3.2 Ensure intrusion prevention is enabled for untrusted interfaces

Information

Enables intrusion prevention using the IP audit feature on untrusted interfaces.

Rationale:

IP audit is an additional security appliance feature that inspects traffic on an interface for vulnerability exploits by matching it against a set of predefined signatures. There are two classes of signature: attack signatures, which match traffic intended to harm internal resources, and informational signatures, which match reconnaissance activity such as port scans, ping sweeps and DNS zone transfers. When a signature matches, the appliance can raise an alarm, drop the packet, or reset the connection; combining drop or reset with alarm both prevents the intrusion and records it.

Solution

Step 1: Obtain the Enterprise standard action <prevention_action> to be taken when an attack signature is matched. It must be either 'drop' (the packet is dropped) or 'reset' (the packet is dropped and the connection is closed).

Step 2: Run the following to create an audit policy for the attack signatures that raises an alarm and applies the Enterprise standard action:

hostname(config)# ip audit name <audit_name> attack action alarm <prevention_action>

Step 3: Identify the untrusted interface <interface_name> (the interface name assigned with nameif, for example the outside interface).

Step 4: Run the following to apply the audit policy to the untrusted interface and enable intrusion prevention there:

hostname(config)# ip audit interface <interface_name> <audit_name>
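The following is an added example for auditing the result of Steps 1 to 4; it is not part of the CIS benchmark or of the Tenable plugin. It runs offline against a constructed excerpt of a saved `show running-config` (the policy names OUTSIDE_ATTACK and OUTSIDE_INFO and the interface name `outside` are assumptions for illustration) and passes only if an attack policy whose action includes drop or reset is bound to the named interface. A policy whose action is alarm only is treated as a failure, since it logs but does not prevent.

```sh
#!/bin/sh
# Added example: check a saved ASA running-config for the two lines this
# recommendation requires. Not the benchmark's or Tenable's own check.

# Constructed sample of the relevant part of a compliant running-config.
# The policy names and the interface name are assumptions for illustration.
SAMPLE_CONFIG='interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit name OUTSIDE_INFO info action alarm
ip audit interface outside OUTSIDE_ATTACK
ip audit interface outside OUTSIDE_INFO'

# Constructed non-compliant sample: the attack policy only alarms.
ALARM_ONLY_CONFIG='ip audit name OUTSIDE_ATTACK attack action alarm
ip audit interface outside OUTSIDE_ATTACK'

# ip_audit_check CONFIG IFACE
# Prints the name of an attack policy bound to IFACE whose action includes
# drop or reset and returns 0; returns 1 (prints nothing) otherwise.
ip_audit_check() {
  config="$1"
  iface="$2"

  # Collect the names of attack policies that carry a preventive action.
  # Line layout: ip audit name <name> attack action [alarm] [drop] [reset]
  policies=$(printf '%s\n' "$config" | awk '
    $1 == "ip" && $2 == "audit" && $3 == "name" && $5 == "attack" {
      for (i = 7; i <= NF; i++)
        if ($i == "drop" || $i == "reset") { print $4; break }
    }')

  # Pass only if one of those policies is applied to the untrusted interface.
  for p in $policies; do
    if printf '%s\n' "$config" | grep -qx "ip audit interface $iface $p"; then
      echo "$p"
      return 0
    fi
  done
  return 1
}

# Usage: replace SAMPLE_CONFIG with the output of `show running-config`.
if ip_audit_check "$SAMPLE_CONFIG" outside >/dev/null; then
  echo "PASS: preventive attack policy bound to outside"
else
  echo "FAIL: no attack policy with drop/reset bound to outside"
fi
```

The check deliberately ignores informational policies: they are useful, but the recommendation is satisfied only by an attack policy whose action is drop or reset, and only when that policy is bound to the untrusted interface.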

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/files/3246

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6

Plugin: Cisco

Control ID: e4c594800fe8b9e17fa563f5ce79874da18240fa906563239a0eefc6c559a155