Configuring CSPM

Nov 24,2008 by admin


Now we are going to go through the configuration process for CSPM. The sensors need to be added to the topology in CSPM before you can start managing them. Before that happens, networks need to be defined and your CSPM host needs to be defined as well. One thing that needs to be addressed up front is that the postoffice configuration settings (HOSTID, ORGID, HOSTNAME, and ORGNAME) are correct and that communication has been established between the sensors and the management device. If the sensor is on the outside of a firewall, rules need to be put in place for postoffice communication to occur.

Once you log on to the CSPM, you will be greeted by the Getting Started pop-up window. The Getting Started window allows you to view different video tutorials that walk you through different procedures you will encounter while using CSPM. If you are a first-time user, it would be wise to take a moment and go through these videos. See Figure 4.8.

Figure 4.8: Getting Started

Note 

The newest CSPM (3.1) does not support IDS sensors. For more details, see www.cisco.com/en/US/products/sw/secursw/ps2133/prod_software_versions_home.html.

CSPM v2.3.3i is the last version of CSPM that supports Cisco's IDS.

The first thing you need to do in configuring a topology in CSPM is to define the network upon which the control interface of the sensor will reside, and the network where the CSPM host will reside. If you do not have a command and control network, they may possibly be on the same subnet, hence only one network will need to be defined in the topology. So follow these steps to define a network for CSPM.

Adding a Network

Adding a network is the first step in defining a topology in CSPM. Without it, you will not be able to add any hosts. This is a logical map and does not necessarily need to be totally accurate, but it does need to be done.

  1. Right-click the Internet icon in the topology map and select New | Network to create a new network. (Refer to Figure 4.9.)

    Figure 4.9: Adding a Network

  2. In the Network screen, add the name of the network, the network address, and the subnet mask that will be used. Notice in Figure 4.10, the name of the network can be whatever you want it to be. I recommend you name it something that makes sense to your organization (for instance, out-of-band network, command network, and so on). You have the option of simply identifying a network here without supplying any of the addressing by checking the Unnumbered box at the bottom of the window.

    Figure 4.10: Network Parameters

  3. Click the IP Address button or right-click the interface icon, select New then IP Address, as shown in Figure 4.11 and enter the IP address that the network will use to access the Internet. This should be your network's Default Gateway. Then click OK.

    Figure 4.11: Interface IP Address


    Note 

    Since you already defined these IP addresses on the sensor, they do not have to be correct on the topology map; the network will still be added. The topology map is more or less eye candy that shows you where the components of your IDS infrastructure are located.

You have now defined your network. Now you need to add the CSPM host onto that network. We show how to add a CSPM host to your newly defined network in the next section.

Adding a Host

In order to control a sensor with CSPM, you have to configure CSPM to communicate with the sensor. Configuration parameters are required to manage the sensor. These procedures take you through the specific settings that have to be configured before the sensors can be managed with CSPM. Think PostOffice Protocol while setting up communications between CSPM and the sensors. The postoffice settings will also allow for the distribution of audit event messages.

  1. Right-click the network icon you have just defined and select New | Host.

  2. The Cisco Secure Policy Manager dialog box (shown in Figure 4.12) should appear, stating that a network object has been detected in the Policy Database. The dialog box will also display the name of the device. If you do not get a screen similar to this, you are not on the correct network.


    Figure 4.12: Network Object Detection

  3. Click the Yes button to install the CSPM host into the topology map.

  4. To verify that the information for the CSPM host is correct, use the General screen, as shown in Figure 4.13. The SMTP Server will usually be your e-mail server. It should be defined as an object in your topology map as well. If there is more than one IP address for your CSPM host, add them here.

    Figure 4.13: The Host General Information Tab

  5. To configure the postoffice settings on the CSPM host, click the Policy Distribution tab shown in Figure 4.14. Each of the settings in the right pane has to be filled in correctly for CSPM to distribute policy changes. The Network Service field should be set to the PostOffice Protocol.

    Figure 4.14: Host Policy Distribution Tab

  6. Once you have entered and verified the settings, click OK. The CSPM host icon will show up in the topology map under the network defined earlier.


    Note 

    If you modify the postoffice settings, audit events will not be forwarded or received until you save and update the configuration. A sensor must also be defined in order for events to be generated.

Adding a Sensor

After you have added your CSPM host, you will need to define the sensors that you will manage with CSPM. The procedure to define the sensors is similar to adding a host to your topology map. You can either right-click your network icon, click New | Sensor (as shown in Figure 4.15), or right-click your network icon and then click Wizards | Add Sensor. Whichever method you choose, the results will be the same. The wizard just helps take some of the work out of it.

Figure 4.15: Add Sensor

Note 

If you have previously configured the sensor signatures, you will want to capture that configuration so you do not have to repeat the process. Use the wizard and check the box in the bottom-left corner of the first screen to capture that configuration.

The Identification tab for the sensor needs to be filled in for initial setup. You will enter the Sensor Name, Organization Name, choose the sensor version, verify the IP address, enter the host ID, and organization ID (refer to Figure 4.16). Do not worry about any of the other tabs at this moment. You just want to get the sensor added to your topology map.

Figure 4.16: Sensor Parameters

In Figure 4.17, you see all of the tree structure that has been populated to the left pane of the CSPM screen. Notice under Tools and Services | Sensor Signatures the Default icon. This is the default set of signatures created for your sensors. You may actually have one of these for each sensor, or use only one to push the signatures to all sensors on your network.

Figure 4.17: CSPM Tree Structure

Once you have added all of your sensors and your CSPM host, you can begin configuring and optimizing/tuning the sensors and the sensor signatures. The sensor must be set up to sniff traffic on the correct interface and to log the events. The following sections go through each of the configuration tabs on the sensor.

The Properties Tab

The Properties tab allows you to set a few specific parameters that help identify your sensor, define internal and external networks, and specify SYSLOG data streams, via three subtabs: Identification, Monitoring, and Internal Networks.

  1. Select the sensor you are going to configure in the topology map. The first tab is the Properties tab. The Identification tab should already be filled in correctly. Verify the information on this tab is correct. Pay close attention to the Sensor Version. Also, utilize the comments box to enter important information regarding the network segment that is being monitored by this sensor.

  2. To monitor SYSLOG data sources, select the Monitoring tab under the Properties tab (see Figure 4.18). The monitoring parameters allow you to add multiple SYSLOG data sources. Click Add and add the IP address and subnet mask for each data source. This is the interface from which an IOS router sends its SYSLOG traffic.

    Figure 4.18: The Monitoring Tab

  3. Select the Internal Networks tab (see Figure 4.19). In this section, you will define your Internal Protected networks that the sensor is protecting. CSPM uses this to parse the events in the Event Viewer. Any address space that is not identified in this section is considered an external address designated as "OUT." The internal addresses are designated as "IN."

    Figure 4.19: The Internal Networks Tab

  4. Click Add and add all of your internal address space that this sensor is protecting.

The Sensing Tab

The Sensing tab allows you to configure what signature configuration file the sensor is using, what Packet Capture Device (Interface) it's employing, and how to handle IP Fragment Reassembly.

  1. Click the Sensing tab on the sensor you are going to configure (see Figure 4.20).

    Figure 4.20: The Sensing Tab

  2. In the Active Configuration field, select the Sensor Signature file template the sensor will be using to monitor the network. It is not uncommon to have a different Sensor Signature file template for each sensor. Some signatures may be disabled or tuned differently depending on the positioning on the network.

The Packet Capture device is the interface that is doing the sniffing. Refer to Chapter 3 for help with the different interfaces on a sensor.

Enabling IP Fragment Reassembly causes your sensor to reassemble a fragmented IP packet first, then compare that packet with a signature. This can be a resource hog depending on your network traffic patterns. Unless you are very familiar with the traffic patterns on your network, do not modify the default settings.

The Blocking Tab

Configuring blocking by the sensor on a network can be a difficult topic. Your networking team may not support your efforts to enable blocking because the sensor will automatically log in to a device and modify the configuration for a period of time when suspicious activity is detected. Some security policies make this a prohibited practice and not all sensor models support this feature. At present, only the 4200 series sensors support this configuration option. The Catalyst 6000 IDSM-1 module does not support blocking but the new IDSM-2 module does.

  1. Click the Blocking tab on the sensor you are configuring for blocking. Within that tab are three subtabs: Never Block Address, Blocking Devices, and Master Blocking Sensor.

    There are also two fields, Block Duration and Cisco ACL Number (see Figure 4.21). Add any addresses that must not be blocked to the Never Block Address list.

    Figure 4.21: The Blocking Tab

    The Never Block Address tab lets you specify IP addresses that should never be blocked. This is an important thing to consider when you do business online. If you have clients and customers with trusted business relationships, you may want to enter all of those addresses in this tab. This will prevent them from being blocked inadvertently by a false positive.


    Note 

    Hackers can spoof IP addresses of clients, customers, and business partners and trigger alarms that prompt the sensor to block traffic. This can cause a denial of service to your resources.

  2. Select the Blocking Devices tab. Here you define the parameters the sensor will use to access a device and modify an ACL. The information needed is

  3. You can tell from the list of required information why the network personnel may be reluctant to support this feature. Click Add. See Figure 4.22. Add the information from the preceding list. Repeat as needed. Click OK to continue.

    Figure 4.22: Blocking Device Properties

  4. Specify the length of time the blocking will last in minutes in the Block Duration field. Also, specify the ACL number that will be modified. Without getting into the different types of ACLs, I will simply list them. Refer to Cisco.com for further information regarding ACLs.

    • Number 1–99: IP Standard access list

    • Number 100–199: IP Extended access list

    • Number 1300–1999: IP Standard access list, expanded range

    • Number 2000–2699: IP Extended access list, expanded range

    Remember when the block duration has ended that the sensor will log back in to the device and remove the configuration used to block.

  5. Access the Master Blocking Sensor tab. Select the sensor name that will act as the Master, then click OK.


    Note 

    A Master Blocking sensor needs to be defined if you have multiple entry points into your network. What happens is, if a sensor blocks traffic at a certain entry point router, that sensor tells the Master Blocking Sensor to also block the other entry point(s).
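The following is an added example, not CSPM or sensor code, that models the blocking behaviour described in this section: the Never Block Address list, the Block Duration timer after which the sensor removes the ACL entry again, the numbered-ACL ranges listed above, and the Master Blocking Sensor telling the other entry points to block. The class and method names, the 30-minute duration, ACL number 150 and the RFC 5737 sample addresses are constructed for illustration. Note how each sensor applies its own never-block list even when the block arrives from the master; this is the control that keeps a spoofed partner address from turning into the denial of service the note above warns about.

```python
"""Added example (not CSPM or sensor code): a model of the sensor-side blocking
decisions described in the Blocking tab section. Names, durations, ACL number
and sample addresses are constructed."""
import ipaddress


def acl_type(number):
    """Classify a numbered ACL using the ranges listed on the page."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "IP Standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "IP Extended"
    raise ValueError(f"{number} is not a numbered IP access list")


class BlockingSensor:
    def __init__(self, name, never_block, block_duration_min, acl_number):
        self.name = name
        # Never Block Address list: hosts or networks that must never be blocked
        self.never_block = [ipaddress.ip_network(n, strict=False) for n in never_block]
        self.block_duration = block_duration_min * 60      # Block Duration in seconds
        self.acl_number = acl_number
        acl_type(acl_number)            # reject an ACL number outside the listed ranges
        self.master = None              # Master Blocking Sensor, if one is defined
        self.active = {}                # blocked address -> expiry time (seconds)
        self.acl_log = []               # audit trail of the ACL edits the sensor would make

    def is_never_block(self, address):
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in self.never_block)

    def request_block(self, address, now, from_master=False):
        """Block an address unless it is on the never-block list; True if a block is in place."""
        if self.is_never_block(address):
            self.acl_log.append((now, self.name, "skip-never-block", address))
            return False
        already_blocked = address in self.active
        self.active[address] = now + self.block_duration     # new block or refreshed expiry
        if not already_blocked:
            self.acl_log.append((now, self.name, "add", self.acl_number, address))
        # Tell the Master Blocking Sensor so the other entry points block as well
        if self.master is not None and not from_master:
            self.master.propagate(address, now, origin=self)
        return True

    def expire(self, now):
        """Remove blocks whose duration has elapsed: the sensor logs back in and undoes the ACL change."""
        expired = [a for a, until in self.active.items() if until <= now]
        for a in expired:
            del self.active[a]
            self.acl_log.append((now, self.name, "remove", self.acl_number, a))
        return expired


class MasterBlockingSensor:
    def __init__(self, members):
        self.members = list(members)
        for m in self.members:
            m.master = self

    def propagate(self, address, now, origin):
        """Apply the block at every other entry point; each sensor still honours its own never-block list."""
        return [m.name for m in self.members
                if m is not origin and m.request_block(address, now, from_master=True)]


if __name__ == "__main__":
    edge1 = BlockingSensor("edge1", ["203.0.113.0/24"], 30, 150)
    edge2 = BlockingSensor("edge2", ["203.0.113.0/24", "198.51.100.7"], 30, 150)
    MasterBlockingSensor([edge1, edge2])
    edge1.request_block("198.51.100.7", now=0)      # blocked at edge1 only: edge2 never-blocks it
    edge1.request_block("203.0.113.5", now=0)       # refused everywhere (partner network)
    print(edge1.expire(1800), edge1.acl_log, edge2.acl_log)
```

Running the block shows edge1 adding and, 30 minutes later, removing its ACL entry, while edge2 records only that it skipped the address on its never-block list.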

The Filtering Tab

The Filtering tab helps you reduce the size of your database by filtering out certain signatures from hosts that you have determined to be false positives. There are three ways to filter alarms: minimum event level, simple filtering, and advanced filtering. To configure filtering, see the following sections.

Minimum Event Level

The Minimum Event Level drop-down menu allows you to choose the minimum severity level of alarms that will be sent to the management console. This helps with log reduction in that you can select Medium or High and not have to worry about sorting through low-level alarms.

  1. Click the Filter tab on the sensor you are configuring.

  2. The main screen shows the Minimum Event Level field at the top. Select the minimum level of alarms that will be sent to the CSPM console (see Figure 4.23).

    Figure 4.23: Minimum Event Level Filtering


    Note 

    You may not be interested in low severity alarms and only want Medium severity and above. This keeps you from having to sort through large amounts of minor alarms. This is a huge log reducer.

  3. Save and Update your CSPM configuration.

  4. Download the new sensor configuration to the target sensor.

Simple Filtering

Simple Filtering takes log reduction further than simply not receiving lower level alarms that might not interest you. With Simple Filtering, you can actually filter out signatures that you consider benign on your network to or from specific addresses. This helps reduce your logs even further, thus allowing you to spend more time on the important alarms. Follow these steps to configure Simple Filtering:

  1. Click the Filter tab on the sensor you are configuring.

  2. On the Simple Filtering subtab, click Add.

  3. Select the Signature ID, any subsignatures, the IP address to exclude, and the address role. The address role tells the sensor if the IP address is the source or the destination address for the signature or both (see Figure 4.24).

    Figure 4.24: Simple Filtering

  4. Once you have completed the information, click the OK button.

  5. Save and update your CSPM configuration.

  6. Download the new sensor configuration to the target sensor.

Advanced Filtering

Advanced Filtering goes even further to reduce your logs and help you focus on what's important. The difference in the Advanced Filtering tab is that, instead of only excluding signatures and their subsignatures for a network or a specific host, you can both include and exclude them for specific source and destination hosts. Certain hosts may generate an alarm based on a signature, but analysis may show that this is normal traffic for the host. Conversely, you may have excluded the signature in the Simple Filter tab and still want to include, that is monitor, a specific host or network for that signature. Follow these steps to configure Advanced Filtering:

  1. Click the Filter tab on the sensor you are configuring.

  2. Click the Advanced Filtering subtab and click Add. This is similar to the Simple Filtering tab, with some added functionality.

  3. Select the Signature ID and any subsignatures.

  4. For IP addresses, you can specify single, multiple, or ranges of IP addresses for the source and destination. It is perfect for those noisy signatures that generate tons of alarms in your Event Viewer (see Figure 4.25).

    Figure 4.25: Advanced Filtering

  5. Once you have entered all of the required information, click OK.

  6. Save and update your CSPM configuration.

  7. Push the sensor configuration to the sensor.
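To make the three filtering stages concrete, and the IN/OUT labelling from the Internal Networks tab that the Event Viewer applies to the alarms that survive, here is an added example that is not CSPM or sensor code. It runs a handful of constructed alarms through a minimum event level, a simple filter and two advanced rules. The rule precedence (an advanced "include" overrides both the simple and the advanced "exclude" rules, which is how the text describes re-including a host the simple filter excluded), the dict-based rule format, the address-role meaning of "both" (matches either position) and the signature IDs 1000/2000/3000 are assumptions made for the example.

```python
"""Added example (not CSPM or sensor code): alarm filtering as described in the
Filtering tab section, plus IN/OUT tagging from the Internal Networks tab.
Rule format, precedence, signature IDs and addresses are constructed."""
import ipaddress

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def matcher(spec):
    """Predicate for one address spec: 'any', a host, a CIDR block, or 'start-end'."""
    if spec == "any":
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ip in net


class SensorFilter:
    def __init__(self, internal_networks, min_level="Low", simple=(), advanced=()):
        self.internal = [ipaddress.ip_network(n, strict=False) for n in internal_networks]
        self.min_level = LEVELS[min_level]
        self.simple = list(simple)        # {"sig", "sub", "address", "role"}
        self.advanced = list(advanced)    # {"sig", "sub", "src": [...], "dst": [...], "action"}

    def direction(self, address):
        """IN for addresses inside the configured internal networks, OUT otherwise."""
        ip = ipaddress.ip_address(address)
        return "IN" if any(ip in net for net in self.internal) else "OUT"

    @staticmethod
    def _sig_match(rule, alarm):
        # A rule without a subsignature applies to every subsignature of that ID
        return rule["sig"] == alarm["sig"] and rule.get("sub") in (None, alarm.get("sub"))

    def _simple_match(self, rule, alarm):
        if not self._sig_match(rule, alarm):
            return False
        hit = matcher(rule["address"])
        role = rule["role"]                # "source", "destination" or "both"
        return ((role in ("source", "both") and hit(ipaddress.ip_address(alarm["src"])))
                or (role in ("destination", "both") and hit(ipaddress.ip_address(alarm["dst"]))))

    def _advanced_match(self, rule, alarm):
        if not self._sig_match(rule, alarm):
            return False
        src, dst = ipaddress.ip_address(alarm["src"]), ipaddress.ip_address(alarm["dst"])
        return (any(matcher(s)(src) for s in rule["src"])
                and any(matcher(d)(dst) for d in rule["dst"]))

    def process(self, alarm):
        """Return ("keep" | "drop", reason) for one alarm."""
        if LEVELS[alarm["level"]] < self.min_level:
            return "drop", "below minimum event level"
        for rule in self.advanced:          # includes win, so a host can be re-added
            if rule["action"] == "include" and self._advanced_match(rule, alarm):
                return "keep", "advanced include"
        for rule in self.simple:
            if self._simple_match(rule, alarm):
                return "drop", "simple filter"
        for rule in self.advanced:
            if rule["action"] == "exclude" and self._advanced_match(rule, alarm):
                return "drop", "advanced exclude"
        return "keep", "no filter matched"

    def run(self, alarms):
        """Alarms that survive filtering, tagged with the IN/OUT role of each address."""
        kept = []
        for alarm in alarms:
            if self.process(alarm)[0] == "keep":
                kept.append({**alarm, "src_dir": self.direction(alarm["src"]),
                             "dst_dir": self.direction(alarm["dst"])})
        return kept


# Constructed sample alarms: RFC 5737 / private addresses, made-up signature IDs
SAMPLE_ALARMS = [
    {"sig": 1000, "sub": None, "level": "Medium", "src": "10.1.1.50", "dst": "10.1.1.20"},
    {"sig": 1000, "sub": None, "level": "Medium", "src": "10.1.1.50", "dst": "10.1.1.3"},
    {"sig": 2000, "sub": 1, "level": "High", "src": "192.0.2.77", "dst": "10.1.1.5"},
    {"sig": 2000, "sub": 2, "level": "High", "src": "192.0.2.77", "dst": "10.1.1.5"},
    {"sig": 3000, "sub": None, "level": "Low", "src": "198.51.100.9", "dst": "10.1.2.2"},
]


def example_filter():
    """One sensor's filter settings, as the Filter tab would hold them (constructed)."""
    return SensorFilter(
        internal_networks=["10.1.0.0/16"],
        min_level="Medium",
        # Simple filter: an internal monitoring host is a benign source of sig 1000
        simple=[{"sig": 1000, "sub": None, "address": "10.1.1.50", "role": "source"}],
        advanced=[
            # ...but still report it when it touches the core servers 10.1.1.1-10.1.1.9
            {"sig": 1000, "sub": None, "src": ["10.1.1.50"], "dst": ["10.1.1.1-10.1.1.9"], "action": "include"},
            # Subsignature 1 of sig 2000 from the partner block is noise; other subsignatures stay
            {"sig": 2000, "sub": 1, "src": ["192.0.2.0/24"], "dst": ["any"], "action": "exclude"},
        ],
    )


if __name__ == "__main__":
    f = example_filter()
    for alarm in SAMPLE_ALARMS:
        print(alarm["sig"], alarm["sub"], alarm["level"], f.process(alarm))
    print(f.run(SAMPLE_ALARMS))
```

Of the five constructed alarms only two reach the console: the monitoring host's sweep against a core server (re-included by the advanced rule) and subsignature 2 from the partner block, which is tagged OUT to IN because only 10.1.0.0/16 was declared internal.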

The Logging Tab

By enabling logging on your sensors, you are creating log files for future use. Your industry may require you to retain logs for a period of time. By enabling logging, you can have the sensor do the work for you by creating the log and then FTPing it to a location for safekeeping (see Figure 4.26). To enable logging, follow these steps:

Figure 4.26: Logging

  1. Select the Logging tab on the sensor you are configuring.

  2. Select Generate audit event log files.

  3. Either have the log file saved to the sensor or have it FTP'd to another location. Although not mandatory for logging, you may have a requirement to archive the log files. In this same window, you can point the sensor to an FTP server and have the logs saved off to a logging server for archival and backup purposes. Click OK.

  4. Save and update your CSPM configuration.

  5. Download the new sensor configuration to the target sensor.

The Advanced Tab

The Advanced tab allows you to configure additional PostOffice features such as Watchdog Properties and Additional Destinations. Watchdog queries the PostOffice services running on the local host and on the sensors. If Watchdog detects that a service is not running, the parameters defined here tell the sensor how to treat the situation and how it is reported (see Figure 4.27). To specify additional destinations to which the sensor will forward alarms, use the Additional Destinations subtab (see Figure 4.28).

Figure 4.27: Advanced PostOffice Settings

Figure 4.28: Additional Destinations

PostOffice Settings (Watchdog)

To configure the additional PostOffice settings (Watchdog) follow these steps:

  1. Select the Advanced tab on the sensor you are configuring.

  2. In the Watchdog Interval field, enter the number of seconds between each query Watchdog will perform on the services to see if they are running.

  3. In the Number of Restarts field, enter the number of restart attempts PostOffice makes for downed services. If PostOffice cannot start the service in the number of times specified, a Daemon Unstartable alarm is fired. The default is three attempts.

  4. In the Watchdog Timeout field specify the number of seconds Watchdog will wait for a response to a query. If Watchdog does not receive a response in the allotted time, a Daemon Down alarm is fired. The default is 240 seconds.

  5. In the PostOffice Heartbeat Interval field, specify the number of seconds that PostOffice should wait for a response after querying remote PostOffices. If the query does not generate a response, a Route Down alarm is fired. The default is five seconds.

  6. To the right are the Daemon Down Alarm Level field and the Daemon Unstartable Alarm Level field. Select the level of the alarm that will be sent to the console: High, Medium, or Low. The default for both fields is High.

  7. Save and update your CSPM configuration.

  8. Push the sensor configuration to the sensor by clicking the Approve Now button on the Command tab for the sensor.
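As an added example (not CSPM or sensor software), the following simulation shows how the Watchdog fields above interact: a service that fails to answer within the Watchdog Timeout raises a Daemon Down alarm, it is then restarted up to Number of Restarts times and, if that fails, a Daemon Unstartable alarm follows; a remote PostOffice that does not answer the heartbeat within the Heartbeat Interval raises Route Down. The page defaults (3 restarts, 240 s timeout, 5 s heartbeat, High for both alarm levels) are used; the 60-second polling interval, the service and sensor names, the `FakeService` stand-in and the ordering "Daemon Down first, then the restart attempts" are assumptions. The page states no alarm level for Route Down, so the example leaves it unset.

```python
"""Added example (not CSPM or sensor code): a simulation of the PostOffice
Watchdog parameters from the Advanced tab. Defaults come from the page; the
polling interval, names and FakeService class are constructed."""
from dataclasses import dataclass


@dataclass
class WatchdogConfig:
    interval: int = 60          # Watchdog Interval, seconds between queries (constructed value)
    restarts: int = 3           # Number of Restarts (page default)
    timeout: int = 240          # Watchdog Timeout in seconds (page default)
    heartbeat: int = 5          # PostOffice Heartbeat Interval in seconds (page default)
    daemon_down_level: str = "High"
    daemon_unstartable_level: str = "High"


class FakeService:
    """Stand-in for a local PostOffice service or a remote PostOffice (constructed).
    delay=None means it is down; restarts_needed is how many restart attempts it
    takes before it comes back up."""
    def __init__(self, delay, restarts_needed=0):
        self.delay = delay
        self.restarts_needed = restarts_needed

    def respond(self, timeout):
        return self.delay is not None and self.delay <= timeout

    def restart(self):
        self.restarts_needed -= 1
        if self.restarts_needed <= 0:
            self.delay = 1          # back up and answering promptly
            return True
        return False


class Watchdog:
    def __init__(self, config, local_services, remote_postoffices):
        self.cfg = config
        self.local = local_services         # service name -> FakeService
        self.remote = remote_postoffices    # sensor name -> FakeService

    def poll(self, now):
        """One Watchdog pass: query local services, then heartbeat the remote PostOffices."""
        alarms = []
        for name, svc in self.local.items():
            if svc.respond(self.cfg.timeout):
                continue
            alarms.append({"time": now, "alarm": "Daemon Down", "target": name,
                           "level": self.cfg.daemon_down_level})
            # Up to Number of Restarts attempts; stop as soon as one succeeds
            if not any(svc.restart() for _ in range(self.cfg.restarts)):
                alarms.append({"time": now, "alarm": "Daemon Unstartable", "target": name,
                               "level": self.cfg.daemon_unstartable_level})
        for name, po in self.remote.items():
            if not po.respond(self.cfg.heartbeat):
                alarms.append({"time": now, "alarm": "Route Down", "target": name, "level": None})
        return alarms

    def run(self, duration):
        """Poll every Watchdog Interval seconds for the given duration; return all alarms."""
        events = []
        for t in range(0, duration, self.cfg.interval):
            events.extend(self.poll(t))
        return events


def demo_run():
    """Constructed scenario: one healthy service, one that recovers after two
    restarts, one that never comes back, and one sensor whose heartbeat is late."""
    local = {"postofficed": FakeService(delay=1),
             "loggerd": FakeService(delay=None, restarts_needed=2),
             "managed": FakeService(delay=None, restarts_needed=10)}
    remote = {"sensor1": FakeService(delay=2), "sensor2": FakeService(delay=30)}
    return Watchdog(WatchdogConfig(), local, remote).run(120)


if __name__ == "__main__":
    for event in demo_run():
        print(event)
```

Over two polls, loggerd raises a single Daemon Down and then stays quiet because the second restart brought it back, while managed raises Daemon Down and Daemon Unstartable on every pass and sensor2 raises Route Down each time its 30-second reply misses the 5-second heartbeat.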

Additional Destinations

To configure the additional destinations, follow these steps:

  1. On the Advanced tab, select the Additional Destinations subtab.

  2. Click Add.

  3. Enter the sensor name, organization name, organization ID, sensor ID, service name, minimum event level, IP address, heartbeat timeout, and port.

  4. Click OK.

  5. Save and update your CSPM configuration.

  6. Push the sensor configuration to the sensor.

The Command Tab

The Command tab allows you to update your sensors with updated configuration files (see Figure 4.29). The Approve Now button at the bottom of the screen starts the update process. The Approve Now button is enabled when configuration files are ready to be sent to the sensors. If no changes are available, the button is grayed out.

Figure 4.29: The Command Tab

In the Command Review/Edit pane, you can view Pending Command, Current Configuration, Distribution Status, Generation Status, Prologue, and Epilogue. Select the one you want to view the status of and press the Refresh button in the same pane.


Note 

The sensor only utilizes two of the options: Pending Commands and Distribution Status.

The Poll button located in the upper-right corner of the Command tab checks the status of your sensor. The window above the Poll button shows the current status.

The Control Tab

On the Control tab, you can specify the Policy Distribution Point and the Associated Network Service. There are other options listed in this window, but the only ones that are available are these two. The Policy Distribution Point is the device that sends policy updates: the CSPM server that generates and publishes command sets to the selected sensor(s). Remember, you can have multiple CSPM servers in your architecture, so it is important to make sure you select the correct one. Follow these steps to select the CSPM server that will generate and publish the commands for your selected sensor:

  1. Select the sensor for which you want to specify a CSPM server, then click the Control tab in the View pane. The Control tab, shown in Figure 4.30, appears.

    Figure 4.30: The Control Tab

  2. Click the drop-down menu to select the CSPM server you will use. Only CSPM servers that have already been defined in the network topology will be displayed.

  3. Make sure the Associated Network Service is set to Cisco Post Office. This is the mode in which communication occurs. We are using the PostOffice Protocol.

  4. Click OK, then save and update the configuration.

Signature Updates

Chances are that your initial setup of CSPM and the sensor is going to be out of date. The signature files that come with the CSPM software and with the sensor itself will lag behind the current signatures to some degree. Remember that one of the rules of good network security is to stay current with patches and signatures, so we need to update the sensor and CSPM to the latest level. To update the signatures, follow these steps:

  1. Go out to Cisco.com and download the current signature files from the following Web site: www.cisco.com/cgi-bin/tablebuild.pl/ids3-app. This requires you to have a SMARTnet maintenance contract number and a Cisco Connection Online (CCO) account to request software upgrades from CCO.

  2. Download the CSPM signature update file(s) needed.

  3. Back up your current CSPM topology and database. Export your topology by clicking File | Export to file. Back up your data directory from the CSPM Install Directory.

  4. Load the CSPM signature update. Unzip the signature update file to a local folder. Select Signature Update | Update Sensor from the wizards list.

  5. Check Load CSPM Sensor Signature Update file.

  6. Specify the path to the \html directory from the update file you previously unzipped (see Figure 4.31) and select Next. You do not need to check the box for Generate Updated Signature Configuration Files For The Sensors On Finish unless you intend to update the sensors also.

    Figure 4.31: The Update Sensor/Signature Wizard

  7. After the process is complete, save your changes by choosing File | Save changes.

  8. Exit CSPM and reboot the system.

  9. When the system finishes rebooting, start CSPM and log in.

Configuring IPSec

IP Security (IPSec) provides security features such as confidentiality, integrity, and authentication via a protocol suite built into IP. CSPM can be used to create encrypted tunnels between devices that support IPSec. IPSec tunnels enable peer-to-peer secure transmission of data over a public, untrusted IP network. In this scenario it is used for communication between CSPM and the sensors. It cannot be used between the sensors and blocking devices. Refer to the IPSec Tunnel Implementation, v2.0, which can be found at the following address: www.cisco.com/en/US/products/sw/secursw/ps2133/products_user_guide_book09186a008010703e.html

Before you can configure the IPSec tunnels, the Cisco Secure VPN client must be installed on the CSPM server. Sensors that will be managed by CSPM using IPSec tunnels must be running IDS software version 2.5(1)S0 or later. The CSPM server and all sensors must be defined in the topology. The following steps walk you through configuring IPSec:

  1. Verify that the sensor(s) supports IPSec and select the appropriate IPSec tunnel template. Use a manual template for CSPM server-to-sensor tunnels. IKE is not supported by the sensors. Do this for all of the sensors. The IPSec Tunnel Groups branch of the Network Policy tree will be populated with an IPSec tunnel group, which consists of the CSPM server and the sensors that will communicate via the IPSec tunnel.

  2. Next, you need to configure Manual Keys for each of the sensors and the CSPM server. You must specify a key for each protocol/stage/transform present for each sensor and the CSPM server in the IPSec tunnel group.

  3. Generate the Command Sets. This happens when you save and update the configuration in CSPM. The default for publishing command sets is set to manual. You can set CSPM to publish the command set automatically when you save and update.


    Warning 

    You have to disable the setting to automatically update while configuring the IPSec tunnel. If you do not disable the automatic update setting, CSPM will attempt to publish the configuration data to the sensor through the IPSec tunnel before the tunnel configuration is complete on both the CSPM end and the sensor end, generating a publishing error.

  4. Two things can happen here. You either have to restart the Cisco Secure VPN Client, or if the VPN Client has been running during the IPSec tunnel configuration, don't do anything. If the VPN Client is running, the tunnel will not be displayed, even though it is still functioning. If this is the case, stop and then restart the VPN Client for it to be displayed.

  5. Next, bootstrap the sensor(s) that will be communicating via the IPSec tunnel. Run through the bootstrapping process and select option 9, Secure Communications, to configure the sensor for IPSec. Once the sensor is configured for IPSec, you can send data to CSPM and receive signature updates.

  6. After the sensor has been bootstrapped and rebooted, you can then publish the command sets to the sensor from CSPM.

Viewing Alarms

Now that you have your sensors and CSPM at the current signature update level, you might want to see what is going on as far as alarms. Cisco is pretty good about tuning some pretty obvious signatures and turning off old signatures that are superseded by newer ones. But chances are, alarms may abound with a new implementation. Alarms can run into the hundreds and thousands if they are not tuned correctly. So let's take a look at the CSPM Event Viewer and see what is going on.

  1. Select Tools | View Sensor Events | Database. You also have the option to choose Log Files instead of Database if you need to look at some archived records (refer to Figure 4.32).

    Figure 4.32: Event Viewer Database

  2. Choose CSIDS Alarms and click OK, as shown in Figure 4.33. Notice you can select certain time frames with a specific start and stop time and date, or have it be continuous.


    Figure 4.33: View Database Events


    Note 

    If you choose to have the alarms logged while you are looking at the event viewer, depending on the amount of alarms being generated, it may be hard to work with. The event viewer continuously refreshes when alarms are generated.

When the Event Viewer opens, it may take a minute depending on how many records are in the database. The event viewer has a default limit of 100,000 records. If the database receives more than that amount, the viewer will only display the first 100,000. You can change the settings on this to increase the limit, but I would not recommend it. With proper tuning of the signatures and alarms, and regular archiving to reduce the logs to a usable size, you should be able to stay under that amount. The viewing screen should look like Figure 4.34 when it opens.

Figure 4.34: Event Viewer

Even after the initial install activity is completed, alarms are already being generated. Notice the color coding to the left. You can probably ascertain from the colors the importance of the different alarms. CSPM displays alarms in three categories: low (green), medium (yellow), and high (red). The columns are collapsed initially. To expand the alarms for the different signatures, you can either double-click the count or right-click the row you want to expand and select Expand | All Columns. Notice that for the signature Net sweep-echo there is a "+" symbol in the source address column. That tells you there are multiple source addresses for that signature. The expanded view should look like Figure 4.35. Also notice that the other alarms are informational to the administrator and are not associated with intrusion detection signatures. Those can be turned off in the configuration.

Figure 4.35: Event Viewer Expanded View

Other viewing options include expanding one column, collapsing one or all columns, moving and deleting columns, selecting columns to be displayed, and also setting event expansion boundaries.

