Cisco IOS IPS on 2811

Similar Messages

• Cisco IOS IPS in Cisco 2921/k9 router

  Hi All,
  I have a router of Cisco 2921 series (C2921/K9) basic box with IP BAse IOS image (SL-29-IPB-K9 IOS). I would like to enable IOS Level IPS feature on this Router now. Based on the Cisco Document i have found i need to purchase an additonal subscripton license to enale the IPS feature. My querry is-
  Will it support on the Basic IP Base IOS or do i need to change the IOS?
  If i need to purchase the Subscription Licesne, how can i get the part number and cost for the same?
  Do i need to buy any addtional module for this like (NME-IPS-K9) ?
  Thanks in advance for your quick support
  regards
  Sunny

  Hi Sunny
  1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
  2. Correct, the modules and appliances run a different kind of software and are much more powerful
  3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
  I hope this helps, let us know.
  regards
  Herbert
  jacob.samuel wrote:Dear Herbert,Thanks alot for the wonderful post. It clear most of my doubts. Still i kindly need to know few more points-1)  Cant we enable IPS Feature on 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without signature subscription license (is it a must? it is for getting updates of signatures and for support only, right?)2)  I came to know from a distributor pre-sales engineer that the Cisco IOS Level Intrusion Protection is not going to provide the full feature of IPS like NME module or IPS Applinace. Is that right?3)  If i add NME-IPS-K9 Module to my 2921 Router, without enabling Sec License, can i enable IPS feature on the Router. Or is it a must that i need to buy Sec License (SL-29-SEC-K9)?Attaching the Datasheet of NME-IPS-K9 module (Page num 5 above Table 3) mentione as follows-Cisco IOS Software Feature Sets and ReleaseTable 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841,
  2800 and 3800 series Integrated Services Routers Note that, IPS NME on the Cisco 2900 and 3900 Integrated
  Services Routers does not require a Security Feature license.
  In that case if i buy a module i can install it on the 2921K9 box directly and can enable the IPS feature right? I dont need any License and additonal signature subscription here to enable the IPS feature (if i dont need signature updates and support) right?
  thanks alot for the support.
  regards
  Sunny

• Cisco IOS IPS - How to manage signatures?

  Hello everyone,
  I'd like to efficiently tune signatures in IOS IPS on one router, a 1941. Available options I found are:
  CLI: not efficient to tune a group of signatures (example: Windows OS)
  CCP 2.7 (Windows GUI): best tool I know, but not efficient, since:
  a bit bugged (sometimes won't work on some computers)
  needs IE9 to work fine, thus excluding its use on W8/W8.1
  turnaround to use onIE10/IE11 won't always work (one computer refuses to keep compatibility view settings, for example)
  not able to efficiently sort signatures, using several criteria (main drawback)
  not able to exclude sets of signatures - like compile failed signatures
  CCP 2.8: only available in express version. I installed it, but did not see a tab about signature tuning ...
  Cisco Security Manager is complete overkill, since it needs a license and a server. Not simple to tune IPS on only one router ;-)
  IPS Manager Express: seems a nice tool, but mainly designed for IPS sensors and firewalls, and not able to tune signatures for a router.
  So, if one of you has an idea about a tool, whether Cisco or 3rd party, running preferably on Windows, it is very velcome!
  Thanks!

  Hello Will,
  I have only played with the CLI and with that I was able to selective enable the signatures I wanted (even using the sub-id intentifier), changed the action,compile the ones required, etc.
  If this is what you are looking for when refering to tune signatures CLI will be fine, if more than that is needed well you have all of the software that you could use.
  No other software available
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• Cisco IOS IPS ?

  Hi,
  I am currently studying CCSP SNRS by Greg Bastien. I have the following Lab scenario and would like clarification on what I am seeing. I want to verify that my IPS setup is working, so I have run 'angry ip' port/ip address scan at the router. When I use 'sh ip ips statistics' I see 'signature 3051:1 packets checked: [0:1]' which translates to 'TCP Connection Window Size DoS ATOMIC.TCP'.
  Is this signature 3051 an indication that the router has seen the IP scan ? and considered this a reconnassaince attack. Are there any other ways of verifying the attack ?

