
Cisco IOS Intrusion Prevention System (IPS)

 

Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module
With the increased complexity of security threats, such as malicious Internet worms, denial of service (DoS) attacks, and e-business application attacks, achieving efficient network intrusion security is critical to maintaining a high level of protection. The Cisco® Catalyst® 6500 Series Intrusion Detection System Services Module (IDSM-2) is an important intrusion prevention system (IPS) solution for safeguarding organizations from costly and debilitating network breaches and for helping to ensure business continuity.


The second-generation Cisco IDSM-2 protects switched environments by integrating full-featured IPS functions directly into the network infrastructure through the widely deployed Cisco Catalyst chassis. This integration allows the user to monitor traffic directly off the switch backplane—a logical platform for additional services such as firewall, VPN, and IPS.


The Cisco IDSM-2 with Cisco IPS Sensor Software v6.0 helps users stop more threats with greater confidence, through the use of the following elements:


  • Multivector threat identification—Detailed inspection of Layer 2–7 traffic protects your network from policy violations, vulnerability exploitations, and anomalous activity.
  • Accurate prevention technologies—Cisco Systems’ innovative Risk Rating feature and Meta Event Generator provide the confidence to take preventive actions on a broader range of threats without the risk of dropping legitimate traffic.

When combined, these elements provide a comprehensive inline prevention solution, giving you the confidence to detect and stop the broadest range of malicious traffic before it affects business continuity.


Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Service Module
Cisco® integrated network security solutions enable organizations to minimize risk and maximize business continuity. The Cisco IDSM-2 for the Cisco Catalyst® 6500/7600 Series scales to multigigabit environments.


Figure 1. Cisco IDSM-2




Security threats have increased in complexity, and in multigigabit environments efficient network intrusion security solutions are critical to maintaining a high level of protection. Vigilant protection ensures business continuity and minimizes the effect of costly intrusions. Cisco integrated network security solutions enable organizations to protect their connected business assets and increase the efficiency of intrusion prevention systems. The Cisco IDSM-2 is part of the Cisco Systems® family of intrusion detection and prevention (IDS/IPS) solutions. It works in concert with other Cisco IDS/IPS components to efficiently protect your data infrastructure.

 

The Cisco IDSM-2 is a services module for the widely deployed Cisco Catalyst chassis. With an installed base in the hundreds of thousands, the Cisco Catalyst chassis is a logical platform for additional services such as firewall, VPN, and IDS/IPS services. This second-generation services module provides unique benefits to customers seeking IDS/IPS attack protection.


FEATURES AND BENEFITS


Table 1 lists the features of the Cisco IDSM-2 for the Cisco Catalyst 6500/7600 Series.


Table 1. Cisco IDSM-2 Features

 


Features


Details

Performance (passive)

  • 600 Mbps
  • 6,000 new TCP connections per second
  • 6,000 HTTP transactions per second
  • 60,000 concurrent connections

Performance (inline)

  • 500 Mbps
  • 5,000 new TCP connections per second
  • 5,000 HTTP transactions per second
  • 50,000 concurrent connections
  • Supports up to 500,000 concurrent connections

Multigigabit scalability

  • With no slot restriction on Cisco Catalyst 6500/7600 Series chassis, the 1-RU IDSM-2 can scale to up to 8 modules per chassis, providing up to 4 Gbps of inline prevention

Hot swap modules

  • IDSM-2 insertion/removal never affects the Cisco Catalyst switch

Cisco Catalyst chassis benefits

  • Cisco EtherChannel® load balancing
  • Supervisor engine and power redundancy
  • Port density
  • Combining with other services modules to provide a scalable security solution

WAN interoperability support

  • Supports the Cisco FlexWAN module

Accurate prevention technologies

  • Advanced false positive reduction features, the user-adjustable Meta Event Generator and Risk Rating, provide confidence in the data passed to the internal network

Multiple capture techniques

  • Multiple techniques include SPAN/RSPAN; VLAN access control list (ACL) capture combined with shunning; TCP resets when in passive mode; and drop actions when used inline
  • Allows customers to monitor various network segments and traffic while providing timely action to mitigate threats

VLAN ACL capture

  • Cisco is the only vendor to provide an in-switch IDS/IPS solution supplying access to the data stream via VLAN ACL capture

Flexible deployment

  • Can be deployed in Cisco Catalyst 6500/7600 Series chassis with a wide range of supervisor engines, running either hybrid Cisco Catalyst OS or Cisco IOS® Software, for distribution across wide and varied installed base networks

Recommended minimum Cisco IOS Software support for Cisco IPS Sensor Software v5.1

  • For Cisco IOS Software Release 12.2(18)SFX4, the following features are supported on the Supervisor Engine 2, Supervisor Engine 32, and Supervisor Engine 720: inline VLAN pairing and Cisco EtherChannel load balancing

Recommended minimum Cisco Catalyst OS support for Cisco IPS Sensor Software v5.1

  • For Cisco Catalyst OS 8.5(1), the following features are supported on the Supervisor Engine 1, Supervisor Engine 2, Supervisor Engine 32, and Supervisor Engine 720: inline VLAN pairing and Cisco EtherChannel load balancing

Standardized code base

  • Uses the same IPS code as the award-winning Cisco IPS 4200 Series appliances, allowing users to standardize on a single management technique
  • Simplifies and speeds up installation, training, operation, and support

Optional anti-X integrated services

  • Partnership with Trend Micro augments Cisco's native signature development to provide the quickest and most complete signature updates for timely recognition and prevention of attacks

Single device management using CLI or Cisco IPS Device Manager (IDM)

  • Module can be configured using the CLI, which is available locally or remotely via Telnet or Secure Shell (SSH)
  • Cisco IDM is a Web-based tool for sensor configuration and management. It can be accessed through Internet Explorer, Netscape, or Mozilla, and is enabled by default to use Secure Sockets Layer (SSL).

Enterprise management and monitoring

  • Cisco IPS Event Viewer (IEV) provides event monitoring for up to five IPS sensors
  • Cisco Security Manager and Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) provide world-class management and monitoring for sensor deployments of all sizes

Physical Dimensions

  • Height: 3.0 cm (1.2 in.)
  • Width: 35.6 cm (14.4 in.)
  • Depth: 40.6 cm (16 in.)
  • Weight: 2.27 kg (5 lbs)

Power

  • Amps: 2.5
  • Watts: 105
  • Heat Dissipation: 450 BTUs

Operating Environment

  • Operating temperature: 0 to 40°C (32 to 104.5°F)
  • Non-operating temperature: -20 to 65°C (-4 to 149°F)
  • Operating relative humidity: 10 to 90% (non-condensing)
  • Non-operating relative humidity: 5 to 95% (non-condensing)
  • Operating and non-operating altitude: sea level to 3,050m (10,000 ft.)

ORDERING INFORMATION
Cisco IDSM-2 Part Numbers



Part Number


Description

WS-SVC-IDS2-BUN-K9

Cisco IDSM-2 if purchased as part of a Cisco Catalyst system

WS-SVC-IDS2-BUN-K9=

Cisco IDSM-2 (spare)


Cisco IDSM-2 Service Part Numbers



Part Number


Description

CON-xxxx-WIDSBNK9

(as part of a Cisco Catalyst system)

CON-xxxx-IDSBNK9

(spare)


Service key for "xx" in the part number:


SU1 = 8 x 5 x next business day

SU2 = 8 x 5 x 4-hour service

SU3 = 7 x 24 x 4-hour service

SU4 = 7 x 24 x 2 x next business day

SU01 = 8 x 5 x 4-hour service onsite

SU02 = 8 x 5 x 4-hour service onsite

SU03 = 7 x 24 x 4-hour service onsite

SU04 = 7 x 24 x 2-hour service onsite


Current Code and Signature Revision
Software release: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
Signature release: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup
Cisco Catalyst Supervisor Engine Hardware, Software Requirements, and Interoperability
For supported configurations, visit: https://tools.cisco.com/qtc/config/html/configureHomeGuest.html (Cisco.com login required)


REGULATORY COMPLIANCE


Emissions

FCC Part 15 (CFR 47) Class A, ICES-003 Class A, EN55022 Class A, CISPR22 Class A, AS/NZS 3548 Class A, VCCI Class A with UTP cables, EN55022 Class B, CISPR22 Class B, AS/NZS 3548 Class B, VCCI Class B with FTP cables

Safety

CE marking according to UL 1950, CSA 22.2 No. 950, EN 60950, IEC 60950, TS 001, AS/NZS 3260

Certifications

NEBS Level 3 pending (with Cisco Catalyst 7600)
Common Criteria Level 2 certified


Export Restrictions


The Cisco IDSM-2 is classified as a "strong encryption" product and is export restricted. For more information, visit: http://www.cisco.com/wwl/export/crypto/tool/
For more information please email lynn@redlegg.com


Cisco IDSM-2 Bundle with 2-Gbps Performance


The Cisco® Intrusion Detection System Services Module (IDSM-2) 2-Gbps bundle is an integrated network security solution that enables organizations to minimize risk, maximize business continuity, and scale to multigigabit environments while optimizing productivity.


Cisco intrusion detection and prevention (IDS/IPS) solutions enable organizations to protect their connected business assets from threats and increase their operating efficiency. As part of the Cisco Systems® family of IDS/IPS solutions, the Cisco IDSM-2 bundle provides protection for data network infrastructures that require multigigabit performance. Network threats continue to increase in complexity; as a result, an organization's security solution must provide effective network intrusion prevention while maintaining business continuity.


Figure 1. Cisco Catalyst 6500 Intrusion Detection Service Module-2 Bundle





The Cisco IDSM-2 bundle combines market-leading intrusion prevention and switching into a single system that provides up to 2 Gbps of intrusion prevention performance. The bundle includes the Cisco Catalyst® 6506-E Switch chassis, the Cisco Catalyst 6500 Supervisor Engine 32, and four Cisco IDSM-2s.
With an installed base in the hundreds of thousands, the widely deployed Cisco Catalyst chassis is a logical platform for additional services such as firewall, VPN, and IDS/IPS. The Cisco IDSM-2 is a second-generation module for Cisco Catalyst chassis, providing unique benefits to customers seeking IDS/IPS attack protection. Cisco IPS Sensor Software Version 5.x delivers inline IPS capabilities to the Cisco IDSM-2.


Features and Benefits


Table 1 lists features of the Cisco IDSM-2 bundle.


Table 1. Cisco IDSM-2 Bundle Features



Features


Details

Multigigabit Scalability

The IDSM-2 bundle provides 2 Gbps of IPS performance using 4 IDSM-2s

Hot Swap Modules

IDSM-2 insertion/removal never affects the Cisco Catalyst switch

Cisco Catalyst Chassis Benefits

Cisco EtherChannel® load balancing
Supervisor engine and power redundancy
Port density
Combining with other services modules to provide a scalable security solution

WAN Interoperability Support

FlexWAN support

Accurate Prevention Technologies

Advanced false positive reduction features, the user-adjustable Meta Event Generator and Risk Rating, provide confidence in the data passed to the internal network

Multiple Capture Techniques

Multiple techniques include SPAN/RSPAN; VLAN access control list (ACL) capture combined with shunning; TCP resets when in passive mode; and drop actions when used inline
Allows customers to monitor various network segments and traffic while providing timely action to mitigate threats

VLAN ACL Capture

Cisco is the only vendor to provide an in-switch IDS/IPS solution supplying access to the data stream via VLAN ACL capture

Standardized Code Base

Uses the same IPS code as the award-winning Cisco IPS 4200 Series appliances, allowing users to standardize on a single management technique
Simplifies and speeds up installation, training, operation, and support

Optional anti-X Integrated Services

Partnership with Trend Micro augments Cisco's native detection and mitigation capabilities with the most complete anti-X updates for timely recognition and prevention of malware-based threats

Single Device Management Using CLI or Cisco IPS Device Manager (IDM)

Module can be configured using the CLI, which is available locally or remotely via Telnet or Secure Shell (SSH)
Cisco IDM is a Web-based tool for sensor configuration and management. It can be accessed through Internet Explorer, Netscape, or Mozilla, and is enabled by default to use Secure Sockets Layer (SSL).

Enterprise Management and Monitoring Tools

Cisco IDS Event Viewer (IEV) provides event monitoring for up to five devices and provides a free monitoring tool for managing IPS events
Cisco Security Manager and Cisco Security MARS provide world-class management and monitoring for sensor deployments of all sizes


Ordering Information
Table 2. Cisco IDSM-2 Bundle Part Numbers



Part Number


Description

WS-C6506E-IPSC-K9

Includes Cisco Catalyst 6506-E Switch, Supervisor Engine 32 with 8 x 1 Gigabit Ethernet Small Form-Factor Pluggable (SFP) plus 1 x 10/100/1000 uplink port, 8 copper SFP interfaces, 4 IDSM-2s, and 1 Power-Supply 3000W

WS-C6506E-IPSF-K9

Includes Cisco Catalyst 6506-E Switch, Supervisor Engine 32 with 8 x 1 Gigabit Ethernet SFP plus 1 x 10/100/1000 uplink port, 8 multimode fiber SFP interfaces, 4 IDSM-2s, and 1 Power-Supply 3000W

WS-C6506E-IPS10GK9

Includes Cisco Catalyst 6506-E Switch, Supervisor Engine 32 with 2 x 10 Gigabit Ethernet XENPAK plus 1 x 10/100/1000 uplink port, 2 short-range 10 Gigabit XENPAK interfaces, 4 IDSM-2s, and 1 Power-Supply 3000W


Table 3. Cisco IDSM-2 Service Part Numbers


Part Number


  • CON-SUxx-6506IPSC
  • CON-SUxx-6506IPSF
  • CON-SUxx-6506IPSG

Table 4. Service Key for "xx" in the Part Number



Description


SU1 = 8x5xnext business day

SU2 = 8x5x4-hour service

SU3 = 7x24x4-hour service

SU4 = 7x24x2xnext business day

SU01 = 8x5x4-hour service onsite

SU02 = 8x5x4-hour service onsite

SU03 = 7x24x4-hour service onsite

SU04 = 7x24x2-hour service onsite


Current Code and Signature Revision


To download Cisco IPS Sensor Software Versions 5.x and higher, visit:
Software Release: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
Signature Release: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup


Cisco Catalyst Supervisor Engine Hardware, Software Requirements, and Interoperability


There are numerous configuration options for the Cisco IDSM-2 bundle. For more information on supported configurations, visit http://www.cisco.com/appcontent/apollo/configureHomeGuest.html.


Table 5. Regulatory Compliance



Feature


Description

Emissions

FCC Part 15 (CFR 47) Class A, ICES-003 Class A, EN55022 Class A, CISPR22 Class A, AS/NZS 3548 Class A, VCCI Class A with UTP cables, EN55022 Class B, CISPR22 Class B, AS/NZS 3548 Class B, VCCI Class B with FTP cables

Safety

CE marking according to UL 1950, CSA 22.2 No. 950, EN 60950, IEC 60950, TS 001, AS/NZS 3260

Certifications

NEBS Level 3 pending (with Cisco Catalyst 7600 Series)
Common Criteria Level 2 certified


Export Restrictions
The Cisco IDSM-2 is classified as a "strong encryption" product and is export restricted. For more information, visit http://www.cisco.com/wwl/export/crypto/tool/.
For more information email lynn@redlegg.com


Cisco Intrusion Prevention System Solution


Comprehensive, End-to-End Protection

Cisco® Intrusion Prevention System (IPS) solutions accurately identify, classify, and stop malicious traffic, including worms, spyware, adware, network viruses, and application abuse, before they affect business continuity.


Pervasive Network Integration

Cisco IPS solutions defeat threats from multiple vectors, including network, server, and desktop endpoints. The solutions extend across Cisco platforms, from purpose-built appliances and integrated firewall and IPS devices to services modules for routers and switches. A Cisco IPS solution protects the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic at Layers 2 through 7 across your network.


Collaborative Threat Prevention
A Cisco IPS solution employs a unique, system-wide security ecosystem that assesses and reacts to threats, delivering unmatched network scalability and resiliency. This ubiquitous alliance includes cross-solution feedback linkages, common policy management, multivendor event correlation, attack path identification, passive/active fingerprinting, and host-based (Cisco Security Agent) IPS collaboration.


Proactive Posture Adaptation
As your network threat posture changes, a Cisco IPS solution evolves and adapts to stay ahead of the security landscape, mitigating threats from both known and unknown attacks. Extensive behavioral analysis, anomaly detection, policy adjustments, and rapid threat response techniques save time, resources, and, most importantly, your organization's assets and productivity.


IPS technology strategically deployed throughout the network provides unmatched end-to-end, day-zero protection (Figure 1). With a Cisco IPS solution, your infrastructure and your business are protected.


Figure 1. Cisco IPS Solutions Deliver Comprehensive Day-Zero Protection Prevention Throughout the Network





Comprehensive Integrated, Collaborative, and Adaptive Network Protection
Today's complex network architectures involve multiple segments, branches, and ingress/egress points, with ever-growing requirements for network access while maintaining security. In this constantly evolving landscape, network security requires more than single-point solutions.
As a core component of the Cisco Self-Defending Network, a Cisco IPS solution delivers comprehensive threat prevention from attacks and threats, regardless of their origin or history. Cisco IPS solutions proactively protect your network through a unique ability to collaborate with other network security resources, ensuring business connectivity across the entire infrastructure. When combined, these elements provide a comprehensive, inline prevention solution, giving you the confidence to detect and stop the broadest range of malicious traffic before it affects business continuity.


Pervasive Network Integration
Cisco IPS solutions integrate into the network, providing unparalleled visibility and network-wide threat intelligence. This visibility protects your network from:

  • Policy violations—Cisco IPS solutions provide strict control of application usage and policy conformance through traffic inspection, including instant messaging and peer-to-peer applications; strict HTTP enforcement; Port 80 inspection; and traffic filtering based on MIME types and OS fingerprinting. The solutions also provide user and endpoint contextual information.
  • Vulnerability exploitations—Cisco IPS solutions stop exploitation of known vulnerabilities in a wide array of operating systems, network services, applications, and protocols, and provide protection from new worms and viruses before their vulnerabilities become known or published.
  • Anomalous activity—Cisco's best-in-class anomaly detection feature detects worms by learning the "normal" traffic patterns of the network, and then scanning for anomalous behavior. Fast-propagating network worms scan the network in order to infect other hosts. For each protocol or service, the anomaly detection program studies what is normal scanning activity, and accumulates this information in a threshold histogram and an absolute scanner threshold. The scanner threshold specifies the absolute scanning rate above which any source is considered malicious.
  • Behavioral analysis—Cisco IPS solutions provide the ability to detect infection characteristics based on dynamic learning of network usage.
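As an added illustration of the threshold histogram and absolute scanner threshold described above (example code, not part of the original datasheet and not Cisco's implementation): a learning window of constructed connection records builds a per-service knowledge base, and a later detection window is checked against it. The bucket sizes, the headroom factor, the addresses and the service names are all assumptions of this example.

```python
"""Scan-rate anomaly detection in the style described above: learn what normal
scanning looks like per service, then flag sources and worm-like source counts
that exceed it. All data, thresholds and addresses below are constructed."""
from collections import defaultdict

# One learning window of connection attempts seen by the sensor (constructed):
# (source, destination, service, established). A scanning source probes many
# destinations and most of those connections never get established.
NORMAL_WINDOW = [
    ("10.1.1.5", "10.1.2.%d" % i, "tcp/445", i % 3 == 0) for i in range(1, 7)
] + [("10.1.1.8", "10.1.2.%d" % i, "tcp/445", True) for i in range(1, 4)]

# A later window with one worm-infected host and two early victims (constructed).
ATTACK_WINDOW = NORMAL_WINDOW + [
    ("10.1.3.20", "10.1.9.%d" % i, "tcp/445", False) for i in range(1, 31)
] + [("10.1.3.%d" % h, "10.1.9.%d" % i, "tcp/445", False)
     for h in (21, 22) for i in range(1, 7)]

# Threshold-histogram buckets: "how many sources probed at least N destinations".
BUCKETS = (5, 20, 100)
HEADROOM = 3  # assumed multiplier over the busiest benign source


def scan_counts(window):
    """Per service, count the distinct destinations each source probed without
    the connection being established; that count is the source's scan rate."""
    probes = defaultdict(lambda: defaultdict(set))
    for src, dst, service, established in window:
        if not established:
            probes[service][src].add(dst)
    return {svc: {src: len(dsts) for src, dsts in srcs.items()}
            for svc, srcs in probes.items()}


def learn(window):
    """Learning phase: per service, record the threshold histogram (number of
    sources normally at or above each bucket) and derive the absolute scanner
    threshold from the busiest benign source plus headroom."""
    kb = {}
    for service, per_src in scan_counts(window).items():
        hist = {b: sum(1 for c in per_src.values() if c >= b) for b in BUCKETS}
        kb[service] = {"histogram": hist,
                       "scanner_threshold": max(per_src.values()) * HEADROOM}
    return kb


def detect(window, kb):
    """Detection phase. Two kinds of alert:
    ("scanner", service, source, count): one source above the absolute threshold;
    ("worm", service, bucket, count): more sources scanning at that bucket than
    the learned histogram says is normal, i.e. propagation across hosts."""
    # A service never seen while learning gets a conservative default profile.
    default = {"histogram": {b: 0 for b in BUCKETS}, "scanner_threshold": BUCKETS[0]}
    alerts = []
    for service, per_src in scan_counts(window).items():
        learned = kb.get(service, default)
        for src, count in per_src.items():
            if count > learned["scanner_threshold"]:
                alerts.append(("scanner", service, src, count))
        for bucket, normal_sources in learned["histogram"].items():
            scanning = sum(1 for c in per_src.values() if c >= bucket)
            if scanning > normal_sources:
                alerts.append(("worm", service, bucket, scanning))
    return alerts


def build_kb():
    return learn(NORMAL_WINDOW)


def run():
    """Learn from the benign window, then inspect the attack window."""
    return detect(ATTACK_WINDOW, build_kb())


if __name__ == "__main__":
    for alert in run():
        print(alert)
```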


Multivector Threat Identification
At the core of Cisco IPS solutions are numerous methods for the inspection and analysis of traffic in Layers 2 through 7. These methods provide comprehensive threat identification, often supporting the development of signatures to a vulnerability prior to the release of an exploit to provide you with day-zero protection. These multivector threat identification methods are described in Table 1.


Table 1. Cisco IPS Solution Multivector Threat Identification Methods



Feature


Benefits

Rate Limiting

Allows the IPS device to limit certain types of traffic by preventing it from utilizing an excessive amount of bandwidth.
Signals external devices such as Cisco IOS® Software-based routers to perform rate limiting to accomplish the same function.

IPv6 Detection

Enhanced visibility into IPv6 traffic makes it easier to identify malicious traffic.

IP in IP Detection

Identifies malicious traffic within mobile IP traffic.

Stateful Pattern Recognition

Identifies vulnerability-based attacks through the use of multipacket inspection across all protocols, thwarting attacks that hide within a data stream.

Protocol Analysis

Cisco IPS solutions provide protocol decoding and validation for network traffic.
Cisco IPS Sensor Software Version 6.0 monitors all major TCP/IP protocols, including but not limited to IP, Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP).
Cisco IPS Sensor Software also provides stateful decoding of application-layer protocols such as FTP, Simple Mail Transfer Protocol (SMTP), HTTP, SMB, Domain Name System (DNS), remote procedure call (RPC), NetBIOS, Network News Transfer Protocol (NNTP), generic routing encapsulation (GRE), and Telnet.

Traffic Anomaly Detection

Provides anomaly identification for attacks that may cover multiple sessions and connections, using techniques based on identifying changes in normal network traffic patterns (e.g., an ICMP flood defined as a predefined number of ICMP packets within a certain amount of time).

Protocol Anomaly Detection

Identifies attacks based on observed deviations from the normal RFC behavior of a protocol or service (e.g., an HTTP response without an HTTP request).

Layer 2 Detection

Identifies Layer 2 Address Resolution Protocol (ARP) attacks and man-in-the-middle attacks, which are prevalent in switched environments.

Application Policy Enforcement

Provides deep analysis and control of a broad set of applications, including:
Peer-to-peer
Instant messaging
Tunneled applications over Port 80
Allows the user to make policy decisions about various traffic types and Multipurpose Internet Mail Extensions (MIME) types to help ensure that malicious traffic is disallowed from traversing the network.

Anti-IPS Evasion Techniques

Traffic normalization
IP defragmentation
TCP stream reassembly
De-obfuscation

Customizable Policies

Gives users the flexibility to create new policies or modify existing policies to meet their unique security objectives, using the innovative Cisco Threat Analysis Micro Engine policy language.


Risk Rating
Cisco IPS solutions provide unparalleled contextual analysis of data to determine its threat and eliminate false positives. This innovative technology is called Risk Rating. Risk Rating increases the accuracy and confidence of IPS packet drop actions by delivering a risk-balanced approach to classifying threats. Risk Rating employs a unique multidimensional algorithm that takes into account several terms, listed in Table 2.


Table 2. Risk Rating Features



Risk Rating Component


Description

Event Severity

A user-modifiable weighted value that characterizes the damage potential of the suspect traffic

Signature Fidelity

A user-modifiable weighted value that characterizes the fidelity of the signature that has detected the suspect activity

Asset Value

A user-defined value that represents the user's perceived value of the target host

Attack Relevancy

An internal weighted value that characterizes any additional knowledge that the sensor may have about the target of the event


The resulting risk rating is an integer value that is dynamically applied to every IPS signature, policy, or anomaly detection algorithm. The higher the value, the greater the security risk of the trigger event for the associated alert. The result is a mechanism that allows the user to develop policies for the prevention of network attacks or to better characterize events for prioritization of further investigation. The user is empowered to make more intelligent decisions on inline IPS actions while virtually eliminating the possibility of dropping valid traffic.


Threat Rating
New with Cisco IPS Sensor Software Version 6.0, the Threat Rating feature provides a single view of the threat environment of the network. Threat Rating can minimize alarms and events through the ability to customize the viewer to only show events with a high Threat Rating value. The Threat Rating value is derived as follows:


  • Dynamic adjustment of the event Risk Rating based on the success of the response action
  • If a response action was applied, the Risk Rating is reduced (TR < RR)
  • If no response action was applied, the Risk Rating remains unchanged (TR = RR)

The result is a single value by which the threat risk is determined. This eases the management of alarms and the determination of risk on the network.
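A worked model of the Risk Rating components in Table 2 and the Threat Rating derivation above, added here as example code and not taken from the datasheet or from Cisco's software: the four terms are combined into an integer rating, an event-action policy picks the inline action from that rating, and the Threat Rating is reduced when a response action was applied (TR < RR) or left equal otherwise (TR = RR). The combination rule, the value scales, the relevancy values from OS fingerprinting and the per-action credits are assumptions of this example.

```python
"""Illustrative Risk Rating / Threat Rating model. The weighting below is an
assumption of this example, not the page's or Cisco's published formula."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class IpsEvent:
    """The four Table 2 terms for one alert (value ranges are assumed)."""
    signature: str
    event_severity: int       # 0-100, user-modifiable: damage potential of the traffic
    signature_fidelity: int   # 0-100, user-modifiable: how reliable the signature is
    asset_value: int          # user-defined value of the target host (assumed 50..200, 100 = medium)
    attack_relevancy: int     # internal term: +10 relevant, 0 unknown, -10 not relevant (assumed)


def attack_relevancy(vulnerable_os: Set[str], target_os: Optional[str]) -> int:
    """Passive/active fingerprinting feeds this term: if the sensor knows the
    target OS it can say whether the attack is even relevant to that host."""
    if target_os is None:
        return 0
    return 10 if target_os in vulnerable_os else -10


def risk_rating(ev: IpsEvent) -> int:
    """Assumed rule: the three user-weighted terms multiply (so one low term
    drags the rating down), are scaled back to 0-100, and the sensor's own
    relevancy knowledge is added as a small correction. Result is clamped."""
    base = ev.event_severity * ev.signature_fidelity * ev.asset_value // 10_000
    return max(0, min(100, base + ev.attack_relevancy))


# Assumed credit per response action: how much of the risk is considered
# mitigated once that action has actually been applied.
ACTION_CREDIT = {
    "deny-attacker-inline": 45,
    "deny-packet-inline": 35,
    "request-block-host": 20,
    "produce-alert": 0,
}

# Event-action policy: drop only when the rating is high enough that dropping
# legitimate traffic is unlikely; otherwise alert for investigation.
POLICY = [(90, "deny-attacker-inline"), (70, "deny-packet-inline"), (0, "produce-alert")]


def choose_action(rr: int) -> str:
    for threshold, action in POLICY:
        if rr >= threshold:
            return action
    return "produce-alert"


def threat_rating(rr: int, actions_applied: List[str]) -> int:
    """TR == RR when no response action was applied; TR < RR when one was,
    reduced by the largest credit among the applied actions."""
    credit = max((ACTION_CREDIT[a] for a in actions_applied), default=0)
    return max(0, rr - credit)


def process(ev: IpsEvent) -> dict:
    """Full path for one alert: rating -> policy action -> threat rating."""
    rr = risk_rating(ev)
    action = choose_action(rr)
    return {"signature": ev.signature, "risk_rating": rr,
            "action": action, "threat_rating": threat_rating(rr, [action])}


def demo() -> List[dict]:
    """Same signature against a critical vulnerable server and a lab host whose
    fingerprinted OS is not affected (constructed events)."""
    events = [
        IpsEvent("worm-exploit", 100, 90, 200, attack_relevancy({"windows"}, "windows")),
        IpsEvent("worm-exploit", 100, 90, 50, attack_relevancy({"windows"}, "linux")),
    ]
    return [process(ev) for ev in events]


if __name__ == "__main__":
    for result in demo():
        print(result)
```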


Collaborative Threat Prevention
Protecting the network requires an IPS solution that delivers more than individual attack mitigation. To provide system-wide security, the IPS must scale the protection to other security points throughout the network. Cisco IPS solutions provide unique, unparalleled protection through the ability to determine network resource information, and to collaborate and communicate with those resources. Cisco IPS solutions include:

  • IPS/Cisco Security Agent collaboration—Collaboration between Cisco IPS solutions and Cisco Security Agent provides in-depth protection by communicating endpoint information to the IPS for contextual analysis. In addition, using the Cisco Security Agent Watch List, the IPS is able to quarantine suspicious hosts. The result is protection on the network from hosts that the endpoint has deemed malicious.
  • Cross-solution feedback—Alarmed network traffic can be communicated to other network security devices and tools to provide system-wide protection from attacks on single segments.
  • Passive/active fingerprinting—Contextual endpoint profiling based on passive OS fingerprinting and/or static mapping is added to the values within the Risk Rating algorithm to determine block action thresholds. This automated, contextual analysis makes it easier to determine the legitimacy of an attack and reduces false positives.
  • Attack-path identification—When using Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) as part of an IPS solution, attacks can be visually displayed and policies can be updated in real time to secure the network.
  • Multivendor event correlation—Using Cisco Security MARS, Cisco IPS sensors, and other security devices together provides network-wide visibility and information correlation.


Adaptive Behavior
To protect against today's sophisticated attacks and deliver true day-zero protection, the security measures of a network must be capable of understanding the network, and assessing suspicious attacks based on their malicious nature without prior knowledge of those attacks. Cisco IPS solutions adapt to the network, providing protection that is specific and unique to every individual network.


  • Anomaly detection/behavioral analysis—New with Cisco IPS Sensor Software Version 6.0, protection of your network from malicious worms and DoS attacks can be automated, based on the sensor's ability to learn network behavior and alarm when traffic patterns deviate from the determined normal patterns. Although normal traffic can be configured statically, the sensor's ability to protect from day-zero attacks using these intelligent engines delivers unprecedented protection, beyond traditional policy-based network security.
  • On-device and network event correlation—Cisco Meta Event Generator provides "on-box" correlation methods to deliver accurate worm classification. Cisco IPS Sensor Software Version 6.0 incorporates advanced sensor-level event correlation and knowledge base anomaly detection that gives security administrators an automated method for enhancing the confidence level in the classification of malicious activity detected by the IPS sensor. This provides a mechanism that allows for corresponding actions to deliver network-wide containment of worm and virus injection vectors, as well as worm propagation.


Integrated Deployment Options
Cisco offers a wide range of network IPS deployment solutions, enabling customers to implement intrusion prevention in ways that are most effective for their environments. All solutions are designed for high availability and backed by outstanding customer support. Deployment options include dedicated appliances, switch and router modules, and software-based solutions (Table 3).


Table 3. Cisco IPS Solutions



Product


Description

Performance

Cisco IPS 4200 Series Sensor

Dedicated hardware appliance platform

Cisco IPS 4240 Sensor: 250 Mbps
Cisco IPS 4255 Sensor: 600 Mbps
Cisco IPS 4260 Sensor: 1 Gbps
Cisco IPS 4270 Sensor: 4 Gbps

Cisco IDS Services Module 2 (IDSM-2)

IPS Security Module for Cisco Catalyst 6500 Series Switches

500 Mbps

Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM)

IPS Security Module for the Cisco ASA 5500 Series Adaptive Security Appliance

AIP-SSM 10: up to 225 Mbps, depending on host ASA
AIP-SSM 20: up to 500 Mbps, depending on host ASA
AIP-SSM 40: up to 650 Mbps, depending on host ASA

Cisco IPS Advanced Integration Module (AIM-IPS)

Cisco network module for Cisco access routers, providing IPS capability

Up to 45 Mbps, depending on the host ISR

Cisco IPS Network Module (NME-IPS)

Cisco network module for Cisco access routers, providing IDS capability

Up to 75 Mbps, depending on the host ISR

Cisco IOS IPS

Focused set of IPS capabilities using Cisco IOS Software on the router

Varies


Powerful Management, Event Correlation, and Services
Cisco uses a range of management and correlation tools and support services to provide an effective and complete IPS solution, regardless of deployment size or environment.


Table 4. Cisco IPS Solution Tools and Services

Solution / Product

Management Solutions

  • Command-line interface (CLI): A full-featured, Cisco IOS Software-like CLI that provides device configuration over a Secure Shell (SSH) Protocol connection.
  • Cisco IPS Device Manager: A single-device manager that provides a secure, browser-based GUI for configuration and alarm viewing. Cisco IPS Device Manager can be accessed from practically any desktop, regardless of operating system, giving rapid access to data from systems throughout the enterprise. The familiar browser interface enhances ease of use, and Secure Sockets Layer (SSL) protects the management session.
  • Cisco Security Management Solution: A powerful but easy-to-use solution to centrally provision all aspects of device configuration and security policy for Cisco IPSs, firewalls, and VPNs. It is effective for small networks of fewer than 10 devices but also scales to manage networks of thousands of devices; scalability comes from policy-based management techniques that simplify administration.
  • Cisco Router and Security Device Manager (SDM): An intuitive, Web-based device manager that provides easy and reliable deployment and management of Cisco access routers, including Cisco IOS IPS, Cisco AIM, and Cisco NM-CIDS.

Enterprise IPS Monitoring and Event Correlation Solutions

  • Cisco Security MARS: An appliance-based solution that correlates data from across the enterprise and uses your existing network and security investments to identify, isolate, and recommend precise removal of offending elements. Used together with Cisco IPS Sensor Software Version 6.0, Cisco Security MARS provides a collaborative solution that protects the network infrastructure from attacks, viruses, worms, and other malicious traffic.

Services

  • Cisco Services for IPS: As part of the Cisco Technical Support Services portfolio, Cisco Services for IPS combines Cisco SMARTnet® services with access to IPS signatures in one comprehensive service program with the following deliverables:
      – Access to Cisco IPS signatures for a broad range of threats, with standard release intervals
      – Access to operating system software updates such as Cisco IPS Sensor Software Version 6.x
      – Access to the Cisco Technical Assistance Center, any time, anywhere in the world
      – Access to Cisco.com and the Cisco knowledge base
      – Options for advanced hardware replacement, with or without a field engineer to replace failed hardware
    For IPS-enabled mitigation devices, this service is required in order to receive and process signature updates.
    For more information about Cisco Services for IPS, visit http://www.cisco.com/en/US/products/ps6076/serv_group_home.html
For more information about Cisco Services for IPS, visit http://www.cisco.com/en/US/products/ps6076/serv_group_home.html


Other Features
Auto and manual sensor bypass configuration: High availability can be achieved through several mechanisms for Cisco IPS sensors. Resiliency and redundancy can be delivered through network collaboration; for example, Hot Standby Router Protocol (HSRP) configuration and Cisco EtherChannel® load balancing on Cisco Catalyst switches can divert traffic to a secondary IPS device when the primary device fails. Cisco IPS Sensor Software Version 6.0 also delivers on-box bypass mechanisms that let an inline sensor automatically enter a fail-open condition on certain types of sensor failure; the same bypass can be set manually by switching the sensor into bypass mode. The result is increased availability of the monitored path. Note that fail-open means traffic crosses the sensor uninspected for as long as bypass is active, so bypass state should be monitored and the choice between fail-open and fail-closed made deliberately for each segment.


Support for Security Device Event Exchange (SDEE): SDEE is a standardized IPS communications protocol developed by Cisco for the IDS Consortium at ICSA. Through SDEE, Cisco IPS Sensor Software Version 6.0 exposes a flexible, standardized API on the sensor, so third-party management and monitoring solutions can integrate with the Cisco IPS solution and users have a choice of tools for consuming the events that Cisco IPS sensors generate.
Extensions to monitoring and notification through sensor alerts sent as SNMP traps: In addition to the existing alarm formats, Cisco IPS Sensor Software Version 6.0 can transmit IPS alarms from the sensor to monitoring tools that require Simple Network Management Protocol (SNMP) notifications. SNMP can also be used to poll the sensor for diagnostic and status information that reports the sensor's health.
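The SDEE passage above describes an XML event feed that third-party tools consume, and the data sheet's Risk Rating feature is what those tools are expected to act on. The following is an added example of the consumer side, written for this page and not code from Cisco or the data sheet: it parses a constructed SDEE alert document and selects events for a deny action by Risk Rating. The namespace URIs, the element and attribute paths, the 80-point threshold and the sample alerts are all assumptions made here; verify the paths against a real sensor's output before relying on them.

```python
"""Consume SDEE evIdsAlert events and gate them on Cisco Risk Rating.

Added example, not code from the data sheet or from Cisco.  The XML below
is constructed to illustrate the shape of an SDEE feed; namespace URIs,
element/attribute names and the threshold are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Assumed namespace URIs for the SDEE core schema and Cisco's CIDS extension.
NS = {
    "sd": "http://example.com/sdee/1.0",
    "cid": "http://example.com/cisco/cids/1.0",
}

# Constructed sample: three alerts, the last of which carries no riskRatingValue.
SAMPLE_SDEE = """<sd:events xmlns:sd="http://example.com/sdee/1.0"
           xmlns:cid="http://example.com/cisco/cids/1.0">
  <sd:evIdsAlert eventId="1001" severity="high" vendor="Cisco">
    <sd:originator><sd:hostId>ips-sensor-1</sd:hostId></sd:originator>
    <sd:signature id="5001" version="S200" description="Constructed worm propagation"/>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">192.0.2.10</sd:addr><sd:port>4444</sd:port></sd:attacker>
      <sd:target><sd:addr locality="IN">198.51.100.20</sd:addr><sd:port>445</sd:port></sd:target>
    </sd:participants>
    <cid:riskRatingValue>85</cid:riskRatingValue>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1002" severity="low" vendor="Cisco">
    <sd:originator><sd:hostId>ips-sensor-1</sd:hostId></sd:originator>
    <sd:signature id="2004" version="S200" description="Constructed ICMP echo request"/>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">192.0.2.11</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">198.51.100.21</sd:addr></sd:target>
    </sd:participants>
    <cid:riskRatingValue>35</cid:riskRatingValue>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1003" severity="medium" vendor="Cisco">
    <sd:originator><sd:hostId>ips-sensor-1</sd:hostId></sd:originator>
    <sd:signature id="3050" version="S200" description="Constructed half-open SYN flood"/>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">192.0.2.12</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">198.51.100.22</sd:addr></sd:target>
    </sd:participants>
  </sd:evIdsAlert>
</sd:events>
"""


@dataclass
class Alert:
    event_id: str
    severity: str
    sensor: str
    sig_id: str
    sig_desc: str
    attacker: Optional[str]
    target: Optional[str]
    risk_rating: Optional[int]  # None when the sensor sent no riskRatingValue


def parse_sdee(xml_text: str) -> List[Alert]:
    """Extract the fields a monitoring tool needs from each evIdsAlert."""
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.findall("sd:evIdsAlert", NS):
        sig = ev.find("sd:signature", NS)
        rr = ev.findtext("cid:riskRatingValue", default=None, namespaces=NS)
        alerts.append(Alert(
            event_id=ev.get("eventId", ""),
            severity=ev.get("severity", "unknown"),
            sensor=ev.findtext("sd:originator/sd:hostId", default="", namespaces=NS),
            sig_id=sig.get("id", "") if sig is not None else "",
            sig_desc=sig.get("description", "") if sig is not None else "",
            attacker=ev.findtext("sd:participants/sd:attacker/sd:addr", namespaces=NS),
            target=ev.findtext("sd:participants/sd:target/sd:addr", namespaces=NS),
            risk_rating=int(rr) if rr and rr.strip().isdigit() else None,
        ))
    return alerts


def select_for_deny(alerts: List[Alert], threshold: int = 80) -> List[str]:
    """Event IDs whose Risk Rating meets the threshold (assumed 80).

    Unrated alerts are deliberately excluded: dropping traffic on an event
    the sensor could not score is the false-positive action the rating is
    meant to prevent, so those go to human review instead.
    """
    return [a.event_id for a in alerts
            if a.risk_rating is not None and a.risk_rating >= threshold]


def unrated(alerts: List[Alert]) -> List[str]:
    """Event IDs that need review because no Risk Rating was supplied."""
    return [a.event_id for a in alerts if a.risk_rating is None]


if __name__ == "__main__":
    parsed = parse_sdee(SAMPLE_SDEE)
    for a in parsed:
        print(f"{a.event_id} sig={a.sig_id} rr={a.risk_rating} "
              f"{a.attacker} -> {a.target} ({a.sig_desc})")
    print("deny:", select_for_deny(parsed))
    print("review (unrated):", unrated(parsed))
```

The gate keys on the numeric Risk Rating rather than the coarse severity attribute, which is the point of the data sheet's Risk Rating feature: severity alone would put event 1003 (medium, unrated) in the same bucket on every sensor, whereas the rating lets the consumer act only on events the sensor itself scored as high-confidence.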


System Requirements
Inline IPS services require at least two monitoring interfaces on Cisco IPS 4200 Series sensors, since traffic must enter on one interface and leave on another to be inspected in the forwarding path. For information on upgrade options, please refer to the Cisco IPS 4200 Series data sheet at http://www.cisco.com/go/4200.


Cisco IPS Sensor Software Version 6.0 is supported on Cisco 4240, 4255, 4260, and 4270 Sensors; the IDSM-2 for Cisco Catalyst 6500 Series Switches; the AIP SSM for Cisco ASA 5500 Series Adaptive Security Appliances; and the IPS Advanced Integration Module (AIM) on Cisco access routers. On the Cisco IDS Network Module it is supported in promiscuous (IDS) mode only; inline prevention is not available on that platform.


For More Information
Email lynn@redlegg.com or call 877 811 5040 x102