Using Management Center for IDS Sensors 1.2
Adding Sensors and Sensor Groups

Adding Sensors and Sensor Groups


IDS MC uses a hierarchy of groups and sensors. A group can contain sensors, other groups, or a combination of sensors and groups. When you start IDS MC, you always have at least one active, defined group—the Global group. The IDS MC hierarchy can contain many levels of groups and sensors, just as a folder in Windows 2000 can contain many levels of folders and files. Figure 4-1 illustrates an example of the IDS MC hierarchy.


Figure 4-1   The IDS MC Hierarchy Consisting of the Global Group, Groups, and Sensors


Notice the Global group in Figure 4-1.

The IDS MC hierarchy of groups and sensors enables you to configure more than one sensor at a time by configuring an entire group of sensors. Configuring more than one sensor at a time in this way is possible because a sensor can acquire settings from its parent group. A sensor must, in fact, acquire settings from its parent group if a parent defines those settings as mandatory. A child cannot override the values for such settings.

This chapter explains how to add groups and sensors to your IDS MC hierarchy and to perform other tasks.

Task List for Adding Sensors and Sensor Groups

From the Devices tab, you can add sensors that you want to manage with IDS MC. You can add and delete sensors, and you can add and delete sensor groups. However, you cannot delete the Global group. If you have established settings elsewhere, you can apply them to sensors and groups that you set up from the Devices tab.

For step-by-step procedures on performing a specific task, refer to the corresponding section.

Adding Sensors to a Sensor Group

You can add a sensor to any sensor group, including the Global group.

To add a sensor to a sensor group, follow these steps:


Step 1   Select Devices > Sensor.

The Sensor page appears.


Step 2   Click Add.

The Select Group page appears.


Step 3   Select the group you want to add a sensor to.

Step 4   Click Next.

The Enter Sensor Information page appears.


Step 5   Provide the information required by the Enter Sensor Information page:

a. Enter the IP address of the sensor.

b. Enter the NAT address of the sensor, if there is one.

c. Enter the sensor name.

d. To retrieve sensor settings from the sensor, select the Discover Settings check box.


Note    If you choose to discover settings, you may have to wait from 30 seconds to several minutes, depending upon the size and complexity of your network and its traffic.

e. Enter the user ID and password for Secure Shell (SSH) communications between your host and the sensor:

  • When you are using a sensor appliance, the user ID is netrangr, and the password is one that you assign.
  • When you are using an IDS module, the user ID is ciscoids, and the password is one that you assign.

f. If you want to use existing SSH keys, select the check box associated with that option. However, you cannot use SSH keys if you intend to use this sensor as a master blocking sensor.

For more information, see Learn More About the Secure Shell Protocol. Also, see Using SSH in IDS MC and Security Monitor.


Note    SSH supports two forms of authentication: password and public key. If you have set up a public key between IDS MC and the sensor, you can use that key by selecting the Use Existing SSH keys check box. If you have not set up the key, or if you do not want to use it, leave the Use Existing SSH keys deselected, and IDS MC will use SSH password authentication.

g. Click Next.

The Sensor Information page appears. In IDS MC 1.0, and in IDS MC 1.1 (and later versions) when the last sensor you added used sensor software version 3.x, the page appears as described in Step 6; in IDS MC 1.1 (and later versions) when the last sensor you added used sensor software version 4.x, a simplified version of this page appears, as described in Step 7.


Step 6   If you are using IDS MC 1.0 or if you are using IDS MC 1.1 (or a later version) and adding a 3.x sensor, provide the following information in the Sensor Information page:

a. Select the version number that you are using from the Version list box. If you have reached this point, the version must be 3.x.

b. Enter a comment (optional).

c. Enter the Host ID (typically the last octet of the IP address of the sensor).

d. Enter the Org Name.


Note    Use lowercase letters only in the Org Name field; do not use numbers, symbols, spaces, or capital letters. The Host ID and Org Name are case sensitive with respect to how postoffice processes audit events on the local host. Host names and Org Name values are not passed between different postoffice clients; only the Host ID and Org ID values are passed.

e. Enter the Org ID. The default value is 100.


Note    Within a postoffice domain, no sensor or sensor group can have the same Org ID/Host ID pair as another sensor or sensor group.

Step 7   If you are using IDS MC 1.1 (or a later version) and you are adding a sensor operating with sensor software 4.x, provide the following information in the Sensor Information page:

a. Select the version number that you are using from the Version list box. The version must be 4.x because you are using IDS MC 1.1 (or a later version).

b. Enter a comment (optional).

Step 8   Click Finish.

The Sensor page appears, updated with a record of the sensor you just added.
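The Sensor Information page enforces the naming rules from the notes above only at data-entry time. The following Python is an added example (not part of IDS MC or this guide) that checks a planned set of 3.x sensor records against those rules before you enter them: Org Name in lowercase letters only, Host ID in the range of an IP octet (and, by the convention stated in Step 6c, equal to the last octet of the sensor's IP address), and no two records in the same postoffice domain sharing an Org ID/Host ID pair. The record fields and sample values are constructed for the example.

```python
import re
from dataclasses import dataclass

ORG_NAME_RE = re.compile(r"^[a-z]+$")  # lowercase letters only, per the Org Name note


@dataclass(frozen=True)
class SensorRecord:
    """Fields the Enter Sensor Information / Sensor Information pages ask for (3.x sensor)."""
    name: str
    ip_address: str
    host_id: int
    org_name: str
    org_id: int = 100  # default Org ID given in Step 6e


def validate_record(rec: SensorRecord) -> list:
    """Return the problems found in one record; an empty list means it passes every rule."""
    problems = []
    if not ORG_NAME_RE.match(rec.org_name):
        problems.append("Org Name must be lowercase letters only (no digits, symbols, spaces, capitals)")
    if not 0 <= rec.host_id <= 255:
        problems.append("Host ID must fit in one IP octet (0-255)")
    octets = rec.ip_address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        problems.append("IP address is not a dotted-quad IPv4 address")
    elif int(octets[-1]) != rec.host_id:
        # Step 6c describes this as the usual convention, so it is reported, not enforced elsewhere.
        problems.append("Host ID does not equal the last octet of the IP address (page convention)")
    return problems


def find_duplicate_pairs(records) -> list:
    """Org ID/Host ID pairs used by more than one record in the same postoffice domain.

    Each entry is ((org_id, host_id), first_sensor_name, conflicting_sensor_name)."""
    seen = {}
    dupes = []
    for rec in records:
        pair = (rec.org_id, rec.host_id)
        if pair in seen:
            dupes.append((pair, seen[pair], rec.name))
        else:
            seen[pair] = rec.name
    return dupes
```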






Learn More About the Secure Shell Protocol

Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. For more information about SSH, see Designing Network Security by Merike Kaeo (Indianapolis: Cisco Press, 1999).


Note   IDS MC and Security Monitor make SSH available because of the importance of being able to transmit login information (including passwords) in an encrypted form.

The Secure Shell Working Group (SECSH) of the Internet Engineering Task Force (IETF) has the goal of updating and standardizing SSH. More information is available at http://www.ietf.org/html.charters/secsh-charter.html .

More information about using public keys for SSH authentication is available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html when using PuTTY (which is used with IDS MC and Security Monitor for Windows 2000) and at http://www.openssh.org/manual.html when using OpenSSH (which is used with IDS MC and Security Monitor for Solaris).

Using SSH in IDS MC and Security Monitor

IDS MC, and Security Monitor for some features, supports SSH for secure remote login to a sensor. Neither IDS MC nor Security Monitor manages SSH keys, however. The sensor software provides the SSH server, and IDS MC and Security Monitor provide support for an SSH Windows client—PuTTY—and an SSH Solaris client—OpenSSH.

Documentation for PuTTY is available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html . Documentation for OpenSSH is available at http://www.openssh.org/manual.html .

Version 1.0 of IDS MC and Security Monitor for Windows 2000 uses PuTTY 0.51. Version 1.1 of IDS MC and Security Monitor for Windows 2000 uses a customized version of PuTTY 0.53b. IDS MC and Security Monitor 1.1 for Solaris (the first Solaris version) use OpenSSH.

When using IDS MC or Security Monitor (any version) for Windows 2000, you should not install PuTTY, because the IDS MC and Security Monitor installation program installs a customized version of PuTTY for you. When using IDS MC or Security Monitor (any version) for Solaris, you do not need to download or install OpenSSH, because the installation program installs OpenSSH for you.

Directions for using SSH keys with PuTTY are available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html . Directions for using SSH keys with OpenSSH are available at http://www.openssh.org/manual.html .

PuTTY's Pageant utility is an SSH authentication agent. We recommend using Pageant to manage your keys in IDS MC for Windows 2000. More information on Pageant is available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html .

Sensor appliances running IDS software versions 3.x and later, and IDSMs running IDS software 3.1(1) and later, have a /usr/nr/.ssh directory. You must create the authorized_keys file (if it does not already exist) and then place that authorized_keys file in the /usr/nr/.ssh directory. Finally, you must place your public key in the authorized_keys file.

To use SSH keys in IDS MC or Security Monitor, follow these steps:


Step 1   To use SSH keys in IDS MC or Security Monitor for Windows 2000, follow these steps:

a. Use PuttyGen to generate your keys. Instructions are available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html .

b. Copy the public key to the sensor's ~/.ssh/authorized_keys file.

c. Save the private key. We recommend the name sensorname.key for the private key and we use it in this example.


Caution   Guard your private key carefully because of its importance to the security of your network, and back it up to a secure location.

d. Create a session for the sensor and perform the following steps:

a. At a command line prompt, enter putty.

b. Enter the hostname when prompted.

c. Click Protocol SSH.

d. Select System > Saved Sessions.

e. Select sensorname.key (the name of the saved session in this example) from the list box.

f. Click Load.

Your saved settings appear in the configuration panel.

g. Click Connection.

h. Enter the auto-login username: netrangr.

i. Click session.

j. Click SSH.

k. Enter the private key file for authentication: sensorname.key.

l. Enter save.

m. Enter cancel.

n. Enter putty@host name.

You will be prompted for the passphrase that you generated in Step 1a.

Step 2   To use SSH keys in IDS MC or Security Monitor for Solaris, follow these steps:

a. When using a sensor appliance, execute the script ~CSCOpx/MDC/bin/ids/secure_comm. This script is for managing the SSH key pair: Use it for generating, listing, and deleting an SSH key pair.

b. Copy the public key to the sensor's ~/.ssh/authorized_keys file.





Learn More About SSH Fingerprints

SSH fingerprints are described in the following material, which is quoted verbatim from the PuTTY User Manual (http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html ). PuTTY is copyright 1997-2001 Simon Tatham.

"If you are using SSH to connect to a server for the first time, you will probably see a message [similar to the following]:

"The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.

"The server's key fingerprint is: ssh-rsa 1024 7b:e5:6f:a7:f4:f9:81:62:5c:e3:1f:bf:8b:57:6c:5a

"If you trust this host, hit Yes to add the key to PuTTY's cache and carry on connecting.

"If you want to carry on connecting just once, without adding the key to the cache, hit No.

"If you do not trust this host, hit Cancel to abandon the connection.

"This is a feature of the SSH protocol. It is designed to protect you against a network attack known as spoofing: secretly redirecting your connection to a different computer, so that you send your password to the wrong machine. Using this technique, an attacker would be able to learn the password that guards your login account, and could then log in as . . . you and use the account for [his or her] own purposes.

"To prevent this attack, each server has a unique identifying code, called a host key. These keys are created in a way that prevents one server from forging another server's key. So if you connect to a server and it sends you a different host key from the one you were expecting, PuTTY can warn you that the server may have been switched and that a spoofing attack might be in progress.

"PuTTY records the host key for each server you connect to, in the Windows Registry. Every time you connect to a server, it checks that the host key presented by the server is the same host key [that was presented] the last time you connected. If it is not, you will see a warning, and you will have the chance to abandon your connection before you type any private information (such as a password) into it."

Handling Rejected SSH Fingerprints

Several situations can cause an SSH fingerprint to be rejected during the authentication process.

When an SSH fingerprint is rejected, you may see one of the following messages:

  • Error importing configuration files from the sensor: Could not find version in string "Unknown version"
  • Import failed. Please check the Audit Log for details

The IDS MC audit log will contain one of the following messages:

  • The SSH fingerprint has changed. Please refer to the documentation for instructions on how to handle rejected fingerprints.
  • sensorname: Error executing SSH while importing sensor version from the sensor - Sensor authentication error. Check username, passphrase, and SSH keys.

sensorname refers to the name of the affected sensor.


Caution   A rejected SSH fingerprint can indicate a spoofing attack on your network. Benign causes of a rejected SSH fingerprint include a change in a device on your network, such as a network card or an IP address. You can accept the rejected fingerprint, but the security of your network depends on your doing so only after you establish that the rejection is due to benign causes.

To accept a rejected SSH fingerprint, follow these steps:


Step 1   Run the following command:

C:\plink -ssh userid@ipAddress

where:

userid is usually netrangr for sensor appliances and ciscoids for IDSMs.

ipAddress is the IP address of the sensor.

You will see something similar to the following:

WARNING -POTENTIAL SECURITY BREACH! The server's host key does not match the one PuTTY has cached in the registry. This means that either the server administrator has changed the host key, or you have actually connected to another computer pretending to be the server. The new key fingerprint is: 1024 2a:c5:3f:aa:d4:59:82:1d:83:65:58:a1:4e:59:06:bf. If you were expecting this change and trust the new key, enter "y" to update PuTTY's cache and continue connecting. If you want to carry on connecting but without updating the cache, enter "n". If you want to abandon the connection completely, press Return to cancel. Pressing Return is the ONLY guaranteed safe choice. Update cached key? (y/n, Return cancels connection) Connection abandoned.

Step 2   Enter y.

Step 3   Enter the password of the sensor when prompted.

Step 4   Terminate the session by entering exit.

Step 5   Verify that the fingerprint was accepted by running the command again (Steps 1, 3, and 4).

This time you should not get the warning message and update cached key prompt.

Step 6   Verify that you can communicate normally with your sensor by using IDS MC.
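The host-key cache behaviour quoted from the PuTTY manual above, and the accept-only-after-verification rule in the Caution for rejected fingerprints, can be modelled in a few lines. The following Python is an added example (not code from PuTTY, IDS MC or this guide): it extracts the fingerprint from a plink/PuTTY host-key message, compares it with a per-host cache the way PuTTY compares against the Windows Registry, and only records a changed key once the operator has confirmed a benign cause. The warning text below is a constructed sample built from the message shown in Step 1.

```python
import re

# Constructed sample of the plink warning from Step 1; the fingerprint value is the one shown there.
PLINK_WARNING = (
    "WARNING -POTENTIAL SECURITY BREACH! The server's host key does not match the one PuTTY "
    "has cached in the registry. The new key fingerprint is: "
    "1024 2a:c5:3f:aa:d4:59:82:1d:83:65:58:a1:4e:59:06:bf. If you were expecting this change "
    "and trust the new key, enter \"y\" to update PuTTY's cache and continue connecting."
)

# Matches both forms on this page: "ssh-rsa 1024 7b:e5:..." and "1024 2a:c5:..." (16 hex pairs).
FINGERPRINT_RE = re.compile(
    r"fingerprint is:\s*(?:ssh-\w+\s+)?(\d+)\s+((?:[0-9a-f]{2}:){15}[0-9a-f]{2})", re.IGNORECASE
)


def parse_fingerprint(text: str):
    """Return (key bits, lowercase hex fingerprint) from a PuTTY/plink host-key message, or None."""
    m = FINGERPRINT_RE.search(text)
    return (int(m.group(1)), m.group(2).lower()) if m else None


def check_host_key(cache: dict, host: str, fingerprint: str) -> str:
    """Compare a presented fingerprint with the cached one for this host, as PuTTY does.

    'match'        : same key as last time, safe to continue.
    'unknown-host' : first contact; verify the fingerprint out of band before caching it.
    'changed'      : the rejected-fingerprint case; treat as possible spoofing until a benign
                     cause (new NIC, new IP address, reinstalled sensor) has been established.
    The cache is never modified here."""
    cached = cache.get(host)
    if cached is None:
        return "unknown-host"
    return "match" if cached == fingerprint.lower() else "changed"


def accept_fingerprint(cache: dict, host: str, fingerprint: str, verified_benign: bool) -> bool:
    """Equivalent of answering 'y' in Step 2, allowed only after the operator confirmed a benign cause."""
    if not verified_benign:
        return False
    cache[host] = fingerprint.lower()
    return True
```

In practice the operator's decision is still manual; the point of the model is that a 'changed' result never updates the cache on its own.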





Deleting Sensors from a Sensor Group

You can delete a sensor from any sensor group, including the Global group.

To delete a sensor from a sensor group, follow these steps:


Step 1   Select Devices > Sensor.

The Sensor page appears.


Step 2   In the tree, select the sensor that you want to delete.


Caution   If you choose to delete a sensor, IDS MC does not ask you to confirm your choice.

Step 3   Click Delete.

The Sensor page appears, updated to show that the sensor was deleted.






Creating Sensor Subgroups

You can add a subgroup to any sensor group, including the Global group.

To create a sensor subgroup, follow these steps:


Step 1   Select Devices > Sensor Group.

The Sensor Group page appears.


Step 2   In the tree, select the name of the sensor group that you want to add a subgroup to.

Step 3   Click Create Subgroup.

The Add Group page appears.


Step 4   In the Group Name field, enter the name of the subgroup you want to add. Next, select the Default (use parent values) radio button, or select the Copy settings from group radio button and select the name of the group from the associated list box.

Step 5   Click OK.

The Sensor Group page appears, showing the sensor subgroup that you just added.






Deleting Sensor Groups

You can delete a subgroup from any sensor group, including the Global group.

To delete a sensor group, follow these steps:


Step 1   Select Devices > Sensor Group.

The Sensor Group page appears.


Step 2   In the tree, select the group that you want to delete.


Caution   If you choose to delete a sensor group, IDS MC does not ask you to confirm your choice.

Step 3   Click Delete.

The Sensor Group page appears again, showing the parent of the group you just deleted.