Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features
Module 6: Cisco IOS Threat Defense Features Lesson 6.5: Configuring Cisco IOS IPS
Objectives
• Identify the features of the Cisco IOS Intrusion Prevention System (IPS).
• Explain the purpose of .SDF files.
• Describe methods for installing and configuring IPS on Cisco routers.
Cisco IOS IPS SDFs
• A Cisco IOS router acts as an in-line intrusion prevention sensor.
• Signature databases:
  • Built-in (100 signatures embedded in Cisco IOS software)
  • SDF files (downloadable from Cisco.com):
    • Static (attack-drop.sdf)
    • Dynamic (128MB.sdf, 256MB.sdf), chosen according to the installed RAM
• Configuration flexibility:
  • Load the built-in signature database, an SDF file, or merge them to increase coverage
  • Tune or disable individual signatures
Downloading Signatures from Cisco.com
The attack-drop.sdf SDF contains 82 high-fidelity signatures, giving customers security threat detection. When loaded, those signatures fit into a router with 64 MB of memory.
Cisco IOS IPS Alarms: Configurable Actions
• Send an alarm to a syslog server or a centralized management interface (syslog or SDEE).
• Drop the packet.
• Reset the connection.
• Block traffic from the source IP address of the attacker for a specified amount of time.
• Block traffic on the connection on which the signature was seen for a specified amount of time.
Cisco IOS IPS Alarm Considerations
• Alarms can be combined with reactive actions.
• SDEE is a communication protocol for IPS message exchange between IPS clients and IPS servers:
  • More secure than syslog
  • Reports events to the SDM
• When blocking an IP address, beware of IP spoofing:
  • A spoofed source may cause you to block a legitimate user
  • Recommended only where spoofing is unlikely
• When blocking a connection:
  • IP spoofing is less of a concern
  • The attacker can simply open a new connection and try another attack method
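To make the alarm-versus-block trade-off concrete, here is an added example (not part of the lesson) that consumes router syslog lines and applies the considerations above. The sample lines are constructed; they follow the shape of the %IPS-4-SIGNATURE message that Cisco IOS IPS logs, but the exact field layout differs between IOS releases, so the regular expression, the signature names, the set of "stateful" signatures and the protected network list are all assumptions to adjust for your environment.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines, not taken from the lesson. The layout follows
# the %IPS-4-SIGNATURE message that Cisco IOS IPS sends to syslog; the exact
# field set varies by IOS release, so treat the regex below as an assumption to
# check against your own router's output. Signature names are illustrative.
SAMPLE_SYSLOG = """\
Jan  1 13:46:01.101: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [198.51.100.7:0 -> 172.31.235.21:0]
Jan  1 13:46:01.220: %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:75 TCP Connection Window Size DoS [198.51.100.7:41020 -> 172.31.235.50:80]
Jan  1 13:46:02.004: %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:75 TCP Connection Window Size DoS [198.51.100.7:41021 -> 172.31.235.50:80]
Jan  1 13:46:03.310: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.5:0 -> 172.31.235.21:0]
Jan  1 13:46:04.001: %IPS-4-SIGNATURE: Sig:5037 Subsig:0 Sev:50 WWW Directory Traversal [203.0.113.9:51234 -> 172.31.235.50:80]
Jan  1 13:46:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)

# Signatures that only fire on an established TCP session (assumption for this
# example): the three-way handshake has completed, so the source address is
# very unlikely to be spoofed and blocking the attacker's address is reasonable.
STATEFUL_SIGS = {(3051, 1), (5037, 0)}

# Address space we never auto-block (assumed): the lesson warns that a spoofed
# source turns a source block into a denial of service against a legitimate user.
PROTECTED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.31.235.0/24")]


def parse_alerts(text):
    """Return one dict per %IPS-4-SIGNATURE line; other syslog lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("sig", "subsig", "sev", "sport", "dport"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts


def plan_response(alerts, stateful_sigs=STATEFUL_SIGS, protected=PROTECTED_NETS, min_hits=2):
    """Map each alerting source to the most aggressive action that is still safe.

    alarm-only      : source inside a protected network, never block
    deny-attacker   : at least min_hits stateful alerts, spoofing implausible
    deny-connection : everything else; stops this flow, but the attacker can
                      simply open a new connection, as the lesson notes
    """
    stateful_hits = defaultdict(int)
    sources = set()
    for a in alerts:
        sources.add(a["src"])
        if (a["sig"], a["subsig"]) in stateful_sigs:
            stateful_hits[a["src"]] += 1
    plan = {}
    for src in sources:
        addr = ip_address(src)
        if any(addr in net for net in protected):
            plan[src] = "alarm-only"
        elif stateful_hits[src] >= min_hits:
            plan[src] = "deny-attacker"
        else:
            plan[src] = "deny-connection"
    return plan


if __name__ == "__main__":
    for src, action in sorted(plan_response(parse_alerts(SAMPLE_SYSLOG)).items()):
        print(f"{src:16} {action}")
```

The point of the policy is the one the slide makes: an ICMP-only alert from an unauthenticated, connectionless source is exactly the case where a source block can be turned against an innocent host, so it only earns a connection block, while repeated hits on an established TCP session justify blocking the attacker's address.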
Cisco IOS IPS Configuration Steps
• Configure basic IPS settings:
  • Specify the SDF location.
  • Configure the failure parameter (fail open or fail closed).
  • Create an IPS rule and, optionally, combine the rule with an ACL filter.
  • Apply the IPS rule to an interface.
• Configure enhanced IPS settings:
  • Merge SDFs.
  • Disable, delete, and filter selected signatures.
  • Reapply the IPS rule to the interface.
• Verify the IPS configuration.
Basic IPS Settings Configuration
Router# show running-config | begin ips
! Drop all packets until IPS is ready for scanning
ip ips fail closed
! IPS rule definition, filtered by ACL 100
ip ips name SECURIPS list 100
! ...
interface Serial0/0
 ip address 172.31.235.21 255.255.255.0
 ! Apply the IPS rule to the interface in the inbound direction
 ip ips SECURIPS in
...
Enhanced IPS Settings Configuration
! Merge attack-drop.sdf into the loaded (built-in) signature set, then save the merged set to flash
Router# copy flash:attack-drop.sdf ips-sdf
Router# copy ips-sdf flash:my-signatures.sdf
Router# show running-config | begin ips
! Specify the IPS SDF location
ip ips sdf location flash:my-signatures.sdf
ip ips fail closed
! Disable sig 1107, delete sig 5037, filter sig 6190 with ACL 101
ip ips signature 1107 0 disable
ip ips signature 5037 0 delete
ip ips signature 6190 0 list 101
ip ips name SECURIPS list 100
...
interface Serial0/0
 ip address 172.31.235.21 255.255.255.0
 ! Reapply the IPS rule so the changes take effect
 ip ips SECURIPS in
...
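The configuration steps above are easy to get half-done: a rule defined but never applied, an ACL referenced but never written, or the fail-closed setting forgotten, and the router silently passes traffic uninspected. The following added example (not from the lesson) audits the IPS portion of a running-config text against those steps. The two config excerpts are constructed; they are modelled on the lesson's SECURIPS example, and access-lists 100 and 101 are assumed because the lesson does not show them.

```python
import re

# Constructed running-config excerpt modelled on the lesson's example
# (access-lists 100 and 101 are assumed; the lesson does not show them).
GOOD_CONFIG = """\
ip ips sdf location flash:my-signatures.sdf
ip ips fail closed
ip ips signature 1107 0 disable
ip ips signature 5037 0 delete
ip ips signature 6190 0 list 101
ip ips name SECURIPS list 100
!
access-list 100 permit ip any any
access-list 101 permit ip 172.31.235.0 0.0.0.255 any
!
interface Serial0/0
 ip address 172.31.235.21 255.255.255.0
 ip ips SECURIPS in
!
"""

# Same router with three mistakes: no fail-closed setting, the rule filtered by
# an ACL that was never written, and the rule never applied to the interface.
WEAK_CONFIG = """\
ip ips sdf location flash:my-signatures.sdf
ip ips signature 6190 0 list 101
ip ips name SECURIPS list 100
!
access-list 101 permit ip 172.31.235.0 0.0.0.255 any
!
interface Serial0/0
 ip address 172.31.235.21 255.255.255.0
!
"""


def audit_ips(config):
    """Return a list of findings; an empty list means every step checks out."""
    findings = []
    lines = config.splitlines()
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))

    if not re.search(r"^ip ips sdf location \S+", config, re.M):
        findings.append("no SDF location: only the built-in signatures will load")
    if "ip ips fail closed" not in lines:
        findings.append("fail closed not set: traffic passes uninspected until the SDF is loaded")

    # ip ips name <rule> [list <acl>]
    rules = {}
    for name, acl in re.findall(r"^ip ips name (\S+)(?: list (\S+))?", config, re.M):
        rules[name] = acl or None
        if acl and acl not in acls:
            findings.append(f"rule {name} references undefined access-list {acl}")

    # ip ips signature <sig> <subsig> list <acl>
    for sig, sub, acl in re.findall(r"^ip ips signature (\d+) (\d+) list (\S+)", config, re.M):
        if acl not in acls:
            findings.append(f"signature {sig}:{sub} filtered by undefined access-list {acl}")

    # Walk interface stanzas for "ip ips <rule> in|out"
    applied = set()
    iface = None
    for line in lines:
        m = re.match(r"^interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"^\s+ip ips (\S+) (in|out)$", line)
        if m:
            name, direction = m.groups()
            if name not in rules:
                findings.append(f"{iface} applies undefined rule {name} {direction}")
            applied.add(name)

    for name in rules:
        if name not in applied:
            findings.append(f"rule {name} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_ips(cfg) or ["ok"])
```

Run it against `show running-config` output saved from the router; the "fail closed" check matters most, because without it the router defaults to passing traffic while signatures are still being compiled.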
Verifying Cisco IOS IPS Configuration
Router# show ip ips configuration
Configured SDF Locations:
  flash:my-signatures.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 13:45:38 UTC Jan 1 2006
IPS fail closed is enabled
...
Total Active Signatures: 183
Total Inactive Signatures: 0
Signature 6190:0 list 101
Signature 1107:0 disable
IPS Rule Configuration
  IPS name SECURIPS
    acl list 100
Interface Configuration
  Interface Serial0/0
    Inbound IPS rule is SECURIPS
    Outgoing IPS rule is not set
Cisco IOS IPS SDM Configuration Tasks
• Tasks included in the IPS Policies wizard:
  • Quick interface selection for rule deployment
  • Identification of the flow direction
  • Dynamic signature update
  • Quick deployment of default signatures
  • Validation of router resources before signature deployment
• Signature customization available in the SDM IPS Edit menu:
  • Disable
  • Delete
  • Modify parameters
Launching the IPS Policies Wizard (screenshot). Callouts: Select IPS; Launch the wizard with the default signature parameters; Customization options.
Adding an SDF Location (screenshot). Callouts: Add SDF location; optionally, use built-in signatures as backup.
Selecting an SDF Location (screenshot). Callouts: Select location from flash; Select location from network.
Verifying IPS Deployment (screenshot with four numbered callouts).
Viewing All SDEE Messages (screenshot). Callout: Select message type for viewing.
Viewing SDEE Status Messages (screenshot). Status messages report the engine states.
Viewing SDEE Alerts (screenshot). Signatures fire SDEE alerts.
Selecting a Signature (screenshot). Callout: Edit signature.
Editing a Signature (screenshot). Callouts: Click to edit; Select severity.
Disabling a Signature Group (screenshot). Callouts: Select category; Select All; Disable.
Summary
• The Cisco IOS IPS acts as an in-line intrusion prevention sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures.
• IPS can be configured via the IOS command line or using the SDM.
• The SDM provides a wide range of configuration capabilities for Cisco IOS IPS.
• The SDM offers the IPS Policies wizard to expedite deploying the default IPS settings. The wizard provides configuration steps for interface and traffic flow selection, SDF location, and signature deployment.
Resources • Configuring Cisco IOS IPS Using Cisco SDM and CLI • http://cisco.com/en/US/products/ps6634/products_white_paper0900aecd8043bc32.shtml