Tài Liệu CCNA - Enterprise Intrusion Detection System Monitoring And Reporting

Upon completion of this chapter, you will be able to perform the following tasks: • Define features and key concepts of the Security Monitor.. • Administer Security Monitor event rules

Chapter 16

Upon completion of this chapter, you will be able

to perform the following tasks:

• Define features and key concepts of the Security Monitor.

• Install and verify the Security Monitor functionality.

• Monitor IDS devices with the Security Monitor.

• Administer Security Monitor event rules.

• Use the reporting features of the Security Monitor.

• Administer the Security Monitor server.

Introduction

What Is the Security Monitor?

The Security Monitor provides event

collection, viewing, and reporting

capability for network devices.

Security Monitor Features

The following are the Security Monitor

features:

• Monitors the following devices:

– Sensor appliances – IDS Modules

– IOS Routers – PIX Firewalls

Installation

Installation Requirements

• Hardware

– IBM PC-compatible computer with 800 MHz or faster

– Color monitor capable of viewing 256 colors

– CD-ROM drive – 100 Mbps or faster network connection

• Memory—1 GB of RAM minimum

• Disk drive space

– 12 GB minimum – NTFS

• Software

Client Access Requirements

• Hardware—IBM PC-compatible computer with a 300 MHz or faster

• Memory—256 MB of RAM minimum

• Disk drive space—400 MB virtual memory

• Software

– Windows 98 and NT 4.0

– Windows 2000 Professional with Service Pack 2

– Windows 2000 Server/Advanced Server with Service Pack 2

• Browser

– Internet Explorer 6.0 or later (recommended)

– Netscape Navigator 4.79 or later

Installation Overview

• VMS Common Services is required for the

Security Monitor.

• VMS Common Services provides the

CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor.

Security Monitor Installation

Component and Database Location

Selection

Database Password

and Syslog Port

Communication Properties

Upgrade Process

Getting Started

CiscoWorks Login

CiscoWorks User

Authorization Roles

• CiscoWorks user authorization roles allow different

privileges within the VMS and the Security Monitor:

– Help Desk—Read-only for the entire system

– Approver—Read-only for the entire system

– Network Operator—Read-only for the rest of the system

and generates reports

– Network Administrator—Configures devices, and

modifies reports and rules

– System Administrator—Performs all operations

• Users can be assigned multiple authorization roles.

CiscoWorks Add User

Choose Server Configuration>Setup>Security>Add Users.

Security Monitor Launch

Choose VPN/Security Management>Management Center>Security Monitor.

Action buttons

Security Monitor Configuration

Security Monitor Configuration

Security Monitor configuration operations are:

• Adding Devices—Security Monitor monitors the following types of

Choose Devices.

RDEP Devices—Add

Choose Devices and Select Add.

RDEP Devices—Add (cont.)

PostOffice Devices—Add

IOS IDS Devices—Add

Choose Devices and Select Import.

Devices—Import (cont.)

Choose Monitor>Connections.

Choose Monitor>Statistics.

Monitor—Statistics (cont.)

Event Notification

• Event notification is completed by creating event rules.

• The following tasks are involved in creating an event rule:

– Assign a name to the event rule.

– Define the event filter criteria.

– Assign the event rule action.

– Define the event rule threshold and interval.

– Activate the event rule.

Event Rules—Step 1

Choose Admin>Event Rules>Add.

Event Rules—Step 2

Event Rules—Step 3

Event Rules—Step 4

Event Rules—Activation

Choose Admin>Event Rules>Activate.

Event Viewer

Event Viewer

Security Monitor—Event Viewer

Choose Monitor>Events.

Event Viewer Options

Configuring the Event Viewer involves understanding the following options:

• Suspending and Resuming New Events

• Changing Display Preferences

• Creating Graphs

• View Option

Event Viewer—Moving Columns

Event Viewer—Deleting Rows and Columns

Choose Monitor>Events>Delete.

Event Viewer—Collapsing Columns

Choose Monitor>Events>Collapse.

Event Viewer—Setting the Event Expansion

Boundary

Event Viewer—Expanding Columns

Choose Monitor>Events>Expand.

Event Viewer—Suspending and Resuming

New Events

Event Viewer—Changing Display

Preferences

Choose Monitor>Events>Preferences.

Event Viewer—Creating Graph

Choose Monitor>Events>Graph.

Event Viewer—View Option

Choose Monitor>Events>View.

Administration and Reporting

Security Monitor Administration

Admin—Database Rules

Choose Admin>Database Rules>Add.

Admin—Database Rules (cont.)

Choose Admin>Database Rules>Add>Next.

Admin—System Configuration Settings

Choose Admin>System Configuration.

Admin—PostOffice Settings

Choose Admin>System Configuration>Postoffice Settings.

Admin—Defining Event Viewer Preferences

Admin—Defining Event Viewer Preferences

(cont.)

Choose Admin>Event Viewer>Your Preferences.

Security Monitor Reports

Choose Reports>Generate.

Reports—Generate (cont.)

Reports—Schedule Report

Reports—View

Choose Reports>View.

Summary

• To efficiently monitor the events from multiple devices on your network, you can

configure Event Rules for Security Monitor.

Summary (cont.)

• Event Rules enables you to perform one of the following

actions when Security Monitor receives certain events:

– Send an email notification

– Generate an audit (console) message

– Execute a script

• Event Viewer enables you to view the alerts received by your

monitored devices in a graphical interface

• Security Monitor can generate reports based on the information stored in the Security Monitor database.

Lab Exercise

idsmP

.6

idsmQ 4

sensorP

.4 sensorQ

.100

172.30.Q.0 172.30.P.0

Lab Visual Objective

.10

172.26.26.0 150

.50

WEB FTP

RBB