05-02-2001 11:18 PM - edited 03-08-2019 08:12 PM
I have recently installed both IDS and CSPM on an IDC site. I observed the following integration problem between the two.
First I generate the policy through CSPM and apply it on the Policy Enforcement Points (PEP). Specifically for gateway routers, a specific ACL is generated by CSPM.
Later I configure the IDS with the gateway router as a managed device. I also enabled automatic shunning on intrusion detection, which the IDS does by replacing the original ACL with its ACL 199/198 option.
In the process, I observed the following difficulties.
1. ACL 199/198, which the IDS writes on the gateway router (in place of the original ACL), does not incorporate all the policies of the original ACL. Therefore my granular security policy is off the interface, which is as good as void.
2. The next time I update the policies from CSPM, my revised ACL is generated. But the IDS replaces it again upon the first instance of intrusion.
What is essentially happening is that my detailed security policy generated from CSPM is almost always outside the PEP interface. Cisco TAC advised me to disable the automatic shunning feature (by deselecting the managed daemon on the IDS) so that the CSPM ACL resides on the interface. But I am losing a key functionality of the IDS, i.e. automatic shunning.
Did anyone face a similar problem? Is there any way I can get the complete functionality of both CSPM & IDS?
I would be glad to provide more details if required.
Sekhar
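The failure mode described in this post (the IDS-written shun ACL displacing the CSPM policy ACL, and the shun ACL not carrying all of the policy's entries) is easy to miss until traffic that should have been denied gets through. The script below is an added example, not part of the original thread and not a Cisco or CSPM tool. It parses a constructed IOS-style `show running-config` excerpt and reports, for each PEP interface, whether the inbound ACL is still the policy ACL and which policy entries the currently applied ACL lacks. The ACL numbers 110 (policy) and 199 (shun) and the interface names are assumptions chosen for the sample; the entry comparison is verbatim, so a reordered or rewritten-but-equivalent entry is also reported, which errs on the side of noise rather than silence.

```python
"""Audit a router config for a policy ACL that has been displaced by a shun ACL.

Added example for this thread, not Cisco/CSPM code. Parses numbered IOS-style
access-list lines and 'ip access-group' bindings from a constructed config
excerpt; ACL 110 (policy) and ACL 199 (IDS shun) are illustrative assumptions.
"""
import re

# Constructed sample: the IDS has bound its shun ACL 199 on FastEthernet0/0 in
# place of policy ACL 110, and FastEthernet0/1 has no ACL bound at all.
SAMPLE_CONFIG = """\
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 permit tcp any host 192.0.2.10 eq 80
access-list 110 permit tcp any host 192.0.2.10 eq 443
access-list 110 permit udp any host 192.0.2.53 eq 53
access-list 110 deny ip any any log
access-list 199 deny ip host 198.51.100.77 any
access-list 199 permit tcp any host 192.0.2.10 eq 80
access-list 199 permit ip any any
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 199 in
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\d+) (.+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
GROUP_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)$")


def parse_acls(config):
    """Return {acl_number: [entry, ...]} preserving configured order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls


def parse_interface_acls(config):
    """Return {interface: {direction: acl_number}} for each 'ip access-group' line."""
    bindings, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            bindings.setdefault(current, {})
            continue
        m = GROUP_RE.match(line)
        if m and current is not None:
            bindings[current][m.group(2)] = m.group(1)
    return bindings


def missing_policy_entries(policy_entries, applied_entries):
    """Policy entries that do not appear verbatim in the ACL currently applied."""
    applied = set(applied_entries)
    return [e for e in policy_entries if e not in applied]


def audit(config, policy_acl, interfaces):
    """One (interface, applied_acl_or_None, missing_entries) tuple per PEP
    interface whose inbound ACL is not the policy ACL. A compliant interface
    produces no tuple."""
    acls = parse_acls(config)
    bound = parse_interface_acls(config)
    policy = acls.get(policy_acl, [])
    findings = []
    for iface in interfaces:
        applied = bound.get(iface, {}).get("in")
        if applied is None:
            findings.append((iface, None, list(policy)))
        elif applied != policy_acl:
            findings.append((iface, applied, missing_policy_entries(policy, acls.get(applied, []))))
    return findings


if __name__ == "__main__":
    for iface, applied, missing in audit(SAMPLE_CONFIG, "110", ["FastEthernet0/0", "FastEthernet0/1"]):
        print(f"{iface}: inbound ACL is {applied or 'none'}, expected 110; {len(missing)} policy entries not applied")
        for entry in missing:
            print(f"    missing: {entry}")
```

Run against the sample, it reports that FastEthernet0/0 carries ACL 199 and lacks four of the five policy entries (including the trailing `deny ip any any log`, which the shun ACL's `permit ip any any` undoes), and that FastEthernet0/1 has nothing bound. Feeding it a saved `show running-config` after each shun event, or after each CSPM policy push, gives a concrete record of how long the policy was off the interface.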
05-03-2001 12:46 AM
Sekhar,
it's somewhere in the fine docs: you must use a dedicated interface of the router for shunning.
In my view this is a workaround for a missing feature.
Ciao,
Giovanni