The Cisco Secure Intrusion Detection System (CIDS) is a
network-based IDS that uses signatures to detect intrusive activity on your
network. CIDS relies on two kinds of platform: a sensor platform that captures and
analyzes network traffic, and an Event Viewer that acts as a centralized alarm and
event display for the distributed CIDS infrastructure. Communication between these
two platforms is handled by the Cisco proprietary PostOffice protocol.
Two types of sensors are available with CIDS:
- The 4200 series network sensor appliance
- The Catalyst 6000 Intrusion Detection System Module (IDSM)
The 4200 series network sensor appliance consists of three different models, each
tuned for a specific network requirement. The three models and their rated
monitoring capacities are as follows:
- 4210—Capable of monitoring and analyzing 45 Mbps
- 4235—Capable of monitoring and analyzing 200 Mbps
- 4250—Capable of monitoring and analyzing 500 Mbps
The IDSM is an integrated line card that can be inserted into any Catalyst 6000
series switch. The IDSM copies packets directly off the switch backplane and can
monitor up to 100 Mbps. Because it inspects copies of packets taken from the
backplane, it doesn't need to sit in the forwarding path of network traffic and
doesn't affect switch throughput. Both the 4200 series appliance and the IDSM can be
configured and managed with either director platform, but the Device Manager can't
be installed on an IDSM.
The director platforms allow for centralized configuration and
management of the distributed sensor infrastructure. CIDS offers two director
platforms, either of which can be used with any type of CIDS sensor:
- Cisco Secure Policy Manager (CSPM)
- CIDS Director for UNIX
CSPM runs on Windows NT 4.0, while CIDS Director for UNIX is an HP OpenView
application that runs on Sun Solaris or HP-UX. Both offer a GUI interface.
Communication between the sensor and director platforms is
handled by the Cisco proprietary PostOffice protocol. Despite its name, PostOffice
isn't an e-mail protocol like SMTP, POP, or IMAP. It's a protocol maintained by
Cisco that brings reliability, redundancy, and fault tolerance to the CIDS
communication architecture.
Each sensor contains a web application called Device Manager, which can be
used to configure and manage that sensor. The CIDS exam focuses on the use of
Device Manager for the configuration of network sensors.
The CIDS application system is made up of services, or daemons, each of which
performs a unique function within the CIDS architecture. Daemons run on both the
sensor and director platforms, and the most critical ones, such as postofficed,
run on both.
At a minimum, the following daemons must be running on a functioning sensor:
- packetd (captures and analyzes network traffic)
- postofficed (handles PostOffice communication with the director)
- fileXferd (transfers files, such as configuration, between sensor and director)
- loggerd (writes the log files)
The daemons that must be installed and running on a director
platform include the following:
- smid (receives events from sensors on the director)
- postofficed
- fileXferd
- loggerd
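A practical check that follows from these two lists is to verify, on a given host, that every daemon required for its role is actually present in the process table. The script below is an added example, not part of the original page and not Cisco's own tooling: it parses a ps-style process listing and reports the required daemons that are missing for a sensor or a director. The embedded listing is constructed sample data, and the netrangr user and the /usr/nr/bin/nr.* binary paths in it are assumptions for illustration; real output will differ.

```python
"""Check a ps-style process listing against the minimum CIDS daemon set.

Added example (not Cisco's code). The required daemon sets are the ones the
page lists for a sensor and a director; the process listing and the binary
paths below are constructed sample data.
"""

# Minimum daemon sets from the page: both roles need postofficed, fileXferd
# and loggerd; the sensor adds packetd, the director adds smid.
REQUIRED_DAEMONS = {
    "sensor": {"packetd", "postofficed", "fileXferd", "loggerd"},
    "director": {"smid", "postofficed", "fileXferd", "loggerd"},
}

# Constructed sample output in "ps -ef" layout (eight columns, command last).
# The netrangr account and /usr/nr/bin/nr.<daemon> paths are assumptions for
# illustration. loggerd is deliberately absent so the check has something to flag.
SAMPLE_PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 08:00 ?        00:00:01 init
netrangr   412     1  0 08:01 ?        00:00:05 /usr/nr/bin/nr.postofficed
netrangr   415     1  0 08:01 ?        00:00:09 /usr/nr/bin/nr.packetd
netrangr   418     1  0 08:01 ?        00:00:00 /usr/nr/bin/nr.fileXferd
root       620   600  0 08:10 pts/0    00:00:00 ps -ef
"""


def running_processes(ps_output):
    """Return the set of executable basenames found in a ps -ef style listing.

    Only the first token of the CMD column is used, so arguments are ignored.
    """
    names = set()
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # malformed or truncated row
        executable = fields[7].split()[0]
        names.add(executable.rsplit("/", 1)[-1])
    return names


def is_daemon_running(daemon, process_names):
    """True if a process named <daemon> or <prefix>.<daemon> (e.g. nr.packetd) is present."""
    return any(p == daemon or p.endswith("." + daemon) for p in process_names)


def missing_daemons(role, ps_output):
    """Return the sorted list of daemons required for `role` that are not running."""
    if role not in REQUIRED_DAEMONS:
        raise ValueError(f"unknown role {role!r}; expected one of {sorted(REQUIRED_DAEMONS)}")
    present = running_processes(ps_output)
    return sorted(d for d in REQUIRED_DAEMONS[role] if not is_daemon_running(d, present))


def role_is_healthy(role, ps_output):
    """True when every required daemon for `role` is running."""
    return not missing_daemons(role, ps_output)


if __name__ == "__main__":
    for role in ("sensor", "director"):
        missing = missing_daemons(role, SAMPLE_PS_OUTPUT)
        status = "OK" if not missing else "MISSING: " + ", ".join(missing)
        print(f"{role:8s} {status}")
```

Run against a live host, replace SAMPLE_PS_OUTPUT with the output of ps -ef. Note that the same listing can pass for one role and fail for another: the sample host is only one daemon short as a sensor, but checked as a director it also lacks smid, while the packetd it does run is not required there.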
While monitoring the network, the Cisco Secure Intrusion Detection
System generates a wealth of information that's stored in log files. These log
files include information such as the alarms generated, daemon error conditions,
commands issued, and IP session information. Four types of log files are
generated by CIDS:
- Event (Alarm) logs
- Command logs
- Service Error logs
- IP Session logs