© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-1
Chapter 16
Enterprise Intrusion Detection System Monitoring and Reporting
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Define features and key concepts of the Security Monitor.
• Install and verify the Security Monitor functionality.
• Monitor IDS devices with the Security Monitor.
• Administer Security Monitor event rules.
• Use the reporting features of the Security Monitor.
• Administer the Security Monitor server.
Introduction
What Is the Security Monitor?
The Security Monitor provides event collection, viewing, and reporting capability for network devices.
Security Monitor Features
The following are the Security Monitor features:
• Monitors the following devices:
– Sensor appliances
– IDS Modules
– IOS Routers
– PIX Firewalls
• Web-based monitoring platform
• Custom reporting capability
Installation
Installation Requirements
• Hardware
– IBM PC-compatible computer with an 800 MHz or faster processor
– Color monitor capable of viewing 256 colors
– CD-ROM drive
– 100 Mbps or faster network connection
• Memory—1 GB of RAM minimum
• Disk drive space
– 12 GB minimum
– NTFS
• Software
– Windows 2000 Server with Service Pack 2
– ODBC Driver Manager 3.510 or later
Client Access Requirements
• Hardware—IBM PC-compatible computer with a 300 MHz or faster processor
• Memory—256 MB of RAM minimum
• Disk drive space—400 MB virtual memory
• Software
– Windows 98 or Windows NT 4.0
– Windows 2000 Professional with Service Pack 2
– Windows 2000 Server/Advanced Server with Service Pack 2
• Browser
– Internet Explorer 6.0 or later (recommended)
– Netscape Navigator 4.79 or later
Installation Overview
• VMS Common Services is required for the Security Monitor.
• VMS Common Services provides the CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor.
Security Monitor Installation
Component and Database Location Selection
Database Password and Syslog Port
Communication Properties
Upgrade Process
Getting Started
CiscoWorks Login
CiscoWorks User Authorization Roles
• CiscoWorks user authorization roles allow different privileges within the VMS and the Security Monitor:
– Help Desk—Read-only for the entire system
– Approver—Read-only for the entire system
– Network Operator—Read-only for the rest of the system and generates reports
– Network Administrator—Configures devices, and modifies reports and rules
– System Administrator—Performs all operations
• Users can be assigned multiple authorization roles.
CiscoWorks Add User
Choose Server Configuration>Setup>Security>Add Users.
Security Monitor Launch
Choose VPN/Security Management>Management Center>Security Monitor.
Understanding the Security Monitor Interface
[Screenshot callouts identifying the interface regions: Path bar, TOC, Option bar, Tabs, Instructions, Page, Tools, Action buttons]
Security Monitor Configuration
Security Monitor configuration operations are:
• Adding Devices—Security Monitor monitors the following types of devices:
– RDEP IDS (version 4.x sensors, which publish events over the Remote Data Exchange Protocol)
– PostOffice IDS (earlier sensors, which use the PostOffice protocol)
– IOS IDS
– Host IDS
– PIX
• Monitoring Devices—Information monitored falls into the following three categories:
– Connections
– Statistics
– Events
• Event Notification—Tasks involved in configuring notification are as follows:
– Adding Event Rules
– Activating Event Rules
Devices—Add
Choose Devices.
RDEP Devices—Add
Choose Devices and Select Add.
RDEP Devices—Add (cont.)
PostOffice Devices—Add
IOS IDS Devices—Add
Devices—Import
Choose Devices and Select Import.
Devices—Import (cont.)
Monitor—Connections
Choose Monitor>Connections.
Monitor—Statistics
Choose Monitor>Statistics.
Monitor—Statistics (cont.)
Event Notification
• Event notification is completed by creating event rules.
• The following tasks are involved in creating an event rule:
– Assign a name to the event rule.
– Define the event filter criteria.
– Assign the event rule action.
– Define the event rule threshold and interval.
– Activate the event rule.
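The five steps above, as an added example that is not part of the course material or of the Security Monitor itself: a small Python rule engine that names a rule, applies its filter criteria, counts matching events against a threshold inside a sliding interval, and runs one of the three rule actions this chapter's summary lists (e-mail notification, audit message, script). Only an activated rule evaluates events. The field names, device names, signature IDs and sample events are constructed assumptions, not Security Monitor data.

```python
"""Event-rule engine modelled on the Security Monitor rule workflow.
Constructed example; field names, signature IDs and events are assumptions."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

SEVERITY = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Event:
    ts: float          # seconds since epoch
    device: str        # monitored device that reported the event
    sig_id: int        # signature that fired (arbitrary values here)
    severity: str      # "low" | "medium" | "high"
    src: str
    dst: str


@dataclass
class EventRule:
    name: str                                  # step 1: rule name
    # Step 2: filter criteria; None means "match any".
    device: Optional[str] = None
    sig_id: Optional[int] = None
    min_severity: str = "low"
    src: Optional[str] = None
    # Step 3: action, one of "email", "audit" (console message) or "script".
    action: str = "audit"
    recipient: str = ""
    script: Optional[Callable[[List[Event]], str]] = None
    # Step 4: fire once `threshold` matching events arrive within `interval` seconds.
    threshold: int = 1
    interval: float = 60.0
    # Step 5: an inactive rule never evaluates events.
    active: bool = False
    _window: Deque[Event] = field(default_factory=deque, repr=False)


def matches(rule: EventRule, ev: Event) -> bool:
    """Apply the rule's filter criteria to a single event."""
    if rule.device is not None and ev.device != rule.device:
        return False
    if rule.sig_id is not None and ev.sig_id != rule.sig_id:
        return False
    if rule.src is not None and ev.src != rule.src:
        return False
    return SEVERITY[ev.severity] >= SEVERITY[rule.min_severity]


def run_action(rule: EventRule, evs: List[Event]) -> Dict[str, str]:
    """Build the notification the rule's configured action produces."""
    summary = (f"{rule.name}: {len(evs)} matching events in {rule.interval:.0f}s "
               f"(last from {evs[-1].src} on {evs[-1].device})")
    if rule.action == "email":
        return {"type": "email", "to": rule.recipient, "subject": summary}
    if rule.action == "script":
        # Stand-in for "execute a script": call the configured callable.
        return {"type": "script", "result": rule.script(evs) if rule.script else ""}
    return {"type": "audit", "message": summary}


def feed(rule: EventRule, ev: Event) -> Optional[Dict[str, str]]:
    """Evaluate one event against one rule; return a notification if it fires."""
    if not rule.active or not matches(rule, ev):
        return None
    rule._window.append(ev)
    # Slide the window so it holds only events inside the interval ending now.
    while ev.ts - rule._window[0].ts > rule.interval:
        rule._window.popleft()
    if len(rule._window) < rule.threshold:
        return None
    note = run_action(rule, list(rule._window))
    rule._window.clear()   # one notification per threshold crossing, not per event
    return note


def run_rules(rules: List[EventRule], events: List[Event]) -> List[Dict[str, str]]:
    """Replay events in time order through every rule; collect notifications."""
    notes = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            note = feed(rule, ev)
            if note:
                notes.append(note)
    return notes


# Constructed sample: sensorP reports a burst of one signature from a single host,
# a late straggler outside the window, then sensorQ reports a high-severity event.
SAMPLE_EVENTS = [
    Event(1000.0, "sensorP", 2004, "low", "10.0.1.50", "10.0.1.10"),
    Event(1010.0, "sensorP", 2004, "low", "10.0.1.50", "10.0.1.11"),
    Event(1020.0, "sensorP", 2004, "low", "10.0.1.50", "10.0.1.12"),
    Event(1100.0, "sensorP", 2004, "low", "10.0.1.50", "10.0.1.13"),  # outside 60 s
    Event(1105.0, "sensorQ", 3050, "high", "10.0.2.7", "10.0.2.10"),
]


def demo() -> List[Dict[str, str]]:
    rules = [
        EventRule("sweep-burst", sig_id=2004, threshold=3, interval=60.0,
                  action="email", recipient="soc@example.org", active=True),
        EventRule("any-high", min_severity="high", action="audit", active=True),
        EventRule("not-yet-activated", sig_id=2004, action="audit", active=False),
    ]
    return run_rules(rules, SAMPLE_EVENTS)


if __name__ == "__main__":
    for n in demo():
        print(n)
```

Running the module prints two notifications: the e-mail for the three-event burst and the audit message for the single high-severity event; the fourth low-severity event falls outside the 60 s window and the inactive rule never fires, which is the behaviour to expect from a rule that has been added but not yet activated.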
Event Rules—Step 1
Choose Admin>Event Rules>Add.
Event Rules—Step 2
Event Rules—Step 3
Event Rules—Step 4
Event Rules—Activation
Choose Admin>Event Rules>Activate.
Event Viewer
Security Monitor—Event Viewer
Choose Monitor>Events.
Event Viewer Options
Configuring the Event Viewer involves understanding the following options:
• Moving Columns
• Deleting Rows and Columns
• Collapsing columns
• Setting the Event Expansion Boundary
• Expanding Columns
• Suspending and Resuming New Events
• Changing Display Preferences
• Creating Graphs
• View Option
Event Viewer—Moving Columns
Event Viewer—Deleting Rows and Columns
Choose Monitor>Events>Delete.
Event Viewer—Collapsing Columns
Choose Monitor>Events>Collapse.
Event Viewer—Setting the Event Expansion Boundary
Event Viewer—Expanding Columns
Choose Monitor>Events>Expand.
Event Viewer—Suspending and Resuming New Events
Event Viewer—Changing Display Preferences
Choose Monitor>Events>Preferences.
Event Viewer—Creating Graph
Choose Monitor>Events>Graph.
Event Viewer—View Option
Choose Monitor>Events>View.
Administration and Reporting
Security Monitor Administration
Admin—Database Rules
Choose Admin>Database Rules>Add.
Admin—Database Rules (cont.)
Choose Admin>Database Rules>Add>Next.
Admin—System Configuration Settings
Choose Admin>System Configuration.
Admin—PostOffice Settings
Choose Admin>System Configuration>Postoffice Settings.
Admin—Defining Event Viewer Preferences
Admin—Defining Event Viewer Preferences (cont.)
Choose Admin>Event Viewer>Your Preferences.
Security Monitor Reports
Reports—Generate
Choose Reports>Generate.
Reports—Generate (cont.)
Reports—Schedule Report
Reports—View
Choose Reports>View.
Summary
• Security Monitor is a component of the Virtual Private Network (VPN)/Security Management Solution (VMS) product.
• The Security Monitor is a web-based tool that provides event collection, viewing, and reporting capabilities for IDS devices.
• The Security Monitor can monitor the following devices:
– Appliance Sensors
– IDS Modules
– Router Modules
– IOS Routers
– PIX Firewalls
• To efficiently monitor the events from multiple devices on your network, you can configure Event Rules for Security Monitor.
Summary (cont.)
• Event Rules enable you to perform one of the following actions when the Security Monitor receives certain events:
– Send an email notification
– Generate an audit (console) message
– Execute a script
• Event Viewer enables you to view the alerts received by your monitored devices in a graphical interface.
• Security Monitor can generate reports based on the information stored in the Security Monitor database.
Lab Exercise
Lab Visual Objective
[Lab topology diagram. Two pod groups are shown, Pods 1–5 (P) and Pods 6–10 (Q). Labels recoverable from the figure: STUDENT PC (.2), ROUTER (.1/.2, with LOCAL 10.0.P.12 and REMOTE 10.1.P.12 for pod P, LOCAL 10.0.Q.12 and REMOTE 10.1.Q.12 for pod Q), sensorP/sensorQ (.4), idsmP/idsmQ (.6), RTS (.100), WEB/FTP/SMTP/POP servers (.10), and a WEB/FTP server (.50). Networks: 10.0.P.0, 10.0.Q.0, 172.30.P.0, 172.30.Q.0, and the 172.26.26.0 backbone (RBB).]