NM-CIDS - 100 Signature limit?

Feb 11th, 2008

While I have experience with the 42xx sensor appliances I have not previously worked with the nm-cids modules. I have been told though that they are limited to use about 100 signatures. From their talk about memory and cpu restrictions it made sense. So my questions are:

1.) True?

2.) If true, then how is the selection made of which 100 signatures to use? Dealer's Choice? Cisco's Choice but modifiable?

3.) Links to any discussions of the differences between the appliances and modules both for management and signature choices.

4.) I saw the EOL message for the nm-cids not long ago. While that means it is still viable for a couple years has there been any discussion on what is going to replace the nm-cids - or if anything will?

Cost-wise it could become a problem to sell to our customers if we have to replace every nm-cids with a full-blown appliance. If the limitations I was told about the nm-cids are true I would hazard a guess that the (100 sig) limit was being problematic and a root cause of the decision to EOL them - The smallest appliance (4215 now?) is more costly but certainly more robust and manageable I would imagine.

Anyways, I am looking for links, documents, past discussions, etc., to help guide my recommendations to the customer. Everyone's 2-cents is valuable! Thanks much!

marcabal Mon, 02/11/2008 - 12:08

The NM-CIDS runs the standard signature set that is used on the Appliances.

The same signature update installed on the Appliances is used for the NM-CIDS.

The 100 signature limitation confusion is often a result of confusion between NM-CIDS and IOS IPS. IOS IPS is IPS features within the IOS image on the router itself, while NM-CIDS is IDS software running on a module within the router, where the module has its own processors, memory, and software image. The IOS IPS is limited on the number of signatures because it must share memory and cpu with the other features of the router. NM-CIDS, however, has its own memory and cpu for signature analysis and does not have the same signature limits as IOS IPS.

IOS IPS is often discussed as having 100 signature limits, but NM-CIDS, on the other hand, is capable of running the same set of enabled signatures as used on the Appliances.

(NOTE: Both the NM-CIDS AND the Appliances have memory limits that prevent all 3000+ signatures from being enabled, but it has enough memory for the standard set of enabled signatures which is well over 100 and likely even over 1000 signatures.)

The NM-CIDS and appliances are managed similarly and the same signature updates are used for the NM-CIDS and Appliances with the same set of Enabled signatures.

The biggest difference for the NM-CIDS is that it is not capable of inline monitoring and is restricted to promiscuous monitoring.

As you stated the NM-CIDS has been announced for End of Sale/Life.

http://www.cisco.com/en/US/prod/collateral/modules/ps2797/end_of_life_notice_eol_for_cisco_intrusion_detection_system.html

The NM-CIDS is being replaced by the AIM-IPS:

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/product_data_sheet0900aecd806c4e2a_ps2641_Products_Data_Sheet.html

The AIM-IPS just like the NM-CIDS has its own memory and CPU and just like the NM-CIDS it runs the same signature update as the appliances.

But an advantage that the AIM-IPS has over the NM-CIDS is that it is capable of inline monitoring.

The AIM-IPS datasheet is available on cisco.com, but it is not yet orderable. It should be orderable within the next 2 or 3 months.

By the way the IDS-4215 would not be a recommended replacement as it is also being End of Sale/Life:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps5367/end_of_life_notice_for_cisco_ids_4215_sensor.html

The AIM-IPS would be the preferred replacement once it becomes available.

h-schupp Mon, 02/11/2008 - 13:26

Thank you for a concise yet complete answer to my question(s). I will make sure I make myself knowledgeable about the new AIM-IPS modules. Do you have any insight (just have you heard anything concrete) as to whether they are going to be making any "trade-up" offers for the AIM-IPS?

Good catch on the 4215 EOL - "That" one I knew :) I was actually just speaking generically about if there was going to be a need to replace nm-cids modules with appliances - but your answer here gives me all the information I need. Again, thanks much! Hank Schupp
