It’s simple, right? Intrusion Detection Systems (IDSs) monitor for signs of intrusion but do not take action, but Intrusion Prevention Systems (IPSs) monitor for signs of intrusion and take action, right? Actually . . . not! Some vendors make this distinction, but Cisco does not. The following is a high-level description of Cisco’s definition of what constitutes an IDS or IPS:

    IDS. According to Cisco, an IDS works offline to the data stream going through the network, analyzing copies of the traffic instead of forcing the data to flow through it. Specifically:

    Monitors copies of the data flow.

    Does not impede network traffic.

    Allows some traffic deemed malicious to enter or leave the network.

    IPS. An IPS places itself in the data stream, thus seeing all the traffic that goes through that part of the network. Specifically:

    Monitors traffic and content from layers 2 through 7 in real-time.

    Must be capable of handling all ingress and egress traffic where it is deployed.

    Prevents traffic deemed malicious from entering or leaving the network.

As shown in Figure 8.1, where you deploy the system and how you configure it will determine whether it is an IDS or IPS. Here are some examples of Cisco IDS and IPS technologies:

    The AIP-SSM card can be configured on a Cisco ASA 5500 Series security appliance in either promiscuous (IDS) or inline (IPS) mode.

    Cisco IOS IPS is configured as a process on a Cisco IOS router.

    Cisco has a whole product line of rackmount IPS appliances that can be physically implemented in line with the network traffic or configured to look at copies of the traffic only.

    Software deployed on an IP host such as an application server or a client workstation.

Where you deploy IDS and IPS technologies will dictate what they can see and how they can deal with intrusion attempts (and how quickly). You can deploy them in two places:

    In the network. Called network IDS and network IPS.

    On a host. Host-based IPS or HIPS.

In Figure 8.2, an attacker on the Internet launches a hack on the public HTTP server deployed in the DMZ.

FIGURE 8.2 Network IDS may miss trigger packet.

As indicated in Figure 8.2, this attack might be missed by a network IDS because it is not deployed inline with the ingress packets to the network and will probably not be able to react to the trigger packet of the attack The following steps illustrate this logic. The numbers in the list refer to the labels in Figure 8.2:

TABLE 8.1 Comparing IDS and IPS Technologies

TABLE 8.2 IDS and IPS Sensor Types

Putting the terms together, an example solution might be a network IPS that uses signatures and policies to detect and block attacks. This leads to the next question, which is: “What response and monitoring actions can be employed by IPS technologies?”

What follows is a list of some of the actions that we can configure on Cisco sensors:

    Deny Attacker Inline. Terminates current packet and shuns all subsequent packets from this attacker for a specified time period, regardless of whether they are part of new TCP connections.

    Deny Connection Inline. Terminates current and future packets in a specific TCP connection.

    Deny Packet Inline. Terminates the packet only.

    Log Attacker Packets. Logs all packets with an attacker’s IP address.

    Log Pair Packets. Logs events in an attack pair that contains the attacker and victim address pair. This is useful for identifying specific flows.

    Log Victim Packets. Logs all packets with a victim’s IP address.

    Produce Alert. Sends an alert to the Event Store (internal log buffer).

    Produce Verbose Alert. Sends an encoded dump (capture) of the offending packet in the alert.

    Request Block Connection. Sends a request to another device (router, switch, firewall) to block this connection.

    Request Block Host. Sends a request to another device (router, switch, firewall) to block this attacker.

    Request SNMP Trap. Instructs the sensor to send an SNMP trap.

    Reset TCP Connection. Sends TCP RSTs to terminate the TCP connection.

Back in Chapter 4, we discussed options for secure management and logging, focusing mainly on syslog and SNMP. So, we already have our mind around the concept of sending event-triggered alerts to the various reporting servers in our network. This is handy, because referring to Figure 8.2, the reference network diagram indicates that a MARS (Monitoring, Analysis, and Response System) appliance has been deployed in a separate VLAN inside the Cisco IOS firewall. This section isn’t a discussion about how to log to these servers. It is a discussion of what to log and how to log (management) and real-time monitoring of events as they unfold in the traffic streams through our network. The scale of the solution has to match the scale of the network, both in the number of devices deployed, as well as the volume of traffic that is being moved across the monitored devices. As we have seen, some of those same metrics define whether the IPS is inline to the traffic or not.

