
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.


Slide 1: Implementing Secure Converged Wide Area Networks (ISCW), Module 6: Cisco IOS Threat Defense Features

Slide 2: Module 6: Cisco IOS Threat Defense Features, Lesson 6.5: Configuring Cisco IOS IPS

Slide 3: Objectives
- Identify the features of the Cisco IOS Intrusion Protection System (IPS).
- Explain the purpose of SDF files.
- Describe methods for installing and configuring IPS on Cisco routers.

Slide 4: Cisco IOS IPS SDFs
- A Cisco IOS router acts as an in-line intrusion prevention sensor.
- Signature databases:
  - Built-in (100 signatures embedded in Cisco IOS software)
  - SDF files (can be downloaded from Cisco.com):
    - Static (attack-drop.sdf)
    - Dynamic (128MB.sdf, 256MB.sdf), chosen based on installed RAM
- Configuration flexibility:
  - Load the built-in signature database, an SDF file, or merge signatures to increase coverage
  - Tune or disable individual signatures

Slide 5: Downloading Signatures from Cisco.com
The attack-drop.sdf SDF contains 82 high-fidelity signatures, providing customers with security threat detection. When loaded, those signatures fit into the 64-MB router memory.

Slide 6: Cisco IOS IPS Alarms: Configurable Actions
- Send an alarm to a syslog server or a centralized management interface (syslog or SDEE).
- Drop the packet.
- Reset the connection.
- Block traffic from the source IP address of the attacker for a specified amount of time.
- Block traffic on the connection on which the signature was seen for a specified amount of time.

Slide 7: Cisco IOS IPS Alarm Considerations
- Alarms can be combined with reactive actions.
- SDEE is a communication protocol for IPS message exchange between IPS clients and IPS servers:
  - More secure than syslog
  - Reports events to the SDM
- When blocking an IP address, beware of IP spoofing:
  - May block a legitimate user
  - Especially recommended where spoofing is unlikely
- When blocking a connection:
  - IP spoofing is less likely
  - Allows the attacker to use other attack methods

Slide 8: Cisco IOS IPS Configuration Steps
- Configure basic IPS settings:
  - Specify the SDF location.
  - Configure the failure parameter.
  - Create an IPS rule and, optionally, combine the rule with a filter.
  - Apply the IPS rule to an interface.
- Configure enhanced IPS settings:
  - Merge SDFs.
  - Disable, delete, and filter selected signatures.
  - Reapply the IPS rule to the interface.
- Verify the IPS configuration.

Note: The default command ip ips sdf builtin does not appear in this IPS configuration example because the configuration specifies the default built-in SDF.

Slide 9: Basic IPS Settings Configuration

    Router# show running-config | begin ips
    ! Drop all packets until IPS is ready for scanning
    ip ips fail closed
    ! IPS rule definition
    ip ips name SECURIPS list 100
    !
    ...
    interface Serial0/0
     ip address 172.31.235.21 255.255.255.0
     ! Apply the IPS rule to the interface in the inbound direction
     ip ips SECURIPS in
    ...

Slide 10: Enhanced IPS Settings Configuration

    ! Merge the built-in SDF with attack-drop.sdf, and copy the result to flash
    Router# copy flash:attack-drop.sdf ips-sdf
    Router# copy ips-sdf flash:my-signatures.sdf
    Router# show running-config | begin ips
    ! Specify the IPS SDF location
    ip ips sdf location flash:my-signatures.sdf
    ip ips fail closed
    ! Disable sig 1107, delete sig 5037, filter sig 6190 with ACL 101
    ip ips signature 1107 0 disable
    ip ips signature 5037 0 delete
    ip ips signature 6190 0 list 101
    ip ips name SECURIPS list 100
    ...
    interface Serial0/0
     ip address 172.31.235.21 255.255.255.0
     ! Reapply the IPS rule so the changes take effect
     ip ips SECURIPS in
    ...

Slide 11: Verifying Cisco IOS IPS Configuration

    Router# show ip ips configuration
    Configured SDF Locations:
      flash:my-signatures.sdf
    Builtin signatures are enabled but not loaded
    Last successful SDF load time: 13:45:38 UTC Jan 1 2006
    IPS fail closed is enabled
    ...
    Total Active Signatures: 183
    Total Inactive Signatures: 0
      Signature 6190:0 list 101
      Signature 1107:0 disable
    IPS Rule Configuration
      IPS name SECURIPS acl list 100
    Interface Configuration
      Interface Serial0/0
        Inbound IPS rule is SECURIPS
        Outgoing IPS rule is not set
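The verification step on slides 8 and 11 is usually repeated across many routers, so it helps to turn the show output into a checklist. The following is an added example (not Cisco code and not part of the course material): a small Python parser for the "show ip ips configuration" output shown above, plus a check that flags fail-open operation, a missing SDF location, a missing or unbound IPS rule, and any signatures that were disabled. The sample output is the slide's text embedded as a constructed string; the line patterns the parser matches are assumptions taken from that sample and may need adjusting for other IOS releases.

```python
"""Parse 'show ip ips configuration' output and report deployment findings."""
import re

# Constructed sample: the output from the slide, pasted as one string.
SAMPLE_OUTPUT = """\
Configured SDF Locations:
  flash:my-signatures.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 13:45:38 UTC Jan 1 2006
IPS fail closed is enabled
...
Total Active Signatures: 183
Total Inactive Signatures: 0
  Signature 6190:0 list 101
  Signature 1107:0 disable
IPS Rule Configuration
  IPS name SECURIPS acl list 100
Interface Configuration
  Interface Serial0/0
    Inbound IPS rule is SECURIPS
    Outgoing IPS rule is not set
"""


def parse_ips_config(text):
    """Extract the fields of the show output that matter for a deployment check."""
    info = {
        "sdf_locations": [],
        "fail_closed": False,
        "builtin_loaded": None,
        "active": 0,
        "inactive": 0,
        "signature_overrides": {},  # "6190:0" -> "list 101" / "disable"
        "rules": {},                # rule name -> ACL number (None if no filter)
        "interfaces": {},           # interface -> {"in": rule|None, "out": rule|None}
    }
    section = None
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line == "Configured SDF Locations:":
            section = "sdf"
            continue
        if line == "IPS Rule Configuration":
            section = "rules"
            continue
        if line == "Interface Configuration":
            section = "ifaces"
            continue
        # SDF locations look like device:filename with no spaces.
        if section == "sdf" and re.fullmatch(r"\S+:\S+", line):
            info["sdf_locations"].append(line)
            continue
        if line.startswith("Builtin signatures are"):
            section = None
            info["builtin_loaded"] = "not loaded" not in line
            continue
        m = re.fullmatch(r"IPS fail (closed|open) is enabled", line)
        if m:
            info["fail_closed"] = m.group(1) == "closed"
            continue
        m = re.fullmatch(r"Total (Active|Inactive) Signatures: (\d+)", line)
        if m:
            info[m.group(1).lower()] = int(m.group(2))
            continue
        m = re.fullmatch(r"Signature (\d+:\d+) (.+)", line)
        if m:
            info["signature_overrides"][m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"IPS name (\S+)(?: acl list (\d+))?", line)
        if m and section == "rules":
            info["rules"][m.group(1)] = int(m.group(2)) if m.group(2) else None
            continue
        m = re.fullmatch(r"Interface (\S+)", line)
        if m and section == "ifaces":
            iface = m.group(1)
            info["interfaces"][iface] = {"in": None, "out": None}
            continue
        m = re.fullmatch(r"(Inbound|Outgoing) IPS rule is (.+)", line)
        if m and iface:
            rule = None if m.group(2) == "not set" else m.group(2)
            info["interfaces"][iface]["in" if m.group(1) == "Inbound" else "out"] = rule
    return info


def check_deployment(info, expected_rule, expected_interfaces):
    """Return a list of findings; an empty list means the deployment matches intent."""
    findings = []
    if not info["sdf_locations"]:
        findings.append("no SDF location configured; only built-in signatures available")
    if not info["fail_closed"]:
        findings.append("fail open: traffic passes unscanned while the engine is not ready")
    if info["active"] == 0:
        findings.append("no active signatures loaded")
    if expected_rule not in info["rules"]:
        findings.append(f"IPS rule {expected_rule} is not defined")
    for name in expected_interfaces:
        bound = info["interfaces"].get(name)
        if bound is None:
            findings.append(f"{name} has no IPS configuration")
        elif bound["in"] != expected_rule:
            findings.append(f"{name}: inbound rule is {bound['in']}, expected {expected_rule}")
    for sig, action in info["signature_overrides"].items():
        if action == "disable":
            findings.append(f"signature {sig} is disabled (confirm this is intentional)")
    return findings


if __name__ == "__main__":
    for finding in check_deployment(parse_ips_config(SAMPLE_OUTPUT), "SECURIPS", ["Serial0/0"]):
        print(finding)
```

Run against the slide's output, the only finding is that signature 1107:0 is disabled, which matches the tuning done on slide 10; a router whose output reads "IPS fail open is enabled" additionally gets the fail-open finding. Feed it the captured output of each router rather than the constructed sample to use it in practice.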

Slide 12: Cisco IOS IPS SDM Configuration Tasks
- Tasks included in the IPS Policies wizard:
  - Quick interface selection for rule deployment
  - Identification of the flow direction
  - Dynamic signature update
  - Quick deployment of default signatures
  - Validation of router resources before signature deployment
- Signature customization available in the SDM IPS Edit menu:
  - Disable
  - Delete
  - Modify parameters

Slide 13: Launching the IPS Policies Wizard (screenshot callouts: select IPS; launch the wizard with the default signature parameters; customization options)

Slide 14: IPS Policies Wizard Overview (screenshot)

Slide 15: Adding an SDF Location (screenshot callouts: add SDF location; optionally, use built-in signatures as backup)

Slide 16: Selecting an SDF Location (screenshot callouts: select location from flash; select location from network)

Slide 17: Current SDF Location (screenshot)

Slide 18: Viewing the IPS Policies Wizard Summary (screenshot)

Slide 19: Verifying IPS Deployment (screenshot)

Slide 20: IPS Policies (screenshot)

Slide 21: Global Settings (screenshot)

Slide 22: Viewing All SDEE Messages (screenshot callout: select message type for viewing)

Slide 23: Viewing SDEE Status Messages
Status messages report the engine states.

Slide 24: Viewing SDEE Alerts
Signatures fire SDEE alerts.

Slide 25: Selecting a Signature (screenshot callout: edit signature)

Slide 26: Editing a Signature (screenshot callouts: click to edit; select severity)

Slide 27: Disabling a Signature Group (screenshot steps: select category; select All; disable)

Slide 28: Verifying the Tuned Signatures (screenshot)

Slide 29: Summary
- The Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures.
- IPS can be configured via the IOS command line or using the SDM.
- The SDM provides a wide range of configuration capabilities for Cisco IOS IPS.
- SDM offers the IPS Policies wizard to expedite deploying the default IPS settings. The wizard provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment.

Slide 30: Q and A

Slide 31: Resources
- Configuring Cisco IOS IPS Using Cisco SDM and CLI: http://cisco.com/en/US/products/ps6634/products_white_paper0900aecd8043bc32.shtml


