思科安全网络基础篇.pptVIP

思科路由器安全配置－IOS IPS部署步骤……序1 思科路由器安全配置－IOS IPS部署步骤……序2 2、合并IOS IPS Signatures文件包。 下载256MB.SDF文件，注意路由器RAM的容量必须满足安装要求。 通过TFTP方式COPY 下载好的IPS Signatures 文件包进入ISR 存储FLASH. 配置ISR合并：最新的IPS Signatures 文件包与IOS内嵌的IPS Signatures文件进行合并。 Router# copy disk2: 256MB.sdf ips-sdf 存储合并后的文件 Router# copy ips-sdf disk2:256MB.sdf 思科路由器安全配置－IOS IPS部署步骤……序3 配置ISR路由器启用IPS功 路由器全局配置模式具体详细配置如下： ********************************************************************** ip ips sdf location flash:/256MB.sdf 配置IOS IPS Signatures 位置。 ip ips deny-action ips-interface 配置ISR路由器启用IPS 攻击拦截功能。 ip ips notify SDEE 配置IOS IPS通过SDEE方式发送消息。 ip ips signature 2000 0 disable 为了减小误报 DISABLE一些ips signature。 ip ips signature 2004 0 disable ip ips signature 2001 0 disable ip ips name bjlotinfo 指定IOS IPS 模板名称。 ip source-track syslog-interval 120 ip sdee messages 500 ip sdee alerts 1000 *********************************************************************** 思科路由器安全配置－IOS IPS部署步骤……序4 路由器接口配置模式具体详细配置如下： *********************************************************************** interface GigabitEthernet0/0 description To-ISP#guanghuanxinwang#10M--old line ip address 6 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip ips bjlotinfo in 在ISR相应的外网、内网接口上启用IPS功能。 ip route-cache flow load-interval 30 duplex full speed 1000 media-type sfp fair-queue no cdp enable no mop enabled ************************************************************************ * * * * * The intent has shifted from the past when many of the security threats were from script kiddies or individuals looking more to have fun and make a name for themselves than anything else. Early attacks like web defacements were a nuisance, but did not cause serious damage. As the attempts to get more broad scale attention increased, the impact of attacks increased but it still wa