The director platforms act as
centralized management stations for the entire CIDS infrastructure. In addition
to displaying alarms, the director platforms are also responsible for manual
intrusion response and sensor configuration. Cisco offers two different director
platforms that can be used to manage your CIDS environment. Cisco Secure Policy
Manager (CSPM) is the director platform of choice for Windows NT, while Cisco
Intrusion Detection Director for UNIX (CIDS Director for UNIX) is for use in
UNIX environments. Each sensor also has a built-in web interface that can be
used to manage and configure the sensor.
The IDS Device Manager is a web-based application installed on each sensor;
it is used to configure and manage that sensor. The Event Viewer, a standalone
application, is used to view the events and alarms generated by the sensors.
STUDY TIP: The CIDS exam focuses on the Device Manager for the configuration
and management of network sensors.
Alarm Display
The Event Viewer is responsible for alarm display. Because
manually monitoring every sensor on the network is impractical, the Event
Viewer provides a centralized alarm notification and management console. It
includes the software needed to display the alarms generated by the sensors in
a GUI.
The Event Viewer's GUI displays each alarm in a color chosen by the
alarm's severity, so security administrators can see alarms as they are
reported in real time and quickly assess security threats across the
enterprise.
Manual Intrusion Response
Based on the severity of an alarm, manual or automatic
responses can be taken to prevent further activity. Automatic responses are
handled by the sensors, not the directors, and in many cases an automatic
response isn't needed or wanted. Manual intrusion response is performed through
the sensor configuration in the IDS Device Manager: directly from the sensor,
the administrator can initiate an IP blocking response against either the
offending host address or the entire network of the intrusive host. Because
blocking acts on the source address as seen on the wire, an attacker who
spoofs addresses can trick the sensor into cutting off a legitimate host, so
verify the alarm before blocking and keep the block no wider than the activity
justifies.
Sensor Configuration
Configurations can be created on the director platform and
pushed to the sensors, or individual sensors can be configured directly
through the IDS Device Manager. The UNIX version of the director (CIDS
Director for UNIX) lets administrators create multiple configurations on the
Director and apply them as needed to any sensor in the infrastructure. The
Windows NT version of the director (Cisco Secure Policy Manager) lets
administrators create configuration templates that can be applied to one or
more sensors on the network.
As introduced earlier, Cisco offers two director platforms:
Cisco Secure Policy Manager (CSPM)
Cisco Secure Policy Manager is a Windows NT 4.0 based
application that can be used to provide security policy management and
enforcement for:
- Cisco PIX firewalls
- Cisco IOS routers with the firewall feature set
- Cisco Secure Integrated virtual private network (VPN)
- Cisco Intrusion Detection System Sensors
CSPM is a vast application, capable of managing an enterprise’s
entire security infrastructure. Entire books can be written describing all the
features and functions of CSPM, but this chapter only details the features and
functions of CSPM as they relate to the director platform for CIDS.
Sensor Configuration with CSPM
CSPM provides a centralized GUI management platform for the
distributed sensor architecture. Sensors can be added to the Network Topology
Tree (NTT) using the Add Sensor Wizard within CSPM. Once the sensors are added,
CSPM enables security administrators to remotely configure each sensor
individually or as a group. Different configurations can be created and saved as
a template, and these template configurations can then be applied to one or more
sensors within the CIDS infrastructure.
Note: The NTT is a directory containing objects that represent the network and
security infrastructure equipment. Much like Active Directory in Windows 2000,
the NTT provides a graphical view of your network components. The purpose of
the NTT is to communicate the locations of objects installed on the network to
CSPM; the NTT can then be used to locate, view, and configure those objects.
Infrastructure equipment that should be defined in the NTT includes networks,
gateways, sensors, directors, and hosts.
CSPM Event Viewer
The Event Viewer located in CSPM allows security
administrators to view, in real time, all suspected intrusive activity on their
network. The Event Viewer display has two primary panes: the Connection Status
pane and the Grid pane. The Event Viewer can be customized through the use of
configurable grids that permit multiple views and instances. The CSPM Event
Viewer combines the organization of a spreadsheet and the usability of a browser
into a hierarchical collection of audit events called a drillsheet. The
drillsheet collapses similar audit event records into a single row of a grid,
which an administrator can then expand level by level, making patterns in the
data easier to spot.
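The drillsheet idea above is easier to see in code. The following is an added example, not part of the original chapter and not CSPM's own code: it groups constructed alarm records (the alarm field names, signature names and addresses are assumptions for illustration) into one row per signature, ordered most severe first, and lets the reader expand a row to the next level, first by source address and then by destination, the way the CSPM Event Viewer lets an administrator drill into a grid row.

```python
from dataclasses import dataclass

# CSPM's three alarm severities, ranked so the worst can be picked out.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
RANK_SEVERITY = {rank: name for name, rank in SEVERITY_RANK.items()}


@dataclass(frozen=True)
class Alarm:
    signature: str
    severity: str   # "low", "medium" or "high"
    src: str
    dst: str


# Constructed sample alarms for the example; not output from a real sensor.
SAMPLE_ALARMS = [
    Alarm("TCP SYN Port Sweep", "medium", "192.0.2.10", "10.0.0.5"),
    Alarm("TCP SYN Port Sweep", "medium", "192.0.2.10", "10.0.0.6"),
    Alarm("TCP SYN Port Sweep", "medium", "192.0.2.10", "10.0.0.7"),
    Alarm("ICMP Echo Request", "low", "192.0.2.10", "10.0.0.5"),
    Alarm("ICMP Echo Request", "low", "203.0.113.4", "10.0.0.5"),
    Alarm("IIS Unicode Attack", "high", "198.51.100.7", "10.0.0.80"),
    Alarm("IIS Unicode Attack", "high", "198.51.100.7", "10.0.0.80"),
]

# Drill-down order (an assumed choice): the top level groups by signature
# only, the next level adds the source address, the last adds the destination.
LEVELS = ("signature", "src", "dst")


def _key(alarm, depth):
    return tuple(getattr(alarm, field) for field in LEVELS[:depth])


def drillsheet(alarms, depth=1):
    """Collapse alarms that share the first `depth` key fields into one row.

    Each row is (key, count, worst_severity). Rows are ordered most severe
    first, then most frequent, so the top of the sheet is what to look at.
    """
    rows = {}
    for alarm in alarms:
        key = _key(alarm, depth)
        count, worst = rows.get(key, (0, 0))
        rows[key] = (count + 1, max(worst, SEVERITY_RANK[alarm.severity]))
    table = [(key, count, RANK_SEVERITY[worst])
             for key, (count, worst) in rows.items()]
    return sorted(table, key=lambda row: (-SEVERITY_RANK[row[2]], -row[1], row[0]))


def drill_down(alarms, *prefix):
    """Expand one drillsheet row: the next-level sheet for alarms matching prefix."""
    depth = len(prefix)
    subset = [a for a in alarms if _key(a, depth) == tuple(prefix)]
    return drillsheet(subset, depth + 1)


if __name__ == "__main__":
    for key, count, severity in drillsheet(SAMPLE_ALARMS):
        print(f"{severity:>6}  {count:>3}  {' / '.join(key)}")
    print("-- expanding TCP SYN Port Sweep --")
    for key, count, severity in drill_down(SAMPLE_ALARMS, "TCP SYN Port Sweep"):
        print(f"{severity:>6}  {count:>3}  {' / '.join(key)}")
```

The top-level sheet shows three rows for seven alarms; expanding the port-sweep row shows that all three sweeps came from one source, which is the kind of pattern the grid view is meant to expose.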
Cisco Secure Intrusion Detection Director for UNIX
The Intrusion Detection Director for UNIX is an HP OpenView
application that runs on Sun Solaris or HP-UX. Like CSPM, the Director
provides a GUI for centralized management of the distributed sensor
architecture.
Sensor Configuration with CIDS Director for UNIX
The Director enables security administrators to create and
save multiple configuration files. Once a configuration is created, it can be
applied to any sensor reporting to the Director platform. The Configuration
Management Utility (nrConfigure) component of the director is used to create and
save configuration files for later use.
CIDS Director Alarm Display
Alarms are recorded and displayed in real time. The Director
for UNIX uses an HP OpenView submap to provide a GUI interface for alarm
viewing.
Comparing the Two Director Platforms
While the overall objective of both platforms is to provide
a centralized management location for all IDS-related activity, CSPM and
Director for UNIX offer different features and use different methods to
accomplish the same goals. Alarm severities in CSPM are low, medium, and high,
while the Director for UNIX has severities of 1 through 5. A severity of 1
represents the lowest severity and 5 represents the highest severity.
CSPM allows security administrators to create configuration
templates that can be applied to one or more sensors; when the template is
updated, every sensor referencing it is updated as well. The CIDS Director
for UNIX instead lets administrators create and save multiple configurations
and apply them as needed. The Director for UNIX also has a
configuration-versioning mechanism that CSPM lacks: when a configuration is
changed, the current configuration is saved as a previous version, so an
administrator can roll back to an earlier version if a change turns out to be
wrong.
A final feature supported by the CIDS Director for UNIX but not by CSPM is
SNMP: the Director can be configured to generate an SNMP trap when an alarm
is received, whereas CSPM does not generate SNMP traps from alarms. Table 24-2
shows a feature comparison of the two CIDS director platforms.
Table 24-2: CSPM and Director for UNIX Comparison

Director Feature             CSPM                 Director for UNIX
Severity Levels              Low, Medium, High    1 through 5
Configuration Templates      Yes                  No
Configuration Versioning     No                   Yes
Local Logging                Database             Text file
SNMP Traps                   No                   Yes