Solved

Step by step plan for Cisco SourceFire IDS upgrade.

Posted on 2015-02-02
Last Modified: 2015-02-10
Best practice, best procedure plan to upgrade Cisco SourceFire IDS devices on network.
We are upgrading/replacing our older IDS models with newer ones.
Would like to know best plan to migrate the new model onto the network and the old ones off.
(e.g. swap out each device one-for-one, apply the old configuration onto the new one?)
Is this a good/best practice?
Question by:tygurr61
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40586463
For IDS, it is normally on a SPAN port and not inline, so it makes it easier not to impact the network traffic (referencing the network diagram and running it through with the network and ops teams will be good). I will likely have to route segment by segment (from small to big user pool, from non-critical to critical systems) into both IDSes running in co-existence. Minimally, alerts are still being covered with rules running as you try to migrate them over, especially for custom ones. If they are SNORT rule based, importing from your old IDS into the new Sourcefire should not be an issue. It is easier if the old IDS can export the rules, or the snort.conf from the old IDS will already be usable in the new IDS.

It is always good to back up the config of the old IDS while it is slowly decommissioned, as you assess the triggers in the new IDS and bring it to full loading on all segments. The backup is for recovery and booting up in the event that the new IDS fails after a period of monitoring - a working week may be a good estimate, depending on site coverage.

But it will be advisable to contact Cisco TAC for advice (see their deployment and migration services in PDF) as well, since you are their new customer, especially if you are going to have an active and passive clone (which is probably seldom for IDS but more for IPS). Just for info, Sourcefire NGIPS appliances have built-in programmable fail-open capabilities, and it is definitely a best practice to enable that when the sensors are used inline. You could have redundancy on the network, and there is no state sharing between sensors currently.
0
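One way to check the rule migration described in the accepted answer, added here as an example and not part of the original thread: it compares a rules export from the old sensor with one from the new sensor and lists rules that were active on the old sensor but are missing, disabled, or at an older revision on the new one. It assumes both sensors can export rules in Snort text format; the function names and sample rules are constructed for illustration.

```python
import re

# Snort convention: SIDs >= 1,000,000 are reserved for local (custom) rules.
LOCAL_SID_MIN = 1_000_000
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\(.*\)\s*$")

def parse_rules(text):
    """Map sid -> {rev, enabled} for every rule line in a rules export."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        if not (m and sid):
            continue  # blank line, plain comment, or non-rule directive
        rev = re.search(r"\brev\s*:\s*(\d+)\s*;", line)
        rules[int(sid.group(1))] = {
            "rev": int(rev.group(1)) if rev else 0,  # 0 = no rev option present
            "enabled": m.group("off") is None,       # leading '#' = disabled rule
        }
    return rules

def migration_gaps(old_text, new_text, custom_only=True):
    """Return rules active on the old sensor that the new one does not cover."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    gaps = {"missing": [], "disabled": [], "older_rev": []}
    for sid, rule in sorted(old.items()):
        if not rule["enabled"] or (custom_only and sid < LOCAL_SID_MIN):
            continue  # retired on the old sensor, or a vendor rule we skip
        if sid not in new:
            gaps["missing"].append(sid)
        elif not new[sid]["enabled"]:
            gaps["disabled"].append(sid)
        elif new[sid]["rev"] < rule["rev"]:
            gaps["older_rev"].append(sid)
    return gaps

# Constructed sample exports (illustrative only, not taken from the thread).
OLD = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh from outside"; flow:to_server; sid:1000001; rev:3;)
alert tcp $HOME_NET any -> any 6667 (msg:"LOCAL irc outbound"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"LOCAL dns to odd resolver"; sid:1000003; rev:2;)
# alert icmp any any -> $HOME_NET any (msg:"LOCAL ping (retired)"; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"vendor rule"; sid:2100; rev:5;)
'''
NEW = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh from outside"; flow:to_server; sid:1000001; rev:2;)
# alert tcp $HOME_NET any -> any 6667 (msg:"LOCAL irc outbound"; sid:1000002; rev:1;)
'''
```

Running `migration_gaps(OLD, NEW)` before each segment is moved off the old sensor gives a short list of custom rules to fix on the new one; pass `custom_only=False` to include vendor rules as well.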
 

Author Comment

by:tygurr61
ID: 40595085
I've requested that this question be deleted for the following reason:

Expert gave me suggestions.
0
 
LVL 64

Expert Comment

by:btan
ID: 40595086
Strange that you wanted to delete the question. You minimally have closed it by concluding if it helps and highlighting your feedback to help share insights from the discussion and post. Please consider the deletion request.
0
 
LVL 64

Expert Comment

by:btan
ID: 40602406
Thanks for sharing
0
