New to IPS 4240 - What else can I use to manage it?

itsadmins
Level 1

I have just purchased a Cisco IPS 4240 and have it up and running. Have been using the IEV to view IPS information and that works ok. The VMS 2.2 that came included with the IPS will not work with the current Cisco works (LMS 2.5) installation that we have.

My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to manage/monitor my IPS? The IEV seems so limited.

I have downloaded the newer VMS from the Cisco site and am planning to test that this coming week, but wanted to know ahead of time if I needed to waste my time with this tool or not.

Thanks!

7 Replies

marcabal
Cisco Employee

The preferred viewer is quickly becoming: "Cisco Security Monitoring, Analysis and Response System"

Also known as "CS MARS".

Here is the data sheet:

http://www.cisco.com/en/US/products/ps6241/products_data_sheet0900aecd80272e64.html

It is an additional cost. It can monitor your IPS sensors, but the big advantage is the ability to monitor your other security devices (like firewalls) as well all from the same viewer.

Hopefully other Forum users will respond with their experience with MARS and/or other IPS alert viewers that they may be using.

Yeah... Marcoa is right. CS MARS can be used.. This is a new and really high end product.... I'm really not sure of the bugs on this product, but I think that the technical documentation on this product is less, when compared to products like VMS and IDM....

VMS will be best suited for your requirement, but I advise you to install the VMS on a separate server & not on the LMS 2.5 server. There are lots of issues when you put these together....

Hope this helps.. all the best...

Raj

We have a Mars50. It correlates all the event information from a number of devices to include the IPS 4240's. Unless I haven't found it yet, the sensors still need VMS to manage signature and service pack updates unless it's done manually via IDM.

Shane

The latest CSMARS release is promising and honestly the netforensics solution offered by Cisco probably wouldn't be a good fit for the OP, but I think Cisco needs to rethink pushing the MARS in lieu of everything else. As a previous customer of netforensics, and now a user of CSMARS...there are definitely many things that netforensics does better than CSMARS.

My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple examples:

The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.

The event contextual information is very often truncated. If you rely on this a great deal, the MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.

Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.

Matt

The irony of it all. The one big issue I had previously crossed off my list is back...frequent event collection failures. It's a known bug. How failing to collect security events can be considered a SEV 3 is beyond me. I think that speaks volumes about how Cisco really feels about security.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsb86941

How's that for a bug description? The best way I can describe this product is that it is just plain immature and unreliable.

mhellman
Level 7

You didn't say what version. Version 5 has a much better interface for monitoring and management. With a single sensor, I can't imagine using an external tool like VMS to manage/configure the device. It won't work nearly as well as using the interface provided on the device (even in v4 this was true).

If what you're really concerned about is monitoring (which is all IEV does), you have lots of options...there are plenty of security information management products that will fetch events from a Cisco sensor. Somebody mentioned MARS, which Cisco sells. Cisco also sells Netforensics, which is superior to MARS IMHO but a LOT more expensive, especially if you want correlation. Actually, VMS does a pretty good job of displaying events from sensors...It's one of the few redeeming qualities in the product;-) If that's all you're using it for then it might work well for you. There are even some Perl modules available which would allow you to collect events from a sensor.

itsadmins
Level 1

I want to thank you guys for answering my question. After reading your posts and researching based on these posts, I believe that the VMS route will be the way to go in my environment.

BTW, I am using v. 4.1 of the IPS.

Again, many thanks!
