Foundation Summary


CiscoWorks 2000 is the heart of the Cisco family of comprehensive network management tools. It provides the foundation that Intrusion Detection System Management Center (IDS MC) is built upon. IDS MC is a component of the CiscoWorks VMS bundle. CiscoWorks supports five different user roles that are relevant to IDS MC operations. These roles are described in Table 10-6.

Table 10-6. CiscoWorks User Roles

User Role

Description

Help Desk

Read-only for the entire system

Approver

Read-only for entire system; includes the configuration approval privileges

Network Operator

Read-only for the entire system; generates reports and includes configuration-deployment privileges

Network Administrator

Read-only for the entire system; includes privileges to edit devices and device groups

System Administrator

Performs all operations


Security Monitor is a component of the CiscoWorks VMS product. VMS integrates into a single solution numerous security applications, such as the following:

  • CiscoWorks

  • Security Monitor

  • VPN Monitor

  • VMS Common Services

Security Monitor provides numerous features, such as the following:

  • Device monitoring

  • Web-based monitoring platform

  • Custom reporting capability

Using Security Monitor, you can receive IPS/IDS events from up to 300 Cisco IPS-capable devices, such as the following:

  • Sensor appliances

  • IDS modules

  • Router modules

  • IOS routers

  • PIX Firewalls

You can install Security Monitor on the following two platforms:

  • Windows 2000

  • Solaris

The minimum requirements for the Security Monitor server include the following:

  • IBM PC-compatible computer

  • 1 GHz (or faster) processor

  • Color monitor with video card capable of viewing 16-bit color

  • CD-ROM drive

  • 10BASE-T (or faster) network connection

  • Minimum of 1 GB of RAM

  • 2 GB of virtual memory

  • Minimum of 9 GB free hard drive space (NTFS)

  • Windows 2000 Professional, Server or Advanced Server, with Service Pack 4 (and Terminal Services turned off)

Your client systems that access Security Monitor should meet the following hardware requirements:

  • IBM PC-compatible

  • 300 MHz (or faster) processor

  • Minimum 256 MB RAM

  • 400 MB virtual memory (free space on hard drive for Windows)

Your client systems need to be running one of the following operating systems:

  • Windows 2000 Professional with Service Pack 3

  • Windows 2000 Server with Service Pack 3

  • Windows XP with Service Pack 1 with Microsoft Virtual Machine

One final requirement is that your client systems need to use one of the following web browsers to access Security Monitor:

  • Internet Explorer 6.0 with Service Pack 1

  • Netscape Navigator 7.1

The Security Monitor user interface is composed of the following major sections:

  • Configuration tabs

  • Options bar

  • TOC

  • Path bar

  • Instruction box

  • Content area

  • Tools bar

Security Monitor monitors the following types of devices:

  • Cisco IDS

  • Cisco IOS IDS/IPS

  • Cisco PIX/FWSM

  • Cisco Security Agent MC

  • Remote Cisco Security Monitor

When adding RDEP devices and IOS IPS devices to Security Monitor, you must specify the following information about the devices:

  • IP address

  • Device name

  • Web server port

  • Protocol

  • Username

  • Password

  • Minimum event level

When using the PostOffice protocol to add devices that communicate with Security Monitor, you need to specify the following information about the devices:

  • IP address

  • Device name

  • Host ID

  • Org Name

  • Org ID

  • Port

  • Heartbeat

You specify the following fields only when adding PIX/FWSM devices since they use syslog to communicate with Security Monitor:

  • IP Address

  • Device Name

You can define event rules that perform specific actions when the Security Monitor receives traffic matching specific properties. When defining an event rule, you can identify traffic based on the alert characteristics shown in Table 10-7.

Table 10-7. Event Rule Characteristics

Characteristic

Description

Originating Device

Enables you to specify a monitor device

Originating Device Address

Enables you to specify the originating address of the device

Attacker Address

Enables you to filter based on the IP address of the attacker

Victim Address

Enables you to filter based on the IP address of the victim or system being attacked

Signature Name

Enables you to filter based on the name of a signature

Signature ID

Enables you to filter based on the ID of a signature

Severity

Enables you to filter based on the severity of the alarm received (Informational, Low, Medium, or High)


When adding event rules, you need to perform the following four tasks:

Step 1.

