Training Guide: Configuring the IOS Intrusion Detection Function of a Cisco Router via the CLI

Computer Network Security Technology and Implementation
Learning Situation 4, Training Task 4.2: Configuring the IOS Intrusion Detection Function of a Cisco Router
National Higher Vocational Education Network Technology Teaching Resource Library (37 slides)

Contents
1. Task scenario
2. Task-related tools and software
3. Task design and planning
4. Task implementation and techniques
5. Task check and evaluation
6. Task summary

Task design and planning
Use the command line to configure the intrusion detection and prevention functions of Cisco router IOS.

Task implementation and techniques
The first release of Cisco IOS 12.3 (for routers) appeared in 2003, and new versions have been released since then, adding hundreds of features, one of which is the Intrusion Prevention System. Although IOS has supported IDS since 12.0(5)T, at that time it supported only 59 signatures and had poor extensibility, so it was little more than a showpiece. 12.3(11)T supports 118 signatures.

Cisco IOS IDS/IPS configuration: the Signature Definition File (SDF)
The SDF defines every signature it contains. Once the signatures are loaded by IOS IPS, IPS immediately starts scanning with them. By default, IOS contains no signatures at all. Three signature files are available for IOS IPS:
- attack-drop.sdf: 83 signatures, for routers with less than 128 MB of memory.
- 128MB.sdf: 300 signatures, for routers with 128 MB or more.
- 256MB.sdf: 500 signatures, for routers with 256 MB or more.
All of these can be used on Cisco access routers running 12.4 or later. If flash is erased, the sdf files are erased with it. Note: IOS 12.4T-9 and later no longer use 128MB.sdf; they use a .pkg file instead.

Cisco IOS IDS/IPS configuration: IPS configuration (pkg, version 12.4T-9)
Create a folder for the IPS signatures:
    mkdir ips
Enable the IOS IPS feature (the ACL is optional):
    ip ips name iosips [acl]
Set the signature storage location to the folder created in the first step:
    ip ips config location ips
Configure alert notification:
    ip ips notify log
Configure the signature policy. All signatures must first be retired, and only then are the needed signatures enabled as shown below; otherwise the router exhausts its memory and crashes!
    ip ips signature-category
     category all
      retired true
Enable one signature category, for example:
     category ios_ips basic
      retired false
     exit
    Do you want to accept these changes? [confirm] y
Enable IPS on the interface:
    interface e0/0
     ip ips iosips in|out
     exit
Load the pkg signature file:
    copy t/IOS-S310-CLI.pkg idconf
Note: the idconf keyword must be added here.

Configuring the IPS function of Cisco router IOS via the CLI

Cisco IOS IPS
Cisco IOS IPS enables administrators to manage intrusion prevention on routers that use Cisco IOS Release 12.3(8)T4 or later. Cisco IOS IPS monitors and prevents intrusions by comparing traffic against signatures of known threats and blocking the traffic when a threat is detected. Several steps are necessary to use the Cisco IOS CLI to work with IOS IPS 5.x format signatures. Cisco IOS version 12.4(10) or earlier used IPS 4.x format signatures, and some IPS commands have changed.

Steps to implement Cisco IOS IPS
1. Download the IOS IPS files.
2. Create an IOS IPS configuration directory in flash.
3. Configure an IOS IPS crypto key (the key used to verify the signature file).
4. Enable IOS IPS (consists of several substeps).
5. Load the IOS IPS signature package to the router.

1. Download the IOS IPS files
Download the IOS IPS signature file and public crypto key:
- IOS-Sxxx-CLI.pkg: the latest signature package.
- realm-cisco.pub.key.txt: the public crypto key used by IOS IPS.
The specific IPS files to download vary depending on the current release. Only registered customers can download the package files and key.

2. Create an IOS IPS directory in flash
Create a directory in flash to store the signature files and configurations. Use the mkdir directory-name privileged EXEC command to create the directory. Use the rename current-name new-name command to change the name of the directory. To verify the contents of flash, enter the dir flash: privileged EXEC command.
    R1# mkdir ips
    Create directory filename [ips]?
    Created dir flash:ips
    R1#
    R1# dir flash:
    Directory of flash:/
        5  -rw-    51054864  Jan 10 2009 15:46:14 -08:00  c2800nm-advipservicesk9-mz.124-20.T1.bin
        6  drw-           0  Jan 15 2009 11:36:36 -08:00  ips
    64016384 bytes total (12693504 bytes free)
    R1#

3. Configure an IOS IPS crypto key
Configure the crypto key to verify the digital signature of the master signature file (sigdef-default.xml). The file is signed by Cisco to guarantee its authenticity and integrity. To configure the IOS IPS crypto key, open the text file, copy its contents, and paste them at the global configuration prompt. The text file issues the commands that generate the RSA key.
Highlight and copy the text in the public key file, then paste it at the global config prompt:
    R1# conf t
    R1(config)#
Issue the show run command to verify that the key was copied:
    R1# show run
    crypto key pubkey-chain rsa
     named-key realm-cisco.pub signature
      key-string
       (hexadecimal key string from realm-cisco.pub.key.txt, omitted here)
At the time of signature compilation, an error message is generated if the public crypto key is invalid. If the key is configured incorrectly, the key must be removed and then reconfigured using the no crypto key pubkey-chain rsa and the no named-key realm-cisco.pub signature commands.

4a. Enable IOS IPS
Identify the IPS rule name and specify the location. Use the ip ips name rule-name [optional ACL] command to create a rule name. An optional extended or standard ACL can be used to filter the traffic. Traffic that is denied by the ACL is not inspected by the IPS.
Use the ip ips config location flash:directory-name command to configure the IPS signature storage location. Prior to IOS 12.4(11)T, the ip ips sdf location command was used.
    R1(config)# ip ips name IOSIPS
    R1(config)# ip ips name ips list ?
            Numbered access list
      WORD  Named access list
    R1(config)#
    R1(config)# ip ips config location flash:ips
    R1(config)#

4b. Enable IOS IPS
Enable SDEE and logging event notification. The HTTP server must first be enabled using the ip http server command. SDEE notification must be explicitly enabled using the ip ips notify sdee command. IOS IPS also supports logging to send event notification. SDEE and logging can be used independently or simultaneously. Logging notification is enabled by default. Use the ip ips notify log command to enable logging.
    R1(config)# ip http server
    R1(config)# ip ips notify sdee
    R1(config)# ip ips notify log
    R1(config)#

4c. Configure the signature category
All signatures are grouped into three common categories: All, Basic and Advanced. Signatures that IOS IPS uses to scan traffic can be retired or unretired. Retired means that IOS IPS does not compile that signature into memory. Unretired instructs IOS IPS to compile the signature into memory and use it to scan traffic.
When IOS IPS is first configured, all signatures in the all category should be retired, and then selected signatures should be unretired in a less memory-intensive category. To retire and unretire signatures, first enter IPS category mode using the ip ips signature-category command. Next use the category category-name command to change a category.
    R1(config)# ip ips signature-category
    R1(config-ips-category)# category all
    R1(config-ips-category-action)# retired true
    R1(config-ips-category-action)# exit
    R1(config-ips-category)#
    R1(config-ips-category)# category ios_ips basic
    R1(config-ips-category-action)# retired false
    R1(config-ips-category-action)# exit
    R1(config-ips-category)# exit
    Do you want to accept these changes? [confirm] y
    R1(config)#

4d. Enable IOS IPS: apply the IPS rule to an interface
Apply the IPS rule to the desired interface and specify the direction. Use the ip ips rule-name in | out interface configuration command to apply the IPS rule. The in argument means that only traffic going into the interface is inspected by IPS. The out argument specifies that only traffic going out of the interface is inspected.
    R1(config)# interface GigabitEthernet 0/1
    R1(config-if)# ip ips IOSIPS in
    R1(config-if)# ip ips IOSIPS out
    R1(config-if)# exit
    R1(config)# exit

5. Load the IOS IPS signature package
Upload the signature package to the router using either FTP or TFTP. To copy the downloaded signature package from the FTP server to the router, make sure to use the idconf parameter at the end of the command:
    copy ftp://ftp_user:password@Server_IP_address/signature_package idconf
    R1# copy ftp:/cisco:cisco/IOS-S376-CLI.pkg idconf
    Loading IOS-S310-CLI.pkg !
    OK - 7608873/4096 bytes
    *Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDS_STARTED: 16:44:47 PST Jan 15 2008
    *Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
    *Jan 15 16:44:47 PST: %IPS-6-ENGINE_READY: multi-string - build time 4 ms - packets for this engine will be scanned
    *Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDING: service-http - 622 signatures - 2 of 13 engines
    *Jan 15 16:44:53 PST: %IPS-6-ENGINE_READY: service-http - build time 6024 ms - packets for this engine will be scanned

Verify that the signature package is properly compiled using the show ip ips signature count command:
    R1# show ip ips signature count
    Cisco SDF release version S310.0 signature package release version
    Trend SDF release version V0.0
    Signature Micro-Engine: multi-string: Total Signatures 8
      multi-string enabled signatures: 8
      multi-string retired signatures: 8
    Signature Micro-Engine: service-msrpc: Total Signatures 25
      service-msrpc enabled signatures: 25
      service-msrpc retired signatures: 18
      service-msrpc compiled signatures: 1
      service-msrpc inactive signatures - invalid params: 6
    Total Signatures: 2136
    Total Enabled Signatures: 807
    Total Retired Signatures: 1779
    Total Compiled Signatures: 351
      total compiled signatures for the IOS IPS Basic category
    Total Signatures with invalid parameters: 6
    Total Obsoleted Signatures: 11
    R1#

Task check and evaluation (CLI mode)

View the IPS configuration:
    R1# show running-config | begin ips
Check that IPS is configured correctly:
    R1# show ip ips configuration
Check the signature database configuration:
    R1# show ip ips signature
Check the IPS interface configuration:
    R1# show ip ips interface
The clear commands corresponding to these show commands can be used to disable the IPS system, and debug commands can be used to troubleshoot or inspect Cisco IOS IPS:
    R1# show ip ips all
    R1# debug ip ips icmp

Task check and evaluation
Through this task you come to understand how network intrusion detection and intrusion prevention are implemented. It is recommended that this task be completed in class. The objectives are: to distinguish IDS from IPS technology; to correctly deploy and implement a Cisco router-based IPS that meets an enterprise network's intrusion prevention needs; to complete the work at the lowest cost and with high quality; and to verify it correctly.

Task 4.2: knowledge and skill assessment
No. | Assessment point | Specific objective | Weight
1 | Knowledge understanding | Compare and understand the functional difference between intrusion detection and intrusion prevention; master the router's intrusion prevention function | 20
2 | Use of tools and software | Correctly configure and implement IPS intrusion prevention in Cisco router IOS | 10
3 | Task implementation | Configure an IOS intrusion detection or prevention system on Cisco routers and similar devices | 20
4 | Professional competence | Master intrusion detection and intrusion prevention technology; understand their working principles and processes in depth by configuring IOS IPS | 20
5 | Methodological competence | Use learning resources for independent in-depth study | 20
6 | Social competence | Complete the task through teamwork, improving expression and communication skills | 10

Task summary
This task mainly covered: the concepts of intrusion detection and intrusion prevention; the functions of IDS and IPS technology; and the configuration and implementation of intrusion prevention on Cisco router IOS.
Exercise: use CCP to configure the IPS function of a Cisco router.
Thank you for watching! Comments and suggestions are welcome.

Appendix: configuration case
Task description: this task is completed on the new PT (Packet Tracer) topology, in which network connectivity for all devices has already been configured. The task is to configure IPS on R1 so that traffic entering the internal network is scanned. A server in the internal network acts as the syslog server and records the IPS log messages; R1 must be configured to know the log server so that the server receives the log messages. When logging is used to monitor the network, check that the time and date in the log messages are correct: set the router's clock for its logging function and configure the timestamp service. Finally, enable IPS to generate inline ALERT and DROP actions for ICMP echo reply packets.

Using the command line to configure intrusion detection and prevention on Cisco router IOS: configuration case

Task 1: enable the IOS IPS function
Note: in PT the router already has the signature files in place; by default they are stored as xml files in flash. So there is no need to configure the public key or import the signature files manually here (on a real device that lacks these files, they can be uploaded via TFTP or similar).

Step 1: check network connectivity.
A ping from PC-C to PC-A should succeed. A ping from PC-A to PC-C should succeed.

Step 2: create an IOS IPS configuration directory in flash.
On R1, use the mkdir command to create a directory named "ipsdir" in flash:
    R1#mkdir ipsdir
    Create directory filename [ipsdir]?
    Created dir flash:ipsdir

Step 3: configure the IPS signature storage location.
On R1, set the IPS signature storage location to the directory created in the previous step:
    R1(config)#ip ips config location flash:ipsdir

Step 4: create an IPS rule, i.e. the IPS inspection rule.
On R1, configure the IPS rule globally with ip ips name iosips; the rule name is iosips:
    R1(config)# ip ips name iosips

Step 5: enable logging.
IOS IPS supports syslog for sending event notifications. Logging notification is enabled by default; if logging console is enabled, the IPS syslog messages can be seen. If syslog logging is not enabled, enable it:
    R1(config)# ip ips notify log
As needed, use the clock set command in privileged mode to set the time:
    R1# clock set 01:20:00 6 january 2009
Check with show run whether the router's log timestamp service is enabled; if not, enable it:
    R1(config)# service timestamps log datetime msec
Send log messages to the log server (the syslog server's IP address is 0):
    R1(config)# logging host 0

Step 6: configure the signature categories used by IOS IPS.
Use the retired true command to retire the all signature category (every signature in the signature database is released). Use the retired false command to bring in the ios_ips basic signatures.
    R1(config)# ip ips signature-category
    R1(config-ips-category)# category all
    R1(config-ips-category-action)# retired true
    R1(config-ips-category-action)# exit
    R1(config-ips-category)# category ios_ips basic
    R1(config-ips-category-action)# retired false
    R1(config-ips-category-action)# exit
    R1(config-ips-category)# exit
    Do you want to accept these changes? [confirm]

Step 7: apply the IPS rule to an interface.
The command that applies an IPS rule to an interface is ip ips name direction, executed in interface mode. In this task the rule is applied in the outbound direction on router R1's Fa0/0. After IPS is enabled, some log messages are sent to the console indicating that the IPS engines have finished initializing. Note: if the direction is IN, IPS inspects only traffic entering this interface; likewise, if the direction is OUT, IPS inspects only traffic leaving this interface.
    R1(config)# interface fa0/0
    R1(con
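As an added example (not part of the training guide and not a Cisco tool), the following Python script audits a running-config excerpt for the steps walked through above and in the case: signature storage location, IPS rule name, logging and timestamps, the retire-all-before-unretire ordering the guide warns about (compiling every signature exhausts router memory), and the rule actually being applied on an interface. The config excerpt and the 192.0.2.50 syslog address are constructed for the example.

```python
import re

# Constructed running-config excerpt modelled on the steps in the guide;
# 192.0.2.50 is a documentation address, not a value from the guide.
SAMPLE_CONFIG = """\
service timestamps log datetime msec
ip ips config location flash:ipsdir
ip ips notify log
ip ips name iosips
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
interface FastEthernet0/0
 ip ips iosips out
logging host 192.0.2.50
"""


def audit_ips_config(config):
    """Return {check_name: bool} for the IOS IPS deployment steps."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    text = "\n".join(lines)
    rule = re.search(r"^ip ips name (\S+)", text, re.M)
    checks = {
        "config_location": bool(re.search(r"^ip ips config location flash:\S+", text, re.M)),
        "rule_defined": rule is not None,
        "notify_log": "ip ips notify log" in lines,
        "timestamps": any(ln.startswith("service timestamps log datetime") for ln in lines),
        "logging_host": any(ln.startswith("logging host ") for ln in lines),
    }
    # Ordering check: 'category all' / 'retired true' must appear before the
    # first 'retired false'; otherwise every signature is compiled into memory.
    category, retire_all, first_unretire = None, None, None
    for i, ln in enumerate(lines):
        s = ln.strip()
        if s.startswith("category "):
            category = s[len("category "):]
        elif s == "retired true" and category == "all":
            retire_all = i
        elif s == "retired false" and first_unretire is None:
            first_unretire = i
    checks["retire_all_first"] = retire_all is not None and (
        first_unretire is None or retire_all < first_unretire)
    # The rule inspects nothing until applied under an interface with in/out.
    applied = rule is not None and re.search(
        r"^interface \S+\n(?: .*\n)*? ip ips %s (in|out)$" % re.escape(rule.group(1)),
        text, re.M)
    checks["rule_applied"] = bool(applied)
    return checks


def missing_steps(config):
    """Names of the checks that fail, in audit order (empty when all pass)."""
    return [name for name, ok in audit_ips_config(config).items() if not ok]
```

Run missing_steps() over the output of show running-config | begin ips to get the list of steps still to be fixed before the router is left in production.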
