CCIE Security Lab: IPS and WLC - shun lists

I am not feeling great today, the British public has just shown what a bunch of idiots they are and have voted to leave the EU. Absolutely crazy. But, despite feeling despondent, I need to finish off the IPS.

Today will be pretty quick. The goal is to get the WLC talking to the IPS. Why are we doing this, apart from "just because we can"?

The idea is that we will have traffic that may not be going through the IPS, predominantly Wifi traffic. The IPS is a clever thing and can use the signature-definition rules to create lists of IP addresses we "shun". So we get the benefits of the IPS, even when on the Wifi network.

Creating a shun list looks a bit like this:

IPS(config)# service signature-definition sig1

Editing new instance sig1.
IPS(config-sig)#   
IPS(config-sig)# signatures 64999 0
IPS(config-sig-sig)# alert-severity high 
IPS(config-sig-sig)# engine atomic-ip
IPS(config-sig-sig-ato)# event-action ?
produce-alert                         
produce-verbose-alert                 
deny-attacker-inline                  
deny-connection-inline                
deny-packet-inline                    
log-attacker-packets                  
log-pair-packets                      
log-victim-packets                    
request-block-connection              request NAC to shun this connection
request-block-host                    request NAC to shun this attacker host
request-snmp-trap                     
reset-tcp-connection                  
deny-attacker-victim-pair-inline      
deny-attacker-service-pair-inline     
IPS(config-sig-sig-ato)# event-action request-block-host
IPS(config-sig-sig-ato)# 

I won't be using this one, though, I will be editing the existing signature we set up in the previous post.

IPS(config)# service signature-definition sig0

IPS(config-sig)# signatures 60101 0
IPS(config-sig-sig)# engine atomic-ip
IPS(config-sig-sig-ato)# event-action produce-verbose-alert
IPS(config-sig-sig-ato)# event-action request-block-host
IPS(config-sig-sig-ato)# exit
IPS(config-sig-sig)# show settings 
   sig-id: 60101
   subsig-id: 0
   -----------------------------------------------
      alert-severity: high default: medium
      sig-fidelity-rating: 75 
      promisc-delta: 0 
      sig-description
      -----------------------------------------------
         sig-name: My Sig 
         sig-string-info: My Sig Info 
         sig-comment: Sig Comment 
         alert-traits: 0 
         release: custom 
         sig-creation-date: 20000101 
         sig-type: Other 
      -----------------------------------------------
      engine
      -----------------------------------------------
         atomic-ip
         -----------------------------------------------
            event-action: request-block-host default: produce-alert
            fragment-status: any 
            specify-l4-protocol
            -----------------------------------------------
               yes

IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes 
IPS(config)#

The rest of the settings are the same as the previous post, so I have truncated the output.

The next step is to set up a user for the WLC on the IPS. I am cribbing from this Cisco doc by the way!

IPS(config)# service network-access 
IPS(config-net)# user-profile vWLC
IPS(config-net-use)# username vWLC
IPS(config-net-use)# password
Enter password[]: *****
Re-enter password: *****
IPS(config-net-use)# enable-password
Enter enable-password[]: *****
Re-enter enable-password: *****
IPS(config-net-use)# show settings
   profile-name: vWLC
   -----------------------------------------------
      enable-password: 
      password: 
      username: vWLC default: 
   -----------------------------------------------
IPS(config-net-use)# exit
IPS(config-net)# exit
Apply Changes?[yes]: yes 
IPS(config)# 

Moving on to the WLC, we head to Security > Advanced > CIDS.

Click on "New" in the top right-hand corner and enter the details:

If you are wondering how to get the SHA fingerprint, that comes from the IPS:

IPS# sh tls fingerprint

MD5: 34:F0:0A:8B:F5:4F:E0:89:2A:99:0C:8F:A1:22:64:CF
SHA1: 8F:4E:BF:26:8C:62:8E:5E:C3:80:F4:FD:D4:15:FC:1C:1A:46:80:DF
IPS# 

This then goes on our list:

We should be able to pull data from the IPS now - if it worked:

