Cisco IPS principles and console initialization

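Basic principles of IPS

  • IPS (intrusion prevention system): as a starting point for beginners, an IPS sits between the firewall and the devices on the network. Because of performance limits, a firewall usually cannot monitor for intrusions in real time; when an IPS detects an attack, it blocks the malicious traffic before the attack spreads to the rest of the network.
  • An IDS (intrusion detection system), by contrast, sits outside your network and only raises alerts; it does not stand in front of your network as a defense. In other words, an IDS only detects an attack and cannot deal with it in time.
  • An IPS also detects attacks differently from an IDS. There are many kinds of IPS today, and they use different techniques. In general, though, every IPS relies on packet inspection: it examines inbound packets, determines what each packet is really for, and then decides whether to let it into your network.
  • There are some important differences between IDS and IPS. If you are buying effective security equipment and use an IPS rather than an IDS, your network will usually be more secure. But security and performance always trade off against each other, so we recommend deploying an IPS where traffic is light and the data is relatively important, and an IDS where traffic is heavy and the data is relatively less important.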

How to access the CLI

  1. SSH
  2. Console
  3. Telnet

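Note: the default username and password are both cisco! On first login you are prompted to change the default password; keep the new password safe.

Console initialization

  1. After powering on and logging in with the password, enter setup and follow the prompts
IPS4240# setup                                              # enter setup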


    --- Basic Setup ---

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.



Current time: Wed Nov 10 03:30:27 2021

Setup Configuration last modified: Wed Nov 10 03:15:35 2021

Enter host name[sensor]: IPS                                # change the host name to IPS
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.0.0.1/24,10.0.0.254  # set the management IP to 10.0.0.1/24 with gateway 10.0.0.254
Modify current access list?[no]: yes                        # whether to modify the list of networks allowed to access the IPS; enter yes
Current access list entries:
  No entries
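Permit: 10.0.0.0/24                                         # allow access from 10.0.0.0/24
Permit:                                                     # press Enter if there are no more entries; otherwise keep adding entries
Use DNS server for Global Correlation?[no]:                 # whether to use a DNS server for Global Correlation; enter the DNS server if needed, otherwise press Enter
Use HTTP proxy server for Global Correlation?[no]:          # whether to use an HTTP proxy server for Global Correlation; enter it if you have one, otherwise press Enter
Modify system clock settings?[no]:                          # modify the system clock settings; press Enter here and do this in the web interface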
Participation in the SensorBase Network allows Cisco to
collect aggregated statistics about traffic sent to your IPS.
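SensorBase Network Participation level?[off]:               # whether to take part in Cisco's aggregated statistics and send information to Cisco, much like the improvement-program opt-in at the last step of a software installer; press Enter

The configuration you just entered is then displayed: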

The following configuration was entered.

service host
network-settings
host-ip 10.0.0.1/24,10.0.0.254
host-name IPS
telnet-option disabled
access-list 10.0.0.0/24 
ftp-timeout 300
no login-banner-text
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service global-correlation
network-participation off
exit


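[0] Go to the command prompt without saving this config. # go to the command prompt without saving this configuration
[1] Return to setup without saving this config.          # return to setup without saving this configuration
[2] Save this configuration and exit setup.              # save this configuration and exit setup
[3] Continue to Advanced setup.                          # continue to advanced setup

Enter your selection[3]:                                 # choose 3 and press Enter
Enter telnet-server status[disabled]:                    # telnet is off by default; press Enter. To turn it on, enter enable
Enter web-server port[443]:                              # the web access port is 443; to change it, enter the new value
Modify interface/virtual sensor configuration?[no]:      # modify the interface/virtual sensor configuration; default is no, press Enter
Modify default threat prevention settings?[no]:          # whether to modify the default threat prevention settings; default is no, press Enter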


The complete configuration just entered is then displayed:

The following configuration was entered.

service host
network-settings
host-ip 10.0.0.1/24,10.0.0.254
host-name IPS
telnet-option disabled
access-list 10.0.0.0/24 
ftp-timeout 300
no login-banner-text
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service global-correlation
network-participation off
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides 
override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return to the Advance setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]:                 # choose option 2; it is the default, so just press Enter to save the configuration
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.
Configuration Saved.
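IPS4240#                                 # the new host name takes effect after the device is rebooted
  2. View the configuration
IPS# show configuration                 # enter the command that shows the configuration; it differs slightly from switches and routers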
! ------------------------------       
! Current configuration last modified Wed Nov 10 05:38:58 2021
! ------------------------------
! Version 7.0(8)
! Host:                                         
!     Realm Keys          key1.0                
! Signature Definition:                         
!     Signature Update    S615.0   2012-01-03   
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.0.1/24,10.0.0.254
host-name IPS
telnet-option disabled
access-list 10.0.0.0/24 
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
exit
IPS#    
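
An added example (not part of the original post, and not Cisco tooling): a small Python audit over the "service ... exit" text that setup and show configuration print above, checking the management-plane settings this walkthrough configures. The sample input is constructed, and the function names and the min_prefix policy value are assumptions.

```python
import ipaddress

# Constructed sample in the format the setup summary prints on this page,
# with two deliberately weak settings (telnet enabled, permit-any entry).
SAMPLE = """\
service host
network-settings
host-ip 10.0.0.1/24,10.0.0.254
telnet-option enabled
access-list 0.0.0.0/0
access-list 10.0.0.0/24
dns-primary-server disabled
http-proxy no-proxy
exit
exit
service web-server
port 443
exit
"""

def parse(text):
    """Return {service: {key: [values]}}; sub-blocks are flattened into their service."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line == "exit":
            continue
        key, _, value = line.partition(" ")
        if key == "service":
            current = services.setdefault(value.split()[0], {})
        elif current is not None:
            current.setdefault(key, []).append(value.strip())
    return services

def audit(text, min_prefix=24):
    """min_prefix is an assumed local policy: the widest management subnet allowed."""
    host = parse(text).get("host", {})
    findings = []
    if host.get("telnet-option", ["disabled"])[-1] != "disabled":
        findings.append("telnet-option is not disabled: management over cleartext")
    for entry in host.get("access-list", []):
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen < min_prefix:
            findings.append(f"access-list {net} is wider than /{min_prefix}")
    if "host-ip" in host:
        iface, gateway = host["host-ip"][-1].split(",")
        if ipaddress.ip_address(gateway) not in ipaddress.ip_interface(iface).network:
            findings.append(f"gateway {gateway} is outside {iface}")
    if host.get("dns-primary-server") == ["disabled"] and host.get("http-proxy") == ["no-proxy"]:
        findings.append("no DNS server or HTTP proxy defined (needed for global correlation)")
    return findings
```

Run against the configuration saved in this walkthrough, the only finding is the missing DNS server or proxy, which matches the warning setup printed when the configuration was saved.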

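Topology

[Image: topology diagram]

Connecting to the IPS from a Windows 7 PC using the IDM software

Java must be installed beforehand, and it must be version 6; a version that is too low or too high will cause problems. You can search for it (for example on Baidu), then download and install it yourself.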

Reposted from blog.csdn.net/qq_43440135/article/details/121243323