We start by going through an overview of the IDS MC architecture, directories, and processes. Figure 14.1 shows a high-level view of the IDS MC architecture.
The IDS MC is based on the framework and services of CiscoWorks Common Services. The components of CiscoWorks Common Services are:
Data storage and management: A Sybase SQL Anytime database stores the configuration data for sensor devices and sensor groups. CiscoWorks Common Services allows you to manage this data with backup, restoration, and repair tasks.
Web interface: An Apache Web server provides the Web interface that allows you to connect to the CiscoWorks server via Hypertext Transfer Protocol (HTTP). After you initially access the CiscoWorks server, communications with the IDS MC then use Secure HTTP (HTTPS).
Session management: User sessions are managed so that multiple users can connect to the IDS MC and perform configuration tasks without losing or corrupting any data.
User authentication and permission management: CiscoWorks Common Services performs permissions management based on user authorization roles, each of which defines a set of permissions for access to various functions within VMS.
Common environment for the IDS MC: Independent processes function within their own range of operations.
It's important to understand how the interaction between the client host, CiscoWorks server, IDS MC server, and the sensor occurs in Figure 14.1. To illustrate, if Phil wants to connect to the IDS MC from his laptop browser, the following process takes place:
Initially, Phil points his browser to the CiscoWorks server via HTTP on port 1741 and logs into CiscoWorks.
Phil then selects the IDS MC from the CiscoWorks interface, which triggers secure encrypted communications to the IDS MC server using HTTPS on port 443.
When Phil sends configuration changes to the sensor using the IDS MC, the IDS MC connects to the sensor using Secure Shell (SSH).
Make sure you understand that communications from a client browser to CiscoWorks initially use HTTP on port 1741; thereafter, communication between the client browser and the IDS MC uses HTTPS on port 443.
HTTPS communication between a client browser and CiscoWorks uses port 1742; however, HTTPS communication between a client browser and the IDS MC uses port 443.
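The port model above (browser to CiscoWorks on 1741/1742, browser to IDS MC on 443, IDS MC to sensor over SSH) can be turned into an allowlist that a defender checks observed management traffic against. This is an added example, not code from the book or from Cisco; the flow records, the addresses and the role assignments are constructed for the illustration.

```python
"""Audit observed management-plane flows against the IDS MC port model.

Added example (not from the book or Cisco). Flow records, addresses and
host roles below are constructed sample data.
"""
from typing import NamedTuple

# Expected paths from the text: browser -> CiscoWorks HTTP/1741 and HTTPS/1742,
# browser -> IDS MC HTTPS/443, IDS MC server -> sensor SSH/22.
EXPECTED = {
    ("client", "server"): {1741: "HTTP", 1742: "HTTPS", 443: "HTTPS"},
    ("server", "sensor"): {22: "SSH"},
}

ROLES = {  # assumed addresses for the sample environment
    "10.0.0.10": "client",   # Phil's laptop
    "10.0.0.20": "server",   # CiscoWorks / IDS MC host
    "10.0.0.30": "sensor",   # Cisco IDS sensor
}

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str

def classify(flow: Flow) -> str:
    """Return 'ok', or a reason string saying why the flow is outside the model."""
    src_role = ROLES.get(flow.src, "unknown")
    dst_role = ROLES.get(flow.dst, "unknown")
    allowed = EXPECTED.get((src_role, dst_role))
    if allowed is None:
        return f"no management path {src_role}->{dst_role}"
    if flow.dport not in allowed:
        return f"unexpected port {flow.dport} for {src_role}->{dst_role}"
    if allowed[flow.dport] != flow.proto:
        return f"port {flow.dport} should carry {allowed[flow.dport]}, saw {flow.proto}"
    return "ok"

def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport proto' record (constructed log format)."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)

# Constructed sample records: the first three match the model, the last two do not.
SAMPLE_FLOWS = [
    "10.0.0.10 10.0.0.20 1741 HTTP",
    "10.0.0.10 10.0.0.20 443 HTTPS",
    "10.0.0.20 10.0.0.30 22 SSH",
    "10.0.0.10 10.0.0.30 443 HTTPS",   # client talking straight to the sensor
    "10.0.0.20 10.0.0.30 443 HTTPS",   # server reaching the sensor without SSH
]

def audit(lines):
    """Return (record, verdict) pairs for every flow record."""
    return [(line, classify(parse_flow(line))) for line in lines]
```

Running `audit(SAMPLE_FLOWS)` reports the first three records as ok and explains why the last two fall outside the documented paths.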
Unless you specify otherwise, the IDS MC components are installed in the default directory where the CiscoWorks Common Services components are installed. This directory is X:\Program Files\CSCOPx (where X is the hard drive). Figure 14.2 shows the directories and components of the IDS MC.
Within the IDS MC home directory are four subdirectories and their applications:
Apache: This is where the Apache Web server that serves the IDS MC Web pages is installed.
Sybase: This is where the Sybase SQL database, which stores sensor and IDSM configuration information, is installed.
Tomcat: This directory stores the Tomcat server, which dispatches servlets to the IDS MC from Common Services.
Etc: This directory stores the ids and updates subdirectories, described as follows:
Etc\ids: This is where the IDS MC is stored.
Etc\ids\updates: This is where IDS signature updates, for both sensor devices and the IDS MC itself, are stored.
You should be prepared to know the four subdirectories in the IDS MC home directory and what functions the associated applications perform.
Table 14.1 lists the processes that allow the IDS MC to perform its functions.
| Process | Description |
|---|---|
| IDS_Analyzer | Defines event rules; requests user-specified notifications. |
| IDS_Backup | Performs a backup and restore of the Sybase database within the IDS MC. |
| IDS_DbAdminAnalyzer | Applies active database rules to the current state of the server on a periodic basis. |
| IDS_DeployDaemon | Manages all configuration deployments. |
| IDS_Notifier | Retrieves notification requests from other subsystems and performs the requested notification. |
| IDS_Receiver | Receives Cisco IDS alarms and syslog security events; stores them in the Sybase database. |
| IDS_ReportScheduler | Generates all scheduled reports. |
You should be prepared to answer questions regarding the processes that provide the IDS MC with its functionality. Key processes to focus on include IDS_Analyzer, IDS_DeployDaemon, IDS_Notifier, IDS_Receiver, and IDS_ReportScheduler.