网络工程 | Cisco 配置路由器的IPS功能 - THRFUR

网络工程 | Cisco 配置路由器的IPS功能

NaN

本实例通过配置路由器 R1 的 IPS 来实现对进入内网 192.34.1.0 网络的流量进行扫描检测，服务器用于记录IPS日志消息。

首先是要将各个设备之间的通信解决，在本实例中使用 RIP 技术。

R1#conf t
R1(config)#inter f0/0
R1(config-if)#ip add 192.34.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#inter s0/0/0
R1(config-if)#ip add 10.34.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 192.34.1.0
R1(config-router)#network 10.34.1.0
R1(config-router)#no auto-summary
R1(config-router)#end

R2#conf t
R2(config)#inter s0/0/0
R2(config-if)#ip add 10.34.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#inter s0/0/1
R2(config-if)#ip add 10.34.2.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 10.34.1.0
R2(config-router)#network 10.34.2.0
R2(config-router)#no auto-summary
R2(config-router)#end

R3#conf t
R3(config)#inter s0/0/0
R3(config-if)#ip add 10.34.2.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#inter f0/1
R3(config-if)#ip add 192.34.3.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#network 10.34.2.0
R3(config-router)#network 192.34.3.0
R3(config-router)#no auto-summary
R3(config-router)#end

给 PC-A、服务器、PC-B 添加IP地址、默认网关、子网掩码。PC-A、服务器的默认网关指向路由器 R1，PC-B的默认网关指向路由器 R3。

接着测试一下网络是否通畅，PC-A ping PC-B：

Packet Tracer PC Command Line 1.0
C:\>ping 192.34.3.2

Pinging 192.34.3.2 with 32 bytes of data:

Request timed out.
Reply from 192.34.3.2: bytes=32 time=3ms TTL=125
Reply from 192.34.3.2: bytes=32 time=4ms TTL=125
Reply from 192.34.3.2: bytes=32 time=2ms TTL=125

Ping statistics for 192.34.3.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 4ms, Average = 3ms

C:\>

PC-B ping PC-A：

Packet Tracer PC Command Line 1.0
C:\>ping 192.34.1.2

Pinging 192.34.1.2 with 32 bytes of data:

Reply from 192.34.1.2: bytes=32 time=3ms TTL=125
Reply from 192.34.1.2: bytes=32 time=3ms TTL=125
Reply from 192.34.1.2: bytes=32 time=2ms TTL=125
Reply from 192.34.1.2: bytes=32 time=2ms TTL=125

Ping statistics for 192.34.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

C:\>

好了，看来是全部通信了，那么接下来就要配置重点了 —- IPS，接下来的步骤都是在路由器 R1 上完成。

首先，需要在 R1 的 FLASH 中创建一个名为 ipsdir 的目录，不是固定的，可以随意定名称。

R1#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir

R1#

接着配置 IPS 的 signature 存放位置。
R1(config)#ip ips config location flash:ipsdir

建立一条 IPS rule，即 IPS 的检测规则。(iosips名称可变)
R1(config)#ip ips name iosips

开启日志功能。
R1(config)#ip ips notify log

根据需要，在特权模式下设置时间等信息。
R1#clock set 17:20:00 26 April 2020

开启时间戳服务。
R1(config)#service timestamp log datetime msec

发送日志消息到服务器上。
R1(config)#logging host 192.34.1.3

配置 IPS 所使用的 signature 类别。使用 retired true 命令退订所有签名类，使用 retired false 命令引用 signature.

R1#conf t
R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

R1(config)#

然后应用 IPS 规则到接口上。

R1(config)#inter f0/0
R1(config-if)#ip ips iosips out
R1(config-if)#
*四月 26, 17:34:07.3434:  %IPS-6-ENGINE_BUILDS_STARTED:  17:34:07 UTC 四月 26 2020
*四月 26, 17:34:07.3434:  %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*四月 26, 17:34:07.3434:  %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*四月 26, 17:34:07.3434:  %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
R1(config-if)#

修改路由器 R1 的签名，改变 signature 的时间动作 event-action..

R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2020 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm]
Signature not found - 2020:0

R1(config)#

使用 show ip ips all 命令检查 IPS。

R1#show ip ips all
IPS Signature File Configuration Status
    Configured Config Locations: flash:ipsdir
    Last signature default load time: 
    Last signature delta load time: 
    Last event action (SEAP) load time: -none-

    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled

IPS Signature Status
    Total Active Signatures: 1
    Total Inactive Signatures: 0

IPS Packet Scanning and Interface Status
    IPS Rule Configuration
      IPS name iosips
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Interface Configuration
      Interface FastEthernet0/0
        Inbound IPS rule is not set
        Outgoing IPS rule is iosips

IPS Category CLI Configuration:
    Category all
	Retire: True
    Category ios_ips basic
	Retire: False
R1#

最后就是检查 IPS 是否正常工作。

PC-B 与 PC-A将无法通信，因为设置了“deny-packet-inline”，即在线拒绝DROP。
PC-A 与 PC-B将可以通信，因为IPS规则中没有包括对于echo reply的事件动作。

PC-A 与 PC-B 通信检测结果：

C:\>ping 192.34.3.2

Pinging 192.34.3.2 with 32 bytes of data:

Reply from 192.34.3.2: bytes=32 time=7ms TTL=125
Reply from 192.34.3.2: bytes=32 time=2ms TTL=125
Reply from 192.34.3.2: bytes=32 time=4ms TTL=125
Reply from 192.34.3.2: bytes=32 time=3ms TTL=125

Ping statistics for 192.34.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 7ms, Average = 4ms

C:\>

PC-B 与 PC-A 通信检测结果：

C:\>ping 192.34.1.2

Pinging 192.34.1.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.34.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

服务器上的 syslog 信息：