© 2008 Cisco Systems, Inc. All rights reserved.Presentation_ID 1
Chapter 5: Implementing Intrusion Prevention
CCNA-Security
Chapter 5: Objectives
In this chapter you will:
Explain the functions and operations of IDS and IPS systems.
Explain how network-based IPS is implemented.
Describe the characteristics of IPS signatures.
Explain how signature alarms are used in Cisco IPS solutions.
Describe the purpose of tuning signature alarms in a Cisco IPS solution.
Explain how the signature actions in a Cisco IPS solution affect network traffic.
Explain how to manage and monitor a Cisco IPS solution.
Describe the purpose and benefits of IPS Global Correlation.
Configure Cisco IOS IPS using CLI.
Configure Cisco IOS IPS using CCP.
Modify IPS signatures in CLI and CCP.
Verify Cisco IOS IPS configuration.
Monitor the Cisco IOS IPS events.
Chapter 5
5.0 Introduction
5.1 IPS Technologies
5.2 IPS Signatures
5.3 Implement IPS
5.4 Verify and Monitor IPS
5.5 Summary
5.1 IPS Technologies
IDS and IPS Characteristics
Zero-Day Attacks
Worms and viruses can spread across the world in minutes. A zero-day attack (zero-day threat) is a computer attack that tries to exploit software vulnerabilities.
Zero-hour describes the moment when the exploit is discovered.
IDS and IPS Characteristics
Monitor for Attacks
IDSs were implemented to passively monitor the traffic on a network.
An IDS-enabled device copies the traffic stream and analyzes the copied traffic rather than the actual forwarded packets.
Working offline, it compares the captured traffic stream with known malicious signatures.
This offline IDS implementation is referred to as promiscuous mode.
The advantage of operating with a copy of the traffic is that the IDS does not negatively affect the actual packet flow.
The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target before responding to the attack.
A better solution is to use a device that can immediately detect and stop an attack. An IPS performs this function.
IDS and IPS Characteristics
Detect and Stop Attacks
An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:
• Reconnaissance attacks
• Access attacks
• Denial of Service attacks
An IDS is a passive device because it analyzes copies of the traffic stream.
• Only requires a promiscuous interface.
• Does not slow network traffic.
• Allows some malicious traffic into the network.
IDS and IPS Characteristics
Detect and Stop Attacks Cont.
An IPS builds upon IDS technology to detect attacks.
However, it can also immediately address the threat.
An IPS is an active device because all traffic must pass through it.
Referred to as “inline-mode”, it works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
It can also stop single-packet attacks from reaching the target system (IDS cannot).
IDS and IPS Characteristics
IDS and IPS Characteristics
IDS and IPS Characteristics Cont.
An IDS or IPS sensor can be any of the following devices:
Router configured with Cisco IOS IPS software.
Appliance specifically designed to provide dedicated IDS or IPS services.
Network module installed in an adaptive security appliance (ASA), switch, or router.
IDS and IPS technologies use signatures to detect patterns in network traffic.
A signature is a set of rules that an IDS or IPS uses to detect malicious activity.
Signatures are used to detect severe security breaches, common network attacks, and to gather information.
IDS and IPS Characteristics
Advantages and Disadvantages of IDS and IPS
Network-Based IPS Implementations
Network IPS Sensors
A network IPS implementation analyzes network-wide activity looking for malicious activity.
Configured to monitor known signatures, but can also detect abnormal traffic patterns.
Configured on:
• Dedicated IPS appliances
• ISR routers
• ASA firewall appliances
• Catalyst 6500 network modules
Network-Based IPS Implementations
Network IPS Sensors Cont.
Sensors are connected to network segments. A single sensor can monitor many hosts.
Sensors are network appliances tuned for intrusion detection analysis.
• The OS is stripped of unnecessary services - “hardened.”
• The hardware is dedicated to intrusion detection analysis.
The hardware includes three components:
• Network interface card (NIC) - Able to connect to any network.
• Processor - Requires CPU power to perform intrusion detection analysis and pattern matching.
• Memory - Intrusion detection analysis is memory-intensive.
Growing networks are easily protected.
• New hosts and devices can be added without adding sensors.
• New sensors can be easily added to new networks.
Network-Based IPS Implementations
Cisco IPS Solutions
Network-Based IPS Implementations
Cisco IPS Solutions Cont.
Network-Based IPS Implementations
Choose an IPS Solution
There are several factors that affect the IPS sensor selection and deployment:
Amount of network traffic
Network topology
Security budget
Available security staff to manage IPS
Organization Site
Network-Based IPS Implementations
IPS Advantages and Disadvantages
5.2 IPS Signatures
IPS Signature Characteristics
Signature Attributes
Malicious traffic displays distinct characteristics or “signatures.” These signatures uniquely identify specific worms, viruses, protocol anomalies, or malicious traffic.
IPS sensors are tuned to look for matching signatures or abnormal traffic patterns.
When a sensor matches a signature with a data flow, it takes action, such as logging the event or sending an alarm to IDS or IPS.
Signatures have three distinctive attributes:
• Type
• Trigger (alarm)
• Action
IPS Signature Characteristics
Signature Types - Atomic Signature
Signature types are categorized as atomic or composite.
An atomic signature is the simplest type of signature. It consists of a single packet, activity, or event.
Detecting atomic signatures consumes minimal resources. These signatures are easy to identify and understand because they are compared against a specific event or packet.
IPS Signature Characteristics
Signature Types - Atomic Signature Cont.
A land attack contains a spoofed TCP SYN packet with the IP address of the target host as both source and destination, causing the machine to reply to itself continuously.
IPS Signature Characteristics
Signature Types - Composite Signature
A composite signature is also called a stateful signature. A composite signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time.
An IPS uses a configured event horizon to determine how long it looks for a specific attack signature.
IPS Signature Characteristics
Signature File
As new threats are identified, new signatures must be created and uploaded to an IPS.
To make this process easier, all signatures are contained in a signature file and uploaded to an IPS on a regular basis.
IPS Signature Characteristics
Signature Micro-Engines
To make the scanning of signatures more efficient, the Cisco IOS software relies on signature micro-engines (SMEs), which categorize common signatures in groups.
The Cisco IOS software can then scan for multiple signatures based on group characteristics, instead of one at a time.
The available SMEs vary depending on the platform, Cisco IOS version, and version of the signature file.
IPS Signature Characteristics
Acquire the Signature File
Cisco investigates and creates signatures for new threats as they are discovered, and publishes them regularly.
• Lower priority IPS signature files are published biweekly.
• If the threat is severe, Cisco publishes signature files within hours of identification.
Update the signature file regularly to protect the network.
• Each update includes new signatures and all the signatures in the previous version.
• For example, the IOS-S595-CLI.pkg signature file includes all signatures in file IOS-S594-CLI.pkg, plus signatures created for threats discovered subsequently.
New signatures are downloadable from CCO, and require a valid CCO login.
IPS Signature Alarms
Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the signature trigger.
Signature Alarm
Pattern-Based Detection
Pattern-based detection, also known as signature-based detection, compares the network traffic to a database of known attacks and triggers an alarm, or prevents communication if a match is found.
Signature Alarm
Anomaly-Based Detection
Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host.
The signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.
IPS Signature Alarms
Policy-Based Detection
Policy-based detection is also known as behavior-based detection.
The administrator defines behaviors that are suspicious based on historical analysis.
Honeypot-based detection uses a dummy server to attract attacks.
• The honeypot approach is to distract attacks away from real network devices.
• Honeypot systems are rarely used in production environments.
IPS Signature Alarms
Benefits of Implementing an IPS
IPS uses the underlying routing infrastructure to provide an additional layer of security.
Since Cisco IOS IPS is inline, attacks can be effectively mitigated by denying malicious traffic from both inside and outside the network.
When used in combination with Cisco IDS, Cisco IOS Firewall, VPN, and Network Admission Control (NAC) solutions, Cisco IOS IPS provides threat protection at all entry points to the network.
It is supported by easy and effective management tools, such as the Cisco Configuration Professional.
The size of the signature database used by the device can be adapted to the amount of available memory in the router.
Tuning IPS Signature Alarms
Trigger False Alarms
Triggering mechanisms can generate alarms that are false positives or false negatives.
These alarms must be addressed when implementing an IPS sensor.
Tuning IPS Signature Alarms
Tune Signature
An administrator must balance the number of incorrect alarms that can be tolerated with the ability of the signature to detect actual intrusions.
If IPS systems use untuned signatures, they produce many false positive alarms.
Tuning IPS Signature Alarms
Tune Signature Cont.
Low - Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is unlikely.
Medium - Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
High - Attacks used to gain access or cause a DoS attack are detected, and an immediate threat is extremely likely.
Informational - Activity that triggers the signature is not considered an immediate threat, but the information provided is useful.
IPS Signature Actions
Signature Actions
Whenever a signature detects the activity for which it is configured, the signature triggers one or more actions.
Several actions can be performed:
• Generate an alert.
• Log the activity.
• Drop or prevent the activity.
• Reset a TCP connection.
• Block future activity.
• Allow the activity.
IPS Signature Actions
Signature Actions Cont.
IPS Signature Actions
Generate an Alert
An IPS can be enabled to produce an alert or a verbose alert.
Atomic alerts are generated every time a signature triggers.
Some IPS solutions enable the administrator to generate summary alerts, which indicate multiple occurrences of the same signature from the same source address or port.
IPS Signature Actions
Log the Activity
Used when an administrator does not necessarily have enough information to stop an activity.
An IPS can be enabled to log the attacker packets, pair packets, or just the victim packets.
An administrator can then perform a detailed analysis, and identify exactly what is taking place and make a decision as to whether it should be allowed or denied in the future.
IPS Signature Actions
Drop or Prevent the Activity
An IPS can be enabled to deny the attacker packets, deny the connection, or deny the specific packet.
IPS Signature Actions
Reset, Block, and Allow Traffic
Manage and Monitor IPS
Monitor Activity
Monitoring the security-related events on a network is also a crucial aspect of protecting a network from attack.
Manage and Monitor IPS
Monitoring Considerations
Manage and Monitor IPS
Monitor IPS Using CCP
GUI-based IPS device managers include:
Cisco Configuration Professional (CCP) - Allows administrators to control the application of Cisco IOS IPS on interfaces, import and edit signature definition files (SDFs) from cisco.com, and to configure the action that Cisco IOS IPS is to take if a threat is detected.
Cisco IPS Manager Express (IME) - An all-in-one IPS management application to provision, monitor, troubleshoot, and generate reports for up to 10 IPS sensors.
Cisco Security Manager - Can be used to manage multiple IPS sensors and other infrastructure devices. It supports automatic policy-based IPS sensor software and signature updates and includes a signature update wizard allowing easy review and editing prior to deployment.
Manage and Monitor IPS
Secure Device Event Exchange
IPS sensors and Cisco IOS IPS generate alarms when an enabled signature is triggered. These alarms are stored on the sensor and can be viewed locally, or through a management application, such as IPS Manager Express.
The Cisco IOS IPS feature can send a syslog message or an alarm in Secure Device Event Exchange (SDEE) format.
CCP can monitor syslog and SDEE-generated events and keep track of alarms that are common in SDEE system messages, including IPS signature alarms.
Manage and Monitor IPS
IPS Configuration Best Practices
The need to upgrade sensors with the latest signature packs must be balanced with the momentary downtime during which the network becomes vulnerable to attack.
Update signature packs automatically.
Download new signatures to a secure server within the management network.
Place signature packs on a dedicated SFTP server within the management network.
Manage and Monitor IPS
IPS Configuration Best Practices Cont.
Configure the sensors to regularly check the SFTP server for new signature packs.
Keep the signature levels that are supported on the management console synchronized with the signature packs on the sensors.
IPS Global Correlation
Cisco Global Correlation
Cisco IPS includes a security feature called Cisco Global Correlation.
Cisco IPS devices receive regular threat updates from a centralized Cisco threat database called the Cisco SensorBase Network.
The Cisco SensorBase Network contains real-time, detailed information about known threats on the Internet.
IPS Global Correlation
Cisco SensorBase Network
When participating in global correlation, the Cisco SensorBase Network provides information to the IPS sensor about IP addresses with a reputation.
The sensor uses this information to determine which actions, if any, to perform when potentially harmful traffic is received from a host with a known reputation.
IPS Global Correlation
Cisco Security Intelligence Operation
The SensorBase Network is part of a larger, back-end security ecosystem, known as the Cisco Security Intelligence Operation (SIO).
Its purpose is to detect threat activity, research and analyze threats, and provide real-time updates and best practices to keep organizations informed and protected.
Cisco SIO consists of three elements:
• Threat intelligence from the Cisco SensorBase Network.
• The Threat Operations Center is the combination of automated and human processing and analysis.
• The automated and best practices content that is pushed to network elements in the form of dynamic updates.
5.3 Implement IPS
Configure Cisco IOS IPS with CLI
Implement IOS IPS Files
To implement the Cisco IOS IPS:
Download the IOS IPS files.
Create an IOS IPS configuration directory in flash.
Configure an IOS IPS crypto key.
Enable IOS IPS (consists of several substeps).
Load the IOS IPS signature package to the router.
Configure Cisco IOS IPS with CLI
Download the IOS IPS Files
Cisco IOS release 12.4(10)T and earlier provided built-in signatures in the Cisco IOS software image and support for imported signatures.
With newer IOS versions, all signatures are stored in a separate signature file and must be imported.
Step 1. Download the IOS IPS signature package files and a public crypto key from cisco.com.
• IOS-Sxxx-CLI.pkg - The latest signature package
• realm-cisco.pub.key.txt - The public crypto key used by IOS IPS
Configure Cisco IOS IPS with CLI
Download the IOS IPS Files Cont.
Step 2. Create an IOS IPS configuration directory in flash.
Configure Cisco IOS IPS with CLI
Configure an IPS Crypto Key
The crypto key verifies the digital signature for the master signature file (sigdef-default.xml). The content of the file is signed by a Cisco private key to guarantee its authenticity and integrity.
Step 3. Configure an IOS IPS crypto key.
Highlight and copy the text in the public key file. Paste the copied text at the global configuration prompt.
Configure Cisco IOS IPS with CLI
Enable IOS IPS
Step 4. Enable IOS IPS.
a. Identify the IPS rule name and specify the location.
• Use the ip ips name [rule name] [optional ACL] command to create a rule name.
• An optional extended or standard ACL can be used to filter the traffic.
• Traffic that is denied by the ACL is not inspected by the IPS.
• Use the ip ips config location flash:directory-name command to configure the IPS signature storage location.
• Prior to IOS 12.4(11)T, the ip ips sdf location command was used.
Configure Cisco IOS IPS with CLI
Enable IOS IPS Cont.
Step 4. Enable IOS IPS.
b. Enable SDEE and logging event notification.
• HTTP server must first be enabled with the ip http server command.
• SDEE notification must be explicitly enabled using the ip ips notify sdee command.
• IOS IPS also supports logging to send event notification.
• SDEE and logging can be used independently or simultaneously.
• Logging notification is enabled by default.
• Use the ip ips notify log command to enable logging.
Configure Cisco IOS IPS with CLI
Enable IOS IPS Cont.
Step 4. Enable IOS IPS.
c. Configure the signature category.
• All signatures are grouped into categories, and the categories are hierarchical.
• The three most common categories are all, basic, and advanced.
Configure Cisco IOS IPS with CLI
Enable IOS IPS Cont.
Step 4. Enable IOS IPS.
d. Apply the IPS rule to an interface, and specify direction.
Use the ip ips rule-name [in | out] interface configuration mode command to apply the IPS rule.
Configure Cisco IOS IPS with CLI
Load the IPS Signature Package in RAM
Step 5. Load the IOS IPS signature package to the router.
• Upload the signature package to the router using either FTP or TFTP.
• To copy the downloaded signature package from the FTP server to the router, use the idconf parameter at the end of the command.
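Steps 2 through 5 above, carried through as one CLI session. This is an example added here, not a session from the original deck or from Cisco documentation. The directory name ipsdir, the rule name IOSIPS, ACL 101, the interface GigabitEthernet0/0, the FTP account and the server address 10.1.1.5 are assumed for illustration; the key-string line is a placeholder for the text of realm-cisco.pub.key.txt, and IOS-S595-CLI.pkg is the package name used earlier in this chapter.

```cisco
! Step 2: create the IPS configuration directory in flash.
Router# mkdir flash:ipsdir
Router# configure terminal
!
! Step 3: paste the public key exactly as it appears in realm-cisco.pub.key.txt.
! The key-string below is a placeholder, not a real key.
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key realm-cisco.pub signature
Router(config-pubkey-key)# key-string
Router(config-pubkey)# <PASTE-THE-HEX-KEY-STRING-FROM-realm-cisco.pub.key.txt>
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
!
! Step 4a: rule name, optional ACL and signature storage location.
! ACL 101 (assumed) excludes the signature server from inspection;
! everything the ACL denies bypasses IPS, so keep the deny entries minimal.
Router(config)# access-list 101 deny ip host 10.1.1.5 any
Router(config)# access-list 101 permit ip any any
Router(config)# ip ips name IOSIPS list 101
Router(config)# ip ips config location flash:ipsdir
!
! Step 4b: event notification. SDEE requires the HTTP server;
! logging is on by default and is re-enabled here explicitly.
Router(config)# ip http server
Router(config)# ip ips notify sdee
Router(config)# ip ips notify log
!
! Step 4c: retire every signature, then unretire only the basic category
! (ios_ips basic), which keeps memory use on the router low.
Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
Router(config-ips-category-action)# exit
Router(config-ips-category)# exit
! The router asks to confirm the category changes on exit; answer yes.
!
! Step 4d: apply the rule inbound on the interface facing the untrusted network.
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip ips IOSIPS in
Router(config-if)# exit
Router(config)# end
!
! Step 5: load the signature package; the trailing idconf keyword tells the
! router to compile it into flash:ipsdir rather than store it as a file.
Router# copy ftp://ipsuser:password@10.1.1.5/IOS-S595-CLI.pkg idconf
```

The order matters: the crypto key must be in place before the package is copied with idconf, because the router verifies the package signature against that key and rejects the load otherwise; use show ip ips configuration afterwards to confirm the rule, location and loaded signature count.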
Configure Cisco IOS IPS using CCP
Implement IOS IPS Using CCP
CCP needs a minimum Java memory heap size of 256 MB to support IOS IPS. Exit CCP and open the Windows Control Panel.
Click the Java option to open the Java Control Panel.
Select the Java tab and click View under the Java Applet Runtime Settings.
In the Java Runtime Parameter field, enter -Xmx256m, and click OK.
Configure Cisco IOS IPS using CCP
Implement IOS IPS Using CCP Cont.
CCP provides controls for applying Cisco IOS IPS on interfaces, importing and editing signature files from cisco.com, and configuring the action that Cisco IOS IPS takes if a threat is detected.
Configure Cisco IOS IPS using CCP
Launch the IPS Rule Wizard
Prior to configuring IPS with the Cisco Configuration Professional, download the latest IPS signature file and public key, if required, from cisco.com.
To launch the IPS Rule wizard:
1. On the CCP menu bar, click Configure > Security > Intrusion Prevention > Create IPS.
2. Click Launch IPS Rule Wizard.
3. Read the Welcome to the IPS Policies Wizard screen and click Next.
4. In the Select Interfaces window, select the interfaces to which to apply the IPS rule and the direction of traffic.
Configure Cisco IOS IPS using CCP
Configure the Crypto Key
Configure Cisco IOS IPS using CCP
Specify the Signature File
Configure Cisco IOS IPS using CCP
Complete the IOS IPS Wizard
Use the show running-config command to verify the IPS configuration generated by the CCP IPS wizard.
Modify Cisco IOS IPS Signatures
Retire and Unretire Signatures
The Cisco IOS CLI can be used to retire or unretire individual signatures or a group of signatures that belong to a signature category.
Retire a Specific Signature
Unretire a Signature Category
Modify Cisco IOS IPS Signatures
Change Signature Actions
To change an action, the event-action command must be used in IPS Category Action mode or Signature Definition Engine mode.
Change Actions for a Signature
Change Actions for a Category
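The retire/unretire and event-action changes described in the two slides above, as one added CLI example (not from the original deck or Cisco documentation). The signature IDs are assumptions: 1102 0 is used here as the "impossible IP packet" signature, the atomic signature that matches the land attack described earlier in this chapter, and 6130 10 stands in for any signature an administrator wants to retire; confirm the IDs present in the loaded package with show ip ips signatures before applying them.

```cisco
Router# configure terminal
!
! Per-signature changes are made in Signature Definition mode.
Router(config)# ip ips signature-definition
!
! Assumed ID 1102 0: the impossible-IP-packet (land attack) signature.
! Unretire and enable it, then set its actions in engine mode.
Router(config-sigdef)# signature 1102 0
Router(config-sigdef-sig)# status
Router(config-sigdef-sig-status)# retired false
Router(config-sigdef-sig-status)# enabled true
Router(config-sigdef-sig-status)# exit
Router(config-sigdef-sig)# engine
Router(config-sigdef-sig-engine)# event-action produce-alert
Router(config-sigdef-sig-engine)# event-action deny-packet-inline
Router(config-sigdef-sig-engine)# exit
Router(config-sigdef-sig)# exit
!
! Placeholder ID 6130 10: retire a single signature that is producing
! false positives on this network, without touching its category.
Router(config-sigdef)# signature 6130 10
Router(config-sigdef-sig)# status
Router(config-sigdef-sig-status)# retired true
Router(config-sigdef-sig-status)# exit
Router(config-sigdef-sig)# exit
Router(config-sigdef)# exit
! The router asks to confirm the signature changes on exit; answer yes.
!
! Category-wide changes are made in IPS Category Action mode.
! Every signature in ios_ips basic is unretired and will alert and drop
! the triggering packet.
Router(config)# ip ips signature-category
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
Router(config-ips-category-action)# event-action produce-alert
Router(config-ips-category-action)# event-action deny-packet-inline
Router(config-ips-category-action)# exit
Router(config-ips-category)# exit
Router(config)# end
!
! Verify that the status and actions took effect.
Router# show ip ips signatures
```

deny-packet-inline is used for the category-wide action rather than deny-attacker-inline because a false positive on one signature would otherwise block every packet from that source; reserve deny-attacker-inline for individual high-severity signatures after they have been tuned.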
Modify Cisco IOS IPS Signatures
Edit Signatures
Modify Cisco IOS IPS Signatures
Tune a Signature
Modify Cisco IOS IPS Signatures
Access and Configure Signature Parameters
Modify Cisco IOS IPS Signatures
Access and Configure Signature Parameters Cont.
5.4 Verify and Monitor IPS
Verify Cisco IOS IPS
Verify IOS IPS
Several show commands can be used to verify the IOS IPS configuration.
The show ip ips privileged EXEC mode command can be used with other parameters to provide specific IPS information; for example:
• show ip ips all
• show ip ips configuration
• show ip ips interfaces
• show ip ips signatures
Verify Cisco IOS IPS
Verify IOS IPS Using CCP
Monitoring Cisco IOS IPS
Report IPS Alerts
Two methods to report IPS intrusion alerts:
Cisco Configuration Professional Security Device Event Exchange (SDEE) - The sdee keyword sends messages in SDEE format.
Cisco IOS logging via syslog - The log keyword sends messages in syslog format.
Monitoring Cisco IOS IPS
Enable SDEE
SDEE is the preferred method of reporting IPS activity.
SDEE uses HTTP and XML to provide a standardized approach.
Enable SDEE on an IOS IPS router using the ip ips notify sdee command.
Monitoring Cisco IOS IPS
Monitor IOS IPS Using CCP
5.5 Summary
Chapter 5
Summary
A network must be able to instantly recognize and mitigate worm and virus threats.
A network-based IPS should be implemented inline to defend against fast-moving Internet worms and viruses.
IPS signatures provide an IPS with a list of identified problems.
The IPS signatures are configured to use various triggers and actions.
Security staff must continuously monitor an IPS solution and tune signatures as necessary to ensure an adequate level of protection.