Cisco IOS Intrusion Prevention System (IPS)

The Cisco IOS Intrusion Prevention System (IPS) with inline intrusion capabilities provides an inline, deep-packet-inspection based IPS solution that helps enable Cisco routers to effectively mitigate a wide range of network attacks without compromising traffic forwarding performance. Cisco IOS IPS can accurately identify, classify, and stop malicious or damaging traffic in real time, and is a core component of the Cisco Self-Defending Network.

Cisco IOS IPS capabilities include the ability to dynamically load and enable selected IPS signatures in real time, support for more than 740 signatures supported by Cisco Intrusion Prevention System (IPS) sensor platforms, and the ability for an administrator to modify an existing signature or create a new signature to address newly discovered threats.

The Cisco IOS IPS acts as an in-line IPS sensor, watching packets and sessions as they flow through the router and scanning each packet against the Cisco IOS IPS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Syslog or Security Device Event Exchange (SDEE). The network administrator can configure the Cisco IOS IPS to choose the appropriate response to various threats.

When packets in a session match a signature, the Cisco IOS IPS can take any of the following actions, as appropriate:

  • send an alarm to a Syslog server or a centralized management interface
  • drop the packet
  • reset the connection

The features and benefits of the Cisco IOS IPS are shown in Figure .

Cisco developed the Cisco IOS software-based IPS capabilities and Cisco IOS Firewall with flexibility in mind, so that individual signatures could be disabled in case of false positives. Generally, it is preferable to enable both the IOS firewall and IOS IPS to support network security policies. However, firewall and IPS capabilities may be enabled independently and on different router interfaces.

Origin of Cisco IOS IPS
Cisco IOS IPS is a restructuring of the existing Cisco IOS Software IDS. The primary difference between Cisco IOS Software IDS and the new, enhanced Cisco IOS IPS is that an intrusion detection system monitors traffic and sends an alert when suspicious patterns are detected, while an intrusion prevention system can drop traffic, send an alarm, or reset the connection, enabling the router to mitigate and protect against threats in real time. Cisco IOS IPS inherited the 132 built-in signatures from Cisco IOS Software IDS technology. With the introduction of inline IPS capability, new signatures can be added by downloading a signature definition file (SDF) into the Flash memory of the router, or administrators can specify the location of the SDF in the Cisco IOS IPS configuration on the router.
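The following router configuration is an added example, not taken from the original page or from Cisco documentation. It ties together the points above: loading signatures from an SDF stored in Flash, sending events to both Syslog and SDEE, disabling a single signature that generates false positives (as the flexibility paragraph describes), and applying the IPS rule inbound on one interface. The rule name, interface, SDF file name and the signature number chosen for disabling are illustrative placeholders; the command syntax follows the 12.3(8)T-era Cisco IOS IPS CLI, so confirm each command against the command reference for the IOS release actually in use.

```cisco
! --- Added example configuration (illustrative names and values) ---

! Point IOS IPS at a signature definition file in router Flash.
! "attack-drop.sdf" is a placeholder for whichever SDF was downloaded.
ip ips sdf location flash:attack-drop.sdf

! If the SDF cannot be loaded, fall back to dropping rather than
! forwarding uninspected traffic (the router is acting as a security device).
ip ips fail closed

! Create a named IPS rule. The name "IOSIPS" is arbitrary.
ip ips name IOSIPS

! Send events to the configured Syslog server and to the SDEE subscription.
ip ips notify log
ip ips notify sdee
ip sdee events 500

! SDEE is delivered over the router's HTTP server; enable the secure one.
ip http secure-server

! Disable one signature that is known to fire on legitimate traffic.
! 2004/0 stands in for whatever signature is producing false positives.
ip ips signature 2004 0 disable

! Destination for the Syslog alarms (placeholder server address).
logging host 192.0.2.10

! Inspect traffic arriving on the outside interface.
interface FastEthernet0/0
 description Outside (placeholder)
 ip ips IOSIPS in
!
end

! Verification (exec mode): confirm the SDF loaded, the rule is bound to the
! interface, and the disabled signature shows as disabled.
! show ip ips configuration
! show ip ips signatures
! show ip ips interfaces
```

The `ip ips notify` lines decide where the alarm action from the action list above is delivered; the drop and reset actions are carried in the signature definitions themselves and are not changed by this configuration. Disabling a signature with `ip ips signature ... disable` stops it from matching at all, which is the intended escape hatch for false positives rather than a way to change its action.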

Router Performance
The performance impact of intrusion prevention depends on the number of signatures enabled, the level of traffic on the router, the router platform, and other individual features enabled on the router, such as encryption. Because the router is being used as a security device, no packet is allowed to bypass the security mechanisms. The IPS process in the router sits directly in the packet path and searches each packet for signature matches. In some cases, the entire packet needs to be searched, and state information and even application state and awareness must be maintained by the router.
