Document information: 68 pages, 1.8 MB

Content
267_cssp_ids_08.qxd 9/30/03 2:31 PM Page 382

Chapter 9
Capturing Network Traffic

Solutions in this Chapter:
- Switching Basics
- Configuring SPAN
- Configuring RSPAN
- Configuring VACLs
- Using Network Taps
- Using Advanced Capture Methods
- Dealing with Encrypted Traffic and IPv6

Summary
Solutions Fast Track
Frequently Asked Questions

Introduction

Capturing traffic is one of the most basic configuration skills needed for a successful IDS deployment. It is also one of the most misunderstood processes of deploying an IDS sensor. The axiom "if the switch port can't see the traffic, then neither can the IDS sensor" must be followed. A successful IDS sensor deployment requires that the sensor see all the traffic of interest wherever it has been placed on the network. To add to the fun of capturing traffic, there are virtual LANs (VLANs). And to kick up the anxiety level a notch, there are VPNs, SSL, and IP version 6. All of this must be accounted for when rolling out IDS sensors.

In the old days of networks, there were hubs, or what are called "transparent bridges." These were very simple devices, and it was easy to sniff or capture traffic since the traffic went everywhere. With the advent of switching, however, life became more difficult. A switch is nothing more than a set of single-port transparent bridges tied together in a common chassis, so the collision domain has been broken up but not the broadcast domain. This is why on a switched network you can capture broadcast traffic till the cows come home but not much else. We will show you in this chapter how to get around this troublesome improvement in network design. Of course, there are VLANs, which thankfully many IDS sensors can work with, but this is not true of encryption. It is almost impossible to use an IDS sensor on encrypted traffic, and encryption comes in a lot of flavors nowadays.
We have SSL, VPNs, IPSec, SSH, and many others. To effectively capture traffic, we must be aware of these limitations and how to get around them. One of the newest kinks in the world of IDS sensors capturing traffic is the deployment of IP version 6. While it is still not a very mainstream issue, it will be in the coming years, and we need to be aware of it now.

NOTE
To verify that the monitoring interface actually sees traffic, use the Solaris snoop command:

    snoop -d [name of interface]

For a 4230 IDS sensor, the Ethernet interface name is spwrX, as shown in the following example:

    snoop -d spwr0    ; where spwr0 is the monitor interface, and
    snoop -d spwr1    ; where spwr1 is the control interface

For Token Ring, the interface name is mtok36, and for FDDI, the interface name is ptpci.

For a 4210 IDS appliance sensor, the Ethernet interface name is different, as shown next:

    snoop -d iprb0    ; where iprb0 is the monitor interface, and
    snoop -d iprb1    ; where iprb1 is the control interface

Use CTRL-C to break out of snoop.

Switching Basics

During the last five or so years, Ethernet networks have silently undergone a major change. Earlier, they were built using hubs, but now switches are used almost everywhere. This change becomes very apparent when we start to consider its effects on the traffic-capturing process and on the implementation of intrusion detection systems. Let's see what the major difference between hubs and switches is and what problems a switched environment presents to an IDS.

The primary difference between a switch and a hub is that the hub is shared media, a single collision domain. Anything that one port on a hub sees, all ports will see, as in Figure 9.1.

Figure 9.1 A Hub Broadcasts All Traffic (figure: Host A (source), Host B (destination), Host C, and an IDS sensor attached to a hub; the hub floods each packet out all ports)

On the other hand, a switch is a more intelligent device than the average hub: it learns which MAC addresses are located on each of its ports and stores that information in a lookup table. When the switch receives an Ethernet frame destined for a specific MAC address, it forwards the frame only to the corresponding port, as shown in Figure 9.2.

Figure 9.2 Switch Operation (figure: Host A (source), Host B (destination), Host C, and an IDS sensor attached to a switch; the switch forwards unicast packets only to their destination ports)

There are exceptions to this rule. The switch sends a frame out a single port unless it is a broadcast frame, in which case all ports except the one the frame arrived on get a copy. The second exception applies when the frame's destination MAC address is not in the switch's forwarding table: in this situation the switch "floods" the frame out of all of its ports except the one the frame arrived on.

So, to review switch theory in simple terms, a switch consists of a set of one-port hubs (one per port), which breaks the collision domain up into multiple collision domains. Since the switch is a layer-2 device, the broadcast domain does not change until we get to the router. Neither hubs nor switches change the header of the frame, which is why we see the term "transparent bridges": the frame header is not changed in transit through the hub or switch. It is this "switching" of the frame between ports that makes our life with the IDS sensor much more difficult, but not impossible.

The problem posed by switches is that no matter how you connect a traffic-capturing device to an ordinary switch port, it will not see the unicast traffic exchanged between other ports; it sees only broadcast frames (and frames flooded because their destination is unknown). There are several options available to avoid this problem (besides using hubs instead of switches, which is usually not practical from the point of view of bandwidth consumption).

www.syngress.com
One approach is to use network taps, which tend to be passive devices inserted between a monitored network device and a switch. A network tap copies the information from the monitored link to a separate cable, which is plugged into an IDS sensor. Taps are designed in a "fail-open" way so that if they break or lose power, the monitored link is not affected. Taps exist for almost any type of line or connection speed, including optical and Gigabit Ethernet lines. We will discuss the usage of taps in more detail at the end of this chapter.

Another way to address the capturing problems created by switches is to use the SPAN port feature provided by most switches currently on the market. SPAN stands for Switch Port Analyzer and is also sometimes called "port mirroring," although technically port mirroring is a subset of the port spanning features. A switch can be configured to have a dedicated port to which any packet that passes through the switch is copied. Depending on the switch model, this process can add overhead to packet processing, although there are switches where spanning ports do not affect switching capacity.

NOTE
When using spanning ports, only packets that get inside the switching backplane are copied to the spanning port. So, for example, frames with incorrect CRCs are dropped when they enter the switch and are consequently not copied to any of the SPAN ports.

The last option, which is available only with the Cisco Catalyst 6000 IDS Module (IDSM), is to monitor network traffic directly on the switch backplane. Since the IDSM has access to the switching fabric, there is no need to copy packets between ports to redirect them to the IDS; the only configuration task remaining is to specify the "interesting" traffic that needs to be monitored (see Figure 9.3). This is done using VLAN access lists (VACLs), which we look at in more detail next.
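The visibility problem described under Switching Basics, and the SPAN copy that addresses it, can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the book or from Cisco. It models a learning switch (unicast to the learned port, flooding of broadcasts and unknown destinations) with an optional monitor port that receives a copy of every frame received or transmitted on its source ports, and replays the same constructed conversation through a hub, a plain switch, and a switch with SPAN to show what a sensor on port Fa0/1 actually sees. MAC addresses, port names and frame labels are constructed; VLANs and MAC-table aging are left out.

```python
"""Learning-switch simulation: what an IDS sensor sees on an ordinary switch port,
on a hub, and on a SPAN (monitor) port. Added example; all hosts, ports and frames
below are constructed for illustration, not taken from the book."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    payload: str  # label only; content is irrelevant to forwarding


class Hub:
    """Shared medium: every frame is repeated out of every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def receive(self, in_port, frame):
        return {p: [frame] for p in self.ports if p != in_port}


class Switch:
    """Transparent bridge: learns the source MAC of each frame against its ingress
    port, forwards known unicast to that single port, and floods broadcasts and
    unknown-destination frames to all other ports. span() designates a monitor
    (SPAN destination) port that receives a copy of every frame received or
    transmitted on the listed source ports, as `port monitor` does on a 2900/3500."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC -> port where it was last seen
        self.mirror_to = {}   # source port -> monitor port

    def span(self, monitor_port, *source_ports):
        for src in source_ports:
            self.mirror_to[src] = monitor_port

    def receive(self, in_port, frame):
        """Return {egress_port: [frames]} for one frame arriving on in_port."""
        self.mac_table[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            egress = [p for p in self.ports if p != in_port]   # flood
        else:
            egress = [self.mac_table[frame.dst]]                # one port only
        out = {p: [frame] for p in egress}
        # SPAN copy: every source port that received or transmitted the frame
        # earns one copy on its monitor port (no duplicate when flooding has
        # already delivered the frame there).
        for touched in {in_port, *egress}:
            mon = self.mirror_to.get(touched)
            if mon is None or mon == in_port:
                continue
            copies = out.setdefault(mon, [])
            if frame not in copies:
                copies.append(frame)
        return out


HOST_A, HOST_B, UNKNOWN = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:99"
SENSOR, PORT_A, PORT_B = "Fa0/1", "Fa0/2", "Fa0/3"

# Constructed conversation: an ARP broadcast, its unicast reply, two data frames,
# and one frame to a MAC the switch has never learned (flooded like a broadcast).
TRAFFIC = [
    (PORT_A, Frame(HOST_A, BROADCAST, "arp who-has B")),
    (PORT_B, Frame(HOST_B, HOST_A, "arp reply")),
    (PORT_A, Frame(HOST_A, HOST_B, "data-1")),
    (PORT_A, Frame(HOST_A, HOST_B, "data-2")),
    (PORT_A, Frame(HOST_A, UNKNOWN, "to unlearned MAC")),
]


def frames_seen_by_sensor(device, traffic=TRAFFIC, sensor_port=SENSOR):
    """Replay traffic through a device; return the payload labels reaching the sensor."""
    seen = []
    for in_port, frame in traffic:
        for f in device.receive(in_port, frame).get(sensor_port, []):
            seen.append(f.payload)
    return seen


def compare_topologies():
    ports = [SENSOR, PORT_A, PORT_B]
    spanned = Switch(ports)
    spanned.span(SENSOR, PORT_A, PORT_B)   # like: port monitor fastethernet 0/2 and 0/3
    return {
        "hub": frames_seen_by_sensor(Hub(ports)),
        "switch": frames_seen_by_sensor(Switch(ports)),
        "switch+span": frames_seen_by_sensor(spanned),
    }


if __name__ == "__main__":
    for topo, seen in compare_topologies().items():
        print(f"{topo:12s} sensor saw {len(seen)}/{len(TRAFFIC)}: {seen}")
```

On the plain switch the sensor sees only the broadcast and the flooded unknown-unicast frame; the hub and the spanned switch deliver the whole conversation. The same logic explains the note above about CRC errors: a copy is taken only of frames the forwarding logic actually handles.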
Figure 9.3 Monitoring Traffic by IDSM (figure: network traffic crossing the Catalyst 6000 switch backplane is monitored by the IDSM's network traffic monitoring interface)

All three options are discussed in this chapter, although the main means of using IDS in a switched environment is still the port spanning feature, which will be described in more detail than the other two.

Configuring SPAN

Different models of Cisco switches have different capabilities regarding the number of ports that can be dedicated simultaneously as SPAN ports, restrictions on how VLAN-separated traffic is monitored, and so on. They also differ in the way the SPAN feature is configured, mainly because there are two different command-line interfaces: one for IOS-based switches, and the other for CatOS switches (supervisor engines of high-end switches, to be more precise). We will start with the simpler IOS-based interface, which is applicable to the 2900/3500 series and to those 4000/6000 switches that run the integrated Cisco IOS feature set (the supervisor engine in native mode).

Configuring an IOS-Based Switch for SPAN

With IOS-based switches, there are two configuration types depending on which switch model you are working on. A simpler SPAN feature is used on the 2900/3500 series switches, while a more powerful SPAN feature set can be applied to 4000 or 6000 series switches running an integrated Cisco IOS command set. We will discuss both, starting with the simpler SPAN configuration.

Configuring 2900/3500 Series Switches

The Catalyst 2900/3500 series have basic port spanning features, and the IOS-based SPAN configuration is initiated using just one main command: port monitor. This command is entered in the configuration of the port dedicated to the SPAN feature (also called a monitor port or SPAN destination port, essentially the port to which traffic is copied), and its parameter lists the interfaces that should be monitored by this SPAN port (the SPAN source ports). Two main restrictions must be taken into consideration when configuring port spanning on these switches:

- The SPAN destination port and all the ports it monitors must belong to the same VLAN.
- If the parameter is not specified, all ports from the VLAN to which the monitor port belongs are monitored.

There are also some restrictions regarding which ports can act as SPAN destination ports (all restrictions are described in the corresponding model documentation):

- The monitor port must belong to the same VLAN as the monitored ports. It is not possible to change VLAN membership on the monitor port or on the ports being monitored.
- The monitor port cannot be a trunk port or a dynamic-access port. On the other hand, a static-access port can monitor a VLAN on a trunk, dynamic-access, or multi-VLAN port. The VLAN monitored will be the VLAN to which the monitor port belongs.
- An ATM port cannot be a monitor port.
- The monitor port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
- The monitor port cannot have port security enabled.
- The monitor port cannot be a multi-VLAN port.
- Port monitoring does not work if both the monitor port and the monitored ports are protected ports.

NOTE
The monitor port does not run STP (Spanning Tree Protocol; the word "span" in this term is not related to SPAN ports), so it is advisable not to connect this port to anything but IDS systems. If, for example, it is connected to a hub or bridge so that it creates a loop in the network, it can affect packet forwarding heavily.

Let's take a look at the situation shown in Figure 9.4. We have a Catalyst 2900 switch with ports Fa0/1, Fa0/2, and Fa0/3 belonging to VLAN 1, and ports Fa0/4, Fa0/5, and Fa0/6 belonging to VLAN 2. Port Fa0/1 will be used to monitor VLAN 1 (source ports Fa0/2 and Fa0/3), and port Fa0/4 will monitor VLAN 2 (ports Fa0/5 and Fa0/6).

Figure 9.4 An Example Using the 2900 Series Switch (figure: VLAN 1 ports Fa0/1, Fa0/2, Fa0/3 and VLAN 2 ports Fa0/4, Fa0/5, Fa0/6, with Cisco IDS sensors attached to Fa0/1 and Fa0/4)

Before SPAN ports are configured, the corresponding part of the switch configuration appears as follows:

    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
     switchport access vlan 2
    !
    interface FastEthernet0/5
     switchport access vlan 2
    !
    interface FastEthernet0/6
     switchport access vlan 2
    !

This simply states that ports Fa0/1 to Fa0/3 belong to the default VLAN 1, while ports Fa0/4 to Fa0/6 belong to VLAN 2. In order to configure port Fa0/1 as a monitor port, we need to put it in configuration mode and enter the list of ports to be monitored:

    sw2900(config)# int Fa0/1
    sw2900(config-if)# port monitor fastethernet 0/2
    sw2900(config-if)# port monitor fastethernet 0/3
    sw2900(config-if)# ^Z

These commands state that each packet received or transmitted through ports Fa0/2 and Fa0/3 will be copied to port Fa0/1. If there are any other ports in VLAN 1, they will not be monitored. If we want to monitor the whole VLAN 2, we would simply use these commands:

    sw2900(config)# int Fa0/1
    sw2900(config-if)# port monitor
    sw2900(config-if)# ^Z

Chapter 10
Cisco Enterprise IDS Management

... policy. In many respects, IDS can be considered the enforcement of that policy because it provides a continual audit of the network traffic. An in-depth discussion of the development of a security policy is beyond the scope of this chapter as well as this book. For a more detailed discussion of security policies and how to develop them, please refer to the bibliography at the end of the chapter.

Installing the Cisco IDS Management Center

The Cisco IDS MC is a component of the VPN/Security Management Solution (VMS) that, in turn, is part of the CiscoWorks2000 software package. The VMS software suite includes additional components such as CiscoWorks2000 Common Services, which allows user roles and MC access privileges to be defined and also provides data storage for the CiscoWorks client applications that use its services. Other components of VMS include the PIX Management Center, VPN Router Management Center, VPN Monitor, the Cisco Security Agent Management Center, and the Security Monitor. This discussion will focus primarily on the installation of the IDS MC; however, it is often helpful to understand the combined installation requirements of the required VMS bundle.

Server Hardware Requirements

CiscoWorks2000 and the VMS bundle can be installed and operated on either a Windows 2000 Server platform or a Sun Solaris platform. The hardware requirements for CiscoWorks2000 and VMS are specified in Table 10.1.

Table 10.1 Server Hardware Requirements

Component            Minimum Requirement
Hardware             Windows: IBM PC compatible with GHz or faster Pentium CPU
                     Solaris: Sun UltraSPARC 60 MP with 440 MHz or faster processor, or Sun UltraSPARC III system (i.e., Sun Blade 2000 or Sun Fire 280R)
Operating System     Windows: Windows 2000 Professional, Server, and Advanced Server (Service Pack 3)
                     Solaris: Solaris with the following patches: 108528-13, 108827-15
Additional Software  Windows: Microsoft ODBC Driver Manager 3.510 or later
                     Solaris: N/A
File System          Windows: NTFS
                     Solaris: UFS
Memory               1GB (minimum); experience shows 1.5GB to 2GB is more practical
Virtual Memory       1GB (minimum)
Hard Drive Space     9GB (minimum); this will increase depending on what reporting and logging is enabled. Be sure to monitor the log file size.
Java Version         Sun Java plug-in 1.3.1-b24

The VMS product suite should not be installed on a Microsoft Windows Server system that is a domain controller or a terminal server. The remainder of this chapter will focus on the installation of the IDS MC on a Windows 2000 system. For additional information regarding the installation of the IDS MC on a Solaris server, please refer to Cisco's web site (www.cisco.com).

CiscoWorks Architecture Overview

The IDS MC architecture is shown in Figure 10.3. The MC itself relies upon the services provided by the CiscoWorks Common Services software. The Common Services component provides a comparable environment for all of the MCs. Some of these services include data storage and management, session management, a web interface, and user authentication and permission management. Before installing the Cisco IDS Management Center, it is important to understand the related software that may be a prerequisite for a successful installation.

Figure 10.3 The IDS MC Architecture (figure: a user reaches the IDS Management Center over HTTP/HTTPS; the MC communicates with IDS sensors and modules over SSH; the MC is built on CiscoWorks Common Services and an event database)

The IDS MC provides a Web-based interface for managing and configuring Cisco IDS sensor appliances and the IDS module for the Catalyst chassis. The MC is built on top of the CiscoWorks framework, allowing it to leverage the ability to define user roles. These roles provide for the definition of user management privileges, including the ability to generate as well as deploy IDS configurations. The IDS MC requires the CiscoWorks Common Services component to provide the necessary base components, software libraries, and other software packages. CiscoWorks Common Services is comprised of the following components:

- Data Storage and Management: The Common Services data store is provided by a Sybase SQL Anytime database. Data backup, repair, and restoration capabilities for the database are also provided by the Common Services package.
- Session Management: Allows multiple users to connect to the MC and perform configuration and management tasks without data corruption or loss.
- User Management: Provides for authentication and authorization.
- Web Interface: Provided by an Apache Web server, allowing connections to the MC system through a Web browser.

Access to the CiscoWorks2000 server is done on a secure encrypted channel over TCP port 1741. Once the user has authenticated to the CiscoWorks2000 server, communication with the IDS MC is conducted over TCP port 443.

IDS MC Installation

The IDS MC software installs its components into the same directory as the CiscoWorks Common Services software components. This is typically the directory Program Files\CSCOPx. The directory structure is shown in Figure 10.4.

Figure 10.4 The IDS MC Directory Tree Structure

    Program Files\CSCOPx
      \Apache
      \Sybase
      \Tomcat
      \Etc\ids
        \updates

Cisco chose to use an open source program called Apache for the built-in Web server for CiscoWorks. The \Apache subdirectory is where the Apache Web Server is installed and from where Apache serves the Web pages that are displayed when using the IDS MC. The \Sybase subdirectory is where the Sybase SQL Anytime database is installed, as well as where all data from the IDS appliances and the IDSM sensors is stored. The \Tomcat subdirectory is where the Tomcat application server is installed; this server provides servlets to the IDS MC from the Common Services. The \Etc\ids directory is where the IDS MC itself is stored. The \updates subdirectory is where the signature update packs are stored for the MC to push out to the sensors or to apply to the MC itself.

IDS MC Processes

The IDS MC is composed of the following system processes:

- IDS_Analyzer
- IDS_Backup
- IDS_DbAdminAnalyzer
- IDS_DeployDaemon
- IDS_Notifier
- IDS_Receiver
- IDS_ReportScheduler

The IDS_Analyzer defines event rules and requests user-specified notifications when appropriate. The IDS_Backup process provides database backup and restore capabilities to the MC. The IDS_DbAdminAnalyzer applies various active database rules to the current state of the server. The IDS_DeployDaemon provides for the deployment of configurations to IDS sensors. IDS_Notifier retrieves and performs MC subsystem notification requests. The IDS_Receiver receives alarms and syslog events from IDS appliance sensors and IDS modules for the Catalyst chassis and stores them in the Sybase database. As its name implies, the IDS_ReportScheduler handles the generation of reports in the MC.

VMS Component Compatibility

Most VMS components require CiscoWorks2000 Common Services to be installed on the same server. While it may seem more efficient to combine some of these VMS components on one server, this cannot always be done, for compatibility and performance reasons. For example, both the IDS Management Center and the Security Monitor are delivered on the same CD-ROM package, and both require CiscoWorks2000 Common Services. The IDS MC and the Security Monitor may be installed together or separately on different host servers. However, for optimal performance, separate installation of these two applications on different host servers is recommended.

Other VMS components that are not compatible on the same server as the IDS Management Center include the Cisco Secure Policy Manager (CSPM). Attempting this may result in the installation of a second instance of the post office process on the host server.

Client Installation Requirements

Accessing CiscoWorks2000 and the IDS Management Center is accomplished through a Web interface. This allows clients to access the IDS Management Center by using a browser. The minimum system requirements for a client are specified in Table 10.2.

Table 10.2 Client System Requirements

Component        Minimum Requirement
Hardware         Windows: IBM PC compatible with a minimum 300MHz Pentium processor
                 Solaris: Sun Ultra 10 or Sun SPARCstation with a 333MHz processor
Software         Windows: Windows 2000 Server or Professional Edition with Service Pack, or Windows XP Professional, Service Pack, with Microsoft Virtual Machine
                 Solaris: Solaris
Memory           256MB
Virtual Memory   Windows: 400MB
                 Solaris: 512MB
Browser          Windows: Microsoft Internet Explorer 6.0, Service Pack, for Windows operating systems with Microsoft Virtual Machine; or Netscape Navigator 4.79 on any of the following: Windows 2000 Server or Professional Edition with Service Pack, Windows XP Professional, Service Pack
                 Solaris: Netscape Navigator 4.76 for Solaris

Installation Steps

Once the prerequisite components have been verified, the basic installation steps for the IDS MC are as follows:

1. Log in as the local administrator.
2. Insert the CD-ROM containing the "Monitoring Center for Security and Management Center for IDS Sensors" program.
3. If the installation program does not start, select Run from the Start button, browse for the setup program on the CD-ROM drive, open the Setup program, and click OK. If the installation program does start, click Install on the Installer page.
4. Click Next. The Software License Agreement page appears. Be sure you understand the Agreement, then click Yes to accept its terms. The installation now begins.
5. To install both the IDS MC and the Security Monitor, click the Typical Installation radio button. To install only the IDS MC or the Security Monitor, click the Custom Installation button, and select either the IDS MC only radio button or the Security Monitor only radio button. Click Next.
6. The System Requirements page appears. Verify that the system meets the minimum disk space and memory requirements. Click Next.
7. The Verification page appears. Verify the selected components. Click Next.
8. The Select Database Location page appears. By default, the IDS database is located in the directory where CiscoWorks Common Services is installed. To specify a different directory for the database, enter a directory path in the Database File Location field provided. Click Next.
9. The "Select Database Password" page appears. Enter the database password in both the Password and Confirm Password fields. Click Next.
10. Either the Select CW2000 Syslog Port page or the Restart page appears.
    - If the Security Monitor is installed, the Select CW2000 Syslog Port page appears. Specify the UDP port to be used by CiscoWorks; the default value of 52514 is recommended. Click Next. The Configure Communications Properties page appears. Enter the host ID, organization ID, IP address, hostname, and organization name into the appropriate fields. Click Next.
    - If only the IDS MC is installed, the Restart page appears.
11. On the Restart page, select Yes to restart the computer, or choose No to restart the computer at a later time. Select Finish. The computer must be restarted before it is possible to use the IDS MC or Security Monitor.

Getting Started

Access to the IDS MC is provided through the Apache Web server on the CiscoWorks2000 host. This provides easy access through a web browser meeting the requirements defined in Table 10.2. The CiscoWorks2000 Apache Web server listens for incoming connections on TCP port 1741 of the CiscoWorks2000 host. To access the CiscoWorks2000 system, enter one of the following URLs:

- http://127.0.0.1:1741 if the IDS MC server is the local machine
- http://A.B.C.D:1741 where A.B.C.D is the IP address of the IDS MC server

Log into the CiscoWorks2000 Server Desktop, as shown in Figure 10.5. The default login name and password for the CiscoWorks2000 system are the following:

- Default login name: admin
- Default password: admin

After entering the login Name and Password, click Connect. Note that it is highly recommended that the password of the admin account be changed from the default value of admin immediately upon installation and configuration of CiscoWorks2000, in order to prevent unauthorized users from gaining administrative access to the CiscoWorks2000 software.

Figure 10.5 The CiscoWorks Login Screen

Authorization Roles

CiscoWorks provides five different default types of accounts, or authorization roles, that can be created for IDS MC users. These authorization roles and their respective privileges are summarized in Table 10.3.

Table 10.3 Authorization Roles

Authorization Role      View                       Create/Modify/Delete
Help Desk               View reports and alarms    Cannot delete reports or alarms; cannot generate reports
Approver                View reports and alarms    Approve configurations; cannot delete reports or alarms; cannot generate reports
Network Operator        View reports and alarms    Deploy configurations; delete reports and alarms; generate reports
Network Administrator   View reports and alarms    Edit devices and device groups
System Administrator    View reports and alarms    Edit devices and device groups; delete reports and alarms; generate reports; import lists (files) and notification scripts

Creating accounts with different authorization roles allows an administrator to delegate different responsibilities to different IDS Management Center users. Each account holder can be given exactly the authority needed to carry out his or her responsibilities.

Installation Verification

To verify the successful installation of CiscoWorks2000 and the IDS MC, select the Server Configuration entry on the CiscoWorks2000 Server Desktop, as shown in Figure 10.6. Then select About the Server and Applications and Versions.

Figure 10.6 Server Configuration

Verify that the following key CiscoWorks components are installed:

- Apache: The Apache Web server provides the Web interface used by a client to access the IDS Management Center.
- CWCS SQL Components: A Sybase SQL server is used to provide the database services required by the IDS Management Center.
- CiscoWorks Common Services (CWCS): There are a multitude of services provided by CWCS that are required by the IDS Management Center.

Adding Users to CiscoWorks

Adding users to the CiscoWorks system is straightforward. To add a new user to the CiscoWorks2000 system:

1. Open the Server Configuration tab in the right side panel of the CiscoWorks interface.
2. Select Setup and then Security, as shown in Figure 10.7.
3. Select the Add Users option.
4. Enter values for the settings listed in Table 10.4 and shown in Figure 10.8.

Figure 10.7 CiscoWorks Server Configuration Add User

Table 10.4 CiscoWorks "Add Users" Information

CiscoWorks2000 "Add Users" Setting   Information
Username                             Name of new user account to add
Local Password                       Account password
Confirm Password                     Password confirmation
E-mail                               User's e-mail address (optional)
CCO Login                            User's CCO login account name (optional)
CCO Password                         User's CCO login account password (optional)
Confirm Password                     CCO password confirmation (optional)
Proxy Login                          User's proxy server login name (optional)
Proxy Password                       User's proxy server password (optional)
Confirm Password                     Proxy password confirmation (optional)

Figure 10.8 The CiscoWorks2000 Add User Web Page

The IDS MC

If the IDS MC installation is successful, an entry for the Management Center will appear. Selecting the Management Center entry will prompt the IDS Sensors entry to appear. Selecting the IDS Sensors entry brings up the Management Center IDS Sensors interface, shown in Figure 10.9.

Figure 10.9 The Management Center for IDS Sensors Page

The Devices tab of this page allows for the definition of sensor groups as well as the addition or deletion of sensors from the system, as described in the next section.

Setting Up Sensors and Sensor Groups

Sensors are the "eyes and ears" of the Cisco IDS Management Center. They are placed strategically at the perimeter of the network and near key resources within the enterprise. Each of the sensors deployed in the network has been configured with a unique IP address, which the IDS MC uses to communicate with the sensor. Once these sensors are deployed and assigned IP addresses, they can be configured and managed from within the MC.

Configuring & Implementing: Monitoring Connections

A sensor is commonly placed on a connection to monitor traffic between the network to be protected and other networks. In Figure 10.10, a protected enterprise network is comprised of two intranets: the E-Commerce network and the R&D network. Here, sensors have been deployed to monitor four different types of connections. Starting from the upper left, the sensors offer the following protection:

- Perimeter Protection: The most common deployment for a sensor is between the network to be protected and the Internet. This is known as perimeter protection.
- Remote Access Protection: A dial-in server is used only by employees but may still be vulnerable to external attack. A sensor is placed on the interior side of the dial-in server connection.
- Intranet Protection: While the R&D network is an internal network, it may require a different level of security, and hence a sensor is deployed between the two intranets.
- Extranet Protection: A business partner may have similar network security policies, but the level of protection may differ. A sensor is deployed between the two extranets.
Figure 10.10 Monitoring Connections (figure: sensors placed at the Internet perimeter, on the interior side of the dial-in server, between the E-Commerce network and the Research and Development network, and on the link to the business partner)

The IDS MC Hierarchy

The IDS MC maintains a hierarchy of sensors, sensor groups, and sensor subgroups. Groups provide the capability of managing multiple sensors performing similar functions. Rather than configuring each sensor individually, the IDS MC allows for the configuration of groups of sensors, which dramatically reduces the administrative burden on security personnel. Figure 10.11 illustrates an example of an IDS MC sensor group hierarchy. At the top of the group hierarchy is the Global group. There can be many levels of groups and sensors under the Global group. Each of the lower-level groups, subgroups, and sensors is added manually.

Figure 10.11 The IDS MC Hierarchy

Creating Sensor Subgroups

A sensor subgroup can be added to any group, including the Global group. The following steps can be used to create a sensor subgroup:

1. From the Management Center for IDS Sensors page (Figure 10.7), select the Devices tab, then choose Sensor Group. The Sensor Group page will appear, as shown in Figure 10.11. The Sensor Group page displays a tree of multiple levels of sensor groups and sensors. At present, there is a Global group as well as three subgroups: Core, Internet, and VPN.
2. Select the name of the group under which the new subgroup will appear.
3. Click the Create Subgroup button. The Add Group page appears, as shown in Figure 10.12.
4. Enter the new subgroup's name in the Group Name field.
5. Describe the new group in the Description field.
6. Under Settings, select the parent group's settings or copy the settings from a group in the pull-down menu.
7. Click OK to create the new subgroup.

Figure 10.12 The Add Group Page

The Sensor Group page reappears, containing the newly created group. In Figure 10.13, this new group is named Campus.