Cisco IPS-4240-K9 - Intrusion Protection Sys 4240 Installation Manual page 25

Intrusion prevention system appliances and modules 5.0
Chapter 1
Introducing the Sensor
Note NM-CIDS operates in promiscuous mode (IDS mode) only.

Figure 1-4 NM-CIDS in the Branch Office Router
NM-CIDS has one internal 10/100 Ethernet port that connects to the router's backplane. There is also
one external 10/100-based Ethernet port that is used for device management (management of other
routers and/or PIX Firewalls to perform blocking) and command and control of NM-CIDS by IDS
managers.
NM-CIDS communicates with the router to exchange control and state information for bringing up and
shutting down NM-CIDS and to exchange version and status information. NM-CIDS processes packets
that are forwarded from selected interfaces on the router to the IDS interface on NM-CIDS. NM-CIDS
analyzes the captured packets and compares them against a rule set of typical intrusion activity called
signatures. If the captured packets match a defined intrusion pattern in the signatures, NM-CIDS can
take one of two actions: it can make ACL changes on the router to block the attack, or it can send a TCP
reset packet to the sender to stop the TCP session that is causing the attack.
In addition to analyzing captured packets to identify malicious activity, NM-CIDS can also perform IP
session logging that can be configured as a response action on a per-signature basis. When the signature
fires, session logs are created over a specified time period in a tcpdump format. You can view these logs
using Ethereal or replay the IP session using tools such as TCP Replay.
You can manage and retrieve events from NM-CIDS through the CLI or IDM.
The IDS requires a reliable time source. All events (alerts) must carry the correct time stamp; otherwise, you cannot correctly analyze the logs after an attack. You cannot manually set the time on NM-CIDS. NM-CIDS gets its time from the Cisco router in which it is installed. Routers do not have a battery, so they cannot preserve a time setting when they are powered off. You must set the router's clock each time you power up or reset the router, or you can configure the router to use NTP time synchronization. We recommend NTP time synchronization. You can configure either NM-CIDS itself or the router it is installed in to use NTP time synchronization.
For more information, see Time Sources and the Sensor, page 1-14.

[Figure 1-4, NM-CIDS in the Branch Office Router: network diagram with labels HQ, Branch, Untrusted outside network, Command and control, 26xx/36xx/37/NG, NM-CIDS, Hacker A, Hacker B employee]

Installing Cisco Intrusion Prevention System Appliances and Modules 5.0
78-16124-01
1-13
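The router-side NTP configuration that the time-source paragraph recommends, shown in Cisco IOS CLI as an added example that is not part of the Cisco manual; NTP authentication is included as a hardening step beyond what the page describes, and the server addresses and key value are constructed placeholders.

```cisco
! Added example (not from the Cisco manual): router-side NTP so the NM-CIDS module
! inherits a reliable clock. Server addresses and the key are constructed placeholders.
! A manual "clock set" is lost when the router powers off; an NTP association is not.
clock timezone UTC 0
! Authenticate the time source so alert timestamps cannot be skewed by a spoofed
! NTP reply (authentication is a hardening step beyond what the page describes).
ntp authentication-key 1 md5 EXAMPLE-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
! Two servers for redundancy; "prefer" marks the primary. 192.0.2.0/24 is
! documentation address space, standing in for the site's real NTP servers.
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 1
!
! Checks after a few polling intervals:
!   show ntp status        (look for "Clock is synchronized")
!   show ntp associations  (the "*" entry is the selected time source)
!   show clock detail      (look for "Time source is NTP")
```

Once the router reports NTP as its time source, the module's alert time stamps follow it, which is the property the log analysis described above depends on.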