This chapter introduces the NetRanger Director, and includes the following sections:
This section describes the Director's hierarchical map display, and includes the following topics:
Events are sent to the Director by a Sensor that detects a security violation. The smid service on the Director interprets this event information and passes it to an application called nrdirmap. nrdirmap is responsible for displaying this information on the Director's maps.
Depending on the severity of an alarm, the Alarm icon displays different colors: red for severe, yellow for moderate, green otherwise. The icons for the application and Sensor that generate the alarm will also be the same color as the most severe alarm generated.
The Top-Level submap (also called the Root submap) is the topmost map of the map hierarchy, and is illustrated in Figure 4-1.
The Collection submap can contain icons for Sensors, Directors, other Collections, and the connections between these entities. Figure 4-2 illustrates a complex Collection submap---it contains a Director icon and other Collections.
The Director automatically generates all the icons on the submaps as events occur---however, you can manually add Collection, Machine, and Application icons. For more information on manually adding machines to the Director, refer to the "Working with Icons" section of this chapter.
Double-clicking a Machine's icon displays the Machine submap, which contains icons for all the applications running on that machine (see Figure 4-3).
Double-clicking an Application icon displays an Application submap, which contains all the Alarms generated by that Application (see Figure 4-4).
This section includes the following topics:
Alarms can be generated by NetRanger Sensors and by IOS routers running the Intrusion Detection System feature of the IOS Firewall Feature Set, also known as IOS-IDS.
When an alarm is sent to the Director, the Director's nrdirmap functionality interprets the alarm data in order to graphically present it on the user interface. Alarm icons can indicate different types of events, specifically intrusions, context attacks, or errors.
If multiple alarms of the same type (except for timestamp and sequence number) are generated, then the Director displays these alarms as a group called an Alarm Set.
A special type of alarm is the OkAlarm, which, when displayed in a submap, indicates that there are no unresolved alarms for that application.
Intrusion alarms are depicted as lightning bolts, and indicate that some type of unauthorized activity has occurred, whether a policy violation (as logged by a Cisco router), a fragmented packet header, a denial of service attack, and so on.
Intrusion Alarm Sets are depicted with three lightning bolts. Figure 4-5 illustrates both Intrusion Alarm and Alarm Set icons as well as Context Buffer Alarm and Alarm Set icons (see the following section).
Certain alarms have associated context buffers, which contain up to 256 bytes of data in both incoming and outgoing directions. These Context Buffer Alarms are depicted as a magnifying glass over a sheet of paper with writing on it. The magnifying glass is a visual reminder that you can view additional alarm information by selecting the alarm icon and clicking Show>Context Buffer on the Security menu.
Following is a partial list of signatures that trigger Context Buffer Alarms:
For more information on signatures, refer to "The NSDB and Signatures."
Context Buffer Alarm Sets are depicted as a magnifying glass over two sheets of paper with writing on them. Figure 4-5 illustrates Context Buffer Alarm and Alarm Set icons.
This section describes the types of Error Alarms, and includes the following topics:
Error Alarms are depicted as a single bomb. Error Alarm Sets are depicted as two bombs. Both Error Alarms and Alarm Sets are illustrated in Figure 4-6.
The Daemon Down Error Alarm indicates that the postofficed service has detected that a daemon or service has stopped.
After an Error Alarm occurs, you must manually delete the icon, regardless of whether postofficed is able to restart the service.
The Daemon Unstartable Error Alarm indicates that postofficed cannot restart a service that was previously down.
After an Error Alarm occurs, you must manually delete the icon, regardless of whether you are able to manually restart the service.
The Route Down Error Alarm is generated each time the postofficed service detects that a connection to another machine is down. These error alarms have a severity level of 5. This type of alarm's "optional data/alarm details" field displays the following information:
HostID.OrgID route route-number down
where HostID and OrgID indicate the Host and Organization ID of the NetRanger host involved in the Route Down Error Alarm, and route-number indicates which route failed.
A different error alarm is generated for each communication route. For example, if the route between sensor-one and sensor-two is down, then the managing Director will receive two error alarms: one indicating that sensor-one is unreachable, and another indicating that sensor-two is unreachable.
Because the postofficed service repeatedly checks to see if a machine is reachable, there is a chance that error alarm sets could consolidate. For example, if sensor-two in the above example remains unreachable, then the error alarm associated with it is displayed as a consolidated error alarm set.
Route Down Error Alarms are automatically deleted if the Director receives an indication that the route is operational.
If an Application has not generated any Alarms or Alarm Sets, then the special OkAlarm is displayed in the Application submap (see Figure 4-7). As the name of this alarm implies, it means that no alarms have been generated by the application.
In most cases, an alarm's label will be the name of the signature that matches the alarm's Signature ID. NetRanger uses the /usr/nr/etc/signatures file to determine a match. However, there are exceptions to this rule:
To start the Director, follow these steps:
Step 1 Log on as user netrangr.
Step 2 To see a status of NetRanger services, type:
nrstatus
Step 3 If no services are running, type:
nrstart
Step 4 To start the Director user interface, type:
ovw &
This section provides information on configuring important Director settings, and includes the following topics:
There are five global Map-level configuration parameters that can be set. These parameters affect the display of all NetRanger security data, such as icon consolidation into alarm sets and the mapping of alarm levels to alarm colors.
To set these global parameters, follow these steps:
Step 1 If your Director machine has HP OpenView 4.x or 5.x, click Maps>Describe/Modify on the Map menu.
If your Director machine has HP OpenView 6.x, click Properties on the Map menu.
Step 2 On the dialog box, click NetRanger/Director, and click Configure For This Map.
Step 3 Make entries to the following:
(a) Set the default lowest event severity that generates a marginal icon. For example, setting the default lowest event severity to 3 would create a marginal (yellow) icon if a level 3 alarm is generated.
(b) Set the default lowest event severity that generates a critical icon. For example, setting the default lowest event severity in this case to 4 would create a critical (red) icon if a level 4 alarm is generated.
(c) Set the default number of identical alarms before icon consolidation. For example, setting this number to 5 would create an Alarm Set when the number of identical alarms reached 5 or more.
(d) Enable or disable nrdirmap. nrdirmap should be enabled.
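The following is an added example, not code from the NetRanger product or this chapter. It models the display rules described above in plain Python: the two severity thresholds (3 and 4) and the consolidation threshold (5) are the example values from the steps, alarms that match in everything except timestamp and sequence number are collapsed into an Alarm Set, an application with no alarms gets the OkAlarm, and each parent icon takes the color of its most severe alarm. The application name "sensord", the signature IDs and the addresses are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

RANK = {"green": 0, "yellow": 1, "red": 2}  # used to pick a parent icon's colour

@dataclass(frozen=True)
class Alarm:
    """One event from a Sensor; field names follow Table 4-1."""
    application: str
    signature_id: int
    severity: int
    source_address: str
    destination_address: str
    timestamp: int  # not part of the alarm's identity
    sequence: int   # not part of the alarm's identity

def icon_color(severity, marginal_min=3, critical_min=4):
    """Map an alarm level to a colour via the two Map-level severity thresholds."""
    if severity >= critical_min:
        return "red"
    return "yellow" if severity >= marginal_min else "green"

def identity_key(alarm):
    """Alarms are identical when everything except timestamp and sequence matches."""
    return (alarm.application, alarm.signature_id, alarm.severity,
            alarm.source_address, alarm.destination_address)

def build_machine_submap(applications, alarms, consolidation_threshold=5):
    """Return (machine_colour, {app: {"color": c, "icons": [(kind, sig, count, colour)]}}).
    Identical alarms collapse into one AlarmSet once their count reaches the threshold,
    an application with no alarms gets the green OkAlarm, parents take the worst child colour."""
    groups = defaultdict(list)
    for alarm in alarms:
        groups[identity_key(alarm)].append(alarm)
    submaps = {app: {"color": "green", "icons": []} for app in applications}
    for (app, sig, sev, _src, _dst), members in groups.items():
        view = submaps.setdefault(app, {"color": "green", "icons": []})
        kind = "AlarmSet" if len(members) >= consolidation_threshold else "Alarm"
        colour = icon_color(sev)
        view["icons"].append((kind, sig, len(members), colour))
        if RANK[colour] > RANK[view["color"]]:
            view["color"] = colour
    for view in submaps.values():
        if not view["icons"]:
            view["icons"].append(("OkAlarm", None, 0, "green"))
    machine = max((v["color"] for v in submaps.values()), key=RANK.get, default="green")
    return machine, submaps

# Constructed sample: six identical level-3 alarms (-> one AlarmSet), one level-5 alarm,
# and a second application that has generated nothing (-> OkAlarm). IDs are made up.
SAMPLE_ALARMS = [Alarm("sensord", 1001, 3, "10.1.1.20", "10.1.1.5", 1000 + i, i) for i in range(6)]
SAMPLE_ALARMS.append(Alarm("sensord", 2002, 5, "10.1.1.77", "10.1.1.5", 2000, 99))
MACHINE_COLOUR, SUBMAPS = build_machine_submap(["sensord", "postofficed"], SAMPLE_ALARMS)
```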
The Network Security Database (NSDB) is an HTML-based encyclopedia of network security information (see Figure 4-8). To access this information from the Director interface, you must set your HTML browser preference.
To set your HTML browser preference, follow these steps:
Step 1 On the Director interface, click Configure on the Security menu.
Step 2 In nrConfigure, click Preferences on the File menu.
Step 3 Type the path to your HTML browser in the Browser Location field, and click OK.
To configure your color preferences, follow these steps:
Step 1 On the Director interface, click Configure on the Security menu.
Step 2 In nrConfigure, click Preferences on the File menu.
Step 3 Click the System Colors tab.
You can select from three color preferences:
This section describes the following topics:
You can use Collections to group machines into logical units. For example, if you had 25 Sensors in Los Angeles, and 35 Sensors in New York, you could create an "LA Collection" entity and an "NY Collection" entity. You could then add the NY Sensors to the NY Collection, and then add the LA Sensors to the LA Collection. This reduces the number of icons per submap, which makes locating icons and diagnosing problems faster and easier.
The Top-Level Collection on the Root submap is created by nrdirmap. This is the only Collection that can appear on the root submap. You can add other Collections on Collection submaps.
To add a Collection icon, follow these steps:
Step 1 Double-click the Collection's submap on which you want to add the new Collection.
Step 2 Click Add Object on the Edit menu.
Step 3 On the Add Object Palette, click Location. Several icons appear in the window below.
Step 4 Use the middle mouse button to drag the NR Collection icon to the Collection submap.
Step 5 On the Add Object dialog box, click NetRanger/Director on the Object Attributes list.
Step 6 Click Set Object Attributes.
Step 7 On the Add Object - Set Attributes dialog box, type the name of the Collection in the Collection Name field. This name can be any unique string (for example, "New York," "Building 162," or "10.1.1 Machines").
Step 8 Click Verify and OK.
Step 9 Click Set Selection Name.
Step 10 On the Set Selection Name dialog box, choose the selection name from the list.
Step 11 Click OK.
Step 12 On the Add Object dialog box, click OK.
To manually add a Sensor icon, follow these steps:
Step 1 From the Root submap, double-click the Collection icon to display the Collection submap.
Step 2 Click Add Object on the Edit menu.
The Add Object Palette appears.
Step 3 Click Net Device. Several icons appear in the window below.
Step 4 Use the middle mouse button to drag the Sensor icon to the Collection submap.
Step 5 On the Add Object dialog box, click NetRanger/Director on the Object Attributes list.
Step 6 Click Set Object Attributes.
Step 7 On the Add Object - Set Attributes dialog box, type the name of the Sensor in the Hostname field.
The name entered in this field must match the name contained in the /usr/nr/etc/hosts file.
Step 8 Click Verify and OK.
Step 9 Click Set Selection Name.
Step 10 On the Selection Name dialog box, choose the selection name from the list.
Step 11 Click OK.
Step 12 Click OK on the Add Object dialog box.
The first time it runs, nrdirmap automatically adds a Director icon to the Collection submap. However, it is possible to manually delete a Director icon, and you may want to manually add the Director icon back to the map at a later time. Also, if you ever change the Organization ID or Host ID of a Director, then you must delete the Director icon and add it back with the correct IDs.
To manually add a Director icon, follow these steps:
Step 1 On a Collection submap, click Add Object on the Edit menu.
Step 2 On the Add Object Palette, click Computer.
Step 3 Use the middle mouse button to drag the Director icon to the Collection submap.
Step 4 Click NetRanger/Director on the Object Attributes list.
Step 5 Click Set Object Attributes.
Step 6 After nrdirmap populates the fields, click OK.
To manually add an Application icon, follow these steps:
Step 1 Double-click the Sensor to which you want to add an application.
Step 2 Click Add Object on the Edit menu.
Step 3 On the Add Object Palette, click the NR Application icon. Several icons appear in the window below.
Step 4 Use the middle mouse button to drag the application icon to the Machine submap.
Step 5 On the Add Object dialog box, click NetRanger/Director on the Object Attributes list.
Step 6 Click Set Object Attributes.
Step 7 Click OK.
Step 8 Click Set Selection Name.
Step 9 Choose the selection name from the list.
Step 10 On the Selection Name dialog box, click OK.
Step 11 On the Add Object dialog box, click OK.
The Application icon turns green, because a green OkAlarm will be created automatically in the submap of the added Application.
To view an icon's attributes, follow these steps:
Step 1 On the Director interface, click the icon whose attributes you want to display.
Step 2 If your Director machine has HP OpenView 4.x or 5.x, click Describe/Modify Object on the Edit menu.
If your Director machine has HP OpenView 6.x, click Object Properties on the Edit menu.
Step 3 From the Object Description dialog box, click NetRanger/Director on the list of applications.
Step 4 Click View/Modify Object Attributes.
Depending on the icon type, various attributes for the selected object are displayed in a dialog box. Table 4-1 summarizes the attributes by icon type.
| Icon Type | Attribute(s) |
|---|---|
| Collection | Collection Name |
| Machine | Organization ID, Host ID, Hostname, Point of Contact |
| Application | Application Name, Minimum Marginal Status Severity, Minimum Critical Status Severity, Alarm Consolidation Threshold, Organization ID, Host ID, Application ID |
| Alarm/Alarm Set | Name, Severity, Source Port, Destination Port, Source Address, Destination Address, Router Address, Date, Is Source Address Protected, Is Destination Address Protected, Details, Signature ID, Subsignature ID, Organization ID, Host ID, Application ID, Instance ID |

Note: Attribute names in bold are user-editable.
Step 5 Click Cancel to return to the Director interface.
When you want to remove an icon (and its corresponding database object), follow these steps:
Step 1 Click the icon you want to delete.
Step 2 Click Delete>From All Submaps on the Edit menu.
Applications and Machines cannot be deleted until all of their alarms have been deleted. This rule forces the user to open the submap containing the alarms and confirm deletion of the alarms. This helps prevent a hacking attempt from going unnoticed.
Once an application or host has had all of its alarms resolved (and deleted), you are free to delete the application or machine.
Collections that have Machine icons cannot be deleted. If you have a Collection that contains many machines, and you want to delete the Collection, you must first open the Collection submap and delete all of the machines. In turn, each machine must have all of its alarms deleted beforehand. Once you have emptied the Collection submap, you can then delete the Collection.
HP OpenView's search utilities can locate icons that match certain criteria. To use the Locate function, follow these steps:
Step 1 If your Director machine has HP OpenView 4.x or 5.x, click Objects on the Locate menu.
If your Director machine has HP OpenView 6.x, click Find>Object on the Edit menu.
Step 2 Choose the type of search you want:
For example, to view the number of unresolved String Matches, you could search by Icon Type, and select the Alarm:Content icon type. To determine how many critical elements you have in your network, you could do a search by Icon Status, and then search for Critical (red) elements. Finally, to search for an alarm from a particular source IP address, you could search by Attribute, and then choose Source IP Address from the list of attributes, and then type in the source IP address you want to find.
You can use the cursor to move icons to different positions on a submap. However, if icons are added to or removed from the submap, the user interface automatically repositions all of the icons on the submap, and your manual positioning is lost.
To prevent this, it is usually best to turn automatic layout off.
To turn off automatic layout, follow these steps:
Step 1 On the Director interface, click Automatic Layout on the View menu.
Step 2 Click off for either the current submap (if you are only repositioning icons on a small number of submaps) or for all submaps (if you reposition icons frequently).
Under some circumstances, you might want to prevent an icon from appearing on a given submap, but you might not want, or be able, to delete the icon. For instance, there could be a machine in a collection that you want to ignore, but you cannot delete it because it has unresolved alarms. Instead of deleting the machine, you can hide it.
To hide an icon, follow these steps:
Step 1 Click the icon on the Director interface.
Step 2 If your Director machine has HP OpenView 4.x or 5.x, click Hide on the Edit menu.
If your Director machine has HP OpenView 6.x, click Hidden Objects>Hide from the View menu.
Choose to hide either on This Submap or on All Submaps.
You may need to stop the Director to upgrade NetRanger software, perform maintenance or troubleshooting on the Director workstation, or for other reasons.
To stop the Director, follow these steps:
Step 1 Stop the network management user interface by clicking Exit on the Map menu.
Step 2 As user netrangr, stop the NetRanger background processes by typing:
/usr/nr/bin/nrstop
Step 3 Check the status of the network management background processes by typing:
ovstatus
Step 4 Check the status of the NetRanger background processes by typing:
nrstatus
Posted: Wed Jul 19 15:19:20 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.