Cisco Router and Security Device Manager 2.5 User Guide
Intrusion Prevention System

Table Of Contents

Cisco IOS IPS

Create IPS

Create IPS: Welcome

Create IPS: Select Interfaces

Create IPS: SDF Location

Create IPS: Signature File

Create IPS: Configuration File Location and Category

Add or Edit a Config Location

Directory Selection

Signature File

Create IPS: Summary

Create IPS: Summary

Edit IPS

Edit IPS: IPS Policies

Enable or Edit IPS on an Interface

Edit IPS: Global Settings

Edit Global Settings

Add or Edit a Signature Location

Edit IPS: SDEE Messages

SDEE Message Text

Edit IPS: Global Settings

Edit Global Settings

Edit IPS Prerequisites

Add Public Key

Edit IPS: Auto Update

Edit IPS: SEAP Configuration

Edit IPS: SEAP Configuration: Target Value Rating

Add Target Value Rating

Edit IPS: SEAP Configuration: Event Action Overrides

Add or Edit an Event Action Override

Edit IPS: SEAP Configuration: Event Action Filters

Add or Edit an Event Action Filter

Edit IPS: Signatures

Edit IPS: Signatures

Edit Signature

File Selection

Assign Actions

Import Signatures

Add, Edit, or Clone Signature

Cisco Security Center

IPS-Supplied Signature Definition Files

Security Dashboard

IPS Migration

Migration Wizard: Welcome

Migration Wizard: Choose the IOS IPS Backup Signature File

Signature File

Java Heap Size


Cisco IOS IPS


The Cisco IOS Intrusion Prevention System (Cisco IOS IPS) allows you to manage intrusion prevention on routers that use Cisco IOS Release 12.3(8)T4 or later releases. Cisco IOS IPS lets you monitor and prevent intrusions by comparing traffic against signatures of known threats and blocking the traffic when a threat is detected.

Cisco SDM lets you control the application of Cisco IOS IPS on interfaces, import and edit signature definition files (SDF) from Cisco.com, and configure the action that Cisco IOS IPS is to take if a threat is detected.

IPS Tabs

Use the tabs at the top of the IPS window to go to the area where you need to work.

Create IPS—Click to go to the IPS Rule wizard to create a new Cisco IOS IPS rule.

Edit IPS—Click to edit Cisco IOS IPS rules and apply or remove them from interfaces.

Security Dashboard—Click to view the Top Threats table and deploy signatures associated with those threats.

IPS Migration—If the router runs a Cisco IOS image of release 12.4(11)T or later, you can migrate Cisco IOS IPS configurations created using earlier versions of the Cisco IOS.

IPS Rules

A Cisco IOS IPS rule specifies an interface, the type and direction of traffic that it is to examine, and the location of the signature definition file (SDF) that the router uses.

Create IPS

In this window you can launch the IPS Rule wizard.

The IPS Rule wizard prompts you for the following information:

The interface on which to apply the rule

The traffic on which to apply Cisco IOS IPS (inbound, outbound, or both)

The location of the signature definition file (SDF)

For Cisco IOS 12.4(11) or later images, you are also prompted for the following information:

Where you want to store files that contain changes to the IOS IPS configuration. A file that stores this type of information is referred to as a delta file.

The public key to use to access the information in the delta files.

The signature category. The basic signature category is appropriate for routers with less than 128 Mb of flash memory. The advanced signature category is appropriate for routers with more than 128 Mb of flash memory.

The use case scenario illustrates a configuration in which a Cisco IOS IPS rule is used. After you create the Cisco IOS IPS rule and deliver the configuration to the router, you can modify the rule by clicking the Edit IPS tab.

For more information on Cisco IOS IPS, see the documents at the following link:

http://www.cisco.com/en/US/products/ps6634/prod_white_papers_list.html

Click the Launch IPS Rule Wizard button to begin.

Create IPS: Welcome

This window provides a summary of the tasks to perform when you complete the IPS Rule wizard.

Click Next to begin configuring a Cisco IOS IPS rule.

Create IPS: Select Interfaces

Choose the interfaces on which you want to apply the Cisco IOS IPS rule by specifying whether the rule is to be applied to inbound traffic or outbound traffic. If you check both the inbound and the outbound boxes, the rule applies to traffic flowing in both directions.

For example: the following settings apply Cisco IOS IPS to inbound traffic on the BRI 0 interface, and both inbound and outbound traffic on the FastEthernet 0 interface.

Interface Name    Inbound    Outbound
BRI 0             Check
FastEthernet 0    Check      Check


Create IPS: SDF Location

Cisco IOS IPS examines traffic by comparing it against signatures contained in a signature definition file (SDF). The SDF can be located in router flash memory or on a remote system that the router can reach. You can specify multiple SDF locations so that if the router is not able to contact the first location, it can attempt to contact other locations until it obtains an SDF.

Use the Add, Delete, Move Up, and Move Down buttons to add, remove, and order a list of SDF locations that the router can attempt to contact to obtain an SDF. The router starts at the first entry, and works down the list until it obtains an SDF.

Cisco IOS images that support Cisco IOS IPS contain built-in signatures. If you check the box at the bottom of the window, the router will use the built-in signatures only if it cannot obtain an SDF from any location in the list.

Create IPS: Signature File

The Cisco IOS IPS signature file contains the default signature information present in each update to the file on Cisco.com. Any changes made to this configuration are saved in a delta file. For security, the delta file must be digitally signed. Specify the location of the signature file and provide the name and text of the public key that will be used to sign the delta file in this window.

This help topic describes the Signature File window that is displayed when the router runs Cisco IOS 12.4(11)T and later releases.

Specify the signature file you want to use with IOS IPS

If the signature file is already present on the PC, router flash memory, or on a remote system, click Specify the signature file you want to use with IOS IPS to display a dialog in which you can specify the signature file location.

Get the latest signature file from CCO and save to PC

Click Get the latest signature file from CCO and save to PC if the signature file is not yet present on the PC or in router flash memory. Click Browse to specify where you want to save the signature file, and then click Download to begin downloading the file. Cisco SDM downloads the signature file to the location that you specify.

Configure Public Key

Each change to the signature configuration is saved in the delta file. This file must be digitally signed with a public key. You can obtain a key from Cisco.com and paste the information in the Name and Key fields.


Note If you have already added a public key to the configuration using the Cisco IOS CLI, you must still provide a public key in this screen. After you have completed the Cisco IOS IPS Rule Wizard, you can go to Edit IPS > Global Settings. In the Global Settings screen, you can click Edit in the Edit IPS Prerequisites area, and then click Public Key to display the Public Key dialog. In that dialog, you can delete public keys that you do not need.


Follow these steps to place the public-key information in the Name and Key fields.


Step 1 Go to the following link to obtain the public key:

http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup

Step 2 Download the key to your PC.

Step 3 Copy the text after the phrase "named-key" into the Name field. For example, if the line of text including the name is the following:

named-key realm-cisco.pub signature

copy realm-cisco.pub signature to the Name field.

Step 4 Copy the text between the phrase key-string, and the word quit into the Key field. Example text follows:

30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
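The extraction in Steps 3 and 4 can be done mechanically and checked before pasting. The following Python is an added example, not part of Cisco SDM or this guide; it assumes the downloaded key text uses the IOS "crypto key pubkey-chain rsa" layout shown in the steps, and its key bytes are a constructed stand-in, not a real Cisco key.

```python
import binascii
import re

# Constructed sample in the layout of the IOS "crypto key pubkey-chain rsa"
# text that the steps above refer to. The key bytes are a made-up stand-in
# (a tiny DER-like sequence), not a real Cisco signing key.
SAMPLE_KEY_TEXT = """\
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   300D0201 01020301
   0001
  quit
"""


def validate_key_hex(key):
    """Check that the Key field text is whitespace-separated hex whose bytes
    start with a DER SEQUENCE tag (0x30), as an encoded RSA public key does.
    Returns the decoded length in bytes so a truncated paste is noticeable."""
    tokens = key.split()
    if not tokens or not all(re.fullmatch(r"[0-9A-Fa-f]+", t) for t in tokens):
        raise ValueError("key-string contains a non-hex token")
    hexstr = "".join(tokens)
    if len(hexstr) % 2:
        raise ValueError("key-string has an odd number of hex digits")
    der = binascii.unhexlify(hexstr)
    if der[0] != 0x30:
        raise ValueError("key bytes do not start with a DER SEQUENCE tag")
    return len(der)


def extract_public_key(text):
    """Split the downloaded key text into the two values the wizard asks for:
    the text after 'named-key' (Name field) and the hex between 'key-string'
    and 'quit' (Key field)."""
    name = None
    key_lines = []
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("named-key "):
            name = line[len("named-key "):].strip()
        elif line == "key-string":
            in_key = True
        elif line == "quit":
            in_key = False
        elif in_key and line:
            key_lines.append(line)
    if name is None:
        raise ValueError("no named-key line found")
    if not key_lines:
        raise ValueError("no key-string ... quit block found")
    key = " ".join(key_lines)
    validate_key_hex(key)  # reject a truncated or mis-pasted key early
    return {"name": name, "key": key}


if __name__ == "__main__":
    fields = extract_public_key(SAMPLE_KEY_TEXT)
    print("Name:", fields["name"])
    print("Key :", fields["key"])
```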


Create IPS: Configuration File Location and Category

Specify a location for storing the signature information that the Cisco IOS IPS will use. This information consists of the signature file and the delta file that is created when changes are made to the signature information.

This help topic describes the Configuration File Location window that is displayed when the router runs Cisco IOS 12.4(11)T and later releases.

Config Location

Click the button to the right of the Config Location field to display a dialog that allows you to specify a location. After you enter information in that dialog, Cisco SDM displays the path to the location in this field.

Choose Category

Because router memory and resource constraints may prevent the use of all the available signatures, there are two categories of signatures—basic and advanced. In the Choose Category field, choose the category that will allow the Cisco IOS IPS to function efficiently on the router. The basic category is appropriate for routers with less than 128 MB of available flash memory. The advanced category is appropriate for routers with more than 128 MB of available flash memory.

Add or Edit a Config Location

Specify a location for storing the signature information and the delta file that the Cisco IOS IPS will use.

Specify config location on this router

To specify a location on the router, click the button to the right of the Directory Name field and choose the directory in which you want to store the configuration information.


Note If the router has a LEFS-based file system, you will be unable to create a directory in router memory. In this case, flash: is used as the config location.


Specify config location using URL

To specify a location on a remote system, specify the protocol and path of the URL needed to reach the location. For example, if you want to specify the URL http://172.27.108.5/ips-cfg, enter 172.27.108.5/ips-cfg.


Note Do not include the protocol in the path that you enter. Cisco SDM adds the protocol automatically. If you enter the protocol, Cisco SDM displays an error message.


In the No. of Retries and Timeout fields, specify how many times the router is to attempt to contact the remote system, and how long the router is to wait for a response before stopping the contacting attempts.

Directory Selection

Click the folder in which you want to store configuration information. If you want to create a new folder, click New Folder, provide a name for it in the dialog displayed, select it, and click OK.

Signature File

Specify the location of the signature file that the Cisco IOS IPS will use.

Specify Signature File on Flash

If the signature file is located on router flash memory, click the button to the right of the field. Cisco SDM displays the signature file names of the correct format for you to choose.

Specify Signature File using URL

If the signature file is located on a remote system, select the protocol to be used, and enter the path to the file. For example, if the signature file IOS-S259-CLI.pkg is located at 10.10.10.5, and the FTP protocol will be used, select ftp as the protocol, and enter

10.10.10.5/IOS-S259-CLI.pkg


Note Do not include the protocol in the path that you enter. Cisco SDM adds the protocol automatically. If you enter the protocol, Cisco SDM displays an error message. Additionally, when you use a URL, you must specify a filename that conforms to the IOS-Snnn-CLI.pkg file naming convention, such as the file used in the previous example.


Specify Signature File on PC

If the signature file is located on the PC, click Browse, navigate to the folder containing the file, and select the filename. You must choose a Cisco SDM-specific package of the format sigv5-SDM-Sxxx.zip; for example, sigv5-SDM-S260.zip.
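The input rules from this section and from Add or Edit a Config Location (the path carries no protocol, the tool prepends it, and the file names must follow the IOS-Snnn-CLI.pkg and sigv5-SDM-Sxxx.zip conventions) as an added Python example; this is not Cisco SDM code, and the function names are my own.

```python
import re

# File naming conventions quoted in the help text above.
REMOTE_SIG_NAME = re.compile(r"^IOS-S\d+-CLI\.pkg$")
PC_PACKAGE_NAME = re.compile(r"^sigv5-SDM-S\d+\.zip$")
# Anything that looks like "scheme://" at the start of the typed path.
SCHEME_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def build_url(protocol, path):
    """Apply the wizard's rule: the user types only host/path and the tool
    prepends the protocol chosen from the menu. A path that already carries
    a scheme is rejected, as Cisco SDM rejects it with an error message."""
    if not re.fullmatch(r"[a-z]+", protocol):
        raise ValueError(f"protocol must be a bare scheme name, got {protocol!r}")
    if SCHEME_PREFIX.match(path):
        raise ValueError("do not include the protocol in the path")
    if not path or path.startswith("/"):
        raise ValueError("path must start with the host name or address")
    return f"{protocol}://{path}"


def build_config_location_url(protocol, path):
    """Config location (delta file directory) on a remote system."""
    return build_url(protocol, path)


def build_signature_file_url(protocol, path):
    """Signature file on a remote system: same rule plus the file name check."""
    url = build_url(protocol, path)
    filename = path.rsplit("/", 1)[-1]
    if not REMOTE_SIG_NAME.match(filename):
        raise ValueError(
            f"{filename!r} does not follow the IOS-Snnn-CLI.pkg naming convention")
    return url


def is_valid_pc_package(filename):
    """Signature package chosen from the PC must be sigv5-SDM-Sxxx.zip."""
    return PC_PACKAGE_NAME.match(filename) is not None


if __name__ == "__main__":
    print(build_config_location_url("http", "172.27.108.5/ips-cfg"))
    print(build_signature_file_url("ftp", "10.10.10.5/IOS-S259-CLI.pkg"))
    print(is_valid_pc_package("sigv5-SDM-S260.zip"))
```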

Create IPS: Summary

Here is an example of a Cisco IOS IPS summary display on a router running a Cisco IOS release earlier than 12.4(11)T.

Selected Interface: FastEthernet 0/1

IPS Scanning Direction: Both

Signature Definition File Location: flash//sdmips.sdf

Built-in enabled: yes

In this example, Cisco IOS IPS is enabled on the FastEthernet 0/1 interface, and both inbound and outbound traffic is scanned. The SDF is named sdmips.sdf and is located in router flash memory. The router is configured to use the signature definitions built in to the Cisco IOS image that the router uses.

Create IPS: Summary

The Summary window displays the information that you have entered so that you can review it before delivering the changes to the router.

This help topic describes the Summary window that is displayed when the router runs Cisco IOS 12.4(11)T and later releases. A sample Summary window display follows.

IPS rule will be applied to the outgoing traffic on the following interfaces.
     FastEthernet0/1
IPS rule will be applied to the incoming traffic on the following interfaces.
     FastEthernet0/0
Signature File location:
     C:\SDM-Test-folder\sigv5-SDM-S260.zip
Public Key:
       30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B8BE84 
  33251FA8 F79E393B B2341A13 CAFFC5E6 D5B3645E 7618398A EFB0AC74 11705BEA 
  93A96425 CF579F1C EA6A5F29 310F7A09 46737447 27D13206 F47658C7 885E9732 
  CAD15023 619FCE8A D3A2BCD1 0ADA4D88 3CBD93DB 265E317E 73BE085E AD5B1A95 
  59D8438D 5377CB6A AC5D5EDC 04993A74 53C3A058 8F2A8642 F7803424 9B020301 0001

Config Location
     flash:/configloc/
Selected category of signatures:
     advanced

In this example, the Cisco IOS IPS policy is applied to the FastEthernet 0/0 and the FastEthernet 0/1 interfaces. The signature file is located on the PC. The config location is on router flash memory, in a directory named configloc.

Edit IPS

In this window you can view the Cisco IOS IPS buttons for configuring and managing Cisco IOS IPS policies, security messages, signatures, and more.

IPS Policies Button

Click to display the Edit IPS window, where you can enable or disable Cisco IOS IPS on an interface and view information about how Cisco IOS IPS is applied. If you enable Cisco IOS IPS on an interface, you can optionally specify which traffic to examine for intrusion.

Global Settings Button

Click to display the Edit IPS: Global Settings window, where you make settings that affect the overall operation of Cisco IOS IPS.

Auto Update

This button appears if the Cisco IOS image on the router is version 12.4(11)T or later. Auto Update allows you to configure the router to obtain the latest signature updates from the Cisco Security Center automatically. Refer to Edit IPS: Auto Update for more information.

SEAP Configuration

This button appears if the Cisco IOS image on the router is version 12.4(11)T or later. Signature Event Action Processing (SEAP) gives you greater control over IOS IPS by providing advanced filtering and overrides.

SDEE Messages Button

Secure Device Event Exchange (SDEE) messages report on the progress of Cisco IOS IPS initialization and operation. Click to display the Edit IPS: SDEE Messages window, where you can review SDEE messages and filter them to display only error, status, or alert messages.

Signatures Button

Click to display the Edit IPS: Signatures window where you can manage signatures on the router.

NM CIDS Button

This button is visible if a Cisco Intrusion Detection System network module is installed in the router. Click to manage the IDS module.

Edit IPS: IPS Policies

This window displays the Cisco IOS IPS status of all router interfaces, and allows you to enable and disable Cisco IOS IPS on interfaces.

Interfaces

Use this list to filter the interfaces shown in the interface list area. Choose one of the following:

All interfaces—All interfaces on the router.

IPS interfaces—Interfaces on which Cisco IOS IPS has been enabled.

Enable Button

Click to enable Cisco IOS IPS on the specified interface. You can specify the traffic directions to which Cisco IOS IPS is to be applied, and the ACLs used to define the type of traffic you want to examine. See Enable or Edit IPS on an Interface for more information.

Edit Button

Click to edit the Cisco IOS IPS characteristics applied to the specified interface.

Disable Button

Click to disable Cisco IOS IPS on the specified interface. A context menu shows you the traffic directions on which Cisco IOS IPS has been applied, and you can choose the direction on which you want to disable Cisco IOS IPS. If you disable Cisco IOS IPS on an interface to which it has been applied, Cisco SDM dissociates any Cisco IOS IPS rules from that interface.

Disable All Button

Click to disable Cisco IOS IPS on all interfaces on which it has been enabled. If you disable Cisco IOS IPS on an interface to which it has been applied, Cisco SDM dissociates any Cisco IOS IPS rules from that interface.

Interface Name

The name of the interface. For example: Serial0/0, or FE0/1.

IP

This column can contain the following types of IP addresses:

Configured IP address of the interface.

DHCP client—The interface receives an IP address from a Dynamic Host Configuration Protocol (DHCP) server.

Negotiated—The interface receives an IP address through negotiation with the remote device.

Unnumbered—The router will use one of a pool of IP addresses supplied by your service provider for your router and for the devices on your LAN.

Not applicable—The interface type cannot be assigned an IP address.

Inbound IPS/Outbound IPS

Enabled—Cisco IOS IPS is enabled for this traffic direction.

Disabled—Cisco IOS IPS is disabled for this traffic direction.

VFR Status

Virtual Fragment Reassembly (VFR) status. The possible values are:

On—VFR is enabled.

Off—VFR is disabled.

Cisco IOS IPS cannot identify the contents of IP fragments, nor can it gather port information from the fragment in order to match it with a signature. Therefore, fragments can pass through the network without being examined or without dynamic access control list (ACL) creation.

VFR enables the Cisco IOS Firewall to create the appropriate dynamic ACLs, thereby protecting the network from various fragmentation attacks.

Description

A description of the connection, if added.

IPS Filter Details

If no filter is applied to traffic, this area contains no entries. If a filter is applied, the name or number of the ACL is shown in parentheses.

Inbound and Outbound Filter Buttons

Click to view the entries of the filter applied to inbound or outbound traffic.

Field Descriptions

Action—Whether the traffic is permitted or denied.

Permit source traffic.

Deny source traffic.


Source—Network or host address, or any host or network.

Destination—Network or host address, or any host or network.

Service—Type of service filtered: IP, TCP, UDP, IGMP, or ICMP.

Log—Whether or not denied traffic is logged.

Attributes—Options configured using the CLI.

Description—Any description provided.

Enable or Edit IPS on an Interface

Use this window to choose the interfaces on which you want to enable intrusion detection, and to specify the IPS filters for examining traffic.

Both, Inbound, and Outbound Buttons

Use these buttons to specify whether you are going to enable Cisco IOS IPS on both inbound and outbound traffic, only inbound traffic, or only outbound traffic.

Inbound Filter

(Optional) Enter the name or number of the access rule that specifies the inbound traffic to be examined. The ACL that you specify appears in the IPS Rules Configuration window when the interface with which it is associated is chosen. If you need to browse for the access rule or create a new one, click the ... button.

Outbound Filter

(Optional) Enter the name or number of the access rule that specifies the outbound traffic to be examined. The ACL that you specify appears in the IPS Rules Configuration window when the interface with which it is associated is chosen. If you need to browse for the access rule or create a new one, click the ... button.

... Button

Use this button to specify a filter. Click to display a menu with the following options:

Choose an existing rule. See Select a Rule for more information.

Create a new rule. See Add or Edit a Rule for more information.

None (clear rule association). Use this option to remove a filter from a traffic direction to which it has been applied.

Enable fragment checking for this interface

(Enabled by default). Check if you want the Cisco IOS firewall to check for IP fragments on this interface. See VFR Status for more information.

Enable fragment checking on other interfaces

If fragment checking is enabled for outbound traffic, the router must examine the inbound traffic that arrives on the interfaces that send outbound traffic to the interface being configured. Specify these interfaces below.

If the Inbound radio button is chosen, this area does not appear.

Specify Signature File

The Specify Signature File box contains information about the SDF version that the router is using, and enables you to update the SDF to a more recent version. To specify a new SDF, click the ... button next to the Signature File field and specify a new file in the displayed dialog.

Edit IPS: Global Settings

This window allows you to view and configure global settings for Cisco IPS. This help topic describes the information that you may see if the running Cisco IOS image is earlier than version 12.4(11)T.

Global Settings Table

This table in the Global Settings window displays the current global settings and their values. Click Edit to change any of these values.

Item Name          Item Value
Syslog             If enabled, then notifications are sent to the syslog server specified in System Properties.
SDEE               Security Device Event Exchange. If enabled, SDEE events are generated.
SDEE Events        Number of SDEE events to store in the router buffer.
SDEE Subscription  Number of concurrent SDEE subscriptions.

Engine Options

The engine options are:

Fail Closed—By default, while the Cisco IOS compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. When enabled, this option makes the Cisco IOS drop packets during the compilation process.

Use Built-in Signatures (as backup)—If Cisco IOS IPS does not find signatures or fails to load them from the specified locations, it can use the Cisco IOS built-in signatures to enable Cisco IOS IPS. This option is enabled by default.

Deny Action on IPS Interface—We recommend this when the router is performing load balancing. When enabled, this option causes Cisco IOS IPS to enable ACLs on Cisco IOS IPS interfaces instead of enabling them on the interfaces from which attack traffic came.

Shun Events

This option uses the Shun Time parameter. Shun Time is the amount of time that shun actions are to be in effect. A shun action occurs if a host or network is added to an ACL to deny traffic from that host or network.


Configured SDF Locations

A signature location is a URL that provides a path to an SDF. To find an SDF, the router attempts to contact the first location in the list. If it fails, it tries each subsequent location in turn until it finds an SDF.

Add Button

Click to add a URL to the list.

Edit Button

Click to edit a specified location.

Delete Button

Click to delete a specified location.

Move Up and Move Down Buttons

Use to change the order of preference for the URLs in the list.

Reload Signatures

Click to recompile signatures in all signature engines. During the time that signatures are being recompiled in a signature engine, the Cisco IOS software cannot use that engine's signatures to scan packets.

Edit Global Settings

Edit settings that affect the overall operation of Cisco IOS IPS in this window, in the Syslog and SDEE and Global Engine tabs.

Enable Syslog Notification (Syslog and SDEE Tab)

Check this checkbox to enable the router to send alarm, event, and error messages to a syslog server. A syslog server must be identified in System Properties for this notification method to work.

SDEE (Syslog and SDEE Tab)

Enter the number of concurrent SDEE subscriptions, in the range of 1-3, in the Number of concurrent SDEE subscriptions field. An SDEE subscription is a live feed of SDEE events.

In the Maximum number of SDEE alerts to store field, enter the maximum number of SDEE alerts that you want the router to store, in the range of 10-2000. Storing more alerts uses more router memory.

In the Maximum number of SDEE messages to store field, enter the maximum number of SDEE messages that you want the router to store, in the range of 10-500. Storing more messages uses more router memory.

Enable Engine Fail Closed (Global Engine Tab)

By default, while the Cisco IOS software compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. Enable this option to make the Cisco IOS software drop packets during the compilation process.

Use Built-in Signatures (as backup) (Global Engine Tab)

If Cisco IOS IPS does not find or fails to load signatures from the specified locations, it can use the Cisco IOS built-in signatures to enable Cisco IOS IPS. This option is enabled by default.

Enable Deny Action on IPS interface (Global Engine Tab)

This option is applicable if signature actions are configured to "denyAttackerInline" or "denyFlowInline." By default, Cisco IOS IPS applies ACLs to the interfaces from which attack traffic came, and not to Cisco IOS IPS interfaces. Enabling this option causes Cisco IOS IPS to apply the ACLs directly to the Cisco IOS IPS interfaces, and not to the interfaces that originally received the attack traffic. If the router is not performing load balancing, do not enable this setting. If the router is performing load balancing, we recommend that you enable this setting.

Timeout (Global Engine Tab)

This option lets you set the number of minutes, in the range of 0-65535, that shun actions are to be in effect. The default value is 30 minutes. A shun action occurs if a host or network is added to an ACL to deny traffic from that host or network.

Add or Edit a Signature Location

Specify the location from which Cisco IOS IPS should load an SDF. To specify multiple SDF locations, open this dialog again and enter the information for another SDF.

Specify SDF on this router

Specify the part of router memory in which the SDF is located by using the Location drop-down menu. For example: the menu could have the entries disk0, usbflash1, and flash. Then choose the filename by clicking the down arrow next to the File Name field or enter the filename in the File Name field.

Specify SDF using URL

If the SDF is located on a remote system, you can specify the URL at which it resides.

Protocol

Choose the protocol the router should use to obtain the SDF, such as http or https.

URL

Enter the URL in the following form:

path-to-signature-file


Note The protocol you chose from the Protocol menu appears to the right of the URL field. Do not reenter the protocol in the URL field.


The following URL is provided as an example of the format. It is not a valid URL to a signature file, and it includes the protocol to show the full URL:

https://172.16.122.204/mysigs/vsensor.sdf

Autosave

Check this option if you want the router to automatically save the SDF if the router crashes. This eliminates the need for you to reconfigure Cisco IOS IPS with this SDF when the router comes back up.

Edit IPS: SDEE Messages

This window lists the SDEE messages received by the router. SDEE messages are generated when there are changes to Cisco IOS IPS configuration.

SDEE Messages

Choose the SDEE message type to display:

All—SDEE error, status, and alert messages are shown.

Error—Only SDEE error messages are shown.

Status—Only SDEE status messages are shown.

Alerts—Only SDEE alert messages are shown.

View By

Choose the SDEE message field to search.

Criteria

Enter the search string.

Go Button

Click to initiate the search on the string entered in the Criteria field.

Type

Types are Error, Status, and Alerts. Click SDEE Message Text to see possible SDEE messages.

Time

Time message was received.

Description

Available description.

Refresh Button

Click to check for new SDEE messages.

Close Button

Click to close the SDEE Messages window.

SDEE Message Text

This topic lists possible SDEE messages.

IDS Status Messages

Error Message    ENGINE_BUILDING: %s - %d signatures - %d of %d engines

Explanation    Triggered when Cisco IOS IPS begins building the signature microengine (SME).

Error Message    ENGINE_BUILD_SKIPPED: %s - there are no new signature definitions for this engine

Explanation    Triggered when there are no signature definitions or no changes to the existing signature definitions of an Intrusion Detection System SME.

Error Message    ENGINE_READY: %s - %d ms - packets for this engine will be scanned

Explanation    Triggered when an IDS SME is built and ready to scan packets.

Error Message    SDF_LOAD_SUCCESS: SDF loaded successfully from %s

Explanation    Triggered when an SDF file is loaded successfully from a given location.

Error Message    BUILTIN_SIGS: %s to load builtin signatures

Explanation    Triggered when the router resorts to loading the builtin signatures.

IDS Error Messages

Error Message    ENGINE_BUILD_FAILED: %s - %d ms - engine build failed - %s

Explanation    Triggered when Cisco IOS IPS fails to build one of the engines after an SDF file is loaded. One message is sent for each failed engine. This means that the Cisco IOS IPS engine failed to import signatures for the specified engine in the message. Insufficient memory is the most probable cause of this problem. If this happens, the new imported signature that belongs to this engine is discarded by Cisco IOS IPS.

Error Message    SDF_PARSE_FAILED: %s at Line %d Col %d Byte %d Len %d

Explanation    Triggered when an SDF file does not parse correctly.

Error Message    SDF_LOAD_FAILED: failed to %s SDF from %s

Explanation    Triggered when an SDF file fails to load for some reason.

Error Message    DISABLED: %s - IDS disabled

Explanation    IDS has been disabled. The message should indicate the cause.

Error Message    SYSERROR: Unexpected error (%s) at line %d func %s() file %s

Explanation    Triggered when an unexpected internal system error occurs.
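The templates above can drive a small checker that sorts collected SDEE message text into status and error messages and flags engines whose build failed (the help text says signatures for those engines are discarded). This is an added Python example, not from this guide or Cisco SDM; it assumes the input is the SDEE message text alone, without any syslog header, and the sample lines and engine names are constructed.

```python
import re

# SDEE message templates listed above, grouped as the help text groups them.
STATUS_TEMPLATES = [
    "ENGINE_BUILDING: %s - %d signatures - %d of %d engines",
    "ENGINE_BUILD_SKIPPED: %s - there are no new signature definitions for this engine",
    "ENGINE_READY: %s - %d ms - packets for this engine will be scanned",
    "SDF_LOAD_SUCCESS: SDF loaded successfully from %s",
    "BUILTIN_SIGS: %s to load builtin signatures",
]
ERROR_TEMPLATES = [
    "ENGINE_BUILD_FAILED: %s - %d ms - engine build failed - %s",
    "SDF_PARSE_FAILED: %s at Line %d Col %d Byte %d Len %d",
    "SDF_LOAD_FAILED: failed to %s SDF from %s",
    "DISABLED: %s - IDS disabled",
    "SYSERROR: Unexpected error (%s) at line %d func %s() file %s",
]

# Constructed sample messages (engine names and details are made up).
SAMPLE_MESSAGES = [
    "ENGINE_BUILDING: ATOMIC.IP - 105 signatures - 1 of 13 engines",
    "ENGINE_READY: ATOMIC.IP - 812 ms - packets for this engine will be scanned",
    "ENGINE_BUILD_SKIPPED: SERVICE.HTTP - there are no new signature definitions for this engine",
    "ENGINE_BUILD_FAILED: STRING.TCP - 3012 ms - engine build failed - insufficient memory",
    "SDF_LOAD_FAILED: failed to open SDF from flash:sdmips.sdf",
    "BUILTIN_SIGS: resorting to load builtin signatures",
    "this line is not an SDEE message",
]


def template_to_regex(template):
    """Turn a printf-style template into an anchored regex: %s captures any
    text (lazily), %d captures digits; everything else is matched literally."""
    out = []
    for part in re.split(r"(%s|%d)", template):
        if part == "%s":
            out.append(r"(.+?)")
        elif part == "%d":
            out.append(r"(\d+)")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


# (category, message name, compiled pattern) for every documented template.
COMPILED = (
    [("status", t.split(":")[0], template_to_regex(t)) for t in STATUS_TEMPLATES]
    + [("error", t.split(":")[0], template_to_regex(t)) for t in ERROR_TEMPLATES]
)


def classify(message):
    """Return (category, message_name, captured_fields), or None when the
    text matches none of the documented templates."""
    for category, name, rx in COMPILED:
        m = rx.match(message.strip())
        if m:
            return category, name, list(m.groups())
    return None


def summarize(messages):
    """Count messages per category and list engines whose build failed."""
    summary = {"status": 0, "error": 0, "unmatched": 0,
               "engines_with_discarded_signatures": []}
    for msg in messages:
        result = classify(msg)
        if result is None:
            summary["unmatched"] += 1
            continue
        category, name, fields = result
        summary[category] += 1
        if name == "ENGINE_BUILD_FAILED":
            # First %s in that template is the engine name.
            summary["engines_with_discarded_signatures"].append(fields[0])
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
```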

Edit IPS: Global Settings

Several Cisco IOS IPS configuration options are available with Cisco IOS 12.4(11)T and later images. These are described in this help topic. Screen controls and configuration options available prior to Cisco IOS 12.4(11)T, such as the Syslog and SDEE global settings, are described in Edit IPS: Global Settings.

This help topic describes the Global Settings window that is displayed when the router runs Cisco IOS 12.4(11)T and later releases.

Engine Options

The engine options available with Cisco IOS 12.4(11)T and later images are the following:

Fail Closed—By default, while the Cisco IOS compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. When enabled, this option makes the Cisco IOS drop packets during the compilation process.

Deny Action on IPS Interface—We recommend this when the router is performing load balancing. When enabled, this option causes Cisco IOS IPS to enable ACLs on Cisco IOS IPS interfaces instead of enabling them on the interfaces from which attack traffic came.

Edit IPS Prerequisites Table

This table displays the information about how the router is provisioned for Cisco IOS IPS. Click Edit to change any of these values. The sample data in the following table indicates that the config location is the directory configloc in flash memory, that the router is using the basic category of signatures, and that a public key has been configured to allow the router to access the information in the configloc directory.

Item Name            Item Value
Config Location      flash:/configloc/
Selected Category    basic
Public Key           Configured


Edit Global Settings

The Edit Global Settings dialog contains a Syslog and SDEE tab, and a Global Engine tab. Click the link below for the information that you want to see:

Syslog and SDEE Tab

Global Engine Tab

Syslog and SDEE Tab

The Syslog and SDEE dialog displayed when the router uses a Cisco IOS 12.4(11)T or later image allows you to configure syslog notification and parameters for SDEE subscriptions, events and messages.

Enable Syslog Notification

Check this checkbox to enable the router to send alarm, event, and error messages to a syslog server. A syslog server must be identified in System Properties for this notification method to work.

SDEE

Enter the number of concurrent SDEE subscriptions, in the range of 1-3, in the Number of concurrent SDEE subscriptions field. An SDEE subscription is a live feed of SDEE events.

In the Maximum number of SDEE alerts to store field, enter the maximum number of SDEE alerts that you want the router to store, in the range of 10-2000. Storing more alerts uses more router memory.

In the Maximum number of SDEE messages to store field, enter the maximum number of SDEE messages that you want the router to store, in the range of 10-500. Storing more messages uses more router memory.

Global Engine Tab

The Global Engine dialog displayed when the router uses a Cisco IOS 12.4(11)T or later image allows you to configure the settings described in the following sections.

Enable Engine Fail Closed

By default, while the Cisco IOS software compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. Enable this option to make the Cisco IOS software drop packets during the compilation process.

Enable Deny Action on IPS interface

This option is applicable if signature actions are configured to "denyAttackerInline" or "denyFlowInline." By default, Cisco IOS IPS applies ACLs to the interfaces from which attack traffic came, and not to Cisco IOS IPS interfaces. Enabling this option causes Cisco IOS IPS to apply the ACLs directly to the Cisco IOS IPS interfaces, and not to the interfaces that originally received the attack traffic. If the router is not performing load balancing, do not enable this setting. If the router is performing load balancing, we recommend that you enable this setting.

Edit IPS Prerequisites

The Edit IPS Prerequisites dialog contains tabs for the following categories of information. Click on a link for the information that you want to see:

Config Location Tab

Category Selection Tab

Public Key Tab

Config Location Tab

If a config location has been configured on the router, you can edit it. If none has been configured, you can click Add and configure one. The Add button is disabled if a config location is already configured. The Edit button is disabled when no config location has been configured. See Create IPS: Configuration File Location and Category for more information.

Category Selection Tab

If you specify a signature category, SDM configures the router with a subset of signatures appropriate for a specific amount of router memory. You can also remove an existing category configuration if you want to remove category constraints when selecting signatures.

Configure Category

Click Configure Category and choose either basic or advanced. The basic category is appropriate for routers with less than 128 MB of available flash memory. The advanced category is appropriate for routers with more than 128 MB of available flash memory.

Delete Category

If you want to remove the category configuration, click Delete Category.

Public Key Tab

This dialog displays the public keys configured for Cisco IOS IPS. You can add keys or delete keys from this dialog. To add a key, click Add and configure the key in the dialog displayed.

To remove a key, select the key name and click Delete.

Add Public Key

You can copy the name of the key and the key itself from the following site on Cisco.com:

http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup

Copy the key name and paste it into the Name field in this dialog. Then copy the key from the same location and paste it into the Key field. For detailed instructions that explain exactly which parts of the text to copy and paste, see Configure Public Key.

Edit IPS: Auto Update

Signature file updates are posted on Cisco.com. Cisco SDM can download the signature file update that you specify, or it can automatically download the latest signature file update on a defined schedule.

This help topic describes the Auto Update window that is displayed when the router runs Cisco IOS 12.4(11)T and later releases.

Before Configuring Auto Update

Before configuring autoupdate, you should synchronize the router clock with the clock on your PC. To do this, complete the following steps:


Step 1 Go to Configure > Additional Tasks > Router Properties > Date/Time.

Step 2 In the Date/Time window, click Change Settings.

Step 3 Check the Synchronize with my local PC clock option, and then click the Synchronize button.

Step 4 Close the dialog.


Download signature file from Cisco.com

To have Cisco SDM download a specific signature file from Cisco.com to your PC, specify the file that you want Cisco SDM to download, and specify the location where the file will be saved. Signature Package in use displays the version that the Cisco IOS IPS is currently using. A CCO login is required to download signature files and obtain other information from the Cisco IOS IPS web pages on Cisco.com.

To download the latest signature file, click Get the latest SDM file. Click Browse to specify where you want the file saved, and then click Download to save the file to your PC.

To download the latest CLI package, click Get the latest CLI package. Click Browse to specify where you want the file saved, and then click Download to save the file to your PC.

To browse the available files before downloading, click List the available files to download. Then click the button to the right of the List of signature packages field. Click Refresh in the context menu to browse the list of available files. To view the readme file, click Show readme. Choose the file that you want, and then use the Browse and Download buttons to save it to your PC.

Autoupdate

Click Enable Autoupdate if you want Cisco SDM to automatically obtain updates from a remote server that you specify.

IPS Autoupdate URL Settings

Enter the username and password required to log in to the server, and enter the URL to the update file in the IPS Autoupdate URL Settings fields. A sample URL follows:

tftp://192.168.0.2/jdoe/ips-auto-update/IOS_update.zip

Schedule

Specify a schedule for when you want the router to obtain the update from the server. You can specify multiple values in each column to indicate a range or to indicate multiple time values. To specify that you want to obtain the update from the server at 1:00 a.m. every day, Sunday through Thursday, choose the values in the following table.

Minute   Hour   Date                      Day
0        1      Select 1 and select 31.   Check the boxes for Sunday through Thursday.


Click Apply Changes to send the changes that you make in the Auto Update fields to the router. Click Discard Changes to remove the data that you have entered in these fields.

Edit IPS: SEAP Configuration

Cisco IOS IPS available with Cisco IOS release 12.4(11)T or later implements Signature Event Action Processing (SEAP). This window describes SEAP features that you can configure. To begin configuration, click on one of the buttons under the SEAP Configuration button.

You can configure SEAP settings for Cisco IOS IPS when the router runs Cisco IOS 12.4(11)T and later releases.

Edit IPS: SEAP Configuration: Target Value Rating

The target value rating (TVR) is a user-defined value that represents the user's perceived value of the target host. This allows the user to increase the risk of an event associated with a critical system and to de-emphasize the risk of an event on a low-value target.

Use the buttons to the right of the Target Value Rating and Target IP Address columns to add, remove, and edit target entries. Click Select All to highlight all target value ratings automatically. Click Add to display a dialog in which you can create a new TVR entry. Click Edit to change the IP address information for an entry.

Target Value Rating Column

Targets can be rated as High, Low, Medium, Mission Critical, or No Value. Once a target entry has been created, the rating cannot be changed. If you need to change the rating, you must delete the target entry and recreate it using the rating that you want.

Target IP Address Column

The target IP address can be a single IP address or a range of IP addresses. The following example shows two entries. One is a single IP address entry and the other is an address range.

Target Value Rating   Target IP Address
High                  192.168.33.2
Medium                10.10.3.1-10.10.3.55


Apply Changes

When you have entered the information that you want in the Target Value Rating window, click Apply Changes. The Apply Changes button is disabled when there are no changes to send to the router.

Discard Changes

To clear information that you have entered in the Target Value Rating window but have not sent to the router, click Discard Changes. The Discard Changes button is disabled when there are no changes made that are awaiting delivery to the router.

Add Target Value Rating

To add a TVR entry, choose the target value rating and enter a Target IP Address or range of IP addresses.

Target Value Rating (TVR)

Targets can be rated as High, Low, Medium, Mission Critical, or No Value. Once a rating has been used for one target entry, it cannot be used for additional entries. Therefore, enter into the same entry all the targets that you want to give the same rating.

Target IP Addresses

You can enter a single target IP address or a range of addresses, as shown in the examples that follow:

192.168.22.33
10.10.11.4-10.10.11.55

The IP addresses that you enter are displayed in the Target Value Rating window.

Edit IPS: SEAP Configuration: Event Action Overrides

Event action overrides allow you to change the actions associated with an event based on the Risk Rating (RR) of that event. You do this by assigning an RR range for each event action. If an event occurs and its RR falls within the range that you defined, the action is added to the event. Event action overrides are a way to add event actions globally without having to configure each signature individually.

Use Event Action Overrides

Check the Use Event Action Overrides box to enable Cisco IOS IPS to use event action overrides. You can add and edit event action overrides whether or not they are enabled on the router.

Select All

The Select All button works with the Enable, Disable and Delete buttons. If you want to enable or disable all event action overrides, click Select All and then click Enable or Disable. To remove all event action overrides, click Select All, and then click Delete.

Add and Edit Buttons

Click Add to display a dialog in which you can enter the information for an event action override. Choose an event action override, and click Edit to change the information for an event action override.

Delete

Click Delete to remove the event action overrides that you selected, or to remove all event action overrides if you clicked Select All.

Enable and Disable

The Enable and Disable buttons allow you to enable or disable event action overrides. Choose one event action override, or click Select All to enable or disable all event action overrides.

Apply Changes

When you have entered the information that you want in the Event Action Overrides window, click Apply Changes. The Apply Changes button is disabled when there are no changes to send to the router.

Discard Changes

If you want to clear information that you have entered in the Event Action Overrides window but have not sent to the router, click Discard Changes. The Discard Changes button is disabled when there are no changes made that are awaiting delivery to the router.

Add or Edit an Event Action Override

To add an event action override, choose the event action, enable or disable it, and specify the RR range. If you are editing, you cannot change the event action.

Event Action

Choose one of the following event actions:

Deny Attacker Inline—Does not transmit this packet and future packets from the attacker address for a specified period of time (inline only).

Deny Connection Inline—Does not transmit this packet and future packets on the TCP flow (inline only).

Deny Packet Inline—Does not transmit this packet.

Produce Alert—Writes an <evIdsAlert> to the log.

Reset TCP Connection—Sends TCP resets to hijack and terminate the TCP flow.

Enabled

Click Yes to enable the event action override, or No to disable it. You can also enable and disable event action overrides in the Event Action Override window.

Risk Rating

Enter the lower bound of the RR range in the Min box, and the upper bound of the range in the Max box. When the RR value of an event falls within the range that you specify, Cisco IOS IPS adds the override specified by the Event Action. For example, if Deny Connection Inline is assigned a RR range of 90-100, and an event with an RR of 95 occurs, Cisco IOS IPS responds by denying the connection inline.

Edit IPS: SEAP Configuration: Event Action Filters

Event action filters let Cisco IOS IPS perform individual actions in response to an event without requiring it to perform all actions or remove the entire event. Filters work by removing actions from an event. A filter that removes all actions from an event effectively consumes the event. Event action filters are processed as an ordered list. You can move filters up or down in the list to have the router process one filter before it processes other filters.

The Event Action Filters window displays the configured event action filters, and allows you to reorder the filters list so that Cisco IOS IPS processes the filters in the order that you want.

Use Event Action Filters

Check Use Event Action Filters to enable the use of event action filters. You can add, edit, and remove event action filters, and rearrange the list to specify the order that the router processes the filters whether or not event action filtering is enabled.

Event Action Filter List Area

For a description of the columns in the Event Action Filter List area, see Add or Edit an Event Action Filter.

Event Action Filter List Buttons

The Event Action Filter List buttons allow you to create, edit, and remove event action filters, and to place each event action filter in the order you want it to be in the list. The buttons are described in the following sections.

Select All

The Select All button works with the Enable, Disable, and Delete buttons. To enable or disable all event action filters, click Select All, and then click Enable or Disable. To remove all event action filters, click Select All, and then click Delete.

Add

Click the Add button to add an event action filter to the end of the list. A dialog is displayed that enables you to enter the data for the filter.

Insert Before

To insert a new event action filter before an existing one, select the existing filter entry and click Insert Before. A dialog is displayed that enables you to enter the data for the filter.

Insert After

To insert a new event action filter after an existing one, select the existing filter entry and click Insert After. A dialog is displayed that enables you to enter the data for the filter.

Move Up

Choose an event action filter and click the Move Up button to move the filter up in the list.

Move Down

Choose an event action filter and click the Move Down button to move the filter down in the list.

Edit

Click the Edit button to edit an event action filter you have chosen.

Enable

Click the Enable button to enable an event action filter you have chosen. To enable all event action filters, click Select All first, and then click Enable.

Disable

Click the Disable button to disable an event action filter you have chosen. To disable all event action filters, click Select All first, and then click Disable.

Delete

Click the Delete button to delete an event action filter you have chosen. If you want to delete all event action filters, click Select All first, and then click Delete.

Apply Changes

When you have entered the information that you want in this window, click Apply Changes. The Apply Changes button is disabled when there are no changes to send to the router.

Discard Changes

If you want to clear information that you have entered in this window but have not sent to the router, click Discard Changes. The Discard Changes button is disabled when there are no changes awaiting delivery to the router.

Add or Edit an Event Action Filter

The following information describes the fields in the Add and the Edit Event Action Filter dialogs.

Name

SDM provides event action filter names beginning with Q00000, incrementing the numerical portion of the name by 1 each time you add an event action filter. You can also enter a name that you choose. If you are editing an event action filter, the Name field is read-only.

Enabled

Click Yes to enable the event action filter, or click No to disable it. You can also enable and disable event action filters in the Event Action Filter window.

Signature ID

For Signature ID, enter a range of signature IDs from 900 to 65535, or enter a single ID in that range. If you enter a range, use a dash (-) to separate the upper and lower bounds of the range. For example, enter 988-5000.

Subsignature ID

For Subsignature ID, enter a range of subsignature IDs from 0 to 255, or enter a single subsignature ID in that range. If you enter a range, use a dash (-) to separate the upper and lower bounds of the range. For example, enter 70-200.

Attacker Address

For Attacker Address, enter a range of addresses from 0.0.0.0 to 255.255.255.255, or enter a single address in that range. If you enter a range, use a dash (-) to separate the upper and lower bounds of the range. For example, enter 192.168.7.0-192.168.50.0.

Attacker Port

For Attacker Port, enter a range of port numbers from 0 to 65535, or enter a single port number in that range. If you enter a range, use a dash (-) to separate the upper and lower bounds of the range. For example, enter 988-5000.

Victim Address

For Victim Address, enter a range of addresses from 0.0.0.0 to 255.255.255.255, or enter a single address in that range. If you enter a range, use a dash (-) to separate the upper and lower bounds of the range. For example, enter 192.168.7.0-192.168.50.0.

Victim Port

For Victim Port, enter a range of port numbers from 0 to 65535, or enter a single port number in that range. If you enter a range, use a dash (-) to separate the upper and lower bounds of the range. For example, enter 988-5000.

Risk Rating

For Risk Rating, enter an RR range between 0 and 100.

Actions to Subtract

Click any actions that you want to subtract from matching events. To subtract more than one action from matching events, hold down the Ctrl key when you choose additional actions. All the actions that you choose for this filter will be listed in the Event Action Filters window.

Stop on Match

If you want the Cisco IOS IPS to stop when an event matches this event action filter, click Yes. If you want the Cisco IOS IPS to evaluate matching events against the other remaining filters, click No.

Comments

You can add comments to describe the purpose of this filter. This field is optional.
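The following Python model illustrates how the three SEAP pieces described in the preceding sections fit together: the target value rating lookup with its single-address and address-range entries, the event action override that adds an action when an event's RR falls in a configured range, and the ordered event action filter list that subtracts actions, honouring the Stop on Match setting. It is an added example written for this page, not Cisco code and not an interface to the router; the classes, functions, field names and the sample event and entries are all constructed here to mirror the dialog fields, and the RR 90-100 override and the Q00000 filter name are taken from the text above.

```python
"""Added example: a small model of Cisco IOS IPS SEAP processing as the SDM dialogs
describe it (target value ratings, event action overrides, event action filters).
All names, data and the Event shape are constructed for illustration; this is not
a Cisco API."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


def parse_range(text: str, lo: int = 0, hi: int = 65535) -> Tuple[int, int]:
    """Parse 'N' or 'N-M' (dash between lower and upper bound, as the dialogs require)."""
    parts = text.split("-")
    if len(parts) not in (1, 2):
        raise ValueError(f"bad range: {text!r}")
    a, b = int(parts[0]), int(parts[-1])
    if not (lo <= a <= b <= hi):
        raise ValueError(f"range {text!r} is reversed or outside {lo}-{hi}")
    return a, b


def parse_ip_range(text: str) -> Tuple[int, int]:
    """Parse '192.168.22.33' or '10.10.11.4-10.10.11.55' into integer bounds."""
    parts = text.split("-")
    if len(parts) not in (1, 2):
        raise ValueError(f"bad address range: {text!r}")
    a, b = int(IPv4Address(parts[0])), int(IPv4Address(parts[-1]))
    if a > b:
        raise ValueError(f"address range {text!r} is reversed")
    return a, b


def _within(n: int, bounds: Tuple[int, int]) -> bool:
    return bounds[0] <= n <= bounds[1]


@dataclass
class TargetValueRating:
    rating: str                      # High, Low, Medium, Mission Critical, No Value
    targets: List[Tuple[int, int]]   # one entry may hold several addresses or ranges


def lookup_tvr(tvrs: List[TargetValueRating], ip: str) -> Optional[str]:
    """Return the rating whose target list covers ip, or None if it is unrated."""
    n = int(IPv4Address(ip))
    for t in tvrs:
        if any(_within(n, r) for r in t.targets):
            return t.rating
    return None


@dataclass
class Event:
    sig_id: int
    subsig_id: int
    attacker_ip: str
    attacker_port: int
    victim_ip: str
    victim_port: int
    risk_rating: int
    actions: Set[str] = field(default_factory=set)   # actions the signature itself carries


@dataclass
class EventActionOverride:
    action: str
    rr_min: int
    rr_max: int
    enabled: bool = True


def apply_overrides(ev: Event, overrides: List[EventActionOverride],
                    use_overrides: bool = True) -> Set[str]:
    """Add each enabled override's action when the event RR is inside its range."""
    actions = set(ev.actions)
    if use_overrides:
        for o in overrides:
            if o.enabled and o.rr_min <= ev.risk_rating <= o.rr_max:
                actions.add(o.action)
    return actions


@dataclass
class EventActionFilter:
    name: str
    actions_to_subtract: Set[str]
    sig_id: str = "900-65535"                         # field ranges as in the Add dialog
    subsig_id: str = "0-255"
    attacker_address: str = "0.0.0.0-255.255.255.255"
    attacker_port: str = "0-65535"
    victim_address: str = "0.0.0.0-255.255.255.255"
    victim_port: str = "0-65535"
    risk_rating: str = "0-100"
    stop_on_match: bool = False
    enabled: bool = True

    def matches(self, ev: Event) -> bool:
        return (_within(ev.sig_id, parse_range(self.sig_id, 900, 65535))
                and _within(ev.subsig_id, parse_range(self.subsig_id, 0, 255))
                and _within(int(IPv4Address(ev.attacker_ip)), parse_ip_range(self.attacker_address))
                and _within(ev.attacker_port, parse_range(self.attacker_port))
                and _within(int(IPv4Address(ev.victim_ip)), parse_ip_range(self.victim_address))
                and _within(ev.victim_port, parse_range(self.victim_port))
                and _within(ev.risk_rating, parse_range(self.risk_rating, 0, 100)))


def apply_filters(actions: Set[str], ev: Event, filters: List[EventActionFilter],
                  use_filters: bool = True) -> Set[str]:
    """Walk the filter list in order; a matching filter subtracts its actions and,
    with Stop on Match set, ends processing. An empty result means the event is consumed."""
    remaining = set(actions)
    if use_filters:
        for f in filters:                   # list order is what Move Up / Insert Before change
            if f.enabled and f.matches(ev):
                remaining -= f.actions_to_subtract
                if f.stop_on_match:
                    break
    return remaining


def process_event(ev: Event, overrides, filters) -> Set[str]:
    return apply_filters(apply_overrides(ev, overrides), ev, filters)


# Constructed sample configuration and event (values chosen to mirror the text above).
TVRS = [TargetValueRating("High", [parse_ip_range("192.168.33.2")]),
        TargetValueRating("Medium", [parse_ip_range("10.10.3.1-10.10.3.55")])]
OVERRIDES = [EventActionOverride("Deny Connection Inline", 90, 100)]
FILTERS = [EventActionFilter("Q00000", {"Deny Connection Inline"}, sig_id="988-5000",
                             victim_address="192.168.7.0-192.168.50.0", stop_on_match=True),
           EventActionFilter("Q00001", {"Produce Alert"})]
SAMPLE = Event(5000, 0, "10.10.3.5", 4444, "192.168.33.2", 80, 95, {"Produce Alert"})

if __name__ == "__main__":
    print("TVR of victim:", lookup_tvr(TVRS, SAMPLE.victim_ip))
    print("after overrides:", apply_overrides(SAMPLE, OVERRIDES))
    print("after filters:", process_event(SAMPLE, OVERRIDES, FILTERS))
```

Running the sample shows the ordering effect the Event Action Filters section warns about: Q00000 matches the RR 95 event against the 192.168.7.0-192.168.50.0 victim range, removes the denied-connection action that the override just added, and because Stop on Match is set, Q00001 never runs, so the alert survives. Clearing stop_on_match on Q00000 lets Q00001 subtract Produce Alert as well, leaving no actions, which is the "filter consumes the event" case.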

Edit IPS: Signatures

Cisco IOS IPS prevents intrusion by comparing traffic against the signatures of known attacks. Cisco IOS images that support Cisco IOS IPS have built-in signatures that can be used, and you can also have Cisco IOS IPS import signatures for the router to use when examining traffic. Imported signatures are stored in a signature definition file (SDF).

This window lets you view the configured Cisco IOS IPS signatures on the router. You can add customized signatures, or import signatures from SDFs downloaded from Cisco.com. You can also edit, delete, enable, and disable signatures.

Cisco IOS IPS is shipped with an SDF that contains signatures that your router can accommodate. To learn more about the SDF shipped with Cisco IOS IPS, and how to have Cisco IOS IPS use it, click IPS-Supplied Signature Definition Files.

Signature Tree

The signature tree enables you to filter the signature list on the right according to the type of signature that you want to view. First choose the branch for the general type of signature that you want to display. The signature list displays the configured signatures for the type that you chose. If a plus (+) sign appears to the left of the branch, there are subcategories that you can use to refine the filter. Click the + sign to expand the branch and then choose the signature subcategory that you want to display. If the signature list is empty, there are no configured signatures available for that type.

For example: If you want to display all attack signatures, click the Attack branch folder. If you want to see the subcategories that you can use to filter the display of attack signatures, click the + sign next to the Attack folder. If you want to see Denial of Service (DoS) signatures, click the DoS folder.

Import Button

Click to import a signature definition file from the PC or from the router. When you have specified the file, Cisco IOS IPS displays the signatures available in the file, and you can choose the ones that you want to import to the router. For more information about how to choose the signatures to import, see Import Signatures.


Note