© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.117-1 Lesson 17 Capturing Network Traffic for Intrusion Detection Systems.


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– List the network devices involved in capturing traffic for intrusion detection analysis.
– Describe the basic flow of traffic through networking devices and its impact on traffic capture.
– Configure Cisco Catalyst switches to capture network traffic for intrusion detection analysis.

Traffic Capture Overview

Overview
Network traffic must be visible to the Sensor in order for the Sensor to perform analysis. The Sensor's monitoring port is connected to a network device that captures the traffic.

Overview (Cont.)
The network devices that are used to capture network traffic are:
– Hubs
– Network taps
– Switches
The methods that are used to capture network traffic on Catalyst switches are:
– SPAN
– RSPAN
– VACLs
– The mls ip ids command

Hub Traffic Flow
(Diagram slide: a hub repeats every frame out of all of its ports, so a Sensor attached to any hub port sees all traffic on the segment without any further configuration.)

Tx and Rx Network Tap Traffic Flow
(Diagram slide: a tap inserted in the full-duplex link between a router and a firewall splits the link into two unidirectional feeds, traffic from the router and traffic from the firewall. An aggregation switch combines the two feeds and presents them to the Sensor's monitoring port.)

Switch Traffic Flow
(Diagram slide: a switch forwards a unicast frame only to the port on which the destination MAC address was learned, so a Sensor on an ordinary switch port does not see the traffic between other ports. Switched traffic has to be copied to the Sensor's port with SPAN, RSPAN, a VACL capture, or the mls ip ids command.)

SPAN Traffic Flow
(Diagram slide: the switch copies traffic seen on one or more source SPAN ports to the destination SPAN port, where the Sensor's monitoring interface is connected.)

SPAN Terminology
– Ingress traffic: traffic entering the switch on a source port (rx).
– Egress traffic: traffic leaving the switch on a source port (tx).
– Source SPAN ports: the ports (or VLANs) whose traffic is copied.
– Destination SPAN port: the port that receives the copies; the Sensor's monitoring interface is connected here.

RSPAN Traffic Flow
(Diagram slide: traffic from the VLAN of the source port is copied into a dedicated RSPAN VLAN, carried over trunks to a second switch, and delivered to the destination port on that switch.)

TCP Resets and Switches
With the exception of the 4250-XL Sensor, the Sensor appliances send the TCP reset packets from the monitoring interface. The Sensor's monitoring interface is connected to the switch SPAN destination port. Not all switches allow SPAN destination ports to receive input packets, and where a switch does support it the behaviour must be enabled explicitly (on CatOS, the inpkts enable keyword on the SPAN or RSPAN destination port); otherwise the resets never enter the switch and blocking by TCP reset silently fails. Cisco IDS Sensors use a randomly generated MAC address in the TCP reset packet.

Configuring SPAN for Catalyst 4500 and 6500 Traffic Capture

Catalyst Operating System SPAN Configuration
Syntax: set span {src_mod/src_ports | src_vlans} {dest_mod/dest_port} [rx | tx | both] [create]
Enables or disables SPAN and creates SPAN sessions.
switch>(enable) set span 4/5 3/1 rx create
Assigns port 3/1 as the destination port and port 4/5 as the source; only traffic received (ingress) on 4/5 is copied. The create keyword adds a new session instead of overwriting the existing one.

Cisco IOS SPAN Configuration: Configuring the Source
Syntax: monitor session session_number source {interface type slot/port | vlan vlan_id} [rx | tx | both]
Enables SPAN by setting the source interfaces or VLANs for the monitor session.
Router(config)# monitor session 2 source interface FastEthernet 5/15, 7/3 rx
Assigns ports 5/15 and 7/3 as the source ports for session 2; only ingress traffic is copied.

Cisco IOS SPAN Configuration: Configuring the Destination
Syntax: monitor session session_number destination {interface type slot/port | vlan vlan_id}
Configures a SPAN destination.
Router(config)# monitor session 2 destination interface FastEthernet0/1
Configures Fast Ethernet port 0/1 as the destination for SPAN session 2.
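The following is an added example, not taken from the lesson, that puts the SPAN commands above together into one working session per platform and verifies it. It also handles the TCP reset caveat from the "TCP Resets and Switches" slide: on CatOS the inpkts enable keyword lets the destination port accept the frames the Sensor sends. Port numbers are assumed (Sensor monitoring interface on 3/1; monitored ports 4/5 on CatOS, 5/15 and 7/3 on Cisco IOS), and the Cisco IOS ingress option mentioned in the comment is release-dependent and is not on the slides.

```cisco
! ===== Catalyst OS (example; ports assumed) =====
! Copy both directions of port 4/5 to the Sensor on port 3/1.
! inpkts enable: the destination port accepts frames from the Sensor (TCP resets).
! create: add a new session rather than replacing the one that already exists.
switch>(enable) set span 4/5 3/1 both inpkts enable create
! Check: the session lists 4/5 as source, 3/1 as destination, direction both,
! and incoming packets enabled.
switch>(enable) show span

! ===== Cisco IOS (example; ports assumed) =====
Router(config)# monitor session 2 source interface FastEthernet 5/15, 7/3 rx
Router(config)# monitor session 2 destination interface FastEthernet 3/1
! For TCP resets, releases that support it accept an ingress option on the
! destination line; confirm with
!   monitor session 2 destination interface FastEthernet 3/1 ?
! before relying on it (release-dependent, not shown on the slides).
Router(config)# end
! Check: source ports, direction and destination of session 2.
Router# show monitor session 2
```

If show span or show monitor session reports no destination, the session was not created (on CatOS usually because create was omitted on a switch that already had a session, and the new command replaced it).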

Configuring RSPAN for Catalyst 4500 and 6500 Traffic Capture

RSPAN Example
(Diagram slide: source switch S1 with the monitored port 6/2, destination switch S2 with the Sensor on port 5/2, and RSPAN VLAN 901 carried between them.)

CatOS Configuration Tasks
Complete the following tasks to configure CatOS RSPAN for capturing IDS traffic:
– Configure an RSPAN VLAN.
– Use the set rspan source command to configure the source switch.
– Use the set rspan destination command to configure the destination switch.

Configure the RSPAN VLAN
Syntax: set vlan vlan_num rspan
switch>(enable) set vlan 901 rspan
Vlan 901 configuration successful
Creates VLAN 901 and configures it as the RSPAN VLAN.

Configure RSPAN Sources
Syntax: set rspan source {src_mod/src_ports... | src_vlans... | sc0} {rspan_vlan} [rx | tx | both] [multicast {enable | disable}] [filter vlans...] [create]
Creates remote SPAN sessions by designating the sources.
S1>(enable) set rspan source 6/2 901 rx
Monitors traffic entering S1 on port 6/2 and copies it to RSPAN VLAN 901.

Configure RSPAN Destination Port
Syntax: set rspan destination {mod_num/port_num} {rspan_vlan} [inpkts {enable | disable}] [learning {enable | disable}] [create]
Creates remote SPAN sessions by designating the destination port.
S2>(enable) set rspan destination 5/2 901
On S2, port 5/2 is assigned as the destination for monitored traffic sent on RSPAN VLAN 901.

Cisco IOS Configuration Tasks
Complete the following tasks to configure Cisco IOS RSPAN for capturing IDS traffic:
– Configure an RSPAN VLAN.
– Configure an RSPAN source session.
– Configure an RSPAN destination session.

Configure the RSPAN VLAN
Syntax: vlan {vlan-id | vlan-range} creates or modifies an Ethernet VLAN and enters VLAN configuration mode; remote-span (in VLAN configuration mode) configures the VLAN as an RSPAN VLAN.
Router1(config)# vlan 901
Router1(config-vlan)# remote-span
Router1(config-vlan)#
Creates RSPAN VLAN 901. The RSPAN VLAN must be created on the source, destination, and intermediate devices.

Configure the Source Session
Syntax: monitor session session_number source {interface type slot/port | vlan vlan_id [rx | tx | both] | remote vlan rspan-vlan-id}
Configures interfaces or VLANs as sources for an RSPAN session.
Syntax: monitor session session_number destination {interface type slot/port | vlan vlan_id | remote vlan rspan-vlan-id | …}
Configures the RSPAN VLAN as the destination for the RSPAN source session.
Router1(config)# monitor session 2 source interface fastethernet6/2 rx
Router1(config)# monitor session 2 destination remote vlan 901
Configures RSPAN source session 2 on S1 (Router1). Traffic entering S1 on port 6/2 is monitored; RSPAN VLAN 901 is the destination.

Configure the Destination Session
Router2(config)# monitor session 2 source remote vlan 901
Router2(config)# monitor session 2 destination interface FastEthernet 5/2
The destination session is configured on the destination switch (S2, Router2). The source is RSPAN VLAN 901, and port 5/2 is assigned as the RSPAN destination port.
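Added example, not part of the lesson: the complete RSPAN configuration for the two-switch topology used on the slides (source switch S1, monitored port 6/2; destination switch S2 with the Sensor on port 5/2; RSPAN VLAN 901), first on CatOS and then on Cisco IOS, with the checks a practitioner runs afterwards. The inter-switch trunk ports used in the checks (3/1 on the CatOS switches, GigabitEthernet 1/1 on the Cisco IOS switch) are assumed, and the inpkts enable keyword on the destination is added to let the Sensor's TCP resets enter the switch.

```cisco
! ===== Catalyst OS =====
! S1 (source switch): create the RSPAN VLAN, then copy ingress traffic on 6/2 into it.
S1>(enable) set vlan 901 rspan
S1>(enable) set rspan source 6/2 901 rx create
S1>(enable) show rspan
! VLAN 901 must exist on S2 and on every switch in between and be allowed on the
! trunks between them (a shared VTP domain propagates it; otherwise create it on each).
! Trunk port 3/1 is assumed; 901 must appear in the "Vlans allowed on trunk" list.
S1>(enable) show trunk 3/1

! S2 (destination switch): deliver RSPAN VLAN 901 to the Sensor on 5/2.
! inpkts enable lets the Sensor's TCP resets enter the switch on that port.
S2>(enable) set vlan 901 rspan
S2>(enable) set rspan destination 5/2 901 inpkts enable create
S2>(enable) show rspan

! ===== Cisco IOS =====
! S1 (Router1): RSPAN VLAN, then a source session whose destination is that VLAN.
Router1(config)# vlan 901
Router1(config-vlan)# remote-span
Router1(config-vlan)# exit
Router1(config)# monitor session 2 source interface FastEthernet 6/2 rx
Router1(config)# monitor session 2 destination remote vlan 901
Router1(config)# end
Router1# show monitor session 2

! S2 (Router2): the same RSPAN VLAN, then a destination session fed from it.
Router2(config)# vlan 901
Router2(config-vlan)# remote-span
Router2(config-vlan)# exit
Router2(config)# monitor session 2 source remote vlan 901
Router2(config)# monitor session 2 destination interface FastEthernet 5/2
Router2(config)# end
Router2# show monitor session 2
! Check that VLAN 901 is allowed on the inter-switch trunk (port assumed).
Router2# show interfaces GigabitEthernet 1/1 trunk
```

The most common failure is a trunk in the path that prunes or does not allow VLAN 901: the sessions on both switches look correct, but the Sensor sees nothing. The trunk checks above are the place to look first.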

Configuring VACLs for Catalyst 6500 Traffic Capture

CatOS Configuration Tasks
Complete the following tasks to configure the use of CatOS VACLs for capturing IDS traffic:
– Create a VACL to capture interesting traffic.
– Commit the VACL to memory.
– Map the VACL to the VLANs.
– Assign the Sensor's monitoring port as a VACL capture port.

Security VLAN ACL
Syntax: set security acl ip acl_name permit (…) [capture]
Sets the VACL to restrict and capture traffic.
switch>(enable) set security acl ip SPAN_MIMIC permit ip any any capture
Sets the VACL SPAN_MIMIC to capture all IP traffic for IDS analysis. The SPAN_MIMIC VACL is equivalent to capturing traffic using the SPAN feature.

VACL Examples
switch>(enable) set security acl ip WEBONLY permit tcp any host web_server_ip eq 80 capture
switch>(enable) set security acl ip WEBONLY permit ip any any
Sets VACL WEBONLY to capture only web traffic (TCP port 80 to the web server, written here as web_server_ip) for IDS analysis. Other IP traffic is allowed but not captured. The second entry is required: a VACL ends in an implicit deny, so without it every other packet in the mapped VLAN would be dropped rather than merely left uncaptured.
switch>(enable) set security acl ip 10_NET permit ip network_addr wildcard any capture
switch>(enable) set security acl ip 10_NET permit ip any network_addr wildcard capture
Sets the VACL 10_NET to capture traffic originating from or destined to the network (network_addr with its wildcard mask).

Commit and Map VACLs
Syntax: commit security acl {acl_name | all}
Commits VACLs to the switch.
switch>(enable) commit security acl WEBONLY
Syntax: set security acl map acl_name vlans
Maps VACLs to VLANs.
switch>(enable) set security acl map WEBONLY 401
A VACL must be committed before it can be mapped; the mapping applies WEBONLY to VLAN 401.

Assign Capture Ports
Syntax: set security acl capture-ports {mod/ports}
Defines security ACL capture ports.
switch>(enable) set security acl capture-ports 3/1

Cisco IOS Configuration Tasks
Complete the following tasks to capture traffic by using VACLs on a Catalyst 6500 Series switch running Cisco IOS software:
– Configure ACLs to define interesting traffic.
– Define a VLAN access map.
– Configure the match clause in the VLAN access map using the ACLs.
– Configure the action clause in the VLAN access map using the capture option.
– Apply the VLAN access map to the specified VLANs.
– Select an interface.
– Enable the capture function on the interface.

Create VLAN Access Map
Syntax: vlan access-map map_name [seq]
Defines the VLAN access map and enters VLAN access-map command mode.
Router(config)# vlan access-map CAPTUREWEB
Router(config-access-map)#
Creates a VLAN access map named CAPTUREWEB.

Configure the Match Clause
Syntax: match ip address {acl-number | acl-name}
Configures a match clause in a VLAN access map.
Router(config-access-map)# match ip address 13
Selects IP ACL 13 for the VLAN access map.

Configure VACL to Capture Traffic
Syntax: action {drop [log] | forward [capture] | …}
Configures the action for packets matched by the access-map entry.
Router(config-access-map)# action forward capture
Configures the VACL to forward matching traffic and copy it to the capture ports.

Apply VLAN Access Map to VLANs
Syntax: vlan filter map-name {vlan-list vlan-list | interface interface number}
Applies the VLAN access map to the specified VLANs.
Router(config)# vlan filter CAPTUREWEB vlan-list 7-9
Applies VLAN access map CAPTUREWEB to VLANs 7 through 9.

Select an Interface
Syntax: interface type number
Selects an interface.
Router(config)# interface FastEthernet 2/4
Router(config-if)#
Enters interface configuration mode on the Fast Ethernet interface for module 2, port 4, of an IDSM.

Enable Capture on the Interface
Syntax: switchport capture
Router(config-if)# switchport capture
Configures the interface to receive VACL-captured traffic (enables the capture function on the interface).
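Added example, not from the lesson, covering both the CatOS task list and the Cisco IOS task list above as one complete, verified capture policy: copy only HTTP to one web server to the Sensor, while leaving all other traffic in the VLAN forwarding normally. The web server address (192.0.2.10), the VLANs (401 on CatOS, 7 through 9 on Cisco IOS) and the Sensor ports (3/1 on CatOS, FastEthernet 2/4 on Cisco IOS) are assumed; the named ACL WEB_TRAFFIC and the second access-map entry are this example's own additions. The point it makes that the slides leave implicit is the implicit deny: a VACL is also a filter, so a capture-only policy needs a permit-everything entry after the capture entry.

```cisco
! ===== Catalyst OS: Sensor on 3/1, web server 192.0.2.10 in VLAN 401 (assumed) =====
switch>(enable) set security acl ip WEBONLY permit tcp any host 192.0.2.10 eq 80 capture
! Required: VACLs end in an implicit deny. Without this entry all other IP traffic
! in VLAN 401 is dropped, not just left uncaptured.
switch>(enable) set security acl ip WEBONLY permit ip any any
! Commit first, then map; an uncommitted VACL cannot be mapped.
switch>(enable) commit security acl WEBONLY
switch>(enable) set security acl map WEBONLY 401
switch>(enable) set security acl capture-ports 3/1
! Checks: the ACEs, the VLAN mapping, and the capture port list.
switch>(enable) show security acl info WEBONLY
switch>(enable) show security acl map WEBONLY
switch>(enable) show security acl capture-ports

! ===== Cisco IOS: same policy on VLANs 7-9, Sensor/IDSM port 2/4 (assumed) =====
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# permit tcp any host 192.0.2.10 eq 80
Router(config-ext-nacl)# exit
! Entry 10: web traffic is forwarded and copied to the capture ports.
Router(config)# vlan access-map CAPTUREWEB 10
Router(config-access-map)# match ip address WEB_TRAFFIC
Router(config-access-map)# action forward capture
Router(config-access-map)# exit
! Entry 20 has no match clause, so it matches everything else and forwards it
! uncaptured. Omit it and the access map's implicit deny drops the rest of the
! traffic in VLANs 7-9.
Router(config)# vlan access-map CAPTUREWEB 20
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter CAPTUREWEB vlan-list 7-9
Router(config)# interface FastEthernet 2/4
Router(config-if)# switchport capture
Router(config-if)# end
! Checks: map contents, VLAN assignment, ACL hit counts, and the capture port.
Router# show vlan access-map CAPTUREWEB
Router# show vlan filter
Router# show ip access-lists WEB_TRAFFIC
Router# show running-config interface FastEthernet 2/4
```

Because every VACL-captured packet is copied to every capture port on the switch, adding a second Sensor port with set security acl capture-ports (or switchport capture) sends it the same HTTP copies unless its trunk VLAN list is narrowed, which is the subject of the "Advanced Catalyst 6500 Traffic Capture" slides.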

Using the mls ip ids Command for Catalyst 6500 Traffic Capture

CatOS Configuration Tasks
Complete the following tasks to use the mls ip ids command method for capturing IDS traffic. The ACL and the mls ip ids command are entered on the MSFC (router prompt); the capture port is assigned on the CatOS supervisor (switch prompt):
– Create an ACL to capture interesting traffic.
– Select the VLAN interface.
– Apply the ACL to the interface.
– Assign the Sensor's monitoring port as a VACL capture port.

Configure Cisco IOS ACLs
Syntax: ip access-list extended acl_name
Creates a Cisco IOS extended IP ACL.
router(config)# ip access-list extended MLS_ACL
router(config-ext-nacl)# permit ip any any
Creates an ACL MLS_ACL to capture all IP traffic for IDS analysis. The MLS_ACL access list is equivalent to capturing traffic using the SPAN feature.

Select the VLAN Interface and Apply the ACL
Syntax: interface vlan vlan_id
Creates or accesses the VLAN interface specified.
Syntax: mls ip ids acl_name
Applies an IP ACL to the VLAN interface; only packets permitted by the ACL are copied to the capture ports.
router(config)# interface vlan 401
router(config-if)# mls ip ids MLS_ACL
router(config-if)#

Assign Capture Ports
Syntax: set security acl capture-ports {mod/ports}
Defines security ACL capture ports (entered on the CatOS switch).
switch>(enable) set security acl capture-ports 3/1

Cisco IOS Configuration Tasks
Complete the following tasks to use the mls ip ids command method for capturing IDS traffic:
– Configure an ACL to designate which packets will be captured.
– Select the VLAN interface.
– Apply the IDS ACL to the interface with mls ip ids.
– Enable the capture function on the Sensor's interface with switchport capture.
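Added example, not from the lesson: the Cisco IOS task list above carried through end to end on a Catalyst 6500 running Cisco IOS, selecting only traffic to or from one server subnet instead of the permit ip any any on the slides. The subnet (192.0.2.0/24), the monitored VLAN (401), the Sensor/IDSM port (FastEthernet 2/4) and the ACL name IDS_ACL are assumptions of this example.

```cisco
! Native Cisco IOS on a Catalyst 6500 (VLAN, port and subnet assumed).
! 1. ACL that designates which packets are copied: only traffic to or from
!    the server subnet 192.0.2.0/24. Anything the ACL denies is simply not copied.
Router(config)# ip access-list extended IDS_ACL
Router(config-ext-nacl)# permit ip any 192.0.2.0 0.0.0.255
Router(config-ext-nacl)# permit ip 192.0.2.0 0.0.0.255 any
Router(config-ext-nacl)# exit
! 2-3. Select the VLAN interface and apply the IDS ACL with mls ip ids.
Router(config)# interface Vlan401
Router(config-if)# mls ip ids IDS_ACL
Router(config-if)# exit
! 4. Make the Sensor's port a capture port; it receives every captured packet.
Router(config)# interface FastEthernet 2/4
Router(config-if)# switchport capture
Router(config-if)# end
! Checks: the ACL as parsed, and that mls ip ids is on the VLAN interface.
Router# show ip access-lists IDS_ACL
Router# show running-config interface Vlan401
Router# show running-config interface FastEthernet 2/4
```

On a hybrid (CatOS supervisor plus MSFC) chassis the first three steps are identical on the MSFC, and step 4 is the CatOS set security acl capture-ports command shown on the "Assign Capture Ports" slide.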

Advanced Catalyst 6500 Traffic Capture

Controlling Capture VLAN Traffic
By default, a Sensor appliance receives captured traffic only from the VLAN assigned to the switch port to which the Sensor is connected. The appliance Sensor port can receive captured traffic from multiple VLANs if the switch port to which the Sensor is connected is configured as a trunk port. By default, an IDSM receives captured traffic from all VLANs because it trunks all VLANs. VLAN traffic captured and sent to a Sensor can be controlled by removing VLANs from the trunked capture port.

Single Sensor, Multiple VLANs Scenario
(Diagram: VLANs 1, 2 and 3 have capture enabled; the Sensor on port 6/1 receives VLANs 1 through 3.)
clear trunk 6/1 1-1005,1025-4094
set trunk 6/1 1-3
set vlan 1 6/1
set security acl capture-ports 6/1

Single Sensor, Single VLAN Scenario
(Diagram: VLANs 1, 2 and 3 have capture enabled; the Sensor on port 6/1 receives only VLAN 2.)
clear trunk 6/1 1-1005,1025-4094
set trunk 6/1 2
set vlan 2 6/1
set security acl capture-ports 6/1

Multiple Sensors, Multiple VLANs Scenario
(Diagram: VLANs 1, 2 and 3 have capture enabled; Sensor1 on port 6/1 receives VLAN 2, Sensor2 on port 7/1 receives VLANs 1 and 3.)
clear trunk 6/1 1-1005,1025-4094
set trunk 6/1 2
set vlan 2 6/1
set security acl capture-ports 6/1
clear trunk 7/1 1-1005,1025-4094
set trunk 7/1 1,3
set vlan 1 7/1
set security acl capture-ports 7/1

Trunk Configuration Tasks
– Configure the destination capture port as a switch trunk port.
– Clear all VLANs from the destination capture port.
– Assign the VLANs of interest to the destination capture port.
– Assign the Sensor's monitoring port to the VLAN of interest (this becomes the port's native VLAN).
– Assign the Sensor's monitoring port as the destination capture port.

Trunk Traffic
Syntax: set trunk mod/port vlans
Adds VLANs to the allowed VLAN list for an existing trunk.
switch>(enable) set trunk 6/1 1-3
Syntax: clear trunk mod/port vlans
Clears specific VLANs from the allowed VLAN list for a trunk port.
switch>(enable) clear trunk 6/1 1-1005,1025-4094

Assign Monitoring Port to VLAN
Syntax: set vlan vlan_num mod/ports
Groups ports into a VLAN.
switch>(enable) set vlan 401 6/1
Assigns the monitoring port to VLAN 401.

Assign Capture Ports
Syntax: set security acl capture-ports {mod/ports}
Defines security ACL capture ports.
switch>(enable) set security acl capture-ports 6/1

VACL Packet Capture Example
All packets captured with security VLAN ACLs are copied to all capture destination ports.
(Diagram: a Catalyst 6xxx switch with the Policy Feature Card (PFC) option; a VLAN ACE with capture applied to VLAN 1 and VLAN 2; capture destination ports 6/4, 6/5 and 6/6.)
1. Set VLAN ACEs to capture traffic (ftp_server_ip stands for the FTP server's address):
set security acl ip FTPCAPTURE permit tcp any host ftp_server_ip eq 21 capture
2. Assign capture destination ports:
set security acl capture-ports 6/4
3. Limit Sensor traffic by source VLAN, so that only VLAN 1's captured packets reach port 6/4:
set trunk 6/4 nonegotiate dot1q
clear trunk 6/4 1-1005,1025-4094
set trunk 6/4 1

Summary

– Network traffic may be captured using hubs, network taps, and switches.
– Switches must be configured to mirror traffic from source ports to a destination port or ports.
– The Cisco SPAN feature enables traffic to be captured for intrusion detection systems.
– Catalyst 6500 Series switches can capture traffic using VLAN ACLs or Cisco IOS ACLs (with the mls ip ids command).
– VLAN traffic captured using a Catalyst 6500 Series switch may be controlled using the clear trunk and set trunk commands.