Using the Cisco Secure Policy Manager

Even though there is a huge push for ease-of-use technology, such as Web-based interfaces like IDM, CSPM is still the dominant application in the industry for administrators tasked with managing Cisco IDS sensors. This section will take you through the installation, configuration, and management of CSPM.

For most administrators, CSPM is what we look for in a management tool: a Windows-based product designed specifically to manage security policies not only for sensors but also for the PIX firewall, IOS routers, and VPN software. The focus here is strictly on managing the sensors. CSPM allows us to manage multiple sensors from a single location without having to perform any management at the devices themselves.

Installing CSPM

Before installing CSPM, make sure the following software requirements have been met, to save yourself from having to backtrack and install/configure them:

* Windows NT 4.0
* Service Pack 6a for NT
* Internet Explorer 5.5
* TCP/IP Protocol Stack
* HTML Help 1.32 Update
* Microsoft's XML Parser 3 (MSXML3)
* NTFS
* TAPI/MAPI for email
* DHCP should be disabled
* NT Startup time set to zero

Note

The autostart service does a check for NT 4.0, Internet Explorer 5.5, HTML Help 1.32 Update, and MSXML3 during setup. The installation application does not know what any Windows version later than NT 4 is, or any browser version later than 5.5, so it will not continue. It will run correctly in a Connectix Virtual PC session, which in turn runs very well on Windows 2000 or XP.

Due to the sensitivity of intrusion detection, it is recommended that you install CSPM as a stand-alone system. The CSPM system is intended to be in a location like a Security Operations Center (SOC). It allows all of the security personnel to look at the same interface, and only those personnel with access to the SOC can access the system. The client/server installation allows management to take place from different locations. This is not always a best practice, and auditing, traceability, and nonrepudiation become an issue.

1. Insert the CSPM installation CD. The autostart service will automatically begin the installation.

2. The first thing you will see is a warning to disable any antivirus software during installation. Next, you will get the notification in Figure 4.1, Cisco Secure VPN Client Not Installed on Host.

Figure 4.1: Cisco Secure VPN Client Warning Message

3. If you plan on installing the VPN client, do that before you install CSPM. Otherwise, press Continue.

4. Select Install Product in the Options box as shown in Figure 4.2, and then click Next.

Figure 4.2: Cisco Secure Policy Manager Installation

5. At this point, if the applications listed previously have not been installed, the installation cannot proceed. The Options box will display any required components that are not present.

6. At the License Agreement panel, accept the terms of the license and click Next.

7. Specify the location of the CSPM license disk, usually on the accompanying diskette, by entering the directory path.

8. You will also have to enter the password that corresponds with the license disk. The password is usually on the diskette label. Click Next. See Figure 4.3.

Figure 4.3: CSPM License Disk

9. If you have downloaded the software, the password will be in the readme file.

10. Select the type of system you want to install: Standalone or Client/Server. CSPM does not support the Distributed CSPM option. See Figure 4.4.

Figure 4.4: Installation Options

11. If you are installing a client/server system, select Policy Server. This needs to be installed before Policy Administrator in the Feature Set list. The Policy Administrator Feature Set is for Remote Administration. The Feature Set drop-down box is disabled for the Standalone option.

12. Specify the installation path in the Installation Folder box and click Next.

13. You will be prompted to enter the password for the Windows NT username detected during setup. Click Next.

14. Select the IP address configured on the local host for the stand-alone system and enter the port the Primary Policy Database will communicate on. The default port is 2567. See Figure 4.5.

Figure 4.5: Settings

Note

When setting the IP address for CSPM, do not think that you can change it later. You cannot change it without reinstalling CSPM, so make sure you get it right the first time. Don't ask how we know this.

15. Specify the Policy Database key location in the File Destination box. If you are doing a stand-alone system, it is not mandatory to export the key. The client/server system installation requires you to export the database key. Click Next.

Note

It is recommended that you export the database key to a diskette that is readily available and can be stored in a secure location. Exporting the database key to a network share is discouraged: if the network resources become inaccessible, the database key cannot be retrieved.

16. In the Configure Communication Properties screen, shown in Figure 4.6, enter your CSPM system's host ID, organization ID, the IP address (if it is not already displayed), the host name, and organization name.

Figure 4.6: Configure Communication Properties

17. Verify your settings. If a setting is incorrect, you can use the Back button to back up and make changes. If everything is correct, click Copy Files.

18. Once the installation has completed, click Finish to close the setup program.

If you are performing a stand-alone system installation, you will only have to do the installation procedure once. If you are implementing a client/server CSPM system, you need to repeat the previous steps to install the Policy Administrator feature set on all other hosts that will serve as clients for remote administration.

Once you have finished the installation, you will need to log in to start configuring.

Note

A stand-alone system can be converted to a client/server system without having to uninstall and reinstall CSPM. The stand-alone system will act as the Policy Server. Once you have exported the database key from the stand-alone system, you can install the Policy Administrator feature set on multiple hosts for remote management, using that database key during the installation of the Policy Administrator feature set.

Logging In to CSPM

To log in to CSPM, follow these steps:

1. Open the Log on to Cisco Secure Policy Manager dialog box by going to the CSPM executable: click Start | Programs | Cisco Systems, then click Cisco Secure Policy Manager.

2. Use the account that was defined during the installation to log in. Enter the account name and password.

3. In a client/server system configuration, when logging in from the Policy Server, click Local under Policy Database Server. When logging in from a remote server, click Remote Server, and then enter the IP address or DNS name in the box. Click Connect. See Figure 4.7.

Figure 4.7: Log on to Cisco Secure Policy Manager

If you are having trouble logging on to CSPM, verify that the ORGID and ORGNAME on the CSPM match what is defined on the sensor. This is essential to communicate properly.

Note

If the default port number of 2567 is still the communication port, you do not need to specify a port value.

Configuring CSPM

Now we are going to go through the configuration process for CSPM. The sensors need to be added to the topology in CSPM to start managing them. But before that happens, networks need to be defined, and your CSPM host needs to be defined also. One thing that needs to be addressed up-front is that the postoffice protocol settings that include HOSTID, ORGID, HOSTNAME, and ORGNAME are correct and communication has been established between the sensors and the management device. If the sensor is on the outside of a firewall, rules need to be put in place for postoffice communication to occur.

Once you log on to CSPM, you will be greeted by the Getting Started pop-up window. The Getting Started window allows you to view different video tutorials that walk you through different procedures you will encounter while using CSPM. If you are a first-time user, it would be wise to take a moment and go through these videos. See Figure 4.8.

Figure 4.8: Getting Started

Note

The newest CSPM (3.1) does not support IDS sensors. For more details, see www.cisco.com/en/US/products/sw/secursw/ps2133/prod_software_versions_home.html.

CSPM v2.3.3i is the last version of CSPM that supports Cisco's IDS.

The first thing you need to do in configuring a topology in CSPM is to define the network on which the control interface of the sensor will reside, and the network where the CSPM host will reside. If you do not have a command and control network, they may possibly be on the same subnet, so only one network will need to be defined in the topology. Follow these steps to define a network for CSPM.

Adding a Network

Adding a network is the first step in defining a topology in CSPM. Without it, you will not be able to add any hosts. This is a logical map and does not necessarily need to be exactly accurate, but it does need to be done.

1. Right mouse-click the Internet icon in the topology map and select New, then Network to create a new network. (Refer to Figure 4.9.)

Figure 4.9: Adding a Network

2. In the Network screen, add the name of the network, the network address, and the subnet mask that will be used. Notice in Figure 4.10 that the name of the network can be whatever you want it to be. I recommend you name it something that makes sense to your organization (for instance, out-of-band network, command network, and so on). You have the option of simply identifying a network here without supplying any of the addresses by checking the Unnumbered box at the bottom of the window.

Figure 4.10: Network Parameters

3. Click the IP Address button or right-click the interface icon, select New then IP Address, as shown in Figure 4.11, and enter the IP address that the network will use to access the Internet. This should be your network's Default Gateway. Then click OK.

Figure 4.11: Interface IP Address

Note

Since you already defined these IP addresses on the sensor, they do not have to be correct on the topology map. This is for your benefit. The network will still be added to the topology map. This topology map is more or less eye candy for you to know where your components are located in your IDS infrastructure.

You have now defined your network. Now you need to add the CSPM host onto that network. We show how to add a CSPM host to your newly defined network in the next section.

Adding a Host

In order to control a sensor with CSPM, you have to configure CSPM to communicate with the sensor. Configuration parameters are required to manage the sensor. These procedures take you through the specific settings that have to be configured before the sensors can be managed with CSPM. Think PostOffice Protocol while setting up communications between CSPM and the sensors. The postoffice settings will also allow for the distribution of audit event messages.

1. Right-click the network icon you have just defined and select New | Host.

2. The Cisco Secure Policy Manager dialog box (shown in Figure 4.12) should appear, indicating that a network object has been detected in the Policy Database. The dialog box will also display the name of the device. If you do not get a screen similar to this, you are not on the correct network.

Figure 4.12: Network Object Detection

3. Click the Yes button to install the CSPM host into the topology map.

4. To verify that the information for the CSPM host is correct, use the General screen, as shown in Figure 4.13. The SMTP Server will usually be your e-mail server. This should be defined as an object in your topology map also. If there is more than one IP address for your CSPM host, add them here.

Figure 4.13: The Host General Information Tab

5. To configure the postoffice settings on the CSPM host, click the Policy Distribution tab shown in Figure 4.14. Each of the settings in the required section has to be filled in correctly for CSPM to manage policy changes. The Network Service field should be set to the PostOffice Protocol.

Figure 4.14: Host Policy Distribution Tab

6. Once you have entered and verified the settings, click OK. The CSPM host icon will show up in the topology map under the network defined earlier.

Note

If you modify the postoffice settings, audit events will not be forwarded or received until you save and update the configuration. A sensor must also be defined in order for events to be generated.

Adding a Sensor

After you have added your CSPM host, you will need to define the sensors that you will manage with CSPM. The process to define the sensors is similar to adding a host to your topology map. You can either right-click your network icon and click New | Sensor (as shown in Figure 4.15), or right-click your network icon and then click Wizards | Add Sensor. Whichever method you choose, the results will be the same. The wizard just helps take some of the work out of it.

Figure 4.15: Add Sensor

Note

If you have previously configured the sensor signatures, you will want to capture that configuration so you do not have to repeat the process. Use the wizard and check the box in the bottom-left corner of the first screen to capture that configuration.

The Identification tab for the sensor needs to be filled in for initial setup. You will enter the Sensor Name and Organization Name, choose the sensor version, verify the IP address, and enter the host ID and organization ID (refer to Figure 4.16). Do not worry about any of the other tabs at this moment. You just want to get the sensor added to your topology map.

Figure 4.16: Sensor Parameters

In Figure 4.17, you see all of the tree structure that has been populated in the left section of the CSPM screen. Notice under Tools and Services | Sensor Signatures the Default icon. This is the default set of signatures created for your sensors. You may actually have one of these for each sensor, or use only one to push the signatures to all sensors on your network.

Figure 4.17: CSPM Tree Structure

Once you have added all of your sensors and your CSPM host, you can begin configuring and optimizing/tuning the sensors and the sensor signatures. The sensor must be set up to sniff the traffic on the correct interface and log the events. Going through each of the configuration tabs on the sensor, we will configure your sensor.

The Properties Tab

The Properties tab allows you to set a few specific parameters to help identify your sensor, define internal and external networks, and also SYSLOG data streams, via three subtabs: Identification, Monitoring, and Internal Networks.

1. Select the sensor you are going to configure in the topology map. The first tab is the Properties tab. The Identification tab should already be filled in correctly. Verify the information on this tab is correct. Pay close attention to the Sensor Version. Also, use the comments box to enter important information regarding the network segment that is being monitored by this sensor.

2. To monitor SYSLOG data sources, select the Monitoring tab under the Properties tab (see Figure 4.18). The monitoring parameters allow you to add multiple SYSLOG data sources. Click Add and add the IP address and subnet mask for each data source. This is the interface from which an IOS router is sending its SYSLOG traffic.

Figure 4.18: The Monitoring Tab

3. Select the Internal Networks tab (see Figure 4.19). In this section, you will define the Internal Protected networks that the sensor is protecting. CSPM uses this to parse the events in the Event Viewer. Any address space that is not identified in this section is considered an external address, designated as "OUT." The internal addresses are designated as "IN."

Figure 4.19: The Internal Networks Tab

4. Click Add and add all of the internal address space that this sensor is protecting.

The Sensing Tab

The Sensing tab allows you to configure which signature configuration file the sensor is using, which Packet Capture Device (Interface) it is employing, and how to handle IP Fragment Reassembly.

1. Click the Sensing tab on the sensor you are going to configure (see Figure 4.20).

Figure 4.20: The Sensing Tab

2. In the Active Configuration field, select the Sensor Signature file template the sensor will be using to monitor the network. It is not uncommon to have a different Sensor Signature file template for each sensor. Some signatures may be disabled or tuned differently depending on where the sensor is installed on the network.

The Packet Capture device is the interface that is doing the sniffing. Refer to Chapter 3 for help with the different interfaces on a sensor.

Enabling IP Fragment Reassembly causes your sensor to reassemble a fragmented IP packet first, then compare that packet with a signature. This can be a resource hog depending on your network traffic patterns. Unless you are very familiar with the traffic patterns on your network, do not modify the default settings.

The Blocking Tab

Configuring blocking by the sensor on a network can be a difficult topic. Your networking team may not support your efforts to enable blocking, because the sensor will automatically log in to a device and modify the configuration for a period of time when suspicious activity is detected. Some security policies make this a forbidden practice, and not all sensor models support this feature. At present, only the 4200 series sensors support this configuration option. The Catalyst 6000 IDSM-1 module does not support blocking, but the new IDSM-2 module does.

1. Click the Blocking tab on the sensor you are configuring for blocking. Within that tab are three subtabs:

* Never Block Addresses
* Blocking Devices
* Master Blocking Sensor

There are also two fields, Block Duration and Cisco ACL Number (see Figure 4.21). You will add any addresses that will not be blocked to the list.

Figure 4.21: The Blocking Tab

The Never Block Addresses tab lets you specify IP addresses that should never be blocked. This is an important thing to consider when you do business online. If you have clients and customers with trusted business relationships, you may want to enter all of those addresses in this tab. This will prevent them from being blocked by a false positive.

Note

Hackers can spoof the IP addresses of clients, customers, and business partners and trigger alarms that prompt the sensor to block traffic. This can cause a denial of service to your resources.

2. Select the Blocking Devices tab. Here you define the parameters the sensor will use to access a device and modify an ACL. The information needed is:

* The Telnet IP address
* The Telnet username
* The Telnet password
* The enable password
* The blocking interface

3. You can tell from the list of required information why the network personnel may be reluctant to support this feature. Click Add. See Figure 4.22. Add the information from the previous list. Repeat as needed. Click OK to continue.

Figure 4.22: Blocking Device Properties

4. Specify the length of time the blocking will last, in minutes, in the Block Duration field. Also, specify the ACL number that will be modified. Without getting into the different types of ACLs, I will simply list them. Refer to Cisco.com for more information regarding ACLs.

* Number 1–99: The IP Standard access list
* Number 100–199: The IP Extended access list
* Number 1300–1999: The IP Standard access list, Expanded range
* Number 2000–2699: The IP Extended access list, Expanded range

Remember that when the block duration has ended, the sensor will log back in to the device and remove the configuration used to block.

5. Access the Master Blocking Sensor tab. Select the sensor name that will act as the Master, then click OK.

Note

A Master Blocking Sensor needs to be defined if you have multiple entry points into your network. If a sensor blocks traffic at a certain entry point router, that sensor tells the Master Blocking Sensor to also block at the other entry point(s).
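The following is an added example that models the blocking behaviour described above: the never-block list wins over any block request (which is the control against the spoofed-trigger denial of service mentioned in the note), a block expires after the Block Duration, the ACL number is classified using the four numbered ranges listed, and a sensor reports its block to the Master Blocking Sensor, which repeats it at the other entry points. This is not CSPM or sensor code; the class layout, the minute-based clock, the site built by `build_site()`, and the rendered IOS-style ACL text are this example's own constructions.

```python
"""Model of the sensor-side blocking behaviour described for the Blocking tab:
never-block addresses, block duration, the numbered ACL ranges, and the
master blocking sensor fan-out. Added example, not CSPM or sensor code; the
class layout, the minute-based clock and the rendered ACL text are this
example's own."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def acl_type(number: int) -> str:
    """Classify a numbered IOS IP ACL using the ranges listed on the page."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a numbered IP access list")


@dataclass
class BlockingSensor:
    name: str
    acl_number: int
    block_duration: int                                     # minutes (Block Duration field)
    never_block: List[str] = field(default_factory=list)    # hosts or CIDR blocks
    master: Optional["BlockingSensor"] = None               # the Master Blocking Sensor
    managed: List["BlockingSensor"] = field(default_factory=list)  # sensors a master drives
    active: Dict[str, int] = field(default_factory=dict)    # blocked ip -> expiry minute

    def never(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.never_block)

    def block(self, ip: str, now: int, from_master: bool = False) -> bool:
        """Block ip for block_duration minutes; never-block entries win, which is
        the control against a spoofed trigger locking out a trusted partner."""
        if self.never(ip):
            return False
        self.active[ip] = now + self.block_duration
        # The sensor reports the block to its master, which repeats it at the other entry points.
        if self.master is not None and not from_master:
            self.master.propagate(ip, now)
        return True

    def propagate(self, ip: str, now: int) -> None:
        for sensor in self.managed:
            sensor.block(ip, now, from_master=True)

    def expire(self, now: int) -> List[str]:
        """Remove blocks whose duration has ended, as the sensor does when it logs
        back in to the device; returns the addresses released."""
        done = sorted(ip for ip, until in self.active.items() if until <= now)
        for ip in done:
            del self.active[ip]
        return done

    def acl_lines(self) -> List[str]:
        """Render the entries the sensor would write (IOS-style text, constructed here)."""
        kind = acl_type(self.acl_number)
        lines = []
        for ip in sorted(self.active):
            entry = f"deny {ip}" if kind == "standard" else f"deny ip host {ip} any"
            lines.append(f"access-list {self.acl_number} {entry}")
        lines.append(f"access-list {self.acl_number} permit "
                     + ("any" if kind == "standard" else "ip any any"))
        return lines


def build_site():
    """Constructed two-entry-point site: both edge sensors report to one master."""
    master = BlockingSensor("master", 101, 30)
    edge_a = BlockingSensor("edge-a", 101, 30, never_block=["10.1.0.0/16", "198.51.100.20"])
    edge_b = BlockingSensor("edge-b", 101, 30, never_block=["198.51.100.20"])
    master.managed = [edge_a, edge_b]
    edge_a.master = master
    edge_b.master = master
    return master, edge_a, edge_b
```

Calling `edge_a.block("203.0.113.9", 0)` on the constructed site places the block on both edge sensors through the master, while a request against the trusted address `198.51.100.20` is refused on either edge; `expire(30)` then releases the block once the 30-minute duration has passed.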

The Filtering Tab

The Filtering tab helps you reduce the size of your database by filtering out certain signatures from hosts that you have determined to be false positives. There are three ways to filter alarms: minimum event level, simple filtering, and advanced filtering. To configure filtering, see the following sections.

Minimum Event Level

The Minimum Event Level drop-down menu allows you to choose the minimum severity level of alarms that will be sent to the management console. This helps with log reduction in that you can select Medium or High and not have to worry about sorting through low-level alarms.

1. Click the Filter tab on the sensor you are configuring.

2. The main screen shows the Minimum Event Level field at the top. Select the minimum level of alarms that will be sent to the CSPM console (see Figure 4.23).

Figure 4.23: Minimum Event Level Filtering

Note

You may not be interested in low severity alarms and only want Medium severity and above. This keeps you from having to sort through large amounts of minor alarms. This is a huge log reducer.

3. Save and Update your CSPM configuration.

4. Download the new sensor configuration to the target sensor.

Simple Filtering

Simple Filtering takes log reduction further than simply not receiving lower-level alarms that might not interest you. With Simple Filtering, you can actually filter out signatures that you consider benign on your network to or from specific addresses. This helps reduce your logs even further, thus allowing you to spend more time on the important alarms. Follow these steps to configure Simple Filtering:

1. Click the Filter tab on the sensor you are configuring.

2. On the Simple Filtering subtab, click Add.

3. Select the Signature ID, any subsignatures, the IP address to exclude, and the address role. The address role tells the sensor whether the IP address is the source or the destination address for the signature, or both (see Figure 4.24).

Figure 4.24: Simple Filtering

4. Once you have completed the information, click the OK button.

5. Save and update your CSPM configuration.

6. Download the new sensor configuration to the target sensor.

Advanced Filtering

Advanced Filtering goes even further to reduce your logs and help you focus on what is important. The difference in the Advanced Filtering tab is that, instead of just excluding signatures and associated subsignatures from a network or specific host, you can include and exclude the same to and from hosts. Certain hosts may generate an alarm based on a signature, but analysis may show that this is normal traffic for the host. Conversely, you may have configured the signature to be excluded in the Simple Filter tab and want to include or monitor a specific host or network based on the signature. Follow these steps to configure Advanced Filtering:

1. Click the Filter tab on the sensor you are configuring.

2. Click the Advanced Filtering sub-tab and click Add. This is similar to the Simple Filtering tab, with some added functionality.

3. Select the Signature ID and any subsignatures.

4. For IP addresses, you can specify single, multiple, or ranges of IP addresses for the source and destination. It is perfect for those noisy signatures that generate tons of alarms in your Event Viewer (see Figure 4.25).

Figure 4.25: Advanced Filtering

5. Once you have entered all of the required information, click OK.

6. Save and update your CSPM configuration.

7. Push the sensor configuration to the sensor.
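The following is an added example, not CSPM or sensor code, that models the three filtering stages described in this section (minimum event level, simple filtering, advanced filtering) and also the IN/OUT labelling from the Internal Networks tab earlier, so that the surviving alarms come out tagged the way the Event Viewer parses them. The record layout, the `SimpleFilter` and `AdvancedFilter` classes, the dash notation for an address range, and the sample alarms are this example's own constructions; two points the page leaves open are taken as assumptions and marked as such in the code: an address role of "both" matches the address on either side, and an advanced "include" overrides any exclude.

```python
"""Alarm filtering as described for the Filtering tab (minimum event level,
simple filtering, advanced filtering), plus the IN/OUT labelling from the
Internal Networks tab. Added example modelling the page's rules; not CSPM or
sensor code. Record layout, filter classes and the dash-range notation are
this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Alarm:
    sig_id: int
    sub_sig: int
    src: str
    dst: str
    level: str

def ip_in(ip: str, spec: str) -> bool:
    """spec: single address, CIDR block, or dash range 'a-b' (example's notation)."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def ip_in_any(ip: str, specs: Sequence[str]) -> bool:
    return any(ip_in(ip, s) for s in specs)

def direction(alarm: Alarm, internal: Sequence[str]) -> str:
    """Label each side IN (inside a configured internal network) or OUT."""
    tag = lambda ip: "IN" if ip_in_any(ip, internal) else "OUT"
    return f"{tag(alarm.src)}->{tag(alarm.dst)}"

def sig_match(f, a: Alarm) -> bool:
    return a.sig_id == f.sig_id and (f.sub_sig is None or a.sub_sig == f.sub_sig)

@dataclass(frozen=True)
class SimpleFilter:
    """Exclude a signature (optionally one subsignature) for one address in a
    role. Assumption: role 'both' means the address may be on either side."""
    sig_id: int
    sub_sig: Optional[int]
    address: str
    role: str  # "source", "destination" or "both"

    def matches(self, a: Alarm) -> bool:
        src_hit, dst_hit = ip_in(a.src, self.address), ip_in(a.dst, self.address)
        hit = {"source": src_hit, "destination": dst_hit, "both": src_hit or dst_hit}
        return sig_match(self, a) and hit[self.role]

@dataclass(frozen=True)
class AdvancedFilter:
    """Include or exclude a signature for source/destination address specs;
    an empty spec tuple matches any address."""
    sig_id: int
    sub_sig: Optional[int]
    src: Tuple[str, ...]
    dst: Tuple[str, ...]
    action: str  # "include" or "exclude"

    def matches(self, a: Alarm) -> bool:
        return (sig_match(self, a)
                and (not self.src or ip_in_any(a.src, self.src))
                and (not self.dst or ip_in_any(a.dst, self.dst)))

def apply_filters(alarms, min_level, simple, advanced, internal):
    """Return (alarm, direction) pairs surviving all three stages. Assumption:
    an advanced 'include' overrides any exclude, which is how the page
    describes re-including a host that a simple filter would otherwise drop."""
    kept = []
    for a in alarms:
        if LEVELS[a.level] < LEVELS[min_level]:
            continue  # Minimum Event Level gate
        included = any(f.matches(a) for f in advanced if f.action == "include")
        excluded = (any(f.matches(a) for f in simple)
                    or any(f.matches(a) for f in advanced if f.action == "exclude"))
        if excluded and not included:
            continue
        kept.append((a, direction(a, internal)))
    return kept

# Constructed sample: one protected network and five alarms.
INTERNAL = ["10.1.0.0/16"]
SAMPLE_ALARMS = [
    Alarm(3030, 0, "203.0.113.5", "10.1.1.10", "high"),    # external source: kept
    Alarm(2004, 0, "10.1.1.20", "10.1.1.1", "low"),        # below minimum level
    Alarm(3030, 0, "10.1.5.5", "10.1.1.10", "high"),       # internal scanner: simple exclude
    Alarm(3030, 0, "10.1.5.9", "10.1.1.10", "high"),       # re-included by advanced filter
    Alarm(5100, 2, "198.51.100.7", "10.1.2.2", "medium"),  # dropped by advanced exclude
]
SIMPLE = [SimpleFilter(3030, None, "10.1.5.0/24", "source")]
ADVANCED = [
    AdvancedFilter(3030, None, ("10.1.5.8-10.1.5.15",), (), "include"),
    AdvancedFilter(5100, 2, (), ("10.1.2.2",), "exclude"),
]

def example():
    """Run the sample through the pipeline; returns [(sig_id, src, direction)]."""
    return [(a.sig_id, a.src, d)
            for a, d in apply_filters(SAMPLE_ALARMS, "medium", SIMPLE, ADVANCED, INTERNAL)]
```

With the minimum level set to Medium, only two of the five sample alarms reach the console: the one from the external source (labelled OUT->IN) and the one from 10.1.5.9, which the simple filter on 10.1.5.0/24 would have dropped but the advanced include on the 10.1.5.8-10.1.5.15 range brings back (labelled IN->IN).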

The Logging Tab

By enabling logging on your sensors, you are creating log files for future use. It may be required in your industry to maintain logs for a period of time. By enabling logging, you can have the sensor do the work for you by creating the log and then FTPing it to a location for safekeeping (see Figure 4.26). To enable logging, follow these steps:

Figure 4.26: Logging

1. Select the Logging tab on the sensor you are configuring.

2. Select Generate audit event log files.

3. Either have the log file saved to the sensor or have it FTP'd to another location. Although not mandatory for logging, you may have a requirement to archive the log files. In this same window, you can point the sensor to an FTP server and have the logs saved off to a logging server for archival and backup purposes. Click OK.

4. Save and update your CSPM configuration.

5. Download the new sensor configuration to the target sensor.

The Advanced Tab

The Advanced tab allows you to configure additional PostOffice features such as Watchdog Properties and Additional Destinations. Watchdog queries the PostOffice services running on the local host and the sensors. If Watchdog detects that a service is not running, the parameters defined here tell the sensor how to treat the situation and how it is reported (see Figure 4.27). To specify additional destinations that the sensor will forward alarms to, use the Additional Destinations subtab (see Figure 4.28).

Figure 4.27: Advanced PostOffice Settings

Figure 4.28: Additional Destinations

PostOffice Settings (Watchdog)

To configure the additional PostOffice settings (Watchdog), follow these steps:

1. Select the Advanced tab on the sensor you are configuring.

2. In the Watchdog Interval field, enter the number of seconds between each query Watchdog will make on the services to see if they are running.

3. In the Number of Restarts field, enter the number of restart attempts PostOffice makes for downed services. If PostOffice cannot start the service in the number of attempts specified, a Daemon Unstartable alarm is fired. The default is three attempts.

4. In the Watchdog Timeout field, specify the number of seconds Watchdog will wait for a response to a query. If Watchdog does not receive a response in the allotted time, a Daemon Down alarm is fired. The default is 240 seconds.

5. In the PostOffice Heartbeat Interval field, specify the number of seconds that PostOffice should wait after querying remote PostOffices. If the query does not generate a response, a Route Down alarm is fired. The default is five seconds.

6. To the right are the Daemon Down Alarm Level field and the Daemon Unstartable Alarm Level field. Select the level of the alarm that will be sent to the console: High, Medium, or Low. The default for both fields is High.

7. Save and update your CSPM configuration.

8. Push the sensor configuration to the sensor by clicking the Approve Now button on the Command tab for the sensor.
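The following is an added example, not CSPM or sensor code, that models how the Watchdog settings from steps 2 to 6 interact: a query that is not answered within the Watchdog Timeout raises Daemon Down, PostOffice then tries to restart the service up to Number of Restarts times and raises Daemon Unstartable if that fails, and a remote PostOffice that does not answer within the Heartbeat Interval raises Route Down. The defaults in `WatchdogConfig` are the ones the page states (three restarts, 240 seconds, five seconds, High); the Watchdog Interval default of 30 seconds, the Route Down alarm level, the ordering "timeout first, then restarts", and the service names in the sample are this example's assumptions.

```python
"""Model of the Watchdog behaviour configured on the Advanced tab: query
interval, restart attempts (Daemon Unstartable), query timeout (Daemon Down)
and the PostOffice heartbeat to remote PostOffices (Route Down). Added
example, not CSPM or sensor code; see the comments for which values are
page defaults and which are this example's assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class WatchdogConfig:
    interval: int = 30                      # Watchdog Interval, seconds (page gives no default; assumed)
    restarts: int = 3                       # Number of Restarts (page default: three)
    timeout: int = 240                      # Watchdog Timeout, seconds (page default: 240)
    heartbeat: int = 5                      # PostOffice Heartbeat Interval, seconds (page default: five)
    daemon_down_level: str = "High"         # Daemon Down Alarm Level (page default: High)
    daemon_unstartable_level: str = "High"  # Daemon Unstartable Alarm Level (page default: High)


@dataclass(frozen=True)
class WatchdogAlarm:
    name: str
    level: str
    target: str


def check_local_service(cfg: WatchdogConfig, service: str, reply_after: Optional[int],
                        restarter: Callable[[int], bool]) -> List[WatchdogAlarm]:
    """One Watchdog cycle for a local PostOffice service.
    reply_after: seconds until the service answered, or None for no reply.
    restarter(attempt) -> bool stands in for PostOffice trying to start it."""
    alarms = []
    if reply_after is not None and reply_after <= cfg.timeout:
        return alarms                                   # answered in time: healthy
    alarms.append(WatchdogAlarm("Daemon Down", cfg.daemon_down_level, service))
    for attempt in range(1, cfg.restarts + 1):
        if restarter(attempt):
            return alarms                               # restarted within the allowed attempts
    alarms.append(WatchdogAlarm("Daemon Unstartable", cfg.daemon_unstartable_level, service))
    return alarms


def check_remote_route(cfg: WatchdogConfig, host: str, reply_after: Optional[int]):
    """Heartbeat to a remote PostOffice: no reply within the interval means Route Down."""
    if reply_after is None or reply_after > cfg.heartbeat:
        return WatchdogAlarm("Route Down", "High", host)  # level assumed; the page does not state it
    return None


def query_schedule(cfg: WatchdogConfig, start: int, count: int) -> List[int]:
    """Times at which Watchdog queries fire, every cfg.interval seconds from start."""
    return [start + i * cfg.interval for i in range(count)]


def run_cycle(cfg: WatchdogConfig, local_replies: Dict[str, Optional[int]],
              restart_ok: Dict[str, Optional[int]], remote_replies: Dict[str, Optional[int]]):
    """Run one cycle over several services and hosts; returns 'alarm:target' strings.
    restart_ok maps a service to the attempt at which a restart succeeds (None: never)."""
    raised: List[WatchdogAlarm] = []
    for service, reply in local_replies.items():
        ok_at = restart_ok.get(service)
        raised += check_local_service(
            cfg, service, reply,
            lambda attempt, ok_at=ok_at: ok_at is not None and attempt >= ok_at)
    for host, reply in remote_replies.items():
        alarm = check_remote_route(cfg, host, reply)
        if alarm is not None:
            raised.append(alarm)
    return [f"{a.name}:{a.target}" for a in raised]


# Constructed sample: three local services and two remote PostOffices (names invented).
SAMPLE_LOCAL = {"sensor-svc": 3, "logger-svc": None, "manage-svc": 300}
SAMPLE_RESTART_OK = {"logger-svc": 2, "manage-svc": None}
SAMPLE_REMOTE = {"cspm-host": 1, "sensor-2": 9}


def example() -> List[str]:
    return run_cycle(WatchdogConfig(), SAMPLE_LOCAL, SAMPLE_RESTART_OK, SAMPLE_REMOTE)
```

In the constructed sample, sensor-svc answers in time and raises nothing; logger-svc never answers, so Daemon Down is raised and the second restart attempt succeeds; manage-svc answers after 300 seconds, beyond the 240-second timeout, and all three restarts fail, so both Daemon Down and Daemon Unstartable are raised; and sensor-2 answers the heartbeat after nine seconds, beyond the five-second interval, so Route Down is raised for it.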

Additional Destinations

To configure the additional destinations, follow these steps:

1. On the Advanced tab, select the Additional Destinations subtab.

2. Click Add.

3. Enter the sensor name, organization name, organization ID, sensor ID, service name, minimum event level, IP address, heartbeat timeout, and port.

4. Click OK.

5. Save and update your CSPM configuration.

6. Push the sensor configuration to the sensor.

The Command Tab

The Command tab allows you to update your sensors with modified configuration files (see Figure 4.29). The Approve Now button at the bottom of the screen starts the update process. The Approve Now button is enabled when configuration files are ready to be sent to the sensors. If no changes are available, the button is grayed out.

Figure 4.29: The Command Tab

In the Command Review/Edit pane, you can view Pending Command, Current Configuration, Distribution Status, Generation Status, Prologue, and Epilogue. Select the one you want to view the status of and press the Refresh button in the same pane.

Note

The sensor only uses two of the options: Pending Commands and Distribution Status.

The Poll button located in the upper-right corner of the Command tab checks the status of your sensor. The window above the Poll button shows the current status.

The Control Tab

On the Control tab, you can specify the Policy Distribution Point and the Associated Network Service. There are other options listed in this window, but the only ones that are available are these two. The Policy Distribution Point is the device sending updates to the policy. This is the CSPM server that generates and publishes command sets to the selected sensor(s). Remember, you can have multiple CSPM servers in your architecture, so it is important to make sure you select the correct one. Follow these steps to select the CSPM server that will generate and publish the commands for your selected sensor:

1. Once you have selected the sensor you want to specify a CSPM server for, click the Control tab in the View pane. The Control tab, as shown in Figure 4.30, appears.

Figure 4.30: The Control Tab

2. Click the drop-down menu to select the CSPM server you will use. Only CSPM servers that have already been defined in the network topology will be displayed.

3. Make sure the Associated Network Service is set to Cisco Post Office. This is the method by which communication occurs. We are using the PostOffice Protocol.

4. Click OK, then save and update the configuration.

Signature Updates

Chances are that your antecedent bureaucracy of CSPM and the sensor are action to be out-of-date. The signature files that appear with the CSPM software and the sensor itself will abide abaft the accepted signatures to some degree. Remember that one of the rules of acceptable arrangement aegis is to break accepted with patches and signatures, accordingly we charge to amend the sensor and CSPM to the latest level. In adjustment to amend the signatures, we charge to chase the accomplish listed here:

1.

Go out to Cisco.com and download the accepted signature files from the afterward Web site: www.cisco.com/cgi-bin/tablebuild.pl/ids3-app. This requires you to acquire a SMARTnet aliment arrangement cardinal and a Cisco Connection Online (CCO) annual to appeal software upgrades from CCO.

2.

Download the CSPM signature update file(s) you need.

3.

Back up your current CSPM topology and database. Export your topology by clicking File | Export to file. Back up the data directory from the CSPM install directory.

4.

Load the CSPM signature update. Unzip the signature update file to a local folder. Select Signature Update | Update Sensor from the wizards list.

5.

Check Load CSPM Sensor Signature Update file.

6.

Specify the path to the \\html directory from the update file you previously unzipped (see Figure 4.31) and select Next. You do not need to check the box for Generate Updated Signature Configuration Files For The Sensors On Finish unless you intend to update the sensors as well.


Figure 4.31: The Update Sensor/Signature Wizard

7.

After the process is complete, save your changes by choosing File | Save changes.

8.

Exit CSPM and reboot the system.

9.

When the system finishes rebooting, start CSPM and log in.

Configuring IPSec

IP Security (IPSec) provides security services such as confidentiality, integrity, and authentication through a protocol suite layered onto IP. CSPM can be used to create encrypted tunnels between devices that support IPSec. IPSec tunnels enable secure peer-to-peer transmission of data over a public, untrusted IP network. In this book it is used for communication between CSPM and the sensors. It cannot be used between the sensors and blocking devices. Refer to the IPSec Tunnel Implementation, v2.0, which can be found at the following address: www.cisco.com/en/US/products/sw/secursw/ps2133/products_user_guide_book09186a008010703e.html

Before you can configure the IPSec tunnels, the Cisco Secure VPN Client must be installed on the CSPM server. Sensors that will be managed by CSPM over IPSec tunnels must be running IDS software version 2.5(1)S0 or later. The CSPM server and all sensors must be defined in the topology. The following steps walk you through configuring IPSec:

1.

Verify that the sensor(s) support IPSec and select the appropriate IPSec tunnel template. Use a manual template for CSPM server-to-sensor tunnels; IKE is not supported by the sensors. Do this for all of the sensors. The IPSec Tunnel Groups branch of the Network Policy tree will be populated with an IPSec tunnel group, which consists of the CSPM server and the sensors that will communicate through the IPSec tunnel.

2.

Next, you need to configure manual keys for each of the sensors and for the CSPM server. You must specify a key for each protocol/stage/transform present for each sensor and for the CSPM server in the IPSec tunnel group.

3.

Generate the command sets. This happens when you save and update the configuration in CSPM. The default for publishing command sets is manual; you can set CSPM to publish the command set automatically when you save and update.

Warning

You have to disable the automatic update setting while configuring the IPSec tunnel. If you do not disable it, CSPM will attempt to publish the configuration data to the sensor through the IPSec tunnel before the tunnel configuration is complete on both the CSPM end and the sensor end, generating a publishing error.

4.

Two things can happen here. If the Cisco Secure VPN Client was not running during the IPSec tunnel configuration, you have to start it. If the VPN Client was already running, no further action is required, but the new tunnel will not be displayed even though it is functioning. In that case, stop and then restart the VPN Client so that the tunnel is displayed.

5.

Next, bootstrap the sensor(s) that will be communicating through the IPSec tunnel. Run through the bootstrapping process and select option 9, Secure Communications, to configure the sensor for IPSec. Once the sensor is configured for IPSec, it can send data to CSPM and receive signature updates.

6.

After the sensor has been bootstrapped and rebooted, you can publish the command sets to the sensor from CSPM.
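Because the sensors do not support IKE, every key in a CSPM-to-sensor tunnel group is typed in by hand on both ends and never rotates on its own, and the warning above describes exactly what goes wrong when a publish fires before both ends are complete. The script below is an added example, not CSPM's own code or a Cisco tool: it plans one key per direction for every transform in a tunnel group, verifies that both ends of each tunnel hold matching keys of the correct length, and gates the publish on that check. The transform labels, the group and peer names, and the idea of a "ready to publish" gate are assumptions for the illustration; the key sizes are the standard ones for DES, 3DES, HMAC-MD5 and HMAC-SHA-1.

```python
"""Plan and verify manual IPSec keys for a CSPM-to-sensor tunnel group.

Added example, not CSPM code. Peer names and transform labels are assumed;
key lengths are the standard sizes for the underlying algorithms.
"""
import secrets

# Key length in bytes per transform (assumed labels, standard algorithm sizes).
KEY_LEN = {
    "esp-des": 8,         # DES: 8 bytes (56 effective bits)
    "esp-3des": 24,       # 3DES: three 8-byte keys
    "esp-md5-hmac": 16,   # HMAC-MD5 key
    "esp-sha-hmac": 20,   # HMAC-SHA-1 key
    "ah-md5-hmac": 16,
    "ah-sha-hmac": 20,
}


def plan_keys(cspm, sensors, transforms, rng=secrets.token_bytes):
    """Return {peer: {(remote, direction, transform): key}}.

    Each CSPM<->sensor pair gets a distinct random key per transform and per
    direction; the CSPM's "out" key toward a sensor is that sensor's "in" key.
    """
    plan = {cspm: {}}
    for s in sensors:
        plan[s] = {}
        for t in transforms:
            if t not in KEY_LEN:
                raise ValueError(f"unknown transform {t}")
            k_to_sensor = rng(KEY_LEN[t])   # CSPM -> sensor
            k_to_cspm = rng(KEY_LEN[t])     # sensor -> CSPM
            plan[cspm][(s, "out", t)] = k_to_sensor
            plan[cspm][(s, "in", t)] = k_to_cspm
            plan[s][(cspm, "in", t)] = k_to_sensor
            plan[s][(cspm, "out", t)] = k_to_cspm
    return plan


def missing_keys(plan, cspm, sensors, transforms):
    """(peer, remote, direction, transform) entries that are not yet set."""
    gaps = []
    for s in sensors:
        for t in transforms:
            for d in ("out", "in"):
                if (s, d, t) not in plan.get(cspm, {}):
                    gaps.append((cspm, s, d, t))
            for d in ("in", "out"):
                if (cspm, d, t) not in plan.get(s, {}):
                    gaps.append((s, cspm, d, t))
    return gaps


def mismatches(plan, cspm, sensors, transforms):
    """Keys present on both ends that disagree, as (sensor, transform, cspm_dir).

    CSPM's "out" key toward a sensor must equal that sensor's "in" key and
    vice versa; a wrong-length key is reported as a mismatch too.
    """
    bad = []
    for s in sensors:
        for t in transforms:
            for cd, sd in (("out", "in"), ("in", "out")):
                a = plan.get(cspm, {}).get((s, cd, t))
                b = plan.get(s, {}).get((cspm, sd, t))
                if a is None or b is None:
                    continue  # reported by missing_keys
                if a != b or len(a) != KEY_LEN[t]:
                    bad.append((s, t, cd))
    return bad


def ready_to_publish(plan, cspm, sensors, transforms):
    """Gate for the command-set publish: only when nothing is missing or wrong."""
    return (not missing_keys(plan, cspm, sensors, transforms)
            and not mismatches(plan, cspm, sensors, transforms))


if __name__ == "__main__":
    group = plan_keys("cspm1", ["sensor1", "sensor2"], ["esp-3des", "esp-sha-hmac"])
    print("ready:", ready_to_publish(group, "cspm1", ["sensor1", "sensor2"],
                                     ["esp-3des", "esp-sha-hmac"]))
```

Keep the generated plan out of any shared log or ticket: with manual keying there is no rekey, so a leaked key stays valid until you type a new one into both CSPM and the sensor.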

Viewing Alarms

Now that you have your sensors and CSPM at the current signature update level, you might want to see what is going on as far as alarms. Cisco is pretty good about tuning some fairly obvious signatures and turning off old signatures that are superseded by newer ones. But chances are that alarms will abound with a new implementation. Alarms can run into the hundreds and thousands if they are not tuned correctly. So let's take a look at the CSPM Event Viewer and see what is going on.

1.

Select Tools | View Sensor Events | Database. You also have the option to choose Log Files instead of Database if you need to look at archived records (refer to Figure 4.32).


Figure 4.32: Event Viewer Database

2.

Choose CSIDS Alarms and click OK, as shown in Figure 4.33. Notice that you can select a particular time frame with a specific start and stop time and date, or have it be continuous.

Figure 4.33: View Database Events

Note

If you choose the continuous option, so that alarms are displayed as they are logged, the viewer may be hard to work with, depending on the volume of alarms being generated, because the Event Viewer refreshes continuously as alarms arrive.

When the Event Viewer opens, it may take a minute depending on how many records are in the database. The Event Viewer has a default limit of 100,000 records. If the database holds more than that, the viewer will display only the first 100,000. You can change this setting to increase the limit, but I would not recommend it. With proper tuning of the signatures and alarms, and regular archiving to reduce the logs to a manageable size, you should be able to stay under that number. The viewing screen should look like Figure 4.34 when it opens.


Figure 4.34: Event Viewer

Even right after the initial install process is completed, alarms are already being generated. Notice the color coding on the left. You can probably tell the severity of the different alarms from the colors: CSPM displays alarms in three categories, low (green), medium (yellow), and high (red). The columns are collapsed initially. To expand the alarms for the different signatures, you can either double-click the count or right-click the row you want to expand and select Expand | All Columns. Notice that for the signature Net sweep-echo there is a "+" symbol in the source address column. That tells you there are multiple source addresses for that signature. The expanded view should look like Figure 4.35. Also notice that the other alarms are informational to the administrator and are not associated with intrusion detection signatures. Those can be turned off in the configuration.


Figure 4.35: Event Viewer Expanded View

Other viewing options include expanding a single column, collapsing one or all columns, moving and deleting columns, selecting which columns are displayed, and setting event expansion boundaries.
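To make the collapsed and expanded views concrete, here is an added example (not CSPM or Event Viewer code) that runs the same logic over a handful of constructed alarm records: a time window or a continuous open-ended view, the 100,000-record cap, a collapsed row per signature with a count and a "+" in the source column when more than one source address is present, and the low/medium/high coloring. The record layout is a simplified, constructed CSV, not the CSPM database schema; the mapping of sensor alarm levels 1-2 to low, 3 to medium and 4-5 to high is an assumption for the illustration, as are the sample signature IDs and addresses.

```python
"""Collapsed/expanded alarm view over constructed CSIDS-style records.

Added example, not CSPM code. Record format (constructed):
time,sensor,sig_id,sig_name,level,src,dst
Severity mapping (assumed): level 1-2 low/green, 3 medium/yellow, 4-5 high/red.
"""
from collections import OrderedDict
from datetime import datetime

# Constructed sample alarms, not captured from a real sensor.
SAMPLE = """\
2003-03-04 09:12:01,sensor1,2100,ICMP Network Sweep w/Echo,2,10.1.1.5,10.1.2.0
2003-03-04 09:12:02,sensor1,2100,ICMP Network Sweep w/Echo,2,10.1.1.9,10.1.2.0
2003-03-04 09:12:03,sensor1,2100,ICMP Network Sweep w/Echo,2,10.1.1.5,10.1.2.0
2003-03-04 09:13:10,sensor1,3030,TCP SYN Host Sweep,3,10.1.1.7,10.1.2.44
2003-03-04 09:15:00,sensor2,3250,TCP Hijack,5,192.0.2.10,10.1.2.44
2003-03-04 09:16:30,sensor1,993,Missed Packet Count,1,0.0.0.0,0.0.0.0
"""

VIEWER_LIMIT = 100_000  # default Event Viewer record cap described in the text


def parse(text):
    """Turn the CSV records into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, sid, name, level, src, dst = line.split(",")
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sensor": sensor, "sig_id": int(sid), "sig_name": name,
            "level": int(level), "src": src, "dst": dst,
        })
    return rows


def severity(level):
    """Map a sensor alarm level to the viewer's three color categories."""
    if level >= 4:
        return "high"      # red
    if level == 3:
        return "medium"    # yellow
    return "low"           # green


def select(rows, start=None, stop=None, limit=VIEWER_LIMIT):
    """Apply the start/stop window (None on both ends = continuous) and the
    viewer's record cap: only the first `limit` matching records are kept."""
    picked = [r for r in rows
              if (start is None or r["time"] >= start)
              and (stop is None or r["time"] <= stop)]
    return picked[:limit]


def collapsed(rows):
    """One row per signature: count, worst severity, and the source address
    column, which shows "+" when more than one source address fired it."""
    groups = OrderedDict()
    for r in rows:
        g = groups.setdefault((r["sig_id"], r["sig_name"]),
                              {"count": 0, "sources": set(), "level": 0})
        g["count"] += 1
        g["sources"].add(r["src"])
        g["level"] = max(g["level"], r["level"])
    view = []
    for (sid, name), g in groups.items():
        src = "+" if len(g["sources"]) > 1 else next(iter(g["sources"]))
        view.append({"sig_id": sid, "sig_name": name, "count": g["count"],
                     "severity": severity(g["level"]), "src": src})
    return view


def expand(rows, sig_id):
    """The individual alarms behind one collapsed signature row."""
    return [r for r in rows if r["sig_id"] == sig_id]


def tuning_candidates(rows, noise_threshold=3):
    """Signatures worth a tuning pass: informational (level 1) alarms and any
    signature whose count reaches the threshold."""
    return [v["sig_id"] for v in collapsed(rows)
            if v["count"] >= noise_threshold
            or max(r["level"] for r in expand(rows, v["sig_id"])) <= 1]


if __name__ == "__main__":
    rows = select(parse(SAMPLE))
    for v in collapsed(rows):
        print(f'{v["severity"]:6} {v["count"]:5} {v["sig_id"]:5} {v["src"]:12} {v["sig_name"]}')
```

The viewer's cap is the reason the text recommends tuning and archiving rather than raising the limit: past the cap, `select` silently drops the newest records, which is exactly the portion of the data an analyst most needs during an incident.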