© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.115-1 Cisco Intrusion Detection System Network Module Lesson 15.

Transcript:

Cisco Intrusion Detection System Network Module (Lesson 15)

Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Describe the Cisco NM-CIDS.
– Explain how the NM-CIDS works.
– List the tasks for configuring the NM-CIDS.
– Describe maintenance tasks for the NM-CIDS.

NM-CIDS Overview

Key Features
– Integrates IDS into several Cisco access router platforms
– Provides full-featured intrusion protection
– Runs the IDS 4.1 Sensor software
– Able to monitor traffic from all router interfaces
– Able to inspect GRE and IPSec traffic that has been decrypted at the router
– Delivers comprehensive intrusion protection at branch offices, isolating threats from the corporate network

Specifications
– Performance: 45 Mbps
– Interface: onboard external 100-Mbps interface for command and control and internal 100-Mbps interface for monitoring
– Routers supported: 2600XM, 2691, 3660, 3725, 3745
– Cisco IOS software: 12.2(15)ZJ or later
– 2691/3700 ROM version: 12.2(8r)T2 or later
– IDS Sensor software: IDS 4.1

Traditional Cisco IDS Network Architecture
(Diagram; labels: Untrusted network, Attacker, Router, Sensor appliance, Monitoring, Command and control, Management server, Targets)

Network Architecture with NM-CIDS
(Diagram; labels: Untrusted network, Attacker, Router with NM Sensor, Command and control, Management server, Targets)

How the NM-CIDS Works

Hardware Architecture
(Diagram. Router side, controlled by Cisco IOS: Router CPU, Memory, Flash, Console, Fast Ethernet 0, Fast Ethernet 1, Router PCI Bus. Network module side, controlled by CIDS: Content CPU, Memory, Flash, Disk, NM Console UART, NM Interfaces, Fast Ethernet.)

NM-CIDS Front Panel
(Diagram; labels: Disk, Command and control port, ACT and LINK LEDs, PWR and EN LEDs)

Example Architecture for NM-CIDS Monitoring
(Diagram; labels: Untrusted network, Hacker A, Hacker B, Outside, Branch, Headquarters, Employee, NM-CIDS, Command and control)
– IDS is easily deployed and managed.
– External and internal threats are detected and eliminated quickly.

Traffic Capture for the NM-CIDS
Traffic capture for the NM-CIDS is characterized by the following:
– Cisco IOS software provides interface-level and subinterface-level packet monitoring capability.
– The forwarding of packets to the NM-CIDS is implemented in the CEF switching path of the Cisco IOS software.
– Some of the Cisco IOS forwarding features and services implemented within CEF can impact NM-CIDS packet analysis.

Design Considerations

Cisco IOS Features That Require Special Consideration When Using the NM-CIDS
The following Cisco IOS software features require special consideration when used with NM-CIDS monitoring:
– ACLs
– Encryption
– NAT
– IP multicast
– UDP flooding
– IP broadcast
– GRE tunnels

NM-CIDS and Input ACLs
– Packets that are dropped by inbound ACLs are not forwarded to the NM-CIDS.
  router(config)# access-list 101 deny ip any
  router(config)# interface FastEthernet 0/0
  router(config-if)# ip access-group 101 in
(Diagram; labels: Outside, Inside, host A, host B, packet S= , D= marked X at the inbound ACL)

NM-CIDS and Output ACLs
When output ACLs are configured in the Cisco IOS, the router:
– Performs the output-ACL check after the packet is forwarded to the NM-CIDS.
– Forwards the packet to the NM-CIDS even if the output ACL drops the packet.
  router(config)# access-list 101 deny ip any
  router(config)# interface FastEthernet 0/1
  router(config-if)# ip access-group 101 out
(Diagram; labels: Outside, Inside, host A, host B, packet S= , D= )

NM-CIDS and Encryption
Encryption is handled by the router and NM-CIDS as follows:
– If an IPSec tunnel terminates on the router, intrusion detection is handled as follows:
  – The router decrypts incoming packets and then sends them to the NM-CIDS.
  – The router encrypts outgoing packets after copying them to the NM-CIDS.
– Pass-through IPSec traffic is not interpreted by the NM-CIDS.
– The NM-CIDS cannot interpret encrypted packets for Layer 4 and above signatures.

NM-CIDS and Inside NAT
(Diagram; labels: Outside, Inside, host A, host B, address pairs S= , D= )
– Only the untranslated inside source address is sent to the NM-CIDS for processing. This facilitates identification of the inside target.

NM-CIDS and Outside NAT
(Diagram; labels: Outside, Inside, host A, host B, address pairs S= , D= )
– A device's real global address is seen on the inside as a translated address.
– Only the translated address is sent to the NM-CIDS for processing.
– The attacker's real address is not displayed in the alarm, so the source of the attack may not be easily traced.

NM-CIDS, NAT, and Blocking
(Diagram; labels: Attacker, Untrusted network, Router running NAT, NM-CIDS, e0/0, e0/1, Target)
– The NM-CIDS currently supports blocking only on source address.
– Only external interfaces can be used for blocking. This enables NAT and blocking to work together within the same router.
  router# show access-lists
  Extended IP access list IDS_Ethernet0/1_in_1
      deny ip host host log
      permit ip any any

Special Considerations for Using the NM-CIDS
IP multicast, UDP flooding, and IP broadcast
– The input interface must be configured for IDS monitoring. If only the output interfaces are configured for monitoring, the packet is not forwarded to the NM-CIDS.
GRE
– If the router in which the NM-CIDS is installed receives a GRE-encapsulated packet, the packet is not forwarded to the NM-CIDS.
– If the router in which the NM-CIDS is installed encapsulates the packet into a GRE tunnel, the packet is analyzed by the NM-CIDS before encapsulation.

Packets Not Forwarded to NM-CIDS
The following packets are not inspected by the NM-CIDS:
Packets not forwarded to the NM-CIDS
– ARP packets
Packets dropped by Cisco IOS software
– Bad IP version
– Invalid IP option
– Bad header length
– Any header error
– Total length greater than 1548 bytes or less than 20 bytes
– IP CRC failure
– TTL less than 1
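The drop list above can be checked against a raw IPv4 header. The following Python function is an added example, not part of the Cisco course material: it applies the slide's drop conditions to a header built from constructed sample packets (RFC 5737 documentation addresses) and returns the reason Cisco IOS would discard the packet before the NM-CIDS could inspect it, or None if the packet would be forwarded. The option TLV walk and the check order are this example's reading of the slide, not the IOS implementation.

```python
import socket
import struct
from typing import Optional

# Limits stated on the slide: IOS drops IP packets whose total length is
# greater than 1548 bytes or less than 20 bytes before they reach the NM-CIDS.
MAX_TOTAL_LENGTH = 1548
MIN_TOTAL_LENGTH = 20


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; 0 means the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ios_drop_reason(packet: bytes) -> Optional[str]:
    """Return the slide's drop reason for an IPv4 packet, or None if IOS would
    forward it to the NM-CIDS. Checks mirror the 'Packets Not Forwarded' list."""
    if len(packet) < MIN_TOTAL_LENGTH:
        return "total length less than 20 bytes"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        return "bad IP version"
    if ihl < 20 or ihl > len(packet):
        return "bad header length"
    total_length = struct.unpack("!H", packet[2:4])[0]
    if total_length > MAX_TOTAL_LENGTH or total_length < MIN_TOTAL_LENGTH:
        return "total length greater than 1548 bytes or less than 20 bytes"
    if total_length < ihl or total_length > len(packet):
        return "header error: total length inconsistent with header/buffer"
    if ip_checksum(packet[:ihl]) != 0:
        return "IP CRC failure"  # the slide's name for a bad header checksum
    if packet[8] < 1:
        return "TTL less than 1"
    # Walk the option TLVs: type 0 ends the list, type 1 is a one-byte NOP,
    # every other option carries a length byte that must fit inside the header.
    pos = 20
    while pos < ihl:
        opt_type = packet[pos]
        if opt_type == 0:
            break
        if opt_type == 1:
            pos += 1
            continue
        if pos + 1 >= ihl or packet[pos + 1] < 2 or pos + packet[pos + 1] > ihl:
            return "invalid IP option"
        pos += packet[pos + 1]
    return None


def build_ipv4_packet(src: str, dst: str, ttl: int = 64, options: bytes = b"",
                      payload: bytes = b"", version: int = 4,
                      total_length: Optional[int] = None,
                      fix_checksum: bool = True) -> bytes:
    """Construct a sample packet for this example (constructed data, not a capture)."""
    assert len(options) % 4 == 0, "options must pad to 32-bit words"
    ihl = 5 + len(options) // 4
    if total_length is None:
        total_length = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_length,
                         0x1234, 0x4000, ttl, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    if fix_checksum:  # write the correct checksum into bytes 10-11
        header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


if __name__ == "__main__":
    cases = {
        "clean":  build_ipv4_packet("192.0.2.10", "198.51.100.5", payload=b"x" * 40),
        "ipv6":   build_ipv4_packet("192.0.2.10", "198.51.100.5", version=6),
        "ttl0":   build_ipv4_packet("192.0.2.10", "198.51.100.5", ttl=0),
        "jumbo":  build_ipv4_packet("192.0.2.10", "198.51.100.5", payload=b"x" * 1600),
        "badsum": build_ipv4_packet("192.0.2.10", "198.51.100.5", fix_checksum=False),
        "badopt": build_ipv4_packet("192.0.2.10", "198.51.100.5", options=b"\x83\x07\x04\x00"),
    }
    for name, pkt in cases.items():
        print(f"{name:7s} -> {ios_drop_reason(pkt) or 'forwarded to NM-CIDS'}")
```

Only the "clean" case reaches the sensor; each of the others is a packet the NM-CIDS never sees, which matters when an alarm is expected for malformed traffic.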

Installation and Configuration Tasks

Configuration Tasks
Configuration tasks are the same as those for the Sensor appliance with the following exceptions:
– Initial configuration requires establishing a session from the router console.
– The NM-CIDS clock cannot be set directly. One of the following must be used:
  – Router's clock
  – NTP server

Installation and Configuration Tasks
– Task 1: Install the NM-CIDS.
– Task 2: Configure the internal ids-sensor interface.
– Task 3: Configure the clock settings.
– Task 4: Configure packet monitoring.
– Task 5: Log in to the NM-CIDS console.
– Task 6: Perform additional IDS configuration.

Task 1: Install the NM-CIDS
– Step 1: Insert the NM-CIDS into a router.
– Step 2: Connect the NM-CIDS to the network.
– Step 3: Verify the presence of the NM-CIDS.
– Step 4: Verify that Cisco IOS-IDS is not running.

Task 1, Step 1: Insert the NM-CIDS into a Router
When inserting the NM-CIDS in the router, keep in mind the following important points:
– The 2600XM series and 2691 routers must be powered down before you install the NM-CIDS.
– The 3660, 3725, and 3745 routers allow OIR (online insertion and removal).
– Only one NM-CIDS should be installed in a router.
– Running Cisco IOS-IDS on a router in which the NM-CIDS is installed is not recommended.

Task 1, Step 2: Connect the NM-CIDS to the Network
(Diagram: the NM-CIDS Fast Ethernet 0 RJ-45 command and control port connects, with a straight-through Cat 5 UTP cable, to a switch, hub, repeater, server, or other network device.)

Task 1, Step 3: Verify the Presence of the NM-CIDS
The following are indications that the router recognizes the NM-CIDS:
– The NM-CIDS PWR and EN LEDs are green.
– The show running-config command displays the following line:
  interface IDS-Sensor1/0
– The show version command displays the following line:
  1 cisco ids sensor(s), ids monitoring on slot 1

Task 1, Step 4: Verify That Cisco IOS-IDS Is Not Running
– Running Cisco IOS-IDS in the router that hosts the NM-CIDS causes performance reduction in the router.
– To verify that Cisco IOS-IDS is not running, use the show ip interface command. The output should be blank.

Task 2: Configure the Internal IDS-Sensor Interface
– Step 1: Verify the NM-CIDS slot number.
– Step 2: Enable CEF.
– Step 3: Configure the interface.
(Diagram; labels: Untrusted network, FE0/0, FE0/1, Command and control, interface ids-sensor, Loopback)

Task 2, Step 1: Verify the NM-CIDS Slot Number
  router# show interfaces ids-sensor slot-number/port-number
Displays statistics for the ids-sensor interface in your router.
  router#show interfaces ids-sensor 1/0
  IDS-Sensor1/0 is up, line protocol is up
    Hardware is I82559FE, address is 000d.bc3a.d090 (bia 000d.bc3a.d090)
    Interface is unnumbered. Using address of Loopback0 ( )
    MTU 1500 bytes, BW Kbit, DLY 100 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:17, output 00:00:00, output hang never
  ...

Task 2, Step 1 (Cont.)
  router# show running-config
Displays the contents of the currently running configuration file.
  router#show running-config
  ...
  interface FastEthernet0/1
   ip address
   duplex auto
   speed auto
  !
  interface IDS-Sensor1/0
   ip unnumbered Loopback0
   hold-queue 60 out
  ...

Task 2, Step 2: Enable CEF
  router(config)# ip cef
Globally enables CEF on the router, enabling the router to forward packets to the NM-CIDS.
  router(config)#ip cef

Task 2, Step 3: Configure the Interface
  router(config)# interface loopback number
Creates a loopback interface and enters interface configuration mode.
  router(config)#interface loopback 0
  router(config-if)#ip address
Creates loopback interface 0 and assigns IP address /32 to it.

Task 2, Step 3 (Cont.)
  router(config)# interface ids-sensor slot-number/port-number
Enters configuration mode for the ids-sensor interface.
  router(config-if)# ip unnumbered type number
Enables IP processing on an interface without assigning an explicit IP address to the interface.
  router(config)#interface ids-sensor 1/0
  router(config-if)#ip unnumbered loopback 0
Enables the ids-sensor interface to use the IP address of loopback interface 0.

Task 3: Configure the Clock Settings
When assigning clock settings, keep in mind the following important information:
– The NM-CIDS clock cannot be set directly.
– The NM-CIDS must obtain its time from one of the following:
  – The router clock (Cisco IOS mode)
  – An NTP server (NTP mode)
– In both Cisco IOS and NTP modes, the NM-CIDS module:
  – Obtains UTC (GMT) time from the router or NTP server
  – Converts to local time using its own time zone and summer time settings

What Determines NM-CIDS Clock Accuracy?
NTP mode: accurate IDS local time depends on:
– NTP server's clock reference
– IDS NTP configuration
– IDS time zone offset
– IDS summer time mode and offset
Cisco IOS clock mode: accurate IDS local time depends on:
– Router's local time
– Router's time zone offset
– Router's summer time mode and offset
– IDS module's time zone offset
– IDS module's summer time mode and offset

Clock Considerations
When choosing the NM-CIDS clock mode, keep the following in mind:
– UTC time sent to the NM-CIDS is calculated by the router from its local time, time zone, and summer time settings.
– If the router's time zone settings are incorrect, the UTC time sent to the IDS module is incorrect.
– Setting the router clock to UTC is recommended.
– IDS alarm time stamps indicate both UTC and local time.
– If the router is power-cycled, the clock is reset.
– TLS certificates expire based on current time.

Clock Recommendations
Clock recommendations from best to worst are as follows:
1. Use NTP mode on the NM-CIDS.
2. Run an NTP client on the router and use Cisco IOS mode on the NM-CIDS.
3. Run Cisco IOS mode on the NM-CIDS and set the router's time zone to UTC.
4. Run Cisco IOS mode on the NM-CIDS and set the router's time zone to the local time zone.

Setting NTP Clock Mode
  router(config)# ntp server ip-address [version number] [key keyid] [source interface] [prefer]
Enables the software clock to be synchronized by an NTP time server.
  router(config)#ntp server
  router(config)#ntp server prefer
Designates two NTP servers and specifies the server configured with the prefer keyword as the preferred of the two.

Setting NTP Clock Mode (Cont.)
  router(config)# ntp authentication-key number md5 value
Defines an authentication key for NTP.
  router(config)#ntp authentication-key md5 NTPKEY
Specifies the NTP authentication key ID and value.

Task 4: Configure Packet Monitoring
  router(config-if)# ids-service-module monitoring
Configures packet monitoring on the interface.
  router(config)#interface FastEthernet0/0
  router(config-if)#ids-service-module monitoring
Specifies that packets sent and received on Fast Ethernet interface 0/0 should be forwarded to the NM-CIDS for inspection.
  router(config)#interface FastEthernet0/0.1
  router(config-if)#ids-service-module monitoring
Specifies that packets sent and received on Fast Ethernet subinterface 0/0.1 should be forwarded to the NM-CIDS for inspection.
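The settings from Tasks 2 through 4 (CEF, the loopback, the unnumbered ids-sensor interface, monitored interfaces, NTP) can be audited offline from a saved running-config. The following Python checker is an added example, not part of the Cisco course material: it parses a constructed sample config (RFC 5737 documentation addresses) and reports the conditions the slides call out, including the design consideration that an inbound ACL on a monitored interface drops packets before the NM-CIDS sees them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config for this example; not taken from the slides.
SAMPLE_CONFIG = """\
ip cef
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group 101 in
 ids-service-module monitoring
!
interface IDS-Sensor1/0
 ip unnumbered Loopback0
 hold-queue 60 out
!
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
ntp server 192.0.2.10
ntp server 192.0.2.11 prefer
"""


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface command lists."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # '!' closes an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def check_nm_cids_config(text: str) -> List[str]:
    """Return the NM-CIDS-relevant problems and caveats found in a running-config."""
    findings: List[str] = []
    global_cmds, interfaces = parse_ios_config(text)
    if "ip cef" not in global_cmds:
        findings.append("CEF is not enabled: the router cannot forward packets to the NM-CIDS (Task 2, Step 2)")
    sensor_ifs = [n for n in interfaces if n.lower().startswith("ids-sensor")]
    if not sensor_ifs:
        findings.append("no ids-sensor interface: the router does not show an installed NM-CIDS")
    for name in sensor_ifs:
        unnumbered = next((c for c in interfaces[name] if c.startswith("ip unnumbered ")), None)
        if unnumbered is None:
            findings.append(f"{name}: no 'ip unnumbered' statement (Task 2, Step 3)")
            continue
        loop = unnumbered.split(None, 2)[2].replace(" ", "")   # 'loopback 0' -> 'loopback0'
        loop_cmds = next((c for n, c in interfaces.items()
                          if n.replace(" ", "").lower() == loop.lower()), None)
        if loop_cmds is None or not any(c.startswith("ip address ") for c in loop_cmds):
            findings.append(f"{name}: borrows its address from {loop}, which has no IP address")
    monitored = [n for n, c in interfaces.items() if "ids-service-module monitoring" in c]
    if not monitored:
        findings.append("no interface has 'ids-service-module monitoring': nothing reaches the NM-CIDS (Task 4)")
    for name in monitored:
        for cmd in interfaces[name]:
            m = re.fullmatch(r"ip access-group (\S+) in", cmd)
            if m:  # input ACL drops happen before the copy to the NM-CIDS
                findings.append(f"{name}: inbound ACL {m.group(1)} drops packets before the NM-CIDS sees them")
    if not any(c.startswith("ntp server ") for c in global_cmds):
        findings.append("no NTP server: NM-CIDS time depends on the router clock and its time zone settings")
    return findings


if __name__ == "__main__":
    for finding in check_nm_cids_config(SAMPLE_CONFIG):
        print("-", finding)
```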

Task 5: Log In to the NM-CIDS Console
– No physical console port is available on the NM-CIDS.
– The Cisco IOS software creates a reverse Telnet to access the NM-CIDS console.
– The NM-CIDS console can be accessed via the session command or Telnet.

Console Access to the NM-CIDS via the Session Command
  router# service-module ids-sensor slot-number/port-number session
Establishes a session between the router and the NM-CIDS.
  router#service-module ids-sensor 1/0 session
  Trying , Open
  sensor login:
Establishes a session between the router and the module in slot 1.

Console Access to the NM-CIDS via Telnet
– You can telnet directly into the NM-CIDS by using an IP address and port number. The port number is calculated with the following formula:
  – (32 x slot number)
– The following are examples of using Telnet for console access:
  – To telnet to the NM-CIDS in slot 1 via router interface : C:\>telnet
  – To telnet to the NM-CIDS in slot 2 via router interface : C:\>telnet

Log In to the NM-CIDS
  sensor login: cisco
  Password: *****
  You are required to change your password immediately (password aged)
  Changing password for cisco
  (current) UNIX password:
  New password:
  Retype new password:
  sensor#
– You must first log in with the default username cisco.
– The password for the cisco account is also cisco.
– You are forced to change the password for the default cisco account at the first login.
– After login, execute the setup command to initialize the NM-CIDS.

NM-CIDS Interfaces
(Diagram; labels: Command and control, int0)

Maintenance Tasks Unique to the NM-CIDS

Cisco IOS Command for NM-CIDS Support
  router# service-module ids-sensor slot-number/port-number {reload | reset | session | shutdown | status}
Enables you to do the following from the router console:
– Reload the NM-CIDS
– Reset the NM-CIDS
– Establish a session to the NM-CIDS
– Shut down the NM-CIDS
– View the status of the NM-CIDS

Reload the NM-CIDS Hardware
– Reloads the NM-CIDS in slot 1 from the router console
– Stops the application, and then reloads the software
  router#service-module ids-sensor 1/0 reload
  Do you want to proceed with reload?[confirm] y
  Trying to reload Service Module IDS-Sensor1/0

Reset the NM-CIDS Hardware
– Resets the NM-CIDS in slot 1 from the router console
– Initiates a hardware reboot
– Must be used with caution because it could corrupt the file system on the hard disk
  router#service-module ids-sensor 1/0 reset
  Use reset only to recover from shutdown or failed state
  Warning: May lose data on the hard disc!
  Do you want to reset?[confirm]

Shut Down the IDS Applications
– Shuts down the IDS applications
  router#service-module ids-sensor 1/0 shutdown
  Do you want to proceed with shutdown? [confirm] y
  Use service module reset command to recover from shutdown
  router#
  Sep 12 15:24:13.919: %SERVICEMODULE-5-SHUTDOWN2: Service module IDS-Sensor1/0 shutdown complete

Check the Status of the IDS Software
– Checks the status of the IDS software
  router#service-module ids-sensor 1/0 status
  Service Module is Cisco IDS-Sensor1/0
  Service Module supports session via TTY line 33
  Service Module is in Steady state
  Getting status from the Service Module, please wait..
  Cisco Systems Intrusion Detection System Network Module
    Software version: 4.1(1)S47
    Model: NM-CIDS
    Memory: KB
  sensor#

NM-CIDS Removal and Replacement
– The Linux operating system on the NM-CIDS must be appropriately shut down before you remove the NM-CIDS from the router.
– The 2600XM Series and 2691 routers must be powered down before you remove the NM-CIDS.
– The 3660, 3725, and 3745 routers allow OIR.
– The 3660, 3725, and 3745 routers support OIR with similar modules only. If you remove an NM-CIDS, install another NM-CIDS in its place.

Recovering the NM-CIDS Software Image
You might need to recover the NM-CIDS software image in the following circumstances:
– Lost password
– Corrupted operating system
– Corrupted hard drive
If you perform an image recovery, all IDS configuration settings are reset to the defaults.

Recovering the NM-CIDS Software Image (Cont.)
To recover the NM-CIDS software image, you will need the following:
– Application image
– Helper image
– Latest signature and service pack updates
– Backup configuration file

Image Recovery Overview
1. Configure the boot loader using the config command.
2. Boot the helper image.
3. Select either SSH or TFTP as the file transfer method.
4. Download and write the application image to disk.
5. Boot the application image.
6. Configure the IDS application or restore a saved configuration.

Step 1: Configure the Boot Loader
  ServicesEngine boot-loader> config
Obtain the boot loader prompt by completing the following substeps:
1. Establish a session into the NM-CIDS.
2. Suspend the session by pressing Ctrl-Shift-6 x.
3. Reset the NM-CIDS.
4. Resume the suspended session by pressing Enter.
5. At the following prompt, enter ***.
   Please enter '***' to change boot configuration:
At the ServicesEngine boot-loader> prompt, enter config to obtain the interactive prompts that enable you to set up the following boot loader network parameters:
– NM-CIDS's IP address, netmask, and gateway
– TFTP server's IP address
– Path to helper image file
– Internal/external interface
– Default boot device

Step 2: Boot the Helper Image
  ServicesEngine boot-loader> boot helper
Boot the helper file by entering the boot helper command at the ServicesEngine boot-loader> prompt. When the TFTP load actually begins, a spinning character is displayed to indicate packets arriving from the TFTP server. The following Helper utility is launched:
  Cisco Systems, Inc.
  Services engine helper utility for NM-CIDS
  Version 1.0(1) [ ]
  Main menu
  1 - Download application image and write to HDD
  2 - Download bootloader and write to flash
  3 - Display software version on HDD
  4 - Display total RAM size
  5 - Change file transfer method (currently secure shell)
  r - Exit and reset Services Engine
  h - Exit and shutdown Services Engine
  Selection [12345rh]:

Step 3: Select the File Transfer Method
From the Helper utility, select 5 if you want to change the file transfer method.
  Selection [12345rh]: 5
  Change file transfer method menu
  The current file transfer method is secure shell.
  1 - Change to secure shell
  2 - Change to tftp
  r - return to main menu

Step 4: Download and Install the Application Image
From the Helper utility, select 1 to download and install the application image.
  Selection [12345rh]: 1
  Download recovery image via secure shell and write to HDD
  secure shell server user name [cisco]:
  server IP address [ ]:
  full pathname of recovery image []: NM-CIDS-K9-a S42-1. bin
  Ready to begin
  Are you sure? [y/N] y

Step 5: Boot the Application Image
From the Helper utility, select r to boot the application image.
  Selection [12345rh]: r
  About to exit and reset Services Engine.
  Are you sure? [y/N]

Software Upgrades
– The NM-CIDS accepts the same software revision upgrades, service packs, and signature updates as all other Cisco IDS Sensors.
– The upgrade process is also the same. You can use the upgrade command in the CLI.

Summary
– The NM-CIDS is a fully featured IDS Sensor that runs on Cisco 2600XM, 2691, 3660, 3725, and 3745 routers.
– The NM-CIDS can inspect all traffic traversing the router.
– The NM-CIDS runs the Cisco IDS 4.1 Sensor software.
– The NM-CIDS has one external Fast Ethernet interface that is used as the command and control port.
– An internal Fast Ethernet interface on the NM-CIDS connects to the internal PCI bus on the router's backplane. This provides the monitoring or sniffing capability.

Summary (Cont.)
– Tasks for enabling the NM-CIDS to analyze network traffic include the following:
  – Enabling CEF on the router.
  – Creating a loopback interface on the router.
  – Assigning an IP address to the router's loopback interface.
  – Enabling the router's ids-sensor interface to use the loopback interface's IP address.
  – Configuring the NM-CIDS clock settings.
  – Configuring packet monitoring.
– NM-CIDS software upgrades use the same software revision upgrades, service packs, and signature updates as all other CIDS sensors.
– Like other Sensor devices, the NM-CIDS can be upgraded using the upgrade command.

Summary (Cont.)
– The service-module ids-sensor command is a Cisco IOS command that supports the NM-CIDS by providing the ability to reload, reset, shut down, establish a session to, and check the status of the NM-CIDS.
– Before removing the NM-CIDS from the router, you must do the following:
  – Shut down the Linux operating system on the NM-CIDS.
  – Power down the router if it is a 2600XM or 2691 model.
– There is a recovery procedure that enables you to recover the NM-CIDS software image in situations such as the following:
  – Lost password
  – Corrupted operating system
  – Corrupted hard drive
– All IDS configuration settings are reset to the defaults when you perform the software recovery procedure.

Lab Exercise

Lab Visual Objective
(Diagram; labels: Router and NM-CIDS for pods P and Q, Student PC, RTS, Web, FTP, RBB; host suffixes .0, .2, .4 with network prefixes not recoverable)