Cisco Systems IPS 7.1 Home Security System User Manual

A-24
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
SensorApp
Alert
Block host
Block connection
Generate SNMP trap
Capture trigger packet
Statistics Processor—This processor keeps track of system statistics such as packet counts and packet arrival rates.
Layer 2 Processor—This processor processes layer 2-related events. It also identifies malformed packets and removes them from the processing path. You can configure actionable events for detecting malformed packets such as alert, capture packet, and deny packet. The layer 2 processor updates statistics about packets that have been denied because of the policy you have configured.
Database Processor—This processor maintains the signature state and flow databases.
Fragment Reassembly Processor—This processor reassembles fragmented IP datagrams. It is also responsible for normalization of IP fragments when the sensor is in inline mode.
Stream Reassembly Processor—This processor reorders TCP streams to ensure the arrival order of the packets at the various stream-based inspectors. It is also responsible for normalization of the TCP stream. The normalizer engine lets you enable or disable alert and deny actions.
The TCP Stream Reassembly Processor normalizer has a hold-down timer, which lets the stream state rebuild after a reconfiguration event. You cannot configure the timer. During the hold-down interval, the system synchronizes stream state on the first packet in a stream that passes through the system. When the hold-down has expired, SensorApp enforces your configured policy. If this policy calls for a denial of streams that have not been opened with a 3-way handshake, established streams that were quiescent during the hold-down period will not be forwarded and will be allowed to time out. Those streams that were synchronized during the hold-down period are allowed to continue.
Signature Analysis Processor—This processor dispatches packets to the inspectors that are not stream-based and that are configured for interest in the packet in process.
Slave Dispatch Processor—A process found only on dual CPU systems.
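To make the hold-down behaviour of the Stream Reassembly Processor normalizer concrete, here is a small Python model added for this page; it is not Cisco's code. The Normalizer class, its method names and the 5-second timer value are assumptions, and the flows replayed in demo() are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of the hold-down behaviour described for the TCP Stream
# Reassembly Processor. Names and the timer value are assumptions, not Cisco's.
HOLD_DOWN_SECONDS = 5.0  # assumed; the real timer is not user-configurable


@dataclass
class Normalizer:
    # Policy: deny streams that were not opened with a 3-way handshake.
    deny_unhandshaked: bool = True
    hold_down_until: float = 0.0
    streams: set = field(default_factory=set)  # flows with known state

    def reconfigure(self, now):
        """Reconfiguration drops stream state and starts the hold-down timer."""
        self.streams.clear()
        self.hold_down_until = now + HOLD_DOWN_SECONDS

    def process(self, now, flow, syn=False):
        """Return 'forward' or 'deny' for one packet of `flow` (any hashable key)."""
        if flow in self.streams:
            return "forward"  # known stream: policy already satisfied
        if now < self.hold_down_until:
            # Hold-down: synchronize state from the first packet seen, any flags.
            self.streams.add(flow)
            return "forward"
        if syn:
            # Hold-down expired: a new stream opened by a handshake is tracked.
            self.streams.add(flow)
            return "forward"
        # Hold-down expired, no state, not a handshake: enforce policy.
        # A denied stream never gains state, so it is simply left to time out.
        return "deny" if self.deny_unhandshaked else "forward"


def demo():
    """Replay the scenario from the text; return the verdict for each flow."""
    n = Normalizer()
    n.reconfigure(now=0.0)
    a1 = n.process(1.0, "A")            # mid-stream data during hold-down: synchronized
    b1 = n.process(7.0, "B")            # established stream quiet until after hold-down
    a2 = n.process(8.0, "A")            # A continues after hold-down: state exists
    c1 = n.process(9.0, "C", syn=True)  # new connection opening with SYN after hold-down
    return {"A_during": a1, "B_quiet": b1, "A_after": a2, "C_syn": c1}
```

Flow B is the case the text warns about: a connection that was established before the reconfiguration but idle through the hold-down has no state when enforcement begins, so it is denied and left to time out.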
The SensorApp also supports the following units:
Analysis Engine—The Analysis Engine handles sensor configuration. It maps the interfaces and also the signature and alarm channel policy to the configured interfaces.
Alarm Channel—The Alarm Channel processes all signature events generated by the inspectors. Its primary function is to generate alerts for each event it is passed.
Inline, Normalization, and Event Risk Rating Features
The SensorApp contains the following inline, normalization, and event risk rating features:
Processing packets inline
When the sensor is processing packets in the data path, all packets are forwarded without any modifications unless explicitly denied by policy configuration. Because of TCP normalization it is possible that some packets will be delayed to ensure proper coverage. When policy violations are encountered, the SensorApp allows for the configuration of actions. Additional actions are available in inline mode, such as deny packet, deny flow, and deny attacker.