(Cisco Controller) >debug wps cids enable 
(Cisco Controller) >*osapiBsnTimer: Jun 24 13:06:27.592: cidsSdeeCallback is called
*cids-cl Task: Jun 24 13:06:27.592: cidsProcessSdeeQuery: ip=10.1.4.155,port=443 state=1 interval=60
*cids-cl Task: Jun 24 13:06:27.592: cidsQuerySend: https://10.1.4.155:443/cgi-bin/transaction-server?command=getShunEntryList
*cids-cl Task: Jun 24 13:06:27.592: curlHandle is 0xe44db58
*cids-cl Task: Jun 24 13:06:27.592: Perform on curlHandle 0xe44db58 ... 
*cids-cl Task: Jun 24 13:06:27.624: Response code is 7: 
*cids-cl Task: Jun 24 13:06:27.624: Curl Error! Response 7:couldn't connect to host 

This is going to cause issues with IDM, but let's try anyway:

IPS# conf t
IPS(config)# service web-server 
IPS(config-web)# enable-tls true
IPS(config-web)# port 443
IPS(config-web)# exit
Apply Changes?[yes]: yes
IPS(config)# exit
IPS#


(Cisco Controller) >debug wps cids enable 
(Cisco Controller) >*osapiBsnTimer: Jun 24 13:13:32.405: cidsSdeeCallback is called
*cids-cl Task: Jun 24 13:13:32.410: cidsProcessSdeeQuery: ip=10.1.4.155,port=443 state=1 interval=60
*cids-cl Task: Jun 24 13:13:32.410: cidsQuerySend: https://10.1.4.155:443/cgi-bin/transaction-server?command=getShunEntryList
*cids-cl Task: Jun 24 13:13:32.410: curlHandle is 0xe44db58
*cids-cl Task: Jun 24 13:13:32.410: Perform on curlHandle 0xe44db58 ... 
*cids-cl Task: Jun 24 13:13:32.538: ssl_sensor_verify_callback: verifying cert from sensor
*cids-cl Task: Jun 24 13:13:32.538: Cert fingerprint verified
*cids-cl Task: Jun 24 13:13:32.831: Response code is 0: 
*cids-cl Task: Jun 24 13:13:32.831: Add 123.123.123.123 from local sensor 10.1.4.155 to shun-list
*cids-cl Task: Jun 24 13:13:32.831: xmlDoc buffer freed
*cids-cl Task: Jun 24 13:13:32.831: Parser cleaned
*cids-cl Task: Jun 24 13:13:32.831: 0 cids-update groupcast messages sent

Looks better. We can even see a manually created entry I made earlier on the IPS:

Of course, this is only as good as the stability of the IPS, so it quickly craps out:

The point has been proven, though.

The IPS is kind of pissing me off. It keeps needing to be reset, which is just wasting time. But I think we can leave it there.

It's time to move on and look at VPNs.

CCIE Security Lab: IPS - CLI to GUI and back again

I started on the IPS a little while ago, in this post, and then in this post. Then went and rebuilt the lab using Arista switches, and now the stability is much improved. In doing so I moved from the IPS and into ISE, but there is much left to do with the IPS.

Options with the IPS seems to be limited, for me at least. I can't get IDM to work over HTTPS, but HTTP works:

IPS(config)# service web
IPS(config-web)# enable-tls false
IPS(config-web)# port 80 
IPS(config-web)# exit
Apply Changes?[yes]: yes 
IPS(config)# 

Temporarily.

Fucking Java.

So, let's do this from the CLI instead:

Gives me another excuse to post pictures of Rachel Riley.

So, what do we need to achieve?

I want an interface pair, and I'll take Gi0/1 and Gi0/2 for these, and a VLAN pair, using Gi0/3, then we'll set up some custom signatures.

Let's go!

IPS interface pairs

We start in the "service interface" section:

IPS(config)# service interface 
IPS(config-int)# ?
bypass-mode                 
cdp-mode                    
default                     
exit                        
inline-interfaces           
interface-notifications     
no                          
physical-interfaces         
show                        
IPS(config-int)# 

I have removed the descriptions because they were long...

