How to Configure IDS Device Manager
When you are bootstrapping the IDS sensor using the sysconfig-sensor command, option 6 Communications
Infrastructure allows a shortcut. Remember the settings in Figure 3.9? If you are using IDM, you
have the option of bypassing all the IDS Manager Host
information shown earlier. You'll get a message after you set the Sensor IP
Address, as seen in Figure 4.36.
If you do not have a separate Intrusion
Detection Device Manager such as the CSPM or Director solutions implemented,
you can stop here and select y to let the sensor know you will
be using IDM, the Web-based Intrusion Detection Device
Manager. When the configuration is written, the cidwebserver is set to start up on boot.
Logging In
Once you have bootstrapped your sensor, you can log in to
IDM. To do this, point your browser at the sensor by typing its IP
address in the browser's Address bar, using SSL: https://ip address.
SSL is activated by default and no configuration is required to use it.
The first thing you see is a security alert for the security
certificate, as shown in Figure 4.37.
It may sound trivial but best practices say you should always
verify certificates. It is wise to view the certificate and make sure you are in
fact getting the certificate from your sensor and not from somewhere/someone
else.
Verifying the Certificate
IDS version 3.1 contains the Web server that runs the IDS
Device Manager. Connecting to the IDS Device Manager is done via an encryption
protocol called Transport Layer Security (TLS). To access the IDS Device
Manager, you have to enter a URL that starts with https://ipaddress. The Web
browser retrieves the IDS Device Manager pages over TLS or SSL, negotiating a
session with the host. The IDS Device Manager is enabled by default to use
TLS/SSL. It can be disabled from IDS Device Manager by selecting Device | Sensor Setup | Network.
During the handshake the server sends its certificate to the client. The client browser
is shipped with a set of trusted Certificate Authority (CA) certificates. The
certificate must be validated against the list of CAs, and the host name in the URL
compared with the certificate's subject common name.
Follow these steps to verify the certificate:
- With your browser, enter the sensor IP address and connect to IDM: https://ip address.
- You get the Security Alert for the certificate.
- Select View Certificate.
- The certificate information is shown.
- Select the Details tab.
- Locate Thumbprint and select it.
- You will see the thumbprint in the corresponding field.
- Leaving the screen open, connect to your sensor with a console port, SSH, or Telnet.
- Log in as root.
- Enter the following command: # fingerprint /usr/nr/idsRoot/etc/cert/mytestca.cer
- The MD5 and SHA-1 fingerprints are displayed.
- Compare the SHA-1 fingerprint with the value displayed in the open Certificate thumbprint text field. If the fingerprints match, you have validated the certificate's authenticity. If they do not match, you need to find out why.
- Select the General tab.
- Select Install Certificate. The Certificate Import Wizard dialog box appears.
- Select Next. The Certificate Store dialog box appears.
- Select the location for your certificates.
- Select OK to close the Certificate Store dialog box.
- Select Yes to open the IDS Device Manager.
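The comparison in the steps above can be done without clicking through a certificate viewer: a certificate fingerprint is just a hash (MD5 or SHA-1) over the certificate's DER bytes, so the value the sensor's fingerprint utility prints can be checked against the certificate the sensor actually presents on the wire. The script below is an added example written for this page, not code from the book or from Cisco; the function names (certificate_fingerprints, fingerprint_matches, fetch_server_der) are this example's own. It fetches the server certificate without CA validation (the sensor's certificate is self-signed, so the out-of-band fingerprint comparison is the validation step), normalizes the thumbprint strings so that a spaced lower-case Windows thumbprint and a colon-separated upper-case fingerprint compare equal, and uses a constant-time comparison.

```python
"""Compare a sensor's TLS certificate fingerprint with a value obtained
out of band (for example from the `fingerprint` utility on the sensor console)."""
import hashlib
import hmac
import ssl


def format_fingerprint(digest: bytes) -> str:
    """Render a digest as colon-separated upper-case hex, the style most
    fingerprint tools and browser certificate viewers use."""
    return ":".join(f"{b:02X}" for b in digest)


def certificate_fingerprints(der_cert: bytes) -> dict:
    """Return the MD5 and SHA-1 fingerprints of a DER-encoded certificate.
    A certificate fingerprint is simply a hash over the DER bytes."""
    return {
        "md5": format_fingerprint(hashlib.md5(der_cert).digest()),
        "sha1": format_fingerprint(hashlib.sha1(der_cert).digest()),
    }


def normalize_thumbprint(text: str) -> str:
    """Strip the spaces or colons a certificate viewer inserts and
    upper-case the hex so values from different tools compare equal."""
    return "".join(ch for ch in text if ch.isalnum()).upper()


def fingerprint_matches(der_cert: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """True when the certificate's fingerprint equals the expected thumbprint.
    A constant-time comparison avoids leaking how many characters matched."""
    actual = normalize_thumbprint(certificate_fingerprints(der_cert)[algorithm])
    return hmac.compare_digest(actual, normalize_thumbprint(expected))


def fetch_server_der(host: str, port: int = 443) -> bytes:
    """Retrieve the certificate the server presents in the TLS handshake
    without validating it against a CA; the fingerprint comparison done by
    the caller is the validation step for a self-signed sensor certificate."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    import sys
    # Usage: python check_fingerprint.py <sensor ip> <expected SHA-1 thumbprint>
    sensor_ip, expected = sys.argv[1], sys.argv[2]
    der = fetch_server_der(sensor_ip)
    print(certificate_fingerprints(der))
    if fingerprint_matches(der, expected):
        print("MATCH: certificate is the one the sensor console reported")
    else:
        print("MISMATCH: do not install this certificate or log in until you know why")
```

The expected thumbprint is the one you copied from the sensor console in the steps above; the script's job is only to confirm the browser-facing certificate carries the same hash. Note that an IDS 3.1 sensor speaks old SSL/TLS versions, so a modern Python build may refuse the handshake in fetch_server_der; the hashing and comparison helpers still work on a certificate file exported from the browser's Details tab.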
Once you have validated and installed the certificate, the next
dialog box prompts you to log in, as shown in Figure 4.38. In order to
properly configure and manage your IDS sensors, use the netrangr account.
Never save the password in the browser's password list. You do not want an
unauthorized user gaining access to your IDS sensor management console and
modifying any of the settings. With access to the management console, an
unauthorized user can make whatever configuration changes they want,
potentially disabling the sensors or reconfiguring a sensor so that no alarms are
issued during their attack. The IDS Device Manager console is shown in Figure
4.39.