Solution CCNA Security: Configure IOS Intrusion Prevention System (IPS) using CLI

Task 1: Enable IOS IPS

Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default XML files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.

Step 1. Verify network connectivity.
Ping from PC-C to PC-A. The ping should be successful.
Ping from PC-A to PC-C. The ping should be successful.

PC-C
PC>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=2ms TTL=125
Reply from 192.168.1.2: bytes=32 time=6ms TTL=125
Reply from 192.168.1.2: bytes=32 time=6ms TTL=125
Reply from 192.168.1.2: bytes=32 time=5ms TTL=125

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 4ms

PC-A
PC>ping 192.168.3.2

Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time=6ms TTL=125
Reply from 192.168.3.2: bytes=32 time=2ms TTL=125
Reply from 192.168.3.2: bytes=32 time=5ms TTL=125
Reply from 192.168.3.2: bytes=32 time=6ms TTL=125

Ping statistics for 192.168.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 4ms

Step 2. Create an IOS IPS configuration directory in flash.
On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.

R1
R1>en
Password:
R1#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
R1#

Step 3. Configure the IPS signature storage location.
On R1, configure the IPS signature storage location to be the directory you just created.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip ips config location ipsdir
R1(config)#

Step 4. Create an IPS rule.
On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.

R1(config)#ip ips name iosips
R1(config)#

Step 5. Enable logging.
IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, you see IPS syslog messages.
Enable syslog if it is not enabled.
Use the clock set command from privileged EXEC mode to reset the clock if necessary.
Verify that the timestamp service for logging is enabled on the router using the show run command. Enable the timestamp service if it is not enabled.
Send log messages to the Syslog server at IP address 192.168.1.50.

R1(config)#service timestamps log datetime msec
R1(config)#logging on
R1(config)#logging 192.168.1.50
*mar 01, 04:21:30.2121: SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.50 port 514 started - CLI initiated
R1(config)#ip ips notify log
R1(config)#

Step 6. Configure IOS IPS to use the signature categories.
Retire the all signature category (every signature in the signature release) with the retired true command. Unretire the IOS_IPS Basic category with the retired false command.

R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

R1(config)#

Step 7. Apply the IPS rule to an interface.
Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the Fa0/0 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means only traffic going out the interface.

R1(config)#int fa0/0
R1(config-if)#ip ips iosips out
R1(config-if)#
*mar 01, 04:33:47.3333:  %IPS-6-ENGINE_BUILDS_STARTED:  04:33:47 UTC mar 01 1993
*mar 01, 04:33:47.3333:  %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*mar 01, 04:33:47.3333:  %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*mar 01, 04:33:47.3333:  %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
R1(config-if)#

Task 2: Modify the Signature
Step 1. Change the event-action of a signature.
Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature action to alert and drop.

R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm]
%IPS-6-ENGINE_BUILDS_STARTED:  
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms
R1(config)#

Step 2. Use show commands to verify IPS.
Use the show ip ips all command to see an IPS configuration status summary.
To which interfaces and in which direction is the iosips rule applied?

R1#show ip ips all
IPS Signature File Configuration Status
    Configured Config Locations: ipsdir
    Last signature default load time:
    Last signature delta load time:
    Last event action (SEAP) load time: -none-

    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled

IPS Signature Status
    Total Active Signatures: 1
    Total Inactive Signatures: 0

IPS Packet Scanning and Interface Status
    IPS Rule Configuration
      IPS name iosips
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Interface Configuration
      Interface FastEthernet0/0
        Inbound IPS rule is not set
        Outgoing IPS rule is iosips

IPS Category CLI Configuration:
    Category all
    Retire: True
    Category ios_ips basic
    Retire: False
R1#
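To answer the Step 2 question without reading the output by eye, the following script parses the R1 output above and audits it against the lab's goals. This is an added example, not part of the original lab or any Cisco tool; the sample text is R1's own show ip ips all output, abridged to the sections the parser reads, and the expected state (iosips outbound on FastEthernet0/0, category all retired, ios_ips basic unretired, syslog notification enabled) is what the lab's steps set out to achieve.

```python
"""Audit 'show ip ips all' output against the lab's intended state.

Added example, not part of the original lab or any Cisco tool. The sample text
is R1's 'show ip ips all' output from Step 2, abridged to the sections the
parser reads; the expectations in audit() are the goals the lab states.
"""
import re

# Constructed from the lab's R1 output (abridged).
SHOW_IP_IPS_ALL = """\
IPS Signature File Configuration Status
    Configured Config Locations: ipsdir

IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled

IPS Packet Scanning and Interface Status
    IPS Rule Configuration
      IPS name iosips
    IPS fail closed is disabled
    Interface Configuration
      Interface FastEthernet0/0
        Inbound IPS rule is not set
        Outgoing IPS rule is iosips

IPS Category CLI Configuration:
    Category all
    Retire: True
    Category ios_ips basic
    Retire: False
"""


def parse_interfaces(text):
    """Return {interface: {"in": rule or None, "out": rule or None}}."""
    result, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = re.fullmatch(r"Interface (\S+)", s)
        if m and m.group(1) != "Configuration":  # skip the section header line
            current = m.group(1)
            result[current] = {"in": None, "out": None}
            continue
        m = re.fullmatch(r"(Inbound|Outgoing) IPS rule is (.+)", s)
        if m and current:
            direction = "in" if m.group(1) == "Inbound" else "out"
            result[current][direction] = None if m.group(2) == "not set" else m.group(2)
    return result


def parse_categories(text):
    """Return {category: retired?} from the 'IPS Category CLI Configuration' section."""
    cats, current, in_section = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("IPS Category CLI Configuration"):
            in_section = True
            continue
        if not in_section:
            continue
        m = re.fullmatch(r"Category (.+)", s)
        if m:
            current = m.group(1)
            continue
        m = re.fullmatch(r"Retire: (True|False)", s)
        if m and current:
            cats[current] = m.group(1) == "True"
    return cats


def audit(text, rule="iosips", interface="FastEthernet0/0", direction="out"):
    """Return a list of findings; an empty list means the output matches the lab goals."""
    findings = []
    applied = parse_interfaces(text).get(interface, {}).get(direction)
    if applied != rule:
        findings.append(f"{rule} not applied {direction} on {interface} (found: {applied})")
    cats = parse_categories(text)
    if cats.get("all") is not True:
        findings.append("category 'all' is not retired")
    if cats.get("ios_ips basic") is not False:
        findings.append("category 'ios_ips basic' is not unretired")
    if "Event notification through syslog is enabled" not in text:
        findings.append("syslog notification is not enabled")
    return findings


if __name__ == "__main__":
    print(audit(SHOW_IP_IPS_ALL) or "OK: configuration matches the lab goals")
```

The interface parser reports the rule per direction, which is the exact point of the question: a rule bound with ip ips iosips out is listed as the Outgoing rule only, and the Inbound rule stays "not set".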

Step 3. Verify that IPS is working properly.
From PC-C, attempt to ping PC-A. Were the pings successful? Why or why not?
From PC-A, attempt to ping PC-C. Were the pings successful? Why or why not?

PC-A
PC>ping 192.168.3.2

Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time=3ms TTL=125
Reply from 192.168.3.2: bytes=32 time=2ms TTL=125
Reply from 192.168.3.2: bytes=32 time=6ms TTL=125
Reply from 192.168.3.2: bytes=32 time=6ms TTL=125

Ping statistics for 192.168.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 4ms

PC>

PC-C
PC>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=3ms TTL=125
Reply from 192.168.1.2: bytes=32 time=2ms TTL=125
Reply from 192.168.1.2: bytes=32 time=6ms TTL=125
Reply from 192.168.1.2: bytes=32 time=2ms TTL=125

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 3ms

PC>

Step 4. View the Syslog messages.
Click on the Syslog server. Select the Config tab. In the left navigation menu, select SYSLOG to view the log file.


2 comments on “Solution CCNA Security: Configure IOS Intrusion Prevention System (IPS) using CLI”

  1. Ekweh Edmund says:

    Please, can I get the IPS signature files? I really need them for a project.

  2. chriv says:

    You set the alert, but not the drop in Task 2, Step 1. If properly set to alert and drop, pings from PC-C to PC-A should fail.

    " Task 2: Modify the Signature
    Step 1. Change the event-action of a signature.
    Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to alert, and drop. "

    The bold line below needs to be added. Doing this makes the pings from PC-C to PC-A fail (which they should for this lab).

    R1(config)#ip ips signature-definition
    R1(config-sigdef)#signature 2004 0
    R1(config-sigdef-sig)#status
    R1(config-sigdef-sig-status)#retired false
    R1(config-sigdef-sig-status)#enabled true
    R1(config-sigdef-sig-status)#exit
    R1(config-sigdef-sig)#engine
    R1(config-sigdef-sig-engine)#event-action produce-alert

    R1(config-sigdef-sig-engine)#event-action deny-packet-inline

    R1(config-sigdef-sig-engine)#exit
    R1(config-sigdef-sig)#exit
    R1(config-sigdef)#exit
    Do you want to accept these changes? [confirm]
    %IPS-6-ENGINE_BUILDS_STARTED:
    %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
    %IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
    %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms
    R1(config)#
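The mistake the comment above describes (Task 2, Step 1 sets produce-alert but never deny-packet-inline) is easy to miss in a long CLI session. The following added example, which is not part of the original lab or any Cisco tool, replays the Step 1 commands as typed on R1 and reports whether signature 2004/0 ends up active with both an alert and a drop action. The first transcript is the lab's session without the drop line; the second adds the line from the comment. It assumes that each event-action command adds its listed actions to the signature's action set, which is the reading under which the comment's one-line fix works.

```python
"""Derive a signature's effective state from an IOS IPS CLI transcript.

Added example, not part of the original lab. Assumption: each event-action
line adds its actions to the signature's action set.
"""
import re

PROMPT = re.compile(r"^R\d+\(config[^)]*\)#")  # e.g. 'R1(config-sigdef-sig)#'

# Constructed from the lab's Task 2, Step 1 session (without the drop action).
WITHOUT_DROP = """\
R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm]
"""

# The same session with the line from the comment added.
WITH_DROP = WITHOUT_DROP.replace(
    "event-action produce-alert\n",
    "event-action produce-alert\n"
    "R1(config-sigdef-sig-engine)#event-action deny-packet-inline\n",
)


def parse_sigdef(transcript):
    """Return {(sig, subsig): {"retired": bool|None, "enabled": bool|None, "actions": set}}."""
    sigs, current = {}, None
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # router responses, not commands
        parts = line[m.end():].split()
        if not parts:
            continue  # a bare prompt
        if parts[0] == "signature" and len(parts) == 3:
            current = (int(parts[1]), int(parts[2]))
            sigs.setdefault(current, {"retired": None, "enabled": None, "actions": set()})
        elif current and parts[0] in ("retired", "enabled") and len(parts) == 2:
            sigs[current][parts[0]] = parts[1] == "true"
        elif current and parts[0] == "event-action":
            sigs[current]["actions"].update(parts[1:])
    return sigs


def check_alert_and_drop(sig_state):
    """List what is missing for a signature meant to be active and to alert and drop."""
    problems = []
    if sig_state["retired"] is not False:
        problems.append("signature is retired")
    if sig_state["enabled"] is not True:
        problems.append("signature is not enabled")
    if "produce-alert" not in sig_state["actions"]:
        problems.append("missing produce-alert")
    if "deny-packet-inline" not in sig_state["actions"]:
        problems.append("missing deny-packet-inline (packets are alerted on but not dropped)")
    return problems


if __name__ == "__main__":
    for label, text in (("without drop", WITHOUT_DROP), ("with drop", WITH_DROP)):
        print(label, check_alert_and_drop(parse_sigdef(text)[(2004, 0)]) or "OK")
```

Run against the lab's own session the check reports the missing deny-packet-inline, which is why the Step 3 pings from PC-C to PC-A still succeed: the signature fires and logs, but the echo request is forwarded. With the comment's line added the check passes and those pings are dropped.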