  Hi,
  If you see signature alert messages, then it means there is a match and IPS fires an alert message which is the default setting of a signatures.
  In your case, it only means that the 3051:1 signature saw one packet matching, so it just recorded the information. For this signature to fire (which means for ips to identify an attack, it has to check other parameters as well).
  If you look into the details of the definition of this signature, it has a global summary threshold and summary interval settings. Which means the ips has to see this signature match within the summary interval for the number of times defined in the summary threshold, then it will validate a signature match, thus send alarm and perform actions defined in the signature.
  So in your case, it just shows there is a packet matching this signature. You might be able to find more detailed information if you run a sniffer and capture your "angry ip' traffic sent to the router.
  Thanks,
  -Chris

• Problems with adding IOS IPS to IPS MC

  Hi,
  We are having problems in adding Cisco IOS IPS (Running on Cisco 1701,12.3(14)T2) into IPS-MC (Version: 2.1.0).
  The IPS MC is able to create the Trust Point on the Router and the Router is also able to download the IPS-MC certificate chain. However after that the process fails with the error
  ++++++++++++++++++++
  Import of sensor x.x.x.x failed.
  Error : Error importing configuration files from the sensor - Unable to import sensor config from IOS IPS: null
  ++++++++++++++++++++
  Any ideas ?
  Thanks \\ Naman

  I am having the same issue and open TAC case for several days..with 1841 and 2811's..same software and IOS
  It works with advipservices but not with advsecurity

• IOS IPS/IDS on a BGP Peering Router?

  We have a pair of BP peerings between our network and our upstream service provider.  Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
  Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points.  Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs.  We also observed that some upstream service provider web sites became inaccessible to our users.  Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
  Three questions:
  Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
  Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
  Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)

  Hello Bill,
  1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that with this scenarios (Asymetric routing not something good to any kind of security device)
  2) Yes, it will close the connections, I will definetly need to look for specific actions regarding that but you could just check the IOS IPS Signature statistics  on your router , see which is the one triggering the most and then see the action configured for it (and change it if required)
  3) If you cannot change that behavior then it would be safe to tell the router is not a good place to set an IPS or any other kind of firewall configuration unless you set with a weaker security policy (useless from a security standard point of view)
  Check my blog at http:laguiadelnetworking.com for further information.
  Cheers,
  Julio Carvajal Segura

• IOS IPS auto-update

  Hi,
  I have a couple of questions I hope people could answer:
  1) What recommendations/options are available for downloading signature files to a HTTP/TFTP server prior to having the IOS IPS device pull them from the server?  Is their a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
  2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
  Hoping someone could answer these or help point me in the right direction to find the answer out.
  regards M

  I found this link with answers my one question.
  Cisco IOS Intrusion Prevention System (IPS)
  Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

• 1841 IOS IPS online updates

  Hi,
  Can we configure 1841 IOS IPS to get automatic signature updates directly from cisco site. I know we can do it in other firewalls like sonicwall, fortigate, etc.
  Regards
  Siva K

  Hi  Siva,
  Yes you can do it from the Cisco Security Manager , or you can try
  Automatic Signature Update Guidelines
  When enabling automatic signature updates, it is recommended that you ensure
  the following configuration guidelines have been met:
  * The router's clock is set up with the proper relative time.
  *The frequency for Cisco IOS IPS to obtain updated signature information has
  been defined.
  *The URL in which to retrieve the Cisco IOS IPS signature configuration files
  has been specified.
  *Optionally, the username and password for which to access the files from the
  server have been specified.
  SUMMARY STEPS
  1. enable
  2. configure terminal
  3. ip ips auto-update
  4. occur-at min:hour date day
  5. username name password password
  6. url url
  7. exit
  8. show ip ips auto-update
  http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1079125
  regards
  Yesua

