Introduction
During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples that students can use to test basic settings for VPN, IPS and other features. These tasks were created for Virtlab (a virtual lab built on physical Cisco routers); however, the configuration is valid and has been tested on physical Cisco routers as well.
Each task in the series will have its own post with a brief description of the task and a schema. The complete task can be downloaded from my OneDrive.
NS2 – Modul2 2.3.3 ASA task definition
IPS on ASA
Goal
- Initialize the Intrusion Prevention System (IPS) on the ASA.
- Generate a test message.
- Verify the IPS configuration.
- Do not forget to clear the configuration before you start.
Required time
1 hour
Theoretical background
Follow this link for the theoretical background of this task: Cisco IPS white papers.
Configuration
PC1
ifconfig int3 10.0.0.2 netmask 255.255.255.0 ;set IP address
route add default gw 10.0.0.1 dev int3 ;set default gateway
PC2
ifconfig int4 192.168.1.2 netmask 255.255.255.0 ;set IP address
route add default gw 192.168.1.1 dev int4 ;set default gateway
ASA
1) basic interface settings
ASA-IPS(config)# domain-name test ;set domain name
ASA-IPS(config)# interface INT1
ASA-IPS(conf-if)# switchport mode access
ASA-IPS(conf-if)# switchport access vlan 10
ASA-IPS(conf-if)# no shutdown
ASA-IPS(conf-if)# interface vlan 10
ASA-IPS(conf-if)# ip address 10.0.0.1 255.255.255.0
ASA-IPS(conf-if)# nameif outside
ASA-IPS(conf-if)# no shutdown
ASA-IPS(config)# interface INT2
ASA-IPS(conf-if)# switchport mode access
ASA-IPS(conf-if)# switchport access vlan 20
ASA-IPS(conf-if)# no shutdown
ASA-IPS(conf-if)# interface vlan 20
ASA-IPS(conf-if)# nameif inside
ASA-IPS(conf-if)# ip address 192.168.1.1 255.255.255.0
ASA-IPS(conf-if)# no shutdown
2) NAT settings
ASA-IPS(config)# static (inside,outside) 10.0.0.3 192.168.1.2 netmask 255.255.255.255 ;static address translation
ASA-IPS(config)# access-list outsidein permit icmp any host 10.0.0.3 ;access list permitting ICMP traffic to the inside host
ASA-IPS(config)# access-group outsidein in interface outside ;apply the access list to the interface
3) configuration of IPS
ASA-IPS(config)# ip audit name AUDITNAMEPOLICY2 attack action alarm ;define a named policy for what to do when an attack signature is matched
ASA-IPS(config)# ip audit name AUDITNAMEPOLICY info action alarm ;define a named policy for what to do when an informational signature is matched
ASA-IPS(config)# ip audit interface outside AUDITNAMEPOLICY ;apply the policy to the interface
ASA-IPS(config)# ip audit interface outside AUDITNAMEPOLICY2
4) logging settings
ASA-IPS(config)# logging enable ;enable logging globally
ASA-IPS(config)# logging facility 20 ;set the syslog facility to 20
ASA-IPS(config)# logging trap warnings ;set the logging level
ASA-IPS(config)# logging host inside 192.168.1.2 ;syslog server (reached via the inside interface) to which the device logs
5) syslog server
For Virtlab users this is preconfigured in the image and does not need to be touched.
The following is the Linux configuration.
edit /etc/syslog.conf: add the line 20.* /var/log/NS2-IDS.log ;insert the line at the beginning of the configuration file (format: facility.severity filename.log)
edit /etc/init.d/sysklogd: replace SYSLOGD="" with SYSLOGD="-r" ;allow the syslog server to accept messages from remote hosts
restart the sysklogd daemon: /etc/init.d/sysklogd restart ;restart the server daemon (the same as restarting a service in Windows); the server is ready to use
Function test
check the ASA configuration
sh running ip audit ? ;display all options for showing the audit configuration
sh ip audit count ;show the number of signature matches and the signature names
ping
Extended ping (fragmented packets) from PC1 to PC2 – it will be logged to the syslog server according to the settings made above.
Syntax
win: ping -l <size> <host IP address> ;ping -l 50000 10.0.0.3
linux: ping -s <size> <host IP address> ;ping -s 50000 10.0.0.3
check the logs in the configured place – usually /var/log/NS2-IDS.log – you will see lines describing which signature was detected and which action was taken.
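Added example (not part of the original task and not Cisco's own code): a small Python script that models what points 4 and 5 and the function test produce together. It applies the ASA's logging trap threshold to a constructed set of messages, encodes the syslog PRI value the ASA would put on the wire (facility 20 is local4; with severity 4 for warnings that gives PRI 164), and parses the ip audit signature lines the way you would when checking /var/log/NS2-IDS.log, tallying hits per signature like sh ip audit count does. The message texts are constructed for this example following the %ASA-level-id: IDS:signature ... from ... to ... on interface ... format; verify the exact IDs and wording against the syslog message guide for your ASA version.

```python
"""Model of the lab's logging path: ASA 'logging trap' filter -> syslog PRI
encoding -> parsing of ip audit (IDS) lines on the syslog host.

Added example; the messages below are CONSTRUCTED, not captured from the lab.
"""
import re
from collections import Counter

# Severity keywords as used by 'logging trap <level>' (index = numeric level).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Constructed messages the ASA could generate during the oversized ping from
# PC1 (10.0.0.2) to PC2's static NAT address (10.0.0.3). The last one is an
# ordinary level-6 connection message, included to show the trap filter.
ASA_EVENTS = [
    "%ASA-4-400014: IDS:2004 ICMP echo request from 10.0.0.2 to 10.0.0.3 on interface outside",
    "%ASA-4-400023: IDS:2150 Fragmented ICMP traffic from 10.0.0.2 to 10.0.0.3 on interface outside",
    "%ASA-4-400024: IDS:2151 Large ICMP packet from 10.0.0.2 to 10.0.0.3 on interface outside",
    "%ASA-4-400024: IDS:2151 Large ICMP packet from 10.0.0.2 to 10.0.0.3 on interface outside",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.2/0 gaddr 10.0.0.3/0 laddr 192.168.1.2/0",
]

# 'search' (not 'match') so lines already prefixed by sysklogd with a
# timestamp and host name parse the same as raw ASA messages.
ASA_PREFIX = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$")
IDS_BODY = re.compile(
    r"^IDS:(?P<sig>\d+) (?P<name>.+?) from (?P<src>\S+) to (?P<dst>\S+)"
    r" on interface (?P<iface>\S+)$"
)


def severity_of(msg):
    """Numeric severity (0-7) taken from the %ASA-<sev>-<id> prefix, or None."""
    m = ASA_PREFIX.search(msg)
    return int(m.group("sev")) if m else None


def passes_trap(msg, trap):
    """True if 'logging trap <trap>' forwards msg: messages at the trap level
    and every more urgent (lower-numbered) level are sent, the rest dropped."""
    sev = severity_of(msg)
    return sev is not None and sev <= SEVERITIES.index(trap)


def syslog_pri(facility, severity):
    """PRI value carried in the syslog datagram header: facility*8 + severity."""
    return facility * 8 + severity


def encode_for_syslog(msg, facility=20, trap="warnings"):
    """Datagram text the ASA would send under the lab settings (facility 20 =
    local4, trap warnings); None when the trap filter drops the message."""
    if not passes_trap(msg, trap):
        return None
    return "<%d>%s" % (syslog_pri(facility, severity_of(msg)), msg)


def forwarded(msgs, trap="warnings"):
    """Subset of msgs that reaches the syslog host at the given trap level."""
    return [m for m in msgs if passes_trap(m, trap)]


def parse_ids(line):
    """Fields of an ip audit signature message, or None for any other line."""
    m = ASA_PREFIX.search(line)
    if not m:
        return None
    b = IDS_BODY.match(m.group("body"))
    if not b:
        return None
    d = b.groupdict()
    d["sig"] = int(d["sig"])
    d["msgid"] = m.group("msgid")
    return d


def ids_count(lines):
    """Hits per (signature number, name): the view 'sh ip audit count' gives."""
    c = Counter()
    for line in lines:
        d = parse_ids(line)
        if d:
            c[(d["sig"], d["name"])] += 1
    return c


if __name__ == "__main__":
    sent = forwarded(ASA_EVENTS)
    print("forwarded %d of %d messages at trap level 'warnings'"
          % (len(sent), len(ASA_EVENTS)))
    for msg in sent:
        print(" ", encode_for_syslog(msg))
    print("signature hits:")
    for (sig, name), n in sorted(ids_count(sent).items()):
        print("  %5d %-25s %d" % (sig, name, n))
```

Running the script shows four of the five messages passing the warnings threshold (the level-6 connection message is dropped before it ever reaches 192.168.1.2), each prefixed with <164>, and a per-signature tally that should agree with sh ip audit count on the ASA after the test ping. If the ASA counters increase but the file on the syslog host stays empty, the problem is in the logging or sysklogd -r step, not in the ip audit policy.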
Optional tasks
- set a different logging level (see logging trap in point 4)