Foundation and Supplemental Topics

CiscoWorks 2000

CiscoWorks 2000 is the heart of the Cisco family of comprehensive network management tools that allow you to easily access and manage the advanced capabilities of the Cisco Architecture for Voice, Video, and Integrated Data (AVVID). It provides the foundation that Intrusion Detection System Management Center (IDS MC) is built upon. IDS MC is a component of the CiscoWorks VMS bundle.

Before you can access the IDS MC application, you must first log in to CiscoWorks 2000. CiscoWorks 2000 also manages access to all of the applications in the VMS bundle. To use IDS MC, you need to understand the following CiscoWorks 2000 components:

• Login process

• Authorization roles

• Adding users

Login Process

To access the applications supported by CiscoWorks, such as IDS MC and the Security Monitor, you must first log in to the CiscoWorks server desktop. The CiscoWorks server desktop is the interface used for CiscoWorks network management applications such as IDS MC.

To log in to CiscoWorks, you connect to the CiscoWorks desktop via your web browser. The web server is listening on port 1741. Therefore, if your CiscoWorks desktop is on a machine named CW2000 with an IP address of 10.89.139.71, you could connect to it by entering either of the following URLs:

• http://CW2000:1741/

• http://10.89.139.71:1741/

Note

If you are on the CiscoWorks server, you can also access CiscoWorks through the localhost host address by using the following URL: http://127.0.0.1:1741/

Note

If you configure CiscoWorks to Secure HTTP (HTTPS), you access the CiscoWorks server by using port 1742. For HTTPS access, the example URLs become the following:

• https://CW2000:1742/

• https://10.89.139.71:1742/

At the initial CiscoWorks screen, you log in to CiscoWorks by entering a valid username and password (see Figure 10-1).

Figure 10-1. CiscoWorks Login Screen

Note

Initially, you can log in by using the administrator account created during installation. The default value is admin for both the username and the password (unless you changed these values during the installation process). For security reasons, you should change these values.

Authorization Roles

Like IDM, CiscoWorks enables you to define different roles for different users. These roles enable the user to perform specific operations when using CiscoWorks and any of the applications that are built upon CiscoWorks (like IDS MC and Security Monitor). CiscoWorks supports five user roles that are relevant to IDS MC and Security Monitor operations (see in Table 10-2).

Note

You can assign each user multiple authorization roles (depending on their responsibilities). CiscoWorks 2000 also supports two other roles: Export Data and Developer. These roles are not relevant to the IDS MC or Security Monitor operations.

Adding Users

As part of your IDS MC and Security Monitor configuration, you need to configure accounts for the various users who need to access these applications. The CiscoWorks 2000 Add User screen enables you to create new accounts that have access to the CiscoWorks 2000 applications. To create a new account in CiscoWorks 2000, perform the following steps:

Step 1.	Log in to the CiscoWorks 2000 desktop.
Step 2.	Choose Server Configuration > Setup > Security > Add Users. The Add User window appears. (See Figure 10-2.) Figure 10-2. CiscoWorks Add User Window
Step 3.	Enter values for the new user (Table 10-3 describes these various fields). Table 10-3. CiscoWorks Add User Fields Field Description User Name Username of the user being added Local Password Password for the new user Confirm Password Confirmation of the user's password E-Mail (Optional) User's e-mail address CCO Login (Optional) User's Cisco.com login name (used for downloading software updates from the Cisco website) CCO Password User's Cisco.com password (required only if CCO Login is specified) Confirm Password Confirmation of user's Cisco.com password (required only if CCO Password is entered) Proxy Login (Optional) Enter the user's proxy login (required if your network requires use of a proxy server) Proxy Password User's proxy password (required only if Proxy Login is specified) Confirm Password Confirmation of user's proxy login (required only if Proxy Login is specified)
Step 4.	In the Roles section of the Add User window, select the role(s) associated with the user's responsibilities. You can assign multiple roles to a single user.
Step 5.	Click on Add to complete the addition of the user to the CiscoWorks 2000 database.

Security Monitor

Security Monitor is a component of the CiscoWorks VMS product. VMS integrates into a single solution numerous security applications, such as the following:

• CiscoWorks

• Security Monitor

• VPN Monitor

• VMS Common Services

Security Monitor provides numerous features such as the following:

• Device monitoring

• Web-based monitoring

• Custom reporting

Using Security Monitor, you can monitor IPS/IDS events from up to 300 Cisco IPS-capable devices, such as the following:

• Sensor appliances

• IDS modules

• Router modules

• IOS routers

• PIX Firewalls

Using a compatible web browser, you can access the Security Monitor to administer and monitor the alerts from your IDS devices. Furthermore, you can easily use an extensive list of common reports to support your reporting requirements.

Installing Security Monitor

You can install Security Monitor on the following two platforms:

• Windows 2000

• Solaris

For more information on the Solaris requirements, refer to Cisco documentation.

Windows Installation

When installing Security Monitor, you need to understand the hardware and software requirements for the different components. The major components involved in a Security Monitor Windows installation are as follows:

• CiscoWorks 2000 server

• Client systems

• Sensors

Since the sensors are appliances, the software and hardware are fairly fixed. The other two components, however, are built on your own machines. To ensure an operable installation, these systems must match some minimum requirements.

Server Requirements

To support all of the functionality provided by Security Monitor and the underlying CiscoWorks 2000 foundation, your CiscoWorks 2000 server needs to match the following requirements:

• IDM PC-compatible computer

• 1 GHz (or faster) processor

• Color monitor with video card capable of viewing 16-bit color

• CD-ROM drive

• 10BASE-T (or faster) network connection

• Minimum of 1 GB of RAM

• 2 GB of virtual memory

• Minimum of 9 GB free hard drive space (formatted using NT Files System [NTFS])

• Windows 2000 Professional, Server or Advanced Server, with Service Pack 4 (and Terminal Services turned off)

Client Requirements

Your users access Security Monitor via a browser on their system. These user systems should meet certain minimum requirements to ensure successful system operation. Your client systems should meet the following requirements:

• IBM PC-compatible

• 300 MHz (or faster) processor

• Minimum 256 MB RAM

• 400 MB virtual memory (free space on hard drive for Windows)

In addition to meeting these requirements, your clients need to be running one of the following operating systems:

