Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

IDS & IPS

Friends i was trying to know the differents between the IDS and the IPS so anyone can help me with it ?

3 REPLIES
New Member

Re: IDS & IPS

Hi there,

IDS as you already know Intrusion Detection System and IPS (Intrusion Prevention System).

Basic difference, IDS will only alert you, IPS will alert as well as protect you. IDS was a part of earlier IOS lower than 12.3(8)T ones, if i remeber correctly. Which could only scan for signature from packets and send a log/alert to syslog on mamagement console.

Cisco's moving towards IPS on IOS devices on and after 12.3(8)T, go for it.

IPS, prevents the attack,basically can take three action :

-Alert

-Reset : Resets TCP session

-Drop : Drop the packet altogether.

IPS does an Inline scan. Looks into each packet on parralel basis, i.e. they have something called SME's(Signature Micro Engine), categorized on protocol basis mailny, i.e., like we have many HTTP type attacks, so one SME will cover all type of HTTP signature and will check every packet in parralel to find a match in any signature for HTTP SME. This is how it works.

In IPS we can send logs to syslog, or via POP or as preffered SDEE(Security Decive Event Excahnge)

Mainly in IPS, S in abbreviation is either security or signature.

I sometimes get cofussed, well thats another part.

Seach for few abbreviated terms that I mentioned above on Cisco, you'll find lot of detail. I am also learing it.

:)

New Member

Re: IDS & IPS

thanks alot friend, it was really helpful for me but one thing else.... i have an IDS and i want to move to IPS so are there any way that i will change my IDS to the IPS and what is the requirment to that? also let say that i want to block the intrusion from a 1 network or a host what should i do to do that with IDS? shall i use SHUN or what can you provide me with this info plzz ?

thanks alot for helping

New Member

Re: IDS & IPS

Which product are you using Cisco Router? If you are I may help you, but right now as I said previously, I am too learning IPS stuff. On Cisco Router IPS starts from IOS 12.3(8)T, I read some where that it has backward compatibility with IDS, never tested it though... Once you move to any IOS version that supports IPS, its actually pretty easy to configure, apply IPS on outbound/inbound your wish. And yes, rather than I telling you commands, pick up Cisco press's SNRS guide they have all what it takes to implement IPS on Router (and in deepest detail, but enough to kick start). Cisco pulishes new definations every 2 weeks at :

http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup

get the latest signatures, apply on router, you just need to decide whether you want to reset, drop or alert, when signature pattern matches, its recommended to use reset and drop when signature pattern matches, but it may differ, according to your requirement. :)

309
Views
4
Helpful
3
Replies
CreatePlease to create content