Cisco Secure Intrusion Detection System
2.3 CIDS Sensor Platforms

2.3.1 Sensor platform features
Two main components make up CIDS: the Sensor and the Director platforms. The Sensor is the most critical component because it detects, responds to, and reports unauthorized activity to a Director platform. It uses a rules-based engine to distill large volumes of IP network traffic into meaningful security events. It detects unauthorized activity by sniffing or capturing raw traffic from the network and then analyzing it in real time for intrusion detection signatures. If configured to do so, the Sensor reassembles packets before the signature analysis is performed, which closes off a technique that could otherwise be used to evade detection.
When signatures are triggered, the Sensor logs the event and sends an alarm notification to a Director platform. It can automatically terminate the TCP session that triggered the signature, block the IP address by dynamically creating an access control list (ACL) in a managed Cisco IOS router, or both. Sensors can also log an IP session that triggers a signature. An operator may manually block host or network IP addresses that generated alarms.
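The two preceding paragraphs describe the Sensor's pipeline: reassemble traffic, match it against signatures, then log, alarm, reset the TCP session, or shun the source with a dynamically generated IOS ACL. The following Python is an added illustration written for this page and is not Cisco's code; the signature IDs, patterns, sample fragments and ACL number 199 are constructed for the example. It shows why reassembly has to happen before matching: a pattern split across two fragments is invisible to per-fragment inspection but is found once the fragments are put back in order.

```python
"""Toy CIDS-style sensor pipeline (added example, not Cisco code).

Demonstrates: (1) reassembly before signature matching, (2) the response
decision (log + alarm always, plus TCP reset and/or ACL shun per signature).
"""
from dataclasses import dataclass

# Constructed mini signature table (IDs and patterns are hypothetical).
SIGNATURES = {
    1001: {"pattern": b"/etc/passwd", "severity": "high", "response": "reset"},
    1002: {"pattern": b"cmd.exe", "severity": "high", "response": "shun"},
    1003: {"pattern": b"admin", "severity": "low", "response": "none"},
}

SHUN_ACL_NUMBER = 199  # hypothetical extended ACL number on the managed router


@dataclass
class Fragment:
    """One captured IP fragment: who sent it, where the data sits in the stream."""
    src: str
    dst: str
    offset: int
    payload: bytes


def reassemble(fragments):
    """Order fragments by stream offset and join them into one byte stream."""
    return b"".join(f.payload for f in sorted(fragments, key=lambda f: f.offset))


def match_signatures(data):
    """Return the sorted IDs of every signature whose pattern occurs in data."""
    return sorted(sid for sid, sig in SIGNATURES.items() if sig["pattern"] in data)


def analyze(fragments, reassemble_first=True):
    """Run signature analysis and return the triggered signature IDs.

    With reassemble_first=False each fragment is inspected in isolation,
    which is the evasion case the Sensor's reassembly option prevents.
    """
    streams = [reassemble(fragments)] if reassemble_first else [f.payload for f in fragments]
    hits = set()
    for stream in streams:
        hits.update(match_signatures(stream))
    return sorted(hits)


def respond(sid, src):
    """Decide the Sensor's actions for a triggered signature from source src.

    Every trigger is logged and alarmed; high-severity signatures may add a
    TCP reset, an IOS ACL entry that shuns the source address, or both.
    """
    sig = SIGNATURES[sid]
    actions = ["log", "alarm"]
    if sig["response"] in ("reset", "both"):
        actions.append("tcp_reset")
    if sig["response"] in ("shun", "both"):
        # Real IOS syntax for a numbered extended ACL deny entry.
        actions.append(f"access-list {SHUN_ACL_NUMBER} deny ip host {src} any")
    return actions


# Constructed sample capture: the string "/etc/passwd" is split across two
# fragments that also arrive out of order.
SAMPLE_FRAGMENTS = [
    Fragment("10.0.0.5", "192.0.2.10", 11, b"sswd HTTP/1.0\r\n"),
    Fragment("10.0.0.5", "192.0.2.10", 0, b"GET /etc/pa"),
]

# Constructed second sample: a single-fragment request that hits the shun signature.
SAMPLE_SHUN = [Fragment("10.0.0.6", "192.0.2.10", 0, b"GET /scripts/cmd.exe HTTP/1.0\r\n")]


if __name__ == "__main__":
    print("per-fragment only :", analyze(SAMPLE_FRAGMENTS, reassemble_first=False))
    print("after reassembly  :", analyze(SAMPLE_FRAGMENTS))
    for frags in (SAMPLE_FRAGMENTS, SAMPLE_SHUN):
        for sid in analyze(frags):
            print(f"sig {sid} from {frags[0].src}: {respond(sid, frags[0].src)}")
```

Running the block prints an empty hit list for per-fragment inspection and `[1001]` after reassembly, then the response list for each trigger; the shun case ends with the ACL line a Sensor would push to the managed router.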
All Sensor platforms are hardware appliances that are tuned for performance, have been security hardened, and are designed for ease of maintenance. The hardware, including CPU and memory, for each appliance was selected for optimal performance of intrusion detection analysis. The appliance's host operating system was also configured securely to protect against possible attacks.