
Module 2: Configure

Network Intrusion Detection and Prevention

PDF created with pdfFactory trial version www.pdffactory.com


Overview



Cisco IOS Intrusion Prevention System



Cisco IOS Intrusion Prevention System (IPS)

• The Cisco IOS Intrusion Prevention System (IPS) with inline intrusion
capabilities provides an inline, deep-packet-inspection based IPS solution that
helps enable Cisco routers to effectively mitigate a wide range of network
attacks without compromising traffic forwarding performance.
• Cisco IOS IPS can accurately identify, classify, and stop malicious or
damaging traffic in real time, and is a core component of the Cisco Self-
Defending Network.



Cisco IOS Intrusion Prevention System (IPS)

• The Cisco IOS IPS acts as an in-line IPS sensor, watching packets and
sessions as they flow through the router, and scanning each packet to match
any of the Cisco IOS IPS signatures.
• When it detects suspicious activity, it responds before network security can be
compromised and logs the event through Syslog or Security Device Event
Exchange (SDEE).



Cisco IOS Intrusion Prevention System (IPS)

• When packets in a session match a signature, the Cisco IOS IPS can take any
of the following actions, as appropriate:
– send an alarm to a Syslog server or a centralized management interface
– drop the packet
– reset the connection



Extra: Key Benefits of the Cisco IOS IPS
• Provides network-wide, distributed protection from many attacks,
exploits, worms, and viruses exploiting vulnerabilities in operating
systems and applications
• Eliminates the need for a standalone IPS device at branch and
telecommuter offices as well as small and medium-sized business
networks
• Unique risk-rating-based signature event action policy processor
dramatically improves the ease of management of IPS policy
• Offers field-customizable worm and attack signature set and event
actions
• Offers inline inspection of traffic passing through any combination of
router LAN and WAN interfaces in both directions
• Works with Cisco IOS Firewall, control-plane policing, and other Cisco
IOS Software security features to protect the router and networks
behind the router
• Supports about 2000 attack signatures from the same signature
database available for Cisco Intrusion Prevention System (IPS)
appliances



Extra: Key Benefits of the Cisco IOS IPS

• The Cisco IOS IPS feature in the latest Cisco IOS 12.4(11)T2 release
also offers the following enhancements:
– Support for encrypted signatures provided by many vendors under
nondisclosure agreement (NDA)
– Risk rating value in IPS alarms for efficient event filtering,
monitoring, and correlation
– Support for the risk-rating-based Signature Event Action Processor
(SEAP) for automated adjustment of signature event actions based
on risk rating, a feature unique to Cisco IPS products
– Individual and category-based signature provisioning capabilities
through the Cisco IOS command-line interface (CLI)
– XML-based IDCONF signature provisioning mechanism (works
securely over HTTPS)
– Automated signature updates (at configurable periodic intervals)
from a local server



Cisco IOS Intrusion Prevention System (IPS)

• Features and benefits of the Cisco IOS IPS




Cisco IOS Intrusion Prevention System (IPS)

• Origin of Cisco IOS IPS


– Cisco IOS IPS restructures the existing Cisco IOS Software IDS.
– The primary difference between Cisco IOS Software IDS and the
new, enhanced Cisco IOS IPS is that an intrusion detection
system monitors traffic and sends an alert when suspicious
patterns are detected, while an intrusion prevention system can
drop traffic, send an alarm, or reset the connection, enabling the
router to mitigate and protect against threats in real time.
– Cisco IOS IPS inherited the built-in 132 signatures from Cisco IOS
Software IDS technology.
– With the introduction of inline IPS capability, new signatures can be
added by downloading a signature definition file (SDF) into the
Flash memory of the router, or administrators can specify the
location of the SDF in the Cisco IOS IPS configuration on the
router.



Cisco IOS Intrusion Prevention System (IPS)

• Router Performance
– The performance impact of intrusion prevention depends on the
number of signatures enabled, the level of traffic on the router, the
router platform, and other individual features enabled on the router,
such as encryption.
– The IPS process in the router sits directly in the packet path and
searches each packet for signature matches. In some cases, the
entire packet needs to be searched, and state information and even
application state and awareness must be maintained by the router.



Extra: Types of Signatures

• There are 4 categories of signatures:

– Exploit signatures: Since exploit signatures typically identify a traffic pattern that is
unique to a specific exploit, each exploit variant may require an individual signature.
Attackers may be able to bypass detection by slightly modifying the attack payload.
Therefore, you often must produce an exploit signature for each attack tool variant.
– Connection signatures: Connection signatures generate an alarm based on the
conformity and validity of the network connections and protocols.
– String signatures: The string signature engines support regular expression pattern
matching and alarm functionality.
– DoS signatures: DoS signatures contain behavior descriptions that are considered
characteristic of a DoS attack.



Extra: Types of Signatures

• This figure matches the type of exploit signature with the OSI layer.
Exploit-specific signatures seek to identify network activity or upper-
level protocol transactions that are unique to a specific exploit or attack
tool.



Extra: Types of Signatures

• These are examples of exploit signatures in the network layer:


– The most common fragmentation attack attempts to exhaust target
resources by sending many non-initial fragments and tying up
reassembly buffers.
– Target systems can be configured to not accept IP datagrams with
certain IP options, such as source routing. Signatures can analyze
these datagrams before the datagrams are discarded. The
configuration for this analysis is based on the target operating
system or the default. This analysis is enabled by default, but may
be turned off to enhance performance.
– Distributed DoS (DDoS) attacks are the “next generation” of DoS
attacks on the Internet. Examples of DDoS attacks on the network
layer include Internet Control Message Protocol (ICMP) echo
request floods and ICMP-directed broadcasts (also known as smurf
attacks).



Cisco IOS IPS signatures

• As of Release 12.3(8)T, Cisco IOS IPS has 132 built-in signatures available in
the Cisco IOS Software image.
• The built-in signatures are hard-coded into the Cisco IOS Software image for
backward compatibility.
• Each signature can be set to send an alarm, drop the connection, or reset the
connection. Each action is enabled on a per-signature basis. Each signature
has an action assigned by default, based on the severity of the signature.



Cisco IOS IPS signatures

Cisco IOS IPS-Version 4 Signatures

• Cisco IOS IPS has the ability to download IPS signatures without the need for
a Cisco IOS Software image update.


Cisco IOS IPS signatures

• The Signature Definition File


– Cisco IOS IPS uses signature definition files (SDFs) that contain signature
descriptions for the most relevant attacks and are updated by Cisco on a
regular basis.
– The SDF is an Extensible Markup Language (XML) file with a definition of
each signature along with relevant configurable actions.
– Cisco IOS IPS reads in the SDF, parses the XML, and populates its
internal tables with the information necessary to detect each signature.
– The SDF contains the signature definition and configuration. Actions such
as alarm, drop, or reset can be selected for individual signatures within the
SDF.
– The SDF can be modified so the router will only detect specific signatures.
As a result, it can contain all or a subset of the signatures supported in
Cisco IOS IPS.
– The administrator specifies the location of the SDF. The SDF can reside on
the local Flash file system (the recommended option) or on a remote
server. Remote servers can be accessed via TFTP, FTP, Secure Copy
Protocol (SCP), or Remote Copy Protocol (RCP). After signatures are
loaded and compiled onto a router running Cisco IOS IPS, the IPS can
begin detecting the new signatures immediately.



Cisco IOS IPS signatures

• Signature Micro-engines
– The IPS mechanism that matches the signatures against data packets is
called a micro-engine.
– An IPS system contains several micro-engines, and each micro-engine
handles a set of signatures, typically grouped together by protocol or some
other common characteristics.
– Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDF and
scan signatures. Each engine categorizes a group of signatures, and each
signature detects patterns of misuse in network traffic.
• For example, all HTTP signatures are grouped under the HTTP engine.
– Signatures contained within the SDF are handled by a variety of SMEs.
The SDF typically contains signature definitions for multiple engines.
– The SME typically corresponds to the protocol in which the signature
occurs and looks for malicious activity in that protocol. A packet is
processed by several SMEs. Each SME scans for various conditions that
can lead to a signature pattern match.
– When an SME scans the packets, it extracts certain values, searching for
patterns within the packet via the regular expression engine.



Cisco IOS IPS signatures

• attack-drop.sdf
– The attack-drop.sdf file is available in flash on all Cisco access routers that are
shipped with Cisco IOS Release 12.3(8)T or later.
– The attack-drop.sdf file can then be loaded directly from flash into the Cisco IOS IPS
system. If flash is erased, the attack-drop.sdf file may also be erased. This may
happen when erasing the contents of flash memory before copying a new Cisco IOS
image to flash. If this occurs, the router will refer to the built-in signatures within the
Cisco IOS image.
– The attack-drop.sdf file can also be downloaded onto the router from the weblink
below. A valid CCO login is required to access the site.


Extra: Cisco IOS IPS signatures

Cisco IOS IPS-Version 4 Signatures



Extra: Built-in signatures

• Built-in signatures are removed from Cisco IOS IPS starting from Cisco
IOS Software Release 12.4(11)T.
• In previous releases, built-in signatures are predefined signatures
bundled with Cisco IOS Software.
• These built-in signatures exist solely to maintain backward
compatibility with the previous Cisco IOS Intrusion Detection System
(IDS), which has about 135 signatures.
• Cisco does not recommend using built-in signatures.



Extra: The basic and advanced signature sets

• The basic signature set (in file 128MB.sdf) is the Cisco recommended
signature set for routers with 128 MB or more memory.
• The advanced signature set (in file 256MB.sdf) is the Cisco recommended
signature set for routers with 256 MB or more memory.
• Cisco decommissioned the use of the file attack-drop.sdf. Although it is still
possible to use this file in Cisco IOS Software releases prior to Cisco IOS
Software Release 12.4(11)T, because of the very limited and old attack
coverage the signatures in that file provide, Cisco does not recommend its
use in production environments.
– These files can be downloaded from Cisco.com at
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-sigup.



• In Cisco IOS Software Release 12.4(9)T2 or earlier, the action on a
signature can be changed by accessing the device-level application
(Cisco SDM 2.2 or later) or the network-level application (the
CiscoWorks Management Center for IPS Sensors [IPS MC] 2.2).
• The action can be set to Alarm, Drop, Reset,
denyAttackerInline, or DenyFlowInline.

• Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T or later supports
signature action configuration using the command-line interface (CLI).



Cisco IOS IPS configuration tasks

• Verify the configuration. This includes using the available show, clear, and
debug commands for the IOS IPS.



Install the Cisco IOS IPS

• Use this procedure to install the latest Cisco IOS IPS signatures on a router for
the first time. This procedure allows the administrator to load the default, built-
in signatures or the attack-drop.sdf file, but not both.
• To merge the two signature files, the administrator must load the default, built-
in signatures as described in this procedure. Then, the default signatures can
be merged with the attack-drop.sdf file.



Install the Cisco IOS IPS

• Whenever signatures are replaced or merged, the router prompt is suspended
while the signature engines for the newly added or merged signatures are
being built. The router prompt will be available again after the engines are built.
• Depending on the platform and how many signatures are being loaded,
building the engine can take up to several seconds. It is recommended that
logging messages are enabled to monitor the engine building status.



Install the Cisco IOS IPS

• Built-in signatures are predefined signatures bundled with Cisco IOS Software.
• Upgrade to the latest SDF
– An important part of IPS is keeping up with the latest attack signatures. The
attack signatures in the router should be kept up to date with the latest IPS
signature file, attack-drop.sdf.



Install the Cisco IOS IPS

• Support for ip audit commands
– The latest IPS image will read and convert all commands that begin
with the words ip audit to ip ips.
– For example, the ip ips notify command replaces the ip audit
notify command. If the ip audit notify command is part of an
existing configuration, the IPS will interpret it as the ip ips notify
command.
– Although IPS will accept the audit keyword, it will generate the ips
keyword when the configuration is shown. Also, if the help
character (?) is issued, the CLI will display the ips keyword instead
of the audit keyword, and the Tab key used for command
completion will not recognize the audit keyword.



Configure logging using Syslog or SDEE

• As of Cisco IOS Release 12.3(11)T, Cisco IOS IPS provides two
methods to report IPS intrusion alerts.
• These methods are Cisco IOS logging (Syslog) and Security Device
Event Exchange (SDEE).



Configure logging using Syslog or SDEE

• SDEE is a new standard that specifies the format of messages and
protocol used to communicate events generated by security devices,
such as the exchange of IPS messages between IPS clients and IPS
servers.
• SDEE utilizes HTTP and XML to provide a standardized interface.
• The Cisco IOS IPS router will still send IPS alerts via Syslog.



Configure logging using Syslog or SDEE

• Storing SDEE Events in the Buffer


– When SDEE notification is enabled using the ip ips notify sdee command,
200 events can automatically be stored in the buffer.
– When SDEE notification is disabled, all stored events are lost.
– A new buffer is allocated when the notifications are re-enabled.
• When specifying the size of an events buffer, note the following functionality:
– It is circular. When the end of the buffer is reached, the buffer will start
overwriting the earliest stored events. If overwritten events have not yet
been reported, a buffer overflow notice will be received.
– If a new, smaller buffer is requested, all events that are stored in the
previous buffer will be lost.
– If a new, larger buffer is requested, all existing events will be saved.
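The buffer rules above (circular overwrite, overflow notice for unreported events, shrink loses everything, grow keeps everything, disable frees the buffer) are easy to get wrong when sizing an event queue. The following Python model is an added example written for this page, not Cisco code: the class name, the `poll()` client fetch and the sample events are constructed to illustrate the behaviour the slide describes.

```python
class SdeeEventBuffer:
    """Circular SDEE event store modelled on the behaviour described above.

    Events are kept in arrival order. When the buffer is full, the earliest
    event is overwritten; if that event was never reported to an SDEE client,
    an overflow notice is counted so the operator knows events were lost.
    """

    def __init__(self, size=100):
        if size <= 0:
            raise ValueError("buffer size must be positive")
        self.size = size
        self._events = []          # entries are [event, reported_flag]
        self.overflow_notices = 0  # unreported events lost to overwrite

    def store(self, event):
        """Append an event, overwriting the oldest one when the buffer is full."""
        if len(self._events) == self.size:
            oldest = self._events.pop(0)
            if not oldest[1]:
                self.overflow_notices += 1
        self._events.append([event, False])

    def poll(self):
        """Simulate an SDEE client fetch: return unreported events, mark them reported."""
        unreported = [event for event, reported in self._events if not reported]
        for entry in self._events:
            entry[1] = True
        return unreported

    def resize(self, new_size):
        """Shrinking discards every stored event; growing keeps them."""
        if new_size <= 0:
            raise ValueError("buffer size must be positive")
        if new_size < self.size:
            self._events = []
        self.size = new_size

    def disable(self):
        """Disabling SDEE notification frees the buffer and loses all stored events."""
        self._events = []

    def __len__(self):
        return len(self._events)


def demo():
    """Walk through overwrite, overflow and resize; returns a summary dict."""
    buf = SdeeEventBuffer(size=3)
    for n in (1, 2, 3):
        buf.store({"sig_id": 2004, "seq": n})   # constructed sample events
    first_poll = buf.poll()                     # client collects events 1, 2, 3
    buf.store({"sig_id": 2004, "seq": 4})       # overwrites reported event 1
    buf.store({"sig_id": 2004, "seq": 5})       # overwrites reported event 2
    buf.store({"sig_id": 2004, "seq": 6})       # overwrites reported event 3
    buf.store({"sig_id": 2004, "seq": 7})       # overwrites unreported event 4: overflow
    overflow_after = buf.overflow_notices
    buf.resize(5)                               # larger buffer: events kept
    kept = len(buf)
    buf.resize(2)                               # smaller buffer: events lost
    lost = len(buf)
    return {"first_poll": len(first_poll), "overflow": overflow_after,
            "kept": kept, "lost": lost}


if __name__ == "__main__":
    print(demo())
```

The practical lesson is in `demo()`: an overflow notice is raised only when a not-yet-collected event is overwritten, so a collector that polls slower than the router generates events will see notices long before the buffer is "full" from its own point of view.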



Configure logging using Syslog or SDEE

Router(config)#
ip http server
logging on
logging ip ips log
logging syslog_server_IP
logging trap [warnings | …]

• SDEE Prerequisites
– To use SDEE, the HTTP server must be enabled with the ip http server
command.
– If the HTTP server is not enabled, the router cannot respond to the SDEE
clients because it cannot see the requests.
• The default number of events is 100. Raising the number of events past 100
may cause memory and performance impacts because each event in the event
queue requires 32 KB of memory.



Extra: Logging Level



Verify the IPS configuration



Extra: Verify the IPS version

• To check the current system version, use the show subsys name ips
command.
– IPS 4.x uses a version format of 2.xxx.xxx
– IPS 5.x uses a version format of 3.xxx.xxx



Extra: Cisco IOS IPS configuration tasks with 5.x
signatures

• Built-in signatures are removed from Cisco IOS IPS starting from Cisco
IOS Software Release 12.4(11)T.
• These built-in signatures exist solely to maintain backward
compatibility with the previous Cisco IOS Intrusion Detection System
(IDS), which has about 135 signatures.
• Cisco does not recommend using built-in signatures.
• You must load one of the following images on your router to install
Cisco IOS IPS 5.x: adventerprisek9, advsecurityk9, and
advipservicesk9.



Extra: Cisco IOS IPS configuration tasks with 5.x
signatures

• Reference: Getting Started with Cisco IOS IPS with 5.x Format Signatures



Configure Attack Guards
on the PIX Security Appliance



Mail Guard

• Mail Guard provides a safe conduit for Simple Mail Transfer Protocol (SMTP)
connections from the outside to an inside e-mail server.
• Mail Guard enables a mail server to be deployed within the internal network
without it being exposed to known security problems with some mail server
implementations.



Mail Guard

• When configured, Mail Guard allows only seven SMTP commands as specified
in RFC 821 section 4.5.1.
– These commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and
QUIT.
– Other commands, such as KILL, WIZ, and so forth, are intercepted by the
PIX Security Appliance and are never sent to the mail server inside the
network.
• The PIX responds with an OK even to denied commands, so that attackers will
not know that their attempts are being thwarted.


Mail Guard

• By default, the PIX Security Appliance inspects port 25 connections for SMTP
traffic.
• If there are SMTP servers on the network that are using ports other than port
25, the fixup protocol smtp command must be used to have the PIX inspect
these other ports for SMTP traffic.


DNS Guard

• In an attempt to resolve a name to an IP address, a host may query the same
DNS server multiple times.
• The DNS Guard feature of the PIX Security Appliance recognizes an outbound
DNS query and allows only the first answer from the server back through the
PIX. All other replies from the same source are discarded.
• DNS Guard closes the UDP conduit opened by the DNS request after the first
DNS reply rather than waiting for the normal UDP timeout.
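The following Python model, added for this page and not PIX code, shows the DNS Guard decision as a small state table: a query opens a one-shot conduit keyed on client address, client port, server and DNS transaction ID, the first matching reply closes it, and every later reply for that key is dropped. The trace and addresses are constructed.

```python
class DnsGuard:
    """Track outbound DNS queries and admit only the first matching reply.

    The conduit key combines client address/port, server address and the DNS
    transaction ID, so a reply to a different query from the same host is still
    admitted while duplicates of an already answered query are not.
    """

    def __init__(self):
        self._conduits = set()

    def outbound_query(self, client, client_port, server, txid):
        """A query leaving the inside opens a conduit for exactly one reply."""
        self._conduits.add((client, client_port, server, txid))
        return "open"

    def inbound_reply(self, server, client, client_port, txid):
        """Admit the first reply and close the conduit at once; drop the rest."""
        key = (client, client_port, server, txid)
        if key in self._conduits:
            self._conduits.remove(key)   # closed now, not at the UDP idle timeout
            return "allow"
        return "drop"

    def open_conduits(self):
        return len(self._conduits)


def run_trace(events):
    """Apply a packet trace to a fresh DnsGuard; returns (verdicts, conduits left open)."""
    guard = DnsGuard()
    verdicts = []
    for kind, *fields in events:
        if kind == "query":
            verdicts.append(guard.outbound_query(*fields))
        else:
            verdicts.append(guard.inbound_reply(*fields))
    return verdicts, guard.open_conduits()


# Constructed trace: one query, the real answer, a duplicate answer, and an
# unsolicited reply carrying a transaction ID the client never sent.
SAMPLE_TRACE = [
    ("query", "10.0.0.5", 51000, "192.0.2.53", 0x1A2B),
    ("reply", "192.0.2.53", "10.0.0.5", 51000, 0x1A2B),
    ("reply", "192.0.2.53", "10.0.0.5", 51000, 0x1A2B),
    ("reply", "192.0.2.53", "10.0.0.5", 51000, 0x9999),
]

if __name__ == "__main__":
    print(run_trace(SAMPLE_TRACE))
```

Closing the conduit on the first reply is what shrinks the window in which a spoofed or late answer could reach the client; the extra replies in the trace are simply dropped.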


FragGuard and Virtual Reassembly

• FragGuard and Virtual Reassembly is a PIX Security Appliance feature that
provides IP fragment protection.
– Virtual reassembly is the process of gathering a set of IP fragments,
verifying integrity and completeness, and tagging each fragment in the set with
the transport header, without combining the fragments into a full IP packet.
– Virtual Reassembly provides the benefits of full reassembly by verifying the
integrity of each fragment set and tagging it with the transport header. It
also minimizes the buffer space that must be reserved for packet
reassembly.
– Full reassembly of packets is expensive in terms of buffer space that must
be reserved for collecting and combining the fragments. Since combining
of fragments is not performed with virtual reassembly, no preallocation of
the buffer is needed.



FragGuard and Virtual Reassembly

• By default, the PIX Security Appliance accepts up to 24 fragments to
reconstruct a full IP packet.
• Based on the network security policy, an administrator should consider
configuring the PIX to prevent fragmented packets from traversing the PIX by
entering the fragment chain 1 interface command on each interface.
– Setting the limit to 1 means that all packets must be unfragmented.
• Note the following regarding fragment configuration:
– The default values will limit DoS attacks caused by fragment flooding.
– If an interface is not specified, the command applies to all interfaces.



FragGuard and Virtual Reassembly

• The fragment command provides management of packet fragmentation and improves
the compatibility of the PIX Security Appliance with the Network File System (NFS).
• NFS is a client-server application that enables a computer user to view and optionally
store and update files on a remote computer as though they were on the user’s own
computer.
• In general, the default values of the fragment command should be used. However, if a
large percentage of the network traffic through the PIX is NFS, additional tuning may be
necessary to avoid database overflow.


FragGuard and Virtual Reassembly

• The fragment size command can be used to set the maximum number of
packets in the fragment database.
• Use the fragment chain command to specify the maximum number of packets
into which a packet can be fragmented, and use the fragment timeout
command to specify the maximum number of seconds the PIX Security
Appliance waits after the first fragment is received before discarding a
fragment waiting for reassembly.


FragGuard and Virtual Reassembly

• Setting the database-limit of the size option to a large value can make the PIX
Security Appliance more vulnerable to a DoS attack by fragment flooding.
• Do not set the database-limit equal to or greater than the total number of
blocks in the PIX 1550-byte or 16384-byte block memory pool. See the show blocks
command for more details.
• Use the clear fragment command to reset the fragment databases and
defaults.
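The fragment slides above describe three knobs (size, chain, timeout) and the virtual reassembly check. The Python model below is an added example written for this page, not PIX code; the class, field names and sample fragments are constructed. It shows how each knob maps to a drop decision, why chain 1 means "no fragments at all", and what virtual reassembly actually verifies (contiguity, no overlap, last fragment seen) without ever concatenating payloads.

```python
class FragmentDatabase:
    """Fragment-set tracker modelling the fragment size, chain and timeout
    controls plus virtual reassembly: a set is checked for integrity and
    completeness and each fragment is tagged with the transport header, but
    payloads are never combined, so no reassembly buffer is reserved."""

    def __init__(self, size=200, chain=24, timeout=5):
        self.size = size          # fragment size: max fragments held in the database
        self.chain = chain        # fragment chain: max fragments per datagram
        self.timeout = timeout    # seconds to wait after the first fragment arrives
        self._sets = {}           # (src, dst, ip_id) -> {"first_seen": t, "frags": [...]}
        self.stats = {"passed": 0, "complete": 0, "dropped_chain": 0,
                      "dropped_size": 0, "dropped_overlap": 0, "expired": 0}

    def pending(self):
        """Fragments currently waiting in the database."""
        return sum(len(s["frags"]) for s in self._sets.values())

    def _expire(self, now):
        stale = [k for k, s in self._sets.items() if now - s["first_seen"] > self.timeout]
        for k in stale:
            self.stats["expired"] += len(self._sets.pop(k)["frags"])

    def receive(self, now, frag):
        """frag: dict with src, dst, ip_id, offset (bytes), length, mf (more fragments), payload."""
        self._expire(now)
        if frag["offset"] == 0 and not frag["mf"]:
            self.stats["passed"] += 1
            return "pass"                      # unfragmented datagram, nothing to track
        if self.chain < 2:
            self.stats["dropped_chain"] += 1
            return "drop:chain"                # chain 1: every packet must be unfragmented
        if self.pending() >= self.size:
            self.stats["dropped_size"] += 1
            return "drop:size"                 # database full, the fragment-flood symptom
        key = (frag["src"], frag["dst"], frag["ip_id"])
        fset = self._sets.setdefault(key, {"first_seen": now, "frags": []})
        if len(fset["frags"]) + 1 > self.chain:
            self.stats["dropped_chain"] += 1
            del self._sets[key]                # the whole over-long chain is discarded
            return "drop:chain"
        fset["frags"].append(frag)
        frags = sorted(fset["frags"], key=lambda f: f["offset"])
        expected = 0
        for f in frags:
            if f["offset"] < expected:         # overlapping fragment: integrity failure
                self.stats["dropped_overlap"] += 1
                del self._sets[key]
                return "drop:overlap"
            if f["offset"] > expected:         # a hole: keep waiting
                return "pending"
            expected += f["length"]
        if frags[-1]["mf"]:
            return "pending"                   # last piece not yet seen
        header = frags[0]["payload"][:8]       # transport header lives in the first fragment
        for f in frags:
            f["transport_header"] = header     # tag, do not concatenate
        del self._sets[key]
        self.stats["complete"] += 1
        return "complete"


# Constructed three-fragment datagram used by the demo below.
BASE = {"src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 1}
F0 = dict(BASE, offset=0, length=8, mf=1, payload=b"\x00\x35\x00\x35\x00\x10\x00\x00")
F1 = dict(BASE, offset=8, length=8, mf=1, payload=b"A" * 8)
F2 = dict(BASE, offset=16, length=4, mf=0, payload=b"B" * 4)

if __name__ == "__main__":
    db = FragmentDatabase(size=10, chain=3, timeout=5)
    print([db.receive(0, f) for f in (F0, F2, F1)], db.stats)
```

Out-of-order arrival (F0, then F2, then F1) is handled by sorting on offset at each step; the set only completes once it is contiguous from offset 0 and the fragment without the MF flag has arrived.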


AAA Flood Guard

• DoS attacks are based on the premise of utilizing the
resources of a device so extensively that other legitimate
traffic is crowded out.
• For example, when AAA is being used in a network for
authentication, a common DoS attack is to send many
forged authentication requests to the PIX Security
Appliance, thus overwhelming AAA resources.



AAA Flood Guard

• The floodguard command enables the PIX Security Appliance to
reclaim resources if the user authentication, or uauth, subsystem runs
out of resources.
– If an inbound or outbound uauth connection is being attacked or
overused, the PIX actively reclaims TCP resources.
– When the resources are depleted, the PIX shows messages
indicating that it is out of resources or out of TCP users.
• If the PIX uauth subsystem is depleted, TCP user resources in different
states are reclaimed, depending on urgency, in the following order:
– Timewait
– FinWait
– Embryonic
– Idle
• The floodguard command is enabled by default.



SYN Flood Guard

• SYN flood attacks, also known as TCP flood or half-open connections attacks,
are common DoS attacks perpetrated against IP servers.
• In PIX Security Appliance Software Version 5.2, the SYN Flood Guard feature
of the static command offers an improved mechanism for protecting systems
reachable via a static ACL from TCP SYN attacks.



SYN Flood Guard

• TCP Intercept
• For each SYN, the PIX Security Appliance responds on behalf of the server with an
empty SYN/ACK segment.
• The PIX retains pertinent state information, drops the packet, and waits for the
acknowledgement from the client. If the ACK is received, a copy of the client SYN
segment is sent to the server, and the TCP three-way handshake is performed between
the PIX and the server.
• Only if this three-way handshake completes will the connection be allowed to resume as
normal.


SYN Flood Guard

• SYN Cookies
• In the SYN cookies implementation of TCP, when the server receives a SYN packet, it
responds with a SYN-ACK packet where the ACK sequence number is calculated from
the source address, source port, source sequence number, destination address,
destination port, and a secret seed.
• Then the server releases all state.
• If an ACK returns from the client, the server can recalculate it to determine if it is a
response to a previous SYN-ACK. If so, the server can directly enter the
TCP_ESTABLISHED state and open the connection.
• In this way, the server avoids managing a batch of potentially useless half-open
connections.
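The SYN cookie mechanism described above, as an added Python example (not PIX or Cisco code): the server's initial sequence number is derived with a keyed hash from the source/destination address and port, the client's sequence number and a secret seed, nothing is stored, and the returning ACK is validated by recomputing the same value. The packets are dicts and the seed is constructed; a production implementation also packs a timestamp and the negotiated MSS into the 32-bit cookie, which this simplified version omits.

```python
import hashlib
import hmac
import struct

# Constructed secret seed; a real implementation rotates this periodically.
SECRET_SEED = b"constructed-demo-seed-not-for-production"
MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, seed=SECRET_SEED):
    """Derive the server ISN (the cookie) from the 4-tuple, client ISN and seed."""
    material = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}#{client_isn}".encode()
    digest = hmac.new(seed, material, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def build_syn_ack(syn):
    """Answer a SYN statelessly: seq carries the cookie, ack acknowledges the client ISN."""
    cookie = syn_cookie(syn["src"], syn["sport"], syn["dst"], syn["dport"], syn["seq"])
    return {"src": syn["dst"], "sport": syn["dport"], "dst": syn["src"], "dport": syn["sport"],
            "seq": cookie, "ack": (syn["seq"] + 1) & MASK32}
    # No half-open entry is created here: all state is released.


def validate_ack(ack):
    """Recompute the cookie from the ACK alone; True means it completes a real SYN-ACK."""
    client_isn = (ack["seq"] - 1) & MASK32          # client's ISN is its seq minus one
    expected = syn_cookie(ack["src"], ack["sport"], ack["dst"], ack["dport"], client_isn)
    return ack["ack"] == ((expected + 1) & MASK32)  # then TCP_ESTABLISHED, else discard


# Constructed client SYN used by the demo.
SAMPLE_SYN = {"src": "198.51.100.7", "sport": 4000, "dst": "192.0.2.10", "dport": 80,
              "seq": 123456}

if __name__ == "__main__":
    synack = build_syn_ack(SAMPLE_SYN)
    client_ack = {"src": "198.51.100.7", "sport": 4000, "dst": "192.0.2.10", "dport": 80,
                  "seq": SAMPLE_SYN["seq"] + 1, "ack": (synack["seq"] + 1) & MASK32}
    print("genuine ACK accepted:", validate_ack(client_ack))
```

Because the cookie is bound to the full 4-tuple, an ACK with a different source port or a guessed acknowledgement number fails validation and costs the server nothing but one hash computation.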


Connection limits

• Use the static command to limit the number of embryonic connections allowed
to the server to protect internal hosts against DoS attacks.
• Use the nat command to protect external hosts against DoS attacks and to
limit the number of embryonic connections from the external host.


Connection limits

• Use the udp udp_max_conns field to set the maximum number of simultaneous
UDP connections the local_ip hosts are each allowed to use.
• Idle connections are closed after the time that is specified by the timeout
connection command.



Configure Intrusion Prevention
on the PIX Security Appliance



Intrusion detection and the PIX Security Appliance

• With intrusion detection enabled, the PIX can detect signatures and generate a
response when a set of rules is matched to network activity.
• It can monitor packets for more than 55 intrusion detection signatures and can
be configured to send an alarm to a Syslog server or a server running Cisco
Security Monitor, drop the packet, or reset the TCP connection.
• The PIX Security Appliance can detect two different types of signatures:
informational signatures and attack signatures.


Configure intrusion detection



Configure IDS policies



Configure Shunning
on the PIX Security Appliance



Overview of shunning

• The shun feature of the PIX Security Appliance allows a PIX, when combined with a
Cisco IDS Sensor, to dynamically respond to an attacking host by preventing new
connections and disallowing packets from any existing connection.
• A Cisco IDS device instructs the PIX to shun sources of traffic when those sources of
traffic are determined to be malicious.
• The shun command, intended for use primarily by a Cisco IDS device, applies a blocking
function to an interface receiving an attack.



Example of shunning an attacker

• Host 172.26.26.45 has been attempting a DNS zone transfer from host 192.168.0.10
using a source port other than the well-known DNS port of TCP 53.
• The offending host (172.26.26.45) has made a connection with the victim (192.168.0.10)
with TCP.
• The connection in the PIX Security Appliance connection table reads as follows:
172.26.26.45, 4000 → 10.0.0.11 PROT TCP



Summary

• This module expanded upon the idea that network security is a
constant cycle of securing, monitoring, testing, and improving, centered
on a security policy.
• This module discussed a number of methods that administrators can
use to secure a network.
• The initialization and configuration of a Firewall IPS router was
discussed and the student gained hands-on experience by configuring
an IPS router through lab activities.
