© 2003, cisco systems, inc. all rights reserved. csids 4.0—16-1 chapter 16 enterprise intrusion...

© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-1

Chapter 16

Enterprise Intrusion Detection System Monitoring and Reporting


Objectives

Upon completion of this chapter, you will be able to perform the following tasks: • Define features and key concepts of the Security Monitor.

• Install and verify the Security Monitor functionality.

• Monitor IDS devices with the Security Monitor.

• Administer Security Monitor event rules.

• Use the reporting features of the Security Monitor.

• Administer the Security Monitor server.


Introduction


What Is the Security Monitor?

The Security Monitor provides event collection, viewing, and reporting capability for network devices.


Security Monitor Features

The following are the Security Monitor features:• Monitors the following devices:

–Sensor appliances

– IDS Modules

– IOS Routers

–PIX Firewalls

• Web-based monitoring platform

• Custom reporting capability


Installation


Installation Requirements

• Hardware

– IBM PC-compatible computer with 800 MHz or faster

– Color monitor capable of viewing 256 colors

– CD-ROM drive

– 100 Mbps or faster network connection

• Memory—1 GB of RAM minimum

• Disk drive space

– 12 GB minimum

– NTFS

• Software

– Windows 2000 Server with Service Pack 2

– ODBC Driver Manager 3.510 or later


Client Access Requirements

• Hardware—IBM PC-compatible computer with a 300 MHz or faster

• Memory—256 MB of RAM minimum

• Disk drive space—400 MB virtual memory

• Software

– Windows 98 and NT 4.0

– Windows 2000 Professional with Service Pack 2

– Windows 2000 Server/Advanced Server with Service Pack 2

• Browser

– Internet Explorer 6.0 or later (recommended)

– Netscape Navigator 4.79 or later


Installation Overview

• VMS Common Services is required for the Security Monitor.

• VMS Common Services provides the CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor.


Security Monitor Installation


Component and Database Location Selection


Database Password and Syslog Port


Communication Properties


Upgrade Process


Getting Started


CiscoWorks Login


CiscoWorks User Authorization Roles

• CiscoWorks user authorization roles allow different privileges within the VMS and the Security Monitor:

– Help Desk—Read-only for the entire system

– Approver—Read-only for the entire system

– Network Operator—Read-only for the rest of the system and generates reports

– Network Administrator—Configures devices, and modifies reports and rules

– System Administrator—Performs all operations

• Users can be assigned multiple authorization roles.


CiscoWorks Add User

Choose Server Configuration>Setup>Security>Add Users.


Security Monitor Launch

Choose VPN/Security Management>Management Center>Security Monitor.


Understanding the Security Monitor Interface

Path bar

TOC

Option bar Tabs

InstructionsPage

Tools

Action buttons


Security Monitor Configuration


Security Monitor Configuration

Security Monitor configuration operations are:• Adding Devices—Security Monitor monitors the following types of

devices:– RDEP IDS– PostOffice IDS– IOS IDS– Host IDS– PIX

• Monitoring Devices—Information monitored falls into the following three categories:– Connections– Statistics– Events

• Event Notification—Tasks involved to configure notification are as follows:– Adding Event Rules– Activating Event Rules


Devices—Add

Choose Devices.


RDEP Devices—Add

Choose Devices and Select Add.


RDEP Devices—Add (cont.)


PostOffice Devices—Add


IOS IDS Devices—Add


Devices—Import

Choose Devices and Select Import.


Devices—Import (cont.)


Monitor—Connections

Choose Monitor>Connections.


Monitor—Statistics

Choose Monitor>Statistics.


Monitor—Statistics (cont.)


Event Notification

• Event notification is completed by creating event rules.

• The following tasks are involved in creating an event rule:

– Assign a name to the event rule.

– Define the event filter criteria.

– Assign the event rule action.

– Define the event rule threshold and interval.

– Activate the event rule.


Event Rules—Step 1

Choose Admin>Event Rules>Add.


Event Rules—Activation

Choose Admin>Event Rules>Activate.


Event Viewer


Security Monitor—Event Viewer

Choose Monitor>Events.


Event Viewer Options

Configuring the Event Viewer involves understanding the following options:• Moving Columns

• Deleting Rows and Columns

• Collapsing columns

• Setting the Event Expansion Boundary

• Expanding Columns

• Suspending and Resuming New Events

• Changing Display Preferences

• Creating Graphs

• View Option


Event Viewer—Moving Columns


Event Viewer—Deleting Rows and Columns

Choose Monitor>Events>Delete.


Event Viewer—Collapsing Columns

Choose Monitor>Events>Collapse.


Event Viewer—Setting the Event Expansion Boundary


Event Viewer—Expanding Columns

Choose Monitor>Events>Expand.


Event Viewer—Suspending and Resuming New Events


Event Viewer—Changing Display Preferences

Choose Monitor>Events>Preferences.


Event Viewer—Creating Graph

Choose Monitor>Events>Graph.


Event Viewer—View Option

Choose Monitor>Events>View.


Administration and Reporting


Security Monitor Administration


Admin—Database Rules

Choose Admin>Database Rules>Add.


Admin—Database Rules (cont.)

Choose Admin>Database Rules>Add>Next.


Admin—System Configuration Settings

Choose Admin>System Configuration.


Admin—PostOffice Settings

Choose Admin>System Configuration>Postoffice Settings.


Admin—Defining Event Viewer Preferences


Admin—Defining Event Viewer Preferences (cont.)

Choose Admin>Event Viewer>Your Preferences.


Security Monitor Reports


Reports—Generate

Choose Reports>Generate.


Reports—Generate (cont.)


Reports—Schedule Report


Reports—View

Choose Reports>View.


Summary


Summary

• Security Monitor is a component of the Virtual Private Network (VPN)/Security Management Solution (VMS) product.

• The Security Monitor is a web-based tool that provides event collection, viewing, and reporting capabilities for IDS devices.

• The Security Monitor can monitor the following devices:

– Appliance Sensors

– IDS Modules

– Router Modules

– IOS Routers

– PIX Firewalls

• To efficiently monitor the events from multiple devices on your network, you can configure Event Rules for Security Monitor.


Summary (cont.)

• Event Rules enables you to perform one of the following actions when Security Monitor receives certain events:

– Send an email notification

– Generate an audit (console) message

– Execute a script

• Event Viewer enables you to view the alerts received by your monitored devices in a graphical interface.

• Security Monitor can generate reports based on the information

stored in the Security Monitor database.


Lab Exercise


.6

idsmP

.6

idsmQ.4

sensorP

.4

sensorQ

.100

172.30.Q.0172.30.P.0

Lab Visual Objective

STUDENT PC

.2

.2

STUDENT PC

ROUTER

.1

.2

.2

ROUTER

.1

REMOTE: 10.1.P.12LOCAL: 10.0.P.12

REMOTE: 10.1.Q.12LOCAL: 10.0.Q.12

10.0.P.0 10.0.Q.0

RTS RTS

.100

Pods 1–5 Pods 6–10

.10WEBFTP

SMTPPOP

WEBFTP

SMTPPOP

.10

172.26.26.0.150

.50

WEBFTP

RBB

© 2003, cisco systems, inc. all rights reserved. csids 4.0—16-1 chapter 16 enterprise intrusion...

Documents

cisco systems

security monitor server

security monitor features

reporting slide

later slide

security monitor functionality

introduction slide

started slide