Here is a portion of some notes that I came across for IPS – instead of wasting away on my hard drive, I figured I would post in case some of you might enjoy. I will post more sections if I receive no hate mail :-)

I. IPS Overview

a. Detection versus Protection

i. Detection systems can do just that – detect

ii. Prevention systems can detect and prevent – risks include latency, false positives, and the risk of the device being overrun

b. Detection technologies

i. Profile based – anomaly detection – activity deviates from “normal” activity; tough to define normal, prone to a high number of false positives

ii. Signature based – pattern matching – less prone to false positives; this is the primary Cisco technology

iii. Protocol Analysis – similar to sig based but more in-depth analysis; checks the contents of the payload

c. Evasive Techniques

i. Flooding

1. flood network with noise then launch attack

ii. Fragmentation

1. break the attack up into fragments so it is harder to recognize

iii. Encryption

1. send attack through encrypted tunnel

iv. Obfuscation

1. disguise the attack to conceal it using special characters or representations
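The difference between plain pattern matching (item b.ii) and the deeper protocol analysis of item b.iii is easiest to see against the fragmentation and obfuscation evasions above. The following added example is not from the original notes and is not Cisco code: it is a small Python model in which a constructed signature (a hypothetical `../../` directory-traversal pattern) is run first per packet, then over reassembled and percent-decoded streams, and both runs are scored against constructed labels using the false/true positive and negative terms from the notes. Stream numbers, payloads and labels are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed signature set: one hypothetical pattern for a web traversal request.
SIGNATURES = {
    "web-traversal": re.compile(rb"\.\./\.\./"),
}


@dataclass
class Packet:
    stream: int     # which TCP conversation this packet belongs to (constructed id)
    seq: int        # byte offset of the payload within that stream
    payload: bytes


def naive_detect(packets):
    """Signature match on each packet in isolation (no reassembly, no decoding)."""
    hits = set()
    for p in packets:
        for name, rx in SIGNATURES.items():
            if rx.search(p.payload):
                hits.add((p.stream, name))
    return hits


def reassemble(packets):
    """Rebuild each stream in sequence order so a pattern split across packets is whole again."""
    streams = {}
    for p in sorted(packets, key=lambda p: (p.stream, p.seq)):
        streams.setdefault(p.stream, bytearray()).extend(p.payload)
    return {sid: bytes(buf) for sid, buf in streams.items()}


def normalize(data):
    """Undo percent-encoding (repeatedly, to handle double encoding) before matching."""
    def decode(m):
        return bytes([int(m.group(1), 16)])
    prev = None
    while prev != data:
        prev = data
        data = re.sub(rb"%([0-9a-fA-F]{2})", decode, data)
    return data


def protocol_aware_detect(packets):
    """Signature match after reassembly and normalization, as a protocol-analysis engine would."""
    hits = set()
    for sid, data in reassemble(packets).items():
        data = normalize(data)
        for name, rx in SIGNATURES.items():
            if rx.search(data):
                hits.add((sid, name))
    return hits


def score(hits, labels):
    """Count TP/FP/FN/TN per stream given a dict of stream -> is_malicious."""
    flagged = {sid for sid, _ in hits}
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for sid, malicious in labels.items():
        if malicious and sid in flagged:
            counts["TP"] += 1
        elif malicious:
            counts["FN"] += 1
        elif sid in flagged:
            counts["FP"] += 1
        else:
            counts["TN"] += 1
    return counts


# Constructed sample traffic: one benign request, one plain attack, one fragmented,
# one percent-encoded, and a benign request with a single "../" that must not match.
SAMPLE_PACKETS = [
    Packet(1, 0, b"GET /index.html HTTP/1.0\r\n"),
    Packet(2, 0, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet(3, 0, b"GET /../."),
    Packet(3, 9, b"./etc/passwd HTTP/1.0\r\n"),
    Packet(4, 0, b"GET /%2e%2e/%252e%252e/etc/passwd HTTP/1.0\r\n"),
    Packet(5, 0, b"GET /docs/../images/logo.png HTTP/1.0\r\n"),
]
SAMPLE_LABELS = {1: False, 2: True, 3: True, 4: True, 5: False}


if __name__ == "__main__":
    print("naive   :", score(naive_detect(SAMPLE_PACKETS), SAMPLE_LABELS))
    print("protocol:", score(protocol_aware_detect(SAMPLE_PACKETS), SAMPLE_LABELS))
```

The naive pass sees only the unfragmented, unencoded attack and records two false negatives; the reassembling, normalizing pass catches all three without adding a false positive. The cost is the state and CPU spent per stream, which is exactly the latency and overrun risk listed under a.ii for an inline sensor.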

d. Network Sensors

i. network module, 4215, AIP-SSM, 4240, 4255, IDS Blade

ii. Legacy 4210, 4235, 4250

e. Sensor Appliances

i. command and control interface – has IP address for management workstation

ii. monitoring interface – no IP address and not visible on the network

1. promiscuous mode – IDS only

2. inline mode – requires sensor OS 5.0 or higher; two or more monitoring interfaces; IPS

iii. Reliable IPS (inline IPS features)

1. Risk Rating – event severity, signature fidelity, asset value

2. High availability – HSRP, EtherChannel

3. App firewall features

4. Accurate worm mitigation through event correlation
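Item 1 above lists the three inputs to the risk rating. The following added example, not part of the original notes, shows how they combine. It uses the formula Cisco documents for IPS 5.x, RR = ASR × TVR × SFR / 10000, where ASR is the attack severity rating (25/50/75/100 for informational/low/medium/high), TVR is the target value rating for the asset (0–200, default 100) and SFR is the signature fidelity rating (0–100); the clamp to 100 and the action thresholds in `choose_action` are constructed policy values for illustration, not Cisco defaults.

```python
# Attack severity rating values per Cisco IPS 5.x documentation.
SEVERITY_TO_ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}

# Constructed target value ratings (TVR) for a few hypothetical assets; 100 is the default.
ASSET_TVR = {"lab-vm": 50, "web-frontend": 100, "payroll-db": 200}


def risk_rating(severity, fidelity, asset="web-frontend"):
    """Risk rating = ASR * TVR * SFR / 10000, clamped to the 0-100 range."""
    asr = SEVERITY_TO_ASR[severity]
    tvr = ASSET_TVR[asset]
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0-100")
    rr = asr * tvr * fidelity // 10000
    return min(rr, 100)


def choose_action(rr):
    """Constructed event-action policy keyed on the risk rating (thresholds are assumptions)."""
    if rr >= 90:
        return "deny-packet-inline"
    if rr >= 70:
        return "produce-alert"
    return "log-only"


def evaluate(severity, fidelity, asset):
    rr = risk_rating(severity, fidelity, asset)
    return rr, choose_action(rr)


if __name__ == "__main__":
    # Same high-severity signature with 85% fidelity against three assets of different value.
    for asset in ASSET_TVR:
        print(asset, evaluate("high", 85, asset))
```

The same signature firing with the same fidelity produces a log-only event on the lab VM, an alert on the web front end and an inline drop on the payroll database: the asset value, not just the signature, decides whether the sensor acts, which is what lets an inline sensor be aggressive on a few targets without raising the false-positive cost everywhere.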

iv. Defense-in-Depth

1. Host Intrusion Prevention System

v. Terminology

1. False Alarms

a. False Positive

b. False Negative

2. True Alarms

a. True Positive

b. True Negative

vi. IPS Architecture

1. Eventstore

2. Analysis Engine

3. Main App

4. Web Server

5. SSH/Telnet

6. IDAPI – communication channel between the applications

7. NAC – initiates blocking

8. Notification App – SNMP

9. Sensor Interfaces


7 Responses to “An Overview of Cisco IPS”

  1. Carlos says:

    Very good for my studies for the written.

  2. That is awesome – I will be sure to post more – and I will also enhance the above a bit since I see some elaboration is needed.

  3. [...] An Overview of Cisco IPS Here is a portion of some notes that I came across for IPS (tags: cisco security ccie reference ids ips) [...]

  4. CCIE Pilot says:

    Well if you want hate mail here it is.
    I hate if you do not post or share your brain notes to us. Hehehe.

    Thanks for sharing. Pls post all your notes if you can. ;-0

    -CCIE Pilot

  5. Andrey says:

    Nice and quite complete overview on Cisco IPS.

  6. Sor1 says:

    Thanks a lot!!!
    I was just researching what the Cisco IPS is to write my uni report. On the Cisco site, as usual, you have to read here and there through a ton of information to put together something that resembles an overview :-/

    Thanks again for this, now I have a better picture of what the IPS can do :)

  7. Manpreet Kaur says:

    Good One Thanksssss
