Understanding the Cisco IDSM Sensor

The IDSM sensor differs from the other, more common IDS sensors from Cisco by being a blade- or module-based solution. Unlike the 4230 sensor, which uses a form of Solaris as its OS and runs on a dual-Pentium PC in a box, the first generation of IDSM blades uses an embedded form of Windows, while the second generation uses Red Hat Linux as the OS. In both types of sensor there is a complete PC on a card, with a hard drive, memory, ports, and the OS. The IDSM card occupies one slot in a Cisco Catalyst 6000/6500 series switch. You have to stack IDSM sensors in the switch to aggregate the throughput of the IDSM, which until recently was 250 Mbps of traffic. Figure 6.1 shows an architectural view of the IDSM. Notice how traffic flows through the switch, and how the IDSM can see that traffic.

Figure 6.1: The Cisco IDSM Architecture

This architecture is one of the reasons the Cisco IDSM is so little understood. The fact that the IDSM sensor actually sits in the switch as a blade and connects directly to the switch backplane confuses many people. Contributing to the confusion is the difficulty of finding any information on installing and configuring the IDSM sensor. The Cisco IDSM sensor is not a cheap device and, as a result, there are not very many IDSM sensors installed. This cost is multiplied when you consider that you first need the Catalyst 6000/6500 chassis before you can install and use the IDSM sensor. The cost of the Catalyst switch chassis alone precludes having one of the IDSM sensors in your home lab, or even in most commercial Cisco labs.

As we mentioned, the IDSM sensor has a processor, RAM, BIOS, and a hard drive, which is typical of a PC-like architecture. Unlike a PC, however, there are two ports. The first port is the monitoring port, while the second is called the Command Port. The monitoring port is port 1 and is set up to automatically block all VLANs by default. Port 1 uses 802.1q as the trunking protocol. The command port is port 2, which will have an IP address assigned to it through which the IDSM sensor is managed.

The earlier IDSM v1 sensor was much more limited in what it could, and could not, do relative to the IDS appliance. For example, the earlier IDSM sensor could not perform TCP resets, command-line management, Web-based management, or IP logging. The new IDSMv2 sensor offers all of these improvements and more, such as not having to use the Cisco PostOffice protocol to communicate between sensors or with the director. Because the new IDSM-2 sensor can run 4.0 and newer code, the sensor can use a new protocol called Remote Data Exchange Protocol, or RDEP. This new protocol is not available to the IDSM-1, since IDSM-1 code development stopped at version 3.1. However, with version 3.0 and 3.1 code, the port number used for the Cisco PostOffice Protocol can now be defined to whatever port number the administrator would like.

The IDSM-1 sensor can monitor up to 100 Mbps of traffic based on a minimum packet size of 64 bytes, while the IDSM-2 sensor can monitor up to 600 Mbps of traffic. In both IDSM sensor units, the traffic is captured directly off the switch backplane. It is possible to use more than one IDSM sensor to scale the monitoring capacity of the IDSM sensor and switch combination. If the Cisco switch has a Policy Feature Card (PFC), the switch can be configured to use VACLs to capture the traffic. All supported Cisco switches can use the Switched Port Analyzer (SPAN) option. If the switch has an MSFC, it can use MLS IP to capture traffic. The IDSM differs from the standard IDS in that it can monitor multiple VLANs simultaneously by having the monitoring port configured as a trunk. Because the IDSM sensor sits on the backplane of the switch and has direct access to the data flow, it does not impact the switch's performance. The signatures and attacks that the IDSM can detect mirror those used by the 4200 series of sensors.
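The two capture methods described above (SPAN and VACL capture feeding the trunked monitoring port) look like the following on the switch side. This is an added configuration example written for this section, not configuration taken from the book or from Cisco documentation; it assumes a Catalyst 6500 running native IOS with a PFC, an IDSM-2 in slot 5 (the slot number, the VLAN numbers 10 and 20, and the ACL and access-map names are all assumptions), and the exact command syntax should be checked against the IOS release in use.

```cisco
! --- Option 1: SPAN ---
! Copy everything seen on VLANs 10 and 20 (both directions) to the
! IDSM-2 data port in slot 5.  Simple, but the number of SPAN sessions
! per chassis is small and a busy VLAN pair can oversubscribe the port.
monitor session 1 source vlan 10 both
monitor session 1 source vlan 20 both
monitor session 1 destination intrusion-detection-module 5 data-port 1

! --- Option 2: VACL capture (requires a PFC) ---
! The ACL selects which traffic is copied.  "permit ip any any" mirrors
! everything; narrowing it lets the sensor stay under its rated load.
ip access-list extended IDS-CAPTURE
 permit ip any any
! The access map forwards the matched traffic normally AND sets the
! capture bit, so the switch keeps passing traffic while the IDSM sees it.
vlan access-map IDS-MAP 10
 match ip address IDS-CAPTURE
 action forward capture
! Apply the map to the monitored VLANs.
vlan filter IDS-MAP vlan-list 10,20
! Make the IDSM-2 data port a capture destination and restrict which
! VLANs it receives; with several blades this is how you split load.
intrusion-detection module 5 data-port 1 capture allowed-vlan 10,20
intrusion-detection module 5 data-port 1 capture
```

In both cases the sensor's data port (port 1 from the description above) is an 802.1q trunk, so the IDSM can tell the VLANs apart when it reports an event. The VACL path is the one to reach for when SPAN sessions are exhausted or when you need to be selective about what is mirrored; checking the port's utilization after enabling capture is a cheap way to confirm the blade is not being fed more than its rated 100 or 600 Mbps.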