Cisco Security Troubleshooting: Part III - Intrusion Prevention Systems

Abstract

This is the last in a three-part series of white papers on Cisco security troubleshooting. These three papers examine the challenge of implementing network security on equipment from Cisco Systems while maintaining the connectivity requirements of the business or enterprise. The focus of this third paper is primarily on troubleshooting the proper sensing operation of a signature-based Intrusion Prevention System (IPS).

Sample

Troubleshooting Scenario

The following scenario will be used to illustrate many of the concepts discussed in this Cisco security white paper. If the names and IP Addresses look familiar to some of you, this is because the diagram represents a portion of the lab topology used in Cisco Security classes offered by Global Knowledge.

Intrusion Prevention Systems

Before we illustrate the effective use of sensor (CLI) commands as well as IPS Device Manager, some basic principles of operation first need to be discussed. For all deployments of sensor appliances and modules, the interfaces belonging to these devices can take one of three roles.

  1. Command and Control/Management - one per device; the only interface with an IP address
  2. Promiscuous - multiple per device; sensing interface
  3. Inline (as part of a pair) - multiple per device; sensing interface

While the Command and Control/Management interface is used for Management and Monitoring, the Promiscuous or Inline Pair interfaces are the ones into which the packets to be "sensed" arrive. The following sequence of events occurs with a properly operating and configured signature-based IPS.

  1. A packet arrives at a sensing interface (promiscuous or part of an inline pair).
  2. The packet is captured by what is known as the sensor app or analysis engine.
  3. The sensor app invokes independent signature engines for matching of patterns.
  4. If a pattern match is found against the signature database, an alert is generated.
  5. Additional deny, blocking, capture, or alert actions are taken, if configured.

The steps outlined above are an oversimplified example of how the IPS operates, assuming that the signature being matched is enabled and that the alerting behavior is configured. Second, the pattern match described in the fourth step could be completed only by the final packet of a multi-packet or fragment stream, rather than by a single "atomic" capture. This Cisco white paper will focus on troubleshooting the failure of any of the five steps shown above.
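The five-step sequence, together with the caveat about multi-packet matches, can be made concrete with a small model of the analysis engine. The following Python is an added illustration written for this page, not Cisco sensor code: the `SensorApp`, `Signature` and `Packet` names and the signature IDs are constructed for the example. It shows an "atomic" engine that only inspects the packet in hand beside a "stream" engine that reassembles a flow's payload before matching, so a pattern split across two segments is missed by the first and caught only when the last segment arrives at the second; it also shows why a disabled signature or a missing deny action produces no verdict change.

```python
"""Toy model of a signature-based IPS pipeline (constructed example, not Cisco code).

Modelled from the text: packet arrives -> analysis engine captures it ->
signature engines pattern-match -> alert -> optional deny action.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    seq: int            # byte offset of this payload within the flow (stand-in for TCP seq)
    payload: bytes


@dataclass
class Signature:
    sig_id: int          # constructed IDs; not Cisco signature numbers
    pattern: bytes
    engine: str          # "atomic" inspects one packet, "stream" inspects the reassembled flow
    enabled: bool = True
    action: str = "alert"  # "alert" or "deny"


@dataclass(frozen=True)
class Alert:
    sig_id: int
    flow: FlowKey
    action: str


class SensorApp:
    """Step 2 (capture) plus step 3 (engine dispatch), steps 4 and 5 (alert, deny)."""

    def __init__(self, signatures: List[Signature]):
        self.signatures = signatures
        self.streams: Dict[FlowKey, Dict[int, bytes]] = {}   # per-flow segments by offset
        self.alerts: List[Alert] = []
        self.fired: Set[Tuple[int, FlowKey]] = set()           # one alert per signature per flow
        self.denied_flows: Set[FlowKey] = set()

    @staticmethod
    def _flow_key(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.dst, pkt.dport)

    def _reassemble(self, key: FlowKey) -> bytes:
        # Join segments in offset order; this toy model does not check for gaps.
        segs = self.streams[key]
        return b"".join(segs[off] for off in sorted(segs))

    def process(self, pkt: Packet) -> Optional[str]:
        """Run one packet through the pipeline and return the verdict: 'pass' or 'deny'."""
        key = self._flow_key(pkt)
        if key in self.denied_flows:
            return "deny"                      # step 5 carried over for the rest of the flow
        self.streams.setdefault(key, {})[pkt.seq] = pkt.payload   # step 2: capture
        verdict = "pass"
        for sig in self.signatures:            # step 3: each engine matches independently
            if not sig.enabled or (sig.sig_id, key) in self.fired:
                continue
            haystack = pkt.payload if sig.engine == "atomic" else self._reassemble(key)
            if sig.pattern in haystack:        # step 4: match -> alert
                self.fired.add((sig.sig_id, key))
                self.alerts.append(Alert(sig.sig_id, key, sig.action))
                if sig.action == "deny":       # step 5: configured additional action
                    self.denied_flows.add(key)
                    verdict = "deny"
        return verdict


if __name__ == "__main__":
    sigs = [Signature(1000, b"/etc/passwd", "atomic"),
            Signature(1001, b"/etc/passwd", "stream", action="deny")]
    sensor = SensorApp(sigs)
    # Constructed two-segment flow: the pattern straddles the segment boundary.
    print(sensor.process(Packet("10.1.1.5", "10.1.2.10", 80, 0, b"GET /etc/pa")))
    print(sensor.process(Packet("10.1.1.5", "10.1.2.10", 80, 11, b"sswd HTTP/1.0\r\n")))
    print(sensor.alerts)
```

When troubleshooting a "signature never fires" report, this model suggests the questions in order: is the signature enabled, does its engine see the whole stream or only one packet, and is a deny action actually configured rather than assumed.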

Promiscuous Mode Operation - Single Switch with SPAN port

The diagram to the right represents a modification to the troubleshooting scenario depicted earlier, illustrating the implementation of a promiscuous sensing interface on an IPS plugged into a switch. A Switched Port Analyzer (or SPAN port, as it is commonly known) has been configured for copying packets that enter the switch port connected to the DMZ interface of the ASA or PIX firewall.

IOS-based switches must be configured using the monitor global configuration command using the following syntax.

monitor session 1 source interface <hw-interface-name#> both
monitor session 1 destination interface <hw-interface-name#>

The keyword both is used above to indicate packets being both received and transmitted by the interface. The commands show monitor and debug monitor can be used to verify proper configuration and operation, respectively. A sample display of show monitor is shown below.

Promiscuous Mode Operation - Multiple Switches with RSPAN

Occasionally, an IPS will need to be operated in promiscuous mode connected to a switch other than the one through which the "interesting traffic" is flowing. In this case, a Remote SPAN or RSPAN VLAN can be used to copy packets from the source switch to this VLAN, carried by a trunk port between the switches, and then to a SPAN port on the destination switch. Several key steps are required on the two switches to accomplish this.

On both switches:

Switch(config)# vlan 900 (900 is an example; any unassigned VLAN # here is fine)
Switch(config-vlan)# remote-span

On Switch2 (see previous diagram):

Switch2(config)# monitor session 1 source interface <hw-interface-name#>
Switch2(config)# monitor session 1 destination remote vlan 900

On Switch1 (see previous diagram):

Switch1(config)# monitor session 1 source remote vlan 900
Switch1(config)# monitor session 1 destination interface <hw-interface-name#>

Once these configurations are in place and spanning-tree for the RSPAN VLAN has been disabled, the reception of packets by the IPS promiscuous interface can be verified by a simple show interface command.
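Because an RSPAN path depends on three pieces of configuration on two switches agreeing with each other, a common troubleshooting step is to pull both running configurations and check them side by side. The following Python is an added example for this page (not a Cisco or Global Knowledge tool) covering both the single-switch SPAN commands and the RSPAN commands above: it parses `vlan`/`remote-span` blocks and `monitor session` lines from running-config text and reports every mismatch it finds. The interface names and config text are constructed samples; the parser accepts both `remote vlan N` and the shorter `remote N` spelling of the VLAN reference.

```python
"""Consistency check for SPAN/RSPAN configuration (constructed example, not Cisco code)."""
import re
from typing import Dict, List, Optional, Set

MONITOR_RE = re.compile(r"monitor session (\d+) (source|destination) (.+)$")
REMOTE_RE = re.compile(r"remote (?:vlan )?(\d+)$")


def parse_config(text: str) -> Dict:
    """Extract remote-span VLANs and monitor sessions from running-config style text."""
    cfg: Dict = {"rspan_vlans": set(), "sessions": {}}
    current_vlan: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current_vlan = int(m.group(1))          # entering a vlan block
            continue
        if line == "remote-span" and current_vlan is not None:
            cfg["rspan_vlans"].add(current_vlan)
            continue
        current_vlan = None                          # any other line ends the vlan block
        m = MONITOR_RE.match(line)
        if m:
            sess = cfg["sessions"].setdefault(int(m.group(1)), {"source": [], "destination": []})
            sess[m.group(2)].append(m.group(3))
    return cfg


def _remote_vlan(entry: str) -> Optional[int]:
    m = REMOTE_RE.match(entry)
    return int(m.group(1)) if m else None


def _entries(cfg: Dict, direction: str) -> List[str]:
    return [e for s in cfg["sessions"].values() for e in s[direction]]


def check_span(cfg: Dict) -> List[str]:
    """Single-switch SPAN: a session needs a source interface and a destination interface."""
    findings = []
    if not any(e.startswith("interface ") for e in _entries(cfg, "source")):
        findings.append("no monitor session with a source interface")
    if not any(e.startswith("interface ") for e in _entries(cfg, "destination")):
        findings.append("no monitor session with a destination interface")
    return findings


def check_rspan(source_cfg: Dict, dest_cfg: Dict, vlan: int) -> List[str]:
    """RSPAN: both switches declare the VLAN remote-span; the source switch sends
    a session into it; the destination switch reads it out to the sensor port."""
    findings = []
    for name, cfg in (("source", source_cfg), ("destination", dest_cfg)):
        if vlan not in cfg["rspan_vlans"]:
            findings.append(f"{name} switch: VLAN {vlan} is not declared remote-span")
    if not any(e.startswith("interface ") for e in _entries(source_cfg, "source")):
        findings.append("source switch: no monitor session with a source interface")
    if not any(_remote_vlan(e) == vlan for e in _entries(source_cfg, "destination")):
        findings.append(f"source switch: no session sends to RSPAN VLAN {vlan}")
    if not any(_remote_vlan(e) == vlan for e in _entries(dest_cfg, "source")):
        findings.append(f"destination switch: no session reads from RSPAN VLAN {vlan}")
    if not any(e.startswith("interface ") for e in _entries(dest_cfg, "destination")):
        findings.append("destination switch: no session delivers to a sensor interface")
    return findings


# Constructed sample configs following the commands in the text (interface names invented).
SWITCH2_CFG = """
vlan 900
 remote-span
!
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination remote vlan 900
"""

SWITCH1_CFG = """
vlan 900
 remote-span
!
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet0/24
"""

if __name__ == "__main__":
    print(check_rspan(parse_config(SWITCH2_CFG), parse_config(SWITCH1_CFG), 900))
```

A clean result from `check_rspan` does not prove packets are flowing: the RSPAN VLAN still has to be carried on the trunk between the switches and spanning-tree disabled for it, which is exactly what the `show interface` counters on the sensor port confirm.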

Related White Papers

Cisco Security Troubleshooting: Part I - Connectivity Through ASA or PIX Firewalls
Cisco Security Troubleshooting: Part II - Virtual Private Networks

Date: 3/11/2009

Author: Douglas B. McKillip

Format: PDF

Pages: 14
