Chapter 14. Configuring and Troubleshooting Cisco IPS Software via CLI


Cisco IPS Software Architecture

The Cisco IPS 5.x software was built based on its predecessor, CIDS 4.x. The architecture is similar to the 4.x software, but with several enhancements. This section provides a complete overview of the CIPS 5.x architecture while highlighting some of these differences.

One of the major differences of CIPS 5.x is that it uses the Security Device Event Exchange (SDEE) protocol instead of the Remote Data Exchange Protocol (RDEP) used in version 4.x. SDEE is a standardized IPS communication protocol developed by Cisco for the IDS Consortium at the International Computer Security Association (ICSA). Remote applications such as Adaptive Security Device Manager (ASDM), IPS Device Manager (IDM), Intrusion Prevention System Management Console (IPS MC), and Cisco Security Monitoring, Analysis and Response System (CS-MARS) can retrieve events from the sensor through this protocol.

Note

ASDM/IDM IPS configuration and troubleshooting is covered in Chapter 19, "Firewall Management Using ASDM."

Cisco IDS Event Viewer (IEV) does not support 5.x events; however, it can still accept 4.x events. SDEE is not backward compatible with RDEP.

Another difference of CIPS 5.x over 4.x is its ability to run IPS operations in inline mode.

The major components of CIPS 5.x software include the following:

MainApp
SensorApp
Network Access Controller (NAC)
AuthenticationApp
cipsWebserver
LogApp
EventStore
Transactional Services for Security Device Event Exchange (SDEE)
CLI

Figure 14-1 illustrates the main components of CIPS 5.x in correlation with the AIP-SSM.

Figure 14-1. CIPS 5.x Architecture Overview



MainApp

MainApp is responsible for several critical tasks in the AIP-SSM (as well as all other platforms that support CIPS 5.x software). These tasks include:

Initializing all CIPS components and applications
Scheduling, downloading, and installing software updates
Configuring communication parameters
Managing the system clock
Gathering system statistics and software version information
Cleanly shutting down/restarting all CIPS services

MainApp is initialized by the CIPS operating system and starts the CIPS applications in the following sequence:

1. Reads and validates dynamic and static configurations.
2. Synchronizes dynamic configuration data to system files.
3. Creates EventStore and the Intrusion Detection Application Programming Interface (IDAPI) shared components.
4. Initializes the status event subsystem.
5. Launches IPS applications as stated in the static configuration.
6. Waits until an initialization status event from each application is sent.
7. Generates an error event identifying all applications that did not start, if all status events are not received within 60 seconds.
8. Listens for control transaction requests and processes them accordingly.

MainApp controls the CIPS software installation and upgrades. It also controls network communication parameters such as:

AIP-SSM hostname
IP addressing and default gateway configuration for the AIP-SSM command and control interface
Network access control list

MainApp manages the system clock (whether NTP is configured or not) and collects system statistics.



SensorApp

SensorApp is the application that is responsible for the analysis of network traffic, examining it for any malicious content. The packets flow through it from the Gigabit Ethernet network interface on the AIP-SSM, which is directly connected to the Cisco ASA's backplane.

If the Cisco ASA AIP-SSM configuration is set for promiscuous mode, the packets are discarded after processing by SensorApp. If configured for inline operation, the packets will either be forwarded back to the Cisco ASA or dropped according to the defined policy.

SensorApp has two modules crucial for the operation of the AIP-SSM or any other device running CIPS 5.x:

Analysis Engine Configuration Module (Virtual Sensor)
Alarm Channel Module (Virtual Alarm)

The Virtual Sensor is the Analysis Engine Configuration Module, which handles the AIP-SSM configuration. This module interprets the configuration and maps it into internal configuration objects. Figure 14-2 illustrates both of these modules.

Figure 14-2. SensorApp Virtual Sensor and Virtual Alarm

In CIPS 5.x, a new protocol is introduced called the Intrusion Detection Configuration (IDCONF) protocol. This framework provides clean, consistent, and accurate signature definitions. It replaces the old IDIOM framework used in previous versions. It supports multiple layers of parameters to ensure that a signature is defined in terms that are understandable and valid for the inspection engines. The Virtual Alarm is the alarm channel module, which is responsible for processing all signature events generated by the traffic inspector engine. The primary function of the Alarm Channel Module is to generate alarms for each event as it is passed. Event or alarm filters may be configured and will be processed by the alarm channel module, as illustrated in Figure 14-2.



Network Access Controller

NAC is the application that is responsible for communicating with the Cisco ASA or any other supported device while shunning (blocking) connections if the AIP-SSM is configured in promiscuous mode.

Note

Do not confuse this application with the Cisco Network Admission Control industry-wide initiative sponsored by Cisco to enforce endpoint security policy compliance to mitigate damage from viruses and worms.

One of the functions of CIPS NAC is to forward shunning information to other IPS devices on the network to collectively control network access devices. IPS sensing devices that perform this operation are referred to as master blocking sensors.



AuthenticationApp

AuthenticationApp, as its name suggests, is the process that controls user authentication on the AIP-SSM or any other device running Cisco IPS 5.x software. Additionally, it administers all the user accounts, privileges, Secure Shell (SSH) keys, and digital certificates, while also controlling what authentication method is used.

AuthenticationApp controls authentication when the user connects via Telnet, SSH, a session through the ASA, ASDM, IDM, or IDS MC. This is illustrated in Figure 14-3.

Figure 14-3. AuthenticationApp Architecture



cipsWebserver

The CIPS web server (cipsWebserver) within the AIP-SSM provides configuration support for IDM and provides support for SDEE transactions such as:

Reporting security events
Receiving IDCONF transactions
Processing IP logs

ASDM is hosted and controlled by the Cisco ASA; however, it launches IDM, which uses SDEE to communicate with the AIP-SSM, hosted by the CIPS web server. The CIPS web server supports HTTP 1.0 and 1.1 running Secure Sockets Layer (SSL)/Transport Layer Security (TLS).



LogApp

The AIP-SSM logs alert, error, status, and debug messages as well as IP logs. These messages and IP logs are accessible through the CLI and SDEE clients such as IDM, IDS MC, CiscoWorks Security Monitor, and CS-MARS. LogApp sends log messages with the following five levels of severity:

Debug
Timing
Warning
Error
Fatal

These messages are written to the following file on the AIP-SSM module: /usr/cids/idsRoot/log/main.log.

Note

To access this file, you must be logged in with the service account. Instructions on how to create the service account are discussed later in this chapter, in the "User Administration" section. These messages are mostly used by Cisco TAC engineers for troubleshooting purposes.

Example 14-1 shows a sample of the information stored in main.log.

Example 14-1. The main.log File

-bash-2.05b$ more main.log
01 Feb 2005 20:44:49.643 0.001 cidwebserver[447] Cid/E errTranspo
sessionTask(10) TLS connection exception: handshake incompl
01 Feb 2005 20:45:09.646 20.003 cidwebserver[4548] tls/W errWarni
fatal alert: certificate_unknown
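The following is an added Python example, not code from the book or from Cisco: a small parser for main.log records in the layout shown in Example 14-1 that folds wrapped lines into the preceding record and counts the TLS warnings and errors (such as the certificate_unknown alert above) that point at management-channel trust problems. The field layout, the one-letter level codes, and the sample lines are assumptions inferred from Example 14-1, and the sample is constructed.

```python
import re
from collections import Counter
from datetime import datetime
# Level letter -> severity name; an assumption inferred from "Cid/E" and "tls/W" in Example 14-1.
SEVERITY = {"D": "Debug", "T": "Timing", "W": "Warning", "E": "Error", "F": "Fatal"}

# Record header layout, also inferred from Example 14-1:
# <date> <time.ms> <elapsed> <process>[<pid>] <component>/<level> <code> [message]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [\d.]+ "
    r"(?P<process>\w+)\[(?P<pid>\d+)\] (?P<component>\w+)/(?P<level>[DTWEF]) "
    r"(?P<code>\S+)(?: (?P<message>.*))?$"
)

def parse_line(line):
    """Parse one record header; return None for a wrapped continuation line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S.%f"),
        "process": m["process"], "pid": int(m["pid"]),
        "component": m["component"], "level": SEVERITY[m["level"]],
        "code": m["code"], "message": m["message"] or "",
    }

def parse_log(text):
    """Parse a main.log dump, folding wrapped lines into the preceding record."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
        elif line and entries:  # wrapped text belongs to the previous record
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries

def tls_problems(entries):
    """Count Warning/Error/Fatal records that mention TLS, keyed by severity."""
    return Counter(e["level"] for e in entries
                   if e["level"] in ("Warning", "Error", "Fatal")
                   and "tls" in (e["component"] + " " + e["message"]).lower())

# Constructed sample in the layout of Example 14-1; not a real sensor capture.
SAMPLE_LOG = """\
01 Feb 2005 20:44:49.643 0.001 cidwebserver[447] Cid/E errTLS
sessionTask(10) TLS connection exception: handshake failed
01 Feb 2005 20:45:09.646 20.003 cidwebserver[4548] tls/W errAlert
fatal alert: certificate_unknown
01 Feb 2005 20:45:10.100 0.454 mainApp[312] Main/D dbgStatus all applications started
"""
```

Running `tls_problems(parse_log(SAMPLE_LOG))` on the constructed sample yields one Error and one Warning; the Debug record from mainApp is ignored.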



EventStore

All IPS events are stored in the EventStore with a timestamp and a unique ascending identifier. Additionally, CIPS internal applications write log, status, and error events into the EventStore.

Note

IPS alerts are only written by the SensorApp application.

The EventStore is designed to store CIPS events in a circular fashion. In other words, when it reaches the configured size, the oldest events are overwritten by new events and log messages.

Note

In CIPS 5.x code, the EventStore is reduced to 30 MB from 4 GB in earlier code.
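The circular behaviour described above, as an added Python model that is not the sensor's code: events receive unique ascending IDs, the oldest are evicted once the configured byte budget is reached, and a reader that polls by last-seen ID can tell how many events it has already lost to overwriting. The byte budget, the event tuple layout, and the demo events are constructed for illustration.

```python
from collections import deque

class EventStore:
    """Byte-bounded circular event store modelled on the CIPS EventStore:
    every event gets a unique ascending ID and, once the configured size
    is reached, the oldest events are overwritten by new ones."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.used = 0
        self.next_id = 1
        self._events = deque()  # (event_id, source, payload), oldest first

    def write(self, source, payload):
        """Store one event, evicting the oldest entries until it fits."""
        size = len(payload.encode())
        if size > self.max_bytes:
            raise ValueError("event larger than the whole store")
        while self._events and self.used + size > self.max_bytes:
            _, _, old = self._events.popleft()  # oldest event is overwritten
            self.used -= len(old.encode())
        event_id, self.next_id = self.next_id, self.next_id + 1
        self._events.append((event_id, source, payload))
        self.used += size
        return event_id

    def oldest_id(self):
        return self._events[0][0] if self._events else None

    def read_since(self, last_seen):
        """Return (events with ID > last_seen, number of events already
        overwritten). A collector that polls slower than the store fills
        loses events silently unless it checks the second value."""
        events = [e for e in self._events if e[0] > last_seen]
        oldest = self.oldest_id()
        lost = oldest - last_seen - 1 if oldest and oldest > last_seen + 1 else 0
        return events, lost

if __name__ == "__main__":
    # Constructed demo: a 60-byte store receiving four 20-byte events.
    store = EventStore(60)
    for src, body in [("sensorApp", "A" * 20), ("sensorApp", "B" * 20),
                      ("mainApp", "C" * 20), ("sensorApp", "D" * 20)]:
        store.write(src, body)
    events, lost = store.read_since(0)
    print([e[0] for e in events], "events retained;", lost, "lost to overwrite")
```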



TransactionSource

SDEE and HTTP remote-control transactions are handled by an internal application called TransactionSource. It handles all TLS communications with external management servers and monitoring systems. TransactionSource performs basic authentication to remote management applications and monitoring systems. When an application attempts a remote-control transaction, IDAPI redirects the transaction to TransactionSource, as shown in Figure 14-4.

Figure 14-4. TransactionSource Functionality



Introduction to the CIPS 5.x Command-Line Interface

The CIPS 5.x CLI provides a user interface for all direct connections to the AIP-SSM (e.g., Telnet, SSH, and a session from the ASA). This section covers:

How to log in to the AIP-SSM via the CLI
CLI command modes
Initial AIP-SSM configuration

Logging In to the AIP-SSM via the CLI

You can connect to the AIP-SSM CLI via the ASA backplane using the session command, or by initiating an SSH or Telnet connection via the external management Ethernet port.

Note

The Cisco ASA session command is covered in detail in Chapter 13, "Intrusion Prevention System Integration."

The default username is cisco and the default password is cisco. The user is forced to change his password after the first login. Example 14-2 shows the user cisco successfully logging in to the AIP-SSM CLI via the ASA backplane using the session command.

Example 14-2. Logging In to the CLI

Chicago# session 1


