CSIDS Exam Cram 2 (Exam 642-531)
Authors: Newman D.P. Manalo K.M.
Published year: 2004
Pages: 150-152/213

Need to Know More?

For the latest documentation on the Cisco IEV, refer to the document "Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4.1," available at http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c5a.html.

For the latest documentation on the Cisco IDM, refer to the document "Installing and Using the Cisco Intrusion Detection System Device Manager Version 4.1," available at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap1.pdf.


Chapter 14. Enterprise IDS Management with the Cisco IDS Management Center for VMS

Terms you'll need to understand:

  • VPN/Security Management Solution (VMS)

  • Sensor device

  • Sensor group

  • Management Center for Intrusion Detection System Sensors (IDS MC) workflow

  • Device tab sheet

  • Configuration tab sheet

  • Deployment tab sheet

  • Pending deployment jobs

Techniques you'll need to master:

  • Understanding the IDS MC architecture

  • Identifying the IDS MC installation requirements

  • Deploying configurations to sensor devices and sensor groups

  • Configuring IDS MC communications settings

You might recall from Chapter 3, "Intrusion Detection Overview," that the IDS MC is a component of the VMS; the IDS MC works with Security Monitor for VMS to provide a Web-based interface for configuring, managing, maintaining, and monitoring multiple IDS sensors. You use the IDS MC to manage configurations for sensor devices and sensor groups; configuration files are stored in a database and deployed using the IDS MC workflow.

The IDS MC can manage sensor appliances with software version 3.0(1) S4, 4.0 and higher, and IDS Modules (IDSMs) with software version 3.0(5) S23 or higher. The IDS MC can manage configurations for up to 300 sensors and can import sensor configurations that have been configured by other IDS management tools. The IDS MC also allows you to push signature and sensor software updates out to sensors and sensor groups.

This chapter provides an overview of Enterprise IDS and its hierarchical elements, walks you through the IDS MC installation process and interface, and then guides you through configuration and management tasks using the IDS MC workflow.


Architecture

We start by going through an overview of the IDS MC architecture, directories, and processes. Figure 14.1 shows a high-level view of the IDS MC architecture.

Figure 14.1. A high-level view of the Cisco IDS MC architecture.

The IDS MC is based on the framework and services of CiscoWorks Common Services. The components of CiscoWorks Common Services are

  • Data storage and management: A Sybase SQL Anywhere database stores the configuration data for sensor devices and sensor groups. CiscoWorks Common Services allows you to manage this data with backup, restoration, and repair tasks.

  • Web interface: An Apache Web server provides the Web interface that allows you to connect to the CiscoWorks server via Hypertext Transfer Protocol (HTTP). After you initially access the CiscoWorks server, subsequent communication with the IDS MC uses secure HTTP (HTTPS).

  • Session management: User sessions are managed so that multiple users can connect to the IDS MC and perform configuration tasks without losing or corrupting any data.

  • User authentication and permission management: CiscoWorks Common Services performs permissions management based on user authorization roles, each of which defines a set of permissions for access to various functions within VMS.

  • Common environment for the IDS MC: Independent processes function within their own range of operations.

It's important to understand how the interaction between the client host, CiscoWorks server, IDS MC server, and the sensor occurs in Figure 14.1. To illustrate, if Phil wants to connect to the IDS MC from his laptop browser, the following process takes place:

  • Initially, Phil points his browser to the CiscoWorks server via HTTP on port 1741 and logs into CiscoWorks.

  • Phil then selects the IDS MC from the CiscoWorks interface, which triggers secure encrypted communications to the IDS MC server using HTTPS on port 443.

  • When Phil sends configuration changes to the sensor using the IDS MC, the IDS MC connects to the sensor using Secure Shell (SSH).

Exam Alert

Make sure you understand that communications from a client browser to CiscoWorks initially uses HTTP on port 1741; thereafter, communication between the client browser and IDS MC uses HTTPS on port 443.


Note

HTTPS communication between a client browser and CiscoWorks uses port 1742; however, HTTPS communication between a client browser and the IDS MC uses port 443.
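The communication paths above (HTTP 1741 and HTTPS 1742 to CiscoWorks, HTTPS 443 to the IDS MC, SSH from the IDS MC to the sensor) are what a firewall between these tiers should permit and nothing else. The following Python is an added example, not the book's code: it encodes those paths as an allowlist and checks constructed firewall log lines against it; the host addresses, the log format, and SSH on 22/tcp (the chapter names SSH but no port) are assumptions.

```python
# Added example (not the book's code): allowlist of the IDS MC flows this chapter describes.
# Host roles for the scenario; the addresses are constructed for this example.
ROLES = {
    "10.0.0.10": "client",      # Phil's laptop browser
    "10.0.1.5": "ciscoworks",   # CiscoWorks server hosting the IDS MC
    "10.0.2.20": "sensor",      # IDS sensor appliance
}

# Documented flows: (source role, destination role, TCP port) -> purpose.
# The chapter names SSH but not its port; 22/tcp is assumed here.
EXPECTED_FLOWS = {
    ("client", "ciscoworks", 1741): "CiscoWorks login over HTTP",
    ("client", "ciscoworks", 1742): "CiscoWorks over HTTPS",
    ("client", "ciscoworks", 443): "IDS MC over HTTPS",
    ("ciscoworks", "sensor", 22): "IDS MC configuration push over SSH",
}

def parse_log_line(line):
    """Parse a constructed 'src=A dst=B dport=N' line into (src, dst, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])

def classify(src, dst, dport):
    """Return the documented purpose of a flow, or why it is unexpected."""
    src_role = ROLES.get(src, "unknown")
    dst_role = ROLES.get(dst, "unknown")
    purpose = EXPECTED_FLOWS.get((src_role, dst_role, dport))
    if purpose:
        return "expected: " + purpose
    return f"unexpected: {src_role} -> {dst_role} on tcp/{dport}"

def audit(lines):
    """Classify every log line; returns a list of (line, verdict) pairs."""
    return [(line, classify(*parse_log_line(line))) for line in lines]

def unexpected(lines):
    """Only the lines whose flow is not part of the documented design."""
    return [line for line, verdict in audit(lines) if verdict.startswith("unexpected")]

SAMPLE_LOG = [  # constructed sample firewall log lines
    "src=10.0.0.10 dst=10.0.1.5 dport=1741",
    "src=10.0.0.10 dst=10.0.1.5 dport=443",
    "src=10.0.1.5 dst=10.0.2.20 dport=22",
    "src=10.0.0.10 dst=10.0.2.20 dport=22",  # client talking to the sensor directly
    "src=10.0.0.10 dst=10.0.1.5 dport=80",   # HTTP on a port the design does not use
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{line:40} {verdict}")
```

Running it flags the last two sample lines: a client reaching a sensor directly over SSH bypasses the IDS MC, and port 80 is not one of the documented management ports.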


IDS MC Directories

Unless you specify otherwise, the IDS MC components are installed in the default directory where the CiscoWorks Common Services components are installed. This directory is X:\Program Files\CSCOPx (where X is the hard drive). Figure 14.2 shows the directories and components of the IDS MC.

Figure 14.2. The Cisco IDS MC directories and their components.

Within the IDS MC home directory are four subdirectories and their applications:

  • Apache: This is where the Apache Web server that serves the IDS MC Web pages is installed.

  • Sybase: This is where the Sybase SQL database, which stores sensor and IDSM configuration information, is installed.

  • Tomcat: This directory stores the Tomcat server, which dispatches servlets to the IDS MC from Common Services.

  • Etc: This directory stores the ids and updates subdirectories, described as follows:

    Etc\ids: This is where the IDS MC is stored.

    Etc\ids\updates: This is where IDS signature updates, for both sensor devices and the IDS MC itself, are stored.

Exam Alert

You should be prepared to know the four subdirectories in the IDS MC home directory and what functions the associated applications perform.


IDS MC Processes

Table 14.1 lists the processes that allow the IDS MC to perform its functions.

Table 14.1. IDS MC Processes

Process              Description
IDS_Analyzer         Defines event rules; requests user-specified notifications.
IDS_Backup           Performs a backup and restore of the Sybase database within the IDS MC.
IDS_DbAdminAnalyzer  Applies active database rules to the current state of the server on a periodic basis.
IDS_DeployDaemon     Manages all configuration deployments.
IDS_Notifier         Retrieves notification requests from other subsystems and performs the requested notification.
IDS_Receiver         Receives Cisco IDS alarms and syslog security events; stores them in the Sybase database.
IDS_ReportScheduler  Generates all scheduled reports.


Exam Alert

You should be prepared to answer questions regarding the processes that provide the IDS MC with its functionality. Key processes to focus on include IDS_Analyzer, IDS_DeployDaemon, IDS_Notifier, IDS_Receiver, and IDS_ReportScheduler.

