Identifying the Sensor

Technically speaking, there are two types of sensor platforms available: the 4200 series sensors and the Catalyst 6000/6500 series IDS Module (or IDSM), both of which we cover in detail in Chapter 6. Within the 4200 series, there are four different sensor appliances offered in the Cisco product line. Depending on your budget, organizational needs, and the number of external connections to the Internet, multiple sensors or a single sensor could be the answer. It is important to be able to identify which sensor you will be working with because there are some subtle differences between the models. The old NetRanger sensors, 4220 and 4230, were bulky 7-inch, four-rack-unit (RU) models. The introduction of the newer blade-style models streamlined the chassis into a 1U format for all models, including the 4210 (as shown in Figure 3.1), 4215, 4235, 4250, and 4250-XL. For the purpose of this chapter, we will focus on the model 4230 since it is one of the most commonly available and is still used on the Cisco IDS certification test.

Figure 3.1: 4210 Layout of Back Panel

Each of the sensors has two ports: a monitoring or sniffing interface that captures the traffic to analyze, and a control port that provides access to the sensor via Telnet, CSPM, and so on. The control port is the only port on the sensor that will actually be assigned an IP address on the network. Some modules also have a console port, which can be a DB9 connector (as on the 4230) or an RJ45 console cable jack.


Note

Cisco best practices call for placing the control port on an isolated network or out-of-band management network that carries management traffic on a network separate from the enterprise network. Cisco documentation refers to this type of network as the Command and Control Network.

It is critical to be able to identify the monitoring or sniffing port on the IDS. On the 4210, the device name is /dev/iprb0. The 4210 sensor has two built-in ports directly on top of one another. The monitoring interface is the lower port, iprb0. The control port is iprb1, which is located above the sniffing port (refer to Figure 3.2). The 4220 and 4230 sensors have expandable slots. One of the ports is built-in, and the other is located on the expansion slot. That is, iprb0 can be found on the sensor, while /dev/spwr0 is physically located in slot 5 in order to capture packets.

Figure 3.2: 4230 Layout of Back Panel

The 4230 and 4220 sensors can be configured in different ways to accommodate different networks. iprb0 is used for control in each configuration. For a token ring network, use /dev/mtok36, which is located in slot 6, to capture packets. For an FDDI network, use /dev/ptpci, which is located in slot 4.