Chapter 44
Configuring IOS IPS Routers
User Guide for Cisco Security Manager 4.4
OL-28826-01
Some Cisco IOS routers, such as integrated services routers (ISRs), include native IPS capabilities based
on IPS 5.1 software. You can configure some basic IPS inspection on these devices to supplement IPS
sensor inspection or to support small networks.
This chapter contains the following topics:
Understanding Cisco IOS IPS, page 44-1
Overview of Cisco IOS IPS Configuration, page 44-3

Understanding Cisco IOS IPS

You can use Cisco Security Manager with the Cisco IOS Intrusion Prevention System (IOS IPS) to
manage intrusion prevention on Cisco routers that use supported Cisco IOS Software releases
12.4(11)T2 and higher.
The Cisco IOS IPS acts as an in-line intrusion prevention sensor, watching packets and sessions as they
flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When
it detects suspicious activity, it responds before network security can be compromised and logs the event
through Cisco IOS syslog messages or Security Device Event Exchange (SDEE).
You can configure Cisco IOS IPS to choose the appropriate response to various threats. The Signature
Event Action Processor (SEAP) can dynamically control actions that are to be taken by a signature event
on the basis of parameters such as fidelity, severity, or target value rating. You can configure these
actions in Security Manager through the Signatures and Event Actions policies.
When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as
appropriate:
Send an alarm to a syslog server or a centralized management interface.
Drop the packet.
Reset the connection.
Deny traffic from the source IP address of the attacker for a specified amount of time.
Deny traffic on the connection for which the signature was seen for a specified amount of time.
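Added example (not from this user guide or from Cisco): a small Python model of how a SEAP-style policy turns a signature's severity, fidelity and the target value rating into a risk rating and then selects actions from the list above. The risk-rating formula, the severity and target-value tables, the override thresholds and the IOS IPS action names are assumptions for illustration, not values stated in this chapter.

```python
"""Model of how a SEAP-style policy picks event actions from a risk rating."""
from typing import Dict, List, Tuple

# Attack severity rating (ASR) and target value rating (TVR) tables, assumed from the
# IPS 5.x risk-rating definition; these numbers are not stated in this chapter.
SEVERITY: Dict[str, int] = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE: Dict[str, int] = {"zero": 50, "low": 75, "medium": 100, "mission-critical": 150}


def risk_rating(severity: str, fidelity: int, target_value: str) -> int:
    """Risk rating RR = ASR * SFR * TVR / 10000 (IPS 5.x formula, assumed)."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0-100")
    return SEVERITY[severity] * fidelity * TARGET_VALUE[target_value] // 10000


# Hypothetical event-action override policy: an action is added to every event whose
# risk rating reaches the threshold. Action names follow IOS IPS usage (assumed).
OVERRIDES: List[Tuple[int, str]] = [
    (90, "deny-packet-inline"),       # drop the packet
    (90, "deny-connection-inline"),   # deny the connection for a period of time
    (100, "deny-attacker-inline"),    # deny the attacker's source IP for a period of time
]


def select_actions(severity: str, fidelity: int, target_value: str,
                   signature_actions: Tuple[str, ...] = ("produce-alert",),
                   enabled: bool = True) -> Tuple[int, List[str]]:
    """Return (risk rating, sorted actions) for one matched signature.

    A signature disabled after a false positive still has a rating but yields no actions.
    """
    rr = risk_rating(severity, fidelity, target_value)
    if not enabled:
        return rr, []
    actions = set(signature_actions)
    for threshold, action in OVERRIDES:
        if rr >= threshold:
            actions.add(action)
    return rr, sorted(actions)


if __name__ == "__main__":
    # The same high-severity, fidelity-85 signature seen against hosts of different value.
    for tvr in ("medium", "mission-critical"):
        print(tvr, select_actions("high", 85, tvr))
```

The point the model makes is that one signature match can be alert-only on an ordinary host but drop and deny on a mission-critical one, without editing the signature itself.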
Cisco developed its Cisco IOS software-based intrusion-prevention capabilities and Cisco IOS Firewall
with flexibility in mind, so that individual signatures could be disabled in case of false positives.
Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support network security
policies. However, each of these features can be enabled independently and on different router interfaces.