IPS(config-int)# inline-interfaces Inline-VS 
IPS(config-int-inl)# interface1 ?
GigabitEthernet0/0     GigabitEthernet0/0 physical interface.
GigabitEthernet0/1     GigabitEthernet0/1 physical interface.
GigabitEthernet0/2     GigabitEthernet0/2 physical interface.
GigabitEthernet0/3     GigabitEthernet0/3 physical interface.
Management0/0          Management0/0 physical interface.
IPS(config-int-inl)# interface1 GigabitEthernet0/1
IPS(config-int-inl)# interface2 GigabitEthernet0/2
IPS(config-int-inl)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes 
IPS(config)# 

That's the first part of the interface pair, let's do the VLAN pair:

IPS(config)# service interface 
IPS(config-int)# physical-interfaces GigabitEthernet0/3  
IPS(config-int-phy)# subinterface-type inline-vlan-pair 
IPS(config-int-phy-inl)# subinterface 1 
IPS(config-int-phy-inl-sub)# vlan1 4
IPS(config-int-phy-inl-sub)# vlan2 90
IPS(config-int-phy-inl-sub)# exit
IPS(config-int-phy-inl)# exit
IPS(config-int-phy)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes 
IPS(config)# exit
IPS# 

I can't see where to name this, though, so hopefully the config should show us. Well, this is the relevant part of the config, but there is no name, maybe we don't need it:

service interface
physical-interfaces GigabitEthernet0/3 
subinterface-type inline-vlan-pair
subinterface 1 
vlan1 4
vlan2 90
exit
exit
exit
inline-interfaces Inline-VS 
interface1 GigabitEthernet0/1
interface2 GigabitEthernet0/2
exit
exit

The next step is to create the virtual sensors and assign the interfaces to them (or maybe it's the other way around).

It is important to make sure that all the interfaces are up:

IPS(config)# service interface 
IPS(config-int)# physical-interfaces GigabitEthernet0/3
IPS(config-int-phy)# admin-state enabled
IPS(config-int)# exit
Apply Changes?[yes]: yes 
IPS(config)# exit
IPS# show interfaces brief
CC   Interface            Sensing State   Link   Inline Mode                                Pair Status   
     GigabitEthernet0/0   Disabled        Down   Unpaired                                   N/A           
     GigabitEthernet0/1   Enabled         Up     Paired with interface GigabitEthernet0/2   Up            
     GigabitEthernet0/2   Enabled         Up     Paired with interface GigabitEthernet0/1   Up            
     GigabitEthernet0/3   Enabled         Up     Inline-vlan-pair                           N/A           
*    Management0/0        Disabled        Up                                                              
IPS# 

Back to the virtual sensor:

IPS(config)# service analysis-engine
IPS(config-ana)# virtual-sensor VS-VS 
IPS(config-ana-vir)# signature-definition sig0

IPS(config-ana-vir-ano)# anomaly-detection-name ad0
IPS(config-ana-vir-ano)# exi
IPS(config-ana-vir)# event-action-rules rules0

IPS(config-ana-vir)# 
IPS(config-ana-vir)# logical-interface Inline-VS 
IPS(config-ana-vir)# 
IPS(config-ana-vir)# show setting
   name: VS-VS
   -----------------------------------------------
      description:  
      signature-definition: sig0 default: sig0
      event-action-rules: rules0 default: rules0
      anomaly-detection
      -----------------------------------------------
         anomaly-detection-name: ad0 default: ad0
         operational-mode: detect 
      -----------------------------------------------
      physical-interface (min: 0, max: 999999999, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      logical-interface (min: 0, max: 999999999, current: 1)
      -----------------------------------------------
         name: Inline-VS
         subinterface-number: 0 
         -----------------------------------------------
      -----------------------------------------------
      inline-TCP-session-tracking-mode: virtual-sensor 
      inline-TCP-evasion-protection-mode: strict 
   -----------------------------------------------
IPS(config-ana-vir)# exit
IPS(config-ana)# exit
Apply Changes?[yes]: yes 
IPS(config)# 

Let's create the other one with the VLAN pair:

IPS(config)# service analysis-engine 
IPS(config-ana)# virtual-sensor VS-VP
IPS(config-ana-vir)# signature-definition sig0

IPS(config-ana-vir)# event-action-rules rules0
                                             
IPS(config-ana-vir)# 
IPS(config-ana-vir)# physical-interface GigabitEthernet0/3 subinterface-number 1
IPS(config-ana-vir)# exi 
IPS(config-ana-vir)# anomaly-detection 
IPS(config-ana-vir-ano)# anomaly-detection-name ad0
IPS(config-ana)# exit
IPS(config-ana-vir)# show settings 
   name: VS-VP
   -----------------------------------------------
      description:  
      signature-definition: sig0 default: sig0
      event-action-rules: rules0 default: rules0
      anomaly-detection
      -----------------------------------------------
         anomaly-detection-name: ad0 default: ad0
         operational-mode: detect 
      -----------------------------------------------
      physical-interface (min: 0, max: 999999999, current: 1)
      -----------------------------------------------
         name: GigabitEthernet0/3
         subinterface-number: 1 default: 0
         -----------------------------------------------
      -----------------------------------------------
      logical-interface (min: 0, max: 999999999, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      inline-TCP-session-tracking-mode: virtual-sensor 
      inline-TCP-evasion-protection-mode: strict 
   -----------------------------------------------
IPS(config-ana-vir)# 
Apply Changes?[yes]: yes 
IPS(config)# 