• Windows 2000 Professional with Service Pack 3

• Windows 2000 Server with Service Pack 3

• Windows XP with Service Pack 1 with Microsoft Virtual Machine

One final requirement is that your client systems need to use one of the following web browsers and have the Java plug-in version 1.41_02:

• Internet Explorer 6.0 with Service Pack 1

• Netscape Navigator 7.1

Security Monitor User Interface

Although the Security Monitor user interface is graphical and easy to use, it is helpful to understand how the interface is structured. The Security Monitor user interface is composed of the following major sections (see Figure 10-3):

• Configuration tabs

• Options bar

• Table of contents (TOC)

• Path bar

• Instruction box

• Content area

• Tools bar

Figure 10-3. Security User Interface

Configuration Tabs

The configuration tasks are divided into the following five major categories:

• Devices Enables you to perform initial setup of devices to be monitored by Security Monitor

• Configuration Enables you to configure event rules for Security Monitor

• Monitor Enables you to monitor information about your devices and launch the Event Viewer

• Reports Enables you to generate reports, view scheduled reports, and view reports

• Admin Enables you to administer system and database settings

To access one of the categories, click on the tab labeled with the appropriate name. These tabs are located across the top of the Security Monitor display.

Options Bar

After you click on one of the major configuration tabs, the options for that selection are displayed in a list located on the screen just below the configuration tabs. Figure 10-3 shows a screen in which the user has clicked on the Admin tab. The options associated with the Admin tab are as follows:

• Data Management

• System Configuration

• Event Viewer

Clicking on any of these options causes a menu of available choices to be displayed on the left side of the Security Monitor interface (known as the TOC).

TOC

The TOC is a menu of choices that is displayed down the left side of the Security Monitor interface. It represents the list of suboptions that you can select (based on the option chosen). In Figure 10-3, you can see that the Admin > System Configuration option provides the following selections:

• IP Log Archive Location

• E-Mail Server

• PostOffice Settings

• SYSLOG Settings

• DNS Settings

• Prune Archive Location

• Automatic Signature Download

Path Bar

The path bar provides a visual road map indicating where you are with respect to the Security Monitor interface. It is located above the TOC and below the options bar and begins with the text "You Are Here."

Figure 10-3 shows a situation in which the path bar's value is Admin > System Configuration > SYSLOG Settings. This indicates that you performed the following steps to reach the current screen:

Instruction Box

Some pages provide you with an instructions box on the right side of the Security Monitor display. This box (when displayed) provides you with a brief overview of the page you have selected. This information is a quick summary of information provided through the Help option on the tools bar.

Content Area

The content area displays information associated with the selection you click on the TOC menu. Sometimes the option selected from the options bar has no TOC options. In this situation, you can click on the option from the options bar to directly display information in the content area. An example of this is Configuration > Event Rules.

Tools Bar

The tools bar is located at the upper right of the Security Monitor interface. From the tools bar you can access the following items:

• Close

• Help

• About

Close enables you to close the Security Monitor program. The Help option displays Security Monitor's help information in a separate browser window. Finally, the About option displays the Security Monitor software version.

Security Monitor Configuration

Before you can use Security Monitor to analyze the events from your IPS devices, you must add the IPS devices to Security Monitor. You can configure the rules that Security Monitor uses to access events from the devices being monitored. For Remote Data Exchange Protocol (RDEP) devices, you can also monitor connection and statistical information. This section will focus on the following Security Monitor configuration operations:

• Adding devices

• Importing devices

• Event notification

• Monitoring devices

Adding Devices

Security Monitor enables you to view events from various Cisco IPS devices deployed throughout your network. Before you can monitor these devices, however, you must add them to Security Monitor. The Devices window (see Figure 10-4) shows you the devices that you have already added to Security Monitor and enables you to add or import new devices as well as perform the following operations on existing devices:

• Edit

• Delete

• View

Figure 10-4. Devices Window in Security Monitor

Security Monitor monitors the following types of devices:

• Cisco IDS

• Cisco IOS IDS/IPS

• Cisco PIX/FWSM

• Cisco Security Agent MC

• Remote Cisco Security Monitor

Adding RDEP Devices

Security Monitor uses RDEP to communicate with your Cisco IPS version 5.0 sensors. When adding an RDEP device to Security Monitor, you must specify the following information about the device:

• IP Address

• Device Name

• Web Server Port

• Username

• Password

• Minimum Event Level

The IP Address, Device Name, and Web Server Port fields identify the device so that Security Monitor can communicate it. The Username and Password fields provide the login credentials necessary to access the RDEP device. Finally, the Minimum Event Level field sets the minimum alert level for the events that Security Monitor will retrieve from the device. By default, only events of medium severity or higher are retrieved.

To add an RDEP device to Security Monitor, you need to perform the following steps:

Step 1.	Click on the Devices tab on the main Security Monitor screen. The Devices window will appear in the content area.
Step 2.	Click on the Add button. The Add Device window appears (see Figure 10-5). Figure 10-5. Security Monitor Add Device Window
Step 3.	Select the correct device being added by using the pull-down menu for the Device Type field. In this situation, you should select Cisco IDS (the default).
Step 4.	In the IP Address field, enter the IP address of the sensor.
Step 5.	In the Device Name field, enter the name of the sensor.
Step 6.	In the Username field, enter the username that Security Monitor will use to communicate with the sensor.
Step 7.	In the Password field, enter the password for the account that Security Monitor will use to communicate with the sensor.
Step 8.	Select the minimum level of events that you want Security Monitor to retrieve. Choices include High, Medium, Low, and Informational (the default is Medium).
Step 9.	Click on OK to add the new device to Security Monitor.

Adding PostOffice Devices

Security Monitor can receive events from Cisco IDS version 3.x sensors. You can add these devices by selecting Postoffice as the protocol. When adding a version 3.x sensor, you must specify the following fields (see Figure 10-6):

• IP Address

• Device Name

• Host ID

• Org Name

• Org ID

• Port

• Heartbeat

Figure 10-6. Adding a PostOffice Device

Note

The PostOffice protocol is a proprietary protocol used to communicate with Cisco IDS version 3.x sensors. This protocol should not be confused with the Post Office Protocol (POP) specified in RFC 1939 (http://www.faqs.org/rfcs/rfc1939.html), which is a mail-distribution protocol.

