The Cisco IOS IDS technology works as an inline sensor,
monitoring packets as they travel between the router’s interfaces. If a packet,
or group of packets, in a session matches an active signature, the IOS IDS can
perform any or all of the following actions based on the predefined router
configuration.
Two basic steps are necessary to set up the packet auditing process for the Cisco IOS Firewall IDS router:
- Create an audit rule specifying which signatures are to be applied to packet traffic and the specific action(s) to take when a match is found.
- Apply the audit rule to a router interface, specifying a traffic direction (in or out).
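The two steps above as a concrete router configuration, added here as an example and not taken from the page: the audit rule name IDS-EDGE, the interface FastEthernet0/0 and the description are assumptions, and the command syntax is the classic IOS Firewall IDS `ip audit` syntax.

```cisco
! Added example (not from the page). Rule name, interface and
! description are assumed values.
!
! --- Step 1: create the audit rule ---
! Send IDS events to the router's syslog/console log
ip audit notify log
! Informational signatures: alarm only
ip audit name IDS-EDGE info action alarm
! Attack signatures: alarm, drop the packet and reset the TCP session
! (drop and reset are used together, as the text recommends)
ip audit name IDS-EDGE attack action alarm drop reset
!
! --- Step 2: apply the rule to an interface with a direction ---
interface FastEthernet0/0
 description Outside link (assumed)
 ip audit IDS-EDGE in
!
! Verify: defined rules, where they are applied, and match counters
! show ip audit configuration
! show ip audit interfaces
! show ip audit statistics
```

Inbound auditing on the outside interface inspects traffic before any other interface sees it; applying the same rule with `out` on an inside interface would audit the same flows a second time.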
As packets pass through an interface covered by the audit rule, they’re monitored by a series of audit modules in the following order:
- IP module
- TCP, UDP, or ICMP modules (as appropriate)
- Application-level modules
If a pattern matching a known signature is found by any audit
module, then the following action(s) occur, based on the instructions included
in the router configuration. Any or all of the actions can be configured.
Note: Cisco recommends the drop and reset actions be used together.
If multiple signature matches occur as a packet is processed by a module, only the first match triggers the specified action: the packet is either discarded (drop) or moved immediately to the next audit module (alarm or reset). Additional matches in other modules can trigger additional alarms, but only one per audit module. This distinguishes the IOS IDS implementation from the Cisco Secure IDS Sensor appliance, which identifies all signature matches for each packet.