Management of 4240 and 4255

thomascollins · ‎10-03-2006

We have three IDS/IPS devices that we recently aquired, and are planning to deploy.

If I understand correctly, I can manage them directly using the CLI, or using the free single device Cisco IPS Device Manager?

If I want centralized management, would I look to Cisco Security Manager or CiscoWorks VPN/Security Management Solution? Are both still available or has VMS been replaced by Cisco Security Manager?

Any rough ideas on list price? And pros/cons?

THANKS!

marcabal · ‎10-03-2006

Cisco Security Manager (CSM) is replacing Cisco Works VPN Security Management Solution (VMS) for configuration management of multiple sensors.

Cisco MARS is replacing the VMS for alert monitoring of multiple sensors.

VMS contained utilities for both multi-sensor configuration and multi-sensor alert monitoring.

CSM, however, only does multi-sensor configuraiton, and CS MARS is used for multi-sensor alert viewing.

With only 3 sensors, however, you may find that just using IDM and CLI on each of the 3 sensors may be good enough for you to start with.

If you get more sensors or just feel you really want a multi-sensor manager then CSM is what you will need to purchase.

You will also need an alert viewer. For 5 or less sensors there is a free utility IEV (Intrusion Detection/Prevention Event Viewer). It does a pretty good job for a free utility.

If you are getting more thatn 5 sensors, or want more features in your event viewer, then you would look into purchasing CS MARS.

I am not sure of the list prices of CSM and CS MARS.

IDM is part of the standard sensor package (no additional cost).

IEV is free to users with maintenance contracts on their sensors.

If just starting out with Cisco IPS, then there is one other thing to be aware of.

For signature updates each of the sensors need to be covered under an IPS Service contract.

The IPS Service contract will include a license that you will need to install on your sensor. The license is required for the installation of signature updates.

To recieve signature updates you will also need to be running IPS version 5.1(2) or higher on your sensors.

thomascollins · ‎10-04-2006

Thanks very much, that was very helpful.

I have confirmed that all sensors will be under IPS contracts.

As for CS MARS/CSM vs VSM...is VSM still available for sale? We are looking into a third party monitoring solution that claims to require we run Cisco VMS 2.3. I haven't checked with them yet if they'll support CS MARS.

Thanks..

Tom

andrew.burns · ‎10-04-2006

Hi,

Ciscoworks VMS is still current and available for sale:

http://www.cisco.com/en/US/products/sw/cscowork/ps2330/prod_software_versions_comparison.html

However, I'd definitely go for the CSM/MARS combo if I had the choice based on the folloing quote:

"Cisco is not adding support for additional features and new devices in CiscoWorks VMS. Customers that require provisioning for Cisco firewalls, VPN?s, and Intrusion Prevention Systems (IPS) should consider the successor product Cisco Security Manager."

HTH

Andrew.

marcabal · ‎10-04-2006

And to follow along with that quote that Andrew posted, CiscoWorks VMS will NOT support new major/minor versions of IPS.

New major/minor versions of IPS will only be supported in CSM.

rhermes · ‎10-04-2006

By new major/minor versions of IPS do you mean within 5.x, like 5.1(4) or 5.2? Or do you mean 6.0?

I know the new IPS devices like the ASA's SSM IPS cards are not (and will never be) supported in VMS. How much life can I expect to get out of my existing VMS platform, assuming I keep my existing sensors?

I had plans on using my VMS 2.3 thoughout most of next year. It gets a little tiring when Cisco forces a management platform change every 2 years.

marcabal · ‎10-04-2006

5.1(4) would be a service pack.

It has the same major.minor as existing 5.1 sensors.

So 5.1(4) would continue to be supported by VMS 2.3.

Even later 5.1(5), 5.1(6), etc... Service Packs would continue to be supported by VMS 2.3.

However 5.2 would be a change in minor version. The .2 is a minor version upgrade.

The VMS 2.3 would not have configuration options for the new features and so would not be able to support a 5.2 sensor.

But this really isn't an issue. No plans in place for a 5.2 release.

Similarly 6.0 would be a change in major version. And so VMS 2.3 would not be able to support 6.0.

The EOS/EOL for VMS 2.3 has not yet been posted. So I would not expect the End of Support for VMS 2.3 for at least another year or more.

From an IPS perspective, the VMS support timeframe will likely be tied to how long signature updates will be provided for the IPS 5.1 versions.

There won't be a 5.2 release (6.0 is next), so lets talk of the effect that a 6.0 release would have on 5.1 signature udpates.

So for a Major 6.0 Release the End Of Signature Support policy states:

"For major-to-major releases (e.g., Version"A".x to Version"B".y, where "A" and "B" are consecutive version #s): Minimum of eighteen (18) months of signature release support after the end-of-sale announcement of that older software release."

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd80358daa.html

So at this point and time you will have a minimum of 18 more months of 5.1 sig support, after the release of 6.0.

So my best guess is that when a VMS 2.3 EOS/EOL policy does come out it will probably state support for at least the additional 18 months that 5.1 signatures are being supported.

So if you are already running VMS 2.3, and are not in a rush to get IPS 6.0 when it releases, then you will probably be fine staying on IPS 5.1 and VMS 2.3 through most if not all of next year and part of the year after that.

BUT if you are a first time user, then I would suggest starting with CSM now.

thomascollins · ‎10-05-2006

Thanks, that was very helpful.

Since I only have three sensors, I could also start with the free IDM (IPS Device Manager) correct? And free event viewer? I'll probably go with CSM and CS MARS in the long term, but to get me started, I'd like to begin with free tools.