Cisco IDS Management

Introduction

There is much more to intrusion detection than placing a sensor on a network and never touching it again. Someone has to take the time to manage the sensors. It would not be efficient to visit each sensor on the network and examine it individually. What if you saw something suspicious? You would then have to go to the other sensors and try to correlate the events by hand. That is not an efficient way to manage a group of security sensors. Fortunately, Cisco provides central management solutions to help us manage our IDS sensors.

There are several items that need to be addressed when managing the IDS sensors on the network:

  • How secure is the network going to be? Are we looking at everything or looking for specific events driven by our security policy?

  • How many people will have access to the management console and who can modify the configuration?

  • How much logging is going to take place? Do we log everything or only the events we care about?

  • How often do we generate reports?

  • Will alarms be sent to e-mail/pagers?

  • Do I shun or carry out TCP resets?
This only scratches the surface of planning your management solution. Depending on your business needs, you may find that some solutions suit your environment better than others. Whatever the solution, IDS management is a full-time job with or without a central management console; the central console simply makes it much easier. You will find yourself constantly tuning signatures to reduce the volume of alarm traffic the sensors generate. Be warned that the initial alarm volume can seem overwhelming, but in the end it is manageable. In fact, having any of these management solutions in place lets you make one change in one location and have it applied to all the sensors simultaneously.

In this chapter, we cover all the Cisco IDS management applications in depth. Cisco offers three different methods: Cisco Secure Policy Manager (CSPM), IDS Device Manager (IDM), and Cisco IDS Director. After covering the management solutions, we take a look at the Cisco Network Security Database (NSDB). As with most management solutions, initial deployment and configuration are the toughest parts, so it is our intent to cover these steps thoroughly.