
In Cisco IPS Signatures 101 (Sept ’12 Chalk Talk), signature properties, engines, alerts, and actions were covered at a high level. The purpose of this document is to help a network or security professional understand how to configure Cisco signatures, including their properties, engines, alerts, and actions. The content is relevant to the Cisco CCNP Security IPS certification exam (642-627) and should be useful for anyone studying for the CCIE Security certification written and practical (lab) exams.

Configuring Basic Signature Properties

To configure signatures, it is HIGHLY recommended to do so via Cisco IDM (IPS Device Manager): click Configuration > Policies > Signature Definitions > sig0, then click All Signatures to open the Signature Configuration panel. All Signatures is visible only when sig0 is expanded. By default, the Signature Configuration panel lists signatures by signature ID number. The All Signatures database view shows every signature available in the sensor's signature set; clicking a signature set displays the signatures grouped under it in the view pane. The following signature sets are available:

  • Active Signatures
  • Adware/Spyware
  • Attack
  • Configuration
  • DDoS
  • DoS
  • Email
  • IOS IPS
  • Instant Messaging
  • L2/L3/L4 Protocol
  • Network Services
  • OS
  • Other Services
  • P2P
  • Reconnaissance
  • Releases
  • TelePresence
  • UC protection
  • Viruses/Worms/Trojans
  • Web Server
  • All Signatures

Figure 1: Example of an actual Signature Configuration View

As seen below in Figure 2, there is a Filter drop-down list in the configuration view pane that can be used to display signatures in different ways, such as by the type of attack they detect or the service being inspected. The Selection Criteria menu changes to correspond to the Filter drop-down selection. For example, if you choose Severity in the Filter drop-down, the criteria field provides a drop-down with High, Medium, Low, and Informational options. The configuration view pane then shows only the signatures that match the chosen criteria, and only while a Filter option is selected. The Filter drop-down offers a limited set of options: Sig ID, Sig Name, Enabled, Severity, Fidelity Rating, Action, Type (Tuned … ), and Engine.

Figure 2: Example snapshot of the Filter drop-down list

Enabling & Disabling Signatures

Enabling a signature makes the sensor inspect traffic against it; when a signature is disabled, it does not inspect traffic. The following steps walk you through enabling a signature.

Step 1:     Click Configuration and choose Policies > Signature Definitions > Sig0 > Active Signatures. The Signature Configuration panel is displayed.

Step 2:     Locate the signature that you want to enable. A signature that is already enabled has a check-mark in its check-box. If the signature is disabled, the check-box is empty.

Step 3:     If the signature is currently disabled, put a check in the box next to the signature by clicking on it.

Step 4:     Click Apply to apply your changes and save the updated configuration. To disable a signature that is currently enabled, uncheck the check-box in the Enabled column.

Note:  To enable multiple signatures at the same time, hold down the Ctrl or Shift key and click the signatures that you would like to enable, then right-click one of the selected signatures and click Enable.


Dave Burns joined Cisco in July 2008, as a systems engineer working for a U.S.-based SP Mobility account. He came to Cisco from a large U.S.-based cable company, where he was a senior network and security design engineer. Dave has held various roles prior to joining Cisco during his 10-plus years in the industry, working in SP operations, SP engineering, SP architecture, enterprise IT, and United States military intelligence communications engineering. He is currently a Systems Engineering Manager working with US Service Providers on various architectures that include IP NGN, Data Center, Cloud, Security, Mobility, and Transport. He holds various sales and industry and Cisco technical certifications, including CISSP, CCSP, CCDP, and two associate-level certifications. Dave recently passed the CCIE Security written exam, and is currently preparing for the CCIE Security Lab. Dave is also currently working on his Masters in Business Administration in his ‘free’ time. Dave earned his Bachelor of Science degree in telecommunications engineering technology from Southern Polytechnic State University, Georgia, where he currently serves as a member of the industry advisory board for the Computer & Electrical Engineering Technology School.


CCNP Security IPS 642-627 Official Cert Guide

By David Burns, Odunayo Adesina, Keith Barker

ISBN-10: 1-58714-255-4

ISBN-13: 978-1-58714-255-0

Published: October 25, 2011

US SRP: $55.99

Published by Cisco Press.

This article was featured in the November issue of the Cisco TS Newsletter. Are you subscribed?
3 Comments

Is there an article or vendor instructions that speaks to best practices for updating IPS signatures? I cannot find one. PCI DSS 11.4.c requires that IDS/IPS configurations are configured, maintained, and updated per vendor instructions to ensure optimal protection.


Hi Shawn... I apologize for the delay in response. I assume you have looked on CCO? If not, here are some very helpful links that I believe are what you are looking for.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps7264/ps6634/IOS_IPS_Best_Practices.pdf

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

Hopefully this helps - Happy Holidays!

DB

To scale the performance of firewalls/IPS and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.

Also, recent blog: Intelligent Traffic Director @ Cisco Live Milan

ITD Provides CAPEX and OPEX Savings for Customers

ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5K/6K/7K series of switches. It supports IP-stickiness, resiliency, NAT, (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS.

ITD is much superior to legacy solutions like PBR, WCCP, ECMP, port-channel, and layer-4 load-balancer appliances.