© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0. Lesson 13: Installing and Maintaining the NM-CIDS.


NM-CIDS Overview

NM-CIDS Key Features
– Integrates IDS into several Cisco access router platforms
– Provides full-featured intrusion protection
– Can run IPS 5.0 sensor software
– Is able to monitor traffic from all router interfaces
– Is able to inspect GRE and IPSec traffic that has been decrypted at the router
– Delivers comprehensive intrusion protection at branch offices, isolating threats from corporate network

NM-CIDS Specifications
– Performance: 45 Mbps
– Interfaces: Onboard external 100-Mbps interface for command and control and internal 100-Mbps interface for monitoring
– Routers supported: 2600XM, 2691, 3660, 3725, 3745 plus the 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers
– Cisco IOS software: 12.2(15)ZJ or later or 12.3(4)T or later
– IDS sensor software: IDS 4.1 and higher

Traditional Cisco IDS Network Architecture
[Diagram labels: Router, Attacker, Management Server, Sensor Appliance, Monitoring, Command and Control, Targets, Untrusted Network]

Network Architecture with NM-CIDS
[Diagram labels: Management Server, Router, Command and Control interface, Targets, Attacker, NM-CIDS, Untrusted Network]

How the NM-CIDS Works

Hardware Architecture
[Diagram labels: Network Module, Router, CPU, Router PCI Bus, Memory, Flash, Console, Fast Ethernet 1, NM Console, UART, Memory, Flash, Disk, NM Interfaces, Controlled by Cisco IOS Software, Controlled by CIDS, Fast Ethernet, Content CPU, Fast Ethernet 0]

NM-CIDS Front Panel
[Diagram labels: DISK, Command and Control Port, ACT, LINK, PWR, EN]

Example of Architecture for NM-CIDS Monitoring
[Diagram labels: Branch, Command and Control, NM-CIDS, Hacker A, Outside, Headquarters, Hacker B, Employee, Untrusted Network]
– IDS is easily deployed and managed.
– External and internal threats are detected and eliminated quickly.

Traffic Capture for the NM-CIDS
Traffic capture for the NM-CIDS:
– Cisco IOS software provides interface-level and subinterface-level packet monitoring capability.
– The forwarding of packets to the NM-CIDS is implemented in the CEF switching path of the Cisco IOS software.
– Some of the Cisco IOS forwarding features and services implemented within CEF can impact NM-CIDS packet analysis.

Design Considerations

Special Considerations Regarding Cisco IOS Features and the NM-CIDS
The following Cisco IOS software features require special consideration when used with NM-CIDS monitoring:
– ACLs
– Encryption
– NAT
– IP multicast
– UDP flooding
– IP broadcast
– GRE tunnels

NM-CIDS and Input ACLs
Packets that are dropped by inbound ACLs are not forwarded to the NM-CIDS.
    router(config)# access-list 101 deny ip any
    router(config)# interface FastEthernet 0/0
    router(config-if)# ip access-group 101 in
[Diagram labels: Outside, Inside, A, B, Source= Destination= , X]

NM-CIDS and Output ACLs
When output ACLs are configured in Cisco IOS software, the router
– Performs output-ACL check after the packet is forwarded to the NM-CIDS
– Forwards the packet to the NM-CIDS even if the output ACL drops the packet
    router(config)# access-list 101 deny ip any
    router(config)# interface FastEthernet 0/1
    router(config-if)# ip access-group 101 out
[Diagram labels: Outside, Inside, A, B, Source= Destination= , S= , D= ]

NM-CIDS and Encryption
Here is how encryption is handled by the router and NM-CIDS.
– If an IPSec tunnel terminates on the router, intrusion detection is handled as follows:
  – The router decrypts incoming packets and then sends them to the NM-CIDS.
  – The router encrypts outgoing packets after copying them to the NM-CIDS.
– Pass-through IPSec traffic is not interpreted by the NM-CIDS.
– The NM-CIDS cannot interpret encrypted packets for Layer 4 and higher signatures.

NM-CIDS and Inside NAT
[Diagram labels: Outside, Inside, A, B, S= , D= (S=Source, D=Destination)]
– Only the untranslated inside source address is sent to the NM-CIDS for processing.
– This facilitates identification of the inside target.

NM-CIDS and Outside NAT
[Diagram labels: Outside, Inside, A, B, S= , D= (S=Source, D=Destination)]
– A device's real global address ( ) is seen on the inside as
– Only the translated address is sent to the NM-CIDS for processing.
– The attacker's real address is not displayed in the alarm, so the source of the attack may not be easily traced.

Special Considerations for Using the NM-CIDS
– IP multicast, UDP flooding, and IP broadcast:
  – The input interface must be configured for IDS monitoring. If only the output interfaces are configured for monitoring, the packet is not forwarded to the NM-CIDS.
– GRE:
  – If the router in which the NM-CIDS is installed receives a GRE-encapsulated packet, the packet is not forwarded to the NM-CIDS.
  – If the router in which the NM-CIDS is installed encapsulates the packet in a GRE tunnel, the packet is analyzed by the NM-CIDS before encapsulation.

Packets Not Forwarded to NM-CIDS
The following packets are not inspected by the NM-CIDS:
– Packets not forwarded to the NM-CIDS
  – ARP packets
– Packets dropped by Cisco IOS software
  – Bad IP version
  – Invalid IP option
  – Bad header length
  – Any header error
  – Total length more than 1548 bytes or less than 20 bytes
  – IP CRC failure
  – TTL less than 1
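
The forwarding rules from the design-consideration slides above can be collected into a small model that says whether the NM-CIDS inspects a given packet, sees it only as ciphertext, or never receives it. This is an added Python example, not Cisco code; the `Packet` fields, the function names and the treatment of any non-IPv4 version as a bad IP version are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    in_if: str                    # interface the packet arrived on
    out_if: str                   # interface the router sends it out of
    is_arp: bool = False
    ip_version: int = 4           # assumption: anything but 4 is a bad version
    header_ok: bool = True        # False: bad option, header length, CRC, ...
    total_length: int = 100
    ttl: int = 64
    input_acl_drop: bool = False
    output_acl_drop: bool = False
    gre_received: bool = False    # arrived at the router GRE-encapsulated
    ipsec: str = "none"           # "none", "terminates_here" or "pass_through"
    delivery: str = "unicast"     # or "multicast", "broadcast", "udp_flood"


def nm_cids_view(pkt, monitored):
    """Return (verdict, reason); verdict is inspected, opaque or not_seen."""
    if pkt.is_arp:
        return "not_seen", "ARP is never forwarded to the module"
    if pkt.ip_version != 4 or not pkt.header_ok:
        return "not_seen", "dropped by Cisco IOS: header error"
    if pkt.total_length > 1548 or pkt.total_length < 20:
        return "not_seen", "dropped by Cisco IOS: total length out of range"
    if pkt.ttl < 1:
        return "not_seen", "dropped by Cisco IOS: TTL less than 1"
    if pkt.input_acl_drop:
        return "not_seen", "dropped by input ACL before forwarding"
    if pkt.gre_received:
        return "not_seen", "received GRE-encapsulated packets are not forwarded"
    if pkt.delivery == "unicast":
        # Monitoring covers packets sent and received on the interface.
        watched = pkt.in_if in monitored or pkt.out_if in monitored
    else:
        # Multicast, broadcast and UDP flooding need the INPUT side monitored.
        watched = pkt.in_if in monitored
    if not watched:
        return "not_seen", "no monitored interface on the required side"
    if pkt.ipsec == "pass_through":
        return "opaque", "pass-through IPSec: payload stays encrypted"
    if pkt.output_acl_drop:
        return "inspected", "copied to the module before the output ACL drop"
    return "inspected", "forwarded in the clear"


def blind_spots(packets, monitored):
    """Reasons why packets in a sample never get full inspection."""
    views = (nm_cids_view(p, monitored) for p in packets)
    return [reason for verdict, reason in views if verdict != "inspected"]


if __name__ == "__main__":
    monitored = {"FastEthernet0/0"}   # constructed example topology
    sample = [
        Packet("FastEthernet0/0", "FastEthernet0/1", output_acl_drop=True),
        Packet("FastEthernet0/1", "FastEthernet0/0", delivery="broadcast"),
        Packet("FastEthernet0/0", "FastEthernet0/1", ipsec="pass_through"),
    ]
    for p in sample:
        print(nm_cids_view(p, monitored))
```

An "inspected" verdict on a packet that the output ACL dropped means an alarm can fire for traffic that never reached its target, which matters when triaging alerts.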

Installation and Configuration Tasks

Configuration Tasks
Configuration tasks are the same as those for the sensor appliance, with the following exceptions:
– Initial configuration requires establishing a session from the router console.
– The NM-CIDS clock cannot be set directly. One of the following must be used:
  – Router's clock
  – NTP server

Installation and Configuration Tasks
– Task 1: Install the NM-CIDS.
– Task 2: Configure the internal ids-sensor interface.
– Task 3: Configure the clock settings.
– Task 4: Configure packet monitoring.
– Task 5: Log in to the NM-CIDS console.
– Task 6: Perform additional IDS configuration.

Task 1: Install the NM-CIDS
– Step 1: Insert the NM-CIDS into a router.
– Step 2: Connect the NM-CIDS to the network.
– Step 3: Verify the presence of the NM-CIDS.
– Step 4: Verify that Cisco IOS IPS is not running.

Task 1, Step 1: Insert the NM-CIDS into a Router
When inserting the NM-CIDS in the router, remember the following important points:
– The 2600XM Series, 2691, and 3725 routers must be powered down before you install the NM-CIDS.
– The 3660, 3745, 3800 routers allow OIR.
– Only one NM-CIDS should be installed in a router.
– Running Cisco IOS IPS on a router in which the NM-CIDS is installed is not recommended.

Task 1, Step 2: Connect the NM-CIDS to the Network
[Diagram labels: NM-CIDS, Fast Ethernet 0, RJ45, Command and Control, Straight-Through Cat 5 UTP Cable]
– Connects to switch, hub, repeater, server, or other network device

Task 1, Step 3: Verify the Presence of the NM-CIDS
Indications that the router recognizes the NM-CIDS:
– The NM-CIDS PWR and EN LEDs are green.
– The show running-config command displays the following line:
  – interface IDS-Sensor1/0
– The show version command displays the following line:
  – 1 cisco ids sensor(s), ids monitoring on slot 1

Task 1, Step 4: Verify that Cisco IOS IDS Is Not Running
– Running Cisco IOS IPS in the router that hosts the NM-CIDS causes performance reduction in the router.
– To verify that Cisco IOS IPS is not running, use the show ip audit interfaces command. The output should be blank.

Task 2: Configure the Internal IDS-Sensor Interface
– Step 1: Verify the NM-CIDS slot number.
– Step 2: Enable CEF.
– Step 3: Configure the interface.
[Diagram labels: Untrusted Network, FE0/1, FE0/0, Command and Control Interface, IDS-Sensor, Loopback]

Task 2, Step 1: Verify the NM-CIDS Slot Number
    router# show interfaces ids-sensor slot-number/port-number
Displays statistics for the ids-sensor interface in your router
    router#show interfaces ids-sensor 1/0
    IDS-Sensor1/0 is up, line protocol is up
      Hardware is I82559FE, address is 000d.bc3a.d090 (bia 000d.bc3a.d090)
      Interface is unnumbered. Using address of Loopback0 ( )
      MTU 1500 bytes, BW Kbit, DLY 100 usec,
        reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:17, output 00:00:00, output hang never.

Task 2, Step 1 (Cont.)
    router# show running-config
Displays the contents of the currently running configuration file
    router#show running-config
    .
    interface FastEthernet0/1
     ip address
     duplex auto
     speed auto
    !
    interface IDS-Sensor1/0
     ip unnumbered Loopback0
     hold-queue 60 out
    .

Task 2, Step 2: Enable CEF
    router(config)# ip cef
Globally enables CEF on the router
    router(config)#ip cef
Globally enables CEF on the router, so the router can forward packets to the NM-CIDS

Task 2, Step 3: Configure the Interface
    router(config)# interface loopback number
Creates a loop-back interface and enters interface configuration mode
    router(config)#interface loopback 0
    router(config-if)#ip address
Creates loop-back interface 0 and assigns IP address /32 to it

Task 2, Step 3 (Cont.)
    router(config)# interface ids-sensor slot-number/port-number
Enters configuration mode for the ids-sensor interface
    router(config-if)# ip unnumbered type number
Enables IP processing on an interface without assigning an explicit IP address to the interface
    router(config)#interface ids-sensor 1/0
    router(config-if)#ip unnumbered loopback 0
Enables the ids-sensor interface to use the IP address of loop-back interface 0

Task 3: Configure the Clock Settings
When assigning clock settings, keep in mind the following important information:
– The NM-CIDS clock cannot be set directly.
– The NM-CIDS must obtain its time from one of the following:
  – The router clock (Cisco IOS mode)
  – An NTP server (NTP mode)
– In both Cisco IOS and NTP modes, the NM-CIDS module:
  – Obtains UTC (GMT) time from the router or NTP server
  – Converts to local time using its own time zone and summertime settings

What Determines NM-CIDS Clock Accuracy?
– NTP Mode
  – NTP server's clock reference
  – IDS NTP configuration
  – IDS time zone offset
  – IDS summertime mode and offset
– Cisco IOS Clock Mode
  – Router's local time
  – Router's time zone offset
  – Router's summertime mode and offset
  – IDS module's time zone offset
  – IDS module's summertime mode and offset

Clock Considerations
When choosing the NM-CIDS clock mode, keep the following in mind:
– UTC sent to the NM-CIDS is calculated by the router from its local time, time zone, and summertime settings.
– If the router's time zone settings are incorrect, the UTC time sent to the IDS module is incorrect.
– Setting the router clock to UTC is recommended.
– IDS alarm time stamps indicate both UTC and local time.
– If the router is power-cycled, the clock is reset.
– TLS certificates expire based on current time.

Clock Recommendations
Clock recommendations from best to worst:
1. Use NTP mode on the NM-CIDS.
2. Run an NTP client on the router and use Cisco IOS mode on the NM-CIDS.
3. Run Cisco IOS mode on the NM-CIDS and set the router's time zone to UTC.
4. Run Cisco IOS mode on the NM-CIDS and set the router's time zone to the local time zone.

Setting NTP Clock Mode
    router(config)# ntp server ip-address [version number] [key keyid] [source interface] [prefer]
Enables the software clock to be synchronized by an NTP time server
    router(config)#ntp server
    router(config)#ntp server prefer
Designates two NTP servers and specifies server as the preferred one

Setting NTP Clock Mode (Cont.)
    router(config)# ntp authentication-key number md5 value
Defines an authentication key for NTP
    router(config)#ntp authentication-key md5 NTPKEY
Specifies the NTP authentication key ID and value

Task 4: Configure Packet Monitoring
    router(config-if)# ids-service-module monitoring
Configures packet monitoring on the interface
    router(config)#interface FastEthernet0/0
    router(config-if)#ids-service-module monitoring
Specifies that packets sent and received on Fast Ethernet interface 0/0 should be forwarded to the NM-CIDS for inspection
    router(config)#interface FastEthernet0/0.1
    router(config-if)#ids-service-module monitoring
Specifies that packets sent and received on Fast Ethernet subinterface 0/0.1 should be forwarded to the NM-CIDS for inspection
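
One way to check a router against Tasks 1 through 4 above: the script below audits `show running-config` text for CEF, an IDS-Sensor interface that borrows a loopback address, packet monitoring and an NTP server, and flags non-blank `show ip audit interfaces` output. It is an added Python example, not part of the Cisco lesson; the function names and the sample configuration (documentation-range addresses) are constructed for illustration.

```python
import re

# Constructed sample of `show running-config` output; the addresses are
# documentation-range placeholders, not values from the lesson.
SAMPLE_CONFIG = """\
ip cef
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ids-service-module monitoring
!
interface IDS-Sensor1/0
 ip unnumbered Loopback0
 hold-queue 60 out
!
ntp server 203.0.113.10 prefer
"""


def parse_config(config):
    """Split a running-config into global lines and per-interface commands."""
    interfaces, global_lines, current = {}, [], None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            current = None                      # section separator
        elif line.startswith("interface "):
            current = line.split(None, 1)[1].strip().lower()
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(line.strip().lower())
        else:
            current = None
            global_lines.append(line.strip().lower())
    return interfaces, global_lines


def audit_nm_cids(config, ip_audit_output=""):
    """Return a list of findings; an empty list means every check passed."""
    interfaces, global_lines = parse_config(config)
    findings = []
    if "ip cef" not in global_lines:
        findings.append("CEF is not enabled (ip cef)")
    sensors = [n for n in interfaces if n.startswith("ids-sensor")]
    if not sensors:
        findings.append("no IDS-Sensor interface in the configuration")
    for name in sensors:
        borrowed = [m.group(1) for c in interfaces[name]
                    if (m := re.fullmatch(r"ip unnumbered (\S+)", c))]
        if not borrowed:
            findings.append(f"{name}: missing ip unnumbered")
        elif not any(c.startswith("ip address ")
                     for c in interfaces.get(borrowed[0], [])):
            findings.append(f"{name}: {borrowed[0]} has no IP address")
    if not any("ids-service-module monitoring" in cmds
               for cmds in interfaces.values()):
        findings.append("no interface forwards packets to the NM-CIDS")
    if not any(g.startswith("ntp server ") for g in global_lines):
        findings.append("router has no NTP server configured")
    if ip_audit_output.strip():
        # The lesson expects this command's output to be blank.
        findings.append("show ip audit interfaces is not blank")
    return findings


if __name__ == "__main__":
    for finding in audit_nm_cids(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

The NTP finding is advisory: with the NM-CIDS itself in NTP mode, the router does not need its own NTP server.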

Task 5: Log In to the NM-CIDS Console
– No physical console port is available on the NM-CIDS.
– The NM-CIDS console can be accessed in either of the following ways:
  – Execute the service-module ids-sensor slot-number/port-number session command from the router privileged EXEC mode.
  – Telnet directly to the NM-CIDS using an IP address on the router and a port number corresponding to the NM-CIDS slot.

Console Access to the NM-CIDS via the session Command
    router# service-module ids-sensor slot-number/port-number session
Establishes a session between the router and the NM-CIDS
    router#service-module ids-sensor 1/0 session
    Trying , Open
    sensor login:
Establishes a session between the router and the module in slot 1

Console Access to the NM-CIDS via Telnet
– You can telnet directly into the NM-CIDS by using an IP address and port number.
– The port number is calculated with the following formula:
  – (32 x slot number)
– The following are examples of using Telnet for console access:
  – To telnet to the NM-CIDS in slot 1 via router interface :
    router#telnet
  – To telnet to the NM-CIDS in slot 2 via router interface :
    router#telnet

Log In to the NM-CIDS
    sensor login: cisco
    Password:*****
    You are required to change your password immediately (password aged)
    Changing password for cisco
    (current) UNIX password:
    New password:
    Retype new password:
    .
    sensor#
– You must first log in with the default username cisco.
– The password for the cisco account is also cisco.
– You are forced to change the password at the first login.
– After login, execute the setup command to initialize the NM-CIDS.

Image Upgrade and Recovery

Upgrading the NM-CIDS
– You can use the upgrade command to apply image upgrades, service packs, and signature updates to your NM-CIDS.
– You can use the command to upgrade from software version 4.x to 5.0.
– To upgrade from software version 4.x to 5.0, the NM-CIDS must already be running IDS 4.1(1) or higher.
– Using the upgrade command to apply the IPS 5.0 major upgrade file retains your configuration, including signature settings.
– The IPS 5.0 major upgrade file contains the major upgrade identifier maj. Example: IPS-K9-maj S149.rpm.pkg

NM-CIDS Image Recovery
– You can recover the NM-CIDS image by applying the NM-CIDS system image file.
– An NM-CIDS system image file name contains the name NM-CIDS and the sys designator. Example: IPS-NM-CIDS-K9-sys-1.1-a img
– You can use TFTP to recover the image over the network.
– You lose all your configuration settings when you recover the NM-CIDS image.

NM-CIDS Image Recovery (Cont.)
– Applying the system image to the NM-CIDS requires a helper image.
– You can download the helper image file from Cisco.com.
– The helper file contains the helper identifier. Example: NM-CIDS-K9-helper bin
– Before loading the NM-CIDS system image via TFTP, you must confirm the correct bootloader version or manually upgrade it.

Recovering the NM-CIDS Image
Complete the following steps to recover the NM-CIDS image over the network:
1. Place the helper image file and the NM-CIDS system image file on your TFTP server.
2. Enter the NM-CIDS bootloader CLI.
3. Boot the helper file.
4. Use the helper utility to configure TFTP as the transfer method.
5. Use the helper utility to re-image the hard-disk drive.
6. Reboot the NM-CIDS.

Maintenance Tasks Unique to the NM-CIDS

Cisco IOS Command for NM-CIDS Support
    router# service-module ids-sensor slot-number/port-number {reload | reset | session | shutdown | status}
Enables you to do the following from the router console:
– Reload the NM-CIDS
– Reset the NM-CIDS
– Establish a session to the NM-CIDS
– Shut down the NM-CIDS
– View the status of the NM-CIDS

Reload the NM-CIDS Hardware
    router#service-module ids-sensor 1/0 reload
    Do you want to proceed with reload?[confirm] y
    Trying to reload Service Module IDS-Sensor1/0
– Reloads the NM-CIDS in slot 1 from the router console
– Stops the application and then reloads the software

Reset the NM-CIDS Hardware
    router#service-module ids-sensor 1/0 reset
    Use reset only to recover from shutdown or failed state
    Warning: May lose data on the hard disc!
    Do you want to reset?[confirm]
– Resets the NM-CIDS in slot 1 from the router console
– Initiates a hardware reboot
– Must be used with caution because it could corrupt the file system on the hard disk

Shut Down the IDS Applications
    router#service-module ids-sensor 1/0 shutdown
    Do you want to proceed with shutdown? [confirm] y
    Use service module reset command to recover from shutdown
    router#
    Sep 12 15:24:13.919: %SERVICEMODULE-5-SHUTDOWN2: Service module IDS-Sensor1/0 shutdown complete
– Shuts down the IDS applications

Check the Status of the IDS Software
    router#service-module ids-sensor 1/0 status
    Service Module is Cisco IDS-Sensor1/0
    Service Module supports session via TTY line 33
    Service Module is in Steady state
    Getting status from the Service Module, please wait..
    Cisco Systems Intrusion Prevention System Network Modul
    Software version: 5.0(0.25)S129.0
    Model: NM-CIDS
    Memory: KB
    Mgmt IP addr:
    Mgmt web ports: 443
    Mgmt TLS enabled: true
– Checks the status of the IDS software

NM-CIDS Removal and Replacement
– The Linux operating system on the NM-CIDS must be appropriately shut down before you remove the NM-CIDS from the router.
– The following routers must be powered down before you remove the NM-CIDS:
  – 2600XM, 2691, and 3725 routers
  – 2811, 2821, and 2851 Integrated Services Routers
– The following routers support OIR with similar modules only. If you remove an NM-CIDS, install another NM-CIDS in its place:
  – 3660 and 3745 routers
  – 3825 and 3845 Integrated Services Routers


Summary
– The NM-CIDS is a full-featured sensor that runs on Cisco 2600XM, 2691, 3660, 3725, and 3745 routers and the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers.
– The NM-CIDS can inspect all traffic traversing the router.
– The NM-CIDS runs the Cisco IPS 5.0 sensor software.
– The NM-CIDS has one external Fast Ethernet interface that is used as the command and control port.
– An internal Fast Ethernet interface on the NM-CIDS connects to the internal PCI bus on the router's backplane. This provides the monitoring or sniffing capability.

Summary (Cont.)
– The service-module ids-sensor command is a Cisco IOS command that supports the NM-CIDS by providing the ability to reload, reset, shut down, establish a session to, and check the status of the NM-CIDS.
– Tasks for enabling the NM-CIDS to analyze network traffic include the following:
  – Enabling CEF on the router
  – Creating a loop-back interface on the router
  – Assigning an IP address to the router's loop-back interface
  – Enabling the router's ids-sensor interface to use the loopback interface's IP address
  – Configuring the NM-CIDS clock settings
  – Configuring packet monitoring

Summary (Cont.)
– Before removing the NM-CIDS from the router, you must do the following:
  – Shut down the Linux operating system on the NM-CIDS.
  – Power down the router if it is a 2600XM or 2691 model.
– You can use the CLI upgrade command to apply the IPS 5.0 major upgrade file and retain your configuration.
– You can use the NM-CIDS system image to upgrade or recover the NM-CIDS image.

Lab Exercise

Lab Visual Objective
[Lab topology diagram labels: Web, FTP, RBB, RTS, Student PC 10.0.P.12, Student PC 10.0.Q.12, routerP, routerQ, nm-cids P, nm-cids Q, 10.0.P.0]