02-22-2005 11:28 PM - edited 03-10-2019 01:17 AM
How can I set up automatic updates on my IDS MC? I want the software to download the newest updates with automatic update implementation to the sensor.
02-23-2005 07:53 AM
Not available yet. Hopefully they will implement this soon!
02-23-2005 09:19 AM
There are a few issues that I would have with IDSMC auto-updating.
First, updates for IDSMC are released in two flavours: application updates and sensor (aka signature) updates. Given this, which one would you want IDSMC to perform "automagically" without any intervention? Assuming that it's the sensor updates you want to automate, there's now an issue of defining just how "automatic" you want it to be.
Sensor updates are distributed from the Cisco web site (http://www.cisco.com/cgi-bin/tablebuild.pl/idsmc-ids4-sigup) in ZIP format. Do you just want IDSMC to find a new sensor release and download it automatically or do you want IDSMC to deploy it to the sensors automatically as well?
Automating the deployment of signature updates, in my mind anyway, is not a very good idea. This is primarily due to the fact that you'll end up with a signature update in place with no prior opportunity to gauge its impact on your IDS, your alert monitoring solution (be it Secmon or a SIMS) or the personnel receiving these alarms. The manual process at least gives you an opportunity to consider the necessity of the signature deployment and lets you decide if you really need it now or if it can wait until the next release. If necessary, you then can give a heads up to anyone impacted by the configuration change. If you're in an environment where change management tracking and update testing are required prior to production deployment, automatic updates are useless.
As for IDSMC application updates, that too is something that I would want an opportunity to review and possibly test before I put it into production, but I digress.
Additionally, there's the whole issue of the impact on your infrastructure should you allow auto-updates. There are bandwidth (first, the initial download of the signature and then its subsequent deployment to your IDS grid) and sensor availability considerations to keep in mind. Most organisations mandate that major updates where bandwidth will be impacted take place off-peak. Also, the sensor isn't monitoring when it's being updated. The lack of coverage imposed by a sensor update is something that should be scheduled and signed off on by the appropriate management to avoid problems (both operational and administrative).
In any case, the biggest negative I see is the additional overhead and potential performance impact on IDSMC itself should something like this be added to the code.
Of course, this is all just my 2 cents.
Alex Arndt
03-17-2005 10:12 AM
Alex,
I agree with you in theory, but I have to say that in practice I would much rather have the ability than not. An IDS or IPS device is only as good as the signatures it's able to see. Without the one you need, how much is it really helping you?
Also, although we are looking at two separate things, a good comparison would be virus signature updates for your virus protection software. Sure, you can test each signature update as it comes out in your lab before updating the clients. But as the time between vulnerabilities and exploits for them continues to lessen, it only makes sense to give us a quicker way to ensure our networks are protected.
Auto-updating, or some means of distributing signature updates without a keypress or intervention, should at least be an option, even if not every site uses it. I haven't seen the 2.1 MC code but I do like the idea of auto-update on the 5.0 sensors themselves. Now if I could just bridge the piece for getting the signatures as well ...
03-20-2005 07:35 AM
Kelly,
Your position is a good one, and one I won't argue with.
My original post was intended primarily to play the role of devil's advocate in order to ensure that some of the potential negative ramifications of auto-updating were posted in this forum for folks new to IDS/IPS and the whole Cisco product line to consider.
The time between vulnerability announcements and someone releasing point-and-shoot exploit code to take advantage of them is definitely getting shorter. What's going to drive an individual organisation's position on auto-updates versus testing is going to be a combination of their security policy and their willingness to accept problems should they occur as a result of using such a capability.
In any case, I personally appreciate you putting a human face on this issue. It's often far too easy to approach these topics from a purely technical standpoint.
Alex Arndt
02-28-2005 07:08 AM
IDS MC 2.01 has the ability to automatically download new signature updates, but you'll still have to push it out manually to the sensor.