Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 44 Configuring IOS IPS Routers
Overview of Cisco IOS IPS Configuration
Initial Preparation of a Cisco IOS IPS Router
Before you add a Cisco IOS IPS router to the Security Manager inventory, you need to perform some
preparatory steps. The white paper Getting Started with Cisco IOS IPS with 5.x Format Signatures on
Cisco.com provides a step-by-step explanation of a basic configuration. Although you could do some of
the steps after adding the router to Security Manager, such as configuring interface rules, you should do
at least the basic steps.
The following procedure explains the steps you are required to complete in the CLI. These steps are
required because Security Manager either cannot complete them, or because they are simply easier to do
in the CLI (as a one-time configuration). The white paper includes additional steps that you can complete
in the CLI, and Security Manager can discover your configuration when you add the device to the inventory.
The more you do in the CLI, the less you will have to configure in Security Manager.
Tip: You must also complete the basic router configuration steps as explained in Setting Up SSL on Cisco
IOS Routers, page 2-4, Setting Up SSH, page 2-5, and Configuring Licenses on Cisco IOS Devices,
page 2-12. The following steps apply to the IPS configuration only.
Step 1 Create a directory for IPS files on flash. For example, the following command creates a directory named
ips:
    router# mkdir ips
    Create directory filename [ips]?
    Created dir flash:ips
At this point, you can optionally configure the router to use this directory for IPS, or you can do it later
in Security Manager (in the IPS > General Settings policy). Use the following commands to configure it
in the CLI:
    router# configure terminal
    router(config)# ip ips config location flash:ips
Step 2 Configure the Cisco IOS IPS crypto key. The crypto key is used to verify the digital signature of the
master signature file (sigdef-default.xml), whose contents are signed with a Cisco private key to guarantee
its authenticity and integrity at every release.
You can obtain the CLI required for the key from
http://download-sj.cisco.com/cisco/ciscosecure/ids/sigup/5.0/ios/realm-cisco.pub.key.txt (a Cisco.com
login is required).
Tip: Configuring the key through the CLI is probably the easiest way to do it. Alternatively, you can
configure it in Security Manager by assigning the IOS_IPS_PUBLIC_KEY pre-defined
FlexConfig object to the router’s FlexConfig policy. For more information about FlexConfigs,
see Chapter 7, “Managing FlexConfigs”.
a. Open the text file and copy its contents to the clipboard (select all text, then press Ctrl+C).
b. If necessary, enter configure terminal at the router CLI prompt.
c. Paste the copied text at the router prompt.
d. Exit configuration mode.
e. Enter the show run command to confirm that the key was correctly configured.
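One way to carry out the check in step e offline, as an added example that is not part of the Cisco guide: compare the key-string in saved show run output with the one in the downloaded text file, ignoring differences in line wrapping, and report the configured IPS directory. It assumes the key appears under a named-key realm-cisco.pub entry of crypto key pubkey-chain rsa; the hex values, sample texts and function names are constructed placeholders, not Cisco's real key or code.

```python
import re

# Constructed placeholder, NOT Cisco's real key: stands in for the text file's contents.
REFERENCE_CLI = """\
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   AAAAAAAA 11111111 BBBBBBBB 22222222
   CCCCCCCC 33333333 DDDDDDDD 4444
   quit
"""
# Constructed 'show run' excerpt: same key, wrapped differently by the router.
SHOW_RUN = """\
ip ips config location flash:ips
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   AAAAAAAA 11111111 BBBBBBBB 22222222 CCCCCCCC 33333333
   DDDDDDDD 4444
  quit
"""

def extract_key(config_text, key_name="realm-cisco.pub"):
    """Return the normalized hex under 'named-key <key_name>', or None."""
    in_named = in_key = False
    hex_parts = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("named-key "):
            in_named, in_key = line.split()[1] == key_name, False
        elif in_named and line == "key-string":
            in_key = True
        elif in_key:
            if line == "quit":  # end of the key-string body
                return "".join(hex_parts).upper() or None
            if not re.fullmatch(r"[0-9A-Fa-f ]+", line):
                return None  # non-hex text inside the key: corrupted paste
            hex_parts.append(line.replace(" ", ""))
    return None  # key block missing or never closed with 'quit'

def check_router(show_run, reference_cli):
    """Compare the router's key with the reference and report the IPS directory."""
    ref, got = extract_key(reference_cli), extract_key(show_run)
    loc = [l.split()[4] for l in show_run.splitlines()
           if l.strip().startswith("ip ips config location ")]
    return {"key_present": got is not None,
            "key_matches_reference": got is not None and got == ref,
            "ips_location": loc[0] if loc else None}

if __name__ == "__main__":
    print(check_router(SHOW_RUN, REFERENCE_CLI))
```

A key that is present but does not match the reference usually means the paste was truncated or interrupted; remove the entry and repeat steps a through d.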