Network Security 2. Module 2 Configure Network Intrusion Detection and Prevention



Similar documents
Network Security 1. Module 8 Configure Filtering on a Router

Cisco Secure PIX Firewall with Two Routers Configuration Example

Lab Configure IOS Firewall IDS

Introduction of Intrusion Detection Systems

Virtual Fragmentation Reassembly

FIREWALLS & CBAC. philip.heimer@hh.se

INTRODUCTION TO FIREWALL SECURITY

Securing Networks with PIX and ASA

Configuring the Cisco Secure PIX Firewall with a Single Intern

Lab Configure Intrusion Prevention on the PIX Security Appliance

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewall Firewall August, 2003

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Troubleshooting Cisco Secure Intrusion Detection Systems

Cisco ASA, PIX, and FWSM Firewall Handbook

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Firewalls. Chapter 3

Securing Cisco Network Devices (SND)

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

SonicOS 5.9 One Touch Configuration Guide

Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router Firewalls. Intrusion Detection Systems

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Application Notes SL1000/SL500 VPN with Cisco PIX 501

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

Stateful Firewalls. Hank and Foo

TABLE OF CONTENTS NETWORK SECURITY 2...1

FWSM introduction Intro 5/1

Firewalls, IDS and IPS

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Firewall Authentication Proxy for FTP and Telnet Sessions

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Architecture Overview

Network Defense Tools

Firewall Log Format. Log ID is a Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g ,

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

How To Understand And Understand Cisco Security Specialist (For A Non-Profit)

Firewalls (IPTABLES)

PROFESSIONAL SECURITY SYSTEMS

TROUBLESHOOTING FIREWALLS

Cisco PIX vs. Checkpoint Firewall

U06 IT Infrastructure Policy

General Network Security

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Firewalls. Network Security. Firewalls Defined. Firewalls

Chapter 4 Firewall Protection and Content Filtering

Lab Exercise Configure the PIX Firewall and a Cisco Router

Table of Contents. Cisco Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Firewall Defaults and Some Basic Rules

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewall Stateful Inspection of ICMP

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Intrusion Detection Systems

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

PIX/ASA 7.x with Syslog Configuration Example

Configuring NetFlow Secure Event Logging (NSEL)

Chapter 4 Firewall Protection and Content Filtering

How To Secure Network Threads, Network Security, And The Universal Security Model

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Multi-Homing Gateway. User s Manual

Cisco Firewall Technology

Configuring NetFlow Secure Event Logging (NSEL)

10 Configuring Packet Filtering and Routing Rules

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Security Technology White Paper

CISCO IOS FIREWALL DESIGN GUIDE

1. Firewall Configuration

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

CS5008: Internet Computing

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

F-SECURE MESSAGING SECURITY GATEWAY

Integrating Cisco Secure PIX Firewall and IP/VC Videoconferencing Networks

Chapter 15. Firewalls, IDS and IPS

LifeSize Transit Deployment Guide June 2011

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

PIX/ASA 7.x and above : Mail (SMTP) Server Access on Inside Network Configuration Example

Cisco Intrusion Prevention System Advanced Integration Module for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

IT Security Standard: Network Device Configuration and Management

Configuring Health Monitoring

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Transcription:

1 1

Network Security 2 Module 2 Configure Network Intrusion Detection and Prevention 2

Learning Objectives 2.1 Cisco IOS Intrusion Prevention System 2.2 Configure Attack Guards on the PIX Security Appliance 2.3 Configure Intrusion Prevention on the PIX Security Appliance 2.4 Configure Shunning on the PIX Security Appliance 3

Module 2 Configure Network Intrusion Detection and Prevention 2.1 Cisco IOS Intrusion Prevention System 4

Cisco IOS Intrusion Prevention System Network Management Console 4 Alarm 2 1 Attack Drop Packet 3 Reset Connection 5

Configuration Tasks Install Cisco IOS IPS on the router. Specify location of the Signature Definition File (SDF). Create an IPS rule. Attach a policy to a signature (Optional). Apply IPS rule at an interface. Configure Logging using Syslog or SDEE. Verify the configuration. 6

