Demonstration: deploying a Cisco IPS sensor in Inline Interface Pair Mode
Running the IPS inline, with traffic passing through the sensor, costs some forwarding performance, which matters most for latency-sensitive traffic such as voice over IP. Its main advantage is that it can drop an attack at its first packet, including single-packet (atomic) attacks that a promiscuous sensor can only report after the fact. The following describes how to deploy Inline Interface Pair Mode.
Demonstration background: In the environment shown in Figure 5.16, the Cisco IPS works in inline mode. Switches S1 and S2 each carry two VLANs, VLAN 2 and VLAN 3. S1 holds the VLAN database and acts as the server of the VTP domain; its VLAN database is propagated to S2 over the trunk link, and S2 is a VTP client. Between S1 and S2 sits an IPS device working in inline mode. The IPS is transparent to S1 and S2 (neither switch can perceive its presence; it behaves as a transparent bridge). Once the configuration is complete and communication works, a scan using X-Scan is launched from a host in VLAN 3, and the resulting IPS alarms are examined and the scan is blocked.
Demo steps:
Step 1: First, complete the basic configuration of S1: create the VLANs and the VTP domain, assign the switch interfaces to the corresponding VLANs, and configure trunking on the uplink interface. The configuration is as follows:
Basic configuration of switch S1:
S1# vlan database                        * enter VLAN database configuration mode
S1(vlan)# vtp domain ips                 * create a VTP domain named ips
Changing VTP domain name from NULL to ips    * the system confirms the domain name changed from NULL to ips
S1(vlan)# vtp server                     * make S1 the VTP server
Device mode already VTP SERVER.          * the system confirms server mode (the default, hence "already")
S1(vlan)# vlan 2 name v2                 * create VLAN 2 and name it v2
S1(vlan)# vlan 3 name v3                 * create VLAN 3 and name it v3
S1(vlan)# exit                           * leave VLAN database mode; the changes are applied on exit
S1# configure terminal                   * enter global configuration mode
S1(config)# interface fastEthernet 0/1   * enter interface configuration mode for fa0/1
S1(config-if)# switchport access vlan 2  * assign this access port to VLAN 2
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# interface fastEthernet 0/2
S1(config-if)# switchport access vlan 3
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# interface fastEthernet 0/3
S1(config-if)# switchport mode trunk     * make fa0/3 the trunk toward the IPS and S2
S1(config-if)# no shutdown
S1(config-if)# exit
Note: Under the usual configuration logic, VLAN 2 and VLAN 3 would now be propagated to S2 automatically and the next step would be to assign S2's interfaces to those VLANs. In this environment that does not work until the IPS has been configured in inline mode, because only then can S1's VTP advertisements reach S2. Otherwise S2 never learns VLAN 2 and VLAN 3, and assigning an access port to either VLAN produces an error. The reason is that the IPS sits in the trunk path between S1 and S2, and although it is transparent once running, its interfaces are disabled by default, so no frames, VTP advertisements included, pass from S1 to S2. The order of the steps therefore deviates from the usual logic: Step 2 completes the inline IPS configuration before S2 is touched.
Step 2: Initialize the Cisco IPS device so that it can be managed with IDM. This was covered in Project 4 and is not repeated here; this step covers configuring inline mode for the Cisco IPS through the IDM graphical interface. Configuring Cisco IPS inline mode involves the following:
- enable the physical interfaces;
- add the two physical interfaces that will work inline to an interface pair;
- assign the interface pair to a virtual sensor, which carries the signature set.
First, enable the physical interfaces. Start IDM (Figure 5.17) and select Configuration \ Interfaces, as shown in Figure 5.18; select interfaces G1 and G2 and click Enable to activate the two physical interfaces. Remember to click Apply Changes when done, as shown in Figure 5.19.
Next, add the two physical interfaces to an interface pair, as shown in Figure 5.20. Select Configuration \ Interface Pairs \ Add to open the dialog box shown in Figure 5.21; create an interface pair named inlineIPSlab, select interfaces G1 and G2, and click OK. The screen shown in Figure 5.22 appears, and the interface pair has been added in inline mode.
Finally, assign the interface pair to a virtual sensor. As shown in Figure 5.23, select Configuration \ Analysis Engine \ Virtual Sensors and click Edit; the dialog box shown in Figure 5.24 appears. Select the interface pair just created, click Assign, then OK. The interface pair is now assigned to the virtual sensor, and the page shown in Figure 5.25 appears.
After this, Configuration \ Interface Configuration \ Summary (Figure 5.26) lists the name of the interface pair, its two physical interfaces, and the associated virtual sensor. This completes the inline mode configuration.
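The same three IPS-side steps can be performed from the sensor CLI instead of IDM. The following is an added example, not configuration from the original post. It assumes the sensor's physical interfaces are GigabitEthernet0/1 and GigabitEthernet0/2 (the G1 and G2 of the IDM screens), the default virtual sensor vs0, and the pair name inlineIPSlab used above; lines beginning with ! are annotations, not commands.

```text
sensor# configure terminal
! 1. Enable the two physical interfaces. They are disabled by default,
!    which is why no VTP advertisement crossed from S1 to S2 before this step.
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/2
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
! 2. Bind them into an inline interface pair: frames entering one member
!    are inspected and forwarded out the other (transparent bridging).
sensor(config-int)# inline-interfaces inlineIPSlab
sensor(config-int-inl)# interface1 GigabitEthernet0/1
sensor(config-int-inl)# interface2 GigabitEthernet0/2
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
! 3. Assign the pair to the virtual sensor so that its signature set is
!    applied to the traffic crossing the pair.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface inlineIPSlab
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
! Verify: both members should show link up and the pair assigned to vs0.
sensor# show interfaces
```

One setting worth deciding deliberately at this point is bypass-mode under service interface: with the default auto, an inline pair keeps forwarding traffic uninspected if the analysis engine stops (fail open); off stops traffic instead (fail closed). Neither is right for every network, but the choice should be a conscious one rather than the default.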
Step 3: S2 can now be configured. Because the inline IPS between S1 and S2 is up, S1's VLAN information reaches S2, and the configuration of switch S2 is as follows:
Basic configuration of S2:
S2# vlan database                        * enter VLAN database configuration mode on S2
S2(vlan)# vtp domain ips                 * the VTP domain name must match S1's, i.e. ips
Changing VTP domain name from NULL to ips    * the system confirms the domain name changed to ips
S2(vlan)# vtp client                     * set VTP mode to client
Setting device to VTP CLIENT mode.       * the system confirms client mode
S2(vlan)# exit                           * leave VLAN database mode
Question: Why are VLAN 2 and VLAN 3 not created on S2 the way they were on S1?
Answer: They do not need to be created on S2, because S2 learns the VLAN database from S1: both switches are in the same VTP domain (ips), S1 is the VTP server and S2 is a VTP client, so S1 automatically propagates its VLAN database to S2. Before assigning ports, show vlan brief on S2 should already list v2 and v3; if it does not, the inline pair is not yet passing traffic.
S2# configure terminal                   * enter global configuration mode
S2(config)# interface fastEthernet 0/3   * enter interface configuration mode for fa0/3
S2(config-if)# switchport mode trunk     * make this interface the trunk toward the IPS and S1
S2(config-if)# no shutdown
S2(config-if)# exit
S2(config)# interface fastEthernet 0/1   * enter interface configuration mode for fa0/1
S2(config-if)# switchport access vlan 2  * assign this access port to VLAN 2
S2(config-if)# no shutdown
S2(config-if)# exit
S2(config)# interface fastEthernet 0/2
S2(config-if)# switchport access vlan 3
S2(config-if)# no shutdown
S2(config-if)# exit
Step 4: Now test the IPS in inline mode, that is, verify that it analyzes the traffic passing through it. A simple way is to use ping. Assign IP addresses to the server and client in VLAN 3 and test connectivity. Note: to reduce noise on Cisco sensors, signatures 2000 (ICMP Echo Reply) and 2004 (ICMP Echo Request) are disabled by default, so locate signatures 2000 and 2004 under Signatures and enable them, as shown in Figure 5.27.
From host 192.168.4.2, ping 192.168.4.1, as shown in Figure 5.28. After the test, view the events generated in the last minute under Monitoring \ Events on the IPS (Figure 5.29). Figure 5.30 shows the ICMP events in the Event Viewer. To see details, select an event and click Details; the event details shown in Figure 5.31 appear, including the VLAN in which the event was generated, in this environment VLAN 3.
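The CLI counterpart of enabling signatures 2000 and 2004 in IDM and of checking the Event Viewer, as an added example that is not from the original post. It assumes the default signature definition sig0 and the show events syntax of the IPS CLI reference (confirm it on your sensor version); lines beginning with ! are annotations.

```text
sensor# configure terminal
sensor(config)# service signature-definition sig0
! 2004 = ICMP Echo Request, 2000 = ICMP Echo Reply (subsignature 0 for both).
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
! On sensor versions where these signatures ship retired rather than merely
! disabled, they must also be un-retired or they never fire.
sensor(config-sig-sig-sta)# retired false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# signatures 2000 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# retired false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
! Generate traffic (ping from the VLAN 3 host), then list the alerts of the
! last minute, which is what the IDM event viewer shows.
sensor# show events alert past 00:01:00
```

Re-disable both signatures once the test is over; with them enabled, every echo across the trunk produces an informational alert, which buries the events that matter.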
Configure and activate interface addresses on the two routers in VLAN 2. The configuration is as follows:
R1(config)# interface e1/0                              * enter interface E1/0 of R1
R1(config-if)# ip address 192.168.3.1 255.255.255.0    * assign an IP address to this interface
R1(config-if)# no shutdown                              * activate the interface
R1(config-if)# exit
R2(config)# interface e1/0
R2(config-if)# ip address 192.168.3.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
Then, from router R1, ping R2 (192.168.3.2) as shown below. When R1 successfully pings R2, an ICMP informational alert is triggered on the IPS; the alert details are shown in Figure 5.32.
R1# ping 192.168.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/26/40 ms
The single lost echo at the start is typically the ARP resolution delay on the first packet, not a drop by the IPS; if later echoes were lost as well, the inline pair would be the first thing to check.
This completes the deployment of the inline-mode IPS and confirms that it detects normal traffic. Keep this topology unchanged; the next post will demonstrate, in an attack scenario, how the inline IPS protects the network.
This article is from the "unknown Christ" blog. For more information, contact the author!