After viewing the final PAM configuration, you can view the final PAM table on Router 3 by issuing the show ip port−map command. Listing 4.21 displays the complete PAM table for Router 3, including the system−defined entries, userdefined entries, and host−defined entries.

Listing 4.21: Complete PAM table for Router 3.

Configuring IOS Firewall Intrusion Detection

The process used to configure the IOS Firewall IDS is far more detailed and complex than the process used to configure most technologies. However, if you take one step at a time, the task becomes a bit easier. If the router IDS is configured to log messages to a syslog server and not a CiscoSecure IDS Director, the configuration can be made even simpler. To enable the IOS Firewall IDS, follow these steps:

1.Use this Director command to send event notifications to a CiscoSecure IDS Director or to a syslog server:

ip audit notify <nr−Director | log>

149

The nr−Director argument specifies a CiscoSecure IDS Director and the log argument specifies a syslog server.

2. Use the following command to configure the Post Office parameters for the local router:

ip audit po local <hostid host−id> <orgid org−id>

The host−id is a unique number between 1 and 65535 that identifies the router, and org−id is a unique number between 1 and 65535 that identifies the organization to which the router and Director both belong. Use this command if events are being sent to a CiscoSecure IDS Director.

3.If alarms are being sent to a CiscoSecure IDS Director, the Post Office parameters for the CiscoSecure IDS Director must be configured on the router by using this command:

ip audit <po> remote <hostid host−id> <orgid org−id> <rmtaddress − ip−address> <localaddress ip−address> <port port−number> − <preference preference−number> <timeout seconds> <application − application−type>

The host−id is a unique number between 1 and 65535 that identifies the Director. The org−id is a unique number between 1 and 65535 that identifies the organization to which the router and Director both belong. The rmtaddress ip−address is the Director's IP address. The localaddress ip−address is the router's interface IP address. The port−number identifies the UDP port on which the Director is listening for alarms; port 45000 is the default. The preference−number is the priority of the route to the Director. The seconds is the number of seconds the Post Office will wait before it determines that a connection has timed out. The options for the application−type can be either Director or logger.

4. Use the following command to define the audit rules used by the IOS Firewall IDS:

ip audit name audit−name <info | attack> <list standard−acl> − <action alarm | drop | <reset>

5.Optionally, use the following command to specify the default action the IOS Firewall IDS should take for info and attack signatures (if this command is not used, the default action is to send an alarm):

ip audit <info | attack> action <alarm | drop | reset>

6.Optionally, use this command to configure a threshold that once reached, spamming in email messages is suspected:

ip audit smtp spam <recipients>

The recipients option is the maximum number of recipients in an email message; the default is 250 recipients.

7.Optionally, use this command to set the threshold that, once reached, will cause cued events that are to be sent to the CiscoSecure IDS Director to be dropped from the cue:

ip audit po max−events <events>

8.Use the following command to disable the signatures that should not be included in the audit rule:

150

ip audit signature signature−id <disable | list acl−list>

9. Use this command to apply the audit rule to an interface:

ip audit audit−name <in | out.

Other commands can be used with the IOS Firewall IDS and they will be addressed as needed throughout the explanations that follow. Figure 4.8 displays a simple network design with a router that will be used to enable the IOS Firewall IDS. I will begin with a basic configurationof the IOS Firewall IDS. In this configuration, the audit rule testrule is created and is applied inbound on Router 3's Ethernet interface. Listing 4.22 outlines the configuration of Router 3.

Figure 4.8: Simple firewall IDS network design.

Listing 4.22: IDS configuration of Router 3.

ip audit smtp spam 42

ip audit notify nr−Director ip audit notify log

ip audit po local hostid 1 orgid 34

ip audit po remote hostid 5 orgid 34 rmtaddress 192.168.10.8 − localaddress 192.168.10.1

!

ip audit name testrule info action alarm

ip audit name testrule attack action alarm drop reset

!

