Why Purchase IPS for Cisco Routers?

rmaerz · ‎08-14-2006

Can anyone tell me why I would populate my WAN with Cisco routers running IPS?

I was just told by TAC that Cisco will not be releasing signature 5799 (MS server service buffer overflow) for router IPS. So what's the point?

I feel like I've been dupe'd.

walter baziuk · ‎08-24-2006

I recently purchased 6 C3825 with the NIMS-IDS module. They worked like a charm.

Though new, they all came with V4.0 s/w for the IDS and the latest 12.4 IOS for the router itself. When i have a few free cycles, i'll update the IDS to V5. Anyone know any issues

Why use it?

1. It's one box

2. less cabling

3. simpler config and monitoring

4. cheaper over to buy

If you are familiar with your current seperate IDS, i'd say stay with it. If you're new top the game, go with the IDS in a 3825/45 option

marcabal · ‎08-24-2006

Just to provide a little clarity here.

There are 2 types of IDS/IPS for Cisco Access Routers.

There is the NM-CIDS modules, and there is the IOS IPS feature where the IPS functionality is built directly into the IOS of the router rather than using a separate module.

The NM-CIDS module is a fully functional IDS. It runs the same software as the other Cisco IPS Appliances and Modules and supports the full set of signatures and signature engines.

HOWEVER, the NM-CIDS does not support InLine monitoring, and can only do promiscuous monitoring.

The IOS IPS built directly into IOS has minimized IPS functionality, but can do InLine monitoring.

The IOS IPS supports many but not all signature engines that are supported in the IPS Appliances. If a signature (like 5799) can only be written using one of the engines not supported by IOS IPS, then the IOS IPS feature can not monitor for the vulnerability.

Whether to use IOS IPS, NM-CIDS, or an IPS Appliance will depend on your deployment and available funds.

Both NM-CIDS and IPS Appliances cost more than IOS IPS because of the additional hardware, and additional features.

If cost is your biggest constraint, then IOS IPS may be an effective alternative. You pay less for IOS IPS, but you need to understand that it will not provide the same level of signature coverage, and some attacks can't be monitored for by IOS IPS.

Some environments are WAN to WAN connections with no Ethernet in between. Appliances won't work in these environments because Appliances need Ethernet connections.

So NM-CIDS and IOS IPS are your only choices.

If you want promiscuous monitoring for your internet connection and the additional cost of the sensor is not a problem, then the NM-CIDS is a good purchase. It provides full signature converage promiscuously at less cost than the typical appliances.

If you want InLine monitoring then an Appliance or IOS IPS are your only options.

So you see it will depend on your type of deployment and available funds that will often determine which type of sensor to go with.

What we are seeing more and more often now is a hybrid deployment. The customer will purchase Appliances monitoring InLine to put in front of primary servers. But instead of spending the additional cost of Appliances for other areas of the network, they will instead purchase IOS IPS or NM-CIDS for monitoring those other areas of the network. This way get the best coverage for their most important servers, and provide at least some coverage for everything else.