CiscoWorks Management Center for IPS Sensors is a tool for configuring Cisco® network sensors, switch intrusion prevention system (IPS) sensors, IPS network modules for routers, and inline intrusion prevention software in routers. The tool allows administrators to save time by using group profiles to configure multiple sensors concurrently. It also provides a powerful signature management feature that increases the accuracy and specificity of detecting possible network intrusions.
CiscoWorks Management Center for IPS Sensors is a component of the CiscoWorks VPN/Security Management Solution (2.3), which combines Web-based tools for configuring, monitoring, and troubleshooting:
• Network IPSs
• Network intrusion prevention systems (IPSs)
• Host-based IPSs
• Router-based IPSs
An integral part of the SAFE Blueprint from Cisco, CiscoWorks VMS is an integrated security management solution that addresses the needs of both small- and large-scale VPN and security deployments by helping to protect productivity gains and to reduce operating costs. Unlike point security products from multiple vendors that can leave vulnerable gaps, CiscoWorks VMS provides a comprehensive solution that brings separate security and VPN technologies together into a single secure network. Many enterprises have increased the number of IPS sensors to provide security against network attacks. With a scalable architecture, CiscoWorks Management Center for IPS Sensors helps centrally manage these sensors and provides added security in a way that helps reduce management time and cost of operations.
CiscoWorks Management Center for IPS Sensors 2.2 includes the following new features:
• Additional Support for Cisco IPS Sensor Software 5.1: Cisco IPS Sensor Software is an inline, network-based solution that accurately identifies, classifies, and stops malicious traffic, including worms, spyware and adware, network viruses, and application abuse, before business continuity is affected.
• Support for the Cisco Incident Control System: The Cisco Incident Control System helps prevent new worm and virus outbreaks by enabling the network to rapidly adapt and provide a distributed response. Today, worm or virus outbreaks can spread around the world in minutes. A rapid response after an outbreak is detected is necessary to help ensure the safety of enterprise networks. Collaborating with existing Cisco outbreak prevention solutions, the Cisco Incident Control System provides rapid distribution of worm and virus immunization capabilities throughout the network. This fast, proactive approach helps to ensure network availability and to decrease the costs associated with damage cleanup.
The primary features of the Cisco Incident Control System include:
– Uses up-to-the-moment threat intelligence from Trend Micro, an industry-leading antivirus and worm expert
– Provides rapid response, enabling proactive prevention of worms and viruses
– Empowers existing Cisco network and security devices to adapt in real time for a coordinated, networkwide response
CiscoWorks Management Center for IPS Sensors detects changes to devices affected by the Cisco Incident Control System and notifies the user via the tool's Sensor Health and Welfare feature. The Management Center for IPS Sensors also handles configuration of the proactive prevention signatures used by the Cisco Incident Control System. It provides the user with detailed information pertaining to:
• Support of Distributed Threat Mitigation: Distributed Threat Mitigation is a collaborative solution that proactively identifies and distributes IPS signatures for the most active threats detected on the network. It provides distributed and rapid threat mitigation using Cisco IOS® IPS. CiscoWorks Management Center for IPS Sensors detects changes to devices affected by Distributed Threat Mitigation and notifies the user via Sensor Health and Welfare.
• Support of Cisco IOS IPS: With inline intrusion prevention capabilities, Cisco IOS IPS is the first system in the industry to provide an inline, deep-packet-inspection-based IPS solution that helps enable Cisco routers to effectively mitigate a wide range of network attacks without compromising traffic forwarding performance. Armed with the intelligence to accurately identify, classify, and stop malicious or damaging traffic in real time, Cisco IOS IPS is a core component of the Cisco Self-Defending Network, which enables the network to protect itself. This technology uses Cisco IPS Sensor Software and signatures. Because Cisco IOS IPS is inline, it can drop traffic, send an alarm, or reset a connection, enabling the router to respond immediately to security threats. CiscoWorks Management Center for IPS Sensors provides in-depth configuration of Cisco IOS IPS.
• Support of Cisco IOS IPS signature definition files (SDFs)
Signature Definition File (SDF)
The SDF is integral to Cisco IOS IPS. The SDF is an Extensible Markup Language (XML) file with a definition of each signature, along with relevant configurable actions. Cisco IOS IPS reads in the SDF, parses the XML, and populates its internal tables with the information necessary to detect each signature. Actions such as alarm, drop, or reset can be selected for individual signatures within the SDF. The SDF can be modified so the router will only detect specific signatures; as a result, it can contain all or a subset of the signatures supported in Cisco IOS IPS. The user specifies the location of the SDF. The SDF can reside on the local flash file system (recommended) or on a remote server. Remote servers can be accessed via Trivial File Transfer Protocol (TFTP), FTP, Secure Copy Protocol (SCP), or Remote Copy Protocol (RCP).
