We have installed an IPS 4215 with VMS 2.3.
Since upgrading to ver 6 of IPS I lost some functionality of the Management Console. Could not re-import the IPS sensor.
I have since found out that ver 6 is no longer supported with MC and we need to upgrade to CSM 3.1. That is not too bad but now VMS has gone altogether from the server (after installing CSM 3.1) and we have no reporting at all. I see the only solution to this is to purchase MARS, a very large cost for only one PIX and one IPS sensor.
My questions are:
Why should we upgrade to ver 6, how long is ver 5 going to be supported?
Is there any other way I can get some reporting or monitoring other than MARS? We could use syslog but that is not very functional.
It's not a good idea to try and run VMS on a server with anything else. VMS is slow enough without having another application competing for resources.
"Why should we upgrade to ver 6, how long is ver 5 going to be supported?"
It sounds like maybe you shouldn't. The v6 software offers some new functionality, most promising IMHO is passive OS detection and anomaly detection.
As you already noted in another post, you can use the IEV software to monitor events. It looks very similar to the VMS event viewer.
In addition to MARS and IEV already discussed, there are other third party tools that can access the SDEE and RDEP output from the Cisco IDS devices and do correlation.
I'm not sure of the appropriateness of discussing them here, so won't go into detail... but it should be acceptable to just note that they do exist; email me if you want to know some more about some of the ones we have looked at.
There is no official word from Cisco on the End of Life date of 5.x, but typically, Cisco will keep 5.x alive for 18 months after releasing 6.x. Since 6.x was released in November, most folks are planning to be forced into a 6.x migration sometime around May 2008. 5.x will still work after that date, like 4.x and 3.x still do, but Cisco will stop producing signature updates for that version.
As for your question about IPS ver 5 support.
IPS ver 5.1 will continue to be signature update supported until at least June of 2008.
And it will likely be longer than even that.
The official end date of signature update support will not be determined until an official End Of Sale announcement is made, and that has not happened as of yet.
So you can stay with 5.1 for quite a bit longer if you like.
Others have already posted some of the available options for configuration and monitoring.
One option that was not mentioned is to re-install VMS and use the Security Monitor within VMS to do your monitoring. Security Monitor will still work with IPS 6.0. It is just the IPS Management Center of VMS that cannot configure an IPS 6.0 sensor.
For configuration you could then either install CSM 3.1 on a separate box, or since you only have one sensor just use IDM for managing the sensor configuration.
Back in December you responded to a post on this topic with the following information, "SecMon monitoring an IPS version 6.0 was tested. The existing SecMon version can monitor IPS 6.0, but will only show the fields in the alerts that existed in IPS 5.1. SecMon will not show the new fields that are only seen in IPS 6.0."
Does this caveat still hold true? Thanks for your continued support.
It was also tested with IPS 6.0(2)E1 as well, and the same still holds true.
SecMon can monitor it, but only shows the alert fields that were available in 5.1 sensors.