Cisco IOS Intrusion Prevention System (IPS)

Cisco IOS IPS Data Sheet

This data sheet provides an overview of the Cisco IOS® Intrusion Prevention System (IPS) solution.

Product Overview

In today's business environment, network intruders and attackers can come from outside or inside the network. They can launch distributed denial-of-service attacks, attack Internet connections, and exploit network and host vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a matter of minutes. There is often no time to wait for human intervention: the network itself must possess the intelligence to instantaneously recognize and mitigate these attacks, threats, exploits, worms and viruses.
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet-inspection-based solution that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, distributing network-level defense to stop malicious traffic close to its entry point at branch or telecommuter offices is also critical.

Cisco IOS IPS: Major Use Cases and Key Benefits

Although it is common practice to use IPS to inspect traffic for attacks at the headend or central locations, protecting branch and telecommuter offices, as well as partner- or service-provider-managed customer networks, is also important so that malicious traffic is stopped as close to the network entry point as possible. IOS IPS helps to protect your network in 3 ways:

Key Benefits

• Provides network-wide, distributed protection from many attacks, exploits, worms and viruses exploiting vulnerabilities in operating systems and applications

• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks

• Unique Risk Rating-based Signature Event Action Processor (SEAP) that dramatically improves the ease of managing IPS policies

• Offers field-customizable worm and attack signature set and event actions

• Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions

• Starting with Cisco IOS Release 12.4(20)T, IOS IPS protection rules are Virtual Routing and Forwarding (VRF) aware, like the Cisco IOS VPN, Firewall and NAT features: overlapping addresses in different VRFs are supported, and IPS event alarms carry the VRF ID so that alarms from different VRFs can be told apart

• Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router

• Supports nearly 2250 attack signatures from the same signature database used by Cisco Intrusion Prevention System (IPS) appliances. Because of memory restrictions, however, only a subset of the supported signatures can be loaded and actively scanning for their respective attacks at any one time.

Table 1. Cisco IOS IPS in the Latest IOS Release Offers the Following Capabilities

Feature: Supports Signatures for Vulnerabilities in Microsoft SMB and MSRPC Protocols as well as Signatures Provided by Vendors under NDA
Advantage/Benefit: Efficient protection against many new Microsoft and other vulnerabilities, some even before their public release

Feature: Risk Rating Value in IPS Alarms Based on Signature Severity, Fidelity, and Target Value Rating
Advantage/Benefit: Allows more accurate and efficient IPS event monitoring by filtering or separating events with low/high Risk Rating

Feature: Supports Signature Event Action Processor (SEAP)
Advantage/Benefit: Quick and automated adjustment of signature event actions based on the calculated Risk Rating of the event

Feature: Automated Signature Updates from a Local TFTP or HTTP(S) Server
Advantage/Benefit: Protection from the latest threats with minimal user intervention

Feature: VRF Awareness (Virtual IPS), new in the 12.4(20)T IOS Release
Advantage/Benefit: Allows enterprises to apply IPS on only certain virtual network segments (VRFs) or in a different way on each VRF, and to distinguish among the IPS alarms/events generated within each virtual segment

Feature: IDCONF (XML) Signature Provisioning Mechanism
Advantage/Benefit: Offers secure provisioning through Cisco Security Manager 3.1 and Cisco Router and Security Device Manager (SDM) 2.4 over HTTPS

Feature: Individual and Category-Based Signature Provisioning through Cisco IOS CLI
Advantage/Benefit: Offers granular customization and tuning of signatures through custom scripts

Feature: Same Signature Format and Database as the Latest Cisco IPS Appliances and Modules
Advantage/Benefit: Offers common deployment and attack signature definitions between Cisco IPS appliances and Cisco IOS IPS

Platform Support

Cisco IOS IPS is available in Advanced Security, Advanced Enterprise, and Advanced IP Services software feature sets on routers listed in Table 2. The base ISR security router bundle includes the appropriate software image, along with enough memory and storage to support IPS features and other threat defense capabilities.

Table 2. Feature Availability

Product Family    Platforms Supported
800               871, 876, 877, 878, 88x
1800              1801, 1802, 1803, 1811, 1812, 1841, 1861
2600              2691
2800              2801, 2811, 2821, 2851
3700              3725, 3745
3800              3825, 3845
7200              7204VXR, 7206VXR
7301              7301

Basic and Advanced Signature Categories

In Cisco IOS Software Release 12.4(11)T and later T-Train releases, IOS IPS signature provisioning is best accomplished by selecting one of the two signature categories dedicated to IOS IPS users: IOS Basic or IOS Advanced categories. Users may also select individual signatures and can tune their parameters through the command-line interface (CLI), Cisco Configuration Professional (CCP) or Cisco Security Manager (CSM).
IOS Basic and IOS Advanced signature categories are pre-selected signature sets intended to serve as a good starting set for most users of IOS IPS. They contain the latest high-fidelity (low false positives) worm, virus, IM, or peer-to-peer blocking signatures for detecting security threats, allowing easier deployment and signature management. Cisco IOS IPS also allows selection and tuning of signatures outside those two categories.
Signature categories are an integral part of Cisco signature update packages posted at http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup. Those signature update packages are cumulative of all previous Cisco IPS signature updates and can be downloaded to the router from a local PC or server using the router CLI.

Signature Definition Files

Cisco IOS IPS in IOS Mainline and T-Train releases prior to 12.4(11)T uses signature definition files (SDFs) that contain the list of signatures to scan for, with their configured parameters, actions and other details. To help users with their initial signature selection, Cisco provides two preconfigured SDFs, 128MB.sdf and 256MB.sdf, intended for use on routers with 128MB and 256MB of DRAM, respectively. The latest SDFs and the complete set of supported signatures can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-sigup. However, the last (final) update to those preconfigured (recommended) SDFs will be posted around July 18, 2008. Note that those signature files (SDFs) cannot be used with Cisco IOS Software Release 12.4(11)T or later. Cisco strongly recommends that users of the IOS IPS feature upgrade their routers to the latest 12.4T release available on CCO so that they can download signature update packages written in the Cisco IPS version 5.x/6.x signature format described in the previous section.

Signature Micro Engines

Cisco IOS IPS uses Signature Micro-Engines (SMEs) to load a set of attack signatures into the router's memory and scan traffic for them. Each engine is customized for inspecting a Layer 4 or Layer 7 protocol and its fields and arguments. Within each packet carrying data for that protocol, it checks that the protocol's parameters fall within their allowable ranges or sets of values, and it scans for malicious activity specific to that protocol using a parallel signature-scanning technique that matches multiple patterns within an SME at any given time.

Attack Mitigation

Cisco IOS IPS can protect your network against the nearly 2250 attacks, exploits, worms and viruses listed in the latest signature list for IOS IPS. Some examples of attacks that can be detected and stopped by Cisco IOS IPS include ANTS, Bagle, MyDoom, Netsky, Agobot, Minmai, Klez, Sober, Zotob, Norvag, Phatbot, MyTob, GaoBot, Blaster, W2K RPC DoS, ZAFI.D, Slapper, Apache/mod_ssl, Slammer, Nachi and Ping Tunnel.

Actions for Detected Signatures

Each individual signature or category of signatures selected to scan traffic for matching attacks can be configured to take any combination of the following 5 actions when triggered:

1. Send an alarm via syslog and/or generate and log an SDEE (Secure Device Event Exchange) event

2. Drop malicious packet

3. Send TCP-Reset packets to both ends of the connection to terminate the session

4. Deny all packets from the attacker (source address) temporarily

5. Deny further packets belonging to the same TCP session (connection) from the attacker (source address).
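The Risk Rating and SEAP entries of Table 1 and the five event actions above, modeled together as an added example (not code from Cisco or from the IOS IPS feature itself): RR = ASR x SFR x TVR / 10000 is the formula Cisco documents for IOS IPS, the ASR and TVR scales are taken from Cisco's IPS documentation and should be checked against the release in use, and the SEAP override thresholds are constructed for illustration.

```python
# Added example (not Cisco's code): models how IOS IPS derives a Risk Rating (RR)
# for an alarm and how the Signature Event Action Processor (SEAP) adds event
# actions once RR crosses a threshold. RR = ASR * SFR * TVR / 10000 is the formula
# Cisco documents for IOS IPS; the override thresholds below are constructed.

# Attack Severity Rating (ASR): fixed value per signature severity level.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating (TVR): administrator-assigned worth of the destination host.
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# The five event actions the data sheet lists, by their IOS IPS CLI names.
ACTIONS = ("produce-alert", "deny-packet-inline", "reset-tcp-connection",
           "deny-attacker-inline", "deny-connection-inline")

# Constructed SEAP overrides: (minimum RR, action added on top of the
# signature's own actions). Blocking the attacker is reserved for RR >= 90 so
# that a low-fidelity signature cannot, by itself, cut off a legitimate host.
OVERRIDES = [(90, "deny-packet-inline"), (90, "deny-attacker-inline"),
             (70, "deny-connection-inline")]


def risk_rating(severity, fidelity, target_value):
    """RR on a 0-100 scale; fidelity is the Signature Fidelity Rating (SFR), 0-100."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0..100")
    rr = ASR[severity] * fidelity * TVR[target_value] // 10000  # integer-truncated here
    return min(rr, 100)  # high/mission-critical targets can push the product past 100


def seap_actions(sig_actions, severity, fidelity, target_value):
    """Return (RR, effective action set) after applying the RR-based overrides."""
    unknown = set(sig_actions) - set(ACTIONS)
    if unknown:
        raise ValueError(f"unknown event action(s): {sorted(unknown)}")
    rr = risk_rating(severity, fidelity, target_value)
    effective = set(sig_actions)
    for threshold, action in OVERRIDES:
        if rr >= threshold:
            effective.add(action)
    return rr, effective


if __name__ == "__main__":
    # Same high-severity signature, two targets: only the valuable target earns
    # the blocking actions; a low-value, low-fidelity match just alerts.
    print(seap_actions(["produce-alert"], "high", 100, "high"))  # RR 100
    print(seap_actions(["produce-alert"], "high", 60, "zero"))   # RR 30
```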

Configuration and Signature Provisioning

The router CLI, Cisco Router and Security Device Manager (SDM) version 2.5, or Cisco Configuration Professional (CCP) 1.1 can be used to configure IOS IPS and to provision and tune IPS signatures at a highly granular level on a single router running Cisco IOS 12.4(11)T2 or later. In addition, Cisco Security Manager (CSM) version 3.1 or 3.2 may be used to manage IPS policies and signature sets on multiple routers running Cisco IOS 12.4(11)T2 or later. For information on managing IOS IPS in IOS releases prior to 12.4(11)T or in Mainline releases, please refer to IOS IPS in previous releases.

Event Monitoring

Upon detecting an attack signature, Cisco IOS IPS can send a syslog message and/or generate and log an alarm in Secure Device Event Exchange (SDEE) format. SDM 2.5 or CCP 1.1 may be used to monitor events generated by a single router, and Cisco IPS Manager Express (IME) may be used to monitor IPS events generated by up to 5 routers. For monitoring events from more than 5 routers, Cisco highly recommends the Cisco Security Monitoring, Analysis, and Response System (MARS) appliance for network-wide monitoring and correlation of IPS alarms, although any compatible monitoring application or device supporting syslog and/or SDEE may be used.
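The monitoring side of the syslog path described above, as an added example that is not part of the data sheet: parsing IOS IPS syslog alarms and separating them by Risk Rating and VRF, as Table 1 and the VRF-awareness bullet describe. The log lines are constructed and modeled on the %IPS-4-SIGNATURE message; the exact field layout is an assumption, and the signature IDs are in the custom (60000+) range so they correspond to nothing real.

```python
import re
from collections import defaultdict

# Added example (not Cisco's code): parse IOS IPS syslog alarms and separate them
# by Risk Rating and VRF. The lines below are constructed, modeled on the
# %IPS-4-SIGNATURE message; the exact field layout is an assumption, and the
# signature IDs are in the custom (60000+) range so they match nothing real.
SAMPLE_LOG = """\
*Jul 18 10:09:45.407: %IPS-4-SIGNATURE: Sig:60001 Subsig:0 Sev:25 Constructed ICMP Probe [192.0.2.10:0 -> 198.51.100.5:0] VRF:NONE RiskRating:25
*Jul 18 10:09:46.118: %IPS-4-SIGNATURE: Sig:60002 Subsig:0 Sev:100 Constructed SMB Worm [10.1.1.4:1337 -> 10.1.1.9:445] VRF:BRANCH-A RiskRating:100
*Jul 18 10:09:47.002: %IPS-4-SIGNATURE: Sig:60003 Subsig:1 Sev:75 Constructed HTTP Scan [10.1.1.4:4023 -> 10.1.1.9:80] VRF:BRANCH-B RiskRating:56
*Jul 18 10:09:47.510: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Jul 18 10:09:48.301: %IPS-4-SIGNATURE: Sig:60002 Subsig:0 Sev:100 Constructed SMB Worm [10.1.1.4:2201 -> 10.1.1.9:445] VRF:BRANCH-B RiskRating:100
"""

ALARM_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))? RiskRating:(?P<rr>\d+)")


def parse_alarms(text):
    """Return one dict per IPS alarm line; other syslog messages are skipped."""
    events = []
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("sig", "subsig", "sev", "sport", "dport", "rr"):
            e[k] = int(e[k])
        e["vrf"] = e["vrf"] or "NONE"  # releases before VRF awareness omit the field
        events.append(e)
    return events


def triage(events, min_rr=70):
    """Count alarms at or above min_rr per (VRF, source address)."""
    # Keying on the VRF keeps overlapping address spaces apart: 10.1.1.4 in
    # BRANCH-A and 10.1.1.4 in BRANCH-B are different hosts.
    counts = defaultdict(int)
    for e in events:
        if e["rr"] >= min_rr:
            counts[(e["vrf"], e["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(triage(parse_alarms(SAMPLE_LOG)).items()):
        print(f"VRF {key[0]:<9} src {key[1]:<12} high-RR alarms: {n}")
```

The low-RR ICMP probe and the RR 56 scan drop out at the default threshold, while the two worm hits stay listed as two distinct sources despite sharing the address 10.1.1.4.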

For More Information

For more information about Cisco IOS IPS, visit http://www.cisco.com/go/iosips or contact your local Cisco account representative.