How to configure Intrusion Prevention System on router using Cisco S... http://www.misdivision.com/blog/intrusion-prevention-system-using-ci...

13 Dec 2010 • Featured, Security

How to configure Intrusion Prevention System on router using Cisco SDM
Monday, December 13th, 2010 by Kevin Diep (See all posts by Kevin Diep)

Intrusion Prevention Systems (IPS) are network security appliances that monitor network
and/or system activity for signs of malicious activity. The main functions of an intrusion
prevention system are to identify malicious activity, log information about that activity,
attempt to block or stop it, and report it. In this blog I will show you how to enable IPS on a
Cisco router using the Cisco Security Device Manager (SDM) application. Cisco SDM
allows you to download signature definition files (SDFs) from Cisco.com, import them onto
a router, enable IPS on router interfaces, tune IPS signatures, and deliver the edited
signatures to the router. You can specify that alerts are to be copied to a syslog server, or
you can configure the router to subscribe to the Security Device Event Exchange (SDEE)
protocol to report security events.

Cisco.com lists the Cisco routers that support SDM and gives instructions for
downloading and installing SDM. You can install and run SDM on a router that is already in
use without disrupting network traffic, but you must ensure that a few configuration settings
are present in the router configuration file. As a prerequisite, three Cisco recommended and
tuned signature files (attack-drop.sdf, 128MB.sdf, and 256MB.sdf) are included with Cisco
SDM (which examines the router memory and loads the best signature file into the router's
flash memory), and a weekly compiled SDF can be manually downloaded from Cisco.com
(http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup) and saved on a local management
workstation.

For this example the router configuration has FastEthernet0/0 as its inside interface and
FastEthernet0/1 as its outside interface. The IPS is applied to the inbound traffic on the
outside interface. The SDF, 1841.sdf, is loaded from the SDF file server.

Tutorial:

1. In Configure mode, select Intrusion Prevention, click the Create IPS tab, and
click Launch IPS Rule Wizard to launch the IPS wizard.

2. If SDEE is not enabled on the router, you are prompted to enable and subscribe to it.
Click OK twice to continue. SDEE is a message protocol that can be used to report
security events, such as the alarms generated when a packet matches the
characteristics of a signature.

3. On the Select Interfaces tab, choose where the IPS should inspect traffic. In this case
it is best to inspect traffic coming from outside to inside at the outside interface,
FastEthernet0/1, so check Inbound IPS for FastEthernet0/1 and click Next.

4. At the Cisco SDM Location window, specify the location from which Cisco SDM
should be loaded by Cisco IOS IPS. In the following scenario, click the Add button.
The Add a Signature Location window appears. Select the Specify SDF using URL
button and perform the following steps:
• In the Protocol box, enter http.
• In the http:// box, enter 192.168.201.50/IPS_SDF/branch092005.sdf.
• Check the autosave option.
• Click OK.
The IP address is the location where you stored the SDF files.

5. The SDF Locations window appears. Check the Use Built-in Signatures (as backup)
option and click Next.

6. If you are satisfied with the configuration, click Finish to deliver the configuration.
Click OK when the signatures are loaded into the router memory; the Signature
Compilation Status window is then displayed. Click OK to close the message window.

7. You are redirected to the Edit IPS tab in the Intrusion Prevention System (IPS)
window. The following figure shows that IPS Inbound is enabled on
FastEthernet0/1.

8. To verify the SDF location, click Global Settings. Cisco SDM creates a new
SDF, sdmips.sdf, in the router's flash memory as the primary IPS signature source
file. In Global Settings you can enable and disable syslog notification, edit the
SDEE parameters and Engine Options, and control the SDF locations.

9. Click Signatures in the Edit IPS tab to view the imported IPS signatures. In this
example, there are 135 signatures in the SDF, as shown in the upper panel of the
signature list. The category tree lets you filter the signature list in the right panel
by the type of signature you want to view. Select the category of signature that you
want to display; for example, select Attack from the category tree. The signature list
panel then displays the signatures of the Attack type. If a plus sign (+) appears to the
left of a category branch, there are subcategories you can use to refine the filter.
Click the plus sign to expand the branch and select the subcategory you want to
display. If the signature list is empty, there are no signatures available for that type.
At the top of the Edit IPS tab, the Select by box lets you filter the display by type of
signature. First select a criterion in the Select by: list, then select the value for that
criterion in the list to the right.
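The wizard in steps 1 to 9 delivers an equivalent Cisco IOS IPS configuration to the router. The fragment below is an added illustration of what that delivered configuration looks like on the command line; it is not output captured from the page's router. The SDF URL and interface name are the ones used in the tutorial, while the rule name sdm_ips_rule and the SDEE buffer size are assumed values.

```cisco
! HTTP server is required by SDM itself and carries SDEE event subscriptions
ip http server
!
! Step 2: report events over SDEE (buffer size of 200 is an assumed value)
ip ips notify SDEE
ip sdee events 200
ip sdee subscriptions 1
!
! Also copy alerts to syslog, so a syslog server sees the same alarms
ip ips notify log
!
! Step 4: primary SDF fetched over HTTP; autosave keeps a copy in flash
ip ips sdf location http://192.168.201.50/IPS_SDF/branch092005.sdf autosave
!
! Step 5: fall back to the built-in signatures if the SDF cannot be loaded
ip ips sdf builtin
!
! Step 3: IPS rule (name assumed) applied inbound on the outside interface
ip ips name sdm_ips_rule
interface FastEthernet0/1
 ip ips sdm_ips_rule in
!
! CLI equivalents of the checks in steps 8 and 9:
!   show ip ips configuration   - rule, SDF locations, notification settings
!   show ip ips signatures      - signatures loaded and their enabled state
!   show ip sdee events         - events buffered for SDEE subscribers
```

If the SDF server is unreachable at boot, ip ips sdf builtin is what keeps the interface inspected with the built-in signature set instead of passing traffic uninspected.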

One Response to “How to configure Intrusion Prevention System on router using Cisco SDM”

1. Worldwidejay says:
December 15, 2010 at 5:47 am

I had to edit the configuration settings in the router config file, so I could set it up
without intervening with the flow of traffic. But, it all worked out so thanks for the
article.

© 2010 MISDivision™