Data Sheet

Cisco IOS® IPS

This data sheet provides an overview of the Cisco IOS Intrusion Prevention System (IPS).

PRODUCT OVERVIEW

In today's business environment, network intrusions and attacks can come from outside or inside of the network. Perpetrators can launch denial of service (DoS) attacks or distributed denial of service (DDoS) attacks. They can attack Internet connections and exploit network and host vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a matter of minutes. There is often no time to wait for human intervention; the network itself must possess the intelligence to instantaneously recognize and mitigate these attacks, threats, exploits, worms, and viruses.

An industry first, Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet-inspection-based solution that enables Cisco IOS Software to mitigate a wide range of network attacks without compromising router performance. With the intelligence and performance to accurately identify, classify, and stop malicious or damaging traffic in real time, Cisco IOS IPS is a core component of the Cisco® Self-Defending Network, enabling the network to defend itself.

CISCO IOS IPS: BENEFITS AND CAPABILITIES

While it is common practice to deploy firewalls and inspect traffic for attacks at the headend, it is equally important to protect branch offices, to ensure that malicious traffic is stopped as close to its entry point into the network as possible. By using Cisco IOS IPS at the branch, gateways can drop traffic, send alarms, or reset connections as needed to stop attacks at the point of origination and remove unwanted traffic from the network as quickly as possible.

Primary Benefits

• Cisco IOS IPS uses the underlying routing infrastructure to provide an additional layer of security with investment protection.
• Because Cisco IOS IPS is inline and supported on a broad range of routing platforms, attacks can be mitigated by denying malicious traffic from both inside and outside the network.
• When used in combination with Cisco IOS Firewall, VPN, and Network Admission Control (NAC) solutions, Cisco IOS IPS provides threat protection at all entry points into the network.
• Cisco IOS IPS is supported by management tools that help reduce operational complexity and expenditure: Cisco Router and Security Device Manager (SDM) and Cisco Management Center for IPS Sensors, both part of CiscoWorks VPN/Security Management Solution (VMS).

Whether threats are targeted at endpoints, servers, or the network infrastructure, Cisco's IPS solutions are designed to integrate into your network infrastructure and proactively protect your vital resources. Cisco leads the industry with the first routers to offer IPS capabilities.

Cisco IOS IPS provides intrusion prevention and event notification using the same Cisco IPS and IDS technology found in Cisco IPS 4200 Series sensor appliances, Cisco Catalyst® 6500 Series IDS services modules, and Cisco IDS network modules for integrated services routers. Because Cisco IOS IPS is inline, it can drop traffic, send an alarm, reset a connection, or deny an attacker; these capabilities enable the router to respond immediately to security threats and protect the network.

While the hub is a common location to deploy a firewall and inspect traffic for attacks, it is not the only location to consider when deploying security; attacks can also originate at the branch. Through collaboration with IP Security (IPsec) VPN, generic routing encapsulation (GRE), and Cisco IOS Firewall, Cisco IOS IPS allows decryption, tunnel termination, firewalling, and traffic inspection at the first point of entry into the network (branch or hub), an industry first. Cisco IOS IPS helps to stop network attacks as close to the source as possible.

Cisco IOS IPS offers the following capabilities:

• The ability to load and enable selected IPS signatures in the same manner as Cisco IPS sensor appliances.
• Support for more than 1500 of the signatures supported by Cisco IDS sensor appliances.
• The ability for a user to modify an existing signature or create a new signature to address newly discovered threats. Each signature can be configured to send an alarm, drop the packet, reset the connection, or deny all further packets from the attacker.

An additional capability allows users who want maximum intrusion protection to select an easy-to-use signature file that contains "most-likely" worm and attack signatures. Traffic matching these high-confidence worm and attack signatures is configured to be dropped. Cisco SDM provides an intuitive user interface to provision these signatures, including the ability to upload new signatures from Cisco.com without requiring a change in software image, and configures the router appropriately for them.

SIGNATURE DEFINITION FILE (SDF)

The signature definition file (SDF) contains the signature details and configuration. The Cisco IOS IPS-enabled router uses this SDF to update the existing IPS configuration in real time. This means that the number of running signatures and the actions taken on a signature match (alarm, drop, reset, deny attacker) can all be changed without a Cisco IOS image update.

Cisco IOS IPS ships with one of three preconfigured SDFs: 128MB.sdf, 256MB.sdf (each sized for routers with that amount of memory), or attack-drop.sdf. At least one of these files is available in flash memory on all Cisco IOS IPS-enabled routers shipped with Cisco IOS Software Release 12.3(14)T or higher. These SDFs contain the latest high-fidelity (low false positive) worm/virus/IM/peer-to-peer (P2P) blocking signatures, allowing easier deployment and signature management. Prebuilt SDFs provide a good starting point: users do not have to create their own SDFs from scratch from the wide range of signatures available in Cisco IOS Software. Signatures can be appended to or modified in these SDFs.

New signatures created by Cisco are posted to Cisco.com at http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup. The latest signatures can be downloaded and merged with the existing signatures on the router using Cisco management tools such as Cisco SDM and the Cisco Management Center for IPS Sensors. How a customer selects signatures depends on several factors, including what the customer is trying to protect, the type of signature, and the memory and platform of the router. Loading all signatures without considering the platform, memory, and type of signature is not recommended.

SIGNATURE MICRO-ENGINES

Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDFs and scan for signatures. Each engine is customized for the protocol and fields it is designed to inspect and defines a set of legal parameters that have allowable ranges or sets of values. The SMEs look for malicious activity in a specific protocol, using a parallel signature scanning technique to scan for multiple patterns within an SME at any given time.

ATTACK MITIGATION

Cisco IOS IPS is typically used in a distributed IPS mitigation fashion. In a typical Cisco IOS router network, routers are deployed throughout the network, including at all entry points from outside networks, such as remote VPN branch offices, partner-connected links, and telecommuter remote-access connections. Cisco IOS IPS gives customers the ability to detect attempts by outside attackers to use these remote locations as a backdoor into the protected network. Cisco IOS IPS detects such attacks before they can move farther into the network by providing early detection at the distributed remote connections.

Examples of attacks (worms and viruses) that can be detected by Cisco IOS IPS:

• ANTS, Bagle, MyDoom, Netsky, Agobot, Mimail, Klez, Sober, Zotob, Norvag, Phatbot, MyTob, GaoBot, Blaster, W2K RPC DoS, ZAFI.D, Slapper, Apache/mod_ssl, Slammer, Nachi, Ping Tunnel

MANAGEMENT

Cisco SDM 2.2 and the Cisco Management Center for IPS Sensors 2.2, a component of CiscoWorks VMS, can be used to fully manage the IPS features running on Cisco IOS routers. This includes tuning existing signatures on the router, creating custom signatures, adding new signatures, and, in the case of Cisco Management Center for IPS Sensors 2.2, deploying signatures to a large number of routers.

FOR MORE INFORMATION

For more information about Cisco IOS IPS, visit http://www.cisco.com/go/iosips or contact your local Cisco account representative.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Document 205233.CG_ETMG_KS_12.05, printed in the USA. Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
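The SDF loading, per-signature action tuning, signature merging, and verification described in the SDF and Management sections, shown as an added Cisco IOS CLI example. This is not configuration from the data sheet or from Cisco; it assumes a router running Cisco IOS Software Release 12.3(14)T-era IOS IPS with attack-drop.sdf already in flash. The interface name FastEthernet0/0, the rule name BRANCH-IPS, ACL 101 and the 10.0.0.0/8 inside network, the filename new-sigs.sdf, and signature ID 2004 are placeholders chosen for illustration.

```text
! Added example configuration (not from the data sheet). Placeholder names are noted.
!
! 1. Point IOS IPS at the prebuilt high-confidence SDF in flash instead of the
!    signatures compiled into the image. Do this before binding the rule to an
!    interface so the signatures are compiled from the intended file.
ip ips sdf location flash:attack-drop.sdf
!
! 2. If the SDF cannot be loaded, drop traffic rather than forward it uninspected.
ip ips fail closed
!
! 3. Event notification: syslog plus SDEE, which is what Cisco SDM and the
!    Management Center for IPS Sensors poll over HTTP(S).
ip ips notify log
ip ips notify sdee
ip http server
!
! 4. Define the IPS rule. The optional ACL limits which packets the signature
!    micro-engines inspect; here only traffic toward the inside network
!    10.0.0.0/8 (placeholder) is inspected, saving CPU on the branch router.
access-list 101 permit ip any 10.0.0.0 0.255.255.255
ip ips name BRANCH-IPS list 101
!
! 5. Tune a single signature without editing the SDF. Signature 2004 is used as
!    an illustrative ID; disabling keeps it in the loaded set, "delete" removes it.
ip ips signature 2004 disable
!
! 6. When a signature's action is "deny attacker", apply the deny ACL on the IPS
!    interface rather than the ingress interface of the offending flow.
ip ips deny-action ips-interface
!
! 7. Bind the rule inbound on the untrusted (WAN) interface. Placeholder name.
interface FastEthernet0/0
 ip ips BRANCH-IPS in
!
! 8. Merge newly downloaded signatures (placeholder filename) into the running
!    signature set, then save the merged set to flash so it survives a reload
!    and can be referenced by "ip ips sdf location" later.
copy flash:new-sigs.sdf ips-sdf
copy ips-sdf flash:branch-merged.sdf
!
! 9. Verify: which SDF loaded and whether fail-closed is set, which signatures
!    compiled and their enabled state, which interfaces carry the rule, hit
!    counters, and remaining memory (the sheet warns against loading every
!    signature without checking platform memory).
show ip ips configuration
show ip ips signatures
show ip ips interfaces
show ip ips statistics
show memory statistics
```

Order matters: setting the SDF location and fail-closed behaviour before the interface binding avoids an initial compile from the wrong signature set, and checking `show memory statistics` after the merge is the practical test of the sheet's advice not to load signatures blindly on a small-memory platform.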