Cisco IPS Active Update Bulletin
May 28, 2008

Greetings! This bulletin describes updates to the Cisco IPS product line. As always, please feel free to e-mail us if you have any comments or questions (ips-news@cisco.com). We also encourage you to participate in the Cisco IPS User's Forum at: http://www.cisco.com/discuss/security.

IN THIS ISSUE:

  1. Announcing the S335 Signature Update for IPS

  2. Announcing Availability of Cisco IPS Manager Express (IME) and IPS Version 6.1

  3. Upcoming E2 Engine Update

  4. Upcoming End-of-Life (EOL) for new signature updates in 4.x format for Cisco IOS IPS feature

  5. Announcing Cisco IPS Signature correlation available in the Cisco Security IntelliShield Alert Manager Service Search Access Feature

  6. Subscribe to the Product Alert Tool for IPS Related Field Issues

  7. Subscription Information

1. Announcing the S335 Signature Update for Cisco IPS
The S335 signature update contains the following new signatures:

PLATFORM  SIGID   SIGNAME                                              ENGINE        SEVERITY  ENABLED
5.x, 6.x  6543.0  CiscoWorks Common Services Arbitrary Code Injection  SERVICE-HTTP  High      True
5.x, 6.x  6944.0  CUPS CGI Compile Search Overflow                     SERVICE-HTTP  High      True

The S335 signature update does not contain any modified signatures.

IMPORTANT NOTES:

All signature updates are cumulative. The S335 signature update contains all previously released signature updates.

You must have a valid Cisco Services for IPS contract per sensor to receive and use software upgrades including signature updates from Cisco.com.

A Cisco Services for IPS Services License is required for the installation of all signature updates. The Cisco Services for IPS Services License can be requested from http://www.cisco.com/go/license for all sensors covered by a maintenance contract.

To manage your maintenance contracts use the Service Contract Center:

http://www.cisco.com/cgi-bin/front.x/scccibdispatch?AppName=ContractAgent
 

SUPPORTED PLATFORMS:

The S335 signature update can ONLY be applied to version 5.1(5)E1 or later sensors as follows:

This signature update is supported on the IDS-4210, IDS-4215, IDS-4235, IPS-4240, IDS-4250, IPS-4255 and IPS-4260 Series Sensor Appliances, the WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2), the NM-CIDS Intrusion Detection System Network Module, and the ASA-SSM-AIP-10 and ASA-SSM-AIP-20 series Cisco ASA Advanced Inspection and Prevention Security Service Modules, and Cisco 87x, 1800, 2800, 3800 and 7200 series routers with Advanced Security IOS image.

IPS S335 Software Update Files:

Sensor appliances, IDSM2, NM-CIDS, ASA-SSM-AIP modules:
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T Release:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-sigup

IOS IPS in 12.4(11)T or later T-Train Releases:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup

Note: Posting of signature release files for IOS IPS may take a few additional days.

 

2. Announcing Availability of Cisco IPS Manager Express (IME) and IPS Version 6.1

Cisco announces the posting of the All-New Cisco IPS Manager Express (IME) and Cisco IPS Software 6.1 to CCO. 

 

This software is available for immediate download from the following URLs*:

IPS Download Page: http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml
IME Download Page: http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ime

 

* You must have a Cisco.com account and an active Cisco Services for IPS contract to download and use this software.


New Cisco IPS Manager Express and Cisco IPS Software v6.1

The new Cisco IPS Manager Express (IME) is a powerful yet easy-to-use all-in-one IPS management application for up to 5 IPS sensors. In conjunction with Cisco IPS software Version 6.1, IME can be used to provision, monitor, troubleshoot and provide reports for IPS 4200 Series sensors, ASA 5500 IPS solution, AIM-IPS on ISRs, and IDSM2 on Catalyst 6500s. With IPS software Versions 5.1 or 6.0, or IOS IPS, you can use IME to monitor and provide reports only, with limited dashboard support.

 

Cisco IPS Manager Express also provides a Demo mode so you can demo the new IPS features and functionality without connecting to a live Cisco IPS device. IME is included as part of the Cisco IPS software and is available for no additional charge to customers with active Cisco Services for IPS maintenance contracts.

Key features of Cisco IPS Manager Express:

  • Customizable Dashboard
  • Powerful monitoring with Real-time and Historical Viewing
  • Integrated Policy Provisioning with Risk Rating
  • Flexible Reporting Tool
  • Startup Wizard
  • RSS Feed Integration
  • Video Help
  • Email Notification
  • Demo Mode
  • 75 events per second
  • Up to 5 IPS sensors


Key features of Cisco IPS Software version 6.1 (including IPS Device Manager 6.1):

  • Automatic Signature updates
  • Simplified Startup
  • Integrated Policy Provisioning with Risk Rating
  • Sensor Health Dashboard
  • Password integrity protection
  • Sensor health information
  • Enhanced configuration copy

Refer to the following URL for additional information regarding IME: www.cisco.com/go/ime.

Note: IPS Software version 6.1 is not supported on the IDS-4210/15/35/50 Series appliances or the NM-CIDS network module.

Supported IPS Sensors and IPS sensor software:

IPS sensor software: IPS software version 6.1
IPS sensors:
  • Cisco IPS 4240, 4255, 4260, 4270
  • Security Services Module 10, 20, and 40 (AIP-SSM-10, AIP-SSM-20, and AIP-SSM-40)
  • Cisco IPS Advanced Integration Module (AIM)
  • Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module
IPS Manager Express (IME):
  • Sensor Configuration
  • Sensor Health Dashboard
  • Events Dashboard
  • Event Monitoring
  • Reporting
  • Up to 5 devices

IPS sensor software: IPS software version 6.0
IPS sensors:
  • Cisco IPS 4215, 4235, 4240, 4250, 4255, 4260, 4270
  • Security Services Module 10, 20, and 40 (AIP-SSM-10, AIP-SSM-20, and AIP-SSM-40)
  • Cisco IPS Advanced Integration Module (AIM)
  • Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module
  • Cisco Network Module-Cisco Intrusion Detection System (NM-CIDS)
IPS Manager Express (IME):
  • Events Dashboard
  • Events Monitoring
  • Reporting
  • Up to 5 devices

IPS sensor software: IPS software version 5.1
IPS sensors:
  • Cisco IPS 4210, 4215, 4235, 4240, 4250, 4255, 4260
  • Security Services Module 10 and 20 (AIP-SSM-10 and AIP-SSM-20)
  • Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module
  • Cisco Network Module-Cisco Intrusion Detection System (NM-CIDS)
IPS Manager Express (IME):
  • Events Dashboard
  • Events Monitoring
  • Reporting
  • Up to 5 devices

IPS sensor software: 12.3(14)T7, 12.4(15)T2
IPS sensors:
  • Cisco IOS IPS (on integrated services routers)
IPS Manager Express (IME):
  • Events Dashboard
  • Events Monitoring
  • Reporting
  • Up to 5 devices

 

3. Upcoming E2 Engine Update

In preparation for the next scheduled engine update, please review the following table and ensure that your IPS sensors have been migrated to a release that is “Eligible for Engine Update” to automatically take advantage of the new detection capabilities when the engine update is available.  Currently, these are IPS 6.0(4) or 6.1(1) for 6.x sensors and 5.1(7) for 5.x sensors.

Release                        Signature Support  Eligible for Engine Update?  Legend color
Prior to 5.1(5)E1              No                 No                           Red
5.1(5)E1, 5.1(6)E1             Yes                No                           Yellow
5.1(7)E1                       Yes                Yes                          Green
6.0(1)E1, 6.0(2)E1, 6.0(3)E1   Yes                No                           Yellow
6.0(4)E1                       Yes                Yes                          Green
6.1(1)E1                       Yes                Yes                          Green

Legend

Red: Signature updates are not supported for this release

Yellow: Signature updates are currently available for this release.  Future engine updates will not be available for this release.  Signatures will not be available for this release after an engine update.

Green: Signature updates are available for this release.  Future engine updates will be created for this release.

The E2 engine update will only be supported on sensors running 5.1(7), 6.0(4) or 6.1(1).  IPS sensors running service pack versions older than 6.0(4) or 5.1(7) must be upgraded prior to or immediately upon the release of the E2 engine update. 

Warning: After E2 is released, your sensors must be running release 5.1(7)E2, 6.0(4)E2 or 6.1(1)E2 to continue to install signature updates. 

Please note that there is a 60-day grace period after a service pack or minor release during which any engine updates will be released for both the current and previous release.  After 60 days, only the current release will receive an engine update.  Customers who choose to remain on an older release will be required to update to the latest service pack in order to maintain up-to-date protection. 

For more information on supported versions please click here: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_bulletin0900aecd80358daa.html
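
A fleet check for the eligibility table above, as an added example that is not part of the original bulletin or of Cisco's tooling: it parses version strings in the bulletin's 5.1(7)E1 form and lists the sensors that need attention before E2, worst first. The sensor names and inventory are constructed, and releases the table does not list are reported as unknown rather than guessed.

```python
import re

# Release groups copied from the bulletin's eligibility table.
GREEN = {(5, 1, 7), (6, 0, 4), (6, 1, 1)}   # eligible for the E2 engine update
YELLOW = {(5, 1, 5), (5, 1, 6), (6, 0, 1), (6, 0, 2), (6, 0, 3)}
MIN_SIG_RELEASE = (5, 1, 5)                  # anything older: no signature support
TARGETS = {5: "5.1(7)", 6: "6.0(4) or 6.1(1)"}  # upgrade targets named in the text
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:E(\d+))?$")

def parse_version(text):
    """Split '6.0(3)E1' into ((6, 0, 3), 1); engine level is None if absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IPS version string: {text!r}")
    release = tuple(int(x) for x in m.groups()[:3])
    return release, (int(m.group(4)) if m.group(4) else None)

def classify(text):
    """Return (status, action) for one sensor version string."""
    release, engine = parse_version(text)
    if release in GREEN:
        return "green", "none" if engine == 2 else "install E2 when it is released"
    if release in YELLOW:
        return "yellow", f"upgrade to {TARGETS[release[0]]} before or at E2 release"
    if release < MIN_SIG_RELEASE:
        return "red", "no signature support: upgrade to an eligible release"
    return "unknown", "release not in the bulletin's table: check supported versions"

def audit(inventory):
    """Return sensors that are not on a green release, worst status first."""
    order = {"red": 0, "yellow": 1, "unknown": 2}
    findings = []
    for sensor, version in inventory.items():
        try:
            status, action = classify(version)
        except ValueError as exc:          # malformed string: flag, do not guess
            status, action = "unknown", str(exc)
        if status != "green":
            findings.append((sensor, version, status, action))
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))

# Constructed inventory; sensor names are hypothetical.
INVENTORY = {"dc-ips-01": "6.0(4)E1", "dc-ips-02": "6.0(3)E1",
             "branch-ids-01": "5.1(6)E1", "lab-ids-01": "5.1(4)",
             "edge-ips-01": "6.1(1)E1", "old-ids-01": "v5.1"}

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-14s %-10s %-8s %s" % row)
```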

 

4. Upcoming End-of-Life (EOL) for new signature updates in 4.x format for Cisco IOS IPS feature

IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T Release:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-sigup


IMPORTANT ANNOUNCEMENT:
Cisco announces the upcoming End-of-Life (EOL) for new signature updates in Cisco IPS version 4.x format for Cisco IOS IPS feature. No new signature releases (IOS-Sxxx.zip files) in 4.x format and no new updates to the pre-built Basic or Advanced signature sets (128MB.sdf and 256MB.sdf files) will be posted at the link above after June 30, 2008. Customers using IOS IPS feature with those versions of IOS software that work only with 4.x format IPS signatures are strongly encouraged to upgrade their routers to run IOS 12.4(15)T3 release as soon as possible. Note that 12.4(15)T2 IOS images have been deferred due to a major issue related to ISDN support and have been replaced by 12.4(15)T3 images.

 

5. Cisco IPS Signature correlation available in the Cisco Security IntelliShield Alert Manager Service Search Access Feature

The Cisco IPS Team is pleased to announce the correlation of Cisco IPS Signature information within the IntelliShield Alert Manager Search Access Feature. Cisco Services for IPS clients that subscribe to the service now have access to perform targeted searches to display Cisco IPS Signatures associated with different alerts to ensure they have the most up-to-date intelligence. Subscribers can view a new IPS Signature list page that is searchable and will display Cisco IPS Signatures associated with IntelliShield Alerts. IntelliShield Alerts also contain the associated Cisco IPS Signature information within each alert.

The IntelliShield Alert Manager Search Access Feature provides clients with access to one of the most extensive collections of vendor-neutral security intelligence alerts in the industry. Clients can access a fully indexed and searchable database that extends back over six years and contains more than 1700 vendors, 5500 products, and 20,000 distinct versions of applications.

To obtain access to the IntelliShield Alert Manager Search Access Feature, each user is required to provide either a valid IPS License File or a valid IPS Serial Number to authorize the creation of this user account. Only one user account is permitted for each IPS License File or IPS Serial Number. Please proceed to the registration page at the following link to obtain your access:

https://intellishield.cisco.com/security/alertmanager/intelliShieldSearch 

Email support is available for users of the Cisco Security IntelliShield Alert Manager Service Search Access Feature at intellishieldsearch-support@cisco.com. Support is provided by Cisco between the hours of 7:00 a.m. and 7:00 p.m. Eastern Time.

 

6. Subscribe to the Product Alert Tool for IPS Related Field Issues

Interested in knowing the latest on field notices, product alerts, and end-of-sale information relating to your IDS and IPS hardware? We have recently updated the Cisco Product Alert Tool to include IDS and IPS appliances.

Simply visit: http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do and follow these steps:

- Select Create a new Alert Profile.
- Name your profile anything you would like.
- Under Select Your Product, select: Intrusion Prevention System
- Click Add so that "Intrusion Prevention System" is added to the "Products in your profile" list
- Select the message types you wish to receive
- Confirm your email address
- Click Submit.

You will be kept up to date with the latest news on your IPS hardware appliances. If you have any questions, please direct them to ips-news@cisco.com.

 

7. Subscription Information

If you wish to receive this bulletin, you can subscribe now.

We would like to know what you think about this bulletin. We are also interested in what you'd like to see in future editions. Please take a moment to send us your comments at ips-news@cisco.com.
 

Additional Information
 
Links
  • Software Center - Download the latest Cisco IPS software.
  • User Forum - Participate in the IPS Forum, part of our Networking Professionals Connection.
  • Home Page - Visit our Cisco IPS home page for product literature, news, and awards.
  • Cisco Security Center - Visit the Cisco Security Center site for information on emerging threats and the Cisco network IPS signatures available to protect your network.
  • Training - Learn about available IPS training courses and Cisco Security Certifications.
  • IPS Technical Documentation - Visit our Cisco IPS Technical Documentation site for configuration guides, maintenance guides, release and installation notes and more.
  • SAFE Blueprint - The SAFE Blueprint is a flexible, dynamic blueprint for security and VPN networks, based on the Cisco Architecture for Voice, Video and Integrated Data (AVVID), that enables businesses to securely and successfully take advantage of e-business economies and compete in the Internet economy.
  • IntelliShield Alert Manager Search Access Feature - Search through an extensive collection of security intelligence reports. Registration required.