IDS Device Manager

Area Bar

The Area Bar contains the four major configuration headings that can be selected to configure specific settings for the IDS sensor. Once an area is selected, a list of corresponding Sub-Areas is listed in the Sub-Area Bar.

The areas include the following:

• Device

• Configuration

• Monitoring

• Administration

Sub-Area Bar

The content of the Sub-Area Bar changes depending on the Area that’s selected. The configuration objects that make up the Sub-Area menu are subcategories under the major area. For example, when the Device Area is chosen, the only Sub-Area that can be selected is Sensor Setup, but when the Monitoring area is selected, you can choose from the three Sub-Area categories: Log, Sensing Interfaces Statistics, or IDS Event Viewer. Once a Sub-Area is selected, the Table of Contents (TOC) for that Sub-Area is displayed.

Table of Contents (TOC)

Each Sub-Area selected contains a different Table of Contents (TOC). When an item in the TOC is selected, the content area will display the configuration parameters for the item selected.

Content Area

The Content Area is where the configuration parameters for each configurable setting are displayed. From this area, you can add, change, or delete the existing sensor configuration settings from within the Content Area panel. The Content Area is where the configuration parameters are set.

Path Bar

The Path Bar displays the current path, including the Area, Sub-Area, and the TOC item currently selected. This path shows the menus that were selected to reach the current destination.

Tool Bar

The tool bar has important tools that assist with the configuration and management of the network sensor. The tool bar contains the following tools and links:

• Logout

• Apply Changes

• Help

• NSDB

• About

Apply Changes

The Apply Changes link must be used to save any configuration changes that were made. The changes made to the sensor aren’t applied until the Apply Changes link is selected. If you don’t want to apply or save the changes made, you can click reset to remove all the changes made and return the settings to their previous state. As you can see in Figure 25-6, once the changes have been applied, you might be required to reset the sensor.

Figure 25-6: Apply changes

NSDB

The Network Security Database (NSDB) can be displayed by selecting NSDB from the Tool menu, as seen in Figure 25-7. The NSDB contains specific information regarding the signatures and the types of attacks each signature is used to detect. The NSDB is explained in more detail in the next chapter.

Figure 25-7: Network Security Database

Network Panel (Device | Sensor Setup | Network)

The Network panel can be selected by navigating to Device | Sensor Setup | Network, where Device is the Area, Sensor Setup is the Sub-Area, and Network is the TOC item. Once the Network TOC item is selected, the network panel is displayed in the content area, as seen in Figure 25-8.

Figure 25-8: IDS Device Manager Network panel

The Network panel lists the configuration parameters that were configured during the sensor bootstrap process. From this panel, the common network and PostOffice setting can be modified. Additional settings that can be configured include the following:

• Heartbeat Interval This setting is used to calculate how many attempts the sensor should make to wait for a heartbeat acknowledgement from a remote host before considering the host is down and generating a route-down alarm.

• Route-Up Alarm Level This setting configures the level of alarm to be generated when a route-up event is detected. The default setting is Informational. Possible settings include the following:

  • Informational—Categorizes the event as informational in nature and not a risk to security. These events are shown with a blue icon in the IDS Event Viewer.

  • Low—Categorizes the event as mildly severe. These events are displayed with a yellow icon in the IDS Event Viewer.

  • Medium—Categorizes the event as a moderate risk. These events are displayed with an orange icon in the IDS Event Viewer.

  • Categorizes the event as a high risk. These events are displayed with a red icon in the IDS Event Viewer.

    Note?

    The values (1 to 5) are mapped to these logical names, based on the configuration settings in the severity mapping panel. The names previously used are the default severity mappings configured on each sensor.

• Route-Down Alarm Level This setting configures the level of alarm to be generated when a route-down event is detected. The settings for route-down alarms are the same as previously mentioned for the route-up alarm level. The default setting for this parameter is high.

• Enable TLS/SSL This setting configures the web server to use TLS and SSL.

• Web Server Port This setting configures the port number on which the sensor’s web server will listen for HTTP or HTTPS requests. By default, this parameter is set to 443 for HTTPS communications.

Allowed Hosts (Device | Sensor Setup | Allowed Hosts)

You can configure the allowed hosts during the bootstrapping or from the IDS Device Manager. By default, the sensor only allows access from IP addresses to which the sensor has been configured to allow access. By default, the sensor allows access from any host with an IP address belonging to the 10.0.0.0 /8 network. Before you can connect to the sensor, you must configure the sensor—during bootstrap—to allow the IP address of the host which you’ll use to connect to the sensor. Figure 25-9 illustrates the Allowed Hosts panel.

Figure 25-9: Adding allowed hosts

To allow hosts, you can enter the specific host address or the network address. When adding a network address, you only have to enter the octets that make up the network address. For example, if you want to allow all hosts in the 172.30.0.0 /16 network, you could add the first two octets, such as 172.16. In addition, you can allow all hosts to connect to and manage the sensor by clicking Allow All Hosts.

