Device Configuration Guide for Cisco Security MARS, Release 6.x - Cisco Incident Controller Server [Cisco Security Monitoring, Analysis and Response System]

Table Of Contents

Cisco Incident Control Server

Configure Cisco ICS to Send Syslogs to MARS

Add the Cisco ICS Device to MARS

Define Rules and Reports for Cisco ICS Events

Cisco Incident Control Server

The Cisco Incident Control Server (Cisco ICS) enables extended protection across Cisco IOS routers, switches, and IPS devices. In coordination with Trend Micro's incident control solutions, Cisco ICS prevents the spread of day-zero outbreaks in three ways:

•First, Cisco ICS issues temporary ACLs to those Cisco mitigation devices that can block such traffic, typically using a protocol and port pair block. This temporary block is referred to as an Outbreak Prevention ACL (OPACL).

•Second, as soon as a signature is available, Cisco ICS updates all Cisco IPS and IDS devices running on your network with the signature required to detect and prevent the specific threat. This signature is referred to as an Outbreak Prevention Signature (OPSig).

•Third, Cisco ICS can manage supporting products (sold seperately), such as Tend Micros's Damage Cleanup Services (DCS), which cleans infected hosts by removing trojans and other malware.

To complete the Cisco ICS communication settings, you must perform two tasks: configure Cisco ICS to send syslog messages to the MARS Appliance, and add the Cisco ICS management server to the MARS web interface as a reporting device.

This chapter contains the following topics:

•Configure Cisco ICS to Send Syslogs to MARS

•Add the Cisco ICS Device to MARS

•Define Rules and Reports for Cisco ICS Events

Configure Cisco ICS to Send Syslogs to MARS

Cisco ICS publishes syslog messages to MARS. To configure Cisco ICS, you simply define a syslog server with the IP address of the MARS Appliance. You do not need to enable any special logs, and you cannot tune the messages that are sent to MARS. The Cisco ICS events for which syslog messages are geneerated have been selected to provide the most benefit to your Security Threat Mitigation (STM) system.

To prepare Cisco ICS to publish events to MARS, follow these steps:

Step 1 Log in to the Cisco ICS Management Console.

Step 2 Click Global Settings > Syslog Servers.

Step 3 Click Add.

Step 4 In the IP Address field, enter the address of the MARS Appliance to which the Cisco ICS will publish syslog messages.

Step 5 Click Save.

Cisco ICS now publishes syslog message to MARS. For MARS to be aware of this device, you must add the Cisco ICS device as a software application running on a host and you must click Activate in the web interface.

Add the Cisco ICS Device to MARS

Before MARS can being processing the syslog messages as Cisco ICS messages, you must define the Cisco ICS management server as an software application running on a host. After Cisco ICS is defined as a reporting device, MARS can process any inspection rules that you have defined using Cisco ICS event types.

To add a Cisco ICS server to MARS, follow these steps:

Step 1 Click Admin > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host.

You can also select Add SW Security apps on an existing host if you have already defined the host within MARS, perhaps as part of the Management > IP Management settings or if you are running another application on the host, such as Microsoft Internet Information Services.

Step 3 In the Device Name field, enter the hostname of the server.

Step 4 In the Reporting IP field, enter the IP address of the interface in Cisco ICS server from which the syslog messages will originate.

Step 5 Under Enter interface information, enter the interface name, IP address, and netmask value of the interface in Cisco ICS server from which the syslog messages will originate.

This address is the same value as the Reporting IP address.

Step 6 Cclick Apply.

Step 7 Click Next to move the Reporting Applications tab.

Step 8 In the Select Application field, select Cisco ICS 1.x , then click Add.

Step 9 Click Select to add the Cisco ICS application to this host.

Step 10 Click Done to save the changes.

Step 11 To activate the device, click Activate.

Define Rules and Reports for Cisco ICS Events

From Cisco ICS, MARS receives syslog messages that allow it to identify outbreaks, successful OPACL and OPSig deployments, and failed attempts to deploy. MARS stays abreast of when the OPACLs and OPSigs fire on Cisco IPS devices. MARS also monitors the Cisco ICS server for system issues, such as database failures.

