From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Mon Nov 14 2005 - 10:23:27 GMT-3
Tim, if you have an older IDS then updates are manually applied. There are
options like doing it directly on the device or you can use VMS, the
security side of CiscoWorks. We use VMS ourselves for our security related
devices.
As for versions, I don't know if Cisco is still selling anything with 4.x on it
but it doesn't seem likely as they are really pushing the newer IPS line
with 5.x code. We currently have to manually update the signature version
by downloading the signature from CCO (valid account required...probably by
having a SmartNet) and then pushing it with VMS. Cisco now offers a new
service with the newer devices but I don't know all the details. There is
some new automation but it could be just to notify you that a new sig is
available and may have nothing to do with actually getting it into the
device. We are just now in the process of ordering a pair of the new IPSs
and I specified to include the new service offering, so we'll see.
As for your specific questions, some of those are too broad to really answer
accurately. When you ask "how long" does it take to setup an IDS, you might
as well ask how long does it take to setup a router, a switch, or anything
else. The real answer is it depends. It depends on the network, the
engineer and any other intangibles that may arise. If somebody is fairly
familiar with the device and the install is not too tricky, then I would
think a couple of hours might be all it would take. More likely, however,
it will be somebody that doesn't have intimate knowledge of these devices
and so there will be OTJ learning involved so I would allow for perhaps a
day to get it set up, tweaked and tested. Plus you usually will have to go
over with the customer what their responsibilities include, if any, and that
could also lead to some training on the product as well.
As for placement, the new IPS devices are meant to be placed inline, although
I believe they can also be set up in a promiscuous fashion as the IDS devices
tend to be. I like inline because then there is no doubt that all traffic
goes through the device. I've always been suspicious of promiscuous
anything. Inside, outside, or both are your options and again it depends on
the device(s) in question. If you can do both then do both. I like to see
what hits the outside of the firewall and also what hits the inside. Makes
a good barometer for the firewall if you want to see what gets through and
what doesn't. In our physical topology, all remote access comes in behind
the FW, so we are prone to infections or compromise behind the FW as well, so
we are adding IPSs there too. I would say if you have to pick only one
location then behind the FW could be the best location. If no remote access
exists and the only ingress point is through the FW then outside may give
you a better view of what's going on. So as you can see, the short answer
here like so many other questions is it depends.
-----Original Message-----
From: Tim [mailto:ccie2be@nyc.rr.com]
Sent: Sunday, November 13, 2005 1:09 PM
To: 'Cisco certification'
Subject: IDS signatures - big picture stuff
Hi guys,
This morning I was searching the Cisco site for over an hour trying to find
out more about IDS signatures - the big picture stuff.
For example, is Cisco still selling the 4.1 version of the IDS software? I
checked the EOS page but couldn't tell. To me, it looks like new IDSs
aren't being sold; you have to get an IPS with 5.1. Is that true?
As new threats are discovered and new signatures created, what does a
customer need to have and do to add them? A SmartNet contract? Does
keeping the set of signatures up to date work basically the same way as it
does with Anti-Virus software?
Approx how many signatures are included with an IDS/IPS? And, has the number
of signatures included been going up quickly over time?
Today, I've been reading through an IDS Exam Cram (very well written and
informative IMHO) and I noticed that a large percentage of signatures are
enabled by default. Then it occurred to me no mention was made of what the
default action is when traffic matching an enabled signature is seen or what
the default severity is.
Can anybody tell me what the default response action is and what the default
severity is? Does it depend on which particular signature is triggered?
And, now for the last questions.
Let's assume a client has just bought a new IDS and needs an IDS engineer to
set it up for his network. This client isn't a very technical person - he's
a manager and asks manager type questions. He happens to have 2 questions:
Should he set up the IDS in front of or behind the firewall and why?
How many hours will it take for the engineer to set up the IDS? (This
manager doesn't know or care about the details of customizing signatures.
He just needs to know how much money he has to budget to get the job done to
have the IDS work properly for his network.)
Assume for simplicity, his network is a pure windows shop and has 1
connection to the internet and no other external connections.
Please forgive me for all the questions. It's just hard getting up to speed
on new technologies without someone around to show you the ropes and fill in
the blanks.
Thanks, Tim
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:06 GMT-3