IDSM vs IPS 4200

Similar Messages

• IPS 4200 Fault tolerance

  Hi, Is it possible to have two IPS 4200 appliances in a failover or high availability pair? Or is it single with hardware bypass only?
  Thanks

  In data centers like these, redundant routers, switches, and even power supplies help ensure business continuity during an outbreak. The IPS appliances, however, do not support stateful failover. IPS devices maintain state with traffic flows and may drop traffic from an asymmetrical traffic flow. It is therefore important to factor this into the design.
  You can use the bypass mode as a diagnostic tool and a failover protection mechanism. You can set the sensor in a mode where all the IPS processing subsystems are bypassed and traffic is permitted to flow between the inline pairs directly. The bypass mode ensures that packets continue to flow through the sensor when the sensor's processes are temporarily stopped for upgrades or when the sensor's monitoring processes fail. There are three modes: on, off, and automatic. By default, bypass mode is set to automatic.

• Cisco IPS 4200 Series Feature

  Does the Cisco IPS 4200 can support RADIUS for user authentication?
  Does the Cisco IPS 4200 can support SYSLOG for sending logging to outside?

  Are you kidding me? Then how do you explain
  the fact that security devices such as
  checkpoint and ASA firewalls are allowed
  authentication via tacacs/radius and you can
  send syslog back to a syslog server. Normally
  the information is got sent back via the
  Command and Control (C&C) interface which
  should be on a secure network in the first
  place.
  This is a limitation of the of the IDS itself.
  I have not tried version 5.x or 6.x yet but
  if they are similar to version 4.1, then
  they are nothing but a Linux box. You can
  "shell" into the box and install PAM on it
  so that you can use external authentication
  such as radius/tacacs or even LDAP.

• IPS 4200 Signature & Action IDs

  I need a reference manual for the list of all the signatures and actions supported by Cisco IPS 4200 series appliances with software version 6.x.
  I have tried locating this through the IPS product page but had no luck yet.
  Please let me know where can I find this reference manual.
  Thanks.

  Have you looked at the security center?
  http://tools.cisco.com/security/center/search.x?search=Signature
  Regards
  Farrukh

• CIsco IPS 4200 Log Fields

  Hi,
  Could anyone please tell me where can I find the information regarding the Fields of the log for IPS 4200? In what sequence do they appear in log files and what does each field signify?
  Basically, I need the layout of the log file for the IPS logs. e.g. a sample layout would be something like this:
  [timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]
  Thanks.
  Regards,
  Pratik

  Here's an example of an SDEE message. I believe this is from a version 5.x sensor (it could be version 4, I don't see Risk Rating). Each time a new major version of software is release, new features are added and (if reportable) they show up as new fields in the SDEE messages.
  testsensor4250XL
  sensorApp
  440
  Sdee
  10.1.1.119
  1180958240541285000
  10.1.1.119
  0
  1
  R0VUIC9vc3Mvc3VydmV5LmFzcD7pdW1kYXlzPTUrMyBIVFRQ0=
  11.1.1.2
  60556
  61.1.1.76
  80

• IPS 4200 Series

  Hello Dears,
  I have fresh installed IPS 4200 in Inline interface pair mode, Uptill now i m not getting any packet drops or complains from users.
  What else to be done to configure IPS as a Professional setup for corporate Network.
  Thanks

  Now the hard work begins.
  Performing analysis on all medium and high severity signatures and performing these actions:
    Tuning the signatures - Recurring false positive signatures that fire should be adjusted down in severity of disabled (if completely useless)
                                   - Turning on packet captures to learn more about why a signature is fireing and help your analysis.
    Remediation - Once you've found an infected host inside your network, clean it.
                      - If the attack is from outside your network, discover how it is getting in and modify the means of access (Firewall, VPN, etc) to prevent future attack vectors.
  This should be plenty to get you started and keep you busy. Don't forget to rinse and repeat.
  - Bob

• I'm looking for Failover/High available solutions for IPS 4200 Series

  Hi all,
  I tried to find out Failover/High available solutions for IPS 4200 series,I didn't saw failover solutions in IPS guide document. Anybody can be help me!

