© 2006 Cisco Systems, Inc. All rights reserved. ISCW v

Cisco IOS Threat Defense Features
Configuring Cisco IOS IPS

Cisco IOS IPS Configuration Steps

1. Configure basic IPS settings:
   – Specify SDF location
   – Configure failure parameter
   – Create an IPS rule and, optionally, combine it with a filter
   – Apply the IPS rule to interface
2. Configure enhanced IPS settings:
   – Merge SDFs
   – Disable, delete, and filter selected signatures
   – Reapply the IPS rule to the interface
3. Verify the IPS configuration.

Configure Basic IPS Settings

    Router# show running-config | begin ips
    ! Drop all packets until IPS is ready for scanning
    ip ips fail closed
    ! IPS rule definition
    ip ips name SECURIPS list 100
    !
    ...
    interface Serial0/0
     ip address
     ! Apply the IPS rule to interface in inbound direction
     ip ips SECURIPS in
    ...

Configure Enhanced IPS Settings

    ! Merge built-in SDF with attack-drop.sdf, and copy to flash
    Router# copy flash:attack-drop.sdf ips-sdf
    Router# copy ips-sdf flash:my-signatures.sdf
    Router# show running-config | begin ips
    ! Specify the IPS SDF location
    ip ips sdf location flash:my-signatures.sdf
    ip ips fail closed
    ! Disable sig 1107, delete sig 5037, filter sig 6190 with ACL 101
    ip ips signature disable
    ip ips signature delete
    ip ips signature list 101
    ip ips name SECURIPS list
    interface Serial0/0
     ip address
     ! Reapply the IPS rule to take effect
     ip ips SECURIPS in
    ...

Verifying IOS IPS Configuration

    Router# show ip ips configuration
    Configured SDF Locations:
      flash:my-signatures.sdf
    Builtin signatures are enabled but not loaded
    Last successful SDF load time: 13:45:38 UTC Jan
    IPS fail closed is enabled
    ...
    Total Active Signatures: 183
    Total Inactive Signatures: 0
    Signature 6190:0 list 101
    Signature 1107:0 disable
    IPS Rule Configuration
      IPS name SECURIPS
        acl list 100
    Interface Configuration
      Interface Serial0/0
        Inbound IPS rule is SECURIPS
        Outgoing IPS rule is not set
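
The verification step can also be run offline against a saved running-config. The script below is an added example, not part of the original slides or of any Cisco tool: it checks for the basic settings listed in the configuration steps and cross-checks rule definitions against interface bindings. The function name `audit_ips` and the sample configuration are constructed for illustration, and the parser assumes interface sub-commands are indented as the router prints them.

```python
import re

# Constructed sample (not from the slides): "ip ips fail closed" is absent,
# rule TESTIPS is applied but never defined, FastEthernet0/1 has no rule.
SAMPLE = """\
ip ips sdf location flash:my-signatures.sdf
ip ips name SECURIPS list 100
!
interface Serial0/0
 ip ips SECURIPS in
interface FastEthernet0/0
 ip ips TESTIPS in
interface FastEthernet0/1
 no ip address
!
"""

def audit_ips(config):
    """Return (findings, interfaces without an IPS rule) for a running-config."""
    rules, applied, sdf, fail_closed, iface = set(), {}, [], False, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split(None, 1)[1]
            applied[iface] = []
        elif raw and not raw[0].isspace():
            iface = None  # unindented line: back in global configuration mode
        if line == "ip ips fail closed":
            fail_closed = True
        elif m := re.fullmatch(r"ip ips sdf location (\S+)", line):
            sdf.append(m.group(1))
        elif m := re.fullmatch(r"ip ips name (\S+)(?: list \S+)?", line):
            rules.add(m.group(1))
        elif iface and (m := re.fullmatch(r"ip ips (\S+) (in|out)", line)):
            applied[iface].append((m.group(1), m.group(2)))
    findings = []
    if not fail_closed:
        findings.append("'ip ips fail closed' missing: packets are not dropped while IPS is not ready")
    if not sdf:
        findings.append("no 'ip ips sdf location' configured")
    used = {name for refs in applied.values() for name, _ in refs}
    findings += [f"rule {n} applied but not defined" for n in sorted(used - rules)]
    findings += [f"rule {n} defined but not applied" for n in sorted(rules - used)]
    return findings, sorted(i for i, refs in applied.items() if not refs)

if __name__ == "__main__":
    findings, bare = audit_ips(SAMPLE)
    print("\n".join(findings))
    print("interfaces without an IPS rule:", bare)
```

An interface listed without an IPS rule is not necessarily a defect; it is a prompt to confirm that the omission is intended.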

Cisco IOS IPS SDM Tasks

Tasks included in the IPS Policies wizard:
   – Quick interface selection for rule deployment
   – Identification of the flow direction
   – Dynamic signature update
   – Quick deployment of default signatures
   – Validation of router resources before signature deployment
Signature customization available in the SDM IPS Edit menu:
   – Disable
   – Delete
   – Modify parameters

Selecting Interfaces and Configuring SDF Locations

Launching the IPS Policies Wizard
   – Launch the wizard with the default signature parameters
   – Customization options

IPS Policies Wizard Overview

Identifying Interfaces and Flow Direction
   – Select interface
   – Identify direction

Selecting SDF Location
   – Add SDF location
   – Optionally, use built-in signatures as backup

Selecting SDF Location (Cont.)
   – Select location from flash
   – Select location from network

Selecting SDF Location (Cont.)

Viewing the IPS Policy Summary and Delivering the Configuration to the Router

Viewing the IPS Policies Wizard Summary

Verifying IPS Deployment

Configuring IPS Policies and Global Settings

IPS Policies

Global Settings

Viewing SDEE Messages

Viewing All SDEE Messages
   – Select message type for viewing

Viewing SDEE Status Messages
   – Status messages report the engine states

Viewing SDEE Alerts
   – Signatures fire SDEE alerts

Tuning Signatures

Selecting a Signature
   – Edit signature

Editing a Signature
   – Click to edit
   – Select severity

Disabling a Signature Group
   – Screenshot callouts: Select category; Select All; Disable

Verifying the Tuned Signatures

Summary

   – You can configure IPS policy on a router by using the CLI or the SDM. CLI does not display the signature parameters.
   – IPS CLI allows you to specify SDF locations, merge SDF files, disable signatures, assign rules to interfaces, and limit the detection scope using ACLs.
   – SDM offers a wizard that simplifies the IPS configuration.
   – IPS Policies wizard deploys default signature definitions from a specified SDF location. You can then use the SDM to edit the policy and modify global settings.
   – SDM offers a view for SDEE messages containing status, errors, and alerts.
   – You can use the SDM to tune the signature parameters.