Implementing Cisco IOS IPS

Implementing Cisco IOS IPS

In this section, we introduce the Cisco IOS IPS router solution and walk through a complete configuration using the Cisco SDM. We will also look at logging options available and methods in both the SDM and the CLI to verify the configuration.

Cisco states that the Cisco IOS IPS is an inline network IPS. Actually, it’s a bit redundant saying this, since we have established that whether a device is inline to the traffic or analyzes copies of the traffic offline is what marks the difference between IPS and IDS technology in the first place. Regardless, one of the advantages of having the IPS run on the router is that, unlike IPS deployments where the sensor and the router are separate and must be configured to cooperate with one another, the IPS logic is integral to the router and can leverage on the router’s firewall to take response actions to intrusions. We covered the various response actions in the last section.

Cisco IOS IPS Feature Blend

Cisco IOS IPS blends features from the Cisco IPS 4200 Series of sensors, as well as the IDSM module for the Cisco Catalyst 6500 Series of switches. It uses three main detection technologies:

  • Profile-based
  • Signature-based
  • Protocol analysis-based

The first two were discussed in the last section. The third was not and bears some discussion. Protocol analysis-based technology simply means that the IPS analyzes the complete structure of the IP packets and their layer 4 through 7 payload to look for suspicious or abnormal activity. If this analysis was based solely on the protocols’ standards, a lot of traffic would be flagged as anomalous. Instead, this is the Cisco IOS IPS signatures common practice rather than some ideal, reflecting the fact that many protocols violate standards in some fashion.

Cisco IOS IPS Primary Benefits

Cisco specifies the following benefits for the IOS IPS:

  • Attack Signatures. Over 2,000 are supported, using a common database across Cisco IPS appliances.
  • Management Tool Support. Supported by Cisco SDM, Cisco Security MARS, Cisco Security Manager, and Cisco IEV.
  • Cisco Self-Defending Network. Integrates into a Self-Defending Network made up of Cisco IPS, Cisco IOS Firewall, Cisco VPN, and Cisco NAC solutions.
  • Inline IPS. All inbound and outbound traffic has to flow through the IPS, meaning that malicious traffic can be detected both inside and outside the network.
  • Multi-Threat Detection. Easily integrates into existing network infrastructure to protect against threats to network infrastructure, servers, and other endpoints.
  • Router Integration. Cisco IOS IPS’s use of the underlying router infrastructure adds an extra layer of security.

Cisco IOS IPS Signature Integration

As stated, the Cisco IOS IPS borrows heavily from the Cisco IPS 4200 Series of sensors and Catalyst 6500 IDSM IPS modules. Table 8.8 shows the features of the signatures in the Cisco IOS IPS.

Implementing Cisco IOS IPStb8.8

Configuring Cisco IOS IPS with the Cisco SDM

We configure the Cisco IOS IPS using the Cisco SDM, starting with an IOS router with no IPS configuration on it.

There’s no requirement that the IOS IPS work in conjunction with either CBAC (Cisco IOS classic firewall) or the newer Zone-Based Policy Firewall (ZPF), both of which were discussed in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.” The Cisco IOS IPS could simply be added to basic router functionality on the edge of the network for network designers that subscribe to the separation of services philosophy, with a firewall configured with Cisco ZPF establishing a separate, inner perimeter.

Figure 8.9 illustrates the Cisco SDM home page, indicating an unconfigured IOS IPS.

Implementing Cisco IOS IPSfig8.9

Figure 8.10 illustrates the SDM Configure->Intrusion Prevention System (IPS) window.

