© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Lesson 4 Cisco Intrusion Detection System Architecture

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Objectives

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Objectives Upon completion of this lesson, you will be able to perform the following tasks: List and describe the Sensors interoperating applications. Explain the communication infrastructure of the Cisco IDS. Explain Sensor user accounts and roles. Configure user accounts and roles.

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Cisco IDS Software Architecture

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Software Architecture Overview EventStore, IDAPI, and the Linux operating system sensorApp cidWebServer (HTTP/HTTPS) cidCLI Linux TCP/IP stack SSHD and/or Telnet IDM Transaction Server Event Server IPLog Server ctlTransSource NAC mainApp logApp authentication

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS SensorApp Internals The sensorApp consists of the following: virtualSensor virtualAlarm

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Cisco IDS Communication

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Communications Overview IDAPI handles internal communications. RDEP handles external communications. RDEP uses either HTTP or HTTPS to transmit XML documents between the Sensor and external systems. RDEP uses a pull communication model. –The pull communication model allows the management console to pull alarms at its own pace. –Alarms remain on the Sensor until the 4-GB limit is met. When the limit is met, alarms are overwritten.

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Sensor External Communications IDM HTTPS Security Monitor HTTPS RDEP IEV HTTPS RDEP IDS MC HTTPSSSH Client CLI SSH Client HTTPS

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS RDEP Requests and Responses IEV has initiated an encrypted HTTP over TLS/SSL connection with the Sensor. After the connection is established, IEV begins sending RDEP event requests to the Sensor. The Sensor responds with RDEP event response messages. Monitoring IEV Sensor Command and control Network uri-es-request XML doc Entity body HTTP header

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS User Accounts and Roles

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS User Accounts Users access a Sensor by logging in to a user account. User accounts are created on the Sensor. Multiple accounts can be created. The authentication application configures and manages authentication.

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS User Account Roles User accounts have roles. Roles determine the user privileges. The following roles can be assigned to an account: –Administrator –Operator –Viewer –Service

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS The Service Account Special account that enables root access Sensor allows only one service account Not created by default Should be created for troubleshooting !Caution! Do not make modifications to the Sensor through the service account except under the direction of the TAC.

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Summary

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Summary The Cisco IDS software consists of the following interoperating applications: mainApp, sensorApp, cidWebServer, authentication, logApp, NAC, ctlTransSource, and cidCLI. RDEP is an application-level communications protocol used to exchange IDS event messages and IP log messages between the Sensor and external systems. Users access a Sensor by logging in to user accounts that you create on the Sensor. User accounts have roles that determine the privileges of the user on the Sensor. Create and use a service account only under the direction of TAC for troubleshooting.