How is IPS Indore for architecture


The CiscoWorks Management Center for IPS Sensors (IPS MC) is the management console for Cisco IPS devices. IPS MC Version 2.2 supports the provision of the IPS function (Intrusion Prevention System) on Cisco IOS® Software routers. This document describes how to use IPS MC 2.2 to configure Cisco IOS IPS.

For more information on using IPS MC, including configuring non-Cisco IOS software based devices, see the CiscoWorks Management Center for IPS Sensors documentation at the URL:



There are no special requirements for this document.

Components used

The information in this document is based on CiscoWorks Management Center for IPS Sensors (IPS MC) Release 2.2.

The information in this document was produced by the devices in a specific laboratory environment. All devices used in this document started with an empty (standard) configuration. With your network up and running, make sure you understand the potential implications of a command.


For more information about document conventions, see the Cisco Technical Tips Conventions.


Basic understanding of configuration tasks

IPS MC is used to manage the configuration of a group of Cisco IOS IPS routers. Note that IPS MC does not manage the alerts from routers running IPS. Cisco recommends the Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) for IPS monitoring. Configuration management consists of a number of tasks that are described in this document. These tasks can be broken down into three phases: importing, configuring and deploying as shown in this picture.

Each phase has its own responsibilities and tasks:

  • import - Import a router into IPS MC. You need to import a router into IPS MC before you can configure it with IPS MC. A router can only be imported if there is an initial IPS configuration on the router (details on this can be found later in this document).

  • configuration - Configure the device. For example, you can configure a Cisco IOS IPS router to use one of the predefined signature files recommended by Cisco. Configuration changes are saved in the IPS MC, but are not sent to the router in this phase.

  • Provision - Configuration changes are made on the device. In this phase you undertake to transfer the changes made during configuration tasks to the routers.

  • Additional tasks - IPS MC provides a feature to automatically download signature updates from

You need to understand this step-by-step approach in order to use IPS MC effectively. It differs from device-based management GUIs, such as: B. Cisco Router and Security Device Manager (SDM). Device-based GUIs operate directly on a single router, while IPS MC is designed for network-wide use of router groups (and other IPS devices such as Cisco IPS 4200 series sensors).

This document provides information about each of the tasks in the diagram to help you manage Cisco IOS IPS routers using IPS MC.

Initial configuration of Cisco IOS IPS routers

In order to successfully import or add a Cisco IOS IPS router to the IPS MC, you must complete certain initial configuration steps on the Cisco IOS IPS routers. This section describes these steps.

You must enable Secure Shell (SSH) Protocol on a Cisco IOS IPS router for configuration, import, and deployment through Cisco IPS MC. In addition, the Security Device Event Exchange (SDEE) protocol must be enabled for event reporting (although these alerts are not sent to IPS MC as IPS MC is only used for provisioning, not reporting). Finally, you need to make sure that the clock setting on the IPS router is synchronized with the IPS MC.

Proceed as follows to configure your IOS IPS router:

  1. Create a local username and password for the router.

    Router #config terminal Router (config) #username password
  2. Enable local login on the VTY line interface.

    Router #config terminal Router (config) #line vty 0 15 Router (config-line) #login local Router (config-line) #exit

    If the CLI (Transport Input / Transport Output Command Line Interface) is configured under the VTY line configuration, make sure that SSH is enabled. Example:

    Router #conf terminal Router (config) #line vty 0 15 Router (config-line) #transport input ssh telnet Router (config-line) #exit
  3. Generate a 1024-bit RSA key (if one does not already exist).

    SSH is activated automatically after generating encryption keys.

    Router #conf terminal Enter configuration commands, one per line. End with CNTL / Z. Router (config) #crypto key generate rsa The name for the keys will be: Choose the size of the key modulus in the range of 360 to 2048 for your general purpose keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024% Generating 1024 bit RSA keys, keys will be non-exportable ... [OK] Router (config) # * Jan 23 00: 44: 40.952:% SSH-5-ENABLED : SSH 1.99 has been enabled Router config) #
  4. Enable SDEE on the router.

    Router (config) #ip ips notify sdee
  5. Enable HTTPS.

    HTTP or HTTPS is required for IPS MC to communicate with the router using SDEE to collect event information.

    Router (config) #ip http authentication local Router (config) #ip http secure server
  6. Use the external Network Time Protocol (NTP) server or the clock command to configure the clock setting on the IPS router.

    Router (config) #clock set hh: mm: ss day month year

The Cisco IOS IPS router is now ready and can be imported into the IPS-MC for further configuration and administration purposes.

Importing a Cisco IOS IPS Router into an IPS MC

When you have completed the initial configuration of the router, you can add (or import) this to the IPS MC.

