Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

200 Chapter 6 Cisco IOS Firewall Authentication and Intrusion Detection

3. TCP or UDP

4. Application-level protocol

If a signature match is made, the appropriate action will be taken.

Verifying the Configuration

Okay, it’s not a perfect world, and not everything runs smoothly the first time, right? So as you might expect, there are several show commands available to you for verifying and troubleshooting the IOS Firewall IDS. Here’s the output from the most useful show command:

Lab_B#show ip audit ?
  all            IDS all available information
  configuration  IDS configuration
  interfaces     IDS interfaces
  name           IDS name
  sessions       IDS sessions
  statistics     IDS statistics

Lab_B#show ip audit statistics
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Post Office is not enabled - No connections are active

Lab_B#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 100
Signature 3102 list 75
PostOffice:HostID:0 OrgID:0 Msg dropped:0 :Curr Event Buf Size:0 Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name toddaudit info actions alarm
                     attack actions alarm drop reset

Lab_B#show ip audit interface
Interface Configuration
 Interface FastEthernet0/1
  Inbound IDS audit rule is toddaudit info actions alarm
                            attack actions alarm drop reset
  Outgoing IDS audit rule is not set
Lab_B#

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

You’re right! The preceding statistics indicate a largely idle network, but the configuration and interface output reflect the work you’ve done so far and check out. There are also several debug command options available:

Lab_B#debug ip audit ?
  detailed         Audit Detailed debug records
  ftp-cmd          Audit FTP commands and responses
  ftp-token        Audit FTP tokens
  function-trace   Audit function trace
  icmp             Audit ICMP packets
  ip               Audit IP packets
  object-creation  Audit Object Creations
  object-deletion  Audit Object Deletions
  rpc              Audit RPC
  smtp             Audit SMTP
  tcp              Audit TCP
  tftp             Audit TFTP
  timers           Audit Timer related events
  udp              Audit UDP
Lab_B#

Stopping the IOS Firewall IDS

Sometimes you just gotta pull the plug, and in order to pull it, you have to know where it is. If you really need to kill the IOS Firewall IDS lights, there are several steps to take. First, let’s start with the show ip audit configuration screen again to verify that the configuration is still in place:

Lab_B#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 100
Signature 3102 list 75
PostOffice:HostID:0 OrgID:0 Msg dropped:0 :Curr Event Buf Size:0 Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name toddaudit info actions alarm
                     attack actions alarm drop reset

Yup—it’s there.

Next, use the clear ip audit configuration command to disable IDS, remove all IDS configuration, and release all dynamic resources:

Lab_B#clear ip audit configuration

And finally (as always), you’ve got to verify that it did what it was supposed to do, so look at the output from the show ip audit configuration command:

Lab_B#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 250
PostOffice:HostID:0 OrgID:0 Msg dropped:0 :Curr Event Buf Size:0 Configured:100
Post Office is not enabled - No connections are active
Lab_B#

It’s good to go—all values have been reset to the defaults!
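As an added example (not code from the book), here is a small Python check that parses the show ip audit configuration output shown under Verifying the Configuration and again after clear ip audit configuration, and reports when the IDS is weaker than an assumed baseline: an audit rule exists and attack signatures are alarmed, dropped and reset. The two sample outputs are constructed from this section, with the notification and PostOffice lines omitted.

```python
import re

# Constructed samples from this section: "show ip audit configuration" output
# before and after "clear ip audit configuration" (notification/PostOffice lines omitted).
BEFORE_CLEAR = """\
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 100
Signature 3102 list 75
Audit Rule Configuration
 Audit name toddaudit info actions alarm
                     attack actions alarm drop reset
"""
AFTER_CLEAR = """\
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 250
"""

def parse_audit_config(text):
    """Parse the CLI output into default actions, per-signature ACLs and audit rules."""
    cfg = {"info_actions": set(), "attack_actions": set(), "spam_threshold": None,
           "signature_acls": {}, "audit_rules": {}}
    rule = None  # audit rule whose "attack actions" continuation line comes next
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Default action\(s\) for (info|attack) signatures is (.+)", line):
            cfg[m[1] + "_actions"] = set(m[2].split())
        elif m := re.match(r"Default threshold of recipients for spam signature is (\d+)", line):
            cfg["spam_threshold"] = int(m[1])
        elif m := re.match(r"Signature (\d+) list (\d+)", line):
            cfg["signature_acls"][int(m[1])] = int(m[2])  # signature scoped by an ACL
        elif m := re.match(r"Audit name (\S+) info actions (.+)", line):
            rule = m[1]
            cfg["audit_rules"][rule] = {"info": set(m[2].split()), "attack": set()}
        elif rule and (m := re.match(r"attack actions (.+)", line)):
            cfg["audit_rules"][rule]["attack"] = set(m[1].split())
    return cfg

def audit_findings(cfg, required=frozenset({"alarm", "drop", "reset"})):
    """Assumed baseline: an audit rule exists and attack signatures are alarmed, dropped and reset."""
    findings = []
    missing = required - cfg["attack_actions"]
    if missing:
        findings.append("default attack action lacks: " + " ".join(sorted(missing)))
    if not cfg["audit_rules"]:
        findings.append("no audit rule defined (was 'clear ip audit configuration' run?)")
    for name, r in cfg["audit_rules"].items():
        if not required <= r["attack"]:
            findings.append(f"rule {name}: attack actions are only {' '.join(sorted(r['attack']))}")
    return findings
```

Run against the post-clear output the check flags both the missing audit rule and the weakened default attack action, which is exactly the drift you want a monitoring job to catch before an attacker notices it.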


Summary

The IOS Firewall was introduced in Chapter 5, “Context-Based Access Control Configuration,” which explained CBAC, but this chapter covered two of its critically important additional capabilities:

Authentication Proxy

Intrusion Detection System (IDS)

The wonderful new IOS Firewall Authentication Proxy bestows upon the networking world the ability to control user access based on users rather than on IP addresses or other device information! In the glowing IOS Firewall world, users are forced to authenticate before accessing external resources. Their now-personalized access policies are retrieved from centralized AAA servers and follow them wherever they roam on the network.

Add to the Authentication Proxy the IOS Firewall IDS—a capable guard with the ability to alert, reset, and drop when security signatures are matched—and you can select which signatures to deactivate, or you can selectively apply signatures using ACLs.

Exam Essentials

Remember the two types of AAA servers you can use for the IOS Authentication Proxy. TACACS+ and RADIUS are the two types of AAA servers you can use for Authentication Proxy.

Know the default idle time for the IOS Firewall Authentication Proxy. The default idle time for the Authentication Proxy is 60 minutes.

Know the different types of signatures for the IOS Firewall IDS. The four types of signatures are info atomic, info compound, attack atomic, and attack compound.

Be familiar with the show and debug commands for both the IOS Firewall Authentication Proxy and the IOS Firewall IDS. For the IOS Firewall Authentication Proxy, the commands are show ip auth-proxy and debug ip auth-proxy. For the IOS Firewall IDS, the commands are show ip audit and debug ip audit.

Remember the three actions that the IOS Firewall IDS can take when a signature is matched. The three actions the IOS Firewall IDS can take when a signature is matched are alert, reset, and drop.
