Cisco IOS IPS

IPS Basic Concepts and Components

Intrusion Detection System (IDS) uses sensors to monitor, analyze and detect the malicious activities, and generate alerts or syslog to notice administrator to take action to prevent further attack. While Intrusion Prevention system (IPS), is designed to detect, classify and take real-time actions to prevent further malicious activities automatically without any human interruption.

Signatures: they are specific rules defined in IPS which are used to match specific traffic pattern that might result in malicious activities. A signature-based network IPS analyze the network traffic based on local Signature database, which should be updated on regular basis to stay current.

Signature engine: A signature engine is a component of the sensors’ analysis engine. Each
signature within a Cisco IPS component is created and controlled by a signature engine that is designed for a particular type of traffic. An example would be the STRING.TCP engine, which is designed to analyze TCP connections and look for particular string patterns. Each engine is made up of a parser and an inspector.
image

In Cisco IOS Software Release 12.4(11)T and later T-Train releases, IOS IPS signature provisioning is accomplished by selecting one of two signature categories: Basic or Advanced. Starting with IOS Release 15.0(1)M, a new category called “IOS IPS Default” will be also supported and released within IPS signature packages. At that time, the IOS Advanced category will be changed to contain exactly the same signatures as in the IOS Default category, allowing both category names to be used interchangeably for backward compatibility. Users can also add or remove individual signatures and/or can tune signature parameters through Cisco Configuration Professional (CCP) or Cisco Security Manager (CSM) management or through the command-line interface (CLI), which allows easy scripting to manage signature configuration for a large number of routers.

Sensor Accuracy: there are 4 Classifications into which the decisions made by IPS sensor and IDS sensor can fall:

  • True positives: The IPS or IDS sensor triggered because of legitimate malicious activity. This is normal, desired operation
  • False positives: The IPS or IDS sensor triggered because of nonmalicious activity. This is usually because of errors caused by signatures that are configured to be too relaxed or broad in scope. In other words, the sensor mistook normal traffic patterns to be malicious.
  • True negatives: The IPS or IDS sensor failed to trigger when there was no malicious activity. This is normal, desired operation.
  • False negatives: The IPS or IDS sensor failed to trigger when there was malicious activity. This is usually because of errors caused by signatures that are configured to be too specific.

Cisco IOS IPS Sensor Platform: Cisco IOS IPS Sensor can be running on software-based which use ISR’s main CPU for procession, or hardware-based which take advantage of the specific-purpose hardware (AIM-IPS or NME-IPS) processors installed on ISR.

Deploy IPS on Cisco IOS Software devices.

Configure a Cisco IOS Software IPS Signature policy: which means enabling a particular set of signatures on a specific router interface or interfaces.

  • import the RSA public key that the router uses to verify the authenticity and integrity of all signature packages and signature updates to the router.
    Router# configure terminal
    Router(config)# crypto key pubkey-chain rsa
    Router(config-pubkey-chain)# named-key realm-cisco.pub signature
    Translating “realm-cisco.pub”
    Router(config-pubkey-key)# key-string         //then paste the text from the realm-cisco.pub.key.txt file which is found at Cisco.com.
  • Create IPS rulesets and apply them to specific router interfaces. A default location for the IPS sensor configuration files in the router’s local file system must be specified. Create the new directory on the router’s local file system with the mkdir command. Then, enter configuration mode and specify the location of the new folder with the ip ips config location command.
    Router# configure terminal
    Router(config)# ip ips config location flash:/ipsroot
    Router(config)# ip ips name MY-IPS
    Router(config)# interface GigabitEthernet0/0
    Router(config-if)# ip ips MY-IPS in
    Router(config-if)# ip ips MY-IPS out
    Router(config-pubkey)# end
  • download basic signature packet from cisco.com, and choose the initial signature set by specifying the signature categories that will be enabled by default.
    Go to the download section of Cisco.com and navigate to Products > Security > Integrated Router/Switch Security > Integrated Threat Control > Cisco IOS Intrusion Prevention System Feature Software > IOS IPS Signature Data File. Download the latest package, which should have a filename in the format IOS-Sxxx-CLI.pkg. Use the copy command to transfer the file to the router’s idconf alias. This causes the router to download and unpack the contents of the file (XML files) into the folder that was specified in Task 2 of this section. The router compiles the files into the required internal format and displays any errors that occur.
    Retire and Disable all signatures
    Router(config)# ip ips signature-category
    Router(config-ips-category)# category all
    Router(config-ips-category-action)# enabled false
    Router(config-ips-category-action)# retired true
    Router(config-ips-category-action)# exit
    Enable desired IPS Signature Categories and assign a prevention action
    Router(config-ips-category)# category os ios
    Router(config-ips-category-action)# retired false
    Router(config-ips-category-action)# enable ture
    Router(config-ips-category-action)# event-action produce-alert deny-packet-inline
    Router(config-ipss-category-action)# exit

Tune Cisco IOS Software IPS Signature policies to balance between and manage false positives and false negatives.

Deploy the Cisco IOS Software IPS Signature update feature, which configures the router to independently load new signatures as they become available.

Select a monitoring tool and use it to monitor intrusion events generated by the Cisco IOS Software IPS sensor.