Cisco IOS Threat Defense Features,Configuring Cisco IOS IPS,Configuring Cisco IOS IPS,Cisco IOS IPS Configuration Steps,Configure basic IPS settings:Specify SDF locationConfigure failure parameterCreate an IPS rule and, optionally, combine it with a filterApply the IPS rule to interfaceConfigure enhanced IPS settings:Merge SDFsDisable, delete, and filter selected signaturesReapply the IPS rule to the interfaceVerify the IPS configuration.,Configure Basic IPS Settings,Router# show running-config | begin ips ! Drop all packets until IPS is ready for scanning ip ips fail closed! IPS rule definitionip ips name SECURIPS list 100!.interface Serial0/0ip address 172.31.235.21 255.255.255.0! Apply the IPS rule to interface in inbound directionip ips SECURIPS in.,Configure Enhanced IPS Settings,! Merge built-in SDF with attack-drop.sdf, and copy to flashRouter# copy flash:attack-drop.sdf ips-sdfRouter# copy ips-sdf flash:my-signatures.sdfRouter# show runnning-config | begin ips! Specify the IPS SDF locationip ips sdf location flash:my-signatures.sdf ip ips fail-closed! Disable sig 1107, delete sig 5037, filter sig 6190 with ACL 101ip ips signature 1107 0 disableip ips signature 5037 0 deleteip ips signature 6190 0 list 101ip ips name SECURIPS list 100.interface Serial0/0ip address 172.31.235.21 255.255.255.0! Reapply the IPS rule to take effectip ips SECURIPS in.,Verifying IOS IPS Configuration,Router# show ip ips configurationConfigured SDF Locations: flash:my-signatures.sdfBuiltin signatures are enabled but not loadedLast successful SDF load time: 13:45:38 UTC Jan 1 2006IPS fail closed is enabled.Total Active Signatures: 183Total Inactive Signatures: 0Signature 6190:0 list 101Signature 1107:0 disableIPS Rule Configuration IPS name SECURIPS acl list 100Interface Configuration Interface Serial0/0 Inbound IPS rule is SECURIPS Outgoing IPS rule is not set,Cisco IOS IPS SDM Tasks,Cisco IOS IPS SDM Tasks,Tasks included in the IPS Policies wizard:Quick interface selection for rule deploymentIdentification of the flow directionDynamic signature updateQuick deployment of default signaturesValidation of router resources before signature deploymentSignature customization available in the SDM IPS Edit menu: DisableDeleteModify parameters,Selecting Interfaces and Configuring SDF Locations,Launching the IPS Policies Wizard,Launch the wizard with the default signature parameters,Customization options,1.,2.,3.,4.,IPS Policies Wizard Overview,Identifying Interfaces and Flow Direction,Select interface,Identify direction,Selecting SDF Location,Add SDF location,Optionally, use built-in signatures as backup,Selecting SDF Location (Cont.),Select location from flash,Select location from network,Selecting SDF Location (Cont.),Viewing the IPS Policy Summary and Delivering the Configuration to the Router,Viewing the IPS Policies Wizard Summary,Verifying IPS Deployment,1.,2.,3.,4.,Configuring IPS Policies and Global Settings,IPS Policies,Global Settings,Viewing SDEE Messages,Viewing All SDEE Messages,Select message type for viewing,Viewing SDEE Status Messages,Status messages report the engine states,Viewing SDEE Alerts,Signatures fire SDEE alerts,Tuning Signatures,Selecting a Signature,Edit signature,Editing a Signature,Click to edit,Select severity,Disabling a Signature Group,Select category,1.,Select All,2.,Disable,3.,4.,Verifying the Tuned Signatures,Summary,You can configure IPS policy on a router by using the CLI or the SDM.CLI does not display the signature parameters.IPS CLI allows you to specify SDF locations, merge SDF files, disable signatures, assign rules to interfaces, and limit the detection scope using ACLs.SDM offers a wizard that simplifies the IPS configuration.IPS Policies wizard deploys default signature definitions from a specified SDF location.You can then use the SDM to edit the policy and modify global settings.SDM offers a view for SDEE messages containing status, errors, and alerts.You can use the SDM to tune the signature parameters.,Module Summary,Cisco IOS Firewall combines the stateful firewall engine with application-layer filtering for selected applications.Cisco IOS Firewall provides stateful support for TCP, UDP, and ICMP.Cisco IOS Firewall can be configured through the CLI, or the SDM, which provides the Basic and Advanced Firewall Configuration wizards for expedited deployment.IDS and IPS are considered complementary technologies that differ in reaction to attack, placement in the network, and signature tuning.Host and network IPS should be deployed in parallel to maximize the protection strength.Cisco IOS IPS can be configured, tuned, and monitored through the CLI or SDM, which offers a wizard for simplified provisioning.,