We need to know the following:

    What is happening in real-time (monitoring)

    IPS actions and event information collection (management)

    Analysis of the archived information (reporting)

Cisco makes the following points about event management and monitoring:

    Management and monitoring comprises two key functions:

    Real-time event monitoring and management

    Analysis of the archived event information (reporting)

    Depending on scale, management and monitoring can be deployed on a single server or on separate servers.

    Recommended maximum of 25 well-tuned sensors reporting to a single IPS management console (management consoles will be discussed shortly).

Cisco IPS Management Software

Table 8.3 outlines Cisco’s portfolio of IPS management software.

TABLE 8.3 Cisco IPS Management Software

Note

The day after the IINS version 1.0 course was released, Cisco announced a new, freeware IPS management solution called IME (IPS Manager Express). It fully supports the newer 6.x version of the IPS signatures and also has limited support for version 5.x signatures. For more information on Cisco IME, navigate to this link: http://www.cisco.com/en/US/products/ps9610/index.html.

Figure 8.3 illustrates the Threat Analysis Console of the Cisco IPS Event Viewer (IEV)

FIGURE 8.3 Cisco IPS Event Viewer.

Recall that IPS technology can be either network- or host-based, although they often co-exist as complementary solutions. With host-based IPS (HIPS), software is deployed right on the application server or client. Cisco’s HIPS solution is the Cisco Security Agent (CSA). Here are some features and recommendations about HIPS:

    HIPS audits files systems, OS registries, log files, and system resources.

    CSA should be installed on every host that requires HIPS.

    CSA protects the individual host by detecting intrusion attempts.

    CSA does not require special hardware.

    Because CSA is behavior-based, it can stop even newer attacks in real-time whose behavior it identifies as malicious.

Referring to Figure 8.4, if we installed CSA on the public HTTP server that we first saw in Figure 8.2, it might obviate the need to configure the Cisco IOS firewall as a Network IPS. We could then manage the CSA with the CSA Management Center (CSA MC) on the Systems Administrator workstation. This might work on a small network, but imagine if you have a large network of thousands of IP hosts. You would need to install, configure, and manage all of those CSA instances. Often, CSA is deployed in parts of the network—on critical application servers, for instance—and used to complement Network IPS systems if possible.

FIGURE 8.4 CSA deployment in the reference network.

Figure 8.5 illustrates how CSA works to protect an IP host from malicious applications directly at the kernel level.

FIGURE 8.5 HIPS in action.

The steps in Figure 8.5 are as follows:

Here are some other points about how HIPS operates:

    HIPS intercepts both operating system and application calls.

    Rules control application and network protocol stacks.

    Processor controls set limits on the following:

    Buffer overflow.

    Registry updates.

    Writes to system directory.

    Launching of installation programs.

    HIPS is behavior-based.

Table 8.4 outlines the pros and cons of Host Intrusion Prevention Systems (HIPS).

TABLE 8.4 HIPS Pros and Cons

Figure 8.6 illustrates a network IPS deployed on the WAN side of a Cisco IOS firewall. It is deployed in such a way that it will see the inbound traffic (represented as an arrow) from an attacker on the outside. It is an IPS because it is inline with the flow of traffic from the outside. The features of a network IPS are explained more thoroughly next.

FIGURE 8.6 Network IPS.

Here are some features of a network IPS:

    Connected to the network where, if properly deployed, a single sensor can monitor traffic for many hosts or at least a small group of important hosts.

    Sensors are appliances with software that is tuned for its role in intrusion detection analysis:

    The underlying operating system is hardened.

    Hardware is optimized for intrusion detection analysis.

    Scalable—networks are easily protected as they grow:

    New end system hosts and devices can be added without the need for new sensors (unlike HIPS).

    New sensors can be easily added to new or existing networks.

Most of the points in Table 8.6 were already made, but it is useful to summarize them in one place to compare HIPS and network IPS.

TABLE 8.6 HIPS and Network IPS Comparison

Figure 8.7 illustrates Cisco’s portfolio of IPS appliance.

FIGURE 8.7 Cisco IPS appliances.

Here is a list of Cisco’s four solutions for IPS appliances:

    Cisco IPS 4200 Series Sensors. Standalone rackmount appliance.

    Cisco ASA AIP-SSM. Advanced Inspection and Prevention Security Services Module for the ASA 5500 Series adaptive security appliances.

