The Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet-inspection-based IPS that enables Cisco routers to mitigate a wide range of network attacks without compromising traffic forwarding performance. Cisco IOS IPS can accurately identify, classify, and stop malicious or damaging traffic in real time, and is a core component of the Cisco Self-Defending Network.
Cisco IOS IPS capabilities include the ability to dynamically load and enable selected IPS signatures in real time, support for more than 740 of the signatures used by Cisco Intrusion Prevention System (IPS) sensor platforms, and the ability for an administrator to modify an existing signature or create a new one to address newly discovered threats.
The Cisco IOS IPS acts as an inline IPS sensor, watching packets and sessions as they flow through the router and scanning each packet for a match against any of the Cisco IOS IPS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Syslog or Security Device Event Exchange (SDEE). The network administrator can configure the Cisco IOS IPS to choose the appropriate response to various threats.
When
packets in a session match a signature, the Cisco IOS IPS can take any of the
following actions, as appropriate:
- send an alarm to a Syslog server or a centralized management interface
- drop the packet
- reset the connection
The features and benefits of the Cisco IOS IPS are shown in Figure.
Cisco developed the Cisco IOS software-based IPS capabilities and Cisco IOS
Firewall with flexibility in mind, so that individual signatures could be
disabled in case of false positives. Generally, it is preferable to enable both
the IOS firewall and IOS IPS to support network security policies. However,
firewall and IPS capabilities may be enabled independently and on different
router interfaces.
Origin of Cisco IOS IPS
Cisco IOS IPS is a restructuring of the existing Cisco IOS Software IDS. The primary difference between Cisco IOS Software IDS and the new, enhanced Cisco IOS IPS is that an intrusion detection system only monitors traffic and sends an alert when suspicious patterns are detected, while an intrusion prevention system can drop traffic, send an alarm, or reset the connection, enabling the router to mitigate and protect against threats in real time. Cisco IOS IPS inherited the 132 built-in signatures from Cisco IOS Software IDS technology. With the introduction of inline IPS capability, new signatures can be added by downloading a signature definition file (SDF) into the Flash memory of the router, or administrators can specify the location of the SDF in the Cisco IOS IPS configuration on the router.
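The following Cisco IOS CLI fragment is an added example, not configuration from the original page or from Cisco. It ties together the pieces the text describes: pointing the router at an SDF stored in flash, sending events over both Syslog and SDEE, disabling a signature that produces false positives, and applying the IPS rule to an interface. The hostname-independent file name, the syslog server address, the interface name, the rule name and the signature ID are placeholders to be replaced.

```cisco
! Added example, not from the original page. EXAMPLE.sdf, 192.0.2.10,
! FastEthernet0/0, IOSIPS and <SIG-ID> <SUBSIG-ID> are placeholders.
!
! Syslog destination for the "send an alarm to a Syslog server" action
logging host 192.0.2.10
!
! SDEE is delivered over the router's HTTP(S) server; use the secure one
ip http secure-server
!
! Use the signature definition file previously copied into flash
ip ips sdf location flash:EXAMPLE.sdf
!
! Report IPS events through both Syslog and SDEE
ip ips notify log
ip ips notify SDEE
!
! If the IPS engine cannot load its signatures, drop traffic instead of
! letting packets bypass inspection
ip ips fail closed
!
! Create a named IPS rule
ip ips name IOSIPS
!
! Disable a single signature that generates false positives in this network
ip ips signature <SIG-ID> <SUBSIG-ID> disable
!
! Inspect traffic arriving on the untrusted interface
interface FastEthernet0/0
 ip ips IOSIPS in
!
! Verification commands:
! show ip ips configuration
! show ip ips signatures
! show ip ips statistics
```

The per-signature response (alarm, drop, or reset) is carried in the SDF itself; the CLI above only selects which SDF is used, where events are reported, and which signatures are disabled. `ip ips fail closed` trades availability for assurance: if the SDF fails to load, traffic on the inspected interface is dropped rather than forwarded uninspected, so confirm with the `show` commands that the signatures loaded before relying on it.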
Router Performance
The performance impact of intrusion
prevention depends on the number of signatures enabled, the level of traffic on
the router, the router platform, and other individual features enabled on the
router, such as encryption. Because the router is being used as a security
device, no packet is allowed to bypass the security mechanisms. The IPS process
in the router sits directly in the packet path and searches each packet for
signature matches. In some cases, the entire packet needs to be searched, and
state information and even application state and awareness must be maintained
by the router.