Configuring Security Monitor

Security Monitor configuration tasks fall into three main categories:

  • Adding devices, including Remote Data Exchange Protocol (RDEP), PostOffice, IOS IDS, CSA, Host IDS, and PIX IDS devices

  • Monitoring devices by analyzing connections, statistics, and events

  • Event notification, which includes the tasks for adding and activating event rules

You will notice that these configuration tasks fall primarily under the Devices and Monitor tab sheets. However, some tasks for event notification fall under the Administration tab sheet. The next sections cover adding devices; monitoring connections, statistics, and events; and configuring event notification.

Adding Devices

Before you can use Security Monitor to view events and alerts for IDS devices, you need to add the devices installed in your network to Security Monitor. On the Devices tab sheet, you see a list of devices that have already been added to the Security Monitor. The devices page also allows you to add, view, edit, delete, and import Cisco IDS devices from the IDS MC. Security Monitor can monitor the following types of devices:

  • RDEP IDS devices

  • PostOffice IDS devices

  • IOS IDS

  • Host CSA IDS

  • PIX IDS

Exam Alert: Security Monitor allows you to monitor RDEP, PostOffice, IOS, host, and PIX IDS devices.

Adding RDEP Devices

You saw in Chapter 5, "Cisco IDS Architecture and Communications Protocols," that Cisco IDS version 4.0 sensors use RDEP to communicate with Security Monitor. To add RDEP IDS devices to Security Monitor, complete the following steps:

  1. From the Devices tab sheet, click the Add action button to display the Select Device Type list.

  2. Select the RDEP IDS radio button option and click Next to display the Enter Device Information page.

  3. Enter the values for the settings, as listed and described in Table 15.4.

    Table 15.4. Security Monitor Add RDEP Devices Information Settings

    Setting | Description
    IP address | The IP address of the RDEP device.
    NAT address | The network address translation (NAT) address of the RDEP IDS device; required if NAT is being used.
    Device name | Name of the RDEP IDS device.
    Description | Optional.
    Use encryption | Select this check box if the device uses Transport Layer Security (TLS), which is enabled by default.
    Web server port | Web server port used by the RDEP device.
    Username | Username used to log in to the RDEP device.
    Password | Password used with the username.
    Confirm password | Confirmation of the password.
    Minimum event level | The minimum event level to monitor. The default is medium; the allowed values are informational, low, medium, and high.

  4. Click Finish to display the Devices page. The list of Security Monitor devices should refresh to include the new RDEP device that you have just added.

PostOffice Devices

Recall from Chapter 5 that Cisco IDS version 3.x sensors use PostOffice to communicate with Security Monitor. To add PostOffice IDS devices to Security Monitor, complete the following steps:

  1. From the Devices tab sheet, press the Add action button to display the Select Device Type list.

  2. Select the PostOffice IDS radio button option and click Next to display the Enter Device Information page.

  3. Enter the values for the settings, as listed and described in Table 15.5.

    Table 15.5. Security Monitor Add PostOffice Devices Information Settings

    Setting | Description
    IP address | The IP address of the PostOffice device.
    NAT address | The NAT address of the PostOffice IDS device; required if NAT is being used.
    Device name | Name of the PostOffice IDS device.
    Description | Optional.
    Discover PostOffice settings using SSH | Select this check box to allow Security Monitor to discover the PostOffice settings via Secure Shell (SSH).
    Host ID | Host ID for the PostOffice device.
    Org ID | Organization ID for the PostOffice device.
    Org name | Organization name for PostOffice communications.
    Port | Port number for PostOffice communications. The default is 45000.
    Heartbeat | Heartbeat interval for PostOffice communications. The default interval is 5 seconds.

  4. Click Finish to display the Devices page. The list of Security Monitor devices should refresh to include the new PostOffice device that you have just added.

Adding IOS Devices

Security Monitor can receive events from Cisco IDS devices that aren't sensors, such as IOS IDS, PIX IDS, and Host IDS devices. Here we go through the steps to add an IOS IDS device. Because the steps to add a PIX IDS or Host IDS device are very similar to those for the IOS IDS, we don't repeat the configuration steps to add PIX or CSA Host IDS devices. Follow these steps to add an IOS IDS device:

  1. From the Devices tab sheet, press the Add action button to display the Select Device Type list.

  2. Select the IOS IDS radio button option and click Next to display the Enter Device Information page.

  3. Enter the values for the settings, as listed and described in Table 15.6.

    Table 15.6. Security Monitor Add IOS IDS Devices Information Settings

    Setting | Description
    IP address | The IP address of the IOS IDS device.
    NAT address | The NAT address of the IOS IDS device; required if NAT is being used.
    Device name | Name of the IOS IDS device.
    Description | Optional.
    Uses PostOffice check box | By selecting this check box, you can enter PostOffice settings for the IOS IDS device.

  4. Click Finish to display the Devices page. The list of Security Monitor devices should refresh to include the new IOS (or PIX or Host) IDS device that you have just added.

Importing Devices

If you already have an instance of IDS MC that is monitoring IDS devices, you can import these devices from IDS MC into Security Monitor, rather than add the device individually.

Exam Alert: Security Monitor allows you to import devices from IDS MC.

Complete the following steps to import devices from IDS MC:

  1. From the Devices tab sheet, press the Import action button to display the IDS MC Server Information page.

  2. Enter values for the settings listed in Table 15.7.

    Table 15.7. Security Monitor IDS MC Information Settings

    Setting | Description
    IP address/host name | The IP address or hostname of the IDS MC server.
    Web server port | The Web server port used for communication between IDS MC and Security Monitor.
    Username | Name of the user who will log in to the IDS MC.
    Password | Password for the username.

  3. Click Next to display the Select Devices page; select the sensors to import into Security Monitor.

  4. Click Next to display the Update NAT Addresses page; enter the NAT addresses of the sensors or IDSMs in the NAT address field, if applicable.

  5. Click Finish to display the Summary page, where the import status is reported.

  6. Click OK to display the list of IDS devices that will be refreshed to include the devices you have just imported from IDS MC.

Monitoring Connections

The Monitor tab sheet, which follows the Devices tab sheet, has three options: Connections, Statistics, and Events. Figure 15.4 shows the Monitor, Connections page.

Figure 15.4. The Monitor, Connections page with Connections, Statistics, and Event options for the Monitor tab sheet.

Security Monitor communicates to the devices it monitors in different ways. With RDEP devices, Security Monitor connects to the sensor and retrieves the alerts. PostOffice devices, on the other hand, send the alert information directly to Security Monitor. You can monitor RDEP and PostOffice devices from the Monitor, Connections page.

Note that only RDEP and PostOffice devices can be monitored from the Monitor, Connections page. IOS devices (those not using PostOffice) and PIX devices communicate with Security Monitor in a connectionless manner using syslog messages.

Monitoring Statistics

Security Monitor can capture a wealth of statistical data about RDEP devices. Table 15.8 lists the type of information that you can view from the Monitor, Statistics page.

Table 15.8. Information for RDEP Devices in the Monitor, Statistics Page

Information | Description
Analysis engine statistics | Media Access Control (MAC), virtualSensor, Transmission Control Protocol (TCP) stream reassembly, and signature database statistics
Authentication statistics | Successful and failed login attempts to the RDEP device
Event Server statistics | General and specific subscription information about the devices with connections to the server
Event Store statistics | General and specific events that have occurred on the device
Host statistics | Network statistics, memory usage, and swap file usage
Logger statistics | Number of events and log messages written by the logger
Network Access Controller statistics | Information about the sensor's blocking/shunning configuration
Transaction server statistics | Counts showing the failed and total numbers of control transactions for the server
Transaction source statistics | Counts showing the failed and total numbers of source control transactions
Web server statistics | Configuration information for the device Web server and statistics for connections to the Web server

To view statistical information about specific RDEP devices, follow these steps:

  1. From the Monitor, Statistics page, select the radio button of the RDEP device from the list of configured RDEP devices. The Display Options drop-down menu appears.

  2. Select the statistics you want to view for this particular RDEP device from the Display Options drop-down menu.

  3. Click View; a Security Monitor Device Statistics window opens displaying the statistical information that you have selected for this particular RDEP device.

Monitoring Events

The last option in the Monitor tab sheet is the Monitor, Events page. Monitoring events is very likely the most important function of the Security Monitor because it allows you to view and analyze attacks against your network.

Before you can monitor events, however, you have to configure event rules to specify the criteria that an event must meet for an action to occur. The following steps describe how you create an event rule:

  1. Create an event rule and assign a name to it.

  2. Define the event filter criteria.

  3. Assign the event rule action.

  4. Define the event rule threshold and interval.

  5. Activate the event rule.

Exam Alert: When preparing for the exam, remember the five steps for creating an event rule.

Event Rules

With event rules, you can define filters for the event data generated by your IDS devices (similar to applying an access list to a debug command, for example) and specify an action to be taken when the filter conditions are met. This action could be to send an email, log a console notification to the audit log, or execute a script, for instance.

As we step through each of the Security Monitor tab sheets, we now have to jump ahead to the Admin tab sheet to create the event rules that we need for the Monitor, Events page. The steps to create an event rule are as follows:

  1. Navigate to Admin, Event Rules to display the Identify the Rule page. Enter a rule name in the Rule Name field; if you want, you can also add a description for your new event rule.

  2. Click Next to display the Specify Event Filter page. You see an array of drop-down menus to create filter criteria and operators.

  3. Choose from these options:

    • Originating device

    • Originating device address

    • Attack address

    • Victim address

    • Signature name

    • Signature ID

    • Severity

    The following operators are available: <, <=, =, !=, >=, and >. Use the drop-down menus to create the appropriate filters and criteria.

  4. Click Next to display the Choose the Actions page. Enter the settings for the Rule Actions Settings, as listed and described in Table 15.9.

    Table 15.9. Security Monitor Rule Actions Settings

    Setting | Description
    Notify via email | Check box that, if selected, enables Security Monitor to send an email when the event rule is triggered.
    Recipients | Addresses to receive an email when the event rule is triggered. Separate multiple addresses with a comma.
    Subject | Subject of the email that will be sent to the recipients.
    Message | Message body of the email that will be sent to the recipients.
    Log a console notification event | Check box that, if selected, enables Security Monitor to log a notification report to the console when the event rule is triggered.
    Subject | Subject of the notification report.
    Message | Message body of the notification report.
    Execute a script | Check box that, if selected, enables Security Monitor to execute a script when the event rule is triggered.
    Script file | Drop-down menu with a list of script options that can be executed if the Execute a Script box is selected.
    Argument | Additional arguments that can accompany a script that executes when the event rule is triggered.

    Note: It is possible to create your own scripts to be executed with the event action settings by saving your created script in the default Security Monitor directory in the following subdirectory: \CSCOpx\MDC\etc\ids\scripts.

    Caution: Running some scripts against the Security Monitor database can result in unknown consequences; therefore, write your custom scripts with caution!

  5. Now that you've entered your event action settings, click Next to display the Specify the Thresholds and Intervals page.

  6. Enter the thresholds in the Issue Actions After field, the Repeat Actions Again After field, and the Reset Count Every field, as shown in Figure 15.5.

    Figure 15.5. The Specify the Thresholds and Intervals page to create an event rule from Admin, Event Rules.

  7. Click Finish to save and apply the threshold and intervals settings.

  8. Finally, the last step to create the event rule is to activate it. From the Admin, Event Rules page, select the event rules you want to activate and press the Activate action button.

You have now completed all the steps to create the event rule and can return to the Monitor, Events page to launch the Security Monitor Event Viewer.
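To make the filter-criteria, threshold/interval, and activation steps above concrete, here is an added simulation of how such an event rule evaluates an alert stream. It is not Security Monitor's own code; it assumes that "Issue Actions After" fires on the Nth matching event, "Repeat Actions Again After" fires on every N further matches, "Reset Count Every" zeroes the count after that many seconds, and that severities rank informational < low < medium < high. The alerts and sensor names are constructed.

```python
import operator
from dataclasses import dataclass
# Operators offered on the Specify Event Filter page; severity ranking is assumed.
OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}
SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class EventRule:
    name: str
    criteria: list        # (field, operator, value) triples; all must hold
    issue_after: int      # Issue Actions After: fire on the Nth matching event
    repeat_after: int     # Repeat Actions Again After: fire every N further matches
    reset_every: int      # Reset Count Every: seconds before the count is zeroed
    active: bool = False  # step 8: a rule does nothing until it is activated
    count: int = 0
    window_start: float = None
    def matches(self, ev):  # every filter criterion must be true for the event
        for fld, op, val in self.criteria:
            left, right = ev[fld], val
            if fld == "severity":  # compare severities by rank, not as text
                left, right = SEVERITY[left], SEVERITY[right]
            if not OPS[op](left, right):
                return False
        return True

    def process(self, ev):  # True when the rule's actions should be issued now
        if not self.active or not self.matches(ev):
            return False
        if self.window_start is None or ev["time"] - self.window_start >= self.reset_every:
            self.window_start, self.count = ev["time"], 0  # Reset Count Every elapsed
        self.count += 1
        if self.count == self.issue_after:
            return True
        extra = self.count - self.issue_after
        return extra > 0 and self.repeat_after > 0 and extra % self.repeat_after == 0

def run_rule(rule, events):  # feed events in order; return times actions were issued
    return [ev["time"] for ev in events if rule.process(ev)]

# Constructed alert stream (not real sensor output): (time in seconds, device, severity).
SAMPLE_EVENTS = [
    {"time": t, "originating_device": dev, "originating_device_address": "10.0.0.1",
     "attack_address": "192.0.2.9", "victim_address": "10.0.1.5",
     "signature_name": "CONSTRUCTED-SIG", "signature_id": 1000, "severity": sev}
    for t, dev, sev in [(0, "sensor-1", "high"), (5, "sensor-1", "medium"),
                        (10, "sensor-1", "low"), (12, "sensor-2", "high"),
                        (15, "sensor-1", "high"), (20, "sensor-1", "high"),
                        (25, "sensor-1", "high"), (70, "sensor-1", "high"),
                        (75, "sensor-1", "high"), (80, "sensor-1", "high")]]
```

With the rule "severity >= medium and originating device = sensor-1", issue after 3, repeat every 2, reset every 60 seconds, actions are issued at 15 s, 25 s, and 80 s; the low-severity and sensor-2 alerts never count, and nothing fires until the rule is activated.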

CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213