I am working today at a Client Site where, several months ago, I installed a Cisco IPS 4240 Sensor. The Sensor is currently running Version 6.0(3)E1.
I am not certain how to proceed with respect to signature updates on this box.
Under signature definition, it lists the following:
Signature Update S291.0 2007-06-18
I have noticed on the Security Software Page for IPS that the latest Signature File is S336. Should I install this on the IPS? In order to perform this, will it take down the IPS unit?
Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM to Configure/Monitor and IEV to Alarm on certain Events. What are IME, IPC MC, and ICS, and how are they different from IDM and IEV?
Both OS patches and signature updates have the potential to disrupt service passing through the sensor when used in the in-line IPS mode. You should update the OS to 6.0(4) and then apply the latest signature update, but you could skip the OS patch and just update the signature pack if you don't require any of the fixes 6.0(4) provides.
I would highly recommend updating the sensor OS to 6.0(4), as the upcoming Engine2 (E2) update will only support this version, as far as I can recall. This will require a reboot (so downtime for sure).
The signature update does not require a reboot, and to my knowledge if the sensor is configured with the default 'software bypass' settings, the sensing engine will just pass all traffic un-scanned while the signature is being installed (takes 1-2 minutes only).
A valid license file needs to be present though, otherwise the signature will install, and then un-install itself, pretty annoying :)
Is there any reason why I would not go ahead and upgrade the Sensor to 6.1.1 vs. the 6.0.4?
Seems 6.1.1 is the latest published release on the Download Center...
Yes that would be much better, as then you can enjoy the benefits of the IPS Manager Express (IME).
I think there are some issues with MARS support on the 6.1.x, so I did not do that on our customer networks as of yet. I think this is planned for August or something. Other features include auto-updates for signatures from cisco.com.
If you are using CSM for sensor management, then you would need to stay at 6.0 until 6.1 support is added into CSM.
Choosing between 6.0 and 6.1 is generally just a personal choice.
6.0 has been in the field longer and any issues with 6.0 are more well known.
6.1, on the other hand, is still fairly new, and as with any new code, it has not yet been put through the wringer the way 6.0 has been.
If stability is number one priority then stay with 6.0.
If new features are your priority then go to 6.1.
I am using IDM right now. Any issues with moving from 6.0(3) to 6.0(4) as the first post reply had recommended?
Nope, there should be no issues there. Even yesterday they announced the release date for the E2 update (June 15th). So be ready for that too :).
No problem at all :). Engine 2 update = E2.
Have a look at this:
In the recent Cisco Bulletin, it stated that the E2 engine update will be available by June 15, 2008.
Is there a reason why Cisco hasn't published it yet?
I looked at the link for a few minutes and see that there are many types of engines which govern the inspection of many types of traffic.
The Master Engine seems, however, to govern most of them. Is the pending E2 engine a "Master Engine"?
Thanks as always.
No, the E2 engine is just an add-on to the existing engine.
For example a new "Advanced HTTP engine" handling AJAX /XML /DHTML etc. could be included (this is just an example).
Think of it this way.
The Engine level of the sensor is a collection of individual Signature Engines.
E1 was the collection of signature engines that existed back at the end of 2006/beginning of 2007.
Since then we have created New Signature Engines, as well as updates to the Engines from E1.
The E1 engines that have not changed, the E1 engines that did get changed, as well as the New Engines are all collected together and will now be released as E2.
So E2 is just a version designator for the next collection of Signature Engines.