Implementing Cisco IOS IPSfig8.10
Before we start configuring the IPS, let’s look at some of the choices we have when we navigate to Configure->Intrusion Prevention from the home page in the Cisco SDM, as indicated in Figure 8.10. Along the top of the Intrusion Prevention System (IPS) window are these choices, presented as tabs:

  • Create IPS. Contains a single choice—the IPS Rule wizard (see the following note) used to automate the creation of a Cisco IOS IPS rule and all facets of configuring the IPS.
  • Edit IPS. Enables you to manually edit Cisco IOS IPS rules and either associate or disassociate them from interfaces.
  • Security Dashboard. Enables you to view Cisco’s Top Threat table and deploy signatures to counter those threats.
  • IPS Migration. This is used to migrate IOS IPS configurations, which
    were created in earlier versions of the Cisco IOS software. You must be running IOS Software Release 12.4(11)T or later to use this function. There is also the Launch IPS Rule Wizard button that (although you really want to press it now!) we will look at shortly.
Substitute the words “IPS signature configuration” for “IPS rule configuration” every time you see it in the SDM. In some of the dialogs, SDM calls signatures “rules.” This is inconsistent use of the word “rule” because the Launch IPS Rule Wizard button (see Figure 8.10, as well as the previous paragraph) does not launch a wizard where you can change the signatures! The word “rule” in that context means policy. Ouch! While we’re on the subject, sharp-eyed readers will notice that the SDM wizard is called the Intrusion Prevention System wizard, whereas we have been calling it the Intrusion Protection System up to now. This is just semantics, and you shouldn’t read anything into the difference because they actually mean the same thing. Just when you thought you were figuring out the terminology!

The reference diagram for configuring Cisco IOS IPS is found in Figure 8.11. It is a slight modification to the reference diagram found in Figure 8.6 that we have been using in this chapter. The management VLAN is VLAN 3. The production VLAN is VLAN 1. This is where the wired workstations reside that belong to our internal knowledge workers. Similarly, there is a separate VLAN, VLAN 99, deployed for our wireless hotspot. Essentially, all three of these VLANs represent internal networks for the purpose of configuring the IOS IPS. FastEthernet 4 is the external, Internet-facing interface.

Implementing Cisco IOS IPSfig8.11
Because there is currently no IPS configured, we follow these steps to configure the Cisco IOS IPS:

  1. Navigate to Configure->Intrusion Prevention->Create IPS. The screen that appears is illustrated in Figure 8.12.Implementing Cisco IOS IPSfig8.12
  2. Push the Launch IPS Rule Wizard button.
  3. If this is a first-time configuration, an information window appears, indicating that “SDM will open a subscription with the router to get the SDEE events.” Press OK.
  4. The Welcome to the IPS Policies Wizard screen appears. Click Next. The Select Interfaces screen opens and is illustrated in Figure 8.13.
  5. Place a check mark beside each interface in the check box corresponding to the direction, Inbound and Outbound, that you want to inspect the packets for signs of intrusion. In this example, FastEthernet4 is the Internet-facing interface, and Vlan1, Vlan3, and Vlan99 are all inside the perimeter (refer to Figure 8.11) .
  6. Click Next. The Signature File and Public Key window appears and is illustrated in Figure 8.14.
    Recall that there are no built-in signatures as of IOS Software Release 12.4(11)T. Some IOS routers ship from Cisco with SDF (Signature Definition Files) already in flash memory. Also, when you download and install the SDM, there are SDF files included with the SDM archive for different amounts of RAM that can get you started without having to go to CCO. That said, the latest signature files are available on CCO to users with sufficient access.

    Implementing Cisco IOS IPSfig8.13

    Implementing Cisco IOS IPSfig8.14
    In this window, you can push either of two radio buttons:

    • Specify the signature file you want to use with the IOS IPS.
    • Get the latest signature file from and save to PC.
      If you choose the first choice, you will be led through a dialog that enables you to fetch the signature file from one of the following: router flash, the local PC, or the URL of an external source such as a web server.