  I do not know if this is documented anywhere, but I can tell you what I do. As long as the IPS 4200 has power, with the right software settings, the unit can fail such that it will pass traffic. Should the unit loose power, it does stop all traffic. I run a patch cable in parallel with the in line IPS unit, in the same VLAN, with a higher STP cost. Thus all traffic will traverse the IPS unit when possible, but should something happen to it, a $10 patch cable takes over.
  Mike

• Cisco ips 4200 - errsystemerror-ct-sensorapp.443 not responding

  Hi team,
  Does anyone have come across the below error while accessing the cisco ips 4200 running with 7.0 version. The Gui closes automatically after this message.
  errsystemerror-ct-sensorapp.443 not responding, clientpipe failed.
  regards()

  Problem resolved by rebooting the device.. It is documented in cisco.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_qanda_item09186a008025c533.shtml
  When I attempt to log in to IPS, I receive this error message:
  errSystemError-ct-sensorAPP.450 not responding, clientpipe failed
  . How can I resolve this error?
  A. In order to resolve this error, use the reset command in order to reboot the IPS.
  Rate of this was helpful...

• Idsm 2- IPS Deployment

  I would like to configure an IDSM-2 in inline mode, I am having trouble about the deployment, I have a couple of questions;
  1. If you configure 2 VLANs (existing) as VLAN pairs does this mean the exist connection between the 2 VLANs is broken?
  ie they can only communicate to each other via IPS.
  2. Where is the best place to deploy this type of IPS?

  Hello
  1. If configure properly, it will definitely not break any connectivity (its a bump in the wire). Of course if some traffic is denied by any IPS signature itself, that is a different matter. Please see this example for more help:
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
  2. Inline mode is deployed where you want proactive protection and the the IPS box you have has sufficient throughput and other resources that will allow it to monitor that segment of your network (or multiple segments for that matter..)
  Regards
  Farrukh

• Will IDS v4.1 software run on the IPS-4200 appliances?

  I understand that Cisco IPS 5.0 software will run on the IDS-4200 series appliances (e.g. - IDS -4235).
  Is the reverse true? Can I get Cisco IDS 4.1 to run on an IPS-4240 or an IPS-4255?
  Just curious, since I may have to answer the question internally soon...
  Thanks in advance,
  Alex Arndt

  Just an FYI the only Appliances/Modules that support 5.0 that do not support 4.1 are the ASA-SSM-AIP-10 and ASA-SSM-AIP-20.
  These 2 modules are brand new and will only support the 5.0 version.
  To read more about the 2 new modules refer to:
  http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html

• IPS 4200 appliances and performance

  Hi All
  We're looking into purchasing an IDS/IPS appliance, but am concerned about thruput and perf issues. We don't have the budget to stretch to the multiGigabit models to monitor multiple points on our gigabit backbone and network in addition to doing IPS on our internet connections, we are restricted to going for either the 4215 or the 4235 - how do i judge what is best for our needs.
  We'd use any appliance as follows;
  1.)IPS mode for 10meg internet connection
  2.)IPS mode for 1meg SDSL connection
  3.)IDS mode on gigabit backbone. May need to support multiVLAN monitoring but not essential.
  Obviously we need to make sure we have the right number of ports on the appliance but i'm concerened about thruput and the dropping of packets. Is there any test i can do to work out what our aggregate bandwidth will be. The 80mbps of the 4215 doesn't sound anywhere near enough, seeing as we'll be moving to a 3750 1000bT stack for all our switching needs and particularly if the appliance will be working in hybrid mode.
  Relatively small network of about 100 nodes. Pls advise MA

  Let me give this a shot. First off, some caveats. I'm assuming all your links (including your backbone) are copper Ethernet. Now, onto the response...
  Answer to Q1:
  Assuming scalability is not an issue (you don't plan on upgrading this connection, do you?), the IDS-4215 with the IDS-4FE card installed and running IPS v5.0 is the solution here.
  Main advantages, the device is good for a total of 85 Mbps throughput, so no issues with oversubscription if deployed inline, as the sensor will be monitoring a line with the speed of the lowest capable device. To ensure it will work, you can hard code the line speed and duplex settings to force it. Furthermore, with the additional interfaces and the IPS software, it will be just as good as an IPS-4240 on the link, but without the cost.
  Answer to Q2:
  Same solution as Q1, since the sensor is more than powerful enough for the line speed. Again, if the connection is upgraded (say, to a fast DSL line), you'll still be OK if you deploy inline and hard code the line settings.
  Answer to Q3:
  This is the tricky one. Obviously, if you had a core switch that supported it, an IDSM-2 would be a great option. Alternative, as you've already stated, the IPS-4255 with its 600 Mbps throughput capability would work too. Unfortunately, you've identified the one thing that usually dissuades folks with small networks like yours from using these two solutions - cost. (Oops, no you didn't say that, so I'm just going to assume... And yes, I know the dangers of assuming, but I'm throwing caution to the wind.)
  An IPS-4240 is capable of a total aggregate throughput of 250 Mbps. If you gig backbone is really underutilized (in other words, averaging less that 20% usage), you can use in IPS-4240 to good effect. The only problem is that it will start dropping packets the moment the throughput goes over its capacity. The good thing is that there is a signature designed to tell you just when this happens (SigID 993). You could try using the IPS-4240 and ensure it has SigID 993 enabled and see how it works out, but it won't last long if you're worried about losing packets because the utilization is routinely over 250 Mbps (or 25% of your gig line).
  Another option, though this is actually pricier than buying an IPS-4255, would be to configure two SPAN ports on the backbone core switch and hang two IPS-4240 sensors off of it, one per SPAN. Configure the SPANs based on your key VLANs that you want to monitor and you have effectively created a 500 Mbps monitoring solution without resorting to using the high-end device or buying a 3rd party solution (say, an IDS load balancer...). Of course, if cost savings is an issue, I still think the IPS-4255 is the better choice, but your stated restrictions have me thinking that you may be prevented from using it thanks to a limitation in your procurement mechnism...
  Anyway, despite your limitations, you can do it. You just need to be aware of and consider the potential issues.
  I hope this helps,
  Alex Arndt

