This module covers the implementation of Cisco IOS Intrusion Protection System (IPS) and configuring threat defense features on Cisco routers. Learn about SDF files, installing and configuring IPS, signature databases, alarm actions, IPS configuration steps, and more. Understand how to download signatures, configure basic and enhanced IPS settings, and verify the IPS configuration. Discover the considerations for IPS alarms and effective defense mechanisms against threats. Explore the functionality of SDEE for IPS message exchange and safeguarding against IP spoofing. Dive into configuring IPS rules, applying them to interfaces, and checking the IPS settings using practical examples.
Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features
Module 6: Cisco IOS Threat Defense Features Lesson 6.5: Configuring Cisco IOS IPS
Objectives
• Identify the features of the Cisco IOS Intrusion Protection System (IPS).
• Explain the purpose of .SDF files.
• Describe methods for installing and configuring IPS on Cisco routers.
Cisco IOS IPS SDFs
• A Cisco IOS router acts as an in-line intrusion prevention sensor.
• Signature databases:
  • Built-in (100 signatures embedded in Cisco IOS software)
  • SDF files (can be downloaded from Cisco.com):
    • Static (attack-drop.sdf)
    • Dynamic (128MB.sdf, 256MB.sdf)—based on installed RAM
• Configuration flexibility:
  • Load the built-in signature database, an SDF file, or even merge signatures to increase coverage
  • Tune or disable individual signatures
Downloading Signatures from Cisco.com
attack-drop.sdf: this SDF contains 82 high-fidelity signatures, providing customers with security threat detection. When loaded, these signatures fit into the 64-MB router memory.
Cisco IOS IPS Alarms: Configurable Actions
• Send an alarm to a syslog server or a centralized management interface (syslog or SDEE).
• Drop the packet.
• Reset the connection.
• Block traffic from the source IP address of the attacker for a specified amount of time.
• Block traffic on the connection on which the signature was seen for a specified amount of time.
Cisco IOS IPS Alarm Considerations
• Alarms can be combined with reactive actions.
• SDEE is a communication protocol for IPS message exchange between IPS clients and IPS servers:
  • More secure than syslog
  • Reports events to the SDM
• When blocking an IP address, beware of IP spoofing:
  • May block a legitimate user
  • Especially recommended where spoofing is unlikely
• When blocking a connection:
  • IP spoofing less likely
  • Allows the attacker to use other attack methods
Cisco IOS IPS Configuration Steps
• Configure basic IPS settings:
  • Specify the SDF location.
  • Configure the failure parameter.
  • Create an IPS rule and, optionally, combine the rule with a filter.
  • Apply the IPS rule to an interface.
• Configure enhanced IPS settings:
  • Merge SDFs.
  • Disable, delete, and filter selected signatures.
  • Reapply the IPS rule to the interface.
• Verify the IPS configuration.
Basic IPS Settings Configuration
Router# show running-config | begin ips
! Drop all packets until IPS is ready for scanning
ip ips fail closed
! IPS rule definition
ip ips name SECURIPS list 100
!
...
interface Serial0/0
 ip address 172.31.235.21 255.255.255.0
 ! Apply the IPS rule to the interface in the inbound direction
 ip ips SECURIPS in
...
Enhanced IPS Settings Configuration
! Merge the built-in SDF with attack-drop.sdf, and copy the result to flash
Router# copy flash:attack-drop.sdf ips-sdf
Router# copy ips-sdf flash:my-signatures.sdf
Router# show running-config | begin ips
! Specify the IPS SDF location
ip ips sdf location flash:my-signatures.sdf
ip ips fail closed
! Disable sig 1107, delete sig 5037, filter sig 6190 with ACL 101
ip ips signature 1107 0 disable
ip ips signature 5037 0 delete
ip ips signature 6190 0 list 101
ip ips name SECURIPS list 100
...
interface Serial0/0
 ip address 172.31.235.21 255.255.255.0
 ! Reapply the IPS rule so the changes take effect
 ip ips SECURIPS in
...
Verifying Cisco IOS IPS Configuration
Router# show ip ips configuration
Configured SDF Locations:
  flash:my-signatures.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 13:45:38 UTC Jan 1 2006
IPS fail closed is enabled
...
Total Active Signatures: 183
Total Inactive Signatures: 0
  Signature 6190:0 list 101
  Signature 1107:0 disable
IPS Rule Configuration
  IPS name SECURIPS acl list 100
Interface Configuration
  Interface Serial0/0
    Inbound IPS rule is SECURIPS
    Outgoing IPS rule is not set
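The verification step above is easy to eyeball on one router and easy to skip on fifty. As an added example (not part of the course material), this Python script parses captured `show ip ips configuration` output and flags the gaps the lesson's configuration steps are meant to close: fail-open mode, no SDF location, and interfaces with no inbound rule. The sample output is constructed from the slide and extended with a hypothetical second interface, FastEthernet0/0, that has no rule applied.

```python
import re

# Constructed sample modelled on the slide's "show ip ips configuration" output,
# extended with a second interface that has no IPS rule applied.
SAMPLE_OUTPUT = """\
Configured SDF Locations:
  flash:my-signatures.sdf
IPS fail closed is enabled
IPS Rule Configuration
  IPS name SECURIPS acl list 100
Interface Configuration
  Interface Serial0/0
    Inbound IPS rule is SECURIPS
    Outgoing IPS rule is not set
  Interface FastEthernet0/0
    Inbound IPS rule is not set
    Outgoing IPS rule is not set
"""

def parse_show_ip_ips(text):
    # Result: SDF locations, fail mode, rule -> filter ACL, interface -> {in, out} rule bindings
    st, cur_if = {"sdf": [], "fail_closed": False, "rules": {}, "interfaces": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if re.fullmatch(r"[a-z]+:\S+", line):              # flash:... or tftp://... entries
            st["sdf"].append(line)
        elif line == "IPS fail closed is enabled":
            st["fail_closed"] = True
        elif m := re.match(r"IPS name (\S+)(?: acl list (\d+))?", line):
            st["rules"][m.group(1)] = m.group(2)           # None when the rule has no filter ACL
        elif m := re.fullmatch(r"Interface ((?!Configuration)\S+)", line):
            cur_if = st["interfaces"].setdefault(m.group(1), {"in": None, "out": None})
        elif m := re.match(r"(Inbound|Outgoing) IPS rule is (.+)", line):
            rule = None if m.group(2) == "not set" else m.group(2)
            cur_if["in" if m.group(1) == "Inbound" else "out"] = rule
    return st

def audit(st):
    # Flag the gaps that the lesson's configuration steps are meant to close.
    findings = []
    if not st["fail_closed"]:
        findings.append("fail-open: traffic is forwarded unscanned while the SDF loads")
    if not st["sdf"]:
        findings.append("no SDF location configured; only built-in signatures can load")
    for name, dirs in st["interfaces"].items():
        if dirs["in"] is None:
            findings.append(f"{name}: no inbound IPS rule applied")
        elif dirs["in"] not in st["rules"]:
            findings.append(f"{name}: inbound rule {dirs['in']} is not defined")
    return findings
```

Run `audit(parse_show_ip_ips(SAMPLE_OUTPUT))` to see the single finding for FastEthernet0/0; feed it the output of each router in a fleet to get a per-device list.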
Cisco IOS IPS SDM Configuration Tasks
• Tasks included in the IPS Policies wizard:
  • Quick interface selection for rule deployment
  • Identification of the flow direction
  • Dynamic signature update
  • Quick deployment of default signatures
  • Validation of router resources before signature deployment
• Signature customization available in the SDM IPS Edit menu:
  • Disable
  • Delete
  • Modify parameters
Launching the IPS Policies Wizard (screenshot callouts): Select IPS. Launch the wizard with the default signature parameters. Customization options.
Adding an SDF Location Optionally, use built-in signatures as backup. Add SDF location.
Selecting an SDF Location Select location from flash. Select location from network.
Verifying IPS Deployment (screenshot)
Viewing All SDEE Messages Select message type for viewing.
Viewing SDEE Status Messages Status messages report the engine states.
Viewing SDEE Alerts Signatures fire SDEE alerts.
Selecting a Signature Edit signature.
Editing a Signature Click to edit. Select severity.
Disabling a Signature Group (screenshot callouts): Select category. Select All. Disable.
Summary
• The Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures.
• IPS can be configured via the IOS command line or using the SDM.
• The SDM provides a wide range of configuration capabilities for Cisco IOS IPS.
• SDM offers the IPS Policies wizard to expedite deploying the default IPS settings. The wizard provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment.
Resources
• Configuring Cisco IOS IPS Using Cisco SDM and CLI
  http://cisco.com/en/US/products/ps6634/products_white_paper0900aecd8043bc32.shtml