Cisco IDS Management Options, please help

msmitha
Level 1

I need to deploy two CSIDS network probes now with a possibility of adding up to 20 more. To start with, I don't want to build a central CSIDS management system. I would prefer to go with just the network probes for now and manage them using the web interfaces. When I add more network probes, can I build the central CSIDS management system and get all the probes to report to the central system? If yes, what are my options? Are there any considerations I need to know about right now? Please help. Thanks.

robertcrabbe
Level 1

There are two things you need to be concerned with: managing alerts and managing the sensors.

You can manage the sensors with the IDS Device Manager. You cannot manage the alerts with the IDS device manager.

You can manage the alerts with the IDS Event Viewer or with VMS Security Monitor. IDS Event Viewer is free. In your case, I would recommend using the IDS Event Viewer until you're ready to purchase VMS.

Alternatively, you can manage the sensors by telnetting to them and running commands, by using the menu, or by editing files if you know Solaris/UNIX pretty well.

In fact, you will need to do the initial setup with the menu if I remember correctly, but this doesn't involve much more than giving the command and control interface an IP address.

First, thanks for the quick post.

If I deploy 2 sensors right now using the IDS DM and IDS EV only or using CLI methods and decide to go with the VMS solution later, would that involve re-imaging or re-installation on the sensors? Or would it be a simple setting on the sensors to forward events and receive policy changes and config info from the VMS box? In other words, how easy is it to add the VMS to the setup?

Thanks.

It is very easy to add VMS to the setup. You do not have to re-image or re-install the sensors. On the sensor side, it only involves setting up the sensors to forward events to the VMS box. On the VMS side, it involves setting up the VMS box to receive events from and manage the sensors.

If your IDS Event Viewer box is the same as your VMS box, then you won't need to make any changes on your sensors - that is, assuming the IP address and hostname are the same for both boxes.

It's even easier to upgrade to VMS when using 4.0 sensors. You probably won't need to do anything on the sensors other than allow the VMS system to talk to the sensor's IP address. With 4.0, the sensors don't push information to a mgmt. console. The mgmt. console subscribes to the sensor and pulls the information, so almost all of the command & control configuration setup occurs on the mgmt. side.

My understanding is that we have the VMS option or using the IDS DM and IDS EV and maybe with or without some unix utilities.

For Ver 4.x, does Cisco support the Unix Director or the CSPM?

CSPM and Unix Director do not support Version 4.x sensors.

Enterprise users will need to upgrade to VMS ( IDS Management Center and Security Monitor ) when they upgrade to version 4.x sensors.

Is VMS scalable to this size deployment? Is there a msg/second or device # limitation???

Hi Cheri,

The VMS is quite scalable. Security Monitor can sustain up to 500 alarms/sec for IDS, 200 syslog/sec and the MCs can handle up to 300 devices.

Hope this helps you.

Thanks,

yatin
