It has been four months since the last IPS update for the SA500 series. The threat environment has changed drastically. Our ASA IPS modules have gone thru dozens of updates, but the SA500 Series routers we bought IPS subscriptions for in December of 2011 have recieved zero updates. Has the IPS product been EOL'd on the SA500's? I thought it was odd when the SA500 IPS wasn't updated for a major compromise regarding the Microsoft RDP exploit.
Maybe the IPS signatures are under a review similar to what was done on the enterprise side regarding retirement of older signature over the past few months, but we would appreciate some information about the status of the Small Business signature/engine updates.
Ironically, one of the key reasons we upgraded to a contract based small business pro IPS product from our small business WRVS4400N was because Cisco stopped updating the signatures on it.
Any information would be appreciated.
I am beginning to wonder if the next firmware Cisco releases for the SA500 series routers will be using a different type of IPS engine. And therefore the signatures will be in a different format. Maybe it's just wishful thinking on my part, but since we haven't seen any EOL accouncements, they may be working on another major maintanence firmware release... as in 3.x.x... with more sophisicated IPS signatures?
It only makes sense. They should try to integrate the signatures they produce for their Enterprise routers into the SA500 Series routers. That way they wouldn't have to work on two separate types of signatures.
I wish someone in the know (like the Project Manager) would chime in. We purchased a 3 year IPS contract and since then there have been no updates at all. That is kinda sad.
This has become a great example of the failure of Cisco in the Small Business arena. I am guessing it is a matter of a lack of dedicated engineering resources to the small business division.
Just a heads up, but it "seems" like Cisco is about to abandon small business in the Enterprise IPS product line as well. They stopped updating the ASA5505 SSC-5 IPS firmware and capabilties in July of last year (right when we bought ours!!!). It still uses the same IPS signatures as the 5510+, but the writing is on the wall. No global correlation, no un-retiring of signatures, no custom signatures, no anomaly detection etc and they just announced ASA-CX which won't happen on the current ASA5505... I am really starting to feel like I wasted thousands of dollars based on Cisco's reputation, which apparently only applies at the big enterprise level. One look at PaloAlto's or Sonicwall's UTM features at the same pricepoint really shows what a bad cost v benefit analysis I did. In fairness to my decision, I also based the final decision on Cisco's support reputation. . .
Regardless of the above Enterprise issues, Cisco Small Business sold us these three year contracts last december, and now they haven't updated the IPS in 8 months. In fact, we have received ZERO IPS updates since our purchase. No update after the Micosoft RDP issue, and now, no update after the Microsoft Update certificate compromise, aka Flame. Since one of the real values of IPS is defending against threats that require patches that may not exist or been applied yet, an outdated IPS is almost useless for anything but detecting scanning/recon against your network.
At this point, without a response from Cisco in the near future, I plan to take my valuable time, and use it to post a lengthy but factually based review of their SA series security routers on the major vendor websites. I think one could appropriately describe the SA500 series as abandoned/EOL'd without a notice. I think the IPS contract situation may be a Better Business Bureau complaint at a minimum, but I will attempt to give Cisco a chance to address this with the community first. The only "service" that we purchased for the SA's that is still current is Microtrend's protectlink. . .
The hardware is solid, and this device has/had so much more potential.
I am very dissapointed.
Thanks for updating the threads to let us know about the IPS signature update release. I couldn't find release notes to go with the release. I installed the update on one of our SA500's and noticed that there are several, new, 2012 dated signatures. All of them are disabled ( I assume by default?) but when I click on them to read the cisco.com SBIPS descriptions i get page not found errors. Is it an issue on my end, or do you see the same thing? Would be nice to enable these new signatures, once I know what they are. . .
All of the new signatures were disabled by default for our SA540 as well. I assume that some of the existing signatures may have been updated, but if they were the signatures were kept enabled.
I see the same thing on our end when we click on the signatures. We decided to deploy the new signatures and enable them all today, even without knowing their descriptions.
I'll let you know if we see anything weird in our syslogs over the next few days.
It has been over a month and the links are still broken. Cisco, we still have no idea what the new signatures are. I have had them hit positively and I have zero idea what it means...
That sucks.... I'd just disable those new signatures before they stop anyone from accessing anything and you won't have any idea why its happening. What's worse than having no IPS? Not knowing what your IPS is doing.
New firmware is scheduled to release in the 3rd week of September and currently going through regression testing. Beta might be available earlier.
Thanks for the update on the next firmware release.
I take it the links associated to the new (and possibly existing) IPS signatures will be part of the firmware release?
We are currently running the latest beta firmware (126.96.36.199_1) for the SA540, and the links are still broken. I take it that the underlying links associated to each signature either need to change (which would require a new IPS signature file) or Cisco just needs to build the actual website pages.
Here is an example:
That link comes from the IPS signature file itself. In other words, the link is not embedded into the firmware.
Firmware 188.8.131.52 has been released but the IPS signature links are still broken. When should we expect new IPS signatures with links that work?
October 9th, there are still no updates related to the new firmware. Are the high memory usage issues fixed in this release? I have to reboot my SA520W every few weeks in order to free the memory. Coming from Netgear ProSafe products, I never experienced these issues before. So far, I own a SA520W router and SG300-10 switch. The insane memory usage do not help the Cisco solid reputation, I would apreciate some feedback from the Cisco technical engineers.