For example, the main log lists a "fragmented IP attack" (a type of attack more commonly known by specific examples, such as jolt2 and teardrop). The log would be more intuitive if the more commonly known names of specific attacks were used. However, the system supports hyperlinks to third-party Web sites (such as Security Focus) that provide more detailed explanations of the terms. Context-sensitive help worked well and provided adequate information in most cases.
Other key management features include the ability to export all logs in comma-separated-value format, which allows use of any spreadsheet application. It is also possible to maintain multiple configuration settings (such as a Web configuration, database configuration and others) on the management console, with the ability to export and import different configurations through FTP. There is also a "notes" field so managers can track individual attacks. This note recording requires an HTML editor.
Physical installation of the Catalyst 6000 IDS Module blade is fairly straightforward. Users should note, though, that while Catalyst switch blades are hot-swappable, the Catalyst 6000 IDS Module blade is not.
One glaring omission of the Catalyst 6000 IDS Module package we tested was the lack of a built-in alarm or SNMP trap facility, which could send out an e-mail or a trap to notify administrators of critical events. Cisco told us that although there was no built-in facility for sending alerts, the software has the flexibility to let users build their own application. In this case, end users, not Cisco, would be responsible for creating and supporting this feature. We think it should be integrated into the product, however.
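The CSV export described above is the obvious hook for the do-it-yourself alerting Cisco suggests. The following script, added here as an illustration and not part of the review or of Cisco's software, reads an exported log, picks out events at or above a severity threshold, tallies repeat source addresses, and renders one-line messages that could be handed to an e-mail or syslog sender. The column layout, the 1-to-5 severity scale, the threshold and the sample rows are all assumptions constructed for the example, since the page does not show the real export format; the alias table only carries the two names the review itself mentions.

```python
import csv
import io
from collections import Counter

# Constructed sample export. The real column layout of the Catalyst 6000
# IDS Module's CSV export is not shown in the review, so these headers
# and rows are assumptions made for illustration only.
SAMPLE_CSV = """timestamp,severity,signature,src_ip,dst_ip,notes
2001-05-01 10:00:01,3,fragmented IP attack,10.0.0.5,192.168.1.10,
2001-05-01 10:00:02,1,ICMP echo request,10.0.0.7,192.168.1.10,
2001-05-01 10:00:05,5,fragmented IP attack,10.0.0.5,192.168.1.11,
2001-05-01 10:01:00,4,TCP SYN port sweep,10.0.0.9,192.168.1.12,
"""

# Assumed severity scale: 1 (low) to 5 (high). Events at or above the
# threshold are treated as critical and worth an out-of-band alert.
ALERT_THRESHOLD = 4

# Generic log names mapped to the better-known attack names the review
# wishes the log would use; extend as needed for the local environment.
ALIASES = {
    "fragmented IP attack": ["jolt2", "teardrop"],
}


def parse_export(text):
    """Parse a CSV log export into a list of dicts with integer severity."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["severity"] = int(row["severity"])
        rows.append(row)
    return rows


def critical_events(rows, threshold=ALERT_THRESHOLD):
    """Keep only events whose severity meets the alerting threshold."""
    return [r for r in rows if r["severity"] >= threshold]


def summarize_by_source(rows):
    """Count events per source address so repeat offenders stand out."""
    return Counter(r["src_ip"] for r in rows)


def format_alert(event):
    """Render one event as a single line suitable for e-mail or syslog."""
    name = event["signature"]
    aka = ALIASES.get(name)
    if aka:
        name = f"{name} (a.k.a. {', '.join(aka)})"
    return (f"[sev {event['severity']}] {name} "
            f"{event['src_ip']} -> {event['dst_ip']} at {event['timestamp']}")


def build_alerts(text, threshold=ALERT_THRESHOLD):
    """Parse an export and return the alert lines for its critical events."""
    return [format_alert(e) for e in critical_events(parse_export(text), threshold)]


if __name__ == "__main__":
    for line in build_alerts(SAMPLE_CSV):
        print(line)
    print(summarize_by_source(parse_export(SAMPLE_CSV)))
```

In practice the script would be run against a freshly exported file on a schedule, and the returned lines passed to whatever notification path the site already trusts; the per-source tally is what lets an operator decide whether a single noisy host deserves a "notes" entry in the console.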
Finally, while the Catalyst 6000 IDS Module we tested monitored and reported suspicious activity and attacks, it did not offer any means to intercept, avert or inhibit attacks. Cisco engineers say they are working on making this capability available in the next version of the product.
The Catalyst 6000 IDS Module represents a new thrust in intrusion detection, allowing tight integration of the IDS application within the switch itself. A top performer compared with the current IDS competition, it also supports a hardware architecture that has the potential to scale to much higher speeds.
This potential doesn't come without a price -- the complex management interface takes some getting used to. The ability to shun attacks -- not yet available -- will enable this product to better realize its full potential.