Cisco Security Professional's Guide to Secure Intrusion Detection Systems

Chapter 11: Cisco Firewall/IDS IOS

Introduction

When you start implementing intrusion detection in the corporate LAN, it isn't necessary to spend a lot on IDS sensors or IDSM blades. This is even truer for networks in small offices, which don't have the budgets of larger corporations. An affordable start with intrusion detection can be made using the Firewall/IDS feature set of IOS, which a growing number of Cisco router platforms now support. Because IOS-IDS runs on existing network hardware and uses Syslog for alarm notification, it complements the existing security infrastructure without the need for new hardware or Director software. The downside of IOS-based IDS is that its capabilities are limited compared with those of dedicated IDS sensors or the IDSM: the performance of the router may suffer under the processing load of IDS, and the number of signatures supported is limited.

In this chapter, we will discuss these performance issues and look at the limitations of IOS-IDS, as well as explore which router platforms are capable of running IOS-IDS and the number of signatures IOS-IDS can identify. We will learn how to configure IOS-based IDS, see how IDS takes action when under attack, and learn how to verify and monitor an IDS configuration.

In Figure 11.1, we see some of the ways Cisco IOS-IDS can be employed within your network. Company A is using Cisco IOS-IDS to protect its LAN from attacks originating on the Internet. Company B has put IOS-IDS to use to protect a Frame-Relay link to one of...
