Solved

Step by step plan for Cisco SourceFire IDS upgrade.

Posted on 2015-02-02
392 Views
1 Endorsement
Last Modified: 2015-02-10
Best practice, best procedure plan to upgrade Cisco SourceFire IDS devices on the network.
We are upgrading/replacing our older IDS models with newer ones.
Would like to know the best plan to migrate the new model onto the network and the old ones off.
(e.g. swap out each device one-for-one, apply the old configuration onto the new one?)
Is this a good/best practice?
Question by: tygurr61

5 Comments

Accepted Solution by: btan (earned 500 total points)
For IDS it is normally on a SPAN port and not inline, so it makes it easier not to impact the network traffic (referencing the network diagram and running it through with the network and ops team will be good). I will likely have to route segment by segment (from small to big user pool, non-critical to critical systems) into both IDSes running in co-existence. Minimally, alerts are still being covered with rules running as you try to migrate them over, especially the custom ones. If they are Snort-rule based, importing from your old IDS into the new Sourcefire should not be an issue, making it easier if the old IDS can export the rules; or the snort.conf from the old IDS will already be usable in the new one.

It is always good to back up the config of the old IDS while it slowly becomes decommissioned as you assess the triggers in the new IDS and bring it to full loading on all segments. The backup is in the event of recovery and booting up if the new IDS fails after a period of monitoring; a working week may be a good estimate depending on site coverage.

But it will be advisable to contact Cisco TAC for advice (see their deployment and migration services PDF) as well, since you are their new customer, especially if you are going to have an active and passive clone (which is probably seldom for IDS but more for IPS). Just for info, Sourcefire NGIPS appliances have built-in programmable fail-open capabilities and it is definitely a best practice to enable that when the sensors are used inline. You could have redundancy on the network and no state sharing between sensors currently.
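One check worth running during the co-existence period described above, added here as an example and not part of the original thread or of any Cisco/Sourcefire tooling: both the old sensor and the new Sourcefire appliance read Snort-format rules, so the rule exports from each can be parsed and diffed by SID to confirm that nothing was dropped or silently disabled on the way across. Custom rules are called out separately because, by Snort convention, local SIDs start at 1,000,000 and those are the ones a vendor rule-pack import will not restore for you. The rule text embedded below is constructed for illustration; the exported file contents, the rule names and the SIDs are assumptions.

```python
"""Added example, not from the original thread: diff the Snort rules exported
from the old IDS against those loaded on the new Sourcefire sensor, keyed by
SID, so nothing (especially custom rules) is silently lost in the migration.
Rule text below is constructed; no real sensor export is used."""
import re
from typing import Dict, List, NamedTuple

LOCAL_SID_MIN = 1_000_000  # Snort convention: local/custom rules use SIDs >= 1,000,000

# Optional leading '#' marks a disabled rule; options sit inside the outer parentheses.
_RULE_RE = re.compile(r'^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
                      r'(?P<header>[^(]*)\((?P<opts>.*)\)\s*$')


class Rule(NamedTuple):
    sid: int
    rev: int
    msg: str
    enabled: bool


def _split_options(opts: str) -> List[str]:
    """Split on ';' outside double quotes, so a msg containing ';' stays whole."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if not escaped and ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
            continue
        if not escaped and ch == '"':
            in_quote = not in_quote
        escaped = (ch == '\\') and not escaped
        buf.append(ch)
    tail = ''.join(buf).strip()
    return parts + ([tail] if tail else [])


def parse_rules(text: str) -> Dict[int, Rule]:
    """Parse Snort rule text into {sid: Rule}; comments and directives are skipped."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        opts = {}
        for part in _split_options(m.group('opts')):
            key, _, val = part.partition(':')
            opts[key.strip()] = val.strip()
        if not opts.get('sid', '').isdigit():
            continue  # Snort requires a numeric sid; skip malformed lines
        sid = int(opts['sid'])
        rules[sid] = Rule(sid, int(opts.get('rev', '1')), opts.get('msg', '').strip('"'),
                          m.group('disabled') is None)
    return rules


class MigrationReport(NamedTuple):
    missing: List[int]         # on the old sensor, absent on the new one
    missing_custom: List[int]  # the subset of missing with local SIDs
    now_disabled: List[int]    # enabled on old, present but disabled on new
    rev_mismatch: List[int]    # same SID but different rev: rule body changed


def compare_rulesets(old: Dict[int, Rule], new: Dict[int, Rule]) -> MigrationReport:
    missing = sorted(sid for sid in old if sid not in new)
    return MigrationReport(
        missing,
        [sid for sid in missing if sid >= LOCAL_SID_MIN],
        sorted(sid for sid, r in old.items() if r.enabled and sid in new and not new[sid].enabled),
        sorted(sid for sid, r in old.items() if sid in new and new[sid].rev != r.rev),
    )


# Constructed sample exports, not output from a real sensor.
OLD_RULES = """\
# local.rules exported from the old sensor
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force"; flow:to_server; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC outbound; possible C2"; flow:to_server,established; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC cgi-bin access"; content:"/cgi-bin/"; nocase; sid:2003; rev:5;)
# alert udp any any -> any 69 (msg:"TFTP traffic"; sid:1444; rev:1;)
"""
NEW_RULES = """\
# rules as loaded on the new Sourcefire sensor
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force"; flow:to_server; sid:1000001; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC cgi-bin access"; content:"/cgi-bin/"; nocase; sid:2003; rev:5;)
# alert udp any any -> any 69 (msg:"TFTP traffic"; sid:1444; rev:1;)
alert ip any any -> any any (msg:"added only on the new sensor"; sid:1000099; rev:1;)
"""


def run_check(old_text: str = OLD_RULES, new_text: str = NEW_RULES) -> MigrationReport:
    return compare_rulesets(parse_rules(old_text), parse_rules(new_text))


if __name__ == '__main__':
    for field, sids in run_check()._asdict().items():
        print(f'{field:15s} {sids}')
```

With the constructed inputs the report flags the custom IRC rule (sid 1000002) as missing, the cgi-bin rule (sid 2003) as present but disabled on the new sensor, and sid 1000001 as carried over with a different revision, which is the cue to diff the rule bodies by hand. Feed it the real exports (for example the `local.rules` file from the old sensor and the rule export from the new one) in place of the embedded strings; a rule disabled on both sensors, like sid 1444 here, is not reported because it generated no alerts before the migration either.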
Author Comment by: tygurr61
I've requested that this question be deleted for the following reason:

Expert gave me suggestions.

Expert Comment by: btan
Strange that you wanted to delete the question; you could minimally have closed it by concluding whether it helps and highlighting your feedback to help share insights from the discussion and post. Please consider the deletion request.

Expert Comment by: btan
Thanks for sharing