Lab 2 Exercise—Cisco IDS Appliance
Software Upgrade and Cisco IDS Event
Viewer
Objectives
In this lab exercise you will complete the following tasks:
• Update IDS appliance software using the IDS Device Manager (IDM).
• Check the IDS appliance software version.
• Install the Cisco IDS Event Viewer (IEV) software on the PC.
• Add the IDS appliance to the list of devices monitored by the IEV.
• Monitor IDS appliance events using the IEV.
Visual Objective
Figure-1 displays the lab topology you will use to complete this lab exercise:
Figure-1: Lab Network Topology
Copyright 2003, Cisco Systems, Inc.
IDS 4.0 Roadshow Lab 2
Passwords
Use the following passwords for this lab:
• Lab Gear password: Your instructor will provide it.
• IDS appliance username/password: The default account name and password are cisco. However, the password for the cisco user should have been changed to emmapeel in Lab 1.
• PC client: The username is Administrator and the password is cisco.
• VNC password: When you connect to the PC, use a password of cisco at the VNC screen.
Task 1—Access the Remote Pod and Log in to the PC
Access the remote lab environment via a web browser and an Internet connection. You will
log in to the lab pod environment, access the appropriate device console(s), and log in to the
actual device(s) used in the lab.
Step 1
Access your lab pod using the Internet Explorer web browser. If you need help,
review the Accessing the Remote Lab Equipment section of the IDS 4.0 Roadshow
Lab 1 lab guide (Figure-2).
Step 2
Access the PC by first clicking on the green oval labeled PC Desktop. If you need
help, review the instructions starting with the After a Successful Login section of the
IDS 4.0 Roadshow Lab 1 lab guide (Figure-3).
Step 3
The VNC login screen should appear. Log in with password cisco.
Step 4
You may need to log in to the PC itself. If so, click on Send Ctrl-Alt-Del near the top
of the window. Log in as Administrator with password cisco.
Step 5
You will be presented with a view of the PC desktop.
Figure-2: Example PC Desktop
Task 2—Check Network Connectivity Between the PC and the
IDS Appliance.
To do this lab, the IDS appliance should be configured as per Lab 1 (Cisco Intrusion Detection
System (IDS) Appliance Initial Configuration).
You should now be logged into the PC.
Check connectivity between the PC and the IDS appliance by doing the following steps.
Step 1
At the PC desktop, click on the Start->Run… menu and open a command window by
typing cmd into the Run window. Click OK and a command window should appear.
Step 2
At the command prompt, type ping 10.0.0.1. The output should look similar to that
shown in the figure below:
Figure-3: Successful ping of the IDS appliance
Step 3
If the pings are not successful, check that the IDS appliance is configured properly as
per Lab 1. You may want to double-check the PC network configuration settings if
the IDS appliance appears to be configured properly.
Step 4
Launch Internet Explorer on the PC by double clicking its icon on the PC desktop or
by selecting it from the Start->Programs->Internet Explorer menu.
Step 5
Access the IDS appliance by specifying a URL of https://10.0.0.1.
Note
IDS Device Manager Traffic is encrypted, so make sure you use HTTPS.
Step 6
In the first Security Alert window, click OK.
Step 7
Click Yes when prompted to accept the IDS appliance certificate.
Step 8
Log in to the IDS Device Manager as the cisco user using the password that was
configured in Lab 1 (the instructions said to use emmapeel).
Step 9
You should now be at the IDS Device Manager home page.
Task 3—Upgrade the IDS Appliance Software.
This task involves accessing the Cisco IDS Device Manager (IDM), and upgrading the IDS
appliance software to the latest version. The first step would be to go to Cisco’s web site and
download the new patch or IDS appliance signature update. As part of the lab, we have done that
for you already. The software you will need already resides on the PC.
Note
The update can be fetched over SCP, FTP, HTTP, or HTTPS. In this lab, we will be using HTTP.
Plain HTTP (and FTP) carries the package with no transport encryption and no authentication
of the server, so outside the lab prefer SCP or HTTPS from a host you control.
Complete the following steps to upgrade the IDS appliance software:
Step 1
You should now be at the IDS Device Manager home page. Click on the
Administration tab (arrow 1 in the figure below) on the area bar. The Administration
sub-area bar is displayed. Your IDS Device Manager window should look like the one
below in Figure 4:
Figure-4: IDS Device Manager Administration page
Step 2
Now click on Update (arrow 2) in Figure 4 (above).
Step 3
You should now be at the Update area of the Administration tab as shown in the
figure below:
Figure-5: IDS Device Manager Update page
Step 4
Enter the following into the URI section of the Update settings box:
http://anonymous@10.0.0.11/IDS-K9-sp-4.0-2-S42.rpm.pkg
Note
No password is needed since we are using anonymous HTTP.
Note
If you are also logged into the IDS appliance via the console, log out before doing the
software update.
Step 5
Click Apply to Sensor. After about five minutes, the update will complete and the
IDS appliance will reboot automatically with the updated system image.
Note
The IDS appliance will not communicate via the console or IDM during the upgrade
process, and there may not be any messages that inform you of the completion. If you
try to log back in using IDM, you may get a message that an update is in progress.
Step 6
Try logging back into the IDS appliance via the console. If you get a console prompt,
the update should be complete.
Step 7
Log in to the IDM application.
Task 4—Check the IDS Appliance Software Version
This task involves checking to make sure that the software upgrade completed. Complete the
following steps to check the IDS appliance software version by using the IDS Device Manager
application.
Note
You could also check the software version by using the show version command from
the IDS appliance CLI.
Step 1
If you are not already logged into the IDS Device Manager, log in as the cisco user
using the appropriate password.
Step 2
Click on the Administration tab (arrow 1 in the figure below) on the area bar. The
Administration sub-area bar is displayed. Then click on Support in the
Administration sub-area bar (arrow 2):
Figure-6: IDS Device Manager Administration page
Step 3
A Table of Contents (TOC) area opens on the left side of the Support window. Click
on System Information (arrow 3 in Figure-7 below) to get the IDS appliance
software version along with various other important pieces of information (arrow 4 in
Figure-7 below). Verify that the IDS appliance version is now 4.0(2)S42:
Figure-7: IDS Device Manager System Information Output
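The version check in Task 4 is a manual comparison between the package name typed into the Update URI in Task 3 and the version string the sensor reports afterwards. The script below automates that comparison and also sanity-checks the update URI itself. It is an added example written for this lab guide, not Cisco code: it assumes (the page does not state this) that IDS 4.x packages are named IDS-K9-<sp|sig>-<major>.<minor>-<release>-S<sig>.rpm.pkg and that System Information or show version prints the installed version as "Version 4.0(2)S42". The BEFORE and AFTER strings are constructed sample output.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated on the page): IDS 4.x update packages are named
# IDS-K9-<kind>-<major>.<minor>-<release>-S<sig>.rpm.pkg, with <kind> "sp"
# for a service pack or "sig" for a signature-only update, and the sensor
# reports the installed version as "<major>.<minor>(<release>)S<sig>".
PACKAGE_RE = re.compile(
    r"^IDS-K9-(?P<kind>sp|sig)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"-(?P<release>\d+)-S(?P<sig>\d+)\.rpm\.pkg$"
)
# Assumption: the version appears in System Information / "show version"
# output as "Version 4.0(2)S42"; only that token is relied on.
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+\)S\d+)")

# Schemes IDM accepts for the update URI; only SCP and HTTPS protect the transfer.
ALLOWED_SCHEMES = {"scp", "ftp", "http", "https"}
CLEARTEXT_SCHEMES = {"ftp", "http"}


def parse_update_uri(uri):
    """Split an IDM update URI into (scheme, user, host, package name).

    Raises ValueError for a scheme IDM does not accept, a missing host or
    package, or a password embedded in the URI (it would be stored and sent
    in the clear; IDM has a separate password field for that).
    """
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if parts.password is not None:
        raise ValueError("do not embed a password in the update URI")
    if not parts.hostname:
        raise ValueError("update URI has no host")
    package = parts.path.rsplit("/", 1)[-1]
    if not package:
        raise ValueError("update URI names no package file")
    return parts.scheme, parts.username, parts.hostname, package


def is_cleartext(uri):
    """True when the package would travel unencrypted and unauthenticated."""
    return urlsplit(uri).scheme in CLEARTEXT_SCHEMES


def expected_version(package):
    """Version string the sensor should report after installing `package`."""
    m = PACKAGE_RE.match(package)
    if not m:
        raise ValueError(f"not a recognised IDS 4.x package name: {package}")
    return f"{m['major']}.{m['minor']}({m['release']})S{m['sig']}"


def reported_version(text):
    """Pull the installed version out of System Information / show version text."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def upgrade_succeeded(uri, system_info):
    """Task 4 check: does the sensor now report the version the package carries?"""
    _, _, _, package = parse_update_uri(uri)
    return reported_version(system_info) == expected_version(package)


# Constructed sample of the Task 4 output, before and after the upgrade.
BEFORE = "Cisco Systems Intrusion Detection Sensor, Version 4.0(1)S37\n"
AFTER = "Cisco Systems Intrusion Detection Sensor, Version 4.0(2)S42\n"
LAB_URI = "http://anonymous@10.0.0.11/IDS-K9-sp-4.0-2-S42.rpm.pkg"

if __name__ == "__main__":
    print(parse_update_uri(LAB_URI))
    print("cleartext transfer:", is_cleartext(LAB_URI))
    print("before upgrade:", upgrade_succeeded(LAB_URI, BEFORE))
    print("after upgrade:", upgrade_succeeded(LAB_URI, AFTER))
```

Paste the text from the System Information page (or the console's show version) in place of AFTER; a False result means the sensor is still on the old image, most likely because the update is still running.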
Task 5—Install the IDS Event Viewer Software on the PC
This task involves installing the IDS Event Viewer (IEV) application. The first step
would be to go to the Cisco website and download the latest IEV installation package
available. For this lab, that download has already been done for you. The installation
software you will need, IEV-4.0-1-S37, resides on the PC desktop.
Complete the following steps to install the IEV software on the PC:
Step 1
Launch the IEV installation application from the PC’s desktop by double clicking on
the icon for the file IEV-4.0-1-S37 (arrow 1 in Figure-8 below).
Figure-8: IDS Event Viewer Installer on PC Desktop
Step 2
The Cisco IDS Event Viewer 4.0 Welcome window opens. Click Next to continue
the installation wizard process. The Select Destination Location window opens.
Step 3
Accept the default installation location and click Next to continue with the wizard
installation process. The Select Program Manager Group window opens.
Step 4
Accept the default Program Manager group and click Next to continue with the
installation wizard process. The Start Installation window opens.
Step 5
Click Back if any mistakes were made. Otherwise, click Next to continue with the
installation. The Installing window displays the IEV installation progress.
Step 6
The IEV application files are copied to the destination location. The IEV file copy
process takes approximately 2–4 minutes depending on system performance.
Step 7
Once the files are copied, the Installation Complete window opens.
Step 8
Click Finish to complete the IEV installation wizard process.
Step 9
The Install dialog window opens.
Step 10 Click OK to restart the system and complete the installation process.
Note
When the PC reboots, you will lose connectivity to it and the VNC window will contain
an error message. Just wait a minute and go back to the main lab diagram and click on
the PC and establish a new session.
Step 11 After the PC has rebooted, log in again as Administrator with password cisco. You
should see a Cisco IDS Event Viewer shortcut icon on the PC desktop (arrow 2 in
Figure-9 below).
Figure-9: IDS Event Viewer Application Shortcut on PC Desktop
Task 6—Add the IDS Appliance as a Device to be Monitored
by the IEV
This task involves launching the IEV application and adding the IDS appliance as a
device that IEV will monitor. Complete the following steps to add the IDS appliance
to the list of devices monitored by the IEV:
Step 1
Double click on the Cisco IDS Event Viewer icon on the desktop to launch the IEV
OR choose Start>Programs>Cisco Systems>Cisco IDS Event Viewer>Cisco IDS
Event Viewer. The Cisco IDS Event Viewer application opens.
Step 2
Choose File>New>Device… from the main menu. The Device Properties window
opens.
Step 3
The following table contains the IDS appliance parameters to enter and a description
of each. Figure-10 shows what the Device Properties window should look like after
the information has been entered:
Cisco IDS Settings
Parameter           Value       Description
Sensor IP Address   10.0.0.1    The IP address of the IDS appliance
Sensor Name         sensor      Alphanumeric identifier for the IDS appliance
User Name           cisco       User name to use for communications
Password            emmapeel    Password to use with User Name
Figure-10: Device Properties for IDS appliance
Step 4
Enter the new IDS appliance information and click OK to save the information. A
Certificate Information window will open and you will be prompted with “Do you
want to trust the following certificate?” Click on Yes to accept the certificate. The
IDS appliance with the name sensor should appear in the Devices folder (as shown
below in Figure-11).
Figure-11: IDS Appliance “sensor” Added to Devices
Note
If IDS Event Viewer cannot connect to the IDS appliance, a red X appears next to the
device name to indicate that no connection is present.
Task 7—Monitor IDS Appliance Events Using the IDS Event
Viewer
This task involves using the IEV to monitor events detected by the IDS appliance.
The Hack Server (shown in Figure-1, Visual Objective) is constantly generating a
variety of attacks. Complete the following steps to monitor the IDS appliance using
IEV:
Step 1
Right click on the sensor entry under Devices. Select Device Status. Figure-12 shows
what this step should look like:
Figure-12: Choosing Device Status for Device “sensor”
Step 2
The Device Status window opens. Take a few moments to examine the information
returned. Figure-13 shows what this step should look like:
Figure-13: Device Status for Device “sensor”
Step 3
Double-click Sig Name Group in the Views folder. The Sig Name Group view is
displayed in the right pane. Figure-14 shows this step:
Figure-14: The “Sig Name Group” View
Step 4
You can expand the columns in order to make the information a bit more readable.
Position the cursor over a line which delineates a column; when the cursor changes to
a double-arrow line hold the mouse button down and drag the column line to make the
column wider. Figure-15 shows this step:
Figure-15: Expanding a Column in the View
Note
If you don’t see any alarms, try refreshing the alarm view by clicking on the Refresh
Views icon (circle arrow) in the icon menu bar. You can also double-click on Sig Name
Group in the Views folder. If the number of alarms doesn’t increase, or there still aren’t
any alarms, it could be that the Hack Server isn’t generating alarms. Contact the
instructor in this case.
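The Sig Name Group view in Steps 3 and 4 is an aggregation: every alarm the sensor sends is folded into one row per signature name, and Refresh Views re-runs that aggregation. The script below reproduces that logic over a handful of constructed alarms so the grouping, the "highest severity wins" rule, and the refresh comparison from the note above can be seen in code. It is an added example for this lab guide, not IEV's own code; the alarm fields, the severity names, the IP addresses and the context strings are all made up here, and the exact columns IEV displays are approximated because the page does not list them.

```python
from dataclasses import dataclass

# Severity levels of IDS 4.0 alarms, lowest to highest (assumed names).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alarm:
    """One alarm as IEV would pull it from the sensor (fields simplified)."""
    sig_name: str
    severity: str
    src: str
    dst: str
    context: str = ""   # decoded trigger packet; empty when the signature gives none


def sig_name_group(alarms):
    """Aggregate alarms into rows keyed by signature name.

    Each row carries the total count, the highest severity seen, and the
    distinct source and destination addresses, roughly what the IEV
    Sig Name Group view shows.
    """
    rows = {}
    for a in alarms:
        row = rows.setdefault(a.sig_name, {"count": 0, "severity": "informational",
                                           "sources": set(), "targets": set()})
        row["count"] += 1
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK[row["severity"]]:
            row["severity"] = a.severity
        row["sources"].add(a.src)
        row["targets"].add(a.dst)
    return rows


def worst_first(rows):
    """Order rows for display: highest severity, then most alarms, then name."""
    return sorted(rows.items(),
                  key=lambda kv: (-SEVERITY_RANK[kv[1]["severity"]], -kv[1]["count"], kv[0]))


def refresh_delta(before, after):
    """Signatures that are new or have grown between two refreshes of the view.

    An empty result after a refresh is the "Hack Server isn't generating
    alarms" condition described in the note above.
    """
    return {name: row["count"] - before.get(name, {"count": 0})["count"]
            for name, row in after.items()
            if row["count"] > before.get(name, {"count": 0})["count"]}


def with_context(alarms):
    """Alarms whose signature supplied context data (Show Context is not greyed out)."""
    return [a for a in alarms if a.context]


# Constructed sample alarms: addresses, severities and context are made up for
# this example; the signature names are used only as labels.
FIRST_PULL = [
    Alarm("WWW IIS Internet Printing Overflow", "high", "10.0.0.50", "10.0.0.20",
          "GET /NULL.printer HTTP/1.0 Host: " + "A" * 40),
    Alarm("WWW IIS Internet Printing Overflow", "high", "10.0.0.51", "10.0.0.20",
          "GET /NULL.printer HTTP/1.0 Host: " + "A" * 40),
    Alarm("ICMP Network Sweep w/Echo", "low", "10.0.0.50", "10.0.0.21"),
]
SECOND_PULL = FIRST_PULL + [
    Alarm("ICMP Network Sweep w/Echo", "low", "10.0.0.50", "10.0.0.22"),
    Alarm("TCP SYN Port Sweep", "medium", "10.0.0.50", "10.0.0.20"),
]

if __name__ == "__main__":
    before = sig_name_group(FIRST_PULL)
    after = sig_name_group(SECOND_PULL)
    for name, row in worst_first(after):
        print(f"{name:40} {row['severity']:8} count={row['count']} "
              f"src={len(row['sources'])} dst={len(row['targets'])}")
    print("new since last refresh:", refresh_delta(before, after))
    print("alarms with context:", len(with_context(SECOND_PULL)))
```

Two things the grouped view hides are visible here: a signature's row shows its highest severity, not the severity of every alarm under it, and the address counts tell you whether one attacker is hitting many hosts or many attackers are hitting one.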
Step 5
Right-click an alarm and choose Expand Whole Details from the drop-down menu.
The Expanded Details Dialog window opens. Figure-16 and Figure-17 show this
step:
Figure-16: “Expand Whole Details” Menu
Note
The alarm named WWW IIS Internet Printing Overflow is a good one to use. This
alarm will have all the properties mentioned in this Task.
Figure-17: “Expand Whole Details” View
Step 6
Right-click on an alarm in the Expanded Details Dialog window and choose View
Alarms. The Alarm Information Dialog window opens. Figure-18 and Figure-19
show this step:
Figure-18: “View Alarms” Menu
Figure-19: “Alarm Information” Dialog View
Step 7
Right-click a column heading and choose Show All Columns from the drop-down
menu to display all the data associated with the alarm. Figure-20 shows this step:
Figure-20: “Show All Columns” Menu
Step 8
Right-click the alarm and choose Show Context from the drop-down menu to view
the context data associated with the alarm. The Decoded Alarm Context window
opens and displays the context data. Figure-21 and Figure-22 show this step:
Figure-21: “Show Context” Menu
Note
Context data will show details of the packet that triggered the alarm. Not all signatures
provide context data, so if Show Context is grayed out, pick another alarm and try
again.
Figure-22: “Decoded Alarm Context” Window
Step 9
Close the Decoded Alarm Context, Alarm Information Dialog, and the Expanded
Details Dialog windows. You should be back at the Sig Name Group view.
Note
You may need to drag a window in order to see the close box in the upper right of the
window. You can also close windows by selecting the appropriate window in the
Windows Task Bar (usually at the bottom of the screen), right-clicking on the name, and
then selecting Close.
Step 10 Right-click an alarm and choose NSDB Link… from the drop-down menu to view the
Network Security Database entry associated with the alarm. The Network Security
Database window opens as a web browser window and displays the signature
description. Figure-23 and Figure-24 show this step:
Figure-23: NSDB Link Menu
Figure-24: Example Network Security Database (NSDB) Entry
Step 11 Close the Network Security Database window.
Step 12 Repeat Steps 5−9 to view the context data associated with the other IDS appliance
events that have been generated.
You have successfully completed this Lab when you have updated the IDS appliance
system software, installed the IDS Event Viewer software, and monitored IDS
appliance events using the IEV software.