Automating Signature Updates for Cisco IPS/IDS Sensors
As the variety, sophistication, and sheer volume of server and network threats increase, so does the demand for Intrusion Prevention Systems/Intrusion Detection Systems (IPS/IDS). These network devices recognize malicious traffic, including viruses, worms, and various traffic patterns indicative of hacking techniques targeting both operating systems and applications.
The network filtering to determine the presence of such events is based upon a set of "signatures", packet sequences that define each intrusion. When an event is detected, an alert is triggered, and in the case of IPS devices, traffic from the offending IP address is immediately blocked. But, like anti-virus software on PCs, IPS/IDS devices are only as effective as the latest signatures of which they are aware. Security software companies rush to fingerprint new threats as soon as they are discovered and release signature updates that can detect these threats. Systems and network administrators must be just as proactive by installing these updates as soon as they are available.
Cisco Systems, Inc. offers a family of IPS/IDS sensors -- both standalone appliances and switch/router modules. Cisco releases regular signature update files as new threats are discovered, at a frequency that varies from daily to every few weeks. Updates are made available on Cisco's FTP site and announced via a mailing list to which anyone with a valid CCO (Cisco Connection Online) account may subscribe. The sensor operating system includes an automatic upgrade feature that installs an update from a local file server on a configurable schedule. However, automating the signature downloads to that local file server requires purchasing either Cisco Security Manager (CSM) or its predecessor, CiscoWorks VPN/Security Management System (VMS). Both products are costly and Windows-based (although VMS, which is being phased out, offers a Solaris version as well).
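The missing piece the article describes, the download step that feeds the sensors' scheduled auto-upgrade, can be scripted without CSM or VMS. The following is an added example, not code from the article or from Cisco; it assumes a signature package naming pattern of the form `IPS-sig-S<level>-req-E<n>.pkg`, and the FTP host, directory and CCO credentials are placeholders supplied through environment variables.

```python
"""Pull new signature packages from an FTP directory into the local file
server directory that the sensors' auto-upgrade feature reads from."""
import os
import re
from ftplib import FTP

# Assumed naming pattern (an assumption of this example, not stated in the
# article): IPS-sig-S123-req-E1.pkg -> signature level 123.
SIG_RE = re.compile(r"^IPS-sig-S(\d+)-req-E\d+\.pkg$")


def sig_level(name):
    """Signature level encoded in a package filename, or None if not a package."""
    m = SIG_RE.match(name)
    return int(m.group(1)) if m else None


def select_new(remote_names, local_names):
    """Remote packages, oldest first, whose level exceeds the highest level
    already present on the local file server. Non-package files are ignored."""
    have = [sig_level(n) for n in local_names]
    current = max((lvl for lvl in have if lvl is not None), default=0)
    wanted = [(sig_level(n), n) for n in remote_names
              if sig_level(n) is not None and sig_level(n) > current]
    return [n for _, n in sorted(wanted)]


def mirror(host, remote_dir, local_dir, user, password):
    """Download only what select_new() picks. Each file is written under a
    temporary name and renamed at the end, so a sensor polling the directory
    never installs a half-transferred package. Returns the names fetched."""
    with FTP(host) as ftp:
        ftp.login(user, password)
        ftp.cwd(remote_dir)
        new = select_new(ftp.nlst(), os.listdir(local_dir))
        for name in new:
            tmp = os.path.join(local_dir, name + ".part")
            with open(tmp, "wb") as fh:
                ftp.retrbinary("RETR " + name, fh.write)
            os.replace(tmp, os.path.join(local_dir, name))
    return new


if __name__ == "__main__":
    # Placeholders: host, path and account come from the environment.
    fetched = mirror(os.environ["SIG_FTP_HOST"], os.environ["SIG_FTP_DIR"],
                     os.environ["SIG_LOCAL_DIR"], os.environ["CCO_USER"],
                     os.environ["CCO_PASS"])
    print("fetched:", fetched)
```

Run it from cron on the local file server so that new packages are in place before the sensors' scheduled auto-upgrade window.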