topic Cisco IPS and Cisco Mars rollout in Network Security

Cisco IPS and Cisco Mars rollout

ohareka70 — Sun, 10 Mar 2019 12:22:50 GMT

Hello,

I am preparing to roll out ISP on 38 x cisco 2911 routers. I have a cisco Mars device and i intend to setup logging on the routers so the IPS traffic will be logged to cisco mars.

I have cisco 2800 routers on the network but have been told that i need to upgrade them to 2911's to take advantage of the latest ios software needed for up to date signatures. Not sure how accurate this.

I am looking for a few hints to see if i am going about this the right way

This is a summary of the steps i think i need

1) Download IOS IPS signature package files and public crypto key from Cisco.com
2) configure the crypto key used by IOS IPS onto your Cisco 2911 router
3) Enable IOS IPS on the 2900 ROUTER (i have steps for this)

The plan is to Configure the IPS on a router using cisco SDM and the save this config to noetpad and paste it into all the routers out on site.

4) Load IOS IPS Signature packages to the router

5) Add the IP address of the routers into Cisco Mars and log traffic to cs mars device

prerequisites: CCO contract so i can get the signature updates from this site

any advice is welcome

regards

Kevin

Cisco IPS and Cisco Mars rollout

Marcin Latosiewicz — Sat, 18 Jun 2011 16:50:33 GMT

Kevin,

Let's take a step back.

First of all I geuss it's best to run this question by your SE(s).

Second of all considering you already own 2800 series you might look into getting AIM or NME IPS modules instead of swapping everything to 2900 and running IOS IPS.

Of course different pricing/throughput info apply.

AIM/NME IPS modules do not consume router's CPU and are in fact (logically) a separate device.

2900 have much more CPU/mem to burn.

In my experience, I have not found anyone recommending running IOS IPS in big deployment. Then again maybe I've not been talking to right people 🙂

Marcin

Cisco IPS and Cisco Mars rollout

ohareka70 — Thu, 23 Jun 2011 13:19:52 GMT

Marcin,

What about CS Mars. Have you heard of anyone using this product. I thought the idea was to enable IPS on each router and push the syslog traffic back to the CS Mars device?

regards,

Kevin

Cisco IPS and Cisco Mars rollout

Marcin Latosiewicz — Thu, 23 Jun 2011 17:44:33 GMT

Kevin,

MARS is used quite extensively, especially in enterprises.

That being said, I need to warn you.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/eol_c51-636888.html

IPS can work no probelm in tandem with MARS, via different mechanisms. SDEE/traps/logs just to name a few.

Indeed the IOS IPS might be the cheaper of the solutions, in which case the more powerful hardware the better.

IPS appliances will usually provide a bit more features (global correlation) and separation of roles/hardware (to some extent).

Marcin

Cisco IPS and Cisco Mars rollout

mikecrowe4ICS_2 — Fri, 24 Jun 2011 01:40:24 GMT

Since you already have your MARS appliance, there would be no reason not to use it for collection/correlation of your IOS-IPS events.

IPS Event retrieval (even for IOS IPS) is done by the MARS box using the SDEE protocol. This is the same protocol/method used for communication with standalone IPS appliances. This communication is separate from the syslog and/or SNMP reporting, which are used for the general router logging or monitoring.

So, your router will be communicating with MARS using both SDEE (for IPS) and syslog/SNMP (or both).

Kevin O' Hare wrote:

I have cisco 2800 routers on the network but have been told that i need to upgrade them to 2911's to take advantage of the latest ios software needed for up to date signatures.

Are you considering replacing your 28xx routers, or have the new routers already been purchased?

It's not clear in your original message whether or not you have already purchased the 2911 routers you mentioned.

I think that the person who provided this information was confusing IOS-IPS with the IPS modules (AIM-IPS, NME-IPS). The AIM-IPS is only supported on the 28xx/38xx platform, using the IOS 12.4T release train. The NME-IPS, however, is supported on both x8xx and x9xx platforms. The 29xx routers will provide increased performance with IPS in IOS, but it's not a requirement.

In the end, if you are talking about 38+ routers, adding modules might not be feasible. Keep in mind that the software IPS takes up additional resources on the router. If not configured properly, it can reduce performance, sometimes significantly. Be cautious when rolling it out the feature, and closely monitor performance on your routers.

Cisco IPS and Cisco Mars rollout

ohareka70 — Fri, 01 Jul 2011 14:36:14 GMT

Michael,

We are running it on 16 sites with 2811 routers at the moment. We are just pricing the 2911's but havent upgraded just yet.

So its IOS-IPS on the routers that i am interested in. We dont have a seperate module on the router, we just role out the config for IPS, drop the signature file on the router and point it to cs mars. Seems to be working so far.

I have download a recent signature package - IOS-S556-CLI.pkg
I copied it to flash on a test router and I can access it via CLI or SDM
I have setup my router and put in all the config for IPS

How do i extract all the signatures from IOS-S556-CLI.pkg to an sdm file similar to 256MB SDF which has 500 signatures?

Router with IOS-S556-CLI.pkg

#sh ip ips signatures

Builtin signatures are configured

Signatures were last loaded from flash:/ips/IOS-S556-CLI.pkg

Cisco SDF release version S0.0

Trend SDF release version V0.0

Action=(A)larm,(D)rop,(R)eset,Deny-(H)ost,Deny-(F)low

*=Marked for Deletion WF=WantFrag Trait=AlarmTraits

MH=MinHits AI=AlarmInterval CT=ChokeThreshold

TI=ThrottleInterval AT=AlarmThrottle FA=FlipAddr

Total Active Signatures: 0

Total Inactive Signatures: 0

But if I change it back to Router with 256MB I can see 537 signatures

#sh ip ips signatures

Builtin signatures are configured

Signatures were last loaded from flash:/ips/256MB.sdf

Cisco SDF release version 256MB.sdf V10

Total Active Signatures: 537

Total Inactive Signatures: 0

Kevin

Cisco IPS and Cisco Mars rollout

haivrajesh — Fri, 01 Jul 2011 19:27:41 GMT

Hi Better Use AIM card that is more enogh for you i think and also MARS is already EOL So in future you have to change the logging as well.(Up to 2016 cisco support will be thr).

Rajeswar.