Differences between the various IDS options from Cisco

pbobby
Level 1

I am curious as to the IDS differences between the IDS features in PIX, Switches, Routers as compared to the well known feature set of the 42xx appliance.

I was once under the impression that the PIX and Router/Switch IDS implementations were a subset of the signature functionality available in the 42xx appliance.

Is this still the case?

Are there other differences?

5 Replies

a.arndt
Level 3

To give a quick reply, the difference between the various IDS solutions offered by Cisco is dependent on the solution.

For example, the router/PIX IDS feature you refer to is in fact a particular code load you can flash onto your device that gives a limited set of IDS signatures for use. The device with this feature installed, IIRC, communicates with the monitoring solution via syslog and not RDEP.

All the other solutions, be it an NM-CIDS, an IDSM-2 or an IDS-42XX, run the same code. As a result, they all have the full signature set and its functionality at their disposal. The only real difference at this point is the platform from which they run (line card in a router, line card in a switch or a stand-alone appliance) and the overall throughput they can handle (anywhere from 80 Mbps to over 1 Gbps).

I hope this helps,

Alex Arndt

A small correction.

The IDS feature in the PIX image itself is limited to a few hard-coded signatures and only reports with syslog.

The original IDS feature in the IOS Firewall Router image itself was limited to a few hard-coded signatures and only reports with syslog (and the old 3.x Postoffice communications).

BUT the new IOS Firewall Router images DO have a newer set of IDS/IPS features. No longer are the signatures hard-coded into the image. The IOS Firewall image now contains IDS/IPS engines (like the 4.1 Appliances and Modules) that can be configured with an XML file in order to add new signatures.

This new Router image can also report with RDEP2 style communications.

(RDEP2 is based on the original RDEP used in the version 4.1 Appliances and Modules, but has been modified to use the newer Security Device Event Exchange (SDEE) format for requesting and sending the events. We took the original RDEP format, began discussions with other vendors, and came up with a newer SDEE format that can be used by all IDS vendors. This newer format is what the IOS Firewall image now uses.)

The main differences between the IOS Firewall Router image with the IDS/IPS features, and the IDS Appliances and Modules (including the NM-CIDS, which is an IDS module for the router) are the following:

1) The number and types of engines. The Appliances and Modules support a larger number and type of engines and can, therefore, support some signatures that cannot be done by the IOS Firewall.

2) The number of signatures configurable per engine. The Appliances and Modules support a larger number of signatures per engine than the IOS Firewall.

3) Ease of configuration. The Appliances and Modules have the CLI and IDM for help in configuring the signatures and even creating custom signatures.

The IOS Firewall uses an XML file that must either be edited manually by the user or edited by another tool.

An IDS MC version is being created to help users in editing and maintaining this XML signature file for the IOS Firewall.

4) The IOS Firewall supports a drop action. So when the attack is seen it can drop the packets en route. The Appliances and Modules can execute TCP Resets and create ACLs on other devices but cannot drop the actual packet. (This feature is commonly known as IPS, Intrusion Prevention System, or as inline IDS.) This feature is being added in the next version of the Appliances and Modules.

So there are many common features, with the Appliances and Modules being more fully featured.

The router's IOS Firewall image is in fact a good complement to the Appliances and Modules.

The Appliances and Modules can be used to monitor for a larger list of attacks and be placed at strategic points in the network (like behind the firewall).

Most users won't be able to afford a full featured IDS for each of their subnets.

For these additional subnets the IOS Firewall image can at least give protection for the top list of viruses/worms.

Because of the limited signature set of the IOS Firewall, the router cannot watch for all of, or as many, attacks as the Appliances and Modules. But the IOS Firewall images can be invaluable during times of virus or worm outbreaks.

The top worm and virus signatures can be loaded on the IOS Firewall on the router, and can be configured to drop the attacks. This way at least these top issues can be monitored and protected from on a per subnet basis using existing router equipment loaded with the newer IOS Firewall images.

In the case of many enterprise customers, the Appliances and Modules can be deployed at headquarters providing full protection there.

And, not being able to afford a complete sensor for each small remote site (where they may have only 10 users, for example), they can load the IOS Firewall on their existing access routers at each remote site to at least give protection for the top issues of the day.

Thanks for your reply Marcoa! I just didn't have the time to go into that much detail, so I'm glad you did.

Furthermore, thanks for explaining the new features of the current IOS Firewall. I wasn't aware of these new features, particularly the RDEPv2 communications capability.

Thanks again!

Alex Arndt

You can read more about the IPS features in the newer IOS Firewall code using this link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_fwids.htm

The new XML signature files can be found here:

http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup

NOTE: There is a link to this page from the main IDS/IPS download page under the IOS IPS Update Files section:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/

Thank you marcabal! I have been researching and reading documents all over cisco.com trying to find the differences between the IOS IDS and the new IOS IPS. Your explanation is what I have been looking for! Your explanation should be published somewhere on cisco.com.