Quick Look at the Cisco IPS Sensor Initialized, Inline, and Managed
The task of deploying a network IPS (Intrusion Prevention System) device can be quite overwhelming for a network or security professional that hasn't done it before. The first and most important step in deploying a network IPS device is understanding the various modes and which mode applies to the deployment at hand. The following modes are supported on the Cisco IPS sensors:
All of these modes are discussed in great detail in the online configuration guides found on Cisco.com. In this article we'll first focus on the most commonly deployed Inline mode, which Is Inline Interface Pair Mode. Figure 1 shows an example at a high level of how an Inline VLAN Pair Mode is commonly deployed around the world today.
Before administrators/engineers can put the sensor in any mode or even manage it, they first must initialize the sensor. The steps below can also be found in the Cisco IPS Configuration guide on Cisco.com. It is highly recommended that administrators pay special attention to any notes found in the configuration guides in addition to the steps below.
The sensor is now initialized and ready for further configuration.
Inline Interface Pair Mode
Now that the sensor is initialized, the sensor is now ready for interface configurations. The following steps were taken from the Cisco IPS Configuration Guide, and summarized for the purposes of this article.
The Cisco IPS sensor is now configured for Inline VLAN Pair Mode as the example in Figure 1 shows.
With the initial setup of the IPS completed above, further configuration, management, and monitoring can be done using the Cisco IPS Manager Express (IME). To download IME, go to the url www.cisco.com/go/ime and follow the instructions to install. After it is installed, complete the following steps:
Once connected, the Sensor is displayed in the Device list with information related to the Sensor such as Time, Device Name, IP Address, Device Type, Event Status, Sensor Health, Global Correlation Status, version, License Expiration, Load, Memory, CPU and Signature Version. More details can be obtained in the Device Details pane. This altogether provides information at a glance.
To get a detailed presentation of this information, from the Home View, click on Dashboards (Home > Dashboards > Dashboard) as shown in Figure 3 below:
The Health Dashboard and the Events Dashboard are pre-populated with Gadgets by default. More Gadgets can be added to either of the dashboards and a customizable dashboard can be added by clicking on Add Dashboard located next to Video Help in the top right of the Dashboard pane.
In this article we briefly discussed the Cisco IPS sensor and one of the most commonly deployed modes of operation. We also discussed a method of managing the sensor once it is deployed. The Cisco IPS sensor is quite versatile and isn't a one size fits all, so it's important to follow the best practices around discovery, design, planning, etc. As a best practice for any product deployment, review the data sheets, design guides, and configuration guides available on Cisco.com.
David Burns joined Cisco in July 2008 as a systems engineer working for a U.S.-based SP Mobility account. He came to Cisco from a large U.S.-based cable company, where he was a senior network and security design engineer. Dave has held various roles prior to joining Cisco during his 10-plus years in the industry, working in SP operations, SP engineering, SP architecture, enterprise IT, and United States military intelligence communications engineering. He is currently the lead systems engineer in a number of areas that include Femtocell, Datacenter, MTSO, and security architectures. He holds various sales and industry and Cisco technical certifications, including CISSP, CCSP, CCDP, and two associate-level certifications. Dave recently passed the CCIE Security written exam, and is currently preparing for the CCIE Security Lab. Dave earned his Bachelor of Science degree in telecommunications engineering technology from Southern Polytechnic State University, Georgia, where he currently serves as a member of the industry advisory board for the Computer & Electrical Engineering Technology School.
Odunayo Adesina, CCIE No. 26695 (Routing and Switching), is a systems engineer with Cisco in the U.S. commercial segment. In this role for over four years, Odunayo has worked with commercial customers in St. Louis, Missouri, to help develop their enterprise network architectures, which are typically a combination of borderless, collaboration, and virtualization solutions. He has more than 11 years of experience in the industry and holds various industry and Cisco certifications, including the CISSP No. 54152, CCSP, CEH, and VSP. He was one of the first few people who were CSS1 certified when the Cisco security certification was first developed. Prior to his role at Cisco, Odunayo worked with a large service provider as a network engineer, implementing and managing security, routing, and switching solutions, and later as security specialist, driving ISO 27001 compliance, developing and enforcing security polices for the enterprise. He also worked with Cisco partners, where he implemented solutions across many industry verticals. Odunayo holds a bachelor of technology degree in electronics and electrical engineering from Ladoke Akintola University of Technology.
By David Burns, Odunayo Adesina, Keith Barker
Published: October 25, 2011
Published by Cisco Press.