I am not feeling great today, the British public has just shown what a bunch of idiots they are and have voted to leave the EU. Absolutely crazy. But, despite feeling despondent, I need to finish off the IPS.
Today will be pretty quick. The goal is to get the WLC talking to the IPS. Why are we doing this, apart from "just because we can"?
The idea is that we will have traffic that may not be going through the IPS, predominantly Wifi traffic. The IPS is a clever thing and can use the signature-definition rules to create lists of IP addresses we "shun". So we get the benefits of the IPS, even when on the Wifi network.
Creating a shun list looks a bit like this:
IPS(config)# service signature-definition sig1 Editing new instance sig1. IPS(config-sig)# IPS(config-sig)# signatures 64999 0 IPS(config-sig-sig)# alert-severity high IPS(config-sig-sig)# engine atomic-ip IPS(config-sig-sig-ato)# event-action ? produce-alert produce-verbose-alert deny-attacker-inline deny-connection-inline deny-packet-inline log-attacker-packets log-pair-packets log-victim-packets request-block-connection request NAC to shun this connection request-block-host request NAC to shun this attacker host request-snmp-trap reset-tcp-connection deny-attacker-victim-pair-inline deny-attacker-service-pair-inline IPS(config-sig-sig-ato)# event-action request-block-host IPS(config-sig-sig-ato)#I won't be using this one, though, I will be editing the existing signature we set up in the previous post.
IPS(config)# service signature-definition sig0
IPS(config-sig)# signatures 60101 0
IPS(config-sig-sig)# engine atomic-ip
IPS(config-sig-sig-ato)# event-action produce-verbose-alert
IPS(config-sig-sig-ato)# event-action request-block-host
IPS(config-sig-sig-ato)# exit
IPS(config-sig-sig)# show settings
sig-id: 60101
subsig-id: 0
-----------------------------------------------
alert-severity: high default: medium
sig-fidelity-rating: 75
promisc-delta: 0
sig-description
-----------------------------------------------
sig-name: My Sig
sig-string-info: My Sig Info
sig-comment: Sig Comment
alert-traits: 0
release: custom
sig-creation-date: 20000101
sig-type: Other
-----------------------------------------------
engine
-----------------------------------------------
atomic-ip
-----------------------------------------------
event-action: request-block-host default: produce-alert
fragment-status: any
specify-l4-protocol
-----------------------------------------------
yes
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes
IPS(config)#
The rest of the settings are the same as the previous post, so I have truncated the output.The next step is to set up a user for the WLC on the IPS. I am cribbing from this Cisco doc by the way!
IPS(config)# service network-access
IPS(config-net)# user-profile vWLC
IPS(config-net-use)# username vWLC
IPS(config-net-use)# password
Enter password[]: *****
Re-enter password: *****
IPS(config-net-use)# enable-password
Enter enable-password[]: *****
Re-enter enable-password: *****
IPS(config-net-use)# show settings
profile-name: vWLC
-----------------------------------------------
enable-password:
password:
username: vWLC default:
-----------------------------------------------
IPS(config-net-use)# exit
IPS(config-net)# exit
Apply Changes?[yes]: yes
IPS(config)#
Moving on to the WLC, we head to Security > Advanced > CIDS.
Click on "New" in the top right-hand corner and enter the details:
If you are wondering how to get the SHA fingerprint, that comes from the IPS:
IPS# sh tls fingerprint MD5: 34:F0:0A:8B:F5:4F:E0:89:2A:99:0C:8F:A1:22:64:CF SHA1: 8F:4E:BF:26:8C:62:8E:5E:C3:80:F4:FD:D4:15:FC:1C:1A:46:80:DF IPS#This then goes on our list:
We should be able to pull data from the IPS now - if it worked:
(Cisco Controller) >debug wps cids enable (Cisco Controller) >*osapiBsnTimer: Jun 24 13:06:27.592: cidsSdeeCallback is called *cids-cl Task: Jun 24 13:06:27.592: cidsProcessSdeeQuery: ip=10.1.4.155,port=443 state=1 interval=60 *cids-cl Task: Jun 24 13:06:27.592: cidsQuerySend: https://10.1.4.155:443/cgi-bin/transaction-server?command=getShunEntryList *cids-cl Task: Jun 24 13:06:27.592: curlHandle is 0xe44db58 *cids-cl Task: Jun 24 13:06:27.592: Perform on curlHandle 0xe44db58 ... *cids-cl Task: Jun 24 13:06:27.624: Response code is 7: *cids-cl Task: Jun 24 13:06:27.624: Curl Error! Response 7:couldn't connect to hostThis is going to cause issues with IDM, but let's try anyway:
IPS# conf t IPS(config)# service web-server IPS(config-web)# enable-tls true IPS(config-web)# port 443 IPS(config-web)# exit Apply Changes?[yes]: yes IPS(config)# exit IPS# (Cisco Controller) >debug wps cids enable (Cisco Controller) >*osapiBsnTimer: Jun 24 13:13:32.405: cidsSdeeCallback is called *cids-cl Task: Jun 24 13:13:32.410: cidsProcessSdeeQuery: ip=10.1.4.155,port=443 state=1 interval=60 *cids-cl Task: Jun 24 13:13:32.410: cidsQuerySend: https://10.1.4.155:443/cgi-bin/transaction-server?command=getShunEntryList *cids-cl Task: Jun 24 13:13:32.410: curlHandle is 0xe44db58 *cids-cl Task: Jun 24 13:13:32.410: Perform on curlHandle 0xe44db58 ... *cids-cl Task: Jun 24 13:13:32.538: ssl_sensor_verify_callback: verifying cert from sensor *cids-cl Task: Jun 24 13:13:32.538: Cert fingerprint verified *cids-cl Task: Jun 24 13:13:32.831: Response code is 0: *cids-cl Task: Jun 24 13:13:32.831: Add 123.123.123.123 from local sensor 10.1.4.155 to shun-list *cids-cl Task: Jun 24 13:13:32.831: xmlDoc buffer freed *cids-cl Task: Jun 24 13:13:32.831: Parser cleaned *cids-cl Task: Jun 24 13:13:32.831: 0 cids-update groupcast messages sentLooks better. We can even see a manually created entry I made earlier on the IPS:
Of course, this is only as good as the stability of the IPS, so it quickly craps out:
The point has been proven, though.
The IPS is kind of pissing me off. It keeps needing to be reset, which is just wasting time. But I think we can leave it there.
It's time to move on and look at VPNs.