1-3
Installing Cisco Intrusion Prevention System Appliances and Modules 5.0
78-16124-01
Chapter 1 Introducing the Sensor
How the Sensor Functions
• Make ACL changes on switches, routers, and firewalls that the sensor manages.
Note
ACLs may block only future traffic, not current traffic.
• Generate IP session logs, session replay, and trigger packets display.
IP session logs are used to gather information about unauthorized use. IP log files are written when
a certain event or events occur that you have configured the appliance to look for.
• Implement multiple packet drop actions to stop worms and viruses.
Sensor Interfaces
The command and control interface is permanently mapped to a specific physical interface, which
depends on the type of sensor you have. You can let the sensing interfaces operate in promiscuous mode,
or you can pair the network sensing interfaces into logical interfaces called “inline pairs.” You must
enable the interfaces or inline pairs before the sensor can monitor traffic.
Note
On appliances, the sensing interfaces are disabled by default. On modules, the sensing interfaces are
always enabled and cannot be disabled.
The sensing interface does not have an IP address assigned to it and is therefore invisible to attackers.
This lets the sensor monitor the data stream without letting attackers know they are being watched.
Promiscuous mode contrasts with inline technology, where all packets entering or leaving the network
must pass through the sensor. For more information, see Promiscuous Mode, page 1-3 and Inline Mode,
page 1-4.
The sensor monitors traffic on interfaces or inline pairs that are assigned to the default virtual sensor.
For more information, refer to Assigning Interfaces to the Virtual Sensor.
To configure the sensor so that traffic continues to flow through inline pairs even when SensorApp is not
running, you can enable bypass mode. Bypass mode minimizes dataflow interruptions during
reconfiguration, service pack installation, or software failure.
The sensor detects the interfaces of modules that have been installed while the chassis was powered off.
You can configure them the next time you start the sensor. If a module is removed, the sensor detects the
absence of the interfaces the next time it is started. Your interface configuration is retained, but the
sensor ignores it if the interfaces are not present.
The following interface configuration events are reported as status events:
• Link up or down
• Traffic started or stopped
• Bypass mode auto activated or deactivated
• Missed packet percentage threshold exceeded
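The status events listed above mark the periods when an interface is not being inspected: link down, traffic stopped, or bypass mode passing traffic while SensorApp is not running. The following added example (not Cisco code) turns a stream of such events into per-interface inspection gaps; the line format, event keywords, and interface names are assumptions constructed for illustration, not the sensor's actual event syntax.

```python
from datetime import datetime

# Constructed sample status events: "<ISO time> <interface> <event>".
# Format, keywords, and interface names are assumptions for this example.
SAMPLE_EVENTS = """\
2005-06-01T02:00:00 pair0 bypass_activated
2005-06-01T02:04:30 pair0 bypass_deactivated
2005-06-01T03:10:00 ge0/1 link_down
2005-06-01T03:10:05 ge0/1 traffic_stopped
2005-06-01T03:12:00 ge0/1 link_up
2005-06-01T03:12:02 ge0/1 traffic_started
2005-06-01T04:00:00 ge0/2 missed_packets_exceeded
2005-06-01T05:00:00 pair0 bypass_activated
"""

# event keyword -> (condition, True if it opens a gap, False if it closes one)
TRANSITIONS = {
    "bypass_activated": ("bypass", True),
    "bypass_deactivated": ("bypass", False),
    "link_down": ("link", True),
    "link_up": ("link", False),
    "traffic_stopped": ("traffic", True),
    "traffic_started": ("traffic", False),
}

def inspection_gaps(log_text):
    """Return (gaps, alerts).

    gaps: (interface, condition, start, end, seconds); end and seconds are
    None when the condition was never cleared. alerts: (interface, time).
    """
    open_gaps, gaps, alerts = {}, [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, iface, event = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if event == "missed_packets_exceeded":
            alerts.append((iface, ts))  # point-in-time loss of coverage
        elif event in TRANSITIONS:
            cond, opens = TRANSITIONS[event]
            key = (iface, cond)
            if opens:
                open_gaps.setdefault(key, ts)  # keep the earliest start
            elif key in open_gaps:
                start = open_gaps.pop(key)
                gaps.append((iface, cond, start, ts, (ts - start).total_seconds()))
    # Conditions still active at the end of the log are reported as open gaps.
    gaps += [(i, c, s, None, None) for (i, c), s in sorted(open_gaps.items())]
    return gaps, alerts
```

A bypass gap that is still open at the end of the log means traffic on that inline pair is currently being forwarded without analysis.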
Promiscuous Mode
In promiscuous mode, packets do not flow through the IPS. The sensor analyzes a copy of the monitored
traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that
the IPS does not affect the flow of the forwarded traffic. The disadvantage of operating in