How to emulate Cisco IPS

If you are studying for CCIE Security or any Cisco Related Certification, you need to work on IPS. In this detailed tutorial, i will show you how you can emulate Cisco Intrusion Prevention System (IPS) 6 using Qemu & GNS3. I will be emulating IPS 4235 v 6.0.6(E3) in this tutorial. You can run upto 4 virtual sensors starting IPS-4235u v 6.0 . In a future blog post, i will show you also how to run virtual sensors , configure IPS for sensing interfaces using interface pair , inline vlan pair etc & connecting to IPS6 using ASDM . In this guide, i will setup sensor for 5 1000Mbps interfaces with Management0/0 being used for Command & Control ( C&C ) & rest of 4 interfaces (GigabitEthernet 0/0 – GigabitEthernet 0/3) as Sensing interfaces.

First & foremost, install the latest version of GNS3 i.e GNS v 0.7.3 if you haven’t already done so. Next, Cisco IPS Recovery CD will be required. You should be able to get one from you CCO account on Cisco.com.

Disclaimer: This tutorial is for learning purposes only. You can download Cisco IPS Recovery image from CCO directly.Otherwise,it shouldn’t be hard to get one from internet using some googling skills :) I will NOT provide any images so, please refrain from asking me as i won’t entertain any such requests/emails.

Cisco Secure ACS 5.X Deployment Guide E-Book

Now, lets get started. I will be breaking it down into several steps.

Software Version Used in this tutorial:

  • -> Platform : Windows 7 64bit edition (Tutorial will work on any OS )
  • -> GNS3 Version : v0.7.3
  • -> IPS Sensor Version : IPS 4235 v 6.0.6(E3)
  • -> Qemu Version : 0.11.0
  • -> Reference : http://inetpro.org/wiki/Using_qemu_to_run_Cisco_IPS

NOTE: Screenshots might get cropped on blog post so click on thumbnail to view full image.If you want to download tutorial , see end of this tutorial for GNS3 configuration file & PDF version of this tutorial.

 

Step 1 : Create 2 Disk Images (hda & hdb)

IPS disk creation

Step 2 : Load IPS CD image using qemu

IPS Image Recovery Process

When qemu boots, press ‘k’ to start the re-imaging process (image recovery). When reimaging is done, the software reloads, and qemu pauses in the BIOS screen complaining about boot issues. Exit the qemu process (using Ctrl-C)

Step 3 :  Boot from the Re-Imaged Disks

Next step is to boot from the disk. When the system starts, you need to modify the grub boot entry to make sure the system starts at runlevel 1.

At the grub menu, press “e” to edit the first boot entry. In the following menu, select the 2nd line (that starts with “kernel=”) and press “e” again. Change the option init=/loadrc to init=1, then Enter followed by “b” to boot.

The IPS software now boots into runlevel 1. When prompted, press Enter and issue  following commands:

/loadrc
 cd /etc/init.d
 ./rc.init
 cp ids_functions ids_functions.orig
 vi ids_functions

In the resulting file, search for the string “845″ (with /845),it will jump to the  section which looks like this :

 elif [[ `isCPU 845` -eq $TRUE && $NUM_OF_PROCS -eq 1 ]]; then
         MODEL=$IDS4215
         HTLBLOW=8
         MEM_PAGES=${HTLBLOW}
         DEFAULT_MGT_OS="fe0_0"
         DEFAULT_MGT_CIDS="FastEthernet0/0"

Replace the first line (the elif statement) and the variables DEFAULT_MGT_OS and DEFAULT_MGT_CIDS to the following :

 elif [[ 1 -eq 1 ]]; then
         MODEL=$IDS4235
         HTLBLOW=32
         MEM_PAGES=${HTLBLOW}
         DEFAULT_MGT_OS="ma0_0"
         DEFAULT_MGT_CIDS="Management0/0"

Save and exit vi.

Step 4: Map the emulated NIC cards to the IPS interface

 

 

Now,lets adjust the process of mapping the emulated NIC cards to the IPS interfaces. Issue the following commands:

cd /usr/cids/idsRoot/etc
 cp interface.conf interface.conf.orig
 vi interface.conf

Move forward to the section that deals with the 4235 sensor.  You only need to make modifications at the [models/IDS-4250/interfaces/X] sections.

Edit the section. The result should look like following :

 [models/IDS-4250/interfaces/1]
 name-template=Management0/0
 port-number=0
 pci-path=3.0
 vendor-id=0x8086
 device-id=0x100e
 type=ge
 mgmt-capable=yes
 net-dev-only=yes
 tcp-reset-capable=yes                                

 [models/IDS-4250/interfaces/2]
 name-template=GigabitEthernet0/0
 port-number=1
 pci-path=4.0
 vendor-id=0x8086
 device-id=0x100e
 type=ge
 sensing-capable=yes
 tcp-reset-capable=yes                                   

 [models/IDS-4250/interfaces/3]
 name-template=GigabitEthernet0/1
 port-number=2
 pci-path=5.0
 vendor-id=0x8086
 device-id=0x100e
 type=ge
 sensing-capable=yes
 tcp-reset-capable=yes

[models/IDS-4250/interfaces/4]
 name-template=GigabitEthernet0/2
 port-number=3
 pci-path=6.0
 vendor-id=0x8086
 device-id=0x100e
 type=ge
 sensing-capable=yes
 tcp-reset-capable=yes

[models/IDS-4250/interfaces/5]
 name-template=GigabitEthernet0/3
 port-number=4
 pci-path=7.0
 vendor-id=0x8086
 device-id=0x100e
 type=ge
 sensing-capable=yes
 tcp-reset-capable=yes

Follow the Screenshots :

Save the changes and exit vi. The system changes are done, now reload the device

reboot





Device will reload couple of times, followed by prompting you to change the password & that’s it!

GNS3 Specific Configuration :

 

 

Next, Edit Preferences Menu in GNS3 & make IPS Qemu Settings as shown [ Under Qemu Options, modify smbios settings to remove Unsupported platform error ] :

Create the Topology in GNS3 & boot the sensor. Access CLI & also access via IDM (IPS Device Manager) as shown.

Now , you have FULL-BLOWN IPS Sensor at your disposal. ENJOY !!!

In Next tutorial, i will help you fine tune the sensor e.g . Setup mutiple virtual sensors, reduce CPU load to less than 5% (Qemu Optimization), Tunning Signatures , Connecting & Configuring Sensing interfaces in GNS3 etc. Stay Tuned !

NOTE:Refer to the original wiki document mentioned in Reference if you want to understand the nitty gritty.Thanks to “tranzitwww” for his comments.

If you find this tutorial useful in your studies & want to download this tutorial for offline viewing, the link is provided below.Download package contains GNS3 Configuration File (.net) , PDF version of this tutorial , separate full resolution screenshots etc.

Download Tutorial

 

 

 

Create PDF    Send article as PDF   

Tags: , , , , , , , , ,


Fatal error: Uncaught CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed thrown in /home/content/b/r/a/brainbump/html/wp-content/plugins/seo-facebook-comments/facebook/base_facebook.php on line 825