1-12
Installing Cisco Intrusion Prevention System Appliances and Modules 5.0
78-16124-01
Chapter 1 Introducing the Sensor
Modules
Introducing IDSM-2
The Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2) is a switching module that performs intrusion prevention in the Catalyst 6500 series switch and 7600 series router. You can use the CLI or IDSM to configure IDSM-2. You can configure IDSM-2 for promiscuous or inline mode.
IDSM-2 performs network sensing—real-time monitoring of network packets through packet capture and analysis. IDSM-2 captures network packets and then reassembles and compares the packet data against attack signatures indicating typical intrusion activity. Network traffic is either copied to IDSM-2 based on security VACLs in the switch or is copied to IDSM-2 through the switch’s SPAN port feature. These methods route user-specified traffic to IDSM-2 based on switch ports, VLANs, or traffic type to be inspected (see Figure 1-3).
Figure 1-3 IDSM-2 Block Diagram
IDSM-2 searches for patterns of misuse by examining the data portion of network packets, the header portion, or both. Content-based attacks carry potentially malicious data in the packet payload, whereas context-based attacks carry potentially malicious data in the packet headers.
You can configure IDSM-2 to generate an alert when it detects potential attacks. Additionally, you can
configure IDSM-2 to transmit TCP resets on the source VLAN, generate an IP log, and/or initiate
blocking countermeasures on a firewall or other managed device. Alerts are generated by IDSM-2
through the Catalyst 6500 series switch backplane to the IPS manager, where they are logged or
displayed on a graphical user interface.
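The following is an added example, not code from Cisco or from this guide. It models the inspection pipeline the two preceding paragraphs describe: the copied traffic (VACL capture or SPAN) is grouped per flow and reassembled, context signatures are matched against header fields, content signatures are matched against the reassembled payload, and each match carries the configured response actions (alert, TCP reset, IP log). The signature ids, names, addresses and segments are constructed for the example. The `reassembly=False` path is included only to show what per-packet matching misses when a pattern is split across two segments.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    """One captured TCP segment, i.e. the copy that VACL capture or SPAN delivers."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flag letters, e.g. "S", "SA", "PA"
    seq: int         # relative sequence number of the first payload byte
    payload: bytes


@dataclass
class Signature:
    sig_id: int
    name: str
    kind: str                        # "context": match header fields; "content": match payload
    actions: Tuple[str, ...]         # configured responses, e.g. ("alert", "tcp-reset", "ip-log")
    pattern: bytes = b""             # used by content signatures
    header: Dict[str, object] = field(default_factory=dict)  # used by context signatures


FlowKey = Tuple[str, int, str, int]


def flow_key(seg: Segment) -> FlowKey:
    return (seg.src, seg.sport, seg.dst, seg.dport)


def reassemble(segments: List[Segment]) -> bytes:
    """Order one flow's segments by sequence number and join their payloads."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def inspect(segments: List[Segment], signatures: List[Signature],
            reassembly: bool = True) -> List[Tuple[int, FlowKey, Tuple[str, ...]]]:
    """Return (signature id, flow, actions) for every match.

    Context signatures are evaluated per packet; content signatures are
    evaluated against the reassembled stream of each flow (or, with
    reassembly=False, against each payload on its own, to show what is missed).
    """
    alerts = []
    for seg in segments:
        for sig in signatures:
            if sig.kind == "context" and all(
                getattr(seg, fld) == val for fld, val in sig.header.items()
            ):
                alerts.append((sig.sig_id, flow_key(seg), sig.actions))

    flows: Dict[FlowKey, List[Segment]] = {}
    for seg in segments:
        flows.setdefault(flow_key(seg), []).append(seg)
    for key, segs in flows.items():
        data = [reassemble(segs)] if reassembly else [s.payload for s in segs]
        for sig in signatures:
            if sig.kind == "content" and any(sig.pattern in d for d in data):
                alerts.append((sig.sig_id, key, sig.actions))
    return alerts


# Constructed sample signatures (ids and names are made up for this example).
SIGNATURES = [
    Signature(1001, "SYN and FIN set together", "context", ("alert",),
              header={"flags": "SF"}),
    Signature(2001, "/etc/passwd in HTTP request", "content",
              ("alert", "tcp-reset", "ip-log"), pattern=b"/etc/passwd"),
]

# Constructed sample capture: one segment with an anomalous flag combination,
# plus one HTTP request whose two segments arrive out of order and split the
# pattern across them.
CAPTURED = [
    Segment("10.1.1.5", 40000, "10.2.2.80", 80, "SF", 0, b""),
    Segment("10.1.1.7", 40001, "10.2.2.80", 80, "PA", 9, b"passwd HTTP/1.0\r\n\r\n"),
    Segment("10.1.1.7", 40001, "10.2.2.80", 80, "PA", 0, b"GET /etc/"),
]

if __name__ == "__main__":
    for sid, flow, actions in inspect(CAPTURED, SIGNATURES):
        print(f"sig {sid} on {flow}: {', '.join(actions)}")
    print("without reassembly:", inspect(CAPTURED, SIGNATURES, reassembly=False))
```

Run as-is, the reassembled inspection reports both the header-based match (signature 1001) and the payload-based match (signature 2001); disabling reassembly drops the content match because neither segment on its own contains the full pattern, which is why the guide stresses that IDSM-2 reassembles before comparing against signatures.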
Introducing NM-CIDS
The Cisco Intrusion Detection System Network Module (NM-CIDS) integrates the Cisco IDS
functionality into a branch office router. With NM-CIDS, you can implement full-featured IDS at your
remote branch offices. You can install NM-CIDS in any one of the network module slots on the Cisco
2600, 3600, and 3700 series routers. NM-CIDS can monitor up to 45 Mbps of network traffic. See Software and Hardware Requirements, page 8-2, for a list of supported routers. Only one NM-CIDS is supported per router.
Figure 1-4 on page 1-13 shows the router in a branch office environment.
[Figure 1-3 labels: Cisco 6500 switch; IDSM-2; switch backplane; copied VACL traffic or SPAN traffic to IDSM-2 monitor port; alarms and configuration through IDSM-2 command and control port; IPS management console; source traffic; destination traffic]