© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.114-1 Lesson 14 Enterprise Intrusion Detection System Monitoring and Reporting.

Transcript:

Lesson 14: Enterprise Intrusion Detection System Monitoring and Reporting

Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Define features and key concepts of the Security Monitor.
– Install the Security Monitor and verify its functionality.
– Monitor IDS devices with the Security Monitor.
– Administer Security Monitor event rules.
– Use the reporting features of the Security Monitor.
– Administer the Security Monitor server.
– Explain the functionality and benefits of Cisco Threat Response.

Introduction

What Is the Security Monitor?
The Security Monitor provides event collection, viewing, and reporting capability for network devices.

Security Monitor Features
The following are Security Monitor features:
– Monitors the following devices:
  – Sensor appliances
  – IDS Services Modules
  – IDS Network Modules
  – Cisco IOS routers
  – PIX Firewalls
  – Firewall Services Modules
  – CSA MC
– Web-based monitoring platform
– Custom reporting capability

Installation

Installation Requirements
Hardware:
– IBM PC-compatible computer, 1 GHz or faster
– Color monitor with at least 800 x 600 resolution and a video card capable of 16-bit color
– CD-ROM
– 100-Mbps or faster network connection
Memory: 1 GB of RAM minimum
Virtual memory: 2 GB minimum
Disk drive space:
– 9 GB minimum
– NTFS
Software:
– Windows 2000 Professional, Server, or Advanced Server with Service Pack 3
– Sun Java plug-in b24

Client Access Requirements
Hardware: IBM PC-compatible computer, 300 MHz or faster
Memory: 256 MB of RAM minimum
Disk drive space: 400 MB of virtual memory
Software:
– Windows 2000 Professional, Server, or Advanced Server with Service Pack 3
– Windows XP Professional
Browser:
– Internet Explorer 6.0 (Service Pack 1) with Microsoft Virtual Machine
– Netscape Navigator 4.79

Installation Overview
Common Services is required for the Security Monitor. Common Services provides the CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor.

Security Monitor Installation

Verifying System Requirements and Settings During Installation

Selecting the Syslog Port and Specifying Communication Properties
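The syslog port chosen in this installation step is where PIX Firewall and Cisco IOS router events arrive (UDP 514 is the standard syslog default). Before those lines can be stored, filtered by event rules or shown in the Event Viewer they have to be turned into normalized fields: device type, severity, message ID and, where the message carries one, the connection tuple. The following Python is an added example of that normalization step; it is not Cisco code and not the Security Monitor's own parser. The sample lines are constructed, using the standard PIX message IDs 106023 (denied by access group) and 302013 (built TCP connection) and the IOS %SEC-6-IPACCESSLOGP ACL log mnemonic; the `NormalizedEvent` field names are this example's choice.

```python
"""Normalize PIX and IOS syslog lines into collector fields.
Added example, not Cisco or Security Monitor code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 3164 PRI is <facility*8 + severity>; the platform severity is also in the tag.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
PIX_RE = re.compile(r"%(?:PIX|ASA|FWSM)-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
IOS_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_0-9]+): (?P<text>.*)$")
# Connection tuple inside a PIX 106023 deny or an IOS IPACCESSLOGP line.
PIX_DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
IOS_DENY_RE = re.compile(
    r"denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)")


@dataclass
class NormalizedEvent:
    device_type: str            # "pix" or "ios"
    severity: int               # platform severity from the %TAG-n- field
    message_id: str             # PIX numeric ID or IOS FACILITY-MNEMONIC
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    text: str = ""


def parse_syslog_line(line: str) -> Optional[NormalizedEvent]:
    """Return a NormalizedEvent, or None when the line is not PIX/IOS-shaped."""
    line = line.strip()
    m = PRI_RE.match(line)
    if m:
        if int(m.group("pri")) > 191:      # 23*8+7 is the largest legal PRI
            return None
        line = line[m.end():].lstrip()
    m = PIX_RE.search(line)
    if m:
        ev = NormalizedEvent("pix", int(m.group("sev")), m.group("msgid"), text=m.group("text"))
        tup = PIX_DENY_RE.search(ev.text)
    else:
        m = IOS_RE.search(line)
        if not m:
            return None
        msg_id = f"{m.group('facility')}-{m.group('mnemonic')}"
        ev = NormalizedEvent("ios", int(m.group("sev")), msg_id, text=m.group("text"))
        tup = IOS_DENY_RE.search(ev.text)
    if tup:   # only deny/ACL-log messages carry a 5-tuple worth indexing
        ev.proto = tup.group("proto").lower()
        ev.src, ev.dst = tup.group("src"), tup.group("dst")
        ev.sport, ev.dport = int(tup.group("sport")), int(tup.group("dport"))
    return ev


# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    '<164>%PIX-4-106023: Deny tcp src outside:10.1.1.5/4532 dst inside:192.168.1.10/80 by access-group "outside_in"',
    '<166>%PIX-6-302013: Built inbound TCP connection 12 for outside:10.1.1.5/4533 (10.1.1.5/4533) to inside:192.168.1.10/80 (192.168.1.10/80)',
    '<190>%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(4534) -> 192.168.1.10(80), 1 packet',
    'Nov 11 12:00:00 host sshd[123]: Accepted publickey for admin',   # not PIX/IOS, skipped
]


def parse_all(lines: List[str] = SAMPLE_LINES) -> List[NormalizedEvent]:
    return [ev for ev in map(parse_syslog_line, lines) if ev is not None]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev)
```

Unparseable lines are dropped rather than stored as free text, so a malformed or oversized PRI cannot be used to smuggle arbitrary content into the event table; in a real collector you would count such drops so a flood of them is itself visible.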

Getting Started

CiscoWorks Login

Security Monitor Launch
Choose VPN/Security Management > Monitoring Center > Security Monitor.

Security Monitor Interface
Interface elements: path bar, TOC, option bar, tabs, instructions, page, tools, and action buttons.

Adding Devices
Choose Devices, then select Add.

Importing Devices
Choose Devices, then select Import.

Monitoring

Monitoring Connections
Choose Monitor > Connections.

Monitoring Statistics
Choose Monitor > Statistics.

Monitoring Events
Choose Monitor > Events.

Customizing the Event Viewer
Customizing the Event Viewer involves the following options:
– Moving columns
– Deleting columns
– Deleting events from the grid
– Deleting events from the database
– Collapsing cells
– Expanding cells
– Saving your column settings
– Setting the event expansion boundary
Deleting an event from the grid only removes it from the current view; deleting it from the database removes the record itself, so it will no longer appear in later views or reports.

Reporting

Generating a Report
Choose Reports > Generate Report.

Viewing Reports
Choose Reports > View.

Administration

Security Monitor Administration

Database Rules
Choose Admin > Database Rules > Add, then Next to step through the rule.

System Configuration Settings
Choose Admin > System Configuration.

Defining Event Viewer Preferences

Event Notification
Event notification is configured by creating event rules. Creating an event rule involves the following tasks:
– Assign a name to the event rule.
– Define the event filter criteria.
– Assign the event rule action.
– Define the event rule threshold and interval (the rule fires when the threshold number of matching events is received within the interval).
– Activate the event rule. A rule that has not been activated does not fire.

Event Rules: Step 1
Choose Admin > Event Rules > Add.

Event Rules: Steps 2 to 4

Event Rules: Activation
Choose Admin > Event Rules > Activate.
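The filter, threshold, interval, action and activation steps above, worked through as an added Python example; this is not Security Monitor code, and the exact counting semantics (a sliding window over matching events that is cleared when the rule fires, so one burst produces one notification) are this example's assumption. A rule carries one of the three action types the lesson lists (e-mail notification, console audit message, script execution); here each action is a callable that returns a string so the result can be inspected. The alerts, the sensor name and the signature IDs are constructed sample data.

```python
"""Threshold/interval event rules over collected IDS alerts.
Added example, not Security Monitor code."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    ts: float          # seconds since epoch, events are processed in time order
    device: str
    sig_id: int
    severity: str      # "low" | "medium" | "high"
    src: str
    dst: str


@dataclass
class EventRule:
    name: str
    filters: Dict[str, set]   # Event field -> allowed values; empty dict matches everything
    threshold: int            # fire after this many matching events ...
    interval: float           # ... received within this many seconds
    action: str               # "email" | "console" | "script"
    active: bool = False      # must be activated before it can fire
    _window: deque = field(default_factory=deque, repr=False)

    def matches(self, ev: Event) -> bool:
        return all(getattr(ev, f) in allowed for f, allowed in self.filters.items())


class RuleEngine:
    def __init__(self, rules: List[EventRule], handlers: Optional[Dict[str, Callable]] = None):
        self.rules = rules
        self.fired: List[dict] = []
        # Stand-ins for the three actions; a real deployment would send mail, write
        # the audit log, or spawn the script with the triggering events as input.
        self.handlers = handlers or {
            "email": lambda r, evs: f"mail: {r.name} ({len(evs)} events)",
            "console": lambda r, evs: f"audit: {r.name}",
            "script": lambda r, evs: f"exec: {r.name}.sh {evs[-1].src}",
        }

    def process(self, ev: Event) -> None:
        for rule in self.rules:
            if not rule.active or not rule.matches(ev):
                continue
            w = rule._window
            w.append(ev)
            while w and ev.ts - w[0].ts > rule.interval:   # expire events outside the interval
                w.popleft()
            if len(w) >= rule.threshold:
                out = self.handlers[rule.action](rule, list(w))
                self.fired.append({"rule": rule.name, "at": ev.ts, "action": out})
                w.clear()   # re-arm: the next notification needs a fresh threshold of events


def sample_events() -> List[Event]:
    """Constructed alerts: one burst that meets the threshold, one that does not."""
    base = 1_000_000.0

    def mk(dt, sev, sig, src):
        return Event(base + dt, "sensorP", sig, sev, src, "192.168.1.10")

    return [
        mk(0, "high", 5081, "10.1.1.5"),
        mk(10, "high", 5081, "10.1.1.5"),
        mk(20, "low", 2004, "10.1.1.9"),    # does not match the filter
        mk(25, "high", 5081, "10.1.1.5"),   # third match within 60 s: fires
        mk(200, "high", 5081, "10.1.1.5"),
        mk(250, "high", 5081, "10.1.1.7"),
        mk(270, "high", 5081, "10.1.1.7"),  # the 200 s event has expired: only 2 in window
    ]


def run(rules: Optional[List[EventRule]] = None, events: Optional[List[Event]] = None) -> List[dict]:
    rules = rules or [EventRule("IIS probe burst", {"severity": {"high"}, "sig_id": {5081}},
                                threshold=3, interval=60, action="email", active=True)]
    engine = RuleEngine(rules)
    for ev in (events or sample_events()):
        engine.process(ev)
    return engine.fired


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Clearing the window on fire is what keeps a scanner that trips the rule continuously from generating one e-mail per event; if the operational need is instead "tell me every time", drop the `w.clear()` and add a suppression timer.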

Cisco Threat Response

Threat Response has the following characteristics:
– Performs just-in-time analysis of target hosts to assess damage
– Discriminates between successful and unsuccessful attacks
– Downgrades inconsequential alerts
– Escalates critical alerts
– Aids in remediation of intrusions
– Focuses exclusively on monitoring your Sensors and providing automated investigations of each attack
– Requires no prior knowledge of network topologies
– Requires no remote agents
– Maintains a synergistic relationship with existing solutions
– Reduces false positives by up to 95%

Intrusion Protection without Intelligent Investigation
[Figure: three attacks, each raising an alarm that needs a manual investigation.]
1. An attacker launches an auto-scanner script to search for a common IIS unicode vulnerability.
2. The Sensor reports a number of detected attacks against hosts in the network.
3. The Event Viewer or the Security Monitor displays several real attack events.

Intrusion Protection with Intelligent Investigation
[Figure: the same three attacks against System 1, System 2 and System 3, handled by Threat Response. One target is Linux and not vulnerable; one is Windows NT, vulnerable, with the operating system patched; one is Windows NT, vulnerable, with the operating system not patched, where attack traces are found, evidence is collected and security staff are alerted. Only the last one remains an alarm.]
1. An attacker launches an auto-scanner script to search for a common IIS unicode vulnerability.
2. The Sensor reports a number of detected attacks against hosts in the network.
3. Threat Response does the following:
   Step 1) Determines whether the attack targets this operating system type
   Step 2) Performs a patch check
   Step 3) Copies and secures forensic evidence
   Step 4) Determines whether there are traces of a successful attack
   Step 5) Alerts you to a real and confirmed attack
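The five investigation steps above, as an added Python example; this is not Cisco Threat Response code, and the host inventory, the IIS log lines and the fix identifier `IIS-unicode-fix` are constructed for the example. Each target is checked against the alert's operating system and patch state, the web-server log lines from the attacking address are copied and sealed with a SHA-256 digest before they are examined, and a traversal request that returned 200 is what escalates the alert. The three dispositions mirror the alarm categories on the deployment slide (downgraded, under investigation, critical).

```python
"""Alert triage in the style of the Threat Response investigation steps.
Added example, not Cisco Threat Response code."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DOWNGRADED, UNDER_INVESTIGATION, CRITICAL = "downgraded", "under_investigation", "critical"


@dataclass
class Alert:
    sig_name: str
    target_os: str        # OS family the exploited flaw applies to
    fix_id: str           # hypothetical identifier of the patch that closes it
    src: str
    dst: str


@dataclass
class Host:
    ip: str
    os: str
    installed_fixes: set
    web_log: List[str]    # constructed IIS-style log lines: client - - request status


@dataclass
class Verdict:
    host: str
    disposition: str
    reasons: List[str] = field(default_factory=list)
    evidence_sha256: str = ""   # digest of the sealed evidence copy, empty if none taken


# A successful unicode traversal shows up as a request that reached cmd.exe and got 200.
TRACE_RE = re.compile(r"GET (\S*(?:%c0%af|\.\./)\S*cmd\.exe\S*) (\d{3})")


def investigate(alert: Alert, host: Host) -> Verdict:
    v = Verdict(host.ip, UNDER_INVESTIGATION)
    # Step 1: does the attack even target this operating system type?
    if host.os != alert.target_os:
        v.disposition = DOWNGRADED
        v.reasons.append(f"{host.os} is not targeted by {alert.sig_name}")
        return v
    # Step 2: patch check
    if alert.fix_id in host.installed_fixes:
        v.disposition = DOWNGRADED
        v.reasons.append(f"{alert.fix_id} installed")
        return v
    v.reasons.append("unpatched")
    # Step 3: copy the relevant log lines and seal the copy with a digest
    evidence = [ln for ln in host.web_log if alert.src in ln]
    v.evidence_sha256 = hashlib.sha256("\n".join(evidence).encode()).hexdigest()
    # Step 4: look for traces of a successful attack in the sealed copy
    hits = []
    for ln in evidence:
        m = TRACE_RE.search(ln)
        if m and m.group(2) == "200":
            hits.append(m.group(1))
    # Step 5: escalate only a confirmed attack; otherwise leave it under investigation
    if hits:
        v.disposition = CRITICAL
        v.reasons.append(f"{len(hits)} successful traversal request(s) in log")
    else:
        v.reasons.append("attack attempted, no trace of success")
    return v


def sample_inventory() -> List[Host]:
    """Constructed hosts and log lines covering every branch of the investigation."""
    probe = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"
    return [
        Host("192.168.1.10", "linux", set(), []),
        Host("192.168.1.11", "winnt", {"IIS-unicode-fix"}, [f"10.1.1.5 - - {probe} 404"]),
        Host("192.168.1.12", "winnt", set(), [f"10.1.1.5 - - {probe} 200",
                                              "10.1.1.9 - - GET /index.htm 200"]),
        Host("192.168.1.13", "winnt", set(), [f"10.1.1.5 - - {probe} 404"]),
    ]


def triage(alert: Optional[Alert] = None, hosts: Optional[List[Host]] = None) -> Dict[str, Verdict]:
    alert = alert or Alert("IIS unicode directory traversal", "winnt", "IIS-unicode-fix", "10.1.1.5", "")
    out: Dict[str, Verdict] = {}
    for h in (hosts or sample_inventory()):
        out[h.ip] = investigate(Alert(alert.sig_name, alert.target_os, alert.fix_id, alert.src, h.ip), h)
    return out


if __name__ == "__main__":
    for ip, v in triage().items():
        print(ip, v.disposition, "; ".join(v.reasons))
```

The digest is taken before the evidence is searched so that whatever the analyst later reads can be matched against what was copied at alert time; an unpatched host with no trace of success stays under investigation rather than being downgraded, because absence of a log hit is not proof the attempt failed.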

Threat Response Deployment
[Figure: a Sensor at the Internet edge reports alarms to the Threat Response server, which investigates the targeted server and presents the results to the Threat Response client in an alarm filter pane with three categories: downgraded alarms, under investigation alarms, and critical alarms.]

Summary
– The Security Monitor is a component of the CiscoWorks VMS product.
– The Security Monitor is a web-based tool that provides event collection, viewing, and reporting capabilities for IDS devices.
– The Security Monitor can monitor the following devices:
  – Sensor appliances
  – IDS Services Modules
  – IDS Network Modules
  – Cisco IOS routers
  – PIX Firewalls
  – Firewall Services Modules
  – CSA MCs
– To efficiently monitor the events from multiple devices on your network, you can configure Security Monitor event rules. Event rules enable you to perform one of the following actions when the Security Monitor receives certain events:
  – Send an e-mail notification
  – Generate an audit (console) message
  – Execute a script
– The Event Viewer enables you to view the alerts received from your monitored devices in a graphical interface.
– The Security Monitor can generate reports based on the information stored in the Security Monitor database.
– Threat Response performs just-in-time analysis of target hosts to assess damage while discriminating between successful and unsuccessful attacks.

Lab Exercise

Lab Visual Objective
[Figure: lab topology. Each student pod (P and Q) has a Student PC, a Router and a sensor (sensorP, sensorQ), connected through RBB to RTS, which hosts the Web and FTP services. The host-address suffixes shown in the diagram (.0, .1, .2, .4) are not attributable from the transcript.]