a specific service.
- Port scan: An attacker scans all ports or all well-known ports in an attempt to find services running.
- TCP SYN flooding: An attacker tries to compromise the availability of a server to serve legitimate sessions. The aim is to make the server run out of resources.

These are examples of exploit signatures in the application layer:
- When hackers attempt to penetrate a particular network, they often need to learn as much information as possible about the network before launching attacks. An example of how an attacker learns information is a Domain Name System (DNS) query, which reveals information such as who owns a particular domain and what addresses have been assigned to that domain.
- Malicious code that operates at the application layer, including worms, viruses, Trojan horses, adware, and malware.

Figure presents the signature ID, name, and description of common signatures.
6.5 Configuring Cisco IOS IPS

6.5.1 Cisco IOS IPS Signature Definition Files (SDF)

The Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When the IPS detects suspicious activity, it responds before network security can be compromised, and then logs the event through syslog or the Security Device Event Exchange (SDEE) protocol. SDEE is an application-level communication protocol that is used to exchange IPS messages between IPS clients and IPS servers. SDEE provides a secure communication path using Secure Socket Layer (SSL) (Secure HTTP [HTTPS]). SDEE replaced the Post Office Protocol (POP) on Cisco IOS routers.

Cisco IOS IPS offers configuration flexibility by providing these two functions:
- The administrator can load the built-in signature database (available in the Cisco IOS image itself), load a specific signature database file (SDF), or even merge different databases to extend the protection scope.
- Individual signatures can be disabled or tuned in case of false positives.
Figure summarizes these points.
Downloading Signatures from Cisco.com

Cisco SDFs are updated and posted to Cisco.com on a regular basis, so customers can download signatures that help protect networks from the latest known network attacks. Figure shows examples of downloadable signature definition files. Multiple definition sources are available, such as the default built-in signatures that are shipped with the routers, or the SDF files named 64MB.sdf, 128MB.sdf, and 256MB.sdf. The files differ in the number of configured signatures. The administrator should select the appropriate SDF file based on the amount of RAM in the router.
6.5.2 Cisco IOS IPS Alarms

When a signature is matched, the IPS responds in real time, before network security can be compromised, and then logs the event through Cisco IOS syslog messages or SDEE. You can configure IPS to choose the appropriate response to various threats. Figure describes the configurable actions that the Cisco IOS IPS Alarms feature provides. When packets in a session match a signature, IPS can take any of these actions, as appropriate:
- Send an alarm to a syslog server or a centralized management interface. This action is typically combined with other preventive actions.
- Drop the packet. This action is effective for all IP protocols and does not affect any legitimate user if the source IP address was spoofed.
- Reset the connection. This action works only for TCP sessions.

Note
The sensor sends a TCP reset (RST) to both communication endpoints and spoofs the source IP address in those TCP RST packets. For example, if Endpoint A and Endpoint B were communicating via TCP, the sensor sends an RST to Endpoint A pretending to be Endpoint B, and to Endpoint B pretending to be Endpoint A.

- Block traffic from the source IP address of the attacker for a specified amount of time. This action imposes a penalty on the attacker IP address.
- Block traffic on the connection on which the signature was seen for a specified amount of time. This action imposes a penalty on the attacker session.
Cisco IOS IPS Alarm Considerations

You can configure a combination of actions when a signature is triggered. Typically, you combine an alert with some preventive action, such as packet drop. Figure describes the considerations when configuring the Cisco IOS IPS Alarm feature, one of the considerations when implementing signatures. Cisco IOS IPS can report IPS intrusion alerts using either syslog or SDEE. SDEE is more secure, and therefore recommended, because it uses HTTPS to exchange data. Cisco IOS routers use SDEE to report IPS events to the SDM.

Note
Although SDM provides secure communications, SDM monitoring capabilities are limited: SDM is not a real-time monitoring tool and does not offer advanced filtering and correlation features. For a fully functional monitoring solution, deploy other Cisco tools, such as Cisco Security Monitoring, Analysis, and Response System (CS-MARS) or CiscoWorks Monitoring Center for Security, which is a component of the VPN/Security Management Solution.

When implementing a Cisco IOS-based IPS, you should consider the following:
- With IP address blocking, you may block a legitimate user whose address was spoofed by an attacker. This method is recommended in environments where IP spoofing is unlikely.
- With connection blocking, a connectivity disruption caused by address spoofing is less likely, because establishing a bidirectional session from a spoofed IP address is difficult: the return traffic typically never reaches the attacker. The disadvantage of connection blocking is that the hacker can use other protocols or ports to attack the target.
6.5.3 Configuring Cisco IOS IPS

Cisco IOS IPS Configuration Steps

To set up Cisco IOS IPS, you need to configure basic IPS settings and, optionally, use the enhanced settings. Figure describes the steps you use to configure the Cisco IOS IPS feature. There are four basic configuration steps:
- Specify the SDF to load the signatures from.
- Configure a failure parameter that defines whether to block or forward traffic if signature microengines (SMEs) are not operational.
- Create an IPS rule and, optionally, combine the rule with an access control list (ACL) for traffic filtering purposes.
- Apply the IPS rule to an interface.

These are the enhanced configuration steps:
- Merge two or more SDFs to increase the signature coverage.
- Delete, disable, or filter individual signatures.
- Reapply the IPS rule to an interface for the changes to take effect.
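The four basic steps and the enhanced steps above, together with the SDEE-versus-syslog reporting choice from the alarm considerations, as one added Cisco IOS configuration example (this is not the figure's configuration from the course; the interface name, the SDF file in flash, the merged SDF name, and the signature ID being disabled are assumed values, while SECURIPS and ACL 100 follow the text):

```cisco
! Added example, not from the course figure. Assumptions: FastEthernet0/0
! faces the untrusted network, flash:128MB.sdf was downloaded from Cisco.com
! and copied to the router, and signature 2004 (sub-signature 0) is the one
! generating false positives in this network.
!
! Step 1: SDF to load signatures from. "ip ips sdf builtin" is the default
! and need not be typed; a downloaded SDF is chosen to match router RAM.
ip ips sdf location flash:128MB.sdf
!
! Step 2: failure parameter. fail closed drops traffic when an SME is not
! operational; "no ip ips fail closed" would forward it unscanned instead.
ip ips fail closed
!
! Step 3: IPS rule, tied to an ACL that selects which traffic is scanned.
access-list 100 permit ip any any
ip ips name SECURIPS list 100
!
! Alarm reporting. SDEE runs over the router's HTTPS server and is the
! recommended path; syslog notification is kept as well.
ip http secure-server
ip ips notify sdee
ip ips notify log
!
! Enhanced step: disable one signature (ID assumed) that causes false
! positives. Merging a second SDF is done from privileged EXEC, for example
!   copy flash:attack-drop.sdf ips-sdf
! after which the rule must be removed and re-applied on the interface.
ip ips signature 2004 0 disable
!
! Step 4: apply the rule inbound on the untrusted interface.
interface FastEthernet0/0
 ip ips SECURIPS in
!
! Verification after the changes (privileged EXEC):
!   show ip ips configuration
!   show ip ips signatures
!   show ip ips statistics
```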
When you have finished these steps, verify the IPS configuration and operation.

Basic IOS IPS Configuration
Figure shows an example of a simple Cisco IOS IPS configuration. The command ip ips sdf builtin does not appear in this IPS configuration example because it is the default: the configuration uses the built-in SDF. This file contains 100 signatures, and with sub-signatures, the total number of signatures is 132. The keyword builtin is the default option of the ip ips sdf command.

The command ip ips fail closed instructs the router to drop all traffic if any of the SMEs that should scan the data are not available. This command has no other parameters. If the SMEs are unavailable and you want to forward the packets without scanning, use the no ip ips fail closed command.

The command ip ips name SECURIPS is used to create an IPS rule. The IPS rule can be combined with an ACL. In this example, SECURIPS is combined with ACL 100. This optional standard or extended ACL filters