Built-in Security with Cisco Intrusion Prevention

Thursday Sep 18th 2008 by Charlie Schluting

With the intrusion prevention features found in the latest IOS releases, Cisco makes good on the "self-defending" part of its security strategy.

Charlie SchlutingAnother new feature available in IOS (12.3) is Cisco’s Intrusion Prevention System. An IDS has been part of IOS for a long time, but the company recently took it a step further. As part of its Self-Defending Network campaign, Cisco realized that an IPS should be integrated into the network fabric. We’ll explain what this means, and show you how to implement it.

Actively preventing an attack makes Cisco’s new feature an IPS. A standard IDS solution can detect and alert, but blocking attacks is not normally part of its feature set. Thus, if you want to prevent attacks rather than just receive alerts, you need an IPS. Cisco’s IPS works like any other: you get a signature file, called the Signature Definition File (SDF) by Cisco, and if the IPS finds that a packet matches a signature, it’s blocked.

There are appliances, Catalyst switch modules, and router modules, but IPS is also built-in to certain IOS images now. Since Cisco claims IPS features won’t impact router performance (since the latest release), it may be possible to skip the purchase of a dedicated module for IPS.

The catch, of course, is that an IPS is not robust without constant signature updates. Attacks are constantly evolving, and without an update you aren’t protected against the latest and greatest attacks. Something completely new could sneak in, but the idea is that after the first few attacks Cisco will update the SDF and you’ll be notified that it’s time to download a new version. That’s right, you have to manually download and install a new signature file. This requires a subscription service above and beyond what you pay for SMARTnet. Services for IPS, as it’s called, provides SDF updates and the other features (support, warranty) that SMARTnet does as well. Accordingly, your SMARTnet contract is discounted when you purchase a Cisco Services for IPS contract, according to Cisco’s Q&A documentation.

Configuring IPS for Sensor Modules

There are many different cases for configuring IPS depending on your device. First, we’ll show you how to enable it on any IPS sensor module that uses the IPS 5.1 or later, then we’ll show you how to take advantage of the IOS built-in default IPS features.

The IDS Device Manager (IDM) is a graphical interface for configuring all IDS (and IPS) functionality. If you prefer that, then refer to the Cisco documentation after reading about how it’s done via the CLI here.

The general idea we’re working with here is called the VLAN pair method. This means that we’ll configure two VLANs in a pair group, and all traffic received by a sensor will be inspected and either forwarded on to the other VLAN, or dropped. Up to 255 VLAN pairs can be configured on most sensors.

First we enter configuration mode, then the service interface, and finally select the physical interface that we wish to configure:

sensor#configure terminal
sensor(config)#service interface
sensor(config-int)#physical-interfaces GigabitEthernet0/1

Next, we must configure the VLAN pair (and give it a meaningful description):

sensor(config-int-phy)#subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)#subinterface 1
sensor(config-int-phy-inl-sub)#vlan1 10
sensor(config-int-phy-inl-sub)#vlan2 11
`sensor(config-int-phy-inl-sub)#description vlans 10 and 11

Conceptually, the interface will now be added to a virtual sensor, and once it’s enabled it will monitor traffic. We now need to enable a virtual sensor:

sensor(config)#service analysis-engine
sensor(config-ana)#virtual-sensor vs0

Once that’s completed, we simply add the previously-defined subinterface to the sensor, and we’re done:

sensor(config-ana-vir)#physical-interface GigabitEthernet0/2 subinterface-number 1

Configuring IPS for IOS

You can enable IPS features in IOS using the default SDF. Signatures may be added manually to the SDF, or you can pay Cisco for the latest signatures.

First we need to enable what’s called Security Device Event Exchange notifications:

router(config)#ip ips notify sdee

Then we must configure an IPS rule name that will be used for associating with interfaces.

router(config)# ip ips name MYIPSRULES

The next step is to specify where the SDF file will come from. The following command specifies that the file 256MB.sdf can be found in flash memory. You can also specify tftp or any other protocol your Cisco knows how to handle, but it’s best to use flash memory to ensure no dependencies on other servers.

router(config)# ip ips sdf location flash:256MB.sdf

Finally, we simply enable IPS on the interface (in both directions). It is also a good idea to enable IP reassembly on the interface, so that the IPS rule can evaluate entire IP packets at once.

router(config)#interface fastEthernet 0
router(config-if)#ip ips MYIPSRULES in
router(config-if)#ip ips MYIPSRULES out
router( config-if)#ip virtual-reassembly

Now you have a working IPS, based on the file in your flash called 256MB.sdf. That file must be downloaded from Cisco using your CCO login linked to a valid support contract.

The Power of Community

If you don’t feel like paying Cisco for signature updates, you can update the SDF yourself. When a new attack surfaces, you’ll often find Cisco IPS XML signatures posted to various online forums. You can and should use them.

To view your current SDF version, you can run: sh ip ips signatures

To merge the IPS SDF configuration with new information, you can copy in an XML file. Just like copying in any configuration snippet, the updates will be merged, not replaced. Say we got sigs.xml from a helpful network operator. To enable these signatures, we simply run:

router#copy tftp://serer.fqdn/sigs.xml ips-sdf

That’s it! You’ll see that 256MB.sdf on the flash memory is now a bit larger. It’s a good idea (and is recommended by Cisco) to rename 256MB.sdf to avoid confusion, now that you are no longer running a Cisco-sanctioned version.

Enabling IPS on supported routers is quite easy, but can lead to some interesting troubleshooting sessions. Be sure you have a syslog server that your routers all log to: It will save hours of work. Also, search around; you may find a source for XML updates that you wish to trust, and then it’s pretty easy to automate daily merges into your local SDF.

Charlie Schluting is the author of Network Ninja, a must-read for every network engineer.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved