Getting Started with Security Monitor
This section describes how to access Monitoring Center for Security (Security Monitor) and introduces both the use of the interface and the use of the application.
This chapter contains the following topics:
• Accessing Security Monitor
• Understanding Security Monitor User Interface Elements
• Understanding Security Monitor Wizard Elements
• Notification Icons
• Security Monitor Operational Checklist
Accessing Security Monitor
To access Security Monitor, you must first log in to the CiscoWorks Server. After you are logged in to the CiscoWorks Server, you can start Security Monitor.
The features and functionality that you can access in Security Monitor are determined by the role assigned to the user account that you used to log in to CiscoWorks. Essentially, a role is a set of permissions for accessing application features.
This section contains the following topics:
• Logging In to CiscoWorks
• Starting Security Monitor
• Roles and Permissions in Security Monitor
Logging In to CiscoWorks
The CiscoWorks Server desktop is the interface for the CiscoWorks VPN/Security Management Solution (VMS) applications, including Security Monitor, Management Center for IPS Sensors (IPS MC), and Firewall MC. For additional information about the CiscoWorks Server desktop, see User Guide for CiscoWorks Common Services 2.2.
Before you log in, make sure that your browser is configured correctly for CiscoWorks. For more information, see Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows or Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Solaris.
Tip
If you have installed CiscoWorks and are logging in for the first time, you can use the "admin" username with the password you configured during installation. If you did not change the password for the "admin" account during installation, use the default password "admin" (without the quotation marks).
To log in to CiscoWorks, follow these steps:
Step 1
Access the CiscoWorks Server from your web browser.
The CiscoWorks Server login page appears.
Figure 1-1 CiscoWorks2000 Server Login Page
Step 2
Enter your username in the Name field and your password in the Password field.
Step 3
Click Connect, or press Enter.
The CiscoWorks Server navigation menu replaces the Login Manager pane. You are now logged in.
Starting Security Monitor
The CiscoWorks Server desktop contains drawers for the installed applications. The drawers are present in the left pane.
To start Security Monitor, follow these steps:
Step 1
Log in to CiscoWorks Server.
Step 2
From the navigation tree, select VPN/Security Management Solution > Monitoring Center > Security Monitor.
Figure 1-2 Starting Security Monitor
Security Monitor starts in a new browser window.
Roles and Permissions in Security Monitor
The following roles, and associated permissions, are available when you use CiscoWorks authentication. If your CiscoWorks Server uses Cisco Secure Access Control Server (ACS) for authentication, see the "Employing the Cisco Secure ACS with IPS MC" appendix in Using Management Center for IPS Sensors 2.2 for information about available roles and permissions and for instructions on configuring Cisco Secure ACS.
• Help Desk—Using this type of account, you can view any report or alarm but cannot delete reports or alarms and cannot generate reports.
• Approver—In Security Monitor, this role is the same as the Help Desk role.
• Network Operator—Using this type of account, you can view any report or alarm and generate reports, but you cannot delete reports or alarms.
• Network Administrator—Using this type of account, you can view any report or alarm, delete reports and alarms, generate reports, and edit device configurations.
• System Administrator—Using this type of account, you can edit anything in the system, view any report or alarm, delete reports and alarms, generate reports, and import lists (files) and notification scripts.
Understanding Security Monitor User Interface Elements
The Security Monitor interface is divided into tabs. The tabs provide access to main components of the application.
Figure 1-3 shows the Security Monitor GUI elements.
Figure 1-3 Security Monitor GUI Elements

1 | Path bar—Provides a context for the displayed page. Shows tab, option, and current page. On the right, shows notification icons.
2 | TOC—Displays suboptions, if available.
3 | Options bar—Displays the options available for the selected tab.
4 | Tabs—Provide access to product functionality. Click a tab to access its options.
    • Devices—Displays options for adding, editing, importing, and deleting monitored devices.
    • Configuration—Displays options for defining correlated events and specifying what action to take when the correlated events are detected.
    • Monitor—Displays options for monitoring device status and using Event Viewer.
    • Reports—Displays options for generating, scheduling, and viewing reports.
    • Admin—Displays options for administering system configuration, database maintenance, and Event Viewer preferences.
5 | Tools—Contains the Close, Help, and About buttons.
    • Close—Closes Security Monitor.
    • Help—Opens a new window that displays context-sensitive help for the displayed page. The window also contains buttons that you use to go to the overall help contents, index, and search tool.
    • About—Displays the version of the application.
6 | Notifications bar—Displays notification icons for various system events. For more information, see Notification Icons.
7 | Instructions box—Provides a brief overview of how to use the page.
8 | Action buttons—Initiate actions or commands for this page. Buttons that do not work on a particular page are dimmed.
Understanding Security Monitor Wizard Elements
Complex tasks in Security Monitor use wizards to guide you through the steps. Wizards typically contain multiple pages. Each page that appears depends upon the choices selected on the previous page. Figure 1-4 shows the wizard elements.
Figure 1-4 Security Monitor Wizard Elements
1 | Wizard steps—Displays an ordered list of steps. Ellipses (...) mean the following steps depend on which option you select.
2 | Wizard page—The area in which you work. Displays various elements including:
    • Table—List of items and their components.
    • Checkboxes—Controls to activate table elements.
    • Fields—Areas in which you enter values.
    • Instructions box—A brief overview of how to use the page.
3 | Action buttons—Initiate actions or commands for this page. Buttons that are not active for a particular page or context are dimmed (greyed out). Some of the action buttons you may see in a wizard include:
    • Back—Returns you to the previous page of the wizard.
    • Next—Opens the next page of the wizard.
    • Finish—Completes the wizard.
    • Cancel—Closes the wizard without making any changes.
Notification Icons
Some system events trigger notifications. These notifications are represented by various icons that appear right-justified in the Path bar. For more information about the Path bar and other GUI elements, see Understanding Security Monitor User Interface Elements.
There are two types of notifications:
• User Notifications—Notifications that are directed to a specific user. The icon disappears after that user views the referenced page.
  – Console Notification—Indicates that a console notification has been delivered that the logged-in user has not yet viewed. Select this icon to open the Monitor > Notifications page.
  – Report Ready—Indicates that a report generated by this user is complete. Select this icon to open the Completed Reports page.
• Broadcast Notifications—Notifications that are directed to all logged-in users. The icon appears until the condition that triggered the notification is no longer present.
  – Report Running—Indicates a report is being generated. Select this icon to open the Reports > Definitions page.
  – Pruning—Indicates that the database is being pruned. Select this icon to open the Admin > Data Management > Database > Pruning Status page.
  – Throttling—Indicates that the rate of flow of events from at least one monitored device is being limited. Select this icon to open the Monitor > Connections page.
  – File Monitor Alarm—Indicates that the file monitor process has detected a file that is larger than its size warning limit. Select this icon to open the Admin > Data Management > Files page.
Security Monitor Operational Checklist
The following checklist provides a basic workflow for using Security Monitor. Each step contains a high-level task to perform and then refers you to detailed procedures for accomplishing that particular task.
Step 1
Configure the Security Monitor system as needed for your operation.
A Security Monitor administrator must first set up the basic system configuration elements. These elements vary according to your installation and purposes, but typically include user setup and permissions, event viewer preferences, and database settings.
For more information, see the following references:
1. Roles and Permissions in Security Monitor
2. Chapter 1, "Configuring the System Configuration Settings"
3. Defining Event Viewer Preferences, page 1-41
4. Chapter 1, "Maintaining the Database"
Step 2
Define notifications using Event Rules.
Event Rules allow you to define specific events or conditions and to send an e-mail notification or run a script when those events or conditions are met.
For more information, see Chapter 1, "Defining Notifications."
Step 3
Define alarm and audit reports.
Audit reports provide information about the server and application. Alarm reports provide information about monitored events.
For more information, see Chapter 1, "Defining and Viewing Reports."
Step 4
Define the devices you will monitor.
You must define the devices that you want to monitor, and then configure those devices to send security events to Security Monitor.
For more information, see Chapter 1, "Configuring Devices to Monitor."
Step 5
View the events received by Security Monitor.
After you have defined the devices that you want to monitor, and configured those devices to send security information to Security Monitor, you can immediately use Event Viewer to see the events being sent to Security Monitor.
For more information, see Chapter 1, "Using the Event Viewer."
Step 6
Maintain the server.
Update the IDS signatures to keep your system current.
For more information, see Updating Signatures, page 1-13.