Device Configuration Guide for Cisco Security MARS, Release 6.x - Cisco IPS Modules [Cisco Security Monitoring, Analysis and Response System]

Table Of Contents

Cisco IPS Modules

Enable SDEE on the Cisco IOS Device Running IOS IPS

Add an IPS Module to a Cisco Switch or Cisco ASA

Cisco IPS Modules

MARS can monitor Cisco IPS modules installed in Cisco switches and Cisco ASA appliances. To prepare these modules, you must perform the following tasks:

•Define the base module, either the router, switch, or Cisco ASA, as defined in Chapter 17, "Cisco Routers", Chapter 15, "Cisco Switch Devices", and Cisco Firewall Devices (PIX, ASA, and FWSM), page 19-1.

•Bootstrap the base module to enable SDEE traffic on the Cisco IPS module, to forward events to the MARS Appliance, and to enable MARS to access the SDEE events stored on the modules. Module access enables MARS to retrieve trigger packets and IP log information.

•Add the IPS feature set t the base module previously defined in the web interface.

The following topic also supports the configuration of the Cisco IPS modules:

•Verify that MARS Pulls Events from a Cisco IPS Device, page 4-6

This chapter contains the following topics:

•Enable SDEE on the Cisco IOS Device Running IOS IPS

•Add an IPS Module to a Cisco Switch or Cisco ASA

Enable SDEE on the Cisco IOS Device Running IOS IPS

In addition to enabling either Telnet or SSH for configuration discovery on a Cisco IOS device, you must also ensure that SDEE is enabled on the device that supports the IOS IPS. SDEE is used to publish events to MARS about signatures that have fired.

To enable SDEE protocol on the Cisco IOS device running IOS IPS, perform the following steps:

Step 1 Log in to the Cisco IOS device using the enable password.

Step 2 Enter the following commands to enable MARS to retrieve the events from the IOS device:
Router(config)#ip http secure-server
Router(config)#ip ips notify sdee
Router(config)#ip sdee subscriptions 3
Router(config)#ip sdee events 1000
Router(config)#no ip ips notify log
Note The "no ips notify log" causes the IPS modules to stop sending IPS events over syslog.

Add an IPS Module to a Cisco Switch or Cisco ASA

You can enable in-line IPS functionality and signature detection in multi-purpose Cisco platforms. You can identify an IDS-M2 running in a Cisco Switch or an ASA-SSM running in a Cisco ASA. To represent either of these modules, you must define the settings for the module as part of the base platform, which must be previously defined under Admin > System Setup > Security and Monitor Devices.

To add an IPS module to a Cisco Switch of Cisco ASA, follow these steps:

Step 1 Click Admin > System Setup > Security and Monitor Devices

Step 2 From the list of devices, select the Cisco switch or Cisco ASA to which you want to add the IPS module and click Edit.

Step 3 Click Add Module.

Step 4 Select Cisco IPS 5.xor Cisco IPS 6.x in the Device Type list.

For Cisco switches, you can also add a Cisco IPS 4.0 module. You configure these modules just as you would a standalone sensor. For instructions on configuring these modules, refer Cisco IDS 4.0 and IPS 5.x Sensors, page 2-1.

Figure 9-1 Configure Cisco IPS 5.x or 6.x

Step 5 Enter the hostname of the sensor in the Device Name field.

Step 6 Enter the administrative IP address in the Reporting IP field.

Step 7 The Reporting IP address is the same address as the administrative IP address.

Step 8 In the Login field, enter the username associated with the administrative account that will be used to access the reporting device.

Step 9 In the Password field, enter the password associated with the username specified in the Login field.

Step 10 In the Port field, enter the TCP port on which the webserver running on the sensor listens.

The default HTTPS port is 443.

Note While it is possible to configure HTTP only, MARS requires HTTPS.

Step 11 (Optional) For attack path calculation and mitigation, specify the networks being monitored by the sensor. To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

Step 12 (Optional) To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list.

b. Click Add to move the specified network into the Monitored Networks field.

c. Repeat as needed.

Step 13 Click Test Connectivity to verify the configuration.

Step 14 To save your changes, click Submit.

Step 15 To enable MARS to start sessionizing events from this module, click Activate.

