I'm pretty new to managing IPS. My company is looking at deploying a large number of these and I'm supposed to manage them. I have a few questions:
1. Are the signatures available in the default IOS IPS enough? I fired Retina at an old Red Hat version OS, but I find that the results from IOS IPS are pretty generic. It detects non-valid HTTP traffic over SSL but not the vulnerabilities used, and it doesn't even detect nmap non-TCP port scanning.
2. Do you recommend using the default IOS IPS signatures? If not, any recommendations and standards to follow?
3. Any guidance on custom signature development on IOS IPS?
4. Any method to manage large numbers of IOS IPS rules/signatures from a single console, so I can push the signatures from a single console to each and every router? If not, is it possible to copy the signature folders over to all the routers to get the same set of signatures on the routers?
Appreciate any useful information. Thanks in advance.
1. The built-in signatures are pretty old and mostly worthless; you may want to disable them and use the latest signature file available for the IOS IPS. Your memory will be the constraining factor as to how many signatures you can have enabled.
2. The signature defaults are a starting place. You will have to spend time doing the analysis of events to see if they're false positives (and many will be) and tune them down, or more likely disable them.
3. Each signature engine has a fixed 64MB of memory. Turn on too many within that engine (including your custom sigs) and you won't get any. Watch the console log when enabling IPS to see if your build is failing. Some sigs eat more memory than others.
4. If you have money to burn you can buy Cisco's CSM 3.1, or else keep your signature file(s) on an FTP/TFTP/SCP server and copy them to your routers as needed.
If you can, skip the IOS IPS and go straight to a full blown IDS/IPS solution since the IOS IPS product can't handle many signatures and also can't handle many of the more worthwhile signature engines. For a real security analysis of hostile traffic, you'll want to be looking at packet captures when a signature fires.