| [ LiB ] |
mainApp Configures the sensor's OS and IP address; responsible for starting and stopping all other IDS applications.
logApp
Handles writing all application log messages to the log file and
NAC Network Access Control is used to control managed devices.
ctlTransSource Controls transactions between sensors; enables NAC's master blocking capability.
sensorApp Sensing engine; processes signature and alarm channel configurations and generates alert events in the EventStore.
EventStore A 4GB, shared, memory-mapped file where all events are stored. Only sensorApp can store alert events in the EventStore.
cidWebServer Consists of the following servlets:
IDM IDS Device Manager; a Web-based device management interface.
Event Server Serves events to external systems such as IDS Event Viewer (IEV).
Transaction Server Allows external management applications to initiate control transactions with the sensor.
IP log server Used to serve IP logs to external systems.
The Event Server, Transaction Server, and IP log server all use Remote Data Exchange Protocol (RDEP).
Account privileges:
Administrator Account used to perform all operations on the sensor.
Operator
A
Viewer A user who can perform all viewing operations.
Service A special role that allows the user to log in to a native OS shell; there can only be one service account at a time.
The default sensor administrator username and password is cisco , cisco .
Event Messages Contain IDS status, alarms, and error messages stored on sensors. Client applications such as IEV and Security Monitor use PostOffice Protocol or RDEP to collect these messages from sensors.
IP logs
Messages used by the management
PostOffice A pushing protocol used in version 3.x and below to allow Event Messages collection. PostOffice requires a HostID, HostName, OrganizationID, and OrganizationName.
RDEP A pull-based application-level communication protocol that formats the event messages and IP log messages into Extensible Markup Language (XML) documents.
RDEP uses HTTPS (TLS/SSL) or HTTP communication between RDEP
Communication protocols:
|
Device |
IDS 4.0+ Communication Protocol |
|---|---|
|
IDS 4.0 (Master Blocker) |
RDEP (HTTP/HTTPS) |
|
IDS Event Viewer (IEV) |
RDEP (HTTP/HTTPS) |
|
Security Monitor |
RDEP (HTTP/HTTPS) |
|
IDS MC |
Telnet/Secure Shell (SSH) |
|
PIX Firewalls |
Telnet/SSH |
|
IOS Routers |
Telnet/SSH |
|
IDS 3.x |
PostOffice |
| [ LiB ] |
| [ LiB ] |
Command and control interface Used to configure the sensor and control other managed devices. This is the only interface an IDS sensor can have an IP address on.
The default command and control interface IP address is 10.1.9.201 and is typically located on int1.
A sensing interface is used to monitor the networks for malicious traffic and commonly used to send TCP resets in responses to attacks.
The IDS-4250-XL has dedicated TCP reset interfaces because it cannot send TCP resets on the normal monitoring ports. The TCP reset interface is interface 0 on the IDS-4250-XL.
IDSM2 module Module used in the Catalyst 4000 and 6000 series switches. The IDSM2 can have only two SPAN sessions but unlimited VACLs. However, a Policy Feature Card (PFC) is required to support VACLs.
NM-CIDS module Supported only on the 2600, 3600, and 3700 model routers.
When upgrading the 4220 and 4230, make sure you swap the monitoring and command and control interface cables before you upgrade.
The 4210 and 4220 both have only 256MB of RAM and should be increased to 512MB before you upgrade to IDS 4.0 software.
After you reboot your sensor from an upgrade or
| [ LiB ] |