Configuring IOS Firewall Intrusion Detection
The process used to configure the IOS Firewall IDS is far more detailed and complex than the process used to configure most technologies. However, if you take one step at a time, the task becomes a bit easier. If the router IDS is configured to log messages to a syslog server and not a CiscoSecure IDS Director, the configuration can be made even simpler. To enable the IOS Firewall IDS, follow these steps:
1. Use this command to send event notifications to a CiscoSecure IDS Director or to a syslog server:
ip audit notify <nr-director | log>
The nr-director keyword specifies a CiscoSecure IDS Director and the log keyword specifies a syslog server.
2. Use the following command to configure the Post Office parameters for the local router:
ip audit po local <hostid host-id> <orgid org-id>
The host-id is a unique number between 1 and 65535 that identifies the router, and org-id is a unique number between 1 and 65535 that identifies the organization to which the router and Director both belong. Use this command if events are being sent to a CiscoSecure IDS Director.
3. If alarms are being sent to a CiscoSecure IDS Director, the Post Office parameters for the CiscoSecure IDS Director must be configured on the router by using this command:
ip audit po remote <hostid host-id> <orgid org-id> <rmtaddress ip-address> <localaddress ip-address> <port port-number> <preference preference-number> <timeout seconds> <application application-type>
The host-id is a unique number between 1 and 65535 that identifies the Director. The org-id is a unique number between 1 and 65535 that identifies the organization to which the router and Director both belong. The rmtaddress ip-address is the Director's IP address. The localaddress ip-address is the router's interface IP address. The port-number identifies the UDP port on which the Director is listening for alarms; port 45000 is the default. The preference-number is the priority of the route to the Director. The seconds value is the number of seconds the Post Office waits before it determines that a connection has timed out. The application-type can be either director or logger.
4. Use the following command to define the audit rules used by the IOS Firewall IDS:
ip audit name audit-name <info | attack> <list standard-acl> <action alarm | drop | reset>
5. Optionally, use the following command to specify the default action the IOS Firewall IDS should take for info and attack signatures (if this command is not used, the default action is to send an alarm):
ip audit <info | attack> action <alarm | drop | reset>
6. Optionally, use this command to configure the recipient threshold at which an email message is suspected of being spam:
ip audit smtp spam <recipients>
The recipients option is the maximum number of recipients in an email message; the default is 250 recipients.
7. Optionally, use this command to set the threshold that, once reached, causes queued events destined for the CiscoSecure IDS Director to be dropped from the queue:
ip audit po max-events <events>
8. Use the following command to disable the signatures that should not be included in the audit rule:
ip audit signature signature-id <disable | list acl-list>
9. Use this command to apply the audit rule to an interface:
ip audit audit-name <in | out>
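As an added example (not code from the book), the following Python script applies the consistency rules implied by steps 1 through 9 to a router configuration before it is deployed: hostid and orgid values must fall in 1..65535, notifying a Director requires both local and remote Post Office parameters, the local and remote orgid must agree, actions must be alarm, drop or reset, and every audit rule applied to an interface must be defined (and every defined rule applied somewhere). The sample configuration is constructed after Listing 4.22; the localaddress value and the interface name Ethernet0 are assumptions, since the printed listing omits both.

```python
"""Consistency checks for an IOS Firewall IDS configuration.

Added example, not code from the book. It applies the rules implied by the
configuration procedure: hostid/orgid range 1..65535, notify nr-director
needing Post Office parameters, local and remote orgid agreeing, valid
actions, and every applied audit rule being defined (and vice versa).
"""

ID_RANGE = range(1, 65536)          # hostid and orgid: 1..65535
VALID_ACTIONS = {"alarm", "drop", "reset"}

# Constructed sample modelled on Listing 4.22. The localaddress value and
# the interface name are assumptions; the printed listing omits both.
SAMPLE_CONFIG = """\
ip audit smtp spam 42
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 1 orgid 34
ip audit po remote hostid 5 orgid 34 rmtaddress 192.168.10.8 localaddress 192.168.10.1
ip audit name testrule info action alarm
ip audit name testrule attack action alarm drop reset
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip audit testrule in
"""


def _pairs(tokens):
    """'hostid 5 orgid 34 ...' -> {'hostid': '5', 'orgid': '34', ...}"""
    return dict(zip(tokens[0::2], tokens[1::2]))


def lint_ids_config(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    notify, local, remotes, rules, applied = set(), None, [], {}, []

    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["ip", "audit"]:
            continue                      # interface, ip address, ... are not IDS commands
        if len(tokens) == 4 and tokens[3] in ("in", "out"):
            applied.append((tokens[2], tokens[3]))   # ip audit <name> in|out
            continue
        sub, rest = tokens[2], tokens[3:]
        if sub == "notify":
            notify.add(rest[0].lower())
        elif sub == "po" and rest and rest[0] == "local":
            local = _pairs(rest[1:])
        elif sub == "po" and rest and rest[0] == "remote":
            remotes.append(_pairs(rest[1:]))
        elif sub == "name":
            name, sigtype = rest[0], rest[1]
            actions = set(rest[rest.index("action") + 1:]) if "action" in rest else set()
            rules.setdefault(name, {})[sigtype] = actions
            for bad in sorted(actions - VALID_ACTIONS):
                findings.append(f"rule {name}: unknown action {bad!r}")

    def check_id(value, what):
        if not value.isdigit() or int(value) not in ID_RANGE:
            findings.append(f"{what} {value!r} is not in 1..65535")

    if "nr-director" in notify:
        if local is None:
            findings.append("notify nr-director set but 'ip audit po local' is missing")
        if not remotes:
            findings.append("notify nr-director set but no 'ip audit po remote' entry")
    if local is not None:
        check_id(local.get("hostid", ""), "local hostid")
        check_id(local.get("orgid", ""), "local orgid")

    seen = set()
    for r in remotes:
        hid = r.get("hostid", "?")
        check_id(r.get("hostid", ""), "remote hostid")
        if local is not None and r.get("orgid") != local.get("orgid"):
            findings.append(f"remote hostid {hid} orgid {r.get('orgid')} "
                            f"differs from local orgid {local.get('orgid')}")
        if hid in seen:
            findings.append(f"duplicate remote hostid {hid}")
        seen.add(hid)
        for key in ("rmtaddress", "localaddress"):
            if key not in r:
                findings.append(f"remote hostid {hid} lacks {key}")

    for name, direction in applied:
        if name not in rules:
            findings.append(f"'ip audit {name} {direction}' applied but rule {name} is undefined")
    for name in rules:
        if all(n != name for n, _ in applied):
            findings.append(f"rule {name} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in lint_ids_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Running the script against the sample prints "no findings"; feeding it a configuration whose remote orgid differs from the local one, or that applies an undefined audit name to an interface, reports each problem on its own line, which is cheaper than discovering it from a silent Director.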
Other commands can be used with the IOS Firewall IDS, and they will be addressed as needed throughout the explanations that follow. Figure 4.8 displays a simple network design with a router that will be used to enable the IOS Firewall IDS. I will begin with a basic configuration of the IOS Firewall IDS. In this configuration, the audit rule testrule is created and is applied inbound on Router 3's Ethernet interface. Listing 4.22 outlines the configuration of Router 3.
Figure 4.8: Simple firewall IDS network design.
Listing 4.22: IDS configuration of Router 3.
ip audit smtp spam 42
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 1 orgid 34
! the remainder of the next line is cut off in the printed listing
ip audit po remote hostid 5 orgid 34 rmtaddress 192.168.10.8 -
ip audit name testrule info action alarm
ip audit name testrule attack action alarm drop reset
! interface name assumed; the printed listing omits the interface line
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip audit testrule in
In Listing 4.22, Router 3 is configured to perform the IOS Firewall IDS functions. The first line of the configuration uses the ip audit smtp command to specify the number of recipients in a mail message at which the intrusion detection system considers the message a spam attack once the threshold is reached or exceeded. The next line configures the IOS Firewall IDS to send messages to a CiscoSecure IDS Director. The next line configures the IOS Firewall IDS to send messages to a syslog server, which can also be the local logging service of the router. The ip audit po local command specifies the local Post Office parameters used when event notifications are sent to the CiscoSecure Director. A router can report to more than one CiscoSecure Director. In the event that two or more Directors are configured, you must give each Director a preference number that establishes its relative priority among the Directors. You can do this by using the hostid values. In Listing 4.22 above, only one remote Director has been configured, and it has been given a hostid value of 5; if you add another Director to the network and the router is supposed to prefer this Director over the previously configured Director, it would need to be configured with a lower hostid value. The router will always attempt to use the Director with the lowest number, switching automatically to the Director with the next higher number when a Director fails and then switching back when the failed Director begins functioning again.
The next two lines configure audit rules for the info and attack signature types using the name testrule and specify that, for matched info signatures, the action the router should take is to send an alarm—the default action. For attack signatures, the action the router should take is to send an alarm, drop the packets, and reset the session. The audit rule is then applied inbound on the Ethernet interface of Router 3. The IOS Firewall IDS software keeps detailed statistics that display the number of packets audited and the number of alarms sent. To view the statistics that the software has gathered, use the show ip audit statistics command. Listing 4.23 displays the output of this command.
Listing 4.23: Output of the show ip audit statistics command.
Router-3#show ip audit statistics
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 6103 packets audited: [0:42]
signature 6151 packets audited: [0:23]
signature 6152 packets audited: [0:18]
signature 6153 packets audited: [0:31]
signature 6154 packets audited: [0:29]
signature 6155 packets audited: [3:47]
signature 6180 packets audited: [0:8]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 19
Current session counts (estab/half-open/terminating) [16:3:1]
Maxever session counts (estab/half-open/terminating) [52:8:0]
Last session created 09:12:29
Last statistic reset never
Listing 4.23 displays the statistics for each signature matched and lists the packet counts for each switching method (process switched and fast switched). The output also provides other information related to the auditing process the router uses. Another useful command for verifying the operation of the auditing process is show ip audit config. Listing 4.24 shows its output for Router 3.
Listing 4.24: Router 3 audit configuration.
Router-3#show ip audit config
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 42
PostOffice:HostID:5 OrgID:34 Msg dropped:0
:Curr Event Buf Size:100 Configured:100
HID:13 OID:34 S:1 A:2 H:82 HA:49 DA:0 R:0 Q:0
ID:1 Dest:192.168.10.8:45000 Loc:1192.168.10.1:45000 T:5 −
Audit Rule Configuration
Audit name testrule
info actions alarm
attack actions alarm drop reset
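The per-signature counters in Listing 4.23 are only useful if someone watches them over time. As an added example (not code from the book), the following Python module parses the show ip audit statistics output into structured data and diffs two snapshots, so a sudden jump in one signature's count between polls can be flagged. The sample output is constructed after Listing 4.23.

```python
"""Parse 'show ip audit statistics' output and compare snapshots.

Added example, not code from the book. SAMPLE_STATS is constructed after
Listing 4.23; the counters are [process switched:fast switched].
"""
import re

SAMPLE_STATS = """\
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 6103 packets audited: [0:42]
signature 6151 packets audited: [0:23]
signature 6152 packets audited: [0:18]
signature 6153 packets audited: [0:31]
signature 6154 packets audited: [0:29]
signature 6155 packets audited: [3:47]
signature 6180 packets audited: [0:8]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 19
Current session counts (estab/half-open/terminating) [16:3:1]
Maxever session counts (estab/half-open/terminating) [52:8:0]
Last session created 09:12:29
Last statistic reset never
"""

SIG_RE = re.compile(r"^signature (\d+) packets audited: \[(\d+):(\d+)\]")
SESS_RE = re.compile(r"^(Current|Maxever) session counts .*\[(\d+):(\d+):(\d+)\]")
IFACE_RE = re.compile(r"^Interfaces configured for audit (\d+)")


def parse_audit_statistics(text):
    """Return {'signatures': {id: {...}}, 'sessions': {...}, 'interfaces': n}."""
    stats = {"signatures": {}, "sessions": {}, "interfaces": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = SIG_RE.match(line)
        if m:
            sig, proc, fast = (int(x) for x in m.groups())
            stats["signatures"][sig] = {"process": proc, "fast": fast, "total": proc + fast}
            continue
        m = SESS_RE.match(line)
        if m:
            est, half, term = (int(x) for x in m.groups()[1:])
            stats["sessions"][m.group(1).lower()] = {
                "estab": est, "half_open": half, "terminating": term}
            continue
        m = IFACE_RE.match(line)
        if m:
            stats["interfaces"] = int(m.group(1))
    return stats


def top_signatures(stats, n=3):
    """Signature IDs with the most audited packets, highest first."""
    sigs = stats["signatures"]
    return sorted(sigs, key=lambda s: sigs[s]["total"], reverse=True)[:n]


def delta(previous, current):
    """Per-signature increase between two snapshots; signatures absent from
    the earlier snapshot count from zero. A counter reset ('Last statistic
    reset') shows up as a negative value, which callers should treat as a
    new baseline rather than an attack."""
    out = {}
    for sig, cur in current["signatures"].items():
        prev_total = previous["signatures"].get(sig, {"total": 0})["total"]
        out[sig] = cur["total"] - prev_total
    return out


if __name__ == "__main__":
    snapshot = parse_audit_statistics(SAMPLE_STATS)
    for sig in top_signatures(snapshot):
        print(sig, snapshot["signatures"][sig])
```

In practice the text would come from a scheduled show command over the router's management channel; polling every few minutes and alerting when delta() reports a large increase for a single signature gives an early warning that the syslog stream alone may bury.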
In the next configuration, the security administrator of a small business has a machine with many security software packages installed and preconfigured to automatically kick off at various times during the day. After software applications begin running, the IDS software begins to send alarms to the Director and the Director continuously sends email and page notifications to the security administrator. As a result, the security administrator would like to configure the IOS Firewall so that any packets originating from his machine and the owner’s machine will not be subjected to inspection by the IDS software. Listing 4.25 details the configuration of Router 3 that is needed so that packets from the security administrator’s machine and the owner’s machine are not subject to auditing.