  1. Start the web browser and point to the CiscoWorks server.

    The CiscoWorks Login Manager is displayed.

    Note: The default web server port number is 1741. Therefore, you should use a URL similar to http: // <Server IP address>: 1741 / is.

  2. Enter your username and password to log in.

    The CiscoWorks main page appears.

  3. In the left navigation pane, select the option VPN / Security Management Solution Select (VPN / Security Management Solution), and then select Management Center out.

    The Management Center for IPS Sensors page is displayed.

    The following five tabs are displayed on this page:

    • equipment: On the Devices tab, you can perform the initial setup and management of all devices in the system.

    • configuration - You can perform deployment functions on the "Configuration" tab. You can configure devices on an individual device level or on a group level. A device group can contain several devices. All changes made through configuration tasks must be saved. The configuration function does not immediately make changes to the devices. You will need to use the deployment feature to deploy the changes.

    • Provision: Use the Deployment tab to deploy configuration changes to devices. The "Schedule" feature provides flexible control over when the configuration changes should take effect.

    • Reports: The Reports tab allows you to generate various reports on system operation.

    • Admin: The Admin tab allows you to perform system administration tasks such as database administration, system configuration, and license management.

  4. Click the tab equipmentto add a new device.

    The "Sensor" page is displayed.

  5. click on Add.

    The Select Type page appears.

    You must inform IPS MC which function you want to perform. This list describes the individual options:

    • Import configuration from device - Use this option to add IPS MC devices currently running on the network.

    • Create standard configuration - Use this option to add devices that are not already running on the network.

    • Add multiple devices - Use this option to add multiple devices. You can create a CSV or XML file that contains all the device information and then import it into IPS MC to add the devices at the same time.

      Tip: The sample files in CSV format and XML format are located in: InstallDirectory \ MDC \ etc \ ids \ and are named MultipleAddDevices-format.csv or MultipleAddDevices-format.xml.

  6. Select the appropriate Add type option and click Next.

  7. Select the group that you want to add the Cisco IOS IPS Router to, or use the default global group, then click Further.

    The Sensor Information page is displayed.

  8. On the Identification page, enter the identification information for the device.

    Note: If the user does not have permission level 15, you must provide the enable password. On the last line of the identification page, select the check box Use SSH credentials.

  9. click on Further.

    The Add Sensor Summary is displayed.

  10. click on Complete.

    The device has been successfully added to the IPS MC.

    Note: If errors occur during the import process, enable the following options:

    • Required configuration - These configurations are required for communication between the IPS MC and Cisco IOS IPS routers.

    • Connectivity - Make sure the IPS MC can reach the Cisco IOS IPS routers.

    • Clock: Check the times on the IPS MC and Cisco IOS IPS router. The time of day is a critical component of the HTTPS certificate that is used for authentication. The times must be within 12 hours of each other. (Best practice is a few hours at most.)

    • Cisco IOS IPS Certificate - Sometimes the saved Cisco IOS IPS certificate is wrong. To delete a certificate from Cisco IOS IPS, you have to remove the trust point from the Cisco IOS IPS router.

    • Additional configuration: If the ip http timeout policy configured with a small number of maximum requirements, such as ip http timeout-policy idle 600 life 86400 requirements 1, you have to increase the maximum request number. Example: ip http timeout-policy idle 600 life 86400 requests 8400

Configure the Cisco IOS IPS router to use pre-configured signature files

After importing the router into the IPS MC, you need to select the Signature Definition File (SDF) (a text-based file that contains the threat signatures used by the IPS router) and the action to be taken when each signature is triggered (ex E.g. drop, TCP reset, alarm).

Cisco Systems® recommends using predefined Cisco SDF files. There are currently three such files: attack-drop.sdf, 128 MB.sdf, and 256 MB.sdf. IPS MC can automatically download these files from For more information, see Download automatic signature updates.

This procedure uses a single device as an example and starts a router with no IPS configuration. You can also use this procedure for multiple devices at the group level.

  1. Click the tab configuration.

    The "Configuration" page is displayed.

  2. In the object picker on the left side of the page, select the Cisco IOS IPS router that you want to configure.

    Note: Most of the configuration settings in IPS MC 2.2 can be configured at both group and device level. For example, the global, iosips, and sdmlab groups are all configurable collections. This example uses a single device (cisco) from the sdmlab group.

    Once you have selected the router to be configured, the path bar at the top of the configuration page shows the current configuration area. For example, the range for this example is Global> sdmlab> cisco. cisco is the current configuration object (i.e. the router selected from the object selection window.

  3. In the Configuration menu bar click on Settings.

    The Settings page is displayed.

