Intrusion Detection System (IDS)

An intrusion detection system (IDS) device inspects all network activity passing through it and identifies suspicious patterns that might indicate an attack on the network or on a device. IDSs can be categorized in three ways.

Misuse detection vs. anomaly detection

With misuse detection, the IDS analyzes the data stream and compares it to databases of known attack signatures. The IDS can only look for previously documented, specific attacks. This is similar to the process many virus-scanning programs use, and, like those programs, the protection is only as good as the database of attack signatures available.

In anomaly detection (or profile detection), the administrator defines the baseline profile of the “normal” network traffic characteristics. The IDS monitors network segments and compares their state to the baseline, looking for deviations or anomalies.

Network-based vs. host-based systems

With network-based systems (NIDS), such as the Cisco IDS 4200 Series appliances, the individual packets flowing through a network are analyzed by dedicated devices. As specialty devices, NIDS have been optimized to detect suspicious packets that a firewall’s filtering rules typically overlook.

A host-based system is IDS software configured on key resources such as servers, routers, or switches to examine activity on that device.

Passive system vs. reactive system

When a passive system detects a potential security threat, it logs the pertinent information and signals an alert message.

A reactive system logs the event and sends out the alert but, at the same time, responds by blocking traffic from the suspected malicious source.

This capability to react to an evolving threat allows IDS implementations to provide protection beyond that of a firewall without IDS features. Furthermore, firewalls tend to be configured to look for bad traffic coming into the network, but remain oblivious to internal traffic. IDS can simultaneously protect the network from internal and external threats.
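The anomaly-detection and passive-versus-reactive distinctions above are easy to see in a small model. The following Python is an added example, not code from the book or from Cisco: it keeps an administrator-defined baseline profile (mean and standard deviation of per-source bytes per minute, plus the expected server ports), flags deviations from it, and runs the same traffic through a passive sensor (log and alert only) and a reactive one (log, alert, and shun the source). The baseline figures, addresses and flow records are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class FlowRecord:
    minute: int      # sampling interval the record falls in
    src: str         # source address
    dst_port: int
    nbytes: int


# Constructed baseline: bytes one source sent per minute on this segment during a
# "normal" observation period, and the server ports the administrator expects.
BASELINE_SAMPLES = [1200, 1350, 1100, 1280, 1400, 1190, 1320, 1250, 1380, 1210]
BASELINE_PORTS = {80, 443}


class Profile:
    """The administrator-defined picture of normal traffic."""

    def __init__(self, samples, ports):
        self.mu = mean(samples)
        self.sigma = pstdev(samples) or 1.0   # guard against a perfectly flat baseline
        self.ports = set(ports)

    def zscore(self, value):
        """Standard deviations a per-minute volume sits above or below the baseline."""
        return (value - self.mu) / self.sigma


class AnomalyIDS:
    """Passive mode logs and alerts; reactive mode additionally shuns the source."""

    def __init__(self, profile, threshold=3.0, reactive=False):
        self.profile = profile
        self.threshold = threshold
        self.reactive = reactive
        self.alerts = []       # (minute, src, reason): what a passive sensor produces
        self.blocked = set()   # sources shunned by a reactive sensor
        self.dropped = 0       # records discarded because their source was already blocked

    def inspect(self, records):
        by_minute = defaultdict(list)
        for rec in records:
            by_minute[rec.minute].append(rec)
        # Minutes are processed in order so a block taken in minute N applies from N+1.
        for minute in sorted(by_minute):
            self._inspect_minute(minute, by_minute[minute])
        return self.alerts

    def _inspect_minute(self, minute, records):
        volume = defaultdict(int)
        ports = defaultdict(set)
        for rec in records:
            if rec.src in self.blocked:
                self.dropped += 1
                continue
            volume[rec.src] += rec.nbytes
            ports[rec.src].add(rec.dst_port)
        for src, nbytes in volume.items():
            z = self.profile.zscore(nbytes)
            unexpected = ports[src] - self.profile.ports
            if z > self.threshold:
                reason = f"volume {nbytes} B is {z:.1f} sigma above baseline"
            elif unexpected:
                reason = f"traffic to unexpected ports {sorted(unexpected)}"
            else:
                continue
            self.alerts.append((minute, src, reason))   # log and alert (passive behaviour)
            if self.reactive:
                self.blocked.add(src)                   # and block further traffic (reactive)


def constructed_traffic():
    """Four minutes of constructed flow records: two normal hosts, one volume
    anomaly (10.1.1.50) and one host talking to a port outside the profile."""
    return [
        FlowRecord(1, "10.1.1.10", 80, 1230), FlowRecord(1, "10.1.1.11", 443, 1290),
        FlowRecord(2, "10.1.1.10", 80, 1250), FlowRecord(2, "10.1.1.11", 80, 1300),
        FlowRecord(2, "10.1.1.50", 80, 8800),
        FlowRecord(3, "10.1.1.10", 80, 1260), FlowRecord(3, "10.1.1.11", 443, 1270),
        FlowRecord(3, "10.1.1.50", 80, 9100),
        FlowRecord(4, "10.1.1.10", 80, 1240), FlowRecord(4, "10.1.1.60", 23, 1240),
    ]


def run(reactive):
    ids = AnomalyIDS(Profile(BASELINE_SAMPLES, BASELINE_PORTS), reactive=reactive)
    ids.inspect(constructed_traffic())
    return ids


if __name__ == "__main__":
    for mode in (False, True):
        ids = run(mode)
        print("reactive" if mode else "passive", ids.alerts, "dropped:", ids.dropped)
```

Run both modes and compare: the passive sensor reports the anomalous host in minutes 2 and 3 and the unexpected Telnet traffic in minute 4, while the reactive sensor reports the anomalous host once, drops its minute-3 record, and ends with two sources blocked. The trade-off the text describes is visible in the reactive run: a false positive on the baseline would cut off a legitimate source just as decisively.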

IOS Firewall Intrusion Detection System

The IOS Firewall IDS feature acts as an inline sensor, watching packets and sessions as they flow through the router, scanning each for pattern matches to any known IDS signatures. When packets in a session match a signature, the IDS system can be configured to do the following:

  • Send an alarm to a Syslog server and/or to a Cisco Secure IDS Director centralized management device (formerly the NetRanger system).

  • Discard the packet.

  • Reset the TCP connection.

While enabling both the firewall and intrusion detection features of the CBAC security engine to support a network security policy is preferable, each of these features can be enabled independently and on different router interfaces.

Devices Supporting the IOS Firewall IDS Features

Cisco IOS software-based intrusion detection is available on the Cisco uBR900, 1720, 2600, 3600, 7100, 7200, and 7500 series routers, and the RSM for Catalyst 5000 switches.

The IDS technology has been included with the firewall feature set since version 12.1 or 12.2 of the IOS, depending on the device platform. More models might be supported later. You must choose a feature set that contains both the firewall and IDS features when you order or upgrade the device IOS: an IOS image that supports the firewall features doesn’t necessarily include the IDS technology. Figure 7-1 shows a sample of the Cisco IOS Upgrade Planner from the Cisco web site for the model 1720 router. Notice that the firewall features (FW) and the intrusion features (IDS) are available in combination with various protocols and features, such as IPX. The IOS releases with firewall features but without IDS are typically capped at version 12.0(4). Memory and flash requirements often increase, as does the cost of the IOS, when additional features are added.

Figure 7-1: Cisco CCO IOS Upgrade Planner showing IDS feature sets

The following IOS image names are the latest 1720 release for IP with the firewall features only, while the second listing includes the IDS features. The last two entries are for a 2600 and a 7000 with RSP, respectively, with each having Enterprise and IPSec features. The o indicates firewall features, while the o3 indicates firewall and IDS features.


Cisco IDS Attack Signatures

The most recent Cisco IOS Firewall IDS uses 59 attack signatures, representing a broad cross section of intrusion-detection signatures, which identify severe breaches of security and the most common network attacks and information-gathering scans. Unlike virus protection software, IDS signatures aren’t updated periodically by the system. Currently, the number of signatures only changes if a version upgrade contains any additions or deletions. The Cisco IOS Firewall IDS signatures are categorized into four types:

  • Info Atomic

  • Info Compound

  • Attack Atomic

  • Attack Compound

To understand these categories better, the signature keywords are as follows:

  • Info: Information-gathering activity, such as a port sweep.

  • Attack: Attacks attempted into the protected network, such as denial of service (DoS) attempts or the execution of illegal commands during an FTP session.

  • Atomic: Simple patterns, such as an attempt to access a specific port on a specific host.

  • Compound: Complex patterns, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time.

The intrusion detection signatures included in the Cisco IOS Firewall were chosen from a broad cross section of intrusion detection signatures as representative of the most common network attacks and information-gathering scans. A small sample of the signatures follows, giving the signature name, its type, and the condition that triggers it.

  • IP Fragment Attack (Attack, Atomic). Triggers when any IP datagram is received with the More Fragments flag set to 1 or with a nonzero value in the fragment offset field.

  • ICMP Redirect (Info, Atomic). Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect).

  • Ping of Death Attack (Attack, Atomic). Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit set, and (IP offset * 8) + (IP data length) > 65535. In other words, the IP offset plus the rest of the packet is greater than the maximum size for an IP packet.

  • Half-open SYN Attack/SYN Flood (Attack, Compound). Triggers when multiple TCP sessions are improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and e-mail servers (TCP ports 21, 23, 80, and 25, respectively).

For a complete listing and more information on IDS signatures, go to and do a search for Cisco IOS Firewall IDS Signature List, and then look through the resulting choices for the same phrase in bold.

False Positives

The signatures integrated into the IOS software monitor for severe breaches of security. They are used to watch for those data flows you wouldn’t normally expect to see in an operating network. A false positive is an erroneous report from an IDS indicating that it detected a potentially malicious pattern: the traffic appears to match a signature but is, in fact, a valid and acceptable transmission. Any intrusion detection technology can and does report false positives. This can be looked at as erring on the side of security or caution, but it can also block necessary traffic.

The IOS-based intrusion-detection features were developed with flexibility in mind, so individual signatures could be disabled in case of false positives.
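The sample signatures above, the three response actions listed earlier (alarm, discard, TCP reset), and the per-signature disable described in this section can all be modelled in one small signature engine. The following Python is an added example, not code from the book or from Cisco IOS: it decodes the IPv4, ICMP and TCP header fields the four sample signatures refer to, evaluates the three atomic signatures on each packet, keeps the per-port half-open state that the compound SYN flood signature needs, and maps each match through a configurable action table while skipping any signature the administrator has disabled. Signature ID numbers, the `info`/`attack` action table layout, the SYN threshold of three and all packets are constructed for the demonstration.

```python
import struct
from collections import defaultdict

# Signature name -> (class, form), from the sample list; numeric IDs not reproduced.
SIGNATURES = {
    "IP Fragment Attack": ("attack", "atomic"),
    "ICMP Redirect": ("info", "atomic"),
    "Ping of Death Attack": ("attack", "atomic"),
    "Half-open SYN Attack/SYN Flood": ("attack", "compound"),
}
MONITORED_TCP_PORTS = {21, 23, 25, 80}   # FTP, Telnet, SMTP, HTTP
SYN, ACK = 0x02, 0x10                    # TCP flag bits


def parse_ipv4(raw):
    """Decode just the IPv4 header fields the sample signatures look at."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, _ = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "mf": bool(flags_frag & 0x2000),    # More Fragments flag
        "offset": flags_frag & 0x1FFF,      # fragment offset, in 8-byte units
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "data_len": total_len - ihl,        # "IP data length" in the Ping of Death rule
        "payload": raw[ihl:total_len],
    }


class SignatureIDS:
    def __init__(self, actions, disabled=(), syn_threshold=3):
        self.actions = actions            # {"info": {...}, "attack": {...}} (constructed layout)
        self.disabled = set(disabled)     # signatures switched off, e.g. after false positives
        self.syn_threshold = syn_threshold
        self.half_open = defaultdict(set)  # compound state: dst port -> {(src, sport)}
        self.events = []                  # (signature, src, actions): the alarm log

    def inspect(self, raw):
        """Return the set of actions for this packet; an empty set means forward it."""
        pkt = parse_ipv4(raw)
        verdict = set()
        for name in self._matches(pkt):
            if name in self.disabled:
                continue
            acts = self.actions[SIGNATURES[name][0]]
            self.events.append((name, pkt["src"], sorted(acts)))
            verdict |= acts
        return verdict

    def _matches(self, pkt):
        if pkt["mf"] or pkt["offset"]:
            yield "IP Fragment Attack"
        if pkt["proto"] == 1 and pkt["payload"]:
            if pkt["payload"][0] == 5:
                yield "ICMP Redirect"
            if not pkt["mf"] and pkt["offset"] * 8 + pkt["data_len"] > 65535:
                yield "Ping of Death Attack"   # last fragment overruns the 65535-byte limit
        if pkt["proto"] == 6 and len(pkt["payload"]) >= 20:
            sport, dport, _, _, off_flags = struct.unpack("!HHIIH", pkt["payload"][:14])
            flags = off_flags & 0x1FF
            if dport in MONITORED_TCP_PORTS:
                key = (pkt["src"], sport)
                if flags & SYN and not flags & ACK:
                    self.half_open[dport].add(key)
                    if len(self.half_open[dport]) > self.syn_threshold:
                        yield "Half-open SYN Attack/SYN Flood"
                elif flags & ACK:
                    self.half_open[dport].discard(key)   # client ACK completes the handshake


def _addr(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ipv4(proto, payload, src="192.0.2.10", mf=False, offset=0):
    """Constructed IPv4 header (checksum left zero) followed by the payload."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, proto, 0, _addr(src), _addr("192.0.2.1"))
    return hdr + payload


def icmp(itype, data=b""):
    return struct.pack("!BBHI", itype, 0, 0, 0) + data


def tcp(sport, dport, flags):
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)


def run_demo():
    attack = {"alarm", "drop", "reset"}
    table = {"info": {"alarm"}, "attack": attack}
    ids = SignatureIDS(table, disabled={"ICMP Redirect"})   # tuned out after false positives
    out = {}
    out["echo"] = ids.inspect(ipv4(1, icmp(8)))                          # plain ping: forward
    out["redirect_disabled"] = ids.inspect(ipv4(1, icmp(5)))             # disabled: forward
    out["fragment"] = ids.inspect(ipv4(17, b"\x00" * 16, mf=True))       # UDP fragment
    out["pod"] = ids.inspect(ipv4(1, icmp(8, b"A" * 32), offset=8189))   # 65512 + 40 > 65535
    out["handshake"] = [ids.inspect(ipv4(6, tcp(40000, 25, SYN))),
                        ids.inspect(ipv4(6, tcp(40000, 25, ACK)))]      # completes; no alarm
    out["syn_flood"] = [ids.inspect(ipv4(6, tcp(50000 + i, 25, SYN))) for i in range(4)]
    out["redirect_enabled"] = SignatureIDS(table).inspect(ipv4(1, icmp(5)))
    return out, ids.events
```

Two details are worth noticing when you run it. The Ping of Death packet also satisfies the IP Fragment signature, so one datagram produces two alarm log entries; real sensors behave the same way and this is one source of noisy alarm streams. And because ICMP Redirect is an Info signature it only alarms even when enabled, whereas every Attack signature drops and resets; disabling it removes the alarm entirely, which is exactly the false-positive knob the text describes.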

Cisco Secure IDS Director Support

The Cisco IOS Firewall intrusion detection capabilities have an enhanced reporting mechanism that permits logging to the Cisco Secure IDS Director console in addition to a Syslog server to provide a consistent view of all intrusion detection sensors throughout a network. Administrators can deploy the IOS Firewall IDS to complement their existing IDS systems. This allows IDS protection to be deployed to areas that might not support a Cisco Secure IDS Sensor. The IOS Firewall IDS signature features can be deployed alongside or independent of other Cisco IOS Firewall features.

The Cisco Secure IDS consists of three components:

  • Sensor

  • Director

  • Post Office

Cisco Secure IDS Sensors, dedicated high-speed network appliances, analyze the content and context of individual packets to determine if traffic constitutes a threat. If a data stream appears unauthorized or suspicious, such as a ping sweep or a SATAN attack, the sensors can detect the policy violation in real-time, forward alarms to a Cisco Secure IDS Director management console, and remove the offender from the network.

The Cisco Secure IDS Director is a software-based management system that can monitor the activity of multiple Cisco Secure IDS Sensors located on local or remote network segments. Events are sent to the Director by an IDS Sensor or an IDSM that detects a security violation. The smid daemon on the Director interprets this event information and passes it to the nrdirmap daemon, which is responsible for displaying this information on the Director’s maps.

Depending on the severity of an alarm, the alarm icon displays in different colors: red for severe, yellow for moderate, green otherwise. The Cisco Secure IDS Director is an application that runs on either HP or Sun Solaris UNIX workstations. The Director is covered in detail in the final chapter of this book.

The Cisco Secure IDS Post Office Protocol is the communication backbone that allows Cisco Secure IDS services and hosts to communicate with each other. All communication is supported by a proprietary, connection-based protocol that can switch between alternative routes to maintain point-to-point connections.


Version 2.2.2 of the Cisco Secure IDS Director replaces the name “Cisco Secure IDS Post Office Protocol” with “Communication Service.” The version 2.2.2 Installation program replaces the nr.postofficed daemon.

Performance Implications

The impact on performance of the IOS intrusion detection features depends on the number of signatures enabled, the router platform, the overall traffic level on the router, and other features enabled on the router—such as encryption, CBAC, and so on. Because the router is working as a security device, no packets are allowed to bypass the security mechanisms. The IDS process in the IOS Firewall router acts as a filter in the packet path, searching each packet for signature matches as it passes. Because the entire packet is searched in many cases, the router must maintain state information, and in some cases application state and awareness as well.

IOS IDS vs. Cisco Secure IDS

The Cisco Secure IDS Sensor is a dedicated appliance that passively monitors the network and reacts to suspicious signatures indicating potential malicious activity. The IDS device can be configured to block this activity. The Cisco IOS-based IDS system is an integral component of the IOS software and, therefore, lies directly in the packet path, rather than being a separate appliance. The IOS IDS technology expands the perimeter protection capabilities offered by the IOS Firewall by being able to take appropriate actions on packets and data flows that appear to be malicious network activity or to violate the organization security policy.

Other differences include the following:

  • The Cisco Secure IDS Sensor device processes traffic faster than the IOS feature does, because the integrated router-based solution shares the router’s resources with its other functions.

  • The Cisco Secure IDS Sensor device includes more signatures than the intrusion detection feature on the Cisco IOS Firewall.

  • The Cisco Secure IDS Sensor device can reconfigure a Cisco router by dynamically adding an access control list to block intruders, but the IOS version can’t do this.

  • The Cisco Secure IDS Sensor device can be managed remotely by the Cisco Secure IDS Director. While the IOS version can send output to the IDS Director, it doesn’t take instructions from it.

When to Choose the Cisco IOS Firewall IDS Features

Because the IOS Firewall IDS supports intrusion detection features for a wide range of Cisco router platforms, it can make a powerful addition to any network perimeter. The features can be especially useful in locations where a router is being deployed to provide additional security between network segments, such as between the organization and a partner site.

The Firewall IDS features can provide increased protection between intranet connections, such as branch-office connections to the corporate office or even providing additional security for an internal department like an R&D program. Three examples of IOS Firewall IDS supporting the security goals of all sizes of organizations include:

  • Small and medium-sized businesses looking for a cost-effective way to add IDS features to their security policies for their network router(s).

  • Enterprise customers looking for a cost-effective way to extend their IDS security protection and policies across all network boundaries, including branch-office, intranet, and extranet perimeters.

  • Service providers that want to provide router-based managed firewall and intrusion detection services for their customers.

The IOS IDS support of the Cisco Secure IDS Director security-management system allows many routers and the Catalyst 6500 family of switches to provide additional security and visibility into the network in support of the organization’s Cisco Secure IDS appliance implementation. The Cisco Secure IDS appliance features and implementation are covered in detail in the last four chapters of this book.