Foundation Topics

This chapter discusses the Cisco IOS IPS. Unlike the Cisco IOS IDS, which was tightly integrated with the Cisco IOS Firewall feature set, IPS is an independent component of Cisco IOS Software Release 12.3T and later.

This chapter covers six main topics that pertain to the Cisco IOS IPS, as follows:

• Cisco IOS IPS configuration

• Initializing the Cisco IOS IPS

• Working with Cisco IOS IPS signatures and rules

• Verifying the Cisco IOS IPS configuration

• Cisco IOS IPS deployment strategies


Cisco IOS IPS Features

This section describes the Cisco IOS IPS features and new enhancements.

The Cisco IOS IPS feature set provides inline packet-inspection capability as packets flow through the router. It also looks for any traffic matching a specific signature that indicates malicious traffic. If it finds traffic that matches a signature, it can quickly react and eliminate the threat before it adversely affects the network. You can configure the Cisco IOS IPS to react by notifying a syslog or management server via an alarm, by dropping the matched packets or resetting the TCP connection, or by a combination of these actions. Note that these features have always been incorporated in Cisco IOS Software via the Cisco IOS Firewall feature set. However, the new IPS-based features include several enhancements:

• Expanded signature capability: Cisco IOS IPS provides more than 700 signatures supported in the hardware platforms, and enables you to modify an existing signature or create new custom signatures. New signatures can be loaded without having to upgrade the Cisco IOS Software image.

• Parallel signature scanning: All the signatures in a single micro-engine are scanned in parallel fashion rather than serially.

• Extended ACL support: Support for both named and numbered extended ACLs, as opposed to standard numbered ACLs only.

Attacks detected by Cisco IOS IPS signatures are broken down into four types:

• Exploit: An activity to gain access to a compromised system or network resource

• Denial-of-service (DoS): An activity to send large numbers of requests to a system or network resource with the intention to disrupt normal operations

• Reconnaissance: An information-gathering activity to collect data on system and network resources, identifying targets that could be compromised later

• Misuse: An activity that violates corporate policy

The four signature types can apply to either of the following categories:

• Atomic: Atomic signatures trigger the IPS on simple patterns, usually within a single packet to a single host. These signatures tend to be less memory intensive because the IPS is not required to gather and retain large amounts of data.

• Compound: Compound signatures require the IPS to gather and compare larger and more complex amounts of data to trigger an event. The activity they detect usually spans multiple hosts, extended time periods, and multiple packets.
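The following toy inline inspector is an added example, not Cisco IOS code, that illustrates the two points above: an atomic signature is decided from one packet with no retained state, while a compound signature must keep per-source history across packets and time, which is why it costs more memory. It also shows the reaction choices described earlier (alarm, drop, reset). The signature IDs, names, thresholds, alarm record format and sample packets are all constructed for this example.

```python
"""Toy inline inspector: atomic vs. compound signatures (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    ts: float  # arrival time in seconds


@dataclass
class Signature:
    sig_id: int            # constructed ID, not a real Cisco signature number
    name: str
    kind: str              # "atomic" or "compound"
    actions: Tuple[str, ...]  # any of "alarm", "drop", "reset"
    pattern: bytes = b""   # atomic: byte pattern looked for in one payload
    threshold: int = 0     # compound: distinct destination ports from one source
    window: float = 0.0    # compound: seconds of history to keep per source


class InlineInspector:
    def __init__(self, signatures: List[Signature]):
        self.sigs = signatures
        # Only compound signatures need state: (sig_id, src) -> [(ts, dport)]
        self.state: Dict[Tuple[int, str], List[Tuple[float, int]]] = defaultdict(list)
        self.alarms: List[dict] = []  # constructed alarm records (stand-in for syslog)

    def inspect(self, pkt: Packet) -> Tuple[str, List[int]]:
        """Return (verdict, fired_ids): verdict is 'forward' or 'drop'."""
        verdict, fired = "forward", []
        for sig in self.sigs:
            if sig.kind == "atomic":
                # Atomic: decided from this packet alone, nothing retained
                hit = sig.pattern in pkt.payload
            else:
                hit = self._compound_hit(sig, pkt)
            if not hit:
                continue
            fired.append(sig.sig_id)
            if "alarm" in sig.actions:
                self.alarms.append({"sig": sig.sig_id, "name": sig.name, "src": pkt.src})
            # "reset" also implies the packet does not get through in this toy;
            # a real IPS would additionally send TCP RSTs to both ends.
            if "drop" in sig.actions or "reset" in sig.actions:
                verdict = "drop"
        return verdict, fired

    def _compound_hit(self, sig: Signature, pkt: Packet) -> bool:
        key = (sig.sig_id, pkt.src)
        history = self.state[key] + [(pkt.ts, pkt.dport)]
        # Age out events outside the window so memory use stays bounded
        self.state[key] = [(t, p) for t, p in history if pkt.ts - t <= sig.window]
        distinct_ports = {p for _, p in self.state[key]}
        return len(distinct_ports) >= sig.threshold

    def tracked_events(self) -> int:
        """Memory cost of compound signatures: events currently retained."""
        return sum(len(v) for v in self.state.values())


def build_inspector() -> InlineInspector:
    sigs = [
        Signature(1001, "HTTP request for /etc/passwd", "atomic",
                  ("alarm", "drop"), pattern=b"/etc/passwd"),
        Signature(3002, "TCP port sweep from one source", "compound",
                  ("alarm",), threshold=5, window=10.0),
    ]
    return InlineInspector(sigs)


def run_demo():
    """Feed constructed traffic through the inspector and collect results."""
    ins = build_inspector()
    results = []
    # Single packet, single host: enough for the atomic signature
    results.append(ins.inspect(Packet("10.0.0.5", "10.0.0.80", 80,
                                      b"GET /../../etc/passwd HTTP/1.0", 0.0)))
    results.append(ins.inspect(Packet("10.0.0.5", "10.0.0.80", 80,
                                      b"GET /index.html HTTP/1.0", 1.0)))
    # Five ports from one source within the window: compound signature fires on the fifth
    for i, port in enumerate([21, 22, 23, 25, 110]):
        results.append(ins.inspect(Packet("10.0.0.9", "10.0.0.80", port, b"", 2.0 + i)))
    return {"results": results, "alarms": ins.alarms,
            "tracked_events": ins.tracked_events()}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Note that no individual packet in the sweep is suspicious on its own; only the retained history of the source makes the fifth packet a hit, and that history is exactly the memory an atomic signature never needs.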
