Download presentation
Presentation is loading. Please wait.
Published byRose Harmon Modified over 9 years ago
1
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-1 Chapter 16 Enterprise Intrusion Detection System Monitoring and Reporting
2
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-2 Objectives Upon completion of this chapter, you will be able to perform the following tasks: Define features and key concepts of the Security Monitor. Install and verify the Security Monitor functionality. Monitor IDS devices with the Security Monitor. Administer Security Monitor event rules. Use the reporting features of the Security Monitor. Administer the Security Monitor server.
3
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-3 Introduction
4
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-4 What Is the Security Monitor? The Security Monitor provides event collection, viewing, and reporting capability for network devices.
5
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-5 Security Monitor Features The following are the Security Monitor features: Monitors the following devices: –Sensor appliances –IDS Modules –IOS Routers –PIX Firewalls Web-based monitoring platform Custom reporting capability
6
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-6 Installation
7
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-7 Installation Requirements Hardware –IBM PC-compatible computer with 800 MHz or faster –Color monitor capable of viewing 256 colors –CD-ROM drive –100 Mbps or faster network connection Memory—1 GB of RAM minimum Disk drive space –12 GB minimum –NTFS Software –Windows 2000 Server with Service Pack 2 –ODBC Driver Manager 3.510 or later
8
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-8 Client Access Requirements Hardware—IBM PC-compatible computer with a 300 MHz or faster Memory—256 MB of RAM minimum Disk drive space—400 MB virtual memory Software –Windows 98 and NT 4.0 –Windows 2000 Professional with Service Pack 2 –Windows 2000 Server/Advanced Server with Service Pack 2 Browser –Internet Explorer 6.0 or later (recommended) –Netscape Navigator 4.79 or later
9
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-9 Installation Overview VMS Common Services is required for the Security Monitor. VMS Common Services provides the CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor.
10
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-10 Security Monitor Installation
11
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-11 Component and Database Location Selection
12
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-12 Database Password and Syslog Port
13
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-13 Communication Properties
14
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-14 Upgrade Process
15
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-15 Getting Started
16
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-16 CiscoWorks Login
17
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-17 CiscoWorks User Authorization Roles CiscoWorks user authorization roles allow different privileges within the VMS and the Security Monitor: –Help Desk—Read-only for the entire system –Approver—Read-only for the entire system –Network Operator—Read-only for the rest of the system and generates reports –Network Administrator—Configures devices, and modifies reports and rules –System Administrator—Performs all operations Users can be assigned multiple authorization roles.
18
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-18 CiscoWorks Add User Choose Server Configuration>Setup>Security>Add Users.
19
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-19 Security Monitor Launch Choose VPN/Security Management>Management Center>Security Monitor.
20
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-20 Understanding the Security Monitor Interface Path bar TOC Option barTabs Instructions Page Tools Action buttons
21
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-21 Security Monitor Configuration
22
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-22 Security Monitor Configuration Security Monitor configuration operations are: Adding Devices—Security Monitor monitors the following types of devices: –RDEP IDS –PostOffice IDS –IOS IDS –Host IDS –PIX Monitoring Devices—Information monitored falls into the following three categories: –Connections –Statistics –Events Event Notification—Tasks involved to configure notification are as follows: –Adding Event Rules –Activating Event Rules
23
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-23 Devices—Add Choose Devices.
24
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-24 RDEP Devices—Add Choose Devices and Select Add.
25
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-25 RDEP Devices—Add (cont.)
26
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-26 PostOffice Devices—Add
27
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-27 IOS IDS Devices—Add
28
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-28 Devices—Import Choose Devices and Select Import.
29
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-29 Devices—Import (cont.)
30
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-30 Monitor—Connections Choose Monitor>Connections.
31
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-31 Monitor—Statistics Choose Monitor>Statistics.
32
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-32 Monitor—Statistics (cont.)
