Verifying IPS Operation
To verify the IPS configuration on the router, choose Configure > Intrusion Prevention > Edit IPS, as shown in Figure 6-27. The Edit IPS tab shows all the interfaces on the router and whether they are configured for Cisco IOS IPS. If Enabled appears in either the Inbound or the Outbound column, Cisco IOS IPS is enabled for that direction of traffic on that interface. If Disabled appears in either the Inbound or the Outbound column, Cisco IOS IPS is disabled for that direction on the interface.
Figure 6-27 Verifying IPS Policies
Cisco IOS IPS cannot identify the contents of IP fragments when VFR is not enabled, and it cannot gather port information from the fragment to match it with a signature. Therefore, fragments can pass through the network without being examined and without a dynamic ACL being created on the Cisco IOS Firewall. You will remember that VFR enables the Cisco IOS Firewall to examine out-of-sequence fragments. VFR can create the dynamic ACLs necessary to protect against fragment attacks.
The VFR status field shows the status of VFR on an interface. If VFR is enabled on the interface, the column displays On. If VFR is disabled on the interface, the column displays Off.
The Edit IPS tab also contains buttons that enable you to configure and manage Cisco IOS IPS policies, security messages, signatures, and more.
Use the show ip ips configuration command to display additional configuration data that is not displayed with the show running-config command. Example 6-2 shows some sample output from the show ip ips configuration command.
Example 6-2. show ip ips configuration Command Output
Router# show ip ips configuration
IPS Signature File Configuration Status
Configured Config Locations: flash:/ipsdir/
Last signature default load time: 04:39:33 UTC Dec 14 2007
Last signature delta load time: -none-
Last event action (SEAP) load time: -none-
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled
IPS Signature Status
Total Active Signatures: 353
Total Inactive Signatures: 1783
IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name sdm_ips_rule
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
IPS Category CLI Configuration:
Category all:
Retire: True
Category ios_ips basic:
Retire: False
Category ios_ips:
Enable: True
Category ios_ips advanced:
Enable: True
Use the show ip ips interface command to display interface configuration data. Example 6-3 displays output from the show ip ips interface command, revealing that the inbound IPS audit rule sdm_ips_rule is applied to FastEthernet 0/0 and FastEthernet 0/1. There is no rule applied for outgoing traffic on either interface.
Example 6-3. show ip ips interface Command Output
Router# show ip ips interfaces
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is sdm_ips_rule
Outgoing IPS rule is not set
Use the show ip ips all command to display additional configuration data that is not displayed with the show ip ips configuration command.
In Example 6-4, the output from the show ip ips all command shows that syslog and SDEE notification is enabled, and that there are 693 active signatures and 1443 inactive signatures on the router.
Example 6-4. show ip ips all Command Output
Router# show ip ips all
IPS Signature File Configuration Status
Configured Config Locations: flash:ipsstore/
Last signature default load time: 00:25:35 UTC Dec 6 2007
Last signature delta load time: -none-
Last event action (SEAP) load time: -none-
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled
IPS Signature Status
Total Active Signatures: 693
Total Inactive Signatures: 1443
IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name myips
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Interface Configuration
Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is myips
IPS Category CLI is not configured
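As an added example, not taken from the book, the following Python script parses show ip ips all output of the form shown in Example 6-4 and reports the conditions the text tells you to check: interfaces with no IPS rule in a direction, notification channels that are disabled, and whether fail closed is enabled. The sample output is constructed, and the function names are assumptions of this example.

```python
import re

# Constructed sample modelled on Example 6-4; not captured from a real router.
SAMPLE = """\
Event notification through syslog is enabled
Event notification through SDEE is disabled
IPS fail closed is disabled
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is not set
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is myips
"""

PATTERNS = {
    # Interface names carry a digit, which keeps "Interface Configuration" from matching.
    "iface": re.compile(r"^Interface (\S*\d\S*)$"),
    "rule": re.compile(r"^(Inbound|Outgoing) IPS rule is (.+)$"),
    "notify": re.compile(r"^Event notification through (\w+) is (enabled|disabled)$"),
    "fail": re.compile(r"^IPS fail closed is (enabled|disabled)$"),
}

def parse_ips_status(text):
    """Reduce show ip ips output to the fields that matter for verification."""
    st = {"interfaces": {}, "notify": {}, "fail_closed": False}
    iface = None
    for line in (l.strip() for l in text.splitlines()):
        if m := PATTERNS["iface"].match(line):
            iface = st["interfaces"].setdefault(m[1], {})
        elif (m := PATTERNS["rule"].match(line)) and iface is not None:
            iface["in" if m[1] == "Inbound" else "out"] = None if m[2] == "not set" else m[2]
        elif m := PATTERNS["notify"].match(line):
            st["notify"][m[1]] = m[2] == "enabled"
        elif m := PATTERNS["fail"].match(line):
            st["fail_closed"] = m[1] == "enabled"
    return st

def audit(st):
    """Findings a reviewer would raise: unscanned directions, alerting off, fail open."""
    findings = []
    for name, rules in st["interfaces"].items():
        for direction in ("in", "out"):
            if rules.get(direction) is None:
                findings.append(f"{name}: no {direction}bound IPS rule")
    findings += [f"{p} notification disabled" for p, on in st["notify"].items() if not on]
    if not st["fail_closed"]:
        findings.append("fail closed disabled: traffic is forwarded unscanned if the engine fails")
    return findings
```

Pipe the real command output into parse_ips_status instead of SAMPLE to check a production router; the Edit IPS tab in the GUI shows the same per-interface Enabled/Disabled state that the interface findings flag.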