The newest (and greatly preferred) GUI tool to configure the Cisco Intrusion Prevention System sensor is IPS Manager Express, a product that actually replaces two alternatives. Originally a network administrator required IPS Device Manager (IDM) to configure the device and IPS Event Viewer to display the event alarms; now both provisioning and monitoring are part of a single elegant platform. This article gives a “brief tour” of the product’s demo mode.
After downloading and installing the approximately 120MB setup.exe file, two desktop shortcuts are created: one for actual sensor use and the second for demo mode only. When you launch the demo mode shortcut, the following screen results:
The five minute video tour is worth the time it takes to watch since it gives an excellent overview of the impressive set of available features. My first impression after seeing this was how “ASDM-like” the interface is, especially for configuration.
The product has a start-up wizard:
As seen above, the schematic diagrams and the rather detailed text explanations are similar to the Adaptive Security Device Manager (ASDM) wizards on the ASA security appliance. Under the monitoring section, the growth in capabilities beyond the older IPS Event Viewer product is readily apparent. The demo mode lets you “simulate” a real-time alert view. When this is done, several tabs become available at the bottom of the screen. The first of these, the Summary tab, is shown below:
The next tab on the bottom, Explanation, gives the signature version that first supported the exploit along with the release date, severity level, and whether or not there are any known benign triggers (normal network activity that would yield a false positive). I omitted that display since I found the Related Threats tab’s capabilities impressive:
When the hyperlink Worm: Zotob is clicked, a webpage launches to the Cisco Security Center:
You can find another noteworthy improvement over the older IEV product under the next tab, Trigger Packet. When this is selected, the following window appears:
Besides the more “sniffer-like” protocol-header display (vs. the “raw dump” approach previously taken), note the Wireshark (Ethereal) button in the lower right-hand corner. When it is clicked, it launches the linked application, which shows a more detailed packet decode.
The IPS Manager Express product also comes with some customizable reporting capabilities which can be examined in the demo version under a sub-area:
Both pie and bar chart formats can be shown. In the menu system to the left, note the “global correlation” options. Cisco Systems is placing increased emphasis on the “bigger picture” approach to make more effective use of Security Information Management by correlating the monitored IPS sensor with other sources of information. A final screenshot of one of the dashboards shows an impressive live feed of relevant Cisco security information delivered via RSS:
When you click on one of the items in the feed, a web page opens with further information about the specific vulnerability.
Hopefully the previous screenshots gave you a positive impression of the IPS Manager Express’ rich provisioning and monitoring capabilities. I would truly recommend the demo version for a “test drive”.