Specify Location of SDF Router (config)# ip ips sdf location url (Optional) Specifies the location in which the router will load the SDF, attack-drop.sdf. If this command is not issued, the router will load the default, built-in signatures. Router(config)# ip ips sdf location disk2:attack-drop.sdf 7

Create an IPS Rule Router (config)# ip ips name ips-name [list acl] Creates an IPS rule. Router(config)# ip ips name MYIPS Creates an IPS rule named MYIPS that will be applied to an interface. 8

Attach a policy to a given signature(optional) Router (config)# ip ips signature signature-id [:sub-signature-id] {delete disable list acl-list} Attaches a policy to a given signature. Router(config)# ip ips signature 1000 disable Disables signature 1000 in the signature definition file. 9

Attach a policy to a given signature(optional) Router (config)# ip ips signature signature-id [:sub-signature-id] {delete disable list acl-list} Attaches a policy to a given signature. Router(config)# ip audit signature 3100 list 91 Applies optional policy to the signature 3100 10

Apply an IPS Rule at an Interface Router (config-if)# ip ips ips-name {in out} Applies an IPS rule at an interface. Router(config-if)# ip ips MYIPS in 11

Upgrade to Latest SDF Router (config)# ip ips name ips-name Creates an IPS rule. Router (config)# no ip ips sdf builtin Instructs the router not to load the built-in signatures. Router (config)# ip ips fail closed Instructs the router to drop all packets until the signature engine is built and ready to scan traffic. 12

Upgrade to Latest SDF(Cont.) Router (config-if)# ip ips ips-name {in out} [list acl] Applies an IPS rule at an interface. This command automatically loads the signatures and builds the signature engines. 13

Monitoring Cisco IOS IPS Signatures Network Management Console Alarm SDEE Protocol Alert Syslog Syslog Server 14

SDEE Benefits Vendor Interoperability SDEE will become the standard format for all vendors to communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and potentially multiple network management platforms. Secured transport The use of HTTP over SSL or HTTPS ensures that data is secured as it traverses the network 15

Set Notification Type Router (config)# ip ips notify [log sdee] Sets notification type Router(config)# ip ips notify sdee Router(config)# ip ips notify log Router (config)# ip sdee events num_of_events Sets the maximum number of SDEE events that can be stored in the event buffer. 16

show Commands Router# show ip ips configuration Verifies that Cisco IOS IPS is properly configured. Router# show ip ips signatures [detailed] Verifies signature configuration, such as signatures that have been disabled. Router# show ip ips interface Display the interface configuration 17

clear Commands Router# clear ip ips configuration Remove all intrusion prevention configuration entries, and release dynamic resources. Router# clear ip ips statistics Reset statistics on packets analyzed and alarms sent Router# clear ip sdee {events subscriptions} Clear SDEE events or subscriptions. 18

debug Commands Router# debug ip ips timers Router# debug ip ips object-creation Router# debug ip ips object-deletion Router# debug ip ips function trace Router# debug ip ips detailed Router# debug ip ips ftp-cmd Router# debug ip ips ftp-token Router# debug ip ips icmp Router# debug ip ips ip Router# debug ip ips rpc Router# debug ip ips smtp Router# debug ip ips tcp Router# debug ip ips tftp Router# debug ip ips udp Instead of no, undebug may be used 19

Module 2 Configure Network Intrusion Detection and Prevention 2.2 Configure Attack Guards on the PIX Security Appliance 20

Mail Guard Provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside e-mail server Enables administrators to deploy a mail server within the internal network, without it being exposed to known security problems that exist within some mail server implementations Only the SMTP commands specified in RFC 821 section 4.5.1 are allowed to a mail server By default, the Cisco Secure PIX Security Appliance inspects port 25 connections for SMTP traffic SMTP servers using ports other than port 25 must use the fixup protocol smtp command 21

