Configuring the IDS Device Manager

The IDS Device Manager is probably the easiest management tool to use. The installation is relatively painless and the price is right. It comes installed on the sensor and is free with the purchase of the sensor software. You will see that just about everything you did with the other management applications, you can do with IDM. The only exception to this is that you can only configure one sensor at a time—the one you are logged on to. For most of us though, the graphical interface is familiar territory and easy to maneuver through.

There are four tabs located at the top of the screen just underneath the application name. The tabs are named Device, Configuration, Monitoring, and Administration. You'll use these tabs to make any configuration changes, tune signatures, view current and archived logs, and perform other tasks. At the very top right-hand side of the screen are buttons for Logout, Apply Changes, Help, NSDB, and About.

The Device Tab

The Device tab allows you to make some basic configuration changes to your sensors. Just under the tab is a menu bar with one option, Sensor Setup. Here, you can make basic sensor modifications, like those done in sysconfig-sensor. You can also configure SSH, set the time, and change passwords (see Figure 4.40).

Figure 4.40: The Device Tab

To make network changes, follow these steps:

  1. Select Network. Figure 4.41 displays these settings, which are similar to those in sysconfig-sensor, with a few added fields.

    Figure 4.41: Network Settings

  2. Make changes to your sensor configuration in this screen. Ensure your Host ID is unique and your organization name and ID match the rest of your IDS infrastructure.

  3. The PostOffice Port defaults to port 45000. In the Route Up and Route Down Alarm Level boxes, select how you want the two alarms to be displayed in your event viewer. The route going down defaults to high. This is fairly important and should catch your attention. The route coming back up may be less important so it is marked as informational, as shown in Figure 4.42, and may not even be displayed on your event viewer, depending on your configuration.

    Figure 4.42: The Alarm Level

  4. Select the Heartbeat Interval Multiplier. The heartbeat interval is the number of seconds between queries for PostOffice services. Enable or disable TLS/SSL. TLS/SSL is on by default and the port is 443.

  5. Click Allowed Hosts.

  6. On the screen, you can add specific IP addresses or entire networks that can access the sensor (see Figure 4.43). Try to be as specific as possible. Least privilege is a good practice when giving access.

    Figure 4.43: Allowed Hosts


    Note

    The idea of least privilege is quite simple in definition but rather difficult when put into practice. It requires that a user be given only the necessary privileges to perform a job. First, the user's job is identified and a minimum set of privileges is associated with the job function, thus allowing the user to perform the job with those privileges and nothing more.

  7. Select Remote Access. In this window, you can specify whether to allow or disallow FTP or Telnet. Make your selection and click OK.

  8. Select SSH | Host Key to generate a new host key.

  9. Click Generate Host Key and the system generates a new key, replacing the old one. The changes take effect once applied. Do not forget to update the fingerprint on remote systems (see Figure 4.44).

    Figure 4.44: Generating a Host Key

  10. Select Time to modify the system time.

    • Version 3.1 allows you to modify the time, date, and time zone.

    • Version 4.0 provides more granularity allowing changes to time, date, time zone, UTC settings, NTP settings, daylight savings, and the duration of daylight savings.

  11. Select Password if you need to change the passwords for the accounts root or netrangr.

  12. Once you have completed any sensor configurations, select Finished.
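Step 6 and the note above it say to keep the Allowed Hosts list as specific as possible. The following is an added example, not code from the book or from Cisco IDM: a small audit script that reads a list of Allowed Hosts entries (single addresses or networks, in the same form the IDM screen accepts) and flags any entry that admits more hosts than a chosen threshold or is syntactically invalid. The entry list, the threshold of 256 addresses, and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample of what an operator might have typed into Allowed Hosts.
# A management-station address, its subnet, a whole private range, "everything",
# and a typo. Only the first two respect least privilege.
SAMPLE_ALLOWED = [
    "10.1.2.10",      # one management workstation (/32)
    "10.1.2.0/24",    # the management subnet
    "172.16.0.0/12",  # far too broad: over a million addresses
    "0.0.0.0/0",      # admits every host on the Internet
    "10.1.2.300",     # invalid: not an IP address
]


def audit_allowed_hosts(entries, max_hosts=256):
    """Return a list of (entry, reason) findings for entries that are invalid
    or admit more than `max_hosts` addresses. An empty list means every entry
    is specific enough under the chosen threshold."""
    findings = []
    for entry in entries:
        try:
            # strict=False accepts host bits set inside the mask (e.g. 10.1.2.5/24).
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not a valid IP address or network"))
            continue
        if net.num_addresses > max_hosts:
            findings.append(
                (entry, "admits %d addresses, more than the %d allowed"
                 % (net.num_addresses, max_hosts))
            )
    return findings


def is_least_privilege(entries, max_hosts=256):
    """True when no entry is invalid or broader than the threshold."""
    return not audit_allowed_hosts(entries, max_hosts)


if __name__ == "__main__":
    for entry, reason in audit_allowed_hosts(SAMPLE_ALLOWED):
        print("FLAG %-16s %s" % (entry, reason))
```

Run the script before applying an Allowed Hosts change; any flagged entry is one to narrow to the specific management stations that actually need to reach the sensor.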

The Configuration Tab

In the Configuration tab, you can configure the sensing engines, Communications, Logging, and Blocking. You also have the option to restore default settings in this screen. Take your time, and hopefully you won't have to restore defaults. Keep in mind that signature tuning is time-consuming.

The sensing engine configuration is for tuning and enabling/disabling signatures. You can tune all of the signatures, specify the level of traffic, what port is used, even filter certain signatures that you do not want to see. You can also configure IP Fragmentation Reassembly Options (see Figure 4.45).

Figure 4.45: Sensing Engine: Configuration

Notice that the different types of signatures are represented in groups on the screen. They have circles next to them that are either clear, half-filled, or filled. The clear circle means that none of the signatures in that specific group are enabled. The half circle means at least one signature is enabled, while a full circle means that all of the signatures are enabled.

If you want to enable all of the signatures in a certain group, put a check in the box next to the group, and click Enable at the bottom of the screen. To disable all of the signatures in a group, put a check in the box next to the group, and click Disable.

To configure or tune a signature, follow these steps:

  1. Select a signature group. The screen should display all of the signatures in that group. If there is more than a single screen of signatures, scroll to the bottom of the screen and select the signature IDs to move to.

  2. Once you have selected the signature to tune, click the little notepad icon next to the signature name. You should get a screen similar to that shown in Figure 4.46.

    Figure 4.46: Tuning a Signature

  3. Make the changes necessary to meet the requirements in your security policy. If you move your cursor over the field name, it will tell you what needs to be entered in the field next to the name (see Figure 4.47).

    Figure 4.47: Signature Fields

  4. Once you have tuned all of your signatures, use the Apply Changes button to have them implemented.

The Remote Hosts screen in the Configuration tab is used to specify hosts that receive events from the sensor. (Refer to Figure 4.48.)

Figure 4.48: Remote Hosts

The Event Logging screen in the Configuration tab is used to define at what level an event gets logged, as well as what type of alarms are logged (see Figure 4.49).

Figure 4.49: Event Logging

The Blocking screen is used to configure blocking and shunning. Be extremely cautious when configuring blocking. You do not want to deny access to a customer, client, or business partner (see Figure 4.50).

Figure 4.50: Blocking Configuration

The Restore Defaults screen does exactly what it says. It sets all of your configurations back to factory defaults.

The Monitoring Tab

In the Monitoring tab you have the ability to view logs, interface statistics, and download the event viewer. To view interface statistics, simply click Sensing Interface Statistics. It may take a few moments for the statistics to be displayed. The display resembles Figure 4.51.

Figure 4.51: Sensing Interface Statistics

To view event logs, follow these steps:

  1. Select Logs. Here you can view Error and Command Logs, IP Session Logs, Current and Archived Event Logs, and System Messages.

  2. Choose Current Events. The resulting output should resemble that shown in Figure 4.52.

    Figure 4.52: Log Output

The full output would look something like this:

3,10000030,2003/06/16,20:30:36,2003/06/16,14:30:36,10008,8,100,OUT,OUT,5,2001,0,TCP/IP,192.168.2.5,10.0.0.32,0,0,0.0.0.0,

It's not very easy to read, but that's what the Event Viewer is for. It translates it all into easy-to-read records. We'll discuss the Event Viewer shortly. Table 4.2 describes each field in the .csv log file.

Table 4.2: Log File Field Values

Field Value     Field Type
3               Record Type
10000030        Record ID
2003/06/16      GMT Date Stamp
20:30:36        GMT Time Stamp
2003/06/16      Local Date Stamp
14:30:36        Local Time Stamp
10008           Application ID
8               Host ID
100             Organization ID
OUT             Source Direction
OUT             Destination Direction
5               Alarm Level
2001            Signature ID
0               SubSignature ID
TCP             Protocol
192.168.2.5     Source Address
10.0.0.32       Destination Address
0               Source Port
0               Destination Port
0.0.0.0         Router Address
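The raw record is hard to read by eye, as the text says, but its field order is fixed by Table 4.2, so it is easy to parse. The following is an added example, not code from the book or from the Cisco Event Viewer: a parser that turns the .csv records into dictionaries keyed by the field names in Table 4.2, converts the numeric fields, builds a GMT timestamp, and lets you filter by alarm level. The sample log is constructed for the example (the first record is the one shown above; the second is invented), and the field-name constants and function names are assumptions.

```python
from datetime import datetime

# Field order of one record, taken from Table 4.2. Names are assumed for the example.
FIELDS = [
    "record_type", "record_id", "gmt_date", "gmt_time", "local_date", "local_time",
    "application_id", "host_id", "organization_id", "src_direction", "dst_direction",
    "alarm_level", "signature_id", "subsignature_id", "protocol",
    "src_addr", "dst_addr", "src_port", "dst_port", "router_addr",
]
INT_FIELDS = {
    "record_type", "record_id", "application_id", "host_id", "organization_id",
    "alarm_level", "signature_id", "subsignature_id", "src_port", "dst_port",
}

# Constructed sample log: the record from the text plus a second, invented, low-level alarm.
SAMPLE_LOG = """\
3,10000030,2003/06/16,20:30:36,2003/06/16,14:30:36,10008,8,100,OUT,OUT,5,2001,0,TCP/IP,192.168.2.5,10.0.0.32,0,0,0.0.0.0,
3,10000031,2003/06/16,20:31:02,2003/06/16,14:31:02,10008,8,100,IN,OUT,1,3000,0,TCP/IP,10.0.0.32,192.168.2.5,1025,80,0.0.0.0,
"""


def parse_record(line):
    """Parse one comma-separated record into a dict keyed by the Table 4.2 names."""
    parts = line.strip().split(",")
    if parts and parts[-1] == "":      # each record ends with a trailing comma
        parts = parts[:-1]
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    # Combine the two GMT fields into one timestamp for sorting and comparison.
    rec["gmt"] = datetime.strptime(rec["gmt_date"] + " " + rec["gmt_time"],
                                   "%Y/%m/%d %H:%M:%S")
    rec["local"] = datetime.strptime(rec["local_date"] + " " + rec["local_time"],
                                     "%Y/%m/%d %H:%M:%S")
    return rec


def parse_log(text):
    """Parse every non-empty line of a log file's contents."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def utc_offset_hours(rec):
    """Sensor's local-time offset from GMT, derived from the two timestamps."""
    return (rec["local"] - rec["gmt"]).total_seconds() / 3600


def alarms_at_least(records, min_level):
    """Keep only records whose Alarm Level is at or above min_level."""
    return [r for r in records if r["alarm_level"] >= min_level]


def describe(rec):
    """One readable line per record, in the spirit of the Event Viewer display."""
    return "%s GMT level=%d sig=%d/%d %s %s:%d -> %s:%d" % (
        rec["gmt"].strftime("%Y-%m-%d %H:%M:%S"), rec["alarm_level"],
        rec["signature_id"], rec["subsignature_id"], rec["protocol"],
        rec["src_addr"], rec["src_port"], rec["dst_addr"], rec["dst_port"])


if __name__ == "__main__":
    for rec in alarms_at_least(parse_log(SAMPLE_LOG), 3):
        print(describe(rec))
```

Point `parse_log` at the contents of an archived event log to get the same records the Event Viewer shows, and use `alarms_at_least` with the level you chose on the Event Logging screen to confirm that the entries you expect are actually being written.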

With this in mind, let's run through downloading the Event Viewer from IDM so we can look at events in a format that's a little easier on the eyes. To download the Event Viewer, follow these steps:

  1. From the Monitoring tab, select IDS Event Viewer from the menu bar. The screen should have a couple of links to choose from (see Figure 4.53).

    Figure 4.53: The Event Viewer Download Screen

  2. Click the Event Viewer Readme link and review the signature updates and features.

  3. Click the Download the Windows NT/2000 IDS Event Viewer link. This will initiate the download process to your workstation.

  4. If there are signature updates, the link will be highlighted for you to download. Download if necessary.

  5. Close this screen. (We discuss installing and configuring it later.)

The Administration Tab

In the Administration tab, you can configure automatic updates, view system information, run diagnostics on your sensor, set up severity levels for events, and start and stop processes. The two most useful options here are viewing system information and setting up automatic updates. To view the system information, click System Information in the menu bar (see Figure 4.54). This gives you the basic information necessary for troubleshooting. The following information should appear on the screen:

  • Sensor Version

  • Host Name

  • Host ID

  • Organization Name

  • Organization ID

  • PostOffice Port

  • Web Server Port

  • IP Address

  • Netmask

  • Default Route

  • CSIDS Daemon Status—Displays running daemons

  • CSIDS Connection Status—Displays the PostOffice connection status

  • CSIDS Version—Displays daemon versions

  • Administrative Tasks

  • MAC Address

  • Hardware

  • Operating System

  • CPU usage

  • Memory usage (in MB)

  • CSID Logging Disk Space Usage (in MB)

  • TAC

Figure 4.54: System Information

To configure automatic updates, follow these steps (see Figure 4.55):

Figure 4.55: Updates

  1. In the Administration tab, select Update from the menu bar.

  2. Enter the IP address of the FTP server in the FTP Server Field.

  3. Enter the user account that will be used to connect to the FTP server in the Username field.

  4. Enter the password of the user account in the Password field.

  5. Enter the path (location) of the update files. Use a "/" at the beginning of the path.

  6. Select the Disabled check box.

  7. Select the Performed at check box and enter the times to check for updates.

  8. Click OK.

There is also a Diagnostics option in the Administration tab. This is mainly used by the Cisco TAC personnel for troubleshooting. To run the diagnostics from the Administration tab, click Diagnostics, then click Run Diagnostics (see Figure 4.56). A diagnostics report will be displayed on the screen. Once you have run at least one diagnostics report, you will have the option of viewing the last diagnostics report by clicking View Last Report.

Figure 4.56: Diagnostics

Lastly, remember that after you make any changes in IDM, you must always apply the changes. To apply the changes you have made to the sensor, click the Apply Changes button in the upper right-hand corner of the IDM screen. It may take some time, but when the changes are complete you will get a success message. Once you have made all of your configuration changes to IDM and your sensors, click Logout, located next to the Apply Changes button.