Security Monitor configuration tasks fall into three main categories:
Adding devices, including Remote Data Exchange Protocol (RDEP), PostOffice, IOS IDS, CSA, Host IDS, and PIX IDS devices
Monitoring devices by analyzing connections, statistics, and events
Event notification, which includes the tasks for adding and activating event rules
You will notice that these configuration tasks fall primarily into the Device and Monitor tab sheets. However, some tasks for event notification fall under the Administration tab sheet. The next sections cover adding devices; monitoring connections, statistics, and events; and configuring event notification.
Before you can use Security Monitor to view events and alerts for IDS devices, you need to add the devices installed in your network to Security Monitor. On the Devices tab sheet, you see a list of devices that have already been added to the Security Monitor. The devices page also allows you to add, view, edit, delete, and import Cisco IDS devices from the IDS MC. Security Monitor can monitor the following types of devices:
RDEP IDS devices
PostOffice IDS devices
IOS IDS
Host CSA IDS
PIX IDS
Security Monitor allows you to monitor RDEP, PostOffice, IOS, host, and PIX IDS devices.
You saw in Chapter 5, "Cisco IDS Architecture and Communications Protocols," that Cisco IDS version 4.0 sensors use RDEP to communicate with Security Monitor. To add RDEP IDS devices to Security Monitor, complete the following steps:
Setting | Description |
---|---|
IP address | The IP address of the RDEP device. |
NAT address | The network address translation (NAT) address of the RDEP IDS device; required if NAT is being used. |
Device name | Name of the RDEP IDS device. |
Description | Optional. |
Use encryption | Select this check box if the device uses Transport Layer Security (TLS), which is enabled by default. |
Web server port | Web server port used by the RDEP device. |
Username | Username used to log in to the RDEP device. |
Password | Password used with the username. |
Confirm password | Confirmation of the password. |
Minimum event level | The minimum event level to monitor. The default is medium, with the allowed values being informational, low, medium, and high. |
Recall from Chapter 5 that Cisco IDS version 3.x sensors use PostOffice to communicate with Security Monitor. To add PostOffice IDS devices to Security Monitor, complete the following steps:
Setting | Description |
---|---|
IP address | The IP address of the PostOffice device. |
NAT address | The NAT address of the PostOffice IDS device; required if NAT is being used. |
Device name | Name of the PostOffice IDS device. |
Description | Optional. |
Discover PostOffice settings using SSH | Select this check box to allow Security Monitor to discover the PostOffice settings via Secure Shell (SSH). |
Host ID | Host ID for the PostOffice device. |
Org ID | Organization ID for the PostOffice device. |
Org name | Organization name for PostOffice communications. |
Port | Port number for PostOffice communications. The default is 45000. |
Heartbeat | Heartbeat interval for PostOffice communications. The default interval is 5 seconds. |
Security Monitor can receive events from Cisco IDS devices that aren't sensors, such as IOS IDS, PIX IDS, and Host IDS devices. Here we go through the steps to add an IOS IDS device. Because the steps to add a PIX IDS or Host IDS device are very similar to those for the IOS IDS, we don't repeat the configuration steps to add PIX or CSA Host IDS devices. Follow these steps to add an IOS IDS device:
Setting | Description |
---|---|
IP address | The IP address of the IOS IDS device. |
NAT address | The NAT address of the IOS IDS device; required if NAT is being used. |
Device name | Name of the IOS IDS device. |
Description | Optional. |
Uses PostOffice check box | By selecting this check box, you can enter PostOffice settings for the IOS IDS device. |
If you already have an instance of IDS MC that is monitoring IDS devices, you can import these devices from IDS MC into Security Monitor, rather than add the device individually.
Security Monitor allows you to import devices from IDS MC.
Complete the following steps to import devices from IDS MC:
Setting | Description |
---|---|
IP address/host name | The IP address or hostname of the IDS MC server. |
Web server port | The Web server port address used for communication between IDS MC and Security Monitor. |
Username | Name of the user who will log in to the IDS MC. |
Password | Password for the username. |
After the Devices tab sheet is the Monitor tab sheet, with three options: connections, statistics, and events. Figure 15.4 shows the Monitor, Connections page.
Security Monitor communicates to the devices it monitors in different ways. With RDEP devices, Security Monitor connects to the sensor and retrieves the alerts. PostOffice devices, on the other hand, send the alert information directly to Security Monitor. You can monitor RDEP and PostOffice devices from the Monitor, Connections page.
Note that only RDEP and PostOffice devices can be monitored from the Monitor, Connections page. IOS devices (those not using PostOffice) and PIX devices communicate with Security Monitor in a connectionless manner using syslog messages.
Security Monitor can capture a wealth of statistical data about RDEP devices. Table 15.8 lists the type of information that you can view from the Monitor, Statistics page.
Information | Description |
---|---|
Analysis engine statistics | Media Access Control (MAC), virtualSensor, Transmission Control Protocol (TCP) stream reassembly, and signature database statistics |
Authentication statistics | Successful and failed login attempts to the RDEP device |
Event Server statistics | General and specific subscription information about the devices with connections to the server |
Event Store statistics | General and specific events that have occurred on the device |
Host statistics | Network statistics, memory usage, and swap file usage |
Logger statistics | Number of events and log messages written by the logger |
Network Access Controller statistics | Information about the sensor's blocking/shunning configuration |
Transaction server statistics | Counts showing the failed and total numbers of control transactions for the server |
Transaction source statistics | Counts showing the failed and total numbers of source control transactions |
Web server statistics | Configuration information for the device Web server and statistics for connections to the Web server |
To view statistical information about specific RDEP devices, follow these steps:
The last option in the Monitor tab sheet is the Monitor, Events page. Monitoring events is very likely the most important function of the Security Monitor because it allows you to view and analyze attacks against your network.
Before you can monitor events, however, you have to configure event rules to specify the criteria that an event must meet for an action to occur. The following steps describe how you create an event rule:
When preparing for the exam, remember the five steps for creating an event rule.
With event rules, you can define filters for the event data generated by your IDS devices (similar to applying an access list to a debug command, for example) and specify an action to be taken when the filter conditions are met. This action could be to send an email, log a console notification to the audit log, or execute a script, for instance.
As we step through each of the Security Monitor tab sheets, we now have to jump ahead to the Admin tab sheet to create the event rules that we need for the Monitor, Events page. The steps to create an event rule are as follows:
Originating device
Originating device address
Attack address
Victim address
Signature name
Signature ID
Severity
Setting | Description |
---|---|
Notify via email | Check box that, if selected, enables Security Monitor to send an email when the event rule is triggered. |
Recipients | Addresses to receive an email when the event rule is triggered. Separate multiple addresses with a comma. |
Subject | Subject of the email that will be sent to the recipients. |
Message | Message body of the email that will be sent to the recipients. |
Log a console notification event | Check box that, if selected, enables Security Monitor to log a notification report to the console when the event rule is triggered. |
Subject | Subject of the notification report. |
Message | Message body of the notification report. |
Execute a script | Check box that, if selected, enables Security Monitor to execute a script when the event rule is triggered. |
Script file | Drop-down menu with a list of script options that can be executed if the Execute a Script box is selected. |
Argument | Additional arguments that can accompany a script that executes when the event rule is triggered. |
It is possible to create your own scripts to be executed with the event action settings by saving your created script in the default Security Monitor directory in the following subdirectory: \CSCOpx\MDC\etc\ids\scripts.
Running some scripts against the Security Monitor database can result in unknown consequences; therefore, write your custom scripts with caution!
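As an added illustration (not Cisco's code), the following Python models how the seven event-rule filter fields listed above and the RDEP minimum event level could gate events and select the email, console, or script actions; the AND-of-filters and at-least-severity semantics, the sample events, and the sample rules are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Event levels as listed for the RDEP "Minimum event level" setting, in order.
LEVELS = ["informational", "low", "medium", "high"]

@dataclass
class Event:  # the seven fields an event rule can filter on, in the chapter's order
    device: str; device_addr: str; attacker: str; victim: str
    sig_name: str; sig_id: int; severity: str  # severity is one of LEVELS

@dataclass
class EventRule:
    name: str
    filters: dict = field(default_factory=dict)  # Event field name -> required value
    actions: list = field(default_factory=list)  # "email", "console", "script"

def meets_minimum_level(ev, minimum="medium"):
    """Device-level gate modelled on the RDEP minimum event level (default medium)."""
    return LEVELS.index(ev.severity) >= LEVELS.index(minimum)

def rule_matches(rule, ev):
    """Assumed: AND of all specified filters; unspecified = wildcard; severity = at least."""
    for key, want in rule.filters.items():
        have = getattr(ev, key)
        if key == "severity":
            if LEVELS.index(have) < LEVELS.index(want):
                return False
        elif have != want:
            return False
    return True

def evaluate(events, rules, minimum="medium"):
    """(rule name, actions, signature ID) for each rule fired by each event passing the gate."""
    fired = []
    for ev in events:
        if meets_minimum_level(ev, minimum):
            for rule in rules:
                if rule_matches(rule, ev):
                    fired.append((rule.name, tuple(rule.actions), ev.sig_id))
    return fired

# Constructed sample events (documentation addresses, sample signature IDs) and rules.
SAMPLE_EVENTS = [
    Event("sensor1", "192.0.2.10", "198.51.100.7", "192.0.2.50", "ICMP Echo Request", 2004, "informational"),
    Event("sensor1", "192.0.2.10", "198.51.100.7", "192.0.2.50", "TCP SYN Port Sweep", 3030, "medium"),
    Event("sensor2", "192.0.2.11", "203.0.113.9", "192.0.2.60", "TCP SYN Port Sweep", 3030, "high"),
]
SAMPLE_RULES = [
    EventRule("sweep-from-sensor1", {"device": "sensor1", "sig_id": 3030}, ["email", "console"]),
    EventRule("any-high", {"severity": "high"}, ["script"]),
]
```

With the default medium gate, the informational event is dropped before any rule is consulted, the medium port sweep fires the sensor-specific rule, and the high-severity sweep from sensor2 fires only the script rule.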
You have now completed all the steps to create the event rule and can return to the Monitor, Events page to launch the Security Monitor Event Viewer.