© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.14-1 Lesson 4 Cisco Intrusion Detection System Architecture.

Transcript:

Lesson 4: Cisco Intrusion Detection System Architecture

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– List and describe the Sensor's interoperating applications.
– Explain the communication infrastructure of the Cisco IDS.
– Explain Sensor user accounts and roles.
– Configure user accounts and roles.

Cisco IDS Software Architecture

Software Architecture Overview

[Diagram: the interoperating applications on the Sensor. EventStore, IDAPI, and the Linux operating system form the base layer. Above them run sensorApp; cidWebServer (HTTP/HTTPS), which hosts IDM, the Transaction Server, the Event Server, and the IPLog Server; cidCLI, reached through the Linux TCP/IP stack via SSHD and/or Telnet; ctlTransSource; NAC; mainApp; logApp; and authentication.]

SensorApp Internals

The sensorApp consists of the following:
– virtualSensor
– virtualAlarm

Cisco IDS Communication

Communications Overview
– IDAPI handles internal communications.
– RDEP handles external communications.
– RDEP uses either HTTP or HTTPS to transmit XML documents between the Sensor and external systems.
– RDEP uses a pull communication model.
  – The pull communication model allows the management console to pull alarms at its own pace.
  – Alarms remain on the Sensor until the 4-GB limit is met. When the limit is met, alarms are overwritten.
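The pull model and the overwrite rule above have a monitoring consequence worth checking: a console that pulls more slowly than the Sensor generates alarms silently loses the oldest ones. The following Python model is an added example, not Cisco's code; the bounded store, the sequence-numbered alarm format, and the tiny capacity are constructed stand-ins for the Sensor's EventStore, and the console detects an overwrite as a gap in the alarm ids it pulled.

```python
from collections import deque
from typing import List, NamedTuple

class Alarm(NamedTuple):
    event_id: int   # monotonically increasing sequence number (constructed)
    signature: str

class EventStore:
    """Bounded store standing in for the Sensor's 4-GB EventStore:
    once full, the oldest alarm is overwritten (constructed model)."""
    def __init__(self, capacity: int) -> None:
        self._alarms: deque = deque(maxlen=capacity)
        self._next_id = 1

    def record(self, signature: str) -> Alarm:
        alarm = Alarm(self._next_id, signature)
        self._next_id += 1
        self._alarms.append(alarm)  # drops the oldest entry when full
        return alarm

    def pull(self, after_id: int, limit: int) -> List[Alarm]:
        # Pull model: the console asks for alarms newer than the last one
        # it consumed, at its own pace; the Sensor never pushes.
        return [a for a in self._alarms if a.event_id > after_id][:limit]

class Console:
    """Management console that remembers the last alarm id it pulled."""
    def __init__(self) -> None:
        self.last_id = 0
        self.received: List[Alarm] = []
        self.missed: List[int] = []  # ids overwritten before being pulled

    def pull_from(self, store: EventStore, limit: int) -> List[Alarm]:
        batch = store.pull(self.last_id, limit)
        for alarm in batch:
            # A jump in the sequence means the store overwrote alarms
            # between two pulls; keep the gap so it can be reported.
            expected = self.last_id + 1
            if alarm.event_id != expected:
                self.missed.extend(range(expected, alarm.event_id))
            self.received.append(alarm)
            self.last_id = alarm.event_id
        return batch

def simulate(capacity: int, burst: int, pull_size: int) -> Console:
    store, console = EventStore(capacity), Console()
    for i in range(burst):  # Sensor fills the store before any pull
        store.record("sig-%d" % (1000 + i % 3))  # constructed signature ids
    while console.pull_from(store, pull_size): pass
    return console
```

Whether the gap list stays empty is the figure to alert on when sizing pull frequency against alarm volume.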

Sensor External Communications

[Diagram: external systems and the protocols they use to reach the Sensor: IDM over HTTPS; Security Monitor over HTTPS (RDEP); IEV over HTTPS (RDEP); IDS MC over HTTPS and SSH; a CLI client over SSH; a web client over HTTPS.]

RDEP Requests and Responses

IEV has initiated an encrypted HTTP over TLS/SSL connection with the Sensor. After the connection is established, IEV begins sending RDEP event requests to the Sensor. The Sensor responds with RDEP event response messages.

[Diagram: IEV on the monitoring network sends a request across the command and control network to the Sensor. The request is made up of an HTTP header and an entity body carrying an XML document, addressed to the event-server request URI ("uri-es-request").]

User Accounts and Roles

User Accounts
– Users access a Sensor by logging in to a user account.
– User accounts are created on the Sensor.
– Multiple accounts can be created.
– The authentication application configures and manages authentication.

User Account Roles
– User accounts have roles.
– Roles determine the user privileges.
– The following roles can be assigned to an account:
  – Administrator
  – Operator
  – Viewer
  – Service

The Service Account
– Special account that enables root access.
– The Sensor allows only one service account.
– Not created by default.
– Should be created for troubleshooting.
Caution! Do not make modifications to the Sensor through the service account except under the direction of the TAC.

Summary
– The Cisco IDS software consists of the following interoperating applications: mainApp, sensorApp, cidWebServer, authentication, logApp, NAC, ctlTransSource, and cidCLI.
– RDEP is an application-level communications protocol used to exchange IDS event messages and IP log messages between the Sensor and external systems.
– Users access a Sensor by logging in to user accounts that you create on the Sensor.
– User accounts have roles that determine the privileges of the user on the Sensor.
– Create and use a service account only under the direction of TAC for troubleshooting.