ITSY 2301 Firewalls and Network Security Fall 2009

Lab 15 Intrusion Detection Systems on a Router

Purpose: Create an IDS on a router.

Topology: See the ITSY2301 standard router configuration diagram. Confirm the cabling of the routers and switches.

Directions:

***** Configure the 2 routers with appropriate starting IP addresses and routing protocol. Start with the basic configurations for both routers. Use EIGRP as the routing protocol. Remove any default gateway static routes. Test the connectivity between the routers, and between the inside and external hosts. *****

***** The PC that you use as the Inside Host must have Syslog on it. Activate Syslog before starting the lab. *****

Preliminary:

Objectives of the lab: Create secure stateful packet inspection for the network on a perimeter device by:

• Initializing IOS Firewall IDS on the router
• Configuring and applying audit rules
• Verifying and testing the IDS router configuration
• Setting and testing protected addresses

Preparation: Set up an Attack PC on the 10.0.2.0/24 network off the Austin router. A free test copy of GFI LANguard is available in the LabFiles folder on the desktop. Install it on the Attack PC (Inside host).

Commands used in this lab (from Cisco.com)

ip audit attack action
    Specifies the default actions for attack signatures.

ip audit info
    Specifies the default actions for info signatures.

ip audit name
    Creates audit rules for info and attack signature types.

ip audit notify
    Specifies the methods of event notification.

ip audit po
    Specifies the local Post Office parameters used when sending event notifications.

ip audit po max-events
    Specifies the maximum number of event notifications that are placed in the router event queue.

ip audit signature
    Attaches a policy to a signature.

logging console info
    Sets the option of seeing the syslog messages on the router console.

Step 1 Initialize the IDS on both routers for practice

a. Specify the method of event notification.

ip audit notify log

What are other ways to record notification?

b. Use the local (audit) Post Office when sending event notifications.

ip audit po local

Are there other ways/places to send auditing information?

c. Specify the maximum number of event notifications listed in the router event queue.

ip audit po max-events 100

What is the maximum number of events recorded?

d. For safety, turn off console logging:

no logging console debug

e. Then turn on logging and send messages to the syslog server:

logging host 10.0.1.2
logging source-interface f0/0
logging trap debug
logging on

f. Identify the protected network.

On Austin:

ip audit protected 10.0.1.2 to 10.0.1.254

On Boston:

ip audit protected 11.0.13.2 to 11.0.13.254

Step 2 Create and Apply Audit Rules

a. First we must globally disable signature 1107 (IP RFC 1918 Addresses) and 2004 (ICMP Echo Request). RFC 1918 addresses, which signature 1107 matches, are used in our topology, and we will be testing using ping.

ip audit signature 1107 disable
ip audit signature 2004 disable

Answer reflection question #1.

b. Specify the default actions to take for info signatures.

ip audit info action alarm

c. Specify the default actions to take for attack signatures.

ip audit attack action alarm

d. Create the audit rules for attack and info signatures. The name of the rule set is IDS-AUDIT. It is case sensitive.

ip audit name IDS-AUDIT info action alarm drop reset
ip audit name IDS-AUDIT attack action alarm drop reset

Answer reflection question #2.

e. Apply the previously created rule to the “outside (WAN)” interface using the in direction.

For Austin:

interface f 0/0
ip audit IDS-AUDIT in

For Boston:

interface s 0/0
ip audit IDS-AUDIT in

Note: we are applying this configuration on both routers. We are applying the audit rules to the interface, which will inspect traffic coming into the router.

Answer reflection question #3.

Step 3. Display the IDS router's configuration

a. Display the IDS configuration:

show ip audit configuration

Verify the parameters configured as well as several default settings.

Step 4. Display the IDS interface configuration:

show ip audit interface

Step 5. Display the IDS interface statistics:

show ip audit statistics

Are there any statistics yet? If so, note them here.

Step 6. Test the IDS router configuration

a. From the Attack PC running LANguard, located on the “outside” network on Austin, verify the Attack PC’s IP address

(the address should be 10.0.1.2)

b. From the Attack PC, ping 10.0.1.2 and 11.0.13.2 to verify connectivity:

ping 10.0.1.2
ping 11.0.13.2

c. From the Attack PC, execute a LANguard scan of 10.0.1.2. Then start one for 11.0.13.2.

start a LANguard analysis of 10.0.1.2
start a LANguard analysis of 11.0.13.2

The Attack PC will now send multiple packets to the hosts; the routers discard those packets, and the audit rules generate events in the statistics log.

Answer reflection questions #4 and #5.

d. How can you verify that the attack traffic does not reach the targets?

Implement your suggestion and test it.

Record the results here.

e. Check the statistical events with:

show ip audit statistics

What events are displayed?

Reflection questions:

1. Why are these two signatures disabled in our lab exercise?

2. What do these statements mean – especially the “action alarm drop reset” part?

3. Why is the audit rule set applied here? This is a strategy question.

4. What signature numbers are displayed in the console logging messages?

5. What do the routers do with the offending traffic?
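As an added example for reflection questions #4 and #5 (this script is not part of the lab and is not Cisco's code), the Python below parses the IDS alerts the routers forward to the syslog server on the Inside Host, counts alerts per signature, checks each target against the protected ranges set in Step 1f, and flags any alert from a signature that Step 2a disabled. The message layout in ALERT_RE and the sample log lines are assumptions, not captured router output.

```python
import ipaddress
import re
from collections import Counter

# Protected ranges from Step 1f ("ip audit protected ... to ...").
PROTECTED = {"Austin": ("10.0.1.2", "10.0.1.254"), "Boston": ("11.0.13.2", "11.0.13.254")}
# Signatures disabled globally in Step 2a; an alert for one means the disable did not take.
DISABLED = {1107, 2004}
# Assumed shape of an IOS Firewall IDS alert at the syslog server (an assumption, not the lab's output):
#   %IDS-4-<NAME>: Sig:<number>:<description> - from <src> to <dst>
ALERT_RE = re.compile(r"%IDS-\d-\w+: Sig:(?P<sig>\d+):.+? - from (?P<src>[\d.]+) to (?P<dst>[\d.]+)")

def protected_by(addr):
    """Router whose protected range contains addr, or None (the routers' own .1 addresses are outside)."""
    ip = ipaddress.ip_address(addr)
    for router, (low, high) in PROTECTED.items():
        if ipaddress.ip_address(low) <= ip <= ipaddress.ip_address(high):
            return router
    return None

def parse_alert(line):
    """Fields of one IDS alert, or None for any other syslog line (e.g. %SYS messages)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"signature": int(m.group("sig")), "src": m.group("src"),
            "dst": m.group("dst"), "protected_by": protected_by(m.group("dst"))}

def summarize(lines):
    """Count alerts per signature; flag targets outside every protected range and disabled signatures."""
    per_sig = Counter()
    unprotected = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        per_sig[alert["signature"]] += 1
        if alert["protected_by"] is None:
            unprotected.append(alert["dst"])
    return {"per_signature": dict(per_sig), "unprotected_targets": unprotected,
            "disabled_seen": sorted(s for s in per_sig if s in DISABLED)}

# Constructed sample lines in the assumed format (not captured from a real router).
SAMPLE_LOG = [
    "Nov 12 14:02:11 10.0.1.1 45: %IDS-4-TCP_SYN_ATTACK_SIG: Sig:3050:TCP SYN Attack - from 10.0.2.5 to 11.0.13.2",
    "Nov 12 14:02:12 10.0.1.1 46: %IDS-4-TCP_SYN_ATTACK_SIG: Sig:3050:TCP SYN Attack - from 10.0.2.5 to 10.0.1.2",
    "Nov 12 14:02:13 10.0.1.1 47: %IDS-4-TCP_SYN_ATTACK_SIG: Sig:3050:TCP SYN Attack - from 10.0.2.5 to 11.0.13.1",
    "Nov 12 14:02:14 10.0.1.1 48: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 10.0.2.5 to 11.0.13.2",
    "Nov 12 14:02:15 10.0.1.1 49: %SYS-5-CONFIG_I: Configured from console by console",
]
```

Running summarize(SAMPLE_LOG) shows the target 11.0.13.1 falling outside the Boston protected range and signature 2004 still firing, two things worth comparing against your own show ip audit statistics output.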
