Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Cisco IOS Intrusion Prevention System
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-data-ios-ips-12-4t-book.html
Cisco IOS IPS watches packets and sessions as they flow through the router and scans each packet against the loaded Cisco IOS IPS signatures. When packets in a session match a signature, Cisco IOS IPS can take any of these actions:
- Send an alarm to a syslog server or a centralized management interface
- Drop the packet
- Reset the connection
- Deny traffic from the source IP address of the attacker for a specified amount of time
- Deny traffic on the connection for which the signature was seen for a specified amount of time
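With `ip ips notify log` and a syslog host configured (the steps further down), every signature hit reaches the collector as a %IPS-4-SIGNATURE message. The script below is an added example, not code from this page or from Cisco: it parses those messages, counts hits per source and per signature, and applies an offline version of the deny-attacker decision (a source is flagged once it produces a configurable number of alerts at or above a RiskRating threshold). The message layout follows the IOS IPS 5.x alert format; the log lines, addresses, thresholds and function names are constructed for illustration.

```python
"""Triage Cisco IOS IPS syslog alerts (added example, not Cisco's code).

Assumes the IOS IPS 5.x alert format:
  %IPS-4-SIGNATURE: Sig:<id> Subsig:<n> Sev:<n> <name>
                    [<src>:<port> -> <dst>:<port>] VRF:<vrf> RiskRating:<n>
"""
import re
from collections import Counter

# Constructed sample log (documentation address ranges, illustrative sig IDs).
# The %SYS line is there to show that unrelated messages are skipped.
SAMPLE_LOG = """\
*Mar  1 00:10:01.101: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.7:0 -> 192.0.2.10:0] VRF:NONE RiskRating:25
*Mar  1 00:10:01.512: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.7:0 -> 192.0.2.11:0] VRF:NONE RiskRating:25
*Mar  1 00:10:02.003: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe access [203.0.113.7:51234 -> 192.0.2.10:80] VRF:NONE RiskRating:100
*Mar  1 00:10:02.884: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe access [203.0.113.7:51235 -> 192.0.2.10:80] VRF:NONE RiskRating:100
*Mar  1 00:10:05.117: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [198.51.100.4:0 -> 192.0.2.10:0] VRF:NONE RiskRating:25
*Mar  1 00:10:05.900: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.9)
"""

ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)


def parse_alerts(text):
    """Return one dict per %IPS-4-SIGNATURE line; other syslog lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        for key in ("sig", "subsig", "sev", "sport", "dport", "rr"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def hits_by_source(alerts):
    """Alert count per attacker address (the deny-attacker view)."""
    return Counter(a["src"] for a in alerts)


def hits_by_signature(alerts):
    """Alert count per (Sig, Subsig) pair, useful for spotting noisy signatures."""
    return Counter((a["sig"], a["subsig"]) for a in alerts)


def sources_to_deny(alerts, min_risk=90, min_hits=2):
    """Offline equivalent of a deny-attacker decision: sources that produced at
    least min_hits alerts with RiskRating >= min_risk. Thresholds are illustrative;
    on the router the inline deny-attacker action makes this call itself."""
    high = Counter(a["src"] for a in alerts if a["rr"] >= min_risk)
    return sorted(src for src, n in high.items() if n >= min_hits)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    print("alerts parsed:", len(found))
    print("per source:", dict(hits_by_source(found)))
    print("per signature:", dict(hits_by_signature(found)))
    print("sources to deny:", sources_to_deny(found))
```

The noisy ICMP signature (2004) fires on both sources, but only 203.0.113.7 crosses the high-RiskRating threshold; keying the deny decision on RiskRating rather than raw hit count is what keeps a ping sweep from earning the same treatment as a cmd.exe probe.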
*SDEE (Security Device Event Exchange) is an application-level protocol used to exchange IPS messages between IPS clients and IPS servers; it is the alternative to syslog for delivering alerts (ip ips notify sdee).
First, specify the location from which the router loads the SDF (Signature Definition File), because the IOS image ships with NO DEFAULT SIGNATURES:
(config)# ip ips sdf location disk2:attack-drop.sdf
*attack-drop.sdf is the older SDF-format signature file; Cisco IOS IPS 5.x (12.4(11)T and later) loads signed signature packages instead, which is why the public key at the end of these notes is needed.
If you're configuring IOS IPS on a new router, first CREATE the IPS rule, name it, and define how it reports, in this case by sending events as SYSLOG messages:
(config)#ip ips name MYIPS
(config)#ip ips notify log
*Be sure a SYSLOG SERVER is defined and logging is enabled:
(config)#logging 10.187.145.12
(config)#logging on
Specify where the IPS configuration will be stored:
(config)#ip ips config location flash:MYIPS
Apply the configured IPS rule to the interface, in the direction of the traffic you want inspected:
(config-if)#ip ips MYIPS out
*THIS WILL NOT WORK UNLESS YOU HAVE THE SIGNATURES LOADED. To check the signatures:
#sh ip ips signatures
Cisco SDF release version S0.0
Trend SDF release version V0.0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: atomic-ip (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-http-v2 (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
...
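Before trusting the router to inspect anything, confirm that a Cisco signature package is loaded and the micro-engines are active. The script below is an added example, not from this page or from Cisco: it parses the header of show ip ips signatures and reports why the IPS is not ready. The first sample is the page's own output above (release S0.0, every engine INACTIVE, meaning nothing will be inspected even though the rule is applied to the interface); the second sample is a constructed contrast case, and its release number and the absence of the INACTIVE tag are assumptions made for illustration.

```python
"""Pre-flight check on 'show ip ips signatures' output (added example)."""
import re

# Output shown on this page for a router with no signature package loaded
# (copied verbatim, minus the trailing "...").
NO_SIGNATURES_OUTPUT = """\
Cisco SDF release version S0.0
Trend SDF release version V0.0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: atomic-ip (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-http-v2 (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
"""

# Constructed contrast case: the header after a package has been loaded and
# compiled. The release number and the missing "(INACTIVE)" tag are assumptions.
LOADED_OUTPUT = """\
Cisco SDF release version S416.0
Trend SDF release version V0.0
Signature Micro-Engine: atomic-ip
Signature Micro-Engine: normalizer
Signature Micro-Engine: service-http
"""

RELEASE_RE = re.compile(r"^(Cisco|Trend) SDF release version (\S+)", re.M)
ENGINE_RE = re.compile(r"^Signature Micro-Engine: (\S+)(?: \((INACTIVE)\))?", re.M)


def parse_signature_status(text):
    """Extract release versions and per-engine active/inactive state."""
    releases = {vendor: ver for vendor, ver in RELEASE_RE.findall(text)}
    engines = {name: state != "INACTIVE" for name, state in ENGINE_RE.findall(text)}
    return {
        "cisco_release": releases.get("Cisco"),
        "trend_release": releases.get("Trend"),
        "engines": engines,
    }


def ips_ready(status):
    """Return (ready, reasons). Not ready if no Cisco package is loaded
    (release S0.0 or absent) or any micro-engine is INACTIVE."""
    reasons = []
    if status["cisco_release"] in (None, "S0.0"):
        reasons.append("no Cisco signature package loaded (release %s)" % status["cisco_release"])
    for name, active in sorted(status["engines"].items()):
        if not active:
            reasons.append("micro-engine %s is INACTIVE" % name)
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, output in (("page output", NO_SIGNATURES_OUTPUT), ("loaded", LOADED_OUTPUT)):
        ready, why = ips_ready(parse_signature_status(output))
        print(label, "ready" if ready else "NOT ready", why)
```

Run it against the captured output of the router after each change (package copy, category retire/unretire); an applied ip ips rule with S0.0 and INACTIVE engines is a firewall that is silently passing everything.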
The signature package downloaded from cisco.com is signed by Cisco; the router will not accept it until Cisco's public key is installed. That key is distributed as a .txt file on cisco.com, so copy it to flash and display it:
#more flash:downloaded_key.txt <- COPY THE CONTENT TO LATER PASTE INTO THE KEY
Now create the key (the downloaded file already contains the key name Cisco expects; keep that name rather than inventing one):
(config)#crypto key pubkey-chain rsa
(config-pubkey-chain)#named-key DOWNLOADED_KEY signature
(config-pubkey-key)#key-string
Enter a public key as a hexadecimal number ....
(config-pubkey)#(ENTER THE COPIED CONTENT HERE, and type "quit")