The Cisco Secure Intrusion Detection System (CIDS) is a network-based IDS that uses signatures to detect intrusive activity on your network. The CIDS systems rely on both a sensor platform to capture and analyze network traffic, and an Event Viewer that acts as a centralized alarm and event display platform for the distributed CIDS infrastructure. Communication between these two platforms is handled via the Cisco proprietary PostOffice protocol.
Two types of sensors are available with CIDS:
4200 Series Network Sensor Appliance
6000 Series Catalyst Intrusion Detection System Module (IDSM)
The 4200 series network sensor appliance consists of three different models, each tuned for a specific network requirement. The three models and their associated performance features are as follows:
4210—Capable of monitoring and analyzing 45 Mbps
4235—Capable of monitoring and analyzing 200 Mbps
4250—Capable of monitoring and analyzing 500 Mbps
The IDSM is an integrated line card that can be inserted into any 6000 series Catalyst switch. The IDSM copies packets directly off the switch backplane and can monitor up to 100 Mbps. Because the IDSM monitors copies of packets taken off the switch backplane, it needn’t be in the forwarding path of network traffic and won’t affect switch throughput performance. Both the 4200 series network appliance and the IDSM can be configured and managed with either director platform, but the Device Manager can’t be installed on an IDSM.
The director platforms allow for centralized configuration and management of the distributed sensor infrastructure. CIDS offers two director platforms, either of which can be used with any type of CIDS sensor. The two director platforms are as follows:
Cisco Secure Policy Manager (CSPM)
CIDS Director for UNIX
CSPM runs on Windows NT 4.0, while CIDS Director for UNIX is an HP OpenView application that runs on Sun Solaris or HPUX. Both offer a GUI.
Communication between the sensor and director platforms is facilitated with the Cisco proprietary PostOffice protocol. The PostOffice protocol isn’t an e-mail protocol like SMTP, POP, or IMAP. Instead, it’s a protocol maintained by Cisco that brings reliability, redundancy, and fault tolerance to the CIDS communication architecture.
Each sensor contains a web application called Device Manager. The Device Manager Application can be used to configure and manage each sensor. The CIDS exam focuses on the use of Device Manager for the configuration of network sensors.
The CIDS application system is made up of services, or daemons, each of which performs a unique function within the CIDS architecture. Daemons run on both the sensor and director platforms, and the most critical ones, such as postofficed, run on both. At a minimum, the following daemons must be running on a functioning sensor:
packetd
postofficed
fileXferd
loggerd
The daemons that must be installed and running on a director platform include the following:
smid
postofficed
fileXferd
loggerd
While monitoring the network, the Cisco Secure Intrusion Detection System generates a wealth of information that’s stored in log files. These log files include information such as the alarms generated, daemon error conditions, commands issued, and IP session information. Four types of log files are generated by CIDS:
Event (Alarm) logs
Command logs
Service Error logs
IP Session logs
1. Which of the following sensor models is capable of delivering 200 Mbps or more of monitoring and analyzing?
2. On which of the following operating systems will CSPM operate properly?
3. What is the command that can be used to start the IDS system on a 4200 series network sensor appliance?
4. Which of the following daemons is responsible for the monitoring and analyzing of network traffic?
5. Where are archived IP session log files located?
6. Which file would you open to see the IP address and UDP port associated with the host name of a CIDS component?
7. What is the default installation directory on all CIDS sensors?
8. What command would return the current services running and their versions?
9. What is the protocol used as a communication vehicle between the sensor and director platforms?
10. The CIDS Director for UNIX will run on which of the following operating systems?
11. Why should IP blocking be used cautiously?
12. What type of files are stored in the /usr/nr/etc directory?
13. What is a token?
14. What script can assist administrators in troubleshooting communication issues between CIDS devices?
15. Which of the following files should not be changed unless directed by Cisco?
16. What are the four types of log files?
17. The director platform can be configured to respond automatically to an attack by what?
18. Which of the following daemons are responsible for file deletion and for moving log files to the database staging area?
19. Which of the following daemons allow the director platforms to configure sensors remotely?
20. Which of the following daemons runs only on the sensor or only on the director, but doesn’t run on both?
Answers
1. C. and D. Both the 4235 and 4250 are capable of 200 Mbps or better
2. A. Windows NT 4.0
3. B. idsstart
4. A. packetd
5. D. /usr/nr/var/iplog/new
6. B. routes
7. C. /usr/nr
8. A. idsvers
9. D. PostOffice
10. A. and C. HPUX and Sun Solaris
11. D. Because hackers can use this feature to attack your infrastructure
12. A. and B. Configuration and System files
13. A. A configuration parameter
14. C. idsconn
15. A. signature
16. D. event, error, IP session, command
17. D. None of the above
18. D. sapd
19. A. .fileXferd
20. B. and C. packetd (sensor), smid (director)