Cisco allows a few ways to configure the IDS/IPS. The console port is the fastest way to access the device. Telnet is disabled by default, and Cisco recommends jumping straight to SSH.
The default login for the IPS sensor is "cisco" with the password of "cisco". The setup wizard on the IPS sensor is not as bad as the intial configuration wizard found in IOS. The setup wizard actually does a lot of necessary configuration for us so let's begin by invoking it through:
setupThe setup wizard walks us through setting up of: Host Name, Interface IP (and Default Gateway), Telnet, HTTPS, Management Access List, System Clock and Virtual Sensor. At the end of the wizard, a preview of the commands will be displayed on the screen like in an IOS device.
To reload the sensor, instead of "reload", we use:
resetThe reset will take a while to start (up to 90 seconds). You will be logged out upon reset but the sensor will reset once it's fully shut down. An IPS is actually running on Red Hat Linux 7.3, so you would actually see the GRUB boot loader during reboot. The IOS-like interface is actually an application known as MainApp.
There are four major modes in the sensor firmware. These are:
-Privileged EXEC Mode - The same as the privileged mode on a router. There is no such thing as a user mode on a sensor.
-Global Configuration Mode - From here, we can access the other two modes: Service Mode, and Multi-Instance Service Mode.
-Service Mode - Allows configuration of various services like network configurations of the sensor itself.
-Multi-Instance Service Mode - Can be used to modify the signature definitions and the actions to take.
There are many services available for configuration in the Service Mode. To configure the host, we can go under the host service prompt through:
service hostFrom here, we can then modify the network settings of the host. Under host services, we can modify access-list, the IP address, the host name, login banner and so on:
network-settingsWe can also go under the interface service mode to change settings like the bypass-mode (discussed in the previous article), inline-interfaces and so on:
service interfaceIt may not be as intuitive as it is on a router. For example, a new user would typically go into interface service mode to configure an IP address, but it's actually in host.
The Multi-Instance Service Mode can be accessed from either:
service signature-definition sig0
service event-action-rules rules0We'll begin with sig0. This is where we modify the signatures. Signatures tell the sensor what kind of traffic to match. An example is to modify the H225 : SETUP fixed signature 1. To do this, we'll type:
signatures 12505 3This references signature 12505, sub-signature 3. A good list can be found here.
At this prompt, we can change the priority levels and other configurations. To see information about the signature, we can type:
show settingsFrom here, we can modify settings specific to the h225 engine through:
engine service h225By now you would be in 4 sub-prompts. However, lets not get too carried away with this introductory article. We'll begin with the simple things, like setting up banners:
banner login
Do not log in!*CTRL+V Enter*
All activities are logged!CTRL+V allows entering of a control character, and the enter button would cause a carriage return. The Enter button itself would end the banner entry.
To save the configuration of the sensor, we'll use:
copy current-config backup-configIn the sensor, the current-config is the running-config, and the backup-config is the startup-config. We cannot use "wr" so we must get used to "copy run back".
Commands like "more" also works in the sensor. To see the backup-config, we use:
more backup-configWe can also use:
show configuration | include serviceTo add hosts into the management access-list, we can go through:
service host
network-settings
access-list 1.1.1.1/32This would allow the 1.1.1.1 host to manage the router. When you exit the service prompt, you will be prompted to save the configuration. This is because changes in service mode doesn't take effect immediately. This gives us more freedom to fiddle around with the settings.
We can actually REPLACE the running-configuration through:
copy /erase backup currentThis erases the current-configuration before replacing it with the backup-configuration. On an IOS router, you can only MERGE the configurations.
Finally, we'll check out the events in the sensor. To do this, we'll use:
show events 21:00 July 16This would actually show events beginning from 9PM on 16 July. The event log stores things like interface status and IPS alerts. You can also clear the event log using:
clear events
No comments :
Post a Comment