Adding IOS Devices

Besides receiving events from Cisco IPS sensors, Security Monitor can also receive events from other Cisco IDS devices (such as IOS routers and PIX Firewalls). You can add IOS devices by selecting IOS IDS/IPS in the Device Type field. When adding an IOS IDS device, you must specify the following fields:

• IP Address

• Device Name

• Web Server Port

• Protocol

• Username

• Password

• Minimum Event Level

Some IOS devices can run the PostOffice protocol. If you want Security Monitor to communicate with the IOS device using PostOffice, you need to select Postoffice in the Protocol field. This will enable you to enter the following PostOffice parameters:

• Host ID

• Org Name

• Org ID

• Port

• Heartbeat

Adding PIX Devices

Similar to IOS IDS devices, Security Monitor can be configured to receive events from PIX Firewalls. You must specify the following fields to add PIX Firewall devices.

• IP Address

• Device Name

Since the PIX Firewalls can communicate only via syslog (UDP port 514), you are not allowed to specify the protocol for PIX devices.

Importing Devices

Instead of adding new devices by specifying all of the information necessary for Security Monitor to communicate with them, you can import devices from an instance of IDS MC that is already monitoring the devices that you wish to add. To import a device from IDS MC into Security Monitor, perform the following steps:

Step 1.	Click on the Devices tab on the main Security Monitor screen. The Devices window will appear in the content area.
Step 2.	Click on the Import button. The Enter IDS MC Server Information window will appear in the content area. (See Figure 10-7.) Figure 10-7. Enter IDS MC Server Information Window
Step 3.	Enter the IP address (or hostname) of the IDS MC server from which you want to import devices.
Step 4.	Enter the username and password required to log in to the IDS MC server.
Step 5.	Click on the Next button to continue. The Select Devices window will appear in the content area. (See Figure 10-8.) It shows all of the devices that the IDS MC server is managing. Figure 10-8. Select Devices Window
Step 6.	Click on the check box next to each sensor that you want to import.
Step 7.	Click on the Finish button to import the selected sensors. A Summary window will be displayed in the content area. It indicates which sensors you imported.

Event Notification

When multiple security devices are deployed throughout your network, they can generate a large number of events. Analyzing every one of these events by using the Event Viewer can be very time-consuming. Furthermore, it may be impossible to monitor the Event Viewer 24 hours a day. You can define event rules that perform specific actions when the Security Monitor receives traffic matching specific properties. You could use this functionality, for instance, to cause Security Monitor to e-mail you when certain traffic is detected on your network.

When defining an event rule, you can identify traffic based on the alert characteristics shown in Table 10-4.

For each characteristic, you specify a value and one of the following operators to equate the characteristic to the value:

• < (Less than)

• <= (Less than or equal)

• = (Equal)

• != (Not equal)

• >= (Greater than or equal)

• > (Greater than)

Note

Not all of these operators are valid for each characteristic. For some of the characteristics (such as Originating Device), only "equal" and "not equal" are valid.

Each characteristic plus a value is known as a clause. You combine multiple clauses for a single rule by specifying one of the following Boolean operators:

• AND

• OR

• NOT

After entering your clauses that define which traffic the event rule applies to, you need to define the action that you want Security Monitor to perform for traffic that actually matches the rule. Each rule can perform one or more of the following actions:

• Notify via e-mail

• Log a console notification event

• Execute a shell script

Note

Each event rule you define can have up to five clauses. Furthermore, you can define up to 10 event rules that you can have active at one time.

Adding Event Rules

Event rules specify the criteria that an event must match in order to cause a specific action. When adding event rules, you need to perform the following four tasks:

• Assign a name to the event rule

• Define the event filter criteria

• Assign the event rule action

• Define the event rule threshold and interval

Complete the following steps to add an event rule:

Step 1.	Click on the Configuration tab on the main Security Monitor screen.
Step 2.	Select Event Rules from the options bar (or from the content area). The Event Rules window appears in the content area. (See Figure 10-9.) Figure 10-9. Event Rules Window
Step 3.	Click on the Add button. The Identify the Rule window will appear in the content area. (See Figure 10-10.) Figure 10-10. Identify the Rule Window
Step 4.	Enter a name for the rule in the Rule Name field.
Step 5.	Enter a textual description for the rule.
Step 6.	Click on the Next button. The Specify the Event Filter window will appear in the content area. (See Figure 10-11.) Figure 10-11. Specify the Event Filter Window
Step 7.	Define the clauses that make up the event rule and the associations between clauses.
Step 8.	Click on the Next button to continue. The Choose the Actions window will appear in the content area. (See Figure 10-12.) Figure 10-12. Choose the Actions Window
Step 9.	Click on the check box next to the action(s) that you want assigned to this event rule. Specify any rule-specific parameters (such as an e-mail address for the Notify via E-Mail option). You can assign one or more actions to each event rule. Note If you have not configured an e-mail server by following Admin > System Configuration > E-Mail Server, the e-mail option will not be available.
Step 10.	Click on the Next button to continue. The Specify Thresholds and Intervals window will appear in the content area. (See Figure 10-13.) Figure 10-13. Specify the Thresholds and Intervals Window
Step 11.	Enter a value for how many event occurrences are needed to trigger the rule's action(s) by entering a number into the Issue action(s) after (#event occurrences) field (the default is 3).
Step 12.	Enter a value indicating how many more events (after the initial triggering of the rule) are needed before the action(s) are triggered again; do this by entering a number in the Repeat action(s) again after (#event occurrences) field (the default is 5).
Step 13.	Define how many minutes must elapse before the count value is reset; do this by entering a value in the Reset count every (minutes) field. The minimum reset value is 5 minutes (the default is 30).
Step 14.	Click on the Finish button to complete the definition of the event rule.

Activating Event Rules

After defining an event rule, you must activate it by performing the following steps:

Note

You can deactivate event rules by following this same procedure but clicking on the Deactivate button instead of the Activate button.

