|
|
This chapter contains information on using the nrConfigure tool for remote management of NetRanger configurations, and consists of the following sections:
The term Configuration Management refers to NetRanger's ability to centrally manage the configuration files of remote Sensors and Directors distributed across an enterprise's network. Configuration management in NetRanger is handled by a Java-based tool called nrConfigure. With nrConfigure, you can not only configure Sensors and Directors but manage each machine's configuration versions. This functionality allows you to keep current as well as past configuration information---at any point, you can "roll back" a Sensor or Director to a previous configuration.
You can use nrConfigure to perform any of the following actions on a remote machine:
Together, these and other functions allow security personnel to manage the security of a network from a centrally located graphical console.
nrConfigure has two main components:
You can access nrConfigure by clicking Configure on the Security menu on the Director interface. This will open nrConfigure's File Management screen.
Right-clicking any host name on the File Management Screen and clicking Open on the File popup menu displays the Configuration Librarian, a listing of that host's configuration files, as illustrated in Figure 6-2.
The Configuration Librarian displays the following information, organized in version folders:
These separate version folders have the following conventions:
Other functions available from the Configuration Librarian include the following:
The rest of this chapter provides detail on using nrConfigure to configure the following:
NetRanger communications is handled by the postofficed service. This service not only provides communication services between NetRanger nodes (i.e., Sensors and Directors), it also allows different services to communicate.
To configure communications, follow these steps:
Step 1 On the Director interface, select the remote machine you want to configure.
Step 2 Click Configure on the Security menu.
The Configuration Librarian opens.
Step 3 In the currently applied version, double-click Communications.
The Communications dialog box opens.
Step 4 Click the General tab (see Figure 6-3).
Step 5 Ensure that the postofficed Error Filename is ../var/errors.postofficed.
This is the file to which NetRanger will log any errors occurring during communication, including messages that alert you that postofficed is having difficulty routing messages to a NetRanