Wednesday, February 4, 2015

Upgrading a Cisco IPS

This tutorial will guide you through upgrading the firmware on an IPS (Intrusion Prevention System) sensor. We don't want our systems hacked by Chloe from 24, so we need to keep our stuff in tip-top shape! Onward!

Set it up

Download the upgrade file(s) from support.cisco.com and stage them on an FTP, SCP, HTTP, or HTTPS server that the sensor can reach. Before you stage a file, compare its checksum with the one published on the download page; a corrupted or tampered package is the last thing you want to hand an in-line device.

Pull it down

Log into the sensor via a terminal console (SSH, or telnet if you must; telnet and FTP both send your credentials in cleartext, so prefer SSH for the console and SCP or HTTPS for the file transfer where your server supports them). In configuration mode, pull the image file we staged on the server. This example uses our FTP server:
conf t
upgrade ftp://ftpuser@192.168.1.1/IPS-K9-X.X-X-XX.pkg
You'll be prompted for the FTP user's password, so put it in:
Enter password: ********
Enter yes to complete the upgrade.

The device will pull the image off the server, decompress it, install it, then reboot. Once it's back up, log in again via terminal and check the version:
show ver
Confirm that the new version shows up and that traffic is flowing through the sensor again. And that's it! Chloe can go whine to Jack because she can't get in anymore.


Armageddon (Optional!)

IPS modules are usually in-line, meaning they're the cream filling in our Oreo network. If the sensor reboots for the upgrade and doesn't come back, everything behind it goes down. So you've unleashed the fires of hell upon earth! Note that the sensor's software bypass mode won't save you here: it only passes traffic while the sensor OS is up and the analysis engine is down, not while the box itself is rebooting. Only a hardware bypass interface or a cabling change carries you through a reboot.

Alright, there are a couple of things you can do to prevent this from going four-horsemen bad.

1. Make sure to have someone on site, next to the rack, raring to go

2. Have a cabling contingency; so you can bypass the failed IPS

3. Have another IPS to swap in!

Even with all that, you'll need to get the sensor back to a clean, working state. For this we'll need ROMMON (woo!)

Gather

ROMMON is the boot loader of a Cisco device, much like the bootloader on an Android phone. It lets you load a system image without booting into the OS. Download the IPS system image file to the root directory of a TFTP server that is reachable from the network connected to the management (Ethernet) port of your IPS. TFTP has no authentication or encryption, so run that server on an isolated management network and take the image down again when you're done.

While the system is booting, press Break or Esc at the following prompt to interrupt the boot. Pressing the spacebar begins the boot immediately, so don't. You have ten seconds.

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
The system enters ROMMON mode and the rommon> prompt appears.

Check the current network settings.
rommon> set
ROMMON Variable Settings:
ADDRESS=0.0.0.0
SERVER=0.0.0.0
GATEWAY=0.0.0.0
PORT=Management0/0
VLAN=untagged
IMAGE=
CONFIG=
The variables have the following definitions:
Address: Local IP address of the IPS
Server: TFTP server IP address where the system image is stored
Gateway: Gateway IP address used by the IPS
Port: Ethernet interface used for IPS management
VLAN: VLAN ID number (leave as untagged)
Image: System image file/path name
Config: Unused by these platforms

Not all values are required to establish network connectivity. The address, server, gateway, and image values are required.

The default interface used for TFTP downloads is Management0/0, which corresponds to the MGMT interface of IPS.

Assign ADDRESS, SERVER and GATEWAY first, using the same VARIABLE=value form shown for IMAGE below; the 0.0.0.0 defaults won't get you anywhere. Then verify that you have access to the TFTP server by pinging it from the management port:
rommon> ping 192.168.1.1
Define the path and filename on the TFTP server from which you are downloading the image.
rommon> IMAGE=path/file_name
Caution: make sure that you enter the IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the IMAGE command specifically must be all uppercase.

UNIX Example
rommon> IMAGE=/system_images/IPS-4240-K9-sys-1.1-a-7.0-4-E4.img
The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.

Windows Example
rommon> IMAGE=\system_images\IPS-4240-K9-sys-1.1-a-7.0-4-E4.img
Enter set and press Enter to verify the network settings.

You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.

Deploy

Download and install the system image.

rommon> tftp
To avoid corrupting the system image, do not remove power from the IPS while the system image is being installed.

If the network settings are correct, the system downloads and boots the specified image on the IPS. Be sure to use the image built for your IPS model (the model number is part of the filename). And now we're back to square one, BUT without the fire and brimstone. :)

GRE pass-through on ZBF

Simple little config snippet for a Cisco Zone-Based firewall.

First, a word about what the zone-based firewall can and can't do with GRE. The inspect action tracks TCP, UDP and ICMP sessions and dynamically allows the return traffic; it can't follow GRE (IP protocol 47), so GRE can't be inspected, it has to be passed. That has two consequences. If the class-map that feeds your inspect action matches on a broad outbound ACL (permit ip any any or similar), put a deny gre any any entry in that ACL so GRE never lands in the inspect class. Then build a separate ACL that permits GRE for the pass class: a packet only matches a class-map's access-group when the ACL permits it, so an ACL containing nothing but a deny would match no traffic at all.
(config)#ip access-list extended ACL_PERMIT_GRE
(config-ext-nacl)#permit gre any any

Okay, so we're not inspecting GRE, but we still need to pass it. To do that we make a class-map and nest it under both our outbound and inbound policy-maps; pass is stateless, so the returning GRE stream needs its own pass rule in the other direction.

Now we'll create our class-map which matches GRE traffic, referencing the ACL we just made:
(config)#class-map type inspect match-all CMAP_PASS_GRE
(config-cmap)#match access-group name ACL_PERMIT_GRE

Then we want to apply this to our policy maps and define the action as pass.
The policy maps I'm applying these to also contain class-maps for generic traffic.
(config)#policy-map type inspect PMAP_UNTRUST_TO_TRUST
(config-pmap)#class type inspect CMAP_PASS_GRE
(config-pmap-c)#pass

(config)#policy-map type inspect PMAP_TRUST_TO_UNTRUST
(config-pmap)#class type inspect CMAP_PASS_GRE
(config-pmap-c)#pass

And that's about it; your GRE should be good to go. Classes in a policy-map are evaluated top down and the first match wins, so make sure the pass class sits above any broad inspect class. This will work for PPTP pass-through on Cisco IOS running ZBF (PPTP's TCP/1723 control channel is inspected as normal; only the GRE data channel needs the pass), and the same principle should apply to an ASA.
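Here is the whole picture around that pass class, as an added example rather than config from the original post. The zone names (TRUST, UNTRUST), the interface names, the generic inspect class CMAP_INSPECT_GENERIC and the zone-pair names are assumptions chosen for the example; only the ACL, class-map and policy-map names for GRE follow the post. It shows the ACL permitting (not denying) GRE, the pass class placed above the inspect class so first match wins, pass applied in both directions because it is stateless, and everything else falling to class-default and being dropped.

```ios
! Added example, not from the original post. Zone, interface and generic
! class names are assumptions; the GRE object names follow the post.
!
! The pass class matches only when this ACL PERMITS the packet; a deny
! entry never matches. Tighten any/any to the tunnel endpoints in production.
ip access-list extended ACL_PERMIT_GRE
 permit gre any any
!
! Traffic the stateful engine can actually track
class-map type inspect match-any CMAP_INSPECT_GENERIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-all CMAP_PASS_GRE
 match access-group name ACL_PERMIT_GRE
!
! Outbound: pass class first (first match wins), then inspect, then drop
policy-map type inspect PMAP_TRUST_TO_UNTRUST
 class type inspect CMAP_PASS_GRE
  pass
 class type inspect CMAP_INSPECT_GENERIC
  inspect
 class class-default
  drop log
!
! Inbound: pass is stateless, so the returning GRE stream needs its own
! rule here; nothing else is initiated from UNTRUST, so the rest drops
policy-map type inspect PMAP_UNTRUST_TO_TRUST
 class type inspect CMAP_PASS_GRE
  pass
 class class-default
  drop log
!
zone security TRUST
zone security UNTRUST
!
zone-pair security ZP_TRUST_TO_UNTRUST source TRUST destination UNTRUST
 service-policy type inspect PMAP_TRUST_TO_UNTRUST
zone-pair security ZP_UNTRUST_TO_TRUST source UNTRUST destination TRUST
 service-policy type inspect PMAP_UNTRUST_TO_TRUST
!
interface GigabitEthernet0/0
 description Inside
 zone-member security TRUST
interface GigabitEthernet0/1
 description Outside
 zone-member security UNTRUST
```

To confirm the tunnel is hitting the pass class rather than class-default, bring the tunnel up and watch the per-class counters with show policy-map type inspect zone-pair ZP_TRUST_TO_UNTRUST (and the reverse pair); if the packet counts land under class-default, the ACL is not permitting your GRE endpoints or the pass class is ordered below a class that matched first.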