Brief product description

The Cisco Secure IDS is a network-based IDS using a dedicated security appliance as the sensor. Sensors, which are high-speed security analysis devices, analyse packets traversing the network to determine if the traffic is authorised or malicious. If the data stream in a network exhibits unauthorised or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a secret research project code word, sensors can detect the policy violation in real time, terminate the offending session(s), and send alarms back to a central management console. The management console is a scalable software-based management system that centrally monitors the activity of multiple sensors, provides a visual alarm display, and acts as a remote system configuration utility.
Architecture

The appliance has one interface to promiscuously monitor the traffic and a second interface for communication to the NT-based Director control software, CSPM. (Director software running on HP/OV on Solaris or HP-UX is also available.)

At what layer of the protocol stack is the product working?

Up to layer 7.
Documentation

A User Guide manual is supplied in hard copy. All documents are supplied on CD-ROM and are also available on-line.
What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?

The basic requirements of the Director are Windows NT with Service Pack 6a, IE 5.0, 200MHz Pentium, 96MB RAM. Full details are at http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver22/install/overview.htm
What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?

The IDS sensor is packaged as a turnkey, plug-and-play security appliance. The complete hardware and software package is manufactured, tested, and supported by a single vendor.

What components are installed on a detector?

The Sensor comes with both the operating system and IDS application pre-loaded and configured. There is no need for the user to be aware of the OS.
Which network types are supported?

10/100 Ethernet.

Any specific recommendations for monitoring Gigabit networks with your product?

For very high speed IDS Cisco recommends the blade version of the product that works within the Catalyst 6500 switch. Multiple blades can be added to achieve Gigabit speeds.

Which OS platforms are actively monitored?

NT, Novell, Solaris.
Can sensors/detectors be deployed and configured initially from a central console?

No. During installation, the operator is required to enter six parameters on the appliance (e.g., IP address, mask, locator IDs, etc.). For security reasons, physical access to the appliance is required for initial configuration.

Once deployed and configured, can sensors/detectors be managed from a central console?

Yes. They can be remotely configured and updated from the Cisco Secure Policy Manager console (or other management options).
Authentication between console and engines: is it available? What algorithm/key lengths?

This can be achieved via external encryption routers/firewalls. All the data is UDP port 45000. Optional IPSec encryption is supported.
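The answer above leaves protection of the sensor-to-Director channel to the surrounding network devices. As an added illustration (not taken from Cisco's documentation), this is the shape of an IOS extended access list that admits only that UDP/45000 traffic from a sensor to its Director on the router interface facing the sensor. The addresses, list name and interface are assumptions, and this is a filter only; it is not the IPSec encryption the answer mentions, which would be configured separately.

```text
! Constructed addresses: sensor command interface 10.10.1.2, Director 10.10.1.1
ip access-list extended IDS-MGMT
 permit udp host 10.10.1.2 host 10.10.1.1 eq 45000
 deny   ip any any log
!
interface Ethernet0/0
 description sensor command interface
 ip access-group IDS-MGMT in
```

The mirror-image entry (Director to sensor, UDP/45000) belongs on the interface facing the Director; the `log` keyword on the deny line gives the operator a record of anything else that tries to reach the sensor's command interface.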
Secure logon for policy management?

Yes.

How are policies distributed to engines?

Policy is distributed to the Sensor via a control agent. Configurations for each managed Sensor are held and maintained in the central policy database. When the operator changes any parameter in the Sensor configuration, a new file is transferred to the Sensor. Standard policy templates can be concurrently applied to multiple Sensors in the policy domain.

How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?

If a change is made to an active policy on a Sensor(s), the central policy server will reapply the updated policy after confirming the action with the operator. There is a one-to-one or one-to-many mapping of policies to Sensors, so operator intervention is required.
How many attack signatures?

The Cisco Secure IDS ships with over 300 generic group signatures, each covering one or more specific signatures.

Can the administrator define custom attack signatures?

Administrators can add custom string match signatures on any port.

How are new attack signatures obtained and deployed?

The updated signatures are obtained via our website. You can subscribe and receive an email when a new signature update is posted.

Frequency of signature updates? Provide dates of all updates in the last year.

Approximately every 60 days: 2.2.1.2 on Dec/99; 2.2.1.3 on Mar/00; 2.2.1.4 on Apr/00; 2.2.1.5 (including IP fragmentation reassembly support and anti-IDS whisker support) on Aug/00. This release, 2.5.0.102, on Oct/00.

What infrastructure do you have behind the signature update process?

We have a dedicated team of engineers working on all aspects of IDS, scanning and Security Posture Assessment.
Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?

Once the Director management station has the new signature set it downloads it to all the Sensors.

Can signature updates be scheduled and fully automated?

It is important that the network operators know that a new signature set is deployed; updates are invoked manually from the central Director.
What network protocols are analysed?

The Cisco Secure Intrusion Detection System can monitor all of the major TCP/IP protocols, including IP, Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP). It can also statefully decode application-layer protocols such as FTP, Simple Mail Transfer Protocol (SMTP), HTTP, Domain Name System (DNS), remote procedure call (RPC), NetBIOS, NNTP and Telnet.

What application-level protocols are analysed?

n/a

Can the product perform protocol decodes?

No
Can the product perform session recording on suspect sessions?

Yes

Block/tear down session?

Both TCP reset (sent to attacker and attacked host) and/or reconfiguration of an Access Control List on a router are optional and can be configured on a per signature basis.
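The two responses named in the answer above, spelled out as an added example (this is not Cisco's code and does not show how the product chooses a response per signature). From one observed segment of a session a signature has fired on, it builds the pair of TCP RST segments a sensor injects, one towards each endpoint, each spoofing the other, and renders the IOS extended-ACL line that would be pushed to a router to shun the attacker. Addresses, ports, sequence numbers and the ACL number are constructed; only the TCP header is built, and the IP header and raw-socket injection are left out.

```python
"""Added example, not Cisco's code: TCP reset pair and router ACL line for one
observed segment of a suspect session. Sample values are constructed."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass(frozen=True)
class Observed:
    """Header fields of one segment the sensor saw, attacker -> target."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int          # sequence number of the observed segment
    ack: int          # acknowledgement number it carried
    payload_len: int  # TCP payload bytes, which advance the attacker's seq


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_rst(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
              seq: int, ack: int) -> bytes:
    """20-byte TCP header, flags RST|ACK, zero window, correct checksum."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port,
                         seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                         5 << 4,             # data offset: 5 words, no options
                         TCP_RST | TCP_ACK,  # flags
                         0, 0, 0)            # window, checksum placeholder, urgent ptr
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def reset_pair(seg: Observed) -> Tuple[bytes, bytes]:
    """RSTs for both endpoints of the observed session.

    A receiver only honours a RST whose seq lies in its window, so each one is
    aimed at what that endpoint expects next: the target expects
    seg.seq + payload_len from the attacker, the attacker expects seg.ack from
    the target. The sensor races the real endpoints; a reset that is already
    out of window when it arrives is silently dropped."""
    next_from_attacker = (seg.seq + seg.payload_len) & 0xFFFFFFFF
    to_target = build_rst(seg.src_ip, seg.dst_ip, seg.src_port, seg.dst_port,
                          next_from_attacker, seg.ack)
    to_attacker = build_rst(seg.dst_ip, seg.src_ip, seg.dst_port, seg.src_port,
                            seg.ack, next_from_attacker)
    return to_target, to_attacker


def parse_tcp_header(raw: bytes) -> Dict[str, int]:
    """Decode the fixed 20-byte header, to inspect what build_rst produced."""
    fields = struct.unpack("!HHIIBBHHH", raw[:20])
    names = ("src_port", "dst_port", "seq", "ack", "offset", "flags",
             "window", "checksum", "urgent")
    return dict(zip(names, fields))


def checksum_ok(src_ip: str, dst_ip: str, raw: bytes) -> bool:
    """A header verified with its checksum in place must sum to zero."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(raw)) + raw) == 0


def shun_acl_line(seg: Observed, acl_number: int = 199) -> str:
    """IOS extended-ACL entry blocking the attacker host. The list number and
    the choice to block the host outright are assumptions for this example."""
    return f"access-list {acl_number} deny ip host {seg.src_ip} any"


if __name__ == "__main__":
    # Constructed sample: attacker 192.0.2.10:40000 -> FTP on 198.51.100.20:21
    seen = Observed("192.0.2.10", "198.51.100.20", 40000, 21,
                    seq=1000, ack=5000, payload_len=100)
    for label, pkt in zip(("to target", "to attacker"), reset_pair(seen)):
        print(label, parse_tcp_header(pkt))
    print(shun_acl_line(seen))
```

The reset aimed at the target reuses the attacker's own address and next sequence number, the one aimed at the attacker reuses the target's address and the attacker's acknowledgement number; both carry ACK so that hosts which validate the ack field accept them. The ACL line is the coarse alternative: it survives the race, but also blocks the source for everything, so a spoofed attack can turn it into a denial of service against a legitimate host.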
Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server)?

No, but you can look for a specific string (e.g. the banner) from an FTP server.

Monitor changes in critical system files?

No

Monitor changes in user-defined files?

No

Monitor changes in Registry?

No

Monitor unauthorised access to files?

No

Monitor administrator activity (creation of new users, etc)?

Yes

Monitor excessive failed logins?

No

List any other resources/locations that are monitored.

n/a

Track successful logins, monitoring subsequent file activity, etc?

No

Detect network-level packet based attacks?

Yes
Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?

Yes
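What separates the four scan types in the question, as an added example rather than anything from the page or from Cisco: a network sensor only has per-packet header data to go on, so each technique is recognised by the flag pattern of the prober's own packets, and a threshold on distinct destination ports per source turns the probes into an alarm. The packet records, the threshold and the time window are all constructed for this example.

```python
"""Added example, not Cisco's code: classify probe flows into full-connect,
SYN-stealth, FIN-stealth and UDP scans, and raise an alarm on a port-count
threshold. All packets below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: int = 0  # TCP flags; ignored for udp


def classify_flow(pkts: List[Pkt]) -> str:
    """Label one unidirectional flow (same 5-tuple, packets from the prober)."""
    if pkts[0].proto == "udp":
        return "udp"
    flags = [p.flags for p in pkts]
    saw_syn = any(f & SYN and not f & ACK for f in flags)  # bare SYN
    saw_ack = any(f & ACK and not f & SYN for f in flags)  # e.g. 3rd handshake step
    bare_fin = any(f == FIN for f in flags)                 # FIN with no connection
    if saw_syn and saw_ack:
        return "connect"  # handshake completed: full connect scan or real client
    if saw_syn:
        return "syn"      # SYN never followed up: half-open (stealth) scan
    if bare_fin:
        return "fin"      # FIN to an unknown connection: FIN stealth scan
    return "other"        # replies (SYN|ACK, RST|ACK) and mid-stream traffic


def detect_scans(pkts: List[Pkt], threshold: int = 5, window: float = 10.0) -> List[Dict]:
    """Alarm when one source probes >= threshold distinct ports on one target
    with the same technique inside `window` seconds."""
    flows: Dict[Tuple, List[Pkt]] = defaultdict(list)
    for p in pkts:
        flows[(p.proto, p.src, p.dst, p.sport, p.dport)].append(p)

    # (src, dst, kind) -> {dport: time first probed}
    probes: Dict[Tuple[str, str, str], Dict[int, float]] = defaultdict(dict)
    for (_, src, dst, _, dport), fl in flows.items():
        kind = classify_flow(fl)
        if kind == "other":
            continue
        first = min(p.ts for p in fl)
        seen = probes[(src, dst, kind)]
        seen[dport] = min(first, seen.get(dport, first))

    alarms = []
    for (src, dst, kind), seen in sorted(probes.items()):
        times = sorted(seen.values())
        # slide over probe times; alarm if `threshold` of them fit in the window
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alarms.append({"src": src, "dst": dst, "kind": kind,
                               "ports": sorted(seen)})
                break
    return alarms


TARGET = "10.0.0.9"  # constructed scan target


def _scan(src: str, ports: List[int], t0: float, sport0: int,
          proto: str = "tcp", flags: int = 0, complete: bool = False) -> List[Pkt]:
    """Constructed probe series: one packet per port, 100 ms apart."""
    out = []
    for i, port in enumerate(ports):
        ts = t0 + 0.1 * i
        out.append(Pkt(ts, proto, src, TARGET, sport0 + i, port, flags))
        if complete:  # third step of the handshake, sent by the prober
            out.append(Pkt(ts + 0.02, proto, src, TARGET, sport0 + i, port, ACK))
    return out


COMMON = [21, 22, 23, 25, 80]
SAMPLE = (
    _scan("10.0.0.5", COMMON, 0.0, 40000, flags=SYN)                      # SYN stealth
    + [Pkt(0.01 + 0.1 * i, "tcp", TARGET, "10.0.0.5", p, 40000 + i, RST | ACK)
       for i, p in enumerate(COMMON)]                                      # closed-port replies
    + _scan("10.0.0.6", COMMON, 1.0, 41000, flags=SYN, complete=True)     # full connect
    + _scan("10.0.0.7", COMMON + [443], 2.0, 42000, flags=FIN)            # FIN stealth
    + _scan("10.0.0.8", [53, 111, 137, 161, 500], 3.0, 43000, proto="udp")  # UDP
    + _scan("10.0.0.20", [80], 4.0, 50000, flags=SYN, complete=True)      # one real client
)

if __name__ == "__main__":
    for alarm in detect_scans(SAMPLE):
        print(alarm)
```

The single genuine client (10.0.0.20) classifies as "connect" just like the full-connect scanner, which is why the decision rests on the count of distinct ports inside the window and not on the flag pattern alone; a scanner that spreads its probes over more than the window defeats this particular threshold, which is the trade-off any such detector tunes.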
Detect and report on nmap OS fingerprinting?

Yes

Perform packet reassembly? Resistance to known IDS evasion techniques?

Yes
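What "resistance to known IDS evasion techniques" amounts to for an HTTP signature, as an added example that is not part of the original page or of Cisco's product (it also illustrates the "anti-IDS whisker support" listed in the 2.2.1.5 release above). The request lines are constructed to exercise the URL obfuscations the whisker scanner popularised: percent encoding, self-referencing directories, traversal, tab separation, case changes, doubled slashes, backslashes and the "premature URL ending" trick. A naive substring match on the raw request line misses most of them; matching against a normalised URI catches them all. The signature set is a toy, and folding case assumes a case-insensitive target such as IIS.

```python
"""Added example, not Cisco's code: HTTP request normalisation against
whisker-style evasions, with a naive matcher for comparison. Request lines
and signatures are constructed."""
import posixpath
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed signatures: name -> path the attack request must contain
SIGNATURES: Dict[str, str] = {
    "phf": "/cgi-bin/phf",
    "test-cgi": "/cgi-bin/test-cgi",
}


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split on any whitespace run, so tab separation is handled like space.
    Splitting happens BEFORE decoding: an encoded space (%20) inside the URI
    must not be allowed to end the URI early."""
    parts = line.split()
    method = parts[0] if parts else ""
    uri = parts[1] if len(parts) > 1 else ""
    version = parts[2] if len(parts) > 2 else ""
    return method, uri, version


def normalize_uri(uri: str) -> str:
    """Canonical path, resolved the way the target server would resolve it."""
    path = uri.split("?", 1)[0]       # drop the query string
    path = unquote(path)              # one decoding pass, like a server; not two
    path = path.replace("\\", "/")    # Windows-style delimiter
    path = re.sub(r"/+", "/", path)   # // -> /
    path = posixpath.normpath(path)   # removes /./ and resolves /../
    return path.lower()               # case folding for case-insensitive servers


def naive_match(line: str) -> List[str]:
    """What a plain string-match signature sees: the raw request line."""
    return [name for name, pat in SIGNATURES.items() if pat in line]


def match_request(line: str) -> List[str]:
    """Signature match on the normalised URI instead of the raw bytes."""
    _, uri, _ = parse_request_line(line)
    norm = normalize_uri(uri)
    return [name for name, pat in SIGNATURES.items() if pat in norm]


def naive_misses(lines: List[str]) -> int:
    """How many of the given request lines the raw matcher fails to flag."""
    return sum(1 for line in lines if not naive_match(line))


# Constructed request lines, each a whisker-style variant of the same probe
EVASIONS = [
    "GET /cgi-bin/phf HTTP/1.0",                    # plain
    "GET /cgi-bin/%70%68%66 HTTP/1.0",              # URL encoding
    "GET /cgi-bin/./phf HTTP/1.0",                  # self-referencing directory
    "GET /cgi-bin/foo/../phf HTTP/1.0",             # directory traversal
    "GET\t/CGI-BIN/PHF\tHTTP/1.0",                  # tab separation + case
    "GET /cgi-bin//phf HTTP/1.0",                   # multiple slashes
    "GET /%20HTTP/1.0%0d%0a/cgi-bin/phf HTTP/1.0",  # premature URL ending
    "GET /cgi-bin\\phf HTTP/1.0",                   # Windows delimiter
]

if __name__ == "__main__":
    for line in EVASIONS:
        print(f"{line!r:50} naive={naive_match(line)!s:9} "
              f"normalised={match_request(line)}")
```

Two details carry the weight: the request line is tokenised before percent-decoding (otherwise the decoded space in the "premature URL ending" variant makes the URI look like "/"), and decoding runs exactly once, because a detector that decodes more often than the server it protects is simply wrong in the other direction. Reassembling fragments and TCP segments before this step is what makes the normaliser see the same request the server does.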
Reconfigure firewall? If so, which firewall(s) and how?

No, but in the current release ACLs can be added to Cisco IOS Firewall, just as they can to Cisco routers. In a future release ACLs can be added to the Cisco Secure PIX Firewall.

Option to record everything for forensic investigation? Where is this data stored? How is it secured from tampering?

Optionally on both the hard drive in the Sensor and in the Director; physical security is assumed.
Reporting from engine to console: range of action/alert options (detail these).

Alert and/or log and/or TCP reset and/or reconfigure router ACL.

What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?

Data is stored on the hard drive on the Sensor.

Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?

All events go to the screen in real time. Filters can be applied on each signature and can also be based on source IP address.

Does the software offer advice on preventative action to ensure the attack does not happen again?

There is a configurable on-line HTML database. Apart from full details about each signature there is a section which can be customised so that a user knows exactly what to do with any particular signature.
Integration with other scanning/IDS products?

Cisco has integrated host-based data using a third party management console. Integration of our scanning product is planned.

Log file maintenance: automatic rotation, archiving, reporting from archived logs, etc.

Archival and purging can be scheduled via the browser.
Management reporting: range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?

Reporting for the Cisco IDS is provided through third-party applications like netForensics and TeleMate.Net.

Report management: can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?

See above.

What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detect

See above.
How is it licensed? How is the license enforced?

There are no licensing restrictions on the Sensor. The Director has no restrictions except the Lite version, which is restricted to managing three devices (Sensors, Cisco IOS Firewall routers or Cisco Secure PIX Firewalls).

End user pricing information

Sensor 4210: $8,000
Sensor 4230: $19,000
List price of CSPM Lite (3 devices): $2,000 [full CSPM: $14,995]
End user price of netForensics Workgroup software: from $14,995 for 5 devices

Ongoing cost of maintenance/updates

Annual list price of SMARTnet for 4210: from $1,656. Annual list price of CSPM Software Application Support: $400 [full CSPM: $3,000]. Annual end user price of netForensics software subscription: from $1,500.