It has been four months since the last IPS update for the SA500 series. The threat environment has changed drastically. Our ASA IPS modules have gone through dozens of updates, but the SA500 Series routers we bought IPS subscriptions for in December of 2011 have received zero updates. Has the IPS product been EOL'd on the SA500s? I thought it was odd when the SA500 IPS wasn't updated for a major compromise regarding the Microsoft RDP exploit.
Maybe the IPS signatures are under a review similar to what was done on the enterprise side regarding retirement of older signatures over the past few months, but we would appreciate some information about the status of the Small Business signature/engine updates.
Ironically, one of the key reasons we upgraded to a contract-based Small Business Pro IPS product from our Small Business WRVS4400N was because Cisco stopped updating the signatures on it.
Any information would be appreciated.
Any information that a Cisco employee forum member could provide would be appreciated.
I have started having second thoughts about the entire IPS/IDS idea on the Small Business products... If the IPS signature subscription provides only protection against exploits that were solved via software updates months before the IPS signature update is even released, what is the value-add in an age of auto-updating Windows 7 and Java? At least on the enterprise line, sometimes we get a head start with the IPS signatures before a software update is released by the vendor. Not complaining, just asking for my own education.
Thanks in advance for any informative responses.
We have the same concerns. Between the costs ($ for maintenance/licensing, extensive CPU and RAM use, loss of throughput, etc) and lack of benefits (some of the same reasons you mentioned above) we have decided to turn off IPS.
We have entertained the idea of asking for a refund (we bought a 3 year license), but I have requested that a project manager address these concerns here on the forum before doing so. Frankly, the current IPS implementation is rough enough in the SA500 Series routers without adding the lack of current/regular signature updates into the mix.
I think we can safely assume that the reason we haven't seen any IPS updates is because of the slew of new small business products that were just launched. Access points, RV routers, SPA IP phones... how about supporting the products already in the market?
I have considered shutting off the IPS on the SA500 as well. Did you have a broadband connection with enough bandwidth to show a difference in performance? Our SA500 with IPS enabled currently pulls down 31 Mbps and uploads 3-ish, whereas our WRVS4400N WAN with IPS enabled could only pull down 21-ish tops. I am curious where the line exists with the SA500 with regard to max bandwidth versus IPS (I am guessing the WAN on the SA500 with IPS enabled tops out in the 40 Mbps realm) but would love a real-world result. If you are running an SA540, you would likely have higher numbers than our SA520s as well.
We have a 30 Mbps down, 5 Mbps up connection with TimeWarner Cable.
With IPS enabled our SA540 can only achieve ~22 Mbps download speeds. With it turned off we consistently get 30 Mbps.
Our configurations must be different from your SA520's. I wonder what we are using that is causing the major slowdown?
Perhaps there are newer hardware versions of the SA500 Series routers? Our SA540 is an early version. Although we just bought it a couple months ago, I distinctly remember the label on the box (from Cisco to the reseller) was very old.
Our unit has 256 MB of RAM, a 500 GHz CPU, and I believe 64 MB of Flash RAM.
Here is my SA500's report on memory:
Total Memory: 233584 KB
Used Memory: 177204 KB
Free Memory: 56380 KB
Cached Memory: 71480 KB
Buffer Memory: 10908 KB
Wasn't your SA540 supposed to have more WAN bandwidth than our SA520s...? Maybe the difference is in the metric I used to measure our WAN speed capability with ProtectLink and IPS enabled (I used speedtest.net and have never researched how they come to their numbers).
We only use ProtectLink to block the advertising and malware categories. We do, however, have every signature of the dubious IPS enabled. SSL VPN/remote management is also disabled. Another thing that might have a major impact is that we have very few custom ACL/firewall rules and run with IPv6 disabled.
That's interesting. We don't even use any of the ProtectLink functionality.
We have 99% of the IPS signatures enabled. We found a few of them to be too sensitive.
We use both SSL and IPsec VPN functionality. We have two policies set up... one that's compatible with iPad, iPhone, Macs, and Cisco VPN Client... and another that is compatible with IPSecuritas (Macs only).
We have no custom ACL/firewall rules and IPv6 is disabled.
Based on the debug output, I think the SA500 Series routers are equipped with dual-core CPUs. Perhaps the second core is *turned on* when ProtectLink is turned on?
Here's our current memory usage. Remember, IPS is now turned off.
Total Memory: 233584 KB
Used Memory: 137492 KB
Free Memory: 96092 KB
Cached Memory: 64036 KB
Buffer Memory: 9592 KB
It has now been almost six months since the last IPS update for the SA500.
This is the first time I have been truly disappointed with a Cisco SMB service. No word/response on the forum. Is the IPS service dead? Does Cisco SMB have a plan for reimbursing businesses that purchased the IPS contract for the device?
We just bought an SA540 and were really disappointed with the signature updates being so old. We are actually considering returning our Cisco product and going with SonicWall. At least they update their signatures more often.
Cisco hasn't waited this long between IPS signature updates before. I am beginning to wonder if this device is nearing EOL?