Now let's create a custom signature, which is intended to produce a high-severity alert if it sees a telnet connection coming from the 192.168.90.0/24 subnet:

IPS(config)# service signature-definition sig0

IPS(config-sig)# signatures ?
     
IPS(config-sig)# signatures 60101 ?
     
IPS(config-sig)# signatures 60101 0           
IPS(config-sig-sig)# alert-severity high                        
IPS(config-sig-sig)# engine atomic-ip              
IPS(config-sig-sig-ato)# event-action produce-verbose-alert  
IPS(config-sig-sig-ato)# specify-l4-protocol yes                
IPS(config-sig-sig-ato-yes)# l4-protocol tcp                 
IPS(config-sig-sig-ato-yes-tcp)# no tcp-flags
IPS(config-sig-sig-ato-yes-tcp)# no tcp-mask
IPS(config-sig-sig-ato-yes-tcp)# specify-dst-port yes   
IPS(config-sig-sig-ato-yes-tcp-yes)# dst-port 23 
IPS(config-sig-sig-ato-yes-tcp-yes)# exi
IPS(config-sig-sig-ato-yes-tcp)# specify-src-port no
IPS(config-sig-sig-ato-yes-tcp)# exit
IPS(config-sig-sig-ato-yes)# exit           
IPS(config-sig-sig-ato)# specify-ip-addr-options yes     
IPS(config-sig-sig-ato-yes)# ip-addr-options ip-addr   
IPS(config-sig-sig-ato-yes-ip)# specify-src-ip-addr yes   
IPS(config-sig-sig-ato-yes-ip-yes)# src-ip-addr 192.168.90.1-192.168.90.254
IPS(config-sig-sig-ato-yes-ip-yes)# 
IPS(config-sig-sig-ato-yes-ip-yes)# exit
IPS(config-sig-sig-ato-yes-ip)# exit
IPS(config-sig-sig-ato-yes)# exit
IPS(config-sig-sig-ato)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes 
IPS(config)#   

This shows in the config as follows:

service signature-definition sig0
signatures 60101 0 
alert-severity high
engine atomic-ip
event-action produce-verbose-alert
specify-l4-protocol yes
l4-protocol tcp
no tcp-flags
no tcp-mask
specify-dst-port yes
dst-port 23
exit
specify-src-port no
exit
exit
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr 192.168.90.1-192.168.90.254

This is all well and good, but we need to turn it on for it to be effective:

IPS(config)# service signature-definition sig0
IPS(config-sig)# signatures 60101 0
IPS(config-sig-sig)# status
IPS(config-sig-sig-sta)# enabled true
IPS(config-sig-sig-sta)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes 
IPS(config)#  

Looks good, but we need the IPS to get the traffic. At the moment there is no reason why it should get the traffic, and this is partly a bad design choice on my part, and having moved my switches over to Arista, I lose the remote-span functionality, but we are not totally out of luck:

SW2(config)#monitor session trunky source e10
SW2(config)#monitor session trunky destination e18
SW2(config)#exi
SW2#sh mon sess

Session trunky
------------------------

Source Ports:

  Both:        Et10

Destination Ports:

    Et18 :  active


SW2#sh int e18 sta
Port       Name              Status       Vlan        Duplex  Speed Type        
Et18       IPS               connected    monitoring    full unconf EbraTestPhyP

SW2#

With this in place, we do get the telnet traffic (from MGMT-PC to 10.1.4.101) mirrored towards the IPS:

Not getting anything on the IPS though:

IPS# sh events alert high

The lack of output isn't to say that it's not working. I look after a handful of IPS modules for work, and they are slow, not as slow as this one is, but still very slow. Thankfully, although IDM access is a little hit and miss, it does show that this works:

The console does seem to take an extraordinarily long time, though, so it looks like its waiting for a response, but this does work, and, at nearly 10 pm, that's the goal. Thankfully I managed to pull the results out of IDM before Java shit the bed (for the ten billionth time).

