Chapter 11 Enterprise IDS Management
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—11-1

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Define features and key concepts of the IDS MC.
• Describe the IDS MC architecture.
• Install the IDS MC.
• Understand the IDS MC deployment.

Introduction

What is the IDS MC?
The IDS MC is a web-based application that centralizes and accelerates the deployment and management of multiple IDS Sensors or IDSMs.
[Figure: PC and laptop clients reach the IDS MC over SSL; the IDS MC manages each Sensor over SSH.]

IDS MC Features
Features of the IDS MC are as follows:
• Web-based management platform
• Enterprise management of IDS devices
  – IDS appliance running version 3.0(1) S4 or higher
  – IDSM running version 3.0(5) S23 or later
  – Up to 300 Sensors
• Provides the ability to create Sensor groups
• Provides a mechanism to require approval of configurations
• Provides the ability to import Sensor configurations
• Pushes signature and service pack updates to the IDS devices

Windows Installation

Server Requirements—Windows
• Hardware
  – IBM PC-compatible computer, 1 GHz Pentium CPU or faster
  – Color monitor with a video card capable of displaying 16-bit color
  – CD-ROM drive
  – 100 Mbps network connection or faster
• Memory
  – 1 GB of RAM minimum
  – 2 GB of virtual memory minimum
• Hard drive space
  – 12 GB of free space minimum
  – NTFS
• Software
  – Windows 2000 Server or Professional with Service Pack 3
  – Microsoft ODBC Driver Manager 3.510 or later

Client Access Requirements—Windows
• Hardware—IBM PC-compatible computer, 300 MHz or faster
• Memory
  – 256 MB of RAM minimum
  – 400 MB virtual memory
• Operating system
  – Windows 98
  – Windows NT 4.0
  – Windows 2000 Professional with Service Pack 2 or 3
  – Windows 2000 Server with Service Pack 2 or 3
  – Windows 2000 Advanced Server
  – Windows XP Professional
• Browser
  – Internet Explorer 5.5 with Service Pack 2
  – Internet Explorer 6.0
  – Netscape Navigator 4.76

Installation Overview
• CiscoWorks Common Services are required for the IDS MC.
• CiscoWorks Common Services provide the CiscoWorks Server-based components, software libraries, and software packages developed for the IDS MC.

Installation Process (screen captures)
Installation Process (cont.) (screen captures)
Installation Process (cont.) (screen captures)
Upgrade Process (screen captures)

Solaris Installation

Server Requirements—Solaris
• Hardware
  – UltraSPARC II, IIi, or IIe chipsets
  – UltraSPARC III or IIIc chipsets
• Memory—1 GB of RAM minimum
• System Software—Solaris 2.7 or Solaris 2.8

Client Access Requirements—Solaris
• Hardware—Solaris SPARCstation or Sun Ultra 10 with a 333 MHz processor with one of the following operating systems:
  – Solaris 2.7
  – Solaris 2.8
• Memory—1 GB of RAM minimum
• Browser—Netscape Navigator 4.79

Installation Overview
• CiscoWorks Common Services are required for the IDS MC.
• CiscoWorks Common Services provide the CiscoWorks Server-based components, software libraries, and software packages developed for the IDS MC.

Installation Process
The following is the console output of the Solaris setup program:

    SETUPDIR=/cdrom/idsmc1.02002-11-14
    ======================================================================
    Started : Wed Dec 11 17:01:19 CST 2002
    ======================================================================
    ===============- Software Install Tool Started. -=====================
    ===- Welcome to the IDS Management Center and Security Monitor 1.0 Setup program.
    ======================================================================
    INFO: This server architecture is 32-bit compatible.
    INFO: /tmp directory has 777 permissions.
    INFO: /etc/hosts is readable by all.
    INFO: OS major is 5 and OS minor is 8
    INFO: OS major or minor patch version not set.
    INFO: Checking group entry casusers.....
    INFO: Group created for installable packages is casusers.
    INFO: Checking user entry casuser.....
    INFO: casuser for installable packages exists.
    INFO: No user added to the system.
    INFO: Warning - No PRMOPT_INSTALL_TYPE section in TOC-file.
    INFO: Warning - No installation default mode set.

Installation Process (cont.)

    1) IDS Management Center
    2) Security Monitor
    3) All of the Above (IDS Management Center + Security Monitor)
    Select one of the items using its number or enter q to quit [q] 1
    INFO: You entered 1 as the option
    Loading properties from info files, working...
    Making a list of dependencies, working...
    Making a list of dependencies for CSCOids, working...
    Making a list of dependencies for CSCOnsdb, working...
    Making a list of dependencies for CSCOossh, working...
    Making a list of dependencies, working...
    INFO: performing prerequisite: /cdrom/idsmc1.02002-11-14/info/idscom/prerequisite
    INFO: performing prerequisite: CSCOids: /cdrom/idsmc1.02002-11-14/packages/CSCOids/
    Enter IDS MC/Security Monitor Database Password:
    Confirm Password :
    INFO: Password Encryption is Successful.
    Enter IDS MC/Security Monitor Database Location : [/opt/CSCOpx/MDC/Sybase/Db/IDS]
    Entered value is /opt/CSCOpx/MDC/Sybase/Db/IDS
    Creating file /tmp/cscotmp/idsinstall.properties....
    . . .

Installation Process (cont.)

    ======================================================================
    Finished: Wed Dec 11 17:13:19 CST 2002
    ======================================================================
    ===============- Software Install Tool Completed. -=====================
    ======================================================================

Architecture

IDS MC Architecture Overview
[Figure: the user connects to the IDS MC over HTTP/HTTPS; the IDS MC connects to each IDS device over SSH. The IDS MC runs on CiscoWorks Common Services and keeps its configuration in the IDS MC Data Store.]

IDS MC Directories
IDS MC home directory
  \Apache
  \Sybase
  \Tomcat
  \Etc\ids
  \updates

IDS MC Processes
The IDS MC is composed of the following processes:
• IDS_Analyzer
• IDS_Backup
• IDS_DbAdminAnalyzer
• IDS_DeployDaemon
• IDS_Notifier
• IDS_Receiver
• IDS_ReportScheduler

Getting Started

CiscoWorks Login (screen capture)

CiscoWorks User Authorization Roles
CiscoWorks user authorization roles allow for different privileges within IDS MC:
• Help Desk—Read-only for the entire system.
• Approver—Read-only for the rest of the system, and can approve configurations.
• Network Operator—Read-only for the rest of the system, and can deploy configurations.
• Network Administrator—Read-only for the rest of the system, and can edit devices and device groups.
• System Administrator—All operations may be performed by the system administrator.
• Users can be assigned multiple authorization roles.

CiscoWorks Add User
Choose Server Configuration>Setup>Security>Add Users.

IDS MC Launch
Choose VPN/Security Management>Management Center>IDS Sensors.

Understanding the IDS MC Interface
[Figure: the IDS MC page with its elements labeled: Path bar, TOC, Object Selector handle, Option bar, Tabs, Object bar, Page, and Instructions.]

IDS Workflow

Workflow
The workflow consists of the following three-step process:
Step 1 Generate—Allows you to generate configuration files for Sensors.
Step 2 Approve—(Optional.) Allows you to manage configuration files proposed for deployment.
Step 3 Deploy—Allows you to submit new deployment jobs and manage deployment jobs.

Workflow—Generate
Choose Deployment>Generate.

Workflow—Deploy
Choose Deployment>Deploy>Submit.

Workflow—Deploy (Schedule) (screen capture)

Workflow—Deploy (Pending)
Choose Deployment>Deploy>Pending.

Workflow—Deploy (Pending) (cont.)
Choose Deployment>Deploy>Pending.
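The three-step workflow and the CiscoWorks authorization roles combine into a simple gated state machine: a configuration is generated, optionally approved, then deployed, and each step is open only to users holding a role that grants it. The following Python model is an added example, not Cisco code. The role names are the ones on the slides; the action-to-role mapping, the class and function names, and the choice of which roles may run Generate are this example's assumptions.

```python
from dataclasses import dataclass, field

# Actions each CiscoWorks role grants (mapping assumed from the slide bullets; the
# slides do not name who runs Generate, so it is given to the two admin roles here).
ROLE_ACTIONS = {
    "Help Desk": frozenset(),
    "Approver": frozenset({"approve"}),
    "Network Operator": frozenset({"deploy"}),
    "Network Administrator": frozenset({"generate", "edit_devices"}),
    "System Administrator": frozenset({"generate", "approve", "deploy", "edit_devices"}),
}

class WorkflowError(Exception):
    pass

def allowed_actions(roles):
    """A user assigned several roles gets the union of their privileges."""
    unknown = set(roles) - set(ROLE_ACTIONS)
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    return frozenset().union(*(ROLE_ACTIONS[r] for r in roles))

@dataclass
class ConfigJob:
    """One Sensor configuration moving through Generate -> Approve -> Deploy."""
    sensor: str
    require_approval: bool  # the IDS MC option to require configuration approval
    state: str = "new"
    history: list = field(default_factory=list)  # (action, user) audit trail

    def _step(self, user, roles, action, from_states, to_state):
        if action not in allowed_actions(roles):
            raise WorkflowError(f"{user} ({', '.join(roles)}) may not {action}")
        if self.state not in from_states:
            raise WorkflowError(f"cannot {action} {self.sensor} while {self.state}")
        self.history.append((action, user))
        self.state = to_state
        return self.state

    def generate(self, user, roles):
        return self._step(user, roles, "generate", {"new"}, "generated")

    def approve(self, user, roles):
        return self._step(user, roles, "approve", {"generated"}, "approved")

    def deploy(self, user, roles):
        # With approval required, only an approved configuration may be deployed.
        ok = {"approved"} if self.require_approval else {"generated", "approved"}
        return self._step(user, roles, "deploy", ok, "deployed")
```

With approval required, a Network Operator cannot push a configuration that no Approver has signed off, and a Help Desk user cannot act on it at all; the history list records who performed each step.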
Summary
• The IDS MC provides a web-based interface for configuring and managing multiple IDS Sensors.
• The IDS MC allows for a three-step process of deploying new configurations to Sensors.
  – Generate the configuration.
  – Approve the configuration. (Optional.)
  – Deploy the configuration.
• The IDS MC can be installed on Windows-based and Solaris-based servers.

Lab Exercise

Lab Visual Objective
[Figure: lab topology. Pods 1–5 use networks 172.30.P.0 and 10.0.P.0 with sensorP, a router, an RTS, and a student PC at 10.0.P.12; pods 6–10 use networks 172.30.Q.0 and 10.0.Q.0 with sensorQ, a router, an RTS, and a student PC at 10.0.Q.12. The pod networks join through the RBB to 172.26.26.0, where the WEB/FTP server sits at .50.]