Cisco's NIDS Solution Grows Up

We deployed both the 4250 sensor and the beta of the new VMS 2.1 console in our Neohapsis partner lab in Chicago. A Cisco engineer helped us get the 4250 feeding data into the system. The 4250, a beefed-up sensor with a gigabit interface and hefty hardware (dual Intel Pentium III 1.2-GHz processors), can receive data in multiple formats, including Cisco POP and standard syslog. With a few configuration changes on the sensor and from the VMS interface, we were able to get everything communicating.

VMS reinstates one of our favorite event viewers, which took a brief hiatus with the release of the Cisco IEV (IDS Event Viewer). The VMS event viewer lets you dynamically sort IDS alert data based on just about any field type--source/destination IP address, alert type, reporting sensor--which makes it easy to slice and dice attack data. Although the functionality existed in earlier revisions of the Cisco Secure Policy Manager (CSPM), this iteration is completely Java-based. A Win32 interface still offers some advantages, such as right-click pull-down windows, that we missed with VMS.

VMS allows for the grouping of sensors and policies, which aids in controlling large deployments. For example, by placing multiple sensors in predefined groups, administrators can push configuration changes out to multiple sensors simultaneously. VMS also tracks policy updates and configuration changes, allowing organizations some accountability regarding proper change control.

It appears Cisco has been listening to its end users when it comes to aggregating event data. VMS can both manage and receive logs from a variety of Cisco devices, including IDS sensors, PIX firewalls and VPN products. Although VMS does not have any of the correlation capabilities found in products from companies such as ArcSight, GuardedNet and netForensics Corp., simple aggregation functionality is a step in the right direction.

Nothing's Perfect

Cisco says the 4250 sensor can inspect up to 550 Mbps of traffic, and says it plans to have a "line-speed" sensor shipping by later this quarter. Our 4250 and VMS console performed flawlessly for weeks. However, when it came time to update our sensors we ran into a few problems. Although VMS is more advanced on the updating front than its predecessors, it cannot automatically identify and download new signature sets. Administrators must upgrade both the sensors and the management console manually. We also ran into some snafus when we decided to readdress our sensor and console deployment: a complete reinstall of the VMS solution was required. Cisco needs to fix both the updating and readdressing problems in future versions.

Overall we're pleased with the direction Cisco is taking with VMS, but we still see room for improvement. The user interface needs a lot of work: The Web-based forms aren't nearly as usable as the Win32 menus found in VMS's predecessor (CSPM); there are multiple paths to the same destination; and it is easy to get lost when trying to understand what changes are "pending" and what changes have been "deployed."

Finally, we'd like to be able to view PIX and IDS data side-by-side using the same event viewer in one window. Correlating attacks across multiple device types is an invaluable feature. For now we'll have to rely on our SIM products for this type of functionality, but we look forward to seeing if Cisco adds this, and other improvements, to VMS.

Patrick Mueller is a senior security analyst for Chicago-based security consultancy Neohapsis, and Greg Shipley is the CTO. Write to them at [email protected] and [email protected].