      NOTEWhen fetching the file from your PC, the signature file will be of the form, where xxx is the signature set’s version number. If you choose to specify the router’s flash, use the format IOS-Sxxx-CLI.pkg.If you choose the second choice, you will be prompted for where you want to save the file; you then are prompted for your username and password on CCO and to save the SDF file (in .zip format) to your local PC’s hard drive and subsequently install on the IPS. Incidentally, this will also download the update files in the form of a .pkg file, which you can push to the router (see the preceding note).
      In both cases, you must enter the name and value of Cisco’s public key before you proceed. This is because any changes you make to the signatures (so called “deltas”) will need to be signed with this key for security reasons. You must visit this URL to look up both the name of the key to put in the Name field and the key’s value to put in the Key field. The URL is Enter the values in both fields as indicated; then proceed by clicking Next.
  7. The Config Location and Category windows appear as illustrated in Figure 8.15.
    You are presented with these options:

    • Config Location. Specify where the IPS configuration, .pkg files, and delta files are located. This may be in router flash or on an external server such as an HTTP server specified by URL. Follow the prompts.
    • Signature Category.
    • Basic. If the router has 128MB or less of flash, Cisco recommends using the Basic category to avoid memory allocation errors.
    • Advanced. If the router has more than 256MB of flash, you may choose the Advanced category.
      Implementing Cisco IOS IPSfig8.15

      The Cisco IINS v1.0 courseware that was referenced for this Exam Cram specifies that Basic is recommended for 128MB or less of flash memory vs. RAM. This isn’t correct (and doesn’t make sense). This URL at Cisco indicates otherwise. Remember, though, that what’s in the course is always the right wrong answer! ( iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html)
  8. Click Next when you have filled out the information per the previous step. The Summary window of the IPS Policies Wizard appears. This is illustrated in Figure 8.16.
  9. Review the information in the window; then click Finish to deliver the configuration to the router. Click OK on the Commands Delivery Status window when this has been completed. The IOS IPS Configuration Status window appears, indicating that the signatures are being configured on the router. This is illustrated in Figure 8.17.Implementing Cisco IOS IPSfig8.17
    Implementing Cisco IOS IPSfig8.16
  10. After the IPS Configuration has been completed, the Configure> Intrusion Prevention window appears, this time with the Edit IPS tab selected, as illustrated in Figure 8.18. Review the information in this window:

Implementing Cisco IOS IPSfig8.18

Looking at the bottom of the Edit IPS screen in Figure 8.18 indicates that no filters have been set for the traffic that will be inspected (inbound, in this example) on the interfaces. Thus when you select an interface, the warning “IPS rule is enabled, but there is no filter configured for this rule. IPS will scan all inbound traffic” appears. This can be fine-tuned separately if desired.

When you return to the Cisco SDM home page, the working IPS configuration can be seen as in Figure 8.19. In the right-bottom quadrant of the screenshot in Figure 8.19, we learn the following:

  • Total Active Signatures: 373. These are the number of signatures that are active out of the total possible signatures in the signature database.
  • No. of IPS-enabled Interfaces: 4. This makes sense because we enabled IPS on VLANs 1, 3, and 99 and FastEthernet 4 (see Figures 8.11 and 8.13).
  • Signature Version: S332.0. This is the version of the signature file that we downloaded and installed from Cisco.

Implementing Cisco IOS IPSfig8.19
If you were looking at syslog output (if configured) or you had a terminal window to the CLI open while the IPS was being configured, you might see some interesting output as the micro-engines are being compiled into RAM. First, let’s examine what the %IPS-6-ENGINE message text means in the IPS messages that are displayed to the terminal:

  • ENGINE_BUILDS_STARTED. Each micro-engine starts the compile process. Recall from the previous section that this part of the process consumes more RAM than is used once the build completes.
  • ENGINE_BUILDING. The micro-engines is in the process of being compiled. Note that this is done consecutively until all the microengines that have enabled signatures are compiled into memory.
  • ENGINE_READY. The compile process for the micro-engine is complete. The next engine starts.

Now here is an example of the screen output of an actual terminal session. Note that the term monitor command has been executed to ensure that the terminal windows that we are using will see output that would normally be directed to the default output device, console 0. We would not need to use this command if this output was taken from a terminal connected to console 0. The output represents the 13 signature micro engines (SMEs) compiling signatures and the number of signatures that are being compiled per SME.

The highlights in the previous command output indicate the SME that was loaded as well as the number of signatures that have been compiled for each SME. Compare the output with the SME names in Table 8.7  You can verify that the signatures are loaded by entering the show ip ips signatures count command. The Cisco SDF release version number, the names of the SMEs, and the total number of signatures is highlighted for reference.

