IPS 5.0 New Features - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide
Appendix A
System Architecture
• AuthenticationApp—Verifies that users are authorized to perform CLI, IDM, ASDM, or RDEP actions.
• SensorApp (AnalysisEngine)—Performs packet capture and analysis.
• CLI—The interface that is run when you successfully log in to the sensor through Telnet or SSH. All accounts created through the CLI will use the CLI as their shell (except the service account—only one service account is allowed). Allowed CLI commands depend on the privilege of the user.

All IPS applications communicate with each other through a common API called IDAPI. Remote applications (other sensors, management applications, and third-party software) communicate with sensors through the RDEP2 and SDEE protocols.

The sensor has the following partitions:
• Application partition—A full IPS system image.
• Maintenance partition—A special purpose IPS image used to reimage the application partition of the IDSM-2. When you reimage the maintenance partition, all configuration settings are lost.
• Recovery partition—A special purpose image used for recovery of the sensor. Booting into the recovery partition enables you to completely reimage the application partition. Network settings are preserved, but all other configuration is lost.

IPS 5.0 New Features

Cisco IPS 5.0 contains the following new features:
• Ability to process and analyze traffic inline
• Former 4.x applications merged into one application
  The following applications have been merged into one application with different threads supporting the old functions: MainApp, Web Server, AuthenticationApp, Network Access Controller, LogApp, and CtlTransSource.
• Bypass mode
  You can set the sensor in a mode where all IPS processing subsystems are bypassed and traffic is permitted between the inline pairs directly. The bypass mode ensures that packets continue to flow through the sensor when the sensor's processes are temporarily stopped for upgrades or when the sensor's monitoring processes fail.
• Risk Rating
  RR is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network. The calculation takes into account the value of the network asset being attacked (for example, a particular server), so it is configured on a per-signature basis (ASR and SFR) and on a per-server basis (TVR).
• Signature updates
  You must have a license to obtain signature updates.
  The IPS signature update process is now similar to antivirus DAT file updates.
• RDEP2
  RDEP has been revised to RDEPv2, which supports an event standard called SDEE.

78-16527-01
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
System Overview
A-3