Monitoring Devices

You can monitor information about the devices that you have added to Security Monitor. This information falls into the following three categories:

• Connections

• Statistics

• Events

Monitoring Connections

Security Monitor needs to communicate with all of the devices from which it receives information. With RDEP devices, Security Monitor actually connects to the sensor and retrieves the alerts. PostOffice devices send the information directly to Security Monitor. You can check the status of RDEP and PostOffice devices by using the Connections window. (See Figure 10-14.)

Figure 10-14. The Connections Window

If the Connection status is either "Connected" or "Connected TLS," Security Monitor is receiving events from the device correctly. A Connection status of "Not Connected" represents a problem and can indicate one of the following conditions:

• The device has been added to Security Monitor, but it is not yet configured to send event data. This situation commonly arises if you add devices to Security Monitor before you have actually deployed them on your network.

• The device is configured incorrectly. For PostOffice devices, verify that the device is sending events to the correct IP address (for Security Monitor) on the correct port.

• Security Monitor is configured incorrectly. Verify the settings for the device in Security Monitor to make sure that the PostOffice communication parameters match the actual device parameters or that the RDEP logging credentials and IP address are valid.

• Network connectivity between Security Monitor and the device has been lost. Try to ping the device from the underlying CiscoWorks software on the Security Monitor server.

Note

IOS IDS devices (those not using PostOffice or RDEP) and PIX Firewalls do not show up in the connection list, since they send information to the Security Monitor in a connectionless fashion by using syslog messages.

Monitoring Statistics

You can view a wealth of statistical information about your RDEP devices. Using the Statistics window (see Figure 10-15), you can view statistics about the following items:

• Analysis Engine MAC, virtual sensor, TCP Stream Reassembly, and signature database statistics

• Authentication Successful and failed login attempts to the RDEP device

• Event Server General and specific subscription information about the devices that have connections to the server

• Event Store General information on and number of specific events that have occurred

• Host Network statistics, memory usage, and swap-file usage

• Logger Number of events and log messages written by the logger process

• Network Access Controller Information about the sensor's current shunning (blocking) configuration

• Transaction Server Counts indicating the failed and total number of control transactions for the server

• Transaction Source Counts indicating the failed and total number of source control transactions

• Web Server Configuration information for the device web server and statistics for connections to the web server

Figure 10-15. Statistics Window

To view any of these statistics, follow these steps:

Step 1.	Click on the Monitor tab on the main Security Monitor screen.
Step 2.	Select Device from the options bar (or the content area). This displays the Monitor Device window. (See Figure 10-16.) Figure 10-16. Monitor Device Window
Step 3.	Select the device on which you want to view statistics by using the object selector. In this example, the device selected is Ids4240.
Step 4.	Select Statistics from the TOC. This displays the Statistics window in the content area. (See Figure 10-15.)
Step 5.	Select which statistical information you want to view by using the radio button next to one of the displayed categories. In this example, the Event Store category is selected.
Step 6.	Click on the View button to view the selected information. The information is displayed in a separate browser window (see Figure 10-17). Figure 10-17. EventStore Statistics for Device Ids4240

Note

You can view multiple statistical reports (one at a time) since each of the reports is displayed in a new browser window. These reports are a snapshot of the information from the device and are not updated. To get updated information, you must generate another report.

Monitoring Events

Finally, you can monitor the events that Security Monitor is receiving from all of the monitored devices. This is probably the most important feature of Security Monitor since it enables you to identify attacks against your network. You view the events that Security Monitor has collected through the Security Monitor Event Viewer, which is accessed by choosing Monitor > Events. Before the event viewer is launched, you need to specify the criteria on which events should be included in the display (see Figure 10-18).

Figure 10-18. Launch Event Viewer Window

You basically specify a time window and event type for the information that you want included in the Event Viewer display by configuring the following parameters:

• Event Type

• Column Set

• Filter

• Event Start Time

• Event End Time

You can specify numerous options for the Event Type field by using the Event Type pull-down menu. Some of the options that you can choose from are as follows:

• All IDS Alarms

• CSA Alarms

• PIX Security Summaries

• PIX Deny Inbound

• Audit Log

The Column Set parameter determines the column set that will be used when the Event Viewer is launched. The default is Last Saved so that the Event Viewer columns appear the same as the last configuration that you saved.

Any events in the Security Monitor database that match the specified criteria will be displayed in the Event Viewer display. By default, the Event Type is set to All IDS Alarms, the Event Start Time is set to At Earliest, and the Event End Time is set to Don't Stop. These values cause all of the available IDS alarm events to be displayed.

Security Monitor Event Viewer

The Event Viewer combines the functionality of a spreadsheet with that of a hierarchical, drilldown directory to create a collection of event records called a drillsheet (drilldown spreadsheet). The drillsheet displays groups of similar event records on a single row of the grid, enabling you to detect patterns in the data.

The Event Viewer contains a grid plane that organizes and displays event records. The Event Viewer can read and display both real-time and historical events from the Security Monitor database. You can configure the grid plane to display information about alerts detected by the monitored devices in a variety of ways, thereby customizing the interface to your requirements.

Configuring the Event Viewer involves understanding the following options:

• Moving columns

• Deleting rows and columns

• Collapsing rows

• Expanding rows

• Suspending and resuming new events

• Changing display preferences

• Creating graphs

• Using the Tools pull-down menu options

• Resolving host names

Moving Columns

The default order of fields within an alarm entry may not suit your operational environment. You can change the order in which the columns are displayed in the Event Viewer. To move a column, click and drag the column header of the column to the new position where you want it to be.

Note

This change will persist only if you save the changes by choosing Columns > Save Column Set.

Deleting Rows and Columns

When an alarm has been acknowledged, dealt with, or both, you may want to remove it from the Event Viewer grid or from the actual Security Monitor database. At other times, you may want to remove certain columns from the Event Viewer display to make the display easier to work with. You can delete both rows and columns from the Event Viewer display. You access the delete options by right-clicking on a specific alert entry to display a popup window with various options. (See Figure 10-19.)

Figure 10-19. Row and Column Deletion Options

You have three deletion options to choose from:

• Delete From This Grid

• Delete From Database

• Delete Column

Delete from This Grid

To remove a row from the Event Viewer display, you right-click on a field in the row to be deleted. Then you select Delete From This Grid to delete the selected alert from the Event Viewer where the action is being performed. This procedure will not delete alerts from other Event Viewer instances or the Security Monitor database.

