Why Upgrade to IPS ver 6

Apr 25th, 2007

Hi,

We have installed an IPS 4215 with VMS 2.3.

Since upgrading to ver 6 of IPS I lost some functionality of the Management Console. Could not re-import the IPS sensor.


I have since found out that ver 6 is no longer supported with MC and we need to upgrade to CSM 3.1. That is not too bad but now VMS has gone altogether from the server (after installing CSM 3.1) and we have no reporting at all. I see the only solution to this is to purchase MARS, a very large cost for only one PIX and one IPS sensor.


My questions are:

Why should we upgrade to ver 6, how long is ver 5 going to be supported?

Is there any other way I can get some reporting or monitoring other than MARS? We could use syslog but that is not very functional.


Thank you

Scott

scottyd Wed, 04/25/2007 - 14:57

I have another question.

Is it possible to run CSM and VMS on the same server?

We still want to use VMS to monitor a PIX.


pmccubbin Thu, 04/26/2007 - 04:40

It's not a good idea to try and run VMS on a server with anything else. VMS is slow enough without having another application competing for resources.

mhellman Thu, 04/26/2007 - 05:42

"Why should we upgrade to ver 6, how long is ver 5 going to be supported?"


It sounds like maybe you shouldn't. The v6 software offers some new functionality, most promising IMHO is passive OS detection and anomaly detection.


As you already noted in another post, you can use the IEV software to monitor events. It looks very similar to the VMS event viewer.

Nick Egloff Thu, 04/26/2007 - 08:28

In addition to MARS and IEV already discussed, there are other third party tools that can access the SDEE and RDEP output from the Cisco IDS devices and do correlation.


I'm not sure of the appropriateness of discussing them here, so won't go into detail... but it should be acceptable to just note that they do exist; email me if you want to know some more about some of the ones we have looked at.


Thanks!

...Nick

rhermes Thu, 04/26/2007 - 09:24

There is no official word from Cisco on the End of Life date of 5.x, but typically, Cisco will keep 5.x alive for 18 months after releasing 6.x. Since 6.x was released in November, most folks are planning to be forced into a 6.x migration sometime around May 2008. 5.x will still work after that date, like 4.x and 3.x still do, but Cisco will stop producing signature updates for that version.

marcabal Thu, 04/26/2007 - 10:33
User Badges:
  • Cisco Employee,

As for your question about IPS ver 5 support.

IPS ver 5.1 will continue to be signature update supported until at least June of 2008.

And it will likely be longer than even that.

The official end date of signature update support will not be determined until an official End Of Sale announcement is made, and that has not happened as of yet.


So you can stay with 5.1 for quite a bit longer if you like.


Others have already posted some of the available options for configuration and monitoring.


One option that was not mentioned is to re-install VMS and use the Security Monitor within VMS to do your monitoring. Security Monitor will still work with IPS 6.0. It is just the IPS Management Center of VMS that can not configure an IPS 6.0 sensor.

For configuration you could then either install CSM 3.1 on a separate box, or since you only have one sensor just use IDM for managing the sensor configuration.

cgiulini Tue, 05/08/2007 - 11:12

Marcoa,


Back in December you responded to a post on this topic with the following information, "SecMon monitoring an IPS version 6.0 was tested. The existing SecMon version Can monitor IPS 6.0, but will only show the fields in the alerts that existed in IPS 5.1. SecMon will not show the new fields that are only seen in IPS 6.0."


Does this caveat still hold true? Thanks for your continued support.


Regards,


Chad

marcabal Tue, 05/08/2007 - 12:58
User Badges:
  • Cisco Employee,

Yes,


It was also tested with IPS 6.0(2)E1 as well, and the same still holds true.

SecMon can monitor it, but only shows the alert fields that were available in 5.1 sensors.


ray.caparros Thu, 08/09/2007 - 13:50

Installed CSM 3.0.1 and tried to add devices with IPS 6.0 and failed.


Anyone had this problem?

scottyd Thu, 08/09/2007 - 13:55

You need to use 3.1.

Otherwise it should work.

Scott

marcabal Thu, 08/09/2007 - 13:56
User Badges:
  • Cisco Employee,

Check your version of CSM

CSM 3.0.1 does Not support IPS 6.0

CSM 3.1.0 Does support IPS 6.0


Very easy to confuse the 2 versions.


