Cisco IDS (formerly known as NetRanger) is a network-based intrusion detection system, which means that it monitors all traffic on a subnet and compares individual packets, or groups of packets, against known attack signatures in an attempt to identify illegal activity. Cisco IDS was one of the first to be supplied as a dedicated network appliance, with all the hardware and software necessary to get you up and running. The sensor appliance comes in four versions (rated from 200Mbps to a Gigabit), each running a heavily modified version of Red Hat Linux, hardened and complete with a familiar Cisco Command Line Interface (CLI) and customised packet drivers.

We tested the Gigabit-rated Cisco IDS-4250-XL. This is offered in a 1U chassis (a Dell PowerEdge server) with dual 1.26GHz Pentium III processors, 2GB of RAM, two auto-sensing 10/100/1000BaseT (RJ-45) Ethernet interfaces (one for monitoring) and a customised accelerator card that offloads some of the processing normally performed on the primary CPU of the host processor. The card provides on-board processing and deep packet inspection capabilities, enabling the 4250-XL to monitor at Gigabit rates.

Management of IDS Sensors is available via two products:

IDS Device Manager (IDM)
This is provided free with the sensor, and offers centralised web-based configuration. However, IDM is designed to manage only a single device at a time. It does not, for example, provide a means to distribute a single policy across multiple sensors.

CiscoWorks VPN/Security Management Solution (VMS)
This is the flagship product suite from Cisco that combines web-based applications for configuring, monitoring and troubleshooting Virtual Private Networks (VPNs), firewalls, and both network- and host-based IDS. It provides centralised management, configuration, policy deployment, alert handling and reporting for all IDS appliances across a corporate network.

Also available is Cisco Threat Response (CTR), which has been incorporated into Cisco's product line through the acquisition of Psionic Software. CTR uses a just-in-time investigation of the targeted host to determine whether the attack was successful.

Cisco has struggled in the past to produce enough functionality out of the box to make the product attractive in its own right without the use of third-party management and reporting tools. That may be about to change with the release of 4.0. The IDM and IEV (Intrusion Event Manager) have improved tremendously since the last release, and whilst they do not (and are not designed to) offer enterprise-class centralised management and monitoring capabilities for multiple sensors, they do provide the means to manage a limited number of sensors on a one-to-one basis, and do an excellent job of it.

CiscoWorks is where it steps up a gear into true centralised management, monitoring and reporting. Although there are still one or two enhancements we would like to see, the product shows real promise. As it stands, there is centralised policy management and deployment (still with some rough edges), real-time monitoring, forensic analysis and summary reporting - all from the same console. Signature editing, tuning and creation are well catered for, and the interface makes it simple to search for, and make changes to, large groups of signatures in one hit. A two-stage configuration generation and deployment feature makes it as safe as possible to work on policies without accidentally wiping out production sensors.
If something goes wrong, there is the ability to roll back to a previous configuration. We would like to see some further slight improvements in terms of signature search in the editor, the modification of signatures at a global, group or sensor level, and the ability to annotate alerts from within CiscoWorks. Some means of accessing older alerts that have been pruned from the database for complete forensic analysis would also be extremely useful, as would more extensive cross-sensor correlation capabilities.

Performance has been at the forefront of the designers' minds during the development of this latest release. Since our first look at the product as beta code in late 2002, things have improved even further. The recognition rate was excellent both in terms of absolute coverage and accuracy, with very few misidentified events or false positives. The tracking of open connections has been improved significantly for this release, although there is still some work to do on memory management to prevent failure of the sensor when pushed significantly beyond the supported connection limit of 500,000. Detection rates are also very high when handling 'normal' traffic - the use of the new Intel card should see the Cisco IDS scale to Gigabit speeds easily.

Bob Walder is a co-founder of the NSS Group.