SIC JOURNAL TYIT
PRACTICAL NO 7: Configure IOS Intrusion Prevention System (IPS) Using the CLI
The Cisco IOS IPS acts as an in-line intrusion prevention sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages or Security Device Event Exchange (SDEE). The network administrator can configure Cisco IOS IPS to choose the appropriate response to various threats. The Signature Event Action Processor (SEAP) can dynamically control the actions taken by a signature event on the basis of parameters such as fidelity, severity, or target value rating. These parameters have default values but can also be configured through the CLI. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:
1) Send an alarm to a syslog server or a centralized management interface
2) Drop the packet
3) Reset the connection
4) Deny traffic from the source IP address of the attacker for a specified amount of time
5) Deny traffic on the connection for which the signature was seen for a specified amount of time
Cisco developed its Cisco IOS software-based intrusion-prevention capabilities and Cisco IOS
Firewall with flexibility in mind, so that individual signatures could be disabled in case of false
positives. Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support
network security policies. However, each of these features may be enabled independently and
on different router interfaces.
Signatures:
A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks. We can easily install signatures using IDS and IPS management software such as Cisco IDM. Sensors enable us to modify existing signatures and define new ones.
As sensors scan network packets, they use signatures to detect known attacks and respond with predefined actions. A malicious packet flow has a specific type of activity and signature, and an IDS or IPS sensor examines the data flow using many different signatures. When an IDS or IPS sensor matches a signature with a data flow, the sensor takes action, such as logging the event or sending an alarm to IDS or IPS management software, such as the Cisco SDM.
ISMAIL H P Page 1
The following commands are used while configuring the router for IPS:
Command: ip ips signature-category
Function: Enters IPS category configuration mode.
Example: Router(config)# ip ips signature-category

Command: category all
Function: Specifies that all categories (and all signatures) are retired in the following step, and enters IPS category action configuration mode.
Example: Router(config-ips-category)# category all

Command: category ios_ips basic
Function: Specifies the basic category (and a set of signatures) that are to be "unretired" in the following step.
Example: Router(config-ips-category)# category ios_ips basic

Command: retired {true | false}
Function: Specifies whether the device should retire all signatures within the selected category. true retires all signatures within the given category; false "unretires" all signatures within the given category.
Example: Router(config-ips-category-action)# retired true

Command: mkdir flash:/ips5
Function: Creates a directory in which Cisco IOS IPS saves signature information.
Example: Device# mkdir flash:/ips5

Command: ip ips name ips-name
Function: Creates an IPS rule with the given name.
Example: Device(config)# ip ips name myips

Command: ip ips ips-name {in | out}
Function: Applies an IPS rule at an interface and automatically loads the signatures and builds the signature engines.
Example: Device(config-if)# ip ips MYIPS in
We use the following topology for the present case.
Configuring PC0
Configuring PC1
Configuring SERVER0
A serial interface must be added to each router before it is configured.
Configuring Router0
Configuring Router1
Configuring Router2
We need to set up the routing table in all the routers so that each node can send packets to and receive packets from the others (RIP is configured on all the routers as follows).
Router0
Router1
Router2
Now we can check connectivity by sending ping commands from any node to any other node.
So we conclude that connectivity has been established.
Part 1: Enable the IOS IPS (on Router1)
Type the following command in the CLI mode of Router1
Router#show version
The output shows whether the security package is enabled or not.
As seen above, the security package is not enabled. To enable the security feature, type the following commands on Router1:
Router(config)#license boot module c1900 technology-package securityk9
Router(config)#exit
Router#
Router#reload
Router>enable
Router#
Router#show version
The output now shows whether the security package is enabled or not.
As seen above, the security package has now been enabled.
Now type the following commands in the CLI mode of Router1:
Router#clock set 11:47:56 MARCH 3 2020
Router#mkdir smile
Router#configure terminal
Router(config)#ip ips config location flash:smile
Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#ip ips signature-category
Router(config-ips-category)#category all
Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit
Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit
Router(config)#interface Serial0/1/0
Router(config-if)#ip ips iosips out
Router(config-if)#exit
Router(config)#
Part 2: Modify the Signature
Type the following commands in the CLI mode of Router1
Router(config)#
Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enabled true
Router(config-sigdef-sig-status)#exit
Router(config-sigdef-sig)#engine
Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit
Router(config)#
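The Part 1 and Part 2 command sequences above can be rendered from a few parameters so that the mode nesting (category, category action, signature definition, status and engine sub-modes) and the argument values are checked before anything is typed on the router. The following Python helper is an added example for this journal, not code from the journal or from Cisco; the function and parameter names (build_ips_config, rule_name, config_dir, signatures) are this example's own choices. The event-action keywords beyond the two used in Part 2 are the other standard IOS IPS actions.

```python
"""Render the IOS IPS CLI steps from Parts 1 and 2 as one ordered script.

Added example for this lab journal, not code from the journal or from Cisco.
The function and parameter names are this example's own choices.
"""

VALID_DIRECTIONS = ("in", "out")

# Event actions accepted by the IOS IPS signature engine. The first two are
# the ones used in Part 2; the rest are the other standard IOS IPS actions.
VALID_ACTIONS = frozenset({
    "produce-alert",
    "deny-packet-inline",
    "deny-connection-inline",
    "deny-attacker-inline",
    "reset-tcp-connection",
})


def build_ips_config(rule_name, config_dir, interface, direction, signatures):
    """Return the CLI lines, in order, that enable IOS IPS with the
    ios_ips basic category and then tune individual signatures.

    signatures is an iterable of (sig_id, subsig_id, [event-actions]).
    Every argument is validated before any line is produced, so a typo
    such as direction="both" fails here instead of on the router.
    """
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"direction must be one of {VALID_DIRECTIONS}, got {direction!r}")
    if not rule_name or " " in rule_name:
        raise ValueError("rule name must be a single word")
    sig_lines = []
    for sig_id, subsig_id, actions in signatures:
        unknown = set(actions) - VALID_ACTIONS
        if unknown:
            raise ValueError(f"unknown event-action(s) for signature {sig_id}: {sorted(unknown)}")
        sig_lines += [
            f"signature {sig_id} {subsig_id}",
            "status",
            "retired false",      # bring the signature back from the retired set
            "enabled true",       # and switch it on
            "exit",
            "engine",
            *[f"event-action {a}" for a in actions],
            "exit",
            "exit",
        ]
    lines = [
        f"mkdir flash:{config_dir}",                  # privileged EXEC mode
        "configure terminal",
        f"ip ips config location flash:{config_dir}",
        f"ip ips name {rule_name}",
        "ip ips notify log",                          # alerts go to syslog
        # Retire every category first, then unretire only ios_ips basic so
        # the router loads a signature set small enough for its memory.
        "ip ips signature-category",
        "category all",
        "retired true",
        "exit",
        "category ios_ips basic",
        "retired false",
        "exit",
        "exit",
        f"interface {interface}",
        f"ip ips {rule_name} {direction}",
        "exit",
    ]
    if sig_lines:
        lines += ["ip ips signature-definition", *sig_lines, "exit"]
    lines.append("end")
    return lines


def lab_config():
    """The exact parameters used on Router1 in this practical."""
    return build_ips_config(
        rule_name="iosips",
        config_dir="smile",
        interface="Serial0/1/0",
        direction="out",
        signatures=[(2004, 0, ["produce-alert", "deny-packet-inline"])],
    )


if __name__ == "__main__":
    print("\n".join(lab_config()))
```

Running the script prints the lines in the order they are entered on Router1; set the router clock first, as Part 1 does, because the signature files are time-stamped when the directory is populated. Signature 2004 subsignature 0 is the ICMP echo request signature, which is why the ping test that follows is the verification step.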
Now we need to verify the above IPS configuration. We do this first by pinging from PC1 to SERVER and then from SERVER to PC1.
PC1 to SERVER
The ping FAILS
SERVER to PC1
We can also open the Syslog service on the SERVER to check the logged activity.
Hence we have configured the IPS on Router1 and verified it.
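Because `ip ips notify log` sends every signature match to syslog, the SERVER's log is where the dropped pings show up. The following Python parser is an added example for this journal, not code from the journal, from Cisco or from Packet Tracer; it reads %IPS-4-SIGNATURE lines, extracts the signature, severity, source and destination, and counts alerts per source so that a repeatedly matching host stands out. The sample log lines and IP addresses are constructed to follow the IOS IPS syslog message format and were not captured from the lab; the function names are this example's own.

```python
"""Parse the IOS IPS alerts that `ip ips notify log` sends to the syslog
server and summarise them per source host.

Added example for this lab journal, not code from the journal, from Cisco
or from Packet Tracer. SAMPLE_LOG is constructed to follow the
%IPS-4-SIGNATURE message format; it was not captured from the lab.
"""
import re
from collections import Counter

# Constructed sample: four echo requests from one host, one unrelated
# syslog line, and one echo request from a second host.
SAMPLE_LOG = """\
*Mar  3 11:52:10.123: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.10:8 -> 192.168.3.2:0] VRF:NONE RiskRating:25
*Mar  3 11:52:11.125: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.10:8 -> 192.168.3.2:0] VRF:NONE RiskRating:25
*Mar  3 11:52:12.127: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.10:8 -> 192.168.3.2:0] VRF:NONE RiskRating:25
*Mar  3 11:52:13.129: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.10:8 -> 192.168.3.2:0] VRF:NONE RiskRating:25
*Mar  3 11:53:40.001: %SYS-5-CONFIG_I: Configured from console by console
*Mar  3 11:54:02.500: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.11:8 -> 192.168.3.2:0] VRF:NONE RiskRating:25
"""

# One regex for the alert body; VRF and RiskRating are optional because
# older IOS releases omit them.
ALERT_RE = re.compile(
    r"%IPS-(?P<level>\d)-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))?(?: RiskRating:(?P<risk>\d+))?"
)


def parse_ips_alerts(log_text):
    """Return one dict per %IPS-4-SIGNATURE line; other syslog lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("level", "sig", "subsig", "sev", "sport", "dport"):
            d[key] = int(d[key])
        d["risk"] = int(d["risk"]) if d["risk"] is not None else None
        alerts.append(d)
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source address (the host the signature fired on)."""
    return Counter(a["src"] for a in alerts)


def noisy_sources(alerts, threshold):
    """Sources that tripped at least `threshold` alerts, most active first."""
    counts = alerts_by_source(alerts)
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    found = parse_ips_alerts(SAMPLE_LOG)
    for a in found:
        print(f"sig {a['sig']}/{a['subsig']} {a['name']!r}: "
              f"{a['src']} -> {a['dst']} (risk {a['risk']})")
    print("sources over threshold:", noisy_sources(found, 3))
```

To use it against the lab, paste the lines shown by the SERVER's Syslog service into SAMPLE_LOG, or read them from a file; the per-source count is the quickest way to confirm that the failed PC1 pings were dropped by signature 2004 rather than by a routing problem.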