Cisco IDS Communication Overview
Cisco IDS sensors have two interfaces, a command and control interface and a monitoring interface. The command and control interface is assigned an IP address and is used for event monitoring, device configurations, communication with blocking devices such as IOS routers and PIX Firewalls, and network access to the sensor using Telnet, SSH, or HTTP. The monitoring interface, with no assigned IP address, operates in "stealth mode" to analyze traffic originating from the untrusted network and to prevent attacks on the protected network.
PostOffice protocol (not to be confused with the Internet mail protocol POP3) is used in versions 3.x and earlier, and is used for communications between the sensor and external and management systems. PostOffice uses UDP port 45000 and a proprietary addressing scheme that is explained in Chapter 6, "Sensor Appliance Installation."
RDEP replaces the PostOffice protocol and uses HTTP and HTTPS to exchange XML documents between the sensor and external devices and systems. Unlike PostOffice, which uses a push method for reporting events and alarms, RDEP uses a pull method to pull alarms at its own pace. Alarms remain on the sensor until a 4GB limit is reached, at which point alarms are overwritten. RDEP is also covered further in Chapter 6.
On sensors using version 4 and communicating with RDEP, alarms remain on the sensor until a 4GB limit is reached. At this point, alarms are overwritten.