SA500 Series: Why is Cisco Small Business not updating the IPS on paid contracts?

Unanswered Question
Apr 6th, 2012

It has been four months since the last IPS update for the SA500 series. The threat environment has changed drastically. Our ASA IPS modules have gone through dozens of updates, but the SA500 Series routers we bought IPS subscriptions for in December of 2011 have received zero updates. Has the IPS product been EOL'd on the SA500's? I thought it was odd when the SA500 IPS wasn't updated for a major compromise regarding the Microsoft RDP exploit.

Maybe the IPS signatures are under a review similar to what was done on the enterprise side regarding retirement of older signature over the past few months, but we would appreciate some information about the status of the Small Business signature/engine updates.

Ironically, one of the key reasons we upgraded to a contract based small business pro IPS product from our small business WRVS4400N was because Cisco stopped updating the signatures on it.

Any information would be appreciated.

not12bhere Wed, 04/11/2012 - 20:44

Any information that a Cisco employee forum member could provide would be appreciated.

I have started having second thoughts about the entire IPS/IDS idea on the Small Business products... If the IPS signature subscription provides only protection against exploits that were solved via software updates months before the IPS signature update is even released, what is the value-add in an age of auto-updating Windows 7 and Java? At least on the enterprise line, sometimes we get a head start with the IPS signatures before a software update is released by the vendor. Not complaining, just asking for my own education.

Thanks in advance for any informative responses.

doug_counsil@ya... Wed, 04/11/2012 - 21:57

We have the same concerns. Between the costs ($ for maintenance/licensing, extensive CPU and RAM use, loss of throughput, etc.) and lack of benefits (some of the same reasons you mentioned above) we have decided to turn off IPS.

We have entertained the idea of asking for a refund (we bought a 3 year license), but I have requested that a project manager address these concerns here on the forum before doing so. Frankly, the current IPS implementation is rough enough in the SA500 Series routers without adding the lack of current/regular signature updates into the mix.

not12bhere Thu, 04/12/2012 - 19:27

I think we can safely assume that the reason we haven't seen any IPS updates is because of the slew of new small business products that were just launched. Access Points, RV routers, SPA IP phones. . . . how about supporting the products already in the market.

Curtis,

I have considered shutting off the IPS on the SA500 as well. Did you have a broadband connection with enough bandwidth to show a difference in performance? Our SA500 with IPS enabled currently pulls down 31mbps and uploads 3ish, whereas our WRVS4400N WAN with IPS enabled could only pull down 21'ish tops. I am curious where the line exists with the SA500 in regards to max bandwidth versus IPS (I am guessing the WAN on the SA500 with IPS enabled tops out in the 40mbps realm) but would love a real world result. If you are running a SA540, you would likely have higher numbers than our SA520s as well.

doug_counsil@ya... Fri, 04/13/2012 - 09:00

We have a 30 Mbps down, 5 Mbps up connection with TimeWarner Cable.

With IPS enabled our SA540 can only achieve ~22 Mbps download speeds. With it turned off we consistently get 30 Mbps.

Our configurations must be different than your SA520's. I wonder what we are using that is causing the major slowdown?

doug_counsil@ya... Fri, 04/13/2012 - 09:28

Perhaps there are newer hardware versions of the SA500 Series routers? Our SA540 is an early version. Although we just bought it a couple months ago, I distinctly remember the label on the box (from Cisco to the reseller) was very old.

Our unit has 256 MB of RAM, a 500 Ghz CPU, and I believe 64 MB of Flash RAM.

not12bhere Wed, 04/18/2012 - 13:13

Here is my SA500's report on memory:

Total Memory: 233584 KB
Used Memory: 177204 KB
Free Memory: 56380 KB
Cached Memory: 71480 KB
Buffer Memory: 10908 KB

Wasn't your SA540 supposed to have more WAN bandwidth than our SA520's...? Maybe the difference is in the metric I used to measure our WAN speed capability with Protectlink and IPS enabled (I used speedtest.net and have never researched how they come to their numbers).

Configuration:

We only use Protectlink to block the advertising and malware categories. We do, however, have every signature of the dubious IPS enabled. SSLVPN/remote management is also disabled. Another thing that might have a major impact is that we have very few custom ACL/Firewall rules and run with IPv6 disabled.

doug_counsil@ya... Wed, 04/18/2012 - 13:46

That's interesting. We don't even use any of the Protectlink functionality.

We have 99% of the IPS signatures enabled. We found a few of them to be too sensitive.

We use both SSL and IPSEC VPN functionality. We have two policies set up... one that's compatible with iPad, iPhone, Macs, and Cisco VPN Client... and another that is compatible with IPSecuritas (Macs only).

We have no custom ACL/firewall rules and IPv6 is disabled.

Based on the debug output, I think the SA500 Series routers are equipped with dual core CPUs. Perhaps the second core is *turned on* when Protectlink is turned on?

doug_counsil@ya... Wed, 04/18/2012 - 13:50

Here's our current memory usage. Remember, IPS is now turned off.

Total Memory: 233584 KB
Used Memory: 137492 KB
Free Memory: 96092 KB
Cached Memory: 64036 KB
Buffer Memory: 9592 KB
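As an added check (not code from either poster), the following parses the SA500 memory report format quoted above and compares the IPS-on and IPS-off reports, separating reclaimable cache/buffers from memory that is actually committed. It assumes the router's counters follow the Linux /proc/meminfo convention (cache and buffers counted as "used" but reclaimable); that is an assumption, not something the thread states.

```python
import re

# Memory reports as posted in the thread (IPS enabled vs. IPS disabled).
REPORT_IPS_ON = """\
Total Memory:233584 KB
Used Memory:177204 KB
Free Memory:56380 KB
Cached Memory:71480 KB
Buffer Memory:10908 KB
"""

REPORT_IPS_OFF = """\
Total Memory:  233584 KB
Used Memory:  137492 KB
Free Memory:  96092 KB
Cached Memory:  64036 KB
Buffer Memory:  9592 KB
"""

# Tolerates the inconsistent spacing after the colon seen in both reports.
LINE_RE = re.compile(r"^(Total|Used|Free|Cached|Buffer) Memory:\s*(\d+)\s*KB$")
FIELDS = {"total", "used", "free", "cached", "buffer"}


def parse_report(text):
    """Parse the SA500 status-page memory block into {field: kilobytes}."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group(1).lower()] = int(m.group(2))
    missing = FIELDS - fields.keys()
    if missing:
        raise ValueError(f"report missing fields: {sorted(missing)}")
    # Sanity check: the device reports used + free == total.
    if fields["used"] + fields["free"] != fields["total"]:
        raise ValueError("used + free does not equal total; garbled report?")
    return fields


def memory_pressure(fields):
    """Return (committed_kb, reclaimable_or_free_kb, committed_pct).

    Assumption: cached + buffer pages are reclaimable, as under Linux, so
    the memory that really cannot be freed is used - cached - buffer.
    """
    committed = fields["used"] - fields["cached"] - fields["buffer"]
    available = fields["total"] - committed
    return committed, available, round(100 * committed / fields["total"], 1)


def ips_footprint_kb(report_on, report_off):
    """Committed memory attributable to the IPS engine, from the two reports."""
    on = memory_pressure(parse_report(report_on))[0]
    off = memory_pressure(parse_report(report_off))[0]
    return on - off
```

The raw "Used" figure reads as 76% and 59%, but after subtracting cache and buffers the committed memory is about 41% with IPS on and 27% with IPS off, a difference of roughly 30 MB.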

not12bhere Wed, 05/09/2012 - 16:05

It has now been almost six months since the last IPS update for the SA500.

This is the first time I have been truly disappointed with a Cisco SMB service. No word/response on the forum. Is the IPS service dead? Does Cisco SMB have a plan for reimbursing businesses that purchased the IPS contract for the device?

healthsolutionsplus Mon, 06/04/2012 - 09:19

We just bought an SA540 and were really disappointed with signature updates being so old. We are actually considering returning our Cisco product and going with SonicWall. At least they update their signatures more often.

doug_counsil@ya... Wed, 06/06/2012 - 13:42

Cisco hasn't waited this long between IPS signature updates before. I am beginning to wonder if this device is nearing EOL???

healthsolutionsplus Fri, 06/08/2012 - 12:26

I hope not. When I bought it, EOL wasn't mentioned by either CDW or Cisco reps. I created a support ticket for IPS updates. I will keep you guys informed of its status.

doug_counsil@ya... Sat, 06/09/2012 - 07:58

I am beginning to wonder if the next firmware Cisco releases for the SA500 series routers will be using a different type of IPS engine, and therefore the signatures will be in a different format. Maybe it's just wishful thinking on my part, but since we haven't seen any EOL announcements, they may be working on another major maintenance firmware release... as in 3.x.x... with more sophisticated IPS signatures?

It only makes sense. They should try to integrate the signatures they produce for their Enterprise routers into the SA500 Series routers. That way they wouldn't have to work on two separate types of signatures.

I wish someone in the know (like the Project Manager) would chime in. We purchased a 3 year IPS contract and since then there have been no updates at all. That is kinda sad.

not12bhere Sat, 06/09/2012 - 10:40

This has become a great example of the failure of Cisco in the Small Business arena. I am guessing it is a matter of a lack of dedicated engineering resources to the small business division.

Curtis,

Just a heads up, but it "seems" like Cisco is about to abandon small business in the Enterprise IPS product line as well. They stopped updating the ASA5505 SSC-5 IPS firmware and capabilities in July of last year (right when we bought ours!!!). It still uses the same IPS signatures as the 5510+, but the writing is on the wall. No global correlation, no un-retiring of signatures, no custom signatures, no anomaly detection etc., and they just announced ASA-CX which won't happen on the current ASA5505... I am really starting to feel like I wasted thousands of dollars based on Cisco's reputation, which apparently only applies at the big enterprise level. One look at PaloAlto's or Sonicwall's UTM features at the same price point really shows what a bad cost v benefit analysis I did. In fairness to my decision, I also based the final decision on Cisco's support reputation...

Regardless of the above Enterprise issues, Cisco Small Business sold us these three year contracts last December, and now they haven't updated the IPS in 8 months. In fact, we have received ZERO IPS updates since our purchase. No update after the Microsoft RDP issue, and now, no update after the Microsoft Update certificate compromise, aka Flame. Since one of the real values of IPS is defending against threats that require patches that may not exist or may not have been applied yet, an outdated IPS is almost useless for anything but detecting scanning/recon against your network.

At this point, without a response from Cisco in the near future, I plan to take my valuable time, and use it to post a lengthy but factually based review of their SA series security routers on the major vendor websites. I think one could appropriately describe the SA500 series as abandoned/EOL'd without a notice. I think the IPS contract situation may be a Better Business Bureau complaint at a minimum, but I will attempt to give Cisco a chance to address this with the community first. The only "service" that we purchased for the SA's that is still current is Microtrend's Protectlink...

The hardware is solid, and this device has/had so much more potential.

I am very disappointed.

not12bhere Fri, 06/15/2012 - 18:43

Doug,

Thanks for updating the threads to let us know about the IPS signature update release. I couldn't find release notes to go with the release. I installed the update on one of our SA500's and noticed that there are several new, 2012-dated signatures. All of them are disabled (I assume by default?) but when I click on them to read the cisco.com SBIPS descriptions I get page not found errors. Is it an issue on my end, or do you see the same thing? Would be nice to enable these new signatures, once I know what they are...

doug_counsil@ya... Fri, 06/15/2012 - 19:02

All of the new signatures were disabled by default for our SA540 as well. I assume that some of the existing signatures may have been updated, but if they were, the signatures were kept enabled.

I see the same thing on our end when we click on the signatures. We decided to deploy the new signatures and enable them all today, even without knowing their descriptions.

I'll let you know if we see anything weird in our syslogs over the next few days.

doug_counsil@ya... Thu, 06/28/2012 - 07:54

All of the links for the new IPS signatures are still broken.

Cisco, please update the links for the IPS signature descriptions!

not12bhere Mon, 07/30/2012 - 20:15

It has been over a month and the links are still broken. Cisco, we still have no idea what the new signatures are. I have had them hit positively and I have zero idea what it means...

healthsolutionsplus Wed, 08/01/2012 - 13:06

That sucks.... I'd just disable those new signatures before they stop anyone from accessing anything and you won't have any idea why it's happening. What's worse than having no IPS? Not knowing what your IPS is doing.

doug_counsil@ya... Wed, 08/01/2012 - 14:48

We have enabled all of the new IPS signatures and haven't hit any of them yet. I agree though, we need descriptions ASAP.

sgaddiko Mon, 08/06/2012 - 09:22

Hi,

New firmware is scheduled to release in the 3rd week of September and currently going through regression testing. Beta might be available earlier.

Thanks.

doug_counsil@ya... Mon, 08/06/2012 - 10:34

Thanks for the update on the next firmware release.

I take it the links associated to the new (and possibly existing) IPS signatures will be part of the firmware release?

doug_counsil@ya... Tue, 08/07/2012 - 13:36

We are currently running the latest beta firmware (2.2.0.3_1) for the SA540, and the links are still broken. I take it that the underlying links associated to each signature either need to change (which would require a new IPS signature file) or Cisco just needs to build the actual website pages.

Here is an example:

http://tools.cisco.com/go/redirect/viewSBIPSSignature.x?sigID=2012-000827

That link comes from the IPS signature file itself. In other words, the link is not embedded into the firmware.

florenm1970 Tue, 10/09/2012 - 18:14

October 9th, there are still no updates related to the new firmware. Are the high memory usage issues fixed in this release? I have to reboot my SA520W every few weeks in order to free the memory. Coming from Netgear ProSafe products, I never experienced these issues before. So far, I own a SA520W router and SG300-10 switch. The insane memory usage does not help Cisco's solid reputation; I would appreciate some feedback from the Cisco technical engineers.

Tom Watts Tue, 10/09/2012 - 18:30

Hi Floren, your comment seems to be off topic.

But to answer your question, the high CPU utilization at this point seems to be a cosmetic issue. The internal reporting of the unit I think has an issue. The SA500 has a long history of showing high utilizations but there haven't been any factual grounds to show the unit is failing due to lack of memory or CPU... in fact the SA520 is pretty darn close to the same specs as an ASA5505 in terms of hardware... so I'd be very surprised.

Do you actually see a degradation in performance or just based it off the monitoring of the device? Also, what is wrong with the SG300 switch? I will be very keen to hear.

But, if you could, please make a separate topic to address those concerns as this one is more geared toward the IPS/firmware releases.

-Tom
Please rate helpful posts

florenm1970 Tue, 10/09/2012 - 19:07

Hi Tom,

I'm more concerned if any related work was done on the new firmware about the memory usage on SA520W; I did not notice any issues with the SG300. I mentioned both products so everyone gets a better idea how my current network at home is set up. I'm glad you acknowledge the memory issues, even if they are cosmetic. I started a thread related to this.

doug_counsil@ya... Thu, 12/27/2012 - 14:31

Firmware 2.2.0.7 has been released but the IPS signature links are still broken. When should we expect new IPS signatures with links that work?

not12bhere Fri, 12/28/2012 - 09:01

Cisco,

As Curtis mentioned, you have another firmware out for this device which we appreciate, but it has been almost half a year and your small business products have yet to actually tell us what the current signatures on the IPS do. As a user of the ASA IPS products for many years, I know that the enterprise product customers would be demanding action after a few hours of not knowing what their IPS signatures were doing. I understand that the SMB team may not have access to the same level of resources as enterprise, but at the same time, your small business products program is releasing the replacement hardware for this product right now.

Cisco charged a significant premium for the IPS license on the SA500 series (relative to a small business product) and you have failed to meet your obligations in both IPS signature updates and now the basic requirement of describing what the current ones do.

With all of the players moving into the SMB UTM market, I would be hard pressed to give any client a positive recommendation on buying a Cisco SMB router/security product. The Cisco alternative I advocated in the past as an alternative to the SA500 series, the ASA5505 with IPS, has been issued an End of Life, and Cisco stopped updating the IPS features over a year ago on the ASA5505's IPS SSC.

Someone needs to get Cisco's act together on the UTM SMB/Branch front.

For now, I would be happy to:

1) Have descriptions of what the IPS signatures we paid for are supposed to be doing,

2) Know why the SA500 series is always at maxed out memory usage,

3) Learn why, even though no IPS signature is firing, enabling the IPS feature on the SA500 series interferes with VOIP, AOL emails, HULU videos, the YouTube Android app, Xbox Live and Google Play music samples...

Again, thank you for the firmware update. Any response from Cisco on the issues Curtis and I have mentioned would be appreciated.

doug_counsil@ya... Fri, 12/28/2012 - 10:54

I opened a TAC case for the invalid link descriptions. The case number is 624313101. I also inquired about when we could expect the next IPS signature update.

mpyhala Fri, 12/28/2012 - 17:12

All,

I found this thread while investigating case number 624313101. The links that start with 2012 are certainly not working correctly. As a workaround you can remove 2012- from the URL and then you will be able to view the IPS signature description. It appears that the signatures that start with 2012 are old and possibly outdated and that is why they are disabled by default.

I requested an update regarding a new IPS signature release and the best information I have is that there will be no update released in the very near future. Our Subject Matter Expert will inquire during the next development meeting scheduled for January. If any update is planned in the near future after that I will post here.

- Marty
