PT Activity: Configure IOS Intrusion Prevention System (IPS) using CLI

Topology Diagram

Addressing Table
Device         Interface     IP Address    Subnet Mask    Default Gateway
R1             FA0/0         192.168.1.1   255.255.255.0  N/A
R1             S0/0/0        10.1.1.1      255.255.255.0  N/A
R2             S0/0/0 (DCE)  10.1.1.2      255.255.255.0  N/A
R2             S0/0/1 (DCE)  10.2.2.1      255.255.255.0  N/A
R3             FA0/0         192.168.3.1   255.255.255.0  N/A
R3             S0/0/0        10.2.2.2      255.255.255.0  N/A
Syslog Server  NIC           192.168.1.50  255.255.255.0  192.168.1.1
PC-A           NIC           192.168.1.2   255.255.255.0  192.168.1.1
PC-C           NIC           192.168.3.2   255.255.255.0  192.168.3.1



• Enable IOS IPS.
• Configure logging.
• Modify an IPS signature.
• Verify IPS.

Introduction

Your task is to configure router R1 for IPS in order to scan traffic entering the 192.168.1.0 network. The server labeled "Syslog Server" is used to log IPS messages. You must configure the router to identify the syslog server in order to receive logging messages. Displaying the correct time and date in syslog messages is vital when using syslog to monitor the network. Set the clock and configure the timestamp service for logging on the routers. Finally, enable IPS to produce an alert and drop ICMP echo reply packets inline.

The server and PCs have been preconfigured. The routers have also been preconfigured with the following:
• Enable password: ciscoenpa55
• Console password: ciscoconpa55
• VTY line password: ciscovtypa55
• EIGRP 101

Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default xml files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.

Task 1: Enable IOS IPS

Step 1. Verify network connectivity.
• Ping from PC-C to PC-A. The ping should be successful.
• Ping from PC-A to PC-C. The ping should be successful.

Step 2. Create an IOS IPS configuration directory in flash.
On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.

Step 3. Configure the IPS signature storage location.
On R1, configure the IPS signature storage location to be the directory you just created.

Step 4. Create an IPS rule.
On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.

Step 5. Enable logging.
IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, you see IPS syslog messages.
Enable syslog if it is not enabled. Use the clock set command from privileged EXEC mode to reset the clock if necessary. Verify that the timestamp service for logging is enabled on the router using the show run command. Enable the timestamp service if it is not enabled.
Send log messages to the Syslog server at IP address 192.168.1.50.

Step 6. Configure IOS IPS to use the signature categories.
Retire the all signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.

Step 7. Apply the IPS rule to an interface.
Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the Fa0/0 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means only traffic going out the interface.

Task 2: Modify the Signature

Step 1. Change the event-action of a signature.
Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature action to alert and drop.

Step 2. Use show commands to verify IPS.
Use the show ip ips all command to see an IPS configuration status summary. To which interfaces and in which direction is the iosips rule applied?

Step 3. Verify that IPS is working properly.
From PC-C, attempt to ping PC-A. Were the pings successful? Why or why not?
From PC-A, attempt to ping PC-C. Were the pings successful? Why or why not?

Step 4. View the Syslog messages.
Click on the Syslog server. Select the Config tab. In the left navigation menu, select SYSLOG to view the log file.

Task 3: Check results
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.

All contents are Copyright © 1992-2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.