Cisco IPS Sensor software version 6.0 is a comprehensive, end-to-end protection solution for network-based sensors that delivers the latest IPS capabilities, enhanced performance, security improvements, and a range of new enhanced features.
Cisco IPS Sensor Software protects the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of network traffic at Layers 2 through 7.
Cisco IPS Sensor Software offers intrusion detection and prevention capabilities to shield the network from multiple threats and safeguard it from both known and unknown attacks before they can affect the network.
The new software uses a unique multi-vector threat identification algorithm that can identify an extensive range of attacks using multiple inspection and classification capabilities. It also extends application intelligence to detect and prevent covert channel tunneling through common application ports such as HTTP port 80.
Cisco IPS Sensor Software supports both IDS and IPS capabilities for hybrid operation, acting simultaneously as an IDS sensor and an IPS sensor.
Cisco IPS Sensor Software is available on Cisco IPS 4200 Series appliances and on the Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2).
The following is a brief summary of some of the advanced IPS features and capabilities in the Cisco IPS Sensor OS Software Version 6.0 release:
Advanced and enhanced inline intrusion prevention functionality.
Hybrid OS with detection and prevention capabilities allowing a single sensor to operate simultaneously as an IDS sensor and an IPS sensor.
Extended application inspection technologies that allow enforcement of policy decisions based on content detected at the application layer.
Stateful pattern recognition that helps identify vulnerability-based attacks through the use of multipacket inspection across all protocols, thwarting attacks that hide within a data stream.
Detection and prevention of covert channel tunneling through common application ports such as HTTP port 80.
H225 Voice over IP (VoIP) engine to inspect the H225 protocol for attacks on multiple H.323 gatekeepers, VoIP gateways, and endpoint terminals. The engine provides deep packet inspection for call signaling messages, ensuring protocol compliance of H225 call setup messages.
Support for the inspection and mitigation of threats in MPLS environments.
Advanced traffic normalization algorithms, such as fragmentation and TCP session normalization.
Enhanced visibility into IPv6 traffic to identify attacks in IPv6 environments through the inspection of IPv4 traffic being tunneled in IPv6.
IP-in-IP detection to identify malicious traffic within mobile IP traffic.
New risk rating feature that can be used for event action overrides, adding actions based on the risk of the alert.
New Threat Rating (Enhanced Risk Rating), an extension of risk rating: the risk rating as lowered by the event actions that have been taken.
New Anomaly Detection component that creates a baseline of normal network traffic. This baseline is used to detect worm-infected hosts. Protocol Anomaly Detection identifies attacks based on observed deviations from the normal RFC behavior of a protocol or service (for example, an HTTP response without an HTTP request).
Layer 2 attack detection through identification of ARP-based attacks and man-in-the-middle attacks.
New Passive OS Fingerprinting to determine host operating systems by inspecting characteristics of the packets exchanged on the network.
A new Sensor Virtualization feature offering multiple virtual sensors running on the same appliance, each configured with different signature behavior and traffic feeds.
Improved TCP session tracking modes to help inline sensors correctly track TCP sessions in complex network configurations.