Analyzing

Packets captured by the sensors are reassembled, if required, and then compared against the signature database. When the sensors analyze network traffic, they’re looking for patterns of activity that match known intrusive activity. These patterns are defined in the signature database held on the network sensors. Patterns of activity can be as basic as an attempt to access a specific port on a specific host or as complex as a set of operations directed at a number of different hosts over an extended period of time. If a signature is matched, the sensor logs the information and sends an alarm to the director platform through the command and control interface.

Communications

The sensors and the director platforms must have a communication medium to allow for the sending of alarms, sensor configurations, and messages. Cisco’s proprietary PostOffice protocol provides this communication vehicle used by the sensors to communicate with one another and management consoles.

PostOffice Protocol

The PostOffice protocol is a proprietary protocol only used between the sensors and directors and shouldn’t be confused with common e-mail protocols, such as SMTP, IMAP, or POP. The PostOffice protocol is not an e-mail protocol. Through the use of the PostOffice protocol, the director platforms can send configuration files to the sensors, and the sensors can send messages and alarms to a centralized sensor or director. The messages sent between the directors and the sensors are controlled by services running on both devices. These services, called daemons, run on both the sensors and directors. Daemons are discussed in the sections “CIDS Software Architecture” and “Daemon Configuration Files.”

The PostOffice protocol uses User Datagram Protocol (UDP) as the transport layer protocol on port 45000. The PostOffice protocol also uses a proprietary addressing scheme to address all CIDS infrastructure devices. The following are the message types sent among CIDS service, sensors, and directors:

Command Messages

Error Messages

Command Log Messages

Alarm Messages

IP log Messages

Redirect Messages

Heartbeat Messages

Communication between services on both the sensors and the directors represents a critical component of Cisco’s IDS system. Because of its critical nature, Cisco developed the PostOffice protocol to be reliable, redundant, and fault tolerant.

PostOffice Reliability

When a sensor detects an intrusion, it must send an alarm to the centralized director or sensor. Because of its critical nature, the PostOffice protocol supports guaranteed delivery of all messages sent from the sensors to the directors. As seen in Figure 24-5, guaranteed delivery is accomplished through the use of acknowledgments. When a sensor sends a message, it expects to receive an acknowledgment (ack) in a predetermined amount of time. If an acknowledgment isn’t received, the sensor will repeatedly repeat the message until the director replies with an ack.

Figure 24-5: Reliable message delivery via the PostOffice protocol

PostOffice Redundancy

The PostOffice protocol allows for redundancy by allowing sensors to send messages to redundant director or sensor platforms. By sending alarms and messages to multiple platforms located in diverse locations, the CIDS infrastructure can be engineered for both redundancy and fault tolerance. You can configure the sensors to send alarms and messages to a maximum of 255 different destinations. Figure 24-6 illustrates a redundant director platform design.

Figure 24-6: Redundant director platforms

PostOffice Fault Tolerance

The PostOffice protocol allows the configuration of up to 255 alternate IP addresses for any single platform. These alternate IP addresses can represent separate network interface cards installed on a multihomed director platform, as seen in Figure 24-7. The sensors can be configured to use a primary address to reach a director platform and a secondary address if the primary address is unreachable. Sensors only use the secondary addresses if the primary address is unreachable. The sensors use a watchdog process to detect when the connectivity to the primary IP address is reestablished. Once a connection to the primary address is reestablished, the sensor resumes communications using the primary address.

Figure 24-7: CIDS multihomed director platform

By placing the director platform on a multihomed system, you allow the director to send and receive traffic on two or more networks. Using multihomed directors provides additional protection from network failures. By multihoming your director platform, you’re providing fault tolerance by creating multiple paths between your sensors and your directors. Figure 24-7 illustrates a multihomed director platform design.

Note

A multihomed system is any system that has multiple network interfaces to separate networks. The networks can be logically separated or both physically and logically separated. Routers, by definition, are multihomed devices because they receive traffic on one network, and then route that traffic to another network. Multihomed computer systems running Unix or Windows NT/2000/XP can be configured as a router.

PostOffice Protocol Addressing

For devices within the CIDS infrastructure to communicate efficiently, the PostOffice protocol requires a unique protocol specific address for each device. Each device within the CIDS infrastructure has both a numeric identifier and an alphanumeric identifier.

The numeric identifier is a combination of the host ID and the organization ID, and is used for network communications. All devices within the same management must have the same organizational ID. Devices contained in the same organizational infrastructure share the same organizational ID, however, each device must have unique host IDs.

The alphanumeric identifier is used as the common name for the devices and is made up of the host name and the organizational name. As seen in Figure 24-8, each sensor and director platform has both a host ID and a host name. Each device also has both an organizational ID and an organizational name.

Figure 24-8: PostOffice host and organization addressing

The host ID and organizational ID are two parts of a three-part addressing scheme used by the PostOffice protocol. The third component that makes up a complete PostOffice protocol address is a unique application ID. All command and control messages are addressed using these three unique identifiers. Application IDs are discussed further in the section “The Services File.”