Cisco IPS 4255 Sensor White Paper
Technical Overview
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Cisco Security Agent/IPS Collaborative Architecture
The architecture integrating Cisco Security Agent and IPS relies on the interaction of three major components:
● Cisco IPS (Sensor): Any Cisco IPS platform running at minimum Cisco IPS Sensor Software Version 6.0, configured either in inline protection mode (IPS) or promiscuous mode (IDS).
● Cisco Security Agents (Agents): Host-based IPS software running on the servers and desktops to be protected and monitored.
● Management Center for Cisco Security Agents (Cisco Security Agent MC): A standalone application that provides centralized security policy configuration, monitoring, and administration for Cisco Security Agents. In addition, Cisco Security Agent MC performs global correlation based on the event and posture information generated by the Cisco Security Agents. Cisco Security Agent MC 5.0 or later is required to integrate with IPS.
The components of the architecture and their interactions are depicted in Figure 1.
Figure 1. Cisco Security Agent/IPS Collaborative Architecture
Note: The minimum software versions required for integration are Cisco Security Agent MC 5.0 and Cisco IPS Sensor Software 6.0.
The Cisco Security Agent is a host-based agent that sits between the applications and the OS kernel, giving it maximum endpoint visibility and allowing it to provide defense-in-depth protection to mission-critical servers and desktops. As part of their operation, Cisco Security Agents generate valuable event and posture information that is collected and correlated by Cisco Security Agent MC. The transfer of information between the agents and Cisco Security Agent MC is protected by SSL.
In addition to the detailed endpoint information collected from agents, Cisco Security Agent MC global correlation generates threat data that is valuable to Cisco IPS. When shared with Cisco IPS, this data increases the sensor's visibility into endpoints and global threats. The Cisco IPS sensor retrieves this information via Secure Device Event Exchange (SDEE), an HTTP-based protocol developed by a consortium (led by Cisco) for the secure exchange of network event information. Communications between Cisco Security Agent MC and IPS are protected with SSL/TLS encryption and HTTP authentication; in practice the sensor should be configured to verify the Cisco Security Agent MC server certificate, since encryption without certificate verification does not protect against an attacker interposed between the two.