Using Monitoring Center for Security 1.2
Configuring Devices to Monitor

Table of Contents

Configuring Devices to Monitor
Adding Device Information to Security Monitor
Configuring Devices to Send Events to Security Monitor
Displaying Monitored Device Status

Configuring Devices to Monitor


Configuring the devices you want to monitor is a two-step process.

First, you must add the device information to Security Monitor. The device information tells Security Monitor how to receive events from each monitored device. You can add a configuration for a device that Security Monitor cannot yet contact, using the communication settings that you specify; this lets you prepare Security Monitor for devices that you plan to deploy later.

Second, you must configure the devices to send event data to the Security Monitor server. The configuration includes the type of information that is sent to Security Monitor.

You can verify the configurations by viewing the connection status between Security Monitor and the postoffice and RDEP devices. You can also view information about subsystems of RDEP devices.

Adding Device Information to Security Monitor

You can use Security Monitor to monitor the following devices:

  • Cisco Intrusion Detection System Sensors
  • Cisco IOS routers
  • Cisco IDS Host Sensors
  • PIX Firewalls
  • Cisco Security Agents

You can use any of several methods to add device information to Security Monitor:

  • For all devices, you can enter the communication settings manually.
  • For Cisco Intrusion Detection System Sensors running postoffice software, you can import the postoffice settings directly from the device.
  • For Cisco Intrusion Detection System Sensors that you have configured in IDS MC, you can import the device settings from IDS MC.

After you add a device configuration in Security Monitor, you can edit the device configuration. When you edit a configuration, you use the same Enter Device Information page that you used to add the device configuration.

You can delete devices by selecting a device and clicking Delete. If you delete a device from Security Monitor, it is not deleted from IDS MC.

For more information about adding devices to Security Monitor, refer to the following sections.

Adding an RDEP Sensor

RDEP sensors are Cisco Intrusion Detection System Sensors based on version 4.0 or later sensor software. Before you can use Security Monitor to monitor an RDEP sensor, you must add the device configuration.

To add an RDEP sensor configuration, follow these steps:


Step 1   Select the Devices tab.

Step 2   Click Add at the bottom of the Devices page.

The Select Device Type page appears, listing the types of devices Security Monitor can monitor.

Step 3   Click the RDEP IDS radio button, and then click Next.

The Enter Device Information page appears.

Step 4   In the IP Address field, enter the IP address for the device you are adding.

Step 5   If NAT is applied to the address, enter the NAT address in the NAT Address Field. Leave this field blank if NAT is not applied to the device address.


Note    The NAT address is the address that is exposed to the Security Monitor server, not the actual address of the device.

Step 6   In the Device Name field, enter the device name for the device you are adding.

You can use alphanumeric characters and most keyboard characters in the Device Name field. You cannot use spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7   You can enter any comments about the device in the Description field. The text cannot exceed 512 characters.

Step 8   Select the Use Encryption check box if the device uses Transport Layer Security (TLS) encryption. By default, this option is selected.

Step 9   Enter the web server port number used by the RDEP device. The default value is 443.

Step 10   Enter a valid user name for the device in the Username field. The user name should be for an account with administrative privileges on the sensor.

Step 11   Enter the password associated with the specified user name in both the Password and the Confirm Password fields.

Step 12   Select the minimum event level that you want to monitor from the Minimum Event Level list. You can select one of the following levels:

  • Informational—Categorizes an event that is the result of standard activity on your network.
  • Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in Event Viewer in Security Monitor.
  • Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in Event Viewer in Security Monitor.
  • High—Categorizes the attack as highly severe. These attacks are shown with a red icon in Event Viewer in Security Monitor.

Step 13   To add the device, click Finish.

The page closes, and the device is added to the device list on the Devices page.





Adding a postoffice Sensor

A postoffice sensor is a Cisco Intrusion Detection System sensor based on version 3.x sensor software. Before you can use Security Monitor to monitor a postoffice device, you must add the device configuration to Security Monitor.

Before You Begin

Before you perform this procedure, you should collect the following information from your sensor:

  • Host ID
  • Organization name
  • Organization ID
  • postoffice port
  • Heartbeat interval

To add a device configuration, follow these steps:


Step 1   Select the Devices tab.

Step 2   Click Add at the bottom of the Devices page.

The Select Device Type page appears, listing the types of devices Security Monitor can monitor.

Step 3   Click the PostOffice IDS radio button, and then click Next.

The Enter Device Information page appears.

Step 4   In the IP Address field, enter the IP address for the device you are adding.

Step 5   If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6   In the Device Name field, enter the device name for the device you are adding.

You can use alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7   You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8   Using the information you gathered from the device, fill in the following fields:

a. Enter the device host ID in the Host ID field.

b. Enter the organization name in the Org Name field.

c. Enter the organization ID in the Org ID field.

d. Enter the postoffice port in the Port field.

e. Enter the heartbeat interval in the Heartbeat field.

Step 9   To add the device, click Finish.

The page closes, and the device is added to the device list on the Devices page.





Importing Communication Settings from postoffice Sensors

With postoffice-based Cisco Intrusion Detection System Sensors (sensors running sensor software version 3.x), you can discover the postoffice settings directly from the device. Discovery uses a Secure Shell (SSH) session.

SSH is a protocol for secure remote login and other secure network services over an insecure network. For more information about SSH, refer to the following:

  • Designing Network Security by Merike Kaeo (Indianapolis: Cisco Press, 1999).
  • The Secure Shell Working Group (SECSH) of the Internet Engineering Task Force (IETF) http://www.ietf.org/html.charters/secsh-charter.html. SECSH has the goal of updating and standardizing SSH.

Before you can use SSH to discover postoffice settings, you must configure the Security Monitor server with SSH.


Step 1   Create the public and private keys.

You need to configure Security Monitor and the sensor with the appropriate keys to create the SSH session.

For more information, see Using SSH in IDS MC and Security Monitor.

Step 2   Add the sensor information to Security Monitor.

You must add some basic sensor information before performing the discovery.

For more information, see Adding a postoffice Sensor Using Discovery.





Using SSH in IDS MC and Security Monitor

IDS MC, and Security Monitor for some features, support SSH for secure remote login to a sensor. Neither IDS MC nor Security Monitor manages SSH keys, however. The sensor software provides the SSH server; IDS MC and Security Monitor bundle an SSH client: PuTTY on Windows and OpenSSH on Solaris.

Documentation for PuTTY is available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html. Documentation for OpenSSH is available at http://www.openssh.org/manual.html.

More information about using public keys for SSH authentication is available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html when using PuTTY (which is used with IDS MC and Security Monitor for Windows 2000) and at http://www.openssh.org/manual.html when using OpenSSH (which is used with IDS MC and Security Monitor for Solaris).

Version 1.0 of IDS MC and Security Monitor for Windows 2000 uses PuTTY 0.51. Version 1.1 of IDS MC and Security Monitor for Windows 2000 uses a customized version of PuTTY 0.53b. IDS MC and Security Monitor 1.1 for Solaris (the first Solaris version) use OpenSSH.


Note   When using IDS MC or Security Monitor (any version) for Windows 2000, you should not install PuTTY, because the IDS MC and Security Monitor installation program installs a customized version of PuTTY for you. When using IDS MC or Security Monitor (any version) for Solaris, you do not need to download or install OpenSSH, because the installation program installs OpenSSH for you.

Directions for using SSH keys with PuTTY are available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html. Directions for using SSH keys with OpenSSH are available at http://www.openssh.org/manual.html.

PuTTY's Pageant utility is an SSH authentication agent. We recommend using Pageant to manage your keys in IDS MC for Windows 2000. More information on Pageant is available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html.

Sensor appliances running IDS software versions 3.x and later, and IDSMs running IDS software 3.1(1) and later, have a /usr/nr/.ssh directory. If the authorized_keys file does not already exist in /usr/nr/.ssh, create it there. Then place your public key in the authorized_keys file.

To use SSH keys in IDS MC or Security Monitor, follow these steps:


Step 1   To use SSH keys in IDS MC or Security Monitor for Windows 2000, follow these steps:

a. Use PuttyGen to generate your keys. Instructions are available at http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html.

b. Copy the public key to the sensor's ~/.ssh/authorized_keys file (/usr/nr/.ssh/authorized_keys on a sensor appliance).

c. Save the private key. We recommend the name sensorname.key for the private key and we use it in this example.


Caution   Guard your private key carefully because of its importance to the security of your network, and back it up to a secure location.

d. Create a saved session for the sensor:

a. At a command line prompt, enter putty.

b. In the Host Name field, enter the sensor's hostname.

c. Under Protocol, select SSH.

d. Select Session > Saved Sessions.

e. Select sensorname.key (the name of the saved session in this example) from the list box.

f. Click Load.

Your saved settings appear in the configuration panel.

g. Click Connection.

h. In the Auto-login username field, enter netrangr.

i. Click Session.

j. Click SSH.

k. In the Private key file for authentication field, enter sensorname.key.

l. Click Save.

m. Click Cancel.

n. At a command line prompt, enter putty @sessionname, where sessionname is the name of the saved session, to open the session.

You are prompted for the passphrase that you set in Step 1a.

Step 2   To use SSH keys in IDS MC or Security Monitor for Solaris, follow these steps:

a. When using a sensor appliance, execute the script ~CSCOpx/MDC/bin/ids/secure_comm. This script manages the SSH key pair: use it to generate, list, and delete a key pair.

b. Copy the public key to the sensor's ~/.ssh/authorized_keys file (/usr/nr/.ssh/authorized_keys on a sensor appliance).
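The following is an added example, not Cisco code, that scripts the authorized_keys step from this section (Step 1b and Step 2b, and the /usr/nr/.ssh requirement above) so it can be pushed to many sensors without hand-editing. The sample key is a constructed placeholder, and the 0700/0600 permissions it enforces are an assumption about the sensor's sshd (OpenSSH-style servers refuse an authorized_keys file that is group- or world-writable); the page itself only says to create the file and put the key in it.

```python
"""Install a Security Monitor SSH public key on a 3.x sensor.

Added example (not Cisco code). It creates the .ssh directory and the
authorized_keys file if they are missing, appends the public key once,
and sets the permissions an OpenSSH-style sshd expects (assumption).
"""
import os
import stat
import tempfile

# Constructed placeholder, not a real key. On a real deployment this is the
# public half produced by PuTTYgen (OpenSSH format) or by secure_comm.
SAMPLE_PUBKEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderplaceholderplaceholder== "
    "secmon@smon-server"
)


def install_public_key(ssh_dir, pubkey):
    """Append pubkey to <ssh_dir>/authorized_keys if it is not already there.

    Returns True when the key was added, False when it was already present.
    ssh_dir is /usr/nr/.ssh on a sensor appliance (netrangr's home); the
    demo below uses a scratch directory instead.
    """
    pubkey = pubkey.strip()
    if not pubkey or "\n" in pubkey or not pubkey.startswith("ssh-"):
        raise ValueError("expected a single-line OpenSSH public key")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # umask may have widened the mode at creation
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [line.strip() for line in f if line.strip()]
    added = pubkey not in existing
    if added:
        with open(path, "a") as f:
            f.write(pubkey + "\n")
    os.chmod(path, 0o600)
    return added


def permission_problems(ssh_dir):
    """Return findings that would make an OpenSSH-style sshd ignore the file."""
    problems = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & 0o077:
        problems.append(f"{ssh_dir}: mode {dir_mode:04o} is group/world accessible")
    path = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(path):
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
        if file_mode & 0o022:
            problems.append(f"{path}: mode {file_mode:04o} is group/world writable")
    return problems


def demo():
    """Run the install twice against a scratch directory and report the outcome."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    first = install_public_key(ssh_dir, SAMPLE_PUBKEY)
    second = install_public_key(ssh_dir, SAMPLE_PUBKEY)  # idempotent: no duplicate line
    with open(os.path.join(ssh_dir, "authorized_keys")) as f:
        key_lines = [line for line in f.read().splitlines() if line]
    return {"first_added": first, "second_added": second,
            "key_lines": len(key_lines), "problems": permission_problems(ssh_dir)}


if __name__ == "__main__":
    print(demo())
```

When the key comes from PuTTYgen, paste the line PuTTYgen labels as the public key for an OpenSSH authorized_keys file rather than the contents of the saved .pub file, which is in a different format. Running install_public_key as netrangr keeps the file owned by the account sshd checks.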





Adding a postoffice Sensor Using Discovery

Before you can use Security Monitor to monitor a postoffice device, you must add or import the device configuration to Security Monitor. You can import device configurations for sensors that you configured using IDS MC. For more information about importing a device configuration, see Importing Sensor Information from IDS MC.

Before You Begin

Before you perform this procedure, you must have configured the public and private keys on Security Monitor and the sensor.

To add a device configuration, follow these steps:


Step 1   Select the Devices tab.

Step 2   Click Add at the bottom of the Devices page.

The Select Device Type page appears, listing the types of devices Security Monitor can monitor.

Step 3   Click the PostOffice IDS radio button, and then click Next.

The Enter Device Information page appears.

Step 4   In the IP Address field, enter the IP address for the device you are adding.

Step 5   If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6   In the Device Name field, enter the device name for the device you are adding.

You can use alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7   You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8   To manually define the postoffice settings, enter the host ID, organization name, organization ID, port, and heartbeat for the device.

Step 9   To use SSH, select the Discover PostOffice Settings using SSH check box. Then, enter the user ID and password for SSH communications between Security Monitor and the sensor.

  • For a sensor appliance, the user ID is netrangr, and the password is one that you assign.
  • For an IDSM, the user ID is ciscoids, and the password is one that you assign.

To use existing SSH keys, select the Use Existing SSH Keys check box.

Step 10   To add the device, click Finish.

The page closes, and the device is added to the device list on the Devices page.





Adding a PIX Firewall or Cisco IDS Host Sensor

PIX Firewalls and Cisco IDS Host Sensors use syslog messages to communicate with Security Monitor.

You do not have to add syslog devices, because Security Monitor accepts syslog traffic from any source on its syslog UDP port (514 by default). However, if you want the device name to appear in reports instead of the device IP address, add the device configuration to Security Monitor.


Note   When adding Cisco IDS Host Sensors to Security Monitor, you add the Cisco IDS Host Console, which aggregates the host sensor information and forwards it to Security Monitor.

To add a device configuration, follow these steps:


Step 1   Select the Devices tab.

Step 2   Click Add at the bottom of the Devices page.

The Select Device Type page appears, listing the types of devices Security Monitor can monitor.

Step 3   Click the PIX or Host IDS radio button, depending upon the type of device being added, and then click Next.

The Enter Device Information page appears.

Step 4   In the IP Address field, enter the IP address for the device you are adding.

Step 5   If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6   In the Device Name field, enter the device name for the device you are adding.

You can use alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7   You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8   To add the device, click Finish.

The page closes, and the device is added to the device list on the Devices page.





Adding a Cisco IOS router

Cisco IOS routers can use syslog messages or postoffice to communicate with Security Monitor.

If the Cisco IOS router uses syslog to send event data, you do not have to add the device, because Security Monitor accepts syslog traffic from any source on its syslog UDP port (514 by default). However, if you want the device name to appear in reports instead of the device IP address, add the device configuration to Security Monitor.
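The following is an added example, not Security Monitor code, that illustrates the syslog behaviour described for PIX Firewalls and Cisco IDS Host Sensors above and for Cisco IOS routers here: the collector parses whatever arrives on the UDP port, and the only thing that ties a message to a device is the datagram's source address, so a device that was never added is labelled by its IP. The device table, source addresses and datagrams are constructed samples; the %PIX-sev-id and %FACILITY-sev-MNEMONIC message shapes are the standard PIX and IOS syslog forms.

```python
"""Parse syslog datagrams the way a collector on UDP 514 receives them.

Added example, not Security Monitor code. Source addresses come from
recvfrom() on the real socket; here they are constructed alongside
the payloads.
"""
import re
from collections import namedtuple

SyslogEvent = namedtuple("SyslogEvent", "source facility severity msg_id text")

# RFC 3164 PRI header: <facility*8 + severity>
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# PIX: %PIX-<severity>-<6-digit message id>: text
PIX_RE = re.compile(r"%PIX-(\d)-(\d{6}):\s*(.*)")
# IOS: %FACILITY-<severity>-MNEMONIC: text
IOS_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)")

# What the Devices page would hold after two devices were added (constructed).
DEVICES = {"10.1.1.1": "pix-edge", "10.1.2.1": "ios-branch"}


def parse_syslog(source_ip, datagram):
    """Split a raw datagram into facility, severity and the Cisco message ID."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    body = m.group(2)
    pm = PIX_RE.search(body)
    if pm:
        msg_id, text = f"PIX-{pm.group(1)}-{pm.group(2)}", pm.group(3)
    else:
        im = IOS_RE.search(body)
        if not im:
            raise ValueError("not a Cisco %FACILITY-SEVERITY-MNEMONIC message")
        msg_id = f"{im.group(1)}-{im.group(2)}-{im.group(3)}"
        text = im.group(4)
    return SyslogEvent(source_ip, facility, severity, msg_id, text)


def display_name(source_ip, devices=DEVICES):
    """Device name if the device was added on the Devices page, else the raw IP."""
    return devices.get(source_ip, source_ip)


# (source address, datagram payload) pairs; all three are constructed samples.
# The third comes from a firewall that was never added to Security Monitor.
SAMPLES = [
    ("10.1.1.1", '<164>Jan 05 2004 10:15:01: %PIX-4-106023: Deny tcp src '
                 'outside:192.0.2.10/3456 dst inside:10.1.1.50/22 by access-group "outside_in"'),
    ("10.1.2.1", "<188>123: *Mar  1 00:12:34: %IDS-4-TCP_SYN_ATTACK_SIG: "
                 "Sig:3050:Half-Open Syn Flood - from 192.0.2.20 to 10.1.2.50"),
    ("10.9.9.9", "<166>Jan 05 2004 10:15:02: %PIX-6-302013: Built inbound TCP "
                 "connection 5 for outside:192.0.2.11/1234 to inside:10.1.1.51/80"),
]


def report(samples=SAMPLES, devices=DEVICES):
    """Rows as a report would show them: device label, severity, message ID."""
    rows = []
    for src, dgram in samples:
        ev = parse_syslog(src, dgram)
        rows.append((display_name(src, devices), ev.severity, ev.msg_id))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Because nothing in the datagram authenticates its origin, a forged UDP packet with a spoofed source address is labelled with whatever device name that address maps to; the device table changes how a report reads, not whether a message is trusted. The NAT Address field matters here for the same reason: the table must be keyed by the address the collector actually sees.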

Before You Begin

If you are using postoffice, you should collect the following information from your Cisco IOS router before performing this procedure:

  • Host ID
  • Organization name
  • Organization ID
  • postoffice port
  • Heartbeat interval

To add a device configuration, follow these steps:


Step 1   Select the Devices tab.

Step 2   Click Add at the bottom of the Devices page.

The Select Device Type page appears, listing the types of devices Security Monitor can monitor.

Step 3   Click the IOS IDS radio button, and then click Next.

The Enter Device Information page appears.

Step 4   In the IP Address field, enter the IP address for the device you are adding.

Step 5   If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6   In the Device Name field, enter the device name for the device you are adding.

You can use alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7   You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8   If the Cisco IOS router is configured to use postoffice, select the Uses Postoffice check box and enter the information you gathered from the device:

a. Enter the device host ID in the Host ID field.

b. Enter the organization name in the Org Name field.

c. Enter the organization ID in the Org ID field.

d. Enter the postoffice port in the Port field.

e. Enter the heartbeat interval in the Heartbeat field.

Step 9   To add the device, click Finish.

The page closes, and the device is added to the device list on the Devices page.





Adding Cisco Security Agents

Security Monitor does not receive alarm data directly from the individual Cisco Security Agents. Instead, Security Monitor receives alarm data from the Management Center for Cisco Security Agents (Security Agent MC), which aggregates the Security Agent information and forwards it to Security Monitor. Security Monitor uses a secure HTTP (SSL) session to communicate with the Security Agent MC server.


Note   You do not have to perform any additional configuration steps on the Security Agent MC server to receive alarms in Security Monitor. All configuration steps are performed on the Security Monitor server.

Before You Begin

You must have a Security Agent MC server administrative account before performing this procedure. Although you can use an existing administrative account, we recommend that you set up an administrative account on the Security Agent MC server specifically for use with Security Monitor.

You need to obtain the following information from your Security Agent MC server to complete this procedure:

  • The "Issued To" name of the certificate used for the SSL connection to the Security Agent MC server. This is typically the host name of the server.
  • An administrative account username.
  • The password for the selected administrative account.

To configure Security Monitor to receive alarms from Security Agent MC, follow these steps:


Step 1   Select the Devices tab.

The Devices page appears.

Step 2   Click Add at the bottom of the Devices page.

The Select Device Type page appears, listing the types of devices Security Monitor can monitor.

Step 3   Click the CSAMC radio button in the list of device types, and then click Next.

The Enter Device Information page appears.

Step 4   In the IP Address field, enter the IP address for the device you are adding.

Step 5   If NAT is applied to the address, enter the NAT address in the NAT Address field. Leave this field blank if NAT is not applied to the device address.

Step 6   In the Device Name field, enter the hostname for the Security Agent MC you are adding.

You can use alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carets (^), vertical bars, parentheses, and pound signs (#) are invalid characters. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 7   You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 8   Enter the Security Agent MC server certificate name in the Certificate Common Name field. This is typically the fully qualified host name of the server.

Step 9   Enter the port used by the Security Agent MC server for HTTPS communication in the Web Server Port field. The default value is 443.

Step 10   Enter the username for an administrative account on the Security Agent MC server in the Username field.

Step 11   Enter the password for the administrative account in the Password field. Re-enter the password in the Confirm Password field.

Step 12   Select the minimum event that you want to monitor from the Monitor Event Level list. You can select from the following levels:

  • Informational—Categorizes an event that is the result of standard activity on your network. These events are shown with a blue icon in Event Viewer.
  • Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in Event Viewer.
  • Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in Event Viewer.
  • High—Categorizes the attack as highly severe. These attacks are shown with a red icon in Event Viewer.

The default is Medium.

Step 13   To add the device, click Finish.

The page closes, and the Security Agent MC server is added to the device list on the Devices page.





Importing Sensor Information from IDS MC

If you use IDS MC to configure your sensors, you can import the device configurations into Security Monitor from the database.

To import a device configuration, follow these steps:


Step 1   Select Devices.

The Devices page appears.

Step 2   Click Import.

The Enter IDS MC Server Information page appears.

Step 3   Enter the IP address or hostname of your IDS MC server in the IP Address/Host Name field.

Step 4   Enter the port number the IDS MC server uses in the Web Server Port field.


Note    This port number is configured when you install CiscoWorks Common Services. The default is 443.

Step 5   Enter a username in the Username field. This must be an administrative user account for the specified IDS MC server.

Step 6   Enter a password in the Password field. This must be a valid password for the user account for the specified IDS MC server.

Step 7   Click Next.

The Select Devices page appears. The Select Devices page contains a table that lists the devices discovered from your IDS MC server.

Step 8   Select the check box next to the device that you want to import configurations for. You can select multiple devices. Then, click Next.


Tip You can select all the devices by selecting the check box in the title row of the table.

The Update NAT Addresses page appears.

Step 9   For each device that you need to update the NAT address for, follow these steps:

a. Click the NAT Address cell to the right of the device.

b. Enter a new NAT address.

Step 10   Click Finish.

The Import Summary page appears and lists the devices you imported.

Step 11   Click OK.

The Devices page appears. The imported devices now appear in the devices table.





Viewing Device Configuration Details

This procedure provides the basic steps for viewing detailed information about a device configuration. You cannot edit device settings from the View Device page.

To view a device configuration, follow these steps:


Step 1   Select Devices.

The Devices page appears.

Step 2   Click the radio button next to the device that you want to view.

Step 3   Click View.

The View Device page displays information about the selected device.

Step 4   Click OK to return to the Devices page.





Editing a Device Configuration

Editing a device configuration is similar to adding a device configuration. When you edit a configuration, you use the same Enter Device Information page that you used to add the device configuration.

To edit a device configuration, follow these steps:


Step 1   Select the Devices tab.

Step 2   Click the radio button next to the device that you want to edit. Then, click Edit.

The Enter Device Information page appears.

Step 3   Make any necessary changes to the fields that you want to revise.

Step 4   To save your changes, click Finish.

The page closes and the changes you made are saved to the device configuration.





Deleting a Device Configuration

You can delete device configurations of devices that you no longer want to monitor.


Note   Device configurations that you delete from Security Monitor are not deleted from IDS MC.

To delete a device configuration, follow these steps:


Step 1   Select the Devices tab.

Step 2   Click the radio button next to the device that you want to delete. Then, click Delete.

The device configuration is deleted from Security Monitor.


Note    You cannot recover a deleted device configuration.





Configuring Devices to Send Events to Security Monitor

After specifying the devices you want Security Monitor to monitor, you must configure those devices to send their event data to the Security Monitor server.

Configuring postoffice-based Cisco Intrusion Detection System Sensors

To send event data to a Security Monitor server, you must use IDS MC to identify the Security Monitor server as a remote host on the sensor.

To specify the Security Monitor server as a remote host for a sensor, follow these steps:


Step 1   Log in to IDS MC.

Step 2   Select Configuration > Settings.

Step 3   Click the Object Selector handle to open the Object Selector.

Step 4   From the Object Selector, select the sensor you want to configure.

Step 5   From the TOC, select Communications > Remote Hosts.

The Remote Hosts page appears.


Step 6   To add your Security Monitor server, click Add.

The Enter Remote Host page appears.


Step 7   Enter the IP address of your Security Monitor server in the IP Address field.

Step 8   To enable the sensor to send its audit event stream to your Security Monitor server, select the Send Events check box.

Step 9   Select the service from the Service list box. Four services, also called daemons, are available:

  • loggerd
  • eventd
  • smid
  • managed

Step 10   Select the minimum event level to be sent to the remote host from the Minimum Event Level list box.

You can select one of the following values:

  • Info—Categorizes an event that is the result of standard activity on your network.
  • Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in Event Viewer in Security Monitor.
  • Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in Event Viewer in Security Monitor.
  • High—Categorizes the attack as highly severe. These attacks are shown with a red icon in Event Viewer in Security Monitor.

Step 11   Enter a comment (optional).

Step 12   Enter the hostname.

Step 13   Enter the host ID, which typically is the last octet of the IP address of your Security Monitor server.

Step 14   Enter the organization name and organization ID.


Note    Use only lowercase letters to define organization names. Do not include spaces within the organization name. The hostname and organization name are case sensitive with respect to how postoffice processes audit events on the local host. Hostnames and organization names are not passed between postoffice clients; only the Host ID and Org ID values are passed between postoffice clients.


Note    Within a postoffice domain, each organization ID/host ID pair must be unique. That is, no sensor, sensor group, or remote host can have the same organization ID/host ID pair as another sensor, sensor group, or remote host.

Step 15   To modify the interval at which the sensor's postoffice verifies that this remote host is still reachable over the network, enter that value in the Heartbeat Timeout field.

To check availability, the sensor's postoffice sends a postoffice packet to each known client and waits for a response packet. If no response arrives, postoffice assumes that the route to that client is no longer available and issues a route down audit event. The heartbeat value is a whole number of seconds that postoffice waits between checks.

Step 16   To specify a postoffice port other than the default, enter the new value in the Postoffice Port field.

Step 17   To discard your changes and close the Enter Remote Host page, click Cancel.

Step 18   To save your changes and close the Enter Remote Host page, click OK.

The Remote Hosts page appears, showing the remote host that you just added.

Step 19   You must generate and deploy the configuration before your changes take place.
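The following is an added example, not IDS MC code, that applies the rules from the two notes in this procedure (lowercase organization names with no spaces, a unique organization ID/host ID pair for every postoffice client in a domain, a whole-number heartbeat) to a table of remote hosts before you type them into IDS MC, where a duplicate pair would only surface as a routing failure later. The sample hosts are constructed; the 45000 default postoffice port and the last-octet host ID convention are assumptions carried over from 3.x sensor practice.

```python
"""Check a postoffice domain for naming and identity collisions.

Added example, not IDS MC code. Catches the mistakes the notes above
warn about before the configuration is generated and deployed.
"""
from collections import namedtuple

PostofficeHost = namedtuple(
    "PostofficeHost", "hostname org_name host_id org_id ip port heartbeat")


def host_problems(h):
    """Per-host rule violations; an empty list means the host is acceptable."""
    problems = []
    if not h.org_name or h.org_name != h.org_name.lower() or " " in h.org_name:
        problems.append(
            f"{h.hostname}: org name {h.org_name!r} must be lowercase with no spaces")
    if not h.hostname or " " in h.hostname:
        problems.append(f"{h.hostname!r}: hostname must be non-empty without spaces")
    for field in ("host_id", "org_id", "port", "heartbeat"):
        value = getattr(h, field)
        if not isinstance(value, int) or value <= 0:
            problems.append(f"{h.hostname}: {field} must be a positive whole number")
    return problems


def host_id_hint(h):
    """Non-fatal note when the host ID is not the last octet of the IP address."""
    last_octet = int(h.ip.rsplit(".", 1)[-1])
    if h.host_id != last_octet:
        return f"{h.hostname}: host ID {h.host_id} differs from last octet {last_octet}"
    return None


def domain_problems(hosts):
    """All violations for one postoffice domain, including duplicate ID pairs.

    Only org ID and host ID travel between postoffice clients, so two hosts
    with the same pair are indistinguishable on the wire whatever their names.
    """
    problems = []
    seen = {}
    for h in hosts:
        problems.extend(host_problems(h))
        key = (h.org_id, h.host_id)
        if key in seen:
            problems.append(f"{h.hostname} and {seen[key]} both use org ID/host ID {key}")
        else:
            seen[key] = h.hostname
    return problems


# Constructed domain: one sensor, the Security Monitor server, and a second
# sensor whose entry reuses the first sensor's identity and has a bad org name.
SAMPLE_DOMAIN = [
    PostofficeHost("sensor1", "hq", 10, 100, "10.0.0.10", 45000, 5),
    PostofficeHost("secmon", "hq", 20, 100, "10.0.0.20", 45000, 5),
    PostofficeHost("sensor2", "HQ Ops", 10, 100, "10.0.0.30", 45000, 5),
]


if __name__ == "__main__":
    for p in domain_problems(SAMPLE_DOMAIN):
        print(p)
    for h in SAMPLE_DOMAIN:
        hint = host_id_hint(h)
        if hint:
            print("note:", hint)
```

Run the check over every sensor, sensor group and remote host in the domain at once, not per sensor, because the uniqueness rule spans the whole domain.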





Configuring RDEP-based Cisco Intrusion Detection System Sensors

To allow a Security Monitor server to retrieve event data from an RDEP device, you must identify the Security Monitor server as an allowed host on the sensor.

To specify Security Monitor as an allowed host on the sensor, follow these steps:


Step 1   Log in to IDS MC.

Step 2   Select Configuration > Settings.

Step 3   Click the Object Selector handle to open the Object Selector.

Step 4   From the Object Selector, select the sensor you want to configure.

Step 5   From the TOC, select Allowed Hosts.

The Allowed Hosts page appears.

Step 6   To add an allowed host, click Add.

The Enter Allowed Host page appears.

Step 7   Enter the IP address of the allowed host in the IP Address field. This address must be the NAT address if NAT is being performed.

Step 8   Enter the network mask for the IP address in the Net Mask field.

Step 9   Click OK.

The Allowed Hosts page appears, showing the host that you just added.

Step 10   You must generate and deploy the configuration before your changes take place.
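The following is an added example, not IDS MC code, that checks an Allowed Hosts list against the Security Monitor server before you deploy it. It encodes the caveat in Step 7: the sensor matches the source address it sees, which is the NAT address when NAT sits between the two, so an entry for the server's real address silently fails. The entries and addresses are constructed; the suggestion to prefer single-host (255.255.255.255) entries is least-privilege advice from this editor, not a requirement the page states.

```python
"""Verify that an RDEP sensor's Allowed Hosts list admits Security Monitor.

Added example, not IDS MC code. Entries are (ip, netmask) pairs exactly as
typed on the Enter Allowed Host page.
"""
import ipaddress


def covering_entry(allowed_hosts, address):
    """Return the (ip, mask) entry that admits address, or None."""
    addr = ipaddress.ip_address(address)
    for ip, mask in allowed_hosts:
        if addr in ipaddress.ip_network(f"{ip}/{mask}", strict=False):
            return (ip, mask)
    return None


def security_monitor_access(allowed_hosts, real_ip, nat_ip=None):
    """Evaluate access for a Security Monitor server at real_ip.

    If NAT applies, nat_ip is the address the sensor sees and the one that
    must be in the list; real_ip alone is then irrelevant to the sensor.
    """
    seen = nat_ip or real_ip
    entry = covering_entry(allowed_hosts, seen)
    return {"address_sensor_sees": seen, "allowed": entry is not None, "entry": entry}


def broad_entries(allowed_hosts, max_hosts=1):
    """Entries admitting more than max_hosts addresses (a /32 admits exactly one)."""
    found = []
    for ip, mask in allowed_hosts:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.num_addresses > max_hosts:
            found.append((ip, mask, net.num_addresses))
    return found


# Constructed: a sensor that allows the whole 10.1.1.0/24 management subnet,
# and a Security Monitor server at 192.168.5.5 that is NATed to 10.1.1.77.
ALLOWED = [("10.1.1.0", "255.255.255.0")]


if __name__ == "__main__":
    print(security_monitor_access(ALLOWED, "192.168.5.5", nat_ip="10.1.1.77"))
    print(security_monitor_access(ALLOWED, "192.168.5.5"))
    print(broad_entries(ALLOWED))
```

An allowed host can open an RDEP session and authenticate with the sensor's local accounts, so a subnet-wide entry extends that exposure to every host on the subnet; a single-address entry for the monitor's NAT address is usually all that is needed.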





Configuring Cisco IDS Host Sensors

You must install MCIntegrator.exe on the Cisco IDS Host Console to receive event data from Cisco IDS Host Sensors.


Note   Cisco IDS Host Sensors (agents) do not send event data directly to Security Monitor. Instead, they forward the event data to the Cisco IDS Host Console that is associated with those agents. The Cisco IDS Host Console then forwards the event data to Security Monitor.

Before You Begin

Before you perform this procedure, you must:

  • Know the IP address of your Security Monitor server.
  • Know the UDP port used by Security Monitor to receive syslog data (the default is 514).
  • If a Cisco IDS Host Sensor (agent) is running on the Cisco IDS Host Console server, make sure the agent is in "Warning Mode".

To configure Cisco IDS Host Sensors to work with Security Monitor, follow these steps:


Step 1   Copy MCIntegrator.exe from the Products/Integrator/ directory of your Cisco IDS Host Console CD-ROM to your Cisco IDS Host Console server.

Step 2   Double-click MCIntegrator.exe.

The installation program begins. A warning message reminds you to change the state of the agent on the Console host to "Warning Mode" before continuing.

Step 3   Click OK.

The Welcome screen appears.

Step 4   Click Next.

The Settings screen appears.

Step 5   Enter the IP address of your Security Monitor server in the Server IP field.

Step 6   Enter the UDP port number used by Security Monitor to receive syslog messages. The default is 514.

Step 7   Click Next.

A message informs you that MCIntegrator is now available.

Step 8   Click OK.

The Setup Complete screen appears.

Step 9   Deselect the Yes, I would like to view the Readme file check box if you do not want to view the readme file after closing the installation application.

Step 10   Click Finish.

The installation application closes. If you elected to view the Readme file, it opens in your default text editor.





Configuring PIX Firewalls

This procedure provides the basic steps for configuring a PIX Firewall to forward syslog messages to Security Monitor. You should refer to your PIX Firewall documentation for more detailed information about configuring syslog messages.

Additionally, if you are managing your PIX Firewalls with Management Center for Firewalls (Firewall MC), you can use Firewall MC to perform this configuration.

To configure a PIX Firewall to forward syslog messages to Security Monitor, follow these steps:


Step 1   Open a console or terminal session to the PIX Firewall.

Step 2   Enter the global configuration mode:

a. Enter enable.

b. If the enable prompt is password protected, enter the enable password.

c. Enter configure terminal.

Step 3   Specify your Security Monitor server as the host to receive the syslog messages with the logging host command:

logging host interface host_IP_addr [protocol:port]
  • interface—The interface on the PIX Firewall on which the Security Monitor server resides.
  • host_IP_addr—The IP address of the Security Monitor server.
  • protocol:port—The protocol used to carry the syslog messages followed by the destination port number. This setting is optional. If omitted, the PIX Firewall uses the default of UDP:514.

Note    You cannot use TCP to send syslog messages to Security Monitor.

Step 4   Set the logging level using the logging trap command.

logging trap level

The following levels are available:

  • 0 (emergencies)—System unusable messages
  • 1 (alerts)—Take immediate action
  • 2 (critical)—Critical condition
  • 3 (errors)—Error message
  • 4 (warnings)—Warning message
  • 5 (notifications)—Normal but significant condition
  • 6 (informational)—Information message
  • 7 (debugging)—Debug messages and log FTP commands and WWW URLs

Note    The logging level that you specify includes the messages of the levels above it (those with a lower numerical value). For example, setting the logging level to 2 causes messages of level 0, 1, or 2 to be sent.

Step 5   Enter logging on to start forwarding messages.


Note    If Security Monitor is offline, the PIX Firewall stores up to 100 messages in its memory. Once the buffer is full, subsequent messages overwrite it starting from the first line.

The PIX Firewall starts forwarding messages to your Security Monitor server.





Configuring Cisco IOS routers

This procedure provides the basic steps for configuring a Cisco IOS router to forward syslog messages to Security Monitor. You should refer to your Cisco IOS router documentation for detailed information about configuring syslog messages.

When the Cisco IOS router is configured with IDS or firewall software, the IDS and firewall messages are included with the standard syslog messages; you do not need to configure those messages separately.

Additionally, if you are managing your Cisco IOS routers with Router MC, you can use Router MC to perform this configuration.

To configure a Cisco IOS router to forward syslog messages to Security Monitor, follow these steps:


Step 1   Open a console or terminal session to the Cisco IOS router.

Step 2   Enter the global configuration mode:

a. Enter enable.

b. If the enable prompt is password protected, enter the enable password.

c. Enter configure terminal.

Step 3   Use the logging command to specify your Security Monitor server as the host to receive the syslog messages:

logging host_name

Replace host_name with the name of your Security Monitor server.

Step 4   Set the logging level using the logging trap command.

logging trap level

The following levels are available:

  • 0 (emergencies)—System unusable messages
  • 1 (alerts)—Take immediate action
  • 2 (critical)—Critical condition
  • 3 (errors)—Error message
  • 4 (warnings)—Warning message
  • 5 (notifications)—Normal but significant condition
  • 6 (informational)—Information message
  • 7 (debugging)—Debug messages and log FTP commands and WWW URLs

Note    The logging level that you specify includes the messages of the levels above it (those with a lower numerical value). For example, setting the logging level to 2 causes messages of level 0, 1, or 2 to be sent.

Step 5   Enter logging on to start forwarding messages.

The Cisco IOS router starts forwarding messages to your Security Monitor server.
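The PIX Firewall and Cisco IOS procedures above share the same logging trap semantics: a trap level forwards every message whose severity number is lower than or equal to it, and the PIX note describes a 100-message memory buffer that is overwritten from the first line once Security Monitor is unreachable. The following is an added example written for this page, not Cisco code, that models both rules so you can check which of your messages a given trap level would actually deliver to Security Monitor. The sample log lines, message IDs and the parse functions are constructed for illustration; the PRI decoding assumes the standard syslog encoding of facility * 8 + severity, which is what a receiver on UDP 514 sees.

```python
"""Added example (not Cisco's code): models the 'logging trap' severity
filter shared by the PIX Firewall and Cisco IOS procedures, and the PIX
behaviour of holding up to 100 messages in memory when the syslog host is
offline, overwriting from the first slot once the buffer is full.
Every sample log line below is constructed for illustration."""
import re

# Level keywords in the order the manual lists them: index == numeric level.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Cisco syslog text carries its severity in the tag, e.g. %PIX-4-106023 or
# %SYS-5-CONFIG_I, i.e. facility-severity-mnemonic.
_TAG = re.compile(r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+)")
# A datagram received on UDP 514 starts with <PRI>, PRI = facility * 8 + severity.
_PRI = re.compile(r"^<(?P<pri>\d{1,3})>")


def level_number(level):
    """Accept the numeric level or its keyword, as 'logging trap' does."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError("syslog level must be 0..7")
        return level
    return SEVERITIES.index(level)  # raises ValueError on an unknown keyword


def parse_tag(message):
    """Return (facility, severity, mnemonic) from the %FAC-SEV-MNEM tag, or None."""
    m = _TAG.search(message)
    if m is None:
        return None
    return m.group("fac"), int(m.group("sev")), m.group("mnem")


def parse_pri(datagram):
    """Split the <PRI> prefix of a raw syslog datagram into (facility, severity)."""
    m = _PRI.match(datagram)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return pri // 8, pri % 8


def forwarded_at(trap_level, message):
    """True if 'logging trap <trap_level>' sends this message: a trap level
    includes every message whose severity number is lower than or equal to it."""
    parsed = parse_tag(message)
    return parsed is not None and parsed[1] <= level_number(trap_level)


class PixMessageStore:
    """PIX memory buffer while the syslog host is unreachable: at most
    `capacity` messages; once full, new messages overwrite from slot 0 onward."""

    def __init__(self, capacity=100):
        self.capacity = capacity
        self.slots = []
        self._next = 0  # slot the next overwrite lands in

    def add(self, message):
        if len(self.slots) < self.capacity:
            self.slots.append(message)
        else:
            self.slots[self._next] = message
            self._next = (self._next + 1) % self.capacity

    def __len__(self):
        return len(self.slots)


# Constructed sample lines in the shape PIX and IOS emit (message IDs and
# addresses chosen for illustration; check your platform's message guide).
SAMPLE_MESSAGES = [
    "<161>%PIX-1-101001: (Primary) Failover cable OK.",
    "<164>%PIX-4-106023: Deny tcp src outside:198.51.100.7/4431 dst inside:10.0.0.8/445 by access-group \"outside_in\"",
    "<165>%PIX-5-111008: User 'enable_15' executed the 'logging host inside 10.0.0.5' command.",
    "<166>%PIX-6-302013: Built inbound TCP connection 1182 for outside:198.51.100.7/4431 to inside:10.0.0.8/445",
    "<189>%SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<191>%LINK-7-UPDOWN: Interface Ethernet0/1, changed state to up",
]


def forwarded_messages(trap_level, messages=SAMPLE_MESSAGES):
    """The subset of `messages` that a device set to 'logging trap <trap_level>' forwards."""
    return [m for m in messages if forwarded_at(trap_level, m)]


if __name__ == "__main__":
    for lvl in ("critical", "warnings", "debugging"):
        sent = forwarded_messages(lvl)
        print(f"logging trap {lvl} ({level_number(lvl)}): "
              f"{len(sent)} of {len(SAMPLE_MESSAGES)} messages forwarded")
```

Running the block shows the practical consequence of the Note in Step 4: `logging trap critical` forwards only the failover alert, `logging trap warnings` adds the access-group deny, and only `debugging` delivers the connection-built and link messages. The `PixMessageStore` class makes the 100-message limit concrete: after 105 messages arrive while Security Monitor is offline, the first five slots hold messages 101 to 105 and messages 1 to 5 are gone, which is why an outage longer than a burst of 100 messages leaves a gap in the Security Monitor event record.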





Displaying Monitored Device Status

You can use Security Monitor to verify the connection between your postoffice and RDEP devices and the Security Monitor server. Additionally, for RDEP devices, you can view information about the various subsystems of the device. Refer to the following topics for more information:

  • Monitoring Device Connection Status
  • Viewing RDEP Device Statistics

Monitoring Device Connection Status

You can view the connection status of the postoffice devices, RDEP devices, and Security Agent MC servers that you are monitoring with Security Monitor. You cannot monitor the connection status of devices using syslog messages to send alarm data to Security Monitor.

Each connection type has a specific set of status messages.

Devices using postoffice to communicate with Security Monitor show one of two statuses: "Connected" or "Not Connected".

  • Connected—Security Monitor is receiving event data from the device normally.
  • Not Connected—Security Monitor is not receiving event data from the device.

Devices using RDEP to communicate with Security Monitor, and Security Agent MC servers, can show one of the following statuses:

  • Connected TLS—A secure connection has been established.
  • Connected non-TLS—(RDEP devices only) A connection that does not use Transport Layer Security (TLS) has been established.
  • Not Connected—A connection with the device has not been established.

Additionally, RDEP and Security Agent MC server connections may show one of the following transitional states:

  • Created
  • Shutting Down
  • Paused
  • Authentication Failure

A connection status of "Not Connected" can indicate one of the following conditions:

  • The device has been added to Security Monitor, but is not yet configured to send event data. Configure the device to forward event data to Security Monitor. This condition is commonly seen when you configure Security Monitor for a device that you plan to deploy later in your network.
  • The device has been misconfigured. Make sure that the communication settings on the device are correct and that the events are being sent to the correct IP address, protocol, and port number.
  • Security Monitor has been misconfigured. Make sure that the communication settings in Security Monitor match those on the device and that any credentials (such as administrative account name and password) have been entered in Security Monitor correctly. Verify that NAT settings have been configured properly.
  • Network connectivity between the device and Security Monitor has been lost. Try pinging the device from the Security Monitor server. CiscoWorks contains several diagnostic tools, including ping and traceroute, in the Server Configuration > Diagnostics > Connectivity Tools folder.

To display the status of the postoffice devices, follow these steps:


Step 1   Select Monitor > Connections.

The Connections page appears, listing each device configured in Security Monitor. The device name, type, and connection status appear in a table.

Step 2   To update the display, click Refresh.

The device list and connection status for each is updated.





Viewing RDEP Device Statistics

You can view a statistical report about various components of an RDEP device. The report is not updated in real time; it displays a snapshot of the device component at the time the report was run.

To display statistics for an RDEP device, follow these steps:


Step 1   Select Monitor > Statistics.

The Statistics page appears. All RDEP devices that you have added to Security Monitor are listed.

Step 2   Select the device for which you want to view statistics.

Step 3   Select the RDEP device component from the Display Options list. You can select statistics from the following components:

  • Analysis Engine Statistics
  • Authentication Statistics
  • Event Server Statistics
  • Event Store Statistics
  • Host Statistics
  • Logger Statistics
  • Network Access Controller Statistics
  • Transaction Server Statistics
  • Transaction Source Statistics
  • Web Server Statistics

Step 4   Click View.

The report appears in a new browser window.