Remote Access (Device | Sensor Setup | Remote Access)

You can allow unsecured access to the sensor via Telnet or FTP. The protocols are considered insecure because they send data in clear text. To enable Telnet or FTP, select the Remote Access item in the TOC and select either protocol by placing a check mark in the corresponding checkbox, as Figure 25-10 shows.

Figure 25-10: Remote Access configuration

SSH Host Keys (Device | Sensor Setup | SSH)

From the SSH TOC panel, you can generate a new or delete an existing host key. Host keys are used by the sensor to connect to PIX firewalls and other hosts. Once the SSH session is open, the sensor can use the connection to perform blocking.

You can configure the sensor to create a new host key by selecting the Generate Host Key link on the Host Key panel. Once the host key is created, apply your configuration settings. With the new key created, you must then update the known host tables on the remote systems with the new key fingerprint. You can delete exiting keys by selecting the Known Hosts TOC item.

Setting the Time (Device | Sensor Setup | Time)

You can configure the time, date, and time zone information from the Time panel.

Changing the Password (Device | Sensor Setup | Password)

The password for the netrangr account can be changed from the Password panel. You needn’t click Apply Changes on the toolbar for this change to take effect.

Adding Remote Hosts (Configuration | Communications | Remote Hosts)

By default, the CIDS sensors publish alarm and event data to the host on the host in which you installed IDS Device Manager. You can change or add additional hosts, allowing the sensor to send the event stream to multiple hosts. You must add the IDS Event Viewer as a remote host if alarms are to be sent to the Event Viewer. When adding a remote host, you can specify the level of alarm that should be sent to the remote host. The Remote Hosts panel is illustrated in Figure 25-11.

Figure 25-11: Remote Hosts panel

Signature Configuration (Configuration | Sensing?Engine?|?Signature Configuration)

As discussed in Chapter 23, the sensor uses signatures to detect network intrusions. A signature specifies the types of network attacks for which you want the sensor to detect and generate alarms. Signatures are arranged in two different ways. Signatures are arranged in six categories based on the type of traffic that’s analyzed. And signatures are also organized into signature groups, based on the signature engine type, as seen in Figure 25-12. Each signature group contains a configuration pane that can be used to configure each specific signature contained in that signature group. From the configuration pane, the signatures can be enable or disabled, the severity can be assigned, and the responsive action can be specified.

Figure 25-12: Signature groups configuration pane

The six categories of signatures are as follows:

• Built-in

• Custom

• TCP Connection

• UDP Connection

• String Matching

• ACL

Built-in signatures are known attack signatures included in the sensor software. The signatures that make up the built-in group can’t be added to, removed, or renamed. You can adjust the built-in signatures by adjusting a number of group signature parameters. Figure 25-13 illustrates the configuration pane for built-in and custom signatures.

Figure 25-13: Configration panel for built-in and custom signatures

Custom signatures are user defined. These signatures can be fine-tuned through signature engine parameters.

TCP connection signatures are user-defined signatures based on the TCP port number of the traffic being monitored. As seen in Figure 25-14, you can use the TCP connection signatures configuration pane to enable or disable a TCP connection signature. You can also configure the severity of the signature, as well as the actions to take when the signature is matched.

Figure 25-14: TCP connection signatures configuration pane

UDP connection signatures are user-defined signatures based on the UDP port number of the traffic being monitored. As seen in Figure 25-15, the UDP connection configuration pane can be used to configure the UDP connection signatures.

Figure 25-15: UPD connection signatures configuration pane

String matching signatures are user-defined signatures that detect malicious activity by analyzing network traffic looking for a specific string match. String-matching signatures can be configured to analyze incoming, outgoing, or bidirectional traffic. Figure 25-16 illustrates the String matching signature configuration pane.

Figure 25-16: String matching signature configuration pane

ACL signatures are user-defined signatures that generate alerts based on policy violations recorded by access devices. To allow a sensor to send alarms based on ACL violations, you must first configure one or more routers to log ACL violations. The routers must then be configured to send syslog messages to the sensor. When the sensor receives a syslog message from the router, the sensor generates an alarm.

By default, the most critical signatures are enabled. Other signatures must be enabled to allow the sensor to monitor network traffic for that specific signature. Enabling and configuring the parameters for each signature is accomplished from the Configuration Area and the Sensing Engine Sub-Area. Signatures are discussed in more detail in the next chapter.

