CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-4 

Copyright 

© 2007, Cisco Systems, Inc 

Lab 6.4 Configuring IPS with CLI 

Learning Objectives 

•  Configure Cisco IOS IPS on an interface 

•  Disable unwanted IPS signatures 

•  Verify IPS settings 

Topology Diagram 

 

Scenario 

In this lab, you will configure the Cisco IOS Intrusion Prevention System (IPS), 
which is part of the Cisco IOS Firewall feature set. IPS inspects traffic for known 
attack patterns and alerts and/or takes mitigating action when one of those patterns occurs.  

In this scenario, TRUSTED represents a trusted inside router, FW represents a 
router serving as an intrusion prevention router, and UNTRUSTED represents 
an untrusted outside router. Since UNTRUSTED is outside, FW will examine 
packets inbound from it. IPS alone is not enough to make a router into a secure 
Internet firewall, but in addition to other security features it can be a powerful 
defense. 

Step 1: Configure Addressing 

Configure the serial interfaces shown in the diagram. Set the clock rate on the 
appropriate interface and issue the no shutdown command on all serial 
connections. Verify that you have connectivity across the local subnet using the 
ping command. 

 
TRUSTED(config)# interface serial0/0/0 
TRUSTED(config-if)# ip address 192.168.12.1 255.255.255.0 
TRUSTED(config-if)# clockrate 64000 
TRUSTED(config-if)# no shutdown 
 
FW(config)# interface serial0/0/0 
FW(config-if)# ip address 192.168.12.2 255.255.255.0 
FW(config-if)# no shutdown 
FW(config-if)# interface serial0/0/1 
FW(config-if)# ip address 192.168.23.2 255.255.255.0 
FW(config-if)# clockrate 64000 
FW(config-if)# no shutdown 
 
UNTRUSTED(config)# interface serial0/0/1 
UNTRUSTED(config-if)# ip address 192.168.23.3 255.255.255.0 
UNTRUSTED(config-if)# no shutdown 

Step 2: Configure Static Default Routes 

On the TRUSTED and UNTRUSTED routers, configure static default routes 
directing traffic to unknown destinations to be forwarded to the FW router. FW 
will not need any routes because it has interfaces directly connected to both 
networks. 

 
TRUSTED(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.2 
 
UNTRUSTED(config)# ip route 0.0.0.0 0.0.0.0 192.168.23.2 

Your network should have full IP connectivity at this point. If it does not have full 
connectivity, troubleshoot. 

Normally a single-homed company might use Network Address Translation 
(NAT) at its corporate edge to protect its network and allow private addressing 
within the bounds of its network. In that case, the UNTRUSTED router, normally 
a provider edge router, would have a static route directing traffic to the address 
block owned by the customer out one of its interfaces. In this scenario you will not 
configure NAT, and you will use a default route for simplicity. 

Step 3: Create and Apply an IPS rule 

On FW, create an IPS rule using the ip ips name name command in global 
configuration mode. Use the name “myips” for the ips name. Although it will not 
be used in this lab, to create an IPS rule that only operates on certain traffic 
(specified with an access list), you would use the ip ips name name list list 
command in global configuration mode. 

 
FW(config)# ip ips name myips 

Note: This lab does not cover using signatures from a signature definition file 
(SDF). Instead it uses the built-in signatures in the IOS Firewall software. In a 
production environment, you might want to specify an SDF file using the ip ips 
sdf location location command in global configuration mode, where location is 
a location relative to the router, such as “flash:128MB.sdf”, which indicates that 
an SDF file named “128MB.sdf” in the router’s flash memory will be used. 

Apply the IPS rule to an interface with the ip ips name direction command in 
interface configuration mode. Apply the rule you just created inbound on the 
interface facing UNTRUSTED. Once you enable IPS, some log messages will 
be sent to the console line indicating that the IPS engines are being initialized. 

 
FW(config)# interface serial0/0/1 
FW(config-if)# ip ips myips in 
*Feb 19 09:16:09.923: %IPS-6-BUILTIN_SIGS: Configured to load builtin signatures 
*Feb 19 09:16:10.067: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded successfully from builtin 
*Feb 19 09:16:10.075: %IPS-6-ENGINE_BUILDING: OTHER - 3 signatures - 1 of 15 engines 
*Feb 19 09:16:10.075: %IPS-6-ENGINE_READY: OTHER - 0 ms - packets for this engine will be scanned 
*Feb 19 09:16:10.075: %IPS-6-ENGINE_BUILDING: MULTI-STRING - 0 signatures - 2 of 15 engines 
*Feb 19 09:16:10.075: %IPS-6-ENGINE_BUILD_SKIPPED: MULTI-STRING - there are no new signature definitions for this engine 
*Feb 19 09:16:10.075: %IPS-6-ENGINE_BUILDING: STRING.ICMP - 0 signatures - 3 of 15 engines 
*Feb 19 09:16:10.075: %IPS-6-ENGINE_BUILD_SKIPPED: STRING.ICMP - there are no new signature definitions for this engine 
<OUTPUT OMITTED> 

Step 4: Modify Default IPS Behavior 

From UNTRUSTED, ping TRUSTED with a high repeat count. 

 
UNTRUSTED# ping 192.168.12.1 repeat 100 
 
Type escape sequence to abort. 
Sending 100, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds: 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Success rate is 100 percent (100/100), round-trip min/avg/max = 56/56/88 ms 

Notice the log messages on FW. It starts off logging each signature match, but 
after 62 hits, IPS only reports a summary count without logging each match 
individually. 

 
FW# 

*Feb 19 09:30:41.823: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:41.879: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:41.935: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:41.991: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.051: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.107: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.163: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.219: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.275: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.335: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.391: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.447: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.903: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:42.959: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.019: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.075: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.131: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.187: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.247: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.303: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.359: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.415: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.927: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:43.987: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.043: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.099: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.159: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.215: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.271: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.327: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.387: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.443: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.899: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:44.955: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.011: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.067: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.127: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.183: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.239: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.295: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.355: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.411: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.931: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:45.987: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.047: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.103: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.159: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.215: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.275: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.331: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.387: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.443: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.923: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:46.979: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:47.039: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:47.095: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:47.151: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:47.207: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:47.263: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:47.323: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:47.379: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 
*Feb 19 09:30:47.435: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0] 

*Feb 19 09:31:11.823: %IPS-4-SIG_SUMMARY: Sig:2004 Subsig:0 Global Summary: 100 alarms in this interval 

To disable a signature on a router, use the ip ips signature number disable 
command in global configuration mode. Signature number 2004 is the one that 
detected the potential Internet Control Message Protocol (ICMP) attack shown in 
the previous output. Disable signature 2004, which was being set off by the 
ping. 

 
FW(config)# ip ips signature 2004 disable  
%IPS Signature 2004:0 is disabled 

Try the ping again from UNTRUSTED to TRUSTED. You do not need a high 
repeat count because there will be no summary messages (since there will not 
be any matches to begin with). 

 
UNTRUSTED# ping 192.168.12.1 
 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms 

Notice that no individual or summary IPS messages have been logged on the 
FW router. 

Why would you want to disable IPS signatures? 

 

 

 

You can also verify the current IPS configuration by using the show ip ips all 
command. Notice that in addition to the signature we just disabled, there was 
another signature disabled by default. 

 
FW# show ip ips all 
Configured SDF Locations: none 
Builtin signatures are enabled and loaded 
Last successful SDF load time: 09:29:43 UTC Feb 19 2007 
IPS fail closed is disabled 
Fastpath ips is enabled 
Quick run mode is enabled 
Event notification through syslog is enabled 
Event notification through SDEE is disabled 
Total Active Signatures: 132 
Total Inactive Signatures: 0 
Signature 2004:0 disable 
Signature 1107:0 disable 
IPS Rule Configuration 
 IPS name myips 
Interface Configuration 
 Interface Serial0/0/1 
  Inbound IPS rule is myips 
  Outgoing IPS rule is not set 

Notice that you can use the syslog protocol to report detections and IPS actions 
to management stations. When IPS is operating as an intrusion detection feature 
(alerting rather than dropping), the IPS router simply sends the notifications to 
the syslog server. 
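Once the alarms reach a syslog collector, a management station has to make sense of the two message types FW produced above. The parser below is an added example, not part of the Cisco lab; it aggregates the %IPS-4-SIGNATURE and %IPS-4-SIG_SUMMARY lines per signature and records the source addresses seen, treating the summary count as the interval total (in the lab, 62 individually logged hits are followed by a summary of 100, matching the 100 pings). The sample log lines are constructed from the lab output.

```python
import re
from collections import defaultdict

# Patterns for the two IOS IPS syslog message types seen on FW in this lab.
SIG_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
)
SUMMARY_RE = re.compile(
    r"%IPS-4-SIG_SUMMARY: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) "
    r"Global Summary: (?P<count>\d+) alarms in this interval"
)


def parse_ips_syslog(lines):
    """Aggregate IOS IPS syslog lines into per-signature totals, sources and names.

    Individual %IPS-4-SIGNATURE lines are counted one by one. Once the router
    switches to summary mode, hits are no longer logged individually and the
    %IPS-4-SIG_SUMMARY count is the total for the interval, so that count
    replaces the running count instead of being added to it (assumption based
    on the lab output: 62 logged hits, then a summary of 100 for 100 pings).
    """
    alarms = defaultdict(int)   # "sig:subsig" -> alarm count
    sources = defaultdict(set)  # "sig:subsig" -> source addresses that tripped it
    names = {}                  # "sig:subsig" -> signature name from the alert text
    for line in lines:
        m = SIG_RE.search(line)
        if m:
            key = f"{m['sig']}:{m['subsig']}"
            alarms[key] += 1
            sources[key].add(m["src"])
            names[key] = m["name"]
            continue
        m = SUMMARY_RE.search(line)
        if m:
            key = f"{m['sig']}:{m['subsig']}"
            alarms[key] = max(alarms[key], int(m["count"]))
    return dict(alarms), {k: sorted(v) for k, v in sources.items()}, names


# Constructed sample: three individual hits from the lab's UNTRUSTED router,
# then the summary line emitted once per-hit logging has been suppressed.
SAMPLE_LOG = [
    "*Feb 19 09:30:41.823: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]",
    "*Feb 19 09:30:41.879: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]",
    "*Feb 19 09:30:41.935: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.168.23.3:0 -> 192.168.12.1:0]",
    "*Feb 19 09:31:11.823: %IPS-4-SIG_SUMMARY: Sig:2004 Subsig:0 Global Summary: 100 alarms in this interval",
]

if __name__ == "__main__":
    counts, srcs, sig_names = parse_ips_syslog(SAMPLE_LOG)
    for key, n in counts.items():
        print(f"{key} {sig_names.get(key, '?')}: {n} alarms from {srcs.get(key, [])}")
```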

Final Configurations 

TRUSTED# show run 
hostname TRUSTED 

interface Serial0/0/0 
 ip address 192.168.12.1 255.255.255.0 
 clock rate 64000 
 no shutdown 

ip route 0.0.0.0 0.0.0.0 192.168.12.2 
end 
 
FW# show run 
hostname FW 

ip ips signature 2004 0 disable 
ip ips name myips 

interface Serial0/0/0 
 ip address 192.168.12.2 255.255.255.0 
 no shutdown 

interface Serial0/0/1 
 ip address 192.168.23.2 255.255.255.0 
 ip ips myips in 
 clock rate 64000 
 no shutdown 

end 
 
UNTRUSTED# show run 
hostname UNTRUSTED 

interface Serial0/0/1 
 ip address 192.168.23.3 255.255.255.0 
 no shutdown 

ip route 0.0.0.0 0.0.0.0 192.168.23.2 
end 
