Cisco IDS IPS AIP IDSM-2 configuration Guides
Introduction To Cisco IPS Config Guide
This document is designed to help you get your Cisco IPS appliances off the ground. It includes easy-to-use configuration examples and advice on how to achieve optimum performance from your Cisco IPS appliance.
The document below is meant to be used with some caution where specified, and if at any time you feel lost in too much technical detail you can always contact us to assist you in your endeavours.
Contents
1.1. Cisco IDS Cisco IPS cisco AIP cisco IDSM configuration example
1.2. Cisco IDSM Background mode of operation and traffic flow
1.3. IDSM2 Configuration Sequence
1.4. Cisco IDSM configuration example Switch Side
1.5. Cisco IDSM configuration example IDSM side
1.6. Managing the IDSM1
1.7. Initial Setup
1.8. Default gateway setup
1.9. IDSM and AIP Failover configuration notes
1.10. Cisco AIP module Configuration example
1.11. Operating Modes
1.12. Configuration sequence Cisco ASA
1.13. Login to the AIP module device via SSH or session from the Cisco ASA
1.14. Cisco IPS 42xx Configuration Example
1.15. Traffic flow
1.16. Configuration sequence Cisco IPS 4200 model
1.17. System Configuration Dialog
1.18. GUI Configuration common for all the IPS, IDSM and AIP models
1.19. System Basic settings
1.20. Promiscuous mode configuration
1.21. IPS signature Updates and Automatic updates signature update URL
1.22. Cisco IPS Manager Express IME
1.23. Upgrade procedure
Cisco IDS Cisco IPS cisco AIP cisco IDSM configuration example
The Cisco IPS systems, no matter what shape or size, have one thing in common: they filter traffic using signature sets and traffic normalization features. The sections below explain how to get the IPS system off the ground by configuring its basic parameters such as IP address, network mask, default gateway and trusted hosts. Once that is out of the way, all of these IPS systems are easier to configure through the GUI than through the CLI. I have provided a configuration example at the end of the section describing these configuration parameters.
Cisco IDSM Background mode of operation and traffic flow
The Cisco IDSM supports the following traffic throughputs :
Aggregate Throughput promiscuous mode : 600 Mbps
Aggregate Throughput inline mode : 500 Mbps
For more information on the IDSM-2, please visit this page from Cisco containing the IDSM-2 data sheet.
The Cisco IDSM inspects the traffic flow passing through the backplane of the Catalyst 6509 and is configured to examine that traffic using special filters and the global alert category settings. The device scans and reacts to network traffic according to the filter instructions, or action set. Each segment and device can use a different set of filters to manage and block traffic and malicious activity in order to provide optimal protection. The IDSM device can function in two primary modes: promiscuous and inline.
Promiscuous mode means the module only looks at a copy of the traffic flow and neither sits in the path nor blocks any of it, whilst inline mode is the opposite: it inspects the actual traffic flow for the VLANs assigned to it from the switch backplane. The diagram below explains the traffic flow in the Cisco IDSM-2.
Action sets in these filters provide the instructions for the device to block, permit, and send alerts to the system. Filters include three pillars of filter categories:
- Application Protection
- Infrastructure Protection
- Performance Protection
IDSM2 Configuration Sequence
Perform the following tasks to configure the IDSM2:
1. Configure the Catalyst 6500 series switch for command and control access to the IDSM2.
2. Log in to the IDSM2.
3. Configure the switch to send traffic to be monitored to the IDSM2.
4. Initialize the IDSM2. Run the setup command to initialize the IDSM2. During setup, you can configure the interfaces of the IDSM2.
5. Create the service account.
6. Perform the other initial tasks, such as adding users, trusted hosts, and so forth.
7. Configure intrusion prevention.
8. Perform miscellaneous tasks to keep the IDSM2 running smoothly.
9. Upgrade the IPS software with new signature updates and service packs.
10. Reimage the application partition and the maintenance partition when needed.
Cisco IDSM configuration example Switch Side
Firstly you need to insert the IDSM-2 blade into the Catalyst 6509 switch and wait for it to boot. To verify that the IDSM-2 is correctly installed in the Cisco Catalyst 6509 switch, issue the command below.
For Cisco IOS software:
router# show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
3 Anomaly Detector Module WS-SVC-ADM-1-K9 SAD084104JR
4 4 Intrusion Detection System WS-SVC-IDSM2 SAD05380608
As mentioned previously, you need to divert traffic on the Catalyst 6509 switch in order to send it to the module. The example below shows a promiscuous-mode IDSM-2 switch-side configuration.
intrusion-detection module 4 management-port access-vlan 201
intrusion-detection module 4 data-port 1 capture
intrusion-detection module 4 data-port 2 capture
intrusion-detection module 4 data-port 1 capture allowed-vlan 202
intrusion-detection module 4 data-port 2 capture allowed-vlan 202
intrusion-detection module 4 data-port 1 autostate include
intrusion-detection module 4 data-port 2 autostate include
vlan access-map IDSM2 10
match ip address IDSM2-LIST
action forward capture
ip access-list extended IDSM2-LIST
permit ip any any log
permit icmp any any
vlan filter IDSM2 vlan-list 202
monitor session 2 source vlan 202
Cisco IDSM configuration example IDSM side
Once the switch-side configuration is complete you can log in to the IDSM-2 module from the Catalyst 6509 switch using the command below
session slot 4 processor 1
Username:cisco
Password:cisco
TEST-IPS01# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(1)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S440.0 2009-10-02
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: WS-SVC-IDSM-2
Serial Number: xxxxxx
Trial license, expires: 14-Nov-2009 UTC
Sensor up-time is 11 days.
Using 1406742528 out of 1983508480 bytes of available memory (70% usage)
system is using 16.5M out of 38.5M bytes of available disk space (43% usage)
application-data is using 37.7M out of 166.8M bytes of available disk space (24% usage)
boot is using 40.6M out of 68.6M bytes of available disk space (62% usage)
MainApp B-BEAU_2009_APR_18_08_00_7_0_1 (Release) 2009-04-18T08:05:25-0500 Running
AnalysisEngine B-BEAU_2009_APR_18_08_00_7_0_1 (Release) 2009-04-18T08:05:25-0500 Running
CollaborationApp B-BEAU_2009_APR_18_08_00_7_0_1 (Release) 2009-04-18T08:05:25-0500 Running
Managing the IDSM2
The management address of the appliance is configured by the commands below, and only a host listed in the access list can reach the management GUI in order to manage the device. The device can be accessed at https://<the IP address you configured in setup>.
Initial Setup
service host
network-settings
host-ip 10.158.28.132/24,10.158.28.19
host-name test
telnet-option disabled
access-list 10.158.0.0/16
access-list 168.20.221.88/32
access-list 192.168.0.0/16
access-list 193.168.100.0/24
access-list 196.23.1.4/32
exit
time-zone-settings
offset 0
standard-time-zone-name GMT+02:00
Default gateway setup
A default gateway is necessary for the device to be managed from a different subnet and for signature updates originating from the IDSM. It is the second address in the host-ip command:
host-ip 10.158.28.132/24,10.158.28.19
IDSM and AIP Failover configuration notes
The IDSM pairs are configured in an active/standby failover configuration. Due to the nature of the traffic flow the primary core switch is always in use, so the primary IDSM module always receives the traffic. In case of a chassis failure or FWSM failure, that traffic flow will be diverted to the secondary FWSM and IDSM units. The secondary IDSM has been configured with exactly the same configuration as the primary, but it will be idle until a failover occurs.
Cisco AIP module Configuration example
The data sheet, throughput figures and more specific support options can be found on Cisco's website here.
Operating Modes
You can send traffic to the AIP SSM using one of the following modes:
• Inline mode—This mode places the AIP SSM directly in the traffic flow. No traffic that you identified for IPS inspection can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet that you identify for inspection is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.
• Promiscuous mode—This mode sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike inline mode, in promiscuous mode the AIP SSM can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance. Also, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance before the AIP SSM can shun it. The figure below shows the AIP SSM in promiscuous mode. In this example, the AIP SSM sends a shun message to the security appliance for traffic it identified as a threat.
Configuration sequence Cisco ASA
Prerequisites: the Cisco ASA is configured and an AIP module is inserted in it.
Then on the Cisco ASA you need to divert the traffic as shown in the output below.
access-list IPS extended permit ip any any
!
class-map my-ips-class
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class my-ips-class
! for IPS promiscuous mode use the line below
ips promiscuous fail-open
! for IPS inline mode use the line below instead; do not configure both at the same time
ips inline fail-open
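As an added example (not from the original guide or from Cisco), this Python script parses the policy-map shown above and reports how each class hands traffic to the AIP SSM: it flags a class that carries both the promiscuous and the inline "ips" line (the guide says to use only one) and calls out fail-open, which lets traffic bypass inspection if the module fails. The sample policy is a trimmed copy of the page's configuration with both ips lines deliberately present.

```python
import re

# Constructed sample: the page's policy-map, shortened, with both ips lines under
# my-ips-class to show what the check reports.
SAMPLE_ASA_POLICY = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class my-ips-class
  ips promiscuous fail-open
  ips inline fail-open
"""

CLASS_RE = re.compile(r"class (\S+)$")  # "class-map ..." lines do not match
IPS_RE = re.compile(r"ips (inline|promiscuous) (fail-open|fail-close)$")


def parse_ips_actions(text):
    """Map each class in the policy-map to its (mode, fail_policy) ips actions."""
    actions = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            actions.setdefault(current, [])
            continue
        m = IPS_RE.match(line)
        if m and current is not None:
            actions[current].append((m.group(1), m.group(2)))
    return actions


def check_ips_actions(actions):
    """Return findings about how traffic is diverted to the AIP SSM."""
    findings = []
    for cls, acts in actions.items():
        if len(acts) > 1:
            findings.append(f"class {cls}: {len(acts)} ips actions; a class takes exactly one of inline or promiscuous")
        for mode, fail in acts:
            if fail == "fail-open":
                findings.append(f"class {cls}: ips {mode} fail-open passes traffic uninspected if the AIP SSM fails; confirm this is intended")
    if not any(actions.values()):
        findings.append("no class diverts traffic to the AIP SSM")
    return findings
```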
Login to the AIP module device via SSH or session from the Cisco ASA
hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Password:cisco
Last login: Fri Sep 2 06:21:20
from xxx.xxx.xxx.xxx
You may also use an SSH connection or an HTTPS connection to the IP address configured.
Cisco IPS 42xx Configuration Example
Traffic flow
The recommended traffic flow is almost always inline mode, as this is the optimal setting for the IPS device.
The device will thus be positioned so it can physically intercept all the traffic from the relevant segments that need to be protected.
Configuration sequence Cisco IPS 4200 model
Log in to the appliance:
• Connect a console port to the sensor using the parameters below on your PC
login: cisco
Password:cisco
***NOTICE**
Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
ips-4215#
My recommendation would be to do an initial basic setup configuration and then continue the configuration via the GUI interface.
You can do that by issuing the setup command and following the configuration prompts.
System Configuration Dialog
When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process.
The values shown in brackets next to each prompt are the current values.
You must go through the entire System Configuration Dialog until you come to the option that you want to change. To accept default settings for items that you do not want to change, press Enter.
To return to the EXEC prompt without making changes and without going through the entire System Configuration Dialog, press Ctrl-C.
The System Configuration Dialog also provides help text for each prompt. To access the help text, enter ? at a prompt.
When you complete your changes, the System Configuration Dialog shows you the configuration that you created during the setup session. It also asks you if you want to use this configuration. If you enter yes, the configuration is saved. If you enter no, the configuration is not saved and the process begins again. There is no default for this prompt; you must enter either yes or no.
Example System Configuration Dialog
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name sensor
telnet-option disabled
ftp-timeout 300
np login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service interface
physical-interfaces FastEthernet0/0
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
description Created via setup by user asmith
vlan1 200
vlan2 300
exit
exit
exit
physical-interfaces FastEthernet0/1
admin-state enabled
exit
physical-interfaces FastEthernet0/2
admin-state enabled
exit
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
inline-interfaces newPair
description Created via setup by user asmith
interface1 FastEthernet0/1
interface2 FastEthernet0/2
exit
exit
service analysis-engine
virtual-sensor newVs
description Created via setup by user cisco
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
operational-mode inactive
exit
physical-interface GigabitEthernet0/0
exit
virtual-sensor vs0
physical-interface FastEthernet0/0 subinterface-number 1
logical-interface newPair
exit
exit
GUI Configuration common for all the IPS, IDSM and AIP models
Firstly you need to login to the device using https://ip-address-of-the-device
System Basic settings
Promiscuous mode configuration
IPS signature Updates and Automatic updates signature update URL
NB: you need to install a Cisco licence. Go to the specified page, where you can request a trial Cisco IPS signature update licence if you possess a valid CCO account and have the serial number of the device. However, this is a temporary measure and you need to purchase a valid subscription from Cisco in order for the IPS to be able to fetch automatic updates from the Cisco network.
Once the contract has been purchased you may use the URLs below in order to update these signatures.
http://www.cisco.com/go/license
https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
Cisco IPS Manager Express IME
Simplify Cisco Intrusion Prevention System (IPS) sensor management with a user-friendly application. Ideal for small or simple deployments, Cisco IPS Manager Express provides:
- An intuitive graphical user interface to help you configure, tune, and manage Cisco IPS sensors, Cisco Advanced Inspection and Prevention Security Services Modules, Cisco Catalyst 6500 Series Intrusion Detection System Modules, Cisco IDS Network Modules, and Cisco IOS IPS modules.
- Powerful monitoring and reporting tools, including a real-time event viewer for troubleshooting and top reports for security auditing and compliance purposes.
- Flexible device management options for up to 10 IPS devices within a single GUI.
Upgrade procedure
The Cisco AIP, Cisco IPS and Cisco IDSM upgrade document can be found from Cisco here.
Credits and References: as always, credit must be given where credit is due. The references below were used in compiling this rather large document.
http://www.cisco.com