Note that the output of the show ip ips signatures count command shows the signatures organized by micro-engine and in the same order that they were compiled, as was seen in the syslog output.

Cisco IOS IPS CLI Configuration

Here are the basic commands used to configure the IOS IPS with the CLI. We’ll start with an example that matches the worked example that we have just completed with the SDM and then look at the commands one by one and in the order shown (note: the configuration for interfaces Vlan99 and Vlan3 has been omitted):

Here is an explanation of the commands (see the previous configuration for specific examples used in our reference network):

  • ip ips config location. This global configuration command specifies the location of the IPS configuration. In this example, it is in the flash:/ips/ directory.
  • ip ips notify. This global configuration command specifies the method of event notification. In this example, SDEE is being used.
  • ip ips name. This global configuration command specifies the IPS rule (policy) name—sdm_ips_rule in this example.
  • ip ips signature-category. This global configuration command configures the router to support the default basic or advanced signature set.
  • p ips ips_rule_name. This interface configuration command applies the named IPS rule (policy) on the selected interface.
  • ip virtual-reassembly. This interface configuration command turns on Virtual Fragment Reassembly (VFR). Dynamic ACLs are created to protect the network against various fragmentation attacks.

Configuring IPS Signatures

This section examines the steps required to configure IPS signatures using the SDM.

Configuring IPS Signature Severity

You may recall earlier that one of Cisco’s recommendations for IPS best practices is to set the alert level of any signature to the severity level of the signature itself. You can set the severity level of a signature, both the included ones as well as ones you create, by following these steps:

  1. From the SDM, navigate to Configure->Intrusion Prevention->Edit IPS->Signatures->All Categories. The list of all signatures appears, as illustrated in Figure 8.20.
    Implementing Cisco IOS IPSfig8.20
  2. Select the signature whose severity level you want to change; then rightclick to bring up the context menu. Select Set Severity Level to and select from: high, informational, low, or medium. This is illustrated in Figure 8.20
  3. Click Apply Changes in the Edit IPS window when you are done.

Configuring Signature Actions

Recall that IPS signatures have default actions or “responses.” (See the subsection “Signature Attack Responses” for a complete list of responses and their meaning.) The SDM enables you to change these actions. To change the action for a signature, follow these steps (using the Email signature category as an example):

  1. From the SDM, navigate to Configure->Intrusion Prevention->Edit IPS->Signatures->Email.
  2. Select the signature whose severity level you want to change; then rightclick to bring up the context menu. Select Assign Actions from the context menu. A new Assign Actions window appears, as illustrated in Figure 8.21.Implementing Cisco IOS IPSfig8.21
  3. Place a check mark in the box beside the action(s) you want to take.
    The actions you can choose from are the following:

    • Deny Attacker Inline
    • Deny Connection Inline
    • Deny Packet Inline
    • Produce Alert (the default for this IMAP Email Signature)
    • Reset TCP Connection
  4. Click OK.
  5. Click Apply Changes in the Edit IPS window when you are done.

Editing IPS Signatures Using Cisco SDM

You can edit a signature, both the included ones as well as ones you create, by following these steps. This example will choose a signature from the
Reconnaissance category called TCP Ports Sweeps:

  1. From the SDM, navigate to Configure->Intrusion Prevention->Edit
    IPS->Signatures->Reconnaissance->TCP Ports Sweeps.
  2. Select the signature you want to edit and click the Edit button.
  3. The Edit Signature window appears, as illustrated in Figure 8.22.Implementing Cisco IOS IPSfig8.22
    The parameters you see depend on the signature. Here’s a list of what you may edit in this window, depending on the signature:

    • Signature ID. Unique number assigned to each signature.
    • SubSignature ID. Unique number assigned to the subsignature. Allows for more granularity of signature definitions.
    • Alert Severity. Defines the severity of alert sent to the sensor when this signature triggers.
    • Sig Description. This is a section where you can give the signature a name, put in user comments, alert notes, alert traits, and release number. Certain of these parameters are pre-defined (though editable) for Cisco signatures.
    • Engine. Specifies information as to which micro-engine this signature uses.
    • Event Counter. This is a section where you can define the event count, event count key, and whether a specific alert interval is to be specified (useful for rate-limiting to defend against DoS attacks against the IPS).
    • Alert Frequency. Define frequency of the alert.
    • Status. This section specifies whether the signature is enabled or disabled and whether or not it is retired.
  4. Click OK when you are done with the changes.
  5. Click Apply Changes in the Edit IPS window when you are done.

