Cisco Blogs

Cisco Blog > Security

Anomaly vs Vulnerability Detection Using Cisco IPS

The Cisco IPS network based intrusion prevention system (NIPS) uses signatures to detect network-based attacks. Signatures can be created in a variety of engines based on the type of network traffic being inspected. Cisco signatures have very flexible configurations. In this blog post, I will discuss the trade-offs between two basic approaches for signature configuration: anomaly detection and vulnerability detection.

With Cisco IPS, anomaly detection is a broad approach of detecting malicious network activity. Signatures written to detect broad categories of anomalous activity will catch many different attack vectors, but at a cost. The parameters of a signature designed to detect an anomaly will often put a strain on the system running Cisco IPS in the form of memory or CPU usage, limiting the number of signatures that may be enabled. They also carry a high false positive risk due to their broad approach.

Vulnerability based signatures are targeted and require less overhead. These signatures normally target one or more attack vectors associated with a specific CVE. Their engine parameters typically use less memory and impact the CPU performance less on the IPS device, permitting more signatures to be active. They also allow the user to finely tune the configuration based on the types of vulnerable systems in a user’s network. False positive risk is low if the active signature set is tuned for a user’s network environment. Read More »

Tags: , ,

ITD: Load Balancing, Traffic Steering & Clustering using Nexus 5k/6k/7k/9k

Cisco Intelligent Traffic Director (ITD) is an innovative solution to bridge the performance gap between a multi-terabit switch and gigabit servers and appliances. It is a hardware based multi-terabit layer 4 load-balancing, traffic steering and clustering solution on the Nexus 5k/6k/7k/9k series of switches.

It allows customers to deploy servers and appliances from any vendor with no network or topology changes. With a few simple configuration steps on a Cisco Nexus switch, customers can create an appliance or server cluster and deploy multiple devices to scale service capacity with ease. The servers or appliances do not have to be directly connected to the Cisco Nexus switch.

ITD won the Best of Interop 2015 in Data Center Category.

With our patent pending innovative algorithms, ITD (Intelligent Traffic Director) supports IP-stickiness, resiliency, consistent hash, exclude access-list, NAT (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS. There is no service module or external appliance needed. ITD provides order of magnitude CAPEX and OPEX savings for the customers. ITD is much superior than legacy solutions like PBR, WCCP, ECMP, port-channel, layer-4 load-balancer appliances.

ITD provides :

  1. Hardware based multi-terabit/s L3/L4 load-balancing at wire-speed.
  2. Zero latency load-balancing.
  3. CAPEX savings : No service module or external L3/L4 load-balancer needed. Every Nexus port can be used as load-balancer.
  4. Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
  5. Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
  6. IP-stickiness
  7. Resilient (like resilient ECMP), Consistent hash
  8. VIP based L4 load-balancing
  9. NAT (available for EFT/PoC). Allows non-DSR deployments.
  10. Weighted load-balancing
  11. Load-balances to large number of devices/servers
  12. ACL along with redirection and load balancing simultaneously.
  13. Bi-directional flow-coherency. Traffic from A–>B and B–>A goes to same node.
  14. Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
  15. Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
  16. The servers/appliances don’t have to be directly connected to Nexus switch
  17. Monitoring the health of servers/appliances.
  18. N + M redundancy.
  19. Automatic failure handling of servers/appliances.
  20. VRF support, vPC support, VDC support
  21. Supported on all linecards of Nexus 9k/7k/6k/5k series.
  22. Supports both IPv4 and IPv6
  23. Cisco Prime DCNM Support
  24. exclude access-list
  25. No certification, integration, or qualification needed between the devices and the Cisco NX-OS switch.
  26. The feature does not add any load to the supervisor CPU.
  27. ITD uses orders of magnitude less hardware TCAM resources than WCCP.
  28. Handles unlimited number of flows.

For example,

  • Load-balance traffic to 256 servers of 10Gbps each.
  • Load-balance to cluster of Firewalls. ITD is much superior than PBR.
  • Scale IPS, IDS and WAF by load-balancing to standalone devices.
  • Scale the NFV solution by load-balancing to low cost VM/container based NFV.
  • Scale the WAAS / WAE solution.
  • Scale the VDS-TC (video-caching) solution.
  • Scale the Layer-7 load-balancer, by distributing traffic to L7 LBs.
  • ECMP/Port-channel cause re-hashing of flows. ITD is resilient, and doesn’t cause re-hashing on node add/delete/failure.

Documentation, slides, videos:

Email Query or

Please note that ITD is not a replacement for Layer-7 load-balancer (URL, cookies, SSL, etc). Please email: for further questions.

Connect on twitter: @samar4

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

ITD Deployment with Transparent mode security devices

ITD (Intelligent Traffic Director) is getting a lot of interest about transparent (Layer 2) mode device support.

Here is a 10 minute video that shows step by step ITD deployment for Transparent mode security devices, such as Firewalls, IPS, IDS, Web application Firewalls (WAF), ASA, Cisco Sourcefire, etc:

ITD is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5k/6k/7k/9k series of switches. It supports IP-stickiness, resiliency, NAT (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS. There is no service module or external appliance needed.

Solution Guide: ITD with Layer 2 Firewall / IPS / IDS

Here is more information about ITD:

Please send email to if you have any questions.


Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Securing the IoE with OpenAppID

We introduced OpenAppID in early 2014 with the goal of empowering customers and the open source community to control application usage in their network environments. Since then, we have increased our coverage from 1,000 OpenAppID detectors to more than 2,600, and have received valuable feedback from the community on ways to improve the product.

The case of having an open, application-focused detection language and processing module for Snort has attracted the attention of the Internet of Everything (IoE) world. There are countless devices out there using the Internet on their own, varying from a remote IP based camera to an industrial based sensor in which may include some security features on them.

With the combination of OpenAppID and Snort we are giving the capability to the open source community to create their own application-based protocols and classifications, which can be used to Read More »

Tags: , , , , , ,

Security or Hybrid WAN’s? Do you need to choose?

Security is hot topic on everyone’s mind and for IT it is a constant challenge to stay ahead of the latest threats and vulnerabilities that their organizations face on a daily basis. Take a quick look at the news and it won’t take you long to find an article talking about the latest cyber attack that resulted in the leak of personal data. So what can organizations and more specifically IT teams do to protect themselves from threats and vulnerabilities. Personally I don’t think you can protect yourselves from all threats and vulnerabilities. Cyber threats will continue to exist and cyber criminals will continue to develop increasingly sophisticated attacks to evade even the most robust security barriers. Even if you were to isolate your network from the internet an intruder could overcome your physical security and launch an attack from within your organization.

So what can you do to protect yourself? I view security as a way to reduce your exposure to threats and you should at a minimum make sure you have the appropriate security measures in place to reduce your exposure to threats and vulnerabilities. While you may never be able to stay one step ahead of cyber attacks you should be in a position to detects threats and be able to mitigate them as fast as possible to reduce your exposure.

Read More »

Tags: , , , , , , , , , , , ,