The security challenges that face today's network administrators cannot be successfully managed by any single application. Although implementing device hardening, AAA access control, and firewall features are all part of a properly secured network, these features still cannot defend the network against fast-moving Internet worms and viruses. A network must be able to instantly recognize and mitigate worm and virus threats.
It is also no longer possible to contain intrusions at a few points in the network. Intrusion prevention is required throughout the entire network to detect and stop an attack at every inbound and outbound point.
A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network.
When implementing IDS and/or IPS, it is important to be familiar with the types of systems available, host-based and network-based approaches, the placement of these systems, the role of signature categories, and possible actions that a Cisco IOS router can take when an attack is detected.
In a comprehensive hands-on lab for the chapter, Configuring an Intrusion Prevention System (IPS) Using the CLI and SDM, learners configure IPS using the CLI, modify IPS signatures, verify IPS functionality, and log IPS messages to a syslog server. Next, learners configure IPS using SDM, modify signatures, use a scanning tool to simulate an attack, and use SDM Monitor to verify IPS functionality. The lab is found in the lab manual on Academy Connection at cisco.netacad.net.
A Packet Tracer activity, Configure IOS Intrusion Prevention System (IPS) using CLI, provides learners additional practice implementing the technologies introduced in this chapter. Learners configure IPS using CLI, modify IPS signatures, and verify IPS functionality.
Packet Tracer activities for CCNA Security are found on Academy Connection at cisco.netacad.net.
Internet worms and viruses can spread across the world in a matter of minutes. A network must instantly recognize and mitigate worm and virus threats. Firewalls can only do so much and cannot protect against malware and zero-day attacks.
A zero-day attack, sometimes referred to as a zero-day threat, is a computer attack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor. The term zero-hour describes the moment when the exploit is discovered. During the time it takes the software vendor to develop and release a patch, the network is vulnerable to these exploits. To defend against these fast-moving attacks requires security professionals to expand how they view network architecture. It is no longer possible to contain intrusions at a few points in the network.
One approach to prevent worms and viruses from entering a network is for an administrator to continuously monitor the network and analyze the log files generated by the network devices. This solution is not very scalable. Manually analyzing log file information is a time-consuming task and provides a limited view of the attacks being launched against a network. By the time that the logs are analyzed, the attack has already begun.
Intrusion Detection Systems (IDSs) were implemented to passively monitor the traffic on a network. An IDS-enabled device copies the traffic stream and analyzes the copy rather than the actual forwarded packets. It compares the captured traffic stream with known malicious signatures in an offline manner similar to software that checks for viruses. This offline IDS implementation is referred to as promiscuous mode.
The advantage of operating with a copy of the traffic is that the IDS does not negatively affect the actual packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before it can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.
It is better to implement a solution that detects and immediately addresses a network problem as required.
An Intrusion Prevention System (IPS) builds upon IDS technology. Unlike IDS, an IPS device is implemented in inline mode. This means that all ingress and egress traffic must flow through it for processing. An IPS does not allow packets to enter the trusted side of the network without first being analyzed. It can detect and immediately address a network problem as required.
An IPS monitors Layer 3 and Layer 4 traffic and analyzes the contents and the payload of the packets for more sophisticated embedded attacks that might include malicious data at Layers 2 through 7. Cisco IPS platforms use a blend of detection technologies, including signature-based, profile-based, and protocol analysis intrusion detection. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. When a packet comes in through an interface on an IPS, that packet is not sent to the outbound or trusted interface until the packet has been analyzed.
The advantage of operating in an inline manner is that the IPS can stop single-packet attacks from reaching the target system. The disadvantage is that a poorly configured IPS or an inappropriate IPS solution can negatively affect the packet flow of the forwarded traffic.
The biggest difference between IDS and IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS might allow malicious traffic to pass before responding.
IDS and IPS technologies do share several characteristics. IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be any of the following devices:
IDS and IPS technologies use signatures to detect patterns of misuse in network traffic. A signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity. Signatures can be used to detect severe breaches of security, common network attacks, and information gathering. IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multipacket).
Does an IPS sensor completely replace an IDS sensor?
IDS Advantages and Disadvantages
One main advantage of an IDS platform is that it is deployed in promiscuous mode. Because the IDS sensor is not inline, it has no impact on network performance. It does not introduce latency, jitter, or other traffic flow issues. In addition, if a sensor fails, it does not affect network functionality. It only affects the ability of the IDS to analyze the data.
But there are many disadvantages of deploying an IDS platform in promiscuous mode. IDS sensor response actions cannot stop the trigger packet and are not guaranteed to stop a connection. They are also less helpful in stopping email viruses and automated attacks such as worms.
Users deploying IDS sensor response actions must have a well thought-out security policy, combined with a good operational understanding of their IDS deployments. Users must spend time tuning IDS sensors to achieve expected levels of intrusion detection.
Finally, because IDS sensors are not inline, an IDS implementation is more vulnerable to network evasion techniques used by various network threats.
IPS Advantages and Disadvantages
Deploying an IPS platform in inline mode also has advantages and disadvantages.
One advantage over IDS is that an IPS sensor can be configured to perform a packet drop that can stop the trigger packet, the packets in a connection, or packets from a source IP address. Additionally, being inline, an IPS sensor can use stream normalization techniques to reduce or eliminate many of the network evasion capabilities that exist.
A disadvantage of IPS is that errors, failures, and overrunning the IPS sensor with too much traffic can have a negative effect on network performance. This is because IPS must be deployed inline, and traffic must be able to pass through it. An IPS sensor can affect network performance by introducing latency and jitter. An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not negatively affected.
Deployment Considerations
Using one of these technologies does not mean that an administrator should not use the other. In fact, IDS and IPS technologies can complement each other. For example, an IDS can be implemented to validate IPS operation, because IDS can be configured for deeper packet inspection offline. This allows the IPS to focus on fewer but more critical traffic patterns inline.
Deciding which implementation to use is based on the security goals of the organization as stated in the network security policy.
The protection against viruses and threats requires an end-to-end solution. For this reason, IDS and IPS technologies are typically deployed using two implementations: network-based and host-based.
Network-based IPS Implementations
Network-based IPS implementations analyze network-wide activity looking for malicious activity. Network devices such as ISR routers, ASA firewall appliances, Catalyst 6500 network modules, or dedicated IPS appliances are configured to monitor known signatures. They can also detect abnormal traffic patterns.
Host-based IPS Implementations
Host-based implementations are installed on individual computers using host intrusion prevention system (HIPS) software such as Cisco Security Agent (CSA). HIPS audits host log files, host file systems, and resources. A simple form of HIPS enables system logging and log analysis on the host, which is an extremely labor-intensive approach. CSA software helps manage HIPS and proactively secures hosts. A significant advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that may exist only on that specific host. It combines behavioral analysis and signature filters with the best features of anti-virus software, network firewalls, and application firewalls in one package.
CSA provides host security to enterprises by deploying agents that defend against the proliferation of attacks across networks. These agents operate using a set of policies that are selectively assigned to each system node on the network by the network administrator.
CSA contains two components:
CSA continuously examines processes, security event logs, critical system files, and system registries looking for malicious entries. It can be installed on publicly accessible servers, corporate mail servers, application servers, and user desktops. It reports events to a central management console server that is located inside the corporate firewall.
When installed on a host, CSA controls system operations, protecting systems using policies that network administrators configure and deploy to agents. These policies allow or deny specific system actions. The agents must check whether an action is allowed or denied before any system resources are accessed and acted upon. This process occurs transparently and does not hinder overall system performance. Unless an errant and unexpected system operation occurs, the agent does not interfere with daily operations.
CSA provides proactive security by controlling access to system resources. CSA can stop attacks, without any updates, by identifying malicious behavior and responding in real time. This approach avoids the race to update defenses to keep up with the latest exploit and protects hosts, even on day zero, from new attacks. For example, the Nimda and SQL Slammer worms did millions of dollars of damage to enterprises on the first day of their appearance before updates were available. Networks that were protected with CSA, however, stopped these attacks by identifying their behavior as malicious.
CSA prompts the user for an action whenever a problem is detected. The user must either allow or deny the action, or terminate the process when it attempts to access resources on a user's system. Typically, a pop-up box appears prompting the user to select from three possible radio buttons when a rule in question is triggered:
For example, if CSA recognizes that a software update is being installed, it requires an action. If the user is installing a legitimate software update, the user must allow the operation to continue. However, if the user is unaware of the installation and the request appears without any valid reason, the user should most likely deny the action.
Depending on the version of Cisco CSA installed, a small orange flag or red flag icon appears in the Windows system tray. When CSA denies a system action, a message informing the user of this event is logged. To draw attention to the user, the small orange flag fades in and out or the red flag waves. The user can also view the CSA log file containing all security events that have occurred on the system.
There are many advantages of using HIPS. With HIPS, the success or failure of an attack can be readily determined. A network IPS sends an alarm upon the presence of intrusive activity but cannot always ascertain the success or failure of such an attack. HIPS also does not have to worry about fragmentation attacks or variable Time to Live (TTL) attacks because the host stack takes care of these issues. HIPS has access to the traffic after it has been unencrypted.
There are two major drawbacks to HIPS. HIPS does not provide a complete network picture. Because HIPS examines information only at the local host level, it has difficulty constructing an accurate network picture or coordinating the events happening across the entire network. Additionally, HIPS needs to run on every system in the network. This requires verifying support for all the different operating systems that are used in the network.
Host-based and network-based IPS implementations complement one another by securing the multiple ingress and egress locations of the network.
A network IPS can be implemented using a dedicated IPS appliance, such as the IPS 4200 series, or can be added to an ISR router, an ASA firewall appliance or Catalyst 6500 switch.
Sensors detect malicious and unauthorized activity in real time and can take action when required. Sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring, regardless of the location of the attack target.
Sensors can be implemented in several ways. They can be added to an ISR router using an IPS Advanced Integration Module (AIM) or a Network Module Enhanced (IPS NME), or added to an ASA firewall appliance using an Inspection and Prevention Security Services Module (ASA AIP-SSM). They can also be added to a Catalyst 6500 switch using an Intrusion Detection System Services Module (IDSM-2).
Network IPS sensors are usually tuned for intrusion prevention analysis. The underlying operating system of the platform on which the IPS module is mounted is stripped of unnecessary network services, and essential services are secured. This is known as hardening. The hardware includes three components.
Network IPS gives security managers real-time security insight into their networks regardless of growth. Additional hosts can be added to protected networks without requiring more sensors. Additional sensors are only required when their rated traffic capacity is exceeded, when their performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries. When new networks are added, additional sensors are easy to deploy.
Cisco 1841, 2800, and 3800 ISRs can be configured (using CLI or SDM) to support IPS features using Cisco IOS IPS, which is part of the Cisco IOS Firewall feature set. This does not require the installation of an IPS module but does require downloading signature files and adequate memory to load the signatures. However, this deployment should be limited to a small organization with limited traffic patterns.
For larger volumes of traffic, Cisco IPS sensors can be implemented using standalone appliances or as modules added to network devices.
In addition to Cisco IOS IPS, Cisco offers a variety of modular and appliance-based IPS solutions:
With the increased complexity of security threats, achieving efficient network intrusion security solutions is critical to maintaining a high level of protection. Vigilant protection ensures business continuity and minimizes the effect of costly intrusions.
The choice of a sensor varies depending on the requirements of the organization. Several factors impact the IPS sensor selection and deployment.
Small implementations such as branch offices might only require a Cisco IOS IPS-enabled ISR router. As traffic patterns increase, the ISR can be configured to offload IPS functions using an NME IPS or AIM IPS.
Larger installations could be deployed using their existing ASA 5500 appliance with an ASA AIP.
Enterprises and service providers might require dedicated IPS appliances or a Catalyst 6500 using an IDSM-2 network module.
Network IPS has several advantages and disadvantages. One advantage is that a network-based monitoring system can easily see attacks that are occurring across the entire network. This provides a clear indication of the extent to which the network is being attacked. In addition, because the monitoring system is examining traffic only from the network, it does not have to support every type of operating system that is used on the network.
There are also disadvantages of network IPS. If network data is encrypted, this can essentially blind a network IPS, allowing attacks to go undetected. Another problem is that a network IPS has a difficult time reconstructing fragmented traffic for monitoring purposes. Finally, as networks become larger in terms of bandwidth, it becomes more difficult to place a network IPS at a single location and successfully capture all traffic. Eliminating this problem requires using more sensors throughout the network, which increases costs.
Recall that HIPS examines information at the local host or operating system level while network IPS examines packets that are traveling through the network for known signs of intrusive activity. They are not competing technologies but complementing technologies and should both be deployed to provide an end-to-end secure network.
To stop incoming malicious traffic, the network must first be able to identify it. Fortunately, malicious traffic displays distinct characteristics or "signatures." A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks. These signatures uniquely identify specific worms, viruses, protocol anomalies, or malicious traffic. IPS sensors are tuned to look for matching signatures or abnormal traffic patterns. IPS signatures are conceptually similar to the virus.dat file used by virus scanners.
As sensors scan network packets, they use signatures to detect known attacks and respond with predefined actions. A malicious packet flow has a specific type of activity and signature. An IDS or IPS sensor examines the data flow using many different signatures. When a sensor matches a signature with a data flow, it takes action, such as logging the event or sending an alarm to IDS or IPS management software.
Signatures have three distinctive attributes:
Signature Types
Signature types are generally categorized as atomic or composite.
Atomic
An atomic signature is the simplest form. It consists of a single packet, activity, or event that is examined to determine if it matches a configured signature. If it does, an alarm is triggered, and a signature action is performed. Because these signatures can be matched on a single event, they do not require an intrusion system to maintain state information. State refers to situations in which multiple packets of information are required that are not necessarily received at the same time. For example, if there was a requirement to maintain state, it would be necessary for the IDS or IPS to track the three-way handshake of established TCP connections. With atomic signatures, the entire inspection can be accomplished in an atomic operation that does not require any knowledge of past or future activities.
Detecting atomic signatures consumes minimal resources (such as memory) on the IPS or IDS device. These signatures are easy to identify and understand because they are compared against a specific event or packet. Traffic analysis for these atomic signatures can usually be performed very quickly and efficiently. For example, a LAND attack is an atomic signature because it sends a spoofed TCP SYN packet (connection initiation) with the IP address of the target host and an open port as both source and destination. The reason a LAND attack works is because it causes the machine to reply to itself continuously. One packet is required to identify this type of attack. An IDS is particularly vulnerable to an atomic attack because, until it finds the attack, malicious single packets are allowed into the network. An IPS, on the other hand, prevents these packets from entering the network altogether.
Composite
A composite signature is also called a stateful signature. This type of signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Unlike atomic signatures, the stateful properties of composite signatures usually require several pieces of data to match an attack signature, and an IPS device must maintain state. The length of time that the signatures must maintain state is known as the event horizon.
The length of an event horizon varies from one signature to another. An IPS cannot maintain state information indefinitely without eventually running out of resources. Therefore, an IPS uses a configured event horizon to determine how long it looks for a specific attack signature when an initial signature component is detected. Configuring the length of the event horizon is a tradeoff between consuming system resources and being able to detect an attack that occurs over an extended period of time.
Network security threats are occurring more frequently and spreading more quickly. As new threats are identified, new signatures must be created and uploaded to an IPS. To make this process easier, all signatures are contained in a signature file and uploaded to an IPS on a regular basis.
The signature file contains a package of network signatures intended as an update to the signature database resident in a Cisco product with IPS or IDS functions. This signature database is used by the IPS or IDS solution to compare network traffic against data patterns within the signature-file library. The IPS or IDS uses this comparison to detect suspected malicious network traffic behavior.
For example, the LAND attack is identified in the Impossible IP Packet signature (signature 1102.0). A signature file contains that signature and many more. Networks deploying the latest signature files are better protected against network intrusions.
To make the scanning of signatures more efficient, Cisco IOS software relies on signature micro-engines (SME), which categorize common signatures in groups. Cisco IOS software can then scan for multiple signatures based on group characteristics, instead of one at a time.
When IDS or IPS is enabled, an SME is loaded or built on the router. When an SME is built, the router might need to compile the regular expression found in a signature. A regular expression is a systematic way to specify a search for a pattern in a series of bytes.
The SME then looks for malicious activity in a specific protocol. Each engine defines a set of legal parameters with allowable ranges or sets of values for the protocols and the fields the engine inspects. Atomic and composite packets are scanned by the micro-engines that recognize the protocols contained in the packets. Signatures can be defined using the parameters offered by the SME.
Each SME extracts values from the packet and passes portions of the packet to the regular expression engine. The regular expression engine can search for multiple patterns at the same time.
The available SMEs vary depending on the platform, Cisco IOS version, and version of the signature file. Cisco IOS Release 12.4(6)T defines five micro-engines:
SMEs are constantly being updated. For example, before Release 12.4(11)T, the Cisco IPS signature format used version 4.x. Since IOS 12.4(11)T, Cisco has used version 5.x, an improved IPS signature format. The new version supports encrypted signature parameters and other features such as signature risk rating, which rates the signature on security risk.
There are a few factors to consider when determining router requirements for maintaining signatures. First, compiling a regular expression requires more memory than the final storage of the regular expression. Determine the final memory requirements of the finished signature before loading and merging signatures. Assess how many signatures the various router platforms can actually support. The number of signatures and engines that can adequately be supported depends only on the memory available. For this reason, configure Cisco IOS IPS-enabled routers with the maximum amount of memory possible.
Cisco investigates and creates signatures for new threats and malicious behavior as they are discovered and publishes them regularly. Typically, lower priority IPS signature files are published biweekly. If the threat is severe, Cisco publishes signature files within hours of identification.
To protect a network, the signature file must be updated regularly. Each update includes new signatures and all the signatures in the previous version. For example, signature file IOS-S361-CLI.pkg includes all signatures in file IOS-S360-CLI.pkg plus signatures created for threats discovered subsequently.
Just as virus checkers must constantly update their virus database, network administrators must be vigilant and regularly update the IPS signature file. New signatures are available from Cisco.com. A CCO login is required to retrieve signatures.
Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the signature trigger. Consider a home security system. The triggering mechanism for a burglar alarm could be a motion detector that detects the movement of an individual entering a room protected with an alarm.
The signature trigger for an IPS sensor could be anything that can reliably signal an intrusion or security policy violation. A network IPS might trigger a signature action if it detects a packet with a payload containing a specific string going to a specific port. A host-based IPS might trigger a signature action when a specific function call is invoked. Anything that can reliably signal an intrusion or security policy violation can be used as a triggering mechanism.
The Cisco IDS and IPS sensors (Cisco IPS 4200 Series Sensors and Cisco Catalyst 6500 - IDSM) can use four types of signature triggers:
These triggering mechanisms can be applied to both atomic and composite signatures. The triggering mechanisms can be simple or complex. Every IPS incorporates signatures that use one or more of these basic triggering mechanisms to trigger signature actions.
Another common triggering mechanism is called protocol decodes. Instead of simply looking for a pattern anywhere in a packet, protocol decodes break down a packet into the fields of a protocol and then search for specific patterns in a specific protocol field or some other malformed aspect of the protocol fields. The advantage of protocol decodes is that it enables a more granular inspection of traffic and reduces the number of false positives (traffic that generates an alert but is not a threat to the network).
Pattern-Based Detection
Pattern-based detection, also known as signature-based detection, is the simplest triggering mechanism because it searches for a specific, pre-defined pattern. A signature-based IDS or IPS sensor compares the network traffic to a database of known attacks and triggers an alarm or prevents communication if a match is found.
The signature trigger might be textual, binary, or even a series of function calls. It can be detected in a single packet (atomic) or in a sequence of packets (composite). In most cases, the pattern is matched to the signature only if the suspect packet is associated with a particular service or is destined to or sourced from a particular port. This matching technique helps to lessen the amount of inspection done on every packet. However, it makes it more difficult for systems to deal with protocols and attacks that do not utilize well-defined ports, such as Trojan Horses and their associated traffic, which can move at will.
At the initial stage of incorporating pattern-based IDS or IPS, before the signatures are tuned, there can be many false positives. After the system is tuned and adjusted to the specific network parameters, there are fewer false positives than with a policy-based approach.
Anomaly-based Detection
Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. This normal profile can be learned by monitoring activity on the network or specific applications on the host over a period of time. It can also be based on a defined specification, such as an RFC. After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.
The advantage of anomaly-based detection is that new and previously unpublished attacks can be detected. Instead of having to define a large number of signatures for various attack scenarios, the administrator simply defines a profile for normal activity. Any activity that deviates from this profile is then abnormal and triggers a signature action.
Despite this obvious advantage, several disadvantages can make anomaly-based signatures hard to use. For example, an alert from an anomaly signature does not necessarily indicate an attack. It indicates only a deviation from the defined normal activity, which can sometimes occur from valid user traffic. As the network evolves, the definition of normal usually changes, so the definition of normal must be redefined.
Another consideration is that the administrator must guarantee that the network is free of attack traffic during the learning phase. Otherwise, the attack activity will be considered normal traffic. Precautions should be taken to ensure that the network is free of attacks while establishing normal activity. However, it can be difficult to define normal traffic because most networks consist of a heterogeneous mixture of systems, devices, and applications that continually change.
When a signature does generate an alert, it might be difficult to correlate that alert back to a specific attack, because the alert indicates only that non-normal traffic has been detected. More analysis is required to determine whether the traffic represents an actual attack and what the attack actually accomplished. In addition, if the attack traffic happens to be similar to normal traffic, the attack might go undetected altogether.
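The profile-learning approach and its learning-phase caveat, as an added example in Python (not Cisco code and not part of the course text): a per-host baseline of requests per minute is learned from constructed samples, an observation is flagged when it exceeds the mean by a configurable number of standard deviations, and a second run shows that when the learning window already contained the attack traffic, the same attack no longer deviates from "normal". The host names, sample rates, the threshold factor `k` and the function names are all assumptions made for this illustration.

```python
"""Toy anomaly-based (profile-based) detector.

Added illustration, not from the text or from Cisco.  Host names, request
rates and the threshold factor are constructed for the example.
"""
from statistics import mean, pstdev


def learn_profile(samples: dict[str, list[float]]) -> dict[str, tuple[float, float]]:
    """samples maps host -> requests-per-minute values seen during learning.
    Returns host -> (mean, stdev).  The stdev is floored at 1.0 so that a
    perfectly flat baseline still yields a usable threshold."""
    profile = {}
    for host, values in samples.items():
        profile[host] = (mean(values), max(pstdev(values), 1.0))
    return profile


def detect(profile, observation: dict[str, float], k: float = 3.0):
    """Alert when a host's rate exceeds mean + k*stdev.  A host with no
    profile is also reported: without a baseline there is no definition of
    normal for it, which is the 'network evolves' problem in the text."""
    alerts = []
    for host, rate in observation.items():
        if host not in profile:
            alerts.append((host, "no baseline"))
            continue
        mu, sd = profile[host]
        limit = mu + k * sd
        if rate > limit:
            alerts.append((host, f"{rate} > {limit:.1f}"))
    return alerts


# Constructed learning data from a clean period.
CLEAN_TRAINING = {
    "web-1": [100, 110, 95, 105, 98, 102],
    "mail-1": [20, 25, 18, 22, 21, 24],
}
# Same hosts, but the learning window already contained a flood against web-1.
CONTAMINATED_TRAINING = {
    "web-1": [100, 110, 95, 900, 950, 102],
    "mail-1": [20, 25, 18, 22, 21, 24],
}
# Constructed observation: web-1 under a 900 req/min flood, a new host appears.
OBSERVATION = {"web-1": 900, "mail-1": 23, "printer-7": 5}


def compare_baselines():
    """Return the alerting hosts for a clean and for a contaminated baseline."""
    clean = [h for h, _ in detect(learn_profile(CLEAN_TRAINING), OBSERVATION)]
    dirty = [h for h, _ in detect(learn_profile(CONTAMINATED_TRAINING), OBSERVATION)]
    return clean, dirty


if __name__ == "__main__":
    clean_hits, dirty_hits = compare_baselines()
    print("clean baseline alerts:", clean_hits)         # web-1 flood is caught
    print("contaminated baseline alerts:", dirty_hits)  # web-1 flood is now 'normal'
```

The contaminated run is the point of the example: the flood pushes the learned mean and deviation for web-1 so high that 900 requests per minute sits inside the threshold, so the alert never fires and the administrator has no signature to fall back on.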
Policy-based Detection
Policy-based detection, also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis.
The use of behaviors enables a single signature to cover an entire class of activities without having to specify each individual situation. For example, having a signature that triggers an action when an email client invokes cmd.exe enables the administrator to apply the signature to any application whose behavior mimics the basic characteristics of an email client without having to apply the signature to each email client application individually. Therefore, if a user installs a new email application, the signature still applies.
Honey pot-based Detection
Honey pot-based detection uses a dummy server to attract attacks. The purpose of the honey pot approach is to distract attacks away from real network devices. By staging different types of vulnerabilities in the honey pot server, administrators can analyze incoming types of attacks and malicious traffic patterns. They can then use this analysis to tune their sensor signatures to detect new types of malicious network traffic. Honey pot systems are rarely used in production environments. Anti-virus and other security vendors tend to use them for research.
Cisco has implemented IPS functions into its Cisco IOS software. Cisco IOS IPS uses technology from Cisco IDS and IPS sensor product lines, including Cisco IPS 4200 Series Sensors and Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM).
There are many benefits to using the Cisco IOS IPS solution:
Triggering False Alarms
Triggering mechanisms can generate alarms that are false positives or false negatives. These alarms must be addressed when implementing an IPS sensor.
A false positive alarm is an expected but undesired result. A false positive alarm occurs when an intrusion system generates an alarm after processing normal user traffic that should not have resulted in the alarm. Analyzing false positives limits the time that a security analyst has to examine actual intrusive activity on a network. If this occurs, the administrator must be sure to tune the IPS to change these alarm types to true negatives. A true negative describes a situation in which normal network traffic does not generate an alarm.
A false negative is when an intrusion system fails to generate an alarm after processing attack traffic that the intrusion system is configured to detect. It is imperative that the intrusion system does not generate false negatives, because it means that known attacks are not being detected. The goal is to render these alarm types as true positive. A true positive describes a situation in which an intrusion system generates an alarm in response to known attack traffic.
Alarms trigger when specific parameters are met. An administrator must balance the number of incorrect alarms that can be tolerated with the ability of the signature to detect actual intrusions. If there are too few alarms, suspect packets might be allowed into the network, but network traffic flows more quickly. But if IPS systems use untuned signatures, they produce many false positive alarms.
A signature is tuned to one of four levels (listed alphabetically), based on the perceived severity of the signature:
There are several factors to consider when implementing the alarms that a signature uses:
Whenever a signature detects the activity for which it is configured, the signature triggers one or more actions. Several actions can be performed:
The available actions depend on the signature type and the platform.
Generating an Alert
Monitoring the alerts generated by network-based and host-based IPS systems is vital to understanding the attacks being launched against the network. If an attacker causes a flood of bogus alerts, examining these alerts can overload the security analysts. Both network- and host-based IPS solutions incorporate two types of alerts to enable an administrator to efficiently monitor the operation of the network: atomic alerts and summary alerts. Understanding these types of alerts is critical to providing the most effective protection for a network.
Atomic Alerts
Atomic alerts are generated every time a signature triggers. In some situations, this behavior is useful and indicates all occurrences of a specific attack. However, an attacker might be able to flood the monitor console with alerts by generating thousands of bogus alerts against the IPS device or applications.
Summary Alerts
Instead of generating alerts for each instance of a signature, some IPS solutions enable the administrator to generate summary alerts. A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address or port. Alarm summary modes limit the number of alerts generated and make it difficult for an attacker to consume resources on the sensor.
With the summarization modes, the administrator also receives information on the number of times that the activity that matches a signature's characteristics was observed during a specific period of time. When using alarm summarization, the first instance of intrusive activity usually triggers a normal alert. Then, other instances of the same activity (duplicate alarms) are counted until the end of the signature's summary interval. When the length of time specified by the summary interval has elapsed, a summary alarm is sent, indicating the number of alarms that occurred during the time interval.
Some IPS solutions also enable automatic summarization even though the default behavior is to generate atomic alerts. In this situation, if the number of atomic alerts exceeds a configured threshold in a specified amount of time, the signature automatically switches to generating summary alerts instead of atomic alerts. After a defined period of time, the signature reverts to its original configuration. Automatic summarization enables the administrator to automatically regulate the number of alerts being generated.
As a hybrid between atomic alerts and summary alerts, some IPS solutions also enable the generation of a single atomic alert and then disable alerts for that signature and source address for a specific period of time. This prevents an administrator from getting overwhelmed with alerts while still indicating that a specific system shows suspicious activity.
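The four alert behaviors described above (atomic alerts, summary alerts, automatic summarization after a threshold, and the hybrid that fires once and then suppresses a source) can be replayed against a stream of signature triggers to see how many alerts each one produces. The following Python block is an added example written for this text; it is not code from the curriculum or from any Cisco product. The class name, the mode names, the (time, source) trigger layout, and the sample trigger stream are all assumptions.

```python
"""Atomic, summary, automatic-summary and fire-once alert handling for one
IPS signature, replayed over a constructed stream of signature triggers.

Added example, not code from the original text or from any Cisco product;
the class and mode names, the (time, source) trigger layout and the sample
stream are assumptions."""


class SignatureAlerter:
    """Decides which alerts a signature emits for a stream of triggers.

    mode "atomic":  one alert per trigger (an attacker can flood the console)
    mode "summary": first trigger alerts; duplicates from the same source
                    are counted and reported once per summary interval
    mode "auto":    atomic until `threshold` triggers arrive within one
                    interval, then summary for one interval, then atomic
    mode "once":    one alert per source, then that source is silenced for
                    one interval (the hybrid described in the text)
    """

    def __init__(self, mode, interval=30.0, threshold=5):
        self.mode = mode
        self.interval = interval
        self.threshold = threshold
        self.alerts = []            # (kind, time, source, count)
        self._window = {}           # summary: src -> [window_start, duplicates]
        self._recent = []           # auto: trigger times while in atomic mode
        self._auto_until = None     # auto: summarising until this time
        self._auto_count = 0
        self._silent_until = {}     # once: src -> time the suppression ends

    def trigger(self, t, src):
        """Record one signature trigger at time t (seconds) from src."""
        if self.mode == "atomic":
            self.alerts.append(("alert", t, src, 1))
        elif self.mode == "summary":
            self._expire_windows(t)
            if src in self._window:
                self._window[src][1] += 1      # duplicate alarm: counted only
            else:
                self._window[src] = [t, 0]     # first instance: normal alert
                self.alerts.append(("alert", t, src, 1))
        elif self.mode == "auto":
            if self._auto_until is not None:
                if t < self._auto_until:
                    self._auto_count += 1
                    return
                self._emit_auto_summary()      # interval over: revert to atomic
            self._recent = [x for x in self._recent if t - x < self.interval] + [t]
            self.alerts.append(("alert", t, src, 1))
            if len(self._recent) >= self.threshold:
                self._auto_until = t + self.interval   # switch to summary mode
                self._auto_count = 0
                self._recent = []
        elif self.mode == "once":
            if t < self._silent_until.get(src, float("-inf")):
                return                         # suppressed for this source
            self.alerts.append(("alert", t, src, 1))
            self._silent_until[src] = t + self.interval
        else:
            raise ValueError(f"unknown mode {self.mode!r}")

    def _expire_windows(self, now):
        """Send a summary alarm for every summary interval that has elapsed."""
        for src, (start, dups) in list(self._window.items()):
            if now - start >= self.interval:
                if dups:
                    self.alerts.append(("summary", start + self.interval, src, dups))
                del self._window[src]

    def _emit_auto_summary(self):
        self.alerts.append(("summary", self._auto_until, "*", self._auto_count))
        self._auto_until = None

    def finish(self):
        """Close any open interval (end of the replayed stream) and return alerts."""
        if self.mode == "summary":
            self._expire_windows(float("inf"))
        elif self.mode == "auto" and self._auto_until is not None:
            self._emit_auto_summary()
        return self.alerts


# Constructed sample: one source triggers the signature every second for
# 12 seconds while a second source triggers it once.
SAMPLE_TRIGGERS = sorted(
    [(float(i), "10.0.0.5") for i in range(12)] + [(3.5, "10.0.0.9")])


def replay(mode, interval=30.0, threshold=5):
    """Replay the sample stream in the given mode and return the alerts."""
    alerter = SignatureAlerter(mode, interval, threshold)
    for t, src in SAMPLE_TRIGGERS:
        alerter.trigger(t, src)
    return alerter.finish()


if __name__ == "__main__":
    for mode in ("atomic", "summary", "auto", "once"):
        print(mode, replay(mode))
```

With the sample stream, atomic mode produces 13 alerts, summary mode produces two normal alerts plus one summary carrying the 11 duplicates, automatic summarization produces five atomic alerts before switching and one summary afterwards, and the fire-once hybrid produces one alert per source.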
Logging the Activity
In some situations, an administrator does not necessarily have enough information to stop an activity. Therefore, logging the actions or packets that are seen so that they can be analyzed later in more detail is very important. By performing a detailed analysis, an administrator can identify exactly what is taking place and make a decision as to whether it should be allowed or denied in the future.
For example, if an administrator configures a signature to look for the string /etc/password and to log the action with the attacker's IP address whenever the signature triggers, the IPS device begins logging the traffic from the attacker's IP address for a specified period of time or number of bytes. This log information is usually stored on the IPS device in a specific file. Because the signature also generates an alert, the administrator can observe the alert on the management console. Then the log data can be retrieved from the IPS device, and the activity that the attacker performed on the network after triggering the initial alarm can be analyzed.
Dropping or Preventing the Activity
One of the most powerful actions for an IPS device is to drop packets or prevent an activity from occurring. This action enables the device to stop an attack before it has the chance to perform malicious activity. Unlike a traditional IDS device, the IPS device actively forwards packets across two of its interfaces. The analysis engine determines which packets should be forwarded and which packets should be dropped.
Besides dropping individual packets, the drop action can be expanded to drop all packets for a specific session or even all packets from a specific host for a certain amount of time. By dropping traffic for a connection or host, the IPS conserves resources without having to analyze each packet separately.
Resetting a TCP Connection
The TCP Reset Signature Action is a basic action that can be used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set. Many IPS devices use the TCP reset action to abruptly end a TCP connection that is performing unwanted operations. The reset TCP connection action can be used in conjunction with deny packet and deny connection actions. Deny packet and deny flow actions do not automatically cause TCP reset actions to occur.
Blocking Future Activity
Most IPS devices have the capability to block future traffic by having the IPS device update the access control lists (ACLs) on one of the infrastructure devices. The ACL stops traffic from an attacking system without requiring the IPS to consume resources analyzing the traffic. After a configured period of time, the IPS device removes the ACL. Network IPS devices usually provide this blocking functionality along with other actions such as dropping unwanted packets. One advantage of the blocking action is that a single IPS device can stop traffic at multiple locations throughout the network, regardless of the location of the IPS device. For example, an IPS device located deep within the network can apply ACLs at the perimeter router or firewall.
Allowing the Activity
The final action is the Allow Signature action. It might seem a little confusing, because most IPS devices are designed to stop or prevent unwanted traffic on a network. The allow action is necessary so that an administrator can define exceptions to configured signatures. Configuring exceptions enables administrators to take a more restrictive approach to security because they can first deny everything and then allow only the activities that are needed.
For example, suppose that the IT department routinely scans its network using a common vulnerability scanner. This scanning causes the IPS to trigger various alerts. These are the same alerts that the IPS generates if an attacker scans the network. By allowing the alerts from the approved IT scanning host, an administrator can protect the network from intrusive scans while eliminating the false positives generated by the routine IT-approved scanning.
Some IPS devices provide the allow action indirectly through other mechanisms, such as signature filters. If an IPS does not provide the allow action directly through an action such as permit or allow, the administrator needs to search the product documentation to find the mechanism used to enable exceptions to signatures.
Monitoring the security-related events on a network is also a crucial aspect of protecting a network from attack. Although an IPS can prevent numerous attacks against a network, understanding which attacks are being launched against the network enables an administrator to assess how strong the current protections are and what enhancements may be required as the network grows. Only by monitoring the security events on a network can an administrator accurately identify the attacks and security policy violations that are occurring.
Management Method
IPS sensors can be managed individually or centrally. Configuring each IPS device individually is the easiest process if there are only a couple of sensors. For example, a network deploying Cisco IOS IPS on a few routers could be managed using SDM. Managing many IPS routers and IPS sensors individually becomes difficult and time-consuming.
In a larger network, a centralized management system that allows the administrator to configure and manage all IPS devices from a single central system should be deployed. Using a centralized management approach for large sensor deployments reduces time and staffing requirements and enables greater visibility to all events occurring on a network.
Event correlation
Event correlation refers to the process of correlating attacks and other events that are happening simultaneously at different points across a network. Using Network Time Protocol (NTP) and having the devices derive their time from an NTP server enables all alerts generated by the IPS to be accurately time-stamped. A correlation tool can then correlate the alerts based on their time-stamps. The administrator should enable NTP on all network devices to time-stamp events with a common system time. These time-stamps can then be used to accurately assess when specific network events happened in relation to other events, regardless of which device detected the event.
Another factor that facilitates event correlation is deploying a centralized monitoring facility on a network. By monitoring all IPS events at a single location, an administrator greatly improves the accuracy of event correlation.
Deploying a product that enables an administrator to correlate not only IPS events but also other events on the network, such as syslog messages and NetFlow input, is also recommended. The Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) product can provide this level of correlation.
Security Staff
IPS devices tend to generate numerous alerts and other events during network traffic processing. Large enterprises require the appropriate security staff to analyze this activity and determine how well the IPS is protecting the network. Examining these alerts also enables security operators to tune the IPS and optimize the IPS operation to the unique requirements of the network.
Incident Response Plan
If a system is compromised on a network, a response plan must be implemented. The compromised system should be restored to the state it was in before the attack. It must be determined if the compromised system led to a loss of intellectual property or the compromise of other systems on the network.
Although the CLI can be used to configure an IPS deployment, it is simpler to use a GUI-based device manager. Several Cisco device management software solutions are available to help administrators manage an IPS solution. Some provide locally managed IPS solutions while others provide more centrally managed solutions.
There are two locally managed IPS solutions:
There are three centrally managed IPS solutions:
IPS sensors and Cisco IOS IPS generate alarms when an enabled signature is triggered. These alarms are stored on the sensor and can be viewed locally, or a central management application such as MARS can pull the alarms from the sensors.
Upon detecting an attack signature, the Cisco IOS IPS feature can send a syslog message or an alarm in Secure Device Event Exchange (SDEE) format. This format was developed to improve communication of events generated by security devices. It primarily communicates IDS events but the protocol is intended to be extensible and allows additional event types to be included as they are defined.
Cisco SDM can monitor syslog and SDEE-generated events and keep track of alarms that are common in SDEE system messages, including IPS signature alarms.
An SDEE system alarm message has this type of format:
%IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 ->192.168.121.255:137]
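The alarm format shown above can be parsed into its fields (signature, subsignature, severity, name, source and destination address and port), and once every router stamps its messages with NTP-derived time, as recommended under Event correlation, alarms from different routers can be grouped by time-stamp to show the same activity seen at several points of the network. The following Python block is an added example written for this text, not code from the curriculum or from any Cisco product. The syslog line layout (month, day, time, host name, message), the router names, the correlation window, and the sample sweep of alarms (signature 2004 and its name are sample values) are constructed assumptions; only the %IPS-4-SIGNATURE message body follows the format shown above.

```python
"""Parses IOS IPS alarm lines as relayed by a central syslog server and
correlates them across devices by their (NTP-synchronised) time-stamps.

Added example, not code from the original text or from any Cisco product.
The syslog line layout (month day time host: message), the host names, the
sample events and the correlation window are constructed assumptions; only
the %IPS-4-SIGNATURE message body follows the format shown in the text."""
import re
from datetime import datetime

SAMPLE_YEAR = 2024   # syslog time-stamps carry no year; assumed for parsing

# Constructed sample: the text's RFC1918 alarm plus a made-up sweep of
# ICMP echo requests seen by two routers; sig 2004 and its name are sample
# values, not taken from the text.
SAMPLE_SYSLOG = """\
Mar  1 10:15:02 R1-EDGE: %IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [192.168.121.1:137 ->192.168.121.255:137]
Mar  1 10:15:02 R1-EDGE: %IPS-4-SIGNATURE:Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.9:0 ->10.1.1.1:0]
Mar  1 10:15:03 R2-DMZ: %IPS-4-SIGNATURE:Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.9:0 ->10.1.2.7:0]
Mar  1 10:15:40 R2-DMZ: %IPS-4-SIGNATURE:Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.9:0 ->10.1.2.8:0]
Mar  1 10:16:10 R1-EDGE: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

ALARM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+): "
    r"%IPS-4-SIGNATURE:Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) ->(?P<dst>[\d.]+):(?P<dport>\d+)\]$"
)


def parse_ips_alarms(text):
    """Return a list of alarm dicts; lines that are not IPS alarms are skipped."""
    events = []
    for line in text.splitlines():
        m = ALARM_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SAMPLE_YEAR)
        events.append({
            "time": ts, "host": m["host"],
            "sig": int(m["sig"]), "subsig": int(m["subsig"]), "sev": int(m["sev"]),
            "name": m["name"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return events


def correlate(events, window_seconds=60):
    """Group alarms with the same signature and source address whose
    time-stamps fall within window_seconds of the previous one, whichever
    device reported them. Returns the groups in order of first occurrence."""
    groups, open_groups = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["sig"], ev["src"])
        g = open_groups.get(key)
        if g is None or (ev["time"] - g["last"]).total_seconds() > window_seconds:
            g = {"sig": ev["sig"], "name": ev["name"], "src": ev["src"],
                 "first": ev["time"], "last": ev["time"], "count": 0,
                 "devices": set(), "targets": set()}
            groups.append(g)
            open_groups[key] = g
        g["last"] = ev["time"]
        g["count"] += 1
        g["devices"].add(ev["host"])
        g["targets"].add(ev["dst"])
    return groups


def multi_point(groups):
    """Groups reported by more than one device: the same activity seen at
    several points of the network, which a single sensor's log cannot show."""
    return [g for g in groups if len(g["devices"]) > 1]


if __name__ == "__main__":
    for g in correlate(parse_ips_alarms(SAMPLE_SYSLOG)):
        print(g["sig"], g["name"], g["src"], g["count"], sorted(g["devices"]))
```

The grouping only works because both routers stamp their messages from the same NTP-derived clock; with unsynchronized clocks the 38-second sweep in the sample could appear to span minutes or to run backwards, and the window test would split or misorder it.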
Managing signatures on many IPS devices can be difficult. To improve IPS efficiency in a network, consider using these recommended configuration best practices.
Cisco IOS IPS enables administrators to manage intrusion prevention on routers that use Cisco IOS Release 12.3(8)T4 or later. Cisco IOS IPS monitors and prevents intrusions by comparing traffic against signatures of known threats and blocking the traffic when a threat is detected.
Several steps are necessary to use the Cisco IOS CLI to work with IOS IPS 5.x format signatures. Cisco IOS version 12.4(10) or earlier used IPS 4.x format signatures and some IPS commands have changed.
To implement IOS IPS:
Step 1. Download the IOS IPS files.
Step 2. Create an IOS IPS configuration directory in flash.
Step 3. Configure an IOS IPS crypto key.
Step 4. Enable IOS IPS.
Step 5. Load the IOS IPS signature package to the router.
Prior to Cisco IOS release 12.4(11)T, Cisco IOS IPS provided built-in signatures in the Cisco IOS software image as well as support for imported signatures. In Cisco IOS software T-Train releases prior to 12.4(11)T, and in all Cisco IOS Software 12.4 Mainline releases, IPS signature selection involves loading an XML file onto the router. This file, called the signature definition file (SDF), contains a detailed description of each selected signature in Cisco IPS Sensor software 4.x signature format.
Starting with Cisco IOS release 12.4(11)T, there are no built-in (hard-coded) signatures within the Cisco IOS software. Instead all signatures are stored in a separate signature file and must be imported. IOS releases 12.4(11)T and later use the newer 5.x format signature files, which can be downloaded from Cisco.com (requires log in).
Step 1. Download the IOS IPS Files.
Prior to configuring IPS, it is necessary to download the IOS IPS signature package files and public crypto key from Cisco.com. The specific IPS files to download vary depending on the current release. Only registered customers can download the package files and key.
Step 2. Create an IOS IPS Configuration Directory in Flash.
The second step is to create a directory in flash to store the signature files and configurations. Use the mkdir directory-name privileged EXEC command to create the directory.
IOS IPS supports any Cisco IOS file system as the configuration location with proper write access. A Cisco USB flash drive connected to the USB port of the router can be used as an alternative location to store the signature files and configurations. The USB flash drive must remain connected to the USB port of the router if it is used as the IOS IPS configuration directory location.
Other commands that are useful include rename current-name new-name. This allows the administrator to change the name of the directory.
To verify the contents of flash, enter the dir flash: privileged EXEC command.
Step 3. Configure an IOS IPS Crypto Key.
Next, configure the crypto key used by IOS IPS. This key is located in the realm-cisco.pub.key.txt file that was downloaded in Step 1.
The crypto key verifies the digital signature for the master signature file (sigdef-default.xml). The content of the file is signed by a Cisco private key to guarantee its authenticity and integrity.
To configure the IOS IPS crypto key, open the text file, copy its contents, and paste them at the global configuration prompt. The text file contains the commands that configure the RSA public key on the router.
At the time of signature compilation, an error message is generated if the public crypto key is invalid. This is an example of an error message:
%IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)
If the key is configured incorrectly, it must be removed and then reconfigured. Use the no crypto key pubkey-chain rsa and no named-key realm-cisco.pub signature commands to remove the key before reconfiguring it.
Enter the show run command at the router prompt to confirm that the crypto key is configured.
Step 4. Enable IOS IPS.
The fourth step is to configure IOS IPS, which is a process that consists of several substeps.
1) Identify the IPS rule name and specify the location.
Use the ip ips name [rule name] [optional ACL] command to create a rule name. An optional extended or standard access control list (ACL) can be configured to filter the scanned traffic. All traffic that is permitted by the ACL is subject to inspection by the IPS. Traffic that is denied by the ACL is not inspected by the IPS.
Use the ip ips config location flash:directory-name command to configure the IPS signature storage location. Prior to IOS 12.4(11)T, the ip ips sdf location command was used.
2) Enable SDEE and logging event notification.
To use SDEE, the HTTP server must first be enabled with the ip http server command. If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot see the requests. SDEE notification is disabled by default and must be explicitly enabled. Use the ip ips notify sdee command to enable IPS SDEE event notification. IOS IPS also supports logging to send event notification. SDEE and logging can be used independently or enabled at the same time. Logging notification is enabled by default. If the logging console is enabled, IPS log messages are displayed on the console. Use the ip ips notify log command to enable logging.
3) Configure the signature category.
All signatures are grouped into categories, and the categories are hierarchical. This helps classify signatures for easy grouping and tuning. The three most common categories are all, basic, and advanced.
The signatures that IOS IPS uses to scan traffic can be retired or unretired. Retiring a signature means that IOS IPS does not compile that signature into memory for scanning. Unretiring a signature instructs IOS IPS to compile the signature into memory and use it to scan traffic. When IOS IPS is first configured, all signatures in the all category should be retired, and then selected signatures should be unretired in a less memory-intensive category. To retire and unretire signatures, first enter IPS category mode using the ip ips signature-category command. Next use the category category-name command to change a category. For example, use the category all command to enter IPS category all action mode. To retire a category, use the retired true command. To unretire a category, use the retired false command.
Caution: Do not unretire the all category. The all signature category contains all signatures in a signature release. The IOS IPS cannot compile and use all the signatures at one time, because it will run out of memory.
The order in which the signature categories are configured on the router is also important. IOS IPS processes the category commands in the order listed in the configuration. Some signatures belong to multiple categories. If multiple categories are configured and a signature belongs to more than one of them, IOS IPS uses the signature's properties in the last configured category, for example, retired, unretired, or actions.
4) Apply the IPS rule to a desired interface, and specify the direction.
Use the ip ips rule-name [in | out] interface configuration command to apply the IPS rule. The in argument means that only traffic going into the interface is inspected by IPS. The out argument specifies that only traffic going out of the interface is inspected.
Step 5. Load the IOS IPS Signature Package to the Router.
The last step is for the administrator to upload the signature package to the router. The most common method used is either FTP or TFTP. To copy the downloaded signature package from the FTP server to the router, make sure to use the idconf parameter at the end of the command.
copy ftp://ftp_user:password@Server_IP_address/signature_package idconf
To verify that the signature package is properly compiled, the administrator uses the show ip ips signature count command.
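Steps 2 through 5 above produce a small set of configuration lines whose order matters: the HTTP server must precede SDEE notification, the all category must be retired before a smaller category is unretired, and when a signature belongs to several configured categories the last category listed wins. The following Python block is an added example written for this text, not code from the curriculum or from any Cisco tool. It emits the configuration in the required order, refuses to unretire the all category, and resolves the effective retired state and actions for signatures that belong to more than one category. The function names, the rule, ACL, directory and interface names, and the sample signature-to-category table are assumptions; the ios_ips basic and ios_ips advanced keyword paths and the list keyword of ip ips name are taken from the IOS command syntax rather than from the text.

```python
"""Generates the Cisco IOS IPS configuration described in Steps 2-5 in the
order the router needs it, and resolves the "last configured category wins"
rule for signatures that belong to several categories.

Added example, not part of the original text or of any Cisco tool; the
function names, the sample signature membership table and the rule, ACL,
directory and interface names are assumptions."""

# The text names the categories "all", "basic" and "advanced"; the keyword
# path under "ip ips signature-category" is assumed here to be
# "ios_ips basic" and "ios_ips advanced".
CATEGORY_KEYWORD = {"all": "all", "basic": "ios_ips basic", "advanced": "ios_ips advanced"}

# Constructed sample membership: signature id -> categories it belongs to
# (1107 is the text's RFC1918 signature; 2004 and 5000 are sample ids).
SAMPLE_MEMBERSHIP = {
    1107: {"all", "basic"},
    2004: {"all", "basic", "advanced"},
    5000: {"all", "advanced"},
}


def resolve_signature_state(membership, category_config):
    """Return the effective settings per signature.

    category_config is an ordered list of (category, settings) in the order
    the categories appear in the running configuration. When a signature is
    in more than one configured category, the last one listed wins. A
    signature in no configured category keeps its package default (None)."""
    state = {}
    for sig, cats in membership.items():
        state[sig] = None
        for cat, settings in category_config:   # later entries override earlier ones
            if cat in cats:
                state[sig] = dict(settings)
    return state


def build_ips_config(rule_name, config_dir, category_config, interface, direction, acl=None):
    """Emit the global-configuration lines for Step 4 in the curriculum's order:
    rule name, config location, SDEE and log notification, signature
    categories, then the interface binding."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    for cat, settings in category_config:
        if cat == "all" and not settings.get("retired", True):
            raise ValueError("never unretire the 'all' category: the router cannot "
                             "compile every signature at once")
    lines = [
        f"ip ips name {rule_name}" + (f" list {acl}" if acl else ""),
        f"ip ips config location flash:{config_dir}",
        "ip http server",              # SDEE clients are served over HTTP
        "ip ips notify sdee",
        "ip ips notify log",
        "ip ips signature-category",
    ]
    for cat, settings in category_config:
        lines.append(f" category {CATEGORY_KEYWORD[cat]}")
        lines.append(f"  retired {'true' if settings.get('retired', True) else 'false'}")
        if settings.get("actions"):
            lines.append("  event-action " + " ".join(settings["actions"]))
    lines += [f"interface {interface}", f" ip ips {rule_name} {direction}"]
    return lines


def exec_steps(config_dir, package_url):
    """Privileged EXEC commands that surround Step 4: create the directory
    (Step 2), load the package with idconf (Step 5) and verify the compile."""
    return [f"mkdir flash:{config_dir}",
            f"copy {package_url} idconf",
            "show ip ips signature count"]


if __name__ == "__main__":
    cats = [("all", {"retired": True}),
            ("basic", {"retired": False, "actions": ["produce-alert", "deny-packet-inline"]})]
    print("\n".join(build_ips_config("IOSIPS", "ipsdir", cats, "GigabitEthernet0/0", "in", acl="101")))
    print(resolve_signature_state(SAMPLE_MEMBERSHIP, cats))
```

Reversing the category order in the sample (basic first, then all) retires every signature, including the ones that basic had just unretired, which is exactly the ordering pitfall the text warns about.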
Cisco SDM provides controls for applying Cisco IOS IPS on interfaces, importing and editing signature files from Cisco.com, and configuring the action that Cisco IOS IPS takes if a threat is detected. The tasks for managing routers and security devices are displayed in a task pane on the left side of the Cisco SDM home page. Choose Configure > Intrusion Prevention to display the intrusion prevention options in Cisco SDM.
For the SDM host computer, a minimum Java memory heap size of 256MB is required to configure IOS IPS using SDM. If an error is generated when the Launch IPS Rule Wizard button is selected, the Java memory heap size must be changed on the host computer. To do so, exit Cisco SDM and open the Windows Control Panel. Click on the Java option which opens the Java Control Panel. Select the Java tab and click on the View button under the Java Applet Runtime Settings. In the Java Runtime Parameter field enter exactly -Xmx256m and click OK.
With the Java memory heap size correctly configured, SDM displays four tabs in the Intrusion Prevention Systems (IPS) window. Use the tabs at the top of the IPS window to configure or monitor IPS.
The first three tabs are useful when creating and tuning IPS. The IPS Migration tab is available when the router runs Cisco IOS 12.4(11)T and later. It should be used to convert custom or tuned version 4.x signature files to version 5.x before IPS is implemented.
The administrator can use SDM to create a new rule on a Cisco router either manually through the Edit IPS tab, or automatically using the IPS Rule wizard.
The Cisco IOS IPS Deployment Guide recommends using the IPS Rule wizard. The wizard does more than just configure a rule. It performs all the Cisco IOS IPS configuration steps.
Configuring Cisco IOS IPS on a router or security device using Cisco SDM involves several steps.
Step 1. Choose Configure > Intrusion Prevention > Create IPS.
Step 2. Click the Launch IPS Rule Wizard button.
Step 3. Read the Welcome to the IPS Policies Wizard screen and click Next.
Identify the interfaces on which to apply the Cisco IOS IPS. Decide whether to apply the rule to inbound traffic or outbound traffic. Checking the inbound and the outbound boxes applies the rule to traffic flowing in both directions.
Step 4. In the Select Interfaces window, choose the interfaces to which to apply the IPS rule and the direction of traffic by checking one or both of the boxes.
Step 5. Click Next.
Cisco IOS IPS compares traffic against signatures contained in the signature file. The signature file can be located in router flash memory or on a remote system that the router can reach. Multiple signature file locations can be specified so that if the router is unable to contact the first location, it can attempt to contact other locations until it obtains a signature file.
Step 6. In the Signature File pane in the Signature File and Public Key window, select either the Specify the signature file you want to use with the IOS IPS or Get the latest signature file from Cisco.com and save to PC option and fill in the appropriate text box. The signature file is an IOS IPS update package with the naming convention of IOS-Snnn-CLI.pkg, where nnn is the number of the signature set.
Step 7. To download the latest signature file from Cisco.com, click Download.
The Cisco IOS IPS signature file contains default signature information. Any changes made to this configuration are not saved to the signature file but rather in a special file called the delta file. The delta file is saved to router flash memory. For security, the delta file must be digitally signed by a key which is also obtained from Cisco.com.
Place the public-key information in the Name and Key fields.
Step 8. Obtain the public key at http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup.
Step 9. Download the key to a PC.
Step 10. Open the key file in a text editor and copy the text after the phrase "named-key" into the Name field. For example, if the line of text is "named-key realm-cisco.pub signature" copy "realm-cisco.pub signature" to the Name field.
Step 11. Copy the text between the phrase "key-string" and the word "quit" into the Key field. The text might look as follows:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 F3020301 0001
Step 12. Click Next.
In Cisco IOS Release 12.4(11) or later, the location for storing signature information and the type of signature category can be specified.
Step 13. In the Config Location and Category window, in the Config Location section, click the ellipsis (...) button next to the Config Location field to specify where to store the XML signature files, including the delta file that is created when changes are made to the signature file.
Step 14. Because router memory and resource constraints can limit using all the available signatures, choose a category in the Choose Category field that allows the Cisco IOS IPS to function efficiently on the router. The basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
Step 15. Click Finish. The IPS Policies Wizard confirms the configured information in a summary screen.
Use the show running-config command to verify the IPS configuration generated by the SDM IPS Wizard.
Virtual Fragment Reassembly (VFR) enables the Cisco IOS Firewall to create the appropriate dynamic ACLs, thereby protecting the network from various fragmentation attacks. To enable VFR on an interface, use the ip virtual-reassembly command in interface configuration mode.
The Cisco IOS CLI can be used to retire or unretire individual signatures or a group of signatures that belong to a signature category. When a group of signatures are retired or unretired, all signatures in that category are retired or unretired.
Some unretired signatures (either unretired as an individual signature or within an unretired category) might not compile because of insufficient memory, invalid parameters, or if the signature is obsolete.
The IOS CLI can also be used to change signature actions for one signature or a group of signatures based on signature categories. To change an action, the event-action command must be used in IPS Category Action mode or Signature Definition Engine mode.
The event-action command has several parameters, including produce-alert, deny-packet-inline, and reset-tcp-connection.
IPS signatures are loaded as part of the procedure to create a Cisco IOS IPS rule using the IPS rule wizard. To view the configured signatures on the router, choose Configure > Intrusion Prevention > Edit IPS > Signatures > All Categories. Because signatures optimize a configuration, confirm that all the correct signatures are loaded on the router or security device. From this window, administrators can add customized signatures or import signatures that are downloaded from Cisco.com. They can also edit, delete, enable, and disable signatures.
The signature tree enables an administrator to filter the signature list according to the type of signature that they want to view. To modify a signature, right-click on the signature and choose an option from the context menu. To change the severity of the signature, choose Set Severity To.
Cisco SDM can be used to tune a signature configuration. To tune a signature, choose Configure > Intrusion Prevention > Edit IPS > Signatures > All Categories. A list of available signatures appears.
To modify a signature action, right-click on the signature and choose Actions from the context menu. The Assign Actions window appears. The available actions depend on the signature, but the following are the most common actions:
To access and configure signature parameters, choose the signature and then click the Edit button in the Intrusion Prevention System (IPS) window.
Signatures have different parameters:
After IPS is implemented, it is necessary to verify the configuration to ensure correct operation. There are several show commands which can be used to verify the IOS IPS configuration.
The show ip ips privileged EXEC command can be used with other parameters to provide specific IPS information.
Use the clear ip ips configuration command to disable IPS, remove all IPS configuration entries, and release dynamic resources. The clear ip ips statistics command resets statistics on packets analyzed and alarms sent.
To verify the IPS configuration on the router using SDM, choose Configure > Intrusion Prevention > Edit IPS. The Edit IPS tab shows all the interfaces on the router and whether they are configured for Cisco IOS IPS. If "Enabled" appears in either the Inbound or Outbound column, Cisco IOS IPS is enabled for that direction of traffic on that interface. If "Disabled" appears in either column, Cisco IOS IPS is disabled for that direction on the interface.
The Virtual Fragment Reassembly (VFR) Status field shows the status of VFR on an interface. If VFR is enabled on the interface, the column displays "On." If VFR is disabled, the column displays "Off."
The Edit IPS tab also contains buttons that allow the administrator to configure and manage Cisco IOS IPS policies, security messages, and signatures.
As of Cisco IOS Release 12.3(11)T, Cisco IOS IPS provides two methods to report IPS intrusion alerts:
To specify the method of event notification, use the ip ips notify [log | sdee] global configuration command.
SDEE is the preferred method of reporting IPS activity. SDEE uses HTTP and XML to provide a standardized interface. It can be enabled on an IOS IPS router using the ip ips notify sdee command. The Cisco IOS IPS router can still send IPS alerts via syslog.
Administrators must also enable HTTP or HTTPS on the router when enabling SDEE. The use of HTTPS ensures that data is secured as it traverses the network.
When Cisco SDEE notification is disabled, all stored events are lost. A new buffer is allocated when the notifications are re-enabled. SDEE uses a pull mechanism: requests come from the network management application, and the IDS or IPS router responds. SDEE is becoming the standard format for all vendors to communicate events to a network management application.
The buffer stores up to 200 events by default, and the maximum is 1,000 events. The default buffer size can be altered with the ip sdee events command, followed by the desired number of events. If a smaller buffer is requested, all stored events are lost. If a larger buffer is requested, all stored events are saved. The clear ip ips sdee {events | subscription} command clears SDEE events or subscriptions.
The ip ips notify command replaces the older ip audit notify command. If the ip audit notify command is part of an existing configuration, the IPS interprets it as the ip ips notify command.
A management appliance such as MARS, or management software such as IEV, CSM, or SDM, must be used to view SDEE messages. For example, to view SDEE alarm messages in Cisco SDM, choose Monitor > Logging > SDEE Message Log.
Syslog messages can also be viewed in SDM by choosing Monitor > Logging > Syslog.
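The notification, buffer-sizing and verification commands covered above, brought together as an added configuration example that is not part of the original chapter. The IPS rule name IOSIPS, the interface GigabitEthernet0/0, the syslog server address and the buffer size of 500 are assumed values.

```cisco
! Assumed values: IPS rule IOSIPS, interface GigabitEthernet0/0,
! syslog host 192.168.10.50 (constructed), SDEE buffer of 500 events.
!
! --- Weak form: alerts go only to syslog, and a management application
! --- would have to pull the SDEE feed over unencrypted HTTP.
ip ips notify log
ip http server
!
! --- Preferred form: SDEE over HTTPS, with syslog kept as a second copy.
no ip http server
ip http secure-server
ip ips notify sdee
ip ips notify log
logging host 192.168.10.50
!
! Size the SDEE buffer before events accumulate: shrinking it later
! discards everything stored (default 200 events, maximum 1,000).
ip sdee events 500
!
! Apply the IPS rule to inbound traffic on the untrusted-facing interface.
interface GigabitEthernet0/0
 ip ips IOSIPS in
!
! Verification from privileged EXEC:
!   show ip ips configuration    rule names, interfaces, notification method
!   show ip ips interfaces       inspection direction per interface
!   show ip ips signatures count loaded and retired signature counts
!   show ip ips statistics       packets analyzed and alarms sent
!   show ip sdee events          events currently held in the SDEE buffer
!   clear ip ips statistics      reset the counters after a test run
```

In SDM the same state is visible under Configure > Intrusion Prevention > Edit IPS (interface status) and Monitor > Logging > SDEE Message Log (alerts).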