44-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 44 Configuring IOS IPS Routers
Overview of Cisco IOS IPS Configuration

Router Configuration Files and Signature Event Action Processor (SEAP)

As of Cisco IOS Release 12.4(11)T, signature definition files (SDFs) are no longer used by Cisco IOS IPS. Thus, you cannot use the deprecated built-in signature sets, 128.sdf, 256.sdf, and attack-drop.sdf, with Security Manager.
Instead, routers access signature definition information through a directory that contains three
configuration files—the default configuration, the delta configuration, and the SEAP configuration. You
configure the location using the IPS > General Settings policy.
SEAP is the control unit responsible for coordinating the data flow of a signature event. It allows for advanced filtering and signature overrides on the basis of the Event Risk Rating (ERR) feedback. ERR controls the level at which a user chooses to take actions, in an effort to minimize false positives. Signatures that were once stored in NVRAM are now stored in the delta configuration file.

Cisco IOS IPS Limitations and Restrictions

Cisco IOS IPS routers do not support all the features that are supported by dedicated IPS sensor
appliances and service modules. In addition, routers that support IOS IPS might not allocate as much
memory to IPS functionality as an IPS sensor does. The following limitations and restrictions are
important:
• When configuring an IOS IPS device, select only the signatures that you need. If you select all signatures that are available in Security Manager, you might exceed the memory available on the IOS IPS router; deployment can fail, the device might fail to load all of the signatures, or performance might be significantly degraded. If you encounter deployment failures, select a reduced set of signatures and then redeploy the configuration to the device.
• Virtual sensors are not supported by IOS IPS.
• When using event action filters with an IOS IPS router, only a subset of IPS actions is available for removal from an event that meets the criteria of the event action filter. For more information on available event actions, see Filter Item Dialog Box, page 39-9 and Understanding IPS Event Actions, page 39-2.
• IOS IPS is based on IPS Software 5.1. Therefore, features introduced in later versions of IPS Software are typically not available in IOS IPS. For example, you cannot configure the following features:
  – Global correlation.
  – Anomaly detection.
  – OS identification in the event action network identification policy.
Overview of Cisco IOS IPS Configuration
There are a wide variety of devices on which you can configure the Intrusion Prevention System. From a configuration point of view, you can separate the devices into two groups: dedicated appliances and service modules (for routers, switches, and ASA devices) that run the full IPS software; and IPS-enabled routers running Cisco IOS Software 12.4(11)T and later (Cisco IOS IPS).
The following procedure is an overview of IPS configuration on a Cisco IOS IPS router. For dedicated
IPS devices, including IPS service modules installed in a router, see Overview of IPS Configuration,
page 35-5.