Q. What is CiscoWorks Monitoring Center for Security?
A. CiscoWorks Monitoring Center for Security can view events from:
• Cisco® Network Prevention Systems (IPS)
• Cisco® Network Detection Systems (IDS)
• Cisco Switch IDS
• Cisco IOS® routers with Inline Intrusion Prevention System (IPS) functions
• Cisco IDS modules for routers
• Cisco PIX® Firewalls
• Cisco Catalyst® 6500 Series firewall services modules (FWSMs)
• Cisco Management Center for Cisco security agents
• CiscoWorks Monitoring Center for Security servers
CiscoWorks Monitoring Center for Security captures, stores, and provides viewing for these events. Cisco Systems® supplies reporting templates with the product. CiscoWorks Monitoring Center for Security 2.1 is a component of CiscoWorks VPN/Security Management Solution (VMS) 2.3. It is not sold separately.
Q. Will CiscoWorks Monitoring Center for Security work with network intrusion detection (IDS) sensors?
A. Yes. CiscoWorks Monitoring Center for Security will still monitor IDS 4.x sensors as well as IPS 5.0 sensors. CiscoWorks Monitoring Center for Security has dropped support for network intrusion detection (IDS) 3.x sensors.
Q. When upgrading to CiscoWorks Monitoring Center for Security, how do I migrate IDS 3.x events?
A. CiscoWorks Monitoring Center for Security no longer supports the receipt of IDS 3.x events from IDS 3.x sensors. If IDS 3.x events exist in the database upon upgrade, users will still be able to view these IDS 3.x events.
Q. Must I transition to IPS 5.0 in order to use IPS 5.0 related features offered by CiscoWorks Monitoring Center for Security?
Q. What are the new features in CiscoWorks Monitoring Center for Security 2.1?
A. CiscoWorks Monitoring Center for Security 2.1 includes several new features:
• Security Device Event Exchange (SDEE) server that can be used for hierarchical event monitoring, for IDS data only
• Support for Cisco IOS routers with inline intrusion prevention software
• Support for IPS 5.0, which lets the operator monitor network IPS sensors that communicate using the Security Device Event Exchange (SDEE) and subscribe to specific IPS event types, giving better control over which events are received
• New Action Types for IPS to include: Deny Attacker, Deny Flow, and Deny Packet
• New Risk Rating for IPS: the risk scaling algorithm is at the heart of increasing the confidence level of the analysis and allows the user to control the "paranoia" level at which they choose to take actions
• Filter Options: the ability to filter on Severity, Locality, Signature Family, Signature Name, Source/Destination Port, Risk Rating, Alarm Trait, and Sensor Name
• Copy and paste from Event Viewer
• Enhancements in the event viewer include performance improvements for event deletions and the addition of a new interface graphing capability
• Icon bar and console notifications for completion of reports, error situations, and system messaging
• Persistence of the preferred column ordering in the event viewer
• Flexible storage options for reports, including to the database or a file
• Additional reports for firewalls and Cisco security agents
• An increase in the number of active event rules, which help identify critical events and automate responses to them
• The ability to import Cisco IPS Sensor configurations from a remote Management Center for IPS Sensors server
Q. What operating systems are supported?
A. CiscoWorks Monitoring Center for Security 2.1 is available for Windows 2000 and Solaris 8.
Q. Does the software require HP OpenView as a prerequisite?
A. No. The software does not require HP OpenView.
Q. What is additionally required to receive Cisco Security Agent 4.0 events?
A. CiscoWorks Management Center for Cisco Security Agents needs to be installed. This software forwards the events to CiscoWorks Monitoring Center for Security.
Q. How can other systems retrieve events from CiscoWorks Monitoring Center for Security?
A. Systems can retrieve events from an SDEE server, which CiscoWorks Monitoring Center for Security supports.
Q. Can the number of events be limited from specific devices?
A. Event rate limiting is now supported per device for enhanced stability and robustness.