Q. What is the Cisco Incident Control System (ICS)?
A. The Cisco® Incident Control System (ICS) is a solution that allows the network to adapt to and prevent new worm and virus threats before the network has been infected. It provides very rapid response to new outbreaks and allows a large variety of Cisco Systems® devices to become mitigation points for the new threat.
Q. Specifically, how does the Cisco ICS accomplish this?
A. The Cisco ICS accomplishes this using a direct link to Trend Micro's TrendLabs, from which it obtains early warning of new viruses and worms together with specific worm and virus mitigation policies. These policies can be pushed to Cisco infrastructure devices, allowing them to become mitigation points for the new threat.
Q. What are the main components of the Cisco ICS?
A. The Cisco ICS is composed of two components: the Cisco ICS server software and a variety of infrastructure mitigation device licenses.
Q. What is the Cisco ICS server?
A. The Cisco ICS server is the management center for administration and delivery of functionality specific to the Cisco ICS. The Cisco ICS server is not designed to be the management platform for access control lists (ACLs) and intrusion prevention system (IPS) provisioning, nor is it designed as a device manager. The Cisco ICS server's functionality is limited to that related to the Cisco ICS.
Q. What is a mitigation device?
A. A mitigation device is a Cisco networking or security device that is enabled to receive the Cisco ICS coverage and thus is able to act as a defense point against new outbreaks. Mitigation devices can be a variety of devices, from mainline Cisco IOS® Software-based routers and switches to any IPS-enabled Cisco product, including Cisco IPS 4200 Series sensors, IDSM2 blade for Catalyst® switches, Cisco ASA 5500 Series adaptive security appliances, integrated services routers, and others.
Q. What are mitigation device licenses?
A. Mitigation device licenses are annualized licenses that must be purchased and installed in the Cisco ICS software. These licenses are what enable the mitigation devices to receive the Cisco ICS coverage. There must be one mitigation device license per mitigation device receiving the coverage.
Q. What are the differences between the Cisco ICS and the Cisco Services for IPS offerings?
A. The Cisco ICS is a valuable addition to Cisco Services for IPS and a premium-class offering from Cisco that provides a new standard in outbreak response for the industry. It delivers near real-time updates to a broad range of mitigation devices, providing broad, network-wide protection in a coordinated fashion. Cisco Services for IPS is an important part of an outbreak prevention strategy: it provides timely signature updates to the broad range of Cisco IPS-enabled products, giving constant and regular updates to the protection profile offered by these products.
Q. Are different types of coverage offered by the Cisco ICS? What are they?
A. Two types of coverage are available under the Cisco ICS: ACL coverage and IPS coverage. The ACL coverage is for devices that do not have IPS capabilities, such as routers and switches running standard (non-security image) Cisco IOS Software. These devices receive only the coarse outbreak prevention ACL (OPACL). The IPS coverage is for devices with loadable signature IPS capabilities, such as Cisco IPS 4200 Series sensors, Cisco ASA 5500 Series adaptive security appliances with SSM-AIP modules, IDSM2 Catalyst 6500 modules, and routers running Cisco IOS Software security images. These devices receive both the OPACLs and the outbreak prevention signatures (OPSigs).
Q. What is an OPACL?
A. An OPACL is the first rapid-response measure deployed by the Cisco ICS to mitigation devices. It is in the form of a broad, coarse ACL or signature whose objective is to block the newly discovered threat with an emphasis on speed of delivery while an OPSig is developed and tested.
Q. What is an OPSig?
A. An OPSig is the second rapid-response measure deployed by the Cisco ICS to mitigation devices. It is in the form of a high-fidelity, very specific signature whose objective is to block the newly discovered threat with an emphasis on accuracy. This signature is made available to mitigation devices shortly after the OPACL, and its purpose is to provide final and permanent protection against the discovered outbreak.
Q. Can all mitigation devices receive OPACLs as part of the Cisco ICS?
A. Yes. Both ACL and IPS coverage devices can receive OPACLs.
Q. Can all mitigation devices receive OPSigs as part of the Cisco ICS service?
A. No. Only IPS coverage devices can receive OPSigs.
Q. What are the typical and target response times for OPACLs and OPSigs?
A. TrendLabs has steadily improved its response times on OPACL and OPSig delivery to where the typical response times are 15 minutes for OPACLs and 90 minutes for OPSigs. The stated target response times are 30 minutes for OPACLs and 150 minutes for OPSigs.
Q. I am not sure I like the idea of having the Cisco ICS server automatically changing ACLs on my network. How granular is my control over the policy deployment?
A. The Cisco ICS server allows for manual deployment of OPACLs. In this mode an automated notification will be sent to the administrator when an OPACL is available on the Cisco ICS server. The administrator will then have the opportunity to inspect and/or modify the ACL as well as to manually deploy it to only the desired mitigation devices.
Q. What components do I need to order from Cisco to deploy the Cisco ICS?
A. You will need to order the Cisco ICS server software and the appropriate number of licenses for mitigation devices. Table 1 shows the Cisco part numbers that are available; the ACL coverage license (ICS-LIC-ACL-25) is listed in Table 4.
Table 1. Part Numbers
Part Number      | Description
ICS-SVR-V10-K9   | Cisco Incident Control Server Software v1.0
ICS-LIC-IPS-HE-1 | ICS License: IPS Service for high-end devices, Qty 1
ICS-LIC-IPS-LE-5 | ICS License: IPS Service for low-end devices, Qty 5
You will also need to ensure that any IPS-enabled mitigation devices have valid Cisco Services for IPS SMARTnet® service contracts as a prerequisite.
Q. What if I do not want all of the licenses included in the bundle? Do I have to activate all the licenses at the same time?
A. No. For convenience, the Cisco ICS licenses can be partially fulfilled at registration time. That is, it is not required to activate all of the licenses purchased, but rather subsets of them can be activated at different times.
Q. What other equipment do I need to deploy the Cisco ICS?
A. You will need a Windows-based server platform to install the Cisco ICS server. You will also need one or more of the mitigation devices to which the Cisco ICS coverage will be deployed (see Table 2).
Table 2. Supported Mitigation Device Types and Minimum Software Required
• Cisco IPS 4200 Series sensors with software v5.1 or greater*
• Cisco ASA 5500 Series adaptive security appliances with an AIP-SSM card with software v5.1 or greater*
• Cisco IDSM2 Sensor Blades for Catalyst 6500 with software v5.1 or greater*
• Cisco routers with Cisco IOS Security Image Software Release 12.4(4)T or greater*
• Cisco routers with Cisco IOS Software Release 12.3M or greater
• Cisco Catalyst 3550 Series switches with Cisco IOS Software Release 12.1(22)EA5 or greater
• Cisco Catalyst 6500 Series switches with Cisco IOS Software Release 12.2(18)SXD5 or greater
• Cisco 7600 Series switches with Cisco IOS Software Release 12.2(17)SXB8 or greater
* These devices also require a valid Cisco Services for IPS SMARTnet service contract. Without a Cisco Services for IPS contract, these products will not be able to process the OPSigs.
Table 3 shows the minimum system requirements for the ICS server software.
Table 3. Minimum ICS Server System Requirements
Operating Systems:
• Windows 2000 Server or Advanced Server with SP3
• Windows 2003 Server Standard Edition or Enterprise Edition (English)
Hardware:
• 866-MHz Intel Pentium III processor or equivalent
• 512 MB of RAM
• 350 MB of disk space
Web Server:
• IIS: Windows 2000 IIS 5.0 or Windows 2003 IIS 6.0
• Apache: 2.0
Web Browser (for Management Interface Access):
• Internet Explorer v5.5 SP2
Q. Do I need to order anything from Trend Micro to deploy the Cisco ICS server and the Cisco ICS?
A. No. The complete solution is available from Cisco.
Q. Do I need to do anything to prepare my mitigation devices for the Cisco ICS coverage?
A. Yes. Mitigation devices with loadable IPS signature capabilities that will receive IPS coverage must be covered by a valid Cisco Services for IPS SMARTnet service contract as a prerequisite. Mitigation devices that will receive ACL coverage must be covered by a valid SMARTnet service contract as a prerequisite.
Q. Are there minimum software revisions that my mitigation devices must be running?
A. Yes. Mitigation devices must be running a minimum software version that includes support for the Cisco ICS and the ability to communicate with the Cisco ICS server. Table 2, above, shows minimum software versions required for each mitigation device type or family. Table 4, below, shows minimum software versions required for each specific mitigation device.
Q. How do I know which Cisco ICS mitigation device license types to order?
A. The Cisco ICS mitigation device licenses are categorized based on the capabilities and throughput of the mitigation device and are available in convenient bundles. You simply need to decide which mitigation devices you want to use and their quantity and order the license types according to Table 4.
Table 4. Compatible Devices, Software Versions Required, License Types and Service Prerequisites

ACL Coverage (OPACL only)
License required: ACL (ICS-LIC-ACL-25)
Service contract required: SMARTnet or equivalent partner support program
Mitigation Device | Minimum Software Version
Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3800, 7200 and 7301 Series routers | Cisco IOS Software Release 12.3M
Cisco 3550 Series switches | Cisco IOS Software Release 12.1(22)EA5
Cisco Catalyst 6500 Series switches | Cisco IOS Software Release 12.2(18)SXD5
Cisco 7600 Series switches | Cisco IOS Software Release 12.2(17)SXB8

IPS Coverage (OPACL plus OPSig), high-end devices
License required: IPS high-end (ICS-LIC-IPS-HE-1)
Service contract required: Cisco Services for IPS
Mitigation Device | Minimum Software Version
Cisco 3800 Series integrated services routers | Cisco IOS Software Release 12.4(4)T
Cisco 7200 Series routers | Cisco IOS Software Release 12.4(4)T
Cisco IPS 4235 Sensors | IPS v5.1
Cisco IPS 4240 Sensors | IPS v5.1
Cisco IPS 4250 Sensors | IPS v5.1
Cisco IPS 4250 XL Sensors | IPS v5.1
Cisco IPS 4255 Sensors | IPS v5.1
Cisco IDSM2 Catalyst Modules | IPS v5.1
Cisco ASA 5500 adaptive security appliances with AIP-SSM-20 | ASA v7.0/IPS v5.1

IPS Coverage (OPACL plus OPSig), low-end devices
License required: IPS low-end (ICS-LIC-IPS-LE-5)
Service contract required: Cisco Services for IPS
Mitigation Device | Minimum Software Version
Cisco IPS 4215 Sensor | IPS v5.1
Cisco ASA 5500 adaptive security appliances with AIP-SSM-10 | ASA v7.0/IPS v5.1
Cisco 870 Series routers, Cisco 1700 Series modular access routers, Cisco 1800 Series integrated services routers, Cisco 2600XM routers, Cisco 2800 Series routers, Cisco 3600 Series routers, and Cisco 3700 Series multiservice access routers | Cisco IOS Software Release 12.4(4)T
Q. What kind of scalability testing has been performed with Cisco ICS and what are the resulting recommendations?
A. The scalability and performance of the Cisco ICS solution have been validated by Cisco in a lab that tests the network architectures of many enterprise customers. Testing has shown the Cisco ICS solution to meet the needs of most target enterprise customers for scale (over 200 devices), network event collection performance (over 1000 events per second), and quick deployment time for signature and ACL updates to many devices in large networks (under 8 minutes). Based on this testing, the product team is comfortable endorsing deployments of up to 500 mitigation devices. Deployments of more than 500 devices under a single ICS server should be validated and tested in the customer's environment prior to production roll-out. For deployments requiring numbers significantly larger than this, it is recommended that either multiple single-CPU or single dual-CPU servers be used to scale to the desired total number of mitigation devices. Future releases of ICS will add support for hierarchical ICS servers to allow a more centralized and consolidated single point of management for large deployments.
Q. Will I have to renew my mitigation device licenses? How often?
A. Yes. Mitigation device licenses are one-year licenses. However, for convenience and ease of license management, all licenses expire on one of four quarterly dates: March 31, June 30, September 30, and December 31. Licenses are initialized upon product registration with Cisco, and their expiration date will always be a minimum of 12 months from the registration date. In addition, as part of renewing the licenses for the mitigation devices, the SMARTnet or Cisco Services for IPS contracts covering the mitigation devices must also be renewed.
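The expiry rule above (a minimum 12-month term, aligned forward to the next quarterly date) is easy to get wrong when tracking renewals, because the effective term is anywhere from 12 to almost 15 months depending on the registration day. The following is an added example written for this page, not Cisco ICS software; the function names are assumptions and the sample registration dates are constructed.

```python
"""Compute an ICS mitigation device license expiry date from its registration
date, following the rule stated in the FAQ: at least 12 months of coverage,
with expiry falling on the first quarterly date (March 31, June 30,
September 30 or December 31) on or after the 12-month mark.
Added example, not Cisco code; names and sample dates are assumptions."""
from datetime import date
from typing import List, Tuple

# Quarterly expiry dates from the FAQ, as (month, day) pairs in calendar order.
QUARTER_ENDS = ((3, 31), (6, 30), (9, 30), (12, 31))


def twelve_months_after(d: date) -> date:
    """Same calendar day one year later; a Feb 29 registration lands on Feb 28."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:  # only Feb 29 fails to exist in the following year
        return d.replace(year=d.year + 1, day=28)


def license_expiry(registered: date) -> date:
    """First quarterly date that is at least 12 months after registration."""
    earliest = twelve_months_after(registered)
    for month, day in QUARTER_ENDS:
        candidate = date(earliest.year, month, day)
        if candidate >= earliest:
            return candidate
    raise AssertionError("unreachable: December 31 always satisfies the check")


def renewal_schedule(registrations: List[Tuple[str, date]]) -> List[Tuple[str, date, int]]:
    """(device, expiry, effective term in days) for each registered device.

    Because every license snaps forward to one of four dates, devices
    registered months apart often share a renewal date; this is the
    "convenience" the FAQ refers to, and also the reason the SMARTnet or
    Cisco Services for IPS contract on each device must be renewed alongside.
    """
    rows = []
    for device, registered in registrations:
        expiry = license_expiry(registered)
        rows.append((device, expiry, (expiry - registered).days))
    return rows


# Constructed sample registrations (hypothetical devices and dates).
SAMPLE_REGISTRATIONS = [
    ("ips-4240-dc1", date(2006, 2, 15)),   # -> 2007-03-31
    ("asa-5520-edge", date(2006, 3, 31)),  # -> 2007-03-31 (exactly 12 months)
    ("isr-3845-hq", date(2006, 4, 1)),     # -> 2007-06-30 (almost 15 months)
]

if __name__ == "__main__":
    for device, expiry, days in renewal_schedule(SAMPLE_REGISTRATIONS):
        print(f"{device:14s} expires {expiry}  ({days} days of coverage)")
```

Registering on the day after a quarterly date buys the longest coverage; registering on the quarterly date itself buys exactly 12 months.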
Q. What mechanism/protocol does the Cisco ICS server use to communicate with the TrendLabs ActiveUpdate (AU) servers?
A. The Cisco ICS server uses HTTPS to poll and download information from the TrendLabs AU servers. This communication is always an outbound connection from the Cisco ICS server to the TrendLabs AU servers.
Q. How often does Cisco ICS communicate with the TrendLabs AU servers?
A. The default is for the Cisco ICS server to poll the TrendLabs AU servers every 5 minutes, but this parameter is configurable within the Cisco ICS server's user interface.
Q. Do I have to do anything special to allow the Cisco ICS server to communicate with the TrendLabs AU servers?
A. You may need to modify your firewall configuration to allow for the outbound connection from the Cisco ICS server to the TrendLabs AU servers to pass through it.
Q. What mechanism/protocol does the Cisco ICS server use to communicate with mitigation devices?
A. It depends on the mitigation device. For the ACL coverage, the Cisco ICS server uses the Secure Shell (SSH) Protocol. For the IPS coverage, the Cisco ICS server uses HTTPS to deploy OPACLs and OPSigs and uses Security Device Event Exchange (SDEE) to query event logs.
Q. I have mission-critical applications running on my network that I cannot afford to disrupt, even if it means increasing my chances of infection. Does the Cisco ICS allow for this type of scenario?
A. Yes. The Cisco ICS server allows for global configuration of ports and/or protocols that may never be affected by an OPACL.
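To make the two ideas above concrete, the OPACL (a coarse, speed-first block list) and the global list of ports and protocols an OPACL may never affect, here is an added example written for this page. It is not Cisco ICS code and does not claim to reproduce how the ICS server merges the two; the rule format, the exclusion format, the function names and the sample outbreak are all assumptions. It shows one reasonable way the interaction can work: a proposed rule that would block a protected service outright is dropped and reported, a whole-protocol block is kept but protected ports are carved out ahead of it, and the result is rendered as a Cisco IOS extended ACL of the kind an ACL-coverage router or switch would receive.

```python
"""Apply a never-affect list to a proposed OPACL and render it as an IOS ACL.
Added example, not Cisco ICS software; formats and names are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class OpaclRule:
    """One coarse deny entry from the outbreak feed: block `protocol` traffic
    to `dst_port`; dst_port None means the entire protocol."""
    protocol: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Exclusion:
    """A service the administrator marked as never-affected: a protocol/port
    pair, or a whole protocol when port is None."""
    protocol: str
    port: Optional[int] = None


def build_opacl(name: str, proposed: Iterable[OpaclRule],
                exclusions: Iterable[Exclusion]) -> Tuple[str, List[OpaclRule]]:
    """Return (acl_text, dropped_rules).

    A proposed rule is dropped when it targets a protected service outright:
    exact protocol/port match, or the whole protocol is protected. A
    whole-protocol deny survives when only specific ports of that protocol
    are protected: IOS evaluates entries top-down, so explicit permits for
    those ports are emitted ahead of the deny. The ACL ends with
    `permit ip any any` because an OPACL exists to block the outbreak, not
    to replace the device's normal policy.
    """
    exclusions = list(exclusions)
    lines = [f"ip access-list extended {name}"]
    dropped: List[OpaclRule] = []
    for rule in proposed:
        same_proto = [ex for ex in exclusions if ex.protocol == rule.protocol]
        if any(ex.port is None or ex.port == rule.dst_port for ex in same_proto):
            dropped.append(rule)  # would cut off a protected service: do not deploy
            continue
        if rule.dst_port is None:
            for ex in same_proto:  # carve protected ports out of a whole-protocol block
                lines.append(f" permit {rule.protocol} any any eq {ex.port}")
            lines.append(f" deny {rule.protocol} any any")
        else:
            lines.append(f" deny {rule.protocol} any any eq {rule.dst_port}")
    lines.append(" permit ip any any")
    return "\n".join(lines), dropped


# Constructed sample data (hypothetical outbreak, not from any real feed).
SAMPLE_OPACL = [
    OpaclRule("tcp", 445),  # worm spreading over SMB
    OpaclRule("tcp", 139),
    OpaclRule("tcp", 80),   # worm also probes web servers
    OpaclRule("udp"),       # very coarse: stop all UDP while an OPSig is developed
]
SAMPLE_EXCLUSIONS = [
    Exclusion("tcp", 80),   # the business web front end must stay reachable
    Exclusion("udp", 53),   # and so must DNS
]

if __name__ == "__main__":
    acl, dropped = build_opacl("OPACL-EXAMPLE", SAMPLE_OPACL, SAMPLE_EXCLUSIONS)
    print(acl)
    for rule in dropped:
        port = "all ports" if rule.dst_port is None else f"port {rule.dst_port}"
        print(f"! not deployed, protected service: {rule.protocol} {port}")
```

In the manual deployment mode described earlier, the rendered ACL and the list of dropped rules are exactly what an administrator would review before pushing the OPACL to selected devices; a dropped rule is a visible reminder that the protected service remains an exposure until the OPSig arrives on the IPS-coverage devices.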
Q. What is the Trend Micro Damage Cleanup Service (DCS)?
A. The Trend Micro DCS is a product offered by Trend Micro that can be integrated with the Cisco ICS to provide infection removal on Windows-based machines. The DCS service uses information obtained from the Cisco ICS to identify and target the infected machines for cleanup. Please contact Trend Micro or an authorized Trend Micro reseller for more information.
Q. Is there anything I need to do to prepare my network for the Cisco ICS coverage?
A. Yes. To prepare your network for Cisco ICS, you should consider the Cisco services portfolio that provides a complete range of reactive, proactive and consultative services that map to each stage of your network's lifecycle.
Q. How can I help ensure that my Cisco ICS deployment will be successful?
A. Cisco Services and Support provides a complete range of services, including consulting services and technical support. Cisco Advanced Services offers requirements analysis, planning, design, and implementation consulting to help you deploy an effective ICS solution.
Employing a proven methodology for implementing ICS, Advanced Services consultants design and deploy consistent, efficient ICS policies and procedures. Advanced Services offers the following services:
• Cisco ICS Readiness Assessment: Network engineers assess the readiness of corporate network infrastructure devices, operations processes, and architecture to support the Cisco ICS. Security experts will determine which devices in the network support the Cisco ICS and suggest changes or improvements to the existing network to enable the network to benefit from Cisco ICS capabilities.
• Cisco ICS Design Development: Advanced Services consultants assist in developing a design for integrating Cisco ICS into the network infrastructure, providing an in-depth analysis of the technical, procedural, and resource requirements for a pilot or corporate-wide deployment. Network security engineers then develop a detailed design for the solution and implement a pilot or limited deployment to verify and refine the design.
• Cisco ICS Implementation Engineering: To be fully effective, the Cisco ICS must be carefully deployed, configured, and integrated into the network infrastructure. Cisco security engineers provide support through a full-scale implementation, working with IT staff to develop detailed deployment plans, including installation, configuration, integration, and management. After the plans are completed, Cisco security engineers can provide onsite installation, configuration, testing, and tuning to help ensure the deployment integrates smoothly into your production environment.
After deploying an ICS solution, Cisco offers Technical Support Services to help ensure that Cisco products operate efficiently, remain highly available, and benefit from the most up-to-date system software.
Q. Which Technical Support Services help me prepare my mitigation devices for Cisco ICS?
A. The Cisco Technical Support Services that are prerequisites for mitigation devices are Cisco SMARTnet services and the Cisco Services for IPS. Be certain to purchase these services for mitigation devices you intend to cover with Cisco ICS before deploying the Cisco ICS.
Q. What is Cisco Services for IPS?
A. Cisco Services for IPS is an integral part of the Cisco Self-Defending Network strategy and an element of the Cisco Technical Support Services portfolio. It is a comprehensive support offering for Cisco IPS-enabled mitigation devices that delivers timely information and signature file updates at standard release intervals. Cisco Services for IPS allows IPS-enabled mitigation devices to stay current on the latest threats so that malicious or damaging traffic is accurately identified, classified, and stopped in real time.
Q. What services do I receive by purchasing Cisco Services for IPS?
A. Cisco Services for IPS combines deliverables of Cisco SMARTnet services with access to IPS signatures into one comprehensive service program. For IPS-enabled mitigation devices, it is a prerequisite for the premium service Cisco ICS and features the following deliverables:
• Access to Cisco IPS signatures for a broad range of threats with standard release intervals
• Access to operating system software updates such as IPS v5.x
• Access to the Cisco Technical Assistance Center, all the time, anywhere in the world
• Access to Cisco.com and knowledge base
• Options for advance hardware replacement with or without a field engineer to replace failed hardware
Q. What is Cisco SMARTnet service?
A. The Technical Support Services portfolio includes Cisco SMARTnet services to address support requirements for, and protect investment in, Cisco networking products. For ACL coverage devices, such as switches and routers with Cisco IOS Software Release 12.3M, it is a prerequisite for the premium service Cisco ICS and features the following deliverables:
• Ongoing access to Cisco operating system updates, such as Cisco IOS Software
• Access to the Technical Assistance Center for rapid resolution of technical problems with Cisco hardware and operating system software, any time, anywhere in the world
• Access to Cisco.com and comprehensive knowledge base of technical information
• Options for advance hardware replacement with or without a field engineer to replace failed hardware
Q. What is Software Application Support plus Upgrades?
A. The Technical Support Services portfolio includes Software Application Support plus Upgrades (SASU) to address support requirements for, and protect investment in, application software such as Cisco ICS server software. SASU offers the following features:
• Access to application software updates, including bug fixes, maintenance, and minor and major releases
• Access to the Technical Assistance Center for rapid resolution of technical problems with Cisco application software, any time, anywhere in the world
• Access to Cisco.com and comprehensive knowledge base of technical information
Table 5 shows support deliverables for Cisco SMARTnet services, Cisco Services for IPS, and SASU.
Table 5. Support Deliverables for Cisco SMARTnet Services, Cisco Services for IPS, and SASU
Support Deliverable | Cisco SMARTnet Services | Cisco Services for IPS | SASU
Access to Application Software Updates | - | - | x
Cisco Authored Signature Updates | - | x | -
Access to Operating System Updates | x | x | -
Access to Cisco.com Knowledge Base | x | x | x
Access to Technical Support | x | x | x
Advance Hardware Replacement Options | x | x | -
Product Intended For | Mitigation devices not featuring IPS capability | Mitigation devices featuring IPS capability | ICS server
The Cisco Technical Support Services portfolio includes many services designed to help protect investment in Cisco technology by enabling customers to extend and enhance the operational lifetime of their Cisco mitigation devices, operating system software, and application software.