Preparing Cisco IOS Routers
This appendix provides procedures for configuring a Cisco IOS router. It contains the following sections:
• Preparing Cisco IOS Routers for Use With Cisco ICS as IPS Coverage Devices
• Verifying the Cisco IOS IPS Configuration for Use With Cisco ICS
• Preparing Cisco IOS Routers for Use With Cisco ICS as ACL Coverage Devices
• Verifying the ACL Configuration
Preparing Cisco IOS Routers for Use With Cisco ICS as IPS Coverage Devices
The Cisco ICS uses Hypertext Transfer Protocol (HTTP) or HTTPS to communicate with Cisco IOS routers that are set up for Cisco IOS IPS (Intrusion Prevention System) coverage. Set up HTTP or HTTPS on the router with the proper authentication so that Cisco ICS can add the router into its database and deploy an Outbreak Management Task (OMT). An OMT is a Cisco IOS ICS object that ICS uses to track active outbreaks. An OMT will result in an OPACL being deployed to mitigation devices, and it may further be associated with its follow-on OPSig being deployed if and when one becomes available.
Note
Cisco ICS manages Cisco IOS IPS coverage devices differently from Cisco IOS Access Control List (ACL) coverage devices. Cisco ICS uses HTTP or HTTPS to deploy OPACLs and OPSigs to IPS coverage devices, whereas it uses Telnet or SSH to deploy OPACLs to ACL coverage devices.
To prepare Cisco IOS routers as IPS coverage devices for use with Cisco ICS, follow these steps:
Note
Steps 1 and 2 enable built-in signatures.
Step 1
Define an IPS rule.
yourHost(config)# ip ips name myOPS
Step 2
Specify the Cisco IOS Signature Definition File (SDF) location with autosave enabled to save the OPSig in a file. The file can be on a disk or in flash memory, depending on your router's hardware configuration.
yourHost(config)# ip ips sdf location flash:mysig.sdf [autosave]
If you specify autosave, the router saves new signatures to the specified location so that signatures are not lost after the router is rebooted. It is recommended that you specify autosave so that Cisco ICS will not redeploy any OPSigs that were previously running.
The location of the SDF can be either of the following:
• sig.sdf
• sig.xml
Note
The SDF files can have any names, but they must be in proper xml format.
Step 3
Enable Security Device Event Exchange (SDEE) for event logging. SDEE is the notification protocol that Cisco ICS uses to query Cisco IPS for logging and notification messages.
yourHost(config)# ip ips notify SDEE
Step 4
To prevent event losses, increase to 1000 the maximum number of SDEE alerts that can be stored.
yourHost(config)# ip sdee alerts 1000
Step 5
Initialize Cisco IOS IPS by applying an IPS rule to an interface. Cisco IOS compiles the Signature Micro Engines (SMEs) that are the core of the Cisco IOS IPS subsystem; that is, it uses the signatures to build appropriate regular expression tables that are necessary for packet scans. The signature micro engine build times may vary, depending on the platform.
When configuring Cisco IOS IPS with Cisco ICS for the first time, no signatures will exist within flash:mysig.sdf. Therefore, Cisco IOS IPS reverts to built-in signatures. After Cisco ICS deploys an OPACL and/or an OPSig to the device, the autosave parameter causes the flash file to be reinitialized and written to flash memory with the merged content of the built-in signatures and the OPACL/OPSigs.
yourHost(config)# interface FastEthernet0/1
yourHost(config-if)# ip ips myOPS in
Step 6
Enable the Cisco IOS HTTPS or HTTP server, depending on the communication method configured for those devices on the Cisco ICS server. Enable only one of the two servers (HTTP or HTTPS); enabling both may create a security problem.
Note
HTTPS and HTTP do not support Authentication, Authorization, and Accounting (AAA). Local users must have a privilege of 15 so that the Cisco ICS server can access the Cisco IOS IPS router.
yourHost(config)# ip http server
yourHost(config)# ip http authentication local
yourHost(config)# username yourName privilege 15 password yourPassword
Verifying the Cisco IOS IPS Configuration for Use With Cisco ICS
To verify the Cisco IOS IPS configuration, follow these steps:
Step 1
show ip ips all
Make sure IPS and SDEE are enabled, and that the IPS rule is applied to interfaces:
yourHost(config)# show ip ips all
Configured SDF Locations:
flash://mysig.sdf autosave
Builtin signatures are enabled but not loaded
Last successful SDF load time: 21:03:07 UTC Jun 20 2005
IPS fail closed is disabled
Fastpath IPS is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 82
Total Inactive Signatures: 0
IPS Rule Configuration
IPS name myOPS
Interface Configuration
Interface FastEthernet0/1
Inbound IPS rule is myOPS
Outgoing IPS rule is not set
Step 2
show ip ips signature | include number
Verify that Outbreak Prevention ACLs (OPACLs), the 50000:0-2 signatures, are visible and ready for use.
In this example, Cisco ICS has not yet deployed an OPACL to Cisco IOS IPS. The OPACLs are visible, however, although Cisco ICS has not enabled or configured them. Cisco IOS IPS includes these signatures as part of Cisco IOS IPS "built-in" signatures.
yourHost(config)# show ip ips signature | include 5000
50000:0 N A HIGH 0 0 0 0 0 FA N OPACL
50000:1 N A HIGH 0 0 0 0 0 FA N OPACL
50000:2 N A HIGH 0 0 0 0 0 FA N OPACL
After an OPSig has been deployed, you can also use the following command to verify OPSigs.
yourHost(config)# show ip ips signature | section MULTI-STRING
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
----------- -- ------ --- ----- -- -- -- -- ----- ----------
50002:0 Y ADR INFO 0 0 0 0 0 FA N V1.0
50010:0 Y ADR INFO 0 0 0 0 0 FA N V1.0
50010:1 Y ADR INFO 0 0 0 0 0 FA N V1.0
50010:2 Y ADR INFO 0 0 0 0 0 FA N V1.0
50010:3 Y ADR INFO 0 0 0 0 0 FA N V1.0
Step 3
show crypto key pubkey-chain rsa
Verify that Trend Micro's public key has been installed:
Router# show crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate
Code Usage IP-Address/VRF Keyring Name
M Signing default realm-trend.pub
Step 4
show ip http server status
Verify that the HTTP or HTTPS server is enabled:
Router# show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 0
HTTP server base path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 600 seconds
Server life time-out: 86400 seconds
Maximum number of requests allowed on a connection: 10000
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
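The four verification steps above can be automated against captured show output. The following is an added example, not part of the Cisco documentation: it parses constructed samples of the show ip ips all and show ip http server status output shown on this page and reports every condition the procedure asks you to confirm (SDEE enabled, an autosave SDF location, the IPS rule applied inbound, and exactly one of HTTP or HTTPS enabled with local authentication). The rule name myOPS and the sample text are assumptions taken from the examples on this page.

```python
import re

# Constructed sample output, modelled on the "show ip ips all" and
# "show ip http server status" output shown on this page (not captured from a router).
SHOW_IP_IPS_ALL = """\
Configured SDF Locations:
flash://mysig.sdf autosave
Builtin signatures are enabled but not loaded
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 82
IPS Rule Configuration
IPS name myOPS
Interface Configuration
Interface FastEthernet0/1
Inbound IPS rule is myOPS
Outgoing IPS rule is not set
"""
SHOW_HTTP_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP secure server status: Enabled
HTTP secure server port: 443
"""

def check_ips_coverage(ips_all, http_status, rule="myOPS"):
    """Return a list of findings; an empty list means the router is ready for Cisco ICS."""
    findings = []
    # Step 3: SDEE must be on, or Cisco ICS cannot query the router for events.
    if "Event notification through SDEE is enabled" not in ips_all:
        findings.append("SDEE notification is not enabled (ip ips notify SDEE)")
    # Step 2: an SDF location with autosave keeps deployed OPSigs across reboots.
    if not re.search(r"^\S+ autosave$", ips_all, re.M):
        findings.append("no SDF location with autosave (ip ips sdf location url autosave)")
    # Step 5: the IPS rule must be applied inbound on an interface.
    if not re.search(rf"^Inbound IPS rule is {re.escape(rule)}$", ips_all, re.M):
        findings.append(f"IPS rule {rule} is not applied inbound on any interface")
    # Step 6: exactly one of the HTTP / HTTPS servers, with local authentication.
    http = "HTTP server status: Enabled" in http_status
    https = "HTTP secure server status: Enabled" in http_status
    if not (http or https):
        findings.append("neither the HTTP nor the HTTPS server is enabled")
    elif http and https:
        findings.append("both HTTP and HTTPS servers are enabled; enable only one")
    if "HTTP server authentication method: local" not in http_status:
        findings.append("HTTP authentication method is not local")
    return findings
```

Run against the sample above, the only finding is that both servers are enabled, which is exactly the condition the Step 6 note tells you to avoid.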
Preparing Cisco IOS Routers for Use With Cisco ICS as ACL Coverage Devices
Cisco ICS uses SSH or Telnet to communicate with Cisco IOS routers that are set up for ACL coverage. Set up SSH or Telnet on the router with the proper authentication so that Cisco ICS can add the router into its database and deploy to it.
The following SSH steps are required:
• Set up Cisco IOS for SSH access by setting up the host and domain names on Cisco IOS and creating an RSA key for SSH.
• Determine the authentication scheme.
• Verify the Cisco ICS "online" status from the Cisco ICS server.
For detailed information about SSH2, refer to Cisco IOS Security Configuration Guide, Release 12.4.
To prepare Cisco IOS routers for use with Cisco ICS as ACL coverage devices, follow these steps:
Step 1
Configure the hostname.
Router(config)# hostname yourHost
Step 2
Configure the domain name.
yourHost(config)# ip domain-name yourDomain
Step 3
Configure a privilege level 15 user.
yourHost(config)# username yourName privilege 15 password yourPassword
Step 4
Generate the Rivest, Shamir, and Adleman (RSA) key with a length of 1024 bits so that the router supports Secure Shell (SSH).
yourHost(config)# crypto key generate rsa usage-keys
The name for the keys will be: yourHost.yourDomain
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
% Generating 1024 bit RSA keys ...[OK]
Step 5
Configure VTY to allow Telnet and SSH.
yourHost(config)# line vty 0 4
yourHost(config-line)# login local
yourHost(config-line)# privilege level 15
yourHost(config-line)# transport input telnet ssh
Verifying the ACL Configuration
To verify the ACL configuration, follow these steps:
Step 1
show crypto key mypubkey rsa
Verify that the RSA key was generated:
Router# show crypto key mypubkey rsa
% Key pair was generated at: 22:42:55 UTC Jun 16 2005
Key name: yourHost.yourDomain
Usage: Signature Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A1DECE D6307298
A92ACD5E B55A1AAF CC5697CA 298A867C 1E6CE7BD F26ED862 0C665DE1 69E30D11
A25B323C 78E0EBA3 341F7BEF 487B6030 BE5D1EC4 2265BCE8 15020301 0001
% Key pair was generated at: 22:42:55 UTC Jun 16 2005
Key name: yourHost.yourDomain
Usage: Encryption Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00955C87 1A5C7556
B9F24757 CAE115A8 0C887487 787C4EF1 2EC4AAD7 580E7F02 17A95593 9C68F105
1C308AE6 5AA4CB78 4A54F1E7 4CD84F0F 74517EA4 894513C1 6D020301 0001
Step 2
show ip access-list
Verify that Cisco ICS has deployed an OPACL to the router.
The following example shows Cisco IOS output of a deployed OPACL. Cisco ICS is configured to deploy ACLs to the router's FastEthernet1 inbound and outbound. This example does not show an OPACL merged with an existing ACL for the interface because no ACL was previously configured on the interface.
yourHost(config)# show ip access-list
ip access-list extended CICS_FastEthernet1_0
deny tcp any any eq 28435 log time-range CICS-9481d42a
permit ip any any
ip access-list extended CICS_FastEthernet1_1
deny tcp any any eq 28435 log time-range CICS-9481d42a
permit ip any any
!
time-range CICS-b790571a
absolute end 16:35 07 October 2005
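A deployed OPACL is only effective while the time-range its deny entries reference is defined and has not passed its absolute end, so a verification check should confirm both. The following is an added example, not part of the Cisco documentation: it parses a constructed sample in the form of the show ip access-list output above, finds every CICS_ access list, and reports deny entries whose time-range is missing or already expired, plus a missing trailing permit. The ACL and time-range names are assumptions modelled on this page's example.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the deployed-OPACL output shown on this page
# (not captured from a router).
SHOW_IP_ACCESS_LIST = """\
ip access-list extended CICS_FastEthernet1_0
deny tcp any any eq 28435 log time-range CICS-9481d42a
permit ip any any
ip access-list extended CICS_FastEthernet1_1
deny tcp any any eq 28435 log time-range CICS-9481d42a
permit ip any any
!
time-range CICS-9481d42a
absolute end 16:35 07 October 2005
"""

TIME_FMT = "%H:%M %d %B %Y"  # format of the IOS "absolute end" line, e.g. 16:35 07 October 2005
DENY_RE = re.compile(r"^deny .* time-range (\S+)$", re.M)
TR_RE = re.compile(r"^time-range (\S+)\nabsolute end (.+)$", re.M)

def parse_time_ranges(output):
    """Map each time-range name to the datetime at which its OPACL entries expire."""
    return {name: datetime.strptime(end, TIME_FMT) for name, end in TR_RE.findall(output)}

def check_opacl(output, now):
    """Return findings about deployed CICS_ OPACLs; an empty list means consistent and active.
    now is given in the same format IOS prints, e.g. "12:00 07 October 2005"."""
    now_dt = datetime.strptime(now, TIME_FMT)
    ranges = parse_time_ranges(output)
    findings = []
    # One block per "ip access-list extended ..." stanza; keep only Cisco ICS lists.
    blocks = [b for b in re.split(r"^(?=ip access-list extended )", output, flags=re.M)
              if b.startswith("ip access-list extended CICS_")]
    if not blocks:
        findings.append("no CICS_ OPACL deployed")
    for block in blocks:
        acl = block.split("\n", 1)[0].split()[-1]
        if "\npermit ip any any" not in block:
            findings.append(f"{acl}: missing trailing 'permit ip any any'")
        for tr in DENY_RE.findall(block):
            if tr not in ranges:
                findings.append(f"{acl}: time-range {tr} is not defined")
            elif ranges[tr] <= now_dt:
                findings.append(f"{acl}: time-range {tr} expired at {ranges[tr]:%H:%M %d %B %Y}")
    return findings
```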
ip ips sdf location
To specify the location in which the router will load the signature definition file (SDF), use the ip ips sdf location command in global configuration mode. To remove an SDF location from the configuration, use the no form of this command.
ip ips sdf location url [autosave]
no ip ips sdf location url [autosave]
Syntax Description
Defaults
If an SDF location is not specified, the router will load the default built-in signatures.
Command Modes
Global configuration
Command History
Usage Guidelines
When you specify the ip ips sdf location command, the signatures are not loaded until the router is rebooted or until the Intrusion Prevention System (IPS) is applied to an interface (via the ip ips command). If IPS is already applied to an interface, the signatures are not loaded. If IPS cannot load the SDF, an error message is issued and the router uses the built-in IPS signatures.
You can also specify the copy ips-sdf command to load an SDF from a specified location. Unlike the ip ips sdf location command, the signatures are loaded immediately after the copy ips-sdf command is entered.
When you specify the autosave keyword, the router saves a new SDF to the specified location when signatures are loaded using either the copy command or an external management platform such as Security Device Manager (SDM), IPS Management Center (IPSMC) or Cisco Incident Control Server (Cisco ICS). You can specify multiple autosave locations. The router will attempt to save to all autosave locations. The url must have proper write access permissions.
Posted: Fri Apr 7 09:27:44 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.