interface FastEthernet0/0

ip address 192.168.10.1 255.255.255.0 ip audit testrule in

In Listing 4.22, Router 3 is configured to perform the IOS Firewall IDS functions. The first line of the configuration uses the ip audit smtp command to specify the number of recipients in a certain mail message the intrusion detection system considers a spam attack after the threshold is reached or exceeded. The next line configures the IOS Firewall IDS to send messages to a CiscoSecure IDS Director. The next line configures the IOS Firewall IDS to send messages to a syslog server, which can also be the local logging service of the router. The ip audit po local command specifies the local Post Office parameters used when event notifications are sent to the CiscoSecure Director. A router can report to more than one CiscoSecure Director. In the event that two or more Directors are configured, you must give each Director a preference number that establishes its relative priority among the Directors. You can do this by using the hosted values. In Listing 4.22 above, only one remote Director has been configured, and it has been given a hosted value of 5; if you add another Director to the network and the router is supposed to prefer this Director over the previously

151

configured Director, it would need to be configured with a lower hosted value. The router will always attempt to use the Director with the lowest number, switching automatically to Director with the next higher number when a Director fails and then switching back when the Director begins functioning again.

The next two lines configure audit rules for info and attack signature types using the name testrule and specifies that, for matched info signatures, the action the router should take is to send an alarm—the default action. For attack signatures, the action the router should take is to send an alarm and drop the packets and reset the session. The audit rule is then applied inbound on the Ethernet interface of Router 3. The IOS Firewall IDS software keeps detailed statistics that display the number of packets audited and the number of alarms sent. To view the statistics that the software has gathered, use the show ip audit statistics command. Listing 4.23 displays the output of this command.

Listing 4.23: Output of the show ip audit statistics command.

Router−3#show ip audit statistics

Session creations since subsystem startup or last reset 19

Current session counts (estab/half−open/terminating) [16:3:1]

Maxever session counts (estab/half−open/terminating) [52:8:0]

Last session created 09:12:29

Last statistic reset never

Router−3#

Listing 4.23 displays the statistics for each signature matched and lists the switching method used for each. The output also provides other information related to the auditing process the router uses. One other useful command that can be issued to verify the operation of the auditing process is the sh ip audit config command. Listing 4.24 shows the output of the show ip audit config command.

Listing 4.24: Router 3 audit configuration.

Router−3#show ip audit config

Event notification through syslog is enabled Event notification through Net Director is enabled Default action(s) for info signatures is alarm Default action(s) for attack signatures is alarm

Default threshold of recipients for spam signature is 42 PostOffice:HostID:5 OrgID:34 Msg dropped:0

:Curr Event Buf Size:100 Configured:100 HID:13 OID:34 S:1 A:2 H:82 HA:49 DA:0 R:0 Q:0

ID:1 Dest:192.168.10.8:45000 Loc:1192.168.10.1:45000 T:5 − S:ESTAB

Audit Rule Configuration Audit name testrule

info actions alarm

152

attack actions alarm drop reset Router−3#

In the next configuration, the security administrator of a small business has a machine with many security software packages installed and preconfigured to automatically kick off at various times during the day. After software applications begin running, the IDS software begins to send alarms to the Director and the Director continuously sends email and page notifications to the security administrator. As a result, the security administrator would like to configure the IOS Firewall so that any packets originating from his machine and the owner's machine will not be subjected to inspection by the IDS software. Listing 4.25 details the configuration of Router 3 that is needed so that packets from the security administrator's machine and the owner's machine are not subject to auditing.

Listing 4.25: Denying devices from inspection.

ip audit smtp spam 42

ip audit notify nr−Director ip audit notify log

ip audit po local hostid 1 orgid 34

ip audit po remote hostid 5 orgid 34 rmtaddress 192.168.10.8 − localaddress 192.168.10.1

!

ip audit name testrule info list 10 action alarm

ip audit name testrule attack list 10 action alarm drop reset

!

interface FastEthernet0/0

ip address 192.168.10.1 255.255.255.0 ip audit testrule in

!

access−list 10 deny 192.168.10.50 access−list 10 deny 192.168.10.30 access−list 10 permit any

The configuration in Listing 4.25 is very similar to the configuration that was displayed in Listing 4.22. The only significant changes to this configuration are the addition of the access list. The access list is bound to the audit rule named testrule. The access list in Listing 4.25 is not denying traffic from the hosts with IP addresses of 192.168.10.50 and 192.168.10.30. Instead, the two hosts are not filtered through the signatures because they are considered to be trusted hosts; all other hosts as defined by the permit any command are subjected to filtering through the signatures.