Note

This change is not persistent. If you open another instance of the Event Viewer, the original rows will be restored.

Delete from Database

To remove a row from the Security Monitor database, you right-click on a field in the row to be deleted. Then you select Delete From Database to delete the selected alert from all of the open Event Viewers as well as the Security Monitor database. If you use this option, the alert is completely gone, and you cannot display it in the Event Viewer again, even if you open another Event Viewer instance.

Delete Column

To remove columns from the Event Viewer display, you first right-click on a field in the column that you want to delete. Then select Columns > Delete Column from the popup window to remove the selected column from the Event Viewer display.

Note

This change is persistent only if you save the changes by choosing Columns > Save Column Set.

Collapsing Rows

To reduce the number of lines displayed on the Event Viewer grid, multiple alarms are collapsed into a single row based on a specific number of fields (known as the expansion boundary). By default, the expansion boundary is only the first field. All alarm entries with the same value for the first field are consolidated into a single row on the Event Viewer display.

To examine specific alarms, you may expand the display so that only a few alarms are consolidated on each row in the Event Viewer display. Although this is helpful when you are analyzing a specific attack, the Event Viewer grid can quickly become cluttered with more alarms than you can manage. When your Event Viewer display is too cluttered, you can collapse the display so that multiple alarms are consolidated onto a single line. From the Rows pull-down menu, you have the following collapse options to consolidate rows in the Event Viewer:

• Collapse > First Group

• Collapse > All Rows

Note

Besides using the Rows pull-down menu, you can also collapse columns by using the arrow icons pointing to the left (see Figure 10-20). The single left arrow icon performs the same operation as Collapse > First Group, and the double left arrow icon performs the same operation as Collapse > All Rows.

Figure 10-20. Event Viewer Window

Collapse > First Group

Using the Collapse > First Group option from the Rows pull-down menu, you can quickly collapse a selected row to the first row that causes some consolidation (a reduction in the number of lines displayed in the Event Viewer).

Note

Collapsed rows are not a persistent change. This means that closing the Event Viewer and re-opening it will bring back the default settings and expansion boundary.

Collapse > All Rows

The Collapse > All Rows option from the Rows pull-down menu enables you to consolidate all of the alarm entries based on the first column in the Event Viewer display. Using this feature, you can quickly collapse all of the rows without having to collapse them one group at a time.

Note

Collapsed rows are not a persistent change. This means that closing the Event Viewer and re-opening it will bring back the default settings and expansion boundary.

Expanding Rows

Besides collapsing the entries on the display, you may frequently need to expand the amount of alarm detail shown on the Event Viewer grid. Expanding columns provides more information and causes more rows to be displayed in the Event Viewer. When expanding columns, you have the following two options from the Rows pull-down menu:

• Expand > First Group

• Expand > All Rows

Note

Besides using the Rows pull-down menu, you can also expand columns by using the arrow icons pointing to the right (see Figure 10-20). Clicking on the single right-arrow icon performs the same operation as choosing Expand > First Group, and clicking on the double right-arrow icon performs the same operation as choosing Expand > All Rows.

Expand > First Group

To expand the number of rows displayed by the Event Viewer, you can click Expand > First Group from the Rows pull-down menu. This option expands the fields to the first field that causes more rows to be displayed.

Note

When expanding columns in your Event Viewer, you will eventually increase the number of row entries being displayed. The count field shows you how many entries are consolidated into a single row in the Event Viewer. This consolidation is based on the columns that are currently expanded. As you expand fields, fewer of the alarm entries will have the same values for all of the expanded columns. When you expand all of the columns, each row will probably represent only one alarm entry (count equal to 1) since it is unlikely that two separate alarm entries will have the exact same values for every column.

Note

Expanded rows are not a persistent change. This means that closing the Event Viewer and re-opening it will bring back the default settings and expansion boundary.

Expand > All Rows

Expanding an alarm entry one group at a time can be tedious, especially if the column that you are interested in is many fields away. In one click you can expand all of the fields for the currently selected row. To expand all of the columns for the current alarm entry, select Expand > All Columns from the Rows pull-down menu.

Note

Expanded rows are not a persistent change. This means that closing the Event Viewer and re-opening it will bring back the default settings and expansion boundary.

Suspending and Resuming New Events

Sometimes you may want to freeze the Event Viewer display and temporarily display no more alarms. This might happen during a flood of alarms. If alarms keep updating the Event Viewer, you may have difficulty analyzing what is happening. At that point, it is nice to freeze your Event Viewer window so that you can investigate the alarms that you already have in your window.

Security Monitor provides you the capability to suspend the Event Viewer from displaying new alarms. To suspend the Event Viewer, choose Suspend New Events from the Events pull-down menu. (See Figure 10-21.) To resume alarms, choose Resume New Events from the Events pull-down menu. Only one of the options is available at a time. For instance, when you have suspended alarms, the resume option becomes available (it is no longer grayed out). Furthermore, suspending alarms does not prevent new alarms from being added to the Security Monitor database; it only prevents them from being displayed in your current Event Viewer.

Figure 10-21. Events Pull-Down Menu

Changing Display Preferences

This section describes the different preference settings that you can use to customize the Event Viewer. To access the Preferences window, choose Tools > Options. This will display the Preferences window. (See Figure 10-22.)

Figure 10-22. Event Viewer Preferences Window

The settings available in this window fall into six basic categories:

• Actions

• Cells

• Sort By

• Boundaries

• Severity Indicator

• Database

Actions

The Actions group box in the Preferences window (see Figure 10-22) allows you to set the following parameters:

• E-Mail Recipients

• Command Timeout

• Time To Block

• Subnet Mask

The Command Timeout value determines how long (in seconds) the Event Viewer will wait for a response from the sensor before it concludes that it has lost communication with the sensor. In most cases, you will not need to modify this value. If you find that you are experiencing frequent command timeout errors, you might consider increasing the Command Timeout value or diagnosing the reason your Event Viewer is experiencing such a slow response time.

The Command Timeout value applies to all functions that require communication through the PostOffice infrastructure. For example, functions such as retrieving sensor statistics, viewing sensor block lists, and requesting that the sensor block a particular IP address all must be completed during the specified Command Timeout period. This timeout value is not used for non-PostOffice functions, such as DNS queries. The default value is 10 seconds, with an allowable range between 1 and 3600 seconds (one hour).

