Saturday, December 12, 2015

Cisco ASA mac-address auto Command

We used to manage two Cisco ASA firewalls in our network environment: one to terminate site-to-site IPsec VPNs for remote client sites connecting back to our HQ, and another to run multiple security contexts. The second ASA was used to NAT multiple downstream clients, but now I just use a single ASA running a 9.x image, with the site-to-site IPsec VPNs under the admin context and NAT on multiple security contexts. I've demonstrated a context-based ASA firewall using 9.0 code running S2S VPN in a previous blog.

I was creating a new context for a customer last time, and after configuring nameif on the shared outside interface, management traffic (like ping and SNMP) to our upstream Internet edge router was cut off. I tried to troubleshoot and then recalled that by default, all contexts use the same MAC address on a shared interface, and the ASA relies on a unique destination MAC to classify packets arriving on a shared interface into the right context. The best practice is therefore to have a unique MAC address on the outside interface for each security context. We can manually assign a unique MAC address on the shared outside interface in each context, or do it automatically under the system context using the mac-address auto command. After issuing this command I was able to ping the Internet again under the new context, and our NMS was able to poll the ASA via SNMP.


ciscoasa# show interface g0/0 | include MAC 
        MAC address a46c.2a65.83d9, MTU not set

ciscoasa/admin# show interface g0/0 | include MAC   
        MAC address  a46c.2a65.83d9, MTU 1500

ciscoasa/NEW# show interface g0/0 | include MAC   
        MAC address  a46c.2a65.83d9, MTU 1500

ciscoasa/admin# changeto context NEW
ciscoasa/NEW(config)# interface GigabitEthernet0/0
ciscoasa/NEW(config-if)# mac-address a46c.2a65.1111    // MANUAL APPROACH; NETWORK TRAFFIC WENT BACK TO NORMAL

ciscoasa/NEW(config)# interface GigabitEthernet0/0
ciscoasa/NEW(config-if)# no mac-address a46c.2a65.1111
ciscoasa/NEW(config-if)# changeto system
ciscoasa(config)# mac-address auto
INFO: Converted to mac-address auto prefix 33748

ciscoasa# show interface g0/0 | include MAC    // SYSTEM CONTEXT
        MAC address a46c.2a65.83d9, MTU not set

ciscoasa/admin# show interface g0/0 | include MAC     // ADMIN CONTEXT
        MAC address a2d4.8300.0004, MTU 1500

ciscoasa/NEW# show interface g0/0 | include MAC    // NEW CONTEXT
        MAC address a2d4.8300.0002, MTU 1500
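Two things are worth being able to check from a transcript like the one above: whether two contexts share one MAC on a shared interface (the condition that broke management traffic), and whether the auto-generated MACs are consistent with the prefix the ASA reported. The following is an added example in Python, not part of the original post. It assumes Cisco's documented auto-MAC format (A2xx.yyzz.zzzz, with the 16-bit prefix byte-reversed into xx.yy and an internal counter in zz.zzzz; the counter values passed in below are assumptions used for illustration), and the two transcripts are constructed in the shape of the output above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed transcripts in the shape of `show interface ... | include MAC` above,
# before and after `mac-address auto` was issued in the system context.
BEFORE = """\
ciscoasa# show interface g0/0 | include MAC
        MAC address a46c.2a65.83d9, MTU not set
ciscoasa/admin# show interface g0/0 | include MAC
        MAC address  a46c.2a65.83d9, MTU 1500
ciscoasa/NEW# show interface g0/0 | include MAC
        MAC address  a46c.2a65.83d9, MTU 1500
"""
AFTER = """\
ciscoasa# show interface g0/0 | include MAC
        MAC address a46c.2a65.83d9, MTU not set
ciscoasa/admin# show interface g0/0 | include MAC
        MAC address a2d4.8300.0004, MTU 1500
ciscoasa/NEW# show interface g0/0 | include MAC
        MAC address a2d4.8300.0002, MTU 1500
"""

PROMPT = re.compile(r"^ciscoasa(?:/(?P<ctx>[^#(]+))?#\s*show interface (?P<intf>\S+)")
MACLINE = re.compile(r"MAC address\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def auto_mac(prefix: int, counter: int) -> str:
    """MAC that `mac-address auto` derives from a 16-bit prefix (documented A2xx.yyzz.zzzz form).
    The prefix written in hex is yy xx; the ASA stores it byte-reversed as xx yy after the
    fixed A2 byte, followed by a 24-bit internal counter (assumed here, chosen by the ASA)."""
    if not 0 <= prefix <= 0xFFFF:
        raise ValueError("prefix must be a 16-bit value")
    if not 0 <= counter <= 0xFFFFFF:
        raise ValueError("counter must fit in 24 bits")
    yy, xx = prefix >> 8, prefix & 0xFF
    h = (bytes([0xA2, xx, yy]) + counter.to_bytes(3, "big")).hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def auto_prefix_of(mac: str) -> Optional[int]:
    """Recover the prefix from an auto-generated MAC, or None if it is not in the A2 form."""
    h = mac.replace(".", "").lower()
    if len(h) != 12 or h[:2] != "a2":
        return None
    xx, yy = int(h[2:4], 16), int(h[4:6], 16)
    return (yy << 8) | xx


def context_macs(transcript: str) -> List[Tuple[str, str, str]]:
    """Pair each show-interface prompt with the MAC line that follows it.
    Returns (context, interface, mac); the bare system prompt is reported as 'system'."""
    out, ctx, intf = [], None, None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            ctx, intf = m.group("ctx") or "system", m.group("intf")
            continue
        m = MACLINE.search(line)
        if m and intf is not None:
            out.append((ctx, intf, m.group("mac").lower()))
            ctx = intf = None
    return out


def shared_mac_conflicts(transcript: str) -> Dict[Tuple[str, str], List[str]]:
    """Interfaces whose MAC is used by more than one security context.
    The system context owns the burned-in MAC and carries no data traffic, so it is
    excluded; two user contexts sharing one MAC on the same interface is the problem."""
    seen = defaultdict(list)
    for ctx, intf, mac in context_macs(transcript):
        if ctx != "system":
            seen[(intf, mac)].append(ctx)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print("conflicts before:", shared_mac_conflicts(BEFORE))
    print("conflicts after :", shared_mac_conflicts(AFTER))
    print("prefix 33748, counter 4 ->", auto_mac(33748, 4))
    print("prefix recovered from admin MAC:", auto_prefix_of("a2d4.8300.0004"))
```

The recovered prefix matches the "Converted to mac-address auto prefix 33748" message the ASA printed, which is a quick way to confirm that a context's MAC really came from the auto scheme rather than from a stale manual assignment.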

Saturday, December 5, 2015

Site-to-Site IPsec VPN on Context ASA 9.0

I practically use security contexts to PAT (and NAT) clients using different outside public IP addresses on a context-based Cisco ASA firewall. This makes the ASA configuration scalable and more manageable. I also used to run a separate ASA firewall just to terminate site-to-site IPsec VPNs, but with Cisco ASA Software release 9.0 I'm now able to run IKEv1 (and IKEv2) VPNs on a context-based ASA. I wasn't successful establishing the IPsec VPN tunnel right after configuring it, so I ran some debugs:

Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 7
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, constructing ISAKMP SA payload
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, constructing Fragmentation VID + extended capabilities payload
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, Tunnel Rejected: The maximum tunnel count allowed has been reached
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, IKE MM Responder FSM error history (struct &0x00007fff36a117d0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, IKE SA MM:ce5a3ed0 terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, sending delete/delete with reason message
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing blank hash payload
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing IKE delete payload
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing qm hash payload
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=e1881a02) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76


Even though my IKE Phase 1 and Phase 2 policies on both VPN peers were correct (the debug shows the peer's proposal matching global IKE entry 7), they were still unable to establish a security association (SA); the decisive line is "Tunnel Rejected: The maximum tunnel count allowed has been reached". I found out that in multiple-context mode we need to explicitly assign VPN resources to each context through a resource class. We first create a class (IPSEC-VPN) in the system context where we set the VPN resource limit, and then add the specific context (admin) as a member of that class.

ciscoasa# configure terminal
ciscoasa(config)# class ?

configure mode commands/options:
  WORD  Symbolic name of the class

ciscoasa(config)# class  IPSEC-VPN
ciscoasa(config-class)# ?

Class configuration commands:
  limit-resource  Configure the resource limits
  no              Negate a command or set its defaults

ciscoasa(config-class)# limit-resource ?

class mode commands/options:
  rate    Enter this keyword to specify a rate/sec
Following resources available:
  ASDM    ASDM Connections
  All     All Resources
  Conns   Connections
  Hosts   Hosts
  Routes  Routing Table Entries
  SSH     SSH Sessions
  Telnet  Telnet Sessions
  VPN     VPN resources
  Xlates  XLATE Objects

ciscoasa(config-class)# limit-resource vpn ?

class mode commands/options:
  Burst  Burst limit over the configured limit. This burst limit is not
         guaranteed. The context may take this resource if it is available on
         the device at run time.
  Other  Other VPN sessions which include Site-to-Site, IKEv1 RA and L2tp
         Sessions. These are guaranteed for a context and shouldn't exceed the
         system capacity when combined across all contexts.
  ikev1  Configure IKEv1 specific resources.

ciscoasa(config-class)# limit-resource vpn other ?

class mode commands/options:
  WORD  Value of resource limit (in <value> or <value>%)

ciscoasa(config-class)# limit-resource vpn other 10    // I HAD 10 SECURITY CONTEXT LICENSE INSTALLED

ciscoasa(config-class)# context admin
ciscoasa(config-ctx)# ?

Context configuration commands:
  allocate-interface   Allocate interface to context
  allocate-ips         Allocate IPS virtual sensor to context
  config-url           Configure URL for a context configuration
  description          Provide a description of the context
  exit                 Exit from context configuration mode
  help                 Interactive help for context subcommands
  join-failover-group  Join a context to a failover group
  member               Configure class membership for a context
  no                   Negate a command
  scansafe             Enable scansafe inspection in this context

ciscoasa(config-ctx)# member ?

context mode commands/options:
  WORD  Class name

ciscoasa(config-ctx)# member IPSEC-VPN
ciscoasa(config-ctx)# end
ciscoasa# changeto context admin
ciscoasa/admin# debug crypto ikev1 255
ciscoasa/admin# debug crypto ipsec 255

<OUTPUT TRUNCATED>

Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 1 COMPLETED
Aug 19 06:40:22 [IKEv1]IP = 116.21.19.9, Keep-alive type for this connection: DPD
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Starting P1 rekey timer: 82080
Aug 19 06:40:22 [IKEv1 DECODE]IP = 116.21.19.9, IKE Responder starting QM: msg id = 0848596d

IPSEC: Increment SA NP ref counter for inbound SPI 0xA6685BB5, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5281)
IPSEC: Completed inbound permit rule, SPI 0xA6685BB5
    Rule ID: 0x00007fff369ff5d0
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA6685BB5, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4645)
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA6685BB5, old value: 1, new value: 0, (ctm_np_vpn_context_cb:10167)
IPSEC: Increment SA HW ref counter for inbound SPI 0xA6685BB5, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_ibsa:743)
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Pitcher: received KEY_UPDATE, spi 0xa6685bb5
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Starting P2 rekey timer: 27360 seconds.
Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 2 COMPLETED (msgid=0848596d)
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Sending keep-alive of type DPD R-U-THERE (seq number 0x382b231e)
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing blank hash payload
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing qm hash payload
Aug 19 06:40:35 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=ddb7337f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80


ciscoasa/admin# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 116.21.19.9
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


ciscoasa/admin# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 818, local addr: 202.7.2.12

      access-list SYDNEY_TO_PERTH extended permit ip host220.10.7.14 host 220.10.7.14
      local ident (addr/mask/prot/port): (220.10.7.14/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (116.21.19.9/255.255.255.255/0/0)
      current_peer: 220.10.7.14

      #pkts encaps: 1569732, #pkts encrypt: 1585121, #pkts digest: 1585121
      #pkts decaps: 1824463, #pkts decrypt: 1824463, #pkts verify: 1824463

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1569732, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 15389, #pre-frag failures: 0, #fragments created: 30778
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 87450
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.7.2.12/0, remote crypto endpt.: 116.21.19.9
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 5AE3F513
      current inbound spi : 36AE99F5

<OUTPUT TRUNCATED>
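The two debug captures above are a good illustration of why the first lines of an IKEv1 debug can mislead: the "Mismatched attribute types" messages are emitted for every local policy that is tried, and only matter when no entry ends up matching. The following triage helper, an added Python example that is not part of the original post, encodes that reading of the output; the sample lines are constructed in the shape of the debug output shown above, and the remediation hints are the ones this post arrived at (the VPN resource class) plus a generic policy-mismatch hint.

```python
import re
from typing import Dict, List

# Constructed samples, shaped like the `debug crypto ikev1` output above:
# BEFORE the context was added to a VPN resource class, and AFTER.
BEFORE = """\
Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 7
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, Tunnel Rejected: The maximum tunnel count allowed has been reached
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, IKE SA MM:ce5a3ed0 terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
"""
AFTER = """\
Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 1 COMPLETED
Aug 19 06:40:22 [IKEv1]IP = 116.21.19.9, Keep-alive type for this connection: DPD
Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 2 COMPLETED (msgid=0848596d)
"""

PEER = re.compile(r"IP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
MISMATCH = re.compile(r"Mismatched attribute types for class (?P<cls>[^:]+):\s+"
                      r"Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$")
ACCEPTED = re.compile(r"Transform # \d+ acceptable\s+Matches global IKE entry # (?P<entry>\d+)")
REJECTED = re.compile(r"Tunnel Rejected: The maximum tunnel count allowed has been reached")

HINTS = {
    "vpn-resource-limit": "multiple-context mode: in the system context create a class with "
                          "'limit-resource vpn other <n>' and add the context with 'member <class>'",
    "phase1-policy-mismatch": "no local IKEv1 policy matched the peer's proposal; align the "
                              "attribute reported as mismatched on one of the peers",
}


def triage_ikev1(debug: str) -> Dict[str, object]:
    """Classify an IKEv1 debug capture into a single most likely root cause."""
    mismatches: List[Dict[str, str]] = []
    accepted_entry = None
    peers = set()
    rejected = phase1 = phase2 = False
    for line in debug.splitlines():
        if (m := PEER.search(line)):
            peers.add(m.group("ip"))
        if (m := MISMATCH.search(line)):
            mismatches.append({"class": m.group("cls"), "received": m.group("rcvd"),
                               "configured": m.group("cfgd")})
        elif (m := ACCEPTED.search(line)):
            accepted_entry = int(m.group("entry"))   # a later policy matched: mismatches above are noise
        elif REJECTED.search(line):
            rejected = True
        elif "PHASE 1 COMPLETED" in line:
            phase1 = True
        elif "PHASE 2 COMPLETED" in line:
            phase2 = True
    if rejected:
        cause = "vpn-resource-limit"
    elif mismatches and accepted_entry is None:
        cause = "phase1-policy-mismatch"
    elif phase2:
        cause = "none"
    else:
        cause = "unknown"
    return {
        "peers": sorted(peers),
        "mismatched_policies_tried": len(mismatches),
        "accepted_ike_entry": accepted_entry,
        "phase1_completed": phase1,
        "phase2_completed": phase2,
        "root_cause": cause,
        "hint": HINTS.get(cause, ""),
    }


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, triage_ikev1(capture))
```

Run against the "before" capture it reports the resource limit as the cause and notes that IKE entry 7 was accepted, so the Group Description mismatches can be ignored; against the "after" capture it reports both phases completed and no fault.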

Saturday, November 21, 2015

Configuring and Generating IME Reports

You can customize your report by configuring the number of items you want to have in your report and what the time interval should be. You can also use Domain Name System (DNS) to resolve the IP addresses and use filters to further refine the type of information you want the report to contain.

To configure and generate a sample report, follow these steps:

Step 1: In the Report tree, click New, and then in the New Report dialog box, enter the name of the new report, choose the type of report from the drop-down list, and then click OK. The new report will show up under My Reports in the Report tree.


Step 2: Select your report, and on the General tab, configure the settings for your report:

* In the Report Description field, enter a description for this report.

* In the Top field, enter how many top events you want to see in this report.

* Select the Resolve Addresses Using DNS check box, if you want to use the DNS address resolution.

* Configure the time interval for this report. Either enter the duration or a custom time.


Step 3: On the Filter tab, from the Filter Name drop-down menu, choose the filter name. Or, to add a filter, click the Note icon.



Step 4: Click Generate Report. Your report shows up in the bottom half of the Report Settings pane, displaying the statistics in graph and table form.

Step 5: To customize the display, choose Bar or Pie Chart in the Display Type drop-down menu.

Step 6: Click Print to print the report, or click Save to save the report in PDF or RTF format.

Step 7: To see events for a single IP address, choose the IP address from the Events for drop-down list.


Saturday, November 14, 2015

Customizing Cisco IME Dashboards

The dashboards contain various gadgets that provide information on sensors, including sensor health, sensor status, security alerts, and event statistics.

The Dashboard view features two default dashboards:

* Health Dashboard: Contains gadgets with information about selected sensor health, status, licenses, and utilization.

* Events Dashboard: Contains gadgets with graphs and statistics about attackers, victims, and signatures.



You can add and customize your own dashboard and add gadgets based on the items you would like to track within the sensor.

To add a dashboard, choose Home > Dashboards and click Add Dashboards. A blank untitled dashboard appears and is named CCNP Security in this example.


Based on your security standards and requirements, you can customize the metrics that are used to determine the health of the IPS in the Sensor Health pane. This can be done by choosing Configuration Sensor Name > Sensor Management > Sensor Health.


A metric must be selected, or it will not show up in the health status results. You can accept the default configuration or edit the values.

The IPS produces a health and security event when the overall health status of the IPS changes.


Adding Gadgets

With the CCNP Security dashboard successfully added, the next step is to add gadgets to the dashboard. To know which gadgets are available and which to choose, navigate to Home > Dashboards and click Add Gadgets. Double-click a gadget icon or drag and drop a gadget to add it to the dashboard. After the gadgets are added, click Add Gadgets again to hide them.


Cisco IME provides 14 built-in gadgets:

* Sensor Information: Displays the most important sensor information, such as device type, IPS version, analysis engine status, host name, and IP address.

* Sensor Health: Displays two meters: the Sensor Health meter and the Network Security Health meter. They indicate the overall system health and overall network security health, respectively. The meters have three color scales - green, yellow, and red - to depict Normal, Needs Attention, and Critical.

* Licensing: Displays the license status and signature and engine versions of the sensor.

* Interface Status: Displays the status of the interfaces, whether enabled, whether up or down, mode, packets transmitted, and received.

* Global Correlation Reports: Displays the alerts and denied packets resulting from reputation data and traditional detection techniques.

* Global Correlation Health: Displays the status of global correlation and the network participation status, counters, and connection history.

* Network Security: Displays graphs of the event count and the average threat rating and risk rating values, including the maximum threat rating and risk rating values over a configured time period. The sensor aggregates these values and puts them in one of three categories: green, yellow, or red.

* Top Applications: Displays the top ten service ports that the sensor has observed over the past 10 seconds.

* CPU, Memory and Load: Displays the current sensor CPU, memory, and disk usage. If the sensor has multiple CPUs, multiple meters are presented.

* RSS Feed: A generic RSS feed gadget. By default, the data is fed from Cisco security advisories. You can customize and add more RSS feeds.

* Top Attackers: Displays the top number of attacker IP addresses that occurred in the last configured time interval. You can configure the top number of attacker IP addresses for 10, 20, and 30. You can configure the time interval to cover the last hour, last 8 hours, or last 24 hours. You can also filter this information.

* Top Victims: Displays the top number of victim IP addresses that occurred in the last configured time interval.

* Top Signatures: Displays the top number of signatures that occurred in the last configured time interval. You can also filter this information.

* Attacks Over Time: Displays the attack counts in the last configured interval. Each set of data in the graph is the total alert count that IME received during each minute. You can configure the time interval to cover the last hour, last 8 hours, or last 24 hours. You can also filter this information.

Saturday, November 7, 2015

Configuring Remote IPS Blocking Using ACLs on a Router

The Cisco IPS uses the blocking feature to prevent packets from reaching their destination by using another Cisco device as the initiator at the request of the sensor. The blocking device must be reachable and accessible by the sensor for management purposes.

The sensor must be able to communicate with the blocking device and should have Telnet or Secure Shell (SSH) access configured. The sensor will connect to the blocking device through either of these protocols.


Using ACLs on a Router

On a blocking device, you can have only one active access control list (ACL) for each interface and direction combination. To accommodate other ACL entries apart from the ones that are generated by the sensor, you should configure the additional ACL entries in the form of pre-block and post-block ACLs. These ACLs allow an administrator to include access rules that must be processed before and after the blocking rules added by the sensor:

* Pre-block ACLs: These are used for permitting what you do not want the sensor to block and thus override the deny lines resulting from blocks. For example, when a packet is checked against an ACL, the first line that is matched determines the action. Therefore, if the first line matched is a permit line from the pre-block ACL, the packet is permitted, even though there could be a deny line from an automatic block that is listed later in the ACL.

* Post-block ACLs: These are used for additional blocking or permitting of traffic on an interface when there is an existing ACL that must be there after the block action.

The sensor creates an ACL with the following entries, in this order, and applies it to the specified interface and direction as required:

* A permit line for the sensor IP address if it is currently blocked

* A copy of all the configuration lines in the pre-block ACL

* A deny line for each address being blocked by the sensor

* A copy of all the configuration lines of the post-block ACL
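To make the ordering and the first-match semantics concrete, here is an added Python model of how the sensor assembles the ACL; it is an illustration written for this page, not Cisco's code. It also folds in the blocking properties configured in Task 2 below (the Never Block Addresses list and the Maximum Block Entries limit). Assumptions: the permit line for the sensor's own address is emitted only when that address is on the block list and "Allow Sensor IP Address to Be Blocked" is left off (my reading of the text), each entry is a (action, source prefix) pair with destination "any", and all addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# An ACE is (action, source prefix); the destination is always "any" in this model.
Ace = Tuple[str, str]

# Constructed sample (hypothetical addresses, not from the page).
SENSOR_IP = "10.10.10.5"
PRE_BLOCK: List[Ace] = [("permit", "172.16.0.0/16")]   # partner net that must never be shadowed by a block
BLOCKED = ["192.0.2.44", "10.10.10.5", "198.51.100.20", "203.0.113.9"]   # hosts the sensor asked to block
NEVER_BLOCK = ["198.51.100.0/24"]                      # Never Block Addresses (Task 2, Steps 5-8)
POST_BLOCK: List[Ace] = [("permit", "0.0.0.0/0")]      # without this, the implicit deny drops all other traffic


def build_blocking_acl(sensor_ip: str, pre_block: Iterable[Ace], blocked: Iterable[str],
                       post_block: Iterable[Ace], never_block: Iterable[str] = (),
                       max_entries: int = 250, allow_sensor_block: bool = False) -> List[Ace]:
    """Assemble the ACL in the order the text lists: sensor permit (when its own IP is
    on the block list and self-blocking is not allowed), pre-block lines, one deny per
    blocked host (skipping never-block addresses, at most max_entries), post-block lines."""
    never = [ipaddress.ip_network(n, strict=False) for n in never_block]
    blocked = list(blocked)
    acl: List[Ace] = []
    if sensor_ip in blocked and not allow_sensor_block:
        acl.append(("permit", f"{sensor_ip}/32"))
    acl.extend(pre_block)
    denies = 0
    for host in blocked:
        if any(ipaddress.ip_address(host) in n for n in never):
            continue                     # never-block wins over the block request
        if denies >= max_entries:
            break                        # Maximum Block Entries reached: newer blocks are not applied
        acl.append(("deny", f"{host}/32"))
        denies += 1
    acl.extend(post_block)
    return acl


def render_ios(acl: Iterable[Ace]) -> List[str]:
    """Render the entries as IOS extended ACL lines (wildcard-mask form)."""
    lines = []
    for action, prefix in acl:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        elif net.prefixlen == 0:
            src = "any"
        else:
            src = f"{net.network_address} {net.hostmask}"
        lines.append(f"{action} ip {src} any")
    return lines


def evaluate(acl: Iterable[Ace], src_ip: str) -> str:
    """First-match evaluation as the router does it, ending in the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix, strict=False):
            return action
    return "deny"


if __name__ == "__main__":
    acl = build_blocking_acl(SENSOR_IP, PRE_BLOCK, BLOCKED, POST_BLOCK, NEVER_BLOCK)
    print("\n".join(render_ios(acl)))
    for probe in (SENSOR_IP, "192.0.2.44", "198.51.100.20", "172.16.9.9"):
        print(probe, "->", evaluate(acl, probe))
```

The model makes the two operational gotchas visible: the sensor's own address is still denied further down, and only the leading permit keeps it reachable; and if the post-block ACL does not end in a permit, the router's implicit deny silently drops everything the sensor did not explicitly permit.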


Configuration Tasks

A number of steps need to be performed to complete the configuration process for blocking. They are grouped here into tasks to make them easy to follow:

Step 1: Add the blocking device to the sensor known host list. This involves importing an authentic copy of the public key of the blocking device to later reliably authenticate it in SSH connections. This is only required if you use SSH to communicate with the blocking devices, and it is optional.

Step 2: Configure the sensor global blocking properties. This involves enabling blocking and defining blocking parameters, such as the maximum number of blocking entries, IP addresses to be blocked, and IP addresses that cannot be blocked.

Step 3: Create blocking device login profiles. This task involves defining the username, password, and enable password for communication between the sensor and the blocking device for blocking.

Step 4: Define the blocking device properties: This task involves defining the properties of the blocking device such as device type, IP address, login profile, and communication method.

Step 5: Configure properties of managed interfaces: This involves selecting the blocking interfaces or VLAN and specifying the direction in which to apply the ACL, and also defining pre-block and post-block ACLs. This step is optional and is not required for Cisco ASA devices.

Step 6: Assign a block action to a signature. This task involves configuring a signature action to request blocking from an external device.

For Task 1, if you select SSH-DES or 3DES as the secure communication method, the sensor uses SSH password authentication to log in to the managed device. To configure the sensor to communicate with a blocking device using SSH, you must manually retrieve the SSH public key of the blocking device to the sensor. Follow these steps to add the blocking device to the sensor known host list:

Step 1: Navigate to Configuration > Sensor Management > SSH > Known Host Keys.

Step 2: Click Add. The Add Known Host Key window opens.


Step 3: Enter the IP address of the managed (blocking) device, and click Retrieve Host Key.

Step 4: The sensor will retrieve the host key of the device. Verify the authenticity of this key by comparing it with a known authentic copy, and click OK to confirm that it is authentic.

Follow these steps to configure the sensor blocking properties:

Step 1: Navigate to Configuration > Sensor Management > Blocking > Blocking Properties to display the Blocking Properties panel.


Step 2: Verify that the Enable Blocking check box is selected. Blocking is enabled by default, so it should be selected.

Step 3: There is an Allow Sensor IP Address to Be Blocked check box as well, which should remain deselected. Selecting this box can allow the sensor to block itself and lose the ability to communicate with the devices it is managing.

Step 4: There is a Maximum Block Entries field that accepts values ranging from 1 to 65,535. The default is 250 and is the recommended number of entries to be blocked. After the sensor reaches its maximum, newer blocks will not occur.

Step 5: Click the Add button to add a host or network to the list of addresses never to be blocked, which will appear under the Never Block Addresses section.

Step 6: Enter the IP address of the host or network in the IP Address field.

Step 7: Choose the network mask that corresponds to the IP address from the Mask drop-down menu.

Step 8: Click OK. The new host or network appears in the Never Block Addresses list on the Blocking Properties panel.

Step 9: Click Apply to apply your changes and save the updated configuration.

In Task 3, you will be specifying the username and password that the sensor will use when logging in to the blocking devices. These are created under a login profile, and one login profile can be used for multiple devices.

An example would be creating a login profile for routers that share the same username and password.

Follow these steps to create a device login profile:

Step 1: Navigate to Configuration > Sensor Management > Blocking > Device Login Profiles. This displays the Device Login Profiles window.

Step 2: Click Add to add a profile, and the Add Device Login Profile window opens.


Step 3: Enter a name for your profile in the Profile Name field.

Step 4: Enter the username that will be used to log in to the blocking device in the Username field.

This step is optional if a username is not required by the blocking device.

Step 5: Enter the password that is used to log in to the blocking device in the New Password field. Enter the same password in the Confirm New Password field.

Step 6: Enter the enable password that is used on the blocking device under the Enable Password section in the New Password field. This is optional if an enable password is not used. If this is entered, it will have to be confirmed by entering the same password in the Confirm New Password field.

Step 7: Click OK and the new device login profile appears in the list in the Device Login Profiles window.

Step 8: Click Apply to apply your changes and save the revised configuration.

In Task 4, you will define the properties of the blocking device by following these steps:

Step 1: Navigate to Configuration > Sensor Management > Blocking > Blocking Devices to display the Blocking Devices panel.

Step 2: Click Add and the Add Blocking Device window opens. You might receive an error message if you have not configured the device login profile.


Step 3: Enter the IP address of the blocking device in the IP Address field.

Step 4: Enter the sensor's Network Address Translation (NAT) address in the Sensor's NAT Address field. This is an optional field and should only be used if there is a NAT device between the management interface of the sensor and the management interface of the blocking device.

Step 5: Choose the device login profile from the Device Login Profile drop-down list. The login profile was created in Task 3 and is a prerequisite to this step.

Step 6: Choose the device type from the Device Type drop-down list. The options in the list are Cisco Router, PIX/ASA, and Cat 6K.

Step 7: Observe the Block and Rate Limit check boxes in the Response Capabilities section. The Block check box is selected, as the response action by the blocking device is to block.

Step 8: From the Communication drop-down list, choose the connection method that will be used for the management access. It is recommended that you use the SSH 3DES method.

Step 9: Click OK.

Step 10: Click Apply to apply your changes and save the updated configuration.

In Task 5, you will configure the properties of the managed interface by following these steps:

Step 1: Navigate to Configuration > Blocking > Router Blocking Device Interfaces. Because a router was selected in Task 3, it only follows that the interfaces will be router interfaces. If the blocking device is not created in Task 3, an error message will be produced when attempting the next step.

Step 2: Click Add and the Add Router Blocking Device Interface window opens.


Step 3: Choose the IP address of the blocking device from the Router Blocking Device drop-down list.

Step 4: Type in the blocking interface name in the Blocking Interface field.

Step 5: Select the direction in which you want to apply the blocking ACL, which can be in or out.

Step 6: Enter the name of the pre-block ACL in the Pre-Block ACL field. This is optional.

Step 7: Enter the name of the post-block ACL in the Post-Block ACL field. This is also an optional field.

Step 8: Click OK and the new interface appears in the Router Blocking Device interface list. If the exact same information already exists, you will receive an error message.

Step 9: Click Apply to apply your changes and save the revised configuration.

Task 6 is the last set of steps when configuring remote blocking. The key here is selecting a signature and modifying it such that the alert response is to block the offending host. Follow these steps to modify the signature so that a block is performed when it triggers:

Step 1: Navigate to Configuration > Policies > Signature Definition > sig0 to reveal the Signature window.

Step 2: From the Sig0 window, select a signature or a group of signatures and click Edit Actions. The Edit Action window opens.


Step 3: Select the Request Block Host, Request Rate Limit, or Request Block Connection action from the Other Actions section.

Step 4: Click OK.

Step 5: Click Apply to apply your changes and save the revised configuration.

Sunday, November 1, 2015

Configuring Websense URL Filtering and Botnet feature in Cisco ASA

I was asked to migrate a customer that's using Websense URL filtering and the Botnet feature to an ASA context. I installed a Botnet license (1-year license) on our ASA firewalls and I'm glad to know this feature works. I believe Cisco is now moving towards a new approach with Advanced Malware Protection (AMP) on their next-gen ASA firewalls (5500-X series) and next-gen IPS (FirePower).


Botnet config:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        168 days
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH18087ABC
Running Permanent Activation Key: 0xc22ecd45 0x78ac555a 0xa9637128 0xfe9838f8 0x0e15edef
Running Timebased Activation Key: 0x9c1876cf 0x49ca6c5e 0xc949bb03 0xdbf386df 0x847c2123
Configuration register is 0x1

ciscoasa/CUST(config)# dynamic-filter ?

configure mode commands/options:
  ambiguous-is-black  Handle (ambiguous) greylist matched traffic as blacklist
                      for Dynamic Filter drop
  blacklist           Configure Dynamic Filter blacklist
  drop                Enable traffic drop based on Dynamic Filter traffic
                      classification
  enable              Enable Dynamic Filter classification
  use-database        Use Dynamic Filter data downloaded from updater-server
  whitelist           Configure Dynamic Filter whitelist

exec mode commands/options:
  database  Dynamic Filter data commands
ciscoasa/CUST(config)# dynamic-filter use-database ?

configure mode commands/options:
  <cr>
ciscoasa/CUST(config)# dynamic-filter use-database

ciscoasa/CUST(config)# access-list DYNAMIC-FILTER-ACL extended permit ip any any

ciscoasa/CUST(config)# dynamic-filter enable ?    

configure mode commands/options:
  classify-list  Set the access-list for classification
  interface      Enable classification on an interface
  <cr>
ciscoasa/CUST(config)# dynamic-filter enable interface ?

configure mode commands/options:
Current available interface(s):
  inside    Name of interface GigabitEthernet0/1
  outside  Name of interface GigabitEthernet0/0
ciscoasa/CUST(config)# dynamic-filter enable interface outside ?

configure mode commands/options:
  classify-list  Set the access-list for classification
  <cr>
ciscoasa/CUST(config)# dynamic-filter enable interface outside classify-list ?                       

configure mode commands/options:
  WORD  Specify the name of an access-list
ciscoasa/CUST(config)# dynamic-filter enable interface outside classify-list DYNAMIC-FILTER-ACL
ciscoasa/CUST(config)# dynamic-filter drop ?

configure mode commands/options:
  blacklist  Drop traffic matching blacklist
ciscoasa/CUST(config)# dynamic-filter drop blacklist ?

configure mode commands/options:
  action-classify-list  Set the access-list for drop
  interface             Enable drop on an interface
  threat-level          Set the threat-level for drop
  <cr>
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface ?

configure mode commands/options:
Current available interface(s):
  inside    Name of interface GigabitEthernet0/1
  outside  Name of interface GigabitEthernet0/0
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside ?

configure mode commands/options:
  action-classify-list  Set the access-list for drop
  threat-level          Set the threat-level for drop
  <cr>
ciscoasa/CUST(config)# $st interface outside threat-level ?                

configure mode commands/options:
  eq     Threat-level equal to operator
  range  Threat-level range operator
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range ?

configure mode commands/options:
  high       high threat
  low        Low threat
  moderate   moderate threat
  very-high  Highest threat
  very-low   lowest threat
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range high ?

configure mode commands/options:
  high       high threat
  low        Low threat
  moderate   moderate threat
  very-high  Highest threat
  very-low   lowest threat
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range high very-high

ciscoasa/CUST(config)# dynamic-filter whitelist
ciscoasa/CUST(config-llist)# ?

Dynamic Filter list configuration
  address  Add IP address to local list
  name     Add domain name to local list
  no       Negate a command
ciscoasa/CUST(config-llist)# address ?

dynamic-filter-list mode commands/options:
  Hostname or A.B.C.D  Add IP address or network to local list
ciscoasa/CUST(config-llist)# address 208.67.220.220 ?

dynamic-filter-list mode commands/options:
  A.B.C.D  The IP netmask to apply to the IP address
ciscoasa/CUST(config-llist)# address 208.67.220.220 255.255.255.255   // OPEN DNS IP

class-map DYNAMIC-FILTER-DNS-CMAP
 match port udp eq domain

policy-map DYNAMIC-FILTER-DNS-PMAP
 class DYNAMIC-FILTER-DNS-CMAP    // REFERENCES THE CLASS-MAP DEFINED ABOVE
  inspect dns dynamic-filter-snoop    // dynamic-filter-snoop IS A DNS INSPECTION POLICY-MAP (type inspect dns)

ciscoasa/CUST(config)# service-policy ?

configure mode commands/options:
Available policy-maps:
  global_policy
  DYNAMIC-FILTER-DNS-PMAP
ciscoasa/CUST(config)# service-policy DYNAMIC-FILTER-DNS-PMAP interface outside


Here are some useful show commands to verify the Botnet Traffic Filter feature:

ciscoasa/CUST# show dynamic-filter data      
Dynamic Filter is using downloaded database version '1446144909'   // UPDATE FROM CISCO SIO
Fetched at 15:17:36 UTC Oct 29 2015, size: 2097145
Sample contents from downloaded database:
  loubouscoc.narod.ru  alkhair.org  mfqr.cn.com  azpros.com
  tubez11.cu.cc  72.66.16.146  monitor4eg.ru  wildroute.biz
Sample meta data from downloaded database:
  threat-level: very-high,      category: Malware,
  description: "These are sources that use various exploits to deliver adware, spyware and other malware to victim computers.  Some of these are associated with rogue online vendors and distributors of dialers which deceptively call premium-rate phone numbers."
  threat-level: high,   category: Bot and Threat Networks,
  description: "These are rogue systems that control infected computers.  They are either systems hosted on threat networks or systems that are part of the botnet itself."
  threat-level: moderate,       category: Malware,
  description: "These are sources that deliver deceptive or malicious anti-spyware, anti-malware, registry cleaning, and system cleaning software."
  threat-level: low,    category: Ads,
  description: "These are advertising networks that deliver banner ads, interstitials, rich media ads, pop-ups, and pop-unders for websites, spyware and adware.  Some of these networks send ad-oriented HTML emails and email verification services."
Total entries in Dynamic Filter database:
  Dynamic data: 79504 domain names , 2942 IPv4 addresses
  Local data: 0 domain names , 2 IPv4 addresses
Active rules in Dynamic Filter asp table:
  Dynamic data: 0 domain names , 2942 IPv4 addresses
  Local data: 0 domain names , 2 IPv4 addresses

ciscoasa/CUST# show dynamic-filter reports infected-hosts all
Total 149 infected-hosts in buffer
Host (interface)                        Latest malicious conn time, filter action  Conn logged, dropped
=======================================================================================================
172.27.199.123 (inside)         13:52:06 UTC Oct 29 2015, dropped                14109  14109
Malware-sites connected to (not ordered)
Site                                            Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
-------------------------------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com)                  80, 13:52:06 UTC Oct 29 2015, dropped             6      6   very-high  Malware
54.149.242.159 (neutral-sky.info)                80, 13:21:05 UTC Oct 29 2015, dropped             9      9   very-high  Malware
54.213.23.40 (neutral-sky.info)                  80, 13:20:23 UTC Oct 29 2015, dropped             9      9   very-high  Malware
54.213.128.72 (neutral-sky.info)                 80, 13:21:26 UTC Oct 29 2015, dropped             6      6   very-high  Malware
52.25.206.149 (neutral-sky.info)                 80, 13:20:44 UTC Oct 29 2015, dropped             6      6   very-high  Malware
=======================================================================================================
172.27.181.179 (inside)         11:23:38 UTC Oct 29 2015, dropped                  229    229

Last clearing of the infected-hosts report: Never


ciscoasa/CUST# show dynamic-filter reports top infected-hosts
Infected Hosts (since last clear)
Host                                            Connections Logged
----------------------------------------------------------------------
172.27.199.121 (inside)                      49660
172.27.199.123 (inside)                      14109

Last clearing of the top infected-hosts report: Never


ciscoasa/CUST# show dynamic-filter reports top malware-ports
Malware Ports (since last clear)
Port                                            Connections Logged
----------------------------------------------------------------------
tcp 80                                           78693
tcp 443                                            273
udp >8192                                           37
udp 4682                                             1

Last clearing of the top ports report: Never


ciscoasa/CUST# show dynamic-filter reports top malware-sites
Malware Sites (since last clear)
Site                            Connections Logged Dropped Threat-level Category
---------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com)            13649    13649    very-high  Malware
173.193.251.201 (x.rafomedia.com)          12643    12643    very-high  Malware
94.75.230.226 (a.adquantix.com)             9338     9338    very-high  Malware
94.75.230.225 (a.adquantix.com)             8519     8519    very-high  Malware
211.100.56.174 (analytics3.dopool.com)      3627     3627    very-high  Malware
104.28.9.72 (zigad.winnerical.org)           906      906    very-high  Malware
104.28.8.72 (zigad.winnerical.org)           906      906    very-high  Malware
52.74.115.82 (in1.apusapps.com)              831      831    very-high  Malware
54.255.128.61 (in1.apusapps.com)             828      828    very-high  Malware
212.113.89.75 (abs.proxistore.com)           636      636    very-high  Malware

Last clearing of the top sites report: Never
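The infected-hosts report above is plain text that a monitoring pipeline has to parse before it can raise a ticket. The following Python is an added example, not code from the original post: it parses that report layout into records and flags hosts that contacted a site at or above a chosen threat level, or whose connections were logged but not dropped (with the drop range set to high and very-high above, a moderate or lower match is only logged). The sample report is constructed in the same layout with documentation-range addresses and made-up site names; the "logged" filter action in it is an assumption, since the session above only shows "dropped".

```python
"""Parse 'show dynamic-filter reports infected-hosts all' into records.
Added example, not code from the original post. SAMPLE_REPORT is constructed
in the layout of the report above (documentation-range addresses, made-up names).
"""
import re
from dataclasses import dataclass, field

# Threat levels as the 'threat-level range' help above lists them, low to high.
THREAT_RANK = {"very-low": 0, "low": 1, "moderate": 2, "high": 3, "very-high": 4}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TIME = r"\d\d:\d\d:\d\d \S+ \w{3} \d{1,2} \d{4}"  # e.g. 13:52:06 UTC Oct 29 2015
TOTAL_RE = re.compile(r"^Total (?P<n>\d+) infected-hosts in buffer")
# Host row: "<ip> (<iface>)   <time>, <action>   <logged>  <dropped>"
HOST_RE = re.compile(
    r"^(?P<ip>" + IPV4 + r") \((?P<iface>[^)]+)\)\s+(?P<time>" + TIME
    + r"), (?P<action>\w+)\s+(?P<logged>\d+)\s+(?P<dropped>\d+)\s*$")
# Site row: "<ip> (<name>)   <port>, <time>, <action>   <logged> <dropped> <level> <category>"
SITE_RE = re.compile(
    r"^(?P<ip>" + IPV4 + r") \((?P<name>[^)]+)\)\s+(?P<port>\d+), (?P<time>" + TIME
    + r"), (?P<action>\w+)\s+(?P<logged>\d+)\s+(?P<dropped>\d+)\s+"
    + r"(?P<level>[\w-]+)\s+(?P<category>.+?)\s*$")

@dataclass
class Site:
    ip: str
    name: str
    port: int
    action: str
    logged: int
    dropped: int
    level: str
    category: str

@dataclass
class InfectedHost:
    ip: str
    interface: str
    action: str
    logged: int
    dropped: int
    sites: list = field(default_factory=list)

    def worst_level(self):
        """Highest threat level among the sites this host contacted (None if none listed)."""
        if not self.sites:
            return None
        return max((s.level for s in self.sites), key=lambda lv: THREAT_RANK.get(lv, -1))

def parse_infected_hosts(text):
    """Return (hosts_in_buffer, [InfectedHost, ...]); header and rule lines are skipped."""
    total, hosts = 0, []
    for line in text.splitlines():
        if m := TOTAL_RE.match(line):
            total = int(m["n"])
        elif m := HOST_RE.match(line):
            hosts.append(InfectedHost(m["ip"], m["iface"], m["action"],
                                      int(m["logged"]), int(m["dropped"])))
        elif (m := SITE_RE.match(line)) and hosts:
            hosts[-1].sites.append(Site(m["ip"], m["name"], int(m["port"]), m["action"],
                                        int(m["logged"]), int(m["dropped"]),
                                        m["level"], m["category"]))
    return total, hosts

def hosts_to_escalate(hosts, min_level="high"):
    """Hosts worth an incident ticket: a contacted site at or above min_level, or
    connections logged but not dropped (the filter saw them and let them through)."""
    out = []
    for h in hosts:
        lv = h.worst_level()
        severe = lv is not None and THREAT_RANK[lv] >= THREAT_RANK[min_level]
        if severe or h.logged > h.dropped:
            out.append(h.ip)
    return out

# Constructed sample in the layout of the report above (not real firewall data).
SAMPLE_REPORT = """\
Total 3 infected-hosts in buffer
Host (interface)                        Latest malicious conn time, filter action  Conn logged, dropped
=======================================================================================================
192.0.2.10 (inside)             13:52:06 UTC Oct 29 2015, dropped                   12     12
Malware-sites connected to (not ordered)
Site                                            Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
-------------------------------------------------------------------------------------------------------
198.51.100.7 (c2.example.net)                    80, 13:52:06 UTC Oct 29 2015, dropped             6      6   very-high  Malware
198.51.100.9 (relay.example.org)                443, 13:40:00 UTC Oct 29 2015, dropped             6      6   high       Bot and Threat Networks
=======================================================================================================
192.0.2.11 (inside)             11:23:38 UTC Oct 29 2015, logged                     5      0
-------------------------------------------------------------------------------------------------------
203.0.113.4 (tracker.example.com)                80, 11:23:38 UTC Oct 29 2015, logged              5      0   moderate   Malware
=======================================================================================================
192.0.2.12 (inside)             10:05:12 UTC Oct 29 2015, dropped                    3      3
-------------------------------------------------------------------------------------------------------
203.0.113.8 (cleaner.example.com)                80, 10:05:12 UTC Oct 29 2015, dropped             3      3   moderate   Malware

Last clearing of the infected-hosts report: Never
"""
```

On the sample, `hosts_to_escalate` returns the first two hosts: the first because it reached a very-high site, the second because its five connections were logged but not dropped; the third host only reached a moderate site and every connection was dropped, so it is left to the report.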


Websense URL filtering config:

ciscoasa/CUST(config)# url-server ?

configure mode commands/options:
  (  Open parenthesis for the network interface where the URL filtering server
     resides
ciscoasa/CUST(config)# url-server (inside) ?

configure mode commands/options:
  host    Configure the IP address of the URL filtering server after this
          keyword
  vendor  The URL server vendor, default is Websense
ciscoasa/CUST(config)# url-server (inside) vendor ?

configure mode commands/options:
  smartfilter  Secure Computing SmartFilter (N2H2) URL server
  websense     Websense URL server
ciscoasa/CUST(config)# url-server (inside) vendor websense ?

configure mode commands/options:
  host  Configure the IP address of the URL filtering server after this keyword
ciscoasa/CUST(config)# url-server (inside) vendor websense host ?

configure mode commands/options:
  Hostname or A.B.C.D  IP address of the URL filtering server
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 ?

configure mode commands/options:
  protocol  Protocol to be used for communicating to the URL server, TCP
            protocol will be used by default
  timeout   The maximum idle time permitted before the system switches to the
            next server specified, default is 30 seconds
  version   Optional version number for the Websense server, the version can be
            1 or 4, default is 1. UDP protocol is available only in version 4
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol ?               

configure mode commands/options:
  tcp  TCP to be used as transport protocol
  udp  UDP to be used as transport protocol
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp ?

configure mode commands/options:
  connections  Optional simultaneous TCP connection count
  version      Optional version number for the Websense server, the version can
               be 1 or 4, default is 1. UDP protocol is available only in
               version 4
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version ?

configure mode commands/options:
  1  Websense version 1
  4  Websense version 4
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 ?

configure mode commands/options:
  connections  Optional simultaneous TCP connection count
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 connections ?               

configure mode commands/options:
  <1-100>  Specify number of TCP connections to this URL server, default is 5
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 connections 10
ciscoasa/CUST(config)# url-block ?

configure mode commands/options:
  block        Configure number of blocks that will be buffered
  url-mempool  Configure memory resource to be allocated for long URL buffer
  url-size     Configure maximum allowed URL size
ciscoasa/CUST(config)# url-block url-mempool ?

configure mode commands/options:
  <2-10240>  Memory resource allocated for long URL buffer in KB
ciscoasa/CUST(config)# url-block url-mempool 512
ciscoasa/CUST(config)# url-block url-size ? 

configure mode commands/options:
  <2-4>  Maximum allowed URL size in KB
ciscoasa/CUST(config)# url-block url-size  4
ciscoasa/CUST(config)# url-block block ?

configure mode commands/options:
  <1-16>  Number of blocks that will be buffered
ciscoasa/CUST(config)# url-block block 16

ciscoasa/CUST(config)# filter ?

configure mode commands/options:
  activex  ActiveX filtering
  ftp      FTP filtering
  https    HTTPS filtering
  java     Java filtering
  url      HTTP filtering
ciscoasa/CUST(config)# filter https ?

configure mode commands/options:
  except             Create an exception to previously specified set of IP
Enter the port or port range <start>[-<end>]
  aol               
  bgp               
  biff              
  bootpc            
  bootps            
  chargen           
  cifs              
  citrix-ica        
  cmd               
  ctiqbe            
  daytime           
  discard           
  dnsix             
  domain            
  echo              
  exec              
  finger            
  ftp               
  ftp-data          
  gopher            
  h323              
ciscoasa/CUST(config)# filter https 443 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of local/internal host which is source for
                       connections requiring filtering
ciscoasa/CUST(config)# filter https 443 172.24.0.0 ?

configure mode commands/options:
  A.B.C.D  Network mask to be applied to local IP address
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of foreign/external host which is
                       destination for connections requiring filtering
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 ?

configure mode commands/options:
  A.B.C.D  Network mask to be applied to foreign IP address
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 ?

configure mode commands/options:
  allow  When url-server is down, allow outbound <service> traffic
  <cr>
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow

ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter url http 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter ftp 21 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow
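The filter statements above decide which outbound flows are handed to the url-server, and the allow keyword (per the help text above) decides what happens to a matching flow while the url-server is down. The Python below is an added example, not the ASA's implementation or code from the post: it parses the twelve statements as entered and evaluates a flow against them. Two things in it are assumptions rather than page facts: statements are evaluated top-down with the first match winning, and a statement without allow blocks its traffic while the url-server is unreachable. The single extra statement in HARDENED_RULES is constructed to show that difference.

```python
"""Model of the ASA 'filter {url|https|ftp}' statements above.
Added example, not code from the original post. Assumed (not on the page):
first-match evaluation, and fail-closed behaviour for statements without 'allow'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

PORT_KEYWORDS = {"http": 80, "https": 443, "ftp": 21}   # port names the CLI accepts

@dataclass(frozen=True)
class FilterRule:
    service: str                     # url | https | ftp
    port: int                        # destination port the statement covers
    local: ipaddress.IPv4Network     # local_ip local_mask   (inside clients)
    foreign: ipaddress.IPv4Network   # foreign_ip foreign_mask (outside servers)
    allow: bool                      # 'allow' present: pass traffic if url-server is down
    options: Tuple[str, ...]         # e.g. longurl-truncate, cgi-truncate

def parse_filter_line(line):
    """Parse 'filter <svc> <port> <lip> <lmask> <fip> <fmask> [allow] [opts...]',
    with or without the leading 'ciscoasa/CUST(config)#' prompt."""
    tok = line.split()
    tok = tok[tok.index("filter") + 1:]
    service, port = tok[0], tok[1]
    port = PORT_KEYWORDS.get(port) or int(port)
    local = ipaddress.IPv4Network((tok[2], tok[3]), strict=False)
    foreign = ipaddress.IPv4Network((tok[4], tok[5]), strict=False)
    opts = tuple(tok[6:])
    return FilterRule(service, port, local, foreign, "allow" in opts,
                      tuple(o for o in opts if o != "allow"))

def first_match(rules, service, src, dst, dport):
    """First statement (top-down, an assumption) covering this flow, or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.service == service and r.port == dport
                and src_ip in r.local and dst_ip in r.foreign):
            return r
    return None

def decision(rules, service, src, dst, dport, url_server_up):
    """'not-filtered': no statement matches, the flow passes without a lookup.
    'lookup': matched and the url-server is up, so Websense gives the verdict.
    'allow' / 'deny': matched while the url-server is down; 'allow' statements
    fail open, all others fail closed (assumption, see lead-in)."""
    r = first_match(rules, service, src, dst, dport)
    if r is None:
        return "not-filtered"
    if url_server_up:
        return "lookup"
    return "allow" if r.allow else "deny"

# The twelve statements from the session above, in the order they were entered.
PAGE_RULES = [parse_filter_line(l) for l in """
filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url http 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
filter url http 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
filter ftp 21 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter https 443 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url http 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
filter ftp 21 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter https 443 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
filter ftp 21 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow
""".strip().splitlines()]

# Constructed variant (not on the page): one fail-closed statement placed first,
# so HTTPS from 10.48.41.0/24 is blocked rather than passed during an outage.
HARDENED_RULES = [parse_filter_line(
    "filter https 443 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0")] + PAGE_RULES
```

Every one of the twelve statements as entered carries allow, so each filtered subnet passes unfiltered whenever the url-server is down; the Requests dropped and Server timeouts/retries counters in show url-server statistics below are where that outage would show up. Ordering also matters under first-match: the 10.48.41.0/24 statements are matched before the broader 10.0.0.0/8 ones, which is why the constructed fail-closed statement has to sit ahead of them to take effect.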

ciscoasa/CUST# ping 10.160.6.77
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.160.6.77, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/128/130 ms

ciscoasa/CUST# ping 10.15.16.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.16.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 320/326/330 ms


Here are some useful show commands for Websense redirection:

ciscoasa/CUST# show run url-server
url-server (inside) vendor websense host 10.15.16.45 timeout 30 protocol TCP version 1 connections 10
url-server (inside) vendor websense host 10.160.6.77 timeout 30 protocol TCP version 4 connections 10
url-server (inside) vendor websense host 10.13.16.45 timeout 30 protocol TCP version 4 connections 10

ciscoasa/CUST# show url-server statistics

Global Statistics:
--------------------
URLs total/allowed/denied         137923/135998/1925
URLs allowed by cache/server      0/135998
URLs denied by cache/server       0/1925
HTTPSs total/allowed/denied       76109/55125/20984
HTTPSs allowed by cache/server    0/55125
HTTPSs denied by cache/server     0/20984
FTPs total/allowed/denied         0/0/0
FTPs allowed by cache/server      0/0
FTPs denied by cache/server       0/0
Requests dropped                  64884
Server timeouts/retries           6/80
Processed rate average 60s/300s   0/0 requests/second
Denied rate average 60s/300s      0/0 requests/second
Dropped rate average 60s/300s     0/0 requests/second

Server Statistics:
--------------------
10.160.6.77                       UP
  Vendor                          websense

  Port                            15868
  Requests total/allowed/denied   214036/191121/22909
  Server timeouts/retries         6/80
  Responses received              214030
  Response time average 60s/300s  0/0
10.15.16.45                       UP
  Vendor                          websense

  Port                            15868
  Requests total/allowed/denied   0/0/0
  Server timeouts/retries         0/0
  Responses received              0
  Response time average 60s/300s  0/0

URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          194372  191704
LOOKUP_REQUEST          217845  217759
LOG_REQUEST             0       NA

Errors:
-------
RFC noncompliant GET method     0
URL buffer update failure       0

ciscoasa/CUST# show url-block block statistics

URL Pending Packet Buffer Stats with max block  16
-----------------------------------------------------
Cumulative number of packets held:              2091333
Maximum number of packets held (per URL):       8
Current number of packets held (global):                0
Packets dropped due to
       exceeding url-block buffer limit:        510456
       HTTP server retransmission:              39723
Number of packets released back to client:      2072781

Saturday, October 24, 2015

Configuring Basic Cisco IPS Signature Properties

The signatures in the Cisco IPS Sensor can be accessed through the Cisco IDM by choosing Configuration > Policies > Signature Definitions > sig0 and then clicking All Signatures to access the Signature Configuration panel. The All Signatures view is only visible when sig0 is expanded. By default, the Signature Configuration panel displays signatures listed by signature ID number. The All Signatures database view displays all signatures available in the sensor signature set; when a signature set is clicked, the list of signatures grouped under it is displayed in the view pane.

The signature sets are as follows:

* Active Signatures: Displays all non-retired signatures

* Adware/Spyware: Displays signatures that are designed to address adware and spyware issues

* Attack: Displays attack-based signatures that are grouped by attack types

* Configurations: Displays configuration-based signatures that mitigate attacks typically caused by misconfiguration

* DDoS: Displays distributed denial of service (DDoS) signatures

* DoS: Displays denial of service signatures

* Email: Displays email signatures by protocol, such as Internet Message Access Protocol (IMAP) or Simple Mail Transfer Protocol (SMTP)

* IOS IPS: Displays signatures in the IOS IPS

* Instant Messaging: Displays instant messaging (IM) signatures grouped by IM application

* L2/L3/L4 Protocol: Displays signatures grouped by network protocol type, including Address Resolution Protocol (ARP), IP fragment, IP version 6 (IPv6), and others

* Network Services: Displays signatures that are based on network service protocols, such as DHCP

* OS: Displays signatures grouped by operating system type

* Other Services: Displays signatures based on application layer services, such as FTP, HTTP, and others

* P2P: Displays signatures based on different peer-to-peer file-sharing applications

* Reconnaissance: Displays signatures based on discovery protocols, such as Internet Control Message Protocol (ICMP) sweeps

* Releases: Enables you to view signatures grouped by signature update releases

* Telepresence: Enables you to display Telepresence-based signatures

* UC Protection: Displays Cisco Unified Communications-based signatures

* Viruses/Worms/Trojans: Displays signatures based on malware that is defined as these three types

* Web Server: Enables you to display signatures based on web servers

* All Signatures: Displays all defined signatures


Enabling and Disabling Signatures

Enabling a signature makes the signature inspect traffic; when it is disabled, it does not inspect traffic. The following steps walk you through enabling a signature:

Step 1: Click Configuration and choose Policies > Signature Definitions > Sig0 > Active Signatures. The Signature Configuration panel is displayed.

Step 2: Locate the signature that you want to enable.

Step 3: A signature that is already enabled has a check mark in the check box. If the signature is disabled, the check box is empty.

Step 4: If the signature is currently disabled, select the signature by clicking it.

Step 5: Click Apply to apply your changes and save the updated configuration. To disable a signature that is currently enabled, deselect the check box in the Enabled column.

Tip: To enable multiple signatures at the same time, hold down the Ctrl or Shift key and click the signatures that you would like to enable; then right-click one of the selected signatures and click Enable.


Retiring and Activating Signatures

Signatures that are not being used or are no longer applicable to the network resources being protected should be retired to improve sensor performance. Retiring a signature removes it from the set of currently available signatures, which are part of the signature database. After the signature is retired, it is removed from memory but stored in flash. For a signature to function, it must be both activated and enabled.

You can activate signatures you have previously retired. When this is done, the sensor rebuilds its configuration and the signature is once again added to the set of currently active signatures. Follow these steps to retire or activate a signature:

Step 1: Click Configuration and choose Policies > Signature Definitions > Sig0 > All Signatures. The Signature Configuration panel is displayed.

Step 2: Select a signature that you want to retire or activate, and click Edit on the toolbar. The Edit Signature window opens.

Step 3: Scroll down to the Status section and click the Retired field.

Step 4: Select Yes or No from the drop-down list.

Alternatively, you can retire or activate a signature from the Signature Configuration panel by following these steps:

Step 1: Select a signature that you want to retire or activate.

Step 2: Right-click the signature.

Step 3: Choose Change Status To, and then choose Active or Retired.

Note: Retiring or activating signatures can take 30 minutes or longer.


Saturday, October 17, 2015

Cisco IPS Manager Express (IME) 7.0

The Cisco IPS Manager Express (IME) is a web-based Java Web Start application that enables you to configure, manage, and monitor the Cisco IPS sensor. Both Microsoft Internet Explorer and Mozilla Firefox web browsers are supported.

The Home pane contains various knobs and widgets that help the administrator quickly determine the health of the sensor and get an overview of current network activity. The following gadgets are presented on the Home pane by default:

* Licensing

* Sensor Information

* Interface Status

* Sensor Health

* CPU, Memory, and Load

The Home pane can be customized by adding, removing, and renaming gadgets and dashboards. The available sensor gadgets can be displayed by clicking the Add Gadgets button.


You can modify the Cisco IPS sensor settings by opening the Cisco IDM Configuration pane, which is done by clicking the Configuration button on the Cisco IDM toolbar. The majority of the Cisco IPS sensor features can be configured from here. There are four main configuration items in the Configuration pane of the Cisco IDM:

* Sensor Management: Configure various sensor device management functions.

* Sensor Setup: Reconfigure basic sensor settings.

* Interfaces: Configure individual sensing interfaces, as well as configure them in a particular operational mode.

* Policies: Configure and tune Cisco IPS security policies to achieve optimal traffic analysis and response functionality.


The Cisco IDM supports the monitoring of the Cisco IPS sensor events. Click the Monitoring button to display the Cisco IPS sensor events, health, and performance indicators, and traffic and operational statistics.


Sunday, October 11, 2015

Cisco IPS 4240 version 7 in GNS3

I've been searching and trying to emulate IDS/IPS using the new GNS3 version 1.3.9 (need to register) for quite some time. There are a lot of tutorials and qemu files scattered all over the Internet for the Cisco 4235 (IDS only) using version 6 but not for the Cisco IPS 4240 version 7. The qemu files and links for Cisco IPS version 7 are already unavailable and the only way I was able to emulate it was using an ova file running in VMware Workstation 10. I've used Java 6 update 7 and disabled TLS 1.1 and 1.2 in IE11 for IDM (HTTPS) to work.

sensor# configure terminal
sensor(config)# service ?
aaa                            Enter configuration mode for AAA options.
analysis-engine                Enter configuration mode for global analysis engine
                               options.
anomaly-detection              Enter configuration mode for anomaly-detection.
authentication                 Enter configuration mode for user authentication options.
event-action-rules             Enter configuration mode for the event action rules.
external-product-interface     Enter configuration mode for the interfaces to external
                               products.
global-correlation             Enter configuration mode for global correlation
                               configuration.
health-monitor                 Enter configuration mode for health and security
                               monitoring.
host                           Enter configuration mode for host configuration.
interface                      Enter configuration mode for interface configuration.
logger                         Enter configuration mode for debug logger.
network-access                 Enter configuration mode for the network access controller.
notification                   Enter configuration mode for the notification application.
signature-definition           Enter configuration mode for the signature definition.
ssh-known-hosts                Enter configuration mode for configuring SSH known hosts.
trusted-certificates           Enter configuration mode for configuring trusted
                               certificates.
web-server                     Enter configuration mode for the web server application.
sensor(config)# service host
sensor(config-hos)# ?
auto-upgrade           Configure Auto Upgrade Settings.
crypto                 Configure cryptographic settings.
default                Set the value back to the system default setting.
exit                   Exit service configuration mode.
network-settings       Configure network settings.
ntp-option             Select whether to synchronize the sensor's clock to an NTP time
                       server.
password-recovery      Option to allow password recovery.
show                   Display system settings and/or history information.
summertime-option      Select whether summertime (Daylight Savings Time) begins and ends
                       at the same time every year (recurring), or just this year
                       (non-recurring), or summertime is disabled.
time-zone-settings     Configure time zone settings.
sensor(config-hos)# network-settings
sensor(config-hos-net)# ?
access-list              List of trusted hosts and/or networks.
default                  Set the value back to the system default setting.
dns-primary-server       Optional primary DNS server. Currently DNS is only used by the
                         collaboration service.
dns-secondary-server     Optional secondary DNS server. Currently DNS is only used by the
                         collaboration service.
dns-tertiary-server      Optional tertiary DNS server. Currently DNS is only used by the
                         collaboration service.
exit                     Exit network-settings configuration submode
ftp-timeout              The FTP client timeout (in seconds) used when communicating with
                         an FTP server.
host-ip                  The IP address/netmask, and default gateway used on the command
                         and control interface.
host-name                Network host name assigned to the sensor.
http-proxy               Optional HTTP/HTTPS proxy server.  Currently the proxy is only
                         used by the collaboration service.
login-banner-text        Banner to be displayed at login.
no                       Remove an entry or selection setting.
show                     Display system settings and/or history information.
telnet-option            Option to enable or disable the telnet server on the sensor.
sensor(config-hos-net)# host-ip ?
<A.B.C.D/nn,E.F.G.H>     The IP address/netmask, and default gateway used on the command
                         and control interface.
sensor(config-hos-net)# host-ip 10.1.1.1/24,10.1.1.2
sensor(config-hos-net)# access-list ?
<A.B.C.D>/nn     Network address of a trusted host or network.  To represent a single host
                 address, use /32 for the network mask.
sensor(config-hos-net)# access-list 10.1.1.0/24
sensor(config-hos-net)# telnet-option ?
enabled      Enable the telnet server on the sensor.
disabled     Disable the telnet server on the sensor.
sensor(config-hos-net)# telnet-option enabled
sensor(config-hos-net)# exit
sensor(config-hos)# exit
sensor(config)# username ?
<username>     Username to add to the system.
sensor(config)# username admin ?
<cr>
password      Enter user password.
privilege     User privilege level for local sensor.
sensor(config)# username admin privilege ?
administrator     Allows full system privileges.
operator          May modify most configuration.
service           Logs directly into a system shell.
viewer            No modification allowed view only.
sensor(config)# username admin privilege administrator ?
<cr>
password     Enter user password.
sensor(config)# username admin privilege administrator password cisco4240!