cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
329
Views
5
Helpful
2
Replies

IDSM2 ONLY management options

msmitha
Level 1
Level 1

We are getting a few IDSM2 blades which would be managed by the security group while the 6500s themselves are managed by the network group. How can we configure the system so that the security group gets all the privileges for managing the IDSM2 while not enough privileges to change switch config? Similarly, the network group has all privileges but for managing the IDSM2. I'm sure there are other organizations which would've faced a similar issue.

I'm told that we can have an appropriate privilege level (enable level) for the security group who manage the IDSM2. This way, they can telnet to the switch, gain enable privileges but not have enough permisssions to modify switch config. It would be helpful if someone can provide a few tips or pointers in the right direction.

1 Accepted Solution

Accepted Solutions

marcabal
Cisco Employee
Cisco Employee

There are 2 primary sets of configuration that must be dealt with when configuring the IDSM2.

1) The switch configuration. The portion of the switch configuration that involves the IDSM2 is:

a) configuring the vlan for the command and control port for the IDSM2

b) configuring the vlans being trunked on the IDSM2 monitoring ports

c) configuring either span or VACL capture to send packets to the IDSM2

d) configuring the time on the switch (byt default the IDSM2 will sync it's time to the switch, but the IDSM2 can also be configured to sync to an NTP server instead)

e) automatic configuration of VACLs by NAC (NetworkAccessController) - this is optional and would actually be configuration of the switch combing from a process on the IDSM2

a,b,c, and d can often be done by the network group. These configurations are often static and do not require day to day changes.

e is optional, and would actually be done directly from the IDSM2

2) The IDSM2 configuration. The IDSM2 configuration is pretty much the same as on standalone appliances. You configure severity actions etc... in the IDSM2 configuration.

The network team rarely ever needs to modify any of the configuration directly on the IDSM2.

Besides the configurations the only other things would be switch commands that control the card.

- Reset, power down etc.. - these are done rarely (resets can be done from the IDSM2 or the switch cli)

- session to the IDSM2 - usually only required for first initialization of the card, after initialization the user can ssh directly to the IDSM2 cli and not have to go through the switch cli (Note: sessioning to the IDSM2 requires a username and password configured directly on the IDSM2 unrelated to any usernames and passwords on the switch)

- Re-imaging of the IDSM2 in case of disaster recovery - standard upgrades are done directly in the IDSM2 cli, but in the case of disaster recovery the IDSM2 must be booted to a maintenance partition by a switch cli commmand - so disaster recovery requires access to the switch cli.

Given the separation of the day to day configuration changes in the switch and IDSM2 configurations many groups elect to simply only allow the network group to have access to the switch cli, and the security group only has access to the IDSM2 cli.

FOr initialization of the IDSM2 configuration and for setting up the switch configuration specific to the IDSM2 the 2 teams simply work together for a day or two to get it all up and running.

Once the IDSM2 is up and running, then it is very infrequent that the security team needs direct access to the switch.

The other alternative is to only allow the security team access to the IDSM2 cli, and then use tacacs+ on the switch to limit the commands available to the security team on the switch cli.

I believe that can use the authentication, and authorization capabilities built into TACACS+ to accomplish this. I have never done it, and am not sure how easy it would be to setup.

For more information on authorization by switch command you can refer to:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/confg_gd/authent.htm#1021706

If you do this, then the security team needs the authorization to do the items I mentioned above.

View solution in original post

2 Replies 2

marcabal
Cisco Employee
Cisco Employee

There are 2 primary sets of configuration that must be dealt with when configuring the IDSM2.

1) The switch configuration. The portion of the switch configuration that involves the IDSM2 is:

a) configuring the vlan for the command and control port for the IDSM2

b) configuring the vlans being trunked on the IDSM2 monitoring ports

c) configuring either span or VACL capture to send packets to the IDSM2

d) configuring the time on the switch (byt default the IDSM2 will sync it's time to the switch, but the IDSM2 can also be configured to sync to an NTP server instead)

e) automatic configuration of VACLs by NAC (NetworkAccessController) - this is optional and would actually be configuration of the switch combing from a process on the IDSM2

a,b,c, and d can often be done by the network group. These configurations are often static and do not require day to day changes.

e is optional, and would actually be done directly from the IDSM2

2) The IDSM2 configuration. The IDSM2 configuration is pretty much the same as on standalone appliances. You configure severity actions etc... in the IDSM2 configuration.

The network team rarely ever needs to modify any of the configuration directly on the IDSM2.

Besides the configurations the only other things would be switch commands that control the card.

- Reset, power down etc.. - these are done rarely (resets can be done from the IDSM2 or the switch cli)

- session to the IDSM2 - usually only required for first initialization of the card, after initialization the user can ssh directly to the IDSM2 cli and not have to go through the switch cli (Note: sessioning to the IDSM2 requires a username and password configured directly on the IDSM2 unrelated to any usernames and passwords on the switch)

- Re-imaging of the IDSM2 in case of disaster recovery - standard upgrades are done directly in the IDSM2 cli, but in the case of disaster recovery the IDSM2 must be booted to a maintenance partition by a switch cli commmand - so disaster recovery requires access to the switch cli.

Given the separation of the day to day configuration changes in the switch and IDSM2 configurations many groups elect to simply only allow the network group to have access to the switch cli, and the security group only has access to the IDSM2 cli.

FOr initialization of the IDSM2 configuration and for setting up the switch configuration specific to the IDSM2 the 2 teams simply work together for a day or two to get it all up and running.

Once the IDSM2 is up and running, then it is very infrequent that the security team needs direct access to the switch.

The other alternative is to only allow the security team access to the IDSM2 cli, and then use tacacs+ on the switch to limit the commands available to the security team on the switch cli.

I believe that can use the authentication, and authorization capabilities built into TACACS+ to accomplish this. I have never done it, and am not sure how easy it would be to setup.

For more information on authorization by switch command you can refer to:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/confg_gd/authent.htm#1021706

If you do this, then the security team needs the authorization to do the items I mentioned above.

Excellent! Thanks for giving me just the right info I was looking for.