Solved: SDM & IPS

87305 · ‎02-27-2007

Hello Everyone,

I have begun to learn Cisco?s new tool SDM and I have some questions in regards to the IPS and its signature files.

I am planning to enable IPS as its ease of configuration is rather simple and it is most worth while.

I am planning to load the predefined advanced signature files, ?attack-drop.sdf? and ?256MB.sdf?

The first question I have is how often are these files updated by Cisco and is there any means of communication as to when these files are updated so that there customers are made aware and that they have the option to load the newest signatures based upon new types of attacks, etc.

My second question is, with the above mentioned two advanced signature files, would this be suffice as an enterprise IPS? I am not interested in writing my own signatures. I would rather monitor and prevent the most common well known and typical attacks.

I am hoping that by updating the two predefined signature files, ?attack-drop.sdf? and ?256MB.sdf? when they are updated this will be sufficient.

Any feedback is greatly appreciated.

Thank you in advance.

Cheers,

ymzhang · ‎02-27-2007

Hi Christopher,

IOS IPS on router platform now supports two different version of signature format. One is 4.x and one is 5.x signature format.

If you use IOS release prior to 12.4(11)T release, it is using 4.x signature format. In this version, you need to use the basic (128MB.sdf) and advanced (256MB.sdf) SDF file.

If you use 12.4(11)T and later release of IOS, it is 5.x signature format based. And you can refer to the getting started guide in the below reference link for more details.

Cisco updates these files on a needed basis. Currently you need to check the Cisco web site for updates. Or if you are using SDM or CSM, these software can perform checking and auto download as well.

For your question whether it is suffice for an enterprise IPS, the answer various depends on your networking/traffic situation in your real deployment. If you can provide more detail, I can further best answer your question. If you are asking about the signature sets, they are selected by Cisco with high severity, high fidelity signatures that are best fit into the router platform. Again, these SDF files are meant to provide a good/solid starting point, any IPS system needs some tuning during operation.

Reference:

Getting Started with Cisco IOS IPS with 5.x Format Signatures: http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml

CCO IOS IPS: http://www.cisco.com/go/iosips

Thanks,

-Chris

View solution in original post

ymzhang · ‎02-27-2007

Hi Christopher,

IOS IPS on router platform now supports two different version of signature format. One is 4.x and one is 5.x signature format.

If you use IOS release prior to 12.4(11)T release, it is using 4.x signature format. In this version, you need to use the basic (128MB.sdf) and advanced (256MB.sdf) SDF file.

If you use 12.4(11)T and later release of IOS, it is 5.x signature format based. And you can refer to the getting started guide in the below reference link for more details.

Cisco updates these files on a needed basis. Currently you need to check the Cisco web site for updates. Or if you are using SDM or CSM, these software can perform checking and auto download as well.

For your question whether it is suffice for an enterprise IPS, the answer various depends on your networking/traffic situation in your real deployment. If you can provide more detail, I can further best answer your question. If you are asking about the signature sets, they are selected by Cisco with high severity, high fidelity signatures that are best fit into the router platform. Again, these SDF files are meant to provide a good/solid starting point, any IPS system needs some tuning during operation.

Reference:

Getting Started with Cisco IOS IPS with 5.x Format Signatures: http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml

CCO IOS IPS: http://www.cisco.com/go/iosips

Thanks,

-Chris