The IDS MC and Sensors
The Cisco IDS Management Center can manage up to
approximately 300 sensors. In the example deployment shown in Figure
10.1, the sensor is deployed on the network perimeter or demilitarized zone
(DMZ). Inside the protected network is a management host with the IDS MC
installed.
The sensor monitors traffic inside the DMZ between the inner
and outer firewall routers. The sensor has two interfaces: a control interface
that is connected to the internal network and a monitoring interface connected
to the DMZ network. The control interface provides for management and
configuration of the sensor. The monitoring interface, operating in promiscuous
mode, passively listens on the DMZ segment. When the sensor detects suspicious
network traffic on its monitoring interface, it will send an alarm or event to
the Security Monitor via the control interface. Through this same control
interface, the IDS Management Center manages the sensor and updates its software
versions and signature releases. The sensor uses the control interface to enable
blocks or shuns in routers or PIX firewalls. When the sensor uses a TCP RST
(reset) as a countermeasure against an attack, it sends the TCP RST packets out
through the monitoring interface rather than the control interface.