Using the IDS Device Manager
If you need to get up and running fast, Cisco's Web-based Intrusion Detection Device Manager, IDM, is the way to go. IDM is by far the easiest of the three IDS Managers to implement. The Web server process runs on the IDS sensor. This is a clue that each IDS sensor is managed independently from one another. You will need to open a web browser for each IDS sensor that you are managing. There is a tool, IDS Event Viewer, you can download from your IDS sensor that allows you to look at more than one sensor's logs from a single graphical interface.
IDM is compatible with the following browsers:
-
Netscape (version 4.79 or later)
-
Internet Explorer (version 5.5 Service Pack 2 or later)
The browsers can run on an array of operating systems, including:
-
Windows NT 4.0 Service Pack 6
-
Windows 2000 Professional and Server
-
Solaris SPARC version 2.7
-
Note IDM is not supported on IDS Sensor software prior to version 3.0 and is supported through version 4.0. If you are running IDS Sensor software version 2.2.1 you need to download and install the upgrade image from Cisco.com.
How to Configure IDS Device Manager
When you are bootstrapping the IDS sensor using the sysconfig-sensor command, option 6 Communications Infrastructure allows a shortcut. Remember the settings in Figure 3.9? If you are using IDM, you have the option of bypassing all the IDS Manager Host information shown earlier. You'll get a message after you set the Sensor IP Address, as seen in Figure 4.36.
If you do not have a separate Intrusion Detection Device Manager such as the CSPM or Director solutions implemented, you can stop here and select y to let the sensor know you will be using IDM, the Web-based Intrusion Detection Device Manager. When the configuration is written, the cidwebserver is set to start up on boot.
Logging In
Once you have bootstrapped your sensor, you can log in to IDM. To do this, point your browser towards the sensor by simply typing the IP address in the Address bar in the browser using SSL https:ip address. SSL is activated by default. No configuration is required to utilize SSL. The first thing you see is a security alert for the security certificate, as shown in Figure 4.37.
It may sound trivial but best practices say you should always verify certificates. It is wise to view the certificate and make sure you are in fact getting the certificate from your sensor and not from somewhere/someone else.
Verifying the Certificate
IDS version 3.1 contains the Web server that runs the IDS Device Manager. Connecting to the IDS Device Manager is done via an encryption protocol called Transaction Layer Security (TLS). To access the IDS Device Manager, you have to enter the URL that starts with https://ipaddress. The Web browser serves the IDS Device Manager up by using TLS or SSL to negotiate a session with the host. The IDS Device Manager is enabled by default to use TLS/SSL. It can be disabled from IDS Device Manager by selecting Device | Sensor Setup | Network.
The server sends its certificate to the client. The client browser is shipped with a set of trusted Certificate Authority (CA) certificates. The certificate must be validated against the list of CAs, and its URL host name compared with the subject common name.
Follow these steps to verify the certificate:
-
With your browser, enter the sensor IP address and connect to IDM: https://ip address.
-
You get the Security Alert for the certificate.
-
Select View Certificate.
-
The certificate information is shown.
-
Select the Details tab.
-
Locate Thumbprint and select it.
-
You will see the thumbprint in the corresponding field.
-
Leaving the screen open, connect to your sensor with a console port, SSH, or Telnet.
-
Log in as root.
-
Enter the following command: # fingerprint[/usr/nr/idsRoot/etc/cert/mytestca.cer]
-
The MD5 fingerprint is displayed.
-
Compare the SHA-1 fingerprint with the value displayed in the open Certificate thumbprint text field. If the fingerprints match, you have validated your certificates' authenticity. If they do not match, you need to find out why.
-
Select the General tab.
-
Select Install Certificate. The Certificate Import Wizard dialog box appears.
-
Select Next. The Certificate Store dialog box appears.
-
Select the location for your certificates.
-
Select OK to close the Certificate Store dialog box.
-
Select Yes to open the IDS Device Manager.
Once you have validated and installed the certificate, the next dialog box prompts you to log in as shown in Figure 4.38. In order to properly configure and manage your IDS sensors, use netrangr.
Never save the password in the password list. You do not want an unauthorized user gaining access to your IDS sensor management console and modifying any of the settings. With access to the management console, an unauthorized user can make whatever changes to the configuration he wants, potentially disabling the sensors or reconfiguring the sensor so no alarms are issued during their attack. The IDS Device Manager console is shown in Figure 4.39.