IDS Standalone vs IDS blade in 6509

adushey
Level 1

Can someone give me some real world experiences as to the advantages of the IDS blade for the 6509 vs the standalone boxes? Also, how far behind is the 65xx IDS blade from signature updates? It seems on CCO they go a month or more before updates, whereas on the IDS standalones its more often. Also, what is the plan on CSPM integrated IDS/Firewall support instead of the 2 versions?

Thanks in advance

3 Replies

albadger
Level 1

Both the sensor appliance and the IDSM blade have their advantages and disadvantages - and these will also depend on your current network environment and design.

What I think is a major consideration is that unlike a hub, by design, a switch will forward packets only to the necessary port, rather than out all ports. Hence, to sniff traffic, you will need to span a port in the switch. This can be limiting to the sensor appliance, but not to the IDSM blade. In a switched environment, the major advantage of the IDSM is that it will sniff packets that traverse the backplane of the switch, regardless of the port the data comes in on.

As for CSPM - I am not aware of any plans to merge the two streams. It is most likely that they will always remain separate.

There are other considerations as far as management of a sensor is concerned: the new IDM (part of the 3.1 code) and the new IDS Management Console, which should be available with the release of the next VMS bundle later in the year.

From a Catalyst 6000 switch deployment standpoint, both the appliance and the module can be deployed in similar situations. The port that the appliance's sniffing port plugs into, as well as the sniffing port of the module, will have to be configured as either a switch SPAN port or a VACL capture port.

In early versions of Cat IOS the VACL capture feature could only be used with the module, but later versions of Cat IOS allow VACL capture to be configured for a port connected to an appliance. With this latest change in Cat IOS there is now no difference in deployment strategy between the module and the appliance.

Since both can be similarly deployed in a Cat 6000 environment, it is the difference in features between the module and the appliance that has to be compared.

NOTE: For other switches you would have to use the appliance since the module is only supported in the Cat 6000/6500 switches and 7600 Routers.

The module's signature updates are not as frequent as the appliance's. This is because module updates require changes to the binaries and recompiles of code. The appliance, however, supports the addition of new signatures through the use of configuration entries for the signature engines. So adding signatures on the appliance is simply a matter of adding configuration lines to the configuration files (much faster than writing code and changing binaries on the module).

The appliance also has IDM for web-based configuration on the sensor itself, and also has IEV, which can be downloaded from IDM for alarm viewing. The module requires that you purchase CSPM or the Unix Director for management and alarm viewing.

From a performance perspective the module performs better than the older IDS-4210 and IDS-4230 sensors. But the new IDS-4235 and IDS-4250 sensors perform better than the module. The IDS-4235 is the best to compare with the module. The module performs at around 125 Mbps while the IDS-4235 performs at 200 Mbps at a cheaper price.

BUT there are advantages to using the module. For some customers they don't have the rack space available for deploying the appliances. They already have the 6500 switches with empty slots, so adding in the module doesn't require an expensive build out to add more racks to their wiring closet. You also have the power built into the switch so no extra power outlets have to be used, and the switch already has redundant power supply options.

There is also the ability to remotely power down and power back up the module, as well as remotely re-image the module. It doesn't sound like much until you deal with enterprise customers with deployments world wide. Simply re-imaging a sensor at a remote site on the other half of the world can be a major issue. Your sensor hard drive has been corrupted or a major version requires a re-image; if it is an appliance it means sending someone to load the CD and re-image the sensor. This can be expensive, as you have to hire contractors to do it and have trained personnel on site, and it can take days to complete, during which time your sensor may be off line. But with the module, I can telnet to the switch and through switch commands power off the module, power it back up, boot it into a maintenance mode, and in the maintenance partition I can completely re-image the application partition where the IDS code runs. So my entire update and software maintenance can be done here from my desk today even if the sensor is on the other side of the world. I only need on-site assistance if a hardware problem is found. This has been a major expense saver for several customers.

Also, the IDSM gets covered under the standard switch maintenance contracts, unlike the appliance, which requires a separate maintenance contract.

In the end it's up to you to decide which features are more important to you at this time.

For most customers with local installations and the wiring closet space, the decision is generally the IDS-4235 or IDS-4250 appliances because of the better price/performance ratio and richer IDS feature set. But for those enterprise customers with world-wide deployments the module can be very attractive.

Cisco does understand that for many customers all of these features are important, and we are keeping this in mind in planning future development efforts.
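The reply above makes the key operational point: on a switch the sensor's sniffing port sees nothing unless the switch is told to copy traffic to it, either with SPAN or with VACL capture. The following configuration fragment is an added illustration of both approaches for an appliance's sniffing port on a Catalyst 6500 running native IOS; it is not from the original thread or from Cisco documentation, and the VLAN number (10), the sensor port (GigabitEthernet3/1), and the ACL and access-map names are assumed for the example.

```text
! Added example, not part of the original thread.
! VLAN 10, GigabitEthernet3/1 and the ACL/access-map names are assumptions.

! Option 1: SPAN. Copy all traffic on VLAN 10, in both directions,
! to the port the appliance's sniffing interface is plugged into.
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet3/1

! Option 2: VACL capture. Packets matching an entry whose action is
! "forward capture" are switched normally AND a copy is sent to every
! port configured as a capture port for that VLAN.
ip access-list extended IDS-ALL-IP
 permit ip any any
!
vlan access-map IDS-CAPTURE 10
 match ip address IDS-ALL-IP
 action forward capture
! A VACL ends in an implicit deny, so forward everything else explicitly.
vlan access-map IDS-CAPTURE 20
 action forward
!
vlan filter IDS-CAPTURE vlan-list 10
!
interface GigabitEthernet3/1
 description IDS appliance sniffing port
 switchport
 switchport capture
 switchport capture allowed vlan 10
```

Two practical caveats when choosing between them. Older Catalyst 6500 supervisors allow only a small number of local SPAN sessions per switch (two is the usual figure), so a switch that already uses SPAN for other monitoring may have no session left for the sensor; VACL capture does not consume a SPAN session, which is one reason the reply mentions it as the alternative. Conversely, VACL capture only copies packets that match a "forward capture" entry, so a narrower ACL than the catch-all above silently blinds the sensor to whatever it excludes, and the capture port only receives VLANs listed in `switchport capture allowed vlan`. Verify either setup by generating known traffic on VLAN 10 and confirming the sensor reports it before relying on the deployment.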

Thanks so much, I appreciate such complete answers!