The Time To Block value specifies how long (in minutes) the sensor blocks traffic from the specified source when you issue a Block command from the Event Viewer. The block duration value that can be specified for the sensor in the Network Topology tree (NTT) applies only to blocks that are generated automatically by that sensor. The Time To Block value in the Preferences dialog box applies only to manually generated blocks from the Event Viewer. The default value is 1440 minutes (one day). The allowable range is from 1 to 525,600 minutes (one year).

The Subnet Mask value is used to define the network portion of the IP address that will be used to block a range of addresses. Your sensors use this information when they publish a blocking rule to the blocking devices on your network. The Subnet Mask is applied only to the Block > Network and Remove Block > Network options from the Event Viewer. The default value is 255.255.255.0 and represents a class C address range.

Cells

The Blank Left and Blank Right check boxes in the Cells section of the Preferences window enable you to specify whether certain cells will be blank or filled in (see Figure 10-22).

When you choose the Blank Left check box, you can control whether values that are suggested by a cell above a row are filled in on following rows in the Event Viewer. For example, consider the following alarms triggered by the same source IP address of 172.30.4.150: WWW perl interpreter attack, WWW IIS view source attack, and WWW IIS newdsn attack. If the Blank Left box is selected, the grid appears as follows:

If the Blank Left box is not selected, the grid appears as follows:

When you choose Blank Right, you can control how the collapsed cells are displayed in the Event Viewer. When cells are collapsed their background color is gray. If the collapsed values are different, a plus sign is displayed. When Blank Right is selected, a plus sign is displayed in a collapsed cell regardless of whether or not the cell values are different.

The default setting is for Blank Right to be unselected. In this state, a plus sign is displayed in collapsed cells only if the values in the cells differ. If the values in the collapsed cell are the same, the actual value is displayed in the Event Viewer.

Sort By

The Sort By group box in the Preferences window (see Figure 10-22) enables you to specify how the events are sorted in the Event Viewer. You can choose from the following two options:

• Count

• Content

When you choose to sort by count, the entries in the Event Viewer are sorted by the count of alarms listed in the first column of each row. If you sort by content, the entries in the Event Viewer are sorted alphabetically by the first field that is unique (starting with the far left field and moving to the right until a differing field value is found).

Boundaries

The Boundaries group box in the Preferences window (see Figure 10-22) enables you to set the following values:

• Default Expansion Boundary

• Maximum Events Per Grid

• Show New Event Row Warning

The Default Expansion Boundary value specifies the default number of columns in which the cells of a new event are expanded. By default, only the first field of an event is expanded.

Note

The expansion boundary is the block of columns that will be automatically expanded when a new alarm entry comes into the table. The block of columns is contiguous and starts at the first column in the Event Viewer. By default the expansion boundary expands the first field of an alarm entry. When setting a new expansion boundary, you have to specify only the number of columns to be expanded. All columns from the first column to the column count that you specify will be expanded for new alarm entries.

The Maximum Events per Grid defines the maximum number of alarms that can be displayed in a single Event Viewer. When the maximum value is reached, an error message is displayed. The default value is 50,000 alarms.

Severity Indicator

There are two event Severity Indicator options that you can select from (see Figure 10-22):

• Color

• Icon

The default setting uses colors to indicate severity in the Event Viewer. The color affects the background of the Count field. The following colors are used to indicate alarm severity:

• Red High severity

• Yellow Medium severity

• Green Low severity

Besides the default color severity indicator, you can also choose to display the severity of your alarms by using icons. The icons used to display alarm severity are the following:

• Red exclamation point High severity

• Yellow flag Medium severity

• No icon Low severity

Database

The Database group box in the Preferences window (see Figure 10-22) enables you configure whether the Event Viewer automatically retrieves new events from the Security Monitor database. If you check the Auto Query Enabled check box, you can configure how often the Event Viewer automatically retrieves events from the Security Monitor database.

Note

You can manually retrieve new events from the Security Monitor database by selecting Get New Events from the Events pull-down menu.

Creating Graphs

You can create graphs of the data, or a subset of the data, shown in Event Viewer. These graphs represent a static snapshot of the information and are not updated dynamically. You can choose from the following two types of graphs on the Graphs pull-down menu (see Figure 10-23):

• By Child

• By Time

Figure 10-23. Event Viewer Graph Options

By Child

To see the distribution of children events, select By Child from the Graphs pull-down menu. The graph displays the children events (the events in the column to the right of the selected node) across the X-axis and the number of occurrences along the Y-axis. Event severity is indicated by the color of the bar.

By Time

To see how the selected events are distributed over time, select By Time from the Graphs pull-down menu. The graph displays along the X-axis the range of time over which the event occurred and along the Y-axis the number of occurrences. Event severity is indicated by the color of the bar.

Tools Pull-Down Menu Options

Selecting the Tools pull-down menu in the Event Viewer enables you to access the following items:

• Explanation

• Trigger Packet

• IP Logs

• Statistics

• Options

Explanation

Selecting Explanation from the Tools pull-down menu displays the Network Security Database (NSDB) entry for the highlighted alert. The NSDB is the Cisco HTML-based encyclopedia of network-vulnerability information. You can examine the NSDB for information on a specific alarm. The Cisco Secure Encyclopedia (CSEC) is the online equivalent of the NSDB.

Note

Unlike IPS Device Manager (IDM), which requires Internet access to retrieve NSDB information, the CiscoWorks VPN/Security Management Solution (VMS) provides the NSDB information as part of the software package. Therefore, NSDB information can be viewed without Internet access.

CSEC has been developed as a central warehouse of security knowledge to provide Cisco security professionals with an interactive database of security vulnerability information. CSEC contains detailed information about security vulnerabilities such as countermeasures, affected systems and software, and Cisco Secure products that can help you test for vulnerabilities or detect when malicious users attempt to exploit your systems. The CSEC can be found at http://www.cisco.com/go/csec.

Trigger Packet

For many signatures it is helpful to capture the initial traffic that caused the signature to fire. Cisco IPS enables signatures to capture the actual trigger packet for its signatures. Selecting Trigger Packet from the Tools pull-down menu displays the trigger packet for the signature (if the signature is configured to capture it).

