Overview of IDM and IDS/IPS Management Console (IDS/IPS MC)

IDM (Intrusion Detection Manager) is a Web-based utility for configuring the sensors. IDM is included as part of the sensor software and can be accessed through the sensor's web server. IDM can be used only to configure the sensor on which it is running. IEV (Intrusion Detection Event Viewer) is a Windows program that you can download free from Cisco.com and install on your own desktop. You then need to configure it to connect to the sensor and pull alarms from the sensor. IEV is limited to pulling events from five sensors, so it is only suitable for small installations (see Chapter 22, "Troubleshooting IEV and Security Monitors," for more details on IEV). For larger deployments (more than five sensors) we recommend purchasing VPN and Security Management Solution (VMS). VMS contains two utilities used for managing and monitoring IDS/IPS sensors:
IDS/IPS MC and Security Monitor Processes

A set of processes manage the tasks that IDS/IPS MC and Security Monitor perform. If one of those processes is not running, the function it is responsible for will not work. If you have problems running the application, it is always good practice to first check that all those processes are running. The following list outlines the processes and their main functions:
If any of those processes is not running, the task that the process controls will not work. To check the status of the processes and start them, go to Server Configuration > Administration > Process Management. From there you can view the status of the processes, stop the processes, or start stopped processes. All the processes that start with "IDS_" are related to the Security Monitor or IDS/IPS MC. As mentioned before, IDS/IPS MC is used to manage single or multiple sensors on different sensor platforms. It is important to understand and be aware of the versions of sensor supported by different IDS/IPS MC versions. Refer to the following link to find out the devices and sensor versions that are supported by different versions of IDS/IPS MC:
Communication Architecture

IDS/IPS MC uses both SSH (secure shell) and HTTPS (SSL) protocols to communicate with an IDS/IPS sensor to perform its tasks. Following is the list of functions it performs with the help of SSH and HTTPS:
All communication between IDS/IPS MC and the sensor therefore takes place over SSH and SSL. Hence, if there is a firewall between IDS/IPS MC and the sensor, it is extremely important to permit both of these protocols in both directions.
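The firewall requirement above is easy to get half right: the MC-to-sensor rules get added, the reverse direction is forgotten, or a broad deny placed earlier in the rule set shadows the permits. The following added example (it is not from the book and not a Cisco tool) models a first-match rule set with an implicit deny and reports which of the four flows the text requires (SSH and HTTPS, in each direction) are blocked. The host addresses and the three rule sets are constructed for illustration; following the text literally, "both directions" is modelled as the sensor also being allowed to reach TCP/22 and TCP/443 on the MC.

```python
"""Check a firewall rule set for the IDS/IPS MC <-> sensor flows (SSH, HTTPS).

Added example, not part of the original text. Addresses and rules below are
constructed; rule evaluation is first-match with an implicit deny at the end,
which is how most packet filters behave.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str            # source network in CIDR notation
    dst: str            # destination network in CIDR notation
    dport: Optional[int]  # destination TCP port, None means any port
    action: str         # "permit" or "deny"

# Services IDS/IPS MC needs towards a sensor, as described in the text.
REQUIRED_PORTS = {"ssh": 22, "https": 443}

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """Return True if the first matching rule permits the flow, else False."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.action == "permit"
    return False  # implicit deny: nothing matched

def check_mc_sensor_path(rules: List[Rule], mc_ip: str, sensor_ip: str) -> Dict[Tuple[str, str], bool]:
    """Evaluate every (direction, service) flow the MC needs and map it to permit/deny."""
    results = {}
    for name, port in REQUIRED_PORTS.items():
        results[("mc->sensor", name)] = evaluate(rules, mc_ip, sensor_ip, port)
        results[("sensor->mc", name)] = evaluate(rules, sensor_ip, mc_ip, port)
    return results

def missing_flows(rules: List[Rule], mc_ip: str, sensor_ip: str) -> List[Tuple[str, str]]:
    """Return the sorted list of required flows the rule set does not permit."""
    return sorted(k for k, ok in check_mc_sensor_path(rules, mc_ip, sensor_ip).items() if not ok)

# Constructed sample topology (placeholder addresses).
MC_IP = "10.0.0.10"
SENSOR_IP = "10.0.1.20"
DENY_ALL = Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny")

# 1) Only the MC-to-sensor direction was opened.
ONE_WAY_RULES = [
    Rule("10.0.0.10/32", "10.0.1.20/32", 22, "permit"),
    Rule("10.0.0.10/32", "10.0.1.20/32", 443, "permit"),
    DENY_ALL,
]

# 2) Both directions opened, as the text requires.
BOTH_WAYS_RULES = ONE_WAY_RULES[:2] + [
    Rule("10.0.1.20/32", "10.0.0.10/32", 22, "permit"),
    Rule("10.0.1.20/32", "10.0.0.10/32", 443, "permit"),
    DENY_ALL,
]

# 3) Same permits as (2), but a catch-all deny was inserted ahead of them,
#    so first-match evaluation never reaches the permits.
SHADOWED_RULES = [DENY_ALL] + BOTH_WAYS_RULES[:4]

def report(rules: List[Rule], label: str) -> None:
    """Print which required flows are blocked for a rule set."""
    missing = missing_flows(rules, MC_IP, SENSOR_IP)
    if missing:
        print(f"{label}: BLOCKED -> " + ", ".join(f"{d} {svc}" for d, svc in missing))
    else:
        print(f"{label}: all required MC<->sensor flows permitted")

if __name__ == "__main__":
    report(ONE_WAY_RULES, "one-way rules")
    report(BOTH_WAYS_RULES, "both-ways rules")
    report(SHADOWED_RULES, "shadowed rules")
```

Running the script reports the reverse-direction SSH and HTTPS flows as blocked for the one-way rule set, nothing blocked for the two-way set, and all four flows blocked for the shadowed set; the last case is the one to look for when the permits are visibly present but the MC still cannot reach the sensor.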