• IDSM-2 IPS (5.x) / Cat IOS questions

  Is my understanding correct that a Catalyst 6500 running Cat IOS supports only Promiscious mode and that Cat IOS does not support IDSM-2 (5.x) Inline mode?
  Are there any plans to incorporate Inline Mode (5.x) under Cat IOS in the future, or am I missing something here?

  An upcoming version of CatIOS code will definately support inline mode.
  The IPS 5.0 code, as you're aware, was the first version of IDS code to support inline mode. With the standalone sensors, running it inline requires a physical cabling change. With the IDSM-2 in particular though, you need to be able to configure the Cat-IOS code to push traffic through the device in inline mode.
  Unfortunately getting new versions of CatIOS code out the door is not that easy, since there are about 10,000 other features (not just IPS) in the code that are also wanting to be updated, plus other new features, plus all the testing and re-testing that needs to go on before a release. Supporting inline IPS is just one of many major features scheduled for the switch software.
  The Release Notes for IPS 5.0 code do say the following:
  IDSM-2 only supports inline mode for Catalyst Software 8.4.4(1) with Supervisor Engine 1a, Supervisor Engine 2, Supervisor Engine 32, and Supervisor Engine 720. Inline support for Cisco IOS will be added at a later date.

• IPS 4200 - cascade and increase throughput?

  Hi all,
  I'm planning to buy an IPS 4255 appliance, but I might need to increase the throughput in the future. Can I add IPS appliances parallel as and when I need higher throughput. Can those multiple appliances work as a single unit and not influence my existing design, when I need to upgrade the IPS throughput. Also, can this be done with any of the models in the 4200 family, interchangeably ?
  Lot of questions, sorry if too much
  thanks

  If you have a 6500 switch you can connect multiple devices and load share (not balance) via ECLB, have a look at:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/eclbips5.htm
  But as Marhew said, there is no 'clustering' technology available to my knowledge which allows a single-IP management functionality. However you can deploy multiple sensors at the same time with Cisco Security Manager (CSM).
  Regards
  Farrukh

• Bypass Interface for IPS 4200

  Hi,
  Can somebody help me how IPS bypass interface module for 4200 is used? Is it that, when IPS appliance fails (no power, hardware failure), traffic can readily flow from outside interface to inside bypassing the IPS? Usually in inline placement, IPS appliance is the point of failure during hardware failure, is the bypass module introduced to defy such failure?

  The bypass module is only available on the 4260 and 4270 sensors. It can give you a hardware short of the Ethernet pairs in the event of a sensor power failure. The rest of the sensor product line uses a software bypass. We have found both of these methods to be less then reliable when a sensor experiences a software crash (the software need to realize the sensing app has crashed in order to activate the bypass). Using an external device has proven to be much more reliable.
  A simple switch, with two VLANS can be used. Connect the two VLANS externally with your sensor and a patch cable. Assign a higher Spanning Tree Protocol cost to the cable connecting your two VLANS. The cable becomes a hot standby path to your sensor.
  - Bob

• Event viewer on IPS 4200 DM

  Hi, i have the correct time (local) on IPS with an UTC offset positionned but on the Event Viewer windows the time of events is always in UTC time and not in local time (system time).
  That is an issue or normally ?

  It's a feature;-) normal. the event viewer on the sensor is not very user friendly when it comes to entering date/time ranges.