IP Logs

One of the actions that a signature can initiate is IP logging. This action captures raw packets for a connection so that you can analyze them. To view the IP log information using Security Monitor, you highlight the alarm that contains the IP log information and then select IP Log from the Tools pull-down menu.

Statistics

You can view event statistics for a row in Event Viewer. The statistics include the following information:

• Severity level for the row

• Number of child nodes for the row

• Number of events represented by the row

• Percentage of the total events (based on the events currently displayed by the Event Viewer) that the selected row represents

To access the statistics for a specific row, you select the row by clicking on a field in the row. Then you click on Statistics from the Tools pull-down menu. A pop-up window appears in the content area, indicating the statistics (see Figure 10-24).

Figure 10-24. Event Statistics Popup Window

Options

Selecting Options from the Tools pull-down menu enables you to configure preference settings that you can use to customize the Event Viewer. Configuring these options has already been explained in the "Changing Display Preferences" section earlier in the chapter.

Resolving Host Names

By default, the alerts stored by the Event Viewer indicate the IP addresses of the systems involved in the event. Using the Resolve option from the Actions pull-down menu, you can cause the Event Viewer to attempt to resolve the host names for the IP addresses in the selected alerts.

Note

Since a single row can represent multiple alarms, it may take the Event Viewer a significant amount of time to resolve all of the IP addresses. If you attempt to resolve a large number of alerts, a warning pop-up window will appear in the content area, indicating that your request could take several minutes to complete.

Security Monitor Administration

Although a large percentage of your time will be spent using the Event Viewer functionality of Security Monitor, there are also various tasks that you may need to perform to administer and maintain your Security Monitor software. Security Monitor server administration and maintenance tasks fall into the following categories:

• Data management

• System configuration settings

• Defining Event Viewer preferences

Data Management

When the Security Monitor database becomes large, system performance may begin to degrade. How large the database can become depends upon many factors, including system specifications and the number and types of applications running on the system. Using database rules, you can automatically manage the size of your database, send e-mail notifications, log a console notification event, or execute a script when specific thresholds or intervals are met. Database thresholds may be reached, for example, if the database exceeds a certain size or if the database receives more than a defined number of events.

By defining custom database rules, you can keep your Security Monitor database working at its peak efficiency. To add your own custom database rule, perform the following steps:

Step 1.	Click on the Admin tab on the main Security Monitor screen.
Step 2.	Select Data Management from the options bar (or the content area). This displays the Data Management window in the content area (see Figure 10-25). Figure 10-25. Data Management Window
Step 3.	Select Database > Rules from the TOC. This displays the Database Rules window in the content area (see Figure 10-26). Figure 10-26. Database Rules Window
Step 4.	Click on the Add button. The Enter Rule Name window appears in the content area.
Step 5.	In the Rule Name field, enter the name of the database rule being created.
Step 6.	In the Comment field, enter a textual description of the rule.
Step 7.	Click on Next. The Choose the Actions window appears in the content area (see Figure 10-27). Figure 10-27. Choosing Actions for Database Rules
Step 8.	Choose the actions that the rule will initiate by selecting the check boxes next to the available actions. Note These actions are the same as those that you specify for event rules (see the "Event Notification" section earlier in this chapter).
Step 9.	Click on Next. The Specify the Trigger Conditions window appears in the content area (see Figure 10-28). Figure 10-28. Specify the Trigger Conditions Window
Step 10.	Select any of the parameters shown in Table 10-5 that you want to use in the database rule by clicking on the radio button next to the parameter and adjusting the value for the parameter. Table 10-5. Database Rule Parameters Parameter Description Database used space greater than (megabytes) If selected, triggers the database rule when the database reaches a size greater than the value specified. The default is 500 MB. Database free space less than (megabytes) If selected, triggers the database rule when the free space on the drive (where the database is installed) falls below the specified size. The default is 1. Total IDS events in database exceed If selected, triggers the database rule when the total number of IDS events is more than the specified value. The default is 500,000. Total CSA events in database exceed If selected, triggers the database rule when the total number of CSA events is more than the specified value. The default is 500,000. Total firewall events in database exceed If selected, triggers the database rule when the total number of firewall events is greater than the specified value. The default is 500,000. Total Audit Log events in database exceed If selected, triggers the database rule when the total number of Audit Log events is greater than the specified value. The default is 500,000. Total events in database exceed If selected, triggers the database rule when the total number of all events is more than the specified value. The default is 1,000,000. At scheduled date If selected, allows the database rule to be triggered at the specified date and time. The default is set to the current date, and the time is left blank. Repeat every If selected, causes the rule to trigger again at the specified number of days, weeks, or months. (This is valid only in conjunction with the At scheduled date parameter).
Step 11.	Click on the Finish button to complete the addition of the new database rule.

System Configuration Settings

Selecting Admin > System Configuration enables you to configure the following communication properties:

• IP Log Archive Location

• E-Mail Server

• PostOffice Settings

• Syslog Settings

• DNS Settings

• Prune Archive Location

• Automatic Signature Download

The IP Log Archive Location enables you to specify the location on the system where the IP log information for the alerts will be stored. For Windows, the default location is C:\PROGRA~1\ CSCOpx\MDC\secmon\iplogs.

The E-mail Server enables you to configure its properties and to specify the e-mail server that Security Monitor uses for event notifications. PostOffice Settings enables you to specify the settings used to establish the communication infrastructure between Security Monitor and Cisco IDS version 3.x IDS devices. Syslog Settings enables you to specify the port that Security Monitor uses to monitor syslog messages along with the IP address and port that it will send syslog messages to if you choose to forward syslog messages.

The DNS Settings option enables you to configure whether DNS lookups are performed in the following two situations:

• When generating firewall reports

• When decoding IP log and trigger packets

When the database is pruned, the information is archived on the hard disk of the system. The Prune Archive Location option enables you to specify the location at which this pruned database information will be stored. In Windows, the default location is C:\PROGRA~1\CSCOpx\ MDC\secmon\AlertPruneData.

Attackers are continually developing new attacks to launch against your network. Therefore, it is important that you keep your signature definitions as current as possible. Using the Automatic Signature Download option, you can configure how often Security Monitor checks for new signature updates from either Cisco.com or your own local server.

