
Chapter 16: Implementing IOS-Based IPS

I. Understanding and Installing an IOS-Based IPS


1. What Can IOS IPS Do?
1. Profile based
2. Signature based
3. Protocol analysis based
a. Does not support anomaly-based detection like the appliances do
4. Benefits
a. The ability to do dynamic updates of signatures
b. Integrates easily into an existing network
c. Works alongside other security features, such as Zone-Based Firewalls (ZBF),
VPN termination, ACLs, AAA, and many others, on the same router as long as
there is enough memory and CPU to support all the features
d. Can be managed by CCP, IPS Manager Express (IME), Cisco Security Manager
(CSM), and the CLI
e. Supports attack signatures from the same signature database that is used by the IPS
appliances
Table 16-2 IOS IPS Features

Cisco IOS IPS Signature Feature / Description

Regular expression string pattern matching
   Enables the creation of string patterns using variables. An example of a regular
   expression is hot|cold, which is part of the signature that would look for a match
   on the word hot or cold. Using regular expressions can allow a single string to
   be used to match several possible combinations of that string inside of a packet

Response actions
   This enables the sensor to take action in response to a triggered event, such as
   denying a packet, creating an alert, resetting the TCP connection, or denying the
   attacker's future packets for a period of time

Alarm summarization
   This helps prevent resource exhaustion by summarizing events that are all the
   same or at least the same signature. Under heavy attack, a summary may show
   the attack happened 15,000 times as opposed to producing 15,000 individual
   alerts. Summarization is tunable on both the IOS IPS and the appliances

Threshold configuration
   Threshold configuration identifies thresholds, which if exceeded may trigger
   events. For example, a specific string of text can be identified in a signature.
   That same signature can specify that an alert will be generated only after that
   string of text has been seen five times within a 60-second window

Anti-evasive techniques
   Similar to the appliances, the intelligence in the IOS IPS is designed to correctly
   interpret the actual data regardless of whether it is fragmented or uses a combination of
   character sets, such as Unicode

Risk ratings
   A calculated number between 0-100 associated with an alert. The higher the
   number, the more risk is presumed. Identifying your critical servers/hosts
   enables the system to generate higher risk ratings when signatures to those
   devices are matched. Those higher risk ratings can then trigger countermeasures
   against the attack(s)

2. Installing the IOS IPS Feature


1. Use Feature Navigator to make sure your IOS version supports IOS IPS.
2. Obtain signature files
a. ZIP format: if the zip file is on your computer, use CCP to move it to the router
b. .pkg format: move the file to the router and use the CLI to install it
c. Alternatively, configure the router with your CCO account so that it automatically
updates its signature files
a. Signature files use a lot of CPU to compile; an automatic update could cause
performance issues
3. Install via CCP and CLI below

3. Getting to the IPS Wizard


1. Configure > Security > Intrusion Prevention, then click Launch IPS Rule Wizard
a. If Security Device Event Exchange (SDEE) Protocol has not been enabled yet, you
will be prompted to do so. Click OK
b. A subscription is opened to the router to get SDEE events; a subscription is the term used to
describe a connection to an IPS device that sends alerts via SDEE and manages the IPS. Click
OK

1. Welcome page, click NEXT

2. Interfaces that are currently on the router are shown. Usually inbound should be
chosen on the interface(s) facing the less trusted network, such as the Internet. Click NEXT

3. Select the ZIP file on the local computer, use FTP, or specify a file already on the router flash;
click OK

4. Cisco signs its signature files so that they can be verified (to make sure you aren't
loading tampered or malicious signatures)
a. The public key is found with the signatures downloaded from Cisco
5. Click NEXT

6. The IPS configuration can be stored on the local router (flash) or on a file server
a. Do this below; could be FTP, could be router flash
b. Click OK

7. The Advanced category has more than 1000 signatures; choose it only if you have plenty of CPU and
memory, otherwise pick the Basic category, which has fewer than 500 signatures enabled.
a. Click NEXT

8. Compiling will take up to 5 minutes, and a smaller router will utilize the CPU up to
100%
a. See the CLI output while signatures are compiled into micro-engines
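The same installation done from the CLI, as an added example (this is not the chapter's Example 16-1 and not Cisco's documentation text). The key-string, the signature package file name and the interface name are placeholders; the real public key ships with the signature download from Cisco:

```cisco
! Added example: CLI equivalent of the IPS Rule Wizard steps above.
! PLACEHOLDERS: the key-string is not the real Cisco key (paste the hex
! lines from the realm-cisco.pub.key.txt file that comes with the signatures);
! IOS-Sxxx-CLI.pkg and GigabitEthernet0/0 are assumptions for this router.
!
! Wizard step 4: import the Cisco public key so the signed signature package
! is verified before it is compiled
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <hex key-string from realm-cisco.pub.key.txt goes here>
  quit
!
! Wizard step 6: directory on flash where the router keeps its signature
! configuration files (create it first)
mkdir flash:ips
ip ips config location flash:ips retries 1
!
! Name the rule (CCP names the one it creates sdm_ips_rule)
ip ips name sdm_ips_rule
!
! Wizard step 7: retire all signatures, then unretire only the basic
! category so the first compile stays within CPU and memory limits
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Alerts are delivered over SDEE so CCP or IME can subscribe to them
ip ips notify sdee
ip sdee events 200
!
! Wizard step 2: apply the rule inbound on the less-trusted interface
interface GigabitEthernet0/0
 ip ips sdm_ips_rule in
!
! Wizard steps 3 and 8: load the signature package (.pkg already copied to
! flash); this starts the compile into the micro-engines, which can push a
! small router's CPU to 100% for several minutes
copy flash:IOS-Sxxx-CLI.pkg idconf
!
! Verify what was compiled and how the rule is applied
show ip ips signatures count
show ip ips configuration
```

The order matters: the public key must be present before the package is loaded with copy ... idconf, otherwise the signature on the package cannot be checked and the load fails.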

II. Working with Signatures in an IOS-Based IPS


1. Can use the following to tune IOS IPS
a. CCP
b. CLI
c. CSM
d. IME
2. We will use CCP and CLI in this example
3. Configure > Security > Intrusion Prevention, click the Edit IPS tab, then click the
Signatures option to view signatures

4. The signature list is shown (figure not reproduced in these notes)

5. Select a signature to edit or filter based on name, number, or other attribute


6. Four other buttons above the signatures
a. Enable: makes the signature active so long as it is not retired. An enabled
and unretired signature is used as the router scans packets looking for malicious
traffic
b. Disable: retired or not, a signature that is disabled is not used to compare traffic
against when performing IPS
c. Retire: if a signature is retired, it is not compiled as part of the available list of
signatures that can be enabled. Long story short: retiring signatures reduces the
amount of RAM needed on the router
d. Unretire: this option causes the signature to be part of the compiled signatures
that, if also enabled, will be actively used by IPS when scanning traffic
Table 16-3 Matrix for Retired/Unretired/Enabled/Disabled

Compiling / Allowing Action   Enabled                                Disabled

Retired                       No memory consumption, and no          No memory consumption, and no
                              action related to the signature        action related to the signature
                              during packet analysis                 during packet analysis

Unretired                     Consumes memory, and the signature     Consumes memory, but no action
                              is considered during packet            related to the signature during
                              analysis                               packet analysis

7. Shows filtering based on SigID

8. Red symbol indicates current signature is disabled


9. To ensure a signature triggers every time an ICMP echo request is seen, you can
highlight signature 2004, click Enable and click Unretire just to make sure it's enabled
and not retired.
10. The yellow symbol means that a change has been made but not committed to the router
yet

11. Recompilation on CLI shown below

12. Green symbol (check mark) shows enabled

2. Actions That May Be Taken


1. Actions we can choose for IOS IPS
a. Deny attacker inline
b. Deny connection inline
c. Deny packet inline
d. Produce alert (the default action for most signatures)
e. Reset TCP connection (effective only against TCP-based attacks)
2. To modify actions, right-click the signature, select Actions, and check which actions
you want to use for the signature. Click OK and Apply Changes
3. The router compiles the new changes

4. A ping should now trigger an alert and whatever actions you chose. The example below
shows a workstation pinging the router's interface that has IPS enabled

5. To modify a signature, highlight it and click Edit

6. In the pop-up window shown below, the green square box (just to the left of the item)
indicates the value is at its default.
7. To modify one of these items, click the green box; it changes to a red diamond and
then allows you to change the value of that property.

8. CLI example of all of the configuration we have done in CCP (not reproduced in these notes).

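Tuning signature 2004/0 (the ICMP Echo Request signature used in the CCP walkthrough above) from the CLI, as an added example that is not the chapter's own CLI output. It assumes the IPS rule and signature categories are already configured on the router; the chosen severity and actions are illustrative:

```cisco
! Added example: CLI equivalent of Enable + Unretire + the Actions dialog
! for signature 2004 subsignature 0 (ICMP Echo Request).
! Assumes ip ips name / categories / package are already in place.
ip ips signature-definition
 signature 2004 0
  ! "Unretire" and "Enable": compile it and use it during packet analysis
  status
   enabled true
   retired false
  exit
  ! Tuning a property away from its default (CCP: green box -> red diamond);
  ! medium is an assumed value, not the signature's default
  alert-severity medium
  ! Actions: keep the default alert and also drop the matching packet.
  ! Other keywords: deny-attacker-inline, deny-connection-inline,
  ! reset-tcp-connection (the last one only makes sense for TCP signatures)
  engine
   event-action produce-alert deny-packet-inline
  exit
 exit
exit
! Leaving signature-definition mode asks you to confirm the changes and then
! recompiles the affected micro-engine (the "router compiles new changes" step)
!
! Verify the result
show ip ips configuration
show ip ips signatures count
```

Because every signature-definition change triggers a recompile, batch several signature edits in one session rather than confirming them one at a time on a small router.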

3. Best Practices When Tuning IPS


1. Begin with the basic signature category, and see how much memory and CPU
utilization this takes in the production network, before moving to the advanced
signature category which will take significantly more CPU and resources from the
router
2. Schedule downtime for the installation and updates
3. Retire signatures that are irrelevant to your network to save resources on the router
4. Monitor free memory to ensure that you do not cause harm to your router by loading
too many additional services
5. There are options available that tell the IOS router not to forward any traffic
through an IPS-protected interface if some type of problem causes the signatures not to
compile. The term for this is fail closed. The other option, which indicates that if a
problem with the IPS signatures not compiling occurs the router should still forward
traffic, is called fail open. Based on the security policy, you want to choose the option
that meets the needs of the company. Fail closed could cause a failure of the network
due to a failure of IPS, but it is more secure than fail open
6. For performance reasons, be very careful before unretiring and enabling the All
category of signatures
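The fail-open and fail-closed settings from item 5, side by side, together with the resource checks items 1 and 4 call for, as an added example (not from the chapter). The show commands are standard IOS; nothing here is specific to one router model:

```cisco
! Added example: fail open vs fail closed, and the checks to run before
! moving from the basic to the advanced signature category.
!
! Default behaviour (fail open): if the signatures fail to compile, the
! router keeps forwarding traffic on the IPS-protected interface, unscanned
no ip ips fail closed
!
! Fail closed: drop traffic through the IPS interface until the signature
! engines are built and ready. More secure, but an IPS compile failure now
! becomes a network outage, so this has to match the security policy
ip ips fail closed
!
! Item 1: measure what the current category costs before going to advanced
show ip ips signatures count
show processes cpu sorted
!
! Item 4: watch free memory so additional services do not starve the router
show memory statistics
!
! Item 3: retire what is irrelevant; categories can be retired wholesale and
! individual signatures unretired afterwards (assumed order for this example)
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
```

With fail closed in place, schedule signature updates in a maintenance window (item 2): the interface will not pass traffic for the duration of the compile.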

III. Managing and Monitoring IPS Alarms


1. Monitor > Security > IPS Status


a. Scroll to see all signatures and also see statistics like hits
b. Shows total signatures, how many are enabled, retired, compiled, etc...
c. Click the SDEE Log hyper-link to see another way to view alerts and additional
details about those alerts

2. SDEE Log
3. You can also get here by going to Monitor > Router > Logging and clicking the SDEE Message
Log tab
4. Filter by clicking the drop-down menu next to SDEE Messages and select one of the
four filtering options
a. All
b. Error
c. Status
d. Alerts
5. Also can click the Search button to search for source or destination IP address or
specific text

6. Another way
a. Monitor > Security > IPS Status Click IPS Alert Statistics tab
b. Color codes based on risk rating, as shown below
c. Risk rating is important because you can configure something called an event
action override, which automatically initiates countermeasures based on the
resulting risk rating

7. Another way to look at this information from the CLI

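The CLI side of the monitoring views above, as an added example (not the chapter's Example 16-5). The four CCP SDEE filters (All, Error, Status, Alerts) correspond to keywords of the show ip sdee command; the syslog option is included as an alternative destination for the same alerts:

```cisco
! Added example: viewing IPS alerts and status from the CLI.
!
! Prerequisites: SDEE notification, an event buffer, and the HTTP(S) server
! SDEE rides on (CCP and IME subscribe over it)
ip ips notify sdee
ip sdee events 200
ip http secure-server
!
! Optional: also send IPS alerts to syslog so an existing collector sees them
ip ips notify log
!
! The four CCP filter options map to these views
show ip sdee all
show ip sdee errors
show ip sdee status
show ip sdee alerts
!
! Which managers (CCP, IME) currently hold an SDEE subscription
show ip sdee subscriptions
!
! Hit counters per signature and overall IPS state; the CCP "IPS Status"
! page shows the same totals (enabled, retired, compiled)
show ip ips statistics
show ip ips signatures count
!
! Empty the event buffer once the alerts have been reviewed
clear ip sdee events
```

Keep ip sdee events large enough for the expected alert rate; when the buffer fills, older events are overwritten before a manager has pulled them.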

IV. Do I Know This Already? Quiz


Table 16-1 Do I Know This Already? Section-to-Question Mapping

Foundation Topics Section                          Questions
Understanding and Installing an IOS-Based IPS      1-4
Working with Signatures in an IOS-Based IPS        5-6
Managing and Monitoring IPS Alarms                 7-8

1. Because of how a router operates, which IPS/IDS mode does it operate in?
a. Promiscuous
b. Out-of-band
c. IPS
d. IDS

2. Which of the following enable you to manage an IOS router's IPS configuration?
(Choose all that apply.)
a. CLI
b. CSM
c. CCP
d. IME
3. Why is the public key for Cisco required as part of the IPS installation?
a. It is used to verify the routers self-signed certificate
b. It is used to log in to CCO for automated signature updates
c. It is used to validate the signature that Cisco has placed on the signature package
d. No public key is used as part of an IOS-based IPS
4. Where are the specific signature-related configuration files kept related to an IOS-based IPS?
a. RADIUS server
b. TACACS+ server
c. On Flash or FTP or other reachable destination that the router is configured to use
for that purpose
d. NVRAM
5. Which of the following are examples of tuning a signature? (Choose all that apply.)
a. Changing the default severity level
b. Enabling it if it was disabled by default
c. Disabling it if it was enabled by default
d. Changing the default action
6. Which of the following is used to indicate that a signature is enabled? (Choose all that
apply.)
a. A green icon in the Enabled column
b. A check mark in the Enabled column
c. A missing check mark in the Disabled column
d. A missing check mark in the Unretired column
7. Which of the following are methods that enable you to see alerts that have been
triggered by IOS-based IPS?
a. CLI
b. CCP
c. IME
d. CSM
8. Why is it considered a best practice to avoid compiling, enabling, and running all
available signatures? (Choose all that apply.)
a. CPU utilization
b. Memory utilization
c. The size of NVRAM
d. Not a best practice

V. Review All the Key Topics


Table 16-4 Key Topics

Key Topic Element   Description                                          Page Number
Table 16-2          IOS IPS features                                     393
Figure 16-7         Adding Cisco public key information                  397
Example 16-1        Output from console while signatures are compiled    399
Figure 16-10        Viewing the IPS signatures                           401
Table 16-3          Matrix for retired/unretired/enabled/disabled        402
Figure 16-12        Modifying the properties of the signature            403
Figure 16-14        Assigning actions to a signature                     405
Figure 16-18        Viewing the event details                            415
Example 16-5        Viewing alerts from the CLI                          415

VI. Complete the Tables and Lists from Memory


Table 16-2 Basic Configuration Parameters and Required Information for Easy VPN

Parameter / Description/Value

Configure ASA IP address
   These are the IP addresses that will be applied on an interface facing the internal
   network (typically the inside or demilitarized zone [DMZ]) to our ASA's
   external-facing interface (typically the outside interface) for use by our remote
   clients to communicate with the ASA for VPN tunnel establishment. The external-facing
   IP address can either be a public routable address or an address assigned from our
   internal IP addressing plan (typically RFC1918) that might have been subject to
   Network Address Translation (NAT) further toward your organization's gateway to the
   Internet. Regardless of the type of external address used, both must be unused and
   routable within your environment.

Configure required routing
   With the outside IP address configured, you can now proceed to configure your routing
   behavior for the ASA to be able to connect to your remote clients. Depending on your
   organization's routing behavior and protocols, this might be achieved with a dynamic
   routing protocol. However, it is common practice to use a static route to your
   Internet edge router, as it is in the example in this chapter.

Configure preferred IKEv1 policies
   This step is optional. However, based on your existing policies and the default ASA
   policies (these are added after enabling ISAKMP on an interface using the Adaptive
   Security Device Manager [ASDM]), you might need to further customize the various
   combinations of encryption or authentication parameters and protocols in use. This
   section also includes the use of peer authentication and whether an extended
   authentication scheme will be used (for example, XAUTH).

Configure preferred IPsec policies
   This step is optional. However, based on your requirement to further customize the
   default ASA policies (these are added after enabling ISAKMP on an interface using the
   ASDM), you might need to further customize the various combinations of encryption or
   authentication parameters and protocols in use.

Configure Hybrid authentication (optional)
   You may choose to implement hybrid authentication to prevent the use of
   man-in-the-middle attacks. By choosing to introduce this step, we provide the client
   with a way to authenticate the Adaptive Security Appliance (ASA) device through the
   use of certificates.

Configure Client settings
   As part of your configuration, you must determine and enter the required information
   that will be applied to connecting clients (for example: IP address pools, the use of
   internal, external or static assignment, Domain Name System [DNS] servers, and domain
   suffixes).

Configure basic access control
   You do this through the use of policy assignment and access control lists (ACL).
   Depending on the resource access you are providing to users, you might or might not
   want to restrict their movement within your network environment.

Install and Configure the Cisco IPsec VPN client software
   For further information about the installation of the client software and basic
   parameters required to add a connection, see Chapter 15, Deploying and Managing the
   Cisco VPN Client.
Table 16-3 Tunnel Policy (Crypto Map) Basic Tab

Field / Value

Interface
   Select from the list of available interfaces this crypto map will apply to (default
   outside).

Policy Type
   Static: Commonly used with LAN-to-LAN (L2L) tunnels whereby both peers will be
   configured with the same and complete information because all parameters are known.
   Dynamic: Allows the ASA to select the preferred settings from those available or
   configured for parameter negotiation with the client. This policy type is commonly
   used in remote-access VPN scenarios whereby the IP address of the connecting remote
   client is unknown, unlike static policies, that is, LAN-to-LAN tunnels where the IP
   addresses of both endpoints (local and remote) have been preconfigured.

Priority
   Enter the priority of this crypto map. Values range from 1 to 65535, with 1 being the
   preferred (first) policy map to be checked for parameter matches. It is common for a
   dynamic catchall policy to be given the value of 65535, allowing for more specific
   policies to be entered below.

Transform Sets to Be Added
   Choose from the list of available transform sets and move up or down in your
   collected list to sort into a priority order. Those at the top of the list are sent to
   the client first.

Connection Type
   Choose from Bidirectional, Originate Only, Answer Only.
   This option specifies how the ASA will behave when configured with a VPN connection
   entry. However, these settings only really apply when L2L connections have been
   configured (static crypto maps). If you have selected Dynamic for the crypto map type
   earlier, this option disappears and the action of Answer Only is applied. This makes
   perfect logic, because you cannot initiate a VPN session with someone whose IP address
   is unknown to you, like a VPN client who can connect from anywhere on the Internet.

IP Address of Peer to Be Added
   IP address of the remote VPN endpoint, applicable only for static crypto maps.
   Policies with the Originate Only policy type might have up to 10 backup peers
   configured for failover reasons.

Enable PFS
   Disabled by default, this option allows you to specify a DH group type used to derive
   Phase 2 keying material instead of deriving it from the Phase 1 master key. Basically,
   it says that for Phase 2 a new DH exchange needs to take place.

Table 16-3 Matrix for Retired/Unretired/Enabled/Disabled

Compiling / Allowing Action   Enabled                                Disabled

Retired                       No memory consumption, and no          No memory consumption, and no
                              action related to the signature        action related to the signature
                              during packet analysis                 during packet analysis

Unretired                     Consumes memory, and the signature     Consumes memory, but no action
                              is considered during packet            related to the signature during
                              analysis                               packet analysis

VII.Define Key Terms


1. IPS signature files
2. Cisco public key
3. signature micro-engines
4. enabled
5. disabled
6. retired
7. unretired

VIII. Command Reference to Check Your Memory


Table 16-5 Command Reference

Command                      Description
show ip sdee alerts          Allows viewing of alert events from the CLI
show ip ips configuration    Allows viewing of the IPS configuration from the CLI
ip ips sdm_ips_rule in       Applies a rule named sdm_ips_rule inbound on the
                             current interface it is being configured under
