With the modern world, there are a number of different security threats that organizations need to deal with. There are a number of different solutions that can be deployed in order to deal with these different threats including firewalls, host and network based Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), as well as spam, virus and worm prevention systems. This article looks at the current IOS device based network intrusion prevention system (NIPS).
Intrusion Prevention System Concepts
The way that intrusion prevention systems work is by scanning network traffic as it goes across the network; unlike an intrusion detection system, which is intended to just react, an intrusion prevention system is intended to prevent malicious events from occurring by preventing attacks as they are happening. There are a number of different attack types that can be prevented using an IPS including (among others):
- Denial of Service
- Distributed Denial of Service
- Exploits (Various types)
- Worms
- Viruses
It is also important to understand, that like an IDS, IPSs are limited to the signatures that they are configured to look for. As of this writing, the IOS IPS system has protection for over 3700 different signatures. These signatures are updated by Cisco constantly, but if they are not updated onto the configured equipment they do little to help against new threats. The IOS IPS feature was also designed to work with other IOS-based features including IOS Firewall, control-plane policing and other IOS security protection features.
Packet Flow
A very important piece of the security configuration of an IOS device is being able to understand which feature is allowed to process traffic and in what order. Figure 1 shows the general order that is used to process packets as they come into a device.
IPS Signature Versions
There can also be some confusion when reading through Cisco documentation. Within the last couple of IOS releases, there has been a transition from the Intrusion Prevention System Version 4.x Signature Format to Version 5.x Signature Format. With this transition, there was a big change from the use of .SDF files to .pkg files; this can be further complicated when looking through the different documentation available on the Cisco website, as some refers to the version 4.x Signature Format and other documentation refers to the Version 5.x Signature format. This article reviews the use of the newer .pkg files and signature format.
IPS Signature Categories
IOS IPS relies on a number of different signature micro-engines (SMEs); each of these engines is used to process different categories of signatures. These different categories are important to be familiar with because IOS IPS cannot load all of the available signatures at the same time; the way that IOS IPS has to be configured is by loading only the required categories of signatures that are specific to the configured IOS IPS device and its purpose.
Two of these categories are intended for use, especially with IOS IPS devices; these include the ios_basic category and the ios_advanced categories. A third category, specific to IOS IPS, was introduced in IOS 15.0(1)M called ‘IOS IPS Default’ and currently has the same signatures as the ios_advanced category.
Signature Actions
When a signature is downloaded from Cisco, it is automatically assigned a specific action that will occur should the event be detected. There are a total of five available actions that are possible:
- produce-alertSends an alarm when a signature is detected
- deny-packet-inlineDrops the packet which contained the signature that was detected, but does not reset the connection
- reset-tcp-connectionSends a TCP reset to both the attacker and the destination host
- deny-attacker-inlineDenies traffic from the IP address of the offending traffic with a dynamic access list
- deny-connection-inlineDenies traffic from the offending traffic session with a dynamic access list
Any of these five actions can be combined and customized to individual signatures on the IOS IPS device. In the past, these actions could be customized with Security Device Manager (SDM), however, with IOS version 12.4(11)T and later, the use of SDM has been depreciated and the use of Cisco Configuration Professional (CCP)(Single device), Cisco Security Manager (CSM)(Up to 5 devices) or direct IOS CLI tuning is now required.
IOS IPS Logging, Monitoring and Alarming
When a signature is detected on an IOS IPS device, there are two methods that can be used for logging, monitoring and alarming:
- syslog messages (enable by default)
- Using the Secure Device Event Exchange (SDEE) format
Both the CCP and CME can be used to collect these events on smaller implementations; with larger deployments, the use of the Cisco Security Monitoring, Analysis, and Response System is required (MARS).
Intrusion Prevention System Configuration
When configuring IOS IPS on a device, Cisco recommends following a five step process for implementation; these steps are reviewed in the following sections.
