IDS Configuration


You've already performed many of the configuration tasks in the Configuration tab sheet; you perform signature tuning, global sensing, blocking, and maintenance from the Configuration tab sheet. We need to cover a few remaining key tasks from the Configuration tab sheet before moving on to the Deployment tab sheet. They are sensor communications and IP logging.

Communication Settings

Version 4.x of the Cisco IDS software uses Remote Data Exchange Protocol (RDEP), which replaces the PostOffice protocol of earlier IDS versions. As you've seen, the IDS MC does not use RDEP to communicate with the sensor; it uses either HTTP/HTTPS or SSH. However, you can use the IDS MC to configure RDEP settings and to specify the hosts that are allowed to connect to and configure a sensor or sensor group.

RDEP Protocol Settings

Complete the following steps to configure the RDEP protocol settings:

  1. Navigate to Configuration, Settings, Communications, RDEP Properties to display the RDEP Properties page. In the Web Server Port field, enter the port number on which the sensor's Web server listens and responds.

  2. Select or clear the Enable Transport Layer Security (TLS) check box. TLS provides cipher and secret-key negotiation, session privacy and integrity, and server authentication, so that the RDEP server and the RDEP client can exchange data securely.

  3. Enter the server identification in the Server ID field to identify the Web server on the sensor.

  4. Click Apply to display the RDEP Properties page, which refreshes to show the changes. Alternatively, click Reset to discard your updates and restore the previous settings.

Allowed Hosts

You might recall from Chapter 7, "Cisco IDS Navigation and General Configuration Using the Command-Line Interface," that you can use the CLI accessList command to define trusted hosts or networks that are allowed to connect to and configure the sensor. You can also use the IDS MC to define the trusted hosts, by following these steps:

  1. Navigate to Configuration, Settings, Communications, Allowed Hosts to display the Allowed Hosts page. Click the Add action button to display the Enter Allowed Host page.

  2. Enter the IP address and subnet mask of the allowed host in the IP address and subnet mask fields, respectively. If you are using NAT in your network, use the NAT address for the host or network.

  3. Click the OK action button to display the Allowed Hosts page, which refreshes to show your new allowed host. You can also use the Delete action button to delete an entry from the allowed hosts list.
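The allowed-hosts check expressed as code, as an added example that is not part of the book or of Cisco's software: entries are (IP address, dotted-decimal subnet mask) pairs as typed into the Allowed Hosts page, the source address tested is the one the sensor actually sees (the NAT address when NAT is in the path), and the audit flags entries that admit more than their IP suggests. Masking off host bits is an assumption made for the model.

```python
import ipaddress


def parse_allowed_hosts(entries):
    """entries: (ip, dotted_mask) pairs from the Allowed Hosts page.

    Assumption: host bits under the mask are ignored, so the entry
    ("10.1.1.5", "255.255.255.0") admits all of 10.1.1.0/24.
    """
    return [ipaddress.IPv4Network((ip, mask), strict=False) for ip, mask in entries]


def audit_allowed_hosts(entries):
    """Return a warning string for each entry that is broader than it looks."""
    warnings = []
    for ip, mask in entries:
        net = ipaddress.IPv4Network((ip, mask), strict=False)
        if net.prefixlen == 0:
            warnings.append(f"{ip} {mask}: mask 0.0.0.0 admits every address")
        elif net.prefixlen < 32 and ipaddress.IPv4Address(ip) != net.network_address:
            warnings.append(f"{ip} {mask}: host bits ignored, entry admits {net}")
    return warnings


def is_allowed(nets, source_ip):
    """True if source_ip (the address as seen by the sensor; behind NAT that is
    the translated address) falls within any allowed host or network."""
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    # Constructed sample entries: one host and one management subnet.
    entries = [("10.1.1.5", "255.255.255.255"), ("192.168.20.0", "255.255.255.0")]
    nets = parse_allowed_hosts(entries)
    for src in ("192.168.20.77", "10.1.1.6", "203.0.113.10"):
        print(src, "allowed" if is_allowed(nets, src) else "denied")
    print(audit_allowed_hosts([("10.1.1.5", "255.255.255.0"), ("0.0.0.0", "0.0.0.0")]))
```

The third sample address stands in for a management host that is really 10.1.1.5 but reaches the sensor through NAT: it is denied until the NAT address itself is added, which is the point of the step above.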

Logging

We now cover the logging capabilities and configuration tasks using the IDS MC. As you would expect, event logging is enabled by default, whereas automatic IP logging, because of its potential impact on performance, must be enabled for an individual signature.

Alert: Automatic IP logging, because of its impact on performance, must be enabled for an individual signature and for a specified duration.

Event Logging

Events are logged locally and can be any of the following types:

  • evError: Application errors.

  • evAlert: Intrusion detection alerts.

  • evStatus: Status changes, such as the creation of a new IP log.

  • evShunRequest: Shun requests.

  • evLogTransaction: Record of control transactions processed by the sensor's applications.

All events are stored locally on the sensor's EventStore, as you saw in Chapter 5, "Cisco IDS Architecture and Communications Protocols." IDS Event Viewer (IEV) and Security Monitor can pull events occurring after a time that you specify. Whether or not events are pulled to a management console, they remain in the EventStore until a 4GB limit is reached.

Alert: Events remain in the EventStore until the size limit of 4GB is reached.

Automatic IP Logging

The IDS IP logging feature is designed to make sure that there is always enough room to write a new IP log file. At startup, the sensor sets up a reusable ring of files for IP logging; after 2GB of logs have been generated, the sensor reuses files by overwriting the file with the oldest closing time. A log file is closed when it reaches its configured expiration or when its full capacity is used. Because files are pre-allocated, you do not have to delete them.

You saw in Chapter 8, "Command-Line Interface Commands," how to use the CLI to configure automatic IP logging, which captures raw IP packets for offline analysis with a third-party tool such as Ethereal, Tcpdump, or any other libpcap-capable reader. You can retrieve IP log files by using the CLI copy command with File Transfer Protocol (FTP) or Secure Copy Protocol (SCP), or you can download them using the IDM.

The IDS MC (as well as the IDM) also allows you to define settings for automatic IP logging. First, you set the sensor's automatic IP logging properties to define how it logs IP sessions when it detects an attack; if you want the sensor to actually perform IP logging, you must explicitly specify this when you configure individual signatures. The following steps describe how to set up automatic IP logging using the IDS MC:

  1. Navigate to Configuration, Settings to display the Settings page. Select Logging, Automatic IP Logging from the TOC to display the Automatic IP Logging page.

  2. Enter values for the IDS MC Automatic IP Logging settings, as listed and described in Table 14.7.

    Table 14.7. IDS MC Automatic IP Logging Settings

    Setting / Description

    Number of IP log files
        Number of IP log files for which the sensor will log IP session information. The default is 20.

    Maximum number of concurrently open log files
        Number of concurrent log files into which the sensor will log IP session information. The default is 20.

    *Maximum log file size
        Maximum number of packets that will be logged in an event. The default is 0.

    *Maximum number of packets in a log event (0 implies no limit)
        Maximum number of packets that will be logged in an event. The default is 0, which means there is no limit.

    *Duration of log
        Duration that the IP session information is logged, in seconds. The default is 30 seconds.


  3. Click Apply to save and apply the settings; the Automatic IP Logging page refreshes to show that the IDS MC applied the changes.
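A model of the pre-allocated IP log ring described earlier in this section (files allocated at startup, closed on expiry or when full, and the file with the oldest closing time reused), driven by the Table 14.7 settings. This is an added illustration written for this page, not Cisco code: the sensor's real file format and the byte-size limit are not modelled, and time is passed in as a plain number.

```python
from dataclasses import dataclass


@dataclass
class IPLogFile:
    index: int
    target_ip: str = None
    open_at: float = None                 # None until the file is first used
    closed_at: float = float("-inf")      # -inf = never used, None = currently open
    packets: int = 0


class IPLogRing:
    """Pre-allocated ring of IP log files; the parameters mirror Table 14.7."""
    def __init__(self, num_files=20, max_open=20, max_packets=0, duration=30):
        self.files = [IPLogFile(i) for i in range(num_files)]  # allocated once at startup
        self.max_open, self.max_packets, self.duration = max_open, max_packets, duration
        self.open_files = {}   # target_ip -> IPLogFile currently being written

    def _pick_free(self):
        # Never-used files sort first (-inf); otherwise the oldest closing time wins.
        closed = [f for f in self.files if f.closed_at is not None]
        return min(closed, key=lambda f: f.closed_at) if closed else None

    def start_log(self, target_ip, now):
        # Returns the file in use, or None when the concurrently-open limit is reached.
        if target_ip in self.open_files:
            return self.open_files[target_ip]
        f = None if len(self.open_files) >= self.max_open else self._pick_free()
        if f is None:
            return None
        f.target_ip, f.open_at, f.closed_at, f.packets = target_ip, now, None, 0
        self.open_files[target_ip] = f
        return f

    def _close(self, f, now):
        f.closed_at = now
        del self.open_files[f.target_ip]

    def record_packet(self, target_ip, now):
        # True if the packet was logged; the file closes on expiry or at the packet cap.
        f = self.open_files.get(target_ip)
        if f is None:
            return False
        if now - f.open_at >= self.duration:   # configured duration elapsed
            self._close(f, now)
            return False
        f.packets += 1
        if self.max_packets and f.packets >= self.max_packets:   # 0 means no limit
            self._close(f, now)
        return True
```

Run it with a small ring (for example two files, one open at a time, a three-packet cap) to watch a file close at its cap, a second close when its 30-second duration elapses, and the next log reuse the file that closed first.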

Cisco doesn't recommend changing the default settings for IP logging; if you do make changes, make it a general principle to decrease the values marked with an asterisk (*) in the table. This recommendation, again, is because of the performance impact that IP logging has on the sensor.

Finally, when you configure automatic IP logging at the group level, individual sensors are grayed out; if you want to edit the settings for an individual sensor, you have to check the Override check box.

Alert: To change the automatic IP logging settings for an individual sensor from the IDS MC, check the Override check box to override the group.

CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213