1-13
Installing Cisco Intrusion Prevention System Appliances and Modules 5.0
78-16124-01
Chapter 1 Introducing the Sensor
Modules
Note
NM-CIDS operates in promiscuous mode (IDS mode) only.
Figure 1-4 NM-CIDS in the Branch Office Router
NM-CIDS has one internal 10/100 Ethernet port that connects to the router’s backplane. There is also
one external 10/100-based Ethernet port that is used for device management (management of other
routers and/or PIX Firewalls to perform blocking) and command and control of NM-CIDS by IDS
managers.
NM-CIDS communicates with the router to exchange control and state information for bringing up and
shutting down NM-CIDS and to exchange version and status information. NM-CIDS processes packets
that are forwarded from selected interfaces on the router to the IDS interface on NM-CIDS. NM-CIDS
analyzes the captured packets and compares them against a rule set of typical intrusion activity called
signatures. If the captured packets match a defined intrusion pattern in the signatures, NM-CIDS can
take one of two actions: it can make ACL changes on the router to block the attack, or it can send a TCP
reset packet to the sender to stop the TCP session that is causing the attack.
In addition to analyzing captured packets to identify malicious activity, NM-CIDS can also perform IP
session logging that can be configured as a response action on a per-signature basis. When the signature
fires, session logs are created over a specified time period in a tcpdump format. You can view these logs
using Ethereal or replay the IP session using tools such as TCP Replay.
You can manage and retrieve events from NM-CIDS through the CLI or IDM.
The IDS requires a reliable time source. All the events (alerts) must have the correct time stamp,
otherwise, you cannot correctly analyze the logs after an attack. You cannot manually set the time on
NM-CIDS. NM-CIDS gets its time from the Cisco router in which it is installed. Routers do not have a
battery so they cannot preserve a time setting when they are powered off. You must set the router’s clock
each time you power up or reset the router, or you can configure the router to use NTP time
synchronization. We recommend NTP time synchronization. You can configure either NM-CIDS itself
or the router it is installed in to use NTP time synchronization. For more information, see Time Sources
and the Sensor, page 1-14.
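The two preceding paragraphs describe session logs written in tcpdump format and the need for correct event time stamps. The following added example (not from the Cisco guide or the NM-CIDS software) parses that format and flags records whose time stamps cannot be trusted, which is what an analyst would check before correlating a retrieved session log with alerts from other sources. The capture bytes are constructed inline, and the 2005 cut-off date used to detect an unset router clock is an assumption of this example, not a Cisco-defined value.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic tcpdump magic (microsecond time stamps)
LINKTYPE_ETHERNET = 1

# Records stamped before this date are treated as "clock never set". A router
# without a battery-backed clock boots into a default date, and a sensor that
# takes its time from such a router stamps events years in the past. The
# cut-off is an assumption for this example, not a value defined by Cisco.
PLAUSIBLE_EPOCH = int(datetime(2005, 1, 1, tzinfo=timezone.utc).timestamp())


def _endian_for(magic_bytes):
    """Return the struct byte-order prefix implied by the pcap magic number."""
    for fmt in ("<", ">"):
        if struct.unpack(fmt + "I", magic_bytes)[0] == PCAP_MAGIC_USEC:
            return fmt
    raise ValueError("not a tcpdump/pcap file (bad magic)")


def parse_pcap(data):
    """Parse a tcpdump-format capture into (header_dict, [record_dict, ...])."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    e = _endian_for(data[:4])
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(e + "HHiIII", data[4:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad record length at offset %d" % off)
        records.append({
            "ts": ts_sec + ts_usec / 1e6,          # seconds since the Unix epoch
            "captured": incl_len,
            "original": orig_len,
            "truncated": incl_len < orig_len,      # snaplen cut the packet short
            "payload": data[off:off + incl_len],
        })
        off += incl_len
    return header, records


def check_timestamps(records):
    """Report (index, reason) for records whose time stamps are not usable."""
    problems = []
    last = None
    for i, r in enumerate(records):
        if r["ts"] < PLAUSIBLE_EPOCH:
            problems.append((i, "clock not set"))
        if last is not None and r["ts"] < last:
            problems.append((i, "time went backwards"))
        last = r["ts"]
    return problems


def build_record(ts_sec, ts_usec, payload, orig_len=None):
    """Build one little-endian pcap record (used only to construct the sample)."""
    orig_len = len(payload) if orig_len is None else orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), orig_len) + payload


# Constructed sample capture: record 0 is stamped in 1993 (router booted with an
# unset clock), record 1 is plausible, record 2 steps backwards in time.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 1518, LINKTYPE_ETHERNET)
    + build_record(731000000, 0, b"\x00" * 60)
    + build_record(1200000000, 500000, b"\xff" * 40, orig_len=1514)
    + build_record(1199999999, 0, b"\x01" * 40)
)

if __name__ == "__main__":
    hdr, recs = parse_pcap(SAMPLE_PCAP)
    print(hdr, len(recs), "records")
    for idx, why in check_timestamps(recs):
        print("record", idx, ":", why)
```

A real session log retrieved from the sensor would be read from disk and passed to parse_pcap in place of SAMPLE_PCAP; any "clock not set" finding means the router's clock (and therefore the sensor's) was not set or synchronized when the log was written.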
[Figure 1-4 labels: Untrusted network; Command and control; HQ; Hacker A (outside); Hacker B (employee); 26xx/36xx/37/NG branch router with NM-CIDS]