Configuring the Global Controller
Once you have performed the configuration tasks described in this chapter, a Global Controller administrator can create, edit, or delete user-defined settings and rules on the Global Controller and its monitored Local Controllers. These settings and rules include:
• Rules
• Reports and queries
• User, IP, and service management
To configure the Global Controller, you must perform several tasks before you can monitor the events and incidents reported by Local Controllers:
1. Configure the Global Controller to operate on your network. For more information on installing and configuring the Global Controller to connect to your network, see the Install and Setup Guide for Cisco Security MARS, Release 5.2.x.
2. Divide your network topology into locally controlled zones. For each zone identified, install and configure a Local Controller.
3. Add the reporting and mitigation devices in a zone to the Local Controller that monitors that zone. Also, configure the SNMP read-only community string settings for those devices to enable network discovery.
4. Add the zones to be monitored into the Global Controller. Each zone is represented by a single Local Controller. By adding a Local Controller to the Global Controller, you are indicating that the Global Controller should monitor that local zone.
Note: You can only add reporting devices to an active Local Controller.
5. Import the security certificate from each Local Controller into the Global Controller and vice versa. Sharing the security certificates among the appliances enables secure communications between a Local Controller and the Global Controller.
6. When a Global Controller and Local Controller are separated by a firewall, open the following ports on both the inside and outside interfaces of the firewall to ensure proper operation of the Global Controller:
Port | Function
22 | Secure Shell (SSH)
443 | Hyper Text Transport Protocol with Secure Sockets Layer (HTTPS)
8444 | Cisco Proprietary data synchronization with Local Controller
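A reachability check for the three ports in the table above, as an added example that is not part of the Cisco documentation. It assumes it is run from a host on the Global Controller's side of the firewall; the zone names and addresses in the `__main__` section are constructed placeholders.

```python
import socket

# Ports this chapter lists for Global Controller <-> Local Controller traffic.
REQUIRED_PORTS = {
    22: "Secure Shell (SSH)",
    443: "HTTPS",
    8444: "Cisco proprietary data synchronization",
}


def check_port(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: the host (or a rejecting firewall) refused it.
        return "refused"
    except OSError:
        # Timeout or unreachable: the usual sign of a missing firewall rule.
        return "filtered"


def check_controller(host, ports=REQUIRED_PORTS, timeout=3.0):
    """Probe every required port on one controller."""
    return {port: check_port(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports that still need attention (anything not 'open')."""
    return sorted(port for port, state in results.items() if state != "open")


if __name__ == "__main__":
    # Constructed placeholder addresses (RFC 5737 documentation range).
    local_controllers = {"zone-a": "192.0.2.10", "zone-b": "192.0.2.20"}
    for zone, ip in local_controllers.items():
        results = check_controller(ip)
        for port, state in results.items():
            print(f"{zone} {ip}:{port} ({REQUIRED_PORTS[port]}): {state}")
        if blocked_ports(results):
            print(f"{zone}: check firewall rules for {blocked_ports(results)}")
```

Run it again from the Local Controller's side toward the Global Controller, since the ports must be open on both the inside and outside interfaces.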
This chapter contains the following topics:
• Adding Local Controllers
• Importing the Security Certificates
• Monitoring Local Controller Events from the Global Controller
• Preparing to Add and Discover Devices
• Adding Reporting Devices
• Configuring Supported Devices
• L2 Discovery and Mitigation
Adding Local Controllers
Follow these steps to add a Local Controller to the Global Controller:
Step 1: Click ADMIN > System Setup > Local Controller Management to display the Zone Controller Information page, as shown in Figure 2-1.
Figure 2-1 Zone Controller Information Page
Step 2: Click Add.
A pop-up window appears in which you can add a Local Controller to the Global Controller.
Figure 2-2 Local Controller Information Page
Step 3: Enter values for the following settings:
• Zone Name. Enter a name for this zone. This name is used to uniquely identify the networks within this zone relative to other zones. For example, many companies use the same private network addresses behind NATed gateways. The zone combined with the network address allows you to reuse the same network address on your private networks.
• Zone Description. Enter a description of the zone.
• LC IP Address. Enter the IP address of the Local Controller that monitors this zone.
Step 4: Click Submit to save the values.
Before the Global Controller can communicate with the Local Controller, you must import the security certificate into the Global Controller. For more information, see Importing the Security Certificates.
Topology Synchronization
For the Global Controller to display a summarized and merged view of topology for its Local Controllers, topology data from all the Local Controllers must be pushed to the Global Controller. When you add a Local Controller to a Global Controller, the topology synchronization process begins and completes automatically.
When synchronized with Local Controllers, the Global Controller contains all the security and monitoring information of the Local Controllers (as displayed on Admin > System Maintenance > Security and Monitor Devices) and can display the combined topological maps of the Local Controllers with the following constraints:
• Devices common to Local Controllers are merged in the Global Controller topology. If you have a router listed on different Local Controllers, it only shows up once in topology graphs.
• Networks common to Local Controllers are not merged in the Global Controller topology, but are displayed as separate topologies even if they are the same network.
Topo Sync Start/Stop
When you change Local Controller topology or it otherwise becomes out-of-sync, you can re-synchronize the Local Controller and Global Controller by clicking Topo Sync Start/Stop on the Zone Controller Information Page. The Status field reports the current state of the synchronization process. Table 2-1 lists and describes all possible status messages.
An out-of-sync condition can occur when unexpected errors or events (device, software, network, etc.) disrupt communication between the Local and Global Controllers.
Suspend/Resume
The Suspend/Resume button toggles the communication link on and off between the Global Controller and the Local Controller. When suspended, the Local Controller cannot communicate with the Global Controller.
Note: Incident, topology, and other information cannot be uploaded to the Global Controller when the Local Controller communication is suspended.
Table 2-1 Local Controller Status Messages on Zone Controller Page
Status Field Values | Description and Action
Active (last checked: Time_and_Date_last_checked) | The Local Controller is online, connected, and synchronized with the Global Controller.
Suspended | Communications between the Local Controller and the Global Controller have been manually halted with the Suspend/Resume button. To re-establish communication, select the Local Controller and click Suspend/Resume.
Synchronizing (progress) | The Global Controller and Local Controller are comparing and updating their topology information tables.
Deleting in progress | The Global Controller is purging the selected Local Controller configuration and data from its database. If the Global and Local Controllers can communicate, the Local Controller is purging Global Controller configurations to change from monitor to standalone mode.
Not Responding (last checked: Time_and_Date_last_checked) | The Local Controller cannot be detected on the network. Check network status and connections.
Local Controller is online but is not responding (last checked: Time_and_Date_last_checked) | The Local Controller can be detected on the network, but does not respond. The problem or delay may clear, and the status can return to Active.
Zone has standalone license | The Local Controller model indicated is not supported by the Global Controller.
Global controller license does not allow adding model PNMARS-100 for monitoring | The Local Controller model indicated is not supported by the Global Controller.
Global controller license does not allow adding model PNMARS-100X for monitoring | The Local Controller model indicated is not supported by the Global Controller.
Global controller license does not allow adding model PNMARS-200 for monitoring | The Local Controller model indicated is not supported by the Global Controller.
Zone version is different | The Global and Local Controllers are operating with different software versions. Update one or the other or both as appropriate.
Global license is Local Controller license | Enter the correct Global Controller license in the Global Controller at Admin > System Maintenance > Set License Key.
Global certificate not in LC or local certificate not on GC | Copy the Global Controller security certificate to the Local Controller, and the Local Controller security certificate to the Global Controller at Admin > System Maintenance > Certificates.
Deleting Local Controllers
To delete a Local Controller from the Global Controller and return the Local Controller to Standalone mode, follow these steps:
Step 1: Click ADMIN > System Setup > Local Controller Management to display the Zone Controller Information page, as shown in Figure 2-3.
Figure 2-3 Zone Controller Information Page
Step 2: Click the checkbox of the Local Controller to delete, and click Delete.
A Yes/No confirmation dialog box appears. Click Yes to remove configuration information and data from the Global and Local Controllers.
If the status of the Local Controller is Not Responding, a Continue/Cancel dialog box appears. Because the Global Controller cannot communicate with the Local Controller, clicking Continue removes only the Local Controller data from the Global Controller. To remove the Global Controller configuration information from the Local Controller, you must execute a pnreset -s CLI command on the Local Controller as explained in the following URL:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.2/installation/guide/apcliref.html#wp1239868
Note: If you do not remove the Global Controller configuration from the Local Controller, errors may occur when the Local Controller attempts to contact the Global Controller. Moreover, the Local Controller cannot be added to a Global Controller until it is reset.
The duration of the deletion process varies with the amount of data to be deleted. A duration of many minutes is possible.
Importing the Security Certificates
Security certificates are used for secure communications between a web browser and the Global Controller, as well as between the Global Controller and any Local Controllers that are managed by the Global Controller. Every Global Controller comes with a default certificate which is unique to each Global Controller. However, users could choose to modify the default certificate using the sslcert CLI command. For more information on using the sslcert command, see sslcert, in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System.
Figure 2-4 Changing the Default Security Certificate
If you wish to install the certificate to an Internet Explorer browser, you must do it during the Global Controller login process.
When the Security Alert pop up appears, choose:
Step 1: View Certificate.
Step 2: Install Certificate. Then click Next.
Step 3: Select Automatically Select the Certificate Based on the Type of Certificate. Then click Next.
Step 4: Complete the Certificate Import process by clicking Finish.
Step 5: Select Yes to add the certificate to the Root Store.
Figure 2-5 Global Controller Login Security Alert
The security certificate is used for communication between a Global Controller and any Local Controllers that are managed by the Global Controller.
Although the Global Controller and Local Controllers have default security certificates, the Global Controller certificate must be exported to all the Local Controllers manually, and each Local Controller certificate must be exported to the Global Controller.
To install a Global Controller security certificate on to Local Controllers, follow these steps:
Step 1: From the Global Controller, select Admin > System Maintenance > Certificates.
Step 2: Highlight the certificate, and press Ctrl+C to copy it.
Figure 2-6 Copy the Global Controller Security Certificate
Step 3: Navigate to Local Controller Admin > System Maintenance > Certificates.
Step 4: Paste the Global Controller certificate into the Global Controller Certificate box.
Step 5: Repeat the process for every Local Controller that the Global Controller is monitoring.
Figure 2-7 Apply the Global Controller Certificate to the Local Controller
To install a Local Controller security certificate on to the Global Controller, follow these steps:
Step 1: From the Local Controller, select Admin > System Maintenance > Certificates.
Step 2: Highlight the certificate and press Ctrl+C to copy it.
Figure 2-8 Copy the Local Controller Security Certificate
Step 3: From the Global Controller, select Admin > System Maintenance > Certificates.
Step 4: Select the specific zone from which this certificate was copied.
Figure 2-9 Select the Appropriate Local Controller
Step 5: Paste the Local Controller certificate into the Global Controller Certificate box.
Step 6: Repeat the process for all Local Controllers that are monitored by this Global Controller.
Figure 2-10 Apply the Local Controller Certificate to the Global Controller
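A fingerprint check for the manual copy-and-paste exchange above, as an added example that is not part of the Cisco documentation. It assumes the text shown on the Certificates page is PEM-encoded and is the certificate the appliance presents on HTTPS port 443; the sample certificate bytes and the address are constructed placeholders.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text):
    """Extract the certificate from pasted text, tolerating copy/paste damage
    (CRLF line ends, indentation, text before or after the PEM block)."""
    match = PEM_RE.search(text)
    if not match:
        raise ValueError("no PEM certificate block found (truncated paste?)")
    body = re.sub(r"\s+", "", match.group(1))
    # validate=True rejects stray characters instead of silently dropping them.
    return base64.b64decode(body, validate=True)


def fingerprint(text):
    """SHA-256 fingerprint of the DER encoding, as lowercase hex."""
    return hashlib.sha256(pem_to_der(text)).hexdigest()


def presented_certificate(host, port=443):
    """PEM of the certificate the appliance presents. No chain validation is
    done here; the fingerprint comparison is what establishes the match."""
    return ssl.get_server_certificate((host, port))


def same_certificate(pasted_text, reference_pem):
    return fingerprint(pasted_text) == fingerprint(reference_pem)


# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = bytes(range(200))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# The same block after a careless copy: CRLF, indentation, surrounding text.
PASTED = "Certificate:\r\n" + "".join(
    "   " + line + "\r\n" for line in SAMPLE_PEM.splitlines()) + "Submit"

if __name__ == "__main__":
    print(fingerprint(PASTED), same_certificate(PASTED, SAMPLE_PEM))
    # Live use (placeholder address): compare what was pasted into the
    # Global Controller with what the Local Controller presents.
    # same_certificate(pasted, presented_certificate("192.0.2.10"))
```

A mismatch means the pasted text was truncated or altered, or the appliance is presenting a different certificate than the one copied, for example after the default was changed with sslcert.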
Monitoring Local Controller Events from the Global Controller
The various Local Controllers send summarized information to the Global Controller, which in turn compiles and collates it. There may be a reason you want to suspend, or temporarily hold back, information being sent from one of the Local Controllers. For example, if several of the Local Controller zones are compromised and sending many events at once, you may want to focus on isolating problems on one Local Controller at a time.
If you want to suspend the transmission of information from a Local Controller, follow these instructions:
Step 1: In the Zone Controller Information page, select the Local Controller you want to suspend.
Step 2: Click the Suspend/Resume button.
The Local Controller you selected disappears from the list of active Local Controllers, and its output is buffered until you select it and click Suspend/Resume again.
Follow the same procedure to resume output from the affected Local Controller.
Preparing to Add and Discover Devices
Before configuring the Global Controller to recognize reporting devices, be aware of the levels of operation supported by a Local Controller. To learn more about the levels of operation for the Local Controllers, see Levels of Operation, in the User Guide for Cisco Security MARS Local Controller.
Adding Reporting Devices
After you have added the Global Controller's configuration information and rebooted it, you need to configure the third-party devices that report to the Global Controller. All of the event information that passes through these devices is distilled down and sessionized to the information that the Global Controller presents to you. The more information that you can provide for these devices, the clearer the picture you'll get when using the Global Controller.
Note: For a list of devices supported by the Global Controller, see Configuring Supported Devices.
Manual Configuration
In general, you have two choices for adding devices that you want to monitor into your Global Controller. You can create a seed file or you can add each device manually. Seed file support is limited to a few device types; see Configuring Supported Devices.
When manually configuring devices, select the devices that are most interesting to you. Once added, you can come back and edit them as necessary. Manual configuration is also useful when you add or change a single security device on your network. See Configuring Supported Devices for more information about configuring individual devices.
Note: Remember that you do not have to add all of the device's configuration information at once. You can start by adding the device's name and its access IP address. You can always return later, when the Global Controller starts to report to you, and provide more details.
Add a Device Manually
Step 1: Click Admin > Security and Monitor Devices > Add.
Figure 2-11 Selecting the Local Controller Zone
Step 2: Select the Local Controller Zone from the pull-down menu. This determines which Local Controller monitors the device. You are then automatically logged into the Local Controller you have selected. A pop-up window appears.
Figure 2-12 Entering the Device on the Local Controller
Step 3: Select the device from the pull-down menu.
Step 4: Enter the information needed to communicate with the device.
Step 5: Click the Submit button.
Newly added devices on the Local Controller are automatically discovered by the Global Controller.
For more information on installing individual devices, see Preparing to Add and Discover Devices.
Configuring Supported Devices
For most of the security and monitoring devices that report to the Global Controller, setup and configuration is a three-part process. You need to:
• Open communication channels to the device.
• Add the appropriate communication information to the Global Controller.
• Make sure that firewalls and routers sitting between the Global Controller and the reporting device are configured to let event traffic pass.
For devices that use agents, modules, or sensors, you need to perform a couple of extra steps.
L2 Discovery and Mitigation
For information on L2 device discovery and mitigation, see Layer 2 Discovery and Mitigation, page 2-29 in the User Guide for Cisco Security MARS Local Controller.