Chapter 16
Enterprise Intrusion Detection System Monitoring and Reporting
© 2003, Cisco Systems, Inc. All rights reserved.
CSIDS 4.0—16-1
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Define features and key concepts of the Security Monitor.
• Install and verify the Security Monitor functionality.
• Monitor IDS devices with the Security Monitor.
• Administer Security Monitor event rules.
• Use the reporting features of the Security Monitor.
• Administer the Security Monitor server.
Introduction
What Is the Security Monitor?
The Security Monitor provides event collection, viewing, and reporting capability for network devices.
Security Monitor Features
The following are the Security Monitor features:
• Monitors the following devices:
– Sensor appliances
– IDS Modules
– IOS Routers
– PIX Firewalls
• Web-based monitoring platform
• Custom reporting capability
Installation
Installation Requirements
• Hardware
– IBM PC-compatible computer with an 800 MHz or faster processor
– Color monitor capable of viewing 256 colors
– CD-ROM drive
– 100 Mbps or faster network connection
• Memory—1 GB of RAM minimum
• Disk drive space
– 12 GB minimum
– NTFS
• Software
– Windows 2000 Server with Service Pack 2
– ODBC Driver Manager 3.510 or later
Client Access Requirements
• Hardware—IBM PC-compatible computer with a 300 MHz or faster processor
• Memory—256 MB of RAM minimum
• Disk drive space—400 MB virtual memory
• Software
– Windows 98 or Windows NT 4.0
– Windows 2000 Professional with Service Pack 2
– Windows 2000 Server/Advanced Server with Service Pack 2
• Browser
– Internet Explorer 6.0 or later (recommended)
– Netscape Navigator 4.79 or later
Installation Overview
• VMS Common Services is required for the Security Monitor.
• VMS Common Services provides the CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor.
Security Monitor Installation
Component and Database Location Selection
Database Password and Syslog Port
Communication Properties
Upgrade Process
Getting Started
CiscoWorks Login
CiscoWorks User Authorization Roles
• CiscoWorks user authorization roles grant different privileges within VMS and the Security Monitor:
– Help Desk—Read-only access to the entire system
– Approver—Read-only access to the entire system
– Network Operator—Generates reports; read-only access to the rest of the system
– Network Administrator—Configures devices and modifies reports and rules
– System Administrator—Performs all operations
• Users can be assigned multiple authorization roles, in which case they hold the combined privileges of every assigned role.
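Because a user who holds several roles gets the union of those roles' privileges, role assignment is where least privilege is won or lost on the Security Monitor server. The following added example (not Cisco's code) models the five roles as the slide describes them, computes what an account can do beyond what its job requires, and searches for the role combination that covers a job with the least excess. The privilege names, the treatment of Network Administrator as also able to generate reports, and the sample accounts are assumptions made for the example.

```python
from itertools import combinations

# Atomic privileges. These names are an assumption for the example; the slide
# describes each role in one line and does not name individual privileges.
READ = "read"
GENERATE_REPORTS = "generate_reports"
CONFIGURE_DEVICES = "configure_devices"
MODIFY_REPORTS_AND_RULES = "modify_reports_and_rules"
ADMINISTER_SERVER = "administer_server"

ALL_PRIVILEGES = frozenset({
    READ, GENERATE_REPORTS, CONFIGURE_DEVICES,
    MODIFY_REPORTS_AND_RULES, ADMINISTER_SERVER,
})

# Role -> privilege set, transcribed from the slide's one-line descriptions.
# Treating Network Administrator as also able to generate reports is an
# assumption; the slide only says it configures devices and modifies reports.
ROLE_PRIVILEGES = {
    "Help Desk": frozenset({READ}),
    "Approver": frozenset({READ}),
    "Network Operator": frozenset({READ, GENERATE_REPORTS}),
    "Network Administrator": frozenset({
        READ, GENERATE_REPORTS, CONFIGURE_DEVICES, MODIFY_REPORTS_AND_RULES,
    }),
    "System Administrator": ALL_PRIVILEGES,
}


def effective_privileges(roles):
    """Union of the privileges of every role assigned to a user.

    Adding a role never removes a privilege, so a user with several roles
    always gets the most permissive combination.
    """
    effective = set()
    for role in roles:
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown CiscoWorks role: {role!r}")
        effective |= ROLE_PRIVILEGES[role]
    return effective


def excess_privileges(roles, required):
    """Privileges the user holds beyond what the job actually needs."""
    return effective_privileges(roles) - set(required)


def missing_privileges(roles, required):
    """Privileges the job needs that the assigned roles do not grant."""
    return set(required) - effective_privileges(roles)


def minimal_role_set(required):
    """Role combination that covers `required` with the least excess.

    Exhaustive search over role subsets (five roles, so 31 subsets). The
    least excess wins; ties go to fewer roles, then to the order in which the
    roles are listed above. Returns a tuple of role names, or None if no
    combination can grant everything requested.
    """
    required = set(required)
    names = list(ROLE_PRIVILEGES)
    best = None
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            granted = effective_privileges(combo)
            if not required <= granted:
                continue
            excess = len(granted - required)
            if best is None or excess < best[0]:
                best = (excess, combo)
    return None if best is None else best[1]


if __name__ == "__main__":
    # Constructed account list for demonstration; not real CiscoWorks data.
    accounts = {
        "helpdesk1": (["Help Desk"], {READ}),
        "soc_analyst": (["System Administrator"], {READ, GENERATE_REPORTS}),
        "ids_engineer": (["Network Administrator", "Approver"],
                         {READ, CONFIGURE_DEVICES, MODIFY_REPORTS_AND_RULES}),
    }
    for user, (roles, needs) in accounts.items():
        print(f"{user:12} roles={roles} "
              f"excess={sorted(excess_privileges(roles, needs))} "
              f"suggest={minimal_role_set(needs)}")
```

Run it against an export of the CiscoWorks user list and the set of operations each person actually performs; any account whose excess set is non-empty, in particular anyone holding System Administrator only to generate reports, is a candidate for reassignment to the suggested role set.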
CiscoWorks Add User
Choose Server Configuration>Setup>Security>Add Users.
Security Monitor Launch
Choose VPN/Security Management>Management Center>Security Monitor.
Understanding the Security Monitor Interface
Interface elements labeled on the slide: Path bar, Option bar, Tabs, Tools, TOC, Action buttons, Page, Instructions.
Security Monitor Configuration
Security Monitor Configuration
The Security Monitor configuration operations are as follows:
• Adding Devices—Security Monitor monitors the following types of devices:
– RDEP IDS
– PostOffice IDS
– IOS IDS
– Host IDS
– PIX
• Monitoring Devices—The information monitored falls into the following three categories:
– Connections
– Statistics
– Events
• Event Notification—Configuring notification involves the following tasks:
– Adding Event Rules
– Activating Event Rules
Devices—Add
Choose Devices.
RDEP Devices—Add
Choose Devices and select Add.
RDEP Devices—Add (cont.)