IOS IPS basics

yuliang11
Level 1

I'm pretty new to managing IPS. My company is looking at deploying a large number of these and I'm supposed to manage them. I've got a few questions:

1. Are the available signatures in the default IOS IPS enough? I fired Retina at an old Red Hat OS version, but I find that the results from IOS IPS are pretty generic. It detects non-valid HTTP traffic over SSL but not the vulnerabilities used, and it doesn't even detect nmap non-TCP port scanning.

2. Do you recommend using the default IOS IPS signatures? If not, any recommendations and standards to follow?

3. Any guidance on custom signature development on IOS IPS?

4. Any method to manage large numbers of IOS IPS rules/signatures from a single console, so I can push the signatures from a single console to each and every router? If not, is it possible to copy the signature folders over to all the routers to get the same set of signatures on every router?

Appreciate any useful information. Thanks in advance.

4 Replies

rhermes
Level 7

1. The built-in signatures are pretty old and mostly worthless; you may want to disable them and use the latest signature file available for the IOS IPS. Your memory will be the constraining factor as to how many signatures you can have enabled.

2. The signature defaults are a starting place. You will have to spend time doing the analysis of events to see if they're false positives (and many will be) and tune them down, or more likely disable them.

3. Each signature engine has a fixed 64MB of memory. Turn on too many within that engine (including your custom sigs) and you won't get any. Watch the console log when enabling IPS to see if your build is failing. Some sigs eat more memory than others.

4. If you have money to burn you can buy Cisco's CSM 3.1; otherwise keep your signature file(s) on an FTP/TFTP/SCP server and copy them to your routers as needed.

If you can, skip the IOS IPS and go straight to a full-blown IDS/IPS solution, since the IOS IPS product can't handle many signatures and also can't handle many of the more worthwhile signature engines. For a real security analysis of hostile traffic, you'll want to be looking at packet captures when a signature fires.
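The reply above describes a procedure in three parts: retire everything except one category so the signature build fits in engine memory, tune or retire the individual signatures that turn out to be false positives, and keep the signature package on a TFTP/FTP/SCP server and copy it to every router so the fleet runs one signature set. The script below is an added example (not code from the thread or from Cisco) that turns those steps into the IOS IPS 5.x CLI batch for a list of routers, so the same sequence can be pasted or pushed to each one. The server address, package name, rule name, router names and the sample tuning entry are assumptions; the config location matches the flash:ipstore/ directory mentioned in the thread, and the Cisco signature public key is assumed to be installed already.

```python
#!/usr/bin/env python3
"""Build the IOS IPS 5.x CLI batch that retires all signatures, unretires
one ios_ips category, applies per-signature tuning, and then loads the
signature package from a central server. Added example; values below are
assumed, not taken from the thread."""
from dataclasses import dataclass

SIG_PACKAGE_URL = "tftp://10.0.0.5/IOS-S290-CLI.pkg"  # assumed server and file
CONFIG_LOCATION = "flash:ipstore"                     # directory named in the thread
RULE_NAME = "iosips"                                  # assumed IPS rule name


@dataclass(frozen=True)
class SigTune:
    """One per-signature override applied after the category defaults."""
    sig_id: int
    sub_id: int = 0
    retired: bool = True    # retired = unloaded from the engine, frees memory
    enabled: bool = False   # enabled = actions fire when the signature matches


def category_commands(category: str = "basic") -> list[str]:
    """Retire every signature, then unretire one ios_ips category.
    'all' must come first: a broad retire issued afterwards would undo
    the narrow unretire, and the build would compile nothing."""
    return [
        "ip ips signature-category",
        " category all",
        "  retired true",
        "  exit",
        f" category ios_ips {category}",
        "  retired false",
        "  exit",
        " exit",  # IOS prompts to confirm the category change here
    ]


def tuning_commands(tuning: tuple[SigTune, ...]) -> list[str]:
    """Per-signature tuning, e.g. retiring a signature that keeps producing
    false positives during event analysis. Rejects duplicate ids so two
    conflicting overrides cannot be sent for the same signature."""
    if len({(t.sig_id, t.sub_id) for t in tuning}) != len(tuning):
        raise ValueError("duplicate signature id/sub-id in tuning list")
    if not tuning:
        return []
    lines = ["ip ips signature-definition"]
    for t in tuning:
        lines += [
            f" signature {t.sig_id} {t.sub_id}",
            "  status",
            f"   retired {'true' if t.retired else 'false'}",
            f"   enabled {'true' if t.enabled else 'false'}",
            "   exit",
            "  exit",
        ]
    lines.append(" exit")
    return lines


def router_batch(category: str = "basic", tuning=()) -> dict[str, list[str]]:
    """Config steps first, then the exec-mode package load: retiring before
    loading means the compile only builds the category that was kept."""
    config = [
        f"ip ips config location {CONFIG_LOCATION}",
        f"ip ips name {RULE_NAME}",
    ] + category_commands(category) + tuning_commands(tuple(tuning))
    exec_cmds = [f"copy {SIG_PACKAGE_URL} idconf"]
    return {"config": config, "exec": exec_cmds}


def fleet_batches(routers, category: str = "basic", tuning=()) -> dict:
    """The identical batch for every router, so all of them end up with
    the same signature set from the same central package."""
    return {r: router_batch(category, tuning) for r in routers}


if __name__ == "__main__":
    # Constructed sample fleet and one tuning entry (ids are illustrative).
    fleet = fleet_batches(["wan-rtr-01", "wan-rtr-02"], tuning=[SigTune(2004, 0)])
    for name, batch in fleet.items():
        print(f"! {name}")
        print("\n".join(batch["config"]))
        print("\n".join(batch["exec"]))
```

The output is plain CLI text, so it can be fed to whatever push mechanism is available (a terminal paste, an expect script, or a console that supports bulk CLI jobs); the point is that the ordering and the retire-before-load logic are fixed in one place rather than retyped per router.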

I'm sure the full-blown IPS is more powerful, but our existing customers have something like the whole WAN (>30 routers). It's not entirely feasible for them to upgrade to IPS.

Thanks for your reply.

1. I'm using the latest built-in signature, 290.

4. I'm using IPS ver 5. There's a directory flash:ipstore/ created for the IOS IPS config. Can I just copy/paste this to every other IOS IPS to get the same standard signatures?
