Cisco released the IPS 6.1 minor release upgrade early last week. It sports a newly minted GUI manager/monitor and has a couple of new features worth noting. The new GUI manager/monitor, called IPS Manager Express (IME), is a big step up from the previous GUI.
Adding any stateful security solution into a network topology where asymmetric traffic paths exist has always been a real challenge, and because the Cisco IPS is stateful, putting it inline on asymmetric traffic flows is no exception: a sensor that sees only one direction of a TCP session cannot fully track that session’s state. In some cases you can create a design that solves the asymmetric problem; see my previous article on the topic for IPS in the datacenter. In other cases it might make sense to relax the sensor’s TCP state tracking instead. Cisco IPS 6.1 now includes just such a feature, configured per virtual sensor:
sensor-1(config-ana-vir)# inline-TCP-evasion-protection-mode ?
strict      Full TCP ordering and sequence checking will be applied to all TCP sessions on this virtual sensor.
asymmetric  Relaxed TCP ordering and sequence checking will be applied to all TCP sessions on this virtual sensor.
Strict is the default and is what you want wherever the sensor sees both directions of a flow. Asymmetric trades some TCP evasion protection for the ability to inspect one-sided flows, so scope it to the virtual sensor that actually carries the asymmetric traffic rather than relaxing every virtual sensor on the box.
The free event monitoring GUI for Cisco IPS has been given a complete face lift for IPS 6.1. The legacy IEV (IPS Event Viewer) is being retired and the new IME (IPS Manager Express) is being ushered in. IEV was purely a monitoring platform, but IME can be used to manage and monitor up to 5 IPS sensors. IME embeds Cisco IPS Device Manager (IDM) to offer a seamless configuration and monitoring application for the SMB market. IDM itself has also picked up new features: a startup wizard, improved sensor health monitoring, customizable dashboards, performance improvements, and new policy and signature tables. The goal of the improvements is ease of use and application performance.
Let’s take a look at some screenshots of the new features in IME. First there is the new dashboard view.
It has the concept of gadgets and dashboards that can be added, deleted, and moved around to suit your needs. In many cases you can also click through to more detailed information without leaving the dashboard view. [img]http://www.jheary.com/events-dashboard.gif[/img]
Here is the new sensor health dashboard view. Again, you can add, move, and delete the gadgets and dashboards shown. [img]http://www.jheary.com/health-dashboard.gif[/img]
Here is where you can configure the health thresholds of the sensor: [img]http://www.jheary.com/IME-health.gif[/img]
IME has new reports that are exportable and savable as PDF or RTF. Take a look: [img]http://www.jheary.com/ime-reports.gif[/img]
IME’s new event viewer is super flexible. Here are two of the different views. It can even cross-launch Wireshark so you can see the trigger packet and any other captured packets that are part of an IPS event. As you can see from the tabs at the bottom of the screenshots, you get all sorts of information for each IPS event. Some notable tabs are related attacks and explanation; from there it links to the CVE entries and Cisco IntelliShield reports that correspond to the attack. [img]http://www.jheary.com/ime-events.gif[/img]
[img]http://www.jheary.com/ime-events2.gif[/img]
The last shot I’ll mention is the ease-of-use enhancements to creating an IPS security policy. IME has a new way of creating IPS policy and has embedded video help throughout the whole of IME! The video help files are very well done and should help users come up to speed quickly on the system. The video help is an interactive training video that is context specific, meaning that if you click the video help button while in policy configuration you get the video on how to do policy configuration. Very sweet! [img]http://www.jheary.com/IME-policy.gif[/img]
A video help example screenshot: [img]http://www.jheary.com/IME-videohelp.gif[/img]
Here is a list of some of the other new features that released with IPS 6.1:
- Finally, you get automatic signature updates downloaded directly from Cisco.com to each of your sensors. It works just like you’d expect: you give the sensor Cisco.com credentials tied to a valid service contract and tell it to go to Cisco.com and download its updates on a configurable periodic schedule.
- Ability to use unauthenticated NTP time sources on the IPS sensors. As a security professional this is not a feature I’d recommend you use, since anyone who can spoof the time source can skew the timestamps on every event the sensor logs, but it can be a nice to have when you’re working in a secure environment.
- Improved sensor and security health statistics and monitoring.
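To close the loop on the asymmetric mode covered earlier, here is the full sequence for switching one virtual sensor to it and checking the result. This is an added walkthrough, not a snippet from the original post or from Cisco’s documentation: the sensor name (sensor-1), the virtual sensor name (vs0) and the prompt strings are assumed and follow the Cisco IPS 6.x CLI as I know it, and lines starting with “!” are my annotations, not commands typed at the sensor.

```text
sensor-1# configure terminal
sensor-1(config)# service analysis-engine
sensor-1(config-ana)# virtual-sensor vs0
! Relax TCP ordering/sequence checks only on the virtual sensor that
! carries the asymmetric flows (vs0 here). Any other virtual sensor on
! the box keeps the default of strict, so it retains full evasion protection.
sensor-1(config-ana-vir)# inline-TCP-evasion-protection-mode asymmetric
! Confirm the setting took before leaving service mode; show settings
! lists the current value alongside the default for this virtual sensor.
sensor-1(config-ana-vir)# show settings
sensor-1(config-ana-vir)# exit
sensor-1(config-ana)# exit
Apply Changes?[yes]: yes
sensor-1(config)# exit
```

The point of doing this under a specific virtual-sensor context rather than globally is containment: you only give up TCP evasion protection on the interfaces (or VLAN pairs) where the sensor genuinely cannot see both halves of a session. If you later fix the routing so the flows become symmetric, set the mode back to strict on that virtual sensor rather than leaving the relaxed checks in place.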
Well, that’s a quick overview of what’s new in IPS 6.1.1 and IME. It is a strong release for smaller IPS shops with five or fewer sensors to manage and monitor, or for those that prefer to manage IPS devices individually as opposed to using CS-Manager.
I’d be interested to hear your feedback on IME; you can download it here to check it out if you own a Cisco sensor. It even has a demo mode that doesn’t require you to have a live sensor. What features would you like to see in future releases of IPS? In what features do you think Cisco IPS still lags behind other market players?
For more information on Cisco IPS 6.1 see here and here.
The opinions and information presented here are my personal views and not those of my employer.