SECS05L05 - Configuring Cisco IOS IPS
[Figure: Cisco IOS IPS reacting to an attack. Attack traffic (1) enters the router; the defense response is an alarm (2) sent to the network management console, a reset of the offending TCP connection (3), and a drop of the packet (4).]
135 Signatures
Built-in signatures are the last resort when the router loads signatures.
They can be turned off with the CLI command 'no ip ips sdf builtin'.
Cisco recommends using the pre-tuned SDF files attack-drop.sdf, 128MB.sdf and 256MB.sdf instead.
Built-in signatures will NOT be supported in 12.4(PI5)T when IOS IPS supports the 5.x signature format.
Signature actions
Alarm: sends an alarm via syslog and SDEE.
Reset: applies to TCP connections only; sends a TCP reset to both peers.
Drop: drops the packet.
DenyAttackerInline: blocks the attacker's source IP address completely. No traffic from the attacker can pass through the router until the shun time expires (the shun time is set by the user).
DenyFlowInline: blocks only the matching TCP flow from the attacker. Other connections from the attacker can still be established through the router.
SDF loading flow (reconstructed from the flowchart)
START
1. Repeat through all configured SDF locations: load the SDF from the next available location.
   Success? YES: go to step 3. NO: try the next location.
2. No more locations: is the built-in signature set enabled?
   YES: load the built-in signatures (135) and go to step 3.
   NO: is fail closed configured?
       YES: packet dropped.
       NO: packet passed unscanned.
3. Build the signature engines.
   Engine build success? YES: SDF load complete.
   NO: does a previous engine exist?
       YES: use the previous engine's signatures.
       NO: put the engine in the Inactive state.
[Figure: alarm delivery. IOS IPS routers at the WAN, campus, supplier VPN backbone, accounting, Internet and intranet-server edges send alerts to the network management console over the SDEE protocol and to the syslog server over syslog.]
router(config)#
ip ips name ips-name
Creates the IPS rule ips-name; the rule is later applied to an interface in the inbound and/or outbound direction.
Fail-closed mode instructs the router to drop all packets until the signature engine is built and ready to scan traffic.
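The complete configuration the slides describe, as an added example that is not part of the course material: it loads a pre-tuned SDF with the built-in set disabled, fails closed while the engines build, sends alarms over both SDEE and syslog, and binds the rule to an interface. The SDF server 10.0.0.5, syslog host 10.0.0.6, ACL 101, rule name MYIPS, interface GigabitEthernet0/0 and the disabled signature 2004 are assumptions for illustration.

```cisco
! Added example (not from the course slides); IOS 12.4T, 4.x-format SDF.
! Addresses, names and ACL numbers below are assumed.
!
! Signature source: prefer a pre-tuned SDF in flash. Locations are tried
! in the order configured; the built-in set would be the last resort.
copy tftp://10.0.0.5/128MB.sdf flash:128MB.sdf
configure terminal
ip ips sdf location flash:128MB.sdf
! Fallback location if the flash copy is missing
ip ips sdf location tftp://10.0.0.5/128MB.sdf
! Never fall back to the 135 built-in signatures
no ip ips sdf builtin
! Drop all traffic until the engines are built, instead of passing it unscanned
ip ips fail closed
!
! Alarm delivery: SDEE is pulled by the NMS over HTTP, so the HTTP server
! must be enabled (use ip http secure-server where the NMS supports HTTPS)
ip ips notify sdee
ip sdee events 500
ip http server
! Syslog copy of every alarm (%IPS-4-SIGNATURE messages)
ip ips notify log
logging host 10.0.0.6
!
! Tuning in 4.x format: the CLI can disable or delete a signature;
! per-signature actions (alarm/reset/drop/deny) live in the SDF itself.
! Assumed tuning: silence the ICMP echo-request signature 2004.
ip ips signature 2004 disable
!
! The rule: only traffic matched by ACL 101 is inspected
! (management subnet 10.0.0.0/24 is exempt)
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
ip ips name MYIPS list 101
!
! Bind the rule in both directions on the untrusted interface
interface GigabitEthernet0/0
 ip ips MYIPS in
 ip ips MYIPS out
end
!
! Verification: SDF locations, fail-closed state and notify settings;
! loaded signatures and engine state; interfaces carrying the rule
show ip ips configuration
show ip ips signatures
show ip ips interfaces
```

With `ip ips fail closed` set, a failed SDF load or engine build on this router drops transit traffic until the engine is ready, which is the safe choice on an enforcement point but will cause an outage if the SDF file is corrupt; check `show ip ips configuration` after every SDF change, and keep the TFTP fallback reachable only if the built-in set is not acceptable as a last resort.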