© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.16-1 Lesson 6 Sensor Management and Monitoring.

Transcript:

© 2004, Cisco Systems, Inc. All rights reserved. CSIDS Lesson 6 Sensor Management and Monitoring

Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
Explain the features and benefits of IDM and IEV.
Identify the requirements for IDM and IEV.
Install the IEV software and configure it to monitor IDS devices.
Describe the NSDB.

IDS Device Manager Overview

IDS Device Manager
Web-based device configuration tool
Software installed on the Sensor by default
For small-scale Sensor deployments

IDM Features and Benefits
Web-based embedded architecture
Secure communication (TLS/SSL)
Task-based GUI
Signature grouping
Signature customization
Sensor system administration

IDM Client Requirements
Supported web browsers
–Netscape Navigator Version 4.79 or higher
–Internet Explorer Version 5.5 Service Pack 2 or higher
Supported client operating systems
–Windows NT 4.0 Service Pack 6
–Windows 2000 Professional and Server
–Solaris SPARC version 2.7
–Solaris SPARC version 2.8

IDS Manager Interface
Path bar
Table of contents
Area bar
Subarea bar
Toolbar
Content area
Information window

Online IDM Help

IDS Event Viewer Overview

IDS Event Viewer
Windows NT or Windows 2000
Download from Cisco.com
Provides event monitoring for up to five Sensors

IEV Features and Benefits
Downloadable from Cisco.com to an appropriate host
Event monitoring for IDS devices
Customizable event views
Scalable event storage database
NSDB

IEV Requirements
The IEV can be installed on a Windows NT or Windows 2000 system that meets or exceeds the following minimum hardware requirements:
Pentium III, 800 MHz or greater
256 MB RAM
500 MB of free hard drive space available

IDS Event Viewer Installation

Getting Started
Complete the following tasks to start using the IEV:
1. Download the IEV software from Cisco.com.
2. Install the IEV software on the host.
3. Reboot the IEV host to start IDS services.
4. Add IDS devices that the IEV will monitor.

IEV Installation

Add IDS Devices
Choose File > New > Devices.

IDS Event Viewer Views

IEV Views Overview
The initial view provides an aggregate view of alarm data.
Views are grouped by signature name, source address, destination address, Sensor identity, and severity levels.
Each view can have a different data source.
The level of alarm detail is customizable.
A graph view displays alarm data in either an area format or a bar graph format.

IEV Default Views
IEV has the following default views:
Destination Address Group
Sensor Name Group
Severity Level Group
Sig Name Group
Source Address Group

Navigating Views

Whole Details

Alarm Information

Alarm Context Data

Viewing the Trigger Packet

Realtime Dashboard

IDS Event Viewer Filters

Filter Overview
Filters are applied to a view.
Events that match the filter criteria for exclusion are not displayed in a view.
Events that match the filter criteria for inclusion are displayed in the view.
Filter criteria are based on the following:
–Severity
–Source address
–Destination address
–Signature name
–Sensor name
–Time
–Event status

Filter Properties – By Severity
Select the alarm severity levels to add to the filter:
Informational
Low
Medium
High

Filter Properties – By Source Address
Add unique IP addresses.
Add a range of IP addresses:
–Start address
–End address

Filter Properties – By Destination Address
Add unique IP addresses.
Add a range of IP addresses:
–Start address
–End address

Filter Properties – By Signature Name
Select a signature category or specific signatures to add to the filter.

Filter Properties – By Sensor Name
Select a Sensor to apply to the filter.

Filter Properties – By Time
Add an alarm time period to apply to the filter:
Start date and time
End date and time

Filter Properties – By Status
Choose the status of alarms to include in the filter:
New
Acknowledged
Assigned
Closed
Deleted
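The slides above describe two pieces of IEV behaviour: views that aggregate alarms by signature name, source address, destination address, Sensor name or severity, and filters whose criteria (severity, address ranges, signature, Sensor, time window, status) either include or exclude matching events from a view. The following is an added example written for this transcript, not Cisco code and not how IEV is implemented internally; it models both mechanisms so the combination of filter and view can be tried on data. The Alarm fields, the Filter class, the sample alarms, and the signature names are all constructed for illustration.

```python
"""Toy model of IEV-style views and filters (added example, not Cisco code).
Alarm fields and sample alarms are constructed to resemble IEV data."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

IPRange = tuple[IPv4Address, IPv4Address]


@dataclass(frozen=True)
class Alarm:
    time: datetime
    sensor: str
    signature: str
    severity: str          # Informational / Low / Medium / High
    src: IPv4Address
    dst: IPv4Address
    status: str = "New"    # New / Acknowledged / Assigned / Closed / Deleted


def ip_range(start: str, end: Optional[str] = None) -> IPRange:
    """A unique address is modelled as a range whose start equals its end."""
    lo = IPv4Address(start)
    hi = IPv4Address(end) if end else lo
    if hi < lo:
        raise ValueError("range end precedes start")
    return (lo, hi)


def in_ranges(addr: IPv4Address, ranges: list) -> bool:
    return any(lo <= addr <= hi for lo, hi in ranges)


@dataclass
class Filter:
    """One criterion per IEV filter property; None means the property is
    unset and therefore matches every alarm. All set criteria must match."""
    severities: Optional[set] = None
    src_ranges: Optional[list] = None
    dst_ranges: Optional[list] = None
    signatures: Optional[set] = None
    sensors: Optional[set] = None
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    statuses: Optional[set] = None
    exclude: bool = False   # exclusion hides matches; inclusion shows only matches

    def matches(self, a: Alarm) -> bool:
        return (
            (self.severities is None or a.severity in self.severities)
            and (self.src_ranges is None or in_ranges(a.src, self.src_ranges))
            and (self.dst_ranges is None or in_ranges(a.dst, self.dst_ranges))
            and (self.signatures is None or a.signature in self.signatures)
            and (self.sensors is None or a.sensor in self.sensors)
            and (self.start is None or a.time >= self.start)
            and (self.end is None or a.time <= self.end)
            and (self.statuses is None or a.status in self.statuses)
        )

    def apply(self, alarms: list) -> list:
        """Return the alarms a view would display after this filter."""
        keep = (lambda a: not self.matches(a)) if self.exclude else self.matches
        return [a for a in alarms if keep(a)]


# The five default IEV views, mapped to the alarm field each groups on.
DEFAULT_VIEWS = {
    "Destination Address Group": "dst",
    "Sensor Name Group": "sensor",
    "Severity Level Group": "severity",
    "Sig Name Group": "signature",
    "Source Address Group": "src",
}


def group_view(alarms: list, view: str) -> Counter:
    """Aggregate alarm counts per group, as the top level of a view does."""
    field = DEFAULT_VIEWS[view]
    return Counter(str(getattr(a, field)) for a in alarms)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample alarms (not real Sensor output); sensorP/sensorQ follow
# the lab naming used later in this lesson.
SAMPLE_ALARMS = [
    Alarm(_t("2004-03-01T09:00:00"), "sensorP", "ICMP Echo Request", "Informational",
          IPv4Address("10.0.1.2"), IPv4Address("10.0.2.2")),
    Alarm(_t("2004-03-01T09:05:00"), "sensorP", "Web Directory Traversal", "High",
          IPv4Address("10.0.1.2"), IPv4Address("10.0.2.10")),
    Alarm(_t("2004-03-01T09:07:00"), "sensorQ", "FTP Login Failure", "Medium",
          IPv4Address("172.16.5.9"), IPv4Address("10.0.2.11")),
    Alarm(_t("2004-03-01T10:30:00"), "sensorQ", "Web Directory Traversal", "High",
          IPv4Address("172.16.5.9"), IPv4Address("10.0.2.10"), status="Acknowledged"),
    Alarm(_t("2004-03-02T08:00:00"), "sensorP", "TCP Port Sweep", "Low",
          IPv4Address("10.0.1.3"), IPv4Address("10.0.2.10"), status="Closed"),
]

if __name__ == "__main__":
    # Inclusion filter on severity, then the Sensor Name Group view of the result.
    high_only = Filter(severities={"High"}).apply(SAMPLE_ALARMS)
    print(group_view(high_only, "Sensor Name Group"))
    # Exclusion filter: drop informational noise from the Sig Name Group view.
    quiet = Filter(severities={"Informational"}, exclude=True).apply(SAMPLE_ALARMS)
    print(group_view(quiet, "Sig Name Group"))
```

Note that an unset criterion matches everything, so an inclusion filter with only a severity set behaves like the "By Severity" property on its own, while a filter with several properties set requires all of them to match; the time window is inclusive at both ends, which is the usual expectation for "start date and time" and "end date and time" fields.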

Network Security Database

NSDB Signature Index

Signature Information

Related Vulnerability Information

User Notes

Summary

Summary
IDM is a web-based, embedded technology that enables remote administration of Sensor appliances.
IEV is a Windows application that monitors IDS devices.
IEV enables you to view and manage alarm feeds from up to five Sensors.
The NSDB is a tool in IDM and IEV that contains IDS signature and vulnerability information.

Lab Exercise

Lab Visual Objective
(Network diagram; only the labels survive the transcript: Student PCs, Router P, Router Q, sensorP, sensorQ, and the RTS, WEB, FTP and RBB hosts.)