Configuring Basic AIP-SSM Settings

This section demonstrates how SecureMe's IPS administrator uses ASDM to configure basic settings on the AIP-SSM.

Licensing

When SecureMe's IPS administrator first launches ASDM, he discovers that the system does not have a valid license. To correct this problem, the administrator chooses Cisco Connection Online to obtain the license directly from Cisco.com, as shown in Figure 20-4.

Figure 20-4. Licensing

ASDM sends the serial number of the AIP-SSM to Cisco.com over an HTTP connection and retrieves the license key, which is then displayed in ASDM. Because the request is plain HTTP, the serial number travels in the clear; the returned key is tied to that serial number and is not usable on another sensor.

Optionally, the IPS administrator can also upload the license information from a file stored on his local workstation.

Verifying Network Settings

The IPS administrator is informed that a new router has been installed in the management subnet. The AIP-SSM default gateway needs to be updated with the router's IP address (10.89.149.254). Figure 20-5 shows how to enter the new address under the ASDM network settings.

Figure 20-5. AIP-SSM Network Settings

The administrator also notices that Telnet access is enabled on the AIP-SSM and disables it, because SecureMe's security policy permits management access to the sensor over SSH and ASDM only. Under the network settings, you can modify any of the following options:

  • Host name of the AIP-SSM.
  • IP address of the management interface on the AIP-SSM (the default IP address is 10.1.9.201).
  • Network mask.
  • Default gateway address (the default is 10.1.9.1).
  • The FTP timeout when an FTP client communicates with the AIP-SSM (default is 300 seconds).
  • The AIP-SSM web server security level and port. It is strongly recommended that you enable TLS/SSL.
  • Whether Telnet access is enabled or disabled. Telnet is disabled by default because it carries credentials and the entire session in cleartext; leave it disabled unless there is a specific, temporary need for it.

Adding Allowed Hosts

The IPS administrator wants to connect to the IPS from his home workstation when connecting using the Cisco VPN client. He connects to a cluster of Cisco ASA appliances in Chicago to gain access to the private networks. These appliances are configured to always assign his VPN client a static IP address (192.168.75.34). Consequently, he adds this IP address in the Allowed Hosts section on ASDM, as shown in Figure 20-6.

Figure 20-6. Allowed Hosts Section

After navigating to the Allowed Hosts option under the Sensor Setup section, the IPS administrator clicks Add and adds the 192.168.75.34 IP address with a 32-bit subnet mask (255.255.255.255), so that only that single address is permitted. Note that the sensor refuses management connections (ASDM, SSH, and Telnet if enabled) from any address that does not match an allowed-hosts entry, so always confirm that the workstation you are configuring from is covered by the list before you apply the change; otherwise you lock yourself out of the sensor.

Configuring NTP

It is recommended that you use an NTP server as the AIP-SSM time source. The IPS administrator in Los Angeles installed a new NTP server (10.89.149.207) on the management network. He configures the NTP server parameters by choosing Configuration > Features > IPS > Sensor Setup > Time, as shown in Figure 20-7.

Figure 20-7. NTP Configuration

The IPS administrator adds the IP address of the NTP server (10.89.149.207). He also enters the NTP MD5 key (cisco123) and key ID (1) for NTP authentication. The key is a shared secret: the same key ID and key must be configured on the NTP server, which appends a keyed MD5 digest to each packet it sends, and the AIP-SSM verifies that digest before accepting the time update. A short key such as cisco123 is used here only for illustration; in production, use a long random key, because an attacker who can spoof the time source can skew event timestamps and interfere with certificate validity checks.
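To make the authentication step above concrete, the following Python script (an added example, not code from the book or from Cisco) builds an NTPv4 server reply, appends the symmetric-key MAC that NTP MD5 authentication uses (4-byte key ID followed by MD5 over the shared key concatenated with the 48-byte header, per RFC 1305/5905), and shows which packets a sensor with key ID 1 = cisco123 accepts or rejects. The header contents, the timestamp value, and the "wrongkey" rogue-server key are constructed for the example.

```python
import hashlib
import hmac
import struct

# Key table as configured on the AIP-SSM in the chapter (key ID 1 -> cisco123).
# Constructed for the example; cisco123 is deliberately weak.
NTP_KEYS = {1: b"cisco123"}
HEADER_LEN = 48     # NTP header length in bytes
MAC_LEN = 4 + 16    # key ID + MD5 digest


def build_ntp_header(stratum=2, tx_time=1_700_000_000.0):
    """Build a minimal NTPv4 server-reply header (48 bytes). Constructed values."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4        # LI=0, version 4, mode 4 (server)
    ntp_epoch_offset = 2208988800               # seconds between 1900 and 1970
    secs = int(tx_time) + ntp_epoch_offset
    frac = int((tx_time - int(tx_time)) * (1 << 32))
    return struct.pack(
        "!BBbbII4sIIIIIIII",
        li_vn_mode, stratum, 0, -20,   # poll interval 0, precision 2^-20
        0,                             # root delay
        0,                             # root dispersion
        b"GPS\x00",                    # reference ID
        0, 0,                          # reference timestamp
        0, 0,                          # origin timestamp
        0, 0,                          # receive timestamp
        secs, frac,                    # transmit timestamp (offset 40..47)
    )


def ntp_mac(key_id, header, keys=NTP_KEYS):
    """MAC = key_id (big-endian) || MD5(key || header). This is a keyed digest, not HMAC."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_ntp_packet(header, key_id, keys=NTP_KEYS):
    """What the NTP server sends when the key ID is configured for this client."""
    return header + ntp_mac(key_id, header, keys)


def verify_ntp_packet(packet, keys=NTP_KEYS):
    """What the sensor does on receipt. Returns (accepted, reason)."""
    if len(packet) == HEADER_LEN:
        return False, "unauthenticated packet (no MAC present)"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "unexpected packet length %d" % len(packet)
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "MAC mismatch: wrong key or modified packet"
    return True, "authenticated with key ID %d" % key_id


def demo():
    """Exercise the four cases a sensor sees; returns a dict of accept/reject results."""
    header = build_ntp_header()
    good = sign_ntp_packet(header, 1)

    # On-path attacker shifts the transmit timestamp by one hour but cannot re-sign.
    tampered = bytearray(good)
    secs = struct.unpack("!I", tampered[40:44])[0] + 3600
    tampered[40:44] = struct.pack("!I", secs)

    # Rogue server that knows the key ID but not the key.
    rogue = sign_ntp_packet(header, 1, {1: b"wrongkey"})

    return {
        "good": verify_ntp_packet(good)[0],
        "tampered": verify_ntp_packet(bytes(tampered))[0],
        "rogue_key": verify_ntp_packet(rogue)[0],
        "no_mac": verify_ntp_packet(header)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-10s accepted=%s" % (case, accepted))
```

Only the correctly keyed packet is accepted; a modified timestamp, a server holding the wrong key, and an unauthenticated reply are all rejected. Note that the scheme authenticates the packet but does not encrypt it, and the strength rests entirely on the secrecy and length of the shared key, which is why cisco123 should not be used outside a lab.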

Adding Users

Four different types of users can be configured in the AIP-SSM:

  • Viewers
  • Operators
  • Administrators
  • Service

Note

The definition of each account type is discussed in Chapter 14.

In the following scenario, the IPS administrator needs to create the service account to be able to enter into the AIP-SSM service mode.

Note

The service user cannot log in to ASDM. This user is only used to log in to the AIP-SSM service mode (bash shell) for administrative purposes, and only one service account can exist on the sensor. Because the service account bypasses the normal CLI and ASDM role enforcement, it should only be used for troubleshooting with the assistance of the Cisco Technical Assistance Center (TAC).

The service account is added as illustrated in Figure 20-8.

Figure 20-8. Adding Users

The security administrator navigates to Configuration > Features > IPS > Sensor Setup > Users and clicks the Add button. He enters service as the username and selects Service from the User Role drop-down menu. The corresponding password is also entered and confirmed, as shown in Figure 20-8.

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231