Understanding Cisco IOS-Based IDS

Understanding Cisco IOS-based IDS starts with the realization that it is a different kind of IDS than those seen so far. There are differences in hardware, software, performance, and signatures. To get a better understanding of IOS-based IDS, we will discuss the following issues:

Supported router platforms

Performance

Signatures

Intrusion Response options

Supported Router Platforms

One of the major benefits of using IOS-based IDS is that you can add intrusion detection functionality to your network using your existing router hardware. Not all Cisco routers have support for the Firewall IDS feature set of IOS; their number, however, is growing. IDS has been available in IOS since version 12.0(5)T. IOS has built-in IDS support for the following router platforms:

Cisco 1700 Series

Cisco 2600 Series

Cisco 3600 Series

Cisco 3700 Series

Cisco 7100 Series

Cisco 7200 Series

Cisco 7400 Series

Cisco 7500 Series

Performance

A router configured for IDS can be classified as an inline processing network sensor. The router sits in the packets' path, analyzes each packet that passes through, and compares it to the signature base. For some packets, the router needs to maintain state information, and even application-state information. Thus, you should understand that maintaining this information will have some impact on IDS performance, and that you should always test the configuration, if possible, before network deployment. Even once it is deployed, the old configuration should be kept on hand as a backup. Some good tools to measure CPU performance include MRTG and the CPU Monitor from Solarwinds.net. An example of how to use the free MRTG to monitor the CPU utilization of a Cisco router can be found at http://slowest.net/docs/howtos/mrtg/mrtg-cisco-cpu.html

As discussed earlier in this book, atomic signatures are triggered by a single packet that matches the signature. Auditing these kinds of signatures does not affect performance much. Compound signatures, on the other hand, are triggered by multiple packets, and IOS-IDS has to allocate memory to maintain the state of each session. IOS-IDS additionally allocates memory for the configuration database and for internal caching.

Signatures

Originally, Cisco IOS-IDS supported 59 signatures, but starting with 12.2(11)YU and the latest 12.2T IOS releases, IOS-IDS supports a total of 100 signatures. These signatures are a subset of the signatures available to the Cisco IDS Sensor, which supports over 300 signatures, and are selected to identify the most common network attacks and information-gathering scans.

In contrast to the regular Cisco IDS Sensor, where signatures are updated via special files on a regular basis, signatures on IOS-IDS are not frequently updated. Signatures on an IOS-IDS can only be updated by installing a new IOS image on all IDS routers.

As we will see later in this chapter, an IOS-IDS can only use a Director to send alarm notifications. It is therefore not possible to create a custom signature for an IOS-IDS on the Director in case of a new threat for which no signature is available yet, such as the recent SQL Slammer Worm.

Note: Be aware that the current study material of the Cisco Secure Intrusion Detection Systems Exam (CSIDS 9E0-100) still refers to a total number of 59 signatures that Cisco IOS-IDS supports.

Intrusion Response Options

A router configured as an IOS-IDS sensor will track and audit the packet flow through the router. When a packet or a number of packets match a certain signature, IOS-IDS will respond to that match in the way you have configured it to respond. The router can be configured to perform one or more of the following actions:

Send an alarm An IOS-IDS sensor can be configured to send an alarm when a signature is matched. An alarm can be sent to a Syslog server, a Director, or an IDS Sensor. The router will forward the offending packet if no other actions are configured.

Drop the packet If this feature is configured, an IOS-IDS sensor will drop offending packets immediately when a signature is matched.

Reset a TCP session An IOS-IDS sensor resets a TCP session in which unauthorized activity takes place if this action is configured. It will do so by sending a packet with the Reset (RST) flag set to both the attacker and the victim. If no other actions are configured on the IOS-IDS, the offending packet will still be forwarded to the victim. The best practice is to use the drop and reset actions together, as it will completely stop the attack.
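As an added example (not from the book), the following shows how the three response actions above are configured with the classic IOS Firewall IDS ip audit commands; the audit rule name, post office ids, addresses and interface name are assumed placeholders:

```cisco
! Added example, not the book's own configuration. Ids, addresses and the
! interface name below are placeholders; replace them with your own values.
!
! Alarm destinations: the local syslog facility and a Director (NetRanger
! post office). The po parameters identify this router and the Director.
ip audit notify log
ip audit notify nr-director
ip audit po local hostid 10 orgid 100
ip audit po remote hostid 20 orgid 100 rmtaddress 192.0.2.10 localaddress 192.0.2.1
!
! Audit rule "IOSIDS": informational (atomic) signatures only raise an
! alarm; attack signatures alarm, drop the offending packet and reset the
! TCP session, the drop-plus-reset combination recommended above.
ip audit name IOSIDS info action alarm
ip audit name IOSIDS attack action alarm drop reset
!
! Apply the rule inbound on the untrusted interface (placeholder name).
interface FastEthernet0/0
 ip audit IOSIDS in
!
! Exec-mode checks after deployment: confirm the rule, the interfaces it
! is bound to, and the per-signature hit counters.
show ip audit configuration
show ip audit interfaces
show ip audit statistics
```

Because signatures on IOS-IDS cannot be updated without a new image, re-check the statistics output after each IOS upgrade to confirm the rule still covers the signatures you expect.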