Security: Getting started with IPS4200 series

The IDS4215 is an EoL piece of hardware under the IPS4200 family. I know a Singaporean vendor who sold this hardware at a high price despite this hardware is as old as 2600xm series routers. I managed to get this IDS at a reasonable price over ebay.

What is an IDS?

Intrusion Detection System is a system that detects anomaly and invoke an action. The action may be alerting ASA or other firewall but it will not stop anomaly from harming your system. Unlike IPS, it cannot drop the suspicious traffic itself. The IDS4215 is a computer that is operating a linux kernel (2.4) it uses Redhat distribution. It could be a x86 architecture, which you can have chance to use the IPS software in your own x86 architecture computer (perhaps, but i do not know how…)

Getting started

IDS# setup

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 192.168.1.10/24,192.168.1.1
host-name IDS
telnet-option disabled
access-list 192.168.1.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 480
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service interface
physical-interfaces FastEthernet0/1
admin-state enabled
exit
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Current time: Tue Jun 28 14:31:08 2011

Setup Configuration last modified: Tue Jun 28 12:49:35 2011

Continue with configuration dialog?[yes]:

You can use the setup script or you can do it yourself manually. Let’s go through the setup script.

Setup Configuration last modified: Tue Jun 28 12:49:35 2011

Continue with configuration dialog?[yes]:
Enter host name[IDS]:
Enter IP interface[192.168.1.10/24,192.168.1.1]:
Enter telnet-server status[disabled]:
Enter web-server port[443]:
Modify current access list?[no]:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:
No changes were made to the configuration.

This is just a run through, i do not want to change my setup configuration as of now. If you just got your IDS box, I recommend you say Yes to Modify current access list. You need to specify an access list so that your system is allowed to manage the IDS, if you do not specify the access-list all traffic will be dropped. You can choose not to manage via ssh or https, if this is what you want then you can ignore the access list portion.

Cisco IPS device manager (IDM)

It is recommended to use JRE version 1.4.2 (any release) to launch the IDM, and I am using WinXP SP3 1GB RAM, 20GB HDD, JRE 1.4.2 (initial release). You have to set the maximum heap size to 256mb, if you do not IDM will refuse to launch. I recommend you read this on how to increase the JRE heap size.

The IDM interface is very similar to ASDM. This is version 6, I have actually upgraded the image to get this new IDM.

Signature definition

An IDS/IPS without an updated signature file is as good as getting a trial version Antivirus software. You need to pay for yearly subscription for a license.

Advertisements
This entry was posted in IDS/IPS and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s