Supported Router Platforms
One of the major benefits of IOS-based IDS is that you can add intrusion detection to your network using your existing router hardware. Not all Cisco routers support the Firewall IDS feature set of IOS, but their number is growing. IDS has been available in IOS since version 12.0(5)T. IOS has built-in IDS support for the following router platforms:
- Cisco 1700 Series
- Cisco 2600 Series
- Cisco 3600 Series
- Cisco 3700 Series
- Cisco 7100 Series
- Cisco 7200 Series
- Cisco 7400 Series
- Cisco 7500 Series
Performance
A router configured for IDS can be classified as an inline processing network sensor. The router sits in the packets' path, analyzes each packet that passes through it and compares it against the signature base. For some packets the router needs to maintain state information, and in some cases even application-level state. Maintaining this information has an impact on IDS performance, so you should always test the configuration, if possible, before deploying it on the network. Even once it is deployed, keep the old configuration on hand as a backup. Good tools for measuring CPU performance include MRTG and the CPU Monitor from Solarwinds.net. An explanation of how to use the free MRTG to monitor the CPU utilization of a Cisco router can be found at http://slowest.net/docs/howtos/mrtg/mrtg-cisco-cpu.html
As discussed earlier in this book, atomic signatures are triggered by a single packet that matches the signature. Auditing these kinds of signatures does not influence performance much. Compound signatures, on the other hand, are triggered by multiple packets, and IOS-IDS has to allocate memory to maintain the state of each session. IOS-IDS further allocates memory for the configuration database and for internal caching.
Signatures
Originally, Cisco IOS-IDS supported 59 signatures, but starting with 12.2(11)YU and the latest 12.2T IOS releases, IOS-IDS supports a total of 100 signatures. These signatures are a cross-section of the signatures available to the Cisco IDS Sensor, which supports over 300 signatures, and are selected to identify the most common network attacks and information-gathering scans.
In contrast to the traditional Cisco IDS Sensor, where signatures are updated via special files on a regular basis, signatures on IOS-IDS are not updated frequently. Signatures on an IOS-IDS can only be updated by installing a new IOS image on every IDS router.
As we will see later in this chapter, an IOS-IDS can only use a
Director to send alarm notifications. It is therefore not possible to create a
custom signature for an IOS-IDS on the Director in case of a new threat for
which no signature is available yet, such as the recent SQL Slammer Worm.
Note: Be aware that the current test material of the Cisco Secure Intrusion Detection Systems Exam (CSIDS 9E0-100) still refers to a total of 59 signatures supported by Cisco IOS-IDS.
Intrusion Response Options
A router configured as an IOS-IDS sensor will track and
audit the packet flow through the router. When a packet or a number of packets
match a certain signature, IOS-IDS will respond to that match in the way you
have configured it to respond. The router can be configured to perform one or
more of the following actions:
- Send an alarm: An IOS-IDS sensor can be configured to send an alarm when a signature is matched. An alarm can be sent to a Syslog server, a Director, or an IDS Sensor. If no other action is configured, the router still forwards the offending packet.
- Drop the packet: If this action is configured, an IOS-IDS sensor drops offending packets immediately when a signature is matched.
- Reset a TCP session: If this action is configured, an IOS-IDS sensor resets the TCP session in which the unauthorized activity takes place. It does so by sending a packet with the Reset (RST) flag set to both the offender and the victim. If no other action is configured on the IOS-IDS, the offending packet is still forwarded to the victim. The best practice is to use the drop and reset actions together, as that completely terminates the attack.
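The three response actions above map onto the IOS Firewall IDS `ip audit` configuration. The following is an added example, not a configuration taken from this book; the audit rule names, host/org IDs, addresses and interface are hypothetical. It places an alarm-only rule (which still forwards the offending packet) beside a rule that applies alarm, drop and reset together, as the best practice above recommends.

```ios
! Added example, not from the book. Hypothetical values: rule names,
! Post Office host/org IDs, addresses (TEST-NET) and interface name.

! Where alarms are sent: the local log (syslog) and a Director.
ip audit notify log
ip audit notify nr-director
ip audit po local hostid 1 orgid 100
ip audit po remote hostid 2 orgid 100 rmtaddress 192.0.2.10 localaddress 192.0.2.1

! Weak setting (AUDIT.1): alarm only. The router reports the match
! but still forwards the offending packet to the victim.
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm

! Stronger setting (AUDIT.2): informational signatures only alarm;
! attack signatures alarm, drop the packet and send RST to both ends,
! so the session is fully terminated.
ip audit name AUDIT.2 info action alarm
ip audit name AUDIT.2 attack action alarm drop reset

! Apply the stronger rule inbound on the untrusted interface.
interface FastEthernet0/0
 ip audit AUDIT.2 in

! Verification after applying the configuration:
!   show ip audit configuration   (confirms the actions per rule)
!   show ip audit statistics      (signature hit counts and session state)
```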