    Use the Settings page to change the configuration settings for the selected object. The configuration settings specific to Cisco IOS IPS routers can be found in the "Terms of Use" section on the left. The following tasks are available in the TOC section:

    • ID - Basic information about the Cisco IOS IPS router Here you can specify a predefined SDF file.

    • signature - Cisco IOS IPS router signatures

    • Signature assistant - Signature wizard for adding custom signatures

    • Cisco IOS IPS rules - To configure Cisco IOS IPS rules used for interfaces

    • Cisco IOS IPS filters - Cisco IOS IPS filters

    • Cisco IOS IPS reassembly - Configuration of the virtual IP reassembly of the interface

    • Cisco IOS IPS SDEE Properties - To configure the SDEE settings

    • General characteristics of Cisco IOS IPS - additional configurations related to Cisco IOS IPS

  4. Choose Identificationto configure predefined SDF files.

    The identification page is displayed.

  5. From the SDF Type drop-down list, select the appropriate predefined SDF, then click Applyto apply the changes.

    The Cisco IOS IPS supports more than 1,600 signatures, which is beyond the memory capacity of the router. The SDFs were designed as a convenient way to select and load the most important signatures. There are currently three SDFs to choose from. They vary in size so you can choose an SDF file based on the DRAM capacity of your routers. The options available are described here:

    • UNSET - The SDF type is not set.

    • ATTACK-DROP: This SDF is suitable for routers with 64 MB DRAM.

    • 256 MB - This SDF is suitable for routers with 256 MB DRAM.

    • 128 MB - This SDF is suitable for routers with 128 MB DRAM.

    Note: The 128 and 256 MB SDFs require a minimum of 2.001 Engine. You can find this information in the field Settings> Identification UI> Version.

    Warning: IPS MC does not include storage management functionality for Cisco IOS IPS routers. Use caution when choosing SDF files for your Cisco IOS IPS router. Make sure that the Cisco IOS IPS router has enough space to run the selected SDF file.

    Note: If you change the SDF type, you may get the following message: If you change the SDF type, you can choose to keep or discard signature optimization information on the device. Click OK to discard. Click Cancel to continue.

  6. click on Abortto keep your signature tuning information.

    Now that you have successfully selected a predefined SDF for the router Cisco, you can carry out further signature adjustments such as adding or editing or even create your own signatures. You can skip the signature tuning tasks and go straight to Create a Rule to Apply to the Interface (s).

  7. In the "Configuration" menu bar, click Pending.

    The Pending page appears.

    At this point the configuration task is complete. However, you must complete the deployment task in order to deploy the changes to the target device.

Change of predefined SDF signatures

After you have selected a predefined SDF file for a router, you can perform additional signature customization tasks. You can add, edit, delete, and change signatures as you wish, or create your own if necessary. In this example, IPS MC is used to add additional signatures and change the actions.This picture shows the signature configuration interface.

You can use the signature configuration to enable or disable signature actions, select or disable them, add a signature, delete a signature, change signature actions, and edit signature parameters. Create custom signatures using the signature wizard on the left.

In the signature configuration UI, some information is displayed by default. Selected indicates whether the signature will be included in the SDF file that is sent to the router. If no signature is selected, it will not be added. Enabled is only applied when a signature is selected. When a signature is disabled, the IPS engines will not send events for that specific signature. If a signature is disabled, it is also automatically disabled.

The last two columns (Prop Src and Param Src) indicate where the signature or its parameters come from. The signature could come from pre-configured SDF files or from the factory defaults found in the IOS file updates (shown as IOS IPS Defaults). These values ​​also apply to the parameter column.

Storage considerations are important when adding signatures to Cisco IOS IPS routers. If you add more signatures than the Cisco IOS IPS router can handle, the IPS MC will not be able to deploy the configuration changes to the devices.

To add the 5489 / x signatures to the Cisco IOS IPS router, do the following:

  1. Choose Configuration, and then use the Object Selector tool to select the Cisco IOS IPS router for which you want to configure IPS signatures.

  2. Choose Configuration> Settings> Signatures> IOS IPS off.

    The signature (s) on the Group page is (are) displayed.

  3. In the resulting signature list, select Filter by ID and enter the signature ID 5489.

  4. click on Filterto search for signatures.

    The search results are displayed.

    Note: IPS MC does not support new categorization in Cisco SDM.

  5. Check the box next to Unselected Signatures and click on the bottom toolbar Choose.

  6. click on To editto change signature actions.

    The Edit Signature (s) page is displayed.

  7. Activate that Checkbox Selected, and choose alarm, Drop and Reset from the action list.

  8. Check the box Overwrite, and then click OK.

    All signatures are changed with the desired actions.

  9. Go to the Pending task and save any changes. The configuration task is now complete.

    Tip: Pay close attention to the Prop Src column. After the change, the source was named on the device cisco changed, d. that is, all tuning information is saved separately from the preset SDF files. This mechanism enables the IPS MC to retain custom signature changes.

