The Cisco IOS Firewall IDS acts as an inline intrusion detection sensor, watching packets and communication sessions as they flow through the router and scanning each packet to see whether it matches any of the IDS signatures.
Cisco developed its Cisco IOS Software–based intrusion detection capabilities in the Cisco IOS Firewall Feature Set with flexibility in mind so that individual attack signatures could be disabled in case of false positives. Also, although it is preferable to enable both the firewall and intrusion detection features of the FFS CBAC security engine to support a network security policy, each of these features can be enabled independently and on different router interfaces.
The Cisco IOS Firewall Feature Set includes intrusion detection technology in addition to basic firewall functionality. The Cisco IOS FFS acts as a limited inline intrusion detection sensor, watching packets and sessions as they flow through the router. (This is the inline aspect of its operation: every packet is scanned to determine whether its contents match any of the IDS signatures the router knows about.) When the router detects suspicious activity, that is, when it believes that a packet contains an attack signature, it responds accordingly before network security can be compromised and logs the suspicious activity by using syslog and by communicating directly with a server running the Cisco Secure IDS Software.
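The behaviour described above maps onto the `ip audit` command family of the IOS Firewall IDS: alarm delivery to syslog and to a Cisco Secure IDS Director, per-signature disabling for false positives, an audit rule that pairs each signature class with a response, and per-interface activation independent of the CBAC inspection rule. The following configuration is an added illustration, not text or configuration from the book; the interface names, addresses, host/org IDs, the audit-rule name and the choice of signature 2004 (the ICMP echo-request signature) as the one to suppress are all assumed for the example.

```cisco
! Added illustrative configuration (not from the book). Names, addresses,
! Post Office IDs and the suppressed signature ID are constructed examples.
!
! Deliver alarms both to syslog ("log") and to a Cisco Secure IDS Director
! over the Post Office protocol ("nr-director").
ip audit notify log
ip audit notify nr-director
!
! Post Office identity of this router (local) and of the Director (remote).
! 192.0.2.10 is the assumed Director address, 192.0.2.1 this router's inside address.
ip audit po local hostid 10 orgid 100
ip audit po remote hostid 1 orgid 100 rmtaddress 192.0.2.10 localaddress 192.0.2.1
!
! Disable a single signature globally when it generates false positives in
! this network (2004 = ICMP echo request; substitute the ID that is noisy for you).
ip audit signature 2004 disable
!
! Audit rule: informational signatures only raise an alarm; attack
! signatures raise an alarm, drop the packet and reset the TCP session.
ip audit name OUTSIDE-IDS info action alarm
ip audit name OUTSIDE-IDS attack action alarm drop reset
!
! Inside interface carrying the localaddress used above.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
! Apply the audit rule inbound on the untrusted interface only. A CBAC
! "ip inspect" rule can be applied on another interface independently.
interface Serial0/0
 ip audit OUTSIDE-IDS in
!
! Exec-mode checks: confirm the rule, the disabled signature and the
! notification targets, then watch the per-signature counters grow.
! show ip audit configuration
! show ip audit statistics
```

Treat the `drop reset` action with the same care the text gives signature disabling: a signature that produces false positives on an interface configured this way will also reset legitimate sessions, so start new signatures at `action alarm` and only add `drop reset` once the alarm log has shown them to be reliable.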