Book Review - Cisco Security Pro’s Guide to Secure IDS

Networking/Security Forums -> News // Columns // Articles

Author: Spyguy    Location: Ottawa, ON    Posted: Tue Nov 09, 2004 5:49 am    Subject: Book Review - Cisco Security Pro’s Guide to Secure IDS
    ----
Cisco Security Professional’s Guide to Secure Intrusion Detection Systems

Authors: C. Tate Baumruck; James D. Burton; Scott Dentler; Ido Dubrawsky; Vitaly Osipov; Michael Sweeney (Technical Editor)
Publisher: Syngress
Book Specifications: Soft-cover, 656 pages
Categories: Computers & Internet
User Level: Introductory
Suggested Publisher Price: $59.95USA/$79.95CAN/£39.95
ISBN: 1932266690
Amazon.co.uk: Cisco Security Professional’s Guide to Secure Intrusion Detection Systems UK
Amazon.com: Cisco Security Professional’s Guide to Secure Intrusion Detection Systems US



Info from Cover: Your Complete Guide to Cisco Enterprise IDS Management

- Complete Coverage of the Cisco Secure Policy Manager (CSPM)

- Step-by-step Instructions for Installing, Configuring, and Using the Cisco Intrusion Detection Sensor

- Includes Coverage of the Cisco Secure Intrusion Detection Systems Exam (CSIDS 9E0-100)

Introduction

Cisco is one of the leaders in enterprise-scale Intrusion Detection Systems (IDS). They have provided a scalable product since 1999, which is often considered one of the best commercial IDS products out there. As with any IDS product, there are several facets that one must master in order to properly deploy and support an IDS infrastructure and Cisco IDS is no exception. Configuration, deployment, system management and signature updating are just a few of the considerations one will face while managing the hardware and software that comprises this product line. In addition, the management platform to be used must be deployed and learned as well; or an IDS infrastructure will quickly become an unmanageable mess.

The book is a valiant attempt at providing the reader with the information necessary to succeed at all these tasks. It also sets out to provide the information necessary to pass the Cisco Secure Intrusion Detection System Exam (CSIDS 9E0-100).

Contents

Over the course of eleven chapters, this book covers version 3.x of Cisco IDS, and the older IDS appliances, in a very comprehensive manner. Version 4.x is discussed, along with the newer hardware as well, but not to the same level of detail as the earlier version of the software. The book also contains a single appendix which provides a full listing of the entire Cisco IDS Signature Database, up to and including signature update S49. To be sure, this is nowhere near current (Cisco IDS is at Signature Update S125 as of the writing of this review), but it is a good reference nonetheless.

Chapter One is dubbed “Introduction to Intrusion Detection Systems.” This title is actually a bit generic, as the focus of the chapter is actually a discussion of Cisco’s AVVID Architecture and SAFE blueprint for network security. General concepts of network security, such as threats, network attacks and an overview of IDS, are provided. A discussion of techniques used to defeat IDS is even included, though it is somewhat general in terms of what is discussed.

Chapter Two provides the true introduction to Cisco IDS. The various sensor appliances are listed and their respective uses discussed. IDS deployment concepts and considerations are also provided, and these are backed up with some good fictional case studies to provide the reader with a sense of how different IDS deployment is on a smaller network versus a full-blown Enterprise network architecture.

Chapter Three goes on to discuss how to initialize the IDS software on the appliances and discusses the default user names and passwords provided at install. In addition, the concept of using a SPAN port in a Cisco switch to provide network data to the IDS sensor is presented, though no configuration commands or examples are supplied since this is discussed in more detail in Chapter Nine. This chapter begins to reveal that this book was a victim of bad timing, as its tendency toward version 3.x of the Cisco IDS software begins to become apparent at this point.

Chapter Four is a chapter wholly dedicated to two defunct Cisco IDS management platforms: Cisco Secure Policy Manager (CSPM) and Unix Director. This chapter, to me, highlights the book’s heavy focus on Cisco IDS 3.x, which is now entirely unsupported by Cisco. Given the current Cisco IDS software and hardware offerings, this chapter will be entirely useless to most readers, unless they are stuck maintaining an old IDS infrastructure that will not be upgraded to the current standard. Oddly enough, the management platform that succeeded these products and is currently offered by Cisco, VMS / IDSMC, is covered in a later chapter.

Chapter Five goes into further detail on configuration of the Cisco IDS appliances (in particular, the IDS-4210, IDS-4215, IDS-4220, IDS-4230, IDS-4235 and IDS-4250). Because there were major differences in the initial version of Cisco IDS v3.x and its later releases, the chapter is designed to address what the authors called “default settings that are unsuitable for production deployment.” While this is true, it only applies to version 3.x of the software. Version 4.x does not have the problems identified and, in my opinion, a reader attempting to manage a group of Cisco IDS appliances running the 4.x code could skip right from Chapter One to Chapter Five without missing anything important.

Chapter Six deals with the Intrusion Detection System Module, or IDSM. It is heavy on the original version of this unique IDS solution, the IDSM-1, and this leaves it short. The IDSM-1 is no longer supported by Cisco and has been replaced by the IDSM-2. Unfortunately, there wasn’t as much information provided for this newer solution. This is too bad since, in my opinion, the IDSM is a very cool piece of kit. Instead of leaving Cisco IDS relegated to being deployed at network perimeters or choke points, it actually permits network IDS at the LAN level. This is accomplished by performing IDS signature analysis on a Cisco Catalyst 6500 series switch.

Chapter Seven is where this book proves its worth, even if its content is out of date. This chapter talks about the heart and soul of Cisco IDS, the “Alarms and Signatures” of Cisco IDS. Of particular appeal is the inclusion of how to build a custom signature. Unfortunately, this process is described in more detail for the older version of the software than the newer version.

Chapter Eight delves into another important feature of Cisco IDS, which is “Blocking.” Because this is a Cisco product, the IDS sensors can be configured to interact with either a Cisco router or PIX firewall to dynamically reconfigure your network in response to an attack. The chapter is absolute in its details of the blocking feature and describes the concept, considerations and how to configure and implement this novel capability. It even appears that this chapter is focused more on version 4.x of Cisco IDS, instead of 3.x, which is a good thing.

Chapter Nine provides guidance and techniques on how to provide a Cisco IDS sensor with network data for the purposes of monitoring. Switching basics, SPAN, RSPAN, VACLs, using taps, advanced capturing methods and dealing with IPv6 and encryption are all discussed at great length, making this yet another important chapter.

Chapter Ten finally sets out to tackle the Cisco IDS Management Center, aka IDSMC. For the current version of Cisco IDS, this is the way to go. In my opinion though, the chapter could have been improved by discussing another option provided by Cisco, which is VMS Basic (a free, 5-device version of VMS). That being said, the goal of the book is to be a guide to the Cisco IDS Exam, so this information would not be relevant for the CSIDS 9E0-100 version of the exam that the book is focused on.

Finally, though not listed in the contents, Chapter Eleven discusses another element of the Cisco IDS product line, Cisco Firewall/IDS. Designed to be a solution for SOHO networks or as a protection mechanism for branch offices as part of a larger Cisco IDS infrastructure, Cisco IOS-based IDS attempts to provide basic IDS and firewall capabilities in selected Cisco routers. This is another chapter that is mostly up-to-date and it gives the reader an excellent explanation of this fairly recent development in the Cisco IDS product line.


Style and Detail

The book is well put together, having been assembled using durably thick pages and an easy to open, pliable outer binding. The best feature of this book is the inclusion of a “Summary,” “Solutions Fast Track” and “Frequently Asked Questions” section at the end of each chapter. The summary provides a good overview of the preceding chapter, while the “Solutions Fast Track” is designed to provide study hints for the Cisco Secure IDS exam because it supplies the definitions and information one would expect Cisco to seek during the examination. The FAQ provides quick answers to common questions the authors felt most readers might have with the related chapter’s content.

Another great feature is the wealth of screenshots included within the book, which are used to great effect when discussing the various configuration points and the usage of other elements of the Cisco IDS software. Noteworthy is the fact that the screenshots are actually readable. This makes them an invaluable aid if this book is to be used as a reference while working with Cisco IDS. Diagrams and figures are used as well throughout the book to illustrate certain points or concepts and these too prove to be very valuable.

Conclusion

I reviewed this book as someone who has been using Cisco IDS since its acquisition by Cisco from Wheelgroup back in 1999. As a result I was intimately familiar with all the various topics covered by the book. That being said, I felt that the book was written in such a way that even a new user of Cisco IDS or, more importantly, someone using this book as a study aid for the Cisco Secure IDS Exam would have no problem understanding the information provided. In fact, I found that this book would make an excellent day-to-day reference for supporting the various elements of a Cisco IDS infrastructure, if only it reflected the current version of Cisco IDS and its various components, both hardware and software.

If there is a failing of the book, it is its heavy focus on the now defunct version 3.x of the Cisco IDS software, while mostly neglecting version 4.x of the product. Given the publishing date of this book in 2003, it came at a time when Cisco was migrating its product line from 3.x to the current version. Given the timing, it is hard to fault either the authors or the publisher for this, as Cisco’s schedule was obviously beyond their control.

Having said that, I had some expectation that I would nonetheless find some newer information made available by the publisher online. In an effort to salvage my impression of the value of this book, I registered it with Syngress via their www.syngress.com/solutions web page with the hope that I’d find some updated information, since the publisher promises a “One-year warranty against content obsolescence due to vendor product upgrades.” Despite this promise, I found that there was no newer information available. Given the recent release of an updated exam, the Cisco Security Intrusion Detection System Exam (CSIDS 642-531), this book is too out-of-date to be useful to anyone beyond filling the role of a historic reference. In order to become a “must-have” reference, a revision of this book is in order. Removing the obsolete 3.x information, while beefing up the information pertaining to the current Cisco IDS product and examination, would go a long way to making this book relevant to the entire line of Cisco IDS products.

In light of the dated content and the lack of updates on the Syngress site to reflect more recent information, this book gets a 6 out of 10.

Alex Arndt
(aka Spyguy)
CISSP, GCIA



This review is copyright 2004 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.


Last edited by Spyguy on Wed Jan 05, 2005 3:59 am; edited 1 time in total

Author: maxeypad    Posted: Tue Nov 09, 2004 9:41 pm    Subject:
    ----
Realistically speaking, how is the Cisco IDS more "enterprise" than Snort, let's say?

I've never really cared for the term "enterprise" because it is used so tastelessly throughout the IT industry to (I feel) make businesses feel like they are buying the software the big boys use, even if the solution is hardly that.

Author: bsdjunkie    Posted: Tue Nov 09, 2004 9:52 pm    Subject:
    ----
Quote:
Realistically speaking, how is the Cisco IDS more "enterprise" than Snort, let's say?


Snort is not officially "supported". Most large organizations will not touch an open source tool (even when it is superior and free) unless there is support for it in contract form. They want to have someone to point a finger at and call when it breaks.

Author: Spyguy    Location: Ottawa, ON    Posted: Wed Nov 10, 2004 3:13 am    Subject: Ever hear of Sourcefire?
    ----
Why do you think Marty Roesch (et al) started Sourcefire? ;)

As I understand it, the whole idea was to put a company behind the Snort IDS concept in order to package it up, offer it as an appliance with a centralized management and reporting facility and, offer the all-important technical support.

Without at least tech support, most products won't take off in corporate environments...

Author: delete852    Location: Washington DC    Posted: Wed Nov 10, 2004 6:59 am    Subject:
    ----
That's true, a lot of organizations don't use open source; however, with Snort there is Sourcefire, and they will give you the SLA which most companies seek.

Author: Spyguy    Location: Ottawa, ON    Posted: Thu Nov 11, 2004 5:37 pm    Subject:
    ----
maxeypad wrote:
Realistically speaking, how is the Cisco IDS more "enterprise" than Snort, let's say?


I think it's only fair that I answer this question directly.

But first, some "ground rules" to contextualize the response. I'm going to go with the following assumption - when you said Snort, you meant the Open Source version, not the Sourcefire supported one I alluded to in another post in this thread.

So, back to it. What makes Cisco IDS an Enterprise-grade security product? IMHO, it's a number of factors. They are, in no particular order:

- The sensor is sold as an appliance and is fully supported by the vendor (both hardware and software)
- There are various sensor options to meet the monitoring needs of different parts of the network (i.e. - Gigabit appliances for big pipes or backbones, the availability of Ethernet or Fibre NIC equipped sensors, appliances that offer throughput monitoring capabilities appropriate to their intended role; 80 megabit performance in a SOHO appliance, 200 megabit appliance for an Ethernet sensor, etc.)
- There are various management options for the tuning and updating of the IDS sensors. The level should be from an individual device up to hundreds of them. To be clear, it's the ability to manage more than half a dozen of them centrally. This may be accomplished using a variety of interfaces, either included with the sensor(s) or sold separately.
- The monitoring software can be used centrally for all sensors and/or deployed in a hierarchical fashion (i.e. - Enterprise SOC, regional SOC, etc.)
- The monitoring solution is able to correlate events across multiple sensors. In other words, if three different sensors in different parts of the Enterprise (one at the corporate Internet gateway, one in the external server farm and, one in front of the corporate firewall) all report a TCP SYN flood, they should be displayed as one "event" in the monitoring solution's interface
- The monitoring solution should either incorporate a basic database for trending or other analysis, or at least offer the option to export the data in a format that can be imported into a more appropriate application to perform this purpose

These are just my personal list of key features that make an IDS solution Enterprise-ready. BTW, and again this is just my opinion (though it is firmly based on personal experience), Cisco IDS accomplishes these things rather handily.
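The cross-sensor correlation described in the list above (three sensors reporting the same TCP SYN flood shown as one event), as an added example in Python that is not code from the review, the book or Cisco: alerts that share a signature, source and destination within a 60-second window are merged into one event regardless of which sensor raised them. The alert line format and all addresses, sensor names and signature names are constructed for the example.

```python
# Added example: merge alerts from several IDS sensors into one event when they share
# a signature, source and destination within a time window (not code from the review).
from datetime import datetime, timedelta

# Constructed sample alerts: "timestamp sensor signature src dst" (not real Cisco IDS output).
SAMPLE_ALERTS = """\
2004-11-09T05:49:00 gw-sensor  TCP_SYN_FLOOD 203.0.113.9 198.51.100.20
2004-11-09T05:49:02 dmz-sensor TCP_SYN_FLOOD 203.0.113.9 198.51.100.20
2004-11-09T05:49:05 fw-sensor  TCP_SYN_FLOOD 203.0.113.9 198.51.100.20
2004-11-09T05:49:07 gw-sensor  ICMP_SWEEP    203.0.113.9 198.51.100.0/24
2004-11-09T05:55:00 dmz-sensor TCP_SYN_FLOOD 203.0.113.9 198.51.100.20
"""

def parse_alerts(text):
    """Parse the constructed whitespace-separated alert lines into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, sig, src, dst = line.split()
        alerts.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "sig": sig, "src": src, "dst": dst})
    return alerts

def correlate(alerts, window=timedelta(seconds=60)):
    """Group alerts with the same (signature, src, dst) that fall within `window`
    of the group's first alert into a single event; the set of reporting sensors
    is kept so the console can show one event backed by several sensors."""
    events = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["sig"], a["src"], a["dst"])
        for ev in events:
            if ev["key"] == key and a["ts"] - ev["first"] <= window:
                ev["sensors"].add(a["sensor"])
                ev["count"] += 1
                ev["last"] = a["ts"]
                break
        else:  # no open event matched: start a new one
            events.append({"key": key, "first": a["ts"], "last": a["ts"],
                           "sensors": {a["sensor"]}, "count": 1})
    return events

if __name__ == "__main__":
    for ev in correlate(parse_alerts(SAMPLE_ALERTS)):
        sig, src, dst = ev["key"]
        print(f"{sig} {src} -> {dst}: {ev['count']} alert(s) from {sorted(ev['sensors'])}")
```

The fifth sample alert arrives six minutes after the first SYN flood and so opens a separate event, which is the behaviour the window is meant to enforce.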




