Implementing Intrusion Prevention
Objective: Configure an Intrusion Prevention System
TOPOLOGY:
Note: ISR G1 devices have Fast Ethernet interfaces instead of Gigabit Ethernet Interfaces.
In this lab, you will perform the following tasks:
Part 1: Configure Basic Device Settings
- Configure basic settings such as host name, interface IP addresses, and access passwords.
- Configure static routing to enable end-to-end connectivity.
Part 2: Use CLI to Configure an IOS IPS
- Configure IOS IPS using CLI.
- Modify IPS signatures.
- Examine the resulting IPS configuration.
- Verify IPS functionality.
- Log IPS messages to a syslog server.
Part 3: Simulate an Attack
- Use a scanning tool to simulate an attack.
BACKGROUND
In this lab, you will configure the Cisco IOS IPS, which is part of the Cisco IOS Firewall feature set. IPS examines certain attack patterns and alerts or mitigates when those patterns occur. IPS alone is not enough to make a router into a secure Internet firewall, but when added to other security features, it can be a powerful defense.
You will configure IPS using the Cisco IOS CLI and then test IPS functionality. You will load the IPS Signature package from a TFTP server and configure the public crypto key using the Cisco IOS.
Note: The router commands and output in this lab are from a Cisco 1941 with Cisco IOS Release 15.4(3)M2 (UniversalK9-M). Other routers and Cisco IOS versions can be used. See the Router Interface Summary Table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and output produced might vary from what is shown in this lab.
Note: Before beginning, ensure that the routers and switches have been erased and have no startup configurations.
Instructions for initializing the network devices are provided in Lab 0.0.0.0.
Part 1: Configure Basic Device Settings
The desktop system assigned to you serves as an end-user terminal. You access and manage the lab environment from the student desktop system using GNS3 Software.
Students should perform the steps in this task individually.
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, static routing, device access, and passwords.
All steps should be performed on routers R1-S0000 and R3-S0000. The procedures are shown for only one of the routers.
Part 2: Configuring IPS Using the Cisco IOS CLI
In Part 2 of this lab, you will configure IPS on R1 using the Cisco IOS CLI. You then review and test the resulting configuration.
Task 1: Verify Current Router Configurations.
In this task, you will verify end-to-end network connectivity before implementing ZPF.
Task 2: Prepare the Router and TFTP Server
Task 3: Configure the IPS Crypto Key
The crypto key verifies the digital signature for the master signature file (sigdef-default.xml). The contents are signed by a Cisco private key to guarantee the authenticity and integrity at every release.
Task 4: Configure IPS
Task 5: Load the IOS IPS Signature Package to the Router
The most common way to load the signature package to the router is to use TFTP.
Task 6: Test the IPS Rule and Modify a Signature
You can work with signatures in many ways. They can be retired and unretired, enabled and disabled, and their characteristics and actions can be changed. In this task, you first test the default behavior of IOS IPS by pinging it from the outside.
Part 3: Simulate an Attack
Task 1: Verify IPS with Zenmap
Nmap/Zenmap is a network-scanning tool that allows you to discover network hosts and resources, including services, ports, operating systems, and other fingerprinting information. Zenmap is the graphical interface for Nmap. Nmap should not be used to scan networks without prior permission. The act of network scanning can be considered a form of network attack.
Nmap/Zenmap will test the IPS capabilities on R1. You will run the scanning program from PC-A and attempt to scan open ports on router R2 before and after applying IPS rule iosips on R1.
Task 2: Observe the syslog messages on R1.
You should see syslog entries on the R1 console and on the syslog server if it is enabled. The descriptions should include phrases, such as TCP NULL Packet and TCP SYN/FIN Packet.
a. What is the IPS risk rating or severity level (Sev:) of the TCP NULL Packet, signature 3040?
b. What is the IPS risk rating or severity level (Sev:) of the TCP SYN/FIN packet, signature 3041?
Reflection
1. If changes are made to a signature while using version 5.x signature files, are they visible in the router running the configuration?
Attachment:- Configure an Intrusion Prevention System IPS.rar