I hope not. When I bought it, EOL wasn't mentioned by either CDW or Cisco reps. I created a support ticket for IPS updates. I will keep you guys informed of its status.
I am beginning to wonder if the next firmware Cisco releases for the SA500 series routers will be using a different type of IPS engine, and therefore the signatures will be in a different format. Maybe it's just wishful thinking on my part, but since we haven't seen any EOL announcements, they may be working on another major maintenance firmware release... as in 3.x.x... with more sophisticated IPS signatures?
It only makes sense. They should try to integrate the signatures they produce for their Enterprise routers into the SA500 Series routers. That way they wouldn't have to work on two separate types of signatures.
I wish someone in the know (like the Project Manager) would chime in. We purchased a 3 year IPS contract and since then there have been no updates at all. That is kinda sad.
This has become a great example of the failure of Cisco in the Small Business arena. I am guessing it is a matter of a lack of dedicated engineering resources to the small business division.
Just a heads up, but it "seems" like Cisco is about to abandon small business in the Enterprise IPS product line as well. They stopped updating the ASA5505 SSC-5 IPS firmware and capabilities in July of last year (right when we bought ours!!!). It still uses the same IPS signatures as the 5510+, but the writing is on the wall. No global correlation, no un-retiring of signatures, no custom signatures, no anomaly detection, etc., and they just announced ASA-CX, which won't happen on the current ASA5505... I am really starting to feel like I wasted thousands of dollars based on Cisco's reputation, which apparently only applies at the big enterprise level. One look at Palo Alto's or SonicWall's UTM features at the same price point really shows what a bad cost vs. benefit analysis I did. In fairness to my decision, I also based the final decision on Cisco's support reputation...
Regardless of the above Enterprise issues, Cisco Small Business sold us these three-year contracts last December, and now they haven't updated the IPS in 8 months. In fact, we have received ZERO IPS updates since our purchase. No update after the Microsoft RDP issue, and now no update after the Microsoft Update certificate compromise, aka Flame. Since one of the real values of IPS is defending against threats that require patches that may not exist or may not have been applied yet, an outdated IPS is almost useless for anything but detecting scanning/recon against your network.
At this point, without a response from Cisco in the near future, I plan to take my valuable time and use it to post a lengthy but factually based review of their SA series security routers on the major vendor websites. I think one could appropriately describe the SA500 series as abandoned/EOL'd without a notice. I think the IPS contract situation may be a Better Business Bureau complaint at a minimum, but I will attempt to give Cisco a chance to address this with the community first. The only "service" that we purchased for the SAs that is still current is Trend Micro's ProtectLink...
The hardware is solid, and this device has/had so much more potential.
I am very disappointed.
Thanks for updating the threads to let us know about the IPS signature update release. I couldn't find release notes to go with the release. I installed the update on one of our SA500s and noticed that there are several new, 2012-dated signatures. All of them are disabled (I assume by default?), but when I click on them to read the cisco.com SBIPS descriptions I get page-not-found errors. Is it an issue on my end, or do you see the same thing? Would be nice to enable these new signatures, once I know what they are...
All of the new signatures were disabled by default for our SA540 as well. I assume that some of the existing signatures may have been updated, but if they were, the signatures were kept enabled.
I see the same thing on our end when we click on the signatures. We decided to deploy the new signatures and enable them all today, even without knowing their descriptions.
I'll let you know if we see anything weird in our syslogs over the next few days.
All of the links for the new IPS signatures are still broken.
Cisco, please update the links for the IPS signature descriptions!
It has been over a month and the links are still broken. Cisco, we still have no idea what the new signatures are. I have had them hit positively and I have zero idea what it means...
That sucks... I'd just disable those new signatures before they stop anyone from accessing anything and you won't have any idea why it's happening. What's worse than having no IPS? Not knowing what your IPS is doing.
We have enabled all of the new IPS signatures and haven't hit any of them yet. I agree though, we need descriptions ASAP.
New firmware is scheduled to release in the 3rd week of September and is currently going through regression testing. A beta might be available earlier.
Thanks for the update on the next firmware release.
I take it the links associated with the new (and possibly existing) IPS signatures will be part of the firmware release?
We are currently running the latest beta firmware (22.214.171.124_1) for the SA540, and the links are still broken. I take it that the underlying links associated with each signature either need to change (which would require a new IPS signature file) or Cisco just needs to build the actual website pages.
Here is an example:
That link comes from the IPS signature file itself. In other words, the link is not embedded into the firmware.
Firmware 126.96.36.199 has been released but the IPS signature links are still broken. When should we expect new IPS signatures with links that work?
October 9th, and there are still no updates related to the new firmware. Are the high memory usage issues fixed in this release? I have to reboot my SA520W every few weeks in order to free the memory. Coming from Netgear ProSafe products, I never experienced these issues before. So far, I own an SA520W router and an SG300-10 switch. The insane memory usage does not help Cisco's solid reputation. I would appreciate some feedback from the Cisco technical engineers.