These events assist MARS in providing an accurate, holistic assessment of your network. OPACL and OPSig matching events provide five-tuple correlation, which MARS uses to perform attack path analysis and verify the containment of threats. You can uses the events to define inspection rules that help you perform manual mitigation on devices that cannot use OPACLs and OPSigs.

For example, an inspection rule could be written to match the OPACL event. Your mitigation team can respond by investigating the OPACL that was pushed to the reporting device, from which they can determine the five tuple (source address and port, destination address and port and network service). Using that information, they could push equivalent ACLs to devices not managed by Cisco ICS.

When defining inspection rules or reports, you can access the list of Cisco ICS-specific events by entering Cisco ICS in theDescription / CVE: field and clicking Search on the Management > Event Management page of the web interface.

There are four predefined system inspection rules for Cisco ICS:

•New Malware Discovered

•New Malware Prevention Deployed

•New Malware Prevention Deployment Failed

•New Malware Traffic Match

In addition, there are five predefined reports:

•Activity: New Malware Discovered - All Events

•Activity: New Malware Prevention Deployment Failure - All Events

•Activity: New Malware Prevention Deployment Success - All Events

•Activity: New Malware Traffic Match - All Events

•Activity: New Malware Traffic Match - Top Sources

	Device Configuration Guide for Cisco Security MARS, Release 6.x
	Cisco Incident Controller Server
Device Configuration Guide for Cisco Security MARS, Release 6.x Preface Part 1: Concepts Configuring Reporting and Mitigation Devices in MARS Part 2: Intrusion Detection and Prevention (Network based) Cisco IPS Devices (4.x and 5.x) NetScreen IDP Devices and Servers Cisco IPS 6.x Devices and Virtual Sensors Enterasys Dragon Devices Snort Devices McAfee Intrushield Symantec ManHunt Cisco IPS Modules IBM SiteProtector Devices IBM RealSecure Devices Part 3: Vulnerability Assessment Qualys QualysGuard Devices eEye REM Devices McAfee Foundstone Part 4: Switches Cisco Switches Extreme Switches Part 5: Routers Cisco Routers Routers (Generic) Part 6: Firewalls Cisco Firewall Devices Cisco ASA, Version 8.1.X and 8.2.X and NetFlow Check Point Devices NetScreen ScreenOS Devices Part 7: Network Access Control Cisco NAC Appliance Part 8: Virtual Private Network Gateways Cisco VPN 3000 Concentrator Part 9: WLAN Controller Cisco Wireless LAN Controller Part 10: AAA Servers Cisco Secure ACS Devices Part 11: Intrusion Detection and Prevention (Host based) Cisco Security Agent Entercept Devices Part 12: Virus Protection Symantec AntiVirus McAfee EPO Management Devices Cisco Incident Controller Server Part 13: Content Management Cisco CSC SSM Part 14: Database Applications Oracle Database Applications Part 15: Web Servers Web Server Devices Part 16: Web Proxies Network Appliance NetCache Generic Part 17: Host Nodes Generic, Solaris, Linux, and Windows Application Hosts Index	Download this chapter Cisco Incident Controller Server Download the complete book Device Configuration Guide for Cisco Security MARS Release 6.x (PDF - 5 MB) Table Of Contents Cisco Incident Control Server Configure Cisco ICS to Send Syslogs to MARS Add the Cisco ICS Device to MARS Define Rules and Reports for Cisco ICS Events Cisco Incident Control Server The Cisco Incident Control Server (Cisco ICS) enables extended protection across Cisco IOS routers, switches, and IPS devices. In coordination with Trend Micro's incident control solutions, Cisco ICS prevents the spread of day-zero outbreaks in three ways: •First, Cisco ICS issues temporary ACLs to those Cisco mitigation devices that can block such traffic, typically using a protocol and port pair block. This temporary block is referred to as an Outbreak Prevention ACL (OPACL). •Second, as soon as a signature is available, Cisco ICS updates all Cisco IPS and IDS devices running on your network with the signature required to detect and prevent the specific threat. This signature is referred to as an Outbreak Prevention Signature (OPSig). •Third, Cisco ICS can manage supporting products (sold seperately), such as Tend Micros's Damage Cleanup Services (DCS), which cleans infected hosts by removing trojans and other malware. To complete the Cisco ICS communication settings, you must perform two tasks: configure Cisco ICS to send syslog messages to the MARS Appliance, and add the Cisco ICS management server to the MARS