
Intrusion Detection Systems
What is an IDS? Early IDSs were nothing more than listening systems; here you can think of "listening" as eavesdropping. Given how today's LANs work, an IDS can record every access to, and operation on, the servers that sit on the same switch/hub as the IDS, for later analysis, much like the Event Viewer in the Windows operating systems we use every day. Later, because an IDS produced far too many records, the next generation of IDS added analysis of the recorded data and listed only the dangerous subset of records, which closely resembles the policy auditing Windows uses today. The current generation of IDS also analyses application-layer data, which greatly expands its capabilities; and the newest generation has something of a "see injustice, draw your sword" flavour: it works in concert with a firewall, so that addresses the IDS has judged hostile are blocked from further access.
Just as theory differs from practice, although an IDS has all the features described above, most intrusion detection deployments today attach in pass-by mode and sniff the traffic on the network. This limits the IDS's own blocking capability: it can only stop the current activity by sending blocking packets (TCP resets), and its blocking scope is small, limited to some behaviours built on TCP such as Telnet, FTP and HTTP, while it is powerless against those built on UDP. Because firewall policies are set in advance and cannot be adjusted dynamically, the firewall lacks the flexibility needed to respond to attacks and cannot protect the network as well as it could. The purpose of IDS/firewall interworking is therefore to block attack events more effectively and so reduce network risk to a lower level.
Lab procedure:

Step 1: Pre-configuration of R1 and R2
R1(config)#int e1/0
R1(config-if)#ip add 192.168.1.200 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f0/0
R1(config-if)#ip add 172.16.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#router ospf 64
R1(config-router)#network 0.0.0.0 0.0.0.0 area 0
R1(config-router)#exit

R2(config)#int f0/0
R2(config-if)#ip add 172.16.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#exit
R2(config)#router ospf 64
R2(config-router)#network 0.0.0.0 0.0.0.0 area 0
R2(config-router)#exit
Step 2: Initialise the IOS Firewall IDS on R1
R1(config)#ip audit notify log    // set the event notification method: events can go to a standard syslog server (log) or to Cisco Secure IDS Director / Cisco Secure Policy Manager
R1(config)#ip audit po local    // configure the local PostOffice
R1(config)#ip audit po max-events 100    // maximum number of event notifications held in the router's event queue
R1(config)#ip audit protected 192.168.1.1 to 192.168.1.254    // configure the protected address range
Step 3: Configure the audit rules on R1
R1(config)#ip audit signature 2004 disable    // globally disable signature 2004 (ICMP Echo Request)
R1(config)#ip audit info action alarm    // set the default action for info signatures to alarm
R1(config)#ip audit attack action alarm drop reset    // set the default actions for attack signatures: alarm, drop the packet, and reset the TCP connection
R1(config)#ip audit name NORVEL info    // create a new audit rule
R1(config)#ip audit name NORVEL attack
Step 4: Apply the audit rule inbound on R1's F0/0 interface
R1(config)#int f0/0
R1(config-if)#ip audit NORVEL in
R1(config-if)#end
Step 5: Verify the IDS configuration
R1#show ip audit configuration    // show the IDS configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 250
Signature 2004 disable
PostOffice:HostID:0 OrgID:0 Msg dropped:0
          :Curr Event Buf Size:0 Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name NORVEL
    info actions alarm
    attack actions alarm drop reset
R1#
R1#show ip audit interface    // show the IDS interface configuration
Interface Configuration
 Interface FastEthernet0/0
  Inbound IDS audit rule is NORVEL
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
R1#
R1#show ip audit statistics    // show the IDS statistics
Signature audit statistics [process switch:fast switch]
  signature 1107 packets audited: [6:0]    // signature 1107 (RFC 1918 Addresses Seen)
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Post Office is not enabled - No connections are active
Step 6: Test the IDS from R2
R2#ping
Protocol [ip]:
Target IP address: 172.16.0.1
Repeat count [5]: 100
Datagram size [100]: 2000
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 2000-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
......................................................................
..............................    // a burst of large, fragmented packets is blocked
Success rate is 0 percent (0/100)
R2#
Step 7: R1's console displays the following
R1#
*Mar  1 00:07:36.583: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 172.16.0.2 to 224.0.0.5
R1#
*Mar  1 00:08:15.347: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 172.16.0.2 to 172.16.0.1
*Mar  1 00:08:15.347: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from 172.16.0.2 to 172.16.0.1
R1#
*Mar  1 00:08:46.559: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 172.16.0.2 to 224.0.0.5
*Mar  1 00:08:47.335: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from 172.16.0.2 to 172.16.0.1
R1#
// R1's console shows logging messages for two signatures from the IDS signature database: 1107 and 2150 (Fragmented ICMP Traffic)
Step 8: Test the IDS from R2 again
R2#ping
Protocol [ip]:
Target IP address: 172.16.0.1
Repeat count [5]: 20
Datagram size [100]: 1021
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 20, 1021-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
....................    // a run of oversized packets is blocked
Success rate is 0 percent (0/20)
R2#
Step 9: Back on R1, check the console messages
R1#
*Mar  1 00:15:36.571: %IDS-4-ICMP_TOOLARGE_SIG: Sig:2151:Large ICMP Traffic - from 172.16.0.2 to 172.16.0.1
// this time R1's console shows signature 2151 (Large ICMP Traffic) from the IDS signature database
Step 10: Configure a trusted source on R1
R1(config)#ip audit name NORVEL attack list 90    // exclude the trusted source from the attack audit: hosts denied by the ACL are not audited
R1(config)#access-list 90 deny host 172.16.0.2
R1(config)#access-list 90 permit any
Step 11: Ping from R2 again
R2#ping
Protocol [ip]:
Target IP address: 172.16.0.1
Repeat count [5]: 20
Datagram size [100]: 2000
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 2.2.2.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 20, 2000-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
....................    // 2.2.2.2 is not a trusted source, so the ping fails
Success rate is 0 percent (0/20)
R2#ping
Protocol [ip]:
Target IP address: 172.16.0.1
Repeat count [5]: 20
Datagram size [100]: 2000
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 20, 2000-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!    // sourced from 172.16.0.2, the host excluded by access-list 90, so the same packets now get through
Success rate is 100 percent (20/20), round-trip min/avg/max = 4/22/144 ms
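As an added example (not part of the original lab), the script below parses the %IDS-4 console messages R1 produced in Steps 7 and 9 and applies the NORVEL rule's policy to each event: info signatures alarm only, attack signatures alarm/drop/reset unless the source is excluded by the attack rule's ACL as in Step 10. The sample capture is constructed in the same format as the console lines above; the classification of 1107 as info and 2150/2151 as attack signatures is an assumption taken from how the lab treats them.

```python
import re
from collections import Counter

# Constructed sample capture in the %IDS-4 syslog format R1 prints in this lab
SAMPLE_LOG = """\
*Mar  1 00:08:15.347: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 172.16.0.2 to 172.16.0.1
*Mar  1 00:08:15.347: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from 172.16.0.2 to 172.16.0.1
*Mar  1 00:15:36.571: %IDS-4-ICMP_TOOLARGE_SIG: Sig:2151:Large ICMP Traffic - from 2.2.2.2 to 172.16.0.1
%SYS-5-CONFIG_I: Configured from console by console
"""

IDS_LINE = re.compile(r"%IDS-4-(?P<mnemonic>\w+): Sig:(?P<sig>\d+):(?P<desc>.+?)"
                      r" - from (?P<src>[\d.]+) to (?P<dst>[\d.]+)")

# Signature classes as used in this lab (assumption: 1107 is an info signature,
# 2150/2151 are attack signatures); actions mirror the ip audit defaults set on R1
ATTACK_SIGS = {2150, 2151}
INFO_ACTIONS = ("alarm",)
ATTACK_ACTIONS = ("alarm", "drop", "reset")

def parse_ids_line(line):
    """Return a dict for one %IDS-4 line, or None for any other syslog line."""
    m = IDS_LINE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["sig"] = int(event["sig"])
    return event

def decide_actions(event, excluded_sources=frozenset()):
    """Attack sigs get alarm/drop/reset unless the source is excluded by the attack
    rule's ACL (access-list 90 deny host); info sigs only alarm, ACL or not."""
    if event["sig"] in ATTACK_SIGS:
        return () if event["src"] in excluded_sources else ATTACK_ACTIONS
    return INFO_ACTIONS

def triage(log_text, excluded_sources=frozenset()):
    """Parse a console capture into (sig, src, dst, actions) tuples, one per IDS event."""
    events = []
    for line in log_text.splitlines():
        ev = parse_ids_line(line)
        if ev is not None:
            events.append((ev["sig"], ev["src"], ev["dst"], decide_actions(ev, excluded_sources)))
    return events

def dropped_per_source(events):
    """Count events whose policy outcome includes drop, keyed by source address."""
    return Counter(src for _sig, src, _dst, actions in events if "drop" in actions)

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, excluded_sources={"172.16.0.2"}):
        print(row)
```

Note that the info-class 1107 event from 172.16.0.2 still alarms after the exclusion, because the ACL in Step 10 is attached to the attack rule only.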