10- Implementing IOS-Based IPS 
Ahmed Sultan 
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH 
© 2009 Cisco Learning Institute. 1
Intrusion Prevention Systems (IPSs) 
1. An attack is launched on a network that has a sensor deployed in IPS mode (inline mode).
2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.
3. The IPS sensor can also send an alarm to a management console for logging and other management purposes.
4. Traffic in violation of policy can be dropped by an IPS sensor.
[Diagram: the inline sensor sits in the path between the attacker and the target; packets that match a signature are dropped into the bit bucket and an alarm is sent to the management console]
Intrusion Detection Systems (IDSs) 
1. An attack is launched on a network that has a sensor deployed in promiscuous IDS mode; copies of all packets are sent to the IDS sensor for analysis. However, the target machine still receives the malicious traffic.
2. The IDS sensor matches the malicious traffic to a signature and sends the switch a command to deny access to the source of the malicious traffic.
3. The IDS can also send an alarm to a management console for logging and other management purposes.
[Diagram: attack traffic passes through the switch to the target; the switch mirrors a copy to the promiscuous sensor, which can instruct the switch to block the source and sends alarms to the management console]
Common characteristics of IDS and IPS
• Both technologies are deployed using sensors.
• Both technologies use signatures to detect patterns of misuse in network traffic.
• Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).
Comparing IDS and IPS Solutions: Promiscuous Mode IDS
Advantages:
• No impact on network (latency, jitter)
• No network impact if there is a sensor failure
• No network impact if there is sensor overload
Disadvantages:
• Response action cannot stop trigger packets
• Correct tuning required for response actions
• Must have a well thought-out security policy
• More vulnerable to network evasion techniques
Comparing IDS and IPS Solutions: Inline Mode IPS
Advantages:
• Stops trigger packets
• Can use stream normalization techniques
Disadvantages:
• Sensor issues might affect network traffic
• Sensor overloading impacts the network
• Must have a well thought-out security policy
• Some impact on network (latency, jitter)
Network-Based Implementation 
[Diagram: network-based deployment; an IPS sensor sits behind the firewall in front of the web, email and DNS servers, alongside IronPort, MARS and the VPN connections from the remote worker and remote branch, with CSA on the hosts]
Host-Based Implementation 
[Diagram: host-based deployment; CSA agents on the web, email and DNS servers, on the remote worker and remote branch hosts and on internal hosts report to the Management Center for Cisco Security Agents, alongside the firewall, IPS, IronPort, MARS and VPNs]
Cisco Security Agent
[Diagram: CSA agents on the DNS, web, application and SMTP servers and on corporate-network hosts report to the Management Center for Cisco Security Agents; a firewall separates the corporate network from the untrusted network]
Cisco IPS Solutions 
AIM and Network Module Enhanced 
• Integrates IPS into the Cisco 1841 (IPS AIM only), 2800 and 3800 
ISR routers 
• IPS AIM occupies an internal AIM slot on router and has its own 
CPU and DRAM 
• Monitors up to 45 Mb/s of traffic 
• Provides full-featured intrusion protection 
• Is able to monitor traffic from all router interfaces 
• Can inspect GRE and IPsec traffic that has been decrypted at the 
router 
• Delivers comprehensive intrusion protection at branch offices, 
isolating threats from the corporate network 
• Runs the same software image as Cisco IPS Sensor Appliances 
Cisco IPS Solutions 
ASA AIP-SSM 
• High-performance module designed to provide additional 
security services to the Cisco ASA 5500 Series Adaptive 
Security Appliance 
• Diskless design for improved reliability 
• External 10/100/1000 Ethernet interface for management 
and software downloads 
• Intrusion prevention capability 
• Runs the same software image as the Cisco IPS Sensor 
appliances 
Cisco IPS Solutions 
4200 Series Sensors 
• Appliance solution focused on protecting network 
devices, services, and applications 
• Sophisticated attack detection is provided. 
Cisco IPS Solutions 
Cisco Catalyst 6500 Series IDSM-2 
• Switch-integrated intrusion protection module 
delivering a high-value security service in the 
core network fabric device 
• Support for an unlimited number of VLANs 
• Intrusion prevention capability 
• Runs the same software image as the Cisco IPS 
Sensor Appliances 
IPS Sensors 
• Factors that impact IPS sensor selection and 
deployment: 
- Amount of network traffic 
- Network topology 
- Security budget 
- Available security staff 
• Size of implementation 
- Small (branch offices) 
- Large 
- Enterprise 
Signature Characteristics 
"Hey, come look at this. This looks like the signature of a LAND attack."
• An IDS or IPS sensor matches a signature with a data flow
• The sensor takes action
• Signatures have three distinctive attributes
- Signature type
- Signature trigger
- Signature action
Cisco Signature List 
Signature Alarms
Alarm Type      Network Activity      IPS Activity         Outcome
False positive  Normal user traffic   Alarm generated      Tune alarm
False negative  Attack traffic        No alarm generated   Tune alarm
True positive   Attack traffic        Alarm generated      Ideal setting
True negative   Normal user traffic   No alarm generated   Ideal setting
Cisco IPS Solutions 
• Locally Managed Solutions: 
- Cisco Configuration Professional (CCP) 
• Centrally Managed Solutions: 
- Cisco IDS Event Viewer (IEV) 
- Cisco Security Manager (CSM) 
- Cisco Security Monitoring, Analysis, and Response 
System (MARS) 
Cisco IPS Device Manager 
• A web-based configuration tool
• Shipped at no additional cost with the Cisco IPS Sensor Software
• Enables an administrator to configure and manage a sensor
• The web server resides on the sensor and can be accessed through a web browser
Cisco IPS Event Viewer 
• View and manage alarms for up to five sensors
• Connect to and view alarms in real time or in imported log files
• Configure filters and views to help you manage the alarms
• Import and export event data for further analysis
Cisco Security Manager 
• Powerful, easy-to-use solution to centrally provision all aspects of device configurations and security policies for Cisco firewalls, VPNs, and IPS
• Support for IPS sensors and Cisco IOS IPS
• Automatic policy-based IPS sensor software and signature updates
• Signature update wizard
Cisco Security Monitoring, Analysis, and Response System
• An appliance-based, all-inclusive solution that allows network and security administrators to monitor, identify, isolate, and counter security threats
• Enables organizations to more effectively use their network and security resources
• Works in conjunction with Cisco CSM
Secure Device Event Exchange 
[Diagram: the sensor sends alarms to the network management console over the SDEE protocol and to a syslog server over syslog]
• The SDEE format was developed to improve communication of events generated by security devices
• Allows additional event types to be included as they are defined
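Once `ip ips notify log` is on, every signature hit reaches the syslog server as a `%IPS-4-SIGNATURE` message, and the tuning loop from the Signature Alarms table above (alarm on normal traffic = false positive, tune it) is done against those lines. The following is an added example, not part of the original slides: it parses constructed sample lines in the field layout IOS IPS uses for these alerts (check the layout against your own router's output), separates alerts from a known-benign source such as an internal vulnerability scanner (the `KNOWN_BENIGN_SOURCES` set is an assumption for the example), and reports which signatures are firing almost only on that benign traffic and are therefore tuning candidates. SDEE delivers the same events over HTTP to a management console and is not covered here.

```python
"""Parse IOS IPS syslog alerts (%IPS-4-SIGNATURE) and flag tuning candidates.

Added example, not from the original slides. The log lines below are
constructed for this example in the field layout IOS IPS uses for
`ip ips notify log` alerts (verify against your own router's output). The
known-benign source list is an assumption standing in for whatever your
scanner or monitoring hosts are.
"""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))? RiskRating:(?P<rr>\d+)"
)

# Constructed sample alerts (not real router output).
SAMPLE_LOG = """\
*Jan 15 16:50:01 PST: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.9.9.5:0 -> 10.1.1.20:0] VRF:NONE RiskRating:25
*Jan 15 16:50:02 PST: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.9.9.5:0 -> 10.1.1.21:0] VRF:NONE RiskRating:25
*Jan 15 16:50:03 PST: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.9.9.5:0 -> 10.1.1.22:0] VRF:NONE RiskRating:25
*Jan 15 16:51:10 PST: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [203.0.113.7:40122 -> 10.1.1.80:80] VRF:NONE RiskRating:100
*Jan 15 16:52:44 PST: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:50 TCP SYN/FIN Packet [198.51.100.9:1337 -> 10.1.1.80:445] VRF:NONE RiskRating:60
*Jan 15 16:53:00 PST: %IPS-6-ENGINE_READY: multi-string - build time 4 ms - packets for this engine will be scanned
"""

# Assumption: internal hosts whose probes are expected (e.g. the vulnerability scanner).
KNOWN_BENIGN_SOURCES = {"10.9.9.5"}


def parse_alerts(log_text: str) -> list[dict]:
    """Return one dict per %IPS-4-SIGNATURE line; other %IPS messages are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        for k in ("sig", "subsig", "sev", "sport", "dport", "rr"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def classify(alerts: list[dict], benign_sources=KNOWN_BENIGN_SOURCES) -> dict:
    """Split alerts into likely true positives and likely false positives.

    An alert raised by a known-benign source is a false positive in the sense
    of the alarm table: normal traffic that generated an alarm, so the
    signature (not the source) is the thing to tune.
    """
    result = {"true_positive": [], "false_positive": []}
    for a in alerts:
        bucket = "false_positive" if a["src"] in benign_sources else "true_positive"
        result[bucket].append(a)
    return result


def tuning_candidates(alerts: list[dict], benign_sources=KNOWN_BENIGN_SOURCES,
                      threshold=0.8) -> dict:
    """Signatures whose alerts come (almost) entirely from benign sources.

    Returns {(sig, subsig): fraction_benign} for signatures at or over the
    threshold; these are the ones to retire, or to keep out of the IPS rule's
    access list.
    """
    total = Counter()
    benign = Counter()
    for a in alerts:
        key = (a["sig"], a["subsig"])
        total[key] += 1
        if a["src"] in benign_sources:
            benign[key] += 1
    return {k: benign[k] / total[k] for k in total if benign[k] / total[k] >= threshold}


def high_risk(alerts: list[dict], min_rr=90) -> list[dict]:
    """Alerts at or above a RiskRating floor: the ones to act on first."""
    return [a for a in alerts if a["rr"] >= min_rr]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    buckets = classify(alerts)
    print(f"{len(alerts)} alerts: {len(buckets['true_positive'])} TP-like, "
          f"{len(buckets['false_positive'])} FP-like")
    for (sig, subsig), frac in tuning_candidates(alerts).items():
        print(f"tune Sig:{sig} Subsig:{subsig} ({frac:.0%} from benign sources)")
    for a in high_risk(alerts):
        print(f"ACT: Sig:{a['sig']} {a['name']} {a['src']} -> {a['dst']}:{a['dport']} RR={a['rr']}")
```

Retiring a signature because one host trips it is a blunt instrument; where the benign source is a single scanner, keeping the signature and excluding the scanner through the access list attached with `ip ips name ... list` keeps the detection for everyone else.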
Overview of Implementing IOS IPS 
1. Download the IOS IPS files
2. Create an IOS IPS configuration directory on flash
3. Configure an IOS IPS crypto key
4. Enable IOS IPS
5. Load the IOS IPS signature package to the router
"I want to use the CLI to manage my signature files for IPS. I have downloaded the IOS IPS files."
1. Download the Signature File 
Download the IOS IPS signature package files and the public crypto key.
2. Create Directory 
R1# mkdir ips 
Create directory filename [ips]? 
Created dir flash:ips 
R1# 
R1# dir flash: 
Directory of flash:/ 
5 -rw- 51054864 Jan 10 2009 15:46:14 -08:00 c2800nm-advipservicesk9-mz.124-20.T1.bin
6 drw- 0 Jan 15 2009 11:36:36 -08:00 ips 
64016384 bytes total (12693504 bytes free) 
R1# 
To rename a directory: 
R1# rename ips ips_new 
Destination filename [ips_new]? 
R1# 
3. Configure the Crypto Key
R1# conf t
R1(config)#
1 – Highlight and copy the text contained in the public key file.
2 – Paste it in global configuration mode.
Confirm the Crypto Key 
R1# show run 
<Output omitted> 
crypto key pubkey-chain rsa 
named-key realm-cisco.pub signature 
key-string 
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 
F3020301 0001 
<Output omitted> 
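The key-string pasted in step 3 is the trust root for every signature package the router loads: IOS checks the package signature against it, so a garbled paste leaves the router unable to load packages, and a substituted key would make it trust the wrong signer. The following is an added example, not part of the original slides. It takes the key-string hex exactly as shown in the `show run` output above, decodes it with a small stdlib-only DER parser written for this example (it is a standard SubjectPublicKeyInfo structure), confirms the key is RSA-2048 with public exponent 65537, and computes a SHA-256 fingerprint of the DER that can be compared against the realm-cisco.pub file that was downloaded.

```python
"""Sanity-check the RSA public key pasted into `crypto key pubkey-chain rsa`.

Added example, not part of the original slides. KEY_STRING is the realm-cisco.pub
key-string exactly as it appears in the `show run` output on the slide. The DER
walker is a minimal stdlib-only SubjectPublicKeyInfo parser written for this
example; it handles only what an RSA public key contains.
"""
import hashlib

# Hex words copied from the `show run` output on the slide.
KEY_STRING = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def key_string_to_der(text: str) -> bytes:
    """Join the whitespace-separated hex words of an IOS key-string into DER bytes."""
    return bytes.fromhex("".join(text.split()))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_spki(der: bytes) -> dict:
    """Parse SubjectPublicKeyInfo -> modulus, exponent, key size and fingerprint."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)           # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("key is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa, _ = _tlv(bitstr, 1)           # skip the unused-bits byte
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey SEQUENCE")
    tag_n, n_bytes, pos = _tlv(rsa, 0)
    tag_e, e_bytes, _ = _tlv(rsa, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus": n,
        "exponent": e,
        "bits": n.bit_length(),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


def check_pasted_key(text: str = KEY_STRING) -> dict:
    """Run the checks an operator wants before trusting the key as the package root."""
    der = key_string_to_der(text)
    info = parse_rsa_spki(der)
    info["der_length"] = len(der)
    # Expectations for the realm-cisco.pub signing key shown on the slide.
    info["ok"] = info["bits"] == 2048 and info["exponent"] == 65537
    return info


if __name__ == "__main__":
    result = check_pasted_key()
    print(f"RSA-{result['bits']} e={result['exponent']} ok={result['ok']}")
    print("SHA-256(DER):", result["sha256_fingerprint"])
```

Run it once against the key file you downloaded and once against the key-string from `show run`; the two fingerprints must match, or the paste was truncated or altered.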
4. Enable IOS IPS
R1(config)# ip ips name iosips
R1(config)# ip ips name ips list ?
  <1-199>  Numbered access list
  WORD     Named access list
R1(config)#
R1(config)# ip ips config location flash:ips
R1(config)#
1 – The IPS rule is created. The optional list keyword attaches an access list, so that only traffic the ACL permits is inspected by the rule.
2 – The IPS configuration location in flash is identified (the directory created in step 2).
R1(config)# ip http server
R1(config)# ip ips notify sdee
R1(config)# ip ips notify log
R1(config)#
3 – SDEE and syslog notification are enabled. SDEE events are retrieved from the router over its HTTP server, which is why ip http server is turned on; where the management network is not trusted, use ip http secure-server (HTTPS) instead and restrict the server with ip http access-class.
4. Enable IOS IPS (continued)
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)#
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] y
R1(config)#
1 – The IPS all category is retired.
2 – The IPS basic category is unretired. The order matters: retire everything first, then unretire only the category the router can hold (ios_ips basic here); compiling the full signature set can exhaust the memory of a branch router.
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip ips iosips in
R1(config-if)# exit
R1(config)# exit
3 – The IPS rule is applied in the incoming direction.
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip ips iosips in
R1(config-if)# ip ips iosips out
R1(config-if)# exit
R1(config)# exit
4 – The IPS rule is applied in both the incoming and outgoing directions.
5. Load Signature Package
1 – Copy the signature package from the FTP server. The idconf keyword tells IOS to process the file as an IPS signature package rather than store it as a plain file. Note that the FTP username and password are in the command line and the session log, and FTP sends them in clear text; the package itself is protected by its signature (checked against the key from step 3), the credentials are not.
R1# copy ftp://cisco:cisco@10.1.1.1/IOS-S376-CLI.pkg idconf
Loading IOS-S310-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 7608873/4096 bytes]
*Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDS_STARTED: 16:44:47 PST Jan 15 2008
*Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jan 15 16:44:47 PST: %IPS-6-ENGINE_READY: multi-string - build time 4 ms - packets for this engine will be scanned
*Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDING: service-http - 622 signatures - 2 of 13 engines
*Jan 15 16:44:53 PST: %IPS-6-ENGINE_READY: service-http - build time 6024 ms - packets for this engine will be scanned
<Output omitted>
*Jan 15 16:45:18 PST: %IPS-6-ENGINE_BUILDING: service-smb-advanced - 35 signatures - 12 of 13 engines
*Jan 15 16:45:18 PST: %IPS-6-ENGINE_READY: service-smb-advanced - build time 16 ms - packets for this engine will be scanned
*Jan 15 16:45:18 PST: %IPS-6-ENGINE_BUILDING: service-msrpc - 25 signatures - 13 of 13 engines
*Jan 15 16:45:18 PST: %IPS-6-ENGINE_READY: service-msrpc - build time 32 ms - packets for this engine will be scanned
*Jan 15 16:45:18 PST: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 31628 ms
2 – Signature compiling begins immediately after the signature package is loaded to the router.
Verify the Signature
R1# show ip ips signature count
Cisco SDF release version S310.0 ← signature package release version
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
multi-string enabled signatures: 8
multi-string retired signatures: 8
<Output omitted>
Signature Micro-Engine: service-msrpc: Total Signatures 25
service-msrpc enabled signatures: 25
service-msrpc retired signatures: 18
service-msrpc compiled signatures: 1
service-msrpc inactive signatures - invalid params: 6
Total Signatures: 2136
Total Enabled Signatures: 807
Total Retired Signatures: 1779
Total Compiled Signatures: 351 ← total compiled signatures for the IOS IPS Basic category
Total Signatures with invalid parameters: 6
Total Obsoleted Signatures: 11
R1#
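Two things in this output are worth checking mechanically rather than by eye. First, "enabled" and "retired" are independent flags, and only a signature that is both enabled and unretired gets compiled: the multi-string engine above has 8 enabled signatures and 8 retired ones, so none of them is inspecting anything. Second, the SDF release the router reports should be the package you copied; the copy command on the previous slide names IOS-S376-CLI.pkg while the router reports S310.0, which is exactly the kind of mismatch a post-load check should catch. The following is an added example, not from the original slides: it parses the `show ip ips signature count` output shown above (the omitted engines are left out, so per-engine figures do not sum to the totals) and returns a list of findings.

```python
"""Check `show ip ips signature count` output before calling the deployment done.

Added example, not from the original slides. SHOW_OUTPUT is the output from the
slide above with the omitted engines left out. The checks are this example's
own; they encode two facts about IOS IPS: a signature is active only when it is
both enabled and unretired (compiled), and the reported SDF release should
match the package that was copied.
"""
import re

SHOW_OUTPUT = """\
Cisco SDF release version S310.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
multi-string enabled signatures: 8
multi-string retired signatures: 8
Signature Micro-Engine: service-msrpc: Total Signatures 25
service-msrpc enabled signatures: 25
service-msrpc retired signatures: 18
service-msrpc compiled signatures: 1
service-msrpc inactive signatures - invalid params: 6
Total Signatures: 2136
Total Enabled Signatures: 807
Total Retired Signatures: 1779
Total Compiled Signatures: 351
Total Signatures with invalid parameters: 6
Total Obsoleted Signatures: 11
"""

ENGINE_HDR = re.compile(r"^Signature Micro-Engine: (\S+): Total Signatures (\d+)$")
ENGINE_ROW = re.compile(r"^(\S+) (enabled|retired|compiled) signatures: (\d+)$")
TOTAL_ROW = re.compile(r"^Total (Enabled |Retired |Compiled |)Signatures: (\d+)$")
RELEASE = re.compile(r"^Cisco SDF release version (S\d+)\.\d+$")


def parse_signature_count(text: str) -> dict:
    """Return {'release': 'S310', 'engines': {name: {...}}, 'totals': {...}}."""
    info = {"release": None, "engines": {}, "totals": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := RELEASE.match(line):
            info["release"] = m.group(1)
        elif m := ENGINE_HDR.match(line):
            # An engine with no "compiled" row reported nothing compiled.
            info["engines"][m.group(1)] = {"total": int(m.group(2)), "enabled": 0,
                                           "retired": 0, "compiled": 0}
        elif m := ENGINE_ROW.match(line):
            info["engines"][m.group(1)][m.group(2)] = int(m.group(3))
        elif m := TOTAL_ROW.match(line):
            key = (m.group(1).strip() or "all").lower()
            info["totals"][key] = int(m.group(2))
    return info


def release_from_package(filename: str) -> str:
    """'IOS-S376-CLI.pkg' -> 'S376'."""
    m = re.search(r"IOS-(S\d+)-CLI\.pkg$", filename)
    if not m:
        raise ValueError(f"unexpected package name: {filename}")
    return m.group(1)


def audit(info: dict, copied_package: str) -> list[str]:
    """Return a list of findings; an empty list means the load looks healthy."""
    findings = []
    if info["totals"].get("compiled", 0) == 0:
        findings.append("no signatures compiled: nothing is being inspected")
    expected = release_from_package(copied_package)
    if info["release"] != expected:
        findings.append(f"router reports {info['release']} but {copied_package} was copied")
    for name, eng in info["engines"].items():
        if eng["enabled"] and eng["compiled"] == 0:
            findings.append(f"{name}: {eng['enabled']} enabled but none compiled "
                            f"({eng['retired']} of {eng['total']} retired), engine is idle")
    return findings


if __name__ == "__main__":
    report = audit(parse_signature_count(SHOW_OUTPUT), "IOS-S376-CLI.pkg")
    print("\n".join(report) or "signature load looks healthy")
```

Feed it the captured output of `show ip ips signature count` from each router after a package push; a non-empty finding list is the cue to look at the `%IPS` log messages from the load rather than assume the router is inspecting traffic.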
Configuring IOS IPS in CCP 
LAB 
CCNA Security 011- implementing ios-based ips