    Cisco Catalyst 6500 Series IDSM-2. Intrusion Detection System Services Module for the Catalyst 6500 Series switch.

    Cisco IPS AIM. IPS Advanced Integration Module for Cisco 1841, 2800, and 3800 Series Integrated Services routers.

All of these devices share the same code as the Cisco IPS 4200 Series IPS appliance. This was not an accident, as Cisco product planners wanted to ensure commonality of the configuration interface (and code base) as networks grow and needs change requiring more and different sensors. This makes it easier for IT security staff to grow with the product.

IDS and IPS technologies use signatures to detect malicious network activity. This is similar to Anti-X products—virus scanners, for example. A good IPS solution enables you to update the signatures regularly as new threats emerge because the IPS is only as good as the ability of its signatures to detect intrusive activity. Here are the characteristics of IPS signatures:

    A network IPS signature is a set of rules used to detect intrusive activity.

    Sensors use signatures to test network packets for signs of known attacks. The signatures have predefined actions to respond to a detected attack.

    When a signature-based IPS is first installed, there will be false positives. You must fine tune the signatures to reduce the frequency of false positives by modifying certain signature parameters.

    Built-in signatures cannot be added or deleted, although they may be tuned to reduce false positives (see the following note).

    Some signatures have sub-signatures nested in them. These sub-signatures may be used by other signatures. Changing a sub-signature affects only that sub-signature and not the signature that uses it.

Signature Micro-Engines

Conceptually, signatures are a database of patterns that match attacks. The signatures don’t do anything by themselves, but they are read-in, cached, and parsed by real-time processing daemons called signature micro-engines (SME). A signature micro-engine is a self-contained parallel process that has the following characteristics:

    Signature micro-engines support IPS signatures.

    Signatures that are read into a micro-engine are scanned in parallel for efficiency and maximum throughput.

    Micro-engines group a category of signatures.

    Each micro-engine is customizable for the protocol and PDU fields that it is designed to inspect.

    Micro-engines specify permissible, legal ranges for the items that they are designed to inspect.

    Micro-engines use router memory to compile, load, and merge signatures (see the following note). These signatures use “regular expressions” (REGEXs) for pattern matching. This will be very familiar to readers from the Unix world where REGEXs are quite common in shell scripts. Signatures are customized or written with REGEX. Compiling takes more RAM than the finished signature, so you must be careful to stay within the RAM requirements of your platform for the number of signatures that will be used.

Note

Micro-engines use router memory to compile, load, and merge signatures only when Cisco IOS IPS is used as the IPS is a software process hosted on an IOS router in that case. The four appliances listed previously are self-contained environments with their own flash memory, RAM, and CPUs. It’s not clear whether the exam makes this distinction, so the “right wrong answer” is above.

The third item in the list states that micro-engines group a category of signatures. Table 8.7 shows the list of supported micro-engines and the categories of signatures they group as of Cisco IOS release 12.4(6)T.

TABLE 8.7 Supported Signature Micro-Engine in IOS 12.4(6)T

Note

Atomic signatures examine simple packets. “Simple” in this context means that the test is simple—for example, an ATOMIC.TCP signature micro-engine provides for simple TCP packet alarms based on source and destination port numbers and flags (SYN, RST, ACK, PSH, URG, FIN). For example, the ATOMIC.TCP SME would be able to analyze a TCP session and reset the session if the two connection partners aren’t playing by the rules. Remember the Reset TCP Connection action in the “IPS Attack Responses” subsection earlier in the chapter?

When a signature is matched due to an attack or a policy violation, the SME in which the signature is compiled will raise an alarm, after which an action is taken to respond. The signature is said to “fire.” The whole efficacy of the IPS solution hinges on the ability of the sensor to react quickly with an IPS action response using the action specified in the signature. Anyone fond of watching Hollywood dramas would quickly state that there are usually more false alarms than there are real ones. In the real world, reacting to false alarms can result in embarrassment, but no real damage is done. If a network IPS blocks legitimate traffic because of a false alarm (a so-called false positive), there might be real damage done to the throughput and quality of service offered by the network. Alarms are either false or true, negative or positive:

    False Positive. Normal traffic or a non-malicious action causes the signature to fire.

    True Positive. An attack is properly detected by the IPS.

    False Negative. An attack is not detected by the IPS.

    True Negative. Legitimate traffic does not cause signatures to fire.