If the Cisco IOS IPS-enabled router is configured to scan packets using the SDF, it obtains signature and engine information from the SDF. All or a subset of the routers in a network can use the same SDF or different SDFs, depending on the requirements of the network. More powerful routers may allow more signatures to be activated than less powerful routers.
SDFs Posted on Cisco.com
Cisco IOS IPS ships with one of three preconfigured SDFs: 128MB.sdf, 256MB.sdf, and attack-drop.sdf. These files are available in flash memory on all Cisco IOS IPS-enabled routers that are shipped with Cisco IOS Software Release 12.3(14)T or higher. These SDFs contain the latest high-fidelity (low false positives) worm, virus, instant messaging, and peer-to-peer (P2P) blocking signatures for detecting security threats, allowing easier deployment and signature management for the user. Pre-built SDFs provide a good starting point for users: they do not have to create their own SDFs from the wide range of signatures available in Cisco IOS Software. Signatures can be appended to or modified in these SDFs.
128MB.sdf and 256MB.sdf
As of Cisco IOS Software Release 12.3(14)T, two pre-built SDFs have been introduced: 128MB.sdf and 256MB.sdf. 128MB.sdf is primarily created for routers with 128 MB of DRAM and contains 300 signatures. 256MB.sdf is primarily created for routers with 256 MB of DRAM and contains 500 signatures. These two SDFs contain signatures that are supported by the newly introduced STRING engines, namely STRING.TCP, STRING.UDP, and STRING.ICMP. These engines are supported in Cisco IOS Software Release 12.3(14)T. In the event that these SDFs are loaded on a router with an image prior to Release 12.3(14)T, the STRING signatures will not load.
The attack-drop.sdf contains 82 high-fidelity signatures, providing customers with the latest available detection of security threats. The attack-drop.sdf file is available in flash memory on all Cisco access routers that are shipped with Cisco Router and Security Device Manager (SDM) 1.2 or higher. The attack-drop.sdf file can also be downloaded onto a router from Cisco.com.
• Support for Single Interface, Multi-VLAN IPS Configuration: With introductory inline support, CiscoWorks Management Center for IPS Sensors now gives the user the ability to assign VLAN pairs to a single interface.
• Support of Rate-Limiting Configuration: Allows the IPS device to limit certain types of traffic by preventing the traffic from using an excessive amount of bandwidth. This feature can also signal external devices such as Cisco IOS Software routers to perform rate limiting to accomplish the same function.
• Multi-user Support: Automatically puts tasks such as sensor import and deployments in the background. This allows users to continue with the full functional use of CiscoWorks Management Center for IPS Sensors.
• Auto-Apply Signature Update: Allows the user to download and automatically update Cisco IPS sensors with signature updates, minor releases, and patches from Cisco.com.
• Copy Signature Wizard: Provides the ability to copy signature tunings from one device to many devices.
• Global Event Configurations: Makes it possible to globally apply event action overrides, event action filters, and event variables to all Cisco IPS sensors.
• Out-of-Band Configuration Detection: Detects out-of-band configuration changes made to devices by other management components. Once an out-of-band configuration change is detected, users can be notified via Sensor Health and Welfare.
FEATURES AND BENEFITS
Easy to Use
• Easy to use Web-based interface
• Wizards that walk the user through common management tasks
• Access to the Network Security Database, which provides meaningful information about alarms to assist operators without IPS security expertise
• Ability to define a hierarchy of sensors, containing groups and subgroups
• Support for several hundred sensor deployments from each console
• Use of a robust relational database to store a high volume of data
• Five authorization roles to delegate responsibility to different administrators
• Ability to determine which administrators can generate, approve, and deploy configurations
Enhanced Signature Management
• Ability to create and customize signatures for further tuning
• Sensors can be configured to block an attack by generating access control list (ACL) rules for a Cisco router or firewall
• Cisco network IDS/IPS Sensors: Cisco IDS Sensor Software 4.0 and 4.1; Cisco IPS Sensor Software 5.0 and 5.1
Cisco offers a wide range of services programs to accelerate customer success. These innovative programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.