SDEE and Syslog Logging Protocol Support

The Cisco IOS IPS supports both the Security Device Event Exchange (SDEE) and syslog protocols to send alerts. Recall that an alarm is generated when an enabled signature is triggered. The alarms are stored in a buffer on the sensor. One disadvantage of syslog is that the syslog server is passive, relying on the sensor to send alerts to it. This is indicated by the arrow in Figure 8.23 pointing to the syslog server from the Cisco IOS IPS. SDEE, on the other hand, is a subscription type of service where hosts can pull alarms from the sensor at any time. This is indicated by the two-headed arrow indicated in Figure 8.23. SDEE-format messages are much richer in their information content.

Implementing Cisco IOS IPSfig8.23
Here are some other things you need to know about SDEE:

  • 1,000 events can be stored in the SDEE buffer. 200 is the default. Disabling SDEE notification erases the buffer.
  • Network management applications pull SDEE messages from the IOS IPS.
  • SDEE is evolving as the standard format for security reporting network management.
  • SDEE is vendor-independent.
  • SDEE uses HTTP or HTTPS (more secure) for transport, thus must be enabled on the router.
  • The IOS IPS still sends alerts via syslog.

Viewing the SDEE Message Log

Navigate to Monitor->Logging->SDEE Message Log to view the SDEE message log. This dialog is illustrated in Figure 8.24.
Here’s an example of an SDEE message captured in the CLI. The IPS is sending an alert of a possible fragmentation attack since signature 1207 has been triggered:
May 20 12:37:24.723: %IPS-4-SIGNATURE: Sig:1207 Subsig:0 Sev:25 IP
Fragment Too Many Datagrams [ ->] RiskRating:25

Implementing Cisco IOS IPSfig8.24

Viewing the Syslog Message Log

Navigate to Monitor->Logging->Syslog to view the syslog message log. This dialog is illustrated in Figure 8.25.

Implementing Cisco IOS IPSfig8.25

Verifying IOS IPS Operation

This section outlines procedures to verify IOS IPS operation with both the SDM and the CLI.

Verifying IPS Policies (Rules)

Navigate to Configure->Intrusion Prevention->Edit IPS to verify that IPS has been enabled on interfaces and in which direction. This is illustrated in
Figure 8.26.

Implementing Cisco IOS IPSfig8.26
Also note in Figure 8.26 that VFR (Virtual Fragment Reassembly) has been enabled on all of the interfaces. The IOS IPS cannot detect intrusions by examining fragments of IP packets. They must be coalesced so the entire packet can be checked. Of course, the Edit IPS tab can be used to edit and not just verify the IPS!

Verifying the IPS Configuration

The command show ip ips configuration (reviewed previously) can be used to verify a summary of the IPS configuration, including the configured location of the files, name of policies (rules), and which interfaces they have been applied on and in which direction. These are highlighted in the following command output:

Verifying IPS Interfaces

If you simply want to see which interface(s) the policies (rules) have been applied on, you can use the show ip ips interfaces command. Here we see the SDMgenerated IPS policy sdm_ips_rule applied inbound on Vlan1, Vlan3, Vlan99, and FastEthernet 4:

Verifying All Cisco IOS IPS Settings

To view all the Cisco IOS IPS settings, including information that is not displayed with the show ip ips configuration command, use the show ip ips all command. In the following output, we see that both syslog and SDEE logging has been enabled and that there are 373 active signatures and 1,888 inactive signatures:

About the author


Leave a Comment