Solved

Step by step plan for Cisco SourceFire IDS upgrade.

Posted on 2015-02-02
5
414 Views
1 Endorsement
Last Modified: 2015-02-10
Best practice, best procedure plan to upgrade Cisco SourceFire IDS devices on network.
We area upgrading/replacing  our older IDS models with newer ones.
Would like to know best plan to migrate the new model onto the network and the old ones off.
(e.g. swap out each device one-for-one, apply the old configuration onto the new one?)
Is this a good/best practice?
1
Comment
Question by:tygurr61
  • 3
5 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40586463
For IDS it is normally in SPAN port and not inline so it make easier not to impact the network traffic (referencing the the network diagram and ran through by network and ops team will be good), I will likely have to route segment by segment (from small to big user pool, non critical to critical system resided) into the both IDSes running in co-existence. Minimally alerts are still being covered with rules running as you try to migrate them over esp for custom ones. if they are SNORT rule based, importing from your old IDS into new Sourcefire should not be an issue. Making it easier if the old IDS can export the rule .. or the snort.conf in old to new IDS will already be usable

always good to backup config of old IDS while slowly it become decommissioned  as you assessed the trigger in the new IDS and bring it to full loading on all segments. the backup is in event of recovery and booting up if the new IDS is failing after period of monitoring - a working week  may be a good estimate depending on site coverage.

but will be advisable to contact Cisco TAC for advice (see their deployment, migration services in pdf) as well since you are their new customer esp if you going to have active and passive clone (which probably it is seldom for IDS but more for IPS. Just for info Sourcefire NGIPS appliances have built in programmable fail open capabilities and it is definitely a best practice to enable that when the sensors are used in line. You could have redundancy on the network and no state sharing between sensors currently)
0
 

Author Comment

by:tygurr61
ID: 40595085
I've requested that this question be deleted for the following reason:

Expert gave me suggestions.
0
 
LVL 62

Expert Comment

by:btan
ID: 40595086
Strange that you wanted to delete the question, you minimally have closed it by concluding if it helps and highlight your feedback to help share insights from the discussion and post. Pls consider the deletion request.
0
 
LVL 62

Expert Comment

by:btan
ID: 40602406
Thanks for sharing
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Rate limit for DNS queries 7 74
SHA2 certs for IIS AND Java? 2 85
Palo Alto Networks: View Tunnel packet counts? 2 27
Securing a laptop that travels frequently 21 85
The 21st century solution to antiquated pagers.
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question