Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
System Applications
The Cisco IPS software includes the following applications:

- MainApp—Initializes the system, starts and stops the other applications, configures the OS, and performs upgrades. It contains the following components:
  - ctlTransSource (Control Transaction server)—Allows sensors to send control transactions. This is used to enable the master blocking sensor capability of Attack Response Controller (formerly known as Network Access Controller).
  - Event Store—An indexed store used to store IPS events (error, status, and alert system messages) that is accessible through the CLI, IDM, IME, ASDM, or SDEE.
    Note: The Event Store has a fixed size of 30 MB for all platforms.
  - InterfaceApp—Handles bypass and physical settings and defines paired interfaces. Physical settings are speed, duplex, and administrative state.
  - Logger—Writes all the log messages of the application to the log file and the error messages of the application to the Event Store.
  - Attack Response Controller (formerly known as Network Access Controller)—Manages remote network devices (firewalls, routers, and switches) to provide blocking capabilities when an alert event has occurred. The ARC creates and applies ACLs on the controlled network device or uses the shun command (firewalls).
  - NotificationApp—Sends SNMP traps when triggered by alert, status, and error events. The NotificationApp uses the public domain SNMP agent. SNMP GETs provide information about the general health of the sensor.
  - Web server (HTTP SDEE server)—Provides a web interface and communication with the other IPS devices through the SDEE protocol using several servlets to provide the IPS services.
  - AuthenticationApp—Verifies that users are authorized to perform CLI, IDM, IME, ASDM, or SDEE actions.
- SensorApp (Analysis Engine)—Performs packet capture and analysis.
- CollaborationApp—Interfaces with the MainApp and the SensorApp using various interprocess communication technologies including IDAPI control transactions, semaphores, shared memory, and file exchange.
- CLI—The interface that is run when you successfully log in to the sensor through Telnet or SSH. All accounts created through the CLI will use the CLI as their shell (except the service account—only one service account is allowed). Allowed CLI commands depend on the privilege of the user.

All Cisco IPS applications communicate with each other through a common API called the IDAPI.
Remote applications (other sensors, management applications, and third-party software) communicate
with sensors through the SDEE protocol.

The sensor has the following partitions:

- Application partition—A full IPS system image.
- Recovery partition—A special purpose image used for recovery of the sensor. Booting into the recovery partition enables you to completely reimage the application partition. Network settings are preserved, but all other configuration is lost.