The following list of best practices is most appropriate in the context of a large network with multiple IPS sensors. Some of these ideas will be familiar to anyone who has had to set up a deployment of new code to client workstations within a large LAN domain. Even the bandwidth of a modern, high-speed Gigabit Ethernet core can be severely strained if some intelligent design is not employed when updating several devices simultaneously. From a security perspective, it makes good sense to perform your updates separate from the data plane of the production network, using the management network. To summarize:

    Set the sensors to automatically update their signature packs instead of doing a manual upgrade of individual sensors.

    Employ a dedicated FTP server in the management network from which the sensors can fetch the signature packs.

    Stagger the time of day for checking and downloading of the signature packs to prevent over-taxing network resources.

    Make the deployment of updates simpler by grouping IPS sensors together in a few larger profiles.

Figure 8.8 shows Autoupdate enabled in the Cisco SDM for an IOS IPS configuration. Note that in this example, autoupdate is set up to fetch the signature packs from a Trivial File Transfer Protocol (TFTP) server.

FIGURE 8.8 Configuring Autoupdate in the Cisco SDM for IOS IPS.

In this section, we introduce the Cisco IOS IPS router solution and walk through a complete configuration using the Cisco SDM. We will also look at logging options available and methods in both the SDM and the CLI to verify the configuration.

Cisco states that the Cisco IOS IPS is an inline network IPS. Actually, it’s a bit redundant saying this, since we have established that whether a device is inline to the traffic or analyzes copies of the traffic offline is what marks the difference between IPS and IDS technology in the first place. Regardless, one of the advantages of having the IPS run on the router is that, unlike IPS deployments where the sensor and the router are separate and must be configured to cooperate with one another, the IPS logic is integral to the router and can leverage on the router’s firewall to take response actions to intrusions. We covered the various response actions in the last section.

Cisco IOS IPS Signature Integration

As stated, the Cisco IOS IPS borrows heavily from the Cisco IPS 4200 Series of sensors and Catalyst 6500 IDSM IPS modules. Table 8.8 shows the features of the signatures in the Cisco IOS IPS.

TABLE 8.8 Cisco IOS IPS Signature Feature Summary

Configuring Cisco IOS IPS with the Cisco SDM

We configure the Cisco IOS IPS using the Cisco SDM, starting with an IOS router with no IPS configuration on it.

Note

There’s no requirement that the IOS IPS work in conjunction with either CBAC (Cisco IOS classic firewall) or the newer Zone-Based Policy Firewall (ZPF), both of which were discussed in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.” The Cisco IOS IPS could simply be added to basic router functionality on the edge of the network for network designers that subscribe to the separation of services philosophy, with a firewall configured with Cisco ZPF establishing a separate, inner perimeter.

Figure 8.9 illustrates the Cisco SDM home page, indicating an unconfigured IOS IPS.

FIGURE 8.9 Cisco SDM showing unconfigured IOS IPS.

Figure 8.10 illustrates the SDM Configure->Intrusion Prevention System (IPS) window.

FIGURE 8.10 Cisco SDM Configure->Intrusion Prevention System (IPS) window.

Before we start configuring the IPS, let’s look at some of the choices we have when we navigate to Configure->Intrusion Prevention from the home page in the Cisco SDM, as indicated in Figure 8.10. Along the top of the Intrusion Prevention System (IPS) window are these choices, presented as tabs:

    Create IPS. Contains a single choice—the IPS Rule wizard (see the following note) used to automate the creation of a Cisco IOS IPS rule and all facets of configuring the IPS.

    Edit IPS. Enables you to manually edit Cisco IOS IPS rules and either associate or disassociate them from interfaces.

    Security Dashboard. Enables you to view Cisco’s Top Threat table and deploy signatures to counter those threats.

    IPS Migration. This is used to migrate IOS IPS configurations, which were created in earlier versions of the Cisco IOS software. You must be running IOS Software Release 12.4(11)T or later to use this function.

There is also the Launch IPS Rule Wizard button that (although you really want to press it now!) we will look at shortly.

Note

Substitute the words “IPS signature configuration” for “IPS rule configuration” every time you see it in the SDM. In some of the dialogs, SDM calls signatures “rules.” This is inconsistent use of the word “rule” because the Launch IPS Rule Wizard button (see Figure 8.10, as well as the previous paragraph) does not launch a wizard where you can change the signatures! The word “rule” in that context means policy. Ouch!