I will be saving WLC integration for another day.

CCIE Security lab: IPS Part 2 - Oh, you motherf-IPS!

I posted yesterday about the IPS, in that it had a tendency to go to sleep on me, and not wake up. However, the IPS is a pretty big part of the CCIE Security lab, so it needs to be working! Through the power of the internet, it turns out that this is not an uncommon issue.

@802101stu Well i faced same issue, and some other minor things, but finally found that bug was with the image which i was using

— mzStanikzai (@mzStanikzai) 3 May 2016

This guy is also working towards his CCIE Security, so follow him on Twitter.

So I started again from scratch, new source, followed the IPS creation docs (see the cznetlab link from yesterday), and everything booted up.

So I ran the setup:

sensor# setup


    --- Basic Setup ---

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.



Current time: Wed May  4 09:45:54 2016

Setup Configuration last modified: Wed May 04 09:45:35 2016

Enter host name[sensor]: IPS-4240
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.4.155/24,10.1.4.254
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 10.1.4.0/24
Permit: 10.1.20.0/24
Permit: 
Use DNS server for Global Correlation?[no]: 
Use HTTP proxy server for Global Correlation?[no]: 
Modify system clock settings?[no]: 
Participation in the SensorBase Network allows Cisco to
collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]: 

The following configuration was entered.

service host
network-settings
host-ip 10.1.4.155/24,10.1.4.254
host-name IPS-4240
telnet-option disabled
access-list 10.1.4.0/24 
access-list 10.1.20.0/24 
ftp-timeout 300
no login-banner-text
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service global-correlation
network-participation off
exit


[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.

--- Configuration Saved ---

Complete the advanced setup using CLI or IDM.
To use IDM,point your web browser at https://.

sensor#

All looked good. I switched to non-TLS, and IDM started to load... then hung. Again the IPS won't communicate with anything else.

So I get another IPS-4240 source, and the same things happens again. This is really starting to piss me off now.

Oddly, it only seems to crap out once I start to use the GUI, so could this be the issue? Am I destined know IPS purely by the CLI? That's no bad thing. So let's see how far I can go in the CLI. Starting by creating some users. Thankfully the IPS supports context sensitive help, and there is a username command:

IPS-4240(config)# username ipsadmin privilege administrator password Admin1234
IPS-4240(config)# username ipsoper privilege operator password Oper1234
IPS-4240(config)# username ipsview privilege viewer password View1234
IPS-4240(config)# 

That was a nice, easy start. The rest of the cool stuff lives under the "service command":

IPS-4240(config)# service ?
aaa                            Enter configuration mode for AAA options.
analysis-engine                Enter configuration mode for global analysis engine options.
anomaly-detection              Enter configuration mode for anomaly-detection.
authentication                 Enter configuration mode for user authentication options.
event-action-rules             Enter configuration mode for the event action rules.
external-product-interface     Enter configuration mode for the interfaces to external products.
global-correlation             Enter configuration mode for global correlation configuration.
health-monitor                 Enter configuration mode for health and security monitoring.
host                           Enter configuration mode for host configuration.
interface                      Enter configuration mode for interface configuration.
logger                         Enter configuration mode for debug logger.
network-access                 Enter configuration mode for the network access controller.
notification                   Enter configuration mode for the notification application.
signature-definition           Enter configuration mode for the signature definition.
ssh-known-hosts                Enter configuration mode for configuring SSH known hosts.
trusted-certificates           Enter configuration mode for configuring trusted certificates.
web-server                     Enter configuration mode for the web server application.
IPS-4240(config)# service 

Let's try and create a new signature. This will have some basic goals. It'll produce a high-severity alert on matches to tcp port 93. I kind of stumbled my way through, so have cleaned it up a bit:

IPS-4240(config)# service signature-definition sig2
Editing new instance sig2.

