The presentation was published 10 years ago by user Алексей Тарабукин
1 © 2004, Cisco Systems, Inc. All rights reserved. CSIDS Lesson 6 Sensor Management and Monitoring
2 Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
Explain the features and benefits of IDM and IEV.
Identify the requirements for IDM and IEV.
Install the IEV software and configure it to monitor IDS devices.
Describe the NSDB.
3 IDS Device Manager Overview
4 IDS Device Manager
Web-based device configuration tool
Software installed on the Sensor by default
For small-scale Sensor deployments
5 IDM Features and Benefits
Web-based embedded architecture
Secure communication (TLS/SSL)
Task-based GUI
Signature grouping
Signature customization
Sensor system administration
6 IDM Client Requirements
Supported web browsers
–Netscape Navigator Version 4.79 or higher
–Internet Explorer Version 5.5 Service Pack 2 or higher
Supported client operating systems
–Windows NT 4.0 Service Pack 6
–Windows 2000 Professional and Server
–Solaris SPARC version 2.7
–Solaris SPARC version 2.8
7 IDS Manager Interface
Path bar, table of contents, area bar, subarea bar, toolbar, content area, information window
8 Online IDM Help
9 IDS Event Viewer Overview
10 IDS Event Viewer
Windows NT or Windows 2000
Download from Cisco.com
Provides event monitoring for up to five Sensors
11 IEV Features and Benefits
Downloadable from Cisco.com to an appropriate host
Event monitoring for IDS devices
Customizable event views
Scalable event storage database
NSDB
12 IEV Requirements
The IEV can be installed on a Windows NT or Windows 2000 system that meets or exceeds the following minimum hardware requirements:
Pentium III, 800 MHz or greater
256 MB RAM
500 MB of free hard drive space available
13 IDS Event Viewer Installation
14 Getting Started
Complete the following tasks to start using the IEV:
1. Download the IEV software from Cisco.com.
2. Install the IEV software on the host.
3. Reboot the IEV host to start IDS services.
4. Add IDS devices that the IEV will monitor.
15 IEV Installation
16 Add IDS Devices
Choose File > New > Devices.
17 IDS Event Viewer Views
18 IEV Views Overview
The initial view provides an aggregate view of alarm data.
Views are grouped by signature name, source address, destination address, Sensor identity, and severity level.
Each view can have a different data source.
The level of alarm detail is customizable.
A graph view displays alarm data in either an area format or a bar graph format.
19 IEV Default Views
IEV has the following default views:
Destination Address Group
Sensor Name Group
Severity Level Group
Sig Name Group
Source Address Group
20 Navigating Views
21 Whole Details
22 Alarm Information
23 Alarm Context Data
24 Viewing the Trigger Packet
25 Realtime Dashboard
26 IDS Event Viewer Filters
27 Filter Overview
Filters are applied to a view.
Events that match the filter criteria for exclusion are not displayed in the view.
Events that match the filter criteria for inclusion are displayed in the view.
Filter criteria are based on the following:
–Severity
–Source address
–Destination address
–Signature name
–Sensor name
–Time
–Event status
28 Filter Properties: By Severity
Select the alarm severity levels to add to the filter: Informational, Low, Medium, High
29 Filter Properties: By Source Address
Add unique IP addresses.
Add a range of IP addresses:
–Start address
–End address
30 Filter Properties: By Destination Address
Add unique IP addresses.
Add a range of IP addresses:
–Start address
–End address
31 Filter Properties: By Signature Name
Select a signature category or specific signatures to add to the filter.
32 Filter Properties: By Sensor Name
Select a Sensor to apply to the filter.
33 Filter Properties: By Time
Add an alarm time period to apply to the filter:
–Start date and time
–End date and time
34 Filter Properties: By Status
Choose the status of alarms to include in the filter: New, Acknowledged, Assigned, Closed, Deleted
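The filter and view slides above describe a small event-selection model: an inclusion or exclusion filter over severity, address ranges, signature, Sensor, time window and status, applied to a view that groups alarms by one field. The Python below is an added example that is not part of the Cisco course material; the Alarm and Filter structures, the sample signature names and the constructed alarm feed are assumptions made for the illustration.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import Optional

# One alarm record, reduced to the fields the filter slides list
# (severity: Informational/Low/Medium/High; status: New/Acknowledged/Assigned/Closed/Deleted).
Alarm = namedtuple("Alarm", "severity src dst sig_name sensor time status")
# Constructed sample alarm feed (not from the slides); sensor names follow the lab topology.
ALARMS = [
    Alarm("High", "10.0.1.5", "10.0.2.20", "WWW IIS Unicode", "sensorP", datetime(2004, 3, 1, 9, 5), "New"),
    Alarm("Low", "10.0.1.9", "10.0.2.21", "ICMP Echo Req", "sensorP", datetime(2004, 3, 1, 9, 7), "Acknowledged"),
    Alarm("Medium", "192.168.5.3", "10.0.2.20", "TCP SYN Port Sweep", "sensorQ", datetime(2004, 3, 1, 10, 0), "New"),
    Alarm("High", "10.0.1.5", "10.0.2.22", "FTP Site Exec", "sensorQ", datetime(2004, 3, 2, 8, 30), "Closed"),
]

@dataclass
class Filter:
    """An IEV-style filter; a criterion left as None is not applied."""
    severities: Optional[set] = None
    src_ranges: Optional[list] = None   # (start, end) tuples, inclusive, as on the address slides
    dst_ranges: Optional[list] = None
    sig_names: Optional[set] = None
    sensors: Optional[set] = None
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    statuses: Optional[set] = None
    exclude: bool = False   # False: show only matching events; True: hide matching events

def in_ranges(addr, ranges):
    a = ip_address(addr)
    return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in ranges)

def matches(alarm, f):
    return all([
        f.severities is None or alarm.severity in f.severities,
        f.src_ranges is None or in_ranges(alarm.src, f.src_ranges),
        f.dst_ranges is None or in_ranges(alarm.dst, f.dst_ranges),
        f.sig_names is None or alarm.sig_name in f.sig_names,
        f.sensors is None or alarm.sensor in f.sensors,
        f.start is None or alarm.time >= f.start,
        f.end is None or alarm.time <= f.end,
        f.statuses is None or alarm.status in f.statuses,
    ])
def apply_filter(alarms, f):  # inclusion filter keeps matches, exclusion filter drops them
    return [a for a in alarms if matches(a, f) != f.exclude]

def group_view(alarms, field):  # aggregate view like the default groups: count per field value
    return dict(Counter(getattr(a, field) for a in alarms))
```

Chaining `apply_filter` into `group_view` reproduces what an analyst sees when a filter is attached to, for example, the Sig Name Group view.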
35 Network Security Database
36 NSDB Signature Index
37 Signature Information
38 Related Vulnerability Information
39 User Notes
40 Summary
41 Summary
IDM is a web-based, embedded technology that enables remote administration of Sensor appliances.
IEV is a Windows application that monitors IDS devices.
IEV enables you to view and manage alarm feeds from up to five Sensors.
The NSDB is a tool in IDM and IEV that contains IDS signature and vulnerability information.
42 Lab Exercise
43 Lab Visual Objective (network diagram: student PCs, routers P and Q, sensorP and sensorQ, and hosts labelled RTS, WEB, FTP and RBB)