Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor Installation And Configuration Manual page 37

Intrusion detection system appliance and module

Chapter 1
Introducing the Sensor
Modules
Figure 1-4: NM-CIDS in the Branch Office Router
[Diagram. Labels: Hacker A, HQ, outside, 26xx/36xx/37/NG, Branch, Untrusted network, IDS network module, Command and control, Hacker B, Employee]
The NM-CIDS has one internal 10/100 Ethernet port that connects to the router's
backplane. There is also one external 10/100-based Ethernet port that is used for
device management (management of other routers and/or PIX Firewalls to
perform shunning) and command and control of the NM-CIDS by IDS managers.
The NM-CIDS communicates with the router to exchange control and state
information for bringing up and shutting down the NM-CIDS and to exchange
version and status information. The NM-CIDS processes packets that are
forwarded from selected interfaces on the router to the IDS interface on the
NM-CIDS. The NM-CIDS analyzes the captured packets and compares them
against a rule set of typical intrusion activity called signatures. If the captured
packets match a defined intrusion pattern in the signatures, the NM-CIDS can take
one of two actions: it can make ACL changes on the router to block the attack, or
it can send a TCP reset packet to the sender to stop the TCP session that is causing
the attack.
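The match-then-respond flow described above, modelled as an added example that is not Cisco's code or rule format: the `Packet` and `Signature` classes, the signature IDs, the sample packets and the never-shun allow-list are assumptions made for illustration. It shows that the reset response only applies to TCP traffic, while the ACL response blocks by source address.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:            # constructed sample input, not a capture
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

@dataclass
class Signature:         # hypothetical rule format, not Cisco's
    sig_id: int          # constructed ID, not a real Cisco signature number
    proto: str
    pattern: bytes       # regex matched against the payload
    action: str          # "shun" (ACL change) or "reset" (TCP reset)

def respond(pkt, signatures, never_shun=frozenset()):
    """Return (sig_id, action, detail) for the first matching signature, else None."""
    for sig in signatures:
        if sig.proto != pkt.proto or not re.search(sig.pattern, pkt.payload):
            continue
        if sig.action == "reset":
            if pkt.proto != "tcp":
                return (sig.sig_id, "alert-only", "reset needs a TCP session")
            # The reset is addressed to the sender of the offending segment.
            return (sig.sig_id, "reset", f"RST to {pkt.src}:{pkt.sport} for {pkt.dst}:{pkt.dport}")
        if pkt.src in never_shun:
            # Assumption: an allow-list stops spoofed sources from blocking key hosts.
            return (sig.sig_id, "alert-only", f"{pkt.src} is on the never-shun list")
        # IOS extended-ACL entry the sensor would ask the router to apply.
        return (sig.sig_id, "shun", f"deny ip host {pkt.src} any")
    return None

SIGNATURES = [
    Signature(9001, "tcp", rb"(?i)/etc/passwd", "reset"),
    Signature(9002, "udp", rb"\x90{16,}", "shun"),
]
SAMPLES = [  # constructed packets using documentation address ranges
    Packet("tcp", "192.0.2.10", "198.51.100.5", 40112, 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("udp", "192.0.2.77", "198.51.100.5", 5353, 161, b"\x90" * 32),
    Packet("udp", "198.51.100.1", "198.51.100.5", 5353, 161, b"\x90" * 32),
    Packet("tcp", "192.0.2.10", "198.51.100.5", 40113, 80, b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.src, respond(p, SIGNATURES, never_shun={"198.51.100.1"}))
```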
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
1-13
78-15597-02
