Beginning in October 2009, students will be required to demonstrate mastery of the Cisco IOS Intrusion Prevention System (IPS) for the CCIE R/S track. This blog post introduces candidates to this relatively new security feature. Note this series of blog posts will focus on Tier 1 knowledge. This information allows mastery for the Core Knowledge section and builds a foundation for later mastery at the Command Line Interface.
Intrusion Prevention replaces mere Intrusion Detection from previous IOS versions. IDS for the IOS was certainly nice (you get alerted when a security attack is occurring), but obviously, stopping an attack is much more powerful.
The first thing to master about IOS IPS is that, like the Cisco IPS appliances, this technology is signature-based. A signature is a "definition" of an attack type: a pattern that identifies a known attack. Cisco places these definitions on the IOS router using an SDF, a Signature Definition File. Although it is not a huge consideration in the CCIE R/S lab, realize that in the "real world" routers come with default, built-in signatures, and administrators can download updated SDF files from Cisco. The graphical user interface called the SDM (Cisco Router and Security Device Manager) automates the process of finding, downloading, and installing the latest and greatest SDF files.
Just like the "big brother" appliances, the Cisco IOS IPS device can respond to suspected attack packets in a variety of ways. These responses include:
- Log the event as a Cisco IOS syslog message
- Log the event in SDEE (Security Device Event Exchange), Cisco's security event message format
- Drop the packet
- Reset the connection
- Deny traffic from the source IP address or connection for a specified amount of time
Cisco IOS IPS systems often require careful tuning in order to balance administrator workload with acceptable levels of network protection. The language of tuning the sensor centers around four commonly confused terms - False Positive, False Negative, True Positive, and True Negative.
In order to master these terms, just remember these things: any term that includes False is a BAD THING, while True is a GOOD THING; and Positive refers to an event/signature being triggered, while Negative refers to an event/signature not being triggered. With these facts in mind, notice how easy it is to master these terms:
- False Positive - an event was triggered, but the traffic was not actually an attack
- False Negative - an event was not triggered, but the traffic was actually an attack
- True Positive - an event was triggered, and the traffic was actually an attack
- True Negative - an event was not triggered, and the traffic was not an attack
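To make the four terms concrete, here is an added example (not part of the original post) that buckets IPS alerts against known ground truth and then reports which signatures generate enough false positives to be tuning candidates. The alert layout, the signature numbers, the addresses and the ground-truth table are all constructed for this example, not taken from a real router.

```python
import re
from collections import Counter

# Constructed sample alerts in an IOS-IPS-style syslog layout (the exact field
# format is assumed for this example, not copied from a real device).
ALERTS = [
    "%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.5:0 -> 10.2.2.2:0]",
    "%IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:100 TCP Window DoS [10.1.1.9:4444 -> 10.2.2.2:80]",
    "%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.7:0 -> 10.2.2.2:0]",
]
# Constructed ground truth: every flow the sensor inspected, True if it really
# was attack traffic (in practice this comes from incident analysis).
FLOWS = {
    ("10.1.1.5", "10.2.2.2"): False,  # monitoring station's ping, benign
    ("10.1.1.9", "10.2.2.2"): True,   # real DoS attempt
    ("10.1.1.7", "10.2.2.2"): False,  # another benign ping
    ("10.1.1.3", "10.2.2.2"): True,   # attack that matched no signature
    ("10.1.1.8", "10.2.2.2"): False,  # benign traffic, no alert
}
ALERT_RE = re.compile(r"Sig:(\d+) Subsig:(\d+) .*?\[([\d.]+):\d+ -> ([\d.]+):\d+\]")

def parse_alert(line):
    """Return ((sig, subsig), (src_ip, dst_ip)) parsed from one alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("unrecognised alert line: " + line)
    return (m.group(1), m.group(2)), (m.group(3), m.group(4))

def classify(alerts, flows):
    """Bucket every inspected flow into TP/FP/FN/TN; also count FPs per signature."""
    fired = {}  # flow -> signature that triggered on it
    for line in alerts:
        sig, flow = parse_alert(line)
        fired[flow] = sig
    counts, fp_by_sig = Counter(), Counter()
    for flow, is_attack in flows.items():
        triggered = flow in fired
        if triggered and is_attack:
            counts["TP"] += 1
        elif triggered:
            counts["FP"] += 1            # noise that costs administrator time
            fp_by_sig[fired[flow]] += 1
        elif is_attack:
            counts["FN"] += 1            # missed attack: the dangerous case
        else:
            counts["TN"] += 1
    return dict(counts), dict(fp_by_sig)

def tuning_candidates(fp_by_sig, min_false_positives=2):
    """Signatures whose false-positive count suggests they need retuning."""
    return sorted(s for s, n in fp_by_sig.items() if n >= min_false_positives)
```

On the constructed data the ICMP echo signature fires twice on benign pings and so surfaces as the tuning candidate, while the unmatched attack from 10.1.1.3 is the false negative that tuning must not introduce.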
We hope you have enjoyed Part 1 of this blog series, and thank you for reading! While all of our Security Track products already cover this feature, the R/S Track products are currently being updated with Tier 1, 2, and 3 information as appropriate.