CiscoWorks 2000 is the heart of the Cisco family of comprehensive network management tools. It provides the foundation that the Intrusion Detection System Management Center (IDS MC) is built upon. IDS MC is a component of the CiscoWorks VMS bundle. CiscoWorks supports five different user roles that are relevant to IDS MC operations. These roles are described in Table 10-6.

Table 10-6. CiscoWorks User Roles

| User Role | Description |
|---|---|
| Help Desk | Read-only for the entire system |
| Approver | Read-only for the entire system; includes the configuration approval privileges |
| Network Operator | Read-only for the entire system; generates reports and includes configuration-deployment privileges |
| Network Administrator | Read-only for the entire system; includes privileges to edit devices and device groups |
| System Administrator | Performs all operations |
Security Monitor is a component of the CiscoWorks VMS product. VMS integrates into a single solution numerous security applications, such as the following:

- CiscoWorks
- Security Monitor
- VPN Monitor
- VMS Common Services

Security Monitor provides numerous features, such as the following:

Using Security Monitor, you can receive IPS/IDS events from up to 300 Cisco IPS-capable devices, such as the following:

- Sensor appliances
- IDS modules
- Router modules
- IOS routers
- PIX Firewalls

You can install Security Monitor on the following two platforms:

The minimum requirements for the Security Monitor server include the following:

- IBM PC-compatible computer
- 1 GHz (or faster) processor
- Color monitor with video card capable of viewing 16-bit color
- CD-ROM drive
- 10BASE-T (or faster) network connection
- Minimum of 1 GB of RAM
- 2 GB of virtual memory
- Minimum of 9 GB free hard drive space (NTFS)
- Windows 2000 Professional, Server, or Advanced Server, with Service Pack 4 (and Terminal Services turned off)

Your client systems that access Security Monitor should meet the following hardware requirements:

Your client systems need to be running one of the following operating systems:

- Windows 2000 Professional with Service Pack 3
- Windows 2000 Server with Service Pack 3
- Windows XP with Service Pack 1 with Microsoft Virtual Machine

One final requirement is that your client systems need to use one of the following web browsers to access Security Monitor:

The Security Monitor user interface is composed of the following major sections:

- Configuration tabs
- Options bar
- TOC
- Path bar
- Instruction box
- Content area
- Tools bar

Security Monitor monitors the following types of devices:

When adding RDEP devices and IOS IPS devices to Security Monitor, you must specify the following information about the devices:

- IP address
- Device name
- Web server port
- Protocol
- Username
- Password
- Minimum event level

When using the PostOffice protocol to add devices that communicate with Security Monitor, you need to specify the following information about the devices:

- IP address
- Device name
- Host ID
- Org Name
- Org ID
- Port
- Heartbeat

You specify the following fields only when adding PIX/FWSM devices, since they use syslog to communicate with Security Monitor:

You can define event rules that perform specific actions when Security Monitor receives traffic matching specific properties. When defining an event rule, you can identify traffic based on the alert characteristics shown in Table 10-7.

Table 10-7. Event Rule Characteristics

| Characteristic | Description |
|---|---|
| Originating Device | Enables you to specify a monitored device |
| Originating Device Address | Enables you to specify the originating address of the device |
| Attacker Address | Enables you to filter based on the IP address of the attacker |
| Victim Address | Enables you to filter based on the IP address of the victim or system being attacked |
| Signature Name | Enables you to filter based on the name of a signature |
| Signature ID | Enables you to filter based on the ID of a signature |
| Severity | Enables you to filter based on the severity of the alarm received (Informational, Low, Medium, or High) |
When adding event rules, you need to perform the following four tasks:

Step 1. Assign a name to the event rule.
Step 2. Define the event filter criteria.
Step 3. Assign the event rule action.
Step 4. Define the event rule threshold and interval.
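To make the four steps and the Table 10-7 criteria concrete, here is an added Python model of an event rule (example code written for this summary, not Security Monitor's own implementation). The `EventRule` class, the `Alert` fields, the action names, and all sample alerts are constructed for illustration; the threshold/interval logic is a sliding window that fires the action once when the threshold number of matching alerts arrives within the interval, and a filter field left as `None` is simply not applied.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Severity values as listed in Table 10-7, ordered so a rule can require a minimum level.
SEVERITY_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alert:
    """One alert as received by Security Monitor (fields follow Table 10-7)."""
    time: datetime
    originating_device: str
    attacker_address: str
    victim_address: str
    signature_id: int
    signature_name: str
    severity: str


@dataclass
class EventRule:
    """Hypothetical event rule built from the four steps: name, filter criteria,
    action, and threshold/interval. A filter field left as None is not applied."""
    name: str
    action: str            # step 3: e.g. "email", "log", or "script"
    threshold: int         # step 4: number of matching alerts ...
    interval: timedelta    # ... that must arrive within this window
    originating_device: Optional[str] = None
    attacker_address: Optional[str] = None
    victim_address: Optional[str] = None
    signature_id: Optional[int] = None
    min_severity: str = "Informational"
    _recent: List[datetime] = field(default_factory=list, repr=False)

    def matches(self, alert: Alert) -> bool:
        """Step 2: does the alert satisfy every selected filter criterion?"""
        if self.originating_device is not None and alert.originating_device != self.originating_device:
            return False
        if self.attacker_address is not None and alert.attacker_address != self.attacker_address:
            return False
        if self.victim_address is not None and alert.victim_address != self.victim_address:
            return False
        if self.signature_id is not None and alert.signature_id != self.signature_id:
            return False
        return SEVERITY_ORDER[alert.severity] >= SEVERITY_ORDER[self.min_severity]

    def process(self, alert: Alert) -> Optional[str]:
        """Feed one alert in time order. Returns the action name when the threshold
        is reached inside the interval, otherwise None."""
        if not self.matches(alert):
            return None
        cutoff = alert.time - self.interval
        # Keep only matches that fall inside the sliding interval ending at this alert.
        self._recent = [t for t in self._recent if t > cutoff]
        self._recent.append(alert.time)
        if len(self._recent) >= self.threshold:
            self._recent.clear()  # fire once per burst, then start counting again
            return self.action
        return None


def sample_alert(seconds_after: int, attacker: str, severity: str,
                 signature_id: int = 2004, device: str = "sensor1") -> Alert:
    """Build a constructed sample alert relative to a fixed base time (not real sensor data)."""
    base = datetime(2004, 1, 1, 12, 0, 0)
    return Alert(base + timedelta(seconds=seconds_after), device, attacker,
                 "192.168.1.10", signature_id, "sample-signature", severity)


def run_burst_sample() -> List[str]:
    """Three High alerts from one attacker inside five minutes trigger the action once;
    a Medium alert and an alert from another attacker are filtered out."""
    rule = EventRule(name="repeated-high-from-one-host", action="email",
                     threshold=3, interval=timedelta(minutes=5),
                     attacker_address="10.0.0.5", min_severity="High")
    alerts = [
        sample_alert(0, "10.0.0.5", "High"),
        sample_alert(60, "10.0.0.5", "Medium"),     # below min_severity: ignored
        sample_alert(120, "10.0.0.5", "High"),
        sample_alert(180, "10.0.0.9", "High"),      # different attacker: ignored
        sample_alert(240, "10.0.0.5", "High"),      # third match within 5 minutes
    ]
    return [a for a in (rule.process(x) for x in alerts) if a is not None]


def run_interval_sample() -> List[Optional[str]]:
    """Two matches are needed within one minute; the first expires before the
    second arrives, so only the third alert completes a pair."""
    rule = EventRule(name="pair-within-a-minute", action="page",
                     threshold=2, interval=timedelta(minutes=1), min_severity="Low")
    return [rule.process(sample_alert(s, "10.0.0.7", "Low")) for s in (0, 120, 150)]
```

The second sample is the part worth studying when tuning a rule: an interval that is too short lets a slow, steady stream of matching alerts never reach the threshold, so the interval should be chosen from the rate at which the alerts of interest actually arrive.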
You can monitor the following information about the devices that you have added to Security Monitor:

- Connections
- Statistics
- Events

You can view statistics about the following items:

- Analysis Engine: MAC, virtual sensor, TCP Stream Reassembly, and signature database statistics
- Authentication: Successful and failed login attempts to the RDEP device
- Event Server: General and specific subscription information about the devices that have connections to the server
- Event Store: General information on, and number of, specific events that have occurred
- Host: Network statistics, memory usage, and swap-file usage
- Logger: Number of events and log messages written by the logger process
- Network Access Control: Information about the sensor's current shunning (blocking) configuration
- Transaction Server: Counts indicating the failed and total number of control transactions for the server
- Transaction Source: Counts indicating the failed and total number of source control transactions
- Web Server: Configuration information for the device web server and statistics for connections to the web server

Using the Event Viewer, you can monitor the events that Security Monitor is receiving from all of the monitored devices. When launching the Event Viewer, you need to specify the following information:

- Event Type
- Column Set
- Filter
- Event Start Time
- Event End Time

Configuring the Event Viewer involves understanding the following options:

- Moving columns
- Deleting rows and columns
- Collapsing rows
- Expanding rows
- Suspending and resuming new events
- Changing display preferences
- Creating graphs
- Using the Tools pull-down menu options
- Resolving host names

You can create the following two types of graphs based on the data, or a subset of the data, shown in Event Viewer:

Security Monitor server administration and maintenance tasks fall into the following categories:

- Data management
- System configuration
- Event viewer

Defining database rules involves specifying the parameters shown in Table 10-8.

Table 10-8. Database Rule Parameters

| Parameter | Description |
|---|---|
| Database used space greater than (megabytes) | If selected, triggers the database rule when the database reaches a size greater than the value specified. The default is 500 MB. |
| Database free space less than (megabytes) | If selected, triggers the database rule when the free space on the drive (where the database is installed) falls below the specified size. The default is 1. |
| Total IDS events in database exceed | If selected, triggers the database rule when the total number of IDS events is more than the specified value. The default is 500,000. |
| Total CSA events in database exceed | If selected, triggers the database rule when the total number of CSA events is more than the specified value. The default is 500,000. |
| Total firewall events in database exceed | If selected, triggers the database rule when the total number of firewall events is more than the specified value. The default is 500,000. |
| Total Audit Log events in database exceed | If selected, triggers the database rule when the total number of Audit Log events is more than the specified value. The default is 500,000. |
| Total events in database exceed | If selected, triggers the database rule when the total number of all events is more than the specified value. The default is 1,000,000. |
| At scheduled date | If selected, allows the database rule to be triggered at the specified date and time. The default is set to the current date, and the time is left blank. |
| Repeat every | If selected, causes the rule to trigger again at the specified number of days, weeks, or months (valid only in conjunction with the At scheduled date parameter). |
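As an added illustration of how the Table 10-8 parameters combine (example code for this summary, not Security Monitor's own code), the following Python model treats each row as an optional condition that is either unselected (`None`) or carries a threshold, applies the table's defaults, and enforces the note that "Repeat every" is valid only together with "At scheduled date". The `DatabaseState` snapshot, the evaluation tick (`last_check`/`now`) used to report a scheduled occurrence exactly once, and the condition labels are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Defaults from Table 10-8, applied when the corresponding condition is selected.
DEFAULT_USED_SPACE_MB = 500
DEFAULT_FREE_SPACE_MB = 1
DEFAULT_PER_TYPE_EVENTS = 500_000
DEFAULT_TOTAL_EVENTS = 1_000_000


@dataclass
class DatabaseState:
    """Constructed snapshot of the Security Monitor database (not real measurements)."""
    used_mb: float
    free_mb: float
    ids_events: int
    csa_events: int
    firewall_events: int
    audit_log_events: int

    @property
    def total_events(self) -> int:
        return self.ids_events + self.csa_events + self.firewall_events + self.audit_log_events


@dataclass
class DatabaseRule:
    """Hypothetical model of a database rule: each optional field is one checkbox
    from Table 10-8; None means the condition is not selected."""
    used_space_gt_mb: Optional[float] = None
    free_space_lt_mb: Optional[float] = None
    ids_events_gt: Optional[int] = None
    csa_events_gt: Optional[int] = None
    firewall_events_gt: Optional[int] = None
    audit_log_events_gt: Optional[int] = None
    total_events_gt: Optional[int] = None
    scheduled_at: Optional[datetime] = None
    repeat_every: Optional[timedelta] = None

    def __post_init__(self) -> None:
        # Table 10-8: "Repeat every" is valid only together with "At scheduled date".
        if self.repeat_every is not None and self.scheduled_at is None:
            raise ValueError("repeat_every requires scheduled_at")

    def triggered(self, state: DatabaseState, last_check: datetime, now: datetime) -> List[str]:
        """Return the names of every selected condition that is met; the rule fires
        when the list is non-empty. last_check/now bound one evaluation tick so a
        scheduled occurrence is reported exactly once."""
        hits: List[str] = []
        if self.used_space_gt_mb is not None and state.used_mb > self.used_space_gt_mb:
            hits.append("used space")
        if self.free_space_lt_mb is not None and state.free_mb < self.free_space_lt_mb:
            hits.append("free space")
        for name, limit, count in (
            ("IDS events", self.ids_events_gt, state.ids_events),
            ("CSA events", self.csa_events_gt, state.csa_events),
            ("firewall events", self.firewall_events_gt, state.firewall_events),
            ("Audit Log events", self.audit_log_events_gt, state.audit_log_events),
            ("total events", self.total_events_gt, state.total_events),
        ):
            if limit is not None and count > limit:
                hits.append(name)
        if self.schedule_due(last_check, now):
            hits.append("scheduled date")
        return hits

    def schedule_due(self, last_check: datetime, now: datetime) -> bool:
        """True when the scheduled date, or one of its repeats, falls in (last_check, now]."""
        if self.scheduled_at is None or now < self.scheduled_at:
            return False
        if self.repeat_every is None:
            return last_check < self.scheduled_at <= now
        periods = (now - self.scheduled_at) // self.repeat_every
        occurrence = self.scheduled_at + periods * self.repeat_every
        return last_check < occurrence <= now


def default_size_rule() -> DatabaseRule:
    """All size and count conditions selected at their Table 10-8 defaults, no schedule."""
    return DatabaseRule(used_space_gt_mb=DEFAULT_USED_SPACE_MB,
                        free_space_lt_mb=DEFAULT_FREE_SPACE_MB,
                        ids_events_gt=DEFAULT_PER_TYPE_EVENTS,
                        csa_events_gt=DEFAULT_PER_TYPE_EVENTS,
                        firewall_events_gt=DEFAULT_PER_TYPE_EVENTS,
                        audit_log_events_gt=DEFAULT_PER_TYPE_EVENTS,
                        total_events_gt=DEFAULT_TOTAL_EVENTS)


def run_sample() -> List[str]:
    """Constructed database: no single event type exceeds 500,000, but the
    total crosses 1,000,000 and used space crosses 500 MB."""
    state = DatabaseState(used_mb=640, free_mb=12_000, ids_events=450_000,
                          csa_events=300_000, firewall_events=260_000, audit_log_events=5_000)
    now = datetime(2004, 1, 1, 8, 0, 0)
    return default_size_rule().triggered(state, now - timedelta(hours=1), now)


def run_schedule_sample() -> List[bool]:
    """Weekly rule scheduled for 2004-01-01 08:00: due in the tick covering that time,
    not due one day later, due again one week later."""
    rule = DatabaseRule(scheduled_at=datetime(2004, 1, 1, 8), repeat_every=timedelta(weeks=1))
    ticks = [datetime(2004, 1, 1, 8), datetime(2004, 1, 2, 8), datetime(2004, 1, 8, 8)]
    return [rule.schedule_due(t - timedelta(hours=1), t) for t in ticks]
```

The point of the per-type versus total thresholds is visible in `run_sample()`: each event type stays under its own 500,000 default, yet the combined count still trips the 1,000,000 total, so leaving the total condition unselected would let the database grow past the intended size.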
System configuration tasks involve configuring the following communication properties:

- IP Log Archive Location
- E-Mail Server
- PostOffice Settings
- Syslog Settings

Security Monitor enables you to generate reports based on the audit and alarm information collected by Security Monitor. These reports can be generated immediately, or you can schedule them to be generated at a later time. The predefined IDS alarm report templates include the following:

- IDS Summary Report
- IDS Top Sources Report
- IDS Top Destinations Report
- IDS Top Alarms Report
- IDS Top Source/Destination Pairs Report
- IDS Alarm Source Report
- IDS Alarm Destination Report
- IDS Alarm Report
- IDS Alarm Source/Destination Pair Report
- IDS Alarms by Hour Report
- IDS Alarms by Day Report
- IDS Alarms by Sensor Report
- 24-Hour Metrics Report
- Daily Metrics Report

Creating a report using Security Monitor involves the following tasks:

- Defining the report
- Running the report
- Viewing the report