Chapter 16: Enterprise Intrusion Detection System Monitoring and Reporting
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-1

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Define features and key concepts of the Security Monitor.
• Install and verify the Security Monitor functionality.
• Monitor IDS devices with the Security Monitor.
• Administer Security Monitor event rules.
• Use the reporting features of the Security Monitor.
• Administer the Security Monitor server.

Introduction

What Is the Security Monitor?
The Security Monitor provides event collection, viewing, and reporting capability for network devices.

Security Monitor Features
The following are the Security Monitor features:
• Monitors the following devices:
  – Sensor appliances
  – IDS Modules
  – IOS Routers
  – PIX Firewalls
• Web-based monitoring platform
• Custom reporting capability

Installation

Installation Requirements
• Hardware
  – IBM PC-compatible computer with an 800 MHz or faster processor
  – Color monitor capable of displaying 256 colors
  – CD-ROM drive
  – 100 Mbps or faster network connection
• Memory—1 GB of RAM minimum
• Disk drive space
  – 12 GB minimum
  – NTFS
• Software
  – Windows 2000 Server with Service Pack 2
  – ODBC Driver Manager 3.510 or later
Client Access Requirements
• Hardware—IBM PC-compatible computer with a 300 MHz or faster processor
• Memory—256 MB of RAM minimum
• Disk drive space—400 MB virtual memory
• Software
  – Windows 98 and NT 4.0
  – Windows 2000 Professional with Service Pack 2
  – Windows 2000 Server/Advanced Server with Service Pack 2
• Browser
  – Internet Explorer 6.0 or later (recommended)
  – Netscape Navigator 4.79 or later

Installation Overview
• VMS Common Services is required for the Security Monitor.
• VMS Common Services provides the CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor.

Security Monitor Installation

Component and Database Location Selection

Database Password and Syslog Port

Communication Properties

Upgrade Process

Getting Started

CiscoWorks Login

CiscoWorks User Authorization Roles
• CiscoWorks user authorization roles allow different privileges within the VMS and the Security Monitor:
  – Help Desk—Read-only for the entire system
  – Approver—Read-only for the entire system
  – Network Operator—Read-only for the rest of the system and generates reports
  – Network Administrator—Configures devices, and modifies reports and rules
  – System Administrator—Performs all operations
• Users can be assigned multiple authorization roles.
CiscoWorks Add User
Choose Server Configuration>Setup>Security>Add Users.

Security Monitor Launch
Choose VPN/Security Management>Management Center>Security Monitor.

Understanding the Security Monitor Interface
Interface elements (screenshot callouts): Path bar, Option bar, Tabs, Tools, TOC, Action buttons, Page, Instructions.

Security Monitor Configuration

Security Monitor Configuration
Security Monitor configuration operations are:
• Adding Devices—Security Monitor monitors the following types of devices:
  – RDEP IDS
  – PostOffice IDS
  – IOS IDS
  – Host IDS
  – PIX
• Monitoring Devices—Information monitored falls into the following three categories:
  – Connections
  – Statistics
  – Events
• Event Notification—The tasks involved in configuring notification are as follows:
  – Adding Event Rules
  – Activating Event Rules

Devices—Add
Choose Devices.

RDEP Devices—Add
Choose Devices and select Add.

RDEP Devices—Add (cont.)

PostOffice Devices—Add

IOS IDS Devices—Add

Devices—Import
Choose Devices and select Import.

Devices—Import (cont.)

Monitor—Connections
Choose Monitor>Connections.

Monitor—Statistics
Choose Monitor>Statistics.
Monitor—Statistics (cont.)

Event Notification
• Event notification is configured by creating event rules.
• The following tasks are involved in creating an event rule:
  – Assign a name to the event rule.
  – Define the event filter criteria.
  – Assign the event rule action.
  – Define the event rule threshold and interval.
  – Activate the event rule.

Event Rules—Step 1
Choose Admin>Event Rules>Add.

Event Rules—Step 2

Event Rules—Step 3

Event Rules—Step 4

Event Rules—Activation
Choose Admin>Event Rules>Activate.

Event Viewer

Security Monitor—Event Viewer
Choose Monitor>Events.

Event Viewer Options
Configuring the Event Viewer involves understanding the following options:
• Moving Columns
• Deleting Rows and Columns
• Collapsing Columns
• Setting the Event Expansion Boundary
• Expanding Columns
• Suspending and Resuming New Events
• Changing Display Preferences
• Creating Graphs
• View Option

Event Viewer—Moving Columns

Event Viewer—Deleting Rows and Columns
Choose Monitor>Events>Delete.

Event Viewer—Collapsing Columns
Choose Monitor>Events>Collapse.
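The event-rule workflow on the Event Notification slide (name, filter criteria, action, threshold and interval, activation), modelled as an added Python example; this is not Cisco's code, and the event field names and the "threshold matching events within interval seconds" semantics are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List


@dataclass
class EventRule:
    """One Security Monitor-style event rule: name, filter, action, threshold/interval."""
    name: str
    criteria: Dict[str, str]                     # event field -> required value (assumed schema)
    action: Callable[[str, List[dict]], None]    # email, audit (console) message, or script
    threshold: int                               # matching events needed ...
    interval: float                              # ... within this many seconds
    active: bool = False                         # a rule that is not activated never fires
    _window: Deque[dict] = field(default_factory=deque, init=False, repr=False)

    def matches(self, event: dict) -> bool:
        return all(event.get(k) == v for k, v in self.criteria.items())

    def process(self, event: dict) -> bool:
        """Feed one event (dict with numeric 'ts'); return True if the action fired."""
        if not self.active or not self.matches(event):
            return False
        self._window.append(event)
        # Sliding window: discard matches older than `interval` seconds
        while event["ts"] - self._window[0]["ts"] > self.interval:
            self._window.popleft()
        if len(self._window) >= self.threshold:
            batch = list(self._window)
            self._window.clear()                 # one burst triggers one action
            self.action(self.name, batch)
            return True
        return False


def audit_message(rule_name: str, events: List[dict]) -> None:
    # Stand-in for the "generate an audit (console) message" action
    print(f"[audit] {rule_name}: {len(events)} matching events, last at ts={events[-1]['ts']}")


def run_demo(activate: bool = True) -> List[float]:
    """Replay constructed sensor events; return timestamps at which the rule fired."""
    rule = EventRule("sensorP-high-burst", {"device": "sensorP", "severity": "high"},
                     audit_message, threshold=3, interval=60, active=activate)
    events = [  # constructed sample alerts, not real sensor output
        {"ts": 0, "device": "sensorP", "severity": "high"},
        {"ts": 10, "device": "sensorP", "severity": "high"},
        {"ts": 15, "device": "sensorQ", "severity": "high"},   # wrong device, ignored
        {"ts": 20, "device": "sensorP", "severity": "high"},   # third match -> fires
        {"ts": 100, "device": "sensorP", "severity": "high"},
        {"ts": 200, "device": "sensorP", "severity": "low"},   # wrong severity, ignored
        {"ts": 210, "device": "sensorP", "severity": "high"},  # ts=100 has aged out
        {"ts": 215, "device": "sensorP", "severity": "high"},
        {"ts": 230, "device": "sensorP", "severity": "high"},  # third within 60 s -> fires
    ]
    return [e["ts"] for e in events if rule.process(e)]
```

Running `run_demo()` shows the rule firing twice, while `run_demo(activate=False)` shows that an un-activated rule produces no notifications at all.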
Event Viewer—Setting the Event Expansion Boundary

Event Viewer—Expanding Columns
Choose Monitor>Events>Expand.

Event Viewer—Suspending and Resuming New Events

Event Viewer—Changing Display Preferences
Choose Monitor>Events>Preferences.

Event Viewer—Creating Graph
Choose Monitor>Events>Graph.

Event Viewer—View Option
Choose Monitor>Events>View.

Administration and Reporting

Security Monitor Administration

Admin—Database Rules
Choose Admin>Database Rules>Add.

Admin—Database Rules (cont.)
Choose Admin>Database Rules>Add>Next.

Admin—System Configuration Settings
Choose Admin>System Configuration.

Admin—PostOffice Settings
Choose Admin>System Configuration>Postoffice Settings.

Admin—Defining Event Viewer Preferences

Admin—Defining Event Viewer Preferences (cont.)
Choose Admin>Event Viewer>Your Preferences.

Security Monitor Reports

Reports—Generate
Choose Reports>Generate.

Reports—Generate (cont.)

Reports—Schedule Report

Reports—View
Choose Reports>View.

Summary
• Security Monitor is a component of the Virtual Private Network (VPN)/Security Management Solution (VMS) product.
• The Security Monitor is a web-based tool that provides event collection, viewing, and reporting capabilities for IDS devices.
• The Security Monitor can monitor the following devices:
  – Appliance Sensors
  – IDS Modules
  – Router Modules
  – IOS Routers
  – PIX Firewalls
• To efficiently monitor the events from multiple devices on your network, you can configure Event Rules for Security Monitor.

Summary (cont.)
• Event Rules enable you to perform one of the following actions when Security Monitor receives certain events:
  – Send an email notification
  – Generate an audit (console) message
  – Execute a script
• Event Viewer enables you to view the alerts received by your monitored devices in a graphical interface.
• Security Monitor can generate reports based on the information stored in the Security Monitor database.

Lab Exercise

Lab Visual Objective
(Network diagram: student PCs (REMOTE 10.1.P.12 / LOCAL 10.0.P.12 and REMOTE 10.1.Q.12 / LOCAL 10.0.Q.12), sensorP/sensorQ, idsmP/idsmQ, routers, RTS, RBB, and WEB/FTP/SMTP/POP hosts on networks 10.0.P.0, 10.0.Q.0, 172.30.P.0, 172.30.Q.0 and 172.26.26.0; pods 1–5 and 6–10.)