Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Verifying the Correct Signature Updates, Management Software, and Version

I am working today at a Client Site where I installed several months ago a Cisco IPS 4240 Sensor. The Sensor is currently running Version 6.0(3)E1.

I am not certain how to proceed with respect to signature updates on this box.

Under signature definition, it lists the following:

Signature Update S291.0 2007-06-18

I have noticed on the Security Software Page for IPS that the latest Signature File is S336. Should I install this on the IPS? In order to perform this, will it take down the IPS unit?

Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/ Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV??

27 REPLIES
Gold

Re: Verifying the Correct Signature Updates, Management Software

Both OS patches and signature updates have the potential to distrupt service passing through the sensor when used in the in-line IPS mode. You should update the OS to 6.0(4) and then apply the latest signature update, but you could skip the OS patch and just update the signature pack if you don't require any of the fixes 6.0(4) provides.

Re: Verifying the Correct Signature Updates, Management Software

I would highly recommend to update the sensor OS to 6.0(4), as the upcoming Engine2 (E2) update will only support this version, as far as I can recall. This will require a reboot (So downtime for sure).

The signature update does not require a reboot, and to my knowledge if the sensor is configured with the default 'software bypass' settings, the sensing engine will just pass all traffic un-scanned while the signature is being installed (takes 1-2 minutes only).

A valid license file needs to be present tough, otherwise the signature will install, and then un-install itself, pretty annoying :)

Regards

Farrukh

Community Member

Re: Verifying the Correct Signature Updates, Management Software

Is there any reason why I would not go ahead and upgrade the Sensor to 6.1.1 vs. the 6.0.4?

Seems 6.1.1 is the latest published release on the Download Center...

Re: Verifying the Correct Signature Updates, Management Software

Yes that would be much better, as then you can enjoy the benefits of the IPS Manager Express (IME).

I think there is some issues with MARS support on the 6.1.x, so I did not do that on our customer network's as of yet. I think this is planned August or something. Other features include auto-updates for signatures from cisco.com.

Regards

Farrukh

Cisco Employee

Re: Verifying the Correct Signature Updates, Management Software

If you are using CSM for sensor management, then you would need to stay at 6.0 until 6.1 support is added into CSM.

Choosing between 6.0 and 6.1 is generally just a personal choice.

6.0 has been in the field longer and any issues with 6.0 are more well known.

6.1 on the other hand is still fairly new, and as with any new code, it has not yet been put through the ringer the way 6.0 has been.

If stability is number one priority then stay with 6.0.

If new features are your priority then go to 6.1.

Re: Verifying the Correct Signature Updates, Management Software

good information there marcabal, thanks :)

Regards

Farrukh

Community Member

Re: Verifying the Correct Signature Updates, Management Software

I am using IDM right now. Any issues with moving from 6.03 to 6.0.4 as the first post reply had recommended??

Re: Verifying the Correct Signature Updates, Management Software

Nope there should be no issues there. Even yesterday they announced the release date for the E2 update (June 15th). So be ready for that too :).

Regards

Farrukh

Community Member

Re: Verifying the Correct Signature Updates, Management Software

Dont mean to be a pest. What is the E2? Thanks for all your help.

Kevin

Re: Verifying the Correct Signature Updates, Management Software

No problem at all :). Engine 2 update = E2.

Have a look at this:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idm_signature_engines.html

Regards

Farrukh

Community Member

Re: Verifying the Correct Signature Updates, Management Software

In the recent Cisco's Bulletin, it stated that E2 engine update will be available by June 15, 2008.

Is there a reason why Cisco hasn't published it yet?

Thanks,

Community Member

Re: Verifying the Correct Signature Updates, Management Software

Question Farrukh

I looked at the link for a few minutes and see that there are many types of engines which govern the inspection of many types of traffic.

The Master Engine seems however to govern most of them.. Is the Pending E2 engine a "Master Engine" ?...

thanks as always

Kevin

Re: Verifying the Correct Signature Updates, Management Software

No the E2 engine is just an add-on to the existing engine.

For example a new "Advanced HTTP engine" handling AJAX /XML /DHTML etc. could be included (this is just an example).

Regards

Farrukh

Cisco Employee

Re: Verifying the Correct Signature Updates, Management Software

Think of it this way.

The Engine level of the sensor is a collection of individual Signature Engines.

E1 was the collection of signatures that existed back at the end of 2006/ beginning of 2007.

Since then we have created New Signature Engines, as well as updates to the Engines from E1.

The E1 engines that have not changed, the E1 engines that did get changed, as well as the New Engines are all collected together and will now be released as E2.

So E2 is just a version designator for the next collection of Signature Engines.

267
Views
38
Helpful
27
Replies
CreatePlease to create content