ITE PC v4.0 Chapter 1


Chapter 5: Implementing Intrusion Prevention
CCNA-Security
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
1
Chapter 5: Objectives
In this chapter you will:
• Explain the functions and operations of IDS and IPS systems.
• Explain how network-based IPS is implemented.
• Describe the characteristics of IPS signatures.
• Explain how signature alarms are used in Cisco IPS solutions.
• Describe the purpose of tuning signature alarms in a Cisco IPS solution.
• Explain how the signature actions in a Cisco IPS solution affect network traffic.
• Explain how to manage and monitor a Cisco IPS solution.
• Describe the purpose and benefits of IPS Global Correlation.
• Configure Cisco IOS IPS using the CLI.
• Configure Cisco IOS IPS using CCP.
• Modify IPS signatures in the CLI and CCP.
• Verify the Cisco IOS IPS configuration.
• Monitor Cisco IOS IPS events.

Chapter 5
5.0 Introduction
5.1 IPS Technologies
5.2 IPS Signatures
5.3 Implement IPS
5.4 Verify and Monitor IPS
5.5 Summary
5.1 IPS Technologies
IDS and IPS Characteristics
Zero-Day Attacks
Worms and viruses can spread across the world in minutes.
• A zero-day attack (zero-day threat) is a computer attack that tries to exploit software vulnerabilities.
• Zero-hour describes the moment when the exploit is discovered.

IDS and IPS Characteristics
Monitor for Attacks
• IDSs were implemented to passively monitor the traffic on a network.
• An IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets.
• Working offline, it compares the captured traffic stream with known malicious signatures.
• This offline IDS implementation is referred to as promiscuous mode.
• The advantage of operating with a copy of the traffic is that the IDS does not negatively affect the actual packet flow.
• The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target before responding to the attack.
• A better solution is to use a device that can immediately detect and stop an attack. An IPS performs this function.

IDS and IPS Characteristics
Detect and Stop Attacks
• An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:
  • Reconnaissance attacks
  • Access attacks
  • Denial of Service attacks
• An IDS is a passive device because it analyzes copies of the traffic stream.
  • Only requires a promiscuous interface.
  • Does not slow network traffic.
  • Allows some malicious traffic into the network.

IDS and IPS Characteristics
Detect and Stop Attacks Cont.
• An IPS builds upon IDS technology to detect attacks. However, it can also immediately address the threat.
• An IPS is an active device because all traffic must pass through it.
  • Referred to as “inline mode”, it works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
  • It can also stop single-packet attacks from reaching the target system (an IDS cannot).

IDS and IPS Characteristics
IDS and IPS Characteristics
IDS and IPS Characteristics
IDS and IPS Characteristics Cont.
An IDS or IPS sensor can be any of the following devices:
• Router configured with Cisco IOS IPS software.
• Appliance specifically designed to provide dedicated IDS or IPS services.
• Network module installed in an adaptive security appliance (ASA), switch, or router.
IDS and IPS technologies use signatures to detect patterns in network traffic.
A signature is a set of rules that an IDS or IPS uses to detect malicious activity.
Signatures are used to detect severe security breaches, common network attacks, and to gather information.

IDS and IPS Characteristics
Advantages and Disadvantages of IDS and IPS
Network-Based IPS Implementations
Network IPS Sensors
• A network IPS implementation analyzes network-wide activity looking for malicious activity.
• Configured to monitor known signatures, but can also detect abnormal traffic patterns.
• Configured on:
  • Dedicated IPS appliances
  • ISR routers
  • ASA firewall appliances
  • Catalyst 6500 network modules

Network-Based IPS Implementations
Network IPS Sensors Cont.
• Sensors are connected to network segments. A single sensor can monitor many hosts.
• Sensors are network appliances tuned for intrusion detection analysis.
  • The OS is stripped of unnecessary services - “hardened.”
  • The hardware is dedicated to intrusion detection analysis.
• The hardware includes three components:
  • Network interface card (NIC) - Able to connect to any network.
  • Processor - Requires CPU power to perform intrusion detection analysis and pattern matching.
  • Memory - Intrusion detection analysis is memory-intensive.
• Growing networks are easily protected.
  • New hosts and devices can be added without adding sensors.
  • New sensors can be easily added to new networks.

Network-Based IPS Implementations
Cisco IPS Solutions
Network-Based IPS Implementations
Cisco IPS Solutions Cont.
Network-Based IPS Implementations
Choose an IPS Solution
There are several factors that affect the IPS sensor selection and deployment:
• Amount of network traffic
• Network topology
• Security budget
• Available security staff to manage IPS

Network-Based IPS Implementations
IPS Advantages and Disadvantages
5.2 IPS Signatures
IPS Signature Characteristics
Signature Attributes
• Malicious traffic displays distinct characteristics or “signatures.”
• These signatures uniquely identify specific worms, viruses, protocol anomalies, or malicious traffic.
• IPS sensors are tuned to look for matching signatures or abnormal traffic patterns.
• When a sensor matches a signature with a data flow, it takes action, such as logging the event or sending an alarm to IDS or IPS.
• Signatures have three distinctive attributes:
  • Type
  • Trigger (alarm)
  • Action

IPS Signature Characteristics
Signature Types - Atomic Signature
Signature types are categorized as atomic or composite.
• An atomic signature is the simplest type of signature. It consists of a single packet, activity, or event.
• Detecting atomic signatures consumes minimal resources. These signatures are easy to identify and understand because they are compared against a specific event or packet.

IPS Signature Characteristics
Signature Types - Atomic Signature Cont.
A land attack contains a spoofed TCP SYN packet with the IP address of the target host as both source and destination, causing the machine to reply to itself continuously.

IPS Signature Characteristics
Signature Types - Composite Signature
• A composite signature is also called a stateful signature.
• A composite signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.
• An IPS uses a configured event horizon to determine how long it looks for a specific attack signature.

IPS Signature Characteristics
Signature File
• As new threats are identified, new signatures must be created and uploaded to an IPS.
• To make this process easier, all signatures are contained in a signature file and uploaded to an IPS on a regular basis.

IPS Signature Characteristics
Signature Micro-Engines
• To make the scanning of signatures more efficient, the Cisco IOS software relies on signature micro-engines (SMEs), which categorize common signatures in groups.
• The Cisco IOS software can then scan for multiple signatures based on group characteristics, instead of one at a time.
• The available SMEs vary depending on the platform, Cisco IOS version, and version of the signature file.

IPS Signature Characteristics
Acquire the Signature File
• Cisco investigates and creates signatures for new threats as they are discovered, and publishes them regularly.
  • Lower priority IPS signature files are published biweekly.
  • If the threat is severe, Cisco publishes signature files within hours of identification.
• Update the signature file regularly to protect the network.
  • Each update includes new signatures and all the signatures in the previous version.
  • For example, the IOS-S595-CLI.pkg signature file includes all signatures in file IOS-S594-CLI.pkg, plus signatures created for threats discovered subsequently.
• New signatures are downloadable from CCO, and require a valid CCO login.

IPS Signature Alarms
Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the signature trigger.

Signature Alarm
Pattern-Based Detection
Pattern-based detection, also known as signature-based detection, compares the network traffic to a database of known attacks and triggers an alarm, or prevents communication, if a match is found.

Signature Alarm
Anomaly-Based Detection
• Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host.
• The signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.

IPS Signature Alarms
Policy-Based Detection
• Policy-based detection is also known as behavior-based detection.
• The administrator defines behaviors that are suspicious based on historical analysis.
• Honeypot-based detection uses a dummy server to attract attacks.
  • The honeypot approach is to distract attacks away from real network devices.
  • Honeypot systems are rarely used in production environments.

IPS Signature Alarms
Benefits of Implementing an IPS
• An IPS uses the underlying routing infrastructure to provide an additional layer of security.
• Since Cisco IOS IPS is inline, attacks can be effectively mitigated by denying malicious traffic from both inside and outside the network.
• When used in combination with Cisco IDS, Cisco IOS Firewall, VPN, and Network Admission Control (NAC) solutions, Cisco IOS IPS provides threat protection at all entry points to the network.
• It is supported by easy and effective management tools, such as the Cisco Configuration Professional.
• The size of the signature database used by the device can be adapted to the amount of available memory in the router.

Tuning IPS Signature Alarms
Trigger False Alarms
• Triggering mechanisms can generate alarms that are false positives or false negatives.
• These alarms must be addressed when implementing an IPS sensor.

Tuning IPS Signature Alarms
Tune Signature
• An administrator must balance the number of incorrect alarms that can be tolerated with the ability of the signature to detect actual intrusions.
• If IPS systems use untuned signatures, they produce many false positive alarms.

Tuning IPS Signature Alarms
Tune Signature Cont.
• Low - Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is unlikely.
• Medium - Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
• High - Attacks used to gain access or cause a DoS attack are detected, and an immediate threat is extremely likely.
• Informational - Activity that triggers the signature is not considered an immediate threat, but the information provided is useful.

IPS Signature Actions
Signature Actions
• Whenever a signature detects the activity for which it is configured, the signature triggers one or more actions.
• Several actions can be performed:
  • Generate an alert.
  • Log the activity.
  • Drop or prevent the activity.
  • Reset a TCP connection.
  • Block future activity.
  • Allow the activity.

IPS Signature Actions
Signature Actions Cont.
IPS Signature Actions
Generate an Alert
• An IPS can be enabled to produce an alert or a verbose alert.
• Atomic alerts are generated every time a signature triggers.
• Some IPS solutions enable the administrator to generate summary alerts, which indicate multiple occurrences of the same signature from the same source address or port.

IPS Signature Actions
Log the Activity
• Used when an administrator does not necessarily have enough information to stop an activity.
• An IPS can be enabled to log the attacker packets, pair packets, or just the victim packets.
• An administrator can then perform a detailed analysis, identify exactly what is taking place, and make a decision as to whether it should be allowed or denied in the future.

IPS Signature Actions
Drop or Prevent the Activity
An IPS can be enabled to deny the attacker packets, deny the connection, or deny the specific packet.

IPS Signature Actions
Reset, Block, and Allow Traffic
Manage and Monitor IPS
Monitor Activity
Monitoring the security-related events on a network is also a crucial aspect of protecting a network from attack.

Manage and Monitor IPS
Monitoring Considerations
Manage and Monitor IPS
Monitor IPS Using CCP
GUI-based IPS device managers include:
• Cisco Configuration Professional (CCP) - Allows administrators to control the application of Cisco IOS IPS on interfaces, import and edit signature definition files (SDFs) from cisco.com, and configure the action that Cisco IOS IPS is to take if a threat is detected.
• Cisco IPS Manager Express (IME) - An all-in-one IPS management application to provision, monitor, troubleshoot, and generate reports for up to 10 IPS sensors.
• Cisco Security Manager - Can be used to manage multiple IPS sensors and other infrastructure devices. It supports automatic policy-based IPS sensor software and signature updates and includes a signature update wizard allowing easy review and editing prior to deployment.

Manage and Monitor IPS
Secure Device Event Exchange
• IPS sensors and Cisco IOS IPS generate alarms when an enabled signature is triggered. These alarms are stored on the sensor and can be viewed locally, or through a management application, such as IPS Manager Express.
• The Cisco IOS IPS feature can send a syslog message or an alarm in Secure Device Event Exchange (SDEE) format.
• CCP can monitor syslog and SDEE-generated events and keep track of alarms that are common in SDEE system messages, including IPS signature alarms.

Manage and Monitor IPS
IPS Configuration Best Practices
• The need to upgrade sensors with the latest signature packs must be balanced with the momentary downtime during which the network becomes vulnerable to attack.
• Update signature packs automatically.
• Download new signatures to a secure server within the management network.
• Place signature packs on a dedicated SFTP server within the management network.

Manage and Monitor IPS
IPS Configuration Best Practices Cont.
• Configure the sensors to regularly check the SFTP server for new signature packs.
• Keep the signature levels that are supported on the management console synchronized with the signature packs on the sensors.

IPS Global Correlation
Cisco Global Correlation
• Cisco IPS includes a security feature called Cisco Global Correlation.
• Cisco IPS devices receive regular threat updates from a centralized Cisco threat database called the Cisco SensorBase Network.
• The Cisco SensorBase Network contains real-time, detailed information about known threats on the Internet.

IPS Global Correlation
Cisco SensorBase Network
• When participating in global correlation, the Cisco SensorBase Network provides information to the IPS sensor about IP addresses with a reputation.
• The sensor uses this information to determine which actions, if any, to perform when potentially harmful traffic is received from a host with a known reputation.

IPS Global Correlation
Cisco Security Intelligence Operation
• The SensorBase Network is part of a larger, back-end security ecosystem, known as the Cisco Security Intelligence Operation (SIO).
• Its purpose is to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected.
• Cisco SIO consists of three elements:
  • Threat intelligence from the Cisco SensorBase Network.
  • The Threat Operations Center, which is the combination of automated and human processing and analysis.
  • The automated and best practices content that is pushed to network elements in the form of dynamic updates.

5.3 Implement IPS
Configure Cisco IOS IPS with CLI
Implement IOS IPS Files
To implement the Cisco IOS IPS:
• Download the IOS IPS files.
• Create an IOS IPS configuration directory in flash.
• Configure an IOS IPS crypto key.
• Enable IOS IPS (consists of several substeps).
• Load the IOS IPS signature package to the router.

Configure Cisco IOS IPS with CLI
Download the IOS IPS Files
• Cisco IOS release 12.4(10)T and earlier provided built-in signatures in the Cisco IOS software image and support for imported signatures.
• With newer IOS versions, all signatures are stored in a separate signature file and must be imported.
Step 1. Download the IOS IPS signature package files and a public crypto key from cisco.com.
  • IOS-Sxxx-CLI.pkg - The latest signature package
  • realm-cisco.pub.key.txt - The public crypto key used by IOS IPS

Configure Cisco IOS IPS with CLI
Download the IOS IPS Files Cont.
Step 2. Create an IOS IPS configuration directory in flash.

Configure Cisco IOS IPS with CLI
Configure an IPS Crypto Key
The crypto key verifies the digital signature for the master signature file (sigdef-default.xml). The content of the file is signed by a Cisco private key to guarantee its authenticity and integrity.
Step 3. Configure an IOS IPS crypto key.
Highlight and copy the text in the public key file. Paste the copied text at the global configuration prompt.

Configure Cisco IOS IPS with CLI
Enable IOS IPS
Step 4. Enable IOS IPS.
a. Identify the IPS rule name and specify the location.
  • Use the ip ips name [rule name] [optional ACL] command to create a rule name.
  • An optional extended or standard ACL can be used to filter the traffic.
  • Traffic that is denied by the ACL is not inspected by the IPS.
  • Use the ip ips config location flash:directory-name command to configure the IPS signature storage location.
  • Prior to IOS 12.4(11)T, the ip ips sdf location command was used.

Configure Cisco IOS IPS with CLI
Enable IOS IPS Cont.
Step 4. Enable IOS IPS.
b. Enable SDEE and logging event notification.
  • The HTTP server must first be enabled with the ip http server command.
  • SDEE notification must be explicitly enabled using the ip ips notify sdee command.
  • IOS IPS also supports logging to send event notification.
  • SDEE and logging can be used independently or simultaneously.
  • Logging notification is enabled by default.
  • Use the ip ips notify log command to enable logging.

Configure Cisco IOS IPS with CLI
Enable IOS IPS Cont.
Step 4. Enable IOS IPS.
c. Configure the signature category.
  • All signatures are grouped into categories, and the categories are hierarchical.
  • The three most common categories are all, basic, and advanced.

Configure Cisco IOS IPS with CLI
Enable IOS IPS Cont.
Step 4. Enable IOS IPS.
d. Apply the IPS rule to an interface, and specify the direction.
Use the ip ips rule-name [in | out] interface configuration mode command to apply the IPS rule.

Configure Cisco IOS IPS with CLI
Load the IPS Signature Package in RAM
Step 5. Load the IOS IPS signature package to the router.
  • Upload the signature package to the router using either FTP or TFTP.
  • To copy the downloaded signature package from the FTP server to the router, use the idconf parameter at the end of the command.

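The five steps above, collected into one worked Cisco IOS CLI session. This is an added example, not configuration from the original slides: the directory name ips, the rule name IOSIPS, ACL 101 and the host 192.0.2.50 it excludes, the FTP server 192.0.2.10 with its credentials, and the interface GigabitEthernet0/0 are all assumed values, and the hex key-string lines are a placeholder for the text copied from the downloaded realm-cisco.pub.key.txt.

```cisco-ios
! ===== Privileged EXEC =====
! Step 2: create the IPS configuration directory in flash (name "ips" is assumed)
mkdir flash:ips
!
configure terminal
!
! Step 3: paste the contents of realm-cisco.pub.key.txt at the global config prompt.
! The file has the shape below; the hex lines between key-string and quit are
! the Cisco public key and are NOT reproduced here (placeholder).
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <hex key-string lines copied verbatim from realm-cisco.pub.key.txt>
  quit
!
! Step 4a: rule name plus optional ACL. Traffic DENIED by the ACL bypasses
! inspection, so ACL 101 exempts one trusted host (192.0.2.50 is assumed)
! and sends everything else through the IPS.
access-list 101 deny ip host 192.0.2.50 any
access-list 101 permit ip any any
ip ips name IOSIPS list 101
! signature storage location (replaces ip ips sdf location on 12.4(11)T and later)
ip ips config location flash:ips
!
! Step 4b: HTTP server is required for SDEE; enable SDEE and log notification
ip http server
ip ips notify sdee
ip ips notify log
!
! Step 4c: categories are hierarchical, so retire "all" first, then unretire
! the basic category; IOS asks to accept the changes on exit from this mode.
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
!
! Step 4d: apply the rule inbound on the outside interface (interface name assumed)
interface GigabitEthernet0/0
 ip ips IOSIPS in
end
!
! ===== Privileged EXEC =====
! Step 5: copy the package from the FTP server; the trailing idconf keyword
! loads it as the IPS signature package instead of a plain file copy.
! Server address and credentials are assumed.
copy ftp://ipsuser:ipspass@192.0.2.10/IOS-S595-CLI.pkg idconf
!
! Verify the result
show ip ips configuration
show ip ips interfaces
show ip ips signatures
```

The order matters: the crypto key must be in place before the package is loaded, because the copy ... idconf step fails signature verification of sigdef-default.xml without it, and the signature category should be set before the package is loaded so that only the unretired signatures are compiled into memory.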
Configure Cisco IOS IPS using CCP
Implement IOS IPS Using CCP
CCP needs a minimum Java memory heap size of 256 MB to support IOS IPS.
• Exit CCP and open the Windows Control Panel.
• Click the Java option to open the Java Control Panel.
• Select the Java tab and click View under the Java Applet Runtime Settings.
• In the Java Runtime Parameter field, enter -Xmx256m, and click OK.

Configure Cisco IOS IPS using CCP
Implement IOS IPS Using CCP Cont.
CCP provides controls for applying Cisco IOS IPS on interfaces, importing and editing signature files from cisco.com, and configuring the action that Cisco IOS IPS takes if a threat is detected.

Configure Cisco IOS IPS using CCP
Launch the IPS Rule Wizard
Prior to configuring IPS with the Cisco Configuration Professional, download the latest IPS signature file and public key, if required, from cisco.com.
To launch the IPS Rule wizard:
1. On the CCP menu bar, click Configure > Security > Intrusion Prevention > Create IPS.
2. Click Launch IPS Rule Wizard.
3. Read the Welcome to the IPS Policies Wizard screen and click Next.
4. In the Select Interfaces window, select the interfaces to which to apply the IPS rule and the direction of traffic.

Configure Cisco IOS IPS using CCP
Configure the Crypto Key
Configure Cisco IOS IPS using CCP
Specify the Signature File
Configure Cisco IOS IPS using CCP
Complete the IOS IPS Wizard
Use the show running-config command to verify the IPS configuration generated by the CCP IPS wizard.

Modify Cisco IOS IPS Signatures
Retire and Unretire Signatures
The Cisco IOS CLI can be used to retire or unretire individual signatures or a group of signatures that belong to a signature category.
Retire a Specific Signature
Unretire a Signature Category

Modify Cisco IOS IPS Signatures
Change Signature Actions
To change an action, the event-action command must be used in IPS Category Action mode or Signature Definition Engine mode.
Change Actions for a Signature
Change Actions for a Category

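The two preceding slides (retire/unretire and change actions) worked through in one Cisco IOS CLI session, as an added example that is not taken from the original slides. The signature ID and sub-ID 2004 0 are an assumed value standing in for whichever signature is being tuned; the category name ios_ips basic and the event-action keywords produce-alert and deny-packet-inline correspond to the "generate an alert" and "drop the packet" actions the chapter lists.

```cisco-ios
configure terminal
!
! --- Retire one specific signature (Signature Definition mode) ---
! 2004 0 is an assumed signature ID / sub-ID; substitute the one you are tuning.
ip ips signature-definition
 signature 2004 0
  status
   retired true
   exit
  exit
 exit
! IOS prompts "Do you want to accept these changes?" when leaving this mode.
!
! --- Change the actions of one signature (Signature Definition Engine mode) ---
ip ips signature-definition
 signature 2004 0
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit
!
! --- Unretire a whole category and set its actions (IPS Category Action mode) ---
ip ips signature-category
 category ios_ips basic
  retired false
  event-action produce-alert
  event-action deny-packet-inline
  exit
 exit
end
!
! Confirm the retired/enabled state and the configured actions
show ip ips signatures
```

Per-signature settings in Signature Definition mode override the category-level settings, so tune the category first and then adjust individual signatures; after either change, re-check show ip ips signatures so the console and the router agree on which signatures are active.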
Modify Cisco IOS IPS Signatures
Edit Signatures
Modify Cisco IOS IPS Signatures
Tune a Signature
Modify Cisco IOS IPS Signatures
Access and Configure Signature Parameters
Modify Cisco IOS IPS Signatures
Access and Configure Signature Parameters Cont.
5.4 Verify and Monitor IPS
Verify Cisco IOS IPS
Verify IOS IPS
Several show commands can be used to verify the IOS IPS configuration.
The show ip ips privileged EXEC mode command can be used with other parameters to provide specific IPS information; for example:
• show ip ips all
• show ip ips configuration
• show ip ips interfaces
• show ip ips signatures

Verify Cisco IOS IPS
Verify IOS IPS Using CCP
Monitoring Cisco IOS IPS
Report IPS Alerts
Two methods to report IPS intrusion alerts:
• Cisco Configuration Professional Security Device Event Exchange (SDEE) - The sdee keyword sends messages in SDEE format.
• Cisco IOS logging via syslog - The log keyword sends messages in syslog format.

Monitoring Cisco IOS IPS
Enable SDEE
• SDEE is the preferred method of reporting IPS activity.
• SDEE uses HTTP and XML to provide a standardized approach.
• Enable SDEE on an IOS IPS router using the ip ips notify sdee command.

Monitoring Cisco IOS IPS
Monitor IOS IPS Using CCP
5.5 Summary
Chapter 5
Summary
• A network must be able to instantly recognize and mitigate worm and virus threats.
• A network-based IPS should be implemented inline to defend against fast-moving Internet worms and viruses.
• IPS signatures provide an IPS with a list of identified problems.
• The IPS signatures are configured to use various triggers and actions.
• Security staff must continuously monitor an IPS solution and tune signatures as necessary to ensure an adequate level of protection.