In the previous section where you changed the SDF file types, the IPS MC asked you if you wanted to keep the signature tuning information. This is the signature tuning information that is referenced.

Select custom signatures

If you do not want to use the default SDF files that are preset, you can use the steps in the Changing Preconfigured SDF Signatures section to select the tuning signatures for your devices. On the identification page, you need to make sure the SDF type is UNSET. For more information, see Step 3 in Configuring the Cisco IOS IPS Router to Use Preconfigured Signature Files.

Create a rule for the interface (s)

After setting the signature, you need to enable IPS on the Cisco IOS routers. To enable IPS on the router, you need to create an IPS rule and apply it to at least one interface.

  1. Choose Configuration, and then use the Object Selector window to select the Cisco IOS IPS router that you want to configure. In the path bar, check that your scope is at the device level and not the group level.

  2. Choose Configuration> Settings> IOS IPS Rules, and then click Add.

    The Enter IPS Rules Details page is displayed.

  3. Enter information for the rule name and interface to which you want to apply the rule and direction.

  4. click on OK.

    The IOS IPS Rules page is displayed.

    You can also create rules for both directions for an interface.

  5. You must save the configuration changes and go through the provisioning process to commit changes to the affected device or group of devices.

    You can perform other IPS-related configurations, but all other tasks are optional and not required. You can find all of the options to the left of the configuration user interface. The optional configuration options are not covered in this document.

Provision of the configuration

After you have made any configuration changes, you must use the deployment task to push the changes to the devices. All configurations made so far are saved locally on the IPS MC server.

To deploy configuration changes, go to the deployment page and do the following:

  1. Click the tab Provision, and choose Generate to generate configuration changes.

    The Generate page is displayed.

  2. Select the Cisco Device you just configured and click to generate.

  3. click on OKto accept the generated configuration, and then click OK.

    A status page is displayed.

  4. click on To updateuntil the Generation task is completed successfully.

  5. In the menu bar click "Deployment" and in the group "SDMLAB" click Authorizeto view a list of configurations that require approval.

    The Approve page is displayed.

  6. Select the task (s) and click Authorize.

    On the Deployment menu bar, click Provide, and then click Send.

    The Submit page is displayed.

  7. Select the devices that you want to submit the deployment task for.

  8. Select the Cisco Device and click Provide.

    The Select Configurations page is displayed.

  9. Select the configuration you are currently using on the Cisco Device and click Further.

    The Enter Job Properties page appears.

  10. You can either deploy the changes immediately or schedule a task at a later time. In this example, select the option Right away and then click Further.

    A brief overview of tasks is displayed and can be provided.

  11. click on Complete.

    At the end of the deployment, the status of the deployment process is displayed in a dialog box.

    You have successfully deployed Cisco IOS IPS configurations on the device. If you are configuring multiple devices, you can make configuration changes at the group level and then apply the changes to all Cisco IOS IPS routers belonging to the same group.

    Tip: This process is lengthy, but a quick deployment feature is available. If you use this feature, you don't have to complete the process Generate> Approve> Deploy (Generate> Approve> Deploy) run through. To use the feature, do the following:

    1. There are a number of small icons at the top of the user interface. Hover over the first icon and see the tooltip shown in this image:

    2. To enable the Build and Deploy task, go to Admin> System Configuration> Configuration File Managementand clear the check box Activate manual configuration file change.

    3. Hovering the mouse pointer over the first icon indicates that the task is activated.

    4. Click on this icon.

      IPS MC automatically generates configuration changes and makes them available on the devices.

Download signature updates automatically

IPS MC supports updates to the automatic download signature. Signature updates can be downloaded for sensor platforms as well as for Cisco IOS IPS platforms. To configure this feature, go to Admin> System Configuration> Auto Download IPS Updates.

The Auto Download IPS Update page appears.

You must have a valid account to download this signature update. To check the automatically downloaded files, go to the root directory of the IPS MC installation. By default, this is the files \ CSCOpx \ MDC \ etc \ ids \ updates program.

This picture shows an image of the downloaded files in this directory.

You will see the sensor update files. The Cisco IOS software update file and the preconfigured SDF files will be downloaded.

Update the Cisco IOS IPS router with new SDF files

For Cisco IOS IPS routers that are provided with predefined SDF files, the Cisco IPS MC detects the new version as soon as a new version of the SDF files is available via automatic download or copying to the update directory. After the user interface has been updated, the device icons for the corresponding devices turn yellow.

  1. click on Provision, and step through the Generate, Approve, and Deploy process.

  2. If the deployment is successful, the Cisco IOS IPS router will use a new version of SDF files.

Related information