Cisco IPS – Inline VLAN Pair mode

  1. Set up Cisco IPS on EVE

    I failed to set up Cisco IPS on EVE (version 2.0.3-53).

    What I did: downloaded the Cisco IPS OVA file from http://certcollection.org/forum/topic/270568-ips-4240-ver-7-unholy-darkness/page__hl__%20cisco%20%20ips (https://mega.nz/#!W99UnTIa!-3k6bQwiD_DhNCDFfL6TWlU69KoRwIYeaJE9JlDOASY)

    Did everything listed in the following instructions for IPS interfaces: http://certcollection.org/forum/topic/266792-emulating-ips-on-unl/ and http://www.cznetlab.cz/index.php?cat=cciesec&subcat=unlips

    My problem is:

    Cisco IPS cannot ping anything; I ran a traffic capture on the IPS's interface, and no packet left it when I executed the ping command.

    Question on the official EVE forum: http://www.unetlab.com/forum/viewtopic.php?f=5&t=55&sid=25184c5b3a889925218c20bffb2f180f

    The official answer is: This image is corrupted and not working on either UNL or EVE

    So I deployed it on VMware vSphere.

    Setup VM networks on vSphere

    Setup IPS's networks

    Setup EVE's networks

    Setup EVE Lab

  2. Initialize Cisco IPS

    I initialized the device from the Cisco IPS console interface.


    The default username/password is: cisco/ciscoips123

    Then enter the command 'setup' to initialize the device.

    The most important step is to disable HTTPS. Cisco IPS enables HTTPS by default, which most current browsers (Chrome/Firefox/IE) no longer support. Execute the following commands:

    service web-server

    enable-tls false

    port 80

    exit

    Then access the device over HTTP; it will prompt you to launch IDSM (Java required).


  3. Interface Pairs

    Before Cisco IPS Interface Pair

    Add Interface Pair

    After Cisco IPS Interface Pair

  4. Bind vs


  5. Lab 1 - Recognize ICMP as an attack


  6. Verify

    Execute the ping command on R1


    Cisco IPS Event



Difference in SNMP GET of a route entry (IP-FORWARD-MIB) between Cisco and Juniper

On Cisco devices, the routing table is retrieved by SNMP walking the 1.3.6.1.2.1.4.21 (route table) node.

On Juniper devices, routes are retrieved by SNMP walking the 1.3.6.1.2.1.4.24 (IP-FORWARD-MIB) node.
Later, on a Cisco 7609 (IOS 12.0) and a 3560 running IOS 15.2, retrieving routes through 1.3.6.1.2.1.4.21 failed while an SNMP walk of 1.3.6.1.2.1.4.24 succeeded; however, a single-entry SNMP GET done the Juniper way, using 1.3.6.1.2.1.4.24.1 + network address (as index), failed. After repeated attempts I found that a Cisco SNMP GET of a route entry returns a value on all of these devices only when the index is 1.3.6.1.2.1.4.24.1 + network address + netmask.

Configuring SSH public-key authentication on Cisco IOS devices

Author: Kevin Zhang
Concepts:
SSH public key types:
- RSA key: used with the SSH1 and SSH2 protocols
- DSA key: used with the SSH2 protocol
*Note: DSA is weaker than RSA in security
Key formats:
Public key: SSH.com uses the public-key format specified in RFC 4716, while OpenSSH uses a different format
Private key: SSH v1 private keys have a single standard format, but SSH v2 private keys come in many formats; the OpenSSH, ssh.com, PuTTY and WinSCP formats differ and are not compatible with each other
I. Key generation
1. Generating a key with SecureCRT


There are two key types: DSA and RSA. SecureCRT notes that many servers do not support RSA; Cisco IOS supports only RSA.
The passphrase is the password that encrypts the private key, and the comment is the prompt shown when that password is requested; both may be left empty.


For better compatibility and applicability, the OpenSSH key format was chosen; then choose where to save the private key:
After clicking 'Finish', a dialog appears:
If you choose 'Yes', the public key used by 'Quick Connect' will point to the saved file:
2. Generating a key with PuTTYgen (guide from WinSCP)


Key passphrase: the password that encrypts the key
Key comment: the prompt shown when the password is requested
*Note: by default the key is generated in PuTTY's native format (*.PPK); use the Conversions menu to save the private key in ssh.com or OpenSSH format
II. Configuring the Cisco device
1. Enable SSH
ip domain-name publickey.com //configure the domain name
crypto key generate rsa //generate the SSH key pair
line vty 0 4 //set the login mode of the vty lines
   transport input ssh //authentication differs between Cisco and 3Com: 3Com can define telnet or ssh users, whereas Cisco's is session-based
2. Using a public key with SSH on IOS 15 (similar on 12.4T)
ip domain-name publickey.com
ip ssh version 2

crypto key generate rsa label ssh modulus 1024
ip ssh rsa keypair-name ssh
line vty 0 4
  transport input ssh
  exit

ip ssh pubkey-chain
username kzhang //username that will log in with the key
key-string //after pressing Enter, input works like a banner: key configuration ends only when you type exit
xxxxxx //paste the RSA public key generated by SecureCRT or PuTTY; if the pasted content is wrong the device reports '%SSH: Failed to decode the Key Value'. SecureCRT: paste the whole text as-is. PuTTY: copy only part of the text:
exit //exit leaves public-key configuration
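Before pasting a key into key-string it helps to check the copied text the way the device will: decode it and confirm it really is an ssh-rsa blob. The following Python is an added example, not from the original post or from Cisco: it parses an OpenSSH public-key line, rejects the truncated or partial pastes that lead to '%SSH: Failed to decode the Key Value', and computes the MD5 of the decoded blob, which I assume is the value IOS later shows as 'key-hash ssh-rsa' in the running configuration (verify against show running-config on your own device). The demo key is constructed, not a real RSA key.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, with a leading 0x00 if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64> <comment>' line from public parameters (demo data only)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_openssh_rsa_line(line: str):
    """Decode an ssh-rsa line and return (blob, e, n); raise ValueError on anything malformed."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of key blob (partial paste?)")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob is not the algorithm/e/n layout of an ssh-rsa key")
    return blob, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def ios_key_hash(line: str) -> str:
    """MD5 of the decoded blob, upper-case hex; assumed to match IOS 'key-hash ssh-rsa <hex>'."""
    blob, _, _ = parse_openssh_rsa_line(line)
    return hashlib.md5(blob).hexdigest().upper()

if __name__ == "__main__":
    # Constructed demo key: e=65537 and an arbitrary odd 1024-bit modulus, NOT a real RSA key.
    demo = build_openssh_rsa_line(65537, (1 << 1023) | 0x1234567, "kzhang@demo")
    print(ios_key_hash(demo))
```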
III. Verification
1. 'show ip ssh' on IOS 15

R2#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkhc93+j/D2RdJFhRn9NWkfoW+LE8WvERSX9wnygVp
bVMxjlov+PP6Fe4OlppueLtRtdrAVIwROeyE4hxf/bCMf8efUylIqMGx4aI64m+V/l2rbFKEECdDXUHU
LI/cNkdwu12h1C0fw4asGuhq4RQkjH53AgVgdQvk3yi37Rf4fQ==

2. SecureCRT

Taking the SSH 'Quick Connect' as an example:
  • First set the username
  • Step 1: set the 'Public Key' entry to high priority
  • Step 2: click 'Properties' to configure the public key used for login
  • Step 3: click 'Use session public key setting'
  • Step 4: click … to specify the private-key file; SecureCRT supports the OpenSSH format but not the ssh.com format
Once set up, click Connect
3. PuTTY
On the Session page, specify the device IP:
Under Connection -> SSH -> Auth, specify the private key
*Note: PuTTY supports only the ppk format, not the OpenSSH or ssh.com formats

    Problem: after completing the configuration on IOS 15.0, logging in with PuTTY produced the error "Server refused our key". Running "Debug ip ssh detail" on the device showed the error:

invalid old access type configured - 0x01

Applying the following configuration:

configure terminal
line vty 0 4
login local
exit

fixed the problem.