The Cisco 6500 Series IDS Services Module
Like the IDS Module for Cisco routers, Cisco also offers a module for the Cisco 6500 series switch. Referred to as the IDSM, the module occupies one or more slots in the 6500 chassis, making it an effective IDS sensor, best suited to networks where the 6500 platform is already deployed. There are two revisions of the IDSM, the IDSM-1 and the IDSM-2. The IDSM-2 is a far more capable device, offering five times the performance of the IDSM-1. The IDSM-1 has reached EOL and is no longer supported with either service packs or signature updates. Some of the other differences in functionality between the revisions are highlighted in Table 2.2.
Table 2.2: IDSM-1 vs. IDSM-2 Comparison

| Functionality | IDSM-1 | IDSM-2 |
|---|---|---|
| Performance | 250 Mbps | 600 Mbps |
| SPAN/RSPAN | X | X |
| VACL Capture | X | X |
| Shunning | X | X |
| IEV | X | X |
| VMS | X | X |
| IDM | | X |
| TCP Resets | | X |
| IP Logging | | X |
| CLI | | X |
| Signature Micro Engines | | X |
| Same Code as Appliances | | X |
| Fabric Enabled | | X |
| SNMP | | |
| Unix Director | X | |
| CSPM | X | |
| Event retrieval method | PostOffice | RDEP |
| Slot Size (form factor) | 1 RU | 1 RU |
| Local Event Store | 100,000 Events | N/A, retrieved |

As can be seen, the IDSM-2 module has far greater capabilities. Indeed, because it runs the Cisco IDS 4.0 software, it incorporates all of the functionality of the Cisco 4200 series IDS devices while delivering 600 Mbps of performance. The advantage of the IDSM is that it takes data directly from the switch backplane and can monitor any traffic sent across the switch. Data to be monitored can be defined by SPAN and RSPAN, or by VLANs via VACL capture mechanisms.
Besides performance, noteworthy differences between the two revisions include more management capabilities and more security features. For instance, the IDSM-2 module supports management via the Cisco VPN/Security Management Solution (VMS), Cisco IDS Device Manager (IDM), IDS Event Viewer (IEV), and the CLI. Additionally, the IDSM-2 supports advanced IDS features such as TCP Resets, IP Logging, and Signature Micro Engines, while the IDSM-1 does not. Also, the new IDSM supports Cisco's new method of event retrieval, Remote Data Exchange Protocol (RDEP), whereas the IDSM-1 supports the PostOffice Protocol only.
On the IDSM-2 there is no limit to the number of VLANs monitored on the module and no impact on traffic traversing the switch. Furthermore, the only limit to the number of IDS modules in a Catalyst 6500 is the number of free slots in the chassis. Finally, it should be noted that Cisco no longer sells the IDSM-1 as of April, 2003. All of this information and more will be discussed in detail in Chapter 6, which focuses on the IDSM solution specifically.