Lab 3 Exercise—Cisco IDS Appliance Configuration
Objectives
In this lab exercise you will complete the following tasks:
• Verify the network configuration of the IDS appliance
• Add an address to the list of hosts allowed remote access to the IDS appliance
• Log IP traffic from a specific address
• Monitor IDS appliance statistics
• Monitor IDS appliance events
Visual Objective
The figure below displays the lab topology you will use to complete this lab exercise:
Figure 1: Lab Network Topology
Passwords
• IDS appliance username/password: The default account name and password are cisco. However, the password for the cisco user should have been changed to emmapeel in Lab 1.
• PC client: The username is Administrator and the password is cisco.
• VNC password: When you connect to the PC, use a password of cisco at the VNC screen.
Task 1—Access the Remote Pod and Login to the PC
Access the remote lab environment via a web browser and an Internet connection. You will log in to the lab pod environment, access the appropriate device console(s), and log in to the actual device(s) used in the lab.
Step 1 Access your lab pod using the Internet Explorer web browser. If you need help, review the Accessing the Remote Lab Equipment section of the IDS 4.0 Roadshow Lab 1 lab guide (Figure-2).
Step 2 Access the PC by first clicking on the green oval labeled PC Desktop. If you need help, review the instructions starting with the After a Successful Login section of the IDS 4.0 Roadshow Lab 1 lab guide (Figure-3).
Step 4 You may need to log in to the PC itself. If so, click on Send Ctrl-Alt-Del near the top of the window. Log in as Administrator with password cisco.
Figure 2: Example PC Desktop
Task 2—Verify the Network Configuration of the IDS Appliance
To do this lab, the IDS appliance should be configured as per Lab 1 (Cisco Intrusion Detection System (IDS) Appliance Initial Configuration) and Lab 2 (Cisco IDS Appliance Software Upgrade and Cisco IDS Event Viewer).
You should be logged into the PC. Verify that your PC is able to ping the IDS appliance and that the IDS Device Manager (IDM) is available using the PC’s web browser.
Step 1 Launch Internet Explorer on the PC by double clicking its icon on the PC desktop or by selecting it from the Start->Programs->Internet Explorer menu.
Step 3 Log in to the IDS Device Manager as the cisco user using the password that was configured in Lab 1 (the instructions said to use emmapeel).
(arrow 1 in the figure below) on the area bar. The Sensor Setup sub-area bar is displayed. Your IDS Device Manager window should look like the one below:
Figure 3: IDS Device Manager Device Tab
Step 6 You should now be at the Sensor Setup area of the Device tab as shown in the figure below:
Figure 4: Device Manager “Sensor Setup” Page
Step 7 Under TOC on the left side of the page, select Network (arrow 1 in the figure above). A list of IDS appliance network settings is displayed as shown in the figure below:
Figure 5: IDS Appliance Network Settings
Step 8 Verify the IDS appliance is configured with the values listed in the following table. If necessary, modify your IDS appliance to use these settings:
IDS Appliance Settings table (columns: Parameter, Value, Description). Only fragments of the Description column survive extraction: “…IDS appliance”, “…routing purposes, if needed”, “…between web browsers and servers”, “Port 443 is the default HTTPS port”.
settings. If no changes were made, go to the next Task.
Step 10 If you made any changes, they must be saved. Click on Apply to Sensor to save and apply the IDS appliance network settings. You may see a dialog box with the following message: “The applied change required a system reset. It is recommended that you reboot the system now.” Click OK to reboot the IDS appliance with your changes.
Step 11 The System Control page will display, asking you if you really want to reset the IDS appliance. Click Apply to Sensor and give the IDS appliance a few minutes to reboot. Continue on to the next Task.
Task 3—Add an Address to the List of Allowed Hosts
This task involves adding network addresses of those hosts and networks that are allowed remote management access to the IDS appliance. This task is just for practice; the address is just made up. Complete the following steps to add an address to the list of allowed hosts:
Step 1 Click on the Device tab in the area bar. The Device sub-area bar is displayed.
displayed. Your screen should look like the figure below:
Figure 6: IDS Appliance “Allowed Hosts”
Step 5 Enter 192.168.1.0 in the IP Address field.
Step 7 Your screen should look like the figure below:
Step 8 Click Apply to Sensor to save the allowed network you just added.
like the figure below:
Figure 8: “Allowed Hosts” with New Network Added
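As an added example (not the lab guide’s own material), the check below evaluates management connection attempts against an allowed-hosts list like the one built in this task, and shows why the mask on a network entry matters. The /24 mask for 192.168.1.0, the second entry and every connection attempt are constructed assumptions, since the guide gives only the address.

```python
"""Evaluate management-access attempts against an IDS allowed-hosts list.

Added example, not part of the lab guide. The allowed-hosts entries and
connection attempts below are constructed; the /24 mask on 192.168.1.0 is an
assumption, since the guide gives only the address.
"""
import ipaddress
from typing import Iterable, List, Tuple


def parse_allowed_hosts(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn allowed-hosts entries into network objects.

    An entry without a mask ("10.1.1.5", or "192.168.1.0") is a single host,
    i.e. a /32: a network entered without its mask allows only that one
    address. strict=True rejects an entry whose host bits are set
    ("192.168.1.25/24") instead of silently widening it to the whole subnet.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def is_management_allowed(src_ip: str, allowed: List[ipaddress.IPv4Network]) -> bool:
    """True when src_ip falls inside any allowed host or network entry."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def audit_attempts(attempts: Iterable[Tuple[str, int]],
                   allowed: List[ipaddress.IPv4Network]) -> Tuple[List[str], List[str]]:
    """Split (source IP, destination port) attempts into accepted and denied
    source addresses; the denied list is what a defender would alert on."""
    accepted, denied = [], []
    for src_ip, _port in attempts:
        (accepted if is_management_allowed(src_ip, allowed) else denied).append(src_ip)
    return accepted, denied


# Constructed allowed-hosts list: the management network plus one admin host.
ALLOWED_ENTRIES = ["192.168.1.0/24", "10.1.1.5"]

# Constructed management connection attempts (source IP, destination port);
# 10.1.1.6 is the lab's Hack Server address, which is not in the list.
ATTEMPTS = [("192.168.1.25", 443), ("10.1.1.5", 443),
            ("10.1.1.6", 443), ("172.16.0.9", 22)]

if __name__ == "__main__":
    allowed = parse_allowed_hosts(ALLOWED_ENTRIES)
    accepted, denied = audit_attempts(ATTEMPTS, allowed)
    print("accepted:", accepted)   # ['192.168.1.25', '10.1.1.5']
    print("denied:  ", denied)     # ['10.1.1.6', '172.16.0.9']
```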
Task 4—Log Traffic from a Specific Address
This task involves configuring the IDS appliance to log all IP traffic from a specific IP address, regardless of whether an attack has been launched. Complete the following steps to log IP traffic from a specific address:
Step 1 Click on the Administration tab in the area bar. The Administration sub-area bar is displayed.
displayed. Your screen should resemble the figure below:
Figure 9: IP Logging Configuration Page
Note Log files are already present in the figure above. Your IDS appliance probably won’t have any existing log files at this point.
Step 4 At the Adding page, enter the IP address of the Hack Server, 10.1.1.6. Leave the Log For fields blank. Your screen should look like the figure below:
Figure 10: Adding an IP Address to Log
Step 5 Click Apply to Sensor to save the IP logging settings. Notice that the last entry in the list (item 5) has a status of added. This denotes a logging process that has been created but is not yet active. Your screen should resemble the figure below:
Figure 11: An IP Address has been Added
started (A different logfile (item 7) is shown for this example):
Step 7 Place the cursor over the More arrow for a particular log entry to see information about the status of a logging process. The figure below shows the status for logging process 137854311 (item 7). (The page needs to be refreshed to see changes.)
Figure 13: Viewing Information for a Logging Process
Step 8 Stop a logging process by selecting its Log ID and clicking on Stop. The logging process for 137854311 (item 7) is being stopped in the figure below:
Figure 14: Stopping a Logging Process
Step 9 The figure below shows that logging process 137854311 (item 7) has a Status of completed. Notice that the number of Packets Captured is 15283 compared to 3767 in an earlier screenshot:
Figure 15: Information about a Completed Logging Process
Step 10 To examine the contents of a logfile, click on the appropriate Log ID. The figure below shows the hyperlink for 137854311 (item 7) being selected:
Figure 16: Clicking a Hyperlink to an IDS Appliance Logfile
Step 11 Clicking on a Log ID hyperlink will start the download process of the logfile from the IDS appliance to the PC. You can save the logfile to disk or view it directly. The figure below shows an example where the logfile will be viewed without saving it first:
Figure 17: Viewing a Logfile without Saving First
Note The IP log is automatically overwritten when the IDS appliance uses up its allocated space for IP logging.
Task 5—Monitor the IDS Appliance Statistics
This task involves monitoring the IDS appliance statistics using IDM. Complete the following steps:
Step 1 Click on the Monitoring tab in the IDM area bar. The Monitoring sub-area bar is displayed. Select Statistics from the sub-area bar. The Statistics page is displayed. Your screen should look like the figure below:
Figure 18: The Statistics Page
Step 2 Statistics can be found relating to the web server, transactions, network access, logging, hosts, event store, analysis engine, and authentication. Take a few minutes to look this page over. There is a lot of information available here.
Task 6—Monitor the IDS Appliance Events
This task involves monitoring the IDS appliance events using IDM. Complete the following steps:
Step 1 Click on the Monitoring tab in the IDM area bar. The Monitoring sub-area bar is displayed. Select Events from the sub-area bar. The Events page is displayed. Your screen should look like the figure below:
Figure 19: The Events Display Page
Step 2 Fill in Filters (No Selection Displays All) fields using the following information:
Fatal
Step 3 Your screen should look like the figure below:
Figure 20: The Completed Events Display Filters Page
Step 4 Click on Apply to Sensor. If everything is working properly you should see a page containing a number of events. Your screen should resemble the figure below:
Figure 21: Events Gathered using the Events Display Filter
Step 5 Take a few minutes to look through the information gathered.
You have completed this lab if you have verified the network configuration of the IDS appliance, added an address to the list of allowed hosts, configured logging,