Cisco Systems: IPS4360, Cisco Security Manager, and a simple example of how to create a test plan

Cisco IPS4360
The IPS4300 series is the latest intrusion prevention/detection system from Cisco Systems. It has two quad-core CPUs, 8 GB RAM and 8 GB flash, with an option for a redundant power supply. If you are using Cisco Security Manager (CSM) to manage it, be sure to use CSM version 4.3: CSM keeps a list of system object IDs that determines which Cisco security products it is allowed to manage.

When Cisco first launched the IPS4360, only CSM version 4.2 was available. After I proposed it to the customer and placed the order, I found during installation that CSM 4.2 could not recognize the IPS4360. CSM itself is free to download, but the license is a paid item.

The standard edition allows you to manage 5, 10 or 25 nodes, depending on which license you purchased. The evaluation version lets you use the professional license for 90 days; the professional license allows you to manage 50 nodes.

The standard edition license is not incremental; if you need incremental licensing, be sure to propose the professional edition.

Cisco Security Manager – device count
One IPS4360 allows you to create up to 4 virtual sensors; the IPS itself has a default virtual sensor which cannot be deleted. If you propose Cisco Security Manager and need to decide how many node licenses to purchase, you have to understand that each virtual sensor counts as one node. If you have a Cisco ASA and want to manage it with CSM, note that each security context uses one node license as well.

If you have two IPS4360 and need to propose an appropriate license, you should propose a 10-node license, as that is the maximum number of nodes CSM would need to manage in that case.
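To make the node counting concrete, here is an added example (not code from the original post or from Cisco) that applies the licensing rules described above: one node per virtual sensor on an IPS4360 (one default sensor, at most four), one node per ASA security context, standard tiers of 5/10/25 nodes that cannot be topped up, and a 50-node professional tier. The device names in the inventory are constructed.

```python
# Added example (not from the original post): a small calculator for the
# CSM node-licensing rules described above. Rules from the post: each
# virtual sensor on an IPS4360 is one node (one default sensor, at most
# four), each ASA security context is one node, standard tiers are
# 5/10/25 nodes and are not incremental, professional is 50 nodes.
# Device names in the inventory below are constructed.

MAX_VIRTUAL_SENSORS = 4        # per IPS4360, including the default sensor
STANDARD_TIERS = (5, 10, 25)   # standard edition sizes, not incremental
PROFESSIONAL_TIER = 50         # professional edition size


def ips_nodes(virtual_sensors):
    """Nodes one IPS4360 consumes: one per virtual sensor (1..4)."""
    if not 1 <= virtual_sensors <= MAX_VIRTUAL_SENSORS:
        raise ValueError(
            f"an IPS4360 has between 1 and {MAX_VIRTUAL_SENSORS} virtual sensors")
    return virtual_sensors


def asa_nodes(contexts):
    """Nodes one ASA consumes: one per security context (single mode = 1)."""
    if contexts < 1:
        raise ValueError("an ASA has at least one context")
    return contexts


def required_nodes(inventory):
    """Sum nodes over an inventory of (name, kind, count) tuples."""
    total = 0
    for name, kind, count in inventory:
        if kind == "ips":
            total += ips_nodes(count)
        elif kind == "asa":
            total += asa_nodes(count)
        else:
            raise ValueError(f"{name}: unknown device kind {kind!r}")
    return total


def recommend_license(nodes, expect_growth=False):
    """Return (edition, tier) for a node count.

    Standard licenses cannot be topped up, so a deployment expected to
    grow is pointed straight at professional; anything over the
    professional tier cannot be covered by a single CSM license.
    """
    if nodes > PROFESSIONAL_TIER:
        raise ValueError(
            f"{nodes} nodes exceed the {PROFESSIONAL_TIER}-node professional tier")
    if not expect_growth:
        for tier in STANDARD_TIERS:
            if nodes <= tier:
                return ("standard", tier)
    return ("professional", PROFESSIONAL_TIER)


# Constructed inventory: two IPS4360 each carrying the maximum four
# virtual sensors, the two-appliance case discussed above.
TWO_IPS = [("ips-a", "ips", 4), ("ips-b", "ips", 4)]

if __name__ == "__main__":
    n = required_nodes(TWO_IPS)
    print(n, recommend_license(n))                    # 8 ('standard', 10)
    print(recommend_license(n, expect_growth=True))   # ('professional', 50)
```

The `expect_growth` flag encodes the non-incremental point: if more sensors or contexts are likely to be added later, the calculator skips the standard tiers entirely rather than recommending a license that would have to be replaced.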

Virtual sensor
A virtual sensor is an entity with its own signature policy and rule policy. You can mix IDS sensors and IPS inline sensors in one virtual sensor; all IPS and/or IDS sensors within the virtual sensor use the same signature policy and rule policy, so changing either policy affects every sensor included in that virtual sensor.

The rule policy specifies the action taken once a match is found; the signature policy lets you enable or disable a signature and retire or un-retire it. A retired signature is ignored by the sensor when a match is found, even if you have enabled it, so be sure to un-retire a signature when you want to enable it.
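The enabled-but-retired trap above is easy to model. The following is an added example (not code from the original post or from Cisco) of a small virtual-sensor model in which the retired flag wins over the enabled flag and the rule policy only comes into play for a live signature; the signature labels, member names and action names are constructed for illustration.

```python
# Added example (not from the original post): a model of how a virtual
# sensor's signature policy and rule policy decide what happens on a
# match. Signature labels, member names and action names are constructed.
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PRODUCE_ALERT = "produce-alert"
    DENY_PACKET = "deny-packet-inline"


@dataclass
class Signature:
    """Signature-policy state for one signature."""
    enabled: bool = True
    retired: bool = False


@dataclass
class VirtualSensor:
    name: str
    members: list                                         # sensors/interfaces assigned
    signature_policy: dict = field(default_factory=dict)  # sig -> Signature
    rule_policy: dict = field(default_factory=dict)       # sig -> set of Action

    def actions_for(self, sig):
        """Actions taken when traffic on any member matches `sig`."""
        state = self.signature_policy.get(sig)
        if state is None or state.retired or not state.enabled:
            return set()      # a retired signature is ignored even when enabled
        return set(self.rule_policy.get(sig, {Action.PRODUCE_ALERT}))

    def enable(self, sig):
        self.signature_policy.setdefault(sig, Signature()).enabled = True

    def unretire(self, sig):
        self.signature_policy.setdefault(sig, Signature()).retired = False


def effective_actions(vs, sig):
    """Per-member view: every member of a virtual sensor gets the same result."""
    return {member: vs.actions_for(sig) for member in vs.members}


def build_sample_sensor():
    """Constructed virtual sensor: one IDS port and one inline pair sharing
    a policy in which SIG-A starts out disabled and retired."""
    return VirtualSensor(
        name="vs0",
        members=["gi0/0 (promiscuous)", "gi0/1<->gi0/2 (inline pair)"],
        signature_policy={"SIG-A": Signature(enabled=False, retired=True)},
        rule_policy={"SIG-A": {Action.PRODUCE_ALERT, Action.DENY_PACKET}},
    )


if __name__ == "__main__":
    vs = build_sample_sensor()
    vs.enable("SIG-A")
    print(vs.actions_for("SIG-A"))      # set(): still retired, so nothing fires
    vs.unretire("SIG-A")
    print(effective_actions(vs, "SIG-A"))
```

Because `actions_for` is evaluated at the virtual-sensor level, `effective_actions` returns the identical action set for every member, which is exactly why a policy change on the virtual sensor reaches all of its sensors at once.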

IDS/IPS modes
Promiscuous mode – This is the intrusion detection system (IDS) mode. The promiscuous IDS/IPS port is connected to the port-mirror destination port of a switch. The IDS only analyzes packets; if there is a match it produces an alert, and it can also connect to a blocking device (e.g. a firewall or router) to request blocking. To do so the IDS connects to the router or firewall over telnet or SSH and issues an access-list command on the router or a shun command on the Cisco ASA.

Inline interface pair – This pairs two IPS/IDS physical interfaces. Pairing the physical interfaces this way is also known as bump-in-the-wire. This is required if you need an IPS (inline) sensor.

Inline VLAN pair – This uses a single IPS/IDS physical interface, on which two VLANs are paired together. The IPS physical interface forms a trunk with the layer 3 switch, and the switch applies the VLAN tags required for traffic to traverse from one VLAN to the other.
[Figure: vlan pair1]

Inline VLAN group – This mode needs two IPS/IDS physical interfaces. The interfaces must first be paired; you can then assign sub-interfaces to the interface pair, with each sub-interface transporting one VLAN tag. The IPS sits between two switches, and the inline VLAN group interfaces act as a trunk for both switches.
[Figure: vlan group1]

Factory acceptance test/user acceptance test
This is a typical test plan used to confirm that the devices are working properly before delivery. The same testing done during on-site deployment is known as a site acceptance test or system integration test; Cisco may use another name for it, the network ready for use test.

You can connect the IPS/IDS to the switches and use two computers as the attacker PC and the victim PC. Use the BackTrack OS on the attacker to attack the victim, and enable the relevant signatures in the IPS/IDS so that alerts are produced and blocking is available during the attack. Do this off site, as the tools in BackTrack can render live computers unusable.

For example:
Set up a victim PC running Windows XP with its firewall bypassed. Set up the attack PC with BackTrack and launch Metasploit, use the ms08_067 exploit with the meterpreter reverse TCP payload and start the attack. You will find that Metasploit times out because it is blocked by the Cisco IPS; the Cisco IPS recognizes this type of attack as SMB remote code execution, detected by the service-smb engine.

Other tools such as nmap and hping3 can be used in the test plan as well.

hping3 can simulate a denial of service attack. The string-tcp engine recognizes a denial of service attack and blocks it when operating in IPS mode. During the denial of service attack you will notice that the CPU usage of the victim PC does not rise to 100% and the machine keeps operating normally (i.e. 1-17%, depending on the applications installed on the victim PC). This shows that the IPS is blocking the attack, and hence the victim's system resources stay consistently normal or low.
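A test plan is only useful if each case has a recorded pass/fail criterion. The following is an added example (not code from the original post or from Cisco) of a small checker for the two acceptance test cases described above: it parses the sensor's alert records, confirms that the expected engine fired, confirms that inline mode actually denied the traffic rather than only alerting, and for the flood case confirms that the victim's CPU samples stayed under a ceiling. The alert lines are constructed in a simplified key=value form and are not the real sensor event format; the 20% CPU ceiling is an assumed pass criterion derived from the 1-17% observation above, and the IP addresses and case IDs are constructed.

```python
# Added example (not from the original post): a pass/fail checker for the
# acceptance test cases described above. Alert lines are constructed in a
# simplified key=value form, not the real sensor event format; the CPU
# ceiling is an assumed criterion; addresses and case IDs are constructed.
import re

SAMPLE_ALERTS = """\
engine=service-smb action=deny attacker=192.0.2.10 victim=192.0.2.20 summary="SMB remote code execution"
engine=string-tcp action=deny attacker=192.0.2.10 victim=192.0.2.20 summary="TCP flood"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_alerts(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alerts.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return alerts


# Test cases mirroring the post: one exploit attempt expected on the
# service-smb engine, one flood expected on string-tcp. The CPU samples
# are constructed; 20% is the assumed ceiling for "operating normally".
TEST_PLAN = [
    {"id": "FAT-01", "name": "ms08_067 against XP victim", "engine": "service-smb",
     "mode": "inline", "victim": "192.0.2.20"},
    {"id": "FAT-02", "name": "hping3 flood against XP victim", "engine": "string-tcp",
     "mode": "inline", "victim": "192.0.2.20",
     "cpu_samples": [3, 9, 17, 12], "cpu_ceiling": 20},
]


def evaluate_case(case, alerts):
    """Return (status, reason) for one test case against the parsed alerts."""
    hits = [a for a in alerts
            if a.get("engine") == case["engine"] and a.get("victim") == case["victim"]]
    if not hits:
        return "FAIL", f"no alert from engine {case['engine']}"
    # In inline (IPS) mode the sensor must have dropped the traffic; in
    # promiscuous (IDS) mode an alert alone is the expected outcome.
    if case["mode"] == "inline" and not any(a.get("action") == "deny" for a in hits):
        return "FAIL", "alert raised but traffic was not denied"
    samples = case.get("cpu_samples")
    if samples and max(samples) > case["cpu_ceiling"]:
        return "FAIL", f"victim CPU peaked at {max(samples)}%"
    return "PASS", f"{len(hits)} alert(s), victim unaffected"


def run_plan(plan, alert_text):
    """Map each case ID to its (status, reason)."""
    alerts = parse_alerts(alert_text)
    return {case["id"]: evaluate_case(case, alerts) for case in plan}


if __name__ == "__main__":
    for case_id, (status, reason) in run_plan(TEST_PLAN, SAMPLE_ALERTS).items():
        print(f"{case_id}: {status} ({reason})")
```

The distinction between `alert` and `deny` is the point worth recording in a factory acceptance test: a sensor that alerts but does not deny has detected the traffic, but in inline mode that is a failed case, whereas for a promiscuous-mode case the same record is a pass.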
