Information
Enables intrusion prevention with the IP audit feature on untrusted interfaces
Rationale:
Intrusion prevention is an additional feature with which the security appliance audits traffic to identify vulnerability exploits by matching specific signatures in the traffic. There are two types of signature: attack signatures, which match traffic intended to harm an internal resource, and informational signatures, which match traffic intended to gather information about internal resources, for example through port scans, ping sweeps and DNS zone transfers. The possible actions when a signature is matched are to drop the traffic, to reset the connection or to send an alarm.
Solution
Step 1: Acquire the Enterprise standard action <prevention_action> to be performed when an attack signature is matched. It is chosen between 'drop' (the packet is dropped) and 'reset' (the packet is dropped and the connection is closed)
Step 2: Run the following to enable the audit policy for attack signatures with the Enterprise standard action (an alarm is generated in addition to that action)
hostname(config)# ip audit name <audit_name> attack action alarm <prevention_action>
Step 3: Identify the untrusted interface <interface_name>
Step 4: Run the following to enable intrusion prevention on the untrusted interface
hostname(config)# ip audit interface <interface_name> <audit_name>
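The steps above are typed at the ASA CLI; what an auditor then wants is a way to verify the result across many devices. The following Python script is an added example (it is not part of this benchmark entry and not Cisco code): it parses the `ip audit name` and `ip audit interface` lines from a saved running-config, treats every interface whose `security-level` is 0 as untrusted (an assumption; adjust `max_level` or pass your own list), and reports, per untrusted interface, whether an attack-signature policy with a drop or reset action is bound to it. The sample configuration embedded in the script is constructed for the example.

```python
import re

# Constructed sample of an ASA running-config excerpt (assumption, not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
interface GigabitEthernet0/2
 nameif inside
 security-level 100
ip audit name ATTACK_POLICY attack action alarm drop
ip audit name INFO_ONLY info action alarm
ip audit interface outside ATTACK_POLICY
ip audit interface dmz INFO_ONLY
"""

# Matches "ip audit name <name> attack|info [action [alarm] [drop] [reset]]"
AUDIT_NAME_RE = re.compile(
    r"^ip audit name (\S+) (attack|info)(?: action((?: (?:alarm|drop|reset))*))?$"
)
# Matches "ip audit interface <nameif> <audit_name>"
AUDIT_IFACE_RE = re.compile(r"^ip audit interface (\S+) (\S+)$")

PREVENTION_ACTIONS = {"drop", "reset"}


def parse_ip_audit(config_text):
    """Return (policies, bindings) parsed from a running-config.

    policies: audit name -> {"type": "attack" | "info", "actions": set of actions}
    bindings: interface nameif -> list of audit names bound to it
    """
    policies = {}
    bindings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AUDIT_NAME_RE.match(line)
        if m:
            name, kind, actions = m.groups()
            # A missing or empty action clause is treated as alarm-only here,
            # i.e. no prevention action (assumption made by this checker).
            acts = set(actions.split()) if actions else set()
            policies[name] = {"type": kind, "actions": acts}
            continue
        m = AUDIT_IFACE_RE.match(line)
        if m:
            iface, name = m.groups()
            bindings.setdefault(iface, []).append(name)
    return policies, bindings


def untrusted_interfaces(config_text, max_level=0):
    """Return nameifs whose security-level is <= max_level (assumed untrusted)."""
    names = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current is not None:
            if int(line.split()[1]) <= max_level:
                names.append(current)
    return names


def check_ip_audit(config_text, untrusted):
    """Map each untrusted interface to a finding string; 'ok' means compliant."""
    policies, bindings = parse_ip_audit(config_text)
    findings = {}
    for iface in untrusted:
        bound = bindings.get(iface, [])
        if not bound:
            findings[iface] = "no ip audit policy bound"
            continue
        if any(n not in policies for n in bound):
            findings[iface] = "bound audit name not defined"
            continue
        attack_policies = [policies[n] for n in bound if policies[n]["type"] == "attack"]
        if not attack_policies:
            findings[iface] = "no attack-signature policy bound"
        elif not any(p["actions"] & PREVENTION_ACTIONS for p in attack_policies):
            findings[iface] = "attack policy lacks drop/reset action"
        else:
            findings[iface] = "ok"
    return findings


if __name__ == "__main__":
    for iface, result in check_ip_audit(SAMPLE_CONFIG, untrusted_interfaces(SAMPLE_CONFIG)).items():
        print(f"{iface}: {result}")
```

Run it against the text of `show running-config` saved to a file; the `dmz` interface in the sample is deliberately bound only to an informational policy so the "no attack-signature policy bound" finding is visible when the threshold is raised to `max_level=50`.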
Default Value:
Disabled