Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Appendix A System Architecture
Communications
IDCONF
The Cisco IPS manages its configuration using XML documents. IDCONF specifies the XML schema
including the Cisco IPS control transactions. The IDCONF schema does not specify the contents of the
configuration documents, but rather the framework and building blocks from which the configuration
documents are developed. It provides mechanisms that let the IPS managers and CLI ignore features that
are not configurable by certain platforms or functions through the use of the feature-supported attribute.
IDCONF messages are wrapped inside IDIOM request and response messages.
The following is an IDCONF example:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<request xmlns="http://www.cisco.com/cids/idiom" schemaVersion="2.00">
  <editConfigDelta xmlns="http://www.cisco.com/cids/idconf">
    <component name="userAccount">
      <config typedefsVersion="2004-03-01" xmlns="http://www.cisco.com/cids/idconf">
        <struct>
          <map name="user-accounts" editOp="merge">
            <mapEntry>
              <key>
                <var name="name">cisco</var>
              </key>
              <struct>
                <struct name="credentials">
                  <var name="role">administrator</var>
                </struct>
              </struct>
            </mapEntry>
          </map>
        </struct>
      </config>
    </component>
  </editConfigDelta>
</request>
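An added example, not taken from the Cisco guide: a Python audit helper that parses an IDCONF request like the one above and reports which user-accounts entries it sets to the administrator role, rejecting input that is not well-formed XML. The element names and namespace URIs come from the example on this page; the function names and the embedded sample message are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs copied from the IDCONF example on this page.
NS = {"idiom": "http://www.cisco.com/cids/idiom",
      "idconf": "http://www.cisco.com/cids/idconf"}

# Constructed sample: the page's example, with matched tags and straight quotes.
SAMPLE = """<request xmlns="http://www.cisco.com/cids/idiom" schemaVersion="2.00">
 <editConfigDelta xmlns="http://www.cisco.com/cids/idconf">
  <component name="userAccount">
   <config typedefsVersion="2004-03-01" xmlns="http://www.cisco.com/cids/idconf">
    <struct>
     <map name="user-accounts" editOp="merge">
      <mapEntry>
       <key><var name="name">cisco</var></key>
       <struct>
        <struct name="credentials"><var name="role">administrator</var></struct>
       </struct>
      </mapEntry>
     </map>
    </struct>
   </config>
  </component>
 </editConfigDelta>
</request>"""


def account_edits(xml_text):
    """Return (component, editOp, user, role) for every user-accounts map entry."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. mismatched tags or typographic quotes
        raise ValueError(f"IDCONF message is not well-formed XML: {exc}") from exc
    if root.tag != "{%s}request" % NS["idiom"]:
        raise ValueError("IDCONF payload is not wrapped in an IDIOM request")
    found = []
    for comp in root.iterfind("idconf:editConfigDelta/idconf:component", NS):
        for amap in comp.iterfind(".//idconf:map[@name='user-accounts']", NS):
            for entry in amap.iterfind("idconf:mapEntry", NS):
                user = entry.findtext("idconf:key/idconf:var[@name='name']", None, NS)
                role = entry.findtext(
                    ".//idconf:struct[@name='credentials']/idconf:var[@name='role']", None, NS)
                found.append((comp.get("name"), amap.get("editOp"), user, role))
    return found


def administrator_grants(xml_text):
    """Account names that the delta sets to the administrator role."""
    return [user for _, _, user, role in account_edits(xml_text) if role == "administrator"]
```

Run over captured or logged configuration deltas, this gives a quick list of requests that create or modify administrator accounts.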
SDEE
The Cisco IPS produces various types of events including intrusion alerts and status events. The IPS
communicates events to clients such as management applications using the proprietary IPS-industry
leading protocol, SDEE, which is a product-independent standard for communicating security device
events. SDEE adds extensibility features that are needed for communicating events generated by various
types of security devices.
Systems that use SDEE to communicate events to clients are referred to as SDEE providers. SDEE
specifies that events can be transported using the HTTP or HTTP over SSL and TLS protocols. When
HTTP or HTTPS is used, SDEE providers act as HTTP servers, while SDEE clients are the initiators of
HTTP requests.
The IPS includes the web server, which processes HTTP or HTTPS requests. The web server uses
run-time loadable servlets to process the different types of HTTP requests. Each servlet handles HTTP
requests that are directed to the URL associated with the servlet. The SDEE server is implemented as a
web server servlet.
The SDEE server only processes authorized requests. A request is authorized if the web server has
authenticated the identity of the client and determined the privilege level of the client.