CCIE Security lab: IPS Part 1 – Wake up IPS, why are you sleeping?

Man, I hate Java. It sucks. It gets updated due to Security issues, and access to ASA and IPS GUIs breaks. So you have to either stay with the security issues and not upgrade, or lose access to your hardware. It sucks.

That said, it does mean that I can ditch the GUI and learn the IPS CLI better! You know, silver lining and all that jazz.
OK, so the easiest way to get up and running with the IPS is to use the “setup” command. Or you can find this useful command out later, and do it the hard way, like I did, but I got there in the end:

IDS-4240# conf t
IDS-4240(config)# service host
IDS-4240(config-hos)# network-settings 
IDS-4240(config-hos-net)# host-ip 10.1.4.155/24,10.1.4.254
IDS-4240(config-hos-net)# telnet-option enab
IDS-4240(config-hos-net)# exit
IDS-4240(config-hos)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 10.1.4.155/24,10.1.4.254 default: 192.168.1.2/24,192.168.1.1
      host-name: IDS-4240 default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 2)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
         network-address: 192.168.1.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds 
      login-banner-text:  
      dns-primary-server
IDS-4240(config-hos)# exit
Apply Changes?[yes]: yes 
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.
IDS-4240(config)# 
IDS-4240# ping 10.1.4.254
PING 10.1.4.254 (10.1.4.254): 56 data bytes
64 bytes from 10.1.4.254: icmp_seq=0 ttl=255 time=27.0 ms
64 bytes from 10.1.4.254: icmp_seq=1 ttl=255 time=5.2 ms
IDS-4240#

I needed to add a couple of ACLs, and we do that this way:

IDS-4240(config)# service host
IDS-4240(config-hos)#network-settings
IDS-4240(config-hos-net)# access-list 10.1.20.0/24
IDS-4240(config-hos-net)# access-list 10.1.4.0/24
IDS-4240(config-hos-net)# exit
IDS-4240(config-hos)#exit

If you want to run the IDM (the easy way), then you’ll need to create an exception in Java for the http site, then turn off TLS (and props to CZNetlab for the tips):

IDS-4240(config)# service web-server
IDS-4240(config-web)# enable-tls false
IDS-4240(config-web)# port 80
IDS-4240(config-web)# ex
Apply Changes?[yes]: yes 
IDS-4240(config)# exit

We lose security, but gain accessibility. But it’s a lab, so I guess thats OK. Oh, wait, it’s a security exam though…. I won’t tell if you won’t.

Right, so what can we do now? Well, we need to do a few things:

  1. Set up VLAN-pairs for monitoring
  2. Set up some custom rules
  3. Set up a shun-list that can be used by the vWLC

This would be easier in the GUI, and it would also be a lot easier if the IPS was more stable. But it feels like it goes to sleep and does not wake up again. The IPS has been reset (rebooted), and UNetLab has been rebooted as well. But the IPS just does not seem to want to play ball for very long.

Cisco IPS on UNetLab not stable
Cisco IPS on UNetLab not stable

It hangs at 51%, and the pings fail:

IDS-4240# ping 10.1.4.254
PING 10.1.4.254 (10.1.4.254): 56 data bytes

--- 10.1.4.254 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
IDS-4240# ping 10.1.4.1
PING 10.1.4.1 (10.1.4.1): 56 data bytes

--- 10.1.4.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
IDS-4240#

Even with doubling the memory, the same issue exists. I still have console access, so can set up everything I need to via the command line, but when it comes to testing it, I’ll be shit out of luck at the moment as connectivity will drop.

Other devices are fine, though, so it looks very much like its confined to the IPS.

Well, I am off to the drawing board (and the forum). If anyone has any ideas, please do post them below!

2 Comments

  1. Anonymous May 5, 2016
  2. Stuart Fordham May 5, 2016