Cisco Integrated Services Routers Intrusion Prevention System Module Brochure
Solution Overview
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 10
Cisco IPS AIM Protecting the Internet-Facing (Untrusted) Interface
The Internet is one of the major sources of attacks and exploits targeting today's corporate networks. Applying IPS inspection with the Cisco IPS AIM on router interfaces connected to the Internet helps defend the corporate network against such attacks. Cisco IOS Firewall and Cisco IPS AIM are complementary features that protect against malicious traffic: Cisco IOS Firewall restricts access from the untrusted Internet and prevents intruders from bypassing the perimeter router on the telecommuter side to reach the corporate network. However, common attacks such as IP spoofing, man-in-the-middle attacks, and unauthorized access attempts can still slip through the firewall, and telecommuter devices may have been compromised elsewhere and then threaten the internal corporate network. To mitigate this threat, you can deploy IPS inspection in conjunction with the Cisco IOS Firewall on the incoming and outgoing interfaces of the perimeter router to monitor and discard malicious activity. In a typical network topology, the branch offices are the best places to enable IPS with the Cisco IPS AIM in both directions of the Internet-facing interface. A common scenario is to enable split tunneling while running VPN tunnels to the corporate network. Cisco recommends enabling IPS on the Internet traffic to protect the network from attacks and exploits that might reach the branch office or telecommuter personal computers and, through them, the corporate network.
Cisco IPS AIM Within the Internal (Trusted) Network
In today's corporate network environment, an increasing number of exploits and network attacks originate within the corporate network itself. These attacks or exploits may be deliberate or inadvertent (for example, an infected laptop brought into the office and connected to the corporate LAN). Deploying IPS within the corporate network helps mitigate such attacks and helps prevent exploits from spreading across the network. Hub-and-spoke topologies are commonly used for corporate networks. In a typical hub-and-spoke topology, the Cisco IPS AIM on the spoke routers provides distributed protection: attacks and exploits from one branch office do not spread throughout the rest of the network. The WAN link is also spared from congestion caused by worms and denial-of-service (DoS) attacks, preserving valuable bandwidth for legitimate business traffic. In addition, the hub router does not have to process the attacks and exploits from every branch office, leaving more CPU power and memory for other tasks. Deploying Cisco IPS as close as possible to the entry point of the network mitigates attacks and exploits before they spread farther into the network. By combining Cisco IPS with IP Security (IPsec) VPN, Cisco Network Admission Control (NAC), and Cisco IOS Firewall, a Cisco router can perform encryption, firewall, and traffic inspection at the point of entry into the network, an industry first. This setup reduces the number of additional devices needed to support the system, reduces operating and capital expenditures, and enhances security.
Packet Flow
Packets traverse a router in a particular order, and services and features are executed in a specific sequence. Understanding this order and sequence is critical to a successful IPS deployment, because a feature that runs before IPS inspection (for example, decryption or NAT) determines what the sensor actually sees. Packet flow differs slightly between promiscuous and inline IPS modes, as well as between the ingress and egress paths (Figures 2 and 3).

Figure 2. Packet Flow for Inline Mode (figure not reproduced on this page)