IDSM vs IPS 4200
Hi all
I'm trying to design a data center security solution. I have a 6509-E with Sup 720 and FWSM. My concern now is whether to go for IDSM or a 4200 sensor. I know about the throughput limitations of both products. Can you all highlight any other pros and cons?
thanks
I would recommend going for the appliances. It gets pretty difficult to troubleshoot the network with FWSM and IDSM in the same chassis. EtherChannels, STP, MAC learning... you have to look at all that to see what exactly is happening in the network and the path taken by a particular packet. Since you have a 6500, you can load balance multiple IPS sensors using ECLB.
Also the appliances are modular, you can add interfaces etc.
Another downside is that most network monitoring/management software does not support the IDSM properly; this includes Cisco's LMS and BMC Visualis/Dashboard. You will find the IDSM as a 'disconnected' device on both the CiscoWorks Campus Manager and BMC Visualis network diagrams.
Regards
Farrukh
Similar Messages
-
Hi, Is it possible to have two IPS 4200 appliances in a failover or high availability pair? Or is it single with hardware bypass only?
Thanks
In data centers like these, redundant routers, switches, and even power supplies help ensure business continuity during an outbreak. The IPS appliances, however, do not support stateful failover. IPS devices maintain state with traffic flows and may drop traffic from an asymmetrical traffic flow. It is therefore important to factor this into the design.
You can use the bypass mode as a diagnostic tool and a failover protection mechanism. You can set the sensor in a mode where all the IPS processing subsystems are bypassed and traffic is permitted to flow between the inline pairs directly. The bypass mode ensures that packets continue to flow through the sensor when the sensor's processes are temporarily stopped for upgrades or when the sensor's monitoring processes fail. There are three modes: on, off, and automatic. By default, bypass mode is set to automatic. -
Can the Cisco IPS 4200 support RADIUS for user authentication?
Can the Cisco IPS 4200 support SYSLOG for sending logging to the outside?
Are you kidding me? Then how do you explain the fact that security devices such as Checkpoint and ASA firewalls allow authentication via TACACS/RADIUS and you can send syslog back to a syslog server? Normally the information gets sent back via the Command and Control (C&C) interface, which should be on a secure network in the first place.
This is a limitation of the IDS itself. I have not tried version 5.x or 6.x yet, but if they are similar to version 4.1, then they are nothing but a Linux box. You can "shell" into the box and install PAM on it so that you can use external authentication such as RADIUS/TACACS or even LDAP. -
IPS 4200 Signature & Action IDs
I need a reference manual for the list of all the signatures and actions supported by Cisco IPS 4200 series appliances with software version 6.x.
I have tried locating this through the IPS product page but had no luck yet.
Please let me know where can I find this reference manual.
Thanks.
Have you looked at the Security Center?
http://tools.cisco.com/security/center/search.x?search=Signature
Regards
Farrukh -
Hi,
Could anyone please tell me where can I find the information regarding the Fields of the log for IPS 4200? In what sequence do they appear in log files and what does each field signify?
Basically, I need the layout of the log file for the IPS logs. e.g. a sample layout would be something like this:
[timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]
Thanks.
Regards,
Pratik
Here's an example of an SDEE message. I believe this is from a version 5.x sensor (it could be version 4; I don't see a Risk Rating). Each time a new major version of software is released, new features are added and (if reportable) they show up as new fields in the SDEE messages.
testsensor4250XL
sensorApp
440
Sdee
10.1.1.119
1180958240541285000
10.1.1.119
0
1
R0VUIC9vc3Mvc3VydmV5LmFzcD7pdW1kYXlzPTUrMyBIVFRQ0=
11.1.1.2
60556
61.1.1.76
80 -
Hello Dears,
I have a freshly installed IPS 4200 in inline interface pair mode. Up till now I'm not getting any packet drops or complaints from users.
What else is to be done to configure the IPS as a professional setup for a corporate network?
Thanks
Now the hard work begins.
Perform analysis on all medium and high severity signatures and take these actions:
Tuning the signatures
- Recurring false-positive signatures that fire should be adjusted down in severity or disabled (if completely useless).
- Turn on packet captures to learn more about why a signature is firing and to help your analysis.
Remediation
- Once you've found an infected host inside your network, clean it.
- If the attack is from outside your network, discover how it is getting in and modify the means of access (firewall, VPN, etc.) to prevent future attack vectors.
This should be plenty to get you started and keep you busy. Don't forget to rinse and repeat.
- Bob -
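Pratik's question above asks what the fields of an IPS alert record are, and Bob's reply describes the tuning loop that follows once alerts arrive. The Python below is an added example, not code from this thread or from Cisco: it parses alert lines in the comma-separated layout Pratik sketched and summarises them per signature so that recurring firings can be reviewed. Everything beyond that layout is an assumption of the example: the optional trailing base64 packet-context field (modelled on the SDEE sample), timestamps as epoch nanoseconds, the constructed hosts, signature ids and actions, and the "fires repeatedly from a single source" heuristic used to pick review candidates.

```python
"""Parse IPS alert lines in the layout sketched in the log-format question and
summarise them the way the tuning advice suggests. Added example; not code from
the thread or from Cisco. The comma-separated layout is the asker's sketch; the
optional ninth field (base64 packet context, as in the SDEE sample), the
epoch-nanosecond timestamps and every sample value below are assumptions."""
import base64
import binascii
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample alerts (constructed hosts, signature ids and actions).
# Field order: timestamp, signatureID, vendor signature-desc, attacker IP,
# victim IP, attack type, action ID, action desc[, base64 context]
SAMPLE_LOG = """\
1180958240541285000, 2004, Cisco ICMP Echo Request, 10.1.1.119, 61.1.1.76, informational, 1, produce-alert
1180958300000000000, 2004, Cisco ICMP Echo Request, 10.1.1.119, 61.1.1.76, informational, 1, produce-alert
1180958360000000000, 2004, Cisco ICMP Echo Request, 10.1.1.119, 61.1.1.76, informational, 1, produce-alert
1180958400000000000, 60001, Cisco WWW Suspicious Request, 11.1.1.2, 61.1.1.76, high, 2, deny-packet-inline, R0VUIC9pbmRleC5odG1s
1180958460000000000, 60001, Cisco WWW Suspicious Request, 11.1.1.2, 61.1.1.76, high, 2, deny-packet-inline, R0VUIC9pbmRleC5odG1
"""


def ns_to_utc(ns: int) -> str:
    """Render an epoch-nanosecond timestamp as ISO-8601 UTC. Integer arithmetic
    keeps the microseconds exact where a float division would round them. The
    sensor's event viewer shows UTC regardless of the configured offset, so the
    record keeps UTC and the consumer localises."""
    whole = datetime.fromtimestamp(ns // 10**9, tz=timezone.utc)
    return whole.replace(microsecond=(ns % 10**9) // 1000).isoformat()


def decode_context(b64: str):
    """Decode the base64 packet context. A context truncated by copy and paste
    or by a cut-off message is not valid base64; return None instead of raising
    so one bad field does not stop the rest of the import."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except binascii.Error:
        return None


def parse_alert(line: str) -> dict:
    """Split one alert line into a record. Vendor and signature description share
    one comma field, so that field is split on its first space. Fields appended
    by a newer sensor version are kept under 'extra' rather than dropped."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 8:
        raise ValueError(f"expected at least 8 fields, got {len(parts)}: {line!r}")
    vendor, _, desc = parts[2].partition(" ")
    return {
        "time_utc": ns_to_utc(int(parts[0])),
        "signature_id": int(parts[1]),
        "vendor": vendor,
        "signature_desc": desc,
        "attacker_ip": parts[3],
        "victim_ip": parts[4],
        "attack_type": parts[5],
        "action_id": int(parts[6]),
        "action_desc": parts[7],
        "context": decode_context(parts[8]) if len(parts) > 8 and parts[8] else None,
        "extra": parts[9:],
    }


def load_alerts(text: str) -> list:
    """Parse every non-empty line of a log dump."""
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def summarize(records: list, threshold: int = 3, max_sources: int = 1):
    """Count firings per signature and flag tuning candidates: signatures that
    fired at least `threshold` times from no more than `max_sources` distinct
    attackers (heuristic chosen for this example; repeated firings from one
    known host are the usual false-positive pattern to review first)."""
    counts = Counter(r["signature_id"] for r in records)
    sources = defaultdict(set)
    for r in records:
        sources[r["signature_id"]].add(r["attacker_ip"])
    candidates = sorted(sid for sid, n in counts.items()
                        if n >= threshold and len(sources[sid]) <= max_sources)
    return dict(counts), candidates


if __name__ == "__main__":
    recs = load_alerts(SAMPLE_LOG)
    for r in recs:
        print(r["time_utc"], r["signature_id"], r["attacker_ip"], "->",
              r["victim_ip"], r["action_desc"], repr(r["context"]))
    counts, candidates = summarize(recs)
    print("firings per signature:", counts)
    print("review for tuning:", candidates)
```

Running the block as a script prints the parsed records, then the per-signature counts and the signatures that meet the review heuristic. The last sample line carries a deliberately truncated context field and comes through with `context` set to `None`, which is the behaviour you want when importing a dump rather than a clean SDEE feed.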
I'm looking for Failover/High available solutions for IPS 4200 Series
Hi all,
I tried to find Failover/High Availability solutions for the IPS 4200 series, but I didn't see failover solutions in the IPS guide document. Can anybody help me?
I do not know if this is documented anywhere, but I can tell you what I do. As long as the IPS 4200 has power, with the right software settings, the unit can fail such that it will pass traffic. Should the unit lose power, it does stop all traffic. I run a patch cable in parallel with the inline IPS unit, in the same VLAN, with a higher STP cost. Thus all traffic will traverse the IPS unit when possible, but should something happen to it, a $10 patch cable takes over.
Mike -
Cisco ips 4200 - errsystemerror-ct-sensorapp.443 not responding
Hi team,
Has anyone come across the below error while accessing a Cisco IPS 4200 running version 7.0? The GUI closes automatically after this message.
errsystemerror-ct-sensorapp.443 not responding, clientpipe failed.
regards
Problem resolved by rebooting the device. It is documented by Cisco:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_qanda_item09186a008025c533.shtml
Q. When I attempt to log in to IPS, I receive this error message: errSystemError-ct-sensorAPP.450 not responding, clientpipe failed. How can I resolve this error?
A. In order to resolve this error, use the reset command in order to reboot the IPS.
Rate if this was helpful... -
I would like to configure an IDSM-2 in inline mode, I am having trouble about the deployment, I have a couple of questions;
1. If you configure 2 VLANs (existing) as VLAN pairs does this mean the exist connection between the 2 VLANs is broken?
ie they can only communicate to each other via IPS.
2. Where is the best place to deploy this type of IPS?
Hello
1. If configured properly, it will definitely not break any connectivity (it's a bump in the wire). Of course, if some traffic is denied by an IPS signature itself, that is a different matter. Please see this example for more help:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
2. Inline mode is deployed where you want proactive protection and the IPS box you have has sufficient throughput and other resources to monitor that segment of your network (or multiple segments, for that matter).
Regards
Farrukh -
Will IDS v4.1 software run on the IPS-4200 appliances?
I understand that Cisco IPS 5.0 software will run on the IDS-4200 series appliances (e.g. - IDS -4235).
Is the reverse true? Can I get Cisco IDS 4.1 to run on an IPS-4240 or an IPS-4255?
Just curious, since I may have to answer the question internally soon...
Thanks in advance,
Alex Arndt
Just an FYI: the only appliances/modules that support 5.0 but do not support 4.1 are the ASA-SSM-AIP-10 and ASA-SSM-AIP-20.
These 2 modules are brand new and will only support the 5.0 version.
To read more about the 2 new modules refer to:
http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html -
IPS 4200 appliances and performance
Hi All
We're looking into purchasing an IDS/IPS appliance, but are concerned about throughput and performance issues. We don't have the budget to stretch to the multi-gigabit models to monitor multiple points on our gigabit backbone and network in addition to doing IPS on our internet connections; we are restricted to going for either the 4215 or the 4235. How do I judge what is best for our needs?
We'd use any appliance as follows:
1.) IPS mode for 10 Mbps internet connection
2.) IPS mode for 1 Mbps SDSL connection
3.) IDS mode on gigabit backbone. May need to support multi-VLAN monitoring, but not essential.
Obviously we need to make sure we have the right number of ports on the appliance, but I'm concerned about throughput and the dropping of packets. Is there any test I can do to work out what our aggregate bandwidth will be? The 80 Mbps of the 4215 doesn't sound anywhere near enough, seeing as we'll be moving to a 3750 1000BASE-T stack for all our switching needs, and particularly if the appliance will be working in hybrid mode.
Relatively small network of about 100 nodes. Pls advise, MA
Let me give this a shot. First off, some caveats. I'm assuming all your links (including your backbone) are copper Ethernet. Now, onto the response...
Answer to Q1:
Assuming scalability is not an issue (you don't plan on upgrading this connection, do you?), the IDS-4215 with the IDS-4FE card installed and running IPS v5.0 is the solution here.
Main advantages, the device is good for a total of 85 Mbps throughput, so no issues with oversubscription if deployed inline, as the sensor will be monitoring a line with the speed of the lowest capable device. To ensure it will work, you can hard code the line speed and duplex settings to force it. Furthermore, with the additional interfaces and the IPS software, it will be just as good as an IPS-4240 on the link, but without the cost.
Answer to Q2:
Same solution as Q1, since the sensor is more than powerful enough for the line speed. Again, if the connection is upgraded (say, to a fast DSL line), you'll still be OK if you deploy inline and hard code the line settings.
Answer to Q3:
This is the tricky one. Obviously, if you had a core switch that supported it, an IDSM-2 would be a great option. Alternatively, as you've already stated, the IPS-4255 with its 600 Mbps throughput capability would work too. Unfortunately, you've identified the one thing that usually dissuades folks with small networks like yours from using these two solutions - cost. (Oops, no you didn't say that, so I'm just going to assume... And yes, I know the dangers of assuming, but I'm throwing caution to the wind.)
An IPS-4240 is capable of a total aggregate throughput of 250 Mbps. If your gig backbone is really underutilized (in other words, averaging less than 20% usage), you can use an IPS-4240 to good effect. The only problem is that it will start dropping packets the moment the throughput goes over its capacity. The good thing is that there is a signature designed to tell you just when this happens (SigID 993). You could try using the IPS-4240 and ensure it has SigID 993 enabled and see how it works out, but it won't last long if you're worried about losing packets because the utilization is routinely over 250 Mbps (or 25% of your gig line).
Another option, though this is actually pricier than buying an IPS-4255, would be to configure two SPAN ports on the backbone core switch and hang two IPS-4240 sensors off of it, one per SPAN. Configure the SPANs based on the key VLANs that you want to monitor and you have effectively created a 500 Mbps monitoring solution without resorting to using the high-end device or buying a 3rd party solution (say, an IDS load balancer...). Of course, if cost savings is an issue, I still think the IPS-4255 is the better choice, but your stated restrictions have me thinking that you may be prevented from using it thanks to a limitation in your procurement mechanism...
Anyway, despite your limitations, you can do it. You just need to be aware of and consider the potential issues.
I hope this helps,
Alex Arndt -
IDSM-2 IPS (5.x) / Cat IOS questions
Is my understanding correct that a Catalyst 6500 running Cat IOS supports only promiscuous mode and that Cat IOS does not support IDSM-2 (5.x) inline mode?
Are there any plans to incorporate inline mode (5.x) under Cat IOS in the future, or am I missing something here?
An upcoming version of CatIOS code will definitely support inline mode.
The IPS 5.0 code, as you're aware, was the first version of IDS code to support inline mode. With the standalone sensors, running it inline requires a physical cabling change. With the IDSM-2 in particular though, you need to be able to configure the Cat-IOS code to push traffic through the device in inline mode.
Unfortunately getting new versions of CatIOS code out the door is not that easy, since there are about 10,000 other features (not just IPS) in the code that are also wanting to be updated, plus other new features, plus all the testing and re-testing that needs to go on before a release. Supporting inline IPS is just one of many major features scheduled for the switch software.
The Release Notes for IPS 5.0 code do say the following:
IDSM-2 only supports inline mode for Catalyst Software 8.4.4(1) with Supervisor Engine 1a, Supervisor Engine 2, Supervisor Engine 32, and Supervisor Engine 720. Inline support for Cisco IOS will be added at a later date. -
IPS 4200 - cascade and increase throughput?
Hi all,
I'm planning to buy an IPS 4255 appliance, but I might need to increase the throughput in the future. Can I add IPS appliances parallel as and when I need higher throughput. Can those multiple appliances work as a single unit and not influence my existing design, when I need to upgrade the IPS throughput. Also, can this be done with any of the models in the 4200 family, interchangeably ?
Lot of questions, sorry if too much
thanks
If you have a 6500 switch you can connect multiple devices and load share (not balance) via ECLB; have a look at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/eclbips5.htm
But as Marhew said, there is no 'clustering' technology available to my knowledge which allows a single-IP management functionality. However you can deploy multiple sensors at the same time with Cisco Security Manager (CSM).
Regards
Farrukh -
Hi,
Can somebody help me with how the IPS bypass interface module for the 4200 is used? Is it that, when the IPS appliance fails (no power, hardware failure), traffic can readily flow from the outside interface to the inside, bypassing the IPS? Usually in an inline placement the IPS appliance is the point of failure during a hardware failure; is the bypass module introduced to defy such failure?
The bypass module is only available on the 4260 and 4270 sensors. It can give you a hardware short of the Ethernet pairs in the event of a sensor power failure. The rest of the sensor product line uses a software bypass. We have found both of these methods to be less than reliable when a sensor experiences a software crash (the software needs to realize the sensing app has crashed in order to activate the bypass). Using an external device has proven to be much more reliable.
A simple switch with two VLANs can be used. Connect the two VLANs externally with your sensor and a patch cable. Assign a higher Spanning Tree Protocol cost to the cable connecting your two VLANs. The cable becomes a hot standby path to your sensor.
- Bob -
Hi, I have the correct time (local) on the IPS with a UTC offset positioned, but in the Event Viewer window the time of events is always in UTC time and not in local time (system time).
Is that an issue or normal?
It's a feature ;-) normal. The event viewer on the sensor is not very user friendly when it comes to entering date/time ranges.