
Lab Exercise - Cisco IDS Appliance Configuration


Lab 3 Exercise—Cisco IDS Appliance Configuration

IDS 4.0 Roadshow Lab 3
Copyright © 2003, Cisco Systems, Inc.

Objectives

In this lab exercise you will complete the following tasks:
• Verify the network configuration of the IDS appliance.
• Add an address to the list of hosts allowed remote access to the IDS appliance.
• Log IP traffic from a specific address.
• Monitor IDS appliance statistics.
• Monitor IDS appliance events.

Visual Objective

The figure below displays the lab topology you will use to complete this lab exercise:

Figure 1: Lab Network Topology

Passwords

Use the following passwords for this lab:
• Lab Gear password: Your instructor will provide it.
• IDS appliance username/password: The default account name and password are cisco. However, the password for the cisco user should have been changed to emmapeel in Lab 1.
• PC client: The username is Administrator and the password is cisco.
• VNC password: When you connect to the PC, use a password of cisco at the VNC screen.

Task 1—Access the Remote Pod and Login to the PC

Access the remote lab environment via a web browser and an Internet connection. You will login to the lab pod environment, access the appropriate device console(s), and login to the actual device(s) used in the lab.

Step 1 Access your lab pod using the Internet Explorer web browser. If you need help, review the Accessing the Remote Lab Equipment section of the IDS 4.0 Roadshow Lab 1 lab guide (Figure-2).
Step 2 Access the PC by first clicking on the green oval labeled PC Desktop. If you need help, review the instructions starting with the After a Successful Login section of the IDS 4.0 Roadshow Lab 1 lab guide (Figure-3).
Step 3 The VNC login screen should appear. Login with password cisco.
Step 4 You may need to login to the PC itself. If so, click on Send Ctrl-Alt-Del near the top of the window. Login as Administrator with password cisco.
Step 5 You will be presented with a view of the PC desktop.
Figure 2: Example PC Desktop

Task 2—Verify the Network Configuration of the IDS Appliance

To do this lab, the IDS appliance should be configured as per Lab 1 (Cisco Intrusion Detection System (IDS) Appliance Initial Configuration) and Lab 2 (Cisco IDS Appliance Software Upgrade and Cisco IDS Event Viewer). You should be logged into the PC. Verify that your PC is able to ping the IDS appliance and that the IDS Device Manager (IDM) is available using the PC's web browser.

Step 1 Launch Internet Explorer on the PC by double clicking its icon on the PC desktop or by selecting it from the Start->Programs->Internet Explorer menu.
Step 2 Access the IDS appliance by specifying a URL of https://10.0.0.1.
Step 3 Login to the IDS Device Manager as the cisco user using the password that was configured in Lab 1 (the instructions said to use emmapeel).
Step 4 You should now be at the IDS Device Manager home page. Click on the Device tab (arrow 1 in the figure below) on the area bar. The Sensor Setup sub-area bar is displayed. Your IDS Device Manager window should look like the one below:
Figure 3: IDS Device Manager Device Tab
Step 5 Now click on Sensor Setup (arrow 2) in the figure above.
Step 6 You should now be at the Sensor Setup area of the Device tab as shown in the figure below:
Figure 4: Device Manager “Sensor Setup” Page
Step 7 Under TOC on the left side of the page, select Network (arrow 1 in the figure above). A list of IDS appliance network settings is displayed as shown in the figure below:
Figure 5: IDS Appliance Network Settings
Step 8 Verify the IDS appliance is configured with the values listed in the following table. If necessary, modify your IDS appliance to use these settings:

IDS Appliance Settings
Parameter | Value | Description
Host Name | sensor | The alphanumeric identifier of the IDS appliance.
IP address | 10.0.0.1 | The IP address of the IDS appliance.
Netmask | 255.255.255.0 | The subnet mask of the IDS appliance.
Default route | 10.0.0.254 | The IDS appliance's default route for routing purposes, if needed.
Enable TLS/SSL | enabled (checked) | Enables encrypted communications between web browsers and servers.
Web Server Port | 443 | TCP port used by the web server. Port 443 is the default HTTPS port.

Step 9 Continue with the next Step if changes were made to the IDS appliance network settings. If no changes were made, go to the next Task.
Step 10 If you made any changes, they must be saved. Click on Apply to Sensor to save and apply the IDS appliance network settings. You may see a dialog box with the following message: “The applied change required a system reset. It is recommended that you reboot the system now.” Click OK to reboot the IDS appliance with your changes.
Step 11 The System Control page will display, asking you if you really want to reset the IDS appliance. Click Apply to Sensor and give the IDS appliance a few minutes to reboot. Continue on to the next Task.

Task 3—Add an Address to the List of Allowed Hosts

This task involves adding network addresses of those hosts and networks that are allowed remote management access to the IDS appliance. This task is just for practice; the address is just made up. Complete the following steps to add an address to the list of allowed hosts:

Step 1 Click on the Device tab in the area bar. The Device sub-area bar is displayed.
Step 2 Click on Sensor Setup in the sub-area bar. The Sensor Setup TOC is displayed.
Step 3 Select Allowed Hosts from the TOC. The list of allowed networks and hosts is displayed. Your screen should look like the figure below:
Figure 6: IDS Appliance “Allowed Hosts”
Step 4 Select Add. The Adding page is displayed.
Step 5 Enter 192.168.1.0 in the IP Address field.
Step 6 Enter 255.255.255.0 in the Netmask field.
Step 7 Your screen should look like the figure below:
Figure 7: Adding an Allowed Network
Step 8 Click Apply to Sensor to save the allowed network you just added.
Step 9 You will be presented with the updated Allowed Hosts page. Your screen should look like the figure below:
Figure 8: “Allowed Hosts” with New Network Added

Task 4—Log Traffic from a Specific Address

This task involves configuring the IDS appliance to log all IP traffic from a specific IP address, regardless of whether an attack has been launched. Complete the following steps to log IP traffic from a specific address:

Step 1 Click on the Administration tab in the area bar. The Administration sub-area bar is displayed.
Step 2 Click on IP Logging from the sub-area bar. The IP Logging Configuration page is displayed. Your screen should resemble the figure below:
Figure 9: IP Logging Configuration Page
Note: Log files are already present in the figure above. Your IDS appliance probably won't have any existing log files at this point.
Step 3 Click the Add button.
Step 4 At the Adding page, enter the IP address of the Hack Server, 10.1.1.6. Leave the Log For fields blank. Your screen should look like the figure below:
Figure 10: Adding an IP Address to Log
Step 5 Click Apply to Sensor to save the IP logging settings. Notice that the last entry in the list (item 5) has a status of added. This denotes a logging process that has been created but is not yet active.
Your screen should resemble the figure below:
Figure 11: An IP Address has been Added
Step 6 After a few moments, refresh the IP Logging Configuration page to see a Status of started. (A different logfile (item 7) is shown for this example):
Figure 12: IP Logging has Started
Step 7 Place the cursor over the More arrow for a particular log entry to see information about the status of a logging process. The figure below shows the status for the logging process 137854311 (item 7). (The page needs to be refreshed to see changes):
Figure 13: Viewing Information for a Logging Process
Step 8 Stop a logging process by selecting its Log ID and clicking on Stop. The logging process for 137854311 (item 7) is being stopped in the figure below:
Figure 14: Stopping a Logging Process
Step 9 The figure below shows that logging process 137854311 (item 7) has a Status of completed. Notice that the number of Packets Captured is 15283 compared to 3767 in an earlier screenshot:
Figure 15: Information about a Completed Logging Process
Step 10 To examine the contents of a logfile, click on the appropriate Log ID. The figure below shows the hyperlink for 137854311 (item 7) being selected:
Figure 16: Clicking a Hyperlink to an IDS Appliance Logfile
Step 11 Clicking on a Log ID hyperlink will start the download process of the logfile from the IDS appliance to the PC. You can save the logfile to disk or view it directly. The figure below shows an example where the logfile will be viewed without saving it first:
Figure 17: Viewing a Logfile without Saving First
Note: The IP log is automatically overwritten when the IDS appliance uses up its allocated space for IP logging.

Task 5—Monitor the IDS Appliance Statistics

This task involves monitoring the IDS appliance statistics using IDM.
Complete the following steps:

Step 1 Click on the Monitoring tab in the IDM area bar. The Monitoring sub-area bar is displayed. Select Statistics from the sub-area bar. The Statistics page is displayed. Your screen should look like the figure below:
Figure 18: The Statistics Page
Step 2 Statistics can be found relating to the web server, transactions, network access, logging, hosts, event store, analysis engine, and authentication. Take a few minutes to look this page over. There is a lot of information available here.

Task 6—Monitor the IDS Appliance Events

This task involves monitoring the IDS appliance events using IDM. Complete the following steps:

Step 1 Click on the Monitoring tab in the IDM area bar. The Monitoring sub-area bar is displayed. Select Events from the sub-area bar. The Events page is displayed. Your screen should look like the figure below:
Figure 19: The Events Display Page
Step 2 Fill in Filters (No Selection Displays All) fields using the following information:

Filters Field | Field Value
Show Alerts/High: | Select the box by Show Alerts and High
Show Error Events/Fatal: | Select the box by Show Error Events and Fatal
Past Hours: | 1

Step 3 Your screen should look like the figure below:
Figure 20: The Completed Events Display Filters Page
Step 4 Click on Apply to Sensor. If everything is working properly you should see a page containing a number of events. Your screen should resemble the figure below:
Figure 21: Events Gathered using the Events Display Filter
Step 5 Take a few minutes to look through the information gathered.

You have completed this lab if you have verified the network configuration of the IDS appliance, added an address to the list of allowed hosts, configured logging, monitored statistics, and monitored events.
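The network settings verified in Task 2 and the Allowed Hosts entry added in Task 3 can also be checked offline once they are written down as address/netmask pairs. The following is an added example, not part of the Cisco lab guide; the function names, the /24 breadth threshold and the entries marked as constructed are assumptions made for illustration.

```python
import ipaddress

def check_sensor_network(ip, netmask, default_route):
    """Return findings for the sensor's IP address, netmask and default route."""
    findings = []
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")  # raises on a bad netmask
    gateway = ipaddress.ip_address(default_route)
    if gateway not in iface.network:
        findings.append(f"default route {gateway} is outside {iface.network}")
    elif gateway in (iface.ip, iface.network.network_address,
                     iface.network.broadcast_address):
        findings.append(f"default route {gateway} is not a usable next hop")
    return findings

def audit_allowed_hosts(entries, min_prefix=24):
    """Check (address, netmask) pairs as typed on the Allowed Hosts page."""
    findings = []
    for address, netmask in entries:
        try:
            net = ipaddress.ip_network(f"{address}/{netmask}", strict=True)
        except ValueError as exc:  # non-contiguous mask or host bits set
            findings.append(f"{address} {netmask}: invalid ({exc})")
            continue
        if net.prefixlen < min_prefix:  # assumed policy: nothing wider than /24
            findings.append(f"{net}: broader than /{min_prefix}")
    return findings

def is_allowed(client, entries):
    """True if the client address falls inside any valid entry."""
    addr = ipaddress.ip_address(client)
    for address, netmask in entries:
        try:
            if addr in ipaddress.ip_network(f"{address}/{netmask}", strict=True):
                return True
        except ValueError:
            continue
    return False

# Values taken from the lab: the settings table (Task 2) and the Task 3 entry.
SENSOR = ("10.0.0.1", "255.255.255.0", "10.0.0.254")
LAB_ENTRY = ("192.168.1.0", "255.255.255.0")
# Constructed entries (not from the lab) showing what the audit flags.
CONSTRUCTED = [("0.0.0.0", "0.0.0.0"), ("192.168.1.7", "255.255.255.0"),
               ("10.0.0.0", "255.0.255.0")]

if __name__ == "__main__":
    print(check_sensor_network(*SENSOR))
    for line in audit_allowed_hosts([LAB_ENTRY] + CONSTRUCTED):
        print(line)
```

Because the lab describes the Task 3 network as made up, `is_allowed` is a quick way to confirm which management stations an entry actually admits before leaving it in place.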
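A logfile downloaded in Task 4 can be sanity-checked offline to confirm it holds traffic for the logged address and was not cut short. This is an added example, not part of the Cisco lab guide: it assumes the IP log is a classic libpcap capture with Ethernet framing (the guide does not state the format), and the sample capture and every address other than 10.1.1.6 are constructed.

```python
import ipaddress
import struct

def build_sample_iplog(packets, cut=0):
    """Constructed sample: a little-endian pcap of bare Ethernet/IPv4 frames."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
        frame = bytes(12) + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
        data += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return data[:len(data) - cut]  # cut > 0 simulates an incomplete download

def summarize_iplog(data, logged_ip):
    """Count packets from/to logged_ip; report unrelated and truncated records."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(order + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    target = ipaddress.ip_address(logged_ip).packed
    stats = {"from": 0, "to": 0, "unrelated": 0, "non_ipv4": 0, "truncated": 0}
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):  # partial record header at end of file
            stats["truncated"] += 1
            break
        incl_len = struct.unpack_from(order + "I", data, offset + 8)[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < incl_len:  # record body cut short
            stats["truncated"] += 1
        elif len(frame) < 34 or frame[12:14] != b"\x08\x00":
            stats["non_ipv4"] += 1
        elif frame[26:30] == target:  # IPv4 source address
            stats["from"] += 1
        elif frame[30:34] == target:  # IPv4 destination address
            stats["to"] += 1
        else:
            stats["unrelated"] += 1
    return stats

# Constructed packets: three involve the Hack Server 10.1.1.6, one does not.
SAMPLE = [("10.1.1.6", "10.0.0.50"), ("10.0.0.50", "10.1.1.6"),
          ("10.1.1.6", "10.0.0.50"), ("192.168.1.20", "10.0.0.50")]

if __name__ == "__main__":
    print(summarize_iplog(build_sample_iplog(SAMPLE), "10.1.1.6"))
```

A non-zero `truncated` count points to an interrupted download, and a non-zero `unrelated` count means the file is not the log for the address you configured.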

Date posted: 23/10/2015, 18:05
