Demonstration: Response Behavior of Cisco IPS in Inline Interface Mode
Demonstration objective: response behavior of Cisco IPS when deployed in inline interface mode.
Demo environment: the network environment shown in Figure 5.16 is used again.
Demonstration background: Host 192.168.4.2 in VLAN3 launches a vulnerability scan against host 192.168.4.1 to identify the host's security vulnerabilities in preparation for an intrusion. The scanning traffic from 192.168.4.2 to 192.168.4.1 must pass through the IPS, which is deployed in inline mode, to reach the target host, so the IPS can detect the scan. By default, however, the IPS only raises an alarm for this event and takes no other action. To block and filter the scan, the relevant signature must be adjusted. Cisco IPS offers many kinds of defensive actions; this demonstration explains each of them and then tests the typical ones.
Demo tools: X-Scan scanner, Cisco IPS system.
Demo steps:
Step 1: Run X-Scan on 192.168.4.2 to scan 192.168.4.1 for vulnerabilities. Figure 5.33 shows the IP address range of the hosts to be scanned; in this example it is just 192.168.4.1. Then start the scan, as shown in Figure 5.34, to scan for open ports and vulnerabilities on 192.168.4.1.
Step 2: Now check the events on the Cisco IPS, as shown in Figure 5.35. The IPS reports a TCP port scan event with a Low severity. Scanning is an action a hacker takes in preparation for an attack or intrusion, and it is the beginning of illegal activity; however, it does not mean that the real attack or intrusion has started, so its severity is low. Even so, we should not let the attacker scan freely, so we analyze the details of the TCP port scan event: select the event and click the Details button.
As shown in Figure 5.36, the SigID that triggered the alarm is 3002, which indicates a TCP SYN-based scan; the attacker and target IP addresses and the target ports that triggered the signature are also displayed.
Step 3: Now the defense work begins. SigID 3002 (TCP SYN scan) was triggered, and its default action is only to produce an alarm. The administrator decides that this simple alarm is not enough to stop the scanning, so the Actions option of SigID 3002 must be modified. First, locate the signature by its SigID as shown in Figure 5.37, then click Actions to open the dialog box shown in Figure 5.38 and select Deny attacker inline. This option means that all traffic of the source host that triggered the signature is denied, whether that host accesses others or others access it. Click OK and apply the configuration, as shown in Figure 5.39.
Note: The Actions option shown in Figure 5.38 offers many defensive actions. The role and meaning of each action are described at the end of this demonstration.
Step 4: Host 192.168.4.2 can still ping host 192.168.4.1 successfully, as shown in Figure 5.40. Now run X-Scan again on 192.168.4.2 against host 192.168.4.1. The result, shown in Figure 5.41, is that nothing can be scanned, because all scanning traffic from 192.168.4.2 to 192.168.4.1 is denied by the inline IPS; in fact, any traffic from 192.168.4.2 to any host is rejected. Ping 192.168.4.1 from 192.168.4.2 again; as Figure 5.42 shows, the communication fails.
Now open Monitoring > Denied Attackers and you can see the deny list shown in Figure 5.43: host 192.168.4.2 is on the list, so it cannot communicate with any host. To restore communication for 192.168.4.2, click Clear list to remove it from the denied list. After clearing, ping 192.168.4.1 from 192.168.4.2 again; communication is restored, as shown in Figure 5.44.
When a signature is triggered, there are many defensive actions available under Actions, as shown in Figure 5.45. The functions and differences of these actions are analyzed one by one below:
- Deny attacker inline: All traffic of the source host that triggered the signature is denied, whether that host accesses others or others access it.
- Deny attacker service pair inline: Traffic from the source host that triggered the signature to the same target port number is denied, matching the same source and destination port. For example, if an attacker executes malicious code while telnetting to switch S1 and this triggers a signature whose action is Deny attacker service pair inline, the attacker is also rejected when telnetting to S2, S3 or any router Rx: because the rule was violated over telnet, all of the attacker's traffic destined for port 23 is rejected. The attacker can still communicate with this host or other hosts on ports other than 23, for example with ping.
- Deny attacker victim pair inline: Traffic between the source host (attacker) that triggered the signature and the target host (victim) is denied, but traffic between the attacker and other endpoints remains normal.
- Deny connection inline: Only for TCP sessions. The current session of the source host (attacker) that triggered the signature is denied. If the attacker initiates a new connection, it is accepted as long as it no longer triggers the signature (does not violate the rules).
- Deny packet inline: Every packet that triggers the signature is rejected. For example, if Deny packet inline is configured for signatures 2000 and 2004 and host A pings host B, the ICMP packets that trigger them are denied; only those packets are denied, and host A can still access other services on host B or other target hosts normally.
- Log Attacker packet: All packets from the source host (attacker) that currently triggers the signature are recorded; they can be viewed and downloaded for analysis under IP Logging.
- Log Pair packet: All packets between the source host (attacker) that currently triggers the signature and the target host (victim) are recorded; they can be viewed and downloaded for analysis under IP Logging.
- Log Victim packet: All packets of the victim of the currently triggered signature are recorded; they can be viewed and downloaded for analysis under IP Logging.
- Produce Alert: Generate an alarm. This is the default action.
- Produce Verbose Alert: Generate a verbose alarm that includes the capture that triggered the signature, for analysis.
- Request Block connection: Valid when the IPS is associated with other devices; blocking is performed on a router or firewall, and Block connection means adding an extended access control list.
- Request Block Host: Valid when the IPS is associated with other devices; blocking is performed on a router or firewall, and Block host means adding a standard access control list.
- Request SNMP Trap: Sends an alarm to the SNMP network management station.
- Reset TCP connection: For TCP only, the TCP session that triggered the signature is reset.
Step 5: Now we simulate a Unicode attack against Microsoft IIS. When the IPS detects the attack traffic, we use the Deny attacker service pair inline action for defense and compare it with the Deny attacker inline action used in the previous step. First, an environment that simulates the Unicode attack must be built: DNS and Web services are configured on the VLAN3 server 192.168.4.1. Deploying these two services is not covered in this course, so they are not described in detail here. If students find it difficult to set up the two services, ask the instructor to deploy them. Make sure the VLAN3 client 192.168.4.2 can successfully use the DNS and Web services, in preparation for the following intrusion detection and defense test.
Step 6: As shown in Figure 5.46, enter http://www.jinpei.com/..%c0%af.. in IE on the Web client. The string "..%c0%af.." is the Unicode attack pattern against Microsoft IIS.
Note: Here, simply entering the "..%c0%af.." pattern is enough to simulate a Unicode attack against Microsoft IIS. The pattern "%c1%1c" can also be used. The principle of Unicode attacks is not the focus of this course; refer to other material for details, as it is not described further here.
Step 7: Return to the IDM host to view the effect of the IPS detecting the Unicode attack, as shown in Figure 5.47. An alert for a high-risk Unicode attack is displayed. Select this alert and click Details; the details are shown in Figure 5.48. They clearly indicate the source host and the attacked host, the SigID triggered (5114) and the triggering pattern "..%c0%af..".
Now locate SigID 5114 as shown in Figure 5.49; triggering this SigID currently only produces an alarm. Click the Actions button and set the action to Deny attacker service pair inline, as shown in Figure 5.50. Then enter http://www.jinpei.com/..%c0%af.. in IE on the Web client again to trigger SigID 5114 once more. This time the session initiated by the attacker is listed in the denied list, as shown in Figure 5.51, and IP Logging records the session and its start time, as shown in Figure 5.52.
Question: After the above, if you enter http://www.jinpei.com in IE on the Web client for normal access, or access another target Web server, does it succeed? And can other non-Web traffic, such as ICMP, still communicate?
Answer: No Web access is allowed, as shown in Figure 5.53. Other non-Web traffic, such as ICMP, still works, as shown in Figure 5.54, because the Deny attacker service pair inline action denies all traffic from the source host that triggered the signature to the target port number, matching the same source and destination port.
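The deny-action scopes listed above and the result in this Answer, replayed as an added Python model of the inline filter (not code from the article or from Cisco); the Packet fields, the lowercase action names, the deny-list representation and the scanned port 135 are assumptions made for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for ICMP
    sport: int = 0
    sig: int = 0      # SigID this packet triggers; 0 = no signature match

class InlineIps:
    """Each deny action adds a deny entry of its own scope, checked for later packets."""
    def __init__(self):
        self.actions = {}      # SigID -> configured action
        self.denied = set()    # scoped deny entries, see process()
    def set_action(self, sig, action):
        self.actions[sig] = action
    def clear_list(self):      # the "Clear list" button under Denied Attackers
        self.denied.clear()
    def process(self, p):
        """Return True if the packet is forwarded, False if the IPS denies it."""
        scopes = {
            "deny attacker inline": ("src", p.src),
            "deny attacker service pair inline": ("svc", p.src, p.proto, p.dport),
            "deny attacker victim pair inline": ("pair", p.src, p.dst),
            "deny connection inline": ("conn", p.src, p.sport, p.dst, p.dport),
        }
        if any(entry in self.denied for entry in scopes.values()):
            return False
        action = self.actions.get(p.sig, "produce alert")
        if action in scopes and (action != "deny connection inline" or p.proto == "tcp"):
            self.denied.add(scopes[action])   # remember the scope to keep denying
        elif action != "deny packet inline":
            return True                       # alert-only action: packet forwarded
        return False                          # every deny action drops this packet

def demo():
    """Replays the article's two scenarios; returns which packets got through."""
    ips, atk, srv = InlineIps(), "192.168.4.2", "192.168.4.1"
    ips.set_action(3002, "deny attacker inline")                         # Step 3
    r = {"scan": ips.process(Packet(atk, srv, "tcp", 135, 4000, sig=3002))}
    r["ping_after_scan"] = ips.process(Packet(atk, srv, "icmp"))         # Fig 5.42
    ips.clear_list()                                                     # Fig 5.44
    r["ping_after_clear"] = ips.process(Packet(atk, srv, "icmp"))
    ips.set_action(5114, "deny attacker service pair inline")            # Fig 5.50
    r["unicode"] = ips.process(Packet(atk, srv, "tcp", 80, 4001, sig=5114))
    r["web_other_host"] = ips.process(Packet(atk, "192.168.4.9", "tcp", 80, 4002))
    r["icmp_after_unicode"] = ips.process(Packet(atk, srv, "icmp"))      # Fig 5.54
    return r
```

Only the attacker's traffic to port 80 stays denied after the service-pair action, while the earlier attacker-wide deny blocked even ICMP until the list was cleared.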
This article is from the "unknown Christ" blog. For more information, contact the author.