BCMSN v3.02-1
These steps occur when a packet arrives at the Cisco IOS Firewall:
Step 1: A packet traveling through the inside interface triggers an inspection rule, and an entry is logged in the connection state table.
Step 2: The Cisco IOS Firewall opens a dynamic ACL entry that permits the return traffic through the outside interface inbound ACL.
Step 3: The Cisco IOS Firewall filter engine keeps inspecting the incoming traffic from the outside to permit the proper return traffic and blocks application attacks or misuse.
Step 4: When the session terminates, the Cisco IOS Firewall filter engine removes the dynamic information from the connection state table and removes the dynamic ACL entry.
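The four steps above, modelled as a small Python simulation (an added illustration, not Cisco code): sessions are keyed on the 5-tuple, the outside inbound ACL is treated as a static deny-all plus the dynamic permits opened per session, and a single FIN or RST is taken as session termination, which is a simplification of real TCP teardown tracking. The addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str                  # "inside-out" or "outside-in"
    flags: frozenset = frozenset()  # e.g. frozenset({"FIN"}) ends a TCP session

def fwd(p):  # 5-tuple as seen on the wire
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def rev(p):  # 5-tuple of the matching return traffic
    return (p.proto, p.dst, p.dport, p.src, p.sport)

class StatefulFirewall:
    def __init__(self, inspected):
        self.inspected = set(inspected)  # the inspection rule (protocols to track)
        self.state = set()               # connection state table
        self.dynamic_acl = set()         # dynamic permits on the outside inbound ACL

    def process(self, p):
        if p.direction == "inside-out":
            if p.proto in self.inspected:
                # Steps 1 and 2: record the session and open the return-path entry
                self.state.add(fwd(p))
                self.dynamic_acl.add(rev(p))
            if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                self._close(fwd(p), rev(p))
            return "permit"
        # Step 3: only traffic matching a dynamic entry gets through the
        # static deny-all inbound ACL on the outside interface
        if fwd(p) not in self.dynamic_acl:
            return "deny"
        if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
            self._close(rev(p), fwd(p))  # Step 4: tear down the session state
        return "permit"

    def _close(self, session, return_entry):
        self.state.discard(session)
        self.dynamic_acl.discard(return_entry)

def demo():
    """Constructed scenario: outbound web session, unsolicited inbound, teardown, late packet."""
    fw = StatefulFirewall({"tcp", "udp"})
    syn = Packet("10.0.0.5", 40000, "203.0.113.7", 80, "tcp", "inside-out")
    synack = Packet("203.0.113.7", 80, "10.0.0.5", 40000, "tcp", "outside-in")
    stray = Packet("198.51.100.9", 5555, "10.0.0.5", 8080, "tcp", "outside-in")
    fin = Packet("203.0.113.7", 80, "10.0.0.5", 40000, "tcp", "outside-in", frozenset({"FIN"}))
    decisions = [fw.process(x) for x in (syn, synack, stray, fin, synack)]
    return decisions, len(fw.state), len(fw.dynamic_acl)
```

Running `demo()` shows the return packet permitted only while the session is open, the unsolicited inbound packet denied by the static ACL, and both tables empty after the FIN.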
Cisco IOS IPS combines existing Cisco IDS and IPS product features
with three different intrusion detection techniques:
Profile-based intrusion detection: Profile-based intrusion detection
generates an alarm when activity on the network goes outside a defined
profile. A profile could be created to monitor web traffic.
Signature-based intrusion detection: A signature is a set of rules
pertaining to typical intrusion activity. A Cisco IOS IPS implements
signatures that can look at every packet going through the network and
generate alarms when necessary.
Protocol analysis-based intrusion detection: Protocol analysis-based
intrusion detection is similar to signature-based intrusion detection, but it
performs a more in-depth analysis of the protocols specified in the
packets. A deeper analysis examines the payloads within TCP and UDP
packets, which contain other protocols. For example, a protocol such as
Domain Name System (DNS) is contained within TCP or UDP, which itself
is contained within IP.
2006 Cisco Systems, Inc. All rights reserved.
The command
Router(config)#ip ips fail closed
instructs the router to drop all traffic if any of the signature micro-engines (SMEs) that should scan the data
are not available. This command has no other parameters.
The command
Router(config)#ip ips name SECURIPS list <access-list>
is used to create an IPS rule.
At the end of the script, the IPS rule is applied to a router interface.
The
Router(config)#ip ips sdf location flash:my-signatures.sdf
configuration command specifies a new SDF location pointing to the merged
SDF file in the flash.
The
Router(config)#ip ips signature 1007 0 disable
command deactivates the signature with ID 1107 and sub-signature ID 0.
The
Router(config)#ip ips signature 5037 0 delete
command marks the signature with ID 5037 and sub-signature ID 0 for deletion.
The signature will be removed when the signatures are reloaded or saved.
The
Router(config)#ip ips signature 6190 0 list 101
command filters the traffic prior to scanning by the signature with ID 6190 and
sub-signature ID 0.
Finally, the IPS rule needs to be reapplied to the interface for the
changes in SDF to take effect. You can reapply the rule by unbinding
the IPS rule from the interface and assigning the rule to the interface
again using the
Router(config-if)#no ip ips SECURIPS in
and
Router(config-if)#ip ips SECURIPS in
commands in interface configuration mode.