IOS IPS basics

Aug 23rd, 2007

I'm pretty new to managing IPS. My company is looking at deploying a large number of these and I'm supposed to manage them. I've got a few questions.

1. Are the available signatures in the default IOS IPS enough? I fired Retina at an old Red Hat version OS, but I find that the results from IOS IPS are pretty detects non-valid HTTP traffic over SSL but not the vulnerabilities used, and it does even detect nmap non-TCP port scanning you recommend using the default IOS IPS signatures? If not, any recommendations and standards to follow?

3. Any guidance on custom signature development on IOS IPS ?

4. Any method to manage large numbers of IOS IPS rules/signatures from a single console? So I can push the signatures from a single console to each and every router. If not, is it possible to copy the signature folders to all the routers to get the same set of signatures on the routers?

Appreciate any useful information. Thanks in advance.

rhermes Fri, 08/24/2007 - 10:53

1. The built-in signatures are pretty old and mostly worthless; you may want to disable them and use the latest signature file available for the IOS IPS. Your memory will be the constraining factor as to how many signatures you can have enabled.

2. The signature defaults are a starting place. You will have to spend time doing the analysis of events to see if they're false positives (and many will be) and tune them down, or more likely disable them.

3. Each signature engine has a fixed 64MB of memory. Turn on too many within that engine (including your custom sigs) and you won't get any. Watch the console log when enabling IPS to see if your build is failing. Some sigs eat more memory than others.

4. If you have money to burn you can buy Cisco's CSM 3.1, or else keep your signature file(s) on an FTP/TFTP/SCP server and copy them to your routers as needed.

attmidsteam Fri, 08/24/2007 - 11:29

If you can, skip the IOS IPS and go straight to a full blown IDS/IPS solution since the IOS IPS product can't handle many signatures and also can't handle many of the more worthwhile signature engines. For a real security analysis of hostile traffic, you'll want to be looking at packet captures when a signature fires.

yuliang11 Sun, 08/26/2007 - 17:15

I'm sure the full-blown IPS is more powerful, but our existing customers have, like, the whole WAN (>30 routers). It's not entirely feasible for them to upgrade to IPS.

yuliang11 Sun, 08/26/2007 - 17:19

Thanks for your reply.

1. I'm using the built-in latest signature, 290.

4. I'm using IPS ver 5. There's a directory flash:ipstore/ created for the IOS IPS config. Can I just copy/paste this to every other IOS IPS to get the same standard signatures?
