Chapter 20. IPS Management Using ASDM


Accessing the IPS Device Management Console from ASDM

ASDM is loaded from Cisco ASA and is used to launch the IPS Device Management Console to configure, monitor, and manage the AIP-SSM. To access the AIP-SSM IPS Device Management Console, first launch ASDM and connect to Cisco ASA from your local workstation. When you first install the AIP-SSM into the Cisco ASA appliance, you must configure the initial settings using the setup command via the CLI.

Note

The initialization and initial setup of the AIP-SSM is covered in Chapter 14, "Configuring and Troubleshooting Cisco IPS Software via CLI."



You can use the setup command to configure basic settings such as the following:

The AIP-SSM hostname
IP addressing
AIP-SSM web server port
Access control lists
Time settings

After you run the setup command and set up these parameters, you can connect to the AIP-SSM via ASDM.



To configure the AIP-SSM, launch ASDM and click the IPS icon under the Configuration section, as illustrated in Figure 20-1.

Figure 20-1. Accessing IPS Configuration Window




After you click the IPS icon, ASDM warns you that it will make a connection to the AIP-SSM. You can choose to connect to it via the management IP address or a different address. As shown in Figure 20-2, ASDM is making a connection to 10.89.149.226, which is the management IP address of the AIP-SSM.

Figure 20-2. ASDM Connecting to the AIP-SSM




You are prompted to log in to the AIP-SSM. You can use the default user (cisco) to log in and access the configuration windows.

The following sections demonstrate how SecureMe's IPS administrator at the Los Angeles, California branch configures an AIP-SSM on a Cisco ASA 5520. Figure 20-3 shows a high-level overview of the network topology at the Los Angeles branch.

Figure 20-3. SecureMe Los Angeles Branch



The AIP-SSM management interface is configured with the IP address 10.89.149.226. A management station (10.89.149.163) from which ASDM is launched is located in the same subnet.



Configuring Basic AIP-SSM Settings

This section demonstrates how SecureMe's IPS administrator uses ASDM to configure basic settings on the AIP-SSM.



Licensing

When SecureMe's IPS administrator first launches ASDM, he discovers that the system does not have a valid license. To correct this problem, the administrator chooses Cisco Connection Online to obtain the license directly from Cisco.com, as shown in Figure 20-4.

Figure 20-4. Licensing




ASDM sends the serial number to Cisco over an HTTP connection to obtain the license key. The license key is displayed after it is retrieved.

Optionally, the IPS administrator can also upload the license information from a file stored on his local workstation.



Verifying Network Settings

The IPS administrator is informed that a new router is installed in the management subnet. The AIP-SSM gateway information needs to be updated with the router's IP address (10.89.149.254). Figure 20-5 shows how to add the new IP address under the ASDM network settings.

Figure 20-5. AIP-SSM Network Settings




The administrator notices that Telnet access is enabled on the AIP-SSM. He proceeds to disable it, because only SSH and ASDM access is required by SecureMe's security policy. Under the network settings, you can modify any of the following options:

Hostname of the AIP-SSM.
IP address of the management interface on the AIP-SSM (the default IP address is 10.1.9.201).
Network mask.
Default gateway address (the default is 10.1.9.1).
The FTP timeout when an FTP client communicates with the AIP-SSM (default is 300 seconds).
The AIP-SSM web server security level and port. It is strongly recommended that you enable TLS/SSL.
Whether Telnet access is enabled or disabled. It is not enabled by default, because it is not a secure method.



Adding Allowed Hosts

The IPS administrator wants to connect to the IPS from his home workstation when connecting using the Cisco VPN client. He connects to a cluster of Cisco ASA appliances in Chicago to gain access to the private networks. These appliances are configured to always assign his VPN client a static IP address (192.168.75.34). Consequently, he adds this IP address in the Allowed Hosts section on ASDM, as shown in Figure 20-6.

Figure 20-6. Allowed Hosts Section




After navigating to the Allowed Hosts option under the Sensor Setup section, the IPS administrator clicks Add and adds the 192.168.75.34 IP address with a 32-bit subnet mask (255.255.255.255).



Configuring NTP

It is recommended that you use an NTP server as the AIP-SSM time source. The IPS administrator in Los Angeles installed a new NTP server (10.89.149.207) on the management network. He configures the NTP server parameters by choosing Configuration > Features > IPS > Sensor Setup > Time, as shown in Figure 20-7.

Figure 20-7. NTP Configuration




The IPS administrator adds the IP address of the NTP server (10.89.149.207). He also enters the NTP MD5 key (cisco123) and key ID (1) for NTP authentication. The NTP server uses the associated key when transferring data to the AIP-SSM.
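
The settings reviewed in the Verifying Network Settings, Adding Allowed Hosts and Configuring NTP sections can be checked together as a small audit. The Python below is an added example, not part of the book or of any Cisco tool; the dictionary layout, the function names and the 10.89.149.0/255.255.255.0 management-subnet entry are assumptions made for illustration.

```python
import ipaddress

# Factory defaults quoted in the network-settings list above.
FACTORY_DEFAULTS = {"host_ip": "10.1.9.201", "gateway": "10.1.9.1"}

# Constructed snapshot of the Los Angeles sensor before the Telnet change.
# The dict layout is hypothetical, not an ASDM or AIP-SSM export format, and
# the 10.89.149.0/255.255.255.0 management entry is an assumed value.
BEFORE = {
    "host_ip": "10.89.149.226",
    "gateway": "10.89.149.254",
    "telnet_enabled": True,
    "tls_enabled": True,
    "allowed_hosts": [("10.89.149.0", "255.255.255.0"),
                      ("192.168.75.34", "255.255.255.255")],
    "ntp": {"server": "10.89.149.207", "key_id": 1, "key_set": True},
}
AFTER = dict(BEFORE, telnet_enabled=False)

def allowed(src, entries):
    """True if src matches any (address, dotted mask) allowed-hosts entry."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(f"{a}/{m}", strict=False)
               for a, m in entries)

def audit(cfg, max_addresses=256):
    """Return findings for the settings this chapter reviews."""
    findings = []
    if cfg["telnet_enabled"]:
        findings.append("telnet enabled")
    if not cfg["tls_enabled"]:
        findings.append("web server without TLS/SSL")
    for key, default in FACTORY_DEFAULTS.items():
        if cfg[key] == default:
            findings.append(f"{key} still at factory default {default}")
    for addr, mask in cfg["allowed_hosts"]:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net.num_addresses > max_addresses:
            findings.append(f"allowed-hosts entry {net} exceeds {max_addresses} addresses")
    ntp = cfg.get("ntp")
    if not ntp:
        findings.append("no NTP server configured")
    elif ntp.get("key_id") is None or not ntp.get("key_set"):
        findings.append("NTP server without an authentication key")
    return findings

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

The 255.255.255.255 mask admits only the VPN-assigned address 192.168.75.34; a neighbouring address such as 192.168.75.35 is rejected by `allowed`.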



Adding Users

Four different types of users can be configured in the AIP-SSM:

Viewers
Operators
Administrators
Service

Note

The definition of each account type is discussed in Chapter 14.



In the following scenario, the IPS administrator needs to create the service account to be able to enter into the AIP-SSM service mode.

Note

The service user cannot log in to ASDM. This user is only used to log in to the AIP-SSM service mode (bash shell) for administrative purposes. The service account should only be used for troubleshooting purposes with the assistance of the Cisco Technical Assistance Center (TAC).

The service account is added as illustrated in Figure 20-8.

Figure 20-8. Adding Users




The security administrator navigates to Configuration > Features > IPS > Sensor Setup > Users and clicks the Add button. He enters service as the username and selects Service from the User Role drop-down menu. The corresponding password is also entered and confirmed, as shown in Figure 20-8.


