Cisco IPS 4255 Sensor
Release Notes for Cisco Intrusion Prevention System 7.0(1)E3
OL-18483-01
New and Changed Information
Cisco IPS 7.0 contains the following new features:
• Global correlation
IPS 7.0 contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that we have amassed over the years. At regular intervals, Cisco IPS receives threat updates from the Cisco SensorBase Network, which contain detailed information about known threats on the Internet, including serial attackers, botnet harvesters, malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data into its system to detect and prevent malicious activity even earlier.
• IME 7.0(1) introduces support for the global correlation features:
– Support for configuring the global correlation features on sensors running IPS 7.0(1).
– Support for viewing and monitoring alerts from IPS 7.0(1) sensors containing global correlation data.
– Support for generating global correlation reports.
• 10GE interface card
The 10GE interface card (part numbers IPS-2X10GE-SR-INT and IPS-2X10GE-SR-INT=) provides two 10000 Base-SX (fiber) interfaces. The IPS 4260 supports one 10GE interface card for a total of two 10GE fiber interfaces. The IPS 4270-20 supports up to two 10GE interface cards for a total of four 10GE fiber interfaces.
Note
Support for the 10GE interface card has been added to IPS 6.1(2), 6.2(1), and 7.0(1).
• We deprecated the RDEP event server service in IPS 6.1 and we removed it in IPS 7.0(1). We added the SDEE event server service to IPS 5.0 as a replacement for the RDEP event server service. We supported both the SDEE event server and RDEP event server through IPS 5.0, 5.1, 6.0, and 6.1 to allow time for monitoring tools to transition to using the SDEE event server for retrieval of events. With IPS 7.0(1), monitoring tools must use the SDEE event server service for the retrieval of events.
• 7.0(1)E3 includes the S388 signature update and the E3 signature engine, which includes the following:
– Signature date and type
The signature date represents the date at which the signature was first created. The date is stored in the format YYYYMMDD. The signature type represents the category in which a specific signature falls. Signatures are broadly classified as vulnerability, exploit, anomaly, component, or other. The default is other.
– Duplicate packet detector statistics
Duplicate packet statistics are now added to the TCP Normalizer Stage Statistics section of the show statistics virtual sensor command output. Large numbers of duplicate packets being reported by the Normalizer can aid in the detection of sensor deployment and configuration problems. Duplicate packets are often seen in situations where a single virtual sensor is monitoring two or more networks, and is seeing a TCP connection crossing two or more of these networks. In this situation you can reconfigure the sensor to monitor each network using a different virtual sensor. If both networks must be monitored by a single virtual sensor, configure the virtual sensor with the inline-TCP-session-tracking-mode parameter set to either interface-and-vlan or vlan-only.
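The duplicate packet counters above are only useful if someone actually compares them against total traffic per virtual sensor. The following is an added example, not Cisco's code or part of these release notes: a small Python script that parses the TCP Normalizer Stage Statistics block for each virtual sensor out of captured command output, computes the share of duplicate packets, and flags sensors whose ratio suggests the two-networks-one-virtual-sensor deployment problem described above. The sample output, the exact counter names ("Packets Input", "Duplicate Packets") and the 5% threshold are constructed assumptions; the real command output on a given sensor should be checked and the names adjusted before relying on it.

```python
"""Flag virtual sensors whose TCP Normalizer duplicate-packet counters suggest
one virtual sensor is seeing the same TCP connection on two or more networks.

Added example (not Cisco's code). Counter names, section names and the sample
text are constructed to resemble `show statistics virtual-sensor` output and
must be matched against a real sensor's output before use.
"""
import re

# Constructed sample output (assumption: layout and counter names).
SAMPLE_OUTPUT = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      TCP Normalizer Stage Statistics
         Packets Input = 1250000
         Packets Modified = 0
         Dropped packets from RandomEarlyDrop = 0
         Duplicate Packets = 412000
      Some Other Stage Statistics
         Packets Input = 999
   Statistics for Virtual Sensor vs1
      TCP Normalizer Stage Statistics
         Packets Input = 980000
         Packets Modified = 3
         Dropped packets from RandomEarlyDrop = 0
         Duplicate Packets = 27
"""

# Assumed threshold: the release note gives no number; 5% is a starting point
# chosen for this example, to be tuned per deployment.
DUP_RATIO_THRESHOLD = 0.05

SENSOR_RE = re.compile(r"\s*Statistics for Virtual Sensor (\S+)")
COUNTER_RE = re.compile(r"\s*(.+?)\s*=\s*(\d+)\s*$")


def parse_normalizer_stats(text):
    """Return {sensor_name: {counter_name: int}} for the TCP Normalizer
    Stage Statistics section of each virtual sensor in `text`."""
    stats = {}
    sensor = None
    in_section = False
    for line in text.splitlines():
        m = SENSOR_RE.match(line)
        if m:
            sensor = m.group(1)
            stats[sensor] = {}
            in_section = False
            continue
        if "TCP Normalizer Stage Statistics" in line:
            in_section = True
            continue
        if not in_section or sensor is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            stats[sensor][m.group(1)] = int(m.group(2))
        elif line.strip():
            # A non-counter, non-blank line is the next section heading.
            in_section = False
    return stats


def duplicate_ratio(counters):
    """Duplicate packets as a fraction of packets input (0.0 if no traffic)."""
    total = counters.get("Packets Input", 0)
    dups = counters.get("Duplicate Packets", 0)
    return dups / total if total else 0.0


def assess(text, threshold=DUP_RATIO_THRESHOLD):
    """Per-sensor duplicate ratio plus the remediation the release note gives
    for sensors above the threshold."""
    findings = {}
    for sensor, counters in parse_normalizer_stats(text).items():
        ratio = duplicate_ratio(counters)
        suspect = ratio >= threshold
        findings[sensor] = {
            "duplicate_ratio": ratio,
            "suspect": suspect,
            "recommendation": (
                "Split the monitored networks across separate virtual sensors, "
                "or set inline-TCP-session-tracking-mode to interface-and-vlan "
                "or vlan-only on this virtual sensor."
                if suspect else "No action needed."
            ),
        }
    return findings


if __name__ == "__main__":
    for name, result in assess(SAMPLE_OUTPUT).items():
        print(f"{name}: duplicates={result['duplicate_ratio']:.2%} "
              f"suspect={result['suspect']} -> {result['recommendation']}")
```

In practice the text fed to `assess()` would be the saved output of the show statistics virtual sensor command, collected on the same schedule as other sensor health checks, so that a jump in the duplicate ratio after an interface or VLAN change stands out.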