© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.05-1
Adaptive Threat Defense: Configuring Cisco IOS IPS

Transcript:


Cisco IOS Intrusion Prevention System

(Figure: an attack enters through the IOS IPS router, which can (1) detect the attack, (2) drop the packet, (3) reset the connection and (4) send an alarm to the network management console.)

Features

- Uses the underlying routing infrastructure
- Ubiquitous protection of network assets
- Inline deep packet inspection
  – Software-based inline intrusion prevention sensor
- IPS signature support
  – Signature-based packet scanning; uses the same set of signatures as the IDS Sensor platform
  – Dynamic signature update (no need to update the IOS image)
  – Customized signature support
- Variety of event actions, configurable on a per-signature basis
- Parallel signature scanning
- Named and numbered extended ACL support

Signature Micro-Engines

An SME is a component of IOS IPS that supports signatures in a certain category. Each engine is customized for the protocol and fields it is designed to inspect, and defines a set of legal parameters that have allowable ranges or sets of values. The SMEs look for malicious activity in a specific protocol. All the signatures in a given micro-engine are scanned in parallel rather than serially.

- 15 SMEs in 12.4(4)T or later
- The OTHER engine has hard-coded signatures

Built-in Signatures

- 135 signatures
- Built-in signatures are the last resort when the router loads signatures.
- Can be turned off using the CLI: no ip ips sdf builtin
- Cisco recommends using the pre-tuned SDF files: attack-drop.sdf, 128MB.sdf and 256MB.sdf.
- Built-in signatures will NOT be supported in 12.4(PI5)T, when IOS IPS supports the 5.x format.

Signature Actions

- Alarm: sends an alarm via syslog and SDEE.
- Reset: applies to TCP connections; sends a reset to both peers.
- Drop: drops the packet.
- DenyAttackerInline: blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this is set by the user).
- DenyFlowInline: blocks the appropriate TCP flow from the attacker. Other connections from the attacker can still be established to the router.

Signature Loading Process

IOS IPS goes through several steps when loading the SDF (flowchart on the slide):

1. START: load the SDF from the next available configured location.
2. If the load succeeds, build the signature engines. For each engine: if the build succeeds, the SDF load is complete for that engine; if the build fails and a previous engine exists, its signatures are used; otherwise the engine is put in the Inactive state.
3. If the load fails, repeat through all configured locations until no more locations remain.
4. With no more locations: if built-in signatures are enabled, load the built-in signatures (135) and build the engines as above.
5. If built-in signatures are not enabled: with fail closed, the packet is dropped; otherwise the packet is passed unscanned.
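The flowchart above decides, from three knobs (configured SDF locations, `ip ips sdf builtin`, `ip ips fail closed`) and the engine-build results, whether traffic is scanned, dropped or passed unscanned. The following is an added example (not Cisco code and not part of the deck) that models that decision flow so the effect of each knob can be checked without a router; the location names, engine names and the `builtin_engines` default are constructed assumptions, and what happens to traffic for an engine left Inactive is not stated on the slide, so the model only records the engine state.

```python
"""Model of the Cisco IOS IPS signature-loading decision flow (added example)."""
from dataclasses import dataclass, field
from typing import Optional

BUILTIN_SIGNATURE_COUNT = 135   # number quoted on the slide


@dataclass
class LoadOutcome:
    source: Optional[str]                          # SDF that supplied signatures, "builtin", or None
    active: dict = field(default_factory=dict)     # engine -> "new" or "previous"
    inactive: list = field(default_factory=list)   # engines with no usable signatures
    traffic: str = "scanned"                       # "scanned" | "dropped" | "passed-unscanned"


def load_sdf(locations, available, builtin_enabled, fail_closed, build_ok,
             previous_engines=frozenset(), builtin_engines=("OTHER",)):
    """Walk the configured SDF locations in the order of the flowchart.

    locations        : configured 'ip ips sdf location' entries, in order
    available        : {location: [engine names in that SDF]} for SDFs that load
    builtin_enabled  : state of 'ip ips sdf builtin'
    fail_closed      : state of 'ip ips fail closed'
    build_ok         : {engine: bool} - whether the engine build succeeds (assumed input)
    previous_engines : engines already built by an earlier load
    builtin_engines  : engines populated by the built-in signatures (assumption)
    """
    source, engines = None, []
    for loc in locations:                        # "Load SDF from next available location"
        if loc in available:                     # "Success?"
            source, engines = loc, list(available[loc])
            break                                # first SDF that loads wins
    if source is None and builtin_enabled:       # "No more locations" -> "Built-in enabled?"
        source, engines = "builtin", list(builtin_engines)
    if source is None:                           # nothing to scan with -> "Fail closed?"
        traffic = "dropped" if fail_closed else "passed-unscanned"
        return LoadOutcome(source=None, traffic=traffic)

    outcome = LoadOutcome(source=source)
    for engine in engines:                       # "Build Sig Engines"
        if build_ok.get(engine, True):           # "Engine build success?"
            outcome.active[engine] = "new"
        elif engine in previous_engines:         # "Previous engine exist?" -> reuse its sigs
            outcome.active[engine] = "previous"
        else:
            outcome.inactive.append(engine)      # "Put engine in Inactive state"
    return outcome


if __name__ == "__main__":
    # Constructed scenario: the first location is missing, the second loads,
    # and one engine fails to build but has a previous build to fall back on.
    print(load_sdf(["flash:128MB.sdf", "flash:attack-drop.sdf"],
                   {"flash:attack-drop.sdf": ["ATOMIC.TCP", "STRING.UDP"]},
                   builtin_enabled=False, fail_closed=True,
                   build_ok={"STRING.UDP": False}, previous_engines={"STRING.UDP"}))
    # No SDF loads and built-ins are off: fail closed decides the traffic outcome.
    print(load_sdf(["flash:128MB.sdf"], {}, False, True, {}).traffic)
    print(load_sdf(["flash:128MB.sdf"], {}, False, False, {}).traffic)
```

The two trailing calls show the operational point of the slide that follows on fail closed: with `no ip ips sdf builtin` and a missing SDF, only `ip ips fail closed` stops the router from forwarding traffic unscanned.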

Signature Definition File (SDF)

- An SDF contains all or a subset of the signatures supported by Cisco IPS.
- An IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures. The IPS enforces the policy defined in the signature action.
- Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature.
- The SDF can be saved in the router flash memory.
- SDFs are downloaded from cisco.com.
- Two pre-built SDFs:
  – 256MB.sdf
  – 128MB.sdf

(Figure: network diagram of a Cisco IOS Firewall IPS deployment with network visibility between the Internet/WAN and the campus backbone, covering intranet servers, VPN, sales and international sales offices, suppliers, mainframe, engineering, finance and accounting.)

Issues to Consider

- Memory use and performance impact
  – Limited persistent storage
  – CPU-intensive
- Updated signature coverage
  – More than 1500 common attacks

Configuration Tasks

Install Cisco IOS Firewall IPS on the router:
1. Specify the location of the SDF.
2. Create an IPS rule.
3. Attach a policy to a signature (optional).
4. Apply the IPS rule at an interface.
5. Configure logging via syslog or SDEE.
6. Verify the configuration.

Specify Location of SDF (Optional)

router(config)# ip ips sdf location flash:128MB.sdf

Specifies the location from which the router will load the SDF 128MB.sdf. If this command is not issued, the router will load the default, built-in signatures.

Merging Signatures

router# copy flash:128MB.sdf ips-sdf
router# copy ips-sdf flash:snrs-signatures.sdf
router# configure terminal
router(config)# ip ips sdf location flash:snrs-signatures.sdf
router(config)# interface fastEthernet 0/1
router(config-if)# no ip ips SNRS-IPS in
*Apr 8 14:05:38.243: %IPS-2-DISABLED: IPS removed from all interfaces - IPS disabled
router(config-if)# ip ips SNRS-IPS in

Attach a Policy to a Given Signature (Optional)

router(config)# ip ips signature 6500 list 99
Associates an access list with a signature (here ACL 99 with signature 6500).

router(config)# ip ips signature 1000 disable
Disables signature 1000 in the SDF.

Creating an IPS Rule

router(config)# ip ips name SNRS-IPS
Creates an IPS rule named SNRS-IPS that will be applied to an interface.

IOS IPS Configuration Example: Disable Signatures

R1(config)# ip ips signature 9024 0 disable
%IPS Signature 9024:0 is disabled

R1# show ip ips signatures
Signatures were last loaded from flash:128MB.sdf
Cisco SDF release version S128.0
Trend SDF release version V0.0
Signature Micro-Engine: ATOMIC.TCP (11 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
:0 N A HIGH FA N OPACL
3038:0 Y AD HIGH FA N Y
:0 Y AD HIGH FA N Y
:0 Y AD HIGH FA N N
:0 Y AD HIGH FA N N
:0 Y AD HIGH FA N Y
:0 Y AD HIGH FA N
:0 Y A HIGH FA N N
:0 N A LOW FA N S
:0 Y A MED FA N S
:0 Y A MED FA N S40

Disabled signatures show as N in the On column.

Apply an IPS Rule at an Interface

router(config-if)# ip ips ips-name {in | out}
Applies an IPS rule at an interface.

router(config-if)# ip ips MYIPS in

Example

router(config)# ip ips sdf location flash:128MB.sdf
router(config)# ip ips fail closed
router(config)# ip ips name SNRS-IPS
router(config)# interface FastEthernet0/1
router(config-if)# ip address
router(config-if)# ip virtual-reassembly
router(config-if)# ip ips SNRS-IPS in
router(config-if)# end
*Jan 28 01:18:04.664: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded successfully from flash:128MB.sdf
... messages omitted
*Jan 28 01:18:30.452: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 5 signatures - 15 of 15 engines

Monitoring Cisco IOS Firewall IPS Signatures

(Figure: the IPS router sends alarms over the SDEE protocol to the network management console and alerts over syslog to a syslog server.)

SDEE and Syslog

- Cisco IOS Software now supports the SDEE protocol.
- SDEE uses a pull mechanism: requests come from the network management application, and the IDS or IPS router responds.
- SDEE will become the standard format for all vendors to communicate events to a network management application.
- The use of HTTP over SSL or HTTPS ensures that data is secured as it traverses the network.
- The Cisco IOS Firewall IPS router will still send IPS alerts via syslog.

Set Notification Type

router(config)# ip ips notify [log | sdee]
Sets the notification type.

router(config)# ip sdee events num_of_events
Sets the maximum number of SDEE events that can be stored in the event buffer.

Example:
router(config)# ip ips notify sdee
router(config)# ip ips notify log

Upgrade to Latest SDF

router(config)# no ip ips sdf builtin
Instructs the router not to load the built-in signatures.

router(config)# ip ips fail closed
Instructs the router to drop all packets until the signature engine is built and ready to scan traffic.

router(config)# ip ips name ips-name
Creates an IPS rule.

Verifying IPS

R1# show ip ips configuration
Configured SDF Locations:
  flash:128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 12:10:43 CST Oct
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 303
Total Inactive Signatures: 0
  Signature 50000:0 disable
  Signature 50000:1 disable
  Signature 50000:2 disable
IPS Rule Configuration
  IPS name SNRS-IPS
Interface Configuration
  Interface FastEthernet0/1
    Inbound IPS rule is SNRS-IPS
    Outgoing IPS rule is not set

Verifies that Cisco IOS IPS is properly configured.

Verifying IPS (Cont.)

R1# show ip ips signatures
Builtin signatures are configured
Signatures were last loaded from flash:128MB.sdf
Cisco SDF release version 128MB.sdf v2
Trend SDF release version V0.0
*=Marked for Deletion
Action=(A)larm,(D)rop,(R)eset
Trait=AlarmTraits MH=MinHits AI=AlarmInterval CT=ChokeThreshold TI=ThrottleInterval AT=AlarmThrottle FA=FlipAddr WF=WantFrag
Signature Micro-Engine: OTHER (4 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
:0 Y A HIGH FA N N
:0 Y A HIGH FA N N
:0 Y A HIGH FA N
:0 Y A HIGH FA N N
Signature Micro-Engine: STRING.ICMP (1 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
:0 Y A MED FA N S54
Signature Micro-Engine: STRING.UDP (16 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
:0 Y A INFO FA N S
:0 Y A INFO FA N S
:2 Y A HIGH FA N S30b

Verifying IPS (Cont.)

R1# show ip ips interfaces
Interface Configuration
  Interface FastEthernet0/1
    Inbound IPS rule is SNRS-IPS
    Outgoing IPS rule is not set

Displays the interface configuration.
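The two show commands above are what the verification step of the configuration tasks reads. As an added example (not Cisco code and not part of the deck), the following parses `show ip ips configuration` output and checks it against the settings this deck recommends: fail closed, built-in signatures turned off in favour of a pre-tuned SDF, syslog and SDEE notification enabled, and an inbound rule on every IPS interface. `SAMPLE_OUTPUT` is the slide's own output reproduced as text (the date that is missing from the transcript is left as is); the check names and messages are the example's own.

```python
"""Audit 'show ip ips configuration' output against the deck's recommendations (added example)."""
import re

# Slide output reproduced as constructed input for the parser.
SAMPLE_OUTPUT = """\
Configured SDF Locations:
  flash:128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 12:10:43 CST Oct
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 303
Total Inactive Signatures: 0
  Signature 50000:0 disable
  Signature 50000:1 disable
  Signature 50000:2 disable
IPS Rule Configuration
  IPS name SNRS-IPS
Interface Configuration
  Interface FastEthernet0/1
    Inbound IPS rule is SNRS-IPS
    Outgoing IPS rule is not set
"""

SECTION_HEADERS = ("Configured SDF Locations:", "IPS Rule Configuration", "Interface Configuration")


def parse_ips_config(text):
    """Turn the show output into a dict; lines the parser does not know are ignored."""
    cfg = {"sdf_locations": [], "builtin": None, "fail_closed": None, "notify": {},
           "active": None, "inactive": None, "disabled": [], "rules": [], "interfaces": {}}
    section, current_if = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == SECTION_HEADERS[0]:                 # SDF locations are indented 'fs:name'
            if re.fullmatch(r"\S+:\S+", line):
                cfg["sdf_locations"].append(line)
                continue
            section = None                                # first non-location line ends the list
        if (m := re.match(r"Builtin signatures are (enabled|disabled)", line)):
            cfg["builtin"] = m.group(1) == "enabled"
        elif (m := re.match(r"IPS fail closed is (enabled|disabled)", line)):
            cfg["fail_closed"] = m.group(1) == "enabled"
        elif (m := re.match(r"Event notification through (\w+) is (enabled|disabled)", line)):
            cfg["notify"][m.group(1)] = m.group(2) == "enabled"
        elif (m := re.match(r"Total (Active|Inactive) Signatures: (\d+)", line)):
            cfg[m.group(1).lower()] = int(m.group(2))
        elif (m := re.match(r"Signature (\d+:\d+) disable", line)):
            cfg["disabled"].append(m.group(1))
        elif section == SECTION_HEADERS[1] and (m := re.match(r"IPS name (\S+)", line)):
            cfg["rules"].append(m.group(1))
        elif section == SECTION_HEADERS[2]:
            if (m := re.match(r"Interface (\S+)$", line)):
                current_if = m.group(1)
                cfg["interfaces"][current_if] = {"in": None, "out": None}
            elif current_if and (m := re.match(r"(Inbound|Outgoing) IPS rule is (.+)", line)):
                direction = "in" if m.group(1) == "Inbound" else "out"
                rule = m.group(2).strip()
                cfg["interfaces"][current_if][direction] = None if rule == "not set" else rule
    return cfg


def audit(cfg):
    """Return one finding per deviation from the deck's recommended settings."""
    findings = []
    if cfg["fail_closed"] is not True:
        findings.append("fail closed is disabled: traffic passes unscanned if no SDF loads")
    if cfg["builtin"]:
        findings.append("built-in signatures are enabled: use a pre-tuned SDF and 'no ip ips sdf builtin'")
    for channel in ("syslog", "SDEE"):
        if not cfg["notify"].get(channel):
            findings.append(f"{channel} event notification is not enabled")
    if not cfg["sdf_locations"]:
        findings.append("no SDF location configured")
    if not cfg["active"]:
        findings.append("no active signatures loaded")
    for name, rules in cfg["interfaces"].items():
        if rules["in"] is None:
            findings.append(f"{name}: no inbound IPS rule")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ips_config(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

Run against the slide's output, the audit reports exactly the two deviations a reviewer would raise from this deck: fail closed is disabled, and built-in signatures are still enabled even though a pre-tuned SDF is configured.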

Verifying IPS (Cont.): Check SDEE Messages

R1# show ip sdee alerts
Alert storage: 200 alerts using bytes of memory
SDEE Alerts
   SigID   Sig Name        SrcIP:SrcPort   DstIP:DstPort or Summary Info
1: 3301:0  NbtStat Query   :               :137
2: 3301:0  NbtStat Query   :               :137
3: 3301:0  NbtStat Query   :               :137

R1# show ip sdee events
Alert storage: 200 alerts using bytes of memory
Message storage: 200 messages using bytes of memory
SDEE Events
   Time                 Type    Description
1: 03:20:11 UTC Feb     STATUS  SDF_LOAD_SUCCESS: SDF loaded successfully from flash:128MB.sdf
2: 03:20:11 UTC Feb     STATUS  ENGINE_BUILDING: OTHER - 3 signatures - 1 of 15 engines
3: 03:20:11 UTC Feb     STATUS  ENGINE_READY: OTHER - 0 ms - packets for this engine will be scanned
4: 03:20:11 UTC Feb     STATUS  ENGINE_BUILDING: MULTI-STRING - 0 signatures - 2 of 15 engines
5: 03:20:11 UTC Feb     STATUS  ENGINE_BUILD_SKIPPED: MULTI-STRING - there are no new signature definitions for this engine
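The SDEE and syslog slides describe the two channels on which the router reports both sensor status (SDF_LOAD_SUCCESS, ENGINE_BUILDING, ENGINE_READY, DISABLED) and signature alerts. As an added example (not Cisco code and not part of the deck), the following parses the syslog form of those messages into structured events and summarises them the way a collector would: alert counts per signature and per source, and a separate list of operational messages such as `%IPS-2-DISABLED`, which means the sensor has stopped scanning rather than that an attack occurred. The status lines follow the formats shown in this deck; the `%IPS-4-SIGNATURE` alert layout, the `Sev:` numbers and every address in `SAMPLE_LOG` are constructed assumptions, so `SIG_RE` should be checked against the exact format the IOS release in use emits.

```python
"""Parse Cisco IOS IPS syslog messages into events and summarise them (added example)."""
import re
from collections import Counter

# Constructed sample log: status lines in the deck's format, alert lines in an assumed format.
SAMPLE_LOG = """\
*Jan 28 01:18:04.664: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded successfully from flash:128MB.sdf
*Jan 28 01:18:30.452: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 5 signatures - 15 of 15 engines
*Jan 28 01:18:30.460: %IPS-6-ENGINE_READY: ATOMIC.L3.IP - 8 ms - packets for this engine will be scanned
*Jan 28 01:19:02.101: %IPS-4-SIGNATURE: Sig:3301 Subsig:0 Sev:2 NbtStat Query [192.0.2.10:137 -> 192.0.2.20:137]
*Jan 28 01:19:02.305: %IPS-4-SIGNATURE: Sig:3301 Subsig:0 Sev:2 NbtStat Query [192.0.2.10:137 -> 192.0.2.21:137]
*Jan 28 01:19:05.777: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:1 ICMP Echo Request [192.0.2.33 -> 192.0.2.20]
*Apr  8 14:05:38.243: %IPS-2-DISABLED: IPS removed from all interfaces - IPS disabled
"""

# "*Jan 28 01:18:04.664: %IPS-<severity>-<MNEMONIC>: <message>"
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+):\s*"
    r"%IPS-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$")
# Assumed alert layout: Sig:<id> Subsig:<n> Sev:<n> <name> [<src>[:port] -> <dst>[:port]]
SIG_RE = re.compile(
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sigsev>\d+) "
    r"(?P<name>.+?) \[(?P<src>\S+) -> (?P<dst>\S+)\]")


def parse_ips_syslog(text):
    """Return one dict per %IPS message; lines from other facilities are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sev"] = int(ev["sev"])
        if ev["mnemonic"] == "SIGNATURE":
            a = SIG_RE.search(ev["msg"])
            if a:
                ev.update(a.groupdict())
                ev["sig"], ev["subsig"] = int(ev["sig"]), int(ev["subsig"])
                ev["src_ip"] = ev["src"].rsplit(":", 1)[0]   # strip the port when present
        events.append(ev)
    return events


def summarize(events):
    """Aggregate alerts and pull out sensor-state messages that need separate handling."""
    alerts = [e for e in events if e["mnemonic"] == "SIGNATURE" and "sig" in e]
    return {
        "alerts_by_sig": Counter((e["sig"], e["subsig"], e["name"]) for e in alerts),
        "alerts_by_src": Counter(e["src_ip"] for e in alerts),
        # Severity 0-2 messages describe the sensor itself (DISABLED = IPS removed from all
        # interfaces); they signal a monitoring gap, not an attack, and deserve their own alert.
        "operational": [e["mnemonic"] for e in events if e["sev"] <= 2],
        "engines_ready": [e["msg"].split(" - ")[0] for e in events if e["mnemonic"] == "ENGINE_READY"],
    }


if __name__ == "__main__":
    summary = summarize(parse_ips_syslog(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Keeping the operational messages apart from the alert counters matters for the merging procedure shown earlier: removing and re-applying the IPS rule produces `%IPS-2-DISABLED`, and a collector that only counts signature hits would never notice the window in which nothing was scanned.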

clear Commands

router# clear ip ips configuration
Removes all intrusion prevention configuration entries and releases dynamic resources.

router# clear ip ips statistics
Resets statistics on packets analyzed and alarms sent.

router# clear ip sdee {events | subscriptions}
Clears SDEE events or subscriptions.

debug Commands

router# debug ip ips timers
router# debug ip ips object-creation
router# debug ip ips object-deletion
router# debug ip ips function trace
router# debug ip ips detailed
router# debug ip ips ftp-cmd
router# debug ip ips ftp-token
router# debug ip ips icmp
router# debug ip ips ip
router# debug ip ips rpc
router# debug ip ips smtp
router# debug ip ips tcp
router# debug ip ips tftp
router# debug ip ips udp

Instead of no, the undebug command may be used.

Summary

- The Cisco IOS IPS acts as an inline intrusion prevention sensor.
- An SME is a component of Cisco IOS IPS that supports signatures in a certain category.
- Cisco IOS IPS contains 135 built-in signatures but can be loaded with over 1500 signatures from signature definition files.
- Cisco IOS IPS has two main deployment scenarios.
- Several tasks are required to configure Cisco IOS IPS on a router.
- Alert logging for IOS IPS can be done with syslog and SDEE.
- An important part of IPS is keeping up with the latest attack signatures.
- There are several commands available to verify and troubleshoot IPS configuration and operation.
