fragments.

fragment timeout seconds [interface]
• Specifies the maximum number of seconds that the PIX waits before discarding a packet that is waiting to be reassembled. Default is 5 seconds.
• pixfirewall(config)# fragment size 100 outside
(The maximum number of fragments held in the fragment database for the outside interface is 100)
• pixfirewall(config)# fragment chain 15
(The maximum number of fragments into which a packet can be split is 15; fragment chain 1 allows only unfragmented packets through the interface)
• pixfirewall(config)# fragment timeout 5 outside
(The PIX waits 5 seconds after the first fragment is received before discarding fragments still waiting for reassembly)
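The three limits above are easier to reason about when you can see them applied to a fragment stream. The code below is an added example, not PIX code and not course material: a virtual reassembler that tracks fragment sets per (source, destination, protocol, IP ID), enforces the database, chain and timeout limits with the slide's defaults, accepts fragments in any order (no initial fragment required), and records the overlap and small-offset anomalies the FragGuard slide says are logged to Syslog. The 8-byte minimum header, the decision to discard a whole set on an anomaly, and the fragments built by frag() are this example's own choices.

```python
"""Virtual fragment reassembly with the fragment command's three limits (added example, not PIX code)."""

MIN_HEADER = 8   # bytes a first fragment must carry to hold a transport header (example policy)


class FragGuard:
    def __init__(self, size=200, chain=24, timeout=5):
        self.size, self.chain, self.timeout = size, chain, timeout   # the slide's defaults
        self.sets = {}      # key -> {"frags": [(start, end)], "first": arrival time, "total": int|None}
        self.buffered = 0   # fragments held across all sets (database usage)
        self.log = []       # what would be sent to syslog

    def _discard(self, key, reason):
        self.buffered -= len(self.sets.pop(key)["frags"])
        self.log.append(reason)

    def expire(self, now):
        """Drop every set that has waited longer than the timeout for missing pieces."""
        for key in [k for k, s in self.sets.items() if now - s["first"] > self.timeout]:
            self._discard(key, f"timeout: {key} incomplete after {self.timeout}s")

    def add(self, f, now):
        """Check one fragment; return "drop", "buffered" or "complete"."""
        self.expire(now)
        key = (f["src"], f["dst"], f["proto"], f["id"])
        start, end = f["offset"], f["offset"] + f["length"]
        entry = self.sets.get(key)
        if entry is None:
            if self.buffered >= self.size:
                self.log.append(f"database full ({self.size} blocks): dropping fragment of {key}")
                return "drop"
            entry = self.sets[key] = {"frags": [], "first": now, "total": None}
        if start == 0 and f["length"] < MIN_HEADER:
            self._discard(key, f"tiny first fragment ({f['length']} bytes) in {key}")
            return "drop"
        if 0 < start < MIN_HEADER:
            self._discard(key, f"small fragment offset {start} in {key}")   # would overwrite the header
            return "drop"
        if any(start < e and s < end for s, e in entry["frags"]):
            self._discard(key, f"overlapping fragment [{start},{end}) in {key}")
            return "drop"
        if len(entry["frags"]) >= self.chain:
            self._discard(key, f"chain limit {self.chain} exceeded for {key}")
            return "drop"
        entry["frags"].append((start, end))
        self.buffered += 1
        if not f["mf"]:
            entry["total"] = end   # the last fragment fixes the datagram length
        if entry["total"] is not None and self._contiguous(entry["frags"], entry["total"]):
            self.buffered -= len(entry["frags"])
            del self.sets[key]
            return "complete"
        return "buffered"   # out-of-order arrival is fine: no initial fragment is required

    @staticmethod
    def _contiguous(frags, total):
        pos = 0
        for s, e in sorted(frags):
            if s != pos:
                return False
            pos = e
        return pos == total


def frag(ip_id, offset, length, mf, src="10.0.0.5", dst="192.168.1.10", proto=17):
    """Constructed fragment header fields (offset and length in bytes, mf = more-fragments flag)."""
    return {"src": src, "dst": dst, "proto": proto, "id": ip_id,
            "offset": offset, "length": length, "mf": mf}


if __name__ == "__main__":
    g = FragGuard()
    print(g.add(frag(1, 1480, 520, 0), 0.0), g.add(frag(1, 0, 1480, 1), 0.1))   # buffered, complete
    print(g.add(frag(2, 0, 1480, 1), 1.0), g.add(frag(2, 1000, 600, 0), 1.1))   # buffered, drop
    print(g.log)
```

The database limit counts fragments across all sets, so a flood of never-completed sets exhausts it and new sets are dropped until the timeout frees space; that is the trade-off the size and timeout values set against each other.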
Module 2 – Configure Network Intrusion Detection and Prevention
2.2.4 AAA Flood Guard
AAA Flood Guard

floodguard enable | disable

pixfirewall(config)# floodguard enable

• Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).
When additional resources are needed, the PIX reclaims those that are not in an active state, in the following order: timewait, finwait, embryonic, and idle.
Module 2 – Configure Network Intrusion Detection and Prevention
2.2.5 SYN Flood Guard
SYN Flood Attack
The attacker spoofs a nonexistent source IP address and floods the target with SYN packets.
The target responds to the SYN packets by sending SYN-ACK packets to the spoofed hosts.
The target's backlog fills with embryonic (half-open) connections and it stops responding to legitimate requests.
Embryonic Connections
• Half open TCP Connection
• It becomes a complete connection after the three-way handshake is complete.
SYN Flood Guard Configuration

For inbound connections (static) and outbound connections (nat), use the em_limit to cap the number of embryonic connections. Set the limit lower than the number of half-open connections the server can hold, so that the PIX starts intercepting before the server's backlog fills.

pixfirewall(config)# nat (inside) 1 0 0 0 10000
pixfirewall(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 1000

static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]

nat [(if-name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
TCP Intercept (5.2)
No special configuration needed.
pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255 1000 100
SYN Cookies (6.2)
• The PIX responds to the SYN with a SYN/ACK that carries a cookie in its TCP header. The cookie is a hash of parts of the TCP header and a secret key; the PIX keeps no state information.
• A legitimate client completes the handshake by sending the ACK back with the cookie.
• If the cookie is authentic, the firewall appliance proxies the TCP session.
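As an added illustration that is not code from the slides or from Cisco, the following Python model shows both guard behaviours this section describes: embryonic connections are tracked up to em_limit, and once the limit is reached the SYN/ACK carries a stateless cookie (an HMAC of TCP header fields and a secret) that must come back, incremented, in the client's ACK. The secret, the minute counter and all names are assumptions.

```python
import hmac
import hashlib

# Constructed model of the slides' behaviour, not PIX code (its cookie inputs are not on this page).
SECRET = b"constructed-secret-key"  # assumption: a per-appliance secret

def syn_cookie(flow, client_isn, minute):
    """32-bit cookie over the 4-tuple (src_ip, src_port, dst_ip, dst_port),
    the client's ISN, a coarse time counter and the secret; no state kept."""
    msg = ":".join(map(str, flow)) + f":{client_isn}:{minute}"
    digest = hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def cookie_is_authentic(flow, client_isn, ack_num, minute):
    """The client's ACK must acknowledge cookie+1; the current and the
    previous minute are accepted so a slow but honest handshake passes."""
    for m in (minute, minute - 1):
        want = (syn_cookie(flow, client_isn, m) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(want.to_bytes(4, "big"),
                               ack_num.to_bytes(4, "big")):
            return True
    return False

class SynFloodGuard:
    """Counts embryonic (half-open) connections behind one static/nat entry
    and switches to stateless SYN cookies once em_limit is reached."""
    def __init__(self, em_limit):
        self.em_limit = em_limit
        self.embryonic = set()    # flows for which the guard keeps state
        self.established = set()

    def on_syn(self, flow, client_isn, minute):
        # Below the limit: ordinary stateful handling of the half-open flow.
        if len(self.embryonic) < self.em_limit:
            self.embryonic.add(flow)
            return ("state", None)
        # At the limit: reply with a SYN/ACK carrying a cookie, keep no state.
        return ("cookie", syn_cookie(flow, client_isn, minute))

    def on_ack(self, flow, client_isn, ack_num, minute):
        # A tracked embryonic flow completes, or the returned cookie must verify.
        if flow in self.embryonic:
            self.embryonic.discard(flow)
            self.established.add(flow)
            return True
        if cookie_is_authentic(flow, client_isn, ack_num, minute):
            self.established.add(flow)
            return True
        return False
```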
Module 2 – Configure Network Intrusion Detection and Prevention
2.3 Configure Intrusion Prevention on the PIX Security Appliance
Module 2 – Configure Network Intrusion Detection and Prevention
2.3.1 Intrusion Detection and the PIX
Note:
• The PIX Security Appliance can monitor packets for more than 55 intrusion detection signatures and can be configured to send an alarm to a Syslog server or a server running Cisco Security Monitor, drop the packet, or reset the TCP connection.
• The signatures supported by the PIX are a subset of the signatures supported by the Cisco IDS product family.
Configure IDS
pixfirewall(config)#
ip audit name audit_name info [action [alarm] [drop] [reset]]
• Creates a policy for informational signatures.
pixfirewall(config)#
ip audit name audit_name attack [action [alarm] [drop] [reset]]
• Creates a policy for attack signatures.
pixfirewall(config)#
ip audit interface if_name audit_name
• Applies a policy to an interface.
pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY
Specify Default Actions for Signatures
pixfirewall(config)#
ip audit attack [action [alarm] [drop] [reset]]
• Specifies the default actions for attack signatures.
pixfirewall(config)#
ip audit info [action [alarm] [drop] [reset]]
• Specifies the default actions for informational signatures.
pixfirewall(config)# ip audit info action alarm drop
• When the PIX Security Appliance detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet.
Disable Intrusion Detection Signatures
pixfirewall(config)#
ip audit signature signature_number disable
• Excludes a signature from auditing.
pixfirewall(config)# ip audit signature 6102 disable
• Disables signature 6102.
Module 2 – Configure Network Intrusion Detection and Prevention
2.4 Configure Shunning on the PIX Security Appliance
shun Command
Applies a blocking function to an interface under attack.
pixfirewall(config)#
shun src_ip [dst_ip sport dport [protocol]]
pixfirewall(config)# shun 172.26.26.45
• No further traffic from 172.26.26.45 is allowed.
Shunning an Attacker
pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53
Removing Blocked (Shunned) Hosts
To allow traffic from a shunned host address through the PIX again, the blocking function must be removed in one of two ways:
• The blocking function is removed by the Cisco IDS master unit.
• The blocking function is removed manually.