• 2811 IOS IPS VMS Configuration

  I have several already deployed 2811 that I'd like to turn on the IPS feature. IOS firewall is already running. We also have just deployed VMS. Is there any order that need to be followed to get these into VMS. Should I import them into Router MC or IDS MC first? IDS MC documentation isnt clear to me setting up IOS IPS.
  thanks in advance

  No particular order (that I am aware of).
  As far as Security Monitor to monitor IDS Alerts, I choose the hard way and just manually added each of our devices, tedious but all is working.
  As far as Performance Monitor, I imported from RME
  The bulk of our routers run 12.3(11)T and 12.3(11)T2.
  We have a ton of 831's and I choose for them to send alerts via PostOffice rather than waiting for collections via SDEE because the memory in the 831's (48MB) are already just about maxed out (Regularly over 80%) just running the daily needed applications (VPN and CBAC). We have some 1700s and 2600s out in the field too that are not as taxed.
  if you choose the PostOffice route (or test it out) then here are the commands and steps you need:
  First add the device in Security Monitor to use PostOffice
  then from the router console, ssh, etc........
  ip ips notify nr-director
  ip ips po max-events 100
  ip ips po remote hostid [VMS Host ID#] orgid [ORG #] rmtaddress [VMS IP Address] localaddress [Router IP Address] port 45000
  ip ips po local hostid [Router Host ID#] orgid [Org ID#]
  exit
  write mem
  reload
  Once you reload it will send an initial packet to VMS and the router will register as 'Connected' in Sec Monitor.
  You should make sure that the 'ip ips po' commands are accepted in your IOS version
  I don't know what your memory consumption is like in your 2800 Router but the config for SDEE Event Collection is much less involved. If your router has resources to spare this is the way to go.

