This tutorial will guide you through configuring an intrusion prevention system (IPS) on Cisco IOS. An IPS inspects the traffic that passes through the network device and takes corrective action when that traffic matches something it considers dangerous.

One thing to note is that an IPS reacts only to the signatures for which it is configured. Signatures are updated constantly, and the operator must make sure the device has the latest signatures.

For more information about IPS, you can use this resource from the Cisco Press website: http://www.ciscopress.com/articles/article.asp?p=1722559. This should give you enough information to understand how an IPS works.

Regarding the simulation, you have two files:

  • configuring_ips_init.pkt contains the initial topology. The hosts (PC and SERVER) have full connectivity.
  • configuring_ips_final.pkt contains the final configuration. You can use this file to compare against your own configuration.

Regarding the topology, on the subnets where a PC/SERVER is connected, the router’s interface has the IP address whose last octet is .1, and the last octet of the PC’s IP address is .100. The default gateway of the PC is the router’s IP address.

For instance, the subnet with PC_2: PC_2 has the IP address of 10.10.20.100/24 and R3’s interface IP address is 10.10.20.1/24.

Each router has a loopback address in the form of 1.1.1.X/32, where X is the router number. For instance, the loopback address of R3 is 1.1.1.3/32.

Also, each subnet between the routers is written on the topology and every router uses its router number as the last octet. For instance, on the subnet 10.10.12.0/24, R2 has 10.10.12.2/24 and R1 has 10.10.12.1/24.

All three routers are running OSPF in area 0, so the end host and the server will have connectivity between them.

The goal of the simulation is to configure R3 so that it allows ICMP traffic between PC and SERVER only if the PC initiates the ping.

We will consider the subnet 10.10.20.0/24 (the link between R3 and PC_2) as the internal network/secure network.

The IPS signature and sub-signature IDs for ICMP echo requests are 2004 and 0.

In order to test, one thing was preconfigured:

SYSLOG functionality was enabled on SERVER to receive IPS alerts.

Task 1 requirements

  • Start logging to the host 10.10.10.100.
  • Create the IOS IPS directory in flash.
  • Configure the IPS signature location.
  • Configure the IPS rule.
  • Configure IPS to send syslog notifications.
  • Retire all the signatures in the “ALL” category.
  • Unretire the IOS IPS Basic category.
  • Apply the IPS rule to the interface.
  • Unretire and enable the ICMP request signature.
  • Change the signature to drop the packet and send an alert.

Task 1 verification

  1. Connect to SERVER, on the Desktop tab select “Command Prompt”, and issue a ping towards 10.10.20.100. This operation should fail.
  2. Connect to PC_2, on the Desktop tab select “Command Prompt”, and issue a ping towards 10.10.10.100. This operation should succeed, as R3 was configured to allow ICMP traffic only when it is initiated by PC_2.

Task 1 hints

  1. Use the command “logging 10.10.10.100” to start logging to the host 10.10.10.100.
  2. Use the command “mkdir DIR_IPS” to create the directory in flash.
  3. Use the command “ip ips config location flash:DIR_IPS” to configure the IPS signature location.
  4. Use the command “ip ips name RULE_IPS” to configure the IPS rule.
  5. Use the command “ip ips notify log” to send syslog notifications.
  6. Use this configuration to retire all signatures from the “ALL” category and to unretire the IOS IPS Basic category (each category block must be closed with exit before the next category is entered, and the final exit asks you to confirm the changes):

    ip ips signature-category
     category all
      retired true
     exit
     category ios_ips basic
      retired false
     exit
    exit

  7. Use these commands to unretire and enable the ICMP request signature, and to make it drop the packet and produce an alert:

    R3(config)#ip ips signature-definition
    R3(config-sigdef)#signature 2004 0
    R3(config-sigdef-sig)#status
    R3(config-sigdef-sig-status)#retired false
    R3(config-sigdef-sig-status)#enabled true
    R3(config-sigdef-sig-status)#exit
    R3(config-sigdef-sig)#engine
    R3(config-sigdef-sig-engine)#event-action produce-alert
    R3(config-sigdef-sig-engine)#event-action deny-packet-inline
    R3(config-sigdef-sig-engine)#exit
    R3(config-sigdef-sig)#exit
    R3(config-sigdef)#exit
    Do you want to accept these changes? [confirm]
    %IPS-6-ENGINE_BUILDS_STARTED:
    %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
    %IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
    %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms

    R3(config)#
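
The hints above give the commands one at a time and leave out the step that applies the rule to an interface. The following is an added, consolidated R3 session for Task 1 (it is not the tutorial's own .pkt file); it puts the commands in the order IOS expects, including the exits and confirmation prompts, and finishes with show commands you can use on R3 before running the ping tests. The tutorial does not name R3's interfaces, so `<R3_OUTSIDE_IF>` is a placeholder for the interface facing R2, and applying the rule inbound there is an assumption; the final .pkt may place it differently.

```cisco
! Added example, not the tutorial's own configuration. Interface name is a placeholder.
R3#mkdir DIR_IPS
Create directory filename [DIR_IPS]?
Created dir flash:DIR_IPS
R3#configure terminal
R3(config)#logging 10.10.10.100
R3(config)#ip ips config location flash:DIR_IPS
R3(config)#ip ips name RULE_IPS
R3(config)#ip ips notify log
!
! Retire everything first, then bring back only the basic category, so the
! router never compiles the full signature set.
R3(config)#ip ips signature-category
R3(config-ips-category)#category all
R3(config-ips-category-action)#retired true
R3(config-ips-category-action)#exit
R3(config-ips-category)#category ios_ips basic
R3(config-ips-category-action)#retired false
R3(config-ips-category-action)#exit
R3(config-ips-category)#exit
Do you want to accept these changes? [confirm]
!
! Assumption: apply the rule inbound on the interface that faces R2. Echo
! requests from the SERVER side are then inspected before they reach
! 10.10.20.0/24, while PC_2's own echo requests leave on the other interface
! and the echo replies that come back are not ICMP echo requests, so
! signature 2004/0 never matches them.
R3(config)#interface <R3_OUTSIDE_IF>
R3(config-if)#ip ips RULE_IPS in
R3(config-if)#exit
!
! Enable signature 2004/0 (ICMP echo request) and make it drop and alert.
R3(config)#ip ips signature-definition
R3(config-sigdef)#signature 2004 0
R3(config-sigdef-sig)#status
R3(config-sigdef-sig-status)#retired false
R3(config-sigdef-sig-status)#enabled true
R3(config-sigdef-sig-status)#exit
R3(config-sigdef-sig)#engine
R3(config-sigdef-sig-engine)#event-action produce-alert
R3(config-sigdef-sig-engine)#event-action deny-packet-inline
R3(config-sigdef-sig-engine)#exit
R3(config-sigdef-sig)#exit
R3(config-sigdef)#exit
Do you want to accept these changes? [confirm]
R3(config)#end
!
! Verification on R3 itself; the host ping tests are in "Task 1 verification".
R3#show ip ips configuration
R3#show ip ips interfaces
R3#show logging
```

`show ip ips configuration` should list flash:DIR_IPS as the config location, RULE_IPS as the rule, and the syslog notification setting; `show ip ips interfaces` should show RULE_IPS bound inbound on the chosen interface. If the ping from SERVER still succeeds, check that the rule sits on an interface and direction that the SERVER-to-PC_2 echo requests actually traverse.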

As you can see, configuring IPS on Cisco IOS is pretty straightforward. The only part that requires research is finding out which signature/sub-signature ID matches the specific traffic you want to allow or deny.

Packet Tracer has limited support for IPS, but this is enough for you to get a feeling of what IPS is and how you can use it.