Mail Guard pixfirewall (config)# fixup protocol smtp port [-port] Defines ports on which to activate Mail Guard (default = 25) Only allows RFC 821, section 4.5.1 commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. If disabled, all SMTP commands are allowed through the firewall Potential mail server vulnerabilities are exposed. pixfirewall(config)# fixup protocol smtp 2525 pixfirewall(config)# fixup protocol smtp 2625-2635 pixfirewall(config)# no fixup protocol smtp 25 22

DNS Guard DNS Guard is always on. After the client does a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes. The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately. The PIX Security Appliance does not wait for the UDP timer to expire. 23

FragGuard and Virtual Re-assembly The FragGuard and Virtual Re-assembly feature has the following characteristics: Is on by default. Verifies each fragment set for integrity and completeness. Tags each fragment in a fragment set with the transport header. Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Security Appliance. Uses Syslog to log fragment overlapping and small fragment offset anomalies. 24

fragment Command pixfirewall (config)# fragment size database-limit [interface] Sets the maximum number of packets in the fragment database. pixfirewall (config)# fragment chain chain-limit [interface] Specifies the maximum number of packets into which a full IP packet can be fragmented. pixfirewall (config)# fragment timeout seconds [interface] Specifies the maximum number of seconds that the PIX Security Appliance waits before discarding a packet that is waiting to be reassembled. pixfirewall(config)# fragment size 1 pixfirewall(config)# fragment chain 1 25

AAA Flood Guard pixfirewall (config)# floodguard enable disable Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled). pixfirewall(config)# floodguard enable 26

SYN Flood Attack The attacker spoofs a nonexistent source IP address and floods the target with SYN packets. The target responds to the SYN packets by sending SYN-ACK packets to the spoofed hosts. The target overflows its port buffer with embryonic connections and stops responding to legitimate requests. 27

SYN Flood Guard Configuration pixfirewall (config)# static [(prenat_interface, postnat_interface)] mapped_address interface real_address [dns][netmask mask][norandomseq][connection_limit [em_limit]] For inbound connections: pixfirewall (config)# Use the em_limit to limit the number of embryonic connections. Set the limit to a number lower than the server can handle. nat [(if-name)]id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]] For outbound connections: Use the em_limit to limit the number of embryonic connections. Set the limit to a number lower than the server can handle. pixfirewall(config)# nat (inside) 1 0 0 0 10000 pixfirewall(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 1000 28

TCP Intercept pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255 1000 100 29

Module 2 Configure Network Intrusion Detection and Prevention 2.3 Configure Intrusion Prevention on the PIX Security Appliance 30

PIX IDS 31

Configure IDS pixfirewall(config)# ip audit name audit_name info [action [alarm] [drop] [reset]] Creates a policy for informational signatures. pixfirewall(config)# ip audit name audit_name attack [action [alarm] [drop] [reset]] Creates a policy for attack signatures. pixfirewall(config)# ip audit interface if_name audit_name Applies a policy to an interface. pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset pixfirewall(config)# ip audit interface outside ATTACKPOLICY When the PIX Security Appliance detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection. 32

Specify Default Actions for Signatures pixfirewall(config)# ip audit attack [action [alarm] [drop] [reset]] Specifies the default actions for attack signatures. pixfirewall(config)# ip audit info [action [alarm] [drop] [reset]] Specifies the default actions for informational signatures. pixfirewall(config)# ip audit info action alarm drop When the PIX Security Appliance detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet. 33

Disable Intrusion Detection Signatures pixfirewall(config)# ip audit signature signature_number disable Excludes a signature from auditing. pixfirewall(config)# ip audit signature 6102 disable Disables signature 6102. 34

Module 2 Configure Network Intrusion Detection and Prevention 2.4 Configure Shunning on the PIX Security Appliance 35

shun Command pixfirewall(config)# shun src_ip [dst_ip sport dport [protocol]] Applies a blocking function to an interface under attack. pixfirewall(config)# shun 172.26.26.45 No further traffic from 172.26.26.45 is allowed. 36

Shunning an Attacker pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information