• ISE 1.1.3 en Cisco IOS SCEP

  Hi,
  I'm running Cisco ISE 1.1.3.124 and a Cisco IOS 2811 (c2800nm-spservicesk9-mz.150-1.M2.bin) which I configured the be a SCEP server.
  PKI Authentication and enrollment of a Cisco switch with this SCEP server is running well but BYOD clients enrollment via EAP-TLS (1024/2048) giving me the following error on the Cisco IOS SCEP server:
  SCEP#
  .Mar 17 15:21:59.446: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
          Protocol = HTTP/1.1 Method = GET Query = operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgU
  AMIAGCSqGSIb3DQEHAaCAJIAEggPoMIAGCSqGSIb3DQEHA6CAMIACAQAxggEvMIIBKwIBADATMA4xDDAKBgNVBAMTA2lzZQIBA
  TANBgkqhkiG9w0BAQEFAASCAQAmbK6WZ5L6gw+uh7h4Qi53XL76QsBNcY8E6cMxWDp8hWbLvujNOylSvJLF
  .Mar 17 15:21:59.446:
  .Mar 17 15:21:59.454: CRYPTO_CS: received a SCEP request, 3652 bytes
  .Mar 17 15:21:59.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_10  
  .Mar 17 15:21:59.482: CRYPTO_CS: scep msg type - 19
  .Mar 17 15:21:59.482: CRYPTO_CS: trans id - 9871e81c65121310b77df8b341c7c887a5392da2
  .Mar 17 15:21:59.486: CRYPTO_CS: failed to open env data
  .Mar 17 15:21:59.486: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_10  
  .Mar 17 15:21:59.486: CRYPTO_CS: failed to read SCEP request
  .Mar 17 15:21:59.502: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
  SCEP#
  I'm stuck now on the message: failed to open env data. So can anyone explain what the meaning is of this message or maybe know if IOS SCEP with ISE is supported ?
  Thanks in advance.
  greetz Michel
  btw the tracelog of the switch enrollment with IOS SCEP is below:
  SCEP#
  .Mar 17 14:57:10.932: Sun, 17 Mar 2013 14:57:10 GMT 10.0.0.161 /cgi-bin/pkiclient.exe ok
          Protocol = HTTP/1.0 Method = GET Query = operation=PKIOperation&message=MIIGWgYJKoZIhvcNAQcCoIIGSzCCBkcCAQExCzAJBgUrDgMCGgUAMIIDAAYJKoZI
  hvcNAQcBoIIC8QSCAu0wggLpBgkqhkiG9w0BBwOgggLaMIIC1gIBADGBujCBtwIB
  ADAgMBsxGTAXBgNVBAMTEGNhLndlc3R3aWp6ZXIubmwCAQEwDQYJKoZIhvcNAQEB
  BQAEgYAo/LNaINm+tcgzF8V8d7d5x
  .Mar 17 14:57:10.932:
  .Mar 17 14:57:10.936: CRYPTO_CS: received a SCEP request, 2210 bytes
  .Mar 17 14:57:10.940: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1   
  .Mar 17 14:57:10.948: CRYPTO_CS: scep msg type - 19
  .Mar 17 14:57:10.948: CRYPTO_CS: trans id - 59D142A6D0F525668626A435229BAAF1
  .Mar 17 14:57:11.040: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1   
  .Mar 17 14:57:11.040: CRYPTO_CS: received an enrollment request
  .Mar 17 14:57:11.040: CRYPTO_PKI: creating trustpoint clone ise1
  .Mar 17 14:57:11.040: CRYPTO_CS: checking policy for enrollment request ID=1
  .Mar 17 14:57:11.040: CRYPTO_CS: request has been authorized, transaction id=59D142A6D0F525668626A435229BAAF1
  .Mar 17 14:57:11.040: CRYPTO_CS: locking the CS
  .Mar 17 14:57:11.040: CRYPTO_CS: added CDP extension
  .Mar 17 14:57:11.044: CRYPTO_CS: added key usage extension
  .Mar 17 14:57:11.044: CRYPTO_CS: Validity: 13:57:11 UTC Mar 17 2013-13:57:11 UTC Oct 3 2013
  .Mar 17 14:57:11.128: CRYPTO_CS: writing serial number 0x2.
  .Mar 17 14:57:11.180: CRYPTO_CS: file opened: nvram:ise.ser
  .Mar 17 14:57:11.180: CRYPTO_CS: Writing 32 bytes to ser file
  .Mar 17 14:57:13.864: CRYPTO_CS: reqID=1 granted, fingerprint=2
  .Mar 17 14:57:13.864: CRYPTO_CS: unlocking the CS
  .Mar 17 14:57:13.864: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1   
  .Mar 17 14:57:13.984: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1   
  .Mar 17 14:57:13.988: CRYPTO_CS: Certificate generated and sent to requestor
  .Mar 17 14:57:13.988: CRYPTO_CS: removing trustpoint clone ise1

  Michel,
  Officially supported it is not:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud86973
  Some people mentioned varios degrees of "having it working".
  In your case it's the envelope data which appears to be a problem for IOS.
  M.

• Is there a way to automate IOS IPS signature updates without CSM?

  I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
  I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier becasue it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
  Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wron "warnings" that CSM spews.
                 Thanks in advance!

  From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
  Here is the configuration guide for your reference:
  http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

• Correct procedure to update IOS IPS signatures on 2911 router

  What is the correct procedure to update the IOS IPS signatures on an 2911 router?
  I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
  Thank you in advance!

  The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature as documented.
  The reason why is because the package might include retired/old signatures only for references, and not every single signature is required to protect your environment because you might not have the traffic for some signatures, you might not have some end hosts that are written with specific signatures, therefore, it becomes irrelevant if you enable it.
  Typically here is how customer would enable/disable signatures:
  - Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
  - Monitor it for a couple of months
  - Disable those that you don't need, and enable others if you think you require it for specific.

