Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.1
Configuring External Product Interfaces

Configuring External Product Interfaces


This chapter explains how to configure external product interfaces. It contains the following sections:

Understanding External Product Interfaces

Understanding CSA MC

External Product Interface Issues

Configuring CSA MC to Support IPS Interfaces

Configuring External Product Interfaces

Troubleshooting External Product Interfaces

Understanding External Product Interfaces


Note In Cisco IPS, the only external product interfaces you can add are CSA MC interfaces.


The external product interface is designed to receive and process information from external security and management products. These external security and management products collect information that can be used to automatically enhance the sensor configuration information. For example, the types of information that can be received from external products include host profiles (the host OS configuration, application configuration, and security posture) and IP addresses that have been identified as causing malicious network activity.

Understanding CSA MC

The CSA MC enforces a security policy on network hosts. It has two components:

Agents—Software that resides on and protects network hosts.

Management Console (MC)—An application that manages agents. It downloads security policy updates to agents and uploads operational information from agents.

The CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network. The CSA MC sends two types of events to the sensor—host posture events and quarantined IP address events.

Host posture events (called imported OS identifications in IPS) contain the following information:

Unique host ID assigned by the CSA MC

CSA agent status

Host system hostname

Set of IP addresses enabled on the host

CSA software version

CSA polling status

CSA test mode status

NAC posture

The sensor uses the host OS information to adjust the attack relevance rating of a signature. For example, when an OS-specific signature fires against a target that is running that OS, the attack is highly relevant and the response should be greater. If the target runs a different OS, the attack is less relevant and the response may be less critical. The attack relevance rating of the signature is adjusted accordingly for this host.

The quarantined host events (called the watch list in IPS) contain the following information:

IP address

Reason for the quarantine

Protocol associated with a rule violation (TCP, UDP, or ICMP)

Indicator of whether a rule-based violation was associated with an established session or a UDP packet.

For example, if a signature fires that lists one of these hosts as the attacker, it is presumed to be that much more serious. The risk rating is increased for this host. The magnitude of the increase depends on what caused the host to be quarantined.

The sensor uses the information from these events to determine the risk rating increase based on the information in the event and the risk rating configuration settings for host postures and quarantined IP addresses.


Note The host posture and watch list IP address information is not associated with a virtual sensor, but is treated as global information.


Secure communications between the CSA MC and the IPS sensor are maintained through SSL/TLS. The sensor initiates the SSL/TLS connection to the CSA MC, and the communication is mutually authenticated: the CSA MC authenticates itself to the sensor with its X.509 certificate, and the sensor authenticates itself to the CSA MC with a username and password.


Note You can only enable two CSA MC interfaces.



Caution You must add the CSA MC as a trusted host so the sensor can communicate with it. To add the CSA MC as a trusted host, choose Configuration > Sensor Management > Certificates > Trusted Hosts > Add.

For More Information

For the procedure to add a trusted host, see Adding Trusted Hosts.

External Product Interface Issues

When the external product interface receives host posture and quarantine events, the following issues can arise:

The sensor can store only a certain number of host records:

If the number of records exceeds 10,000, subsequent records are dropped.

Once the 10,000 limit has been reached, new records continue to be dropped until the number of stored records falls below 9900; only then are new records accepted again.

Hosts can change an IP address or appear to use another host IP address, for example, because of DHCP lease expiration or movement in a wireless network. In the case of an IP address conflict, the sensor presumes the most recent host posture event to be the most accurate.

A network can include overlapping IP address ranges in different VLANs, but host postures do not include VLAN ID information. You can configure the sensor to ignore specified address ranges.

A host can be unreachable from the CSA MC because it is behind a firewall. You can exclude unreachable hosts.

The CSA MC event server allows up to ten open subscriptions by default. You can change this value. You must have an administrative account and password to open subscriptions.

CSA data is not virtualized; it is treated globally by the sensor.

Host posture OS and IP addresses are integrated into passive OS fingerprinting storage. You can view them as imported OS profiles.

Unlike imported OS profiles, the quarantined hosts (the watch list) cannot be viewed.

The sensor must recognize the X.509 certificate of each CSA MC host, so you must add each CSA MC as a trusted host.

You can configure a maximum of two external product devices.
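The record limit with its 10,000/9900 hysteresis and the "most recent posture wins" rule for IP address conflicts are easy to get wrong when reasoning about what the sensor will hold after a burst of events. The following model is an added example, not Cisco code and not the sensor's actual data structures: the store, the `HostPosture` record layout and the `demo()` walkthrough are assumptions constructed to illustrate the behaviour the issues list describes, and the host IDs and addresses are made up.

```python
# Constructed model of the host-record limit and IP-conflict handling described
# above; added example, not Cisco code. The sensor's real storage layout is not
# documented here, so PostureStore and its fields are assumptions.
from dataclasses import dataclass

MAX_RECORDS = 10_000   # guide: records arriving beyond this count are dropped
RESUME_BELOW = 9_900   # guide: new records are accepted again once the count is below this


@dataclass(frozen=True)
class HostPosture:
    host_id: str           # unique host ID assigned by the CSA MC
    hostname: str          # host system hostname
    addresses: frozenset   # set of IP addresses enabled on the host


class PostureStore:
    """One record per CSA MC host ID, with the limit/hysteresis behaviour."""

    def __init__(self, max_records=MAX_RECORDS, resume_below=RESUME_BELOW):
        self.max_records = max_records
        self.resume_below = resume_below
        self.hosts = {}         # host_id -> HostPosture
        self.ip_owner = {}      # ip -> host_id from the most recent posture claiming it
        self.dropping = False   # True from hitting the limit until count < resume_below
        self.dropped = 0        # records discarded because of the limit

    def _must_drop(self):
        # Hysteresis: once the limit has been hit, keep dropping until the
        # count falls below resume_below, not merely below max_records.
        if self.dropping and len(self.hosts) < self.resume_below:
            self.dropping = False
        elif not self.dropping and len(self.hosts) >= self.max_records:
            self.dropping = True
        return self.dropping

    def add(self, posture):
        """Store or refresh a posture; returns False if it was dropped."""
        # A refresh of an already-known host does not need a new record.
        if posture.host_id not in self.hosts and self._must_drop():
            self.dropped += 1
            return False
        self._release_addresses(self.hosts.get(posture.host_id))
        self.hosts[posture.host_id] = posture
        for ip in posture.addresses:
            # Most recent posture event wins an IP address conflict
            # (DHCP lease expiry, wireless roaming).
            self.ip_owner[ip] = posture.host_id
        return True

    def remove(self, host_id):
        posture = self.hosts.pop(host_id, None)
        self._release_addresses(posture)
        return posture is not None

    def owner_of(self, ip):
        """Host ID the sensor currently associates with this IP, or None."""
        return self.ip_owner.get(ip)

    def _release_addresses(self, posture):
        if posture is None:
            return
        for ip in posture.addresses:
            if self.ip_owner.get(ip) == posture.host_id:
                del self.ip_owner[ip]


def demo():
    """Walk through both behaviours with constructed hosts; returns what was observed."""
    store = PostureStore()
    for i in range(MAX_RECORDS):
        store.add(HostPosture(f"h{i}", f"host{i}", frozenset({f"10.0.{i >> 8}.{i & 255}"})))
    extra = HostPosture("extra", "extra", frozenset({"10.9.9.9"}))
    dropped_at_limit = not store.add(extra)          # 10,000 stored: dropped
    for i in range(100):
        store.remove(f"h{i}")                        # count is now 9,900
    still_dropping = not store.add(extra)            # not yet below 9,900: still dropped
    store.remove("h100")                             # count is now 9,899
    accepted_again = store.add(extra)                # below 9,900: accepted
    # IP conflict: laptop B receives the DHCP address desktop A used to hold.
    store.add(HostPosture("A", "desktop-a", frozenset({"192.0.2.10"})))
    store.add(HostPosture("B", "laptop-b", frozenset({"192.0.2.10"})))
    return {
        "dropped_at_limit": dropped_at_limit,
        "still_dropping_at_9900": still_dropping,
        "accepted_below_9900": accepted_again,
        "owner_192_0_2_10": store.owner_of("192.0.2.10"),
        "records": len(store.hosts),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hysteresis is that clearing a handful of records after the limit is hit does not reopen the store; the count has to drop by more than 100 before new hosts are accepted again, which matters when deciding how aggressively to exclude unreachable hosts or ignore address ranges.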

For More Information

For more information on working with OS maps and identifications, see Adding, Editing, Deleting, and Moving Configured OS Maps and Configuring OS Identifications.

For the procedure for adding trusted hosts, see Adding Trusted Hosts.

Configuring CSA MC to Support IPS Interfaces


Note For more detailed information about host posture events and quarantined IP address events, refer to Using Management Center for Cisco Security Agents 5.1.


You must configure the CSA MC to send host posture events and quarantined IP address events to the sensor. To configure the CSA MC to support IPS interfaces, follow these steps:


Step 1 Choose Events > Status Summary.

Step 2 In the Network Status section, click No beside Host history collection enabled, and then click Enable in the popup window.


Note Host history collection is enabled globally for the system. This feature is disabled by default because the MC log file tends to fill quickly when it is turned on.


Step 3 Choose Systems > Groups to create a new group (with no hosts) to use in conjunction with the administrator account you will create next.

Step 4 Choose Maintenance > Administrators > Account Management to create a new CSA MC administrator account to provide IPS access to the MC system.

Step 5 Create a new administrator account with the role of Monitor. This maintains the security of the MC by not allowing this new account to have configure privileges.


Note Remember the username and password for this administrator account because you need them to configure external product interfaces on the sensor.


Step 6 Choose Maintenance > Administrators > Access Control to further limit this administrator account.

Step 7 In the Access Control window, select the administrator you created and select the group you created.


Note When you save this configuration, you further limit the MC access of this new administrator account with the purpose of maintaining security on the CSA MC.



Configuring External Product Interfaces

This section describes the External Product Interfaces pane, and contains the following topics:

External Product Interfaces Pane

External Product Interfaces Pane Field Definitions

Add and Edit External Product Interface Dialog Boxes Field Definitions

Add and Edit Posture ACL Dialog Boxes Field Definitions

Adding, Editing, and Deleting External Product Interfaces and Posture ACLs

External Product Interfaces Pane


Note You must be an administrator to add, edit, and delete external product interfaces and posture ACLs.


Use the External Product Interfaces pane to add the interfaces of the CSA MC so that the sensor can receive and process information from the CSA MC.


Caution You must add the external product as a trusted host so the sensor can communicate with it. To add a trusted host, choose Configuration > Sensor Management > Certificates > Trusted Hosts > Add.

External Product Interfaces Pane Field Definitions

The following fields are found in the External Product Interfaces pane:

IP Address—Specifies the IP address of the external product.

Enabled—Indicates whether the external product interface is enabled.

Port—Specifies the port being used for communications.

TLS Used—Indicates whether secure communications are being used.

Username—Specifies the user login name that connects to the CSA MC.

Host Posture Settings—Indicates how host postures received from the CSA MC should be handled:

Enabled—Indicates that receipt of the host postures is enabled. If disabled, the host posture information received from a CSA MC is deleted.

Allow Unreachable—Allows/denies the receipt of host posture information for hosts that are not reachable by the CSA MC.

A host is not reachable if the CSA MC cannot establish a connection with the host on any IP addresses in the host posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS or may be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and the CSA MC are on the same network segment.

Posture ACLs—Specifies network address ranges for which host postures are allowed or denied. This option provides a mechanism for filtering postures that have IP addresses that may not be visible to the IPS or may be duplicated across the network.

Watch List Settings—Indicates how watch list settings received from the CSA MC should be handled:

Enabled—Indicates that receipt of the watch list is enabled. If disabled, the watch list information received from a CSA MC is deleted.

Manual RR Increase—Indicates by what percentage the manual watch list risk rating should be increased.

Session RR Increase—Indicates by what percentage the session-based watch list risk rating should be increased.

Packet RR Increase—Indicates by what percentage the packet-based watch list risk rating should be increased.

SDEE URL—Indicates the URL on the CSA MC the IPS uses to retrieve information using SDEE communication. You must configure the URL based on the software version of the CSA MC that the IPS is communicating with as follows:

For the CSA MC version 5.0, use /csamc50/sdee-server.

For the CSA MC version 5.1, use /csamc51/sdee-server.

For the CSA MC version 5.2 and later, use /csamc/sdee-server (the default value).

Add and Edit External Product Interface Dialog Boxes Field Definitions

The following fields are found in the Add and Edit External Product Interface dialog boxes:

External Product's IP Address—Specifies the IP address of the external product.

Enable receipt of information—Enables the sensor to receive information from the external product interface.


Note If not checked, all host posture and quarantine information from this device is purged from the sensor.


Communication Settings—Lets you see the SDEE URL and TLS, and lets you change the port:

SDEE URL—Specifies the URL on the CSA MC the IPS uses to retrieve information using SDEE communication. You must configure the URL based on the software version of the CSA MC that the IPS is communicating with. For the CSA MC version 5.0, use /csamc50/sdee-server. For the CSA MC version 5.1, use /csamc51/sdee-server. For the CSA MC version 5.2 and later, use /csamc/sdee-server (the default value).

Port—Specifies the port being used for communications.

Use TLS—Indicates that secure communications are being used. You cannot change this value.

Login Settings—Lets you specify the credentials required to log in to the CSA MC:

Username—Lets you enter the username used to log in to the CSA MC.

Password—Lets you assign a password to the user.

Confirm Password—Lets you confirm the password.

Watch List Settings—Lets you configure how watch list settings received from the CSA MC should be handled:

Enable receipt of watch list—Enables/disables the receipt of the watch list information. The watch list information received from a CSA MC is deleted when disabled.

Manual Watch List RR Increase—Lets you increase the percentage of the manual watch list risk rating.

Session-based Watch List RR Increase—Lets you increase the percentage of the session-based watch list risk rating.

Packet-based Watch List RR Increase—Lets you increase the percentage of the packet-based watch list risk rating.

Host Posture Settings—Specifies how host postures received from the CSA MC should be handled:

Enable receipt of host postures—Enables/disables the receipt of the host posture information. The host posture information received from a CSA MC is deleted when disabled.

Allow unreachable hosts' postures—Allows/denies the receipt of host posture information for hosts that are not reachable by the CSA MC. A host is not reachable if the CSA MC cannot establish a connection with the host on any IP addresses in the host's posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS or may be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and the CSA MC are on the same network segment.

Permitted and Denied Host Posture Addresses—Lets you add host posture ACLs that will be permitted or denied:

Name—Specifies the name of the posture ACL.

Active—Indicates whether this posture ACL is active.

IP Address—Specifies the IP address of the posture ACL.

Network Mask—Specifies the network mask of the posture ACL.

Action—Specifies the action (deny or permit) the posture ACL will take.

Add and Edit Posture ACL Dialog Boxes Field Definitions

The following fields are found in the Add and Edit Posture ACL dialog boxes:

Name—Specifies the name of the posture ACL.

Active—Specifies whether this posture ACL is active.

IP Address—Specifies the IP address of the posture ACL.

Network Mask—Specifies the network mask of the posture ACL.

Action—Specifies the action (deny or permit) the posture ACL will take.
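To make the posture ACL fields concrete, here is an added example (not Cisco code) that evaluates a posture against an ordered list of ACLs together with the Allow unreachable hosts' postures setting. The guide does not state the matching rules, so the following are assumptions made for the example: ACLs are evaluated in list order and the first active match decides (which is why Move Up and Move Down matter); an address matching no ACL is permitted, consistent with the no-filter default; a posture is kept only if at least one of its addresses survives; and unreachable hosts are discarded before the ACLs are consulted when the setting is off. The ACL names and addresses are constructed.

```python
# Added example of posture ACL evaluation; not Cisco code. Matching order,
# default action and multi-address handling are assumptions (see lead-in).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PostureACL:
    name: str           # Name field
    active: bool        # Active field (Yes/No)
    ip_address: str     # IP Address field
    network_mask: str   # Network Mask field, dotted form as entered, e.g. 255.255.255.0
    action: str         # Action field: "permit" or "deny"

    def network(self):
        # strict=False tolerates host bits set in the IP Address field.
        return ipaddress.ip_network(f"{self.ip_address}/{self.network_mask}", strict=False)


def address_action(addr, acls):
    """First active ACL whose range contains addr decides; no match permits (assumption)."""
    ip = ipaddress.ip_address(addr)
    for acl in acls:
        if acl.active and ip in acl.network():
            return acl.action
    return "permit"


def filter_posture(addresses, reachable, acls, allow_unreachable=False):
    """Return the addresses of the posture that the sensor keeps; empty means the
    posture is discarded. Unreachable hosts are dropped first unless allowed."""
    if not reachable and not allow_unreachable:
        return frozenset()
    return frozenset(a for a in addresses if address_action(a, acls) == "permit")


# Constructed ACL list: a lab subnet carved out of a wider range whose
# addresses overlap another VLAN, plus a rule left inactive.
SAMPLE_ACLS = [
    PostureACL("lab-permit", True, "10.1.5.0", "255.255.255.0", "permit"),
    PostureACL("vlan-overlap-deny", True, "10.1.0.0", "255.255.0.0", "deny"),
    PostureACL("retired-deny", False, "192.0.2.0", "255.255.255.0", "deny"),
]


if __name__ == "__main__":
    print(filter_posture({"10.1.5.7", "10.1.9.7", "192.0.2.9"}, True, SAMPLE_ACLS))
```

Reversing the first two entries changes the outcome for 10.1.5.7 from permit to deny, which is the behaviour the Move Up and Move Down buttons expose; when you rely on a narrow permit inside a broad deny, verify the order after editing the list.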

Adding, Editing, and Deleting External Product Interfaces and Posture ACLs


Caution In Cisco IPS the only external product interfaces you can add are CSA MC interfaces. Cisco IPS supports two CSA MC interfaces.


Note Make sure you add the external product as a trusted host so the sensor can communicate with it. To add a trusted host, choose Configuration > Sensor Management > Certificates > Trusted Hosts > Add.


To add an external product interface, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > External Product Interfaces, and click Add to add an external product interface.

Step 3 In the External Product's IP Address field, enter the IP address of the external product.

Step 4 Check the Enable receipt of information check box to allow information to be passed from the external product to the sensor.

Step 5 In the Port field, change the default port 443 if needed.


Note Under Communication Settings, you can only change the Port value.


Step 6 Configure the login settings:

a. In the Username field, enter the username of the user who can log in to the external product.

b. In the Password field, enter the password the user will use.

c. In the Confirm Password field, enter the password again.


Note Steps 7 through 15 are optional. If you do not perform Steps 7 through 15, the default values are used and all of the CSA MC information is received with no filters applied.


Step 7 (Optional) Configure the watch list settings:

a. Check the Enable receipt of watch list check box to allow the watch list information to be passed from the external product to the sensor.


Note If you do not check the Enable receipt of watch list check box, the watch list information received from a CSA MC is deleted.


b. In the Manual Watch List RR Increase field, you can change the percentage from the default of 25. The valid range is 0 to 35.

c. In the Session-based Watch List RR Increase field, you can change the percentage from the default of 25. The valid range is 0 to 35.

d. In the Packet-based Watch List RR Increase field, you can change the percentage from the default of 10. The valid range is 0 to 35.

Step 8 (Optional) Check the Enable receipt of host postures check box to allow the host posture information to be passed from the external product to the sensor.


Note If you do not check the Enable receipt of host postures check box, the host posture information received from a CSA MC is deleted.


Step 9 (Optional) Check the Allow unreachable hosts' postures check box to allow the host posture information from unreachable hosts to be passed from the external product to the sensor.


Note A host is not reachable if the CSA MC cannot establish a connection with the host on any of the IP addresses in the host posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS or may be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and the CSA MC are on the same network segment.


Step 10 (Optional) To add a posture ACL, click Add.


Note Posture ACLs are network address ranges for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that may not be visible to the IPS or may be duplicated across the network.


Step 11 (Optional) In the Name field, enter a name for the posture ACL.

Step 12 (Optional) In the Active field, click the Yes radio button to make the posture ACL active.

Step 13 (Optional) In the IP Address field, enter the IP address the posture ACL will use.

Step 14 (Optional) In the Network Mask field, enter the network mask the posture ACL will use.

Step 15 (Optional) In the Action drop-down list, choose the action (Deny or Permit) the posture ACL will take.


Tip To undo your changes and close the Add Posture ACL dialog box, click Cancel.


Step 16 (Optional) Click OK. The new posture ACL appears in the Host Posture Setting list in the Add External Product Interface dialog box. You can use the Move Up and Move Down buttons to reorder the posture ACLs that you create.

Step 17 To edit an existing posture ACL, select it, and click Edit.

Step 18 Edit the IP Address, Network Mask, and Action fields or change the active state to inactive by clicking the No radio button.


Tip To discard your changes and close the Edit Posture ACL dialog box, click Cancel.


Step 19 Click OK. The edited posture ACL appears in the Host Posture Setting list in the Add External Product Interface dialog box.

Step 20 To delete a posture ACL from the list, select it, and click Delete. The posture ACL no longer appears in the Host Posture Setting list in the Add External Product Interface dialog box.

Step 21 Click OK. The external product interface now appears in the Management Center for Cisco Security Agents list in the External Product Interfaces pane.


Tip To discard your changes and close the Add External Product Interface dialog box, click Cancel.


Step 22 To edit the external product interface, select it, and click Edit.

Step 23 Make any changes needed to the fields in the dialog box.


Tip To discard your changes and close the Edit External Product Interface dialog box, click Cancel.


Step 24 Click OK. The edited external product interface appears in the Management Center for Cisco Security Agents list in the External Product Interfaces pane.

Step 25 To delete an external product interface, select it, and click Delete. The external product interface no longer appears in the Management Center for Cisco Security Agents list in the External Product Interfaces pane.


Tip To discard your changes, click Reset.


Step 26 Click Apply to apply your changes and save the revised configuration.


Troubleshooting External Product Interfaces

To troubleshoot external product interfaces, check the following:

Make sure the interface is active by checking the output from the show statistics external-product-interface command in the CLI, or choose Monitoring > Sensor Monitoring > Support Information > Statistics in the IDM and check the Interface state line in the response.

Make sure you have added the CSA MC IP address to the trusted hosts. If you forgot to add it, add it, wait a few minutes and then check again.

Confirm subscription login information by opening and closing a subscription on the CSA MC using the browser.

Check the Event Store for CSA MC subscription errors.

For More Information

For the procedure for adding trusted hosts, see Adding Trusted Hosts.

For the procedure for displaying events, see Monitoring Events.