Setting Up Sensors and Sensor Groups -Configuring & Implementing: Monitoring Connections

Setting Up Sensors and Sensor Groups

Sensors are the "eyes and ears" of the Cisco IDS Management Center. They are placed strategically at the perimeter of the network and near key resources within the enterprise. Each of the sensors deployed in the network has been configured with a unique IP address. The IDS MC uses this IP address to communicate with the sensor. Once these sensors are deployed and assigned IP addresses, they can be configured and managed from within the MC.


Figure 10.10: Monitoring Connections

The IDS MC Hierarchy

The IDS MC maintains a hierarchy of sensors, sensor groups and sensor subgroups. Groups provide the capability of managing multiple sensors performing similar functions. Rather than configuring each sensor individually, the IDS MC allows for the configuration of groups of sensors. This dramatically reduces the administrative burden on security personnel. Figure 10.11 illustrates an example of an IDS MC sensor group hierarchy. At the top of the group hierarchy is the Global group. There can be many levels of groups and sensors under the Global group. Each of the lower-level groups, subgroups, and sensors is added manually.

Figure 10.11: The IDS MC Hierarchy

Creating Sensor Subgroups

A sensor subgroup can be added to any group including the Global group. The following steps can be used to create a sensor subgroup:

  1. From the Management Center for IDS Sensors page (Figure 10.7), select the Devices tab, then choose Sensor Group. The Sensor Group page will appear, as shown in Figure 10.11.

  2. The Sensor Group page displays a tree of multiple levels of sensor groups and sensors. At present, there is a Global group as well as three subgroups: Core, Internet, and VPN. Select the name of the group under which the new subgroup will appear. Click the Create Subgroup button.

  3. The Add Group page appears, as shown in Figure 10.12. Enter the new subgroup's name in the Group Name field. Describe the new group in the Description field. Under settings, select the parent group's settings or copy the settings from a group in the pull-down menu.

    Figure 10.12: The Add Group Page

  4. Click OK to create the new subgroup.

The Sensor Group page reappears, containing the newly created group. In Figure 10.13, this new group is named Campus.

Figure 10.13: The Sensor Group Page with the New Subgroup

Adding Sensors to a Sensor Group

A sensor can be added to any group including the Global group. To add a sensor to the Global group or a subgroup, use the following procedure:

  1. From the Management Center for IDS Sensors page (Figure 10.9), select the Devices tab, then choose Sensors.

  2. The Sensor page will appear as shown in Figure 10.14. Click the Add button.

    Figure 10.14: The Sensor Page

  3. The Select Group page will appear, as shown in Figure 10.15. Select the Group to add the sensor to and click Next.

    Figure 10.15: The Select Sensor Group Page

  4. The Enter Sensor Information page appears, as shown in Figure 10.16. Enter the IP Address of the sensor, the NAT Address of the sensor if one exists, and the Sensor Name. To retrieve sensor settings directly from the sensor, select the Discover Settings check box. Enter the User ID and Password for Secure Shell (SSH) communications. For sensor appliances and IDS modules, the default user ID is cisco. The default password for the account is cisco. It is also possible to authenticate to the IDS sensor using an SSH public/private key pair. To use existing SSH keys, check the Use Existing SSH keys check box. However, do not select this option if the sensor is to be used as a master blocking sensor. Once the information has been entered, click Next to move on to the final step.

    Figure 10.16: The Enter Sensor Information Page

  5. The Sensor Information page appears, as shown in Figures 10.17 and 10.18. From the Version pull-down menu, select the sensor software version installed on the sensor. Enter a text Comment. For sensors running the IDS sensor software version 3.x, additional information needs to be entered. This information includes the sensor Host ID, which is typically the last octet of the sensor's IP address. Enter the Org Name using only lowercase letters. Enter the Org ID. The default is 100. Within a Postoffice domain, with no sensor or sensor group, the Org ID/Host ID pair must be unique. For Sensor software version 4.x and later, a text comment need only be entered in the Comment field. Click Finish.

    Figure 10.17: The Sensor Information Page for Sensor OS Version 3.x

    Figure 10.18: The Sensor Information Page for Sensor OS Version 4.x

  6. The Sensor page reappears, updated with an entry for the new sensor you have added, as shown in Figure 10.19.

    Figure 10.19: The Updated Sensor Page
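The values entered in steps 4 and 5 can be checked before they are typed into the MC. The following is an added example, not part of the original text or of any Cisco tool: it runs over a constructed inventory and flags duplicate IP addresses, the default cisco/cisco account, and, for version 3.x sensors, a non-unique Org ID/Host ID pair, a non-lowercase Org Name, and a Host ID that departs from the last-octet convention. The field names, the sensors balin and gloin, and all addresses are assumptions, and the whole inventory is assumed to sit in one Postoffice domain.

```python
import ipaddress
from collections import Counter

# Constructed inventory: planned entries for the Enter Sensor Information and
# Sensor Information pages. Field names, addresses and the sensors other than
# thorin are made up for this example; all are assumed to share one
# Postoffice domain.
SENSORS = [
    {"name": "thorin", "group": "Campus", "ip": "10.1.1.14", "version": "3.1",
     "host_id": 14, "org_id": 100, "org_name": "campus",
     "user": "cisco", "password": "cisco"},
    {"name": "balin", "group": "Core", "ip": "10.1.2.14", "version": "3.1",
     "host_id": 14, "org_id": 100, "org_name": "Core",
     "user": "idsadmin", "password": "constructed-secret"},
    {"name": "gloin", "group": "VPN", "ip": "10.1.3.20", "version": "4.0",
     "user": "idsadmin", "password": "constructed-secret"},
]

def check_inventory(sensors):
    """Return a sorted list of (sensor name, finding) tuples."""
    findings = []
    ip_count = Counter(s["ip"] for s in sensors)
    # Org ID/Host ID pairs only exist for sensors running version 3.x.
    pair_count = Counter((s["org_id"], s["host_id"]) for s in sensors
                         if s["version"].startswith("3."))
    for s in sensors:
        ipaddress.IPv4Address(s["ip"])  # raises ValueError if malformed
        if ip_count[s["ip"]] > 1:
            findings.append((s["name"], "IP address is not unique"))
        if (s["user"], s["password"]) == ("cisco", "cisco"):
            findings.append((s["name"], "default cisco/cisco account in use"))
        if s["version"].startswith("3."):
            if pair_count[(s["org_id"], s["host_id"])] > 1:
                findings.append((s["name"], "Org ID/Host ID pair is not unique"))
            if s["org_name"] != s["org_name"].lower():
                findings.append((s["name"], "Org Name must be lowercase"))
            if s["host_id"] != int(s["ip"].split(".")[-1]):
                findings.append((s["name"], "Host ID is not the last octet (convention)"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in check_inventory(SENSORS):
        print(f"{name}: {finding}")
```
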

Deleting Sensors from a Sensor Group

A sensor can be deleted from any group including the Global group. Use the following steps to delete a sensor from a subgroup:

  1. From the Management Center for IDS Sensors page (Figure 10.9), select the Devices tab and choose Sensors.

  2. The Sensor page appears, as shown in Figure 10.20. Check the box in front of the entry for the sensor to delete. In this case, the sensor to be deleted is called thorin. Click the Delete button.

    Figure 10.20: The Sensor Page

  3. The Sensor tree page appears, as shown in Figure 10.21. Note that the sensor named thorin has been removed from the tree.

    Figure 10.21: The Sensor Tree Page

Deleting Sensor Subgroups

As with sensors, sensor subgroups can be deleted from any group including the Global group. Use the following steps to delete a sensor subgroup:

  1. From the Management Center for IDS Sensors page (Figure 10.9), select the Devices tab, and choose Sensor Group.

  2. The Sensor Group page appears, as shown in Figure 10.22. In the tree, select the subgroup to delete and click the Delete button.

    Figure 10.22: The Select Sensor Group Page