Ips and IDS - 090356
Keep in mind, IDS and IPS are not necessarily two separate physical
devices. They can be combined into one device.
IPS
• They can be also combined with other devices, such as firewall,
router, or proxy, into a single device.
• Unified Threat Management (UTM) devices and Next-Generation Firewalls are
two examples.
Configuring Cisco IPS Using CLI
• To use the command-line interface (CLI) to specify an IPS rule, use the ip
ips name name command in global configuration mode as follows:
router(config)# ip ips name sdm_ips_rule
• To specify the location of the IPS configuration, use the ip ips config
location location global configuration command, as demonstrated here:
router(config)# ip ips config location flash:/ipsdir/ retries 1
• To specify the method of event notification, use the ip ips notify global
configuration command. The following is an example of event notification
sent using Security Device Event Exchange (SDEE), which is a standard
developed to communicate an event generated by security devices:
router(config)# ip ips notify SDEE
• The Cisco IOS IPS CLI configuration examples in this presentation assume
that the signature files are already on the router.
• To configure the router to support the default basic signature set, use
the ip ips signature-category global configuration command as follows. The
sequence first retires every signature (category all), then unretires only
the ios_ips basic category:
Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
• To apply an IPS rule to an interface, use the ip ips ips_rule_name {in | out}
command in interface configuration mode, where the keyword selects the
direction of traffic to inspect, as demonstrated here:
router(config)# interface Serial0/0/0
router(config-if)# ip ips sdm_ips_rule in
• Virtual Fragment Reassembly
Virtual Fragment Reassembly (VFR) enables the Cisco IOS Firewall to
examine out-of-sequence fragments and reorder the packets into the
correct order. It also tracks the number of fragments arriving from a
single IP address. When VFR is enabled on a Cisco IOS Firewall, it creates
the appropriate dynamic ACLs, thereby protecting the network from various
fragmentation attacks. To enable VFR on an interface, use the ip
virtual-reassembly command in interface configuration mode, as
demonstrated here:
Router(config)# interface Serial0/0/0
Router(config-if)# ip virtual-reassembly
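As an added example (not from these slides or from Cisco), a small Python audit that reads a saved IOS running-config and checks for the pieces this deck walks through: the IPS rule definition, SDEE notification, the ios_ips basic category left unretired, and whether every interface applies the rule and VFR. The config text is constructed here and the checks are plain regexes over it; audit_ips_config and SAMPLE_CONFIG are hypothetical names.

```python
import re

# Constructed sample running-config (not from the slides) containing the
# commands this deck covers, plus one interface with no IPS or VFR applied.
SAMPLE_CONFIG = """\
ip ips name sdm_ips_rule
ip ips config location flash:/ipsdir/ retries 1
ip ips notify SDEE
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface Serial0/0/0
 ip ips sdm_ips_rule in
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
"""

def audit_ips_config(config: str) -> dict:
    """Check global IPS settings and list interfaces missing an IPS rule or VFR."""
    rules = set(re.findall(r"^ip ips name (\S+)", config, re.M))
    findings = {
        "rules": sorted(rules),
        "notify_sdee": bool(re.search(r"^ip ips notify SDEE$", config, re.M)),
        # The deck retires every signature, then unretires only ios_ips basic.
        "basic_category_enabled": bool(re.search(
            r"^ category ios_ips basic\n  retired false$", config, re.M)),
        "interfaces_without_ips": [],
        "interfaces_without_vfr": [],
        "unknown_rules": [],  # rule applied on an interface but never defined
    }
    # Each interface stanza is "interface X" followed by space-indented lines.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        applied = re.findall(r"^ ip ips (\S+) (in|out)$", body, re.M)
        if not applied:
            findings["interfaces_without_ips"].append(name)
        for rule, _direction in applied:
            if rule not in rules:
                findings["unknown_rules"].append((name, rule))
        if not re.search(r"^ ip virtual-reassembly$", body, re.M):
            findings["interfaces_without_vfr"].append(name)
    return findings
```

Running it on the sample flags GigabitEthernet0/1 as lacking both the IPS rule and VFR, which is the kind of gap this deck's per-interface steps are meant to close.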