© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.17-1 Lesson 7 Using the Intrusion Detection System Device Manager to Configure the Sensor.

Transcript:


Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
Configure network settings.
Add allowed hosts.
Set the time.
Add users.
Configure interfaces.
Restore default settings.
Configure SSH communications.
Configure TLS and SSL communications.
Configure the events display.
View Sensor statistics.
View diagnostics.
View system information.

Configuring Basic Sensor Settings

Configuring Network Settings
Screen labels: Sensor Setup, Host Name, IP Address, Netmask, Default Route, Enable TLS/SSL, Web Server Port, Use Default Ports, Network, Apply to Sensor, Reset, Device tab

Configuring Allowed Hosts
Screen labels: Device Tab, Sensor Setup, Allowed Hosts, Select All, Deselect All, Add, Edit, Delete, Reset

Configuring Allowed Hosts (Cont.)
Screen labels: IP Address, Netmask, Apply to Sensor, Reset, Cancel

Setting the Time
Screen labels: Time Settings, Standard Timezone, NTP Server, Daylight Savings Time, Daylight Savings Time Duration, Apply Time to Sensor, Apply Settings to Sensor, Refresh, Reset

Creating User Accounts
Screen labels: Device Tab, Sensor Setup, Users, Select All, Deselect All, Add, Edit, Delete, Reset

Creating User Accounts (Cont.)
Screen labels: User Name, Password, Password Again, User Role, Apply to Sensor, Cancel, Reset

Sensor Interface Overview
Figure labels: Command and control interface, Monitoring interface, 4215 Sensor, int0, int2, int1
The figure illustrates the following Sensor interface characteristics:
There is only one command and control interface per Sensor.
You can configure up to five monitoring interfaces depending on the type of Sensor.
Multiple monitoring interfaces enable simultaneous protection of up to five different network subnets.
All monitoring interfaces use the same configuration.

Configuring the Interfaces
Screen labels: Device Tab, Sensing Engine, Interface Groups, Select All, Deselect All, Edit, Enable, Disable, Reset, Group Number, Virtual Sensor, Alarm Channel, Sensing Interfaces, Enabled

Configuring the Interfaces (Cont.)
Screen labels: Group Number, Virtual Sensor, Alarm Channel, Sensing Interfaces, Apply to Sensor, Cancel, Reset

Configuring the Interfaces (Cont.)
Screen labels: Select All, Deselect All, Enable, Disable, Reset

Restoring the Default Settings
Screen labels: Configuration Tab, Restore Defaults, Apply to Sensor

Configuring SSH Communications

SSH Communications
Figure labels: CLI, SSH client, SSH server, SSH client, SSH server, IDS MC, SSH
The client key, SSH authorized key, enables the client to connect without password authentication.
The server key, SSH host key, is used by the Sensor to prove its identity to the client.

Defining SSH Authorized Keys
Screen labels: Device Tab, Sensor Setup, Authorized Keys, Select All, Deselect All, Add, Edit, Delete, Reset

Defining SSH Authorized Keys (Cont.)
Screen labels: ID, Key Modulus Length, Public Exponent, Public Modulus, Apply to Sensor, Cancel, Reset
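
The three values on the authorized-key form (Key Modulus Length, Public Exponent, Public Modulus) are the components of the client's RSA public key. The following Python is an added example, not part of the Cisco course material: it extracts those values from an OpenSSH-format `ssh-rsa` public key line. It assumes the client key is available in that format; the sample line is built from a constructed placeholder modulus and is not a real key.

```python
import base64
import struct

def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (sign bit kept clear)."""
    return _string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_sample_key_line(exponent: int, modulus: int, comment: str) -> str:
    """Build a constructed ssh-rsa public key line for the demonstration."""
    blob = _string(b"ssh-rsa") + _mpint(exponent) + _mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def _read_field(blob: bytes, offset: int):
    """Read one length-prefixed field, rejecting truncated input."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def rsa_fields_from_openssh(line: str) -> dict:
    """Return the three RSA values named on the authorized-key form."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match")
    e_raw, pos = _read_field(blob, pos)
    n_raw, pos = _read_field(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected data after the modulus")
    modulus = int.from_bytes(n_raw, "big")
    return {"Key Modulus Length": modulus.bit_length(),
            "Public Exponent": int.from_bytes(e_raw, "big"),
            "Public Modulus": modulus}

# Constructed placeholder values: 1024-bit number, NOT a real RSA modulus.
SAMPLE_N = (1 << 1023) | 0x1234567
SAMPLE_LINE = build_sample_key_line(65537, SAMPLE_N, "admin@constructed-example")

if __name__ == "__main__":
    for name, value in rsa_fields_from_openssh(SAMPLE_LINE).items():
        print(f"{name}: {value}")
```
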

Generating an SSH Host Key
Screen labels: Device Tab, Sensor Setup, Generate Key, Apply to Sensor

Generating an SSH Host Key (Cont.)
Screen labels: Apply to Sensor, Reset

Configuring TLS Communications

TLS/SSL Communications
TLS and SSL use a process called handshaking that involves a number of coordinated exchanges between a client and server.
A trusted host certificate is used by the server to verify the identity of a connecting client.
A server certificate, host certificate, is used by the server to prove its identity to the client.
Figure labels: IDM, HTTPS (TLS/SSL), Security Monitor, IEV, HTTPS (TLS/SSL), HTTPS (TLS/SSL), IDS MC, HTTPS (TLS/SSL)

Generating the Server Certificate
Screen labels: Device Tab, Sensor Setup, Generate Host Certificate, Apply to Sensor

Viewing the Server Certificate
Screen labels: Server Certificate

Adding Trusted Host Certificates
Screen labels: Device Tab, Sensor Setup, Trusted Hosts, Select All, Deselect All, Add, Delete, Reset

Adding Trusted Host Certificates (Cont.)
Screen labels: IP Address, Apply to Sensor, Cancel, Reset

Adding Trusted Host Certificates (Cont.)
Screen labels: Select All, Deselect All, Add, Delete, Reset

Configuring Monitoring

Configuring the Events Display
Screen labels: Monitoring Tabs, Events, Show Alerts, Show Error Events, Show Log Events, Show Network Access Controller Events, Show Status Events, Start Time, Start Date, End Time, End Date, Past Hours, Apply to Sensor, Reset

Viewing Sensor Statistics
Screen labels: Monitoring Tab, Statistics

Viewing Diagnostics and System Information

Viewing Diagnostics
Screen labels: Administration Tab, Support, Diagnostics, Run Diagnostics

Viewing Diagnostics (Cont.)
Screen labels: View Results

Viewing Diagnostics (Cont.)

Viewing System Information
Screen labels: Administration Tab, Support, System Information

Summary
You can use IDM to edit the settings configured via the setup command's interactive prompts.
You can use IDM to define the time, time zone, and daylight saving time for the Sensor.
You can use IDM to create and remove users from the local Sensor.
You can configure up to five monitoring interfaces depending on the type of Sensor you have.
All monitoring interfaces use the same configuration.
An interface group provides a way to group monitoring interfaces into one logical virtual Sensor.
A monitoring interface must be part of Group 0 and must be enabled.
You can use RSA authentication rather than passwords to log in to the Sensor over SSH.

Summary (Cont.)
You can use IDM to define the public keys used by clients to log in to the Sensor with RSA authentication.
The Sensor uses its SSH host key to prove its identity to SSH clients.
You can use IDM to generate a new SSH host key for the Sensor.
The server certificate, host certificate, is used by the Sensor to prove its identity to the client.
A trusted host certificate is used by the Sensor to verify the identity of a connecting host.
You can use IDM to generate a new server certificate and to add certificates of trusted hosts.
From the IDM Monitoring tab, you can view Sensor statistics and configure how events will be displayed.
From the IDM Administration tab, you can obtain diagnostics and system information for troubleshooting.

Lab Exercise

Lab Visual Objective
Figure labels: sensorP, sensorQ, Student PC, Router, RTS, Web, FTP, RBB