CCNP ISCW Notes

1 Apr 2008

Chapter 23: Implementing Cisco IDS and IPS

Concepts

  • Intrusion Detection System (IDS) - Does not sit in the traffic path; cannot block traffic itself
  • Intrusion Prevention System (IPS) - Sits in the traffic path; configured to actively deny malicious traffic

IDS/IPS categories:

  • Network (NIDS/NIPS) - A dedicated device on the network; unable to assess the effectiveness of an attack
  • Host (HIDS/HIPS) - Software running on end hosts
  • Signature-based - Matches a specific byte pattern or content
  • Policy-based - Configurable policy to allow or deny certain traffic types and sources/destinations
  • Anomaly-based - Looks for traffic patterns which deviate from the norm

A honeypot is a device deployed with the intention of attracting attackers, possibly to distract them from legitimate devices.

Attack categories:

  • Denial of Service (DoS) - An attack on resources such as bandwidth and CPU power
  • Distributed DoS (DDoS) - A DoS attack sourced from multiple, likely spoofed sources
  • Reconnaissance - An attempt to gather information about the network

Signatures:

  • Exploit - A signature built to match a unique exploit
  • Connection - Matches unusual connection characteristics or events
  • String - Uses regular expressions to check for patterns in packets
  • DoS - Tailored to detect denial of service attacks

Cisco IOS uses signatures stored in Signature Definition Files (SDFs). SDFs can be moved, modified, and merged together.

Signature reaction:

  • Generate an alarm - Via syslog or SNMP; usually accompanied by other actions
  • Drop the packet - Traffic is blocked
  • Reset the connection - Only works with connection-oriented protocols (TCP)
  • Time-limited block from source - All traffic from the source IP is blocked for a specified amount of time
  • Time-limited block on connection - Blocks all traffic in a particular TCP session

Configuration

Specify the location of the SDF:

Router(config)# ip ips sdf {builtin | location <url>}

Configure the failure parameter:

Router(config)# ip ips fail closed

Create an IPS rule:

Router(config)# ip ips name <name> [list <ACL>]

Apply the IPS rule to an interface:

Router(config-if)# ip ips <name> {in | out}
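
The four steps above pulled together into one working IOS IPS configuration (an added example, not part of the original notes). The rule name IOSIPS, ACL 101, the SDF path flash://attack-drop.sdf and the interface FastEthernet0/0 are assumed values; `ip ips notify log` is a real IOS command that is not listed in the notes.

```cisco
! Added example, not from the original notes. Assumed values: IPS rule
! name IOSIPS, ACL 101, SDF path flash://attack-drop.sdf, and
! FastEthernet0/0 as the Internet-facing interface.
!
! Generate alarms via syslog (the "generate an alarm" reaction above).
ip ips notify log
!
! Load signatures from an SDF on flash instead of the built-in set.
ip ips sdf location flash://attack-drop.sdf
!
! Fail closed: if the SDF cannot be loaded, traffic the rule would have
! inspected is dropped instead of being forwarded uninspected.
ip ips fail closed
!
! Scope inspection: traffic permitted by ACL 101 is inspected; traffic
! denied by the ACL bypasses the IPS engine entirely.
access-list 101 permit ip any host 192.0.2.10
access-list 101 deny ip any any
!
! Create the IPS rule and tie it to the scoping ACL.
ip ips name IOSIPS list 101
!
! Inspect traffic as it arrives on the outside interface.
interface FastEthernet0/0
 ip ips IOSIPS in
```

After applying it, `show ip ips configuration` confirms the SDF location, the fail-closed setting and which interface the rule is bound to.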

Verification

  • show ip ips configuration

Gerard Metoho-Eke commented on 11 Sep 2008 at 7:24 a.m.

One of the best summaries I have seen. It makes life easier and is time well spent. Good job. Gerard

sam commented on 15 Sep 2008 at 3:18 a.m.

nice work