Note

Although the option is titled "Automatic Signature Download," it can be used to retrieve signature updates as well as service packs for your sensors.

Defining Event Viewer Preferences

When working in the Event Viewer, you can configure your Event Viewer preferences (see the "Changing Display Preferences" section earlier in this chapter). Some of the changes, however, such as setting the default expansion boundary, are not persistent and are lost whenever you close the Event Viewer. If you want your preferences to be applied every time you open the Event Viewer, you need to change the Event Viewer preferences by using the administration options. Administratively, you can configure your Event Viewer preferences by using the following three options:

• Your Preferences

• Default Preferences

• Users

After choosing Your Preferences, you can configure you own personal display preferences. These changes will apply only to the user account in which you are currently logged in to Security Monitor. These options enable you to customize the Event Viewer to your personal preferences.

The Default Preferences option, on the other hand, changes the default display settings for all users. You can use this option to establish display preferences from which all users will benefit.

After choosing Users, you can view the list of users who have event-viewing preferences stored in the database.

Security Monitor Reports

Security Monitor enables you to generate reports based on the audit and alarm information collected by Security Monitor. These reports can be generated immediately, or you can schedule them to be generated later. Although you can create your own custom report templates, Security Monitor provides the following predefined report templates for IDS alarms:

• IDS Summary Report Provides a summary of event information for an organization during a specified time period. It is filterable by Date/Time, Organization, Source Direction, Destination Direction, Signature or Signature Category, and Event Level.

• IDS Top Sources Report Reports the specified number of source IP addresses that have generated the most events during a specified time period. It is filterable by Date/Time, Top n (where n is the number of sources), Destination Direction, Destination IP Address, Signature or Signature Category, Sensor, and Event Level.

• IDS Top Destinations Report Reports the specified number of destination IP addresses that have been targeted for attack during a specified time period. It is filterable by Date/Time, Top n (where n is the number of destinations), Source Direction, Source Address, Signature or Signature Category, Sensor, and Event Level.

• IDS Top Alarms Report Reports the specified number of top alarms (by signature name) that have been generated during a specified time period. It is filterable by Date/Time, Top n (where n is the number of alarms), Source Direction, Destination Direction, Source Address, Destination Address, Signature or Signature Category, Sensor, and Event Level.

• IDS Top Source/Destination Pairs Report Reports the specified number of source/destination pairs (that is, connections or sessions) that have generated the most alarms during a specified time period. It is filterable by Date/Time, Top n (where n is the number of source/destination pairs), Signature or Signature Category, Sensor, Event Level, Source Direction, Destination Direction, Source Address, and Destination Address.

• IDS Alarm Source Report Reports alarms based on the source IP address that generated the alarm. It is filterable by Date/Time, Destination Direction, Destination Address, Signature or Signature Category, Sensor, Event Level, Alarm Count, Source Direction, and Source Address.

• IDS Alarm Destination Report Reports alarms based on the destination IP address that generated the alarm. It is filterable by Date/Time, Source Direction, Source Address, Signature or Signature Category, Sensor, Event Level, Event Count, Destination Direction, and Destination Address.

• IDS Alarm Report Reports logged alarms based on signature names. It is filterable by Date/Time, Source Direction, Destination Direction, Source Address, Destination Address, Sensor, Event Level, Event Count, and Signature or Signature Category.

• IDS Alarm Source/Destination Pair Report Reports logged alarms based on source/destination IP address pairs (that is, connections or sessions). It is filterable by Date/Time, Signature or Signature Category, Sensor, Event Level, Alarm Count, Source Direction, Destination Direction, Source Address, and Destination Address.

• IDS Alarms by Hour Report Reports alarms in one-hour intervals over the time specified by the user. It is filterable by Date/Time, Source Direction, Destination Direction, Source Address, Destination Address, Signature or Signature Category, Sensor, Event Level, and Event Count.

• IDS Alarms by Day Report Reports alarms in one-day intervals over the time specified by the user. It is filterable by Date/Time, Source Direction, Destination Direction, Source Address, Destination Address, Signature or Signature Category, Sensor, Event Level, and Event Count.

• IDS Alarms by Sensor Report Reports logged alarms based on the sensor (host ID) that detected the event. It is filterable by Date/Time, Source Direction, Destination Direction, Source Address, Destination Address, Signature or Signature Category, Sensor, Event Level, and Event Count.

• 24-Hour Metrics Report Reports all alarm traffic from the most recent 24 hours in 15-minute intervals. There are no filters for this report.

• Daily Metrics Report Reports event traffic totals (by day) from the selected date until the current date. Reporting occurs in 24-hour intervals, starting at midnight. The report shows events by platform (PIX, IOS, Sensor, RDEP) and event type (IDS or Security).

Creating a report using Security Monitor involves the following tasks:

• Defining the report

• Running the report

• Viewing the report

Defining the Report

When creating an IDS report using Security Monitor, you can either create a custom report template (from scratch or by modifying an existing report template) or use one of the predefined report templates. When modifying an existing report template, you can specify the following filtering parameters (see Figure 10-29) to customize the template to your IPS/IDS reporting requirements:

• Report Template

• Event Level

• Event Count

• Date and Time Characteristics

• Source Direction

• Source IP Address

• Destination Direction

• Destination IP Address

• IDS Devices

Figure 10-29. Report Filtering Window

Running the Report

When you want to generate a report, you can run the report by using one of the following two options (see Figure 10-30):

• Run

• Run with Options

Figure 10-30. Defined Reports Window

Selecting Run causes the report to be generated immediately. Selecting Run with Options enables you to schedule a report to be run or to export the report information to the VMS server (see Figure 10-31).

Figure 10-31. Run with Options Window

When scheduling an IDS report to run using Security Monitor, you need to specify the following parameters (see Figure 10-32):

• Date

• Time

• Frequency

Figure 10-32. Schedule Report Window

Viewing the Report

After generating your reports, you can view them by choosing Reports > Completed. This displays the Choose Completed Report window in the content area (see Figure 10-33).

Figure 10-33. Choose Completed Report Window

To view a report that you have generated, click on the name of the report that you want to view. The report is then displayed in a new browser window (see Figure 10-34).

Figure 10-34. 24-Hour Alarm Metrics Report