Configuring the IDS Device Manager
The IDS Device Manager is probably the easiest management
tool to use. The installation is relatively painless and the price is right. It
comes installed on the sensor and is free with the purchase of the sensor
software. You will see that just about everything you did with the other
management applications, you can do with IDM. The only exception to this is that
you can only configure one sensor at a time—the one you are logged on to. For
most of us though, the graphical interface is familiar territory and easy to
maneuver through.
There are four tabs located at the top of the screen just
underneath the application name. The tabs are named Device, Configuration,
Monitoring, and Administration. You'll use these tabs to make any configuration
changes, tune signatures, view current and archived logs, and perform other
tasks. Note the buttons at the very top right-hand side of the screen: Logout,
Apply Changes, Help, NSDB, and About.
The Device Tab
The Device tab allows you to make some basic configuration
changes to your sensors. Just under the tab is a menu bar with one option,
Sensor Setup. Here, you can make basic sensor modifications, like those done in
sysconfig-sensor. You can also configure SSH, set the time, and change passwords
(see Figure 4.40).
To make network changes, follow these steps:
- Select Network. Figure 4.41 displays these settings, which are similar to those in sysconfig-sensor, with a few added fields.
Figure 4.41: Network Settings
- Make changes to your sensor configuration in this screen. Ensure your Host ID is unique and your organization name and ID match the rest of your IDS infrastructure.
- The PostOffice Port defaults to port 45000. In the Route Up and Route Down Alarm Level boxes, select how you want the two alarms to be displayed in your event viewer. The route going down defaults to high. This is fairly important and should catch your attention. The route coming back up may be less important, so it is marked as informational, as shown in Figure 4.42, and may not even be displayed on your event viewer, depending on your configuration.
Figure 4.42: The Alarm Level
- Select the Heartbeat Interval Multiplier. The Heartbeat is the number of seconds between queries for PostOffice services. Enable or disable TLS/SSL. TLS/SSL is on by default and the port is 443.
- Click Allowed Hosts.
- On this screen, you can add specific IP addresses or entire networks that can access the sensor (see Figure 4.43). Try to be as specific as possible. Least privilege is a good practice when giving access.
Figure 4.43: Allowed Hosts
Note: The idea of least privilege is quite simple in definition
but rather difficult when put into practice. It requires that a user be given
only the necessary privileges to perform a job. First, the user's job is
identified and a minimum set of privileges is associated with the job function,
thus allowing the user to perform the job with those privileges and nothing
more.
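A quick way to review an Allowed Hosts list against the least-privilege advice above, as an added example that is not part of the original text or of Cisco's software: it parses the entries as addresses or networks, flags any that are broader than a chosen prefix length, and rebuilds the list with only the specific hosts that still need access. The sample entries, the required management stations, the /24 threshold and the helper names (parse_entries, overly_broad, is_allowed, tighten) are all constructed assumptions for this illustration.

```python
"""Review an IDM-style Allowed Hosts list for least privilege.

Added example, not from the original text or from Cisco's software. The
entries below and the policy threshold are assumptions chosen for illustration.
"""
import ipaddress
from typing import List

# Constructed sample of what might be typed into the Allowed Hosts screen.
ALLOWED_HOSTS = [
    "10.1.1.25",     # one management workstation
    "10.1.1.0/24",   # the NOC subnet
    "0.0.0.0/0",     # far too broad: would admit every address
]

# Assumed policy: anything with a prefix shorter than /24 is too broad.
MAX_PREFIX_WIDTH = 24


def parse_entries(entries: List[str]):
    """Accept bare addresses or CIDR networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def overly_broad(entries: List[str]) -> List[str]:
    """Return the entries whose prefix is shorter than the policy allows."""
    return [str(n) for n in parse_entries(entries)
            if n.prefixlen < MAX_PREFIX_WIDTH]


def is_allowed(host: str, entries: List[str]) -> bool:
    """Would `host` be admitted to the sensor by this list?"""
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in parse_entries(entries))


def tighten(entries: List[str], required_hosts: List[str]) -> List[str]:
    """Drop overly broad entries and add a /32 for each host that must
    still reach the sensor. Returns the new list for comparison."""
    kept = [str(n) for n in parse_entries(entries)
            if n.prefixlen >= MAX_PREFIX_WIDTH]
    for host in required_hosts:
        if not is_allowed(host, kept):
            kept.append(f"{host}/32")
    return kept


if __name__ == "__main__":
    print("too broad:", overly_broad(ALLOWED_HOSTS))
    print("tightened:", tighten(ALLOWED_HOSTS, ["10.1.1.25", "192.0.2.9"]))
```

Running the script against the sample list reports the 0.0.0.0/0 entry and proposes a list made only of the NOC subnet and explicit /32 entries for the stations that need access.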
- Select Remote Access. In this window, you can specify whether to allow or disallow FTP or Telnet. Make your selection and click OK.
- Select SSH | Host Key to generate a new host key.
- Click Generate Host Key and the system generates a new key, replacing the old one. The changes take effect once applied. Do not forget to update the fingerprint on remote systems (see Figure 4.44).
Figure 4.44: Generating a Host Key
- Select Time to modify the system time.
- Version 3.1 allows you to modify the time, date, and time zone.
- Version 4.0 provides more granularity, allowing changes to time, date, time zone, UTC settings, NTP settings, daylight savings, and the duration of daylight savings.
- Select Password if you need to change the passwords for the accounts root or netrangr.
- Once you have completed any sensor configurations, select Finished.
The Configuration Tab
In the Configuration tab, you can configure the sensing
engines: Communications, Logging, and Blocking. You also have the option to
restore default settings in this screen. Take your time and hopefully you won't
have to restore defaults. Keep in mind, signature tuning is time-consuming.
The sensing engine configuration is for tuning and
enabling/disabling signatures. You can tune all of the signatures, specify the
level of traffic, what port is used, even filter certain signatures that you do
not want to see. You can also configure IP Fragmentation Reassembly Options (see
Figure
4.45).
Notice that the different types of signatures are represented in
groups on the screen. They have circles next to them that are either clear,
half-filled, or filled. The clear circle means that none of the signatures in
that specific group are enabled. The half circle means at least one signature is
enabled, while a full circle means that all of the signatures are enabled.
If you want to enable all of the signatures in a certain group,
put a check in the box next to the group, and click Enable at
the bottom of the screen. To disable all of the signatures in a group, put a
check in the box next to the group, and click Disable.
To configure or tune a signature, follow these steps:
- Select a signature group. The screen should display all of the signatures in that group. If there is more than a single screen of signatures, scroll to the bottom of the screen and select the signature IDs to move to.
- Once you have selected the signature to tune, click the little notepad icon next to the signature name. You should get a screen similar to that shown in Figure 4.46.
Figure 4.46: Tuning a Signature
- Make the changes necessary to meet the requirements in your security policy. If you move your cursor over the field name, it will tell you what needs to be entered in the field next to the name (see Figure 4.47).
Figure 4.47: Signature Fields
- Once you have tuned all of your signatures, use the Apply Changes button to have them implemented.
The Remote Hosts screen in the Configuration tab is used to
specify hosts that receive events from the sensor. (Refer to Figure
4.48.)
The Event Logging screen in the Configuration tab is to define at
what level an event gets logged, as well as what type of alarms are logged (see
Figure
4.49).
The Blocking screen is used to configure blocking and shunning. Be
extremely cautious when configuring blocking. You do not want to deny access to
a customer, client, or business partner (see Figure 4.50).
The Restore Defaults screen does exactly what it says. It
sets all of your configurations back to factory defaults.
The Monitoring Tab
In the Monitoring tab you have the ability to view logs,
interface statistics, and download the event viewer. To view interface
statistics, simply click Sensing Interface Statistics. It may
take a few moments for the statistics to be displayed. The display resembles Figure
4.51.
To view event logs, follow these steps:
- Select Logs. Here you can view Error and Command Logs, IP Session Logs, Current and Archived Event Logs, and System Messages.
- Choose Current Events. The resulting output should resemble that shown in Figure 4.52.
Figure 4.52: Log Output
The full output would look something like this:
3,10000030,2003/06/16,20:30:36,2003/06/16,14:30:36,10008,8,100,OUT,OUT,5,2001,0,TCP/IP,192.168.2.5,10.0.0.32,0,0,0.0.0.0,
It's not very easy to read, but that's what the Event Viewer is
for. It translates it all into easy-to-read records. We'll discuss the Event
Viewer shortly. Table 4.2 describes each field in the .csv log
file.
Table 4.2: Log File Field Values
Field Value | Field Type
3 | Record Type
10000030 | Record ID
2003/06/16 | GMT Date Stamp
20:30:36 | GMT Time Stamp
2003/06/16 | Local Date Stamp
14:30:36 | Local Time Stamp
10008 | Application ID
8 | Host ID
100 | Organization ID
OUT | Source Direction
OUT | Destination Direction
5 | Alarm Level
2001 | Signature ID
0 | SubSignature ID
TCP | Protocol
192.168.2.5 | Source Address
10.0.0.32 | Destination Address
0 | Source Port
0 | Destination Port
0.0.0.0 | Router Address
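To make the raw .csv record usable without the Event Viewer, here is an added example (not code from the original text or from Cisco) that splits a record into the fields of Table 4.2, converts the numeric and timestamp columns, and applies a simple alarm-level threshold of the kind the Event Logging screen sets. The first sample record is the one printed above; the two additional records, the field names and the helper functions (parse_record, parse_log, filter_by_alarm_level, summarize) are constructed for this illustration.

```python
"""Parse Cisco IDS CSV event records into the fields named in Table 4.2.

Added example, not from the original text or from Cisco. Field order follows
Table 4.2; the extra sample records are made up in the same layout.
"""
import csv
from datetime import datetime
from typing import Dict, List

# Column names in the order given by Table 4.2.
FIELD_NAMES = [
    "record_type", "record_id", "gmt_date", "gmt_time",
    "local_date", "local_time", "application_id", "host_id",
    "organization_id", "source_direction", "destination_direction",
    "alarm_level", "signature_id", "subsignature_id", "protocol",
    "source_address", "destination_address", "source_port",
    "destination_port", "router_address",
]

# Constructed sample log: the first line is the record from the text, the
# others are invented records in the same layout (not real sensor output).
SAMPLE_LOG = """\
3,10000030,2003/06/16,20:30:36,2003/06/16,14:30:36,10008,8,100,OUT,OUT,5,2001,0,TCP/IP,192.168.2.5,10.0.0.32,0,0,0.0.0.0,
3,10000031,2003/06/16,20:31:02,2003/06/16,14:31:02,10008,8,100,OUT,IN,2,2004,0,TCP/IP,192.168.2.7,10.0.0.32,1025,80,0.0.0.0,
3,10000032,2003/06/16,20:31:40,2003/06/16,14:31:40,10008,8,100,IN,OUT,4,3002,1,TCP/IP,10.0.0.99,192.168.2.5,44123,23,0.0.0.0,
"""

INT_FIELDS = ("record_type", "record_id", "application_id", "host_id",
              "organization_id", "alarm_level", "signature_id",
              "subsignature_id", "source_port", "destination_port")


def parse_record(line: str) -> Dict[str, object]:
    """Turn one CSV record into a dict keyed by the Table 4.2 field names."""
    values = next(csv.reader([line.strip()]))
    # Records end with a trailing comma, so the last split element is empty.
    if values and values[-1] == "":
        values = values[:-1]
    if len(values) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(values)}")
    rec: Dict[str, object] = dict(zip(FIELD_NAMES, values))
    for key in INT_FIELDS:  # numeric columns, so callers can compare and sort
        rec[key] = int(rec[key])
    # Combine the split date and time columns into datetimes.
    rec["gmt_timestamp"] = datetime.strptime(
        f"{rec['gmt_date']} {rec['gmt_time']}", "%Y/%m/%d %H:%M:%S")
    rec["local_timestamp"] = datetime.strptime(
        f"{rec['local_date']} {rec['local_time']}", "%Y/%m/%d %H:%M:%S")
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line of a log file body."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def filter_by_alarm_level(records, minimum: int):
    """Keep records whose Alarm Level is at least `minimum`, the same idea
    as the logging threshold chosen on the Event Logging screen."""
    return [r for r in records if r["alarm_level"] >= minimum]


def summarize(rec) -> str:
    """One readable line per event, the kind of view the Event Viewer gives."""
    return (f"{rec['local_timestamp']:%Y-%m-%d %H:%M:%S} "
            f"sev={rec['alarm_level']} "
            f"sig={rec['signature_id']}.{rec['subsignature_id']} "
            f"{rec['protocol']} {rec['source_address']}:{rec['source_port']} "
            f"({rec['source_direction']}) -> "
            f"{rec['destination_address']}:{rec['destination_port']} "
            f"({rec['destination_direction']})")


if __name__ == "__main__":
    for r in filter_by_alarm_level(parse_log(SAMPLE_LOG), 4):
        print(summarize(r))
```

The trailing comma on each record is why the parser drops a final empty field; a record with the wrong field count is rejected rather than silently mis-aligned, which matters when a truncated line would otherwise shift the Alarm Level into the wrong column.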
With this in mind, let's run through downloading the Event Viewer
from IDM so we can look at events in a format that's a little easier on the
eyes. To download the Event Viewer, follow these steps:
- From the Monitoring tab, select IDS Event Viewer from the menu bar. The screen should have a couple of links to choose from (see Figure 4.53).
Figure 4.53: The Event Viewer Download Screen
- Click the Event Viewer Readme link and review the signature updates and features.
- Click the Download the Windows NT/2000 IDS Event Viewer link. This will initiate the download process to your workstation.
- If there are signature updates, the link will be highlighted for you to download. Download if necessary.
- Close this screen. (We discuss installing and configuring it later.)
The Administration Tab
In the Administration tab, you can configure automatic
updates, view system information, run diagnostics on your sensor, set up
severity levels for events, and start and stop processes. The two most useful
options here are viewing system information and setting up automatic updates. To
view the system information, click System Information in the
menu bar (see Figure 4.54). This gives you the basic information
necessary for troubleshooting. The following information should appear on the
screen:
- Sensor Version
- Host Name
- Host ID
- Organization Name
- Organization ID
- PostOffice Port
- Web Server Port
- IP Address
- Netmask
- Default Route
- CSIDS Daemon Status—Displays running daemons
- CSIDS Connection Status—Displays the PostOffice connection status
- CSIDS Version—Displays daemon versions
- Administrative Tasks
- MAC Address
- Hardware
- Operating System
- CPU usage
- Memory usage (in MB)
- CSID Logging Disk Space Usage (in MB)
- TAC
To configure automatic updates, follow these steps (see Figure
4.55):
- In the Administration tab, select Update from the menu bar.
- Enter the IP address of the FTP server in the FTP Server field.
- Enter the user account that will be used to connect to the FTP server in the Username field.
- Enter the password of the user account in the Password field.
- Enter the path (location) of the update files. Use a "/" at the beginning of the path.
- Select the Disabled check box.
- Select the Performed at check box and enter the times to check for updates.
- Click OK.
There is also a Diagnostics option in the Administration tab. This
is mainly used by the Cisco TAC personnel for troubleshooting. To run the
diagnostics from the Administration tab, click Diagnostics,
then click Run Diagnostics (see Figure 4.56). A
diagnostics report will be displayed on the screen. Once you have run at least
one diagnostics report, you will have the option of viewing the last diagnostics
report by clicking View Last Report.
Lastly, remember that after you make any changes in IDM, you
must always apply the changes. To apply the changes you have made to the sensor,
click the Apply Changes button in the upper right-hand corner
of the IDM screen. It may take some time, but when the changes are complete you
will get a success message. Once you have made all of your configuration changes
to IDM and your sensors, click Logout located next to the
Apply Changes button.