Configuring External Product Interfaces
This chapter explains how to configure external product interfaces. It contains the following sections:
• Understanding External Product Interfaces
• Understanding CSA MC
• External Product Interface Issues
• Configuring CSA MC to Support IPS Interfaces
• Configuring External Product Interfaces
• Troubleshooting External Product Interfaces
Understanding External Product Interfaces
Note
In Cisco IPS, the only external product interfaces you can add are CSA MC interfaces.
The external product interface is designed to receive and process information from external security and management products. These external security and management products collect information that can be used to automatically enhance the sensor configuration information. For example, the types of information that can be received from external products include host profiles (the host OS configuration, application configuration, and security posture) and IP addresses that have been identified as causing malicious network activity.
Understanding CSA MC
CSA MC enforces a security policy on network hosts. It has two components:
• Agents that reside on and protect network hosts.
• Management Console (MC)—An application that manages agents. It downloads security policy updates to agents and uploads operational information from agents.
CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
CSA MC sends two types of events to the sensor—host posture events and quarantined IP address events.
Host posture events (called imported OS identifications in IPS) contain the following information:
• Unique host ID assigned by CSA MC
• CSA agent status
• Host system hostname
• Set of IP addresses enabled on the host
• CSA software version
• CSA polling status
• CSA test mode status
• NAC posture
For example, when an OS-specific signature fires against a target that is running that OS, the attack is highly relevant and the response should be stronger. If the target runs a different OS, the attack is less relevant and the response can be less severe. The attack relevance rating of the signature is adjusted accordingly for this host.
The quarantined host events (called the watch list in IPS) contain the following information:
• IP address
• Reason for the quarantine
• Protocol associated with a rule violation (TCP, UDP, or ICMP)
• Indicator of whether a rule-based violation was associated with an established session or a UDP packet
For example, if a signature fires that lists one of these hosts as the attacker, the event is presumed to be that much more serious, and the risk rating is increased for this host. The size of the increase depends on why the host was quarantined.
The sensor uses the information from these events to determine the risk rating increase based on the information in the event and the risk rating configuration settings for host postures and quarantined IP addresses.
Note
The host posture and watch list IP address information is not associated with a virtual sensor, but is treated as global information.
Secure communications between CSA MC and the IPS sensor are maintained through SSL/TLS. The sensor initiates the SSL/TLS connection to CSA MC, and the connection is mutually authenticated: CSA MC authenticates itself to the sensor with its X.509 certificate, which the sensor accepts only if that certificate is in its trusted-host list, and the sensor authenticates itself to CSA MC with the username and password configured on the external product interface.
Note
You can configure and enable at most two CSA MC interfaces.
Caution
You must add the CSA MC as a trusted host so the sensor can communicate with it. To add the CSA MC as a trusted host, choose Configuration > sensor_name > Sensor Management > Certificates > Trusted Hosts > Add.
For More Information
For the procedure to add a trusted host, see Adding Trusted Hosts.
External Product Interface Issues
When the external product interface receives host posture and quarantine events, the following issues can arise:
• The sensor can store only a limited number of host records.
  – Once 10,000 records are stored, subsequent records are dropped.
  – Dropping continues until the number of stored records falls below 9,900; only then are new records accepted again (the gap between the two thresholds is hysteresis, so the sensor does not toggle at the limit).
• Hosts can change IP address or appear to use another host's IP address, for example because of DHCP lease expiration or movement in a wireless network. In the case of an IP address conflict, the sensor presumes the most recent host posture event to be the most accurate.
• A network can include overlapping IP address ranges in different VLANs, but host postures do not include VLAN ID information. You can configure the sensor to ignore specified address ranges (posture ACLs).
• A host can be unreachable from CSA MC because it is behind a firewall. You can exclude the postures of unreachable hosts.
• The CSA MC event server allows up to ten open subscriptions by default. You can change this value. You must have an administrator account and password on CSA MC to open subscriptions.
• CSA data is not virtualized; the sensor treats it globally rather than per virtual sensor.
• Host posture OS and IP addresses are integrated into the passive OS fingerprinting storage. You can view them as imported OS profiles.
• You cannot view the quarantined hosts (the watch list) on the sensor.
• The sensor must recognize the X.509 certificate of each CSA MC host. You must add each CSA MC as a trusted host.
• You can configure a maximum of two external product devices.
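The record limit, the IP conflict rule and the two posture filters listed above interact, and the easiest way to see how is a small model of the sensor's posture store. The following is an added illustration written for this page, not Cisco IPS code: the class and function names are made up, and it assumes that a posture whose addresses are all denied by posture ACLs is dropped, that an address matched by no ACL is permitted, and that an IP conflict is resolved per address in favour of the newest posture.

```python
"""Added model of the sensor's CSA MC posture store (not Cisco IPS code): the
10,000-record cap with re-admission only below 9,900, newest-posture-wins on IP
conflicts, the "allow unreachable hosts" switch, and ordered posture ACLs
(first match wins). Names, defaults and conflict handling are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RECORDS = 10_000   # records beyond this are dropped
RESUME_BELOW = 9_900   # dropping stops only once the store shrinks below this

@dataclass
class HostPosture:
    host_id: str          # unique host ID assigned by CSA MC
    hostname: str
    addresses: List[str]  # IP addresses enabled on the host
    os_name: str          # becomes an imported OS identification on the sensor
    reachable: bool       # whether CSA MC could connect to the host

@dataclass
class PostureAcl:
    name: str
    network: str          # e.g. "192.168.0.0/16"
    action: str           # "permit" or "deny"
    active: bool = True

@dataclass
class PostureStore:
    allow_unreachable: bool = False
    acls: List[PostureAcl] = field(default_factory=list)          # evaluated top to bottom
    records: Dict[str, HostPosture] = field(default_factory=dict)  # host_id -> posture
    by_ip: Dict[str, str] = field(default_factory=dict)            # ip -> host_id
    dropping: bool = False
    dropped: int = 0

    def _acl_permits(self, ip: str) -> bool:
        # first active ACL containing ip decides; no match permits (assumed default)
        addr = ipaddress.ip_address(ip)
        for acl in self.acls:
            if acl.active and addr in ipaddress.ip_network(acl.network, strict=False):
                return acl.action == "permit"
        return True

    def accept(self, p: HostPosture) -> bool:
        """Apply the filters in order; True means the posture was stored."""
        if not p.reachable and not self.allow_unreachable:
            return False
        kept = [ip for ip in p.addresses if self._acl_permits(ip)]
        if not kept:                         # every address denied by a posture ACL
            return False
        if p.host_id not in self.records:    # only new hosts count against the cap
            if len(self.records) >= MAX_RECORDS:
                self.dropping = True
            elif len(self.records) < RESUME_BELOW:
                self.dropping = False        # hysteresis: resume only below 9,900
            if self.dropping:
                self.dropped += 1
                return False
        self.remove(p.host_id)               # a newer posture for the same host replaces it
        self.records[p.host_id] = HostPosture(p.host_id, p.hostname, kept, p.os_name, p.reachable)
        for ip in kept:
            self.by_ip[ip] = p.host_id       # IP conflict: the most recent posture wins
        return True

    def remove(self, host_id: str) -> None:
        old = self.records.pop(host_id, None)
        for ip in (old.addresses if old else []):
            if self.by_ip.get(ip) == host_id:
                del self.by_ip[ip]

    def os_for(self, ip: str) -> Optional[str]:
        # imported OS identification the sensor would use for this address
        hid = self.by_ip.get(ip)
        return self.records[hid].os_name if hid else None

def filtering_demo() -> dict:
    """Constructed postures exercising each filter on a store with two posture ACLs."""
    s = PostureStore(acls=[PostureAcl("dup-vlan-range", "192.168.0.0/16", "deny"),
                           PostureAcl("corp", "10.0.0.0/8", "permit")])
    return {
        "reachable": s.accept(HostPosture("h1", "ws1", ["10.1.1.5"], "Windows XP", True)),
        "unreachable": s.accept(HostPosture("h2", "ws2", ["10.1.1.6"], "Linux", False)),
        "denied_range": s.accept(HostPosture("h3", "ws3", ["192.168.1.9"], "Linux", True)),
        # DHCP later hands 10.1.1.5 to another host: the newer posture takes the address
        "moved": s.accept(HostPosture("h4", "ws4", ["10.1.1.5"], "Linux", True)),
        "os_now": s.os_for("10.1.1.5"),
        "stored": len(s.records),
    }

def cap_demo() -> dict:
    """Fill the store to the cap, then shrink it to show the 9,900 hysteresis."""
    s = PostureStore()
    for i in range(MAX_RECORDS):
        s.accept(HostPosture(f"h{i}", f"host{i}", [f"10.0.{i >> 8}.{i & 255}"], "Linux", True))
    at_cap = s.accept(HostPosture("x1", "x1", ["10.200.0.1"], "Linux", True))
    for i in range(50): s.remove(f"h{i}")        # 9,950 left: still dropping
    still_dropping = s.accept(HostPosture("x2", "x2", ["10.200.0.2"], "Linux", True))
    for i in range(50, 110): s.remove(f"h{i}")   # 9,890 left: below 9,900, accept again
    resumed = s.accept(HostPosture("x3", "x3", ["10.200.0.3"], "Linux", True))
    return {"at_cap": at_cap, "still_dropping": still_dropping, "resumed": resumed,
            "dropped": s.dropped, "stored": len(s.records)}
```

Call `filtering_demo()` and `cap_demo()` to see the outcomes. The deny ACL for 192.168.0.0/16 is how you would handle a range that is reused in another VLAN, since postures carry no VLAN ID; the hysteresis in `cap_demo()` is why a sensor that has hit the limit keeps dropping even after a few records expire.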
For More Information
• For more information on working with OS maps and identifications, see Adding, Editing, Deleting, and Moving Configured OS Maps and Configuring OS Identifications.
• For the procedure for adding trusted hosts, see Adding Trusted Hosts.
Configuring CSA MC to Support IPS Interfaces
Note
For more detailed information about host posture events and quarantined IP address events, refer to Using Management Center for Cisco Security Agents 5.1.
You must configure CSA MC to send host posture events and quarantined IP address events to the sensor.
To configure CSA MC to support IPS interfaces, follow these steps:
Step 1
Choose Events > Status Summary.
Step 2
In the Network Status section, click No beside Host history collection enabled, and then click Enable in the popup window.
Note
Host history collection is enabled globally for the system. This feature is disabled by default because the MC log file tends to fill quickly when it is turned on.
Step 3
Choose Systems > Groups to create a group (with no hosts) to use in conjunction with the administrator account you create next.
Step 4
Choose Maintenance > Administrators > Account Management to create a CSA MC administrator account to provide IPS access to the MC system.
Step 5
Create an administrator account with the role of Monitor.
This maintains the security of the MC by not allowing this new account to have Configure privileges.
Remember the username and password for this administrator account because you need them to configure external product interfaces on the sensor.
Step 6
Choose Maintenance > Administrators > Access Control to further limit this administrator account.
Step 7
In the Access Control window, select the administrator you created and select the group you created.
Note
When you save this configuration, you further limit the MC access of this new administrator account with the purpose of maintaining security on CSA MC.
Configuring External Product Interfaces
This section describes the External Product Interfaces pane, and contains the following topics:
• External Product Interfaces Pane
• External Product Interfaces Pane Field Definitions
• Add and Edit External Product Interface Dialog Boxes Field Definitions
• Add and Edit Posture ACL Dialog Boxes Field Definitions
• Adding, Editing, and Deleting External Product Interfaces and Posture ACLs
External Product Interfaces Pane
Note
You must be an administrator to add, edit, and delete external product interfaces and posture ACLs.
Use the External Product Interfaces pane to add the interfaces of CSA MC so that the sensor can receive and process information from CSA MC.
Caution
You must add the external product as a trusted host so the sensor can communicate with it. To add a trusted host, choose Configuration > sensor_name > Sensor Management > Certificates > Trusted Hosts > Add.
External Product Interfaces Pane Field Definitions
The following fields are found in the External Product Interfaces pane:
• IP Address—IP address of the external product.
• Enabled—Indicates whether the external product interface is enabled.
• Port—Specifies the port being used for communications.
• TLS Used—Indicates whether secure communications are being used.
• User Name—Indicates the user login name that connects to CSA MC.
• Host Posture Settings—Indicates how host postures received from CSA MC should be handled.
  – Enabled—Indicates that receipt of the host postures is enabled. If disabled, the host posture information received from a CSA MC is deleted.
  – Allow Unreachable—Allows/denies the receipt of host posture information for hosts that are not reachable by CSA MC. A host is not reachable if CSA MC cannot establish a connection with the host on any IP addresses in the host posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS or may be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by CSA MC are also not reachable by the IPS, for example if the IPS and CSA MC are on the same network segment.
  – Posture ACLs—Specifies network address ranges for which host postures are allowed or denied. This option provides a mechanism for filtering postures that have IP addresses that may not be visible to the IPS or may be duplicated across the network.
• Watch List Settings—Indicates how watch list settings received from CSA MC should be handled.
  – Enabled—Indicates that receipt of the watch list is enabled. If disabled, the watch list information received from a CSA MC is deleted.
  – Manual RR Increase—Indicates by what percentage the manual watch list risk rating should be increased.
  – Session RR Increase—Indicates by what percentage the session-based watch list risk rating should be increased.
  – Packet RR Increase—Indicates by what percentage the packet-based watch list risk rating should be increased.
• SDEE URL—Indicates the URL on the CSA MC the IPS uses to retrieve information using SDEE communication. You must configure the URL based on the software version of the CSA MC that the IPS is communicating with as follows.
  – For CSA MC version 5.0: /csamc50/sdee-server
  – For CSA MC version 5.1: /csamc51/sdee-server
  – For CSA MC version 5.2 and higher: /csamc/sdee-server (the default value)
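The two rating adjustments this chapter describes, the attack relevance taken from an imported OS identification and the manual, session and packet watch-list increases (defaults 25, 25 and 10, valid range 0 to 35), can be put together in a small scoring model. This is an added illustration, not Cisco code: the risk rating formula RR = ASR*TVR*SFR/10000 + ARR - PD + WLR clamped to 0..100 is taken from the IPS risk rating documentation rather than from this page, the +10/-10/0 attack relevance scale and the treatment of each increase as points added to the 0..100 rating are assumptions, and all names are made up.

```python
"""Added model of how CSA MC data changes an alert's risk rating (not Cisco
code). Assumed, not stated on this page: RR = ASR*TVR*SFR/10000 + ARR - PD + WLR
clamped to 0..100; ARR is +10 when the target's imported OS matches the
signature's OS, -10 when it differs, 0 when unknown; each watch-list increase
is added as points to the 0..100 rating."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class WatchListSettings:
    enabled: bool = True
    manual_increase: int = 25    # page defaults; valid range 0..35
    session_increase: int = 25
    packet_increase: int = 10

    def __post_init__(self) -> None:
        for v in (self.manual_increase, self.session_increase, self.packet_increase):
            if not 0 <= v <= 35:
                raise ValueError("watch list RR increase must be between 0 and 35")


@dataclass(frozen=True)
class QuarantineEvent:
    ip: str
    reason: str                 # "manual" (quarantined by an administrator) or "rule"
    protocol: str               # TCP, UDP or ICMP
    established_session: bool   # rule violation in an established session vs. a UDP packet


class WatchList:
    def __init__(self, settings: WatchListSettings) -> None:
        self.settings = settings
        self.entries: Dict[str, QuarantineEvent] = {}

    def ingest(self, ev: QuarantineEvent) -> None:
        if self.settings.enabled:
            self.entries[ev.ip] = ev

    def set_enabled(self, enabled: bool) -> None:
        """Disabling receipt deletes the watch list already received."""
        s = self.settings
        self.settings = WatchListSettings(enabled, s.manual_increase, s.session_increase, s.packet_increase)
        if not enabled:
            self.entries.clear()

    def rating(self, attacker_ip: str) -> int:
        """Watch list rating (WLR) for an alert whose attacker is attacker_ip."""
        ev = self.entries.get(attacker_ip)
        if ev is None:
            return 0
        if ev.reason == "manual":
            return self.settings.manual_increase
        return self.settings.session_increase if ev.established_session else self.settings.packet_increase


def attack_relevance(signature_os: Optional[str], target_os: Optional[str]) -> int:
    """ARR from the imported OS identification of the target (assumed +10/-10/0 scale)."""
    if signature_os is None or target_os is None:
        return 0
    return 10 if signature_os == target_os else -10


def risk_rating(asr: int, tvr: int, sfr: int, arr: int, pd: int, wlr: int) -> int:
    """Clamped risk rating; asr/tvr/sfr/pd are 0..100, arr is -10..10, wlr is 0..35."""
    return int(max(0, min(100, round(asr * tvr * sfr / 10_000 + arr - pd + wlr))))


def scored_alerts() -> Dict[str, int]:
    """Constructed alerts: one Windows-specific signature (ASR 75, SFR 80, TVR 100,
    PD 0) seen from four attackers against three targets."""
    wl = WatchList(WatchListSettings())
    wl.ingest(QuarantineEvent("172.16.5.5", "manual", "TCP", False))
    wl.ingest(QuarantineEvent("172.16.5.6", "rule", "TCP", True))
    wl.ingest(QuarantineEvent("172.16.5.7", "rule", "UDP", False))
    imported_os = {"10.1.1.5": "Windows", "10.1.1.6": "Linux"}   # from host posture events

    def score(attacker: str, target: str) -> int:
        arr = attack_relevance("Windows", imported_os.get(target))
        return risk_rating(75, 100, 80, arr, 0, wl.rating(attacker))

    return {
        "clean_attacker_matching_os": score("172.16.5.1", "10.1.1.5"),  # 60 + 10
        "clean_attacker_other_os": score("172.16.5.1", "10.1.1.6"),     # 60 - 10
        "manual_quarantine": score("172.16.5.5", "10.1.1.5"),           # 60 + 10 + 25
        "session_quarantine": score("172.16.5.6", "10.1.1.5"),          # 60 + 10 + 25
        "packet_quarantine": score("172.16.5.7", "10.1.1.5"),           # 60 + 10 + 10
        "unknown_target": score("172.16.5.5", "10.1.9.9"),              # 60 + 0 + 25
    }


def disable_demo() -> tuple:
    """Disabling receipt of the watch list purges what was already received."""
    wl = WatchList(WatchListSettings())
    wl.ingest(QuarantineEvent("172.16.5.5", "manual", "TCP", False))
    wl.set_enabled(False)
    return len(wl.entries), wl.rating("172.16.5.5")
```

The same signature scores 50 against a Linux target and 95 when a manually quarantined host attacks a Windows target, which is the whole point of feeding CSA MC data to the sensor: the event actions you tie to risk rating thresholds start to fire on the hosts CSA MC already distrusts.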
Add and Edit External Product Interface Dialog Boxes Field Definitions
The following fields are found in the Add and Edit External Product Interface dialog boxes:
• External Product's IP Address—IP address of the external product.
• Enable receipt of information—Enables the sensor to receive information from the external product interface.
Note
If not checked, all host posture and quarantine information from this device is purged from the sensor.
• Communication Settings—Lets you see the SDEE URL and TLS, and lets you change the port.
  – SDEE URL—Indicates the URL on the CSA MC the IPS uses to retrieve information using SDEE communication. You must configure the URL based on the software version of the CSA MC that the IPS is communicating with as follows:
    For CSA MC version 5.0—/csamc50/sdee-server.
    For CSA MC version 5.1—/csamc51/sdee-server.
    For CSA MC version 5.2 and higher—/csamc/sdee-server (the default value).
  – Port—Specifies the port being used for communications.
  – Use TLS—Indicates that secure communications are being used. You cannot change this value.
• Login Settings—Lets you specify the credentials required to log in to CSA MC.
  – User Name—Lets you enter the username used to log in to CSA MC.
  – Password—Lets you enter the password for that CSA MC account.
  – Confirm Password—Lets you confirm the password.
• Watch List Settings—Lets you configure how watch list settings received from CSA MC should be handled.
  – Enable receipt of watch list—Enables/disables the receipt of the watch list information. The watch list information received from a CSA MC is deleted when disabled.
  – Manual Watch List RR Increase—Lets you set the percentage by which the risk rating is increased for hosts on the manual watch list.
  – Session RR Increase—Lets you set the percentage by which the risk rating is increased for hosts on the session-based watch list.
  – Packet RR Increase—Lets you set the percentage by which the risk rating is increased for hosts on the packet-based watch list.
• Host Posture Settings—Indicates how host postures received from CSA MC should be handled.
  – Enable receipt of host postures—Enables/disables the receipt of the host posture information. The host posture information received from a CSA MC is deleted when disabled.
  – Allow unreachable hosts' postures—Allows/denies the receipt of host posture information for hosts that are not reachable by the CSA MC. A host is not reachable if the CSA MC cannot establish a connection with the host on any IP addresses in the host's posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS or may be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and CSA MC are on the same network segment.
  – Name—Name of the posture ACL.
  – Active—Indicates whether this posture ACL is active.
  – Network Address—Network address of the posture ACL.
  – Action—Action (deny or permit) the posture ACL will take.
Add and Edit Posture ACL Dialog Boxes Field Definitions
The following fields are found in the Add and Edit Posture ACL dialog boxes:
• Name—Name of the posture ACL.
• Active—Indicates whether this posture ACL is active.
• Network Address—Network address of the posture ACL.
• Action—Action (deny or permit) the posture ACL will take.
Adding, Editing, and Deleting External Product Interfaces and Posture ACLs
Caution
In Cisco IPS the only external product interfaces you can add are CSA MC interfaces. Cisco IPS supports two CSA MC interfaces.
Note
Make sure you add the external product as a trusted host so the sensor can communicate with it. To add a trusted host, choose Configuration > sensor_name > Sensor Management > Certificates > Trusted Hosts > Add.
To add an external product interface, follow these steps:
Step 1
Log in to IME using an account with administrator privileges.
Step 2
Choose Configuration > sensor_name > Sensor Management > External Product Interfaces, and click Add to add an external product interface.
Step 3
In the External Product's IP Address field, enter the IP address of the external product.
Step 4
Check the Enable receipt of information check box to allow information to be passed from the external product to the sensor.
Step 5
In the Port field, change the default port 443 if needed.
Note
Under Communication Settings, you can only change the Port value.
Step 6
Configure the login settings:
a.
In the Username field, enter the username of the user who can log in to the external product.
b.
In the Password field, enter the password the user will use.
c.
In the Confirm Password field, enter the password again.
Note
Steps 7 through 15 are optional. If you do not perform Steps 7 through 15, the default values are used and the sensor receives all the CSA MC information with no filters applied.
Step 7
(Optional) Configure the watch list settings:
a.
Check the Enable receipt of watch list check box to allow the watch list information to be passed from the external product to the sensor.
Note
If you do not check the Enable receipt of watch list check box, the watch list information received from a CSA MC is deleted.
b.
In the Manual Watch List RR Increase field, you can change the percentage from the default of 25.
The valid range is 0 to 35.
c.
In the Session-based Watch List RR increase field, you can change the percentage from the default of 25.
The valid range is 0 to 35.
d.
In the Packet-based Watch List RR Increase field, you can change the percentage from the default of 10.
The valid range is 0 to 35.
Step 8
(Optional) Check the Enable receipt of host postures check box to allow the host posture information to be passed from the external product to the sensor.
Note
If you do not check the Enable receipt of host postures check box, the host posture information received from a CSA MC is deleted.
Step 9
(Optional) Check the Allow unreachable hosts' postures check box to allow the host posture information from unreachable hosts to be passed from the external product to the sensor.
Note
A host is not reachable if CSA MC cannot establish a connection with the host on any of the IP addresses in the host posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS or may be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by CSA MC are also not reachable by the IPS, for example if the IPS and CSA MC are on the same network segment.
Step 10
(Optional) To add a posture ACL, click Add.
Note
Posture ACLs are network address ranges for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that may not be visible to the IPS or may be duplicated across the network.
Step 11
(Optional) In the Name field, enter a name for the posture ACL.
Step 12
(Optional) In the Active field, click the Yes radio button to make the posture ACL active.
Step 13
(Optional) In the Network Address field, enter the network address the posture ACL will use.
Step 14
(Optional) In the Action drop-down list, choose the action (Deny or Permit) the posture ACL will take.
Tip
To discard your changes and close the Add Posture ACL dialog box, click Cancel.
Step 15
(Optional) Click OK.
The new posture ACL appears in the Host Posture Setting list in the Add External Product Interface dialog box.
You can use the Move Up and Move Down buttons to reorder the posture ACLs that you create.
Step 16
To edit an existing posture ACL, select it, and click Edit.
Step 17
Edit the Network Address and Action fields or change the active state to inactive by clicking the No radio button.
Tip
To discard your changes and close the Edit Posture ACL dialog box, click Cancel.
Step 18
Click OK.
The edited posture ACL appears in the Host Posture Setting list in the Add External Product Interface dialog box.
Step 19
To delete a posture ACL from the list, select it, and click Delete.
The posture ACL no longer appears in the Host Posture Setting list in the Add External Product Interface dialog box.
Step 20
Click OK.
Tip
To discard your changes and close the Add External Product Interface dialog box, click Cancel.
The external product interface now appears in the Management Center for Cisco Security Agents list in the External Product Interfaces pane.
Step 21
To edit the external product interface, select it, and click Edit.
Step 22
Make any changes needed to the fields in the dialog box.
Tip
To discard your changes and close the Edit External Product Interface dialog box, click Cancel.
Step 23
Click OK.
The edited external product interface appears in the Management Center for Cisco Security Agents list in the External Product Interfaces pane.
Step 24
To delete an external product interface, select it, and click Delete.
The external product interface no longer appears in the Management Center for Cisco Security Agents list in the External Product Interfaces pane.
Tip
To discard your changes, click Reset.
Step 25
Click Apply to apply your changes and save the revised configuration.
Troubleshooting External Product Interfaces
To troubleshoot external product interfaces, check the following:
• Make sure the interface is active by checking the output of the show statistics external-product-interface command in the CLI, or choose Configuration > sensor_name > Sensor Monitoring > Support Information > Statistics in IME and check the Interface state line in the response.
• Make sure you have added the CSA MC IP address to the trusted hosts. If you forgot to add it, add it, wait a few minutes, and then check again.
• Confirm the subscription login information by opening and closing a subscription on CSA MC using a browser.
• Check the Event Store for CSA MC subscription errors.
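The second and third checks above can be scripted from any host that can reach CSA MC, which helps when the sensor only reports a subscription error. The following helper is an added example, not Cisco code: it fetches the CSA MC server certificate and prints its MD5 and SHA-1 fingerprints so you can compare them with the sensor's trusted-host entry, then sends the interface's username and password to the version-specific SDEE URL only after the certificate matches the fingerprint you pass in. It assumes the SDEE server accepts HTTP Basic authentication and that a 401 means the credentials were rejected; the function names and the interpretation of other status codes are assumptions.

```python
"""Added troubleshooting helper, not Cisco code. It reproduces the two trust checks
the sensor makes against CSA MC: the server certificate must match the trusted-host
fingerprint, and the interface's username/password must be accepted by the SDEE
server. HTTP Basic authentication on the SDEE URL is assumed."""
import base64
import hashlib
import http.client
import ssl
import sys

SDEE_PATHS = {"5.0": "/csamc50/sdee-server", "5.1": "/csamc51/sdee-server"}


def sdee_path(csamc_version: str) -> str:
    """Version-specific path for CSA MC 5.0 and 5.1; 5.2 and later use the default."""
    return SDEE_PATHS.get(csamc_version, "/csamc/sdee-server")


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase digest of a DER certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def server_cert_fingerprints(host: str, port: int = 443) -> dict:
    """Fetch the CSA MC certificate and return MD5 and SHA-1 fingerprints to compare
    with the sensor's trusted-host entry for that address."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return {"md5": fingerprint(der, "md5"), "sha1": fingerprint(der, "sha1")}


def classify_login(status: int) -> str:
    """Interpret the HTTP status of an authenticated GET on the SDEE URL (assumed)."""
    if status == 401:
        return "credentials rejected: check the CSA MC administrator account"
    if status == 404:
        return "SDEE URL not found: check the path for this CSA MC version"
    if 200 <= status < 300:
        return "login accepted"
    return f"unexpected HTTP status {status}"


def check_subscription_login(host: str, path: str, user: str, password: str,
                             expected_sha1: str, port: int = 443) -> int:
    """Connect, pin the certificate to the expected SHA-1 fingerprint, and only then
    send the credentials. Returns the HTTP status for classify_login()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # trust is decided by the fingerprint, as on the sensor
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.connect()
    der = conn.sock.getpeercert(binary_form=True)
    if der is None or fingerprint(der, "sha1") != expected_sha1.upper():
        conn.close()
        raise RuntimeError("certificate fingerprint does not match the trusted-host entry")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn.request("GET", path, headers={"Authorization": "Basic " + token})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


if __name__ == "__main__":
    # usage: <csamc-host> <csamc-version> <user> <password> <sha1-from-sensor-trusted-host>
    host, version, user, password, expected = sys.argv[1:6]
    fps = server_cert_fingerprints(host)
    print("MD5 ", fps["md5"])
    print("SHA1", fps["sha1"])
    status = check_subscription_login(host, sdee_path(version), user, password, expected)
    print(status, classify_login(status))
```

If the fingerprint check raises, the CSA MC certificate has changed since it was added as a trusted host and the entry must be re-added on the sensor; a 401 with a matching fingerprint points at the Monitor account created on CSA MC or at the password entered on the interface.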
For More Information
• For the procedure for adding trusted hosts, see Adding Trusted Hosts.
• For the procedure for displaying events, see Monitoring Events.