Introducing Cisco IOS IPS-Defining IDS/IPS Terms

Introducing Cisco IOS IPS
The Cisco IOS Intrusion Prevention System can help detect and mitigate
attacks against routers and hosts. This section reviews the components and
configuration of the IOS IPS.
Defining IDS/IPS Terms
The following terms are important to an understanding of intrusion detection
systems (IDS) and intrusion prevention systems (IPS):
■ Intrusion detection system—An IDS is a device that listens passively
to network traffic and produces alerts when suspicious activity is
detected. An IDS is often located outside the traffic forwarding path
and monitors a copy of the traffic sent to a Switched Port Analyzer (SPAN)
port on a switch. Because it sees only a copy, it cannot drop the
offending packet; it can only alert after the fact.
■ Intrusion prevention system—An IPS is a device that not only alerts
on suspicious activity, but that can also be configured to actively block
it. An IPS is typically located in the forwarding path. The Cisco IOS
IPS is a feature offered in Cisco IOS security images that allows the
router to detect and respond to possible network attacks.
■ Signature-based approach—Signature-based IDS/IPS devices detect
possible attacks by matching preconfigured patterns (that is, “signatures”)
in network traffic.
■ Policy-based approach—Policy-based IDS/IPS devices detect attacks
based on thresholds or other policies, such as the number of half-open
TCP sessions (SYN sent, handshake never completed) permitted per host.
■ Anomaly-based approach—Anomaly-based IDS/IPS devices profile
network traffic and build up a set of patterns that is considered
“normal.” Traffic that falls outside of normal parameters triggers alerts
or other actions.
■ Honeypot approach—“Honeypots” are systems that are deliberately
left vulnerable to network attacks so that security researchers can
analyze an attack methodology. The network design must prevent a
compromised honeypot from ever having access to legitimate systems.
■ Host-based IDS/IPS—A host-based IDS/IPS (HIDS/HIPS) resides on
end-system hosts. It is typically written to prevent attacks against a
particular operating system, such as the installation of unauthorized
software.
■ Network-based IDS/IPS—A network-based IDS/IPS (NIDS/NIPS)
resides on the transport network. It may be a passive IDS located on a
switch SPAN port or an active IPS colocated on a firewall or router.
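The signature-, policy- and anomaly-based approaches above differ in what they match on: a fixed byte pattern, a threshold on a counted state (here, half-open TCP sessions per source), or deviation from a learned profile of normal traffic. The following is an added illustration, not Cisco IOS IPS code or anything from the original text; it runs the three approaches over a constructed packet list. The signature names, addresses, ports and baseline counts are all made up for the example.

```python
"""Toy detectors for the signature-, policy- and anomaly-based approaches
defined above. Added illustration with constructed data; not Cisco IOS IPS code."""
from collections import Counter
from statistics import mean, pstdev


# Constructed packet records (not a real capture): source/destination addresses
# and ports, the TCP flag of interest and the payload.
# flags == "S" is a bare SYN; flags == "A" is the ACK that completes the handshake.
def pkt(src, sport, dst, dport, flags, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}


PACKETS = [
    # One client completing a handshake, then sending two hostile payloads.
    pkt("10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    pkt("10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    pkt("10.0.0.5", 40001, "192.0.2.10", 80, "A",
        b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
    pkt("10.0.0.5", 40001, "192.0.2.10", 80, "A", b"\x90" * 16 + b"\xcc"),
] + [
    # A SYN flooder: 100 SYNs from distinct source ports, none ever completed.
    pkt("10.0.0.9", 50000 + i, "192.0.2.10", 80, "S") for i in range(100)
]

# Signature-based: fixed byte patterns. Names are illustrative, not real IDs.
SIGNATURES = {
    "WEB-CGI-phf": b"GET /cgi-bin/phf",
    "SHELLCODE-NOP-SLED": b"\x90" * 8,
}


def signature_alerts(packets):
    """Return (signature_name, source) for every payload containing a pattern."""
    return [(name, p["src"])
            for p in packets
            for name, pattern in SIGNATURES.items()
            if pattern in p["payload"]]


# Policy-based: a threshold on half-open TCP sessions per source address.
def half_open_sources(packets, threshold):
    """Sources with more than `threshold` sessions that saw a SYN but no ACK."""
    state = {}  # (src, sport, dst, dport) -> "S" (half-open) or "A" (established)
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            state.setdefault(key, "S")
        elif p["flags"] == "A":
            state[key] = "A"
    half_open = Counter(key[0] for key, st in state.items() if st == "S")
    return {src for src, n in half_open.items() if n > threshold}


# Anomaly-based: compare each host's packet count in the current window with a
# profile of "normal" per-host counts learned from earlier windows.
BASELINE_COUNTS = [12, 15, 11, 14, 13, 12]  # constructed per-host counts per window


def anomalous_hosts(baseline, packets, k=3.0):
    """Hosts whose packet count exceeds the baseline mean plus k standard deviations."""
    limit = mean(baseline) + k * pstdev(baseline)
    current = Counter(p["src"] for p in packets)
    return {src for src, n in current.items() if n > limit}


if __name__ == "__main__":
    print("signature:", signature_alerts(PACKETS))
    print("policy   :", half_open_sources(PACKETS, threshold=50))
    print("anomaly  :", anomalous_hosts(BASELINE_COUNTS, PACKETS))
```

Note how the three detectors disagree: the signature matcher fires on 10.0.0.5 and says nothing about the flood, while the threshold and anomaly checks flag only 10.0.0.9. A real IPS decodes protocols rather than doing raw substring matches, and its anomaly profile must be learned from traffic that is itself clean, or the attack becomes part of "normal".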