Cisco's Network Sensor Platforms

Cisco's Network Sensor Platforms

As part of their flexible deployment strategy, Cisco offers several different Network IDS platforms to meet the varying needs of enterprise environments. Included in the Network IDS suite of products are the Cisco IDS 4200 Series sensors, the Cisco Catalyst 6000 IDS Modules, Cisco IDS Modules for 2600, 3600, and 3700 routers, and the Cisco router and firewall-based sensors. All of these devices represent the cost-effective, comprehensive security solutions Cisco can provide for custom-tailored network performance needs.

From the affordable Cisco IDS 4210 to the high performance IDS 4250XL, the Cisco 4200 Series devices provide an appliance-based detection system. Refer to Table 2.1 for details regarding the Cisco IDS platforms.

Cisco IDS Appliances

At the core of Cisco's IDS solution are the dedicated IDS sensors that compose the 4200 series. These appliance-based products are available in five performance levels as follows:

  • Cisco IDS 4210—45 Mbps

  • Cisco IDS 4215—80 Mbps

  • Cisco IDS 4230—100 Mbps

  • Cisco IDS 4235—250 Mbps

  • Cisco IDS 4250—500 Mbps

  • Cisco IDS 4250 XL—1000 Mbps

Each specific sensor incorporates the same richly featured functionality of Cisco IDS 4.0 software, yet has different interface and internal hardware that imposes varied traffic processing limitations. The flexibility of these small form factor devices facilitates easy integration into different environments from SOHO to enterprise to service provider networks.

Cisco rates the performance of their devices based on specific traffic variables such as new and concurrent TCP or HTTP sessions and average packet size. For instance, the performance rating of all the 4200 Series IDS sensors, except the 4250 XL, is based on an average packet size of 445 bytes. The 4250 XL Gigabit performance is based on 595 bytes packets. In general, smaller packet sizes add an increased overhead as devices must process more header information per number of packets vs. a smaller number of larger packets with less header overhead which will result in reduced performance.

Table 2.1: The Cisco Sensor Capability Matrix

Sensor

Throughput

Monitoring Interface

Control Interface

Optional Interfaces

RU

Cisco IDS 4210

45 Mbps

1 10/100 Base-TX

1 10/100Base-TX

N/A

1

Cisco IDS 4215

80 Mbps

1 10/100 Base-TX

1 10/100Base-TX

Four 10/100 BaseTX sniffing interfaces

1

Cisco IDS 4230

100 Mbps

1 10/100 Base-TX

1 10/100Base-TX

N/A

4

Cisco IDS 4235

250 Mbps

1 10/100/1000 Base-TX

1 10/100/1000 Base-TX

Four 10/100 BaseTX sniffing interfaces

1

Cisco IDS 4250

500 Mbps

1 10/100/1000 Base-TX

1 10/100/1000 Base-TX

Four 10/100Base-TX One 1000Base-SX

1

Cisco IDS 4250XL

1 Gbps

2 1000Base-SX (MTRJ)

1 10/100/1000 Base-TX

One 1000Base-SX

1

Cisco IDS Module for 2600, 3600, and 3700 Router

2600: 10 Mbps
3600: 45 Mbps
3700: 45 Mbps

Router internal bus

1 10/100/1000 Base-TX

N/A

1 Network Module Slot

Cisco IDS Module for 6500 Switch

600 Mbps

Switch backplane

Via Switch or direct Telnet

N/A

1 Slot

4210 Sensor

The Cisco 4210 Sensor is the newest member to the 4200 series lineup. It is a rack mountable, 1RU device that can deliver up to 45 Mbps of traffic analysis. The 4210 has two fixed ports, both 10/100Base-TX (Fast Ethernet) to be used for monitoring and control. Due to its processing capabilities, the Cisco 4210 is optimized to monitor multiple T1/E1, T3, or Ethernet environments. The 4210 could also function as a sensor in partially loaded Fast Ethernet environments.

The Cisco 4210 is ideally suited for SOHO, remote office locations, and other low bandwidth demand environments.

4215 Sensor

Similar to the 4210, the Cisco 4215 Sensor is a sensor designed for network infrastructure running at less than Fast Ethernet speeds. The 4215 could perform adequately in a typical partially loaded 100 Mbps environment. Capable of 80 Mbps, the 4215 improves upon the 4210 in throughput capability and in potential maximum interfaces. Instead of only one monitoring interface like the 4210, the 4215 has four additional (and optional) monitoring interfaces. This means that with the primary monitoring interface, the 4215 is able to provide intrusion detection on five different interfaces.

Because of the improved interface density, the 4215 is well suited for monitoring multiple, discrete network segments such as internal, external, and DMZ networks. Like most of the 4200 Series devices, the 4215 is 1 rack unit in height, making it a good fit for tight equipment rooms and closets.

4230 Sensor

The 4230 Sensor is one of the older models in the 4200 series. In fact, the Cisco IDS 4230 sensor was end-of-sale (EOS) as of July, 2002. While software and hardware support will continue for a limited time, this device is no longer available from Cisco. Instead, Cisco recommends the use of the 4235 sensor based on improved performance, size, and port density. We'll discuss the 4230 sensor in this chapter because the hardware is still included in the CSIDS 9E0-100 exam.

The 4230 sensor is a dual Pentium III-based sensor with two fixed 10/100Base-T ports. Like the 4210, one is reserved for monitoring, while the other is intended for command and control access. The 4230 is capable of handling 100 Mbps, which makes it a good choice for Fast Ethernet environments. At four RU, the 4230 is a larger device than the other 4200 series sensors.

4235 Sensor

As the replacement of the 4230 sensor, the 4235 improves on size, performance, port density, and port capacity. The 4235 offers performance up to 250 Mbps and due to its 10/100/1000-capable TX monitoring interface, the 4235 can be used in partially loaded gigabit environments. Ideally, the 4235 is suited for multiple T3 networks or high-speed switched environments.

The 4235 sensor, like the 4215, has the option of four additional 10/100Base-TX interfaces enabling IDS capabilities on multiple networks with one device. The 4235 is one RU in height and has a gigabit-capable control interface.

4250 Sensor

The Cisco IDS 4250 sensor incorporates many of the features of the 4235 sensor, but with increased performance of 500 Mbps. The 4250 is also the only 4200 series sensor that is scalable via a simple hardware upgrade for full line-rate gigabit performance. At one RU, the 4250 has a 10/100/1000Base-TX control and monitoring port. The 4250 also has the option of four additional 10/100Base-TX interfaces or one additional 1000Base-SX SC fiber interface. This flexibility enables the use of the 4250 in various environments including gigabit subnets and on switches used to aggregate traffic from numerous subnets.

4250 XL Sensor

The most capable of the Cisco 4200 IDS series, the 4250 XL performs at gigabit speeds and is ideal for fully or partially saturated gigabit network environments. Like the other sensors, the 4250 XL is one RU, but accommodates dual 1000Base-SX monitoring interfaces with MTRJ connectors. The 4250 XL also has a 10/100/1000Base-TX control interface and an additional and optional 1000Base-SX SC monitoring interface.