IPS-4240(config-sig)# 
IPS-4240(config-sig)# signatures ?
<1000-65000>     
IPS-4240(config-sig)# signatures 65000 ?
<0-255>     
IPS-4240(config-sig)# signatures 65000 0
IPS-4240(config-sig-sig)# alert-severity ?
high              Dangerous Alert.
medium            Medium level alert
low               Low level alert
informational     Informational alert.
IPS-4240(config-sig-sig)# alert-severity high
IPS-4240(config-sig-sig)# engine atomic-ip
IPS-4240(config-sig-sig-ato)# ?
default                          
event-action                     
exit                             
fragment-status                  
no                               
show                             
specify-ip-addr-options          
specify-ip-header-length         
specify-ip-id                    
specify-ip-option-inspection     
specify-ip-payload-length        
specify-ip-tos                   
specify-ip-total-length          
specify-ip-ttl                   
specify-ip-version               
specify-l4-protocol              
swap-attacker-victim             
IPS-4240(config-sig-sig-ato)# event-action produce-alert 
IPS-4240(config-sig-sig-ato)# specify-l4-protocol yes
IPS-4240(config-sig-sig-ato-yes)# l4-protocol tcp
IPS-4240(config-sig-sig-ato-yes-tcp)# exit
Error: /tcp/tcp-flags/ -- the value is empty and has no default
/tcp/tcp-mask/ -- the value is empty and has no default

% Please answer 'yes' or 'no'. no]: no tcp-flags
Would you like to exit anyway?[no]: no 
IPS-4240(config-sig-sig-ato-yes-tcp)# no tcp-flags 
IPS-4240(config-sig-sig-ato-yes-tcp)# no tcp-mask
IPS-4240(config-sig-sig-ato-yes-tcp)# specify-dst-port yes 
IPS-4240(config-sig-sig-ato-yes-tcp-yes)# dst-port 93
IPS-4240(config-sig-sig-ato-yes-tcp-yes)# exit
IPS-4240(config-sig-sig-ato-yes-tcp)# exit
IPS-4240(config-sig-sig-ato-yes)# exit
IPS-4240(config-sig-sig-ato)# exit
IPS-4240(config-sig-sig)# exit
Apply Changes?[yes]: yes 
IPS-4240(config)# 

So, that took a fair amount of time, so I thought I'd see if I could access it by the IDM, just in case I wasn't waiting long enough after booting. But even without trying IDM, I had still lost contact with the network:

IPS-4240# ping 10.1.4.254
PING 10.1.4.254 (10.1.4.254): 56 data bytes

--- 10.1.4.254 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
IPS-4240# 

Arse.

This is going to make using the IPS as an IPS so much harder!

Broadening the Google search I can across these posts:

https://supportforums.cisco.com/discussion/12207411/ips-70-gns3
https://gns3.com/qa/ips-7-network-connection-refused

Both have a similar issue (Connection Refused) - but that's through Telnet, whereas I would not see this on the console. The proposed fix is this though:

Qemu Options: -smbios type=1,product=IPS-4240,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240

The existing UNL template can be amended to achieve this quite easily.

So let's give this a go!

I edited the template, deleted and readded the IPS, fired it up, reconfigured it, and....

Yep. It all stops again.

So I rebooted. EVERYTHING. All nodes were stopped. I turned the oven on (not related, I'm just hungry), UNL got rebooted, I closed the lab and reopened it, and things were started again.

So, what do you reckon?

Did it work?

Actually, I think it might have done. IDM has loaded, and the ping seems solid:

So, for those having the same issue at home, just a little recap (some steps may not be needed, but this is what has worked for me tonight):

Turn off all nodes
Edit the template file: /opt/unetlab/html/templates/cips.php
Use this code:

<?php
# vim: syntax=php tabstop=4 softtabstop=0 noexpandtab laststatus=1 ruler

/**
 * html/templates/cips.php
 *
 * cips template for UNetLab.
 *
 * LICENSE:
 *
 * This file is part of UNetLab (Unified Networking Lab).
 *
 * UNetLab is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * UNetLab is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with UNetLab.If not, see .
 *
 * @author Andrea Dainese 
 * @copyright 2014-2016 Andrea Dainese
 * @license http://www.gnu.org/licenses/gpl.html
 * @link http://www.unetlab.com/
 * @version 20151116
 */

$p['type'] = 'qemu';
$p['name'] = 'IPS'; 
$p['icon'] = 'Network Analyzer.png';
$p['cpu'] = 1;
$p['ram'] = 2048; 
$p['ethernet'] = 5; 
$p['console'] = 'telnet'; 
$p['qemu_arch'] = 'i386';
$p['qemu_version'] = '1.3.1';
$p['qemu_options'] = '-machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240/4255';
?>

Save it
Reboot UNL (completely)
Start things up again.

Hopefully it will work for you as well!

This is the only time I have been able to get into IDM, and so far (all 12 minutes), it has been stable!

EDIT: Make that 17 minutes! Wooo Hooo!

