Table of Contents

Security Monitor Overview

Monitoring Center for Security (Security Monitor) is part of the CiscoWorks family of applications. It runs on a CiscoWorks Server and provides a web-based interface for monitoring a variety of Cisco security devices. Additionally, Security Monitor provides the following features:

Version 1.2 of Security Monitor introduces several new features and support for Security Agent MC servers.

Web-Based Interface

Security Monitor provides a web-based interface, which allows remote access to the application. When accessing the CiscoWorks Server over an unsecure network, you can use CiscoWorks Server SSL connectivity to secure the session. Refer to the CiscoWorks Common Services documentation for more information about using SSL to connect to the CiscoWorks Server.

Supported Devices and Monitored Events

You can monitor security events from the following Cisco devices:

	Note   The Message Format column describes the protocol used to send event data to Security Monitor. y operational and configuration information for the specified interface or all interfaces. node-index Displays information about a specific PNNI logical node running on this switch, in the range of 1 to 8.
Syslog
Cisco IOS router with: IOS Firewall Cisco Intrusion Detection System software	IDS subsystem events	Syslog or postoffice (syslog recommended)
PIX Firewall	All firewall and IDS events	Syslog

Real-Time Event Viewer

Security Monitor Event Viewer provides a near real-time view of security events as they occur on your network. Near real-time refers to the slight delay that may occur as events are detected by your network devices and then propagated to your Security Monitor server. In most cases, this delay is negligible.

Event Viewer provides a tabular view of the incoming event data. The data is arranged in a hierarchal tree that allows you to drill down quickly to isolate problems and find trends in the event data. You can sort the view based on the various elements of the data, such as signature name. The ability to drill down and reorder the data provides a basic means to perform real-time event correlation.

Event Viewer also provides access to tools that provide additional security information. You can select groups of events to display as a graph. You can resolve IP addresses within events to hostnames. You can launch the Network Security Database to provide details about a signature. And, for some events, you can display "context" data, such as the traffic that actually triggered the event.

Event Notification

Using Event Rules, you can configure Security Monitor to send e-mail notifications when specific criteria are met. You can also use Event Rules to trigger custom scripts. Security Monitor does not support pager notifications directly; however, you can use pager notifications if you have an e-mail gateway to your paging system.

You can use Event Rules to create simple rules that provide notifications when a single event occurs. However, you gain their main benefit by using logical operators to create complex rules. These operators allow you to correlate the events or conditions that trigger the notification. You can also set thresholds that allow you to specify the number of times the criteria must be met before the notification is triggered. Using thresholds allows you to distinguish between purposeful events and random occurrences.

Event Reporting

Event reporting provides a snapshot view of security events on your network. Report filters, such as dates and event type, allow you to refine the information shown in the report. You can run reports on-demand or schedule them to be run regularly. By default, reports are stored in the database. However, you can export the report to an HTML file or send the report to one or more recipients through e-mail.

Event Correlation

Security Monitor supports basic event correlation through the Event Viewer, Event Rule, and Reporting subsystems.

When you start the Security Monitor Event Viewer with the setting to view "All IDS Alarms", you see the IDS alarms from all monitored devices. Reordering the columns in the Event Viewer provides you with a flexible view of event data, and multiple ways to correlate those events. You can then reorder the columns in the Event Viewer to correlate the events by specific attributes, such as source address, signature name, and so on. For example, by grouping the events in the Event Viewer by source address, signature name, and then by device, you can determine which devices detected a specific event from a specific source.

In the same manner, you can filter the reports to provide you with a correlated, snapshot view of your event data. Filter options include source and destination addresses of the events, device detecting the event, signature the event matched, and so on. These reports can be scheduled or produced on-demand, and can include information from all the monitored devices. They can also be run for a specific range of dates to provide a historical view of the data.

Event Rules provide an even more flexible manner of event correlation by allowing you to create logical relationships between the IDS events produced by all monitored devices, and then to send e-mail notifications or run a custom script based on the relationships that you define.

Note   Security Monitor does not provide correlation of non-IDS syslog events with IDS events using Event Rules.

New Features in Monitoring Center for Security (Security Monitor) Version 1.2

The following new features have been added to Security Monitor version 1.2: