© 2006 Cisco Systems, Inc. All rights reserved.
Implementing Secure Converged Wide Area Networks (ISCW)
Module 6: Cisco IOS Threat Defense Features

Lesson 6.5: Configuring Cisco IOS IPS

Objectives
- Identify the features of the Cisco IOS Intrusion Prevention System (IPS).
- Explain the purpose of .SDF files.
- Describe methods for installing and configuring IPS on Cisco routers.

Cisco IOS IPS SDFs
A Cisco IOS router acts as an in-line intrusion prevention sensor.
Signature databases:
- Built-in (100 signatures embedded in Cisco IOS software)
- SDF files (can be downloaded from Cisco.com):
  - Static (attack-drop.sdf)
  - Dynamic (128MB.sdf, 256MB.sdf), selected according to the installed RAM
Configuration flexibility:
- Load the built-in signature database, an SDF file, or merge both to increase coverage
- Tune or disable individual signatures

Downloading Signatures from Cisco.com
The attack-drop.sdf SDF contains 82 high-fidelity signatures that provide customers with security threat detection. When loaded, those signatures fit into the 64-MB router memory.

Cisco IOS IPS Alarms: Configurable Actions
- Send an alarm to a syslog server or a centralized management interface (syslog or SDEE).
- Drop the packet.
- Reset the connection.
- Block traffic from the source IP address of the attacker for a specified amount of time.
- Block traffic on the connection on which the signature was seen for a specified amount of time.

Cisco IOS IPS Alarm Considerations
- Alarms can be combined with reactive actions.
- SDEE is a communication protocol for IPS message exchange between IPS clients and IPS servers:
  - More secure than syslog
  - Reports events to the SDM
- When blocking an IP address, beware of IP spoofing:
  - A spoofed source address may cause a legitimate user to be blocked
  - Blocking by address is therefore recommended mainly where spoofing is unlikely
- When blocking a connection:
  - IP spoofing is less likely to cause collateral blocking
  - The attacker can still switch to other attack methods

Cisco IOS IPS Configuration Steps
1. Configure basic IPS settings:
   - Specify the SDF location.
   - Configure the failure parameter.
   - Create an IPS rule and, optionally, combine the rule with a filter.
   - Apply the IPS rule to an interface.
2. Configure enhanced IPS settings:
   - Merge SDFs.
   - Disable, delete, and filter selected signatures.
   - Reapply the IPS rule to the interface.
3. Verify the IPS configuration.
Note: The default command ip ips sdf builtin does not appear in this IPS configuration example because the configuration specifies the default built-in SDF.

Basic IPS Settings Configuration

    Router# show running-config | begin ips
    ! Drop all packets until IPS is ready for scanning
    ip ips fail closed
    ! IPS rule definition
    ip ips name SECURIPS list 100
    !...
    interface Serial0/0
     ip address
     ! Apply the IPS rule to the interface in the inbound direction
     ip ips SECURIPS in
    ...

Enhanced IPS Settings Configuration

    ! Merge the built-in SDF with attack-drop.sdf, and copy the result to flash
    Router# copy flash:attack-drop.sdf ips-sdf
    Router# copy ips-sdf flash:my-signatures.sdf
    Router# show running-config | begin ips
    ! Specify the IPS SDF location
    ip ips sdf location flash:my-signatures.sdf
    ip ips fail closed
    ! Disable sig 1107, delete sig 5037, filter sig 6190 with ACL 101
    ip ips signature 1107 0 disable
    ip ips signature 5037 0 delete
    ip ips signature 6190 0 list 101
    ip ips name SECURIPS list 100
    interface Serial0/0
     ip address
     ! Reapply the IPS rule so the signature changes take effect
     ip ips SECURIPS in
    ...

Verifying Cisco IOS IPS Configuration

    Router# show ip ips configuration
    Configured SDF Locations:
      flash:my-signatures.sdf
    Builtin signatures are enabled but not loaded
    Last successful SDF load time: 13:45:38 UTC Jan
    IPS fail closed is enabled
    ...
    Total Active Signatures: 183
    Total Inactive Signatures: 0
      Signature 6190:0 list 101
      Signature 1107:0 disable
    IPS Rule Configuration
      IPS name SECURIPS
        acl list 100
    Interface Configuration
      Interface Serial0/0
        Inbound IPS rule is SECURIPS
        Outgoing IPS rule is not set

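The complete CLI procedure behind the configuration steps above, as an added example that is not from the original slides: it supplies the two ACLs the slides reference (100 for the rule filter, 101 for the signature filter) but never show, adds SDEE and syslog notification for the alarm actions, and ends with the verification commands. The addresses, ACL contents, syslog host and SDEE buffer size are assumed values chosen for illustration.

```text
! Added example, not from the original slides. Addresses, ACL contents, the
! syslog host and the SDEE buffer size are assumed values for illustration.
!
! Build the merged signature file once from exec mode (as on the slides):
!   Router# copy flash:attack-drop.sdf ips-sdf
!   Router# copy ips-sdf flash:my-signatures.sdf
!
Router# configure terminal
! ACL 100 selects the traffic the SECURIPS rule inspects: anything arriving
! on the WAN side that is destined to the (assumed) 10.1.1.0/24 LAN.
access-list 100 permit ip any 10.1.1.0 0.0.0.255
! ACL 101 filters signature 6190: hosts DENIED here are exempt from that one
! signature, everything permitted is still scanned. 10.1.1.5 is an assumed
! vulnerability scanner that otherwise trips 6190 constantly.
access-list 101 deny   ip host 10.1.1.5 any
access-list 101 permit ip any any
!
! Basic IPS settings. The built-in SDF stays enabled as the default fallback,
! so "ip ips sdf builtin" does not need to be typed.
ip ips sdf location flash:my-signatures.sdf
! Drop all traffic while the SDF is loading rather than forward it uninspected
ip ips fail closed
! Deliver events to SDM over SDEE (needs the HTTPS server) and to syslog
ip ips notify sdee
ip ips notify log
ip http secure-server
ip sdee events 200
logging host 10.1.1.10
!
! Enhanced settings: tune individual signatures (disable keeps the signature
! loaded but silent; delete removes it; list attaches the ACL 101 filter)
ip ips signature 1107 0 disable
ip ips signature 5037 0 delete
ip ips signature 6190 0 list 101
!
! Rule definition and interface binding. Signature changes only take effect
! on an interface once the rule is (re)applied, so remove and re-add it.
ip ips name SECURIPS list 100
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 no ip ips SECURIPS in
 ip ips SECURIPS in
end
!
! Verification, from exec mode:
!   show ip ips configuration   (SDF location, fail-closed state, tuned
!                                signatures, rule and interface binding)
!   show ip ips signatures      (per-signature active/disabled state)
!   show ip sdee alerts         (alerts buffered for SDEE subscribers)
```
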
Cisco IOS IPS SDM Configuration Tasks
Tasks included in the IPS Policies wizard:
- Quick interface selection for rule deployment
- Identification of the flow direction
- Dynamic signature update
- Quick deployment of default signatures
- Validation of router resources before signature deployment
Signature customization available in the SDM IPS Edit menu:
- Disable
- Delete
- Modify parameters

Launching the IPS Policies Wizard
Screenshot callouts: Select IPS. Launch the wizard with the default signature parameters. Customization options.

IPS Policies Wizard Overview

Adding an SDF Location
Screenshot callouts: Add SDF location. Optionally, use built-in signatures as backup.

Selecting an SDF Location
Screenshot callouts: Select location from flash. Select location from network.

Current SDF Location

Viewing the IPS Policies Wizard Summary

Verifying IPS Deployment

IPS Policies

Global Settings

Viewing All SDEE Messages
Screenshot callout: Select message type for viewing.

Viewing SDEE Status Messages
Status messages report the engine states.

Viewing SDEE Alerts
Signatures fire SDEE alerts.

Selecting a Signature
Screenshot callout: Edit signature.

Editing a Signature
Screenshot callouts: Click to edit. Select severity.

Disabling a Signature Group
Screenshot callouts: 1 Select category. 2 Select All. 3 Disable.

Verifying the Tuned Signatures

Summary
- The Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet against the Cisco IOS IPS signatures.
- IPS can be configured from the IOS command line or through the SDM.
- The SDM provides a wide range of configuration capabilities for Cisco IOS IPS and offers the IPS Policies wizard to expedite deployment of the default IPS settings.
- The wizard provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment.

Q and A

Resources
Configuring Cisco IOS IPS Using Cisco SDM and CLI (900aecd8043bc32.shtml)