RE: CISCOs new IPS

[Barnes Brandon A1C AFWA/SCHS <brandon.barnes () afwa af mil>]

Christoph,

I can tell you from real world experience that Cisco has not been the best
choice for IDS/IPS.

Their IDS (specifically, the network appliances) seem to have been a
knee-jerk reaction to market demand. Like most of Cisco's products lately,
there's little innovation on their side and a lot of money being thrown at
smaller companies that may not have a wholly developed product.

Their support has been very lack-luster. We actually allowed one TAC case to
go on for months with no response. Finally, we voiced our frustration to our
area Cisco reps, that finally (sort of) got things done. It got us a
response from our TAC Engineer, but the issue fixed itself (magic, I know.)
This is how most issues have been with the IDS. The TAC engineer can't
figure it out so we either have to rebuild our Cisco Works server, reload
our appliances, or just wait for it to fix itself.

In that same meeting with the Cisco reps, they assured us that our devices
were no where near end of life. An announcement from Cisco about a month ago
has proclaimed the death of the IDS line (specifically the products we have)
and their movement towards IPS.

A specific problem we've had is with the IDS module for Cisco Works. This
software seems to be delicately stuck together with toothpicks and
bubble-gum. Cisco just recently came out with (but failed to inform us) a
2.0 version of the software. On paper it looks great. Fixes all the problems
we've had and adds features that address our annoyances. I'm glad we didn't
load it on our production server. Setting it up in the lab we got everything
setup, only to find we can't even bring the event viewer up. Apparently 2.1
and 2.3 are coming soon.

Because of all this we've recently been in the market for a replacement.
We've been doing a lot of research as well as our own testing. Everything
we've read about the Cisco IPS screams "stay away." It's often the lowest
rated system out of those tested.

I hoped this helped allow you a good perspective. I hope that you find
information on both sides as we are just one source.

-Brandon

-----Original Message-----
From: Christoph Pertl (tm011081) [mailto:tm011081 () fh-stpoelten ac at] 
Sent: Wednesday, December 15, 2004 00 32
To: focus-ids () securityfocus com
Subject: CISCOs new IPS

Hi,

I'm right now in the middle of a Project with the goal to implement an IPS 
in an existing infrastructure. One of our possible Partners offers us the 
new IPS Product from Cisco.

Does anyone of you now something about this machine or at least about the 
older IDS-Box because I think the Inspection Engine will be the same?

Any Information about how well it performs in a real environment would be 
great

Christoph 


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------