All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement
Data Sheet
CISCO IOS IPS
This data sheet provides an overview of the Cisco IOS® Intrusion Prevention System (IPS).
PRODUCT OVERVIEW
In today’s business environment, network intrusions and attacks can come from outside or inside of the network. Perpetrators can launch denial of service (DoS) attacks or distributed denial of service (DDoS) attacks. They can attack Internet connections and exploit network and host vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a matter of minutes. There is often no time to wait for human intervention—the network itself must possess the intelligence to instantaneously recognize and mitigate these attacks, threats, exploits, worms, and viruses.
An industry first, Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet-inspection-based solution that helps enable Cisco IOS Software to effectively mitigate a wide range of network attacks without compromising router performance. With the intelligence and performance to accurately identify, classify, and stop malicious or damaging traffic in real time, Cisco IOS IPS is a core component of the Cisco® Self-Defending Network, enabling the network to defend itself.
CISCO IOS IPS: BENEFITS AND CAPABILITIES
While it is common practice to deploy firewalls and inspect traffic for attacks at the headend, it is equally important to protect branch offices, to ensure that malicious traffic is stopped as close to the entry point into the network as possible. By using Cisco IOS IPS at the branch, gateways can drop traffic, send alarms, or reset connections as needed to stop attacks at the point of origination and remove unwanted traffic from the network as quickly as possible.
Primary Benefits
• Cisco IOS IPS uses the underlying routing infrastructure to provide an additional layer of security with investment protection.
• Since Cisco IOS IPS is inline and supported on a broad range of routing platforms, attacks can be effectively mitigated to deny malicious traffic from both inside and outside the network.
• When used in combination with Cisco IOS Firewall, VPN, and Network Admission Control (NAC) solutions, Cisco IOS IPS provides superior threat protection at all entry points into the network.
• Cisco IOS IPS is supported by easy and effective management tools that help reduce operational complexity and expenditure, such as Cisco Router and Security Device Manager (SDM) and Cisco Management Center for IPS Sensors, both part of CiscoWorks VPN/Security Management Solution (VMS).
Whether threats are targeted at endpoints, servers, or the network infrastructure, Cisco’s pervasive IPS solutions are designed to integrate smoothly into your network infrastructure and proactively protect your vital resources.
Cisco leads the industry with the first routers to offer IPS capabilities. Cisco IOS IPS is an inline, deep-packet-inspection-based solution that helps Cisco IOS Software effectively mitigate network attacks. Cisco IOS IPS provides intrusion prevention and event notification using Cisco IPS and IDS technology, including Cisco IPS 4200 Series sensor appliances, Cisco Catalyst® 6500 Series IDS services modules, and Cisco IDS network modules for integrated services routers. Because Cisco IOS IPS is inline, it can drop traffic, send an alarm, reset a connection, or deny an attacker; these capabilities enable the router to respond immediately to security threats and protect the network.
While the hub is a common location to deploy a firewall and inspect traffic for attacks, it is not the only location to consider when deploying security—attacks can also originate at the branch. Through collaboration with IP Security (IPSec) VPN, generic routing encapsulation (GRE), and Cisco IOS Firewall, Cisco IOS IPS allows decryption, tunnel termination, firewalling, and traffic inspection at the first point of entry into the network (branch or hub)—an industry first. Cisco IOS IPS helps to stop network attacks as close to the source as possible.
Cisco IOS IPS offers the following capabilities:
• The ability to load and enable selected IPS signatures in the same manner as Cisco IPS sensor appliances.
• Support for more than 1500 of the signatures supported by Cisco IDS sensor appliances.
• The ability for a user to modify an existing signature or create a new signature to address newly discovered threats (each signature can be enabled to send an alarm, drop a packet, reset a connection, or deny all malicious packets from an attacker).
An additional capability allows users who want maximum intrusion protection to select an easy-to-use signature file that contains “most-likely” worm and attack signatures. Traffic matching these high-confidence-rated worm and attack signatures is configured to be dropped. Cisco SDM provides an intuitive user interface to provision these signatures—including the ability to upload new signatures from Cisco.com without requiring a change in software image—and configures the router appropriately for these signatures.
SIGNATURE DEFINITION FILE (SDF)
The signature definition file (SDF) is a file that contains the signature details and configuration. The Cisco IOS IPS-enabled router uses this SDF to update the existing IPS configuration in real time. This means that the number of running signatures and the way that the signatures are configured for actions to take on a signature match (alarm, drop, reset, deny attacker) can all be changed without a Cisco IOS image update.
Cisco IOS IPS ships with one of three preconfigured SDFs: 128MB.sdf, 256MB.sdf, or attack-drop.sdf. At least one of these files is available in flash memory on all Cisco IOS IPS-enabled routers that are shipped with Cisco IOS Software Release 12.3(14)T or higher. These SDFs contain the latest high-fidelity (low false positives) worm/virus/IM/peer-to-peer (P2P) blocking signatures for detecting security threats, allowing easier deployment and signature management for the user. Pre-built SDFs provide a good starting point—users do not have to create their own SDFs from scratch from the wide range of signatures available in Cisco IOS Software. Signatures can be appended or modified from these SDFs.
New signatures that are created by Cisco will be posted to Cisco.com at http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup. The latest signatures can be downloaded and merged with existing signatures on the router. This can be done with Cisco management tools like Cisco SDM and the Cisco Management Center for IPS Sensors. How a customer selects signatures will depend on several factors, including what the customer is trying to protect, and the type of signature, memory, and platforms. However, it is not recommended to load all signatures without looking at the platform, memory, or type of signature.
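As an added illustration (not part of this data sheet), the following Cisco IOS configuration fragment loads the prebuilt attack-drop.sdf from flash, applies the resulting IPS rule inbound on a branch WAN interface, and tunes one signature without an image change. It assumes the 12.3(14)T-era `ip ips` command syntax; the rule name BRANCH-IPS and interface Serial0/0 are placeholders.

```cisco
! Point Cisco IOS IPS at the high-confidence SDF shipped in flash
ip ips sdf location flash:attack-drop.sdf
!
! If the SDF cannot be loaded, stop forwarding rather than pass traffic uninspected
ip ips fail closed
!
! Report signature matches over SDEE so SDM or the Management Center can collect them
ip ips notify sdee
ip sdee events 500
!
! Create the IPS rule and apply it on the branch WAN link, inbound from the outside
ip ips name BRANCH-IPS
interface Serial0/0
 ip ips BRANCH-IPS in
!
! Tune an individual signature from the loaded SDF (here: disable signature 2004, sub-signature 0)
ip ips signature 2004 0 disable
!
! Verify which SDF, engines and signatures are active after the change
! show ip ips configuration
! show ip ips signatures
```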
SIGNATURE MICRO ENGINES
Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDFs and scan signatures. Each engine is customized for the protocol and fields it is designed to inspect and defines a set of legal parameters that have allowable ranges or sets of values. The SMEs look for malicious activity in a specific protocol, using a parallel signature scanning technique to scan for multiple patterns within an SME at any given time.
ATTACK MITIGATION
Cisco IOS IPS is typically used in a distributed IPS mitigation fashion. In a typical Cisco IOS router network, routers are deployed throughout the network, including all entry points from outside networks, such as remote VPN branch offices, partner-connected links, and telecommuter remote-access connections. Cisco IOS IPS gives customers the ability to detect attempts from outside hackers trying to use these remote locations as a backdoor into the protected network. Cisco IOS IPS will detect such attacks before they can move farther into the network by providing early detection at the distributed remote connections. Examples of attacks (worms and viruses) that can be detected by Cisco IOS IPS:
• ANTS, Bagle, MyDoom, Netsky, Agobot, Minmai, Klez, Sober, Zotob, Norvag, Phatbot, MyTob, GaoBot, Blaster, W2K RPC DoS, ZAFI.D, Slapper, Apache/mod_ssl, Slammer, Agobot, GaoBot, Blaster, Phatbot, Nachi, Ping Tunnel
MANAGEMENT
Cisco SDM 2.2 and the Cisco Management Center for IPS Sensors 2.2, which is a component of CiscoWorks VMS, can be used to fully manage the IPS features running on Cisco IOS routers. This includes tuning existing signatures on the router, creating custom signatures, adding new signatures, and—in the case of Cisco Management Center for IPS Sensors 2.2—deploying signatures to a large number of routers.
FOR MORE INFORMATION
For more information about Cisco IOS IPS, visit http://www.cisco.com/go/iosips or contact your local Cisco account representative.