Using Monitoring Center for Security 2.2
Configuring Devices to Monitor

Table Of Contents

Configuring Devices to Monitor

Adding Device Information to Security Monitor

Adding an RDEP/SDEE Sensor

Adding a PIX Firewall

Adding a Cisco IOS router using Syslog

Adding an SDEE Cisco IOS router

Adding Security Agent MCs

Adding a Remote Security Monitor Server

Importing Sensor Information from IPS MC

Viewing Device Contact Settings

Editing Device Contact Settings

Deleting Device Contact Settings

Configuring Devices to Send Events to Security Monitor

Configuring RDEP-based Cisco Intrusion Prevention System Sensors

Configuring PIX Firewalls at the Console

Configuring Cisco IOS routers


Configuring Devices to Monitor


Configuring the devices you want to monitor is a three-step process:

1. Add the device information to Monitoring Center for Security (Security Monitor). The device information specifies how Security Monitor receives information from the monitored devices. You can add a device configuration for a device that Security Monitor cannot contact with the communication settings that you specify. This feature allows you to prepare Security Monitor for devices that you plan to deploy on your network.

2. Configure the devices to send event data to the Security Monitor server. The configuration includes the type of information that is sent to Security Monitor.

3. To verify the configurations, view the connection status between Security Monitor and each RDEP/SDEE device. You can also view information about subsystems of each RDEP/SDEE device.

This chapter contains the following topics:

Adding Device Information to Security Monitor

Configuring Devices to Send Events to Security Monitor

Adding Device Information to Security Monitor

You can use Security Monitor to monitor the following devices:

Cisco Intrusion Prevention System Sensors

Cisco IOS IDS/IPS Devices

PIX Firewalls

Security Agent MC

Remote Security Monitor Servers

You can use the following methods to add device information to Security Monitor:

For all devices, you can enter the communication settings manually.

For Cisco Intrusion Prevention System Sensors that you configured in Management Center for IPS Sensors (IPS MC), you can import the device settings from IPS MC.

After you add device contact settings in Security Monitor, you can edit or delete the device settings. If you delete a device from Security Monitor, it is not deleted from IPS MC.

This section contains the following topics:

Adding an RDEP/SDEE Sensor

Adding a PIX Firewall

Adding a Cisco IOS router using Syslog

Adding an SDEE Cisco IOS router

Adding Security Agent MCs

Adding a Remote Security Monitor Server

Importing Sensor Information from IPS MC

Viewing Device Contact Settings

Editing Device Contact Settings

Deleting Device Contact Settings

Adding an RDEP/SDEE Sensor

RDEP/SDEE sensors are Cisco Intrusion Prevention System Sensors based on sensor software versions 4.0 and later. Before you can use Security Monitor to monitor an RDEP/SDEE sensor, you must add the device configuration.

To add an RDEP/SDEE sensor configuration, follow these steps:


Step 1 Select the Devices tab.

Step 2 Click Add at the bottom of the Devices page.

The Add Device window appears.

Step 3 Select Cisco IDS/IPS from the Device Type list.

Step 4 Enter the IP address for the device you are adding in the IP Address field.

Step 5 If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.


Note The NAT address is the address that is exposed to the Security Monitor server, not the actual address of the device.


Step 6 Enter the device name for the device you are adding in the Device Name field.

You can use up to 64 alphanumeric characters and most keyboard characters in the Device Name field. You cannot use spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7 You can enter any comments about the device in the Description field. The text cannot exceed 512 characters.

Step 8 Select the Use Encryption check box if the device uses Transport Layer Security (TLS) encryption. By default, this option is selected.

Step 9 Enter the web server port number used by the RDEP/SDEE device. The default value is 443.

Step 10 Enter a valid user name for the device in the Username field. The user name should be for an account with administrative privileges on the sensor.

Step 11 Enter the password associated with the specified user name in the Password field.

Step 12 Select the minimum event level that you want to monitor from the Minimum Event Level list. You can select one of the following levels:

Informational—Categorizes an event that is the result of standard activity on your network.

Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in Event Viewer in Security Monitor.

Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in Event Viewer in Security Monitor.

High—Categorizes the attack as highly severe. These attacks are shown with a red icon in Event Viewer in Security Monitor.

Step 13 Select the Collect Error Events check box to enable error event (evError) collection.

Step 14 Select the Enable Flow Control check box to enable throttling.


Note Throttling allows Security Monitor to slow the collection of event data when the system is overloaded. RDEP, SDEE, and Security Agent MC devices have local event storage capabilities, so Security Monitor can retrieve delayed event data from them after the system recovers.


Step 15 To add the device, click OK.

The window closes, and the device is added to the device list on the Devices page.


Adding a PIX Firewall

PIX Firewalls use syslog messages to communicate with Security Monitor.

You do not have to add syslog devices because Security Monitor monitors all syslog traffic on the UDP port. However, if you want the syslog device name to appear in reports (instead of the device IP address), add the device configuration to Security Monitor.

To add a device configuration, follow these steps:


Step 1 Select the Devices tab.

Step 2 Click Add at the bottom of the Devices page.

The Add Device window appears.

Step 3 Select Cisco PIX/FWSM from the Device Type list.

Step 4 Enter the IP address in the IP Address field.

Step 5 If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6 Enter the device name in the Device Name field.

You can use up to 64 alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7 You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8 To add the device, click OK.

The window closes, and the device is added to the device list on the Devices page.


Adding a Cisco IOS router using Syslog

Cisco IOS routers can use syslog messages or SDEE to communicate with Security Monitor. If you are using SDEE, see Adding an SDEE Cisco IOS router.

If the Cisco IOS router is using syslog to send event data, you do not have to add the device because Security Monitor monitors all syslog traffic on the UDP port. However, if you want the syslog device name to appear in reports (instead of the device IP address), add the device configuration to Security Monitor.

To add a device configuration, follow these steps:


Step 1 Select the Devices tab.

Step 2 Click Add at the bottom of the Devices page.

The Add Device window appears.

Step 3 Select Cisco IOS IDS/IPS from the Device Type list.

Step 4 In the IP Address field, enter the IP address for the device you are adding.

Step 5 If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6 In the Device Name field, enter the device name for the device you are adding.

You can use up to 64 alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7 You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8 Select Syslog from the Protocol list.

Step 9 To add the device, click OK.

The window closes, and the device is added to the device list on the Devices page.


Adding an SDEE Cisco IOS router

Cisco IOS routers can use syslog messages or SDEE to communicate with Security Monitor. If you are using syslog messages, see Adding a Cisco IOS router using Syslog.

To add a device configuration, follow these steps:


Step 1 Select the Devices tab.

Step 2 Click Add at the bottom of the Devices page.

The Add Device window appears.

Step 3 Select Cisco IOS IDS/IPS from the Device Type list.

Step 4 In the IP Address field, enter the IP address for the device you are adding.

Step 5 If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6 In the Device Name field, enter the device name for the device you are adding.

You can use up to 64 alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7 You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8 Select RDEP/SDEE from the Protocol list.

Step 9 Select the Use Encryption check box if the device uses Transport Layer Security (TLS) encryption. By default, this option is selected.

Step 10 Enter the web server port number used by the RDEP device. The default value is 443.

Step 11 Enter a valid user name for the device in the Username field. The user name should be for an account with administrative privileges.

Step 12 Enter the password associated with the specified user name in the Password field.

Step 13 Select the minimum event level that you want to monitor from the Minimum Event Level list. You can select one of the following levels:

Informational—Categorizes an event that is the result of standard activity on your network.

Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in Event Viewer in Security Monitor.

Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in Event Viewer in Security Monitor.

High—Categorizes the attack as highly severe. These attacks are shown with a red icon in Event Viewer in Security Monitor.

Step 14 Select the Collect Error Events check box to enable error event (evError) collection.

Step 15 Select the Enable Flow Control check box to enable throttling.


Note Throttling allows Security Monitor to slow the collection of event data when the system is overloaded. SDEE devices have local event storage capabilities, so Security Monitor can retrieve delayed event data from them after the system recovers.



Caution Throttling may not function as expected for IOS IPS devices if you do not increase the maximum buffer size (max-events), which is the maximum number of events that the device can store. The default maximum buffer size for an IOS IPS device is 100 events. However, you can configure the maximum buffer size to be from 10 to 1000 events. If you do not increase the maximum buffer size, the events in the buffer may be overwritten before Security Monitor receives them.

Step 16 To add the device, click OK.

The window closes, and the device is added to the device list on the Devices page.


Adding Security Agent MCs

Security Monitor does not receive alarm data directly from the individual Cisco Security Agents. Instead, Security Monitor receives alarm data from the Management Center for Cisco Security Agents (Security Agent MC), which aggregates the Security Agent information and forwards it to Security Monitor. Security Monitor uses an HTTPS session to communicate with the Security Agent MC server.


Note You do not have to perform any additional configuration steps on the Security Agent MC server to receive alarms in Security Monitor. All configuration steps are performed on the Security Monitor server.


Before You Begin

You must have a Security Agent MC server administrative account before you perform this procedure. Although you can use an existing administrative account, we recommend that you set up an administrative account on the Security Agent MC server specifically for use with Security Monitor.

You must obtain the following information from your Security Agent MC server to complete this procedure:

The "Issued To" name of the certificate used for the SSL connection to the Security Agent MC server. This is typically the hostname of the server.

An administrative account username.

The password for the selected administrative account.

To configure Security Monitor to receive alarms from Security Agent MC, follow these steps:


Step 1 Select the Devices tab.

Step 2 Click Add at the bottom of the Devices page.

The Add Device window appears.

Step 3 Select Cisco Security Agent MC from the Device Type list.

Step 4 Enter the IP address for the device you are adding in the IP Address field.

Step 5 If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6 Enter the hostname for the Security Agent MC you are adding in the Device Name field.

You can use up to 64 alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound (#) signs are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7 You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8 Enter the Security Agent MC server certificate name in the Certificate Common Name field. This is typically the fully qualified host name of the server.

Step 9 Enter the port used by the Security Agent MC server for HTTPS communication in the Web Server Port field. The default value is 443.

Step 10 Enter the username for an administrative account on the Security Agent MC server in the Username field.

Step 11 Enter the password associated with the specified username in the Password field.

Step 12 Select the minimum event level that you want to monitor from the Monitor Event Level list. You can select from the following levels:

Informational—Categorizes an event that is the result of standard activity on your network. These events are shown with a blue icon in Event Viewer.

Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in Event Viewer.

Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in Event Viewer.

High—Categorizes the attack as highly severe. These attacks are shown with a red icon in Event Viewer.

The default is Medium.

Step 13 Select the Enable Flow Control check box to enable throttling.


Note Throttling allows Security Monitor to slow the collection of event data when the system is overloaded. Security Agent MC devices have local event storage capabilities, so Security Monitor can retrieve delayed event data from them after the system recovers.


Step 14 To add the device, click OK.

The window closes, and the Security Agent MC server is added to the device list on the Devices page.


Adding a Remote Security Monitor Server

You can forward network IDS/IPS events from one Security Monitor server to another by adding a Remote Security Monitor Server device to the upstream (collecting) Security Monitor server. The Security Monitor servers must be arranged hierarchically. Security Monitor servers arranged in a circular flow may cause performance degradation.

Figure 1-1 Recommended Security Monitor Server Configuration

To add a remote Security Monitor server configuration, follow these steps:


Step 1 Select the Devices tab.

Step 2 Click Add at the bottom of the Devices page.

The Add Device window appears.

Step 3 Select Remote Cisco Security Monitor from the Device Type list.

Step 4 Enter the IP address for the device you are adding in the IP Address field.


Caution You must ensure that any remote Security Monitor you add is arranged in a manner that prevents a circular flow of information. That is, multiple Security Monitors must be arranged hierarchically. For more information, see Figure 1-1.

Step 5 If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.


Note The NAT address is the address that is exposed to the Security Monitor server, not the actual address of the device.


Step 6 Enter the device name for the device you are adding in the Device Name field.

You can use up to 64 alphanumeric characters and most keyboard characters in the Device Name field. You cannot use spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7 You can enter any comments about the device in the Description field. The text cannot exceed 512 characters.

Step 8 Enter the certificate common name used for hostname verification in the Certificate Common Name field.

Step 9 Enter the web server port number used by the remote Security Monitor server. The default value is 443.

Step 10 Enter a valid username for the remote Security Monitor server in the Username field. The user name should be for an account with administrative privileges.

Step 11 Enter the password associated with the specified username in the Password field.

Step 12 Select the minimum event level that you want forwarded from the remote Security Monitor from the Minimum Event Level list. You can select one of the following levels:

Informational—Categorizes an event that is the result of standard activity on your network.

Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in Event Viewer in Security Monitor.

Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in Event Viewer in Security Monitor.

High—Categorizes the attack as highly severe. These attacks are shown with a red icon in Event Viewer in Security Monitor.

Step 13 Select the Collect Error Events check box to enable error event (evError) collection.


Note Downstream Security Monitor servers will receive locally generated error events. Error events received from downstream devices will not be received.


Step 14 Select the Enable Flow Control check box to enable throttling.


Note Throttling allows Security Monitor to slow the collection of event data when the system is overloaded. RDEP, SDEE, and Security Agent MC devices have local event storage capabilities, so Security Monitor can retrieve delayed event data from them after the system recovers.


Step 15 To add the remote Security Monitor server, click OK.

The window closes, and the remote Security Monitor server is added to the device list on the Devices page.
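A check for the hierarchical arrangement that the caution in Step 4 requires, added here as an example and not part of the Cisco documentation: given which Remote Security Monitor Server devices each upstream (collecting) server has added, it reports any circular flow. The server names and the two topologies are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed topology: each upstream (collecting) Security Monitor server maps to
# the Remote Security Monitor Server devices it has added. Names are illustrative.
HIERARCHICAL = {
    "secmon-hq": ["secmon-east", "secmon-west"],
    "secmon-east": ["secmon-branch1"],
    "secmon-west": [],
    "secmon-branch1": [],
}

# Same servers, but secmon-east has also added secmon-hq as a remote server,
# so events would flow hq -> east -> hq: a circular flow.
CIRCULAR = {
    "secmon-hq": ["secmon-east"],
    "secmon-east": ["secmon-branch1", "secmon-hq"],
    "secmon-branch1": [],
}


def find_circular_flow(forwarding: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the servers along one circular event flow (first server repeated at
    the end), or None when the arrangement is a hierarchy."""
    UNVISITED, IN_PROGRESS, DONE = 0, 1, 2
    state = {server: UNVISITED for server in forwarding}
    for remotes in forwarding.values():
        for remote in remotes:  # leaf servers that have no entry of their own
            state.setdefault(remote, UNVISITED)
    path: List[str] = []  # the collection chain currently being followed

    def visit(server: str) -> Optional[List[str]]:
        state[server] = IN_PROGRESS
        path.append(server)
        for remote in forwarding.get(server, []):
            if state[remote] == IN_PROGRESS:  # already on the chain we are following
                return path[path.index(remote):] + [remote]
            if state[remote] == UNVISITED:
                cycle = visit(remote)
                if cycle:
                    return cycle
        path.pop()
        state[server] = DONE
        return None

    for server in list(state):
        if state[server] == UNVISITED:
            cycle = visit(server)
            if cycle:
                return cycle
    return None


if __name__ == "__main__":
    for name, topology in (("hierarchical", HIERARCHICAL), ("circular", CIRCULAR)):
        cycle = find_circular_flow(topology)
        print(f"{name}: {'OK' if cycle is None else 'circular flow ' + ' -> '.join(cycle)}")
```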


Importing Sensor Information from IPS MC

If you use IPS MC to configure your sensors, you can import the device configurations into Security Monitor from IPS MC.

To import a device configuration, follow these steps:


Step 1 Select Devices.

The Devices page appears.

Step 2 Click Import.

The Enter IPS MC Server Information page appears.

Step 3 Enter the IP address or hostname of your IPS MC server in the IP Address/Host Name field.

Step 4 Enter the port number the IPS MC server uses in the Web Server Port field.


Note This port number is configured when you install CiscoWorks Common Services. The default is 443.


Step 5 Enter a username in the Username field. This must be an administrative account for the specified IPS MC server.

Step 6 Enter the password associated with the specified username in the Password field.

Step 7 Click Next.

The Select Devices page appears. The Select Devices page contains a table that lists the devices discovered from your IPS MC server.

Step 8 Select the check box next to each device for which you want to import the configuration. You can select multiple devices. Then, click Next.


Tip You can select all the devices by selecting the check box in the title row of the table.


The Update NAT Addresses page appears.

Step 9 For each device that you need to update the NAT address for, follow these steps:

a. Click the NAT Address cell to the right of the device.

b. Enter a new NAT address.

Step 10 Click Finish.

The Import Results Summary page appears and lists the devices you imported.

Step 11 Click Close.

The Devices page appears. The imported devices now appear in the devices table.


Viewing Device Contact Settings

This procedure provides the basic steps for viewing detailed information about device contact settings. You cannot edit device settings from the View Device page.

To view the contact settings of a device, follow these steps:


Step 1 Select Devices.

The Devices page appears.

Step 2 Click the hyperlink of the device name in the Name column.

The View Device window displays information about the selected device.

Step 3 Click Close to return to the Devices page.


Editing Device Contact Settings

Editing device contact settings is similar to adding a device. When you edit contact settings, you use the same Enter Device Information page that you used to add the device.

To edit the contact settings of a device, follow these steps:


Step 1 Select the Devices tab.

Step 2 Click the check box next to the device that you want to edit. Then, click Edit.

The Enter Device Information page appears.

Step 3 Make any necessary changes to the fields that you want to revise.

Step 4 To save your changes, click OK.

The page closes and the changes you made are saved.


Deleting Device Contact Settings

You can delete contact settings of devices that you no longer want to monitor.


Note Device contact settings that you delete from Security Monitor are not deleted from IPS MC.


To delete device contact settings, follow these steps:


Step 1 Select the Devices tab.

Step 2 Click the check box next to the device that you want to delete. Then, click Delete.

The device contact settings are deleted from Security Monitor.


Note You cannot recover deleted device contact settings.



Configuring Devices to Send Events to Security Monitor

After specifying the devices you want Security Monitor to monitor, you must configure those devices to send their event data to the Security Monitor server.

This section contains the following topics:

Configuring RDEP-based Cisco Intrusion Prevention System Sensors

Configuring PIX Firewalls at the Console

Configuring Cisco IOS routers

Configuring RDEP-based Cisco Intrusion Prevention System Sensors

To allow a Security Monitor server to retrieve event data from an RDEP device, you must identify the Security Monitor server as an allowed host on the sensor.

To specify Security Monitor as an allowed host on the sensor, follow these steps:


Step 1 Log in to IPS MC.

Step 2 Select Configuration > Settings.

Step 3 Click the Object Selector handle to open the Object Selector.

Step 4 From the Object Selector, select the sensor you want to configure.

Step 5 From the TOC, select Communications > Allowed Hosts.

The Allowed Hosts page appears.

Step 6 To add an allowed host, click Add.

The Enter Allowed Host page appears.

Step 7 Enter the IP address of the allowed host in the IP Address field. This address must be the NAT address if NAT is being performed.

Step 8 Enter the network mask for the IP address in the Net Mask field.

Step 9 Click OK.

The Allowed Hosts page appears, showing the host that you just added.

Step 10 You must generate and deploy the configuration before your changes take effect.


Configuring PIX Firewalls at the Console

This procedure provides the basic steps for configuring a PIX Firewall to forward syslog messages to Security Monitor. You should refer to your PIX Firewall documentation for more detailed information about configuring syslog messages.

Additionally, if you are managing your PIX Firewalls with Management Center for Firewalls (Firewall MC), you can use Firewall MC to perform this configuration.

To configure a PIX Firewall from the console to forward syslog messages to Security Monitor, follow these steps:


Step 1 Open a console or terminal session to the PIX Firewall.

Step 2 Enter the global configuration mode:

a. Enter enable.

b. If the enable prompt is password protected, enter the enable password.

c. Enter configure terminal.

Step 3 Specify your Security Monitor server as the host to receive the syslog messages with the logging host command:

logging host interface host_IP_addr [protocol:port]

interface—The interface on the PIX Firewall on which the Security Monitor server resides.

host_IP_addr—The IP address of the Security Monitor server.

protocol:port—The protocol used to carry the syslog messages followed by the destination port number. This setting is optional. If left off, the PIX Firewall uses the default of UDP:514.


Note You cannot use TCP to send syslog messages to Security Monitor.


Step 4 Set the logging level using the logging trap command.

logging trap level 

The following levels are available:

0 emergencies—System unusable messages

1 alerts—Take immediate action

2 critical—Critical condition

3 errors—Error message

4 warnings—Warning message

5 notifications—Normal but significant condition

6 informational—Information message

7 debugging—Debug messages and log FTP commands and WWW URLs


Note The logging level that you specify includes the messages of the levels above it (those with a lower numerical value). For example, setting the logging level to 2 causes messages of level 0, 1, or 2 to be sent.


Step 5 Enter logging on to start forwarding messages.


Note In the event that Security Monitor is offline, PIX Firewall stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line.


The PIX Firewall starts forwarding messages to your Security Monitor server.


Configuring Cisco IOS routers

This procedure provides the basic steps for configuring a Cisco IOS router to forward syslog messages to Security Monitor. You should refer to your Cisco IOS router documentation for detailed information about configuring syslog messages.

When the Cisco IOS router is configured with IDS or firewall software, the IDS and firewall messages are included with the standard syslog messages; you do not need to configure those messages separately.

Additionally, if you are managing your Cisco IOS routers with Router MC, you can use Router MC to perform this configuration.

To configure a Cisco IOS router to forward syslog messages to Security Monitor, follow these steps:


Step 1 Open a console or terminal session to the Cisco IOS router.

Step 2 Enter the global configuration mode:

a. Enter enable.

b. If the enable prompt is password protected, enter the enable password.

c. Enter configure terminal.

Step 3 Use the logging command to specify your Security Monitor server as the host to receive the syslog messages:

logging host_name 

Replace host_name with the name of your Security Monitor server.

Step 4 Set the logging level using the logging trap command.

logging trap level 

The following levels are available:

0 emergencies—System unusable messages

1 alerts—Take immediate action

2 critical—Critical condition

3 errors—Error message

4 warnings—Warning message

5 notifications—Normal but significant condition

6 informational—Information message

7 debugging—Debug messages and log FTP commands and WWW URLs


Note The logging level that you specify includes the messages of the levels above it (those with a lower numerical value). For example, setting the logging level to 2 causes messages of level 0, 1, or 2 to be sent.


Step 5 Enter logging on to start forwarding messages.

The Cisco IOS router starts forwarding messages to your Security Monitor server.
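The logging trap rule from the PIX Firewall and Cisco IOS router procedures above (a message is sent when its severity number is less than or equal to the configured level) and the logging host default of UDP:514, applied to a few syslog lines. This Python example is added here and is not part of the Cisco documentation; the sample log lines, addresses and helper names are constructed for illustration, and the parser accepts both the "%PIX-6-302013:" and the "%SYS-5-CONFIG_I:" message ID forms.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Severity levels of the PIX Firewall and Cisco IOS "logging trap" command
# (the numeric value is what the message ID carries).
LEVELS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: num for num, name in LEVELS.items()}

# PIX (%PIX-6-302013: ...) and IOS (%SYS-5-CONFIG_I: ...) messages both carry
# "%FACILITY-SEVERITY-MNEMONIC:" in front of the message text.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

# "logging host interface host_IP_addr [protocol:port]" as shown in the PIX
# procedure; the separator between protocol and port may be ":" or "/".
HOST_RE = re.compile(
    r"^\s*logging host\s+(?P<interface>\S+)\s+(?P<host>\S+)"
    r"(?:\s+(?P<proto>udp|tcp)[:/](?P<port>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Extract facility, severity and mnemonic; None for lines without a Cisco message ID."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return SyslogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def resolve_trap_level(level: Union[int, str]) -> int:
    """Accept the numeric (2) or keyword ("critical") form of 'logging trap <level>'."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"trap level out of range: {level}")
    try:
        return LEVEL_BY_NAME[level.lower()]
    except KeyError:
        raise ValueError(f"unknown trap level keyword: {level}") from None


def is_forwarded(msg: SyslogMessage, trap_level: Union[int, str]) -> bool:
    """The device sends a message when its severity number is <= the trap level."""
    return msg.severity <= resolve_trap_level(trap_level)


def forwarded_messages(lines: List[str], trap_level: Union[int, str]) -> List[SyslogMessage]:
    """Messages in `lines` that a device set to `trap_level` would send to Security Monitor."""
    parsed = (parse_message(line) for line in lines)
    return [m for m in parsed if m is not None and is_forwarded(m, trap_level)]


def parse_logging_host(command: str) -> Tuple[str, str, str, int]:
    """Return (interface, host, protocol, port); protocol and port default to UDP 514.
    TCP is rejected because Security Monitor cannot receive syslog over TCP."""
    m = HOST_RE.match(command)
    if not m:
        raise ValueError(f"not a logging host command: {command!r}")
    proto = (m["proto"] or "udp").lower()
    port = int(m["port"]) if m["port"] else 514
    if proto == "tcp":
        raise ValueError("Security Monitor does not accept syslog over TCP; use UDP")
    return m["interface"], m["host"], proto, port


# Constructed sample lines (addresses and message text are illustrative only).
SAMPLE_LINES = [
    "Jan 12 10:00:01 10.1.1.1 %PIX-2-106001: Inbound TCP connection denied from 192.0.2.10/4321 to 10.1.1.5/23 flags SYN on interface outside",
    "Jan 12 10:00:02 10.1.1.1 %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/80 to inside:10.1.1.20/3456",
    "Jan 12 10:00:03 10.2.2.1 %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.50)",
    "Jan 12 10:00:04 10.2.2.1 %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.10 -> 10.2.2.20:0]",
    "Jan 12 10:00:05 10.2.2.1 keepalive line without a Cisco message ID",
]

if __name__ == "__main__":
    for level in (2, "warnings", 7):
        sent = forwarded_messages(SAMPLE_LINES, level)
        print(f"logging trap {level}: {len(sent)} of {len(SAMPLE_LINES)} lines forwarded")
    print(parse_logging_host("logging host inside 10.1.1.50"))
```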