IOS IPS 3845 router

The IOS IPS keeps failing. For some reason it sends the alerts to MARS and then all of a sudden the IPS is disabled on the interface. This config was done through SDM.

CS-MARS also integrates tightly with Cisco's premier security management suite, Cisco Security Manager (CSM). This tight integration maps traffic-related syslog messages to the firewall policies defined in CSM that triggered the event. Policy lookup enables rapid, round-trip analysis for troubleshooting firewall configuration-related network problems, policy configuration errors, and fine-tuning defined policies.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_tech_notes_list.html

Similar Messages

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on an 2911 router?
I know how to download the signatures file (e.g. IOS-S556-CLI.pkg), but what is the correct way to install the update?
    Thank you in advance!

The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling many more signatures, and especially not every single signature, as documented.
The reason is that the package might include retired/old signatures only for reference, and not every single signature is required to protect your environment: you might not have the traffic for some signatures, or you might not have the end hosts that specific signatures are written for, so enabling them becomes irrelevant.
Typically, here is how customers would enable/disable signatures:
- Use the default signatures that are enabled by Cisco (the default should fit the majority of customers).
- Monitor it for a couple of months.
- Disable those that you don't need, and enable others if you think you require them for something specific.

  • IOS IPS/IDS on a BGP Peering Router?

We have a pair of BGP peerings between our network and our upstream service provider. Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network, we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
    Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points.  Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs.  We also observed that some upstream service provider web sites became inaccessible to our users.  Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
    Three questions:
    Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
    Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
    Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)

    Hello Bill,
1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that in these scenarios (asymmetric routing is not something good for any kind of security device).
2) Yes, it will close the connections. I will definitely need to look for the specific actions regarding that, but you could just check the IOS IPS signature statistics on your router, see which is the one triggering the most and then see the action configured for it (and change it if required).
3) If you cannot change that behavior then it would be safe to say the router is not a good place to set an IPS or any other kind of firewall configuration, unless you set it with a weaker security policy (useless from a security standpoint).
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura
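To make the answer to questions 1 and 2 concrete, here is an added illustration (not Cisco code and not from this thread) of why a stream normalizer misbehaves under asymmetric routing: a minimal TCP handshake tracker is fed one constructed HTTP connection twice, once seeing both directions and once seeing only the client-to-server half. The state names and the rule "data on a connection whose handshake was never completed is out of state" are this example's simplifications, not the IOS IPS implementation.

```python
"""Handshake tracker fed a constructed HTTP connection, symmetric vs asymmetric.

Added illustration, not Cisco code.  The state machine and the out-of-state
rule are simplifications of what an inline normalizer does before it
reassembles a stream; they are enough to show the effect described above.
"""

SYN, ACK, PSH = 0x02, 0x10, 0x08


def flow_key(pkt):
    """Direction-independent key so both halves of a connection share one entry."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


class HandshakeTracker:
    def __init__(self):
        self.state = {}      # flow key -> NONE / SYN_SENT / SYN_RCVD / ESTABLISHED
        self.initiator = {}  # flow key -> (ip, port) that sent the first SYN

    def observe(self, pkt):
        """Return 'ok' or 'out-of-state' for one packet."""
        key, flags = flow_key(pkt), pkt["flags"]
        st = self.state.get(key, "NONE")
        from_initiator = self.initiator.get(key) in (None, (pkt["src"], pkt["sport"]))
        if flags & SYN and not flags & ACK:            # client opens the connection
            self.state[key] = "SYN_SENT"
            self.initiator[key] = (pkt["src"], pkt["sport"])
            return "ok"
        if flags & SYN and flags & ACK:                # server answers the SYN
            if st == "SYN_SENT" and not from_initiator:
                self.state[key] = "SYN_RCVD"
                return "ok"
            return "out-of-state"
        if st == "SYN_RCVD" and from_initiator and flags & ACK:
            self.state[key] = "ESTABLISHED"            # third leg of the handshake
            return "ok"
        if st == "ESTABLISHED":
            return "ok"
        # Data or a bare ACK on a connection whose handshake was never completed:
        # the condition that leads a normalizer to suspect injection and act on
        # the connection (the "IOS IPS closes the connection" effect above).
        return "out-of-state"


def http_connection():
    """Constructed packets of one HTTP request/response, in wire order."""
    c, s = ("10.1.1.5", 51000), ("203.0.113.20", 80)

    def p(src, dst, flags):
        return {"src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1], "flags": flags}

    return [p(c, s, SYN), p(s, c, SYN | ACK), p(c, s, ACK),      # handshake
            p(c, s, PSH | ACK), p(s, c, PSH | ACK), p(c, s, ACK)]  # GET, 200 OK, ack


def run(asymmetric):
    """Feed the connection through a fresh tracker; drop server->client packets if asymmetric."""
    tracker, verdicts = HandshakeTracker(), []
    for pkt in http_connection():
        if asymmetric and pkt["sport"] == 80:
            continue                       # return path takes another router: never seen here
        verdicts.append(tracker.observe(pkt))
    return verdicts


if __name__ == "__main__":
    print("symmetric :", run(asymmetric=False))
    print("asymmetric:", run(asymmetric=True))
```

With both directions visible every packet is in state; with only the client half visible the tracker is stuck in SYN_SENT, so the client's ACK and its request data are judged out of state.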

  • 3845 router and ios 15.1(4)m9

Who can tell me if it is needed to purchase a license for IOS 15.1(4)M9 which is going to be installed on a Cisco 3845 router?

    Dear Customer,
Unfortunately your question was raised in the wrong support forum.
    Cisco ServiceGrid is part of Software Enabled Services. We provide Integration Services.
    However, you can raise your question in the right forum: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
    Our hardware professionals will be happy to provide you any answer you need.
    thanks
    Patrick

  • CSM3.1 device addition of IOS IPS router

Upon adding an IOS IPS device running C2800NM-ADVIPSERVICESK9-M, Version 12.4(15)T1, and 5.x-303 release signatures, CSM 3.1 does not display it as an IPS-enabled device. The device in question (2821) has a stand-alone config and 5.x advanced signatures functioning properly.
In the device properties of CSM 3.1 for said 2821, IPS is a feature but is grayed out. I have successfully added 2 ADSM modules from our 6513's and it displays them as IPS devices and I can add/deploy signatures to these devices. However, CSM 3.1 does not recognize the 2821 as an IOS IPS device and I cannot add/deploy to this device. What am I missing here?

In this case you will need to create a new device in CSM (using the Add Device option) and discover the device for the IOS IPS policies to show up. Just doing a rediscovery of an existing IOS device will not show the IOS IPS policies. This is because CSM treats the IOS IPS device as a different target type than an IOS device.

  • 3845 Router does not work with NME-X23ES-1GP Interface card

    Need help!
    I am trying to install the interface card NME-X 23ES-1GP on a 3845 Router. I installed this card in slot 4, but the router could not communicate with this card.
    IOS version on the router: 12.3
    Here are the results of the show diag command:
    Slot 4:
    Unknown (type 1187) Port adapter
    Port adapter is disabled deactivated
    Port adapter insertion time unknown
    EEPROM contents at hardware discovery:
    Hardware Revision : 1.0
    Top Assy. Part Number : 800-25011-01
    Board Revision : A0
    Deviation Number : 0-0
    Fab Version : 03
    PCB Serial Number : FOC090009VC
    RMA Test History : 00
    RMA Number : 0-0-0-0
    RMA History : 00
    Product (FRU) Number : NME-X-23ES-1G-P
    Version Identifier : V01
    Base MAC Address : 0013.8088.9f80
    MAC Address block size : 128
    EEPROM format version 4
    EEPROM contents (hex):
    Possibly IOS release too old?

    Thank you for the link. I read all the information at this link, but I can't solve the problem.
    The commands "show version" and "show flash:" show me the IOS image file version on the router (but not on the interface modules). Here is the router's IOS image:
    c3845-advipservicesk9-mz.123-11.T5.bin
    I can't connect to or open a session on the interface module. The command service-module interface slot/port session doesn't work.
    What should I do next?
    Is it necessary to upgrade the software on the router?
    Here are the results of show version and show flash:
    BIG1#show flash:
    -#- --length-- -----date/time------ path
    1 29801400 Jun 28 2005 04:47:46 +00:00 c3845-advipservicesk9-mz.123-11.T5.bin
    2 1651 Jun 28 2005 04:55:18 +00:00 sdmconfig-38xx.cfg
    3 3085312 Jun 28 2005 04:55:40 +00:00 sdm.tar
    4 763392 Jun 28 2005 04:55:56 +00:00 es.tar
    5 820224 Jun 28 2005 04:56:10 +00:00 common.tar
    6 1038 Jun 28 2005 04:56:24 +00:00 home.shtml
    7 113152 Jun 28 2005 04:56:36 +00:00 home.tar
    8 749101 Jun 28 2005 04:56:52 +00:00 256MB.sdf
    9 1208320 Jun 28 2005 04:57:08 +00:00 ips.tar
    27451392 bytes available (36560896 bytes used)
    BIG1#show version
    Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Sat 02-Apr-05 15:14 by yiyan
    ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)
    BIG1 uptime is 57 minutes
    System returned to ROM by reload at 07:11:45 UTC Tue Jul 12 2005
    System image file is "flash:c3845-advipservicesk9-mz.123-11.T5.bin"
    Cisco 3845 (revision 1.0) with 223232K/38912K bytes of memory.
    Processor board ID FCZ0927714C
    2 Gigabit Ethernet interfaces
    1 Virtual Private Network (VPN) Module
    4 Voice FXS interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    479K bytes of NVRAM.
    62720K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102

  • IOS IPS for blocking IM and P2P

    Any recommendations on the best way to use IOS IPS to stop P2P and IM?
    I set up a 3845 with 12.3(14)T1 to do this by importing signatures from the latest SDF using SDM. I used the attack-drop, and all IM and P2P signatures I could find. I changed them all to drop and reset. I then applied it to the inside interface of a 3845. I also set up nbar with a drop policy for all P2P traffic.
    The configuration caused very slow web response time for users, including blocked pages. Removing the IPS filter made everything work properly again. The router also stopped rebooting periodically.
    Is there a recommended way to set this up that does not cause slow performance and reboots?

    OK, went back and loaded some upgraded software. Now using 12.4.1 Advanced security IOS on the 3845, and SDM 211. The new 256MB.sdf signature file has all the IM and P2P signatures in it already!
    After applying the IPS inbound on the serial interface, I changed the UDP signatures action to drop and the TCP to drop/reset.
    Everything appears to be working beautifully. Yahoo and MSN messenger get dropped, as well as the peer to peer requests. I am unable to download Bittorrent. Web access is fast, and there is no hesitation by the router in configuring the IPS.
    This appears to be a great solution so far.

  • Cisco 3845 Router, SSH, Secure HTTP & CS-MARS

    Hello,
    I have a 3845 router (Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)) on which I have configured SSH access through vty. The problem is that SSH access fails when I try to connect to it using PuTTY. It also fails to connect using ip http secure-server, both from a browser and through CS-MARS (IOS IPS). All user names exist and are working fine with telnet.
    Does IOS 12.3 have issues with SSH and secure HTTP?
    I get this error in MARS:
    "Error in INIT GET. Check the username/password"

    Hi -
    I searched all open/closed TAC cases for you with that error message - I found 1 similar case.
    Here's the results of their case:
    "we managed to fix the issue it was ip http authentication enable command (change to accept local usernames/passwords)."
    Can you review this and see if you need to tell SSH and HTTPs to use the local database?
    Please let us know.
    thxs
    peter

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Which interface to apply IOS IPS

    Hello,
    I have IOS IPS installed on 4 routers on our network at different sites. They are 2911 routers with 2GB RAM, and I am using the latest signatures from Cisco. Everything is working fine. I have enabled the basic signatures. At the moment the IPS policy is only applied to the WAN interface and not the LAN. So in summary:
    interface serial0/0     (wan link)
    ip address x.x.x etc
    ip ips mypolicy in
    ip ips mypolicy out
    exit
    According to Cisco I should not bother applying ip ips mypolicy out on the WAN interface (serial0/0) but should have ip ips mypolicy in on the fa0/0 LAN interface as well as on the serial0/0 interface.
    interface fa0/0          (lan traffic)
    NO IPS POLICY IN HERE AT THE MOMENT
    Anyone got experience with this?
    regards
    Kevin

    Hi Kevin,
    I would say that you have done the right thing; since routers are limited in memory we should not enable a lot of signatures, and we should also try to limit the scanning to traffic that we actually need to be scanned.
    With what you have done, any traffic that is entering or leaving the WAN interface will be scanned.
    Now, if there are more interfaces on your router and you want the traffic between those interfaces to be scanned as well, only in that case should you enable IPS on those interfaces.
    Most of the time it is not needed.
    Regards,
    Sachin

  • IOS IPS and SDM 2.2.a

    Hello everybody!,
    I have installed a Cisco 2821 Router with the 12.4(4)T IOS version and SDM V2.2.a (enterprise services IOS image).
    The router has 256MB RAM and 64MB flash memory.
    From the SDM interface I cannot upload any .sdf file, and I cannot edit the signatures or tune the IOS IPS.
    Do you know how I can fix that problem?
    Thanks for the answers friends.

    Hi,
    To add more info, here is the info on the defect filed on SDM for the RCP issue and the workaround suggested.
    Symptoms:
    Issue 1) Installation of SDM version 2.2a or earlier on a router fails with RCP failure message.
    Issue 2) "Load File from PC" feature of File Management dialog in SDM version 2.2a or earlier fails.
    Conditions:
    These issues will be encountered for IOS images 12.4(4)T and above.
    SDM uses RCP for installation operations. This problem occurs because the fix for CSCdu34824 in recent Cisco IOS releases has changed RCP behavior. Because of this change, if the RCP client uses a non-privileged port, the router RCP server does not respond and the above issues occur.
    Workaround:
    1) For Issue 1 :- Use the copy tftp flash command to copy SDM related files from PC to router.
    2) For Issue 2 :- Use the copy tftp flash command to copy the required file from PC to router.

  • IOS IPS auto-update

    Hi,
    I have a couple of questions I hope people could answer:
    1) What recommendations/options are available for downloading signature files to a HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
    2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
    Hoping someone could answer these or help point me in the right direction to find the answer out.
    regards M

    I found this link, which answers one of my questions.
    Cisco IOS Intrusion Prevention System (IPS)
    Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

  • IOS IPS Signature-File

    Hi Guys,
    We have recently purchased a Cisco ISR 2921, and in its docs it is written that this product has a license for the IOS IPS Signature File, but on the product's flash memory there is no IOS IPS sig-file, and when I try to download the sig-file from Cisco, it fails.
    Can anyone tell me if there is an alternate way to download the sig-file?

    900 active signatures is quite a lot for a system that has no dedicated IPS resources.
    But you can control which and how many signatures get enabled on your router:
    In the following example I first disable all signatures and then enable the ones for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.
    gw#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    gw(config)#ip ips signature-category
    gw(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from Category Mode
      no        Negate or set default values of a command
    gw(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (more sub-categories)
      all                           All Categories
      attack                        Attack (more sub-categories)
      configurations                Configurations (more sub-categories)
      ddos                          DDoS (more sub-categories)
      dos                           DoS (more sub-categories)
      email                         Email (more sub-categories)
      instant_messaging             Instant Messaging (more sub-categories)
      ios_ips                       IOS IPS (more sub-categories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
      network_services              Network Services (more sub-categories)
      os                            OS (more sub-categories)
      other_services                Other Services (more sub-categories)
      p2p                           P2P (more sub-categories)
      reconnaissance                Reconnaissance (more sub-categories)
      releases                      Releases (more sub-categories)
      specially_licensed_signature  Specially Licensed Signature (more sub-categories)
      telepresence                  TelePresence (more sub-categories)
      uc_protection                 UC Protection (more sub-categories)
      viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
      web_server                    Web Server (more sub-categories)
    gw(config-ips-category)#category all
    gw(config-ips-category-action)#retire true
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#category web_server
    gw(config-ips-category-action)#?
    Category Options for configuration:
      alert-severity   Alarm Severity Rating
      enabled          Enable Category Signatures
      event-action     Action
      exit             Exit from Category Actions Mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire Category Signatures
    gw(config-ips-category-action)#retired false
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    gw(config)#
    gw(config)#exit
    gw#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
        Total Active Signatures: 131
        Total Inactive Signatures: 4370
    gw#
    I didn't follow the thread and answered your first post to have less line-breaks in this post.

  • IOS IPS and VMS and shunning

    Installed 12.3.14T2 (advanced security) on a 2811 router with the new VMS update to the IDS Management Center (2.1) to support IOS IPS SDEE event monitoring. When I configure a specific signature, there is no option to shun. Only alert, block or reset. Where do you configure the dynamic shunning or "local shun action" that seems to be in all the "new features" of the IOS IPS?
    Configuring the signature to block, alert or reset works fine. Just no options to shun. Also the IPS device does not show up in the device list under Monitoring on VMS, even though it shows up as a device in Monitoring Center Device Page.
    Maybe this is where the problem may lie.

    IOS versions before 12.3(14)T support the following actions for IOS IPS:
    - alarm
    - drop (drop just the offending packet)
    - reset (reset tcp connection - works for tcp only)
    Version 12.3(14)T and later (including 12.4 versions) added support for the "local shunning" through two different actions:
    - denyFlowInline
    - denyAttackerInline
    DenyFlowInline creates an ACL that drops all traffic on that connection for a certain idle-timeout.
    DenyAttackerInline creates an ACL that drops all traffic from that source address (including other connections from that source address) for a certain idle-timeout.
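To show the difference between the two actions described above, here is an added illustration (not Cisco code and not from this thread): a small in-memory shun table keyed by connection for denyFlowInline and by source address for denyAttackerInline, with the idle timeout modelled as "entry ages out after N seconds without a matching packet". The packet tuples and the 30-second timeout are constructed for the example.

```python
"""Model of the two IOS IPS "local shunning" actions: denyFlowInline and denyAttackerInline.

Added illustration, not Cisco code.  It shows why the attacker action is broader
than the flow action and how an idle timeout (refreshed by every hit) governs expiry.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """A packet reduced to the fields the two actions key on."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)


@dataclass
class ShunTable:
    idle_timeout: float                             # seconds of inactivity before an entry ages out
    flows: dict = field(default_factory=dict)       # denyFlowInline: 5-tuple -> last seen
    attackers: dict = field(default_factory=dict)   # denyAttackerInline: source IP -> last seen

    def deny_flow_inline(self, pkt, now):
        """Shun only the offending connection (the 5-tuple)."""
        self.flows[pkt.flow] = now

    def deny_attacker_inline(self, pkt, now):
        """Shun every packet from the offending source address."""
        self.attackers[pkt.src] = now

    def _expire(self, table, now):
        for key, last_seen in list(table.items()):
            if now - last_seen > self.idle_timeout:
                del table[key]

    def forward(self, pkt, now):
        """True if the packet is forwarded, False if a shun entry drops it.
        A hit refreshes the entry, which is what makes the timeout an *idle* timeout."""
        self._expire(self.flows, now)
        self._expire(self.attackers, now)
        if pkt.src in self.attackers:
            self.attackers[pkt.src] = now
            return False
        if pkt.flow in self.flows:
            self.flows[pkt.flow] = now
            return False
        return True


def demo():
    """Constructed scenario: one offending connection and an unrelated one from the same host."""
    offending = Packet("198.51.100.7", 40000, "192.0.2.10", 80)
    other = Packet("198.51.100.7", 40001, "192.0.2.10", 443)
    r = {}
    t = ShunTable(idle_timeout=30)
    t.deny_flow_inline(offending, now=0)
    r["flow_drops_offending"] = not t.forward(offending, now=1)
    r["flow_allows_other"] = t.forward(other, now=1)          # different 5-tuple, same host
    r["flow_expires_when_idle"] = t.forward(offending, now=40)  # idle 39 s > 30 s: aged out
    t = ShunTable(idle_timeout=30)
    t.deny_attacker_inline(offending, now=0)
    r["attacker_drops_offending"] = not t.forward(offending, now=1)
    r["attacker_drops_other"] = not t.forward(other, now=1)    # same source: also dropped
    r["attacker_refreshed_by_hits"] = not t.forward(other, now=25)  # still hitting, still shunned
    r["attacker_expires_when_idle"] = t.forward(other, now=60)      # idle 35 s > 30 s: aged out
    return r


if __name__ == "__main__":
    print(demo())
```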

  • IOS IPS Signature Updates

    Hi,
    Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
    Thanks and rgds
    Rajesh

    Hi,
    If you have Cisco SDM, then it would be easy to update your IOS IPS signatures. You may need to upgrade the IOS of the router only when the IPS signature requires you to do it.
