
Basic Intrusion Prevention System (IPS) Concepts and Configuration

  • Article is provided courtesy of Cisco Press.
  • Date: Jun 29, 2011.


Article Description

In the modern world, there are a number of different security threats that organizations need to deal with. There are a number of different solutions that can be deployed in order to deal with these different threats including firewalls, host and network based Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), as well as spam, virus and worm protection systems. This article looks at the current IOS device based network intrusion prevention system (NIPS).



Intrusion Prevention System Concepts

An intrusion prevention system works by scanning traffic as it crosses the network. Unlike an intrusion detection system, which only detects an event and reacts to it after the fact, an intrusion prevention system sits in the traffic path and is intended to stop malicious events as they are happening. There are a number of different attack types that can be prevented using an IPS, including (among others):

  • Denial of Service
  • Distributed Denial of Service
  • Exploits (Various types)
  • Worms
  • Viruses

It is also important to understand that, like an IDS, an IPS is limited to the signatures it is configured to look for. As of this writing, the IOS IPS system has protection for over 3700 different signatures. These signatures are updated by Cisco constantly, but if the updates are not loaded onto the configured equipment they do little to help against new threats. The IOS IPS feature was also designed to work with other IOS-based features, including IOS Firewall, control-plane policing and other IOS security protection features.

Packet Flow

A very important piece of the security configuration of an IOS device is being able to understand which feature is allowed to process traffic and in what order. Figure 1 shows the general order that is used to process packets as they come into a device.

IPS Signature Versions

There can also be some confusion when reading through Cisco documentation. Within the last couple of IOS releases, there has been a transition from the Intrusion Prevention System Version 4.x Signature Format to the Version 5.x Signature Format. With this transition came a big change from the use of .SDF files to .pkg files. This is further complicated by the documentation available on the Cisco website, some of which refers to the Version 4.x Signature Format while other documentation refers to the Version 5.x Signature Format. This article reviews the use of the newer .pkg files and signature format.

IPS Signature Categories

IOS IPS relies on a number of different signature micro-engines (SMEs); each of these engines processes a different category of signatures. It is important to be familiar with these categories because IOS IPS cannot load all of the available signatures at the same time; IOS IPS has to be configured to load only the categories of signatures that fit the particular IOS IPS device and its purpose.

Two of these categories are intended specifically for IOS IPS devices: the ios_basic category and the ios_advanced category. A third category specific to IOS IPS, called ‘IOS IPS Default’, was introduced in IOS 15.0(1)M and currently contains the same signatures as the ios_advanced category.

Signature Actions

When a signature is downloaded from Cisco, it is automatically assigned a specific action that will occur should the event be detected. There are five available actions:

  • produce-alert—Sends an alarm when a signature is detected
  • deny-packet-inline—Drops the packet which contained the signature that was detected, but does not reset the connection
  • reset-tcp-connection—Sends a TCP reset to both the attacker and the destination host
  • deny-attacker-inline—Denies traffic from the IP address of the offending traffic with a dynamic access list
  • deny-connection-inline—Denies traffic from the offending traffic session with a dynamic access list

Any of these five actions can be combined and customized for individual signatures on the IOS IPS device. In the past, these actions could be customized with Security Device Manager (SDM); however, with IOS version 12.4(11)T and later, SDM has been deprecated and Cisco Configuration Professional (CCP) for a single device, Cisco Security Manager (CSM) for up to 5 devices, or direct tuning from the IOS CLI is now required.

IOS IPS Logging, Monitoring and Alarming

When a signature is detected on an IOS IPS device, there are two methods that can be used for logging, monitoring and alarming:

  • syslog messages (enabled by default)
  • Using the Secure Device Event Exchange (SDEE) format

Both CCP and CME can be used to collect these events in smaller implementations; for larger deployments, the Cisco Security Monitoring, Analysis, and Response System (MARS) is required.
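As an added example that is not part of the original article, the following Python script parses the %IPS-4-SIGNATURE syslog messages an IOS IPS device emits when a signature with the produce-alert action fires, and summarizes hits per signature and source so that repeat offenders stand out. The log lines are constructed samples, and the message layout (Sig/Subsig/Sev, name, src:port -> dst:port, VRF, RiskRating) is assumed to match the IOS IPS syslog format.

```python
import re
from collections import Counter

# Constructed sample syslog output (not captured from a real device). The
# %IPS-4-SIGNATURE line is the message IOS IPS emits for the produce-alert action.
SAMPLE_SYSLOG = """\
*Jun 29 10:01:02.123: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.10:0 -> 198.51.100.5:0] VRF:NONE RiskRating:25
*Jun 29 10:01:03.456: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:75 WWW WinNT cmd.exe access [192.0.2.10:40112 -> 198.51.100.5:80] VRF:NONE RiskRating:75
*Jun 29 10:01:04.789: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:75 WWW WinNT cmd.exe access [192.0.2.10:40113 -> 198.51.100.5:80] VRF:NONE RiskRating:75
*Jun 29 10:02:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Fields assumed in the IOS IPS alert: signature id/subsig, severity, signature
# name, "src:port -> dst:port" in brackets, then optional VRF and RiskRating.
SIG_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))?(?: RiskRating:(?P<rr>\d+))?"
)


def parse_ips_events(text):
    """Return one dict per %IPS-4-SIGNATURE line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sig", "subsig", "sev", "sport", "dport"):
            ev[key] = int(ev[key])
        ev["rr"] = int(ev["rr"]) if ev["rr"] is not None else None
        events.append(ev)
    return events


def summarize(events, min_risk=50):
    """Count hits per (signature, source) and list sources whose risk reached min_risk.

    RiskRating is used when present; otherwise the signature severity stands in."""
    per_sig_src = Counter((ev["sig"], ev["src"]) for ev in events)
    risky = {ev["src"] for ev in events
             if (ev["rr"] if ev["rr"] is not None else ev["sev"]) >= min_risk}
    return per_sig_src, sorted(risky)


if __name__ == "__main__":
    evs = parse_ips_events(SAMPLE_SYSLOG)
    counts, risky_sources = summarize(evs)
    for (sig, src), n in counts.most_common():
        print(f"Sig:{sig} from {src}: {n} hit(s)")
    print("sources at or above the risk threshold:", risky_sources)
```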

Intrusion Prevention System Configuration

When configuring IOS IPS on a device, Cisco recommends following a five step process for implementation; these steps are reviewed in the following sections.

Downloading the IOS IPS Files

The first step is acquiring the IOS IPS files from Cisco; this requires a current Cisco IPS Service Contract for licensed signature update services. Two files must be downloaded:

  • IOS-Sxxx-CLI.pkg—Contains the signatures themselves with the x’s denoting a specific version
  • realm-cisco.pub-key.txt—Contains Cisco’s public crypto key

Creating the IOS IPS Configuration Directory

A directory must be created in the device flash for use by the IOS IPS feature. This directory holds the signature files and the configurations. The files contained within it include:

  • router-sigdef-default.xml—Contains all factory default signature definitions
  • router-sigdef-delta.xml—Contains signature definitions that have been changed from default
  • router-sigdef-typedef.xml—Contains all of the signature parameter definitions
  • router-sigdef-category.xml—Contains all of the signature category information
  • router-seap-delta.xml—Contains changes made to the default Signature Event Action Processor (SEAP) parameters
  • router-seap-typedef.xml—Contains all of the SEAP parameter definitions

The name of this directory does not have to be anything specific, but the name ‘ips’ is recommended. To create this directory from the CLI, enter the following command from the enable prompt on the device:

router#mkdir directory_name

Configuring the Cisco IOS IPS crypto key

To ensure that the contents of the signature file are authentic, Cisco has signed the master signature file with their private key. To ensure that this master file can be verified, Cisco’s public key must be input into the device configuration. The following steps should be followed to accomplish this:

  1. Open the realm-cisco.pub-key.txt file that was downloaded from Cisco in a text editor.
  2. Copy the contents of the file.
  3. On the IOS IPS device, enter into global configuration mode with the “configure terminal” command.
  4. On the IOS IPS device, paste the contents from the text file at the global configuration prompt (router(config)#).
  5. On the IOS IPS device, exit from global configuration mode with the “end” command.
  6. On the IOS IPS device, verify that the key is in the configuration by running the “show running-config” command; look for the contents of the text file.

If the contents mimic the contents from the text file, save the configuration using the “copy running-config startup-config” command.

Enable the IOS IPS Feature

There are a few steps required to enable the IOS IPS feature. None of them is particularly complex, but they do require knowing which IPS signature category is going to be used. The steps are listed below.

  1. Create an IPS rule name

router(config)#ip ips name rule_name

  2. Configure the IPS signature storage location

router(config)#ip ips config location flash: directory_name

  3. Configure the signature categories that are to be used

This step requires a few substeps. The first thing that must be done is to “retire” all of the signatures in the signature files. By default, all of the signatures would be loaded, which is not possible on an IOS IPS device; this is done with the following commands:

router(config)#ip ips signature-category

router(config-ips-category)#category all

router(config-ips-category-action)#retired true

router(config-ips-category-action)#exit

The second thing is that the signatures that will be used must be “unretired”; to do this the following commands are used:

router(config)#ip ips signature-category

router(config-ips-category)#category category

router(config-ips-category-action)#retired false

router(config-ips-category-action)#end

  4. Enable the IPS rule on the desired interface

router(config)#interface interface-id

router(config-if)#ip ips rule_name {in | out}
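As an added example that is not part of the original article, this Python check reads a running-config and verifies that all four steps above are present: a rule is defined, the config location is set, category all is retired, at least one category is unretired, and the rule is applied to an interface. The config fragments are constructed; the category is written as typed on the IOS CLI (ios_ips basic), and the rule name IOSIPS and path flash:ips are assumed values.

```python
# Constructed running-config fragments (not captured from a device). GOOD_CONFIG
# follows the four steps above; BAD_CONFIG never retires "category all" and never
# applies the rule to an interface. Rule name and flash path are assumed values.
GOOD_CONFIG = """\
ip ips name IOSIPS
ip ips config location flash:ips
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip ips IOSIPS in
!
"""
BAD_CONFIG = """\
ip ips name IOSIPS
ip ips config location flash:ips
ip ips signature-category
 category ios_ips basic
  retired false
!
interface GigabitEthernet0/0
!
"""


def audit_ios_ips(config):
    """Return a list of findings; an empty list means all four steps are present."""
    rule = location = block = cat = iface = None
    categories, applied = {}, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):  # top-level command starts a new block
            block, cat, words = line, None, line.split()
            if line.startswith("ip ips name "):
                rule = words[3]
            elif line.startswith("ip ips config location "):
                location = words[4]
            iface = words[1] if line.startswith("interface ") else None
            continue
        s = line.strip()  # indented sub-command of the current block
        if block == "ip ips signature-category":
            if s.startswith("category "):
                cat = s[len("category "):]
                categories.setdefault(cat, None)  # None = no retired state seen
            elif cat and s.startswith("retired "):
                categories[cat] = s.split()[1] == "true"
        elif iface and s.startswith("ip ips "):
            applied.append((iface, s.split()[2], s.split()[3]))
    findings = []
    if rule is None:
        findings.append("step 1: no 'ip ips name' rule defined")
    if location is None:
        findings.append("step 2: no 'ip ips config location' set")
    if categories.get("all") is not True:
        findings.append("step 3: 'category all' not retired; full signature load would fail")
    if not any(r is False for c, r in categories.items() if c != "all"):
        findings.append("step 3: no signature category unretired")
    if not any(r == rule for _, r, _ in applied):
        findings.append("step 4: rule not applied to any interface")
    return findings
```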

Loading the IOS IPS signatures packages onto the IOS IPS device

IPS signatures can be loaded onto a device using TFTP or FTP. The process is simple: a single copy command copies the signature file from its location (a TFTP or FTP server) to idconf. For example:

router#copy ftp://cisco:cisco@inside.server.com/<signature_file> idconf

This command will initiate the transfer; once this transfer is complete the device will automatically load and compile the signatures. To verify that the signatures have been loaded and compiled correctly, use the following command:

router#show ip ips signature count

Summary

There are certainly a number of different ways and locations where an IPS can be deployed. As well as being supported within IOS, there are also a number of different IPS appliances which can be deployed. The focus of this article was to give a high level overview of what an IPS can provide to an organization as well as a short tutorial of how to implement the IOS IPS feature. Hopefully, the contents of this article have made the possibilities that exist when deploying the IOS IPS feature easier to understand and will prompt the use of this technology on more organizational networks.
