2006-03-24

So today I got my hands on our Cisco Intrusion Prevention System (IPS) server. I don't know all the features yet, but from the outside it's literally just Linux on a Dell PowerEdge server. When you log in to the box you don't get a shell; it drops you into this Cisco environment where you can issue a bunch of commands like

packet display fa0/0

which just runs tethereal and displays packets in real time. This isn't impressive, since you can run tcpdump or tethereal on the command line and get the exact same effect. This isn't the IPS's main feature, however; it's just one tool an admin can use to see what's going on.

Once you've fully configured the IPS server the real fun begins. It will analyze *all* traffic on your network and can automatically push ACL updates to your PIX, switch or router. You can set up event action filters, and use built-in and custom signatures together with the risk rating the IPS calculates for each event to automatically deny packets that have a strong probability of being malicious. Before turning any of that on, you can run it in a monitoring-only mode: the IPS logs the packets it flags as possible attacks but takes no action on them. That gives you a better idea of what the IPS actually sees, since false positives are inevitable. Once tuned, though, I see this device being very helpful in keeping a 24/7 watchdog on what's entering our network.
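To make the tuning workflow concrete, here is a small Python model of the event pipeline described above: signature ratings combined with a per-host target value into a risk rating, an override that adds a blocking action above a threshold, event action filters that subtract that action for known-noisy sources, and an alert-only phase in which nothing is blocked. This is an added example, not code from the post or from Cisco. The risk rating formula RR = ASR x TVR x SFR / 10000 is the form Cisco documents for IPS 5.x, but the exact weights, the target value table, the signature IDs, the addresses and the ACL syntax are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Target value rating (TVR) per asset class. Constructed values modelled on the
# Cisco IPS ranges; treat the exact numbers as an assumption.
TARGET_VALUE: Dict[str, int] = {
    "zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200,
}


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: int   # attack severity rating (ASR), 0-100, set by the signature
    fidelity: int   # signature fidelity rating (SFR), 0-100, how specific it is


@dataclass(frozen=True)
class Alert:
    sig: Signature
    src: str
    dst: str
    target_value: str = "medium"   # admin-assigned class of the destination host


def risk_rating(alert: Alert) -> int:
    """RR = ASR * TVR * SFR / 10000 (IPS 5.x form; exact weights are an assumption)."""
    return alert.sig.severity * TARGET_VALUE[alert.target_value] * alert.sig.fidelity // 10000


@dataclass(frozen=True)
class EventActionFilter:
    """Strips actions from alerts matching a source prefix and signature set.
    This is how a known-noisy source (your own vulnerability scanner, a signature
    that misfires on one application) is tuned out without disabling the signature."""
    name: str
    src_prefix: str               # plain string prefix match, e.g. "10.0.5." (constructed)
    sig_ids: Optional[Set[int]]   # None matches any signature
    remove: Set[str]              # actions to subtract, e.g. {"block-host"}

    def matches(self, alert: Alert) -> bool:
        if not alert.src.startswith(self.src_prefix):
            return False
        return self.sig_ids is None or alert.sig.sig_id in self.sig_ids


@dataclass
class Sensor:
    enforce: bool = False        # False = tuning phase: log and alert, never block
    block_threshold: int = 90    # RR at or above which the override adds block-host
    filters: List[EventActionFilter] = field(default_factory=list)
    acl: List[str] = field(default_factory=list)   # models the ACL pushed to the PIX/router

    def process(self, alert: Alert) -> dict:
        rr = risk_rating(alert)
        actions = {"produce-alert"}
        # Event action override: anything risky enough gets the blocking action.
        if rr >= self.block_threshold:
            actions.add("block-host")
        # Filters run after the override and subtract actions.
        hit = [f.name for f in self.filters if f.matches(alert)]
        for f in self.filters:
            if f.matches(alert):
                actions -= f.remove
        # In the tuning phase nothing is blocked, whatever the rating says;
        # the alert log is what you review to find the false positives.
        if not self.enforce:
            actions.discard("block-host")
        if "block-host" in actions:
            self.acl.append(f"access-list ips-block deny ip host {alert.src} any")
        return {"rr": rr, "actions": sorted(actions), "filters": hit}


# Constructed sample signatures and traffic; IDs and addresses are made up.
SIG_EXPLOIT = Signature(60001, "constructed-buffer-overflow-attempt", severity=100, fidelity=85)
SIG_SWEEP = Signature(60002, "constructed-tcp-host-sweep", severity=25, fidelity=100)


def run_demo() -> Tuple[List[Tuple[dict, dict]], List[str]]:
    """Run the same alerts through a tuning-phase sensor and an enforcing one."""
    scanner_filter = EventActionFilter(
        "internal-scanner", "10.0.5.", {SIG_EXPLOIT.sig_id, SIG_SWEEP.sig_id}, {"block-host"})
    traffic = [
        Alert(SIG_EXPLOIT, "198.51.100.7", "10.0.1.20", "high"),    # internet -> server
        Alert(SIG_EXPLOIT, "198.51.100.7", "10.0.9.4", "medium"),   # internet -> workstation
        Alert(SIG_EXPLOIT, "10.0.5.10", "10.0.1.20", "high"),       # our own scanner
        Alert(SIG_SWEEP, "203.0.113.9", "10.0.1.20", "zero"),       # low-severity noise
    ]
    tuning = Sensor(enforce=False)
    live = Sensor(enforce=True, filters=[scanner_filter])
    results = [(tuning.process(a), live.process(a)) for a in traffic]
    return results, live.acl


if __name__ == "__main__":
    for tuned, enforced in run_demo()[0]:
        print(f"rr={enforced['rr']:3d} tuning={tuned['actions']} live={enforced['actions']}")
```

The point to notice is the second and third alerts: the same signature firing against a medium-value workstation falls below the threshold and is only logged, and the scanner's own traffic reaches the threshold but the filter strips the blocking action, so the ACL only ever contains the real external attacker. Running in the tuning phase first shows you those two cases before a block ever lands on the firewall.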