Assign a name to the event rule

Step 2.

Define the event filter criteria

Step 3.

Assign the event rule action

Step 4.

Define the event rule threshold and interval

You can monitor the following information about the devices that you have added to Security Monitor:

  • Connections

  • Statistics

  • Events

You can view statistics about the following items:

  • Analysis Engine MAC, virtual sensor, TCP Stream Reassembly, and signature database statistics

  • Authentication Successful and failed login attempts to the RDEP device

  • Event Server General and specific subscription information about the devices that have connections to the server

  • Event Store General information on and number of specific events that have occurred

  • Host Network statistics, memory usage, and swap-file usage

  • Logger Number of events and log messages written by the logger process

  • Network Access Control Information about the sensor's current shunning (blocking) configuration

  • Transaction Server Counts indicating the failed and total number of control transactions for the server

  • Transaction Source Counts indicating the failed and total number of source control transactions

  • Web Server Configuration information for the device web server and statistics for connections to the web server

Using the Event Viewer, you can monitor the events that Security Monitor is receiving from all of the monitored devices. When launching the Event Viewer, you need to specify the following information:

  • Event Type

  • Column Set

  • Filter

  • Event Start Time

  • Event End Time

Configuring the Event Viewer involves understanding the following options:

  • Moving columns

  • Deleting rows and columns

  • Collapsing rows

  • Expanding rows

  • Suspending and resuming new events

  • Changing display preferences

  • Creating graphs

  • Using the Tools pull-down menu options

  • Resolving host names

You can create the following two types of graphs based on the data, or a subset of the data, shown in Event Viewer:

  • By Child

  • By Time

Security Monitor server administration and maintenance tasks fall into the following categories:

  • Data management

  • System configuration

  • Event viewer

Defining database rules involves specifying the parameters shown in Table 10-8.

Table 10-8. Database Rule Parameters

Parameter

Description

Database used space greater than (megabytes)

If selected, triggers the database rule when the database reaches a size greater than the value specified. The default is 500 MB.

Database free space less than (megabytes)

If selected, triggers the database rule when the free space on the drive (where the database is installed) falls below the specified size. The default is 1.

Total IDS events in database exceed

If selected, triggers the database rule when the total number of IDS events is more than the specified value. The default is 500,000.

Total CSA events in database exceed

If selected, triggers the database rule when the total number of CSA events is more than the specified value. The default is 500,000.

Total firewall events in database exceed

If selected, triggers the database rule when the total number of firewall events is more than the specified value. The default is 500,000.

Total Audit Log events in database exceed

If selected, triggers the database rule when the total number of Audit Log events is more than the specified value. The default is 500,000.

Total events in database exceed

If selected, triggers the database rule when the total number of all events is more than the specified value. The default is 1,000,000.

At scheduled date

If selected, allows the database rule to be triggered at the specified date and time. The default is set to the current date, and the time is left blank.

Repeat every

If selected, causes the rule to trigger again at the specified number of days, weeks, or months (valid only in conjunction with At scheduled date parameter).


System configuration tasks involve configuring the following communication properties:

  • IP Log Archive Location

  • E-Mail Server

  • PostOffice Settings

  • Syslog Settings

  • DNS Settings

  • Prune Archive Location

  • Automatic Signature Download

Security Monitor enables you to generate reports based on the audit and alarm information collected by Security Monitor. These reports can be generated immediately, or you can schedule them to be generated at a later time. The predefined IDS alarm report templates include the following:

  • IDS Summary Report

  • IDS Top Sources Report

  • IDS Top Destinations Report

  • IDS Top Alarms Report

  • IDS Top Source/Destination Pairs Report

  • IDS Alarm Source Report

  • IDS Alarm Destination Report

  • IDS Alarm Report

  • IDS Alarm Source/Destination Pair Report

  • IDS Alarms by Hour Report

  • IDS Alarms by Day Report

  • IDS Alarms by Sensor Report

  • 24-Hour Metrics Report

  • Daily Metrics Report

Creating a report using Security Monitor involves the following tasks:

  • Defining the report

  • Running the report

  • Viewing the report



CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net