the traffic that will be scanned. If the packet is
permitted by the ACL, it is inspected against the signatures and
any matches are reported; if the packet is denied by the ACL, it
bypasses the scanning engine and goes directly to its intended
destination. Note that the ACL semantics are therefore the reverse
of packet filtering: a deny entry exempts traffic from inspection
rather than dropping it. At the end of the script, the IPS rule is applied
to a router interface (ip ips SECURIPS in). IPS rules
can be applied to an interface in either the inbound or
outbound direction. In this example, the rule is applied
inbound to the interface, as specified by the parameter
in. Typically, we recommend that you apply the rules in
the inbound direction.

Enhanced Cisco IOS IPS Configuration
The enhanced configuration example in
the figure is a continuation of the basic Cisco IOS IPS
configuration. In this enhanced Cisco IOS IPS configuration
example, the first command, copy flash:attack-drop.sdf
ips-sdf, merges the attack-drop.sdf file in flash with the
built-in SDF that has been loaded as a result of the basic
configuration. The copy ips-sdf flash:my-signatures.sdf
command copies the resulting merged SDF to flash so that the
signature database remains usable after a router reload. The
ip ips sdf location flash:my-signatures.sdf
configuration command specifies a new SDF location pointing to
the merged SDF file in flash. The ip ips signature 1107
0 disable command deactivates the signature with ID 1107
and sub-signature ID 0. The ip ips signature 5037 0
delete command marks the signature with ID 5037 and
sub-signature ID 0 for deletion. The signature is removed
when the signatures are reloaded or saved. The ip ips
signature 6190 0 list 101 command filters the traffic prior
to scanning by the signature with ID 6190 and sub-signature ID
0. If the packet is permitted by ACL 101, it is scanned by that
signature; if the packet is denied by the ACL, the signature is
treated as disabled for that packet. Finally, the IPS rule needs to be reapplied to
the interface for the changes in the SDF to take effect. You can
reapply the rule by unbinding the IPS rule from the interface
and assigning the rule to the interface again (using the no
ip ips SECURIPS in and ip ips SECURIPS in commands
in interface configuration mode).

Verifying IOS IPS Configuration
You can verify the Cisco IOS IPS
configuration and parameters by using the show ip ips
configuration EXEC command. A sample of the resulting
output is shown in the figure. The merged SDF (my-signatures.sdf)
is configured as the SDF location. The output reports that
built-in signatures have not been loaded. This report is
correct: in this example the built-in signatures are included
in the merged signature file and are effectively loaded from the
flash location rather than from the Cisco IOS image. Fail-closed mode is enabled. The total number
of signatures (183) results from merging the built-in
signatures (132) with the signatures from attack-drop.sdf (51).
Signature 1107:0 is disabled, signature 6190:0 is filtered,
and signature 5037:0 has been deleted and does not appear
in this output. The rule SECURIPS references ACL 100 and is
applied to Serial0/0 in the inbound direction.
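The figures holding the basic and enhanced configuration scripts are not reproduced on this page. The following consolidated command sequence is an added example, not the page's own figure or Cisco's sample, reconstructed from the commands the two configuration sections describe, with the verification commands from this section appended. The prompts, the contents of ACLs 100 and 101, and the ip ips sdf builtin line are assumptions; the rule name SECURIPS, ACL 100, interface Serial0/0, the SDF file names and the signature IDs are those the page's verification output reports.

```cisco
! Added example (not the page's figure): consolidated basic + enhanced
! Cisco IOS IPS configuration from this section, followed by the commands
! used to verify it. Assumed: the "Router" prompts, the contents of
! ACLs 100 and 101, and the "ip ips sdf builtin" line.

! --- Basic configuration (global configuration mode) ---
! ACL 100 selects the traffic handed to IPS. Semantics are the reverse of
! filtering: permitted packets are inspected, denied packets bypass IPS.
! ACL contents are an assumption; the page does not show them.
Router(config)# access-list 100 permit ip any any
! Assumption: fall back to the built-in signatures if no SDF loads
Router(config)# ip ips sdf builtin
! Drop traffic if the signature engines fail to load
Router(config)# ip ips fail closed
! Create the IPS rule bound to ACL 100 and apply it inbound
Router(config)# ip ips name SECURIPS list 100
Router(config)# interface Serial0/0
Router(config-if)# ip ips SECURIPS in
Router(config-if)# end

! --- Enhanced configuration ---
! Merge attack-drop.sdf (in flash) into the loaded signature set, then
! save the merged set so it survives a reload (privileged EXEC)
Router# copy flash:attack-drop.sdf ips-sdf
Router# copy ips-sdf flash:my-signatures.sdf
Router# configure terminal
! Point the SDF location at the merged file
Router(config)# ip ips sdf location flash:my-signatures.sdf
! Tune individual signatures: disable 1107:0, delete 5037:0, and have
! 6190:0 inspect only traffic permitted by ACL 101
Router(config)# ip ips signature 1107 0 disable
Router(config)# ip ips signature 5037 0 delete
! ACL 101 contents are an assumption
Router(config)# access-list 101 permit tcp any any eq www
Router(config)# ip ips signature 6190 0 list 101
! Re-apply the rule so the interface picks up the new SDF
Router(config)# interface Serial0/0
Router(config-if)# no ip ips SECURIPS in
Router(config-if)# ip ips SECURIPS in
Router(config-if)# end

! --- Verification (privileged EXEC) ---
! Expect: SDF location flash:my-signatures.sdf, fail closed enabled,
! 183 signatures (132 built-in + 51 from attack-drop.sdf), 1107:0
! disabled, 6190:0 filtered by ACL 101, 5037:0 absent, and SECURIPS
! with ACL 100 applied inbound on Serial0/0
Router# show ip ips configuration
! Per-signature status, including disabled entries
Router# show ip ips signatures
```

The deny-means-bypass behaviour of ACL 100 is the detail to check first when traffic that should be inspected is not: a deny entry added with packet-filtering intent silently exempts that traffic from IPS, and the unbind/rebind at the end is required because the interface keeps using the old signature set until the rule is reapplied.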
6.5 Configuring Cisco IOS IPS

6.5.4 Cisco IOS IPS SDM Tasks

The SDM provides a
wide range of configuration capabilities for Cisco IOS IPS. You
can configure all options through the IPS Edit menu. The figure
summarizes the tasks you use to configure Cisco IOS IPS using
Cisco SDM. Additionally, SDM offers the IPS Policies wizard to
expedite deploying the default IPS settings. The wizard
provides configuration steps for interface and traffic flow
selection, SDF location, and signature deployment. The wizard
also verifies the available router resources before the
commands are sent to the router. The IPS Policies wizard
configures IPS using default signature descriptions, as defined
in the SDF files that Cisco provides, or the built-in
signatures included in the Cisco IOS. If you want to customize
the signatures after the wizard deploys the default settings,
you can use the IPS Edit menu that is available in SDM. Using
the Edit menu, you can modify any signature parameter, as well
as disable and delete the signatures.
6.5.5 Selecting Interfaces and Configuring SDF Locations

The figure shows the steps to access the Cisco SDM
features that you use to configure Cisco IOS IPS features. To
access the IPS configuration options that are available in the
SDM, follow this procedure:

Step 1 Click the Configure icon in the top navigation bar to enter the configuration page.

Step 2 Click the Intrusion Prevention icon in the left vertical navigation bar.

Step 3 To activate IPS functionality using default signature descriptions, click the Create IPS tab and click the Launch IPS Rule Wizard button.

Step 4 To configure all IPS features, including the signature customization options, select the Edit IPS tab.

IPS Policies Wizard Overview
The figure shows the Welcome to
the IPS Policies Wizard form. Clicking Next brings you
to the wizard page that provides an overview of the functions that will
be configured on the router.

Identifying Interfaces and Flow Direction
The figure shows the IPS Policies Wizard form
that you use to select interfaces. The wizard requires that you
provide details about the interfaces and flow directions.
After clicking the Launch IPS Rule Wizard button, a
window opens, describing the tasks that the IPS Policies wizard
guides you through: selecting the interfaces to apply the
IPS rules to, selecting the traffic flow direction to be inspected by
the IPS rules, and specifying the SDF location. Click Next
to proceed to the interface selection. After you have clicked
Next on the wizard Welcome page, you must specify where
the IPS microengines should scan the traffic. The wizard
creates an IPS rule that is applied to an interface. Provide
the interface name and the direction in which to assign the IPS rule.
In typical environments, you apply the rules in the
inbound direction on interfaces where incoming malicious
traffic is likely. When you have selected the interfaces that
you want to use, click Next. The SDF Locations form
appears.

Selecting SDF Location
The figure shows the IPS
Policies Wizard form that you use to select the SDF locations.
The wizard needs to load the signature database. In this form,
you must specify which SDF should be used to load the
signatures and the location of the SDF. If the Use Built-in
Signatures (as backup) check box in the SDF Locations form
is checked, the Cisco IOS built-in signature set is used
if the signatures cannot be loaded from the specified location
or if no SDF location has been configured. Click the
Add button to provide the information about the SDF
location in the Add a Signature Location dialog box that
appears, as shown in the figure. In this form, you can specify the
SDF location in flash memory or on a network server.
Note
Cisco publishes multiple types of SDFs. If you
use the Cisco installation program to install SDM, the
most appropriate SDF file is automatically copied
to flash memory based on the amount of installed RAM.

After you specify the SDF location, click OK. Next, you
see a screen, shown in the figure, listing the currently
configured SDF locations. You can configure more than one SDF
location by clicking the Add button. If you configure
more than one SDF location, the Cisco IOS software tries
the locations in order, starting from the top of the list: if it
fails to load the SDF from the first location, it tries the
subsequent locations one by one until it successfully loads an
SDF file. Click Next to proceed to the next task, in
which you view and deploy the IPS configuration.
6.5.6 Viewing the IPS Policy Summary and Delivering the Configuration to the Router

After clicking Next