Solved

Step by step plan for Cisco SourceFire IDS upgrade.

Posted on 2015-02-02
5
436 Views
1 Endorsement
Last Modified: 2015-02-10
Best practice, best procedure plan to upgrade Cisco SourceFire IDS devices on network.
We area upgrading/replacing  our older IDS models with newer ones.
Would like to know best plan to migrate the new model onto the network and the old ones off.
(e.g. swap out each device one-for-one, apply the old configuration onto the new one?)
Is this a good/best practice?
1
Comment
Question by:tygurr61
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40586463
For IDS it is normally in SPAN port and not inline so it make easier not to impact the network traffic (referencing the the network diagram and ran through by network and ops team will be good), I will likely have to route segment by segment (from small to big user pool, non critical to critical system resided) into the both IDSes running in co-existence. Minimally alerts are still being covered with rules running as you try to migrate them over esp for custom ones. if they are SNORT rule based, importing from your old IDS into new Sourcefire should not be an issue. Making it easier if the old IDS can export the rule .. or the snort.conf in old to new IDS will already be usable

always good to backup config of old IDS while slowly it become decommissioned  as you assessed the trigger in the new IDS and bring it to full loading on all segments. the backup is in event of recovery and booting up if the new IDS is failing after period of monitoring - a working week  may be a good estimate depending on site coverage.

but will be advisable to contact Cisco TAC for advice (see their deployment, migration services in pdf) as well since you are their new customer esp if you going to have active and passive clone (which probably it is seldom for IDS but more for IPS. Just for info Sourcefire NGIPS appliances have built in programmable fail open capabilities and it is definitely a best practice to enable that when the sensors are used in line. You could have redundancy on the network and no state sharing between sensors currently)
0
 

Author Comment

by:tygurr61
ID: 40595085
I've requested that this question be deleted for the following reason:

Expert gave me suggestions.
0
 
LVL 63

Expert Comment

by:btan
ID: 40595086
Strange that you wanted to delete the question, you minimally have closed it by concluding if it helps and highlight your feedback to help share insights from the discussion and post. Pls consider the deletion request.
0
 
LVL 63

Expert Comment

by:btan
ID: 40602406
Thanks for sharing
0

Featured Post

Are You Ransomware's Next Victim?

Worried about ransomware attacks hitting your organization?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with WatchGuard Total Security!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question