Cisco Security Troubleshooting: Part III – Intrusion Prevention Systems
1-800-COURSES www.globalknowledge.com
Douglas B. McKillip, P.E., CCSI, CCSP, CCIE #1851
Introduction
This paper is the third in a three-part series of white papers on Cisco security troubleshooting, each of which examines the challenge of implementing network security on equipment from Cisco Systems while maintaining the connectivity requirements of the business or enterprise. The focus of this third paper is primarily on troubleshooting the proper sensing operation of a signature-based Intrusion Prevention System (IPS). The first two papers in this series are: Troubleshooting Part I – Connectivity Through ASA or PIX Firewalls and Troubleshooting Part II – Virtual Private Networks.
Troubleshooting Scenario
The following scenario will be used to illustrate many of the concepts discussed in this Cisco security white paper. If the names and IP Addresses look familiar to some of you, this is because the diagram represents a portion of the lab topology used in Cisco Security classes offered by Global Knowledge.
[Figure: Troubleshooting Scenario topology. Perimeter Router; outside network 200.200.1.0/24; Outside-PC 150.150.1.20; ASA/PIX; DMZ Subnet 172.16.1.0/24 with DMZ-Srv 172.16.1.15 (NAT: 200.200.1.15); inside network with Admin-PC 10.10.10.10.]
While the Command and Control/Management interface is used for Management and Monitoring, the Promiscuous or Inline Pair interfaces are the ones into which the packets to be “sensed” arrive. The following sequence of events occurs with a properly operating and configured signature-based IPS.
The steps outlined above are an oversimplified example of how the IPS operates, assuming that the signature being matched is enabled and that the alerting behavior is configured. Secondly, the pattern match described in the fourth step could be the final packet in a multi-packet or fragment stream versus a single “atomic” capture. This Cisco white paper will focus on troubleshooting the failure of any of the five steps shown above.
The keyword both is used above to indicate packets being both received and transmitted by the interface. The commands show monitor and debug monitor can be used to verify proper configuration and operation, respectively. A sample display of show monitor is shown below.
Occasionally, an IPS will need to be operated in promiscuous mode connected to a switch other than the one through which the “interesting traffic” is flowing. In this case, a Remote SPAN or RSPAN VLAN can be used to copy packets from the source switch to this VLAN, carried by a trunk port between the switches, and then to a SPAN port on the destination switch. Several key steps are required on the two switches to accomplish this.
On both switches:
Switch(config)# vlan 900 (900 is an example; any unassigned VLAN # here is fine)
Switch(config-vlan)# remote-span
Once these configurations are in place and spanning-tree for the RSPAN VLAN has been disabled, the reception of packets by the IPS promiscuous interface can be verified by a simple show interface command.
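The complete set of RSPAN steps on the two switches, written out as an added example (this is not configuration from the paper; it uses standard Catalyst IOS monitor session syntax). The switch names, the port numbers GigabitEthernet0/1, 0/24 and 0/2, and the session number 1 are assumptions for illustration; VLAN 900 is the paper's example RSPAN VLAN.

```cisco
! ---- Source switch: the switch through which the interesting traffic flows ----
Switch-A(config)# vlan 900
Switch-A(config-vlan)# remote-span
Switch-A(config-vlan)# exit
! Assumed: Gi0/1 is the port carrying the traffic to be sensed; "both" = received and transmitted
Switch-A(config)# monitor session 1 source interface GigabitEthernet0/1 both
Switch-A(config)# monitor session 1 destination remote vlan 900
! Assumed: Gi0/24 is the trunk toward the destination switch; it must carry VLAN 900
! (on platforms that require it, add "switchport trunk encapsulation dot1q" before "switchport mode trunk")
Switch-A(config)# interface GigabitEthernet0/24
Switch-A(config-if)# switchport mode trunk
Switch-A(config-if)# switchport trunk allowed vlan add 900
Switch-A(config-if)# exit
! The paper's step of disabling spanning tree for the RSPAN VLAN
Switch-A(config)# no spanning-tree vlan 900

! ---- Destination switch: the switch the IPS promiscuous interface is cabled to ----
Switch-B(config)# vlan 900
Switch-B(config-vlan)# remote-span
Switch-B(config-vlan)# exit
Switch-B(config)# monitor session 1 source remote vlan 900
! Assumed: Gi0/2 faces the sensor's promiscuous (sensing) interface
Switch-B(config)# monitor session 1 destination interface GigabitEthernet0/2
Switch-B(config)# no spanning-tree vlan 900

! ---- Verification ----
! Each switch should show its half of the session: source Gi0/1 -> remote VLAN 900
! on Switch-A, remote VLAN 900 -> destination Gi0/2 on Switch-B
Switch-A# show monitor session 1
Switch-B# show monitor session 1
! The output packet counter on the SPAN destination port should climb while traffic flows
Switch-B# show interfaces GigabitEthernet0/2
! And on the sensor, the promiscuous interface's received-packet counter should climb
sensor# show interfaces
```

The session numbers on the two switches are independent of each other; only the RSPAN VLAN ties them together. If the trunk already allows all VLANs, the allowed-vlan line is unnecessary, but a trunk that prunes VLAN 900 is the most common reason the destination switch's counters stay at zero while the source switch's session looks healthy.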
While this command will verify that the sensor is receiving packets, it does not verify that the bi-directional flow between each session endpoint is seen. A more useful command on the sensor to verify this “sessionized flow” is the packet capture command as seen below (which can also be done for inline operation).
As can be seen from the trace above of a 1200 byte ping from 10.10.10.10 to 10.10.10.200, both the echo-request and echo-reply packets can be seen. The observation of both directions of flow is necessary for the IPS sensor to properly reassemble fragmented packets in addition to its ability to observe “well-behaved” TCP connections (the completion of 3-way handshake & FIN exchange, for example).
The diagram shown above is a more detailed depiction of the Troubleshooting Scenario seen at the beginning of this paper. If the two interfaces on an IPS sensor inline pair are connected to the same switch, the DMZ Server and the ASA/PIX dmz interface must be on different VLANs; otherwise, the sensor will be bypassed. Each VLAN is traditionally thought of as its own broadcast domain, but because the inline pair bridges frames between its two interfaces, VLAN 3 and VLAN 13 have now been effectively combined into one.
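An added example of the inline-pair placement described above (not configuration from the paper). The switch port numbers, VLAN names, the sensor's interface names GigabitEthernet0/0 and 0/1, and the inline-pair name are assumptions; the sensor-side commands follow the IPS 5.x/6.x service interface and service analysis-engine CLI syntax and should be checked against the running version.

```cisco
! ---- Switch: keep the two sides of the inline pair in separate VLANs ----
! Assumed ports: Fa0/3 = DMZ-Srv, Fa0/4 = sensor interface1,
!                Fa0/13 = sensor interface2, Fa0/14 = ASA/PIX dmz interface
Switch(config)# vlan 3
Switch(config-vlan)# name DMZ-SERVER-SIDE
Switch(config-vlan)# exit
Switch(config)# vlan 13
Switch(config-vlan)# name DMZ-FIREWALL-SIDE
Switch(config-vlan)# exit
Switch(config)# interface range FastEthernet0/3 - 4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 3
Switch(config-if-range)# exit
Switch(config)# interface range FastEthernet0/13 - 14
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 13
Switch(config-if-range)# exit
! Deliberately no "interface Vlan3" / "interface Vlan13" and no routing between them:
! the only path from VLAN 3 to VLAN 13 is the bridge the sensor's inline pair provides.

! ---- Sensor: define the inline pair and assign it to the virtual sensor ----
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# inline-interfaces inline-pair-1
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
sensor(config-int)# exit
! (the sensor prompts to apply the changes when leaving service mode; answer yes)
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface inline-pair-1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit

! ---- Checks ----
! Both sensor ports in one VLAN, or DMZ-Srv and the ASA dmz port in one VLAN,
! means the switch forwards frames directly and the sensor is bypassed.
Switch# show vlan brief
! The DMZ-Srv MAC should be learned on Fa0/3 in VLAN 3 and, via the sensor, on Fa0/13 in VLAN 13
Switch# show mac address-table vlan 3
Switch# show mac address-table vlan 13
! Both interfaces of the pair should be up and passing packets in both directions
sensor# show interfaces
```

A quick bypass test is to look at the sensor's interface counters while pinging DMZ-Srv from the Admin-PC: if the ping succeeds but neither sensor interface's packet counters move, the switch has a direct Layer 2 path between the two VLANs that does not pass through the inline pair.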
show version
Application Partition:
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S280.0 2007-04-11
Virus Update V1.2 2005-11-24
--- (output omitted) ---
MainApp 2007_MAR_29_14_06 (Release) 2007-03-29T14:44:36-0600 Running
AnalysisEngine 2007_MAR_29_14_06 (Release) 2007-03-29T14:44:36-0600 Running
CLI 2007_MAR_29_14_06 (Release) 2007-03-29T14:44:36-0600
As shown by the output below, the CLI command show statistics analysis-engine can be used to verify activity of the signature engines.
Note that even though the documentation on CCO classifies the ATOMIC.IP as an engine, the transport layer protocols TCP, UDP, and ICMP are separated out statistically. Also note that the line “Number of seconds since service started” substantiates that the analysis engine is running.
[Figure: the Troubleshooting Scenario topology again (same devices and addresses as the diagram at the beginning of the paper).]
The managed device in this example is the Perimeter Router, which will be logged into by the sensor using telnet. The traces below illustrate both the translation of the IPS Command and Control interface private IP address and the occupied terminal line of the router using this translated address.
PERIM#show users
    Line       User       Host(s)              Idle       Location
*    0 con 0   admin      idle                 00:00:00
   514 vty 0              idle                 00:00:05   200.200.1.52
As shown above, the sensor’s IP address of 10.10.10.200 is being translated to 200.200.1.52, and this IP address is being used to log in to the Perimeter Router terminal line vty 0.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out the following Global Knowledge courses:
IINS (Introduction to IOS Network Security)
SNRS (Securing Networks with Cisco® Routers and Switches)
SNAF (Securing Networks with ASA Fundamentals)
SNAA (Securing Networks with ASA Advanced)
MARS (Cisco® Monitoring Analysis and Reporting System)
CANAC (Cisco® Appliance for Network Admission Control)
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.
Doug’s hobbies include playing piano at his local church and physical activities such as running, cycling, swimming, golf, skiing, and windsurfing. He and his wife Karen reside in Wilmington, Delaware. Doug can be reached at innovativeint@mindspring.com.