Practical-7

The document outlines the configuration of the Cisco IOS Intrusion Prevention System (IPS) using CLI commands, detailing its functionality in monitoring and responding to network threats. It explains the role of signatures in detecting intrusions and provides specific commands for enabling and modifying IPS settings on routers. Additionally, it describes the process of verifying the IPS configuration through connectivity tests and syslog monitoring.


SIC JOURNAL TYIT

PRACTICAL NO 7: Configure IOS Intrusion Prevention System (IPS) Using the CLI

The Cisco IOS IPS acts as an in-line intrusion prevention sensor, watching packets and
sessions as they flow through the router and scanning each packet to match any of the Cisco
IOS IPS signatures. When it detects suspicious activity, it responds before network security can
be compromised and logs the event through Cisco IOS syslog messages or Security Device
Event Exchange (SDEE). The network administrator can configure Cisco IOS IPS to choose the
appropriate response to various threats. The Signature Event Action Processor (SEAP) can
dynamically control actions that are to be taken by a signature event on the basis of parameters
such as fidelity, severity, or target value rating. These parameters have default values but can
also be configured through CLI. When packets in a session match a signature, Cisco IOS IPS
can take any of the following actions, as appropriate:

1) Send an alarm to a syslog server or a centralized management interface
2) Drop the packet
3) Reset the connection
4) Deny traffic from the source IP address of the attacker for a specified amount of time
5) Deny traffic on the connection for which the signature was seen for a specified amount of time

Cisco developed its Cisco IOS software-based intrusion-prevention capabilities and Cisco IOS
Firewall with flexibility in mind, so that individual signatures could be disabled in case of false
positives. Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support
network security policies. However, each of these features may be enabled independently and
on different router interfaces.

Signatures:
A signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity, such
as DoS attacks. Signatures can be installed with IDS/IPS management software such as Cisco
IDM, and sensors let us modify existing signatures and define new ones.
As sensors scan network packets, they use signatures to detect known attacks and respond
with predefined actions. A malicious packet flow exhibits a specific type of activity, and an IDS
or IPS sensor examines the data flow against many different signatures. When a sensor matches
a signature to a data flow, it takes an action such as logging the event or sending an alarm to
IDS/IPS management software such as Cisco SDM.

ISMAIL H P Page 1

The following commands are used when configuring the router for IPS:

Command:  ip ips signature-category
Function: Enters IPS category configuration mode.
Example:  Router(config)# ip ips signature-category

Command:  category all
Function: Selects all categories (and therefore all signatures), which are retired in the
          following step, and enters IPS category action configuration mode.
Example:  Router(config-ips-category)# category all

Command:  category ios_ips basic
Function: Selects the basic category (and its set of signatures), which is "unretired" in the
          following step.
Example:  Router(config-ips-category)# category ios_ips basic

Command:  retired {true | false}
Function: Sets the retired state of every signature in the selected category.
          true  -- retires all signatures within the category (they are not compiled into
                   the engines and consume no memory).
          false -- "unretires" all signatures within the category.
          Retiring "all" first and then unretiring only "ios_ips basic" keeps the signature
          set, and the router's memory use, small.
Example:  Router(config-ips-category-action)# retired true

Command:  mkdir flash:/ips5
Function: Creates a directory in which Cisco IOS IPS saves signature information.
Example:  Device# mkdir flash:/ips5

Command:  ip ips name ips-name
Function: Creates an IPS rule with the given name; the rule is later applied to an interface.
Example:  Device(config)# ip ips name myips

Command:  ip ips ips-name {in | out}
Function: Applies an IPS rule to an interface in the given direction and automatically loads
          the signatures and builds the signature engines.
Example:  Device(config-if)# ip ips MYIPS in


We use the following topology for the present case:

Configuring PC0


Configuring PC1

Configuring SERVER0


A serial interface module must be added to each router before it is configured.

Configuring Router0


Configuring Router1


Configuring Router2


We need to set up routing on all the routers so that each node can send and receive
packets from the others (RIP is configured on all the routers as follows).

Router0

Router1


Router2

Now we can check connectivity by pinging from any node to any other node.

So we conclude that the connectivity has been established


PART1: Enable the IOS IPS (on Router1)

Type the following command in the CLI mode of Router1:

Router#show version

The output shows whether the security technology package (securityk9) is enabled.

As seen above, the security package is not enabled. To enable it, type the following on
Router1 (the license takes effect only after a reload):

Router(config)#license boot module c1900 technology-package securityk9
Router(config)#exit
Router#reload

Router>enable
Router#show version

The output now shows whether the security package is enabled.


As seen above now the security package has been enabled

Now type the following commands in the CLI mode of Router1. The clock is set first so that
the syslog alerts carry a meaningful timestamp; the "smile" directory in flash is where IOS
IPS stores its signature state.

Router#clock set 11:47:56 MARCH 3 2020
Router#mkdir smile
Router#configure terminal
Router(config)#ip ips config location flash:smile
Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#ip ips signature-category
Router(config-ips-category)#category all
Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit
Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit
Router(config)#interface Serial0/1/0
Router(config-if)#ip ips iosips out
Router(config-if)#exit
Router(config)#

Retiring "all" and then unretiring only "ios_ips basic" means only the basic signature set is
compiled into the engines. The rule is applied with "out", so only traffic leaving Serial0/1/0
is inspected; traffic entering that interface is not matched against the signatures.


Part 2: Modify the Signature

Signature 2004 (subsignature 0) is the ICMP Echo Request signature. The commands below
unretire and enable it, and set its event actions so that a matching packet both produces an
alert and is dropped inline. Type the following commands in the CLI mode of Router1:

Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enabled true
Router(config-sigdef-sig-status)#exit
Router(config-sigdef-sig)#engine
Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit
Router(config)#
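The command table and the Part 1 and Part 2 transcripts above are the pieces a working IPS setup needs. As an added example that is not part of the journal (and not Cisco code), the following Python script audits a "show running-config" dump for those pieces: the config location, the rule name, syslog notification together with a logging host, the order of the category retirement statements, and the interface binding with its direction. The sample configuration inside it is constructed to mirror Router1; the serial IP address and the syslog host 192.168.2.2 are assumptions.

```python
"""Audit a Cisco IOS IPS configuration for the pieces this practical relies on.

Added example, not from the journal or Cisco: a small linter for the text that
'show running-config' prints. Sub-mode commands are recognised by their
indentation under the parent line (interface, ip ips signature-category,
category ...). SAMPLE_CONFIG is constructed to mirror Router1; the serial
address and the syslog host 192.168.2.2 are assumptions.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
!
ip ips config location flash:smile
ip ips notify log
ip ips name iosips
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface Serial0/1/0
 ip address 10.0.0.1 255.255.255.252
 ip ips iosips out
!
logging host 192.168.2.2
!
"""


@dataclass
class Block:
    text: str
    children: list = field(default_factory=list)


def parse_blocks(config_text):
    """Build a tree from IOS-style indented config (deeper indent = child)."""
    root = Block("")
    stack = [(-1, root)]
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue  # blank lines and '!' separators carry no config
        indent = len(line) - len(line.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node = Block(line.strip())
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root.children


def audit_ips(config_text):
    """Return what the config says about IPS plus the problems found."""
    r = {"config_location": None, "rules": set(), "notify_log": False,
         "logging_hosts": [], "categories": [], "bindings": [],
         "notes": [], "problems": []}
    for b in parse_blocks(config_text):
        if m := re.match(r"ip ips config location (\S+)", b.text):
            r["config_location"] = m.group(1)
        elif m := re.match(r"ip ips name (\S+)", b.text):
            r["rules"].add(m.group(1))
        elif b.text == "ip ips notify log":
            r["notify_log"] = True
        elif m := re.match(r"logging (?:host )?(\d+(?:\.\d+){3})$", b.text):
            r["logging_hosts"].append(m.group(1))
        elif b.text == "ip ips signature-category":
            for cat in b.children:  # (category name, retired state) in config order
                if not (m := re.match(r"category (.+)", cat.text)):
                    continue
                state = next((s.text.split()[1] == "true" for s in cat.children
                              if s.text.startswith("retired ")), None)
                r["categories"].append((m.group(1), state))
        elif m := re.match(r"interface (\S+)", b.text):
            for sub in b.children:
                if m2 := re.match(r"ip ips (\S+) (in|out)", sub.text):
                    r["bindings"].append((m.group(1), m2.group(1), m2.group(2)))
    _check(r)
    return r


def _check(r):
    p = r["problems"]
    if r["config_location"] is None:
        p.append("no 'ip ips config location': signature state cannot be saved to flash")
    bound = {rule for _, rule, _ in r["bindings"]}
    for rule in sorted(r["rules"] - bound):
        p.append(f"rule '{rule}' is defined but not applied to any interface")
    for rule in sorted(bound - r["rules"]):
        p.append(f"rule '{rule}' is applied to an interface but never defined")
    cats = r["categories"]
    all_pos = next((i for i, c in enumerate(cats) if c == ("all", True)), None)
    if all_pos is None:
        p.append("'category all' is not retired: every signature would be compiled")
    else:  # later category statements override earlier ones for shared signatures
        for i, (name, retired) in enumerate(cats):
            if retired is False and i < all_pos:
                p.append(f"category '{name}' is unretired before 'all' is retired, "
                         "so the later 'retired true' wins and re-retires it")
    if not r["notify_log"]:
        p.append("no 'ip ips notify log': alerts are not sent to syslog")
    elif not r["logging_hosts"]:
        p.append("'ip ips notify log' set but no 'logging host': alerts never reach a syslog server")
    for iface, rule, direction in r["bindings"]:
        r["notes"].append(f"rule '{rule}' on {iface} inspects only traffic going {direction}")


if __name__ == "__main__":
    report = audit_ips(SAMPLE_CONFIG)
    print("problems:", report["problems"] or "none")
    print("\n".join(report["notes"]))
```

Run it against a saved "show running-config" instead of SAMPLE_CONFIG to check a real router; the "notes" entry about direction is the check to read before interpreting a ping test.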

Now we verify the IPS configuration, first by pinging from PC1 to SERVER and then from
SERVER to PC1.

PC1 to SERVER

The ping FAILS: the echo requests leave Router1 through Serial0/1/0, where the rule inspects
outbound traffic, so signature 2004 matches them and the deny-packet-inline action drops them.


SERVER to PC1

We can also open the Syslog service on the SERVER to check the logged alerts; the router
sends them there because ip ips notify log is set and the server is configured as the router's
syslog destination with logging host.

Hence we have configured the IPS on Router1 and verified it.
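As an added example (not from the journal), the following Python script parses the %IPS-4-SIGNATURE lines that IOS IPS writes to syslog, counts alerts per signature and per source, and includes the base risk-rating calculation behind the SEAP parameters (severity, fidelity, target value rating) described at the start of this practical. The log lines are constructed in that format; the addresses and timestamps are assumptions.

```python
"""Parse Cisco IOS IPS syslog alerts and summarise them.

Added example, not part of the journal. SAMPLE_SYSLOG is constructed in the
format IOS IPS uses when 'ip ips notify log' is set; the hosts, addresses and
timestamps are assumptions.
"""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
*Mar  3 11:50:02.011: %IPS-6-ENGINE_BUILDS_STARTED: 11:50:02 UTC Mar 3 2020
*Mar  3 11:50:02.015: %IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 1 of 13 engines
*Mar  3 11:50:02.103: %IPS-6-ENGINE_READY: atomic-ip - build time 88 ms - packets for this engine will be scanned
*Mar  3 11:52:10.091: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.2:0 -> 192.168.2.2:0] VRF:NONE RiskRating:25
*Mar  3 11:52:11.095: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.2:0 -> 192.168.2.2:0] VRF:NONE RiskRating:25
*Mar  3 11:52:12.099: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.2:0 -> 192.168.2.2:0] VRF:NONE RiskRating:25
*Mar  3 11:53:40.300: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.3:0 -> 192.168.2.2:0] VRF:NONE RiskRating:25
"""

# One alert line: signature id/subsig, severity, name, [src:port -> dst:port], VRF, risk rating.
ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[^:\]]+):(?P<sport>\d+) -> (?P<dst>[^:\]]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))?(?: RiskRating:(?P<rr>\d+))?"
)

# Numeric scales Cisco IPS uses in the risk-rating formula.
SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}


def parse_ips_syslog(text):
    """Return one dict per %IPS-4-SIGNATURE line; engine build/ready messages are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "sig": int(d["sig"]), "subsig": int(d["subsig"]), "sev": int(d["sev"]),
            "name": d["name"], "src": d["src"], "dst": d["dst"],
            "risk_rating": int(d["rr"]) if d["rr"] else None,
        })
    return events


def summarize(events):
    """Alert counts per signature, per source and per source/destination pair."""
    return {
        "by_signature": Counter((e["sig"], e["subsig"], e["name"]) for e in events),
        "by_source": Counter(e["src"] for e in events),
        "by_pair": Counter((e["src"], e["dst"]) for e in events),
    }


def noisy_sources(events, threshold):
    """Sources that tripped at least `threshold` alerts, busiest first."""
    return [src for src, n in Counter(e["src"] for e in events).most_common()
            if n >= threshold]


def risk_rating(severity, fidelity, target_value=TARGET_VALUE["medium"]):
    """Base risk rating = severity x fidelity x target value rating / 10000.

    Signature 2004 is informational (25); with fidelity 100 against a
    medium-value target this gives 25, the RiskRating the sample lines carry.
    """
    return severity * fidelity * target_value // 10000


if __name__ == "__main__":
    evs = parse_ips_syslog(SAMPLE_SYSLOG)
    for key, count in summarize(evs)["by_signature"].items():
        print(key, count)
    print("noisy sources:", noisy_sources(evs, 3))
```

Feed it the file the syslog service writes (or the output of "show logging" on the router) to see which signatures are firing and from where; a source that trips the same signature many times is the first thing to look at before deciding whether the signature's action should stay at deny-packet-inline or be tuned down.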
