Configuring Distributed Threat Mitigation with Intrusion Prevention System in Cisco Security MARS
Date Revised: September 28, 2006
This technology preview exists for Cisco Security Monitoring, Analysis, and Response System (MARS) 4.1.1, and later, and has been incrementally updated through the current release. Use this preview to understand, plan, and verify large deployments in controlled environments. Work with your Cisco sales engineer or partner to plan and configure this technology before you deploy it in a production network. MARS support is conditioned on the assumption that this is not being used in networks that exceed the appliance-to-IOS IPS router recommendations set forth in Table 2.
DTM Solution Overview
Even though attacks can be identified by either signature-based or anomaly-based systems, there is no easy way to prevent attacks against other network nodes or domains, to mitigate affected nodes, or to issue company-wide alarms. You need to be able to identify and correlate discrete network activities, such as a successful attack that damages the target node or innocent-looking reconnaissance that is preparation for an attack, so that you can quickly protect the rest of the network from similar incidents.
Typically, you cannot correlate the facts about an attack to one another in a timely manner. Various pieces of information are derived from signature-based IPS sensors, and new families of security routers provide volumes of different data: signature alarms, firewall syslog messages, device health information, route information, and so on. Before Cisco Security MARS was developed, this information was not correlated to validate the presence and success of attacks throughout the network.
Cisco Security MARS Distributed Threat Mitigation (DTM) with Intrusion Prevention System (IPS) pro-actively identifies and distributes IPS signatures for active threats detected on the network. It provides distributed and rapid threat mitigation using Cisco IOS Software IPS routers. Cisco Security MARS collects and correlates the attack information provided by signature-based IPS sensors and security routers and, together with Cisco IOS IPS routers, enables IPS signatures to help prevent attacks from spreading. DTM is effective inline intrusion protection and leverages routers already deployed in the network for additional value.
Table 1 lists features and benefits of the DTM solution.
Hardware and Software Requirements
The hardware and software required to enable the DTM solution varies depending on the desired functionality. The DTM solution is composed of three categories of Cisco products: static IPS devices, dynamically updated IPS devices, and management components. Static IPS devices keep Cisco Security MARS abreast of active threats on the network by monitoring traffic for a broad set of signatures. Dynamically updated IPS devices are inline IPS solutions that detect and block traffic matching a signature and that accept dynamic signature updates from Cisco Security MARS. Management components provide change control and auditing of the deployed network policy and signatures. At a minimum, your solution must include one static IPS device, one dynamically updated IPS device, and a supported MARS Appliance.
Static IPS Devices
•Cisco IPS 4200 Series appliances using Cisco IPS Sensor Software v5.1.1 or greater
•Cisco ASA 5500 Series appliances with the Advanced Inspection and Protection module using Cisco ASA Software v5.0 or greater
•Cisco IDSM-2 sensor blades for the Cisco Catalyst 6500 Series using Cisco IPS Sensor Software v5.1.1 or greater
•Cisco NM-CIDS Network Module (with Cisco IPS Sensor Software v5.1.1 or greater) for Cisco 2600XM, 2800, 3700, and 3800 series routers
Dynamically Updated IPS Devices
•Cisco IOS Software routers with security image using Cisco IOS Software Release 12.4(6)T1 or greater
Management Components
•Cisco Security MARS, software release 4.2.1. Supported Cisco Security MARS hardware includes:
•(Optional) Management Center for Intrusion Prevention Systems (IPS MC), Release 2.2 or later.
How DTM Works
In the DTM solution, Cisco Security MARS proactively identifies active signatures as reported by one or more Cisco IPS appliances or modules deployed in your network. Next, Cisco Security MARS distributes the same IPS signatures to specified IOS IPS routers.
Figure 1 DTM Components
A Cisco IPS appliance or module can run the full signature set, whereas Cisco IOS IPS routers run a subset of signatures based on available memory and on which signatures are active (different signatures consume different amounts of memory). Therefore, specifying one or more Cisco IPS appliances or modules as the reporting devices in your DTM rules ensures that the network is monitored for all known attacks rather than a restricted set. Based on the signatures those appliances and modules report, Cisco Security MARS generates and publishes up-to-date signature definition files (SDFs) to the Cisco IOS IPS routers. An SDF is an XML file that defines a set of signatures. A Cisco IOS IPS router reads the SDF update, parses the file, and populates its internal tables with the information necessary to detect each signature.
To use the DTM solution, you must enable IOS IPS on the routers and, in MARS, identify these routers as the targets of DTM notifications for inspection rules based on Cisco IPS signatures. An IOS IPS router can technically also serve as a reporting device, but only IOS IPS routers can be the notification target of a DTM rule.
For DTM rules, the SDF for the signatures matched in the rules is generated and stored on the MARS Appliance when the rules fire. MARS does not generate a single SDF for all routers; it generates a separate SDF for each router, and that set is limited to the signatures that the router supports, because not all of the signatures supported by a Cisco IPS appliance are supported by Cisco IOS IPS routers.
Selecting the DTM notification method means that if the rule fires, MARS issues the appropriate commands to each Cisco IOS IPS router that should receive the notification, instructing the router to retrieve its SDF. The DTM notification also includes one or more IPS alert actions: alarm, drop, reset (if it is a TCP session), deny attacker, or deny flow. These actions enable new or existing signatures and configure each signature to respond accordingly when it fires. The alarm action means sending a syslog or SDEE notification to the target monitoring devices, such as MARS and syslog servers.
Note You must enable SDEE on the Cisco IPS devices for MARS to process the alerts correctly.
The result of this rule configuration is that Cisco Security MARS provides distributed and rapid threat mitigation to IOS IPS routers based on what an IPS appliance detects in the network. Cisco Security MARS, based on the active threats, amends the set of active signatures running on the IOS IPS routers to mitigate such threats network wide.
When using MARS to monitor your Cisco IPS devices, you can also configure IPS MC to monitor the IOS IPS routers for dynamic configuration changes made by MARS and to notify the administrator when this happens, either via e-mail or via the console. This notification allows you to synchronize your signature policies with the active policy on the network. This feature is important because the dynamic signature changes made by MARS are not permanent; if the IOS IPS router is power cycled, the signature set is synchronized with the last known configuration pushed by IPS MC. The administrator can run a report to see what changed on the configuration and choose whether to re-import the device in IPS MC to synchronize the configuration changes with the database.
As part of the DTM operation, Cisco Security MARS deletes inactive signatures from the SDF. Inactive signatures are those that have not fired on the network within a user-specified interval. You can specify the interval as Never Delete Inactive Signatures, 3, 6, or 12 hours, or between 1 and 14 days. If you select Never Delete Inactive Signatures, you will eventually render the DTM feature useless, because no new signatures can be added once the memory limit of the IOS IPS router is reached.
Cisco Security MARS deletes inactive signatures to ensure that the IOS IPS routers have memory available to accept new signatures. However, even when a signature has expired (been inactive for the specified interval), it is not deleted from the SDF until Cisco Security MARS adds a new signature to the SDF. During each add operation, Cisco Security MARS deletes all expired signatures, but it does not remove expired signatures when it is only merging new actions into signatures that are already in the SDF. If a signature in the SDF has fired anywhere on the network, it is kept in the SDF until it expires, even when the memory limit is reached. This strict adherence to the configured interval means that subsequent updates fail until signatures can be removed. Therefore, study the DTM reports to tune the signature inactivity value so that the signatures currently firing stay in the SDF while stale ones are released.
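The expiry, merge and out-of-memory rules above are easy to misread, so the following is an added Python model of them. It is example code written for this page, not MARS or Cisco IOS code: the signature IDs, memory costs, router capacity and the hour-based time scale are constructed, and returning None for a signature the router does not support is an assumption. The DTM_UPDATE_SUCCESS, DTM_UPDATE_FAIL and DTM_DELETE_SUCCESS names are the event names MARS reports in its DTM event group.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SdfEntry:
    actions: Set[str]   # IPS actions enabled for the signature, e.g. {"alarm", "drop"}
    memory: int         # memory the signature consumes on the router (constructed units)
    last_fired: float   # hours since start when the signature last fired anywhere on the network


@dataclass
class RouterSdf:
    """The per-router SDF that MARS maintains for one IOS IPS router (model, not MARS code)."""
    name: str
    capacity: int                      # router memory available for signatures (constructed)
    supported: Set[int]                # signature IDs this IOS IPS image can run
    inactivity_hours: Optional[float]  # None models "Never Delete Inactive Signatures"
    entries: Dict[int, SdfEntry] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)  # DTM event names, as in the DTM reports

    def free(self) -> int:
        return self.capacity - sum(e.memory for e in self.entries.values())

    def record_fired(self, sig_id: int, now: float) -> None:
        """A signature already in the SDF fired somewhere on the network, so it stays current."""
        if sig_id in self.entries:
            self.entries[sig_id].last_fired = now

    def _delete_expired(self, now: float) -> List[int]:
        if self.inactivity_hours is None:
            return []
        expired = [s for s, e in self.entries.items() if now - e.last_fired >= self.inactivity_hours]
        for s in expired:
            del self.entries[s]
            self.events.append("DTM_DELETE_SUCCESS")
        return expired

    def apply_update(self, sig_id: int, actions: Set[str], memory: int, now: float) -> Optional[str]:
        """Apply one DTM notification for one signature and return the resulting DTM event name."""
        if sig_id not in self.supported:
            return None  # assumption: MARS publishes nothing for a signature the router cannot run
        entry = self.entries.get(sig_id)
        if entry is not None:
            # Merge-only update: OR the new actions into the existing ones. Expired
            # signatures are NOT removed on this path, even if they are past the interval.
            entry.actions |= set(actions)
            entry.last_fired = now
            self.events.append("DTM_UPDATE_SUCCESS")
            return "DTM_UPDATE_SUCCESS"
        # Adding a new signature: purge everything that has expired, then check what is left.
        self._delete_expired(now)
        # Signatures that are still current are never evicted to make room, so the
        # update fails until something expires (a critical incident in the DTM reports).
        if self.free() < memory:
            self.events.append("DTM_UPDATE_FAIL")
            return "DTM_UPDATE_FAIL"
        self.entries[sig_id] = SdfEntry(set(actions), memory, now)
        self.events.append("DTM_UPDATE_SUCCESS")
        return "DTM_UPDATE_SUCCESS"


def demo_never_delete() -> Optional[str]:
    """Never Delete Inactive Signatures: once memory is full, every new signature fails."""
    r = RouterSdf("branch-2811", capacity=100, supported={1000, 1001, 1002}, inactivity_hours=None)
    r.apply_update(1000, {"alarm"}, 60, now=0)
    r.apply_update(1001, {"alarm", "drop"}, 30, now=1)
    return r.apply_update(1002, {"alarm"}, 40, now=30)  # only 10 units free, nothing can expire


def demo_with_expiry():
    """A 12-hour inactivity interval: the stale signature is purged when a new one is added."""
    r = RouterSdf("branch-2811", capacity=100, supported={1000, 1001, 1002}, inactivity_hours=12)
    r.apply_update(1000, {"alarm"}, 60, now=0)
    r.apply_update(1001, {"alarm", "drop"}, 30, now=1)
    r.record_fired(1001, now=25)  # 1001 keeps firing on the network; 1000 goes quiet
    result = r.apply_update(1002, {"alarm"}, 40, now=30)  # 1000 is 30 h idle and is deleted
    return result, sorted(r.entries)


def demo_merge_does_not_expire():
    """A merge-only update leaves an already-expired signature in the SDF."""
    r = RouterSdf("branch-2811", capacity=100, supported={1000, 1001}, inactivity_hours=12)
    r.apply_update(1000, {"alarm"}, 60, now=0)
    r.apply_update(1001, {"alarm"}, 30, now=0)
    r.apply_update(1001, {"drop"}, 30, now=40)  # 1000 is expired but this is only a merge
    return sorted(r.entries[1001].actions), 1000 in r.entries


if __name__ == "__main__":
    print("never delete:", demo_never_delete())
    print("12h expiry:  ", demo_with_expiry())
    print("merge only:  ", demo_merge_does_not_expire())
```

The three demos correspond to the three cases the text describes: a router that can never free memory, a router whose idle signature is purged during an add, and a merge that leaves an expired signature in place. Replace the constructed memory numbers with what Show Device or the Resource Issue reports tell you about a real router before drawing conclusions about a tuning value.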
Checklist for Deploying DTM
The following checklist describes the decision-making process and the basic flow required to plan, deploy, and fully enable DTM. Each task might contain several steps and substeps; the steps and substeps should be performed in order. The checklist contains references to the specific procedures used to perform each task.
1. Define the architecture of the network.
Defining the architecture of the network involves understanding traffic flows and placement of sensors (appliances or service modules) and routers. You must identify the critical segments of your network and the mitigation strategies for each segment. For example, you might choose a group of routers that will always block any detected security events. In other cases where asset values are lower, you might define a group of IOS IPS routers for which the signatures generate alarms only unless the attack is actually seen, in which case the signatures should also block the traffic.
Note If your configuration includes more than one Local Controller, be aware that each Local Controller should use a unique IPS device as its primary reporting device. Multiple Local Controllers can share a primary reporting device; however, doing so introduces inefficiencies on your network, because each Local Controller correlates the same reported incidents and a Global Controller presents the same events as unique per zone. Without exception, you must not configure the same IOS IPS router as a DTM rule notification target on more than one Local Controller; such configurations result in the Local Controllers overwriting each other's SDF settings on the router. Also, the signatures detected by one Local Controller are not propagated to the IOS IPS routers monitored by other Local Controllers. In other words, the IOS IPS signature sets can vary across Local Controller zones.
Result: A map of the network segments is defined. The placement of each Local Controller is relative to the network segment monitored by the primary IPS reporting device. The mitigation response and desired escalation in responses is determined for each IOS IPS router.
For more information, see the following sections in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0:
Capturing Network Traffic
Introducing the Appliance
2. Bootstrap the routers.
Bootstrap the Cisco IOS IPS routers to accept SSH or Telnet connections from MARS and to allow MARS to pull current signature settings. The preferred access method is SSH, which MARS uses to discover current signature settings and available memory and to publish SDF updates. You must also enable SDEE on the IOS IPS router and identify the MARS Appliance as a valid SDEE client, so that the router can be configured as a reporting device in MARS.
Note To enable DTM, use the 12.4(6)T1 image on the routers.
You must enable IOS IPS on the routers by defining a default attack-drop.sdf file. You can bootstrap the routers and enable IOS IPS manually from the CLI or using a management application, such as Security Device Manager (SDM) or the Management Center for Intrusion Prevention System (IPS MC).
Note Cisco Security MARS cannot enable the IPS feature set on a router that does not have it configured. Cisco Security MARS can only modify the list of the enabled signatures or add new signatures.
Result: The recommended software image is running on the routers, and the IOS IPS feature is enabled. The routers are configured to accept SSH administrative connections from the MARS Appliance. Also, the routers are configured to report SDEE events to MARS.
For more information, see:
•Cisco IOS IPS Deployment Guide
For more detailed information on how the IOS IPS feature works, and what the attack-drop.sdf file is and how to configure it, please refer to the following deployment guide:
•How to Load IPS-Based Signatures onto a Router
•How to Configure SDEE on the Router
3. Add bootstrapped reporting devices and mitigation devices to the web interface in MARS.
After you identify and bootstrap the IPS sensors and IOS IPS routers, enable the required traffic flows, and determine the role of the different devices in your DTM solution, you must represent those devices in MARS. MARS uses this information to communicate with and authenticate to the devices. You represent the devices by adding individual devices in the web interface or by importing a comma-separated values (CSV) seed file, which can define the required settings for basic device types and give you a head start on defining the more complicated devices. In addition, you can use SNMP-based topology discovery to discover reporting devices and mitigation devices. You can provide additional detail, such as the SSH credentials used to authenticate to the device, later.
After you add the IOS IPS routers to the MARS web interface, you must select each router, edit the device, and click Add IPS on the device setting page to configure the SDEE authentication and port settings. You must add this information manually, because the seedfile and discovery methods do not support it. SDEE support is required to pull the error and status logs about DTM updates and activities.
Because DTM is a distributed solution, you should be careful to select the correct Local Controller to monitor the IPS sensors and to monitor and update the IOS IPS routers. Table 2 recommends the number of IOS IPS routers to be updated by a single Local Controller based on the appliance model.
You should also define device groups in the MARS web interface for those devices in the DTM solution that share common roles. Such groups will assist you when defining DTM actions for rules and when running queries and reports. Two example groups follow:
•To treat all branch routers the same way, create a single group of devices, called Branch IOS IPS, that includes all IOS IPS routers.
•To treat two groups of devices differently, such as one with more sensitive traffic and the other with less sensitive traffic needing less attention, you can create two groups. When the IPS sensor detects attack traffic, you can publish different signature responses to each group. You can publish signature sets with an alarm and drop response to the first group, while publishing an alarm only action for the same signatures to the second group.
After adding a Cisco IOS IPS router in the MARS web interface, make sure that you have defined the SSH or Telnet connection information and that you have discovered the device, via the Discover button, to verify that the authentication settings are correctly defined.
Note You cannot use SNMP access on the IOS IPS routers if you intend to use the DTM feature.
Result: All IPS sensors and IOS IPS routers are defined and activated in MARS. When the devices are bootstrapped and defined in MARS, MARS pulls and inspects the logs received from the devices. Until the devices are added and activated in MARS, MARS cannot pull the SDEE logs from the devices.
4. Define the period for retaining the SDF files on the MARS Appliance and the schedule for detecting the signature set state for IOS IPS routers.
DTM enables Cisco IOS routers running IOS IPS to run those signatures that are most likely to be needed, ensuring that the signature set reflects the current network environment. Scheduling DTM updates refers to specifying the frequency with which MARS contacts the IOS IPS routers to check the signatures that they are running and to make the necessary changes to their SDF files, adding or deleting signatures. MARS maintains a list of the signatures that have been reported by any IDS/IPS device in the network and that are associated with a DTM rule. The trigger device should not be an IOS IPS router, because it cannot run the full set of signatures regardless of how much memory it has; any other IDS/IPS device can serve, such as the IPS appliance, the NM-CIDS, the SSM module for Cisco ASA, or the IDSM-2 blade for the Catalyst 6500. At the same time, MARS keeps track of the signatures that have not been reported (inactive signatures) within the last 24 hours (default period), so that they can be deleted from the routers; this is necessary so that a router does not run more signatures than it should. Beginning with 4.2.1, you can configure this signature inactivity period to meet your requirements.
Note Inactive signatures are not deleted during every SDF update. Such signatures are deleted only when the SDF update includes the addition of a new signature. Otherwise, they remain in the SDF even if they are expired.
The 4.2.1 release also introduced the top ten signature list, which is downloaded from Cisco.com. You can specify the interval for downloading these signatures and define the default actions to associate with them.
After you define the settings, you must activate them by clicking Activate on any page in the web interface.
Result: The schedules for updating IOS IPS routers are defined and activated in MARS. The DTM services monitor the MARS database to determine the firing signatures across the reporting devices (Cisco IPS and Cisco IDS devices). Based on this information, MARS adds and deletes signatures in the SDF files so that Cisco IOS Routers running the DTM feature set can query MARS for the list of signatures that have been fired by the DTM rules.
5. Define specific inspection rules with the DTM notification method.
The DTM feature of MARS works in conjunction with Cisco IPS devices to generate and publish up-to-date signature definition files (SDFs) to Cisco IOS IPS routers. Selecting the DTM notification method means that when an inspection rule fires, MARS pushes the associated SDF to any Cisco IOS IPS routers that are the subject of the notification. The DTM notification also includes an IPS alert action: alarm, drop, reset (if it is a TCP session), deny attacker, or deny flow. This IPS alert action enables new or existing signatures and configures the signature to respond accordingly when it fires. The alarm action refers to sending a syslog or SDEE notification to target monitoring devices, such as MARS and syslog servers.
Result: All MARS inspection rules based on the IPS device signature events include DTM notifications. The notifications specify, as target devices, the Cisco IOS IPS routers monitored by the Local Controller.
6. Start monitoring.
After the settings are configured and the DTM rules created, Cisco Security MARS begins monitoring the network via SDEE for new alarms. The Cisco IOS IPS router or IPS appliance detects one or more signatures and alarms, which the MARS Appliance pulls using SDEE for event correlation and further inspection.
Typical monitoring activity is as follows:
•A DTM rule fires and MARS updates the list of the signatures.
When the DTM rule fires, an incident is created. All such incidents are analyzed at the predefined interval specified in the Interval to Synchronize Signatures on DTM Devices field of the Distributed Threat Mitigation Settings page. When the interval expires, Cisco Security MARS retrieves all such incidents and analyzes all of the signatures that are part of each incident. Based on those signatures, Cisco Security MARS regenerates the SDF for each router defined in the notification group for that DTM rule and contacts those routers to instruct them to get the new SDF file. If a signature is already in a router's SDF but the action differs from that specified in the DTM notification setting, the signature actions are merged. Otherwise, the new signature is added and any inactive signatures are deleted from the SDF.
MARS tracks the set of signatures running on each router and bases the new SDF for that router on that set. MARS adds signatures to this file depending on how the MARS Appliance has been configured and on what is firing. MARS determines the required memory for each signature and the free memory on the router. If the router is out of memory, MARS follows the user-specified setting for deleting inactive signatures. If the router is out of memory and no signatures can be deleted, the update fails and is recorded as a critical incident, and MARS retrieves the SDEE events about this failure from the IOS IPS router. MARS attempts the update again when the interval next expires.
•MARS notifies the devices and makes available the appropriate SDF updates. MARS sends a notification to either all devices or a group of branch routers, as specified by the DTM rules. The IOS IPS routers connect to the MARS Appliance to download and install the updated SDF files. You can specify that signatures are added using the "alarm only" action if desired. The action that you want to implement on the devices should be defined based on the set of routers you are using to enforce the signatures as well as the topology of the network. If two or more DTM rules are defined for the same signature using different actions, MARS ORs the actions, resulting in all selected actions being defined for the signature.
You can specify that all signatures are deployed with the drop action or you can specify different actions for each set of routers to which you are deploying. You can define unique rules based on the following criteria: which IPS is firing, how often one or more signature fires within a time period, whether the signature is red, yellow, or green, and whether the source or destination is within a specific network or address range.
•Another attack fires. Following the update, the branch office routers will most likely also detect the same signatures and start sending alarms to MARS, which verifies the occurrence of active threats. Those new alarms, in turn, trigger a different rule in MARS that has those signatures now drop the suspicious packets, thus stopping the attack at the branch gateway. A new SDF file is pushed to the routers with the new action for those signatures.
Result: The DTM solution monitors the network for active attacks and pushes signature updates and defined responses to the IOS IPS routers.
7. Run DTM reports and queries to track changes on the network.
You can define queries and reports around any DTM event, which is organized under the Misc/DTM event group. A DTM event provides status about a DTM update that is published to the target devices. The following actions result from DTM signature changes: DTM_UPDATE_SUCCESS, DTM_UPDATE_FAIL, DTM_DELETE_SUCCESS, and DTM_DELETE_FAIL.
These DTM reports and queries help you identify errors, such as out-of-memory conditions and signature update failures, and provide clearer status on DTM updates. The recommended monitoring and troubleshooting approach is to schedule the full set of DTM reports, many of which are not scheduled by default, to run frequently, and to monitor them.
For example, if you see a signature firing on a primary reporting device (IPS device) but do not see that signature running on your IOS IPS routers, first determine whether a DTM rule based on that signature has fired. If such a rule did fire, then determine whether the update interval has expired since the signature fired on the primary reporting device. If it has not, you may wish to decrease the interval. If that is not the cause, then review the DTM reports for possible failures with the update to that router. If the DTM rule did not fire, then determine why it did not fire. Possible causes include failure to receive the alarm or an incorrectly defined DTM rule.
Result: Stay abreast of DTM signature changes by studying the change audit trail.
8. Configure CiscoWorks Management Center for IPS Sensors to monitor the IOS IPS routers for configuration changes.
You can specify the interval at which CiscoWorks Management Center for IPS Sensors (IPS MC) version 2.2 polls the monitored devices for configuration changes made out of band. The default interval is 5 minutes. IPS MC compares the signatures deployed with the configuration stored in its local database and, if a change has occurred, issues an e-mail notification; on the console, the icon of the router changes color to indicate a configuration change. You must run a difference report to determine what changed and whether to re-import the router to update the configuration in the IPS MC database.
Note If you have a distributed environment, you must have at least one firing device per zone. The Global Controller cannot correlate among different zones, so each Local Controller must work independently on a set of devices. Each Local Controller can look only at the IDS/IPS devices that it monitors, and deploy the signatures that those fire to the set of routers that specific Local Controller knows about.
Result: The configuration settings in your IPS management application are synchronized with the SDF updates provided to IOS IPS routers by Cisco Security MARS.
For more information, see:
•IPS MC Documentation Portal
"Monitoring Sensor Health" from Using Management Center for IPS Sensors 2.2
Define DTM-Specific Inspection Rules
When defining inspection rules for DTM, consider the following framework for the rules:
For <Devices> that report signatures firing that match <Conditions>, update <Targets> with the SDF file with <IPS Action>.
Figure 2 Example DTM Rule
Each inspection rule ties together four pieces of information:
•Devices. The reporting devices for which the data is to be correlated for the rule. These reporting devices are the ones that you consider to be your primary IPS/IDS devices. Cisco Security MARS, based on attacks or probes reported by these devices, updates the signature sets on your Cisco IOS IPS routers. Valid reporting devices for this field are:
–Cisco IPS sensors and modules
–Cisco IOS IPS routers
–Cisco IDS devices.
•Conditions. The conditions defined for one or more Cisco IPS signatures for which you want to generate SDFs. In the DTM rule, the conditions define which signatures are worth updating. Valid conditions include signature/type, group, severity, or count of the times a signature is fired or combinations thereof.
•IPS Action. One or more IPS alert actions that the signatures should enable. When defining an alert action that applies to multiple signatures, verify that each signature is compatible with the action. The IPS signature actions specify that the new SDF file should include one or more of the following actions as part of the signature configuration:
–Alarm sends a notification about the attack through syslog or SDEE.
–Reset is effective for TCP-based connections and sends a reset to both the source and destination addresses. For example, in case of a half-open SYN attack, Cisco IOS IPS can reset the TCP connections.
–Drop discards the packet without sending a reset. Cisco recommends using "drop and reset" in conjunction with alarm.
–Deny Attacker blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this time is set by the user).
–Deny Flow blocks the appropriate TCP flow from the attacker. Other connections from the attacker can be established to the router.
Tip To define the action from a rule, click Action and then click Add to specify a new action object. The DTM action appears in the bottom right of the Add Action page. From the list, select the action you want to implement for the signatures. Click Change Recipient to select the devices to which the signatures should be published.
Figure 3 IPS Actions and DTM Notification Settings
Note Releases before 4.2.1 do not support the denyAttackerInline and denyFlowInline actions available on Cisco IOS IPS.
•Targets. The list of Cisco IOS IPS routers to which you want to publish the SDF update when the inspection rule fires.
When a rule fires, the SDF update for the signatures is placed in an update queue. When the period, defined by DTM Device Access Interval, elapses, all queued updates are published to each target device. Each target device has a separate SDF that is updated each time the interval period elapses.
Example DTM Rules
The following example rule is illustrated in this section:
Source/Dest IP = ANY, Service Name = ANY, Event = SAME, Device = ANY (of the IPS devices), Severity = RED, COUNTS = 3, Reported USER = ANY,
Time-Range = 30 min,
Action = DTM Action with signature action = Alarm Only & recipients = All IOS routers
To define this rule using the MARS web interface, follow these steps:
Step 1 Define a rule that fires for every severity red event firing on the IPS sensors.
a. Click Rules > Inspection Rules, and then click Add.
b. Specify a meaningful name, such as Cisco DTM Trigger, and a description for the rule, and click Next.
c. Select ANY for the Source IP, Destination IP, and Service Name values.
d. Select SAME for the Event value.
e. Select one or more IPS device to serve as the reporting device in the Devices field.
f. Select ANY for the Reported User and Keyword values.
g. Select Red for the Severity value, enter 3 as the Counts value, and click Next.
A dialog box prompts "Are you done defining the rule conditions?"
h. Click Yes.
Step 2 When you have defined this rule, click Action.
Step 3 Click Add to add an action to the building blocks.
Step 4 Enter a meaningful name, such as Push to Branch IOS IPS routers.
Step 5 Select the Distributed Threat Mitigation check box in the bottom right-hand corner of the screen.
Step 6 Click Change Recipient to select the IOS IPS routers that should receive signature updates when this rule fires, and then click Submit.
Step 7 Select the check box that corresponds to each action that you want the signature updates to enforce, and then click Submit.
These actions are the ones you want to implement for the signatures when they are triggered (Alarm, Drop, Reset).
Step 8 After the action is defined, select it to attach it to the rule, and click Next.
Step 9 Specify the time range as 30 minutes, and click Next.
The output is the following rule:
Step 10 To determine whether any DTM updates have been pushed out, run an inline query.
Two additional example DTM rules follow:
1. Activate the rule only if at least 15 high-severity signatures fire within 5 minutes. The action associated with the signature set deployed to the router is to alarm and drop the traffic if it is seen on the routers.
Source/Dest IP = ANY, Service Name = ANY, Event = ANY, Device = ANY, Severity = HIGH, COUNTS = 15, Reported USER = ANY
Time-Range = 5 min,
Action = DTM Action with signature action = Alarm and Drop & recipients = All IOS routers
2. This rule fires in a less severe case, when at least 10 medium-severity signatures fire within 5 minutes. The action associated with the signature set deployed to the router is to alarm only if it fires on the router.
Source/Dest IP = ANY, Service Name = ANY, Event = ANY, Device = ANY, Severity = MEDIUM, COUNTS = 10, Reported USER = ANY,
Time-Range = 5 min,
Action = DTM Action with signature action = Alarm Only & recipients = All 2800 and 3800 routers in medium/large branches with 256 MB or more memory
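To make the windowed counting behind these two rules concrete, the following Python model evaluates a DTM-style inspection rule over a constructed list of IPS events. It is an added example written for this page, not MARS code: the event and rule field names, the sample events and the "re-arm after firing" behaviour are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed event model: one row per IPS signature firing reported to MARS.
@dataclass(frozen=True)
class IpsEvent:
    ts: datetime
    sig_id: int
    severity: str   # "HIGH", "MEDIUM" or "LOW"
    device: str


# Hypothetical representation of a DTM inspection rule (field names assumed).
@dataclass(frozen=True)
class DtmRule:
    name: str
    severity: str
    counts: int
    time_range: timedelta
    sig_action: tuple   # signature actions pushed to the routers, e.g. ("Alarm", "Drop")
    recipients: str


@dataclass(frozen=True)
class DtmPush:
    rule: str
    signatures: frozenset   # signature IDs the recipient routers would receive
    sig_action: tuple
    recipients: str


def evaluate_rule(rule, events):
    """Sliding-window evaluation: the rule fires when at least rule.counts
    events of rule.severity fall inside one rule.time_range window.
    Events that satisfied the rule are consumed so the rule re-arms (assumption)."""
    window = deque()
    pushes = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.severity != rule.severity:
            continue
        window.append(ev)
        # Drop events older than the window, measured back from the newest event.
        while ev.ts - window[0].ts > rule.time_range:
            window.popleft()
        if len(window) >= rule.counts:
            pushes.append(DtmPush(
                rule=rule.name,
                signatures=frozenset(e.sig_id for e in window),
                sig_action=rule.sig_action,
                recipients=rule.recipients,
            ))
            window.clear()
    return pushes


# The two example rules from the text.
RULE_HIGH = DtmRule("High-severity burst", "HIGH", 15, timedelta(minutes=5),
                    ("Alarm", "Drop"), "All IOS routers")
RULE_MEDIUM = DtmRule("Medium-severity burst", "MEDIUM", 10, timedelta(minutes=5),
                      ("Alarm",), "2800/3800 branch routers with 256 MB or more")

# Constructed sample: 15 HIGH firings of four signature IDs within 3.5 minutes,
# one isolated HIGH firing 20 minutes later, and 6 MEDIUM firings (below 10).
T0 = datetime(2006, 9, 28, 10, 0, 0)
SAMPLE_EVENTS = (
    [IpsEvent(T0 + timedelta(seconds=15 * i), 3000 + (i % 4), "HIGH", "ips-sensor-dc")
     for i in range(15)]
    + [IpsEvent(T0 + timedelta(minutes=20), 3000, "HIGH", "ips-sensor-dc")]
    + [IpsEvent(T0 + timedelta(seconds=30 * i), 5000 + i, "MEDIUM", "ips-sensor-dc")
       for i in range(6)]
)

if __name__ == "__main__":
    for rule in (RULE_HIGH, RULE_MEDIUM):
        for push in evaluate_rule(rule, SAMPLE_EVENTS):
            print(f"{push.rule}: push {sorted(push.signatures)} "
                  f"with {'+'.join(push.sig_action)} to {push.recipients}")
```

With the sample data only the high-severity rule fires, and the push carries just the four distinct signature IDs that fired, which is the point of DTM: the routers receive the signatures the sensors actually saw, not the whole database.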
View DTM-Specific Reports
You can define queries and reports around any DTM event, which is organized under the Info/DTM group. A DTM event provides status about a DTM update that is published to the target devices. Alternatively, you can enter DTM in the Description/CVE: field and click Search on the Management > Event Management page of the web interface.
The following DTM-specific report group exists:
• System: CS-MARS Distributed Threat Mitigation (Cisco DTM)
The following DTM reports are provided by MARS:
• Activity: IOS IPS DTM Successful Signature Tuning - All Events
• Connectivity Issue - IOS IPS DTM - All Events
• Resource Issue - IOS IPS DTM - All Events
• Resource Issue - IOS IPS DTM - Top Devices
Schedule DTM Updates
DTM allows Cisco IOS Routers running IOS IPS to run those signatures that are most likely to be detected, ensuring that the signature set is germane to the current network environment. Scheduling DTM updates refers to specifying the frequency with which MARS polls those Cisco IPS and Cisco IDS devices that it monitors. MARS uses this data to generate a list of fired signatures as reported across these devices. MARS stores these generated signature sets on the MARS Appliance for retrieval by Cisco IOS Routers also monitored by MARS. The routers then run the top N signatures based on memory limitations.
To define the global DTM update schedule, follow these steps:
Step 1 Click Admin > System Parameters > Distributed Threat Mitigation Settings.
Step 2 In the Interval to Synchronize Signatures on DTM Devices field, enter the interval, in minutes, at which MARS should update the target devices.
This value represents the minimum time that MARS waits before synchronizing with the target Cisco IOS IPS routers, as defined in the notification subjects of the DTM-specific inspection rules. When a DTM rule fires, the list of signatures to be added is modified, but the SDF file is deployed only when the specified interval expires. Consider this value carefully; it is the minimum time that MARS waits. If MARS is updating a large number of routers, a single round of polling can take longer than the specified interval to reach all of the devices.
As an example, consider the time interval of 15 minutes. This value specifies that every 15 minutes the MARS Appliance attempts to contact the IOS IPS routers to compare their operating configuration with the active set and to deploy a new SDF file if needed. If a DTM rule fires in the middle of this 15-minute interval, the wait time is only 7 and a half minutes.
The process that polls the IOS IPS routers is single threaded; therefore, the number of devices monitored by a Local Controller should be small enough that a full round of polling can complete within the specified interval. A minimum interval for signature updates must be defined to avoid an attack on the IOS IPS router itself. If new SDF updates are being pushed, it is important to allow the IOS IPS router time to compile and activate the previous update before the next SDF update is pushed. If a new SDF file is deployed too early, it could corrupt the signature set running on the router.
Table 2 provides the maximum number of devices and polling interval recommendations for each model of MARS Appliance.
Caution These recommendations do not consider the potential load the MARS Appliance has in events/second received from other reporting devices.
Table 2 Sizing DTM for Your Network
Appliance Model | Number of IOS IPS routers Managed (1) | Recommended Polling Interval
(1) Managed using SSH.
Step 3 In the Interval to Determine Signature Inactivity field, select the interval at which the signature list should be restarted. The default value is 24 hours.
This value identifies the period of time that inactive signatures are kept as part of the SDF on IOS IPS routers before they are deleted from it. If a signature is not reported as active by any IPS or IOS IPS router monitored by MARS, it is deleted from the IOS IPS routers that are notification targets for DTM rules after the signature inactivity interval expires.
If you select the Never Delete Inactive Signatures value, the DTM feature eventually becomes useless, because no new signatures can be added once the memory limit of the IOS IPS router is reached.
MARS polls the Cisco IOS IPS and IDS devices to develop a list of signatures fired by devices over a period of time. When that period elapses, MARS deletes the stored signature list, compiles a new SDF, and restarts this process. This setting ensures that MARS has generated the SDFs based on the current signatures. Before MARS generates an SDF, it polls the Cisco IPS devices to ensure that it has the most recent signatures. Each IOS IPS router has an active signature list against which MARS compares to determine if any signatures in the queue are already running on the device. If any queued signatures are not already running, MARS publishes a marginal SDF of those signatures.
Note To perform this publish operation, MARS issues a copy <url> command to the router. The copy command is issued over HTTP. The router then connects to the Local Controller using HTTPS/SDEE. To delete signatures, MARS issues an ip ips signature <id> delete, then a copy <url> ips-sdf command to merge the marginal SDF. This command triggers a rebuild of the signature set running on the IOS IPS router, during which new signatures are added and inactive ones are deleted. The last command issued by MARS is the no ip ips signature <id> delete, which removes the delete command from the NVRAM configuration.
The number of signatures running on a Cisco IOS IPS router can vary depending on memory constraints. MARS builds an SDF of the current set plus the marginal set. MARS determines how much router memory is available, and if there is sufficient memory, it builds the new SDF file around what is not marked for deletion, as those signatures have been active on the network within the specified interval. The memory is calculated with a "show memory statistics" command.
MARS does not delete any signatures that were reported to MARS within the interval or that MARS published as part of an SDF within the interval. If any signature running on the Cisco IOS IPS router has not fired within the interval, it is marked for deletion even if the router has enough memory to run it. However, it is not removed until a new signature is actually added to the SDF. During a signature addition operation, all signatures marked for deletion are removed from the SDF. This allocation approach keeps the ratio of running signatures to memory as high as possible, and it ensures that, in case of an attack, the router has enough free memory to sustain an increase in traffic.
Note If the deployment should fail, MARS does not retry the deployment. Instead, it attempts to deploy an updated SDF file when the Interval to Synchronize Signatures on DTM Devices elapses.
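The allocation rules in Step 3 (keep what fired or was published in the interval, mark the rest for deletion, delete only when a marginal SDF is actually added, and respect the router's memory) can be checked with a small model. The following Python function is an added example written for this page, not the MARS implementation: it assumes a uniform per-signature memory cost, assumes that memory of deleted signatures becomes available to new ones, and uses constructed signature IDs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SdfPlan:
    deployed: bool
    added: tuple        # signature IDs in the marginal SDF, in queue order
    deleted: tuple      # inactive signatures removed during this addition
    new_active: frozenset


def plan_sdf_update(active, fired, published, queued, free_mem, cost_per_sig):
    """Model of one DTM synchronization for a single IOS IPS router.

    active     - signatures currently running on the router
    fired      - signatures reported active by any monitored sensor in the interval
    published  - signatures MARS already published in an SDF during the interval
    queued     - signatures DTM rules want on the router, in priority order
    free_mem   - free router memory (what 'show memory statistics' would report)
    cost_per_sig - assumed uniform memory cost of one signature (constructed value)
    """
    active = frozenset(active)
    # A signature survives only if it fired or was published within the interval.
    keep = active & (frozenset(fired) | frozenset(published))
    marked_for_deletion = active - keep

    # The marginal SDF holds queued signatures that are not already running.
    marginal, seen = [], set()
    for sig in queued:
        if sig not in active and sig not in seen:
            marginal.append(sig)
            seen.add(sig)

    # No addition means no deployment: inactive signatures stay marked but running.
    if not marginal:
        return SdfPlan(False, (), (), active)

    # Assumption: deleting marked signatures frees their memory for new ones.
    budget = free_mem + len(marked_for_deletion) * cost_per_sig
    fits = budget // cost_per_sig
    if fits <= 0:
        return SdfPlan(False, (), (), active)

    added = tuple(marginal[:fits])
    new_active = (active - marked_for_deletion) | frozenset(added)
    return SdfPlan(True, added, tuple(sorted(marked_for_deletion)), new_active)


if __name__ == "__main__":
    # Constructed scenario: two signatures (4100, 4200) went quiet, three are queued,
    # and the router has room for two more signatures before reclaiming memory.
    plan = plan_sdf_update(
        active={3000, 3001, 3002, 4100, 4200},
        fired={3000, 3001},
        published={3002},
        queued=[5000, 3000, 5001, 5002],
        free_mem=2,
        cost_per_sig=1,
    )
    print(plan)
```

Two behaviours of the text are visible in the model: a queued signature that is already running never triggers a deployment, so inactive signatures linger until a genuinely new signature arrives; and when memory is tight the marginal set is trimmed in queue order rather than the deletions being skipped.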
Step 4 In the Interval to Pull Top N Signature from CCO field, select the interval at which the MARS Appliance should check MySDN and download the most recent top 10 threat and corresponding signature ID report.
This report is published as an XML file to the MARS Appliance, http://tools.cisco.com/MySDN/Intelligence/top10.x. The report is similar in content to the Top Ten Intelligence Reports found at http://tools.cisco.com/MySDN/Intelligence/home.x, and MARS uses this information to create signature updates for Cisco IOS IPS routers. By downloading this report and enabling the signatures it identifies, Cisco Security MARS ensures that the supported signatures from the top 10 signature report are always running on your Cisco IOS IPS routers. However, only those top signatures supported by both the MARS software version running on the appliance and the Cisco IOS IPS routers can be published as an SDF update to the router.
Step 5 Select the set of actions to include in the SDF files for the top N signature list under Default Action for Signatures Pulled from CCO.
The IPS signature actions specify that the new SDF file should include one or more of the following actions as part of the signature configuration.
• Alarm sends a notification about the attack through syslog or SDEE.
• Reset is effective for TCP-based connections and sends a reset to the source and destination addresses. For example, in case of a half-open SYN attack, Cisco IOS IPS resets the TCP connections.
• Drop discards the packet without sending a reset. Cisco recommends using "drop and reset" in conjunction with alarm.
• Deny Attacker blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this time is set by the user).
• Deny Flow blocks the appropriate TCP flow from the attacker. Other connections from the attacker can be established to the router.
Step 6 To save your changes to the database, click Submit. To activate your changes, click Submit and then click Activate.
Troubleshooting DTM Integration
Table 3 identifies possible errors and likely causes and solutions.
Frequently Asked Questions about DTM with IPS
Q. What is Cisco Distributed Threat Mitigation with IPS?
A. Cisco Distributed Threat Mitigation with IPS is a solution that uses the dynamic signature-loading capability in Cisco IOS Software-based routers; the Cisco Security MARS correlation product; and Cisco IPS 4200 Series sensors. Cisco Security MARS collects IPS events from a strategically located Cisco IPS sensor and (based on the user-configurable rules) propagates that signature to routers enabled with the Cisco IOS IPS feature. This helps ensure that the proper signatures are enabled on the routers.
Q. What are the components of Distributed Threat Mitigation with IPS?
A. The minimum requirements of Distributed Threat Mitigation with IPS are:
• Cisco IOS IPS-enabled routers
• Cisco Security MARS
• An IPS appliance, blade, or module that has the ability to run a full set of Cisco IPS signatures
Q. What release of Cisco IOS Software do I need to be running on the routers?
A. Routers should be running Cisco IOS Software 12.4(6)T1 or later.
Q. What release of Cisco Security MARS is needed?
A. The Distributed Threat Mitigation with IPS feature is supported in Cisco Security MARS 4.1 and later; however, we recommend using 4.2 or later as many issues with the initial release are fixed in the 4.2 release.
Q. What version of IPS appliance sensor do I need to be running?
A. The Cisco IPS sensor appliances are used to trigger the events in the Distributed Threat Mitigation with IPS solution. Therefore, no minimum release is required for the Distributed Threat Mitigation with IPS solution.
Q. Is there a limit to the number of routers supported by Distributed Threat Mitigation with IPS?
A. No. There is no hard limit to the number of routers supported by Distributed Threat Mitigation with IPS. However, limitations based on performance may exist. Cisco has identified issues with running specific DTM configurations in large deployments. Consult your Cisco sales representative when planning to implement DTM.
Q. Does Cisco Security MARS create signatures?
A. No. Cisco Security MARS uses existing signatures from the Cisco signature database.
Q. What signatures can Cisco Security MARS use to generate DTM SDF files?
A. Cisco Security MARS can identify, correlate, and generate those signatures supported by the MARS software version. As these signatures are updated often via software patches, you benefit most by running the most current version of MARS software. However, Cisco IOS IPS routers can only run a select set of signatures; therefore, the signature must be supported by both the MARS software version running on the appliance and Cisco IOS IPS routers before it can be published as an SDF update to the router.
Q. How does Cisco Security MARS get signature updates?
A. Signatures are bundled with Cisco Security MARS upgrade packages.
Q. Where do the top 10 signatures come from?
A. Beginning with Cisco Security MARS release 4.2.1, MARS can directly download the top ten most active signatures from Cisco.com. This report is published as an XML file to the MARS Appliance, http://tools.cisco.com/MySDN/Intelligence/top10.x. The report is similar in content to the Top Ten Intelligence Reports found at http://tools.cisco.com/MySDN/Intelligence/home.x and it uses this information to create signature updates for Cisco IOS IPS routers. By downloading this report and enabling the signatures it identifies, Cisco Security MARS ensures that those supported signatures from the top 10 signature report are always running on your Cisco IOS IPS routers. However, only those top signatures supported by both the MARS software version running on the appliance and Cisco IOS IPS routers can be published as an SDF update to the router.
Q. How is the number of signatures managed on an IPS-enabled router?
A. There is a limit to the number of signatures that can be running on a router. This limit is primarily based on the amount of DRAM loaded on the router. Cisco Security MARS manages the set of signatures running on the router by deleting the inactive signatures from a router's active signature set. Inactive signatures are those that have not matched any traffic in the past 24 hours. However, the DRAM limitations define the total number of signatures that can run on a specific router. For more information, see Technology Preview: Configuring Distributed Threat Mitigation with Intrusion Prevention System in Cisco Security MARS.
Q. Is there a feedback mechanism?
A. Yes. Cisco Security MARS verifies that the signatures were loaded on the routers.
Q. Will Distributed Threat Mitigation with IPS remove signatures that it deployed?
A. Yes. The signatures will be removed if they are not used for a predefined time period based on a configurable idle timer. For more information, see Schedule DTM Updates.
Q. What is the difference between Distributed Threat Mitigation with IPS and the Cisco Incident Control System (ICS)?
A. The Cisco ICS solution is a partnership between Trend Micro and Cisco. Trend Micro creates signatures and deploys the signatures directly to Cisco IPS devices. Distributed Threat Mitigation with IPS helps ensure that the proper signatures are deployed on Cisco IOS IPS routers based on live events that are currently on the network.
Q. Is a router reboot required to use Distributed Threat Mitigation with IPS?
A. No. Cisco IOS IPS routers do not require a reload when new signatures are deployed.
Q. How long does it take for Distributed Threat Mitigation with IPS to update routers?
A. Cisco is testing the Distributed Threat Mitigation with IPS solution.
Q. What routers support Distributed Threat Mitigation with IPS?
A. Any Cisco router that supports IPS supports Distributed Threat Mitigation with IPS.