Solved

Step by step plan for Cisco SourceFire IDS upgrade.

Posted on 2015-02-02
Medium Priority
457 Views
1 Endorsement
Last Modified: 2015-02-10
Best practice, best procedure plan to upgrade Cisco SourceFire IDS devices on network.
We are upgrading/replacing our older IDS models with newer ones.
Would like to know the best plan to migrate the new model onto the network and the old ones off.
(e.g. swap out each device one-for-one, apply the old configuration onto the new one?)
Is this a good/best practice?
Question by: tygurr61
5 Comments
LVL 65

Accepted Solution

by: btan earned 1500 total points
ID: 40586463
For IDS it is normally on a SPAN port and not inline, so it makes it easier not to impact the network traffic (referencing the network diagram and running through it with the network and ops team will be good). I will likely have to route segment by segment (from small to big user pools, where non-critical to critical systems reside) into both IDSes running in co-existence. Minimally, alerts are still being covered with rules running as you try to migrate them over, esp. for custom ones. If they are SNORT rule based, importing from your old IDS into the new Sourcefire should not be an issue. Making it easier if the old IDS can export the rules .. or the snort.conf from the old IDS will already be usable in the new one.

It is always good to back up the config of the old IDS while it slowly becomes decommissioned, as you assess the triggers in the new IDS and bring it to full loading on all segments. The backup is in the event of recovery and booting up if the new IDS fails after a period of monitoring - a working week may be a good estimate depending on site coverage.

But it will be advisable to contact Cisco TAC for advice (see their deployment and migration services in the PDF) as well, since you are their new customer, esp. if you are going to have an active and passive clone (which is probably seldom done for IDS but more for IPS). Just for info, Sourcefire NGIPS appliances have built-in programmable fail-open capabilities and it is definitely a best practice to enable that when the sensors are used inline. You could have redundancy on the network and no state sharing between sensors currently.
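The answer above recommends keeping the custom rules covered while both sensors run side by side and exporting the Snort rules from the old IDS into the new one. The following is an added Python example, not part of btan's answer and not Cisco or Sourcefire tooling: it parses two exported Snort rule files (the legacy sensor's custom rules and the rule set now loaded on the new sensor) and reports which sids did not make it across, or came across at an older revision, so the gap can be closed before the old sensor is decommissioned. The rule samples are constructed for illustration; the parser assumes one rule per line and does not handle escaped quotes or backslash line continuations.

```python
import re

# Snort rule header: action, protocol, src, sport, direction, dst, dport,
# followed by the option body in parentheses. One rule per line is assumed.
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)
HEADER_FIELDS = ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')


def split_options(body):
    """Split the option body on ';' but not inside double quotes, so that
    msg:"scan; inbound" stays one option. Escaped quotes are not handled."""
    parts, buf, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rules(text):
    """Return {sid: info} for every rule in a rules file. Unparsable lines,
    rules without a sid and duplicate sids are rejected, since each of these
    would also make the import on the new sensor fail or silently drop rules."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a parsable Snort rule')
        opts = {}
        for opt in split_options(m.group('opts')):
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip().strip('"')
        if 'sid' not in opts:
            raise ValueError(f'line {lineno}: rule has no sid')
        sid = int(opts['sid'])
        if sid in rules:
            raise ValueError(f'line {lineno}: duplicate sid {sid}')
        rules[sid] = {
            'msg': opts.get('msg', ''),
            'rev': int(opts.get('rev', '1')),  # assumption: rev defaults to 1 when absent
            'header': ' '.join(m.group(f) for f in HEADER_FIELDS),
            'line': lineno,
        }
    return rules


def compare_rulesets(old, new):
    """Coverage check for the migration: legacy sids absent from the new
    sensor, and sids present on both but at an older revision on the new one."""
    missing = sorted(sid for sid in old if sid not in new)
    older_rev = sorted(sid for sid in old
                       if sid in new and new[sid]['rev'] < old[sid]['rev'])
    return {'missing': missing, 'older_rev': older_rev}


def check_migration(old_text, new_text):
    old, new = parse_rules(old_text), parse_rules(new_text)
    report = compare_rulesets(old, new)
    report['old_count'], report['new_count'] = len(old), len(new)
    return report


# Constructed sample exports (not from any real deployment). The new sensor is
# missing sid 1000002 entirely and carries an older revision of sid 1000003.
OLD_RULES = """
# custom rules exported from the legacy sensor
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CUSTOM SSH scan; inbound"; flags:S; threshold:type both,track by_src,count 20,seconds 60; classtype:attempted-recon; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CUSTOM IRC outbound"; flow:to_server,established; classtype:policy-violation; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"CUSTOM DNS long label"; content:"|00 01 00 01|"; sid:1000003; rev:3;)
"""
NEW_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CUSTOM SSH scan; inbound"; flags:S; sid:1000001; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"CUSTOM DNS long label"; content:"|00 01 00 01|"; sid:1000003; rev:2;)
"""

if __name__ == '__main__':
    report = check_migration(OLD_RULES, NEW_RULES)
    print(f"legacy rules: {report['old_count']}, new sensor rules: {report['new_count']}")
    print('not migrated:', report['missing'])
    print('older revision on new sensor:', report['older_rev'])
```

Run it against the two exported files and treat a non-empty `missing` list as a blocker for decommissioning the old sensor; the `older_rev` list catches the quieter failure where a rule was imported but a later tuning (for example a tightened threshold) was lost.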

Author Comment

by: tygurr61
ID: 40595085
I've requested that this question be deleted for the following reason:

Expert gave me suggestions.
LVL 65

Expert Comment

by: btan
ID: 40595086
Strange that you wanted to delete the question; you could minimally have closed it by concluding whether it helps and highlighting your feedback, to help share insights from the discussion and post. Please consider the deletion request.
LVL 65

Expert Comment

by: btan
ID: 40602406
Thanks for sharing