Sunday, April 15, 2012

CCIE Security vLab: IPS
After getting ASA 8.4 emulation working, the next step is Cisco IPS 6 under QEMU. This guide shows the steps required to emulate the Cisco IPS 4235 sensor successfully with IPS 6.0. The IPS will be configured for interface pairing or inline VLAN pairing, with a dedicated management interface.

The procedure starts by creating the two disk images the IPS will use (the names must match the ones used in the start commands below):
cd /usr/ccie/base
/usr/local/bin/qemu-img create ips-disk1.img 512M
/usr/local/bin/qemu-img create ips-disk2.img 4000M

These commands create the IPS disk images: the first holds the OS, the second the IPS data.

The IPS can be started and installed with the following command (the second disk goes on -hdb):
/usr/local/bin/qemu -hda ips-disk1.img -hdb ips-disk2.img -m 1024 -cdrom IPS-K9-cd-1.1-a-6.0-6-E1.iso -boot d -vnc 0.0.0.0:0

The console is available over VNC at the CentOS host's IP on port 5900. QEMU will boot from the ISO; press 'k' to start the image recovery (re-imaging) process. Once re-imaging is done, QEMU reboots the virtual machine. Close the QEMU process, since it now needs to be started with different parameters.

Start the IPS with the following parameters (no CD-ROM this time):
/usr/local/bin/qemu -hda ips-disk1.img -hdb ips-disk2.img -m 1024

Once QEMU boots and stops at the GRUB menu, press 'e' to edit the first boot entry. In the entry, select the second line (the one starting with kernel) and press 'e' again.

Change the parameter init=/loadrc to init=1, then press 'b' to boot.
The IPS system boots into runlevel 1 and stops at the console. Press ENTER to activate the console.

Enter the following commands in the console (the copy keeps an untouched backup of ids_functions before you edit it):
/loadrc
cd /etc/init.d
./rc.init
cp ids_functions ids_functions.orig
vi ids_functions

In ids_functions, search for "845" (type /845 in vi to jump to the section containing that string); it looks like this:

elif [[ `isCPU 845` -eq $TRUE && $NUM_OF_PROCS -eq 1 ]]; then
    MODEL=$IDS4215
    HTLBLOW=8
    MEM_PAGES=${HTLBLOW}
    DEFAULT_MGT_OS="fe0_0"
    DEFAULT_MGT_CIDS="FastEthernet0/0"
 
Replace the above section with this (the condition is always true, so the sensor identifies itself as an IDS-4235 regardless of the CPU QEMU emulates):
 
elif [[ 1 -eq 1 ]]; then
    MODEL=$IDS4235
    HTLBLOW=32
    MEM_PAGES=${HTLBLOW}
    DEFAULT_MGT_OS="ma0_0"
    DEFAULT_MGT_CIDS="Management0/0"
 
Save the file and exit by pressing ESC and then typing :wq!
 
Now map the emulated NICs to the IPS interfaces using the following procedure (again keeping a backup of the original file):
 
cd /usr/cids/idsRoot/etc
cp interface.conf interface.conf.orig
vi interface.conf
 
Search for the 4250 section (/4250 in vi), delete whatever is there, and replace it with the following:
 
[models/IDS-4250/interfaces/1]
name-template=Management0/0
port-number=0
pci-path=3.0
vendor-id=0x8086
device-id=0x100e
type=ge
mgmt-capable=yes
net-dev-only=yes
tcp-reset-capable=yes

[models/IDS-4250/interfaces/2]
name-template=GigabitEthernet0/0
port-number=1
pci-path=4.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes

[models/IDS-4250/interfaces/3]
name-template=GigabitEthernet0/1
port-number=2
pci-path=5.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes

[models/IDS-4250/interfaces/4]
name-template=GigabitEthernet0/2
port-number=3
pci-path=6.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes

[models/IDS-4250/interfaces/5]
name-template=GigabitEthernet0/3
port-number=4
pci-path=7.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes
 
Save the changes in vi and quit. The next step is to reboot with the 'reboot' command.
You should now have a fully working Cisco IPS; don't worry about the hardware error and unsupported hardware messages.
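A small sanity check for the interface.conf sections above, worth running before the reboot: it parses the [models/IDS-4250/interfaces/N] sections and reports a missing or duplicated management port, duplicate pci-path or port-number values, and interfaces that are neither management- nor sensing-capable. This is an added example, not code from the post or from Cisco; the embedded sample is constructed and deliberately contains a pci-path clash.

```python
import configparser
import io

# Constructed sample, not the post's file: two of the interface.conf sections shown
# above, with a deliberate pci-path clash on the second one so the check has something to report.
SAMPLE_CONF = """\
[models/IDS-4250/interfaces/1]
name-template=Management0/0
port-number=0
pci-path=3.0
type=ge
mgmt-capable=yes

[models/IDS-4250/interfaces/2]
name-template=GigabitEthernet0/0
port-number=1
pci-path=3.0
type=ge
sensing-capable=yes
"""

def check_interfaces(text, model="IDS-4250"):
    """Return the problems found in an interface.conf text; an empty list means it looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    prefix = f"models/{model}/interfaces/"
    ifaces = [cp[s] for s in cp.sections() if s.startswith(prefix)]
    problems = []
    # The sensor needs exactly one management-capable port (Management0/0 in the post).
    mgmt = [i.get("name-template") for i in ifaces if i.get("mgmt-capable") == "yes"]
    if len(mgmt) != 1:
        problems.append(f"expected exactly one mgmt-capable interface, found {len(mgmt)}")
    seen = {"pci-path": {}, "port-number": {}}  # value -> first interface using it
    for i in ifaces:
        name = i.get("name-template", "?")
        for key in seen:
            val = i.get(key)
            if val is None:
                problems.append(f"{name}: missing {key}")
            elif val in seen[key]:
                problems.append(f"{name}: {key} {val} already used by {seen[key][val]}")
            else:
                seen[key][val] = name
        if i.get("mgmt-capable") != "yes" and i.get("sensing-capable") != "yes":
            problems.append(f"{name}: neither mgmt-capable nor sensing-capable")
    return problems

if __name__ == "__main__":
    for p in check_interfaces(SAMPLE_CONF):
        print("PROBLEM:", p)
```

To check the real file on the sensor, read /usr/cids/idsRoot/etc/interface.conf into a string and pass it to check_interfaces().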

Once the device has fully loaded, it prompts for a username and password:
Username: cisco
Password: cisco

It will immediately prompt you to change the password to a secure one. Next, create an IPS startup script; the SMBIOS values it passes are what remove the UNSUPPORTED HARDWARE ERROR messages:

[root@centos ccie]# more START-IPS
qemu -m 1024 -hda IDS-4235/ips-disk1.img -hdb IDS-4235/ips-disk2.img \
-smbios "type=0,vendor=Phoenix Technologies Ltd.,version=1.10,date=09/30/2002,release=A04" \
-smbios "type=1,product=IDS-4235,manufacturer=Cisco Systems,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IDS-4235/4250" \
-net nic,vlan=9,model=e1000,macaddr=00:aa:00:00:01:09 \
-net udp,vlan=9,sport=30009,dport=20009,daddr=127.0.0.1 \
-net nic,vlan=10,model=e1000,macaddr=00:aa:00:00:01:10 \
-net udp,vlan=10,sport=30010,dport=20010,daddr=127.0.0.1 \
-net nic,vlan=11,model=e1000,macaddr=00:aa:00:00:01:11 \
-net udp,vlan=11,sport=30011,dport=20011,daddr=127.0.0.1 \
-net nic,vlan=12,model=e1000,macaddr=00:aa:00:00:01:12 \
-net udp,vlan=12,sport=30012,dport=20012,daddr=127.0.0.1 \
-net nic,vlan=13,model=e1000,macaddr=00:aa:00:00:01:13 \
-net udp,vlan=13,sport=30013,dport=20013,daddr=127.0.0.1 \
-vnc 0.0.0.0:0

The above script starts the Cisco IPS with the following parameters:
Memory: 1024 MB
Hard drive 1: ips-disk1.img
Hard drive 2: ips-disk2.img
SMBIOS: Phoenix Technologies, release A04; product IDS-4235, manufacturer Cisco Systems
NIC 1: VLAN 9, redirected to UDP port 20009
NIC 2: VLAN 10, redirected to UDP port 20010
NIC 3: VLAN 11, redirected to UDP port 20011
NIC 4: VLAN 12, redirected to UDP port 20012
NIC 5: VLAN 13, redirected to UDP port 20013
Device output is redirected to VNC (listening on all interfaces) on port 5900

Although the hardware definition specifies 5 interfaces, we are going to use only 2: one for management and one for inspection.
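The START-IPS script follows a fixed pattern per NIC (VLAN n gets MAC 00:aa:00:00:01:nn, local UDP port 30000+n and peer port 20000+n on loopback), which is easy to mistype when adding or removing interfaces. The generator below, an added example rather than code from the post, rebuilds the command line from a list of VLAN numbers, reuses the post's SMBIOS strings verbatim, and refuses to emit two NICs that would bind the same UDP port.

```python
import shlex

# SMBIOS strings exactly as in the START-IPS script above; the sensor reads them to
# decide whether it is running on supported hardware.
SMBIOS = [
    "type=0,vendor=Phoenix Technologies Ltd.,version=1.10,date=09/30/2002,release=A04",
    "type=1,product=IDS-4235,manufacturer=Cisco Systems,version=1.0,serial=12345789012,"
    "uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IDS-4235/4250",
]

def nic_args(vlan, daddr="127.0.0.1"):
    """Return the two -net option strings for one e1000 NIC on QEMU VLAN `vlan`.

    Follows the post's numbering: MAC 00:aa:00:00:01:<vlan as two decimal digits>,
    local UDP port 30000+vlan, peer port 20000+vlan.
    """
    if not 0 <= vlan <= 99:
        raise ValueError("the post's MAC scheme only encodes two decimal digits")
    mac = f"00:aa:00:00:01:{vlan:02d}"
    return [
        f"nic,vlan={vlan},model=e1000,macaddr={mac}",
        f"udp,vlan={vlan},sport={30000 + vlan},dport={20000 + vlan},daddr={daddr}",
    ]

def build_command(vlans, disk_dir="IDS-4235", mem=1024, vnc="0.0.0.0:0"):
    """Return the qemu argv as a list; shlex.join() turns it into the START-IPS text."""
    if len(set(vlans)) != len(vlans):
        raise ValueError("duplicate VLAN: two NICs would bind the same UDP port")
    argv = ["qemu", "-m", str(mem),
            "-hda", f"{disk_dir}/ips-disk1.img", "-hdb", f"{disk_dir}/ips-disk2.img"]
    for s in SMBIOS:
        argv += ["-smbios", s]
    for v in vlans:
        for opt in nic_args(v):
            argv += ["-net", opt]
    argv += ["-vnc", vnc]
    return argv

if __name__ == "__main__":
    # The post's five NICs on VLANs 9..13; prints a single-line, correctly quoted command.
    print(shlex.join(build_command([9, 10, 11, 12, 13])))
```

Passing [9, 10] instead of the full list produces the two-interface variant the text says is actually used (management plus one inspection port).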

That's the final configuration for Cisco IPS emulation; the sensor should now start normally. Cisco IDM also works fine against the emulated IPS. We will run it directly from the Windows XP VM, which is discussed in the later (Management) section.

References:
Thanks to http://www.brainbump.net/how-to-emulate-cisco-ips/ for the accurate and simple way of detailing all steps.
