Chapter 16
Enterprise Intrusion Detection System Monitoring and Reporting
© 2003, Cisco Systems, Inc. All rights reserved.
CSIDS 4.0—16-1
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Define features and key concepts of the Security Monitor.
• Install and verify the Security Monitor functionality.
• Monitor IDS devices with the Security Monitor.
• Administer Security Monitor event rules.
• Use the reporting features of the Security Monitor.
• Administer the Security Monitor server.
Introduction
What Is the Security Monitor?
The Security Monitor provides event collection, viewing, and reporting capability for network devices.
Security Monitor Features
The following are the Security Monitor features:
• Monitors the following devices:
– Sensor appliances
– IDS Modules
– IOS Routers
– PIX Firewalls
• Web-based monitoring platform
• Custom reporting capability
Installation
Installation Requirements
• Hardware
– IBM PC-compatible computer with an 800 MHz or faster processor
– Color monitor capable of viewing 256 colors
– CD-ROM drive
– 100 Mbps or faster network connection
• Memory—1 GB of RAM minimum
• Disk drive space
– 12 GB minimum
– NTFS
• Software
– Windows 2000 Server with Service Pack 2
– ODBC Driver Manager 3.510 or later
Client Access Requirements
• Hardware—IBM PC-compatible computer with a 300 MHz or faster processor
• Memory—256 MB of RAM minimum
• Disk drive space—400 MB virtual memory
• Software
– Windows 98 and NT 4.0
– Windows 2000 Professional with Service Pack 2
– Windows 2000 Server/Advanced Server with Service Pack 2
• Browser
– Internet Explorer 6.0 or later (recommended)
– Netscape Navigator 4.79 or later
Installation Overview
• VMS Common Services is required for the Security Monitor.
• VMS Common Services provides the CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor.
Security Monitor Installation
Component and Database Location Selection
Database Password and Syslog Port
Communication Properties
Upgrade Process
Getting Started
CiscoWorks Login
CiscoWorks User Authorization Roles
• CiscoWorks user authorization roles allow different privileges within the VMS and the Security Monitor:
– Help Desk—Read-only for the entire system
– Approver—Read-only for the entire system
– Network Operator—Read-only for the rest of the system and generates reports
– Network Administrator—Configures devices, and modifies reports and rules
– System Administrator—Performs all operations
• Users can be assigned multiple authorization roles.
CiscoWorks Add User
Choose Server Configuration>Setup>Security>Add Users.
Security Monitor Launch
Choose VPN/Security Management>Management Center>Security Monitor.
Understanding the Security Monitor Interface
Interface elements labelled in the figure: Path bar, Option bar, Tabs, Tools, TOC, Action buttons, Page, Instructions.
Security Monitor Configuration
Security Monitor Configuration
Security Monitor configuration operations are:
• Adding Devices—Security Monitor monitors the following types of devices:
– RDEP IDS
– PostOffice IDS
– IOS IDS
– Host IDS
– PIX
• Monitoring Devices—Information monitored falls into the following three categories:
– Connections
– Statistics
– Events
• Event Notification—The tasks involved in configuring notification are as follows:
– Adding Event Rules
– Activating Event Rules
Devices—Add
Choose Devices.
RDEP Devices—Add
Choose Devices and Select Add.
RDEP Devices—Add (cont.)
PostOffice Devices—Add
IOS IDS Devices—Add
Devices—Import
Choose Devices and Select Import.
Devices—Import (cont.)
Monitor—Connections
Choose Monitor>Connections.
Monitor—Statistics
Choose Monitor>Statistics.
Monitor—Statistics (cont.)
Event Notification
• Event notification is configured by creating event rules.
• The following tasks are involved in creating an event rule:
– Assign a name to the event rule.
– Define the event filter criteria.
– Assign the event rule action.
– Define the event rule threshold and interval.
– Activate the event rule.
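As an added example (not part of the Cisco course material or the Security Monitor product), the following Python models the five-step event-rule procedure above: a named rule with filter criteria, an action (the chapter summary lists e-mail notification, audit message and script execution), a threshold and interval, and an activation flag. The threshold/interval semantics (the rule fires once at least `threshold` matching events arrive within any `interval`-second window), the event field names and the sample alerts are all assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass
class EventRule:
    name: str                           # step 1: rule name
    filter_fn: Callable[[dict], bool]   # step 2: event filter criteria
    action: str                         # step 3: "email", "audit" or "script"
    threshold: int                      # step 4: matching events needed ...
    interval: float                     # ... within this many seconds (assumed unit)
    active: bool = False                # step 5: inactive rules never fire
    _matches: deque = field(default_factory=deque, repr=False)

    def process(self, event: dict) -> Optional[str]:
        """Feed one event; return an action record when the rule fires."""
        if not self.active or not self.filter_fn(event):
            return None
        now = event["time"]
        self._matches.append(now)
        # Sliding window: forget matches older than the interval.
        while self._matches and now - self._matches[0] > self.interval:
            self._matches.popleft()
        if len(self._matches) >= self.threshold:
            self._matches.clear()       # one action per burst, then re-arm
            return f"{self.action}:{self.name}"
        return None
def run_rules(rules: List[EventRule], events: List[dict]) -> List[Tuple[float, str]]:
    """Replay events in time order through every rule; collect fired actions."""
    fired = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in rules:
            hit = rule.process(ev)
            if hit:
                fired.append((ev["time"], hit))
    return fired
# Constructed sample alerts (times in seconds), not real sensor output.
SAMPLE_EVENTS = [
    {"time": 0,   "sensor": "sensorP", "severity": "high", "src": "10.0.1.5"},
    {"time": 20,  "sensor": "sensorP", "severity": "high", "src": "10.0.1.5"},
    {"time": 45,  "sensor": "sensorQ", "severity": "low",  "src": "10.0.2.9"},
    {"time": 50,  "sensor": "sensorP", "severity": "high", "src": "10.0.1.5"},
    {"time": 400, "sensor": "sensorP", "severity": "high", "src": "10.0.1.5"},
]
# Three high-severity alerts within 60 s send an e-mail; "any-low" is never activated.
RULES = [
    EventRule("high-sev-burst", lambda e: e["severity"] == "high", "email", 3, 60, active=True),
    EventRule("any-low", lambda e: e["severity"] == "low", "audit", 1, 60),
]
```

Running `run_rules(RULES, SAMPLE_EVENTS)` fires the e-mail action once, at the third high-severity alert (time 50); the fourth alert at 400 falls outside the window and the inactive rule stays silent.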
Event Rules—Step 1
Choose Admin>Event Rules>Add.
Event Rules—Step 2
Event Rules—Step 3
Event Rules—Step 4
Event Rules—Activation
Choose Admin>Event Rules>Activate.
Event Viewer
Security Monitor—Event Viewer
Choose Monitor>Events.
Event Viewer Options
Configuring the Event Viewer involves understanding the following options:
• Moving Columns
• Deleting Rows and Columns
• Collapsing Columns
• Setting the Event Expansion Boundary
• Expanding Columns
• Suspending and Resuming New Events
• Changing Display Preferences
• Creating Graphs
• View Option
Event Viewer—Moving Columns
Event Viewer—Deleting Rows and Columns
Choose Monitor>Events>Delete.
Event Viewer—Collapsing Columns
Choose Monitor>Events>Collapse.
Event Viewer—Setting the Event Expansion Boundary
Event Viewer—Expanding Columns
Choose Monitor>Events>Expand.
Event Viewer—Suspending and Resuming New Events
Event Viewer—Changing Display Preferences
Choose Monitor>Events>Preferences.
Event Viewer—Creating Graph
Choose Monitor>Events>Graph.
Event Viewer—View Option
Choose Monitor>Events>View.
Administration and Reporting
Security Monitor Administration
Admin—Database Rules
Choose Admin>Database Rules>Add.
Admin—Database Rules (cont.)
Choose Admin>Database Rules>Add>Next.
Admin—System Configuration Settings
Choose Admin>System Configuration.
Admin—PostOffice Settings
Choose Admin>System Configuration>Postoffice Settings.
Admin—Defining Event Viewer Preferences
Admin—Defining Event Viewer Preferences (cont.)
Choose Admin>Event Viewer>Your Preferences.
Security Monitor Reports
Reports—Generate
Choose Reports>Generate.
Reports—Generate (cont.)
Reports—Schedule Report
Reports—View
Choose Reports>View.
Summary
• Security Monitor is a component of the Virtual Private Network (VPN)/Security Management Solution (VMS) product.
• The Security Monitor is a web-based tool that provides event collection, viewing, and reporting capabilities for IDS devices.
• The Security Monitor can monitor the following devices:
– Appliance Sensors
– IDS Modules
– Router Modules
– IOS Routers
– PIX Firewalls
• To efficiently monitor the events from multiple devices on your network, you can configure Event Rules for Security Monitor.
Summary (cont.)
• Event Rules enable you to perform one of the following actions when Security Monitor receives certain events:
– Send an email notification
– Generate an audit (console) message
– Execute a script
• Event Viewer enables you to view the alerts received by your monitored devices in a graphical interface.
• Security Monitor can generate reports based on the information stored in the Security Monitor database.
Lab Exercise
Lab Visual Objective
Lab topology diagram: Pods 1–5 and Pods 6–10, each with a ROUTER, an IDS sensor (sensorP / sensorQ), an IDS module (idsmP / idsmQ), an RTS, and WEB, FTP, SMTP and POP servers; networks 172.26.26.0, 172.30.P.0, 172.30.Q.0, 10.0.P.0 and 10.0.Q.0, joined through the RBB; student PCs at REMOTE 10.1.P.12 / LOCAL 10.0.P.12 and REMOTE 10.1.Q.12 / LOCAL 10.0.Q.12.
Posted: 23/10/2015, 18:07