© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.113-1 Lesson 13 Enterprise Intrusion Detection System Management.

Presentation:



Transcript:

Lesson 13: Enterprise Intrusion Detection System Management

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– Define features and key concepts of the IDS MC.
– Describe the IDS MC architecture.
– Install the IDS MC.
– Locate the directories in which the IDS MC and its components are installed.
– Add Sensors and Sensor groups to the IDS MC.
– Use the IDS MC to tune signatures.
– Deploy configuration files.
– Update the IDS MC.
– Generate and view reports.

Introduction

What Is the IDS MC?

The IDS MC is a web-based application that centralizes and accelerates the deployment and management of multiple IDS Sensors or IDSMs.

Figure: a PC or laptop reaches the IDS MC over HTTPS; the IDS MC reaches the Sensor over SSH.

IDS MC Features

Features of the IDS MC are as follows:
– Web-based management platform
– Enterprise management of IDS devices:
  – IDS appliance running Version 3.0(1) S4 or higher
  – IDSM running Version 3.0(5) S23 or later
  – IDSM-2 running Version 4.0 or higher
  – NM-CIDS running Version 4.1 or higher
  – Up to 300 Sensors
– Provides the ability to create Sensor groups
– Provides a mechanism to require approval of configurations
– Provides the ability to import Sensor configurations
– Pushes signature and service pack updates to the IDS devices

Windows Installation

Server Requirements (Windows)

Hardware
– IBM PC-compatible computer, 1-GHz Pentium CPU or faster
– Color monitor with video card capable of viewing 16-bit color
– CD-ROM drive
– 100-Mbps network connection or faster
Memory
– 1 GB of RAM minimum
– 2 GB of virtual memory minimum
Hard drive space
– 12 GB of free space minimum
– NTFS
Software
– Windows 2000 Professional, Server, or Advanced Server (with Service Pack 3)

Client Access Requirements (Windows)

Hardware
– IBM PC-compatible computer, 300 MHz or faster
Memory
– 256 MB of RAM minimum
– 400 MB virtual memory
Operating system
– Windows 2000 Professional with Service Pack 3
– Windows 2000 Server with Service Pack 3
– Windows XP, Service Pack 1 with Microsoft Virtual Machine
Browser
– Internet Explorer 6.0 with Service Pack 1
– Netscape Navigator 4.79

Installation Overview

CiscoWorks Common Services is required for the IDS MC. CiscoWorks Common Services provides the CiscoWorks Server-based components, software libraries, and software packages developed for the IDS MC.

Installation Process

Upgrade Process

Solaris Installation

Server Requirements (Solaris)

Hardware
– Sun UltraSPARC 60 with 440 MHz or faster processor
– Sun UltraSPARC III (Sun Blade 2000 Workstation or Sun Fire 280R Server)
Memory
– 1 GB of RAM minimum
– 2 GB of virtual memory
System software
– Solaris 2.8

Client Access Requirements (Solaris)

Hardware
– Sun SPARCstation or Ultra 10 with a 333-MHz processor with the Solaris 2.8 operating system
Memory
– 1 GB of RAM minimum
Swap space
– 512 MB
Browser
– Netscape Navigator 4.76

Installation Overview

CiscoWorks Common Services is required for the IDS MC. CiscoWorks Common Services provides the CiscoWorks Server-based components, software libraries, and software packages developed for the IDS MC.

Installation Process

    SETUPDIR=/cdrom/idsmc
    ======================================================================
    Started : Wed Dec 11 17:01:19 CST 2002
    ======================================================================
    ===============- Software Install Tool Started. -=====================
    ===- Welcome to the IDS Management Center and Security Monitor 1.0 Setup program.
    ======================================================================
    INFO: This server architecture is 32-bit compatible.
    INFO: /tmp directory has 777 permissions.
    INFO: /etc/hosts is readable by all.
    INFO: OS major is 5 and OS minor is 8
    INFO: OS major or minor patch version not set.
    INFO: Checking group entry casusers.....
    INFO: Group created for installable packages is casusers.
    INFO: Checking user entry casuser.....
    INFO: casuser for installable packages exists.
    INFO: No user added to the system.
    INFO: Warning - No PRMOPT_INSTALL_TYPE section in TOC-file.
    INFO: Warning - No installation default mode set.

Installation Process (Cont.)

    1) IDS Management Center
    2) Security Monitor
    3) All of the Above (IDS Management Center + Security Monitor)
    Select one of the items using its number or enter q to quit [q] 1
    INFO: You entered 1 as the option
    Loading properties from info files, working...
    Making a list of dependencies, working...
    Making a list of dependencies for CSCOids, working...
    Making a list of dependencies for CSCOnsdb, working...
    Making a list of dependencies for CSCOossh, working...
    Making a list of dependencies, working...
    INFO: performing prerequisite: /cdrom/idsmc /info/idscom/prerequisite
    INFO: performing prerequisite: CSCOids: /cdrom/idsmc /packages/CSCOids/
    Enter IDS MC/Security Monitor Database Password:
    Confirm Password :
    INFO: Password Encryption is Successful.
    Enter IDS MC/Security Monitor Database Location : [/opt/CSCOpx/MDC/Sybase/Db/IDS]
    Entered value is /opt/CSCOpx/MDC/Sybase/Db/IDS
    Creating file /tmp/cscotmp/idsinstall.properties.....

Installation Process (Cont.)

    ======================================================================
    Finished: Wed Dec 11 17:13:19 CST 2002
    ======================================================================
    ===============- Software Install Tool Completed. -=====================
    ======================================================================

Architecture

IDS MC Architecture Overview

Figure: the user reaches the IDS MC over HTTPS; the IDS MC runs on CiscoWorks Common Services with its own data store and reaches the IDS device over SSH.

IDS MC Directories

IDS MC home directory
– \Apache
– \Sybase
– \Tomcat
– \etc\ids
  – \updates

Getting Started with the IDS MC

CiscoWorks Login

CiscoWorks User Authorization Roles

CiscoWorks user authorization roles allow for different privileges within the IDS MC:
– Help Desk: read-only privileges for the entire system.
– Approver: read-only privileges for the rest of the system, and the ability to approve configurations.
– Network Operator: read-only privileges for the rest of the system, and the ability to deploy configurations.
– Network Administrator: read-only privileges for the rest of the system, and the ability to edit devices and device groups.
– System Administrator: all operations may be performed by the system administrator.

CiscoWorks Add User

Choose Server Configuration > Setup > Security > Add Users.

IDS MC Launch

Choose VPN/Security Management > Management Center > IDS Sensors.

Understanding the IDS MC Interface

Figure: the IDS MC page consists of the Path bar, Object bar, Object Selector handle, TOC, Option bar, Tabs, and Tool bar.

Sensors and Sensor Groups

Hierarchy of Groups and Sensors

Adding a Sensor

Choose Devices > Sensor.

Adding a Sensor Group

Choose Devices > Sensor Group.

Using the IDS MC to Configure the Sensor

Configuring Allowed Hosts

Choose Configuration > Settings > Communications > Allowed Hosts.

Tuning Signatures

Choose Configuration > Settings > Signatures.

IDS MC Workflow

Workflow

Workflow contains the following options:
– Generate: allows you to generate configuration files for Sensors.
– Approve (optional): allows you to manage configuration files proposed for deployment.
– Deploy: allows you to submit new deployment jobs and manage deployment jobs.

Saving Configuration Changes

Choose Configuration > Pending.

Generating a Configuration File

Choose Deployment > Generate.

Approving a Configuration File (Optional)

Choose Admin > System Configuration > Configuration File Management.

Deploying a Configuration File

Choose Deployment > Deploy > Submit.

Pending Deployments

Choose Deployment > Deploy > Pending.
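The approval gate in the workflow above, combined with the CiscoWorks authorization roles described under Getting Started, as an added Python example (not the IDS MC's own code): it moves one configuration file through Generate, Approve and Deploy and rejects a step requested by a role without the privilege or from the wrong state. Treating "generate" as part of the Network Administrator's edit privilege is an assumption; the slides do not say which role generates.

```python
# Added example (not the IDS MC's own code): the IDS MC workflow
# Generate -> Approve (optional) -> Deploy, gated by CiscoWorks roles.
from enum import Enum

class Role(Enum):
    HELP_DESK = "Help Desk"
    APPROVER = "Approver"
    NETWORK_OPERATOR = "Network Operator"
    NETWORK_ADMINISTRATOR = "Network Administrator"
    SYSTEM_ADMINISTRATOR = "System Administrator"

# Write privileges per role (every role also has read-only access).
# ASSUMPTION: generating a configuration file is treated as part of the
# Network Administrator's "edit devices" privilege; the slides do not say.
PRIVILEGES = {
    Role.HELP_DESK: set(),
    Role.APPROVER: {"approve"},
    Role.NETWORK_OPERATOR: {"deploy"},
    Role.NETWORK_ADMINISTRATOR: {"edit", "generate"},
    Role.SYSTEM_ADMINISTRATOR: {"edit", "generate", "approve", "deploy"},
}

def authorized(role, action):
    return action in PRIVILEGES[role]

class ConfigWorkflow:
    """Tracks one Sensor configuration file through the IDS MC workflow."""
    def __init__(self, require_approval):
        self.require_approval = require_approval  # the optional Approve step
        self.state = "pending"                    # saved but not generated
        self.audit = []                           # (role, action) accepted

    def _step(self, role, action, allowed_from, new_state):
        # Check the role first, then the workflow state; accepted steps are logged.
        if not authorized(role, action):
            raise PermissionError(f"{role.value} may not {action}")
        if self.state not in allowed_from:
            raise ValueError(f"cannot {action} from state '{self.state}'")
        self.state = new_state
        self.audit.append((role.value, action))
        return self.state

    def generate(self, role):
        return self._step(role, "generate", {"pending"}, "generated")
    def approve(self, role):
        return self._step(role, "approve", {"generated"}, "approved")
    def deploy(self, role):
        # With approval required, a merely generated file cannot be deployed.
        ready = {"approved"} if self.require_approval else {"generated", "approved"}
        return self._step(role, "deploy", ready, "deployed")
```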

Updating the IDS MC

IDS MC Updates

The IDS MC must operate with the same software and signature version as the Sensors it manages. When you update the Sensor, you must also update the IDS MC. A compressed (.zip) update file must be used to upgrade the IDS MC. To update the IDS MC, the update file must reside on the IDS MC server at X:\Program Files\CSCOpx\MDC\etc\ids\updates.

Applying an Update

Choose Configuration > Updates > Update Network IDS Signatures.

Reporting

Report Generation

Choose Reports > Generate.

Viewing Reports

Summary

The IDS MC provides a web-based interface for configuring and managing multiple IDS Sensors. The IDS MC can be installed on Windows-based and Solaris-based servers. The IDS MC allows the grouping of Sensors into Sensor groups for ease of management and configuration.

Summary (Cont.)

For the IDS MC to understand the software installed on the Sensor, it must operate with the same software and signature version as the Sensors it manages. Therefore, if you apply a service pack or signature update to a Sensor managed by the IDS MC, you must also update the IDS MC. The IDS MC provides a mechanism for controlling the approval and deployment of Sensor configuration files. The IDS MC's reporting capability provides a method for determining the status of configuration deployment.

Lab Exercise

Lab Visual Objective

Figure: lab topology with the student PCs, pod routers, sensorP and sensorQ, RTS, the Web/FTP server, and RBB.