SECS05L05 - Configuring Cisco IOS IPS


Adaptive Threat Defense

Configuring Cisco IOS IPS

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—5-1


Cisco IOS Intrusion Prevention System

[Figure: an attack enters the router running Cisco IOS IPS; the router raises an alarm to the network management console, resets the connection and drops the packet.]


Features

• Uses the underlying routing infrastructure
• Ubiquitous protection of network assets
• Inline deep packet inspection
– Software-based inline intrusion prevention sensor
• IPS signature support
– Signature-based packet scanning, using the same set of signatures as the Cisco IPS Sensor platform
– Dynamic signature update (no need to update the IOS image)
– Customized signature support
• Variety of event actions, configurable on a per-signature basis
• Parallel signature scanning
• Named and numbered extended ACL support


Signature Micro Engines

• An SME is a component of IOS IPS that supports signatures in a certain category.
• Each engine is customized for the protocol and fields it is designed to inspect, and defines a set of legal parameters that have allowable ranges or sets of values.
• The SMEs look for malicious activity in a specific protocol.
• All the signatures in a given micro-engine are scanned in parallel rather than serially.
• 15 SMEs in Cisco IOS 12.4(4)T or later
• The OTHER engine has hard-coded signatures


Built-in Signatures

• 135 signatures
• Built-in signatures are the last resort when the router loads signatures. They can be turned off with the CLI command ‘no ip ips sdf builtin’.
• Cisco recommends using the pre-tuned SDF files attack-drop.sdf, 128MB.sdf and 256MB.sdf.
• Built-in signatures will NOT be supported in 12.4(PI5)T when IOS IPS supports the 5.x signature format.


Signature Actions

• Alarm
– Sends an alarm via syslog and SDEE
• Reset
– Applies to TCP connections; sends a reset to both peers
• Drop
– Drops the packet
• DenyAttackerInline
– Blocks the attacker’s source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this is set by the user).
• DenyFlowInline
– Blocks the appropriate TCP flow from the attacker. Other connections from the attacker can still be established to the router.


Signature Loading Process

• IOS IPS goes through several steps when loading the SDF

[Flowchart, rendered as text:]
• START: repeat through all configured locations, loading the SDF from the next available location.
– Success? NO: try the next location.
– Success? YES: build the signature engines.
– Engine build success? YES: SDF load complete.
– Engine build success? NO: does a previous engine exist? YES: use the previous engine’s signatures. NO: put the engine in the inactive state.
• No more locations: built-in signatures enabled?
– YES: load the built-in signatures (135).
– NO: fail closed? YES: packet dropped! NO: packet passed unscanned.
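The flow above as a small decision model, added here as an example and not Cisco's code: it takes the configured SDF locations, whether each one can actually be loaded (a constructed input standing in for the copy succeeding on a real router), the built-in and fail-closed settings and the engine build outcome, and returns where the signatures came from and whether traffic is scanned, dropped or passed unscanned. How traffic is treated when an engine ends up in the inactive state is an assumption taken from the description of ip ips fail closed later in this deck.

```python
"""Model of the Cisco IOS IPS signature loading flow.

Added example, not Cisco code: it walks the decisions in the flowchart
(configured SDF locations, built-in signature fallback, engine build,
fail-closed) so the packet disposition for each combination can be
checked offline. Location reachability is a constructed input that
stands in for whether a load from that URL would succeed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IpsConfig:
    sdf_locations: List[str]            # 'ip ips sdf location ...', in order
    reachable: Dict[str, bool]          # constructed: does a load from here succeed?
    builtin_enabled: bool = True        # default; 'no ip ips sdf builtin' turns it off
    fail_closed: bool = False           # 'ip ips fail closed'
    engine_build_ok: bool = True        # does building the SMEs succeed?
    previous_engine_exists: bool = False


@dataclass
class LoadResult:
    loaded_from: Optional[str]          # SDF location, "builtin", or None
    engine_state: str                   # "active", "previous", "inactive", "none"
    packet_disposition: str             # "scanned", "dropped", "passed-unscanned"
    log: List[str] = field(default_factory=list)


def load_signatures(cfg: IpsConfig) -> LoadResult:
    """Return where signatures came from and what happens to traffic."""
    result = LoadResult(None, "none", "passed-unscanned")

    # Step 1: repeat through all configured locations; the first success wins.
    for loc in cfg.sdf_locations:
        if cfg.reachable.get(loc, False):
            result.loaded_from = loc
            result.log.append(f"SDF_LOAD_SUCCESS: SDF loaded successfully from {loc}")
            break
        result.log.append(f"SDF load failed from {loc}")

    # Step 2: no more locations -> the 135 built-in signatures, if still enabled.
    if result.loaded_from is None:
        if cfg.builtin_enabled:
            result.loaded_from = "builtin"
            result.log.append("Loaded 135 built-in signatures")
        else:
            # Nothing to scan with: fail closed decides the fate of traffic.
            result.packet_disposition = "dropped" if cfg.fail_closed else "passed-unscanned"
            result.log.append("No signatures loaded; packets " + result.packet_disposition)
            return result

    # Step 3: build the signature micro-engines from the loaded signatures.
    if cfg.engine_build_ok:
        result.engine_state = "active"
        result.packet_disposition = "scanned"
        result.log.append("SDF load complete")
    elif cfg.previous_engine_exists:
        result.engine_state = "previous"
        result.packet_disposition = "scanned"
        result.log.append("Engine build failed; using previous engine signatures")
    else:
        # The flowchart only says the engine goes inactive; treating traffic
        # like the no-signatures case (fail closed drops, otherwise passes)
        # follows the 'ip ips fail closed' description and is an assumption.
        result.engine_state = "inactive"
        result.packet_disposition = "dropped" if cfg.fail_closed else "passed-unscanned"
        result.log.append("Engine build failed; engine placed in inactive state")
    return result


if __name__ == "__main__":
    demo = IpsConfig(["flash:128MB.sdf"], {}, builtin_enabled=False, fail_closed=True)
    print(load_signatures(demo))
```

The combination worth checking before a change window is the one the demo call uses: with the built-in signatures turned off and the SDF location unreachable, only ip ips fail closed keeps unscanned traffic from being forwarded.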


Signature Definition File (SDF)

• An SDF contains all or a subset of the signatures supported by Cisco IPS.
• An IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures.
• The IPS enforces the policy defined in the signature action.
• Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature.
• The SDF can be saved in the router flash memory.
• SDFs are downloaded from cisco.com.
• Two pre-built SDFs:
– 256MB.sdf
– 128MB.sdf


Cisco IOS Firewall IPS Network Visibility

[Figure: Cisco IOS Firewall IPS placement across an enterprise network: engineering, sales and finance offices, international sales offices, a mainframe, the WAN, the campus backbone, suppliers reached over VPN, accounting, the Internet and the intranet servers.]


Issues to Consider

• Memory use and performance impact
– Limited persistent storage
– CPU-intensive
• Updated signature coverage
– More than 1500 common attacks


Configuration Tasks

Install Cisco IOS Firewall IPS on the router:

• Specify the location of the SDF.
• Create an IPS rule.
• Attach a policy to a signature (optional).
• Apply the IPS rule to an interface.
• Configure logging via syslog or SDEE.
• Verify the configuration.


Specify Location of SDF

router(config)# ip ips sdf location flash:128MB.sdf

• (Optional) Specifies the location from which the router will load the SDF 128MB.sdf.
• If this command is not issued, the router will load the default, built-in signatures.


Merging Signatures

router# copy flash:128MB.sdf ips-sdf
router# copy ips-sdf flash:snrs-signatures.sdf
router# configure terminal
router(config)# ip ips sdf location flash:snrs-signatures.sdf
router(config)# interface fastEthernet 0/1
router(config-if)# no ip ips SNRS-IPS in
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
router(config-if)# ip ips SNRS-IPS in

• copy flash:128MB.sdf ips-sdf merges the signatures in the file with the signatures currently loaded on the router; copy ips-sdf flash:snrs-signatures.sdf saves the merged set to a new SDF.
• Pointing the SDF location at the merged file and then removing and re-applying the IPS rule on the interface reloads the signatures; note the %IPS-2-DISABLED message while the rule is removed from the only interface.


Attach a Policy to a Given Signature (Optional)

router(config)# ip ips signature 6500 list 99
router(config)# ip ips signature 1000 disable

• Associates access list 99 with signature 6500
• Disables signature 1000 in the SDF


Creating an IPS Rule

router(config)# ip ips name SNRS-IPS

• Creates an IPS rule (here named SNRS-IPS) that will be applied to an interface


IOS IPS Configuration Example: Disable Signatures

R1(config)# ip ips signature 9024 0 disable
%IPS Signature 9024:0 is disabled
R1# show ip ips signatures
Signatures were last loaded from flash:128MB.sdf
Cisco SDF release version S128.0
Trend SDF release version V0.0

Signature Micro-Engine: ATOMIC.TCP (11 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
50000:0 N A HIGH 0 0 0 0 0 FA N OPACL
3038:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2.1.1
3039:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2.1.1
3040:0 Y AD HIGH 0 0 0 100 30 FA N N 2.2.1.1
3041:0 Y AD HIGH 0 0 0 100 30 FA N N 2.2.1.1
3043:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2.1.1
3300:0 Y AD HIGH 0 0 0 100 30 FA N 2.1.1
3042:0 Y A HIGH 0 0 0 100 30 FA N N 2.2.1.1
9024:0 N A LOW 0 0 0 100 30 FA N S44
3123:0 Y A MED 0 0 0 100 30 FA N S46
9023:0 Y A MED 0 0 0 100 30 FA N S40

• Disabled signatures show as “N” in the “On” column (see 9024:0 above).


Apply an IPS Rule at an Interface

router(config-if)#
ip ips ips-name {in | out}

• Applies an IPS rule at an interface

router(config-if)# ip ips MYIPS in


Example

router(config)# ip ips sdf location flash:128MB.sdf
router(config)# ip ips fail closed
router(config)# ip ips name SNRS-IPS
router(config)# interface FastEthernet0/1
router(config-if)# ip address 172.30.1.2 255.255.255.0
router(config-if)# ip virtual-reassembly
router(config-if)# ip ips SNRS-IPS in
router(config-if)# end
*Jan 28 01:18:04.664: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded successfully from flash:128MB.sdf
. . . messages omitted ...
*Jan 28 01:18:30.452: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 5 signatures - 15 of 15 engines


Monitoring Cisco IOS Firewall IPS Signatures

[Figure: the router sends alarms to the network management console over the SDEE protocol and alerts to a syslog server via syslog.]


SDEE and Syslog

• Cisco IOS Software now supports the SDEE protocol.
• SDEE uses a pull mechanism: requests come from the network management application, and the IDS or IPS router responds.
• SDEE will become the standard format for all vendors to communicate events to a network management application.
• The use of HTTP over SSL (HTTPS) ensures that data is secured as it traverses the network.
• The Cisco IOS Firewall IPS router will still send IPS alerts via syslog.


Set Notification Type

router(config)#
ip ips notify [log | sdee]

• Sets the notification type

router(config)# ip ips notify sdee
router(config)# ip ips notify log

router(config)#
ip sdee events num_of_events

• Sets the maximum number of SDEE events that can be stored in the event buffer


Upgrade to Latest SDF

router(config)#
ip ips name ips-name

• Creates an IPS rule

router(config)#
no ip ips sdf builtin

• Instructs the router not to load the built-in signatures

router(config)#
ip ips fail closed

• Instructs the router to drop all packets until the signature engine is built and ready to scan traffic


Verifying IPS
R1# show ip ips configuration
Configured SDF Locations:
flash:128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 12:10:43 CST Oct 30 2006
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 303
Total Inactive Signatures: 0
Signature 50000:0 disable
Signature 50000:1 disable
Signature 50000:2 disable
IPS Rule Configuration
IPS name SNRS-IPS
Interface Configuration
Interface FastEthernet0/1
Inbound IPS rule is SNRS-IPS
Outgoing IPS rule is not set

• Verifies that Cisco IOS IPS is properly configured


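A parser and baseline check for this output, added here as an example and not Cisco code: it reads the show ip ips configuration text into a dictionary and reports deviations from an assumed local baseline (fail closed on, both notification types on, an IPS rule on every listed interface, no reliance on built-in signatures). For the sample above the only finding is the disabled fail closed setting.

```python
"""Parse 'show ip ips configuration' output and audit it against a baseline.

Added example, not Cisco code. SAMPLE is the output shown on the slide;
the baseline in audit_ips_config() is an assumed local policy, not a
Cisco requirement.
"""
import re
from typing import Dict, List, Optional

SAMPLE = """\
Configured SDF Locations:
flash:128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 12:10:43 CST Oct 30 2006
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 303
Total Inactive Signatures: 0
Signature 50000:0 disable
Signature 50000:1 disable
Signature 50000:2 disable
IPS Rule Configuration
IPS name SNRS-IPS
Interface Configuration
Interface FastEthernet0/1
Inbound IPS rule is SNRS-IPS
Outgoing IPS rule is not set
"""


def parse_ips_config(text: str) -> Dict[str, object]:
    """Turn the show output into a dictionary, one key per setting."""
    cfg: Dict[str, object] = {
        "sdf_locations": [], "builtin": None, "last_load": None,
        "fail_closed": None, "syslog": None, "sdee": None,
        "active": None, "inactive": None, "disabled_signatures": [],
        "rules": [], "interfaces": {},
    }
    in_sdf_list = False
    current_if: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Configured SDF Locations:":
            in_sdf_list = True              # the following lines are locations
        elif (m := re.match(r"Builtin signatures are (.+)", line)):
            in_sdf_list = False             # this line ends the location list
            cfg["builtin"] = m.group(1)
        elif in_sdf_list:
            cfg["sdf_locations"].append(line)
        elif (m := re.match(r"Last successful SDF load time: (.+)", line)):
            cfg["last_load"] = m.group(1)
        elif (m := re.match(r"IPS fail closed is (enabled|disabled)", line)):
            cfg["fail_closed"] = m.group(1) == "enabled"
        elif (m := re.match(r"Event notification through (syslog|SDEE) is (enabled|disabled)", line)):
            cfg[m.group(1).lower()] = m.group(2) == "enabled"
        elif (m := re.match(r"Total (Active|Inactive) Signatures: (\d+)", line)):
            cfg[m.group(1).lower()] = int(m.group(2))
        elif (m := re.match(r"Signature (\d+:\d+) disable", line)):
            cfg["disabled_signatures"].append(m.group(1))
        elif (m := re.match(r"IPS name (\S+)", line)):
            cfg["rules"].append(m.group(1))
        elif line.startswith("Interface ") and line != "Interface Configuration":
            current_if = line.split(None, 1)[1]
            cfg["interfaces"][current_if] = {"in": None, "out": None}
        elif (m := re.match(r"(Inbound|Outgoing) IPS rule is (.+)", line)) and current_if:
            rule = None if m.group(2) == "not set" else m.group(2)
            cfg["interfaces"][current_if]["in" if m.group(1) == "Inbound" else "out"] = rule
    return cfg


def audit_ips_config(cfg: Dict[str, object]) -> List[str]:
    """Return baseline deviations; an empty list means the router is compliant."""
    findings: List[str] = []
    if cfg["fail_closed"] is not True:
        findings.append("fail closed disabled: traffic passes unscanned until engines are built")
    if cfg["syslog"] is not True:
        findings.append("syslog notification disabled")
    if cfg["sdee"] is not True:
        findings.append("SDEE notification disabled")
    builtin = cfg["builtin"] or ""
    if "loaded" in builtin and "not loaded" not in builtin:
        findings.append("running on built-in signatures: the SDF load must have failed")
    if not cfg["sdf_locations"]:
        findings.append("no SDF location configured")
    for name, rules in cfg["interfaces"].items():
        if rules["in"] is None and rules["out"] is None:
            findings.append(f"{name}: no IPS rule applied")
        for direction, rule in rules.items():
            if rule is not None and rule not in cfg["rules"]:
                findings.append(f"{name}: {direction} rule {rule} is not defined")
    return findings
```

Feed it the output captured from each router and treat a non-empty findings list as a configuration drift ticket; the parser ignores lines it does not recognise, so fields added in later IOS releases do not break it.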
Verifying IPS (Cont.)

R1# show ip ips signatures
Builtin signatures are configured
Signatures were last loaded from flash:128MB.sdf
Cisco SDF release version 128MB.sdf v2
Trend SDF release version V0.0

*=Marked for Deletion Action=(A)larm,(D)rop,(R)eset Trait=AlarmTraits
MH=MinHits AI=AlarmInterval CT=ChokeThreshold
TI=ThrottleInterval AT=AlarmThrottle FA=FlipAddr
WF=WantFrag
Signature Micro-Engine: OTHER (4 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
1203:0 Y A HIGH 0 0 0 30 15 FA N N 2.2.1.5
1202:0 Y A HIGH 0 0 0 100 15 FA N N 2.2.1.5
3050:0 Y A HIGH 0 0 0 100 15 FA N 1.0
1201:0 Y A HIGH 0 0 0 30 15 FA N N 2.2.1.5
Signature Micro-Engine: STRING.ICMP (1 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
2156:0 Y A MED 0 0 0 100 15 FA N S54
Signature Micro-Engine: STRING.UDP (16 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
11209:0 Y A INFO 0 0 0 100 15 FA N S139
11208:0 Y A INFO 0 0 0 100 15 FA N S139
4608:2 Y A HIGH 0 1 0 100 15 FA N S30b
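Parsing this listing into records, added as an example rather than Cisco code: the sample is built from rows shown on these slides, the ATOMIC.TCP section is deliberately short of its declared 11 signatures so the review reports a truncated listing, and rows that lack the WF column (several above have only 12 fields) are handled by reading the fixed fields from the front and the version from the end of the line.

```python
"""Parse 'show ip ips signatures' output into records and review it.

Added example, not Cisco code. SAMPLE is constructed from rows on the
slides; the column meaning follows the legend printed above the table.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = """\
Signatures were last loaded from flash:128MB.sdf
Cisco SDF release version S128.0
Trend SDF release version V0.0
Signature Micro-Engine: ATOMIC.TCP (11 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
50000:0 N A HIGH 0 0 0 0 0 FA N OPACL
3038:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2.1.1
9024:0 N A LOW 0 0 0 100 30 FA N S44
3123:0 Y A MED 0 0 0 100 30 FA N S46
Signature Micro-Engine: OTHER (4 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
1203:0 Y A HIGH 0 0 0 30 15 FA N N 2.2.1.5
1202:0 Y A HIGH 0 0 0 100 15 FA N N 2.2.1.5
3050:0 Y A HIGH 0 0 0 100 15 FA N 1.0
1201:0 Y A HIGH 0 0 0 30 15 FA N N 2.2.1.5
"""

ENGINE_RE = re.compile(r"Signature Micro-Engine: (\S+) \((\d+) sigs\)")
ROW_RE = re.compile(r"^\d+:\d+\s")


def parse_signatures(text: str) -> Tuple[Dict[str, int], List[dict]]:
    """Return ({engine: declared signature count}, [signature records])."""
    engines: Dict[str, int] = {}
    sigs: List[dict] = []
    engine = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)
            engines[engine] = int(m.group(2))
            continue
        if engine is None or not ROW_RE.match(line):
            continue                      # banner, header or separator line
        t = line.split()
        if len(t) not in (12, 13):
            continue                      # incomplete row: skip rather than guess
        sigs.append({
            "id": t[0], "engine": engine,
            "enabled": t[1] == "Y",       # disabled signatures show N here
            "actions": set(t[2]),         # letters from (A)larm,(D)rop,(R)eset
            "severity": t[3],
            "min_hits": int(t[5]),
            "want_frag": t[11] if len(t) == 13 else None,   # WF column is optional
            "version": t[-1],
        })
    return engines, sigs


def review_signatures(engines: Dict[str, int], sigs: List[dict]) -> Dict[str, dict]:
    """Per engine: listing completeness, disabled signatures, which ones block."""
    by_engine: Dict[str, List[dict]] = defaultdict(list)
    for s in sigs:
        by_engine[s["engine"]].append(s)
    report: Dict[str, dict] = {}
    for name, declared in engines.items():
        rows = by_engine.get(name, [])
        report[name] = {
            "declared": declared,
            "listed": len(rows),
            "truncated": len(rows) < declared,
            "disabled": [s["id"] for s in rows if not s["enabled"]],
            "blocking": [s["id"] for s in rows if s["actions"] & {"D", "R"}],
            # HIGH severity signatures that only alarm: candidates for tuning
            "alarm_only_high": [s["id"] for s in rows
                                if s["enabled"] and s["severity"] == "HIGH"
                                and s["actions"] == {"A"}],
        }
    return report
```

Comparing the declared count in each Signature Micro-Engine header with the rows actually parsed is the quickest way to notice a paged or cut-off capture before drawing conclusions from it.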


Verifying IPS (Cont.)

R1# show ip ips interfaces
Interface Configuration
Interface FastEthernet0/1
Inbound IPS rule is SNRS-IPS
Outgoing IPS rule is not set

• Displays the interface configuration


Verifying IPS (Cont.)

• Check SDEE messages

R1# show ip sdee alerts
Alert storage: 200 alerts using 54400 bytes of memory
SDEE Alerts
SigID Sig Name SrcIP:SrcPort DstIP:DstPort
or Summary Info
1: 3301:0 NbtStat Query 172.28.49.222:137 172.28.49.255:137
2: 3301:0 NbtStat Query 172.28.49.222:137 172.28.49.255:137
3: 3301:0 NbtStat Query 172.28.49.222:137 172.28.49.255:137

R1# show ip sdee events
Alert storage: 200 alerts using 54400 bytes of memory
Message storage: 200 messages using 84800 bytes of memory
SDEE Events
Time Type Description
1: 03:20:11 UTC Feb 17 2006 STATUS SDF_LOAD_SUCCESS: SDF loaded successfully from flash:128MB.sdf
2: 03:20:11 UTC Feb 17 2006 STATUS ENGINE_BUILDING: OTHER - 3 signatures - 1 of 15 engines
3: 03:20:11 UTC Feb 17 2006 STATUS ENGINE_READY: OTHER - 0 ms - packets for this engine will be scanned
4: 03:20:11 UTC Feb 17 2006 STATUS ENGINE_BUILDING: MULTI-STRING - 0 signatures - 2 of 15 engines
5: 03:20:11 UTC Feb 17 2006 STATUS ENGINE_BUILD_SKIPPED: MULTI-STRING - there are no new signature definitions for this engine
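A small log monitor for the %IPS syslog messages and the SDEE alert rows shown on this and earlier slides, added as an example and not Cisco code: it flags the %IPS-2-DISABLED condition (no interface is being scanned), confirms the SDF load and that all engines were built, and tallies SDEE alerts by signature and by source host. The ENGINE_READY syslog line in the sample is constructed from the SDEE STATUS wording above and is an assumption about its syslog form.

```python
"""Monitor IOS IPS health and alerts from syslog and 'show ip sdee alerts'.

Added example, not Cisco code. The SDF_LOAD_SUCCESS, ENGINE_BUILDING and
DISABLED lines are copied from the slides; the ENGINE_READY line is
constructed on the pattern of the SDEE STATUS event (an assumption). The
SDEE alert rows are the ones shown in 'show ip sdee alerts'.
"""
import re
from collections import Counter
from typing import Dict, List

SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>.+?):\s*%IPS-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$")
ENGINE_RE = re.compile(
    r"^(?P<engine>\S+) - (?P<sigs>\d+) signatures - (?P<n>\d+) of (?P<total>\d+) engines")
SDEE_ALERT_RE = re.compile(
    r"^\d+:\s+(?P<sig>\d+:\d+)\s+(?P<name>.+?)\s+(?P<src>[\d.]+:\d+)\s+(?P<dst>[\d.]+:\d+)$")

SYSLOG_SAMPLE = [  # constructed sample, see the module docstring
    "*Jan 28 01:18:04.664: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded successfully from flash:128MB.sdf",
    "*Jan 28 01:18:30.452: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 5 signatures - 15 of 15 engines",
    "*Jan 28 01:18:30.460: %IPS-6-ENGINE_READY: ATOMIC.L3.IP - 8 ms - packets for this engine will be scanned",
    "*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled",
]
SDEE_SAMPLE = [
    "1: 3301:0 NbtStat Query 172.28.49.222:137 172.28.49.255:137",
    "2: 3301:0 NbtStat Query 172.28.49.222:137 172.28.49.255:137",
    "3: 3301:0 NbtStat Query 172.28.49.222:137 172.28.49.255:137",
]


def parse_syslog(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only %IPS messages; other syslog traffic is ignored."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def ips_health(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Did the SDF load, did every engine build, and was IPS ever disabled?"""
    status: Dict[str, object] = {"sdf_loaded_from": None, "engines_built": 0,
                                 "engines_total": None, "ips_disabled": False,
                                 "critical": []}
    for e in events:
        if e["mnemonic"] == "SDF_LOAD_SUCCESS":
            m = re.search(r"from (\S+)$", e["msg"])
            status["sdf_loaded_from"] = m.group(1) if m else None
        elif e["mnemonic"] == "ENGINE_BUILDING":
            m = ENGINE_RE.match(e["msg"])
            if m:
                status["engines_built"] = max(status["engines_built"], int(m.group("n")))
                status["engines_total"] = int(m.group("total"))
        elif e["mnemonic"] == "DISABLED":
            status["ips_disabled"] = True      # no interface is being scanned
        if int(e["sev"]) <= 2:                 # syslog severity 0-2: emergency..critical
            status["critical"].append(f"{e['ts']} %IPS-{e['sev']}-{e['mnemonic']}: {e['msg']}")
    status["all_engines_built"] = (status["engines_total"] is not None
                                   and status["engines_built"] == status["engines_total"])
    return status


def parse_sdee_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Rows of 'show ip sdee alerts' into dicts; header lines do not match."""
    return [m.groupdict() for m in (SDEE_ALERT_RE.match(l.strip()) for l in lines) if m]


def summarize_alerts(alerts: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count alerts per signature and per source host (port stripped)."""
    return {
        "by_signature": Counter(a["sig"] for a in alerts),
        "by_source": Counter(a["src"].rsplit(":", 1)[0] for a in alerts),
    }
```

On a collector, ips_health() is the check to run after every SDF change: a DISABLED message without a matching re-enable, or an engine count that never reaches the total, means the router is forwarding traffic that nothing inspected.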


clear Commands

router#
clear ip ips configuration

• Removes all intrusion prevention configuration entries and releases dynamic resources

router#
clear ip ips statistics

• Resets statistics on packets analyzed and alarms sent

router#
clear ip sdee {events | subscriptions}

• Clears SDEE events or subscriptions


debug Commands

router# debug ip ips timers
router# debug ip ips object-creation
router# debug ip ips object-deletion
router# debug ip ips function trace
router# debug ip ips detailed
router# debug ip ips ftp-cmd
router# debug ip ips ftp-token
router# debug ip ips icmp
router# debug ip ips ip
router# debug ip ips rpc
router# debug ip ips smtp
router# debug ip ips tcp
router# debug ip ips tftp
router# debug ip ips udp

• To turn debugging off, the undebug command may be used instead of the no form of each command.


Summary
• The Cisco IOS IPS acts as an inline intrusion prevention sensor.
• An SME is a component of Cisco IOS IPS that supports
signatures in a certain category.
• Cisco IOS IPS contains 135 built-in signatures but can be loaded
with over 1500 signatures from signature definition files.
• Cisco IOS IPS has two main deployment scenarios.
• Several tasks are required to configure Cisco IOS IPS on a router.
• Alert logging for IOS IPS can be done with Syslog and SDEE.
• An important part of IPS is keeping up with the latest attack
signatures.
• There are several commands available to verify and troubleshoot
IPS configuration and operation.
