Cisco IOS Firewall IDS

Intrusion detection has been available as part of the Cisco IOS Firewall from the 12.05(T) release. The IDS capabilities are only available on the midrange to high-end router platforms. These include the following platforms, with more scheduled for release in the near future:

  • Cisco 1700

  • Cisco 2600

  • Cisco 3600

  • Cisco 7100

  • Cisco 7200

Once the router has the Cisco IOS Firewall IDS features installed and enabled, the router acts as an IDS sensor. The router passively monitors and analyzes all packet flow through the router and checks this data against the installed and configured IDS signatures. If suspicious activity is detected, the router can be configured to

  • Send an alarm to a management platform— In this instance, either a syslog server or the Cisco Secure IDS Director can be used to receive the alarm.

  • Drop the packet— The packet is dropped from the router and not forwarded to its destination interface.

  • Reset the TCP connection— The reset function will send a packet with the RST (Reset) flag set to both the source and destination. This will terminate the current session between the hosts.

Fifty-nine default IDS signatures are available for use with the Cisco IOS Firewall IDS. These can be disabled on a signature-by-signature basis if they do not fit the requirements of the network design.
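As an added example (not text or configuration from the page), the following Cisco IOS configuration fragment shows how the alarm, drop and reset actions and the per-signature disable described above are expressed with the IOS Firewall IDS `ip audit` command family. The interface name, addresses, the audit-rule name `PERIM`, the PostOffice host and organization IDs, and the signature ID are constructed or assumed values, not taken from the page.

```cisco
! Added example (not from the page): Cisco IOS Firewall IDS configuration
! using the "ip audit" commands. Addresses, IDs and names are constructed.
!
! --- Alarm destinations: a syslog server and a Cisco Secure IDS Director ---
! Constructed syslog server address
logging 192.0.2.20
! Send alarms to syslog
ip audit notify log
! Also send alarms to the IDS Director over the PostOffice protocol
ip audit notify nr-director
! PostOffice identity of this router and of the Director (constructed values)
ip audit po local hostid 55 orgid 100
ip audit po remote hostid 10 orgid 100 rmtaddress 192.0.2.50 localaddress 192.0.2.1
!
! --- Audit rule "PERIM": what to do when a signature fires ---
! Informational signatures only raise an alarm; attack signatures raise an
! alarm, drop the packet and reset the TCP session (the three actions above).
ip audit name PERIM info action alarm
ip audit name PERIM attack action alarm drop reset
!
! --- Disable one default signature that does not fit this network ---
! 2004 is assumed here to be the ICMP Echo Request signature; verify the ID
! against the signature list for your IOS release before disabling it.
ip audit signature 2004 disable
!
! --- Apply the rule to inbound traffic on the perimeter interface ---
interface Serial0/0
 ip audit PERIM in
```

The `info`/`attack` split lets noisy informational signatures stay alarm-only while attack signatures get the disruptive drop and reset actions; `show ip audit configuration` and `show ip audit statistics` confirm which rules are applied and how often signatures fire.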

The Cisco IOS Firewall IDS features can improve perimeter security by adding visibility of network intrusion attempts at the perimeter. Network-based IDS sensors listen to traffic passing on the network segment they are attached to, whereas a router receives and processes all inbound and outbound traffic to and from a network.

The Cisco IOS Firewall IDS complements an existing Cisco Secure IDS installation and can act as a perimeter-based sensor, reporting as the IDS Sensor does to the IDS Director.

One drawback of using the Cisco IOS Firewall IDS is that it can reduce the performance of your router due to the heavy workload in running the IDS software.
