
Cisco IPS 4200 Series Sensors

Deploying Cisco IOS Intrusion Detection Systems

Table Of Contents

Design Guide

Executive Summary

Cisco Comprehensive Security Solution

The Security Wheel

Developing a Strong Security Policy

Securing Your Network

Understand Your Network Topology

Monitoring the Network

Testing Security

Improving Security

Technical Highlights

Configuration Basics

Cisco IOS IDS Deployment Scenarios

Memory and Performance Impact

Differing Cisco IDS Products



Design Guide

Cisco IOS Intrusion Detection Systems

Executive Summary

Intrusion detection has become a critical component of enterprise and service provider infrastructures. Increasing complexity in the public networks used for data transport, driven by new business applications, e-commerce, extranets and virtual private networks (VPNs), has created increased risks to the integrity and security of internal networks.

To counter increasing security threats, Cisco IOS Intrusion Detection Systems (IDS) adds detection, logging, auditing and mitigation capabilities to a variety of existing security products. Cisco offers complementary technologies in firewall products (Cisco IOS Firewall, PIX, etc.), encryption technologies (Cisco IOS IPSec VPNs, Cisco VPN-3000) and Authentication, Authorization, and Accounting (AAA) for a fully layered approach to security.

Cisco IOS IDS includes intrusion detection technology for the full range of Cisco IOS routers. Cisco 1700, 2600, 3600, 7100, 7200, 7500, and RSM Series Routers support Cisco IOS IDS. The Cisco 830 Series router will also support Cisco IOS IDS; that support is targeted for November 2003. These intrusion detection capabilities are ideal for monitoring intranet, extranet, and branch office Internet perimeters against network violations. Integrated into the routing path, Cisco IOS IDS uses signatures to identify common attacks and to subsequently protect the network.

Cisco IOS IDS acts as an in-line intrusion detection sensor, watching packets as they traverse the router's interfaces and acting upon them in a definable fashion. When one or more packets in a session match a signature, Cisco IOS IDS may perform the following configurable actions:

Alarm: sends an alarm to a syslog server or NetRanger Director

Drop: drops the packet

Reset: resets the TCP connection

Through the use of syslog and integration with CiscoWorks VPN/Security Management Solution (VMS), security operations can quantify their security posture and determine any threats to the networks. These metrics provide a mechanism to track unauthorized network activity over time and to evaluate security policy effectiveness, security activities, and budgeting considerations from a quantifiable perspective.

The remainder of this guide provides background information on Cisco IOS IDS, design considerations, and deployment scenarios. Cisco IOS IDS is available in Cisco IOS Software Release 12.0.(5)T and later releases. Advanced performance improvements for Cisco IOS IDS were released in Release 12.2.(8)T.

Cisco Comprehensive Security Solution

Intrusion detection implementation requires planning. Intrusion detection technology is a complementary tool that should be utilized alongside traditional security products. Cisco IOS IDS is one part of the end-to-end security solution. Products such as Firewalls, Encryption and Authentication, and Access Control Lists should be part of an integrated approach to implementing any Corporate Security Policy.

Considerations for the following should be taken into account to understand overall security concerns:

Security Wheel

Developing a Strong Security Policy

Securing the Network

Monitoring the Network

Testing Security

Improving Security

The Security Wheel

The Cisco security solution approach takes an operational perspective rather than a product or policy approach. Like network management, the philosophy is one of a dynamic, continuous process toward security.

Figure 1. The Security Wheel

The Security Wheel is cyclical, ensuring diligence and improvement. The paradigm incorporates the following five steps:

1. Develop a strong security policy

2. Secure the network

3. Monitor the network and respond to attacks

4. Test existing security safeguards

5. Manage and improve corporate security

Data gained from Steps 2 through 5 should always be reflected back to the corporate security policy in Step 1, so that high-level security expectations are being met.

Developing a Strong Security Policy

Consideration of the following is crucial in developing a strong security policy:

What assets must be protected?

What is the risk to those assets?

What is the impact (in terms of reputation, revenues, profits, research) of a successful attack?

How much sensitive information is available online? What is the impact if this information is damaged or stolen?

Which users have access to those assets?

What do users (including partners and customers) expect in terms of security control procedures and mechanisms?

Should users be trusted?

Are users accessing assets locally or remotely, or a mixture of both?

Do distinct parts of the organization have different security requirements?

What types of traffic exist on the network?

Are the needs of security consistent with the business/operational needs of the organization?

Is there a strong commitment from management to provide sufficient resources to implement security policies and technologies?

Is there a strong commitment for security awareness training?

A strong security policy should be clearly defined, implemented, and documented, yet simple enough that users can easily conduct business within its parameters. A policy of strong password creation can only work if there is a system to validate password selection.

In many ways, the security policy is a risk management plan, as it documents the risk threshold an organization is willing to accept. Because no security technology provides one hundred percent protection, and in most cases organizations do not have the budget to implement all required security elements, the security policy rates assets and applies commensurable levels of security.

A critical element often overlooked is the policy on incident response. What is the official organization response if a policy is violated?

For additional information on the development and implementation of information security policies, refer to SANS Institute Resources: http://www.sans.org/newlook/resources/policies/policies.htm

Securing Your Network

Once the security policy is developed, the network must be secured with multiple technologies: firewalls, intrusion detection, AAA, etc. However, this cannot occur without a complete understanding of the users, assets, and network topology.

Understand Your Network Topology

Careful inspection of the following will help to prevent possible miscalculations in deploying and configuring Cisco IOS IDS:

Network size and complexity

Locations of critical resources (file servers, hosts, etc.) on the network

Connections with other networks, both Internet and extranets

The amount and type of network traffic

Consideration of these placement points will help determine where Cisco IOS IDS can be enabled. All connections to the network that require protection should receive the same degree of consideration.

Monitoring the Network

Once the network has been secured, activity should be monitored, either via syslog or through the use of CiscoWorks VMS. When a security violation does occur, an appropriate response is crucial:

Logging the event

Resetting the TCP connection

Dropping the offending packets

Possible reconfiguration of the ACLs on the router, in order to deny the attack

Specific responses should be detailed within the security policy.

Testing Security

Periodic scans of the network for new vulnerabilities are appropriate. Changes in the network and advances in services and technology can create new "security holes". These aspects are inevitable and should be considered normal operations within a growing network. New procedures for testing security, as well as for testing the pre-established policy, should be part of this review procedure for improvement.

Improving Security

Analyze all the metrics that are collected. Each part of the security cycle will produce different information, which can then be prioritized. When responding to a threat, consider:

A) Identify resources required to respond

B) Incident response policy

C) Chart ownership and monitoring of security

Keep abreast of any new network threats by improving on the established security policy. Continue to implement the Security Wheel cycle.

Technical Highlights

Cisco IOS IDS supports intrusion detection technology for midrange and high-end router platforms with firewall support. It is ideal for any network perimeter, and especially for locations in which a router is deployed, and additional security between network segments is required. It also can protect intranet and extranet connections where additional security is mandated, and branch-office sites connecting to the corporate office or Internet.

Intrusion detection systems provide a level of protection beyond the firewall by protecting the network from internal and external attacks and threats. Cisco IOS IDS enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity.

Cisco IOS IDS acts as an in-line intrusion detection sensor, watching packets as they traverse the router's interfaces and acting upon them in a definable fashion. When one or more packets in a session match a signature, Cisco IOS IDS may perform the following configurable actions:

Alarm: sends an alarm to a syslog server or NetRanger Director

Drop: drops the packet

Reset: resets the TCP connection

Intrusion detection systems customers that have already deployed Cisco IDS "appliance sensors" can deploy Cisco IOS IDS signatures to complement their existing systems. This allows an intrusion detection system to be deployed in areas that may not support a Cisco IDS Sensor. Cisco IOS IDS signatures can be deployed alongside or independently of other Cisco IOS Firewall features.

Cisco IOS Firewall with intrusion detection can be added as an icon on the Cisco VMS Security Monitor screen, providing a consistent view of all intrusion detection sensors throughout a network. Cisco IOS Firewall intrusion detection capabilities have an enhanced reporting mechanism that permits event logging to the Security Monitor console via Cisco IOS syslog.

Cisco IOS IDS uses signatures to detect patterns of misuse in the network. Each signature is classified by both severity and complexity:

Severity:

Informational signatures: detect information-gathering activity (e.g., a port sweep)

Attack signatures: detect malicious activity (e.g., illegal FTP commands, or a Denial of Service (DoS) attempt)

Complexity:

Atomic signatures: detect simple patterns (e.g., an attempt on a specific host or within a single packet)

Compound signatures: detect complex patterns (e.g., an attack on multiple hosts, over extended time periods, with multiple packets)

Configuration Basics

1. Initialize Cisco IOS IDS—ip audit parameters (alarm, drop, and/or reset)

An audit rule specifies the signatures that should be applied to packet traffic and the actions to be taken when a match is found. The signature list can include any number of signatures. Signatures can be disabled in case of false positives, or based on the needs of the network.

Note: it is generally recommended that drop and reset actions be used together.

Command Syntax:

	ip audit info {action [alarm] [drop] [reset]}	! Sets the default actions for info signatures
	ip audit attack {action [alarm] [drop] [reset]}	! Sets the default actions for attack signatures
	ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]	! Creates an audit rule, where audit-name is a user-defined name for the rule

2. Determine logging Policy

Command Syntax:

	ip audit notify log	! Sends event notifications (alarms) to a Cisco Secure IDS Director, a syslog server, or both

3. Configure and Apply Audit Rules—which interfaces, what routing path?

Audit rules can be applied to an interface on the router with a specific direction (in or out).

If the audit rule is applied in the in direction on the interface, packets passing through the interface are audited before the inbound ACL can discard them. This alerts an administrator if an attack or information-gathering activity is underway. Because of this sequence of events, IDS can trigger even if the router would otherwise reject the activity.

Audit rules applied in the out direction on an interface conversely audit packets after they have entered the router through another interface. Inbound ACLs on those other interfaces may discard packets before they are audited. As a result, IDS alarms may be lost even though the attack or information-gathering activity was thwarted.

Command Syntax:

	interface interface-number	! Enters interface configuration mode
	ip audit audit-name {in | out}	! Applies an audit rule at an interface, where audit-name is the name of an existing audit rule and the direction is either in or out

4. Verify the Configuration

	show ip audit configuration
	show ip audit interface
	show ip audit statistics

5. Optionally Disabling Signatures

	ip audit signature signature-id {disable | list acl-list}	! Disables individual signatures
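As an added example (not from the guide), the five steps above combined into one configuration for a branch router, also illustrating the in versus out direction point from step 3. The interface names, the rule name BRANCH-IDS, the syslog host 10.1.1.50, and ACLs 90 and 101 are assumed for illustration.

```cisco
! Added example, not from the guide: Cisco IOS IDS configured on a branch router.
! Assumed for illustration: Serial0/0 = Internet side, FastEthernet0/0 = LAN side,
! syslog host 10.1.1.50, audit rule BRANCH-IDS, standard ACL 90, extended ACL 101.
!
! Step 1: default actions, then one named audit rule covering both signature classes.
! Info signatures only alarm; attack signatures alarm, drop and reset the connection
! (drop and reset are used together, as the note above recommends).
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit name BRANCH-IDS info action alarm
ip audit name BRANCH-IDS attack action alarm drop reset
!
! Step 2: send alarms to syslog. "logging" names the collector; "ip audit notify log"
! makes Cisco IOS IDS report through syslog rather than to a Cisco Secure IDS Director.
logging 10.1.1.50
ip audit notify log
!
! Step 3: apply the rule in the "in" direction on the Internet-facing interface, so a
! packet is audited BEFORE the inbound ACL (101) can discard it. Applied "out" on the
! LAN interface instead, ACL 101 would drop the packet first and the alarm would be lost.
access-list 101 deny   tcp any any eq 23      ! constructed sample: block telnet from outside
access-list 101 permit ip any any
interface Serial0/0
 ip access-group 101 in
 ip audit BRANCH-IDS in
!
! Step 5 (optional): signature 2004 (ICMP Echo Request in the Cisco IOS IDS Signature
! List; confirm the id for your release) fires on every ping. Rather than disabling it
! for everyone, attach ACL 90: sources the ACL denies are not audited for this signature.
access-list 90 deny   host 10.1.1.50         ! management host: not audited for 2004
access-list 90 permit any                     ! all other sources still audited
ip audit signature 2004 list 90
!
! Step 4: verify from privileged EXEC mode (not configuration mode):
!   show ip audit configuration   -> default actions, notify target, audit rules
!   show ip audit interface       -> which rule is applied to which interface and direction
!   show ip audit statistics      -> signature hit and session counts
```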

Cisco IOS IDS Deployment Scenarios

Cisco IOS IDS capabilities are ideal for providing additional visibility at intranet, extranet, and branch-office Internet perimeters. Network administrators enjoy more robust protection against attacks on the network and can automatically respond to threats from internal or external hosts.

Cisco IOS IDS is intended to satisfy the security goals of all of our customers, and is particularly appropriate for the following scenarios:

Enterprise: interested in a cost-effective way to extend perimeter security across all network boundaries, specifically branch-office, intranet, and extranet perimeters.

Small and medium businesses: need a cost-effective router that has an integrated firewall with intrusion-detection capabilities.

Service Providers: may want to deploy this as the router/firewall for a managed service. They can set this at subscribers' sites to provide firewalling and intrusion detection within the necessary function of a router.

Commonly referred to as "perimeter protection", Cisco IOS IDS can be placed to monitor traffic between the network and the Internet. Companies generally also use a firewall to protect the perimeter, which is the most common deployment scenario. This enables both incoming and outgoing traffic to be monitored.

An internal attacker can additionally take advantage of network services that otherwise go unprotected, and against this, perimeter protection offers little help. Placing Cisco IOS IDS on other segments, in the routing path, solves this problem: it can shield those segments from outside attacks while addressing often overlooked networks, such as extranet, remote access, and less secure intranet networks.

Although partner companies generally have security policies of their own, there is often little reassurance that these policies are adequately enforced. Outsiders may enter a network through this type of connection, so it should also be protected and firewalled.

Remote access networks are also notorious for their vulnerability to attack. Although generally designated for employee use, external attackers often exploit vulnerabilities in authorization, authentication, and/or wireless technologies. Cisco IOS IDS monitors and defends against such weaknesses in this area.

As mentioned earlier, intranet connections should also be monitored and protected with Cisco IOS IDS. Research and Development networks and Engineering resources, for example, often require additional security measures to protect proprietary information. For these areas, a robust security solution can be achieved by a combined approach of strong access control lists, Cisco IOS Firewall, and Cisco IOS IDS (Figure 2).

Figure 2. Combined Security Approach

When Cisco IOS IDS is deployed, audit rules are applied specifying the direction of traffic through an interface (in or out).

Audit rules applied to the in direction on an interface will allow packets passing through the interface to be audited before inbound ACLs.

Audit rules applied in the out direction of an interface allow signature matching to occur against packets after they enter the router through another interface. In this case, inbound ACLs may discard packets before they are audited. Unintentional loss of Cisco IOS IDS alarms may result, even though the attack or information-gathering activity was avoided. Detection of such unsuccessful violations and attack attempts is often as important as detecting successful attacks.

Memory and Performance Impact

The performance impact of intrusion detection depends on the configuration of the signatures, the level of traffic on the router, the router platform, and other individual features enabled on the router (e.g., encryption, source-route bridging). Enabling or disabling individual signatures will not alter performance significantly; however, signatures that are configured to use ACLs will have a significant performance impact.

The router is used as a security device, so no packet is allowed to bypass the security mechanisms. Cisco IOS IDS sits directly in the packet path and searches each packet for signature matches. In some cases the entire packet must be searched, and the router must also maintain session state, application state, and awareness.

There is no traffic-dependent memory requirement for auditing atomic signatures. For auditing compound signatures, CBAC allocates memory to maintain the state of each session for each connection. Memory is also allocated for the configuration database and for internal caching.

Differing Cisco IDS Products

Cisco IOS IDS (Router Sensor): Cisco IOS IDS delivers in-line integrated intrusion protection in the routing path with a feature-rich set of networking services. It provides real-time monitoring, interception, and response to network misuse with a broad set of the most common attack and information-gathering intrusion detection signatures.

Cisco IDS 4210, 4235, 4250 (Network Sensor Appliance): the network sensor provides a comprehensive, dedicated appliance model to protect the observed network from malicious activity.

Cisco IDS Module (Integrated Switch sensor): Integrated Switch Sensor is designed to protect switched environments by integrating full-featured IDS functionality directly into the network infrastructure. This allows the user to monitor traffic directly off the switch backplane.

Cisco IDS Host Sensor: The Host Sensor provides comprehensive protection for the server operating system and the applications running on the servers. It is installed on each server, guarding operating system and applications, as well as access to those applications. The system employs call interception techniques to provide the only proactive server security system.

Firewall Sensor: integration of IDS functionality into Cisco PIX Series Firewalls. This protects against common network-based attacks.


Cisco IOS IDS supports intrusion detection technology for midrange and high-end router platforms with firewall support. It is ideal for any network perimeter, and especially for locations in which a router is being deployed and additional security between network segments is required. It also can protect intranet and extranet connections where additional security is mandated, as well as branch-office sites connecting to the corporate office or Internet.

Intrusion detection should be considered an integral component when designing and implementing a layered approach to security. Sensors may be placed on almost any segment of the enterprise-wide network where security visibility is required. Perimeter placements, internal network segments where critical resources are located, extranet connections, and DMZs are the minimum set of locations to consider when implementing and maintaining a security policy.

The Security Wheel can help to attain the goal of security in an ever-changing environment. To ensure that a high percentage of security objectives are achieved, always secure, monitor, test, and improve.

Cisco IOS IDS (Product Documentation)

Improving Security on Cisco Routers

Security Technical Tips

Configuring Context-Based Access Control

Configuring Cisco IOS IDS

Defining Strategies to Protect Against TCP SYN Denial of Service Attacks

Cisco IOS IDS Signature List

SANS Institute Resource Project—The SANS Security Policy Project

