Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor Installation And Configuration Manual page 329

Intrusion detection system appliance and module

Appendix A
Intrusion Detection System Architecture
IDS software includes the following IDS applications:

Note: Each application has its own configuration file in XML format.

• MainApp—Initializes the system, starts and stops the other applications, configures the OS, and performs updates.
• SensorApp (Analysis Engine)—Performs packet capture and analysis.
• Authentication (AuthenticationApp)—Verifies that users are authorized to perform CLI, IDM, or Remote Data Exchange Protocol (RDEP) actions.
• LogApp (Logger)—Writes all the application's log messages to the log file and the application's error messages to the EventStore.
• NAC (NetworkAccess)—Manages remote network devices (PIX Firewall, routers, and switches) to provide blocking capabilities when an alert event has occurred. NAC (Network Access Controller) creates and applies Access Control Lists (ACLs) on the controlled network device, or uses the shun command (PIX Firewall) to another RDEP server.
• ctlTransSource (TransactionSource)—Allows sensors to send control transactions. This is used to enable the NAC's master blocking sensor (MBS) capability.
• cidwebserver (WebServer)—Provides a web interface and communication with other IDS devices through RDEP using several servlets to provide IDS services. These servlets are shared libraries that are loaded into the cidWebserver process at run-time:
    - IDM—Provides the IDM web-based management interface.
    - Event server—Used to serve events to external management applications such as Security Monitor.
    - Transaction server—Allows external management applications such as the IDS MC to send control transactions to the sensor.
    - IP log server—Used to serve IP logs to external systems.

Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
System Overview
A-3
