Configuring the Cisco IDSM Sensor

Introduction

The Cisco IDSM sensor blade is viewed with a mixture of awe, dread, and ignorance. This sensor is certainly one of the least understood and underutilized sensors in the Cisco IDS product line. In part, this stems from the cost of the hardware to support the IDSM sensor module and the difficulty in finding solid information on the sensor itself. In this chapter, we try to dispel the myths of the IDSM sensor and help you understand it and use it effectively.

This chapter provides an overview of the architecture of the IDSM sensor, how it fits into the network, how to configure the sensor, and how to troubleshoot it. You will see that the sensor, even though it is a module in the Catalyst switch, is not much different from any other IDS sensor from an operational perspective. There are differences in the command line (which we'll discuss), as well as other dissimilarities, such as having direct access to the SPAN ports and VLAN access lists, which more conventional IDS sensors do not have. There are also a few things the IDSM can't do that more conventional IDS sensors can. We will discuss some of the differences between the IDSM and conventional IDS sensors, which are now falling by the wayside with the advent of the new IDSM sensor version 2 released by Cisco.

We would be remiss if we did not explore one of the most critical skills in managing the Cisco IDSM sensor: how to apply service packs and updated signatures. As seen in earlier chapters, one of the best ways to stay ahead of threats is to keep current with both service packs and signature files, so this is a "must have" skill.

In a perfect world, everything would work correctly the very first time we configured it, but alas, we do not live in a perfect world. Therefore, we will show you how to troubleshoot the IDSM sensor should you have problems getting it to work correctly.