You can deploy multiple 4200 Series Sensors and IDSMs on your network to provide complete IDS coverage. Manually monitoring the alarms on each of these sensors is inefficient. The Director platforms provide the management software necessary to configure, log, and display alarms generated by sensors efficiently. Furthermore, a single Director platform can consolidate all the alarms from multiple sensors into a single user-friendly interface.
In particular, this section examines the following:
- Director platform features
- Cisco Secure Policy Manager (CSPM) as a Director platform
- Cisco Secure Intrusion Detection Director
- Director platform feature comparison
Director Platform Features
The Director platform supplies a graphical user interface (GUI) through which you can manage your Cisco Secure IDS. The main features of the Director platform follow:
- Alarm display
- Alarm response
- Sensor configuration
The GUI on the Director platform provides an excellent vehicle to view alarms generated by the various sensors throughout the network. Each alarm displays with a unique color based on the severity of the alarm. You can quickly view all the alarms that are occurring on your network at any time, as well as visually assess their potential damage.
You also can save alarm information in text log files on both the sensor and the Director platform. Logging enables you to easily archive the data, write custom scripts to extract alarm data specific to your site, and monitor attacks using command-line tools, such as the UNIX command tail.
UNIX tail Command
UNIX systems have a tail command, which enables you to display a specified number of lines at the end of a file. By adding the f option to the tail command, you can continually watch the end of a file. This is especially useful when some program is continually adding data to a specific file. With tail f, you can watch as data is added to the file. Starting with Cisco Secure IDS version 220.127.116.11, however, the log files are memory-mapped files. This prevents you from using tail f to view these log files in real time.
Many of the responses to alarms are configured to occur automatically upon detection of certain intrusive actions. The sensors handle these automatic responses. Sometimes, however, an operator wants to take action based on the alarms that she is viewing on the Director platform. In these situations, the operator can initiate a manual IP blocking response. This response can block a single IP address or entire network. The user initiates this manual response directly on the Director platform.
Remote Sensor Configuration
Both Director platforms enable you to centrally manage the configuration of all the remote sensors under their control. With the Cisco Secure IDS Director for UNIX, the Cisco Secure Configuration Management Utility (nrConfigure) enables you to save different remote sensor configurations and apply them as needed. The Cisco Secure Policy Manager (CSPM) supports remote sensor signature templates that can be shared between remote sensors. (Refer to Chapter 12, "Signature and Intrusion Detection Configuration," for more information on signature templates.) Furthermore, if you change a template, it is automatically applied to all remote sensors referencing it.
Cisco Secure Policy Manager as a Director Platform
Cisco Secure Policy Manager is a Windows NT 4.0-based application that provides scalable, comprehensive security policy management for the following:
- Cisco Secure PIX firewalls
- Cisco IOS routers with the IOS Firewall feature
- Cisco IOS routers with the Cisco Secure Integrated VPN software
- IDS sensors
An entire book can be written on CSPM alone. Staying within the scope of this book, however, this chapter addresses only the use of CSPM as a Director platform for Cisco Secure IDS, where it provides a centralized GUI for intrusion detection management across a distributed network.
CSPM enables you to remotely control all of your sensor configurations. You use the Add Sensor Wizard to define sensors in the Network Topology tree (NTT), and you can use the panels on each sensor node to configure device-specific settings. In addition, you can define sensor signature templates and apply those templates to one or more sensors defined in the NTT. (For more information on signature templates, see Chapter 12.)
Network Topology Tree
CSPM must know the location of the objects on your network with which it must interact and communicate. The Network Topology tree is the vehicle with which you describe your physical network topology. The goal of the NTT is to define all the network objects for which you want to define a unique security policy. The extent to which you define your network topology depends on what you want CSPM to do. In your NTT, you define networks, gateways, and some hosts.
For alarm reporting, CSPM provides a GUI to view real-time alarms as the IDS sensors generate them. This real-time alarm view is accessible using the View Sensor Events option on the Tools menu of the GUI client. (For more information on alarm management, see Chapter 8, "Working with CSIDS Alarms in CSPM.")
For instructions on installing CSPM, see Chapter 6, "Cisco Secure Policy Manager Installation."
Cisco Secure Intrusion Detection Director
Cisco Secure IDS Director for UNIX is an HP OpenView application that runs on Solaris or HPUX, which, like CSPM, provides a centralized GUI for intrusion detection management across a distributed network.
It enables you to centrally manage the configuration of all the sensors reporting to it. The Cisco Secure IDS Configuration Management Utility (nrConfigure) allows different configurations to be saved and applied as needed, enabling you to maintain multiple versions of configurations for each device. You might want to establish one configuration to use during work hours and another for use after work hours. Many situations require the use of multiple configurations.
For alarm reporting, the Director for UNIX provides a GUI to view real-time alarms as they are generated by IDS sensors on an HP OpenView submap. (For instructions on installing the Director for UNIX, see Chapter 15.)
Director Platform Feature Comparison
CSPM and the Director for UNIX differ in many ways other than just the operating system on which they run. Table 4-2 shows a feature comparison of the two Director platforms.
Table 4-2 Director Platform Feature Comparison
Director for UNIX
1 through 5
Generate SNMP traps
Both Director platforms display the alarms generated by the sensors. Alarm severity in CSPM has three possible levels: Low, Medium, or High. With the Cisco Secure IDS Director for UNIX, alarm severity is a number between 1 and 5. A severity 1 alarm represents the lowest severity, whereas a severity 5 alarm represents the most severe alarm.
When you deploy multiple sensors on your network, you probably want to manage their configurations from your Director platform. With CSPM, you create signature templates for your sensors. These signature templates can be shared between sensors. Furthermore, if you change a template, it is automatically applied to all sensors referencing it. The Cisco Secure IDS Director for UNIX also enables you to save multiple complete configuration versions for the sensors that can be applied as needed through nrConfigure. (For more information on nrConfigure, see Chapter 16, "The Configuration Management Utility (nrConfigure).")
Each Director platform needs to save the alarms generated by your sensors. The logged alarms in CSPM are saved in a database and as text files in the Director for UNIX.
The Cisco Secure IDS Director for UNIX supports two final features that CSPM does not support:
- Configuration versioning
- Generating SNMP traps for alarms
Configuration versioning tracks multiple versions of each sensor configuration. Every time you change a configuration, the current configuration is saved as a previous version. Therefore, if necessary, you can easily roll back to any of these saved configuration versions. When the Cisco Secure IDS Director for UNIX receives alarms, it can also generate SNMP