The IDS4215 is an EoL piece of hardware under the IPS4200 family. I know a Singaporean vendor who sold this hardware at a high price despite this hardware is as old as 2600xm series routers. I managed to get this IDS at a reasonable price over ebay.
What is an IDS?
Intrusion Detection System is a system that detects anomaly and invoke an action. The action may be alerting ASA or other firewall but it will not stop anomaly from harming your system. Unlike IPS, it cannot drop the suspicious traffic itself. The IDS4215 is a computer that is operating a linux kernel (2.4) it uses Redhat distribution. It could be a x86 architecture, which you can have chance to use the IPS software in your own x86 architecture computer (perhaps, but i do not know how…)
Getting started
IDS# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 192.168.1.10/24,192.168.1.1
host-name IDS
telnet-option disabled
access-list 192.168.1.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 480
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service interface
physical-interfaces FastEthernet0/1
admin-state enabled
exit
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
Current time: Tue Jun 28 14:31:08 2011
Setup Configuration last modified: Tue Jun 28 12:49:35 2011
Continue with configuration dialog?[yes]:
You can use the setup script or you can do it yourself manually. Let’s go through the setup script.
Setup Configuration last modified: Tue Jun 28 12:49:35 2011 Continue with configuration dialog?[yes]: Enter host name[IDS]: Enter IP interface[192.168.1.10/24,192.168.1.1]: Enter telnet-server status[disabled]: Enter web-server port[443]: Modify current access list?[no]: Modify system clock settings?[no]: Modify interface/virtual sensor configuration?[no]: Modify default threat prevention settings?[no]: No changes were made to the configuration.
This is just a run through, i do not want to change my setup configuration as of now. If you just got your IDS box, I recommend you say Yes to Modify current access list. You need to specify an access list so that your system is allowed to manage the IDS, if you do not specify the access-list all traffic will be dropped. You can choose not to manage via ssh or https, if this is what you want then you can ignore the access list portion.
Cisco IPS device manager (IDM)
It is recommended to use JRE version 1.4.2 (any release) to launch the IDM, and I am using WinXP SP3 1GB RAM, 20GB HDD, JRE 1.4.2 (initial release). You have to set the maximum heap size to 256mb, if you do not IDM will refuse to launch. I recommend you read this on how to increase the JRE heap size.
Signature definition
An IDS/IPS without an updated signature file is as good as getting a trial version Antivirus software. You need to pay for yearly subscription for a license.
cyruslab 