CCIE Security lab: IPS Part 1 - Wake up IPS, why are you sleeping?

Man, I hate Java. It sucks. It gets updated due to Security issues, and access to ASA and IPS GUIs breaks. So you have to either stay with the security issues and not upgrade, or lose access to your hardware. It sucks.

That said, it does mean that I can ditch the GUI and learn the IPS CLI better! You know, silver lining and all that jazz.

OK, so the easiest way to get up and running with the IPS is to use the "setup" command. Or you can find this useful command out later, and do it the hard way, like I did, but I got there in the end:

IDS-4240# conf t
IDS-4240(config)# service host
IDS-4240(config-hos)# network-settings 
IDS-4240(config-hos-net)# host-ip 10.1.4.155/24,10.1.4.254
IDS-4240(config-hos-net)# telnet-option enab
IDS-4240(config-hos-net)# exit
IDS-4240(config-hos)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 10.1.4.155/24,10.1.4.254 default: 192.168.1.2/24,192.168.1.1
      host-name: IDS-4240 default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 2)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
         network-address: 192.168.1.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds 
      login-banner-text:  
      dns-primary-server
IDS-4240(config-hos)# exit
Apply Changes?[yes]: yes 
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.
IDS-4240(config)# 
IDS-4240# ping 10.1.4.254
PING 10.1.4.254 (10.1.4.254): 56 data bytes
64 bytes from 10.1.4.254: icmp_seq=0 ttl=255 time=27.0 ms
64 bytes from 10.1.4.254: icmp_seq=1 ttl=255 time=5.2 ms
IDS-4240#

I needed to add a couple of ACLs, and we do that this way:

IDS-4240(config)# service host
IDS-4240(config-hos)#network-settings
IDS-4240(config-hos-net)# access-list 10.1.20.0/24
IDS-4240(config-hos-net)# access-list 10.1.4.0/24
IDS-4240(config-hos-net)# exit
IDS-4240(config-hos)#exit

If you want to run the IDM (the easy way), then you'll need to create an exception in Java for the http site, then turn off TLS (and props to CZNetlab for the tips):

IDS-4240(config)# service web-server
IDS-4240(config-web)# enable-tls false
IDS-4240(config-web)# port 80
IDS-4240(config-web)# ex
Apply Changes?[yes]: yes 
IDS-4240(config)# exit

We lose security, but gain accessibility. But it's a lab, so I guess thats OK. Oh, wait, it's a security exam though.... I won't tell if you won't.

Right, so what can we do now? Well, we need to do a few things:

1. Set up VLAN-pairs for monitoring
2. Set up some custom rules
3. Set up a shun-list that can be used by the vWLC

This would be easier in the GUI, and it would also be a lot easier if the IPS was more stable. But it feels like it goes to sleep and does not wake up again. The IPS has been reset (rebooted), and UNetLab has been rebooted as well. But the IPS just does not seem to want to play ball for very long.

It hangs at 51%, and the pings fail:

IDS-4240# ping 10.1.4.254
PING 10.1.4.254 (10.1.4.254): 56 data bytes

--- 10.1.4.254 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
IDS-4240# ping 10.1.4.1
PING 10.1.4.1 (10.1.4.1): 56 data bytes

--- 10.1.4.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
IDS-4240# 

Even with doubling the memory, the same issue exists. I still have console access, so can set up everything I need to via the command line, but when it comes to testing it, I'll be shit out of luck at the moment as connectivity will drop.

Other devices are fine though, so it looks very much like its confined to the IPS.

Well, I am off to the drawing board (and the forum). If anyone has any ideas, please do post them below!

Cisco IPS on UNetLab

I saw this link on LinkedIn today, and it's really good, so I thought I would post a link to it here.

So, it you want to run a Cisco IPS on your UNetLab install, click the link through to cznetlab.cz

Here is the link:

http://www.cznetlab.cz/index.php?cat=cciesec&subcat=unlips

It is a good read!

RADIUS authentication on Cisco IPS using Microsoft 2008 NPS

Radius allows us to use network credentials to access things like routers, switches and, in this case, the IPS modules. Perfect for limiting down the number of local accounts you have across the network.

This is coming as part of my job, so due to the nature of it the images have been edited (not very well I admit) to remove anything pertinent.  

Here are the steps for getting the IPS modules on a Cisco ASA, or router to use Microsoft 2008 NPS Server for RADIUS authentication.