Cisco IDS Management
Introduction
There is so much more to intrusion detection
than just putting a sensor out on a network and then never addressing it again.
Someone has to take the time to manage the sensors. It would not be very
efficient to have to go to each of the sensors on a network and look at them on
an individual basis. What if you saw something suspicious? Then you would have
to go to the others and try to correlate the events. That is not the most
efficient way to manage a group of security sensors. Luckily, we have a central
management solution to help us manage our Cisco IDS sensors.
There are several items that need to be addressed when managing
the IDS sensors on the network:
- How secure is the network going to be? Are we looking at
everything or looking for specific events driven by our security policy?
- How many people will have access to the management console
and who can modify the configuration?
- How much logging is going to take place? Do we log
everything or only the events we care about?
- How often do we generate reports?
- Will alarms be sent to e-mail/pagers?
- Do I shun or carry out TCP resets?
This only scratches the surface of planning your management
solution. Depending on your business needs, you may find that some solutions suit
your business better than others. No matter what the solution, though, IDS
management is a full-time job with or without the central management solution.
The central management solution just makes it much easier. You will find
yourself constantly tuning signatures to reduce the volume of alarms that is
generated. Be warned that the initial volume can seem overwhelming, but in the
end it is manageable. In fact, having any of these management solutions in place
makes life easier, letting you implement one change at one location that affects
all the sensors simultaneously.
In this chapter, we cover all the IDS management applications
in depth. Cisco has three different methods: Cisco Secure Policy Manager (CSPM),
IDS Device Manager (IDM), and Cisco IDS Director. After covering the management
solutions, we take a look at the Cisco Network Security Database (NSDB). As with
most management solutions, initial deployment and configuration are the toughest
parts, so it is our intent to cover these steps thoroughly.