Overview of IDM and IDS/IPS Management Console (IDS/IPS MC)

IDM (Intrusion Detection Manager) is a Web-based utility for configuring the sensors. IDM is included as part of the sensor software and can be accessed through the sensor's web server. IDM can be used only to configure the sensor on which it is running.

IEV (Intrusion Detection Event Viewer) is a Windows program that you can download free from Cisco.com and install on your own desktop. You then configure it to connect to the sensor and pull alarms from it. IEV is limited to pulling events from five sensors, so it is only suitable for small installations (see Chapter 22, "Troubleshooting IEV and Security Monitor," for more details on IEV).

For larger deployments (more than five sensors), we recommend purchasing VPN and Security Management Solution (VMS). VMS contains two utilities for managing and monitoring IDS/IPS sensors:

  • IDS/IPS Management Console (IDS/IPS MC): A Web-based configuration tool designed for configuring multiple sensors.

  • Security Monitor (SecMon): A Web-based alarm viewing tool used for monitoring large numbers of sensors (see Chapter 22, "Troubleshooting IEV and Security Monitor," for troubleshooting Security Monitor).

IDS/IPS MC and Security Monitor Processes

A set of processes manages the tasks that IDS/IPS MC and Security Monitor perform. If one of those processes is not running, the function it is responsible for will not work, so whenever the application misbehaves it is good practice to first check that all of these processes are running. The following list outlines the processes and their main functions:

  • IDS_Analyzer: Processes event rules and requests user-specified notifications when appropriate.

  • IDS_Backup: Responsible for the IDS/IPS MC and SecMon backup and restore processes.

  • IDS_DbAdminAnalyzer: Periodically checks the database rules that have been created and starts their execution when the triggering conditions are met.

  • IDS_DeployDaemon: Manages configuration deployment.

  • IDS_EvsServer: The daemon for the Event Viewer.

  • IDS_Notifier: Receives notification requests (script, e-mail, or console) from other subsystems and performs the requested notifications.

  • IDS_Receiver: Receives events and syslog messages and stores them in the database.

  • IDS_ReportScheduler: Generates scheduled reports.

If any of those processes is not running, the task that the process controls will not work. To check the status of the processes and start them, go to Server Configuration > Administration > Process Management. From there you can view the status of the processes, stop the processes, or start stopped processes. All the processes that start with "IDS_" are related to the Security Monitor or IDS/IPS MC.
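The check the book recommends, walking the Process Management page and confirming every IDS_ daemon is running, is easy to automate once the process list has been captured to text. The script below is an added example, not code from the book or from Cisco: it keeps the list of required daemons and the function each one controls, parses a process listing, and names every required daemon that is stopped, failed, or absent. The listing format ("name  state") and the sample states are constructed; adjust `parse_process_states()` to whatever your server actually prints.

```python
"""Check that the daemons IDS/IPS MC and Security Monitor depend on are all
running, and name the function each stopped one breaks.

Added example, not from the book or from Cisco. The process listing format
below is constructed ("<process> <state>"); the real Process Management
page, or a text dump of it, may use a different layout.
"""

# Required daemons and the function the book says each one controls.
REQUIRED_PROCESSES = {
    "IDS_Analyzer": "event-rule processing and notification requests",
    "IDS_Backup": "IDS/IPS MC and SecMon backup and restore",
    "IDS_DbAdminAnalyzer": "database rule execution",
    "IDS_DeployDaemon": "configuration deployment",
    "IDS_EvsServer": "Event Viewer",
    "IDS_Notifier": "script, e-mail and console notifications",
    "IDS_Receiver": "event and syslog storage in the database",
    "IDS_ReportScheduler": "scheduled report generation",
}

# Constructed sample listing: two daemons down, one missing entirely,
# plus an unrelated process to show it is ignored.
SAMPLE_LISTING = """\
IDS_Analyzer          Running
IDS_Backup            Running
IDS_DbAdminAnalyzer   Running
IDS_DeployDaemon      Stopped
IDS_EvsServer         Running
IDS_Notifier          Running
IDS_Receiver          Failed to run
Apache                Running
"""


def parse_process_states(listing):
    """Return {process_name: state} from a 'name state...' listing.
    The state may contain spaces, so only the first whitespace run splits."""
    states = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, state = line.partition(" ")
        states[name] = state.strip()
    return states


def find_problems(states, required=REQUIRED_PROCESSES):
    """Return (process, state, impact) for every required daemon that is not
    reported as Running. A daemon absent from the listing gets state 'missing'."""
    problems = []
    for name, impact in required.items():
        state = states.get(name, "missing")
        if state.lower() != "running":
            problems.append((name, state, impact))
    return problems


def report(listing):
    """Human-readable summary, one line per problem."""
    problems = find_problems(parse_process_states(listing))
    if not problems:
        return "All IDS_ processes are running."
    return "\n".join(
        f"{name}: {state} -> {impact} will not work"
        for name, state, impact in problems
    )


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

Run against the constructed sample it flags IDS_DeployDaemon (stopped), IDS_Receiver (failed) and IDS_ReportScheduler (missing), which is exactly the set of functions (deployment, event storage, scheduled reports) you would expect to see broken in the GUI.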

As mentioned before, IDS/IPS MC is used to manage one or more sensors across different sensor platforms. It is important to know which sensor versions each IDS/IPS MC version supports. Refer to the following link to find the devices and sensor versions supported by the different versions of IDS/IPS MC:

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_device_support_tables_list.html

Communication Architecture

IDS/IPS MC uses both SSH (Secure Shell) and HTTPS (HTTP over SSL) to communicate with an IDS/IPS sensor and perform its tasks. The following list describes the functions it performs with the help of SSH and HTTPS:

  • Importing the configuration of a sensor: When IDS/IPS MC imports the configuration from a sensor, it first logs in to the sensor using SSH. The actual configuration is then transferred using the RDEP protocol, which runs over HTTPS (HTTP/SSL).

  • Deploying the configuration to a sensor: Configuration deployment uses different protocols in different versions. Before IDS/IPS MC 2.0, deployment is performed over SSH: IDS/IPS MC effectively types each command into an SSH session to the sensor, which is a very time-consuming process. Starting with IDS/IPS MC version 2.0, configuration changes are pushed to the sensor using RDEP (HTTP/SSL), which is much more efficient.

  • Upgrading signatures or service packs on the sensor: Upgrading signatures or service packs requires both SSH and HTTPS. IDS/IPS MC executes commands on the sensor over SSH, while the signature or service pack files themselves are transferred to the sensor over HTTPS (HTTP/SSL).

All communication between IDS/IPS MC and the sensor therefore relies on both SSH and SSL. If there is a firewall between IDS/IPS MC and the sensor, it is essential that both protocols are permitted in both directions.
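Because the protocol each operation needs depends on the IDS/IPS MC version, a firewall that was opened for one operation can silently block another (for example, permitting only HTTPS after an upgrade to MC 2.0 lets deployment work while configuration import and signature upgrades still fail at the SSH step). The script below is an added example, not code from the book or from Cisco: it encodes the per-operation protocol list from the section above, derives the flows a firewall must permit, and checks a rule set for gaps. Assumptions, none of which the book states: the MC initiates both the SSH and the RDEP (HTTPS) connection to the sensor; SSH is on TCP/22 and the sensor's web server on TCP/443 (the usual defaults, change `SSH_PORT`/`HTTPS_PORT` if yours differ); the firewall is stateful, so only the MC-to-sensor direction is modelled, and on a stateless filter you would add the mirrored rules the book calls for. The rule-set format is constructed.

```python
"""Derive the firewall openings IDS/IPS MC needs towards a sensor for each
operation the book describes, and check a rule set for gaps.

Added example, not from the book or from Cisco. Assumptions (not stated in
the book): the MC initiates both SSH and RDEP/HTTPS sessions to the sensor,
SSH is on TCP/22, the sensor web server is on TCP/443, and the firewall is
stateful so only the MC-to-sensor direction is modelled. The rule dict
format is invented for this example.
"""
from collections import namedtuple

SSH_PORT = 22     # assumption: default SSH port on the sensor
HTTPS_PORT = 443  # assumption: default sensor web-server (RDEP) port

Flow = namedtuple("Flow", "src dst proto port purpose")


def required_flows(operation, mc_version, mc_ip, sensor_ip):
    """Flows needed per operation, following the book's protocol list:
    import:  SSH login, then configuration over RDEP (HTTPS).
    deploy:  SSH only before MC 2.0; RDEP (HTTPS) from 2.0 onwards.
    upgrade: commands over SSH, package transfer over HTTPS."""
    ssh = Flow(mc_ip, sensor_ip, "tcp", SSH_PORT,
               f"{operation}: command/login over SSH")
    https = Flow(mc_ip, sensor_ip, "tcp", HTTPS_PORT,
                 f"{operation}: transfer over RDEP/HTTPS")
    if operation == "import":
        return [ssh, https]
    if operation == "deploy":
        return [ssh] if mc_version < 2.0 else [https]
    if operation == "upgrade":
        return [ssh, https]
    raise ValueError(f"unknown operation: {operation}")


def _permits(rule, flow):
    """A permit rule covers a flow when src/dst match exactly or are 'any'
    and protocol and port match ('any' port also matches)."""
    return (rule["action"] == "permit"
            and rule["src"] in ("any", flow.src)
            and rule["dst"] in ("any", flow.dst)
            and rule["proto"] == flow.proto
            and rule["port"] in ("any", flow.port))


def missing_openings(rules, mc_version, mc_ip, sensor_ip):
    """Return every required flow (across import, deploy and upgrade) that no
    permit rule covers, de-duplicated on src/dst/proto/port."""
    missing, seen = [], set()
    for op in ("import", "deploy", "upgrade"):
        for flow in required_flows(op, mc_version, mc_ip, sensor_ip):
            key = (flow.src, flow.dst, flow.proto, flow.port)
            if key in seen:
                continue
            seen.add(key)
            if not any(_permits(r, flow) for r in rules):
                missing.append(flow)
    return missing


# Constructed rule set: HTTPS to the sensor permitted, SSH forgotten.
MC_IP, SENSOR_IP = "10.0.0.5", "10.0.1.9"   # constructed addresses
SAMPLE_RULES = [
    {"action": "permit", "src": MC_IP, "dst": SENSOR_IP, "proto": "tcp", "port": 443},
    {"action": "deny", "src": "any", "dst": "any", "proto": "tcp", "port": "any"},
]

if __name__ == "__main__":
    for f in missing_openings(SAMPLE_RULES, 2.0, MC_IP, SENSOR_IP):
        print(f"missing: {f.src} -> {f.dst} {f.proto}/{f.port} ({f.purpose})")
```

With the constructed rule set and MC 2.0 the checker reports one missing opening, TCP/22 from the MC to the sensor, which is what breaks configuration import and signature upgrades while deployment over RDEP keeps working.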


Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Author: Mynul Hoda