• Which interface to apply IOS IPS

  Hello,
  I have IOS IPS installed on 4 routers on our network at different sites.  They are 2911 routers, with 2GB ram and i am using the latest signatures from cisco.  Everything is working fine.  I have enabled the basic signatures.  At the moment the ips policy is only applied to the wan interface and not the lan. So in summary:
  interface serial0/0     (wan link)
  ip address x.x.x etc
  ip ips mypolicy in
  ip ips mypolicy out
  exit
  According to cisco i should not bother applying ip ips mypolicy out on the wan interface (serial0/0) but should have ip ips mypolicy in on the fa0/0
  lan interface aswell as the serial0/0 interface.
  interface fa0/0          (lan traffic)
  NO IPS POLICY IN HERE AT THE MOMENT
  anyone got experience on this?
  regards
  Kevin

  Hi Kevin,
  I would say that you have done the right thing, since router are limited in memory we should not enable a lot of signatures and also try to limit the scanning to traffic that we actually need to be scanned.
  In what you have done any traffic that in entering or leaving the WAN interface will be scanned.
  Now if there are more interfaces on your router and you want the traffic between the interfaces to be scanned as well in that case only you should enable IPS on those interfaces.
  Most of the times it is not needed.
  Regards,
  Sachin

• IOS IPS and SDM 2.2.a

  Hello everybody!,
  I have installed a Cisco 2821 Router with 12.4(4)T IOS version. And SDM V2.2.a. (enteprise service IOS image).
  The router have 256MB Ram and 64MB flash memory.
  From the SDM Interface cannot upload any .sdf file and cannot edit the signatures and tune de IOS IPS.
  Do you know how i can fix that problem?.
  Thanks for the answers friends.

  Hi,
  To add more info, here is the info on defect filed on SDM for RCP issue and workaround suggested.
  Symptoms:
  Issue 1) Installation of SDM version 2.2a or earlier on a router fails with RCP failure message.
  Issue 2) "Load File from PC" feature of File Management dialog in SDM version 2.2a or earlier
  fails.
  Conditions:
  These issues will be encountered for IOS images 12.4(4)T and above.
  SDM uses RCP for installation operations. This problem occurs because the fix for CSCdu34824 in
  recent Cisco IOS releases has changed RCP behavior. Because of this change, if the RCP client
  uses a non-privileged port , the router RCP server does not respond and the above issues occur.
  Workaround:
  1) For Issue 1 :- Use the copy tftp flash command to copy SDM related files from PC to router.
  2) For Issue 2 :- Use the copy tftp flash command to copy the required file from PC to router.

• IOS IPS basics

  I'm pretty new to managing IPS. My co is looking at deploying a large number of this and i'm suppose to manage it. i got a few questions
  1. are the available signature in default IOS IPS enough? i fired rentina to an old redhat version OS but i find that the results from IOS IPS is pretty generic.it detects non valid http traffic over ssl but not the vulnerablities used, and it does even detects nmap non tcp port scanning
  2.do you recommend using the default IOS IPS signatures ? if no, any recommendations & standards to follow ?
  3. Any guidance on custom signature development on IOS IPS ?
  4. Any method to manage large numbers of IOS IPS rules/singatures on a single console ? So i can push the signature from a single console to each and every routers. if not, it is possible to copy the signature folders over all the routers to get the same sets on signature on the routers?
  Appreciate any useful informations. Thanks in advance

  1. The Built-in signatures are pretty old and mostly worthless, you may want to disable them and use the latest Signature File available for the IOS-IPS. Your memeory will be the constraining factor as to how many signature you can have enabled.
  2. The signature defaults are a starting place. You will have to spend time doing the analysis of events to see if they're false positives (and many will be) and tune them down, or more likely disable them.
  3. Each signature engine has a fixed 64MB of memory. Turn on too many within that engine (including your custom sigs) and you won't get any. Watch the console log when enabling IPS to see if your build is failing. Some sigs eat more memory than others.
  4. If you have money to burn you can buy Cisco's CSM 3.1, or else keep your signature file(s) on an FTP/TFTP/SCP server and copy them to your routers as needed.