ccie.security lab - cisco ips @unl

this section is just about my individual approach to implementing and running the Intrusion Prevention System (IPS) within the UNL. lots of guides exist on the web on how to create IPS v6 from scratch, how to run it, etc. I want to focus on IPS v7 ...

step 1 - prepare the disks


the first thing is to get the IPSv7 OVA package and extract the vmdk disks so they can be converted to qcow2 format for the QEMU environment. I selected the easiest way and extracted them from the OVA archive with 7zip. Then use SCP to move these files to the UNL server and convert them to qcow2 with qemu-img:


#qemu-img convert -f vmdk -O qcow2 IPS-4240-disk1.vmdk hda.qcow2
#qemu-img convert -f vmdk -O qcow2 IPS-4240-disk2.vmdk hdb.qcow2


Then create a folder for IPS in the UNL addons and copy the disks there.


# mkdir /opt/unetlab/addons/qemu/cips-ips7
# cp hd* /opt/unetlab/addons/qemu/cips-ips7


step 2 - fix the network interfaces


you can leave this step until the first start of the IPS and edit interface.conf before you start using the IPS in UNL, but you'll lose your settings whenever you wipe the config from UNL. So my recommendation is to run QEMU separately, fix the interfaces and then use these disks in UNL. run the following qemu command from the cips-ips7 folder:


qemu-system-i386 -smp 1 -m 2048 -hda hda.qcow2 -hdb hdb.qcow2 -machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,family=IPS-4240/4255


log in with the default service account credentials (service/ciscoips123) and you'll get a linux bash prompt. change to root with the same password ciscoips123 and edit interface.conf for the cids system to reflect the IPS-4240 section:


-bash-2.05b$ su -
Password:
-bash-2.05b#
-bash-2.05b# vi /usr/cids/idsRoot/etc/interface.conf


find the appropriate section for IPS4240 (in vi: press "/", type 4240 and press Enter, then "n" to jump to the next match) and change the parameters of the five interfaces to reflect this:


name-template=Management0/0
port-number=0
pci-path=2.0
vendor-id=0x8086
device-id=0x100e
type=ge
mgmt-capable=yes
net-dev-only=yes
tcp-reset-capable=yes

name-template=GigabitEthernet0/0
port-number=1
pci-path=3.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes

name-template=GigabitEthernet0/1
port-number=2
pci-path=4.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes

name-template=GigabitEthernet0/2
port-number=3
pci-path=5.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes

name-template=GigabitEthernet0/3
port-number=4
pci-path=6.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes


quit the vi editor with Escape :x (save and exit) ... after all these changes are done, just kill the qemu process from another UNL session, as neither the reboot nor the poweroff command works.
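A preflight check for the interface stanzas above, added here as an example and not taken from the original guide. It assumes you copied the edited IPS-4240 section of /usr/cids/idsRoot/etc/interface.conf out of the guest into a file on the host (e.g. pasted from the serial console); the function names are my own.

```sh
# Added example, not part of the original guide. Input: a host-side copy of the
# edited IPS-4240 section of interface.conf (assumption: pasted from the console).

# ips4240_stanzas: print the five stanzas exactly as the guide prescribes
# (Management0/0 on PCI 2.0, GigabitEthernet0/0-0/3 on PCI 3.0 to 6.0, e1000 NICs).
ips4240_stanzas() {
    i=0
    for name in Management0/0 GigabitEthernet0/0 GigabitEthernet0/1 GigabitEthernet0/2 GigabitEthernet0/3; do
        printf 'name-template=%s\nport-number=%d\npci-path=%d.0\n' "$name" "$i" $((i + 2))
        printf 'vendor-id=0x8086\ndevice-id=0x100e\ntype=ge\n'
        if [ "$i" -eq 0 ]; then printf 'mgmt-capable=yes\nnet-dev-only=yes\n'
        else printf 'sensing-capable=yes\n'; fi
        printf 'tcp-reset-capable=yes\n\n'
        i=$((i + 1))
    done
}

# check_ips_interfaces FILE: prints one line per problem found; exit status 0 only
# when all five stanzas carry the expected values and exactly one is mgmt-capable.
check_ips_interfaces() {
    awk '
    function flush(   msg) {
        if (name == "") return
        n++
        if (vendor != "0x8086" || device != "0x100e" || type != "ge")
            msg = msg " expected vendor-id=0x8086 device-id=0x100e type=ge;"
        if (pci != (port + 2) ".0")
            msg = msg " pci-path " pci " does not match port-number " port " (want " (port + 2) ".0);"
        if (name ~ /^Management/ && mgmt != "yes") msg = msg " lacks mgmt-capable=yes;"
        if (name ~ /^Gigabit/ && sensing != "yes") msg = msg " lacks sensing-capable=yes;"
        if (mgmt == "yes") mgmtcount++
        if (msg != "") { print name ":" msg; errors++ }
        name = ""; vendor = ""; device = ""; type = ""; pci = ""; port = ""; mgmt = ""; sensing = ""
    }
    /^name-template=/   { flush(); name = substr($0, 15) }
    /^port-number=/     { port = substr($0, 13) }
    /^pci-path=/        { pci = substr($0, 10) }
    /^vendor-id=/       { vendor = substr($0, 11) }
    /^device-id=/       { device = substr($0, 11) }
    /^type=/            { type = substr($0, 6) }
    /^mgmt-capable=/    { mgmt = substr($0, 14) }
    /^sensing-capable=/ { sensing = substr($0, 17) }
    END {
        flush()
        if (n + 0 != 5) { print "expected 5 interface stanzas, found " (n + 0); errors++ }
        if (mgmtcount + 0 != 1) { print "expected exactly one mgmt-capable interface, found " (mgmtcount + 0); errors++ }
        exit (errors > 0)
    }' "$1"
}
```

Run `ips4240_stanzas` to get a block you can paste into vi on the guest, and `check_ips_interfaces copy.conf` on the host to catch a mistyped pci-path or a missing mgmt-capable before the disks go into UNL.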

step 3 - UNL work


first, check the cips template and modify cips.php (/opt/unetlab/html/templates/cips.php) to match the following:


$p['type'] = 'qemu';
$p['name'] = 'IPS';
$p['icon'] = 'Network Analyzer.png';
$p['cpu'] = 1;
$p['ram'] = 2048;
$p['ethernet'] = 5;
$p['console'] = 'telnet';
$p['qemu_arch'] = 'i386';
$p['qemu_version'] = '1.3.1';
$p['qemu_options'] = '-machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,family=IPS-4240/4255';


Then just use UNL: create a lab, add an IPS node (ips7) and connect the Ma0/0 (Management0/0) interface to pnet0 (or whatever pnet you're using for the connection with the UNL server). Then apply the basic configuration:


conf t
service host
network-settings
host-ip 10.0.0.200/24,10.0.0.138
access-list 10.0.0.0/24
exit
exit
service web-server
enable-tls false
port 80
exit


The last three lines in the configuration snippet are there only because my browser cannot handle TLS on the HTTPS port (443), so I found I can change the port to HTTP (80) and disable TLS for the IPS web-server; then you can connect and run the IDM.


That's it! how easy ... enjoy and good luck!




SaphSaph 2017-11-22
after completing your guide I'm now logging in to the sensor at -bash-2.05b$

however I'm not sure where I should stand to be able to apply the basic configuration. should I connect it to a firewall or should it work by itself, since the bash doesn't support the above mentioned commands
Amin 2017-01-06
Hi Guys,

I'm unable to see the Management Interface in IPS. I have followed the same procedure. Does anyone have any idea?
naipoom 2016-08-29
How do I kill the qemu process?
Taslim 2016-08-16
where can I find the IPSv7 ova package ?
h4ck 2016-05-12
/opt/qemu/bin/qemu-system-i386 -smp 1 -m 2048 -hda /opt/unetlab/addons/qemu/cips-ips7/hda.qcow2 -hdb /opt/unetlab/addons/qemu/cips-ips7/hdb.qcow2 -machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,family=IPS-4240/4255
Stuart 2016-05-03
How stable do you find the IPS? Mine stops responding on the management interface pretty quickly. Console is fine, but nothing going in/out of the network interface!
cz.NetLab 2016-04-11
@Andrew - No license needed for whole Security blueprint
cz.NetLab 2016-04-11
@HBK - use cisco/ciscoips123 ... the service account is for setting up the system behind the analysis sensor stuff
Andrew 2016-04-04
for the lab practice do we need a license? I do not see where the serial number or information is for this to request a demo license
HBK 2016-03-23
Thank you, yes that was the problem and I successfully completed all the steps. Dragged and dropped the topology, and when I logged in using service and ciscoips123 it let me into bash mode again... is there any other password I need to use to log in to the sensor?
HBK 2016-03-23
Tried cisco/cisco /// doesn't work
siraya 2016-03-23
hi
I already followed all your steps,
but my unl_wrapper.txt
got this error:
ERROR: Invalid QEMU custom options (80018).
ERROR: Failed to build CMD line (80046).
ERROR: Failed to build CMD line (80046).
ERROR: Failed to start node (12).

any advice?

thanks
siraya 2016-03-23
@hbk 
you can try cisco/ciscoips123

Thanks 
HBK 2016-03-22
Hi, I am stuck at the below command, which is not working on UNL

qemu-system-i386 -smp 1 -m 2048 -hda hda.qcow2 -hdb hdb.qcow2 -machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,family=IPS-4240/4255


root@unl01:~# 
root@unl01:~# 
root@unl01:~# 
root@unl01:~# mkdir /opt/unetlab/addons/qemu/cips-ips7
root@unl01:~# cd /opt/unetlab/addons/qemu/cips-ips7
root@unl01:/opt/unetlab/addons/qemu/cips-ips7# qemu-system-i386 -smp 1 -m 2048 -hda hda.qcow2 -hdb hdb.qcow2 -machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,family=IPS-4240/4255
-bash: qemu-system-i386: command not found
root@unl01:/opt/unetlab/addons/qemu/cips-ips7# ls
hda.qcow2  hdb.qcow2
cz.NetLab 2016-03-22
It seems there is some issue with the PATH, check:

ls /usr/bin/qemu*
ls /opt/qemu*

if there is at least one match, just create symlinks in /usr/bin or use absolute path in your command, e.g.:

/opt/qemu/bin/qemu-system-i386, or
/opt/qemu-2.0.2/bin/qemu-system-i386

Copyright © TR2016