While we’re on the subject, sharp-eyed readers will notice that the SDM wizard is called the Intrusion Prevention System wizard, whereas we have been calling it the Intrusion Protection System up to now. This is just semantics, and you shouldn’t read anything into the difference because they actually mean the same thing. Just when you thought you were figuring out the terminology!

The reference diagram for configuring Cisco IOS IPS is found in Figure 8.11. It is a slight modification to the reference diagram found in Figure 8.6 that we have been using in this chapter. The management VLAN is VLAN 3. The production VLAN is VLAN 1. This is where the wired workstations reside that belong to our internal knowledge workers. Similarly, there is a separate VLAN, VLAN 99, deployed for our wireless hotspot. Essentially, all three of these VLANs represent internal networks for the purpose of configuring the IOS IPS. FastEthernet 4 is the external, Internet-facing interface.

FIGURE 8.11 Reference diagram for configuring Cisco IOS IPS.

Because there is currently no IPS configured, we follow these steps to configure the Cisco IOS IPS:

1. Navigate to Configure->Intrusion Prevention->Create IPS. The screen that appears is illustrated in Figure 8.12.

   FIGURE 8.12 Cisco SDM Create IPS Wizard.

   

2. Push the Launch IPS Rule Wizard button.

3. If this is a first-time configuration, an information window appears, indicating that “SDM will open a subscription with the router to get the SDEE events.” Press OK.

4. The Welcome to the IPS Policies Wizard screen appears. Click Next. The Select Interfaces screen opens and is illustrated in Figure 8.13.

   FIGURE 8.13 Select Interfaces screen of the IPS Policies Wizard.

   

5. Place a check mark beside each interface in the check box corresponding to the direction, Inbound and Outbound, that you want to inspect the packets for signs of intrusion. In this example, FastEthernet4 is the Internet-facing interface, and Vlan1, Vlan3, and Vlan99 are all inside the perimeter (refer to Figure 8.11).

6. Click Next. The Signature File and Public Key window appears and is illustrated in Figure 8.14.

   FIGURE 8.14 Signature File and Public Key screen of the IPS Policies Wizard.

   

   Note

   Recall that there are no built-in signatures as of IOS Software Release 12.4(11)T. Some IOS routers ship from Cisco with .SDF (Signature Definition Files) already in flash memory. Also, when you download and install the SDM, there are SDF files included with the SDM archive for different amounts of RAM that can get you started without having to go to CCO. That said, the latest signature files are available on CCO to users with sufficient access.

   In this window, you can push either of two radio buttons:

    Specify the signature file you want to use with the IOS IPS.

    Get the latest signature file from Cisco.com and save to PC.

If you choose the first choice, you will be led through a dialog that enables you to fetch the signature file from one of the following: router flash, the local PC, or the URL of an external source such as a web server.

Note

When fetching the file from your PC, the signature file will be of the form sigv5-SDM-Sxxx.zip, where xxx is the signature set’s version number. If you choose to specify the router’s flash, use the format IOS-Sxxx-CLI.pkg.

If you choose the second choice, you will be prompted for where you want to save the file; you then are prompted for your username and password on CCO and to save the SDF file (in .zip format) to your local PC’s hard drive and subsequently install on the IPS. Incidentally, this will also download the update files in the form of a .pkg file, which you can push to the router (see the preceding note).

In both cases, you must enter the name and value of Cisco’s public key before you proceed. This is because any changes you make to the signatures (so called “deltas”) will need to be signed with this key for security reasons. You must visit this URL to look up both the name of the key to put in the Name field and the key’s value to put in the Key field. The URL is http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup.

Enter the values in both fields as indicated; then proceed by clicking Next.

7.    The Config Location and Category windows appear as illustrated in Figure 8.15.

FIGURE 8.15 Config Location and Category screen of the IPS Policies Wizard.

