Understanding Cisco IOS IPS
You can use Cisco Security Manager with the Cisco IOS Intrusion Prevention System (IOS IPS) to manage intrusion prevention on Cisco routers that use supported Cisco IOS Software releases 12.4(11)T2 and later.
The Cisco IOS IPS acts as an in-line intrusion prevention sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages or Security Device Event Exchange (SDEE).
You can configure Cisco IOS IPS to choose the appropriate response to various threats. The Signature Event Action Processor (SEAP) can dynamically control actions that are to be taken by a signature event on the basis of parameters such as fidelity, severity, or target value rating. You can configure these actions in Security Manager through the Signatures and Event Actions policies.
When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:
- Send an alarm to a syslog server or a centralized management interface.
- Drop the packet.
- Reset the connection.
- Deny traffic from the source IP address of the attacker for a specified amount of time.
- Deny traffic on the connection for which the signature was seen for a specified amount of time.
Cisco developed its Cisco IOS software-based intrusion-prevention capabilities and Cisco IOS Firewall with flexibility in mind, so that individual signatures could be disabled in case of false positives. Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support network security policies. However, each of these features can be enabled independently and on different router interfaces.
For an overall understanding of the Cisco IOS IPS configuration process, see Overview of Cisco IOS IPS Configuration.
This section contains the following topics:
- Understanding IPS Subsystems and Support of IOS IPS Revisions
- Cisco IOS IPS Signature Scanning with Lightweight Signatures
- Router Configuration Files and Signature Event Action Processor (SEAP)
- Cisco IOS IPS Limitations and Restrictions
Understanding IPS Subsystems and Support of IOS IPS Revisions
Cisco Security Manager automatically supports minor revisions of IOS IPS. To identify minor revisions that are supported, the IPS subsystem version is needed.
The IPS subsystem version is a version number used to keep track of Cisco IOS IPS feature changes. The subsystem number is shown in the device properties (right-click the device and select Device Properties). You can also use the command show subsys name ips at a command line on the router that is running Cisco IOS IPS to show the detailed Cisco IOS IPS subsystem version. The 3.x subsystems are equivalent to IPS 5.x. For a list of the supported subsystems by Cisco IOS Software release, see the Supported Devices and Software Versions for Cisco Security Manager on Cisco.com for this release of Security Manager.
An IPS subsystem version change is minor if the difference is limited to the components after the major version number. For example, a revision from 3.0.1 to 3.0.2 is considered minor, and a revision from 3.0.1 to 3.1.1 is also considered minor. However, minor revisions that include new features are not automatically supported by Cisco Security Manager.
Cisco IOS IPS Signature Scanning with Lightweight Signatures
The addition of Cisco IOS IPS signature scanning with lightweight signatures in Cisco IOS Release 15.0(1)M is an enhancement to Cisco IOS IPS that allows larger signature sets to be loaded without consuming significant additional memory, or reduces the memory consumed by an existing signature set, by loading equivalent lighter-weight signatures. These signatures are referred to as lightweight signatures.
Security Manager can discover and tune custom signatures with LWEs on ISRs and modular access routers. Security Manager supports the following features for signatures with LWEs on ISRs and modular access routers:
- New signature types
- Signature categories
- New default signature category recognition
- New engine update levels
- Licensing status—bypassed, expired, or not installed
Router Configuration Files and Signature Event Action Processor (SEAP)
As of Cisco IOS Release 12.4(11)T, signature definition files (SDFs) are no longer used by Cisco IOS IPS. Thus, you cannot use the deprecated built-in signature sets, 128.sdf, 256.sdf, and attack-drop.sdf, with Security Manager.
Instead, routers access signature definition information through a directory that contains three configuration files—the default configuration, the delta configuration, and the SEAP configuration. You configure the location using the IPS > General Settings policy.
SEAP is the control unit responsible for coordinating the data flow of a signature event. It allows for advanced filtering and signature overrides on the basis of the Event Risk Rating (ERR). ERR lets a user control the rating level at which actions are taken, in an effort to minimize false positives.
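As an added illustration of the SEAP behaviour described here and in the introduction above (this is example code written for this page, not Cisco's implementation): an Event Risk Rating is derived from the signature's severity, its fidelity and the victim's target value rating, action overrides add actions once the rating passes a threshold, and an event action filter strips an action from events that match its criteria. The risk-rating formula and the numeric scales for severity and target value are assumed from the IPS 5.x conventions rather than taken from this page; the policy, signature IDs and addresses are constructed sample data, and the `removable` parameter is a hypothetical way to model the page's note that IOS IPS lets a filter remove only a subset of actions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

# Numeric values for the textual ratings (assumed IPS 5.x convention,
# not taken from this page).
SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150,
                "mission-critical": 200}


@dataclass
class SigEvent:
    """One signature event as SEAP would see it (constructed sample data)."""
    sig_id: int
    severity: str        # attack severity rating of the signature
    fidelity: int        # signature fidelity rating, 0-100
    target_value: str    # target value rating of the victim host
    attacker: str
    victim: str
    actions: Set[str] = field(default_factory=lambda: {"produce-alert"})


def event_risk_rating(ev: SigEvent) -> int:
    """Assumed IPS 5.x formula: (severity * fidelity * target value) / 10000,
    capped at 100."""
    rr = SEVERITY[ev.severity] * ev.fidelity * TARGET_VALUE[ev.target_value] // 10000
    return min(rr, 100)


@dataclass
class ActionOverride:
    """Add `action` to every event whose ERR falls in [rr_low, rr_high]."""
    action: str
    rr_low: int
    rr_high: int = 100


@dataclass
class EventActionFilter:
    """Remove `remove` from events that meet every criterion that is set."""
    remove: Set[str]
    sig_ids: Optional[Set[int]] = None
    attacker_net: Optional[str] = None
    rr_low: int = 0
    rr_high: int = 100

    def matches(self, ev: SigEvent, rr: int) -> bool:
        if not self.rr_low <= rr <= self.rr_high:
            return False
        if self.sig_ids is not None and ev.sig_id not in self.sig_ids:
            return False
        if self.attacker_net is not None and (
                ipaddress.ip_address(ev.attacker)
                not in ipaddress.ip_network(self.attacker_net)):
            return False
        return True


def apply_seap(ev, overrides, filters, removable=None):
    """Return (ERR, final action set). `removable`, when given, is a
    hypothetical model of the platform restriction that a filter can strip
    only certain actions; which actions IOS IPS allows is not modelled."""
    rr = event_risk_rating(ev)
    actions = set(ev.actions)
    for ov in overrides:                       # overrides add actions first
        if ov.rr_low <= rr <= ov.rr_high:
            actions.add(ov.action)
    for f in filters:                          # filters then remove actions
        if f.matches(ev, rr):
            actions -= (f.remove if removable is None else f.remove & removable)
    return rr, actions


# Constructed policy: drop packets from ERR 60 and deny the attacker from
# ERR 90, but never deny-attacker for sources inside 10.0.0.0/8 (assumed
# internal scanners whose blocking would cause a self-inflicted outage).
OVERRIDES = [ActionOverride("deny-packet-inline", 60),
             ActionOverride("deny-attacker-inline", 90)]
FILTERS = [EventActionFilter({"deny-attacker-inline"}, attacker_net="10.0.0.0/8")]

# Constructed sample events; signature IDs are placeholders.
SAMPLE_EVENTS = [
    SigEvent(2004, "high", 90, "mission-critical", "198.51.100.7", "10.1.1.5"),
    SigEvent(3041, "low", 60, "medium", "10.2.2.9", "10.1.1.6"),
    SigEvent(5081, "high", 100, "high", "10.9.9.9", "10.1.1.5"),
]


def process_samples():
    """Run the constructed policy over the sample events, keyed by sig ID."""
    return {ev.sig_id: apply_seap(ev, OVERRIDES, FILTERS) for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for sig_id, (rr, actions) in process_samples().items():
        print(f"sig {sig_id}: ERR={rr} actions={sorted(actions)}")
```

The ordering matters: overrides are evaluated before filters, so a filter can undo an override for a specific source range while the override still applies everywhere else, which is how a high-fidelity signature can escalate to attacker denial without blocking a known internal scanner.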
Signatures once stored in NVRAM are now stored in the delta configuration file.
Cisco IOS IPS Limitations and Restrictions
Cisco IOS IPS routers do not support all the features that are supported by dedicated IPS sensor appliances and service modules. In addition, routers that support IOS IPS might not allocate as much memory to IPS functionality as an IPS sensor does. The following limitations and restrictions are important:
- When configuring an IOS IPS device, select only the signatures that you need. If you select all signatures that are available in Security Manager, you might exceed the memory available on the IOS IPS router and deployment can fail, the device might fail to load all of the signatures, or performance might be significantly degraded. If you encounter deployment failures, select a reduced set of signatures and then redeploy the configuration to the device.
- Security Manager-managed routers being configured to use IOS IPS for the first time cannot use the auto-update process for signature updates. You must first update the router before you use the auto-update process. Follow these steps:
  - Push an E3 signature, for example, S317.
  - Push an intermediate signature, for example, S470.
  - Push the first E4 signature, for example, S485.
  - Push subsequent E4 signatures until you reach the desired level. Note that each delta should be less than 10 MB in size.
  After you have updated the router, you can use the auto-update process to update the signatures. The auto-update process will be successful as each incremental change will not exceed the memory available on the router. For information on configuring automatic updates, see Automating IPS Updates.
- Virtual sensors are not supported by IOS IPS.
- When using event action filters with an IOS IPS router, only a subset of IPS actions are available for removal from an event that meets the criteria of the event action filter. For more information on available event actions, see Filter Item Dialog Box and Understanding IPS Event Actions.
- IOS IPS is based on IPS Software 5.1. Therefore, features introduced in later versions of IPS Software are typically not available in IOS IPS. For example, you cannot configure the following features:
  - Global correlation.
  - Anomaly detection.
  - OS identification in the event action network identification policy.
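The first-time update sequence in the restrictions above (E3 package, intermediate package, first E4 package, then later E4 packages with each delta under 10 MB) can be turned into a checkable plan. The following is an added example written for this page, not Security Manager code: the staging rule comes from the text, but the package catalog with its engine levels and delta sizes is constructed, and only S317, S470 and S485 are names the page itself mentions.

```python
# Added example (not Security Manager code): plan the first-time IOS IPS
# signature update sequence and flag deltas that break the 10 MB rule.

MAX_DELTA_BYTES = 10 * 1024 * 1024     # "each delta should be less than 10 MB"

# Constructed catalog: package name -> (engine level, delta size in bytes).
CATALOG = {
    "S317": ("E3", 6_200_000),
    "S470": ("E3", 7_900_000),
    "S485": ("E4", 8_100_000),
    "S500": ("E4", 4_300_000),
    "S520": ("E4", 9_700_000),
    "S540": ("E4", 12_500_000),   # oversize delta, constructed to trip the check
    "S560": ("E4", 5_000_000),
}

# The three staging pushes the page prescribes, in order.
STAGING = ("S317", "S470", "S485")


def level(name: str) -> int:
    """Numeric signature level from a package name such as 'S485'."""
    return int(name.lstrip("S"))


def plan_first_time_update(target: str, catalog=CATALOG):
    """Return the ordered list of packages to push to reach `target`.

    Raises ValueError if the target is unknown or lies below the first E4
    package, since the staging sequence cannot end before that package."""
    if target not in catalog:
        raise ValueError(f"{target} is not in the catalog")
    first_e4 = STAGING[-1]
    if level(target) < level(first_e4):
        raise ValueError(f"target {target} is below the first E4 package {first_e4}")
    later = sorted(
        (n for n, (eng, _) in catalog.items()
         if eng == "E4" and level(first_e4) < level(n) <= level(target)),
        key=level)
    return list(STAGING) + later


def oversize_deltas(plan, catalog=CATALOG):
    """Packages in the plan whose delta is not under the 10 MB limit; these
    would need to be replaced by smaller intermediate packages before deploying."""
    return [n for n in plan if catalog[n][1] >= MAX_DELTA_BYTES]


if __name__ == "__main__":
    plan = plan_first_time_update("S560")
    print("push order:", " -> ".join(plan))
    print("deltas over 10 MB:", oversize_deltas(plan) or "none")
```

Running the plan through `oversize_deltas` before deploying catches the case the page warns about, where a single large delta exceeds the router's memory and the deployment fails, while a sequence of smaller increments succeeds.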