Lab Configure IOS Firewall IDS

Size: px

Start display at page:

Download "Lab 5.2.5 Configure IOS Firewall IDS"

Darleen Wheeler
8 years ago
Views:

1 Lab Configure IOS Firewall IDS Objective Scenario Topology: Estimated Time: 15 minutes Number of Team Members: Two teams with four students per team. In this lab, the student will learn how to perform the following tasks: Initialize IOS Firewall IDS on the router Configure and apply audit rules Verify the IDS router configuration Test the IDS router configuration Set and test protected addresses The Intrusion Detection Systems provide a level of protection beyond the firewall by protecting the network from internal and external attacks and threats. Cisco IOS Firewall IDS technology enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity based on almost 100 predefined IDS signatures. This figure illustrates the lab network environment. 1-5 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

router configuration Set and test protected addresses The Intrusion Detection Systems provide a level of protection beyond the firewall by protecting the network from internal and external attacks

2 Preparation Begin with the standard lab topology and verify the standard router configuration on the pod routers. Test the connectivity between the pod routers. Access the perimeter router console port using the terminal emulator on the Windows 2000 server. If desired, save the router configuration to a text file for later analysis. Refer back to the Student Lab Orientation if more help is needed. Tools and resources or equipment In order to complete the lab, the standard lab topology is required: Two pod routers Two student PCs with HyperTerminal installed One SuperServer Additional materials One backbone switch and one backbone router Two console cables Further information about the objectives covered in this lab can be found at the following websites: 86a00800d9819.html 186a00800d9808.html Command list In this lab exercise, the following commands will be used. Refer to this list if assistance or help is needed during the lab exercise. Command ip audit attack ip audit info ip audit name ip audit notify ip audit po ip audit po max-events ip audit signature logging console info Description Specifies the default actions for attack signatures. Specifies the default actions for info signatures. Creates audit rules for info and attack signature types. Specifies the methods of event notification. Specifies the local Post Office parameters used when sending event notifications. Specifies the maximum number of event notifications that are placed in the router event cue. Attaches a policy to a signature. Sets the option of seeing the syslog messages on the router console. 2-5 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

Refer back to the Student Lab Orientation if more help is needed.

3 Step 1 Initialize the IDS on the Router Complete the following lab steps to initialize IDS on the router. a. Use the ip audit notify command to specify the method of event notification. RouterP(config)# ip audit notify log 1. What are the other methods of notification? b. Use the ip audit po command to specify the local Post Office when sending event notifications. RouterP(config)# ip audit po local c. Use the ip audit po max-events command to specify the maximum number of event notifications that are placed in the router event cue. RouterP(config)# ip audit po max-events What is the maximum amount of events that can be set? d. Use the command logging console info to see the syslog messages on the router console. RouterP(config)# logging console info e. Configure logging to a Syslog server. RouterP(config)# logging 10.0.P.12 RouterP(config)# logging on f. Set the protected network. Router(config)# ip audit protected 10.0.P.20 to 10.0.P.254 g. Save the configuration and reload. RouterP# write memory RouterP# reload Step 2 Create and Apply Audit Rules Complete the following lab steps to configure and apply audit rules on the router. a. Globally disable signature RouterP(config)# ip audit signature 2004 disable b. Use the ip audit info {action [alarm] [drop] [reset]} command to specify the default actions for info signatures. RouterP(config)# ip audit info action alarm c. Use the ip audit attack {action [alarm] [drop] [reset]} command to specify the default actions for attack signatures. RouterP(config)# ip audit attack action alarm 3-5 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

RouterP(config)# ip audit po local c. Use the ip audit po max-events command to specify the maximum number of event notifications that are placed in the router event cue.

4 d. Use the ip audit name audit name command to create audit rules for attack and info signatures, where audit-name is a user-defined name for an audit rule. RouterP(config)# ip audit name AUDIT.1 info RouterP(config)# ip audit name AUDIT.1 attack e. Use the same name when assigning attack and info type signatures. f. Apply the previously created rule to the outside interface using the in direction: RouterP(config)# interface fa 0/1 RouterP(config)# ip audit AUDIT.1 in 3. What other direction can an audit rule be applied? Step 3 Verify the IDS Router's Configuration a. Display the IDS configuration: RouterP# show ip audit configuration b. Verify the parameters configured as well as several default settings. c. Display the IDS interface configuration: RouterP# show ip audit interface 4. What are the parameters configured and the default settings? d. Display the IDS interface statistics: RouterP# show ip audit statistics Step 4 Test the IDS router configuration a. Telnet to the peer pod router and complete the following steps: Datagram size [100]: 2000 The router will now send multiple packets to the peer router causing them to be discarded and causing audit rules to generate events in the statistics log. 5. What signature number is displayed in the console message? 4-5 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

Apply the previously created rule to the outside interface using the in direction: RouterP(config)# interface fa 0/1 RouterP(config)# ip audit AUDIT.1 in 3.

5 b. Complete the next ping test: Datagram size [100]: What signature number is displayed in the console message? c. End the Telnet session with the peer router. d. Check to see the generated events by using the show ip audit statistics command: RouterP# sh ip audit statistics 7. What signatures show up in the log? Step 5 Setting and Testing Protected Addresses a. Configure protected addresses by combining audit rules and access control lists (ACLs). RouterP(config)# ip audit name AUDIT.1 attack list 90 RouterP(config)# access-list 90 deny host Q.2 RouterP(config)# access-list 90 permit any Note: The ACL in the preceding example is not denying traffic from Q.2 host. This would be as expected if the ACL were applied to an interface. Instead, the hosts on that network are not filtered through the audit process because they are trusted hosts. On the other hand, all other hosts, as defined by permit any, are processed by the audit rule. b. Telnet to the peer pod router and complete the following steps: Datagram size [100]: Where the packets successful? 5-5 Fundamentals of Network Security v Lab Copyright 2003, Cisco Systems, Inc.

What signatures show up in the log? Step 5 Setting and Testing Protected Addresses a. Configure protected addresses by combining audit rules and access control lists (ACLs).

Lab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router

Lab 3.8.3 Configure Cisco IOS Firewall CBAC on a Cisco Router Objective Scenario Topology Estimated Time: 35 minutes Number of Team Members: Two teams with four students per team In this lab exercise,