Introduction to the Cisco IOS Firewall IDS

ip-srcaddr 172.16.1.100 pak-srcaddr 0.0.0.0

00:55:43: AUTH-PROXY FUNC: auth_proxy_fast_path 00:55:43: AUTH-PROXY auth_proxy_find_conn_info :

find srcaddr - 172.16.1.100, dstaddr - 1.1.1.1 ip-srcaddr 172.16.1.100

pak-srcaddr 0.0.0.0

Lab_B#

Clearing the Cache

And finally, you need to know the commands for maintaining and clearing the cache. Earlier, you set a timeout parameter for inactive sessions, so yes, these sessions will time out on their own eventually, but there may be times when you’ll want to clear some or all of the connections and force users to re-authenticate. The following output includes the command-line help and an example of clearing all connections:

Lab_B#clear ip auth-proxy ?

cache Delete auth-proxy cache entries

Lab_B#clear ip auth-proxy cache ?

* Delete all auth-proxy cache A.B.C.D Address to delete

Lab_B#clear ip auth-proxy cache *

Lab_B#

Okay, your users are now happily typing in usernames and passwords to access external resources, and you’ve risen above the challenge described at the beginning of this chapter—nice. Now all you have left to do is check each monitor and look under all the keyboards for those little stickies with usernames and passwords scribbled on them, and you’re good to go!

Introduction to the Cisco IOS Firewall IDS

Let me make sure you’ve got the terminology specific to the IOS Firewall IDS straight. I mentioned that the Intrusion Detection System (IDS) functions on signatures. Well, each signature profiles a specific type of attack or potential problem.

192 Chapter 6 Cisco IOS Firewall Authentication and Intrusion Detection

For specific information on signatures and their descriptions, see www.cisco.com or your CSIDS Director documentation.

Atomic signatures trigger based on a single packet, and compound signatures trigger based on multiple packets. Atomic signatures are much easier to support for the router because they can evaluate each packet independently. Compound signatures work by buffering previous packets for comparison against current packets to see if traffic trends match their signature, which means that they cost more memory.

Signature types are further defined as

Info signatures are informational—they notice when an information-gathering activity such as a port scan is underway. Attack signatures represent malicious activities such as DoS attacks or inappropriate Application-layer calls.

So, you really end up with four types of signatures:

While you definitely want to defend your network against attacks, you don’t need a nuclear device to kill a mouse in your house either; nothing’s free, and every precaution you take costs you something. So the key issues to consider when deploying the IOS Firewall IDS are

I’m bringing this up because the IOS Firewall IDS can have a seriously significant impact on router memory and performance. Some signatures have the capability to monitor not just Layer 3 or Layer 4 functions, but application-level functioning as well. Realize that with such signatures enabled, each packet traversing the router must be inspected—potentially up to the Application layer—and decoding all those headers tends to guzzle resources. The more signatures that are enabled, the worse your mileage will be, and with signatures for 59 common attacks currently included with the IOS Firewall IDS—well, you can imagine the potential impact. And that’s nothing. The CSIDS Sensor includes 300 signatures!

The IOS Firewall IDS is an in-line IDS and has a number of options available as reactions to signature matches, so it offers a good bit of flexibility for you in deciding what you want it to do

when it sees a problem. Basically, you get three self-explanatory choices of action, which can also be used in combination with one another:

Alarm means to (surprise) generate an alarm to either a CSIDS Director or a Syslog server, reset sends a TCP reset to both session participants if the packet used TCP, and drop means to immediately drop the packet. Reset does not imply drop—it’ll still forward the packet. For this reason, reset and drop are often used together.

With these preliminaries out of the way, let’s add the IOS Firewall IDS configuration to your trusty Lab_B router.

Initializing Cisco IOS Firewall IDS

The first thing you’ll do is configure the IOS Firewall IDS to notify the Syslog server at 172.16.1.200. Remember that you have the choice of notifying either a Syslog server or a CSIDS Director, and you can see that choice in the following output. Configure it to notify the Syslog server:

Lab_B#conf t

Lab_B(config)#ip audit notify ?

log Send events as syslog messages nr-director Send events to the nr-director

Lab_B(config)#ip audit notify log

Lab_B(config)#logging 172.16.1.200

Lab_B(config)#^Z

Lab_B#

And yes—the no form of the ip audit notify command removes event notifications from the router.

Configuring, Disabling, and Excluding Signatures

Only the acutely disturbed like getting spam e-mail. The rest of us resolutely tolerate the pain and hope/pray/chant/scream for the day when every router in the world runs an IOS Firewall IDS with spam protection enabled!

That’s right—wanna put that spam back in the can? Here’s how! In the following example, you can see how to limit the number of SMTP destination addresses using the IOS Firewall IDS:

Lab_B#conf t

Lab_B(config)#ip audit ?

194 Chapter 6 Cisco IOS Firewall Authentication and Intrusion Detection

Lab_B(config)#ip audit smtp ?

spam Specify the threshold for spam signature <cr>

Lab_B(config)#ip audit smtp spam ?

<1-65535> Threshold of correspondents to trigger alarm

Lab_B(config)#ip audit smtp spam 100

Lab_B(config)#^Z

Lab_B#

By following the context-sensitive help, you can see the parameter definitions in the final ip audit smtp spam 100 command. The default maximum number of recipients is 250; here, you changed it to 100. If only everyone on the Internet would do this, we could realize the dream of a Spamless Internet Utopia! Way cool.

Disabling Signatures

As I said, running signatures noshes resources, so you probably don’t want to run every signature available. It’s likely you won’t need them all anyway, so let’s disable signature 3102 on the Lab_B router.

Signature 3102 is an attack compound signature. It’s a Sendmail Invalid Sender signature that triggers when the From: field is a pipe (|) symbol.

Here’s the command syntax for removing this signature:

Lab_B#conf t

Lab_B(config)#ip audit signature ?

<1-65535> Signature to be configured

Lab_B(config)#ip audit signature 3102 ?

Lab_B(config)#ip audit signature 3102 disable

Lab_B(config)#^Z

Lab_B#

But what if you decide that you need the signature back? You use the no form of the command to restore it:

Lab_B#conf t

Lab_B(config)#no ip audit signature 3102 disable

Lab_B(config)#^Z

Lab_B#

Excluding Signatures by Host or Network

That was easy, but suppose you want to get really surgical and apply a signature selectively instead of completely disabling it? You can do that by using an ACL to pick and choose specific hosts and/ or networks that you don’t want a given signature to apply to. Here’s an example of how:

Lab_B#conf t

Lab_B(config)#ip audit signature 3102 ?

Lab_B(config)#ip audit signature 3102 list 75

Lab_B(config)#access-list 75 deny host 172.16.1.50

Lab_B(config)#access-list 75 deny 192.160.1.0 0.0.0.255

Lab_B(config)#access-list 75 permit any

Lab_B(config)#^Z

Lab_B#

This kind of ACL will include deny statements for hosts or networks to exclude them from the signature. And it’s got to end with a permit any command to indicate that all other networks and hosts should still be subjected to it.