CCIE Security - IPS Lab Notes

Basic IPS Configuration (management IP, default gateway, Telnet, banner, management ACL, clock):

IPS# configure terminal
IPS(config)# service host
IPS(config-hos)# network-settings
IPS(config-hos-net)# host-ip 10.0.0.10/24,10.0.0.254
IPS(config-hos-net)# telnet-option enabled
IPS(config-hos-net)# login-banner-text Welcome to IPS
IPS(config-hos-net)# access-list 10.0.0.100/32
IPS(config-hos-net)# exit
IPS(config-hos)# exit
Apply Changes?[yes]: yes
IPS(config)# exit
IPS# clock set 19:03 February 13 2010

Two things to check before answering "yes" to Apply Changes: the access-list is the only list of hosts allowed to manage the sensor (SSH, Telnet, HTTPS/IDM), so make sure the station you are connected from (10.0.0.100 here) is in it or you lock yourself out; and Telnet is cleartext and disabled by default, so outside the lab leave it disabled and use SSH, which is always on. The clock is set manually here; on a production sensor use NTP (ntp-option under service host) so that event timestamps can be correlated with other devices.

Configuring the IPS sensor in inline mode between two VLANs. In this example the sensor bridges VLAN 101 and VLAN 102 on one physical interface (an inline VLAN pair): the switch port facing the sensor is an 802.1Q trunk carrying both VLANs, and the sensor inspects each frame and rewrites its tag as it forwards it from one VLAN to the other:

ips(config)# service interface
ips(config-int)# physical-interfaces GigabitEthernet0/0
ips(config-int-phy)# subinterface-type inline-vlan-pair
ips(config-int-phy-inl)# subinterface 1
ips(config-int-phy-inl-sub)# vlan1 101
ips(config-int-phy-inl-sub)# vlan2 102
ips(config-int-phy-inl-sub)# exit
ips(config-int-phy-inl)# exit
ips(config-int-phy)# admin-state enabled
ips(config-int-phy)# exit
ips(config-int)# exit
Apply Changes?[yes]: yes

Nothing is inspected until subinterface 1 of GigabitEthernet0/0 is also assigned to a virtual sensor (vs0 by default) under service analysis-engine; the interface configuration above only defines the pair. Inline is the mode in which deny-packet-inline and deny-attacker-inline actions actually drop traffic.

To have one sensor monitor several VLANs (and, if needed, hand different VLANs to different virtual sensors) use VLAN groups. In this example the sensor interface is in promiscuous (sniffing) mode: the switch SPANs/RSPANs the interesting traffic to the sensor port as a trunk, and each VLAN group subinterface selects one VLAN or range of VLANs from that trunk:

ips(config)# service interface
ips(config-int)# physical-interfaces GigabitEthernet0/0
ips(config-int-phy)# subinterface-type vlan-group
ips(config-int-phy-vla)# subinterface 1
ips(config-int-phy-vla-sub)# vlans range 999
ips(config-int-phy-vla-sub)# exit
ips(config-int-phy-vla)# subinterface 2
ips(config-int-phy-vla-sub)# vlans range 34
ips(config-int-phy-vla-sub)# exit
ips(config-int-phy-vla)# exit
ips(config-int-phy)# admin-state enabled
ips(config-int-phy)#

"vlans range" also accepts a real range such as 10-20, and "vlans unassigned" catches every VLAN not claimed by another group. As with the inline VLAN pair, each VLAN group subinterface has to be assigned to a virtual sensor before its traffic is inspected. Because the interface is promiscuous, the sensor sees a copy of the traffic only: it can alert, send TCP resets and request blocking or rate limiting on a managed device, but the deny-*-inline actions have no effect.

To view IPS alerts from the last 10 minutes (the argument is hh:mm:ss, so 00:01:00 would cover only one minute):

show events alert past 00:10:00

To see which attackers the sensor is currently denying:

show statistics denied-attackers

To unblock them (this clears the denied-attackers list, so the hosts are let through again until the next trigger):

clear denied-attackers

RR - Risk Rating (0-100; the value event action overrides and filters are matched against)

TVR - Target Value Rating (set per target address under event action rules; default is Medium):

  • Mission Critical = 200
  • High = 150
  • Medium = 100
  • Low = 75
  • Zero = 0

ASR - Attack Severity Rating (derived from the signature's severity):

  • High = 100
  • Medium = 75
  • Low = 50
  • Informational = 25

SFR - Signature Fidelity Rating (0-100, per signature: how likely a trigger is a true positive)

ARR - Attack Relevance Rating: +10 if the target OS is one the signature affects, -10 if it is not, 0 if unknown

PD - Promiscuous Delta: subtracted only when the sensor is in promiscuous mode; 0 when inline

RR = (ASR*TVR*SFR)/10000 + ARR - PD

RR is capped at 100 and floored at 0. To calculate RR for an informational signature hitting mission-critical traffic:

SFR = 100
ASR = 25
TVR = 200
RR = (25*200*100)/10000 + ARR - PD = 50 + ARR - PD

So on an inline sensor (PD = 0) with unknown OS relevance (ARR = 0) the event scores RR 50; with a known-vulnerable target it scores 60, and on a promiscuous sensor the PD is subtracted from that.
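The formula above, carried through in code as an added example (not from the lab notes and not Cisco's implementation). It uses the documented TVR/ASR/ARR values, treats the rounding of RR to an integer and the Promiscuous Delta of 30 as assumptions, and scores a few constructed events against an assumed override threshold of 90 to show which ones would trigger a deny-attacker-inline override:

```python
"""Cisco IPS Risk Rating (RR) worked example.

Added illustration, not code from the lab notes or from Cisco.  It applies
the RR formula from the notes with the documented TVR/ASR enumerations, the
ARR and Promiscuous Delta terms and the 0..100 cap, then scores a few
constructed events against an assumed event-action-override threshold.
"""

# Target Value Rating, set per target address (Cisco values).
TVR = {"zero": 0, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
# Attack Severity Rating, taken from the signature's severity (Cisco values).
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Attack Relevance Rating: whether the target OS is one the signature affects.
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}
# Promiscuous Delta used by this example.  30 is an assumed value; PD is a
# per-signature setting in 0..30 that applies only in promiscuous mode.
PROMISCUOUS_DELTA = 30


def risk_rating(asr, tvr, sfr, arr=0, pd=0, wlr=0):
    """RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100.

    sfr is the Signature Fidelity Rating (0..100).  wlr, the Watch List
    Rating, is not in the notes' formula and defaults to 0.  Rounding to the
    nearest integer is an assumption; Cisco reports RR as an integer.
    """
    for name, value, upper in (("ASR", asr, 100), ("TVR", tvr, 200), ("SFR", sfr, 100)):
        if not 0 <= value <= upper:
            raise ValueError(f"{name}={value} is outside 0..{upper}")
    raw = (asr * tvr * sfr) / 10000 + arr - pd + wlr
    return max(0, min(100, round(raw)))


def rate_event(severity, target_value, sfr, relevance="unknown", promiscuous=False):
    """Score one event by name; PD is subtracted only on a promiscuous sensor."""
    return risk_rating(ASR[severity], TVR[target_value], sfr,
                       arr=ARR[relevance],
                       pd=PROMISCUOUS_DELTA if promiscuous else 0)


# Constructed sample events (not real sensor output).
SAMPLE_EVENTS = [
    # The notes' own example: informational signature, mission-critical target, inline.
    {"name": "notes-example", "severity": "informational",
     "target_value": "mission-critical", "sfr": 100},
    # High-severity, high-fidelity hit on a critical server: raw 190, capped to 100.
    {"name": "worm-on-server", "severity": "high",
     "target_value": "mission-critical", "sfr": 90, "relevance": "relevant"},
    # Medium signature, low-value target, wrong OS, seen by a promiscuous sensor.
    {"name": "probe-on-printer", "severity": "medium", "target_value": "low",
     "sfr": 80, "relevance": "not-relevant", "promiscuous": True},
    # Zero-value target: the product term is 0 and PD drives the raw score negative.
    {"name": "noise-on-guest-vlan", "severity": "informational",
     "target_value": "zero", "sfr": 10, "promiscuous": True},
]


def score_events(events):
    """Return {event name: RR} for a list of event dicts like SAMPLE_EVENTS."""
    return {e["name"]: rate_event(**{k: v for k, v in e.items() if k != "name"})
            for e in events}


def events_hitting_override(events, threshold=90):
    """Names of events whose RR reaches an override threshold.  90 is an
    assumed value for a deny-attacker-inline override; the real threshold is
    whatever is configured under service event-action-rules."""
    return [name for name, rr in score_events(events).items() if rr >= threshold]


if __name__ == "__main__":
    for name, rr in score_events(SAMPLE_EVENTS).items():
        print(f"{name:20s} RR={rr}")
    print("would hit the RR>=90 override:", events_hitting_override(SAMPLE_EVENTS))
```

The point the sample events make is that RR is dominated by the product term: a high-severity, high-fidelity signature on a mission-critical target saturates at 100 regardless of ARR, while the same promiscuous sensor scores a medium signature against the wrong OS on a low-value host at 5, so an override keyed on RR 90 separates the two without any per-signature tuning.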

Whenever you assign the "Request Rate Limit" action to a signature, don't forget to also set, under Event Action Settings:

"External Rate Limit Type" = Percentage

"External Rate Limit Percentage" = 25

The rate limit is not applied by the sensor itself: ARC pushes it to the managed router, and the percentage is the share of the router interface's bandwidth the matching traffic is limited to. Without these two settings the action has no bandwidth figure to send.