Viewing the output of the show ip audit interface command, you can see that access list 10 is bound to audit rule testrule for info signatures and attack signatures and the rule is bound to interface FastEthernet0/0. Listing 4.26 displays the output of the show ip audit interface command.

Listing 4.26: Access list configuration.

153

Attack signatures can also be disabled if a device is using a legitimate program on the network and generating false positive results to the IOS Firewall IDS. To disable attack signatures, use the ip audit signature command and specify the specific attack signature that needs to be disabled. Continuing with the example in Listing 4.26, the security administrator would like to disable attack signatures with values in the range of 1000 to 1004 and the signature with the value of 3040. To disable these signatures use the following commands:

ip audit signature 1000 disable ip audit signature 1001 disable ip audit signature 1002 disable ip audit signature 1003 disable ip audit signature 1004 disable ip audit signature 3040 disable

To verify that the attack signatures listed above have indeed been disabled, you must issue the show ip audit config command. Listing 4.27 displays the output of issuing the command after disabling the signatures.

Listing 4.27: Verification of disabled attack signatures.

Router−3#show ip audit config

Event notification through syslog is enabled Event notification through Net Director is enabled Default action(s) for info signatures is alarm Default action(s) for attack signatures is alarm

Default threshold of recipients for spam signature is 42 Signature 1000 disable

Signature 1001 disable Signature 1002 disable Signature 1003 disable Signature 1004 disable Signature 3040 disable

PostOffice:HostID:5 OrgID:34 Msg dropped:0

:Curr Event Buf Size:100 Configured:100 HID:13 OID:34 S:1 A:2 H:82 HA:49 DA:0 R:0 Q:0

ID:1 Dest:192.168.10.8:45000 Loc:1192.168.10.1:45000 T:5 − S:ESTAB

Audit Rule Configuration Audit name testrule

info actions alarm

attack actions alarm drop reset Router−3#

It can be risky to disable the signature globally on the router because in the event another device begins to create traffic that is not legitimate and that matches the characteristics of the signature(s) that have been disabled, there will no way to detect the attack signature. So the IOS Firewall IDS gives you the power to disable attack signatures on a per−host basis with the use of a standard access list. To disable attack signatures, use the configuration displayed in Listing 4.28.

Listing 4.28: Disabling attack signatures on a per−host basis.

access−list 20 deny 192.168.10.51 access−list 20 deny 192.168.10.66 access−list 20 deny 192.168.10.212 access−list 20 permit any

!

154

ip audit signature 2150 list 20 ip audit signature 2151 list 20 ip audit signature 3150 list 20

Listing 4.28 configures an access list, which matches according to the source address listed within the access list. The access list is then bound to each attack signature. The access list logic for this configuration does not deny the host access as in a typical access list configuration, but the configuration states that the hosts that are in the access list configuration with a deny statement are not subject to filtering through the audit process for the attack signature in which the access list is applied. The complete intrusion detection configuration of Router 3 is shown in Listing 4.29.

Listing 4.29: Complete intrusion detection configuration.

ip audit smtp spam 42

ip audit notify nr−Director ip audit notify log

ip audit po local hostid 1 orgid 34

ip audit po remote hostid 5 orgid 34 rmtaddress 192.168.10.8 localaddress 192.168.10.1

!

ip audit name testrule info list 10 action alarm

ip audit name testrule attack list 10 action alarm drop reset ip audit signature 1000 disable

ip audit signature 1001 disable ip audit signature 1002 disable ip audit signature 1003 disable ip audit signature 1004 disable ip audit signature 3040 disable ip audit signature 2150 list 20 ip audit signature 2151 list 20 ip audit signature 3150 list 20

!

interface FastEthernet0/0

ip address 192.168.10.1 255.255.255.0 ip audit testrule in

!

access−list 10 deny 192.168.10.50 access−list 10 deny 192.168.10.30 access−list 10 permit any access−list 20 deny 192.168.10.51 access−list 20 deny 192.168.10.66 access−list 20 deny 192.168.10.212 access−list 20 permit any

155