Level of Traffic Logging

From the Configuration Area, you can configure the level of logging the sensor should perform. As seen in Figure 25-17, you can configure the sensor to log the following:

Figure 25-17: Level of logging configuration pane

• None

• TCP connection requests and UDP traffic

• TCP connection requests, SYN-ACK, FIN, RST, and UDP traffic

• TCP SYN-ACK packets from the specified port and UDP traffic

Filter Configuration (Configuration | Sensing Engine | Filters)

You can configure filters to control the behavior of the sensing engine filters. You can configure the sensor to exclude or include signature matches based on the source or destination IP address. Signature filtering is only effective on enabled signatures. You can configure filters based on the IP address or IP address range. Figure 25-18 illustrates the filtering configuration pane.

Figure 25-18: Signature filtering configuration pane

Spam Control (Configuration | Sensing Engine | Spam Control)

You can use your network sensors to monitor the amount of spam entering your network. This feature examines the number of recipients contained in a mail message crossing the network. Figure 25-19 illustrates the spam control configuration pane.

Figure 25-19: Spam control configuration pane

IP Fragmentation Reassembly (Configuration | Sensing?Engine?|?Reassembly Options)

The reassembly options TOC item contained in the Configuration Area can be used to configure IP fragment reassembly parameters. By configuring this configuration pane, you configure the sensor to reassemble all the fragmented packets before they’re compared to the signature database. Figure 25-20 displays the IP fragment reassembly options configuration pane.

Figure 25-20: IP fragmentation reassembly configuration pane

Reassembling IP fragments into the complete datagram consumes sensor resources, such as memory and CPU cycles. Without some additional parameters in place, it would be possible for the sensor to run out of resources by attempting to track and reassemble too many datagram fragments. To prevent this from happening you must configure the following parameters:

• Maximum Partial Datagrams

• Maximum Fragments per Datagram

• Fragmented Datagram Timeout

  Note?

  Cisco recommends you don’t modify these settings unless you thoroughly understand your traffic patterns and the likelihood of receiving fragmented packets over a specified amount.

TCP Session Reassembly (Configuration | Sensing Engine >|Reassembly Options)

You can specify which TCP data streams should be analyzed based on the capability of the sensor to rebuild the entire session. Like IP fragment reassembly settings, these settings ensure that system resources, such as memory and CPU cycles, aren’t reserved for sessions that are no longer active. The TCP reassembly configuration pane is illustrated in Figure 25-21.

Figure 25-21: TCP reassembly configuration pane

Internal Networks (Configuration | Sensing Engine | Internal Networks)

You can specify that specific network IP addresses are internal networks for the purpose of logging and reporting. IP addresses that don’t match a configured IP internal network are considered external addresses. When the sensor generates an alarm, the IP address of both the source and destination are logged as internal (IN) or external (OUT) to help security administrators to identify the origin and destination of suspected attacks.

Data Sources (Configuration | Sensing Engine | Data Sources)

You must configure data sources when using ACL policy violation signatures. Cisco routers publish syslog messages to the sensors, including attempted ACL policy violations. The Cisco routers represent the data sources for ACL policy violation signatures. In the IP Address field, enter the IP address of the interface of the router that will publish syslog data to the sensor or the IP address of a network, if multiple routers from the same network will be sending syslog data to the sensor.

Sensing Properties (Configuration | Sensing?Engine | Sensing Properties)

As shown in Figure 25-22, the Sensing properties configuration panel can be used to configure the following:

• Sensing interface

• Alarm level for traffic flow

• Alarm level for link status

• The amount of time the sensor should store information once a host stops communication

  
  Figure 25-22: Sensing properties configuration panel

Logging (Configuration | Communications | Logging)

The logging Sub-Area can be used to configure specific logging settings on the sensor. The logging Sub-Tab includes four TOC items. TOC items are as follows:

• Event logging

• Exporting event logs

• Automatic IP logging

• IP logging

Exporting Event Logs

The exporting event logs configuration panel can be used to configure the automatic exporting of event logs to an FTP server. These logs can be stored for future examination, if needed. Figure 25-24 illustrates the exporting event logs configuration panel. You must specify the FTP server, directory, user name, and password to allow the sensor to upload event logs.

Figure 25-24: Exporting event logs configuration panel

Blocking (Configuration > > Blocking)

The 4200 series network appliances are the only sensors that support blocking. The IDSM can’t be configured to block IP addresses through device management. The blocking properties configuration panel is illustrated in Figure 25-25.

Figure 25-25: The blocking properties configuration panel

The 4200 series network appliances can be configured to block specific host addresses once a signature is matched. The blocking response is configured within the signature file itself. If a signature is matched and that signature is configured for blocking, the network appliance can configure a perimeter router or firewall to block all packets from that host for a specific number of minutes. To use this feature, you must specify the number of minutes the offending host should be blocked, as well as the Cisco ACL number used on the perimeter device.

Additional parameters used when blocking is enabled are located in the Blocking area Sub-Areas. The following Sub-Areas are used to configure blocking:

• Never Block Addresses

• Blocking Devices

• Master Blocking Sensors

  STUDY TIP?