	Device Configuration Guide for Cisco Security MARS, Release 6.x
	Cisco IPS Modules
Device Configuration Guide for Cisco Security MARS, Release 6.x Preface Part 1: Concepts Configuring Reporting and Mitigation Devices in MARS Part 2: Intrusion Detection and Prevention (Network based) Cisco IPS Devices (4.x and 5.x) NetScreen IDP Devices and Servers Cisco IPS 6.x Devices and Virtual Sensors Enterasys Dragon Devices Snort Devices McAfee Intrushield Symantec ManHunt Cisco IPS Modules IBM SiteProtector Devices IBM RealSecure Devices Part 3: Vulnerability Assessment Qualys QualysGuard Devices eEye REM Devices McAfee Foundstone Part 4: Switches Cisco Switches Extreme Switches Part 5: Routers Cisco Routers Routers (Generic) Part 6: Firewalls Cisco Firewall Devices Cisco ASA, Version 8.1.X and 8.2.X and NetFlow Check Point Devices NetScreen ScreenOS Devices Part 7: Network Access Control Cisco NAC Appliance Part 8: Virtual Private Network Gateways Cisco VPN 3000 Concentrator Part 9: WLAN Controller Cisco Wireless LAN Controller Part 10: AAA Servers Cisco Secure ACS Devices Part 11: Intrusion Detection and Prevention (Host based) Cisco Security Agent Entercept Devices Part 12: Virus Protection Symantec AntiVirus McAfee EPO Management Devices Cisco Incident Controller Server Part 13: Content Management Cisco CSC SSM Part 14: Database Applications Oracle Database Applications Part 15: Web Servers Web Server Devices Part 16: Web Proxies Network Appliance NetCache Generic Part 17: Host Nodes Generic, Solaris, Linux, and Windows Application Hosts Index	Download this chapter Cisco IPS Modules Download the complete book Device Configuration Guide for Cisco Security MARS Release 6.x (PDF - 5 MB) Table Of Contents Cisco IPS Modules Enable SDEE on the Cisco IOS Device Running IOS IPS Add an IPS Module to a Cisco Switch or Cisco ASA Cisco IPS Modules MARS can monitor Cisco IPS modules installed in Cisco switches and Cisco ASA appliances. To prepare these modules, you must perform the following tasks: •Define the base module, either the router, switch, or Cisco ASA, as defined in Chapter 17, "Cisco Routers", Chapter 15, "Cisco Switch Devices", and Cisco Firewall Devices (PIX, ASA, and FWSM), page 19-1. •Bootstrap the base module to enable SDEE traffic on the Cisco IPS module, to forward events to the MARS Appliance, and to enable MARS to access the SDEE events stored on the modules. Module access enables MARS to retrieve trigger packets and IP log information. •Add the IPS feature set t the base module previously defined in the web interface. The following topic also supports the configuration of the Cisco IPS modules: •Verify that MARS Pulls Events from a Cisco IPS Device, page 4-6 This chapter contains the following topics: •Enable SDEE on the Cisco IOS Device Running IOS IPS •Add an IPS Module to a Cisco Switch or Cisco ASA Enable SDEE on the Cisco IOS Device Running IOS IPS In addition to enabling either Telnet or SSH for configuration discovery on a Cisco IOS device, you must also ensure that SDEE is enabled on the device that supports the IOS IPS. SDEE is used to publish events to MARS about signatures that have fired. To enable SDEE protocol on the Cisco IOS device running IOS IPS, perform the following steps: Step 1 Log in to the Cisco IOS device using the enable password. Step 2 Enter the following commands to enable MARS to retrieve the events from the IOS device: Router(config)#ip http secure-server Router(config)#ip ips notify sdee Router(config)#ip sdee subscriptions 3 Router(config)#ip sdee events 1000 Router(config)#no ip ips notify log Note The "no ips notify log" causes the IPS modules to stop sending IPS events over syslog. Add an IPS Module to a Cisco Switch or Cisco ASA You can enable in-line IPS functionality and signature detection in multi-purpose Cisco platforms. You can identify an IDS-M2 running in a Cisco Switch or an ASA-SSM running in a Cisco ASA. To represent either of these modules, you must define the settings for the module as part of the base platform, which must be previously defined under Admin > System Setup > Security and Monitor Devices. To add an IPS module to a Cisco Switch of Cisco ASA, follow these steps: Step 1 Click Admin > System Setup > Security and Monitor Devices Step 2 From the list of devices, select the Cisco switch or Cisco ASA to which you want to add the IPS module and click Edit. Step 3 Click Add Module. Step 4 Select Cisco IPS 5.xor Cisco IPS 6.x in the Device Type list. For Cisco switches, you can also add a Cisco IPS 4.0 module. You configure these modules just as you would a standalone sensor. For instructions on configuring these modules, refer Cisco IDS 4.0 and IPS 5.x Sensors, page 2-1. Figure 9-1 Configure Cisco IPS 5.x or 6.x Step 5 Enter the hostname of the sensor in the Device Name field. Step 6 Enter the administrative IP address in the Reporting IP field. Step 7 The Reporting IP address is the same address as the administrative IP address. Step 8 In the Login field, enter the username associated with the administrative account that will be used to access the reporting device. Step 9 In the Password field, enter the password associated with the username specified in the Login field. Step 10 In the Port field, enter the TCP port on which the webserver running on the sensor listens. The default HTTPS port is 443. Note While it is possible to configure HTTP only, MARS requires HTTPS. Step 11 (Optional) For attack path calculation and mitigation, specify the networks being monitored by the sensor. To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. Step 12 (Optional) To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list. b. Click Add to move the specified network into the Monitored Networks field. c. Repeat as needed. Step 13 Click Test Connectivity to verify the configuration. Step 14 To save your changes, click Submit. Step 15 To enable MARS to start sessionizing events from this module, click Activate.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.