Chapter 1 Introducing The Sensor - Cisco IPS 7.1 Installation Manual

Intrusion prevention system appliance and module

How the Sensor Functions
Figure 1-1 Comprehensive Deployment Solutions
[Figure: network deployment diagram. Labels: Internet; Attacker; Sensor deployed in IDS mode; Main campus; Sensor deployed in IPS mode; Service provider, partner, or branch office network; Public services segment; Sensor deployed in hybrid mode to deliver IDS services outside router and IPS services inside the firewall; Multiple IPS sensors deliver a highly scalable, load-balanced solution via Cisco Etherchannel technology on Cisco Catalyst Switches; Campus core.]

The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager workstation. SSH and TLS/SSL are enabled by default on the manager workstations.

When responding to attacks, the sensor can do the following:

• Insert TCP resets via the sensing interface.

  Note: You should select the TCP reset action only on signatures associated with a TCP-based service. If selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol.

• Make ACL changes on switches, routers, and firewalls that the sensor manages.

  Note: ACLs may block only future traffic, not current traffic.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1, OL-24002-01
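The two notes on response actions translate into a configuration check. The following is an added example, not taken from the Cisco guide: it audits constructed signature records, and the record fields and the action labels `tcp_reset` and `acl_block` are hypothetical names, not Cisco CLI keywords.

```python
# Added example: audit response actions against the two caveats in the notes.
# Record fields and action labels are hypothetical, not Cisco CLI keywords.
from dataclasses import dataclass

RESET_NO_EFFECT = "tcp_reset on non-TCP service: no action is taken"
RESET_ONLY = "tcp_reset is the only response: teardown is not guaranteed"
ACL_ONLY = "acl_block is the only effective response: current traffic is not blocked"


@dataclass(frozen=True)
class Signature:
    sig_id: str         # constructed identifier
    protocol: str       # service the signature inspects: "tcp", "udp", "icmp", ...
    actions: frozenset  # response actions selected for this signature


def audit(signatures):
    """Return (sig_id, finding) pairs for responses that may not act as expected."""
    findings = []
    for sig in signatures:
        is_tcp = sig.protocol.lower() == "tcp"
        if "tcp_reset" in sig.actions and not is_tcp:
            findings.append((sig.sig_id, RESET_NO_EFFECT))
        # Actions that can actually do something for this protocol.
        effective = sig.actions if is_tcp else sig.actions - {"tcp_reset"}
        if effective == {"tcp_reset"}:
            findings.append((sig.sig_id, RESET_ONLY))
        if effective == {"acl_block"}:
            findings.append((sig.sig_id, ACL_ONLY))
    return findings


# Constructed sample records for illustration only.
SAMPLE = [
    Signature("sig-dns-1", "udp", frozenset({"tcp_reset"})),
    Signature("sig-http-1", "tcp", frozenset({"tcp_reset"})),
    Signature("sig-smb-1", "tcp", frozenset({"acl_block"})),
    Signature("sig-ftp-1", "tcp", frozenset({"tcp_reset", "acl_block"})),
    Signature("sig-icmp-1", "icmp", frozenset({"tcp_reset", "acl_block"})),
]

if __name__ == "__main__":
    for sig_id, finding in audit(SAMPLE):
        print(f"{sig_id}: {finding}")
```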