web interface as a reporting device. This chapter contains the following topics: •Configure Cisco ICS to Send Syslogs to MARS •Add the Cisco ICS Device to MARS •Define Rules and Reports for Cisco ICS Events Configure Cisco ICS to Send Syslogs to MARS Cisco ICS publishes syslog messages to MARS. To configure Cisco ICS, you simply define a syslog server with the IP address of the MARS Appliance. You do not need to enable any special logs, and you cannot tune the messages that are sent to MARS. The Cisco ICS events for which syslog messages are geneerated have been selected to provide the most benefit to your Security Threat Mitigation (STM) system. To prepare Cisco ICS to publish events to MARS, follow these steps: Step 1 Log in to the Cisco ICS Management Console. Step 2 Click Global Settings > Syslog Servers. Step 3 Click Add. Step 4 In the IP Address field, enter the address of the MARS Appliance to which the Cisco ICS will publish syslog messages. Step 5 Click Save. Cisco ICS now publishes syslog message to MARS. For MARS to be aware of this device, you must add the Cisco ICS device as a software application running on a host and you must click Activate in the web interface. Add the Cisco ICS Device to MARS Before MARS can being processing the syslog messages as Cisco ICS messages, you must define the Cisco ICS management server as an software application running on a host. After Cisco ICS is defined as a reporting device, MARS can process any inspection rules that you have defined using Cisco ICS event types. To add a Cisco ICS server to MARS, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host. You can also select Add SW Security apps on an existing host if you have already defined the host within MARS, perhaps as part of the Management > IP Management settings or if you are running another application on the host, such as Microsoft Internet Information Services. Step 3 In the Device Name field, enter the hostname of the server. Step 4 In the Reporting IP field, enter the IP address of the interface in Cisco ICS server from which the syslog messages will originate. Step 5 Under Enter interface information, enter the interface name, IP address, and netmask value of the interface in Cisco ICS server from which the syslog messages will originate. This address is the same value as the Reporting IP address. Step 6 Cclick Apply. Step 7 Click Next to move the Reporting Applications tab. Step 8 In the Select Application field, select Cisco ICS 1.x , then click Add. Step 9 Click Select to add the Cisco ICS application to this host. Step 10 Click Done to save the changes. Step 11 To activate the device, click Activate. Define Rules and Reports for Cisco ICS Events From Cisco ICS, MARS receives syslog messages that allow it to identify outbreaks, successful OPACL and OPSig deployments, and failed attempts to deploy. MARS stays abreast of when the OPACLs and OPSigs fire on Cisco IPS devices. MARS also monitors the Cisco ICS server for system issues, such as database failures. These events assist MARS in providing an accurate, holistic assessment of your network. OPACL and OPSig matching events provide five-tuple correlation, which MARS uses to perform attack path analysis and verify the containment of threats. You can uses the events to define inspection rules that help you perform manual mitigation on devices that cannot use OPACLs and OPSigs. For example, an inspection rule could be written to match the OPACL event. Your mitigation team can respond by investigating the OPACL that was pushed to the reporting device, from which they can determine the five tuple (source address and port, destination address and port and network service). Using that information, they could push equivalent ACLs to devices not managed by Cisco ICS. When defining inspection rules or reports, you can access the list of Cisco ICS-specific events by entering Cisco ICS in theDescription / CVE: field and clicking Search on the Management > Event Management page of the web interface. There are four predefined system inspection rules for Cisco ICS: •New Malware Discovered •New Malware Prevention Deployed •New Malware Prevention Deployment Failed •New Malware Traffic Match In addition, there are five predefined reports: •Activity: New Malware Discovered - All Events •Activity: New Malware Prevention Deployment Failure - All Events •Activity: New Malware Prevention Deployment Success - All Events •Activity: New Malware Traffic Match - All Events •Activity: New Malware Traffic Match - Top Sources
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.