Cisco IPS 4200 Signature update

prashant.ccie
Level 1

We are in the process of evaluating and implementing a Cisco IPS solution for our security needs.

Our vendor told us that 'online' signature updates of Cisco IPS are not possible - it is a manual process and we need to reload the appliance if we wish to update the files.

Somehow, it defies logic. Surely, I believe, that any IPS should have the ability to get its signatures updated 'online'.

I apologise since this question is too elementary in nature. But could someone shed more light on this?

Thanks.

Accepted Solutions

rnaydenov
Level 1

You have an auto update feature in Cisco IPS version 6.0; take a look at the attached picture.

When updating signatures it is *recommended* that you reload the signatures (reboot the sensor), although this is not mandatory.

Our IPS hasn't been rebooted for over two months now and everything is running ok.

Auto Update


Thanks, rnaydenov!

Just to add a little bit to this conversation.

There are 3 main types of updates for the sensor:

1) Signature Updates - these updates just update the sensor with the new signatures that Cisco has created. These updates have been designed such that they can be applied to a running sensor. However, these updates can take a little bit of time for the sensor to process, during which it will not analyze packets. This can be a concern for a sensor deployed inline (packets passing through the sensor). To address this, the sensor has a feature known as Software ByPass. By default ByPass is configured for "auto". When the sensor is processing the signature update and not analyzing the packets, the Software ByPass will "auto"matically turn on and start passing the packets through the sensor without analysis. This way your network will not experience downtime while the signatures are being updated. As soon as the new signatures are processed the sensor will begin analyzing the packets again.

NOTE: On Low End Sensors like the IDS-4215, there is a problem being reported that the sensor runs out of memory while trying to process the new signatures. In the case of a bug like this, then the sensor needs to be rebooted to get it working again. So signature updates are designed to not require a reboot, but if a bug happens then a reboot may be necessary to get the sensor analyzing again.

2) Engine Updates - These updates are larger and will replace the binary (sensorApp) that analyzes the packets as well as applying new signatures. Once again the Software ByPass will automatically kick in when the old sensorApp is stopped, the new sensorApp started, and new signatures applied. So with Software ByPass this update can be applied to running sensors without a reboot.

3) Major, Minor, or Service Pack updates - these updates will replace the entire operating system, install new sensor files, and carry forward the older version config to work with the new sensor version.

As there is a complete replacement of the operating system, the sensor will be rebooted. In fact it reboots twice during this update. For these types of updates it is recommended that they be done during scheduled network down times.

As for auto update capability.

The sensor does have the ability to auto update itself from a local server on your network. The sensor will not auto update from cisco.com. This means you will need to manually download the update from cisco.com and place it on your own internal server, and then configure the sensor to auto update from that internal server.

However, CSM (Cisco Security Manager), which is the multi-sensor configuration tool, does have the ability to automatically pull new updates from cisco.com.

So if you want to have the update automatically pulled from cisco.com and applied to the sensors, then you will need to purchase CSM 3.1.
