I found this response really frustrating.

As the thread title says, it's IOS IPS. That's a router with IPS on it.

Looking up messages in MySDN is obviously NOT sufficient. A large number of signatures may or may not be attacks. How can I tell? Should I respond? Should I raise the threshold? Should I disable the signature?

As I said "I suppose one could just watch the alert chatter and disable or delete signatures that seem too noisy. Doesn't seem very secure."

Everyone says IOS IPS is limited in some mysterious unspecified ways. Nobody says how. It's useless, un-actionable information.

So, am I stuck guessing?

/kenw

Well I'm sorry, if my answer is not to your satisfaction but I've been using MySDN for around 6 months and I find it very useful. MySDN provides me enough information to make some decisions about tunning my IDS's Appliances. To tell you the truth the only router with IPS's that I ever used was 1710 for a SOHO and the IPS options to tune the built in device is very little.

I recommend you getting an NM-CIDS for your router, it provides you with all the customizable options that an IPS appliance like an IDS-4215 would ( 4215 run at speeds of 80mb/s while the CIDS runs at 45).

I dont really recommend an router doing an ASA/IPS applicance job's, but you know if that is your budget.

PS.

you can always try :

show ip ips signatures detail | include

so you can identify a few things about the signatures.

There's a term from mathematics: "necessary but not sufficient". That's MySDN. Sure, it's a great site, but without knowing more detail about what triggered the alerts, I can't make a valid decision about how to respond.

I'm running an 1811w with very current IOS and lots of RAM, FWIW.

ASA/IPS appliances are new to me. I'm a router man from way back, always felt them to be more powerful than PIXes and the like, but objective info in this business, especially for the small business market, is just about non-existent.

In any case, thanks for the suggestion about the NM-CIDS, but I don't think they're available for 1800s.

If they were, would they protect me from brute force password guessing via RDP (remote desktop protocol) connections? I don't worry about all those wierd, subtle attacks and virus signatures (I have antivirus software, thanks) -- let's just block the script kiddies.

/kenw

yeap they would, I dont know if they have a signature for that, but you always can create one, that is what I did for ssh brutal force. I had about 50 different IPs every day banging on my ssh at least for 3 hours before they would give up, that takes a lot resorces out of my machine.

I created a simple rule, more than 5 trys in less than than 2 mins I'd block the connection :)

PS. you can always use the IDS-4210 running at least 5.1 they are cheepppppp :) that would fix

I can only find pricing on IDS-4215: NOT cheap for small businesses that have no on-site IT staff. More expensive than the 1811W router with IOS IPS.

The Cisco techs don't recommend 5.x for IOS yet -- they say it has issues. I'm not clear what the difference is. They also say custom signatures aren't supported.

One thing that puzzles me: the standard set of signatures do NOT seem well suited to typical small businesses. Those are only going to have a few inbound ports open: HTTP, HTTPS, SSL, SMTP, RDP, maybe POP3 if they're crazy. Every one of those should have a prebuilt password guessing signature. Any site that doesn't already run decent virus protection deserves what it gets -- dump those signatures altogether.

/kenw

Well they recomend right now version 6.x because is the lastest out. I 2 customers, one has a 4215 and runs 6.0 and the other one is kind a little be like your case, very low budget but I got him a 4210 with 5.1 software, it does the job and since the has appliance is behind the firewall is harder to exploit the appliance.

it has bugs but since he does not want to get smatnet or a newer appliance like a 4215 the IDS-4210 does the trick

PS. I got it used on EBa*** ( i dont think I can say that here LOL)

I got smartnet, no problem there. Man it's a complex topic!