Downloading the IOS IPS Files
The main first step is acquiring the IOS IPS files from Cisco; this requires a current Cisco IPS Service Contract for license signature update services. There are two files that are required to be downloaded:
- IOS-Sxxx-CLI.pkgContains the signatures themselves with the x’s denoting a specific version
- realm-cisco.pub-key.txtContains Cisco public crypto key
Creating the IOS IPS Configuration Directory
A specific directory is required to be created in the device flash for use by the IOS IPS feature. This directory includes the signature files and the configurations. The files that are contained within include:
- router-sigdef-default.xmlContains all factory default signature definitions
- router-sigdef-delta.xmlContains signature definitions that have been changed from default
- router-sigdef-typedef.xmlContains all of the signature parameter definitions
- router-sigdef-category.xmlContains all of the signature category information
- router-seap-delta.xmlContains changes made by the default Signature Event Action Processor (SEAP) parameters
- router-seap-typedef.xmlContains all of the SEAP parameter definitions
The name of this directory does not have to be anything specific, but the name ‘ips’ is recommended. In order to create this directory from the CLI, enter the following command syntax from the enable device prompt:
router#mkdir directory_name
Configuring the Cisco IOS IPS crypto key
To ensure that the contents of the signature file are authentic, Cisco has signed the master signature file with their private key. To ensure that this master file can be verified, Cisco’s public key must be input into the device configuration. The following steps should be followed to accomplish this:
- Open the realm-cisco.pub-key.txt file that was downloaded from Cisco and open it in a text editor.
- Copy the contents of the file.
- On the IOS IPS device, enter into global configuration mode with the “configure terminal” command.
- On the IOS IPS device, paste the contents from the text file at the global configuration prompt (router(config)#).
- On the IOS IPS device, exit from global configuration mode with the “end” command.
- On the IOS IPS device, verify the input of the key into the configuration by running the “show running-configuration” command; look for the contents from the text file.
If the contents mimic the contents from the text file, save the configuration using the “copy running-config startup-config” command.
Enable the IOS IPS Feature
There are a couple of steps that are required to enable the IOS IPS feature. None of these steps are particularly complex, but they do require a knowledge of which IPS signature category that is going to be used, as shown in the table below.
1 |
Create an IPS rule name |
router(config)#ip ips name rule_name |
2 |
Configure the IPS signature storage location |
router(config)#ip ips config location flash: directory_name |
3 |
Configure the signature categories that are to be used |
This step requires a few substeps: The first thing that must be done is to “retire” all of the signatures in the signature files. This is because, by default, all of the signatures will be loaded which is not possible on an IOS IPS device; this is done with the following commands: router(config)#ip ips signature-category router(config-ips-category)#category all router(config-ips-category-action)#retired true router(config-ips-category-action)#exit The second thing is that the signatures that will be used must be “unretired”; to do this the following commands are used: router(config)#ip ips signature-category router(config-ips-category)#category category router(config-ips-category-action)#retied false router(config-ips-category-action)#end |
4 |
Enable the IPS rule onto the desired interface |
router(config)#interface interface-id router(config-if)#ip ips rule_name {in | out} |
Loading the IOS IPS signatures packages onto the IOS IPS device
It is possible to load IPS signatures onto a device using TFTP or FTP. This process is rather simple as it requires only a simple copy command from the signature location (TFTP or FTP) to idconf. For example:
router#copy ftp://cisco:cisco@inside.server.com/<signature_file> idconf
This command will initiate the transfer; once this transfer is complete the device will automatically load and compile the signatures. To verify that the signatures have been loaded and compiled correctly, use the following command:
router#show ip ips signature count
Summary
There are certainly a number of different ways and locations where an IPS can be deployed. As well as being supported within IOS, there are also a number of different IPS appliances which can be deployed. The focus of this article was to give a high level overview of what an IPS can provide to an organization as well as a short tutorial of how to implement the IOS IPS feature. Hopefully, the contents of this article have made the possibilities that exist when deploying the IOS IPS feature easier to understand and will prompt the use of this technology on more organizational networks.