Cisco released the IPS 6.1 minor release upgrade early last week. It sports a newly minted GUI manager/monitor and has a couple of new features worth noting. The new GUI manager/monitor, called IPS Manager Express (IME), is leaps above the previous GUI.
Adding any stateful security solution into a network topology where asymmetric traffic paths exist has always been a real challenge. Because Cisco’s IPS solution is stateful, adding inline inspection to asymmetric traffic flows is no exception. In some cases you can create a design that solves the asymmetric problem. See my previous article on the topic for IPS in the datacenter. However, in some cases it might make sense to just throttle back the stateful nature of the Cisco IPS in order to deal with the asymmetric problem. Cisco IPS 6.1 now includes just such a feature:
sensor-1(config-ana-vir)# inline-TCP-evasion-protection-mode ?
strict Full TCP ordering and sequence checking will be applied to all TCP sessions on this virtual sensor.
asymmetric Relaxed TCP ordering and sequence checking will be applied to all TCP sessions on this virtual sensor.
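To make the difference between the two keywords concrete, here is an added example that is not from the original article and is not Cisco's algorithm: a toy TCP state tracker (the names `Seg`, `inspect`, `FULL_FLOW` and `CLIENT_HALF` are hypothetical, and the sample flow is constructed) showing why full ordering and sequence checking denies a flow when the sensor sees only one direction, while relaxed checking lets it through.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    src: str         # "c" = client, "s" = server
    flags: str       # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data
    seq: int
    length: int = 0  # payload bytes

def inspect(segments, mode):
    """Toy model (an assumption, not Cisco's algorithm): verdict per segment.
    mode is "strict" or "asymmetric", named after the CLI keywords above."""
    state, expected, verdicts = "closed", {}, []
    for seg in segments:
        if seg.flags == "S":
            ok, state = True, "syn"
        elif seg.flags == "SA":
            # strict needs the SYN first; relaxed tolerates a missing half
            ok = state == "syn" or mode == "asymmetric"
            state = "synack" if ok else state
        elif mode == "strict":
            if state == "synack":
                state = "established"   # handshake seen in both directions
            ok = state == "established" and seg.seq == expected.get(seg.src)
        else:
            # relaxed: flow must be known, sequence must not run backwards
            ok = state != "closed" and seg.seq >= expected.get(seg.src, seg.seq)
        if ok:
            # SYN and SYN/ACK consume one sequence number, data its length
            step = 1 if "S" in seg.flags else seg.length
            expected[seg.src] = seg.seq + step
        verdicts.append("pass" if ok else "deny")
    return verdicts

# Constructed sample flow: both directions, as seen on a symmetric path.
FULL_FLOW = [
    Seg("c", "S", 1000), Seg("s", "SA", 5000), Seg("c", "A", 1001),
    Seg("c", "PA", 1001, 100), Seg("s", "PA", 5001, 200),
    Seg("c", "PA", 1101, 50),
]
# The same flow as seen by a sensor that only sits on the client-to-server path.
CLIENT_HALF = [s for s in FULL_FLOW if s.src == "c"]

if __name__ == "__main__":
    for name, flow in (("full", FULL_FLOW), ("client half", CLIENT_HALF)):
        for mode in ("strict", "asymmetric"):
            print(f"{name:12} {mode:10} {inspect(flow, mode)}")
```

In this model the relaxed mode also passes a segment whose sequence number skips ahead of what the sensor has inspected, which is exactly the ordering check that strict mode keeps.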
The free event monitoring GUI for Cisco IPS has been given a complete face lift for IPS 6.1. The legacy IEV (IPS Event Viewer) is being retired and the new IME (IPS Manager Express) is being ushered in. IEV was purely a monitoring platform but the new IME can be used to manage and monitor up to 5 IPS sensors. IME embeds Cisco IPS Device Manager (IDM) within IME to offer a seamless configuration and monitoring application for the SMB market. IDM has also been given some new features like a startup wizard, improved sensor health monitoring, customizable dashboards, performance improvements, and new policy and signature tables. The goal of the improvements is to improve ease of use and application performance.
Let’s take a look at some new feature screenshots from the new IME.
First there is the new dashboard view. It has the concept of gadgets and dashboards that can be added, deleted, and moved around to suit your needs. You can also, in many cases, click to obtain more detailed information without having to leave the dashboard view.

Here is the new sensor health dashboard view. Again you can add, move, and delete the gadgets and dashboards shown.

Here is where you can configure the health thresholds of the sensor:

IME has new reports that are exportable and savable as PDF or RTF. Take a look:

IME’s new events viewer is super flexible. Here are two of the different views. It can even cross-launch Wireshark so you can see the trigger packet and other captured packets that are part of an IPS event. The tabs at the bottom of the screenshots give you all sorts of information for each IPS event. Some notable ones are related attacks and explanation. From here it links to CVE docs and Cisco Intellishield reports that correspond to the attack.


The last shot I’ll mention is the ease of use enhancements to creating an IPS security policy. IME has a new way of creating IPS policy and has embedded video help throughout the whole of IME! The video help files are very well done and should help users come up to speed quickly on the system. The video help is an interactive training video that is context specific, meaning if you click on the video help button while in policy configuration you get the video for how to do policy configuration. Very sweet!

A video help example screenshot:

Here is a list of some of the other new features that released with IPS 6.1:
Well, that’s a quick overview of what’s new in IPS 6.1.1 and IME. It is a strong release for smaller IPS shops with 5 or fewer sensors to manage and monitor, or for those that prefer to manage IPS devices individually as opposed to using CS-Manager.
I’d be interested to hear your feedback on IME. You can download it here to check it out if you own a Cisco sensor. It even has a demo mode that doesn’t require you to have a live sensor. What features would you like to see in future releases of IPS? What features do you think Cisco IPS still lags behind other market players?
For more information on Cisco IPS 6.1 see here and here.
The opinions and information presented here are my personal views and not those of my employer.
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
Finally. The GUI looks
Finally. The GUI looks AWESOME. Again, Finally. ASDM, IDM SE, next up ACS? Good job Cisco, the Security product suite is really getting to be a force.
GUIs
Agreed, I think they did a great job on IME. A GUI overhaul is in the works for ACS with 5.0. From what I've seen of the early code it looks fantastic. The next major GUI overhaul to come though is CSA 6.0. I plan on writing on that topic soon. Stay tuned.
-Jamey
IPS Manager Express 6.1
I always appreciate Jamey's thorough reviews of Cisco Security products - well done on this one!
Also, I agree with the other comments that Cisco is finally turning out wonderful management products. For some time I have struggled with Cisco's IDS/IPS solutions in terms of getting useful data from them (i.e. top attackers, statistics on incidents seen and signatures triggered, knowing what actions are taken in response, etc.). IPS Manager Express appears to do all of this and more - with an excellent GUI and dashboard features.
My management will really appreciate the reports I should be able to give and I will certainly have a better grasp on my IPS environment.
Thank you Cisco Development. PLEASE keep on pushing forward with your security and management systems - definitely moving in the right direction.
IME
Thanks Michael for your comments. Good to hear that you think Cisco is moving in the right direction for mgmt products. Especially, I think with the free device managers. If you haven't seen the latest security device manager (SDM) for IOS routers it is worth a look, lots of upgrades. I especially like the one click lockdown features based on NSA best practices.
-Jamey