What Is the Cisco IOS Firewall IDS?


The IOS IDS is part of the IOS Firewall feature set and performs functions similar to, if not the same as, the Cisco IDS appliance and the Cisco IDS module. At its core, a Cisco IDS device analyzes the packets that pass through an interface and compares them against a set of predefined signatures that Cisco builds. Cisco has a dedicated group responsible for developing the signatures used in this packet analysis: the Cisco Countermeasures Response Team (CCRT).

When you think of a signature, what comes to mind? Perhaps something used to identify a person: a pattern that is unique to each individual. That is exactly what a signature is on an IDS device. It is a pattern that uniquely identifies potentially malicious behavior, and the router compares that pattern (the signature) against packets to determine whether a particular packet is malicious.

When IDS is configured, the router continues to perform its normal routing functions while also comparing packets against the predefined list of signature patterns to determine whether they are malicious. When the router determines that a packet is malicious, it takes the configured actions without interrupting the routing and IDS services it is already performing.

Understanding the Cisco IOS Firewall IDS

IDS services on an IOS router or PIX Firewall behave similarly to Cisco's other IDS offerings, which are dedicated devices that do nothing but analyze packets against the predefined list of signatures. As you might expect, those dedicated devices are more powerful, and the IOS routers have fewer capabilities. What is important to remember is that the core functionality, comparing packets against signatures, is the same on both the dedicated devices and IOS routers running IDS services.

Issues to Consider Before Deploying IOS IDS

Let's first discuss what we mean by fewer capabilities on an IOS router running IDS services when compared to a dedicated IDS device. First, the IOS Firewall contains only a subset of the total number of signatures that are available on the dedicated devices.


The number of signatures that is predefined with the IOS Firewall is either 59 or 100. How many signatures you get depends on the version of IOS Firewall that you are running.


Second, the IOS Firewall offers no signature "tuning" capabilities. On the dedicated IDS devices you can tweak signatures to fit your own organization's security environment, for instance by setting the number of packets that must match a particular signature before an event triggers. You can also create your own signatures on the dedicated devices, but not with the IOS Firewall. Finally, the actions a router can take when a packet matches a signature differ from those available on the dedicated devices.
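To make the signature-matching and tuning concepts above concrete, here is a small added example (not Cisco code, and not from this book) that models a router comparing each packet against a predefined signature list and applying configured actions. The signatures, packets, the "info"/"attack" split with separate action sets, and the per-signature match threshold are all constructed assumptions of the example; setting every threshold to 1 models the IOS Firewall, which exposes no such tuning knob.

```python
"""Toy signature-matching engine modelling the IDS behaviour described above.

Added example, not Cisco code: signatures, packets and actions are all
constructed here to show how a router compares packets against a predefined
signature list and applies the actions configured for a match.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    pattern: bytes      # byte pattern the payload must contain to match
    kind: str           # "info" or "attack": selects which action set applies
    threshold: int = 1  # matches needed before an event fires (the tuning knob)


@dataclass
class IdsEngine:
    signatures: list
    actions: dict                                   # kind -> set of action names
    matches: Counter = field(default_factory=Counter)
    events: list = field(default_factory=list)      # (sig_id, name, actions) per event

    def inspect(self, payload: bytes) -> str:
        """Compare one packet against every signature; return 'forward' or 'drop'."""
        verdict = "forward"  # the router keeps routing unless an action says otherwise
        for sig in self.signatures:
            if sig.pattern not in payload:
                continue
            self.matches[sig.sig_id] += 1
            if self.matches[sig.sig_id] < sig.threshold:
                continue  # below the tuned threshold: no event yet
            acts = self.actions.get(sig.kind, set())
            self.events.append((sig.sig_id, sig.name, tuple(sorted(acts))))
            if "drop" in acts:
                verdict = "drop"
        return verdict


# Constructed signatures: an informational one that only fires on the third
# match, and an attack signature that fires immediately.
SIGNATURES = [
    Signature(1, "constructed echo marker", b"ECHO", "info", threshold=3),
    Signature(2, "constructed shell marker", b"/bin/sh", "attack"),
]
ACTIONS = {"info": {"alarm"}, "attack": {"alarm", "drop"}}
PACKETS = [b"GET /index.html", b"ECHO", b"ECHO", b"ECHO", b"cmd=/bin/sh"]  # constructed


def run_demo():
    """Run the constructed packets through the engine; return verdicts and events."""
    engine = IdsEngine(SIGNATURES, ACTIONS)
    verdicts = [engine.inspect(p) for p in PACKETS]
    return verdicts, engine.events
```

Only the third ECHO packet raises an event, and only the attack match changes the verdict to drop; every other packet is forwarded untouched.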

There are some other important issues to consider when deciding to implement the IOS router IDS functions. These issues deal with memory resources and CPU resources. The router needs CPU resources to compare packets against signatures, and the router needs memory to store the entire packet to analyze it.

In addition to these caveats, there is one more. Hackers are continuously creating new attacks, tools, viruses, and Trojan horses, but the only way to get a signature update with the IOS Firewall is to wait for a new IOS release. With a dedicated IDS device, you can get a signature update every two weeks, or even daily, depending on what new attacks are discovered.


Depending on the router platform, traffic level, and other router services, among other things, IDS services on a router can be CPU intensive, can affect router performance, and can require memory for limited persistent storage.




CCSP SECUR Exam Cram 2
CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
