Cisco PostOffice Protocol

Nov 24,2008 by admin


To manage and maintain the Cisco IDS devices, Cisco first developed a proprietary protocol known as PostOffice Protocol. It is now being replaced by RDEP, which we'll describe later. The PostOffice Protocol is not to be confused with the Post Office Protocol POP3 (TCP port 110) commonly used by mail clients to retrieve Internet mail. Rather, the Cisco PostOffice Protocol is a UDP service that functions, by default, over port 45000 to provide messaging between the management console and IDS sensors. After Cisco IDS Software Version 2.2.1, this default port is configurable. The PostOffice Protocol provides messaging for:

  • Command data

  • Error and alarm messages

  • Command and IP logs

  • Redirects

  • Device heartbeats

The PostOffice Protocol is primarily a "push" technology as opposed to the "pull" mechanism of RDEP. Because PostOffice Protocol was the primary means of communication between security devices, Cisco developed reliability, redundancy, and fault-tolerance schemes within the protocol to ensure messaging success.

Although it is a UDP-based service, PostOffice Protocol requires acknowledgement of alarm message delivery. This promotes reliability, since the IDS sensor will continue to send alert messages until it receives acknowledgement from the console. Redundancy and fault tolerance are enabled via multiple IDS console devices configured to service the same group of sensors. The PostOffice Protocol permits sensors to propagate messages to up to 255 destinations, which allows for redundant alarm notifications and ensures the appropriate personnel are notified when an alarm is received. Similarly, up to 255 addresses can be specified for a single console host. This facilitates fault tolerance; should one route to a console address fail, another could easily initiate connectivity.

With PostOffice, administrators must assign each IDS sensor a unique identifier composed of some of the following attributes:

  • Host ID: The Host ID must be a unique numeric value greater than zero, such as 30.

  • Organization ID: The Organization ID must be a numeric value greater than zero, such as 100. This number can be the same for multiple sensors.

  • Host name: The Host name is an alphanumeric string that identifies the host, such as Sensor1B.

  • Organization name: The Organization name is an alphanumeric string that identifies the company or organization, such as AcmeCorp.

An example of the PostOffice naming convention is shown in Figure 2.1.

Figure 2.1: PostOffice Protocol Addressing

This naming convention helps the security team identify sensors in large environments, but it is also required for the PostOffice addressing scheme, which is composed of three components. The host and organization identifiers form the first two components, and the third is a unique application identifier. The protocol uses all three identifiers to route command and control communications.

For example, in Figure 2.2, a sensor with Host ID 3 and Org ID 20 issues a PostOffice Protocol alert using Application ID 10006 destined for an IDS console with Host ID 30 and Org ID 20. Upon receiving the alert, the Console acknowledges it via Application ID 10000 to the sensor.

Figure 2.2: PostOffice Addressing Scheme
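
The addressing and acknowledgement behaviour described above can be modelled as a short simulation. This is an added example, not Cisco code and not the wire format of the proprietary protocol; the class and function names, the 192.0.2.x console addresses and the retry cap are assumptions, while the host, organization and application IDs are those of the Figure 2.2 example.

```python
from dataclasses import dataclass

ALERT_APP_ID = 10006  # application ID of the alert in the Figure 2.2 example
ACK_APP_ID = 10000    # application ID of the console's acknowledgement
MAX_ADDRESSES = 255   # address limit per console host, as stated in the text

@dataclass(frozen=True)
class Node:  # Host ID and Organization ID of a sensor or console (hypothetical class)
    host_id: int
    org_id: int
    def __post_init__(self):
        if self.host_id <= 0 or self.org_id <= 0:
            raise ValueError("Host ID and Organization ID must be greater than zero")

@dataclass(frozen=True)
class Message:
    """Abstract message model; NOT the proprietary wire format."""
    src: Node
    dst: Node
    app_id: int
    body: str = ""

class Console:
    def __init__(self, node, reachable):
        self.node, self.reachable, self.alarms = node, set(reachable), []
    def deliver(self, ip, msg):
        """Return an acknowledgement, or None if the datagram is lost or misaddressed."""
        if ip not in self.reachable or msg.dst != self.node:
            return None
        self.alarms.append(msg.body)
        return Message(self.node, msg.src, ACK_APP_ID)

def send_alarm(sensor, console, addresses, body, tries_per_address=3):
    """Resend until acknowledged, failing over per address (retry cap is an assumption)."""
    if not 1 <= len(addresses) <= MAX_ADDRESSES:
        raise ValueError("a console host takes 1 to 255 addresses")
    alert = Message(sensor, console.node, ALERT_APP_ID, body)
    sent = []
    for ip in addresses:
        for _ in range(tries_per_address):
            sent.append(ip)
            ack = console.deliver(ip, alert)
            if ack is not None and ack.app_id == ACK_APP_ID:
                return ack, sent
    return None, sent

def demo():  # constructed scenario: the first route to the console is down
    console = Console(Node(30, 20), reachable={"192.0.2.11"})
    return send_alarm(Node(3, 20), console, ["192.0.2.10", "192.0.2.11"], "constructed alarm")
```

The list of attempted addresses returned alongside the acknowledgement shows the failover: the sensor exhausts its retries on the dead route before the second console address answers.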
