ASK THE EXPERT- MANAGEMENT FOR IDS AND FIREWALLS

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Management for IDS and Firewalls with Cisco expert Nadeem Khawaja. Nadeem supports Security related products, including Cisco Secure PIX Firewall, Cisco IOS Firewall, Cisco Secure Access Control Server UNIX & Windows NT and Cisco Secure Intrusion Detection System. He is a computer graduate and is a double CCIE in Routing & Switching and in Security. Feel free to post any questions relating to Management for IDS and Firewalls. Remember to use the rating system to let Nadeem know if you've received an adequate response.


Nadeem might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 1. Visit this forum often to view responses to your questions and the questions of other community members.


49 Replies

mike-greene
Level 4

Hi Nadeem,

How do I go about installing RSA keys for local SSH access on my failover 525s? I am familiar with the RSA commands, but do I need to configure SSH on the primary, then fail them over and configure SSH on the secondary? Since the keys are in flash, will the primary sync them with the standby?

Thanks in advance...

Hi Mike,

Thanks for the question. The RSA keys will not be synced with the secondary. You need to generate RSA keys for each PIX separately. Either you console into each PIX one by one and generate the keys or do the failover procedure as you mentioned above.

Best Regards,

Nadeem Khawaja

CCIE # 9069

CCIE R/S & Security

Cisco Systems, Inc.

jmprats
Level 4

Hello Nadeem,

What syslog message do I have to enable to view who connects or tries to connect (errors) to my PIX to manage it?

And how can I view the timestamp in the logging buffer?

Thanks

Hi,

Thanks for your question. For the telnet/SSH access to PIX, you need to configure logging level to debug.

Below is sample output for a successful and an unsuccessful telnet access to the PIX. Here you can see that the TCP access request message (the initial telnet access request to the PIX) has a message number of 710001. This number corresponds to the SYSLOG level: 7xxxxx is debug level.

As an alternative you can also configure AAA Accounting.

pixfirewall(config)# 710001: TCP access requested from 10.21.113.130/1347 to inside:172.16.171.39/telnet

710002: TCP access permitted from 10.21.113.130/1347 to inside:172.16.171.39/telnet

605005: Login permitted from 10.21.113.130/1347 to inside:172.16.171.39/telnet for user ""

611103: User logged out: Uname: enable_1

710001: TCP access requested from 10.21.113.130/1349 to inside:172.16.171.39/telnet

710002: TCP access permitted from 10.21.113.130/1349 to inside:172.16.171.39/telnet

605004: Login denied from 10.21.113.130/1349 to inside:172.16.171.39/telnet foruser ""

611103: User logged out: Uname: enable_1

For getting a timestamp in the buffer, there is no option available at the moment. In order to get a timestamp on the Syslog server, you can use the command "logging timestamp".

Hope this answers your question.

Thanks

Nadeem Khawaja
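The thread above explains that the 710001/710002 access messages are debug level (7xxxxx), while 605004/605005 report the login result, and that "logging timestamp" only prefixes a timestamp on messages sent to a syslog server. The following is an added example, not code from this thread or from Cisco: a small Python parser that reads lines constructed to mirror the ones quoted above, derives the severity from the first digit of the message id, extracts the login permitted/denied records (tolerating the run-together "foruser" seen in the quoted output), and counts repeated denials per source address, which is the detection a defender would want from this logging. The timestamped "%PIX-<level>-<id>:" layout in the sample is an assumption about what a syslog server receives after "logging timestamp" is enabled.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the lines quoted in the thread (not captured
# from a real device). The timestamped "%PIX-<level>-<id>" form is assumed to be
# what a syslog server sees after "logging timestamp" is configured.
SAMPLE_LOG = """\
pixfirewall(config)# 710001: TCP access requested from 10.21.113.130/1347 to inside:172.16.171.39/telnet
710002: TCP access permitted from 10.21.113.130/1347 to inside:172.16.171.39/telnet
605005: Login permitted from 10.21.113.130/1347 to inside:172.16.171.39/telnet for user ""
611103: User logged out: Uname: enable_1
710001: TCP access requested from 10.21.113.130/1349 to inside:172.16.171.39/telnet
710002: TCP access permitted from 10.21.113.130/1349 to inside:172.16.171.39/telnet
605004: Login denied from 10.21.113.130/1349 to inside:172.16.171.39/telnet foruser ""
611103: User logged out: Uname: enable_1
Jul 30 2003 10:15:02: %PIX-6-605004: Login denied from 192.0.2.77/2201 to inside:172.16.171.39/ssh for user "admin"
Jul 30 2003 10:15:09: %PIX-6-605004: Login denied from 192.0.2.77/2202 to inside:172.16.171.39/ssh for user "admin"
Jul 30 2003 10:15:15: %PIX-6-605004: Login denied from 192.0.2.77/2203 to inside:172.16.171.39/ssh for user "admin"
"""

# Optional console prompt, optional timestamp, optional %PIX-<level>- tag,
# then the six-digit message id and the message body.
LINE_RE = re.compile(
    r"^(?:\S+\(config\)# )?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"(?:%PIX-\d-)?(?P<id>\d{6}): (?P<text>.*)$"
)

# Body of 605004/605005. "for\s*user" also accepts the run-together "foruser"
# that appears in the quoted output.
LOGIN_RE = re.compile(
    r"Login (?P<result>permitted|denied) from (?P<src>\d+(?:\.\d+){3})/\d+ "
    r'to (?P<dst>\S+?)/(?P<svc>\w+) for\s*user "(?P<user>[^"]*)"'
)


@dataclass
class Event:
    msg_id: str
    level: int                 # first digit of the PIX message id; 7 = debugging
    text: str
    timestamp: Optional[str] = None   # only present when "logging timestamp" is on


def parse_line(line: str) -> Optional[Event]:
    """Parse one PIX syslog line; returns None for lines that are not PIX messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["id"], int(m["id"][0]), m["text"], m["ts"])


def parse_log(raw: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in raw.splitlines()) if e]


def logins(events: List[Event]) -> List[dict]:
    """Extract the management-login records (605004 denied, 605005 permitted)."""
    out = []
    for e in events:
        if e.msg_id in ("605004", "605005"):
            m = LOGIN_RE.match(e.text)
            if m:
                out.append({**m.groupdict(), "timestamp": e.timestamp})
    return out


def denied_by_source(events: List[Event], threshold: int = 3) -> Dict[str, int]:
    """Source addresses with at least `threshold` denied management logins."""
    counts = Counter(l["src"] for l in logins(events) if l["result"] == "denied")
    return {src: n for src, n in counts.items() if n >= threshold}


def highest_level(events: List[Event]) -> int:
    """The logging level the PIX must be set to for every event here to be emitted."""
    return max(e.level for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} messages, need logging level {highest_level(evs)} to see them all")
    for rec in logins(evs):
        print(rec)
    print("repeated denials:", denied_by_source(evs))
```

The severity digit is what ties back to Nadeem's point: if the PIX is logging at level 6, the 605004/605005 login records still arrive, but the 710001/710002 access requests (level 7) are never sent, so a parser that keys on them will see nothing.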

dengqi
Level 1

Hi Nadeem,

I'm currently working on a project to deploy IDSM in a campus. We have around 10 IDSMs and thus we use VMS to manage and monitor IDSM and use Cisco Threat Response to try to reduce the false alarms. I know that CTR is able to filter the alarms from IDSM, but how about alarms displayed in VMS Security Monitor? For example, if CTR downgrades an alarm from IDSM to a lower level, will this alarm also be displayed at a lower level in VMS Security Monitor? How do CTR and VMS work together so that the false alarms will be reduced on my VMS Security Monitor console?

Thanks and Regards

Deng Qi

Hi Deng,

Thanks for your question.

IDSM is sending alarms to two separate destinations:

1-VMS (Security Monitor)

2-CTR

CTR is only filtering out alarms and/or downgrading them to be displayed ONLY in CTR. The actual alarm level still remains the same on IDSM and hence VMS Security Monitor will see it as it is.

With the next release of VMS, CTR will be integrated with VMS to help avoid false alarms.

Hope this answers your question.

Thanks,

Nadeem Khawaja

Hi Nadeem,

Thanks for your information. Another thing is how about SIMS? Will CTR be able to work with SIMS now or in the future? In fact we have VMS, CTR and SIMS now for the current IDSM project. But I'm quite confused about the positioning of these three software products. Can you help to explain Cisco's positioning of these three products and how we can integrate them together currently and in the future?

Thanks and Regards

Deng Qi

Hi Nadeem,

Another question is: does Cisco Security Agent support the FreeBSD 4.2 platform? There is no explicit mention of whether FreeBSD is supported on the CCO website.

Thanks and Regards

Deng Qi

Hi Deng,

CSA agent support for the FreeBSD platform is not available as of yet.

Thanks

Nadeem Khawaja

Hi Deng,

At this moment all these software products are separate. SIMS is nothing more than a sophisticated SYSLOG server that has the capability of getting SYSLOG messages from various devices. I don't think SIMS will be integrated with the VMS product. It can only be CTR.

Thanks,

Nadeem Khawaja

Hi Deng,

My take on your scenario is as follows:

VMS (IDS-MC) is used for configuration management; CTR collects the events from the Sensor and can forward SNMP into SIMS for aggregation and correlation.

CTR will be integrated into SecMon but it is not there today.

You can send events to both SecMon and CTR but that is just doubling the traffic. What you are really waiting for is outbound RDEP in CTR so it can send onto SecMon.

mcklair
Level 1

Hi Nadeem,

I've installed CSPM 3.1 to manage my PIX. However, I'm having a problem generating reports for Detailed Network Traffic, Most Accessed Website, Most FTP Site, etc. It keeps giving me this error:

PIX: Detailed audit event records for network service events are not available for the selected device. Verify that the event disposition settings are set to log, or log and notify, for events under the Service Statistics category in the Configure Logging and Notifications panel and that the device-specific log settings for this device are not set to generate debug-level syslog messages.

PIX: Audit event records do not exist for the specified time range. Either no audit events occurred within this time range, you have specified an invalid time range, or Cisco Secure Policy Manager was not operational during this time range. Verify the Start Time and/or End Time values specified for this report and contact your system administrator to determine whether Cisco Secure Policy Manager was operational during this time range.

By default, the settings for event disposition are already set to log when CSPM is installed. I've also set the PIX to send debug level syslog to the CSPM. Although I can see that my CSPM server has received the syslog, somehow my CSPM just cannot capture any audit events from the syslog. Is there a directory that stores the PIX syslog, and is there a setting that will direct the CSPM to point to that directory for audit event capturing?

Appreciate your help.

Thanks

Mcklair

Hi Mcklair,

Thanks for your question. These reporting errors have always been an issue. At this time what seems to be the problem is that the CSPM Syslog parser is not able to recognize the Syslog messages being sent by the PIX.

There is a problem with PIX 6.2 or later codes.

Are you using PIX 6.2 or newer code?

Unfortunately CSPM SYSLOG doesn't support PIXes that are running 6.2.2. In 6.2 they changed the syslog messaging for URL information and FTP, which is what is used to generate the reports that you are trying to get. Right now even 3.1 doesn't support 6.2 syslogs.

In order for this to work you would have to consider downgrading your PIX to a version that is supported.

Thanks

Nadeem Khawaja

Hi Nadeem,

Thanks for the update. Just a quick check: is Cisco working on any patches or PIX OS upgrade to solve this syslog issue?

Thanks

Mcklair