  Blocking an IP address is also called shunning a host or IP address.

Never Block Addresses

When you enable address blocking, you must specify which addresses should never be blocked. Without this feature, hackers could spoof the address of your event viewer host (for example) and use this address to launch an attack. The sensors, detecting this attack, would then update the ACL on a managed device to block the IP address of your event viewer. If the Event Viewer address is blocked, you could potentially lose communication between your sensors and your Event Viewer host. If communication between the sensors and the Event Viewer host is lost, you won’t receive alarm notifications. Figure 25-26 shows the never block addresses configuration panel.

Figure 25-26: Never block addresses configuration panel

Blocking Devices

The Blocking Devices area lists the devices managed by the sensor. The router must be configured to allow telnet access from the sensor. Figure 25-27 illustrates the Blocking Device Properties window. You can use a single sensor to manage more than one perimeter device, but a perimeter device can’t be managed by more than one sensor. The information that must be configured on this panel to enable the sensors to block IP addresses includes the following:

Figure 25-27: Adding a managed device

• The IP address used for telnet access to the router

• The telnet user name and password

• The enable password

• The perimeter device interface address (configured in the Blocking Device interface TOC)

  STUDY TIP?

  You should understand how to configure a sensor to manage a perimeter device.

  Note?

  If the router to be managed doesn’t have user names configured, leave the Telnet User field blank.

Restore Defaults (Configuration | Restore Defaults)

You can restore the factory defaults of the sensor by clicking Reset Configuration on the restore defaults configuration panel. All configuration settings are restored to factory defaults except

• IP address, subnet mask, default gateway

• Allowed hosts

• Password

• Time

Logs (Monitoring | Log)

The Logs Sub-Area contains links to the logs generated by the sensor. These log files provide a record of all events the sensor has detected and can be used by security administrators while investigating an intrusion. The Logs Sub-Area, as seen in Figure 25-28, includes the following TOC items:

• Events

  • Current

  • Archived

• Message

  • sapd

  • idsupdate

• Archived

  • IP Logs

• Errors

  • Current

  • Archived

    
    Figure 25-28: The Logs Sub-Area

Sensing Interface Statistics (Monitoring | Sensing Statistics)

The sensing interface statistics panel reports the characteristics of the traffic captured by the sensor’s sensing interface, as seen in Figure 25-29.

Figure 25-29: Sensor statistics report

Event Viewer (Monitoring | Event Viewer)

The event viewer Sub-Area contains links to Cisco’s web site detailing technical information and access to the event viewer installation files.

System Information (Administration | System Information)

The system information panel lists configuration and system information for the local sensor. As you can see in Figure 25-30, the system information report includes the following information:

Figure 25-30: System information report

• Sensor Version

• Host Name

• Organization Name

• Organization ID

• PostOffice Port

• Web Server Port

• CIDS Daemon Status

• CIDS Connection Status

• CIDS Version

• IP Address

• Netmask

• Default Route

• MAC Address

• Hardware

• Operating System

• CPU Usage

• Memory Usage

• CIDS Logging Disk Usage

• TAC Link

Update (Administration | Update)

The update configuration panel can be used to update the software installed on the sensor. Updates can be initiated manually or they can be scheduled, as shown in Figure 25-31. When performing an update or configuring an automatic update, you must specify the FTP server address, directory, user name, and password.

Figure 25-31: Scheduled updates

Manual Blocking (Administration | Manual Blocking)

Manual blocking can be initiated from the Administration Area. You can specify the IP address or the network address you want to block and the amount of time the address(s) should remain blocked, as shown in Figure 25-32.

Figure 25-32: Manual blocking configuration panel

Diagnostics (Administration | Diagnostics)

The diagnostics Sub-Area can be used to run a new diagnostics test or to view the report generated when the last diagnostics report was generated.

System Control (Administration | System Control)

The system control panel enables you to perform basic administration of the sensor. This panel allows the administrator to

• Stop and restart IDS processes

• Reboot the sensor

• Power down the sensor

IDM Properties (Administration | System Control)

The IDM properties allow the administrator to customize some configuration settings within the sensor itself. Using the configuration panel in the Sub-Area Severity mapping, you can customize the mapping of severity number (1–5) to the severity names. By default, the mappings are as follows:

• Informational Categorizes the event as informational in nature and not a risk to security. These events are shown with a blue icon in the IDS Event Viewer.

• Low Categorized the event as mildly severe. These events are displayed with a yellow icon in the IDS Event Viewer.

• Medium Categorizes the event as a moderate risk. These events are displayed with an orange icon in the IDS Event Viewer.

• High risk. High-risk events are displayed with a red icon in the IDS Event Viewer.

The second IDM properties TOC item is signature pagination. This configures the number of signatures listed on a single display page when viewing signature groups.