33
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-33 Event Notification Event notification is completed by creating event rules. The following tasks are involved in creating an event rule: –Assign a name to the event rule. –Define the event filter criteria. –Assign the event rule action. –Define the event rule threshold and interval. –Activate the event rule.
34
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-34 Event Rules—Step 1 Choose Admin>Event Rules>Add.
35
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-35 Event Rules—Step 2
36
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-36 Event Rules—Step 3
37
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-37 Event Rules—Step 4
38
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-38 Event Rules—Activation Choose Admin>Event Rules>Activate.
39
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-39 Event Viewer
40
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-40 Event Viewer
41
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-41 Security Monitor—Event Viewer Choose Monitor>Events.
42
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-42 Event Viewer Options Configuring the Event Viewer involves understanding the following options: Moving Columns Deleting Rows and Columns Collapsing columns Setting the Event Expansion Boundary Expanding Columns Suspending and Resuming New Events Changing Display Preferences Creating Graphs View Option
43
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-43 Event Viewer—Moving Columns
44
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-44 Event Viewer—Deleting Rows and Columns Choose Monitor>Events>Delete.
45
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-45 Event Viewer—Collapsing Columns Choose Monitor>Events>Collapse.
46
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-46 Event Viewer—Setting the Event Expansion Boundary
47
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-47 Event Viewer—Expanding Columns Choose Monitor>Events>Expand.
48
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-48 Event Viewer—Suspending and Resuming New Events
49
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-49 Event Viewer—Changing Display Preferences Choose Monitor>Events>Preferences.
50
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-50 Event Viewer—Creating Graph Choose Monitor>Events>Graph.
51
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-51 Event Viewer—View Option Choose Monitor>Events>View.
52
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-52 Administration and Reporting
53
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-53 Security Monitor Administration
54
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-54 Admin—Database Rules Choose Admin>Database Rules>Add.
55
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-55 Admin—Database Rules (cont.) Choose Admin>Database Rules>Add>Next.
56
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-56 Admin—System Configuration Settings Choose Admin>System Configuration.
57
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-57 Admin—PostOffice Settings Choose Admin>System Configuration>Postoffice Settings.
58
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-58 Admin—Defining Event Viewer Preferences
59
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-59 Admin—Defining Event Viewer Preferences (cont.) Choose Admin>Event Viewer>Your Preferences.
60
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-60 Security Monitor Reports
61
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-61 Reports—Generate Choose Reports>Generate.
62
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-62 Reports—Generate (cont.)
63
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-63 Reports—Schedule Report
64
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-64 Reports—View Choose Reports>View.
65
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-65 Summary
66
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-66 Summary Security Monitor is a component of the Virtual Private Network (VPN)/Security Management Solution (VMS) product. The Security Monitor is a web-based tool that provides event collection, viewing, and reporting capabilities for IDS devices. The Security Monitor can monitor the following devices: –Appliance Sensors –IDS Modules –Router Modules –IOS Routers –PIX Firewalls To efficiently monitor the events from multiple devices on your network, you can configure Event Rules for Security Monitor.
67
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-67 Summary (cont.) Event Rules enables you to perform one of the following actions when Security Monitor receives certain events: –Send an email notification –Generate an audit (console) message –Execute a script Event Viewer enables you to view the alerts received by your monitored devices in a graphical interface. Security Monitor can generate reports based on the information stored in the Security Monitor database.
68
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-68 Lab Exercise
69
© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—16-69.6 idsmP.6 idsmQ.4 sensorP.4 sensorQ.100 172.30.Q.0 172.30.P.0 Lab Visual Objective STUDENT PC.2 STUDENT PC ROUTER.1.2 ROUTER.1 REMOTE: 10.1.P.12 LOCAL: 10.0.P.12 REMOTE: 10.1.Q.12 LOCAL: 10.0.Q.12 10.0.P.0 10.0.Q.0 RTS.100 Pods 1–5 Pods 6–10.10 WEB FTP SMTP POP WEB FTP SMTP POP.10 172.26.26.0.150.50 WEB FTP RBB
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.