Using Monitoring Center for Security 2.2
Configuring the System Configuration Settings

Table Of Contents

Configuring the System Configuration Settings

File Management Configuration

Redirecting IP Log Files Away from the Database Disk

Redirecting Archive Files Away from the Database Disk

Redirecting Backup Files Away from the Database Disk

E-Mail Configuration

Specifying an Email Server

Verifying E-Mail Connectivity

Syslog Settings

Configuring Syslog Settings on a Windows Server

Changing the Syslog Listening Port on a Windows Server

Forwarding Syslog Messages on a Windows Server

Configuring Syslog Settings on a Solaris Server

Changing the Syslog Message File on a Solaris Server

Purging the Syslog Message File on a Solaris Server

About the RxSyslogConf Utility

Enabling DNS Resolution

Updating Signatures

Determining the Availability of New Signature Files and Downloading Them

Downloading Signature Updates Automatically

Updating Your Sensor Software Versions and Signature Release Levels


Configuring the System Configuration Settings


You can set the following default system configuration settings:

IP Log Archive Location—Specifies the IP Log archive location.

Email Server—Specifies the e-mail server that Monitoring Center for Security (Security Monitor) uses for event notifications.

SYSLOG Settings—Specifies the port that Security Monitor uses to monitor syslog messages. You can also specify the port to which syslog messages are forwarded.

DNS settings for Firewall Reports and IP Log/Trigger Packet—Specifies whether DNS resolution is enabled or disabled while generating Firewall reports and decoding IP logs and trigger packets.

Prune Archive Location—Specifies the location where the pruning archive files are stored.

Automatic Signature Download/Update—Specifies the settings for the Automatic Signature Download process.

Local File Signature Update—Allows you to update the IDS signatures from a file on the Security Monitor server.


Note Sensors are not, and cannot be, updated through Security Monitor.


This chapter contains the following topics:

File Management Configuration

E-Mail Configuration

Syslog Settings

Enabling DNS Resolution

Updating Signatures

File Management Configuration

Security Monitor receives data from a variety of devices and stores that data in a database at the user-specified location. Security Monitor captures and stores data flowing into its receiver process at high rates (approximately 100 events per second) for a sustained period and at even higher rates (up to 500 events per second) for periods of up to five minutes. Over time, receiving events at either rate can create performance issues because both disk space requirements and query time increase with the amount of data stored. Additionally, performing tasks such as database compaction and backup can require up to twice the size of the database in free disk space.


Note The capacity referenced above applies only to IDS events. The number of events per second that can be received from all sources will vary depending on the number of IDS events and other types of events being received and should fall in the range of 50-100 events per second for a sustained period and 200-500 events per second for periods up to five minutes.


To help maintain adequate disk space for proper operation and maintenance, you should redirect the backup and archive files away from the database disk.

This section contains the following topics:

Redirecting IP Log Files Away from the Database Disk

Redirecting Archive Files Away from the Database Disk

Redirecting Backup Files Away from the Database Disk

Redirecting IP Log Files Away from the Database Disk

The default IP Log file storage directory points to the same disk where the database files are located. You should redirect the files away from this disk to maintain adequate disk space for proper system operation. You can specify a mounted network drive to redirect the IP Log files to a different computer.

To change the root directory location for the IP Log files, follow these steps:


Step 1 Select Admin > System Configuration > IP Log Settings.

The IP Log Settings page appears. By default, the IP Log archive location is set to <NMSRoot>\MDC\secmon\iplogs.

Step 2 To redirect the IP Log files to another location, enter the new path in the Enter IP Log archive location field. You must provide the full path to the archive location, for example, d:\iplogs.

Step 3 Click Apply.


Redirecting Archive Files Away from the Database Disk

After installation, the default archive file storage directory always points to the same disk where the database files are located. You should redirect the files away from this disk. You can specify a mounted network drive to redirect the archive files to a different computer.


Note This change will affect pruning scripts that are run from the command line and pruning scripts that are run as part of a database rule.


To change the root directory location for the archive files, follow these steps:


Step 1 Select Admin > System Configuration > Prune Archive Location.

The Prune Archive Location page appears. By default, the prune archive location is set to <NMSRoot>\MDC\secmon\AlertPruneData.

Step 2 To redirect the archive files to another location, type the new path in the Pruning Archive location field. You must provide the full path to the archive location, for example, d:\ArchiveData.

Step 3 Click Apply.


Redirecting Backup Files Away from the Database Disk

The VPN/Security Management Solution (VMS) backup feature copies the databases and select files of the installed management and monitoring centers to a time-stamped directory, which is located on the installation disk by default. Regularly scheduled backups can quickly consume a large amount of disk space, adversely affecting the performance of the installed management and monitoring centers. You can prevent this problem by moving the default location of the backups to a separate local disk or to a mounted network drive.

To move the default destination for the backups, follow these steps:


Step 1 From the CiscoWorks Server Desktop, select VPN/Security Management Solution > Administration > Common Services > Preferences.

The Administrative Preferences page appears.

Step 2 Type a new path in the Backup Directory field. You should point the path to another local disk or to a mounted network drive.

Step 3 Click Apply.

A confirmation dialog appears.

Step 4 Click Yes to confirm the change, and then click OK to return to the Administrative Preferences page.


E-Mail Configuration

Security Monitor uses SMTP to send e-mail reports and notifications. Before you can send these notifications, you must designate an e-mail server and then verify that the mail messages are being processed by that server.


Step 1 Designate your e-mail server.

You need to specify the e-mail server that you will use to receive and forward the e-mail messages generated by Management Center for IPS Sensors (IPS MC) and Security Monitor.

For more information, see Specifying an Email Server.

Step 2 Verify connectivity to your mail server.

After specifying your e-mail server, you should verify that you have connectivity to the server and that the e-mail is being forwarded.

For more information, see Verifying E-Mail Connectivity.


Specifying an Email Server

You can specify the default email server that Security Monitor uses for event notifications and reports. By default, Security Monitor uses notifier.<vms_server_name> as the from address for messages. You can specify a different sender address to use for messages in the Sender Address field. Whether or not a domain name is appended to the messages depends upon your mail server configuration. Because many mail servers and spam filters reject messages whose sender is not a fully qualified mailbox (user@domain), it is safest to enter a real address in a domain that your mail server accepts rather than relying on the default.

To specify email server settings, follow these steps:


Step 1 Select Admin > System Configuration.

Step 2 Select Email Server from the TOC.

The Email Server page appears.

Step 3 Enter your email server in the Server Name field. You can enter either an IP address or a domain name.

Step 4 If you would like Security Monitor to use a specific email address as the sender for messages, enter the address in the Sender Address field. If you do not specify an address, Security Monitor uses notifier.<vms_server_name> as the from address.

Step 5 Click Apply to save your changes.

The email server you specify will be used to send event notifications and reports. The messages will be from the sender address you specified or notifier.<vms_server_name> if you did not specify an address.


Verifying E-Mail Connectivity

Security Monitor provides the blat utility for you to verify that your mail server can receive and forward e-mail messages generated by Security Monitor.

Before You Begin

Before using the blat utility, verify that you have network connectivity between your VMS server and your mail server. You can verify network connectivity using the ping and traceroute (tracert on Windows) utilities. From the command line on your VMS server, ping your mail server. If the ping fails, use traceroute to discover where the packets are being blocked. Keep in mind that ping only tests ICMP reachability; a firewall may block ICMP while permitting SMTP on TCP port 25, or the reverse, so a successful ping does not by itself prove that the SMTP port is reachable, and a failed ping does not prove that it is not.

To use blat, follow these steps:


Step 1 Open a command prompt on your Security Monitor server.

Step 2 Type blat - -t <your_e-mail_addr> -f me -server <email.example.com>, where <your_e-mail_addr> is your e-mail address and <email.example.com> is the hostname or IP address of your e-mail server. The lone hyphen after blat tells the utility to read the message body from standard input, which is why the next steps have you type the text yourself.

Step 3 Press Enter.

You may receive the message Failed to open registry key for Blat. Ignore this message.

Step 4 Type some text, press Control+Shift+Z, and then press ENTER.

The blat utility sends an SMTP message to the specified address using the designated mail server. If you do not receive the e-mail message in a reasonable amount of time, you should do the following:

Verify that you typed the blat command correctly. Enter blat with no parameters at the command prompt to see more information about the blat utility.

Verify the network connectivity between the VMS server and the mail server.

Verify that your mail server is receiving the message and forwarding it. Note that the sender given to blat above (-f me) is not a fully-formed "From" address. Make sure that neither your mail server nor any spam filter in front of it discards messages without fully-formed "From" addresses; if it does, either relax that rule for the VMS server or repeat the test with a real user@domain sender.
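The same check can be made with a script that sends a message with a fully formed From address and reports which stage of the SMTP exchange failed, separating "cannot reach the server" from "server rejected the message". This is an added example, not code from Security Monitor or from the blat utility; MAIL_SERVER, SENDER and RECIPIENT are assumed placeholders that you replace with your own values.

```python
"""SMTP connectivity check with a fully formed sender address.

Added example; it is not part of Security Monitor or the blat utility.
MAIL_SERVER, SENDER and RECIPIENT are assumed placeholder values.
"""
import smtplib
import socket
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

MAIL_SERVER = "email.example.com"          # assumed: the server named on the Email Server page
SENDER = "secmon-notifier@example.com"     # assumed: a real mailbox in a domain the server accepts
RECIPIENT = "you@example.com"              # assumed


def build_test_message(sender: str, recipient: str,
                       body: str = "Security Monitor SMTP test") -> EmailMessage:
    """Build a test message whose From header is a fully formed user@domain
    address, so filters that drop bare senders such as "me" do not eat it."""
    if "@" not in sender:
        raise ValueError(f"sender {sender!r} is not a fully formed address")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Security Monitor e-mail connectivity test"
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid()
    msg.set_content(body)
    return msg


def send_test_message(server: str, sender: str, recipient: str,
                      port: int = 25, timeout: float = 10.0) -> str:
    """Run the SMTP exchange and say which stage failed.

    Returns "sent" on success; otherwise a diagnostic that separates
    "cannot reach the server" (network or firewall) from "server rejected
    the sender or recipient" (mail server policy), which is the distinction
    the troubleshooting list above asks you to make.
    """
    msg = build_test_message(sender, recipient)
    try:
        with smtplib.SMTP(server, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            refused = smtp.send_message(msg)   # dict of recipients the server refused
            return f"recipient refused: {refused}" if refused else "sent"
    # smtplib exceptions derive from OSError, so they must be caught first.
    except smtplib.SMTPSenderRefused as exc:
        return f"sender {sender!r} rejected: {exc.smtp_code} {exc.smtp_error!r}"
    except smtplib.SMTPRecipientsRefused as exc:
        return f"recipient rejected: {exc.recipients}"
    except smtplib.SMTPException as exc:
        return f"SMTP error: {exc}"
    except (socket.timeout, OSError) as exc:
        return f"cannot reach {server}:{port} ({exc})"


if __name__ == "__main__":
    print(send_test_message(MAIL_SERVER, SENDER, RECIPIENT))
```

Run it on the VMS server itself, since that is the host whose path to the mail server matters. A "cannot reach" result points at routing or firewall rules; a "rejected" result points at the mail server's sender or relay policy.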


Syslog Settings

The options shown on the SYSLOG Settings page depend upon the platform your Security Monitor is running on. This is because Security Monitor for Windows and Security Monitor for Solaris differ in how they handle syslog messages:

Security Monitor for Windows contains a syslog message receiver. You can configure the listening port and syslog message forwarding for that receiver using the web-based interface.

Security Monitor for Solaris uses the Solaris syslog daemon to receive syslog messages. You need to use a command line utility to configure the syslog settings.

If you are unsure about the type of server you are using, simply look at the SYSLOG Settings page. The SYSLOG Settings page on Security Monitor for Windows contains editable fields. The SYSLOG Settings page on Security Monitor for Solaris does not; it contains the message "Use the utility /opt/CSCOpx/MDC/bin/ids/RxSyslogConf for syslog settings in solaris."


Note Security Monitor does not support TCP-based syslog monitoring.


This section contains the following topics:

Configuring Syslog Settings on a Windows Server

Configuring Syslog Settings on a Solaris Server

Configuring Syslog Settings on a Windows Server

The SYSLOG Settings page contains options for changing the listening port of the syslog message receiver. It also contains the options for forwarding syslog messages.

Figure 1-1 Syslog Settings

This section contains the following topics:

Changing the Syslog Listening Port on a Windows Server

Forwarding Syslog Messages on a Windows Server

Changing the Syslog Listening Port on a Windows Server

By default, Security Monitor uses UDP port 514 for monitoring syslog messages.

You can change the default listening port to avoid conflicts with other syslog monitoring software that may be installed on the server. After you change the listening port, verify that any devices already configured to forward syslog messages to Security Monitor are using the correct port. Because UDP syslog carries no authentication, a datagram with a forged source address is indistinguishable from a genuine one; restrict which hosts can reach the listening port with a host or network firewall, and update those rules whenever you change the port.

To change the syslog listening port, follow these steps:


Step 1 Select Admin > System Configuration.

Step 2 Select SYSLOG Settings from the TOC.

The SYSLOG Settings page appears.

Step 3 Enter the port number in the Listen on UDP Port field.

Step 4 To save your changes, click Apply.

Security Monitor uses the UDP port you specified to monitor syslog messages.


Forwarding Syslog Messages on a Windows Server

Security Monitor can forward syslog messages to another port on the same server or to another syslog server.

To forward syslog messages, follow these steps:


Step 1 Select Admin > System Configuration.

Step 2 Select SYSLOG Settings from the TOC.

The SYSLOG Settings page appears.

Step 3 Select the Forward Syslog Messages check box.

Step 4 Enter the hostname or IP address of the target syslog server in the IP Address/Host Name field.


Note If a hostname is entered, it must resolve to an IP address when you apply the changes. If it does not, the system prompts you to correct the information. During syslog message forwarding, if the hostname cannot be resolved, an error message is logged in the Audit Log.


If you want to forward the syslog messages to another port on the same server, enter localhost in the IP Address/Host Name field.

Step 5 Enter the target UDP port number in the Port field.

Step 6 To save your changes, click Apply.

All syslog messages are forwarded to the specified syslog server.
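The two settings above, a UDP listening port and a forward host and port, are what a syslog relay amounts to. The following added example (not Security Monitor code) shows a minimal receiver that parses the RFC 3164 PRI field, forwards accepted datagrams unchanged, and adds the one control the page's receiver lacks: a source allowlist, because nothing in UDP syslog authenticates the sender. The forward target, the allowed addresses and the sample messages in the test are assumed or constructed.

```python
"""Minimal UDP syslog receiver and forwarder.

Added example, not Security Monitor code. It mirrors the page's two
settings (listen port, forward host/port) and adds a source allowlist
because UDP syslog carries no authentication. Addresses are assumed.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional, Set

LISTEN_PORT = 514                               # page default; binding below 1024 needs privilege
FORWARD_TARGET = ("localhost", 1514)            # assumed: a second collector on the same host
ALLOWED_SOURCES = {"192.0.2.10", "192.0.2.11"}  # assumed: the devices that should be sending

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITY = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY[self.severity]


def parse_syslog(datagram: bytes) -> SyslogMessage:
    """Split the RFC 3164 PRI field (<facility*8 + severity>) from the message.

    A datagram without a valid PRI (missing, or above 191) is treated as <13>,
    user.notice, which is what RFC 3164 tells a relay to do instead of dropping it.
    """
    text = datagram.decode("utf-8", errors="replace")
    m = _PRI.match(text)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        return SyslogMessage(pri >> 3, pri & 7, m.group(2))
    return SyslogMessage(1, 5, text)


def accept(datagram: bytes, source_ip: str, allowed: Set[str]) -> Optional[SyslogMessage]:
    """Keep a datagram only if it comes from an allowlisted source and is
    non-empty and within the 1024-byte limit RFC 3164 gives for UDP syslog."""
    if source_ip not in allowed or not datagram or len(datagram) > 1024:
        return None
    return parse_syslog(datagram)


def serve(listen_port: int = LISTEN_PORT, target=FORWARD_TARGET,
          allowed: Set[str] = ALLOWED_SOURCES) -> None:
    """Receive on UDP listen_port and forward accepted datagrams unchanged."""
    # Resolve the forward target once, up front, as the page does at Apply time,
    # so a bad hostname fails here rather than per message.
    target_addr = (socket.gethostbyname(target[0]), target[1])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", listen_port))
        while True:
            datagram, (src_ip, _src_port) = sock.recvfrom(2048)
            msg = accept(datagram, src_ip, allowed)
            if msg is None:
                continue  # dropped: unknown source, empty, or oversized
            sock.sendto(datagram, target_addr)
            print(f"{src_ip} facility={msg.facility} {msg.severity_name}: {msg.text[:80]}")


if __name__ == "__main__":
    serve()
```

The forwarded datagram is sent byte for byte, so the downstream collector sees the original PRI and message; only the source address changes to that of the relay, which is also true of the page's forwarding feature and is worth remembering when the second collector has its own source filters.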


Configuring Syslog Settings on a Solaris Server

On Solaris, Security Monitor uses the syslog daemon, syslogd, to collect syslog messages. These messages are then recorded in a syslog message file. Security Monitor then reads the events from the message file.

You cannot use Security Monitor for Solaris to change the syslog listening port number (port 514) or to forward syslog messages. However, you can change the syslog message file used by syslogd and Security Monitor, and you can manage the size of the message file by manually pruning the syslog messages from the file.


Note The Solaris syslog daemon can forward syslog messages to remote hosts. To learn how to forward syslog messages on a Solaris server, refer to your Solaris syslogd documentation. You cannot change the syslog listening port on the supported Solaris servers.


You cannot configure these settings through the web interface. You must use the command-line utility RxSyslogConf to manage your syslog settings.

This section contains the following topics:

Changing the Syslog Message File on a Solaris Server

Purging the Syslog Message File on a Solaris Server

About the RxSyslogConf Utility

Changing the Syslog Message File on a Solaris Server

You can use the RxSyslogConf utility to change the name of the syslog message file used by syslogd and Security Monitor. By default, syslog messages are saved to and read from the /var/log/syslog_receiver.log file. You can use a different file at a different location, such as another file system, if you need to conserve space on the local disk.

When you change the syslog message file, you are actually pointing syslogd and Security Monitor to a different file (and creating that file if it does not already exist). The old syslog message file remains and contains the syslog data previously received.


Note When you change the syslog message file, syslog services are temporarily disabled.


To change the syslog message file, follow these steps:


Step 1 Open a command prompt on the server.

Step 2 Log in as root.

Step 3 Enter RxSyslogConf -c</path/filename>, where </path/filename> is the full path and filename of the new message file. There is no space between the -c and the path and filename. For example:

RxSyslogConf -c/my_logs/syslogs/my_syslogs.log

When the command has finished, the message "syslog service starting" appears. All incoming syslog messages are stored in and read from the new message file.


Purging the Syslog Message File on a Solaris Server

Security Monitor automatically purges your syslog message file whenever it reaches 16 MB. However, you may need to manually purge the file to temporarily free some disk space.


Note When you purge the syslog message file, syslog services are temporarily disabled.


To manually purge the syslog log file, follow these steps:


Step 1 Open a command prompt on the server.

Step 2 Log in as root.

Step 3 Enter RxSyslogConf -p.

When the command has finished, the message "syslog service starting" appears. All syslog messages are removed from the message file.


About the RxSyslogConf Utility

The RxSyslogConf utility, provided with the Solaris version of Security Monitor, is used to manipulate the syslog message file. You can use the utility to change the syslog message file used by syslogd and Security Monitor, or you can use it to manually remove all syslog messages from the file. This utility is located in the /opt/CSCOpx/MDC/bin/ids/ directory.

You need root permissions to run the RxSyslogConf utility.

Command Syntax

RxSyslogConf [-c</path/filename>] [-p]

Command Options

-c</path/filename>

Changes the file used by syslogd to store incoming syslog messages. Running this command also configures Security Monitor to retrieve the syslog messages from the new log file. When you change the syslog message file, the old syslog message file remains in the original location.

You must include the full path and file name when using this option.

Note Do not put a space between the -c switch and the path.

-p

Purges the syslog log file. Any messages that have not been retrieved by Security Monitor are read into the Security Monitor database before they are removed from the log file.


Examples

To change the syslog message file to my_syslogs.log located in the /my_logs/syslogs/ directory, enter the following command:

RxSyslogConf -c/my_logs/syslogs/my_syslogs.log

To change the name of the log file in the previous example to my_new_syslogs.log, enter the following command:

RxSyslogConf -c/my_logs/syslogs/my_new_syslogs.log

To purge the log file, enter the following command:

RxSyslogConf -p

Enabling DNS Resolution

You can enable DNS resolution when Security Monitor generates Firewall reports and decodes IP log and trigger packets. Keep in mind that resolving addresses taken from attack traffic sends reverse lookups to name servers that the remote party may control, which both slows report generation and reveals that the address is being examined; leave resolution off if either is a concern.

To enable DNS resolution, follow these steps:


Step 1 Select Admin > System Configuration > DNS Settings.

The DNS Settings page appears.

Step 2 To enable DNS resolution when Security Monitor generates Firewall reports, select the Enable DNS resolution while generating Firewall Reports check box.

Step 3 To enable DNS resolution when Security Monitor decodes IP log and trigger packets, select the Enable DNS resolution while decoding IP Log and Trigger Packet check box.

Step 4 Click Apply.

The settings you specified are saved.


Updating Signatures

Cisco Systems periodically releases updates of sensor signature versions and recommends that you check for and perform regular updates of the sensor signatures.


Note When using IPS MC, you can update the server and any sensors that you select. When using Security Monitor, you can use the information contained in this section to update the Security Monitor server but not the sensors; sensors are not (and cannot be) updated through Security Monitor.


You should understand the numbering system used for sensor software versions and signature release levels. For example:

4.1(4)S117—A 4.x sensor appliance or switch module or network module is operating with sensor software version 4.1, service pack 4, signature release level 117.

5.0(0.20)S135.0—A 5.x sensor appliance is operating with sensor software version 5.0, service pack 0.20, signature release level 135.0.

S117—An IOS IPS device is operating with signature release level 117.

You should also understand the update files:

Cisco releases its periodic updates of sensor software versions and signature release levels for its IDS sensors in the form of update files that are compressed (.zip). Security Monitor works with these compressed files directly; you should not extract anything from them.

There are four types of update files:

Major update files—In major update files, "maj" is contained in the filename.

Minor update files—In minor update files, "min" is used in the filename.

Service pack update files—In service pack update files, the letters "sp" precede the version number. When these update files are applied, they change the version number of a sensor. Service pack update files contain executable code; they affect the actual micro-engine software on the sensor.

Service pack update files are not available for IOS IPS devices; instead, you should install Cisco IOS updates as required.

Signature update files—Signature update filenames contain the letters "sig" before the version number for 4.x devices. Signature update files contain newly released signatures but not executable code. Signature update files contain signature updates for IOS IPS devices.

By inspecting the name of an update file, you can identify the device type (sensor appliance or IDSM), type of update (service pack or signature), version number, and signature release level. For example, the file IDS-K9-sp-4.1-4-S91.zip has the following characteristics:

IDS-K9—Applies to a sensor appliance.

sp—Contains a service pack update. Service pack updates include signature updates.

4.1—Applies to sensor software version 4.1.

4—Applies to Service Pack 4.

S91—Contains signature release level 91.

zip—The file is compressed but should not be extracted.

Update files are applied in different ways:

Service pack update files must be applied individually and sequentially. For 4.x devices, service pack update files can move major and minor version numbers; for 5.x devices, they change only the service pack number.

Signature update files do not need to be applied individually because they are cumulative. That is, a given revision level contains all signatures from previous levels. Signature update files can be applied only to sensors operating with the same version number, or with the same version number plus service pack designation. Signature update files can be applied only to sensors that are not already operating at that file's signature revision level.
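The naming scheme and the applicability rules above can be turned into a check that runs before you select a file on the Local File Signature Update page. The following added example (not Cisco or Security Monitor code) parses the documented filename layout, refuses anything that does not match it, and applies the two rules: a signature file must match the sensor's version plus service pack and raise its S level, and a service pack must be the next one in sequence. It assumes that signature files use the same layout as the sp example with "sig" in place of "sp"; the filenames in the test are constructed.

```python
"""Parse Cisco IDS update filenames and check which ones can be applied.

Added example, not Cisco or Security Monitor code. Assumes the layout
<product>-<kind>-<major>.<minor>-<sp>-S<level>.zip shown on the page for
service packs also holds for signature files ("sig" in place of "sp").
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

UPDATE_RE = re.compile(
    r"^(?P<product>[A-Za-z0-9]+(?:-K9)?)-(?P<kind>maj|min|sp|sig)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)-S(?P<sig>\d+)\.zip$"
)
# Sensor version strings such as 4.1(4)S117 or 5.0(0.20)S135.0; the 5.x
# sub-levels after the dots are ignored for these checks.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.\d+)?\)S(\d+)(?:\.\d+)?$")


@dataclass(frozen=True)
class SensorVersion:
    major: int
    minor: int
    sp: int
    sig: int

    @classmethod
    def parse(cls, text: str) -> "SensorVersion":
        m = VERSION_RE.match(text)
        if not m:
            raise ValueError(f"unrecognised sensor version {text!r}")
        return cls(*(int(g) for g in m.groups()))


@dataclass(frozen=True)
class UpdateFile:
    product: str
    kind: str
    major: int
    minor: int
    sp: int
    sig: int
    filename: str


def parse_update_filename(name: str) -> UpdateFile:
    """Reject anything that is not a recognised update file name. The Local
    Server download fetches every .zip it sees, so this is the filter."""
    m = UPDATE_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not a recognised update file name; do not apply it")
    return UpdateFile(m["product"], m["kind"], int(m["major"]), int(m["minor"]),
                      int(m["sp"]), int(m["sig"]), name)


def signature_update_applies(update: UpdateFile, sensor: SensorVersion) -> bool:
    """Signature files are cumulative but apply only to the same software
    version plus service pack, and only if they raise the sensor's S level."""
    same_version = (update.major, update.minor, update.sp) == (sensor.major, sensor.minor, sensor.sp)
    return update.kind == "sig" and same_version and update.sig > sensor.sig


def service_pack_is_next(update: UpdateFile, sensor: SensorVersion) -> bool:
    """Service packs are applied one at a time, in sequence (5.x rule)."""
    same_release = (update.major, update.minor) == (sensor.major, sensor.minor)
    return update.kind == "sp" and same_release and update.sp == sensor.sp + 1


def newest_applicable_signature(filenames: Iterable[str],
                                sensor: SensorVersion) -> Optional[UpdateFile]:
    """Because signature files are cumulative, only the highest applicable
    level needs to be applied; stray files are skipped rather than fatal."""
    candidates = []
    for name in filenames:
        try:
            update = parse_update_filename(name)
        except ValueError:
            continue
        if signature_update_applies(update, sensor):
            candidates.append(update)
    return max(candidates, key=lambda u: u.sig, default=None)
```

Run newest_applicable_signature over the contents of the updates directory before applying anything; a file that fails to parse should be removed from that directory rather than applied, since the page warns that renamed or unpacked files are not valid updates.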

This section contains the following topics:

Determining the Availability of New Signature Files and Downloading Them

Downloading Signature Updates Automatically

Updating Your Sensor Software Versions and Signature Release Levels

Determining the Availability of New Signature Files and Downloading Them

We recommend that you regularly check the Cisco Systems Software Center (Downloads) for updates of sensor software versions and signature release levels.


Tip You can subscribe to the Cisco IDS Active Update Notification to receive emails informing you of the most recent update files.


Update files are explained in detail in Updating Signatures. Each update file has a readme file associated with it to provide additional details.

To determine the availability of new signature files, follow these steps:


Step 1 If you are not already registered and authorized for Cisco Secure IDS Strong Crypto software, register with Cisco.com at http://www.cisco.com and log in.

Step 2 Navigate to www.cisco.com > [log in] > Technical Support > Downloads > CiscoWorks Software > VPN/Security Management Solution > Management Center for IDS Sensors > IPS MC Application Files.


Tip Use this download location for both IPS MC and Security Monitor.


Step 3 Click the name of an update file to download it.

If you are not already authorized to download Cisco Secure IDS Strong Crypto Software, you are prompted to submit an application. The approval process typically takes a few hours.

The Software Download page appears.

Step 4 Download the update file to ~CSCOpx/mdc/etc/ids/updates on the server.


Note Do not change the name of the update file. Also, do not extract (unzip) or otherwise perform operations on the update file.



Downloading Signature Updates Automatically

Cisco Systems periodically releases updates of sensor software versions and signature release levels for all types of its Cisco Intrusion Prevention System sensors—sensor appliances, IDS modules, network modules, and IOS IPS devices. Cisco Systems recommends that you check for and perform regular updates of sensor software versions and signature release levels on sensors that you have deployed. This also applies to your IPS MC and Security Monitor servers. Using this procedure, you can download signature updates automatically.

To download signature updates automatically, follow these steps:


Step 1 Select Admin > System Configuration.

Step 2 In the TOC, select Automatic Signature Download.

The Automatic Signature Download page appears.

Step 3 Select the radio button corresponding to the location that you want to download from:

Cisco.com

The Cisco.com download option requires that you understand the following information: Normally, for security reasons, your network operations center does not have direct access to the Internet. This means that IPS MC and Security Monitor servers in your NOC cannot connect to Cisco.com unless you use a proxy server. The Automatic Signature Download page allows you to specify the IP address, port, username and password for a proxy server. You must point to a server that provides access to the Internet and to Cisco.com.


Tip The proxy server sits between the IPS MC and Security Monitor servers and the Internet. HTTP traffic sent between the IPS MC and Security Monitor servers and Cisco.com must pass through it.


Local Server

The Local Server download option has a caveat: The Apache server specified as the local server must have the directory-listing module, mod_autoindex, enabled, because the download process discovers update files from the directory index.


Note You should not reference an IPS MC or Security Monitor Solaris server as the local host because it is missing this module.



Note If you select the Local Server download option, all files with the extension of .zip are downloaded, even if they are not valid signature update files. Because every .zip on that server is fetched regardless of its contents, serve updates from a directory that only trusted administrators can write to.


Step 4 Enter the CCO username and CCO password that are to be used as credentials for downloading the signature update file.


Tip To import the Cisco.com credentials that are associated with your CiscoWorks username, click Import My Ciscoworks CCO Login. Doing so retrieves the Cisco.com username, password, and e-mail address from the CiscoWorks database for the logged-in user.


Step 5 If you want to check for available downloads daily, select the Check every day at (HH:mm:ss) check box and enter a time in 24-hour format.

Step 6 Select the radio button corresponding to how you want to configure the server connection: Check and Download or Check only.

Step 7 Review the Last Checked at and Last time downloaded fields to determine when IPS MC last checked for, and when it last downloaded, available downloads.

Step 8 Complete the Proxy Server area:

a. If you want to use a proxy server, select the Enable check box and proceed to Step b. Otherwise, skip to Step 9.

b. In the Address field, enter the IP address of the proxy server.

c. In the Port field, enter the port that IPS MC uses to connect to the proxy server.

d. In the User Name field, enter a username that is valid on the proxy server.

e. In the Password field, enter the password corresponding to the username entered in the previous step.

Step 9 To save your changes, click Apply.

Step 10 To check for available downloads immediately, click Check Now.


Updating Your Sensor Software Versions and Signature Release Levels

Cisco Systems periodically releases updates of sensor signature versions and recommends that you check for and perform regular updates of the sensor signatures. Check the Cisco Systems Software Center (Downloads) regularly to determine if a new signature update file is available. For more information, see Determining the Availability of New Signature Files and Downloading Them.

To update your sensor software version and signature release level, follow these steps:


Step 1 In Security Monitor, select Admin > System Configuration.

Step 2 From the TOC, select Local File Signature Update.

The Update Network IDS Signatures page appears. All update files, if any, that have been downloaded to ~CSCOpx/mdc/etc/ids/updates on the server where you have installed Security Monitor are listed in the Update File list.

Step 3 Select an update file from the Update File list, and then click Apply.

The Update Summary page appears. It states that the update file will be applied to Security Monitor.

Step 4 Click Continue.

The server where you installed Security Monitor is updated. The update process is performed by a separate thread, so the Update Network IDS Signatures page appears again almost immediately.