Intrusion Detection Systems:
Cisco Systems

With the flexibility to be either overlaid on or integrated into the network, Cisco's range of intrusion detection products has been developed to make security a core component of any network infrastructure.

by Jeff Goldman
[April 10, 2002]

Cisco Systems entered the world of intrusion detection with the acquisition of WheelGroup Corp. in February of 1998. WheelGroup was founded by members of the Air Force's Information Warfare Center, which released the first network IDS product back in 1995. After the acquisition, WheelGroup's NetRanger product was christened Cisco IDS.

According to Joel McFarland, Manager of Product Marketing for Cisco's IDS Solutions, the company's aims stretched beyond simply offering Cisco IDS as another network appliance. "A lot of the rationale behind the acquisition of this technology was to help drive security into the network infrastructure, to make it a fundamental and ubiquitous part of the actual network fabric," he said.

Cisco Systems
170 W. Tasman Drive
San Jose, California 95134
Voice: (800) 553-NETS (553-6387)

Toward that end, the company put a subset of its intrusion detection capability into the Cisco IOS Software in 1999. Over the next few years, Cisco integrated full-featured intrusion detection into its PIX Firewalls, and into a line card that plugs into the company's Catalyst switches. Still, McFarland says, that was only phase two of the process of integrating IDS into Cisco's products.

"Over the last two years, we've continued to enhance our product line of dedicated IDS appliances," McFarland said. "We have a number today, and we'll have more in the future. We've also been continuing to invest in the high-speed area of the science. We have a lineage of history that understands the problem, but we've also morphed the technology and enhanced its detection capabilities."

Saturated networks
McFarland says the range of ways in which Cisco's IDS product can be implemented, both as an appliance and as an integrated part of other solutions, is unique. "We have pervasive IDS protection, not only from dedicated devices like from appliances, but also delivered in integrated form factors within the operating system of the switches and routers and integrated in hardware into the actual switch infrastructure," he said.

The extremely flexible response capabilities of the product itself, McFarland says, are another key selling point. "We have the ability to tear down active connections, to reconfigure the router, to reconfigure the firewall, to reconfigure the switch, to terminate the session, or to log session information to allow the operator to collect forensics information," he said.

In detecting attacks, Cisco IDS uses a combination of methods. "You hear a lot about whether a product uses simple pattern matching, whether it's heuristics or anomaly based, or whether it's protocol decode," McFarland said. "The reality is that we've done a remarkably terrible job of marketing the fact that, since the inception of the technology, Cisco's actually been using a blending of all of those approaches."

According to McFarland, that blend makes the product less dependent on signature updates to detect new attacks. "We can identify attacks more generically, rather than forcing the customer to do rapid signature updates as a way of chasing attacks," McFarland said. "We're able to identify broader classes of attacks without rapidly revving our signatures."
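The three detection approaches McFarland lists (pattern matching, protocol decode, anomaly detection) and the response actions described above (tear down the session, reconfigure the firewall, log for forensics), as an added worked example that is not Cisco's code and does not come from this article: a toy Python IDS that runs all three layers over constructed HTTP request lines and maps the worst alert per source to a response. The sample traffic, signature names, rate threshold and severity values are assumptions made for the illustration, and the action names ("shun", "reset", "log") are abstract labels, not product commands.

```python
"""Toy blended IDS: signature match + protocol decode + rate anomaly, then a
response decision per source. Added illustration, not Cisco IDS code."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample traffic: (source IP, HTTP request line). Not a real capture.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET /index.html HTTP/1.0"),                                 # benign
    ("10.0.0.7", "GET /cgi-bin/../../etc/passwd HTTP/1.0"),                   # plain traversal
    ("10.0.0.9", "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0"),  # double-encoded
    ("10.0.0.11", "GET /cgi-bin/%2e%2e/%2e%2e/etc/shadow HTTP/1.0"),          # encoded, no raw signature
] + [("10.0.0.23", f"GET /page{i}.html HTTP/1.0") for i in range(40)]        # one very chatty source

RATE_THRESHOLD = 25  # assumed: requests from one source per batch before it counts as anomalous

SIGNATURES = {  # layer 1: literal patterns applied to the raw request line
    "SIG-traversal": re.compile(r"\.\./"),
    "SIG-cmd.exe": re.compile(r"cmd\.exe", re.I),
    "SIG-passwd": re.compile(r"/etc/passwd"),
}


@dataclass(frozen=True)
class Alert:
    src: str
    method: str    # "signature", "decode" or "anomaly"
    name: str
    severity: int  # 1 = low, 3 = high (assumed scale)


def signature_layer(src, raw):
    """Pattern matching: cheap, but blind to encoded variants of the same attack."""
    return [Alert(src, "signature", n, 2) for n, rx in SIGNATURES.items() if rx.search(raw)]


def decode_http(raw):
    """Parse the request line; return (method, normalized path) or None if malformed."""
    parts = raw.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, uri, _ = parts
    path = uri.split("?", 1)[0]
    for _ in range(3):  # bounded: undo nested encodings such as %255c -> %5c -> backslash
        decoded = unquote(path).replace("\\", "/")
        if decoded == path:
            break
        path = decoded
    return method, path


def escapes_root(path):
    """True when '..' segments climb above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def decode_layer(src, raw):
    """Protocol decode: one generic rule catches the whole traversal class after normalization."""
    parsed = decode_http(raw)
    if parsed is None:
        return [Alert(src, "decode", "DECODE-malformed-request", 2)]
    method, path = parsed
    alerts = []
    if method not in {"GET", "HEAD", "POST"}:
        alerts.append(Alert(src, "decode", "DECODE-unknown-method", 1))
    if escapes_root(path):
        alerts.append(Alert(src, "decode", "DECODE-traversal", 3))
    return alerts


def anomaly_layer(requests):
    """Rate anomaly: flags a source by behaviour alone, with no signature involved."""
    counts = Counter(src for src, _ in requests)
    return [Alert(src, "anomaly", "ANOM-request-flood", 1)
            for src, n in counts.items() if n > RATE_THRESHOLD]


def choose_response(severity):
    if severity >= 3:
        return "shun"   # reconfigure the firewall/router to drop the source
    if severity == 2:
        return "reset"  # tear down the active TCP session
    return "log"        # record session data for forensics


def analyze(requests):
    """Run all three layers; return (alerts, {src: response action})."""
    alerts = []
    for src, raw in requests:
        alerts += signature_layer(src, raw) + decode_layer(src, raw)
    alerts += anomaly_layer(requests)
    worst = {}
    for a in alerts:
        worst[a.src] = max(worst.get(a.src, 0), a.severity)
    return alerts, {src: choose_response(sev) for src, sev in worst.items()}


if __name__ == "__main__":
    found, actions = analyze(SAMPLE_REQUESTS)
    for a in found:
        print(f"{a.src:10} {a.method:9} {a.name:26} sev={a.severity}")
    print(actions)
```

Running it shows the point behind the blended approach: the `%2e%2e` request trips no raw signature but is caught after protocol decode, the double-encoded `cmd.exe` request is caught as traversal without a signature written for that encoding, and the chatty source is flagged by the rate check with no signature at all.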

Performance is also a focus for Cisco, but McFarland urges realism in looking at the metrics. "In practice, most vendors are struggling to go past 100 to 200 Mbps of performance," he said. "Cisco has invested heavily in this area over the last year, and what you will see over the next month or two are some very high speed solutions both in the appliance and the line card form factors."

Cisco's host IDS offering, licensed from Entercept Security Technologies, both detects and prevents attacks at the application level. "The Cisco solution is fairly unique in that it has the capability of actually stopping attacks," McFarland said. "During Nimda and Code Red, servers that had the host sensor on them were prevented from infection due to the ability to actually shield the application."

The company's basic IDS appliance, the IDS-4210, starts at $8,000 while its high-performance product, the IDS-4230, is currently priced at $19,000. The Catalyst 6000 IDS line card module lists for $14,995. Cisco's host-based IDS solution costs $2,150 for the Web server edition, and $1,750 for a standard server. Still, McFarland says, look for all of those prices to drop significantly very soon.

"We've recognized some manufacturing efficiencies that will allow us to push the price/performance envelope fairly aggressively here over the next couple of months," McFarland said. "You will see a fairly aggressive posture on price/performance with some of the efficiencies we've seen from a manufacturing and a component availability perspective."

Sensitive nature
For sensor management, ISPs can use Cisco's Secure Policy Manager or UNIX Director, but McFarland says a much broader range of options is just around the corner. "Cisco, in the first half of this calendar year, is investing heavily in the management side of our product line, and what you will see coming out very shortly is a multi-tiered management strategy," he said.

Members of Cisco's AVVID (Architecture for Voice, Video and Integrated Data) partner program also have access to a proprietary API that lets them do large-scale management and monitoring. Given that capability, many of Cisco's AVVID partners offer the company's security solutions to their customers as a managed service.

One such partner is Exodus, which started implementing intrusion detection about two years ago. According to Dick O'Connor, Exodus' Director of Managed Security Services Field Operations, Cisco IDS was simply the logical choice. "We're a major partner of Cisco's, so it was a fairly natural thing for us to look at their products," he said.

Because Exodus offers multi-vendor solutions, it also works with ISS' RealSecure IDS product, but O'Connor says the company is very satisfied with Cisco IDS. "We're extraordinarily pleased with Cisco's ability to give us a product that's very solid," he said. "When we install that product, it stays up and running on a consistent basis: we don't have to worry about it going up and down."

The ability to create their own management architecture for the products, O'Connor says, was particularly important to Exodus. "Other products are relatively difficult to do that with: we don't get as much control over them," he said. "With Cisco, we basically use their equipment as it comes off the shelf, but we have our own management structure to handle it."

That means Exodus can offer its customers a truly customized IDS solution. "We put all the information on a very nice graphical interface for our customers, so they can look at every attempt at intrusion, whether successful or not, in near real time," O'Connor said. "To do that, we need a product where we can process the data as we see fit for our customers."

Exodus Information Systems Engineer Robert Lau explains that most products wouldn't offer that kind of flexibility. "If it's too much of a black box, which products seem to be going towards these days, it's very hard to integrate with an existing infrastructure," Lau said. "Cisco has definitely provided the flexibility to integrate."

At the end of the day, McFarland says, the focus of that flexibility is on making security a core component of the network fabric. "We understand that there are groups where security operations and network operations are separate, as well as environments where they're not using Cisco networking equipment, but as much as possible, we want to make it a part of the actual foundation of the network," he said.