Here are the basic commands used to configure the IOS IPS with the CLI. We’ll start with an example that matches the worked example that we have just completed with the SDM and then look at the commands one by one and in the order shown (note: the configuration for interfaces Vlan99 and Vlan3 has been omitted):

Here is an explanation of the commands (see the previous configuration for specific examples used in our reference network):

    ip ips config location. This global configuration command specifies the location of the IPS configuration. In this example, it is in the flash:/ips/ directory.

    ip ips notify. This global configuration command specifies the method of event notification. In this example, SDEE is being used.

    ip ips name. This global configuration command specifies the IPS rule (policy) name—sdm_ips_rule in this example.

    ip ips signature-category. This global configuration command configures the router to support the default basic or advanced signature set.

    ip ips ips_rule_name. This interface configuration command applies the named IPS rule (policy) on the selected interface.

    ip virtual-reassembly. This interface configuration command turns on Virtual Fragment Reassembly (VFR). Dynamic ACLs are created to protect the network against various fragmentation attacks.

You may recall earlier that one of Cisco’s recommendations for IPS best practices is to set the alert level of any signature to the severity level of the signature itself. You can set the severity level of a signature, both the included ones as well as ones you create, by following these steps:

Recall that IPS signatures have default actions or “responses.” (See the subsection “Signature Attack Responses” for a complete list of responses and their meaning.) The SDM enables you to change these actions. To change the action for a signature, follow these steps (using the Email signature category as an example):

1. From the SDM, navigate to Configure->Intrusion Prevention->Edit IPS->Signatures->Email.

2. Select the signature whose severity level you want to change; then right-click to bring up the context menu. Select Assign Actions from the context menu. A new Assign Actions window appears, as illustrated in Figure 8.21.

FIGURE 8.21 Edit IPS / Assign Actions dialog.

3.    Place a check mark in the box beside the action(s) you want to take. The actions you can choose from are the following:

    Deny Attacker Inline

    Deny Connection Inline

    Deny Packet Inline

    Produce Alert (the default for this IMAP Email Signature)

    Reset TCP Connection

4.    Click OK.

5.    Click Apply Changes in the Edit IPS window when you are done.

The Cisco IOS IPS supports both the Security Device Event Exchange (SDEE) and syslog protocols to send alerts.

Recall that an alarm is generated when an enabled signature is triggered. The alarms are stored in a buffer on the sensor. One disadvantage of syslog is that the syslog server is passive, relying on the sensor to send alerts to it. This is indicated by the arrow in Figure 8.23 pointing to the syslog server from the Cisco IOS IPS. SDEE, on the other hand, is a subscription type of service where hosts can pull alarms from the sensor at any time. This is indicated by the two-headed arrow indicated in Figure 8.23. SDEE-format messages are much richer in their information content.

FIGURE 8.23 SDEE and Syslog support in Cisco IOS IPS.

Here are some other things you need to know about SDEE:

    1,000 events can be stored in the SDEE buffer. 200 is the default. Disabling SDEE notification erases the buffer.

    Network management applications pull SDEE messages from the IOS IPS.

    SDEE is evolving as the standard format for security reporting network management.

    SDEE is vendor-independent.

    SDEE uses HTTP or HTTPS (more secure) for transport, thus must be enabled on the router.

    The IOS IPS still sends alerts via syslog.

Viewing the SDEE Message Log

Navigate to Monitor->Logging->SDEE Message Log to view the SDEE message log. This dialog is illustrated in Figure 8.24.

FIGURE 8.24 Viewing the SDEE message log.

Here’s an example of an SDEE message captured in the CLI. The IPS is sending an alert of a possible fragmentation attack since signature 1207 has been triggered:

May 20 12:37:24.723: %IPS-4-SIGNATURE: Sig:1207 Subsig:0 Sev:25 IP
Fragment Too Many Datagrams [192.168.2.119:0 -> 192.168.2.254:0]
RiskRating:25

Viewing the Syslog Message Log

Navigate to Monitor->Logging->Syslog to view the syslog message log. This dialog is illustrated in Figure 8.25.

FIGURE 8.25 Viewing the Syslog message log.

This section outlines procedures to verify IOS IPS operation with both the SDM and the CLI.

Verifying IPS Policies (Rules)

Navigate to Configure->Intrusion Prevention->Edit IPS to verify that IPS has been enabled on interfaces and in which direction. This is illustrated in Figure 8.26.

FIGURE 8.26 Verifying IOS IPS operation in the Cisco SDM.

Also note in Figure 8.26 that VFR (Virtual Fragment Reassembly) has been enabled on all of the interfaces. The IOS IPS cannot detect intrusions by examining fragments of IP packets. They must be coalesced so the entire packet can be checked.

Of course, the Edit IPS tab can be used to edit and not just verify the IPS!