Cisco IPS 4255 Sensor White Paper
Technical Overview
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 18
Note: Cisco Security Agent MC authenticates by providing X.509 certificates, while the IPS sensor authenticates using a username and password.
To start receiving information, an IPS sensor needs to open an SDEE subscription with Cisco Security Agent MC. After the communication channels are authenticated and established, two types of messages are exchanged between Cisco Security Agent MC and IPS sensors:
● Cisco Security Agent Posture Events: Contain host posture information collected by Cisco Security Agent MC, such as the IP address and the OS type of the hosts running Cisco Security Agent. To receive posture events, an IPS sensor has to open a subscription. After the subscription is open, Cisco Security Agent MC sends an initial state message with the IP addresses and OS types of all known agents. After the initial state, Cisco Security Agent MC keeps the IPS informed through updates.
● Quarantine Events: Generated by Cisco Security Agent MC to communicate to IPS sensors the list of hosts that are being quarantined. A host is quarantined either manually by a Cisco Security Agent MC administrator or by a rule generated through global correlation. Quarantine events include the reason for the quarantine, the protocol associated with the rule violation (TCP, UDP, or ICMP), an indicator of whether the rule-based violation was associated with an established TCP connection or a UDP session, and the IP address of the host to be quarantined. IPS sensors must subscribe before they can start receiving quarantine events. Cisco Security Agent MC sends an initial state message containing the list of all the hosts under quarantine, and reports any subsequent quarantine incidents via updates.
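As an added example (not code from the white paper or from Cisco), the following Python models the subscription exchange above from the sensor's side: open the subscription, treat the initial state message as the complete table, merge later updates, and reject events whose fields contradict the description (an unknown protocol, or an ICMP violation flagged as tied to an established session). The message types, field names and sample hosts are assumptions, not the real SDEE or Cisco Security Agent MC schema.

```python
from dataclasses import dataclass, field
# Assumed message shapes (the real CSA MC / SDEE schema is not on the page):
#   posture_*:    {"type": ..., "body": {ip: os_type}}
#   quarantine_*: {"type": ..., "body": [{"ip", "reason", "protocol", "session_based"}]}
VALID_PROTOCOLS = {"TCP", "UDP", "ICMP"}

@dataclass
class SensorView:
    subscribed: bool = False
    posture: dict = field(default_factory=dict)      # ip -> OS type
    quarantined: dict = field(default_factory=dict)  # ip -> quarantine record

    def open_subscription(self) -> None:
        self.subscribed = True

    def handle(self, msg: dict) -> None:
        """Initial-state messages replace the table; updates merge into it."""
        if not self.subscribed:
            raise RuntimeError("events arrive only after the SDEE subscription is opened")
        kind, body = msg["type"], msg["body"]
        if kind == "posture_initial":
            self.posture = dict(body)          # all agents known to the MC
        elif kind == "posture_update":
            self.posture.update(body)          # new or changed agents only
        elif kind in ("quarantine_initial", "quarantine_update"):
            if kind == "quarantine_initial":
                self.quarantined.clear()
            for q in body:
                if q["protocol"] not in VALID_PROTOCOLS:
                    raise ValueError(f"unknown protocol {q['protocol']!r}")
                if q["protocol"] == "ICMP" and q["session_based"]:
                    raise ValueError("ICMP violations cannot be tied to a session")
                self.quarantined[q["ip"]] = q
        else:
            raise ValueError(f"unexpected message type {kind!r}")

# Constructed sample exchange (not captured traffic): initial state, then updates.
SAMPLE_EXCHANGE = [
    {"type": "posture_initial", "body": {"10.0.0.5": "Windows XP", "10.0.0.7": "Linux"}},
    {"type": "quarantine_initial", "body": []},
    {"type": "posture_update", "body": {"10.0.0.9": "Solaris"}},
    {"type": "quarantine_update", "body": [{"ip": "10.0.0.7", "reason": "global correlation",
                                           "protocol": "TCP", "session_based": True}]},
]

def replay(messages=SAMPLE_EXCHANGE) -> SensorView:
    view = SensorView()
    view.open_subscription()      # the sensor must subscribe before any event is delivered
    for m in messages:
        view.handle(m)
    return view
```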
Deployment Considerations
In general, the same best practices used to deploy Cisco Security Agent and Cisco IPS as standalone products apply when the two are implemented together in the same environment; therefore, it is always a good idea to follow those principles whenever possible. In addition to adopting the design best practices for Cisco Security Agent and Cisco IPS, there are a few important considerations that should be noted when integrating the two products:
Inline Protection (IPS) and Promiscuous (IDS) Modes
Cisco Security Agent can be integrated with Cisco IPS sensors that are configured either in inline protection (IPS) mode or promiscuous detection (IDS) mode. This results in greater flexibility, because there are different valid reasons why a network administrator may opt to deploy IPS in one mode or the other.
Even though there are many possible designs, in a typical inline protection mode deployment the IPS will sit between the Cisco Security Agents and the rest of the network. In this way the IPS can block attacks dynamically as malicious packets move through the system. In a typical promiscuous mode deployment, the IDS will be connected to a switch port configured to capture traffic from and to the hosts protected with Cisco Security Agents. These designs are illustrated in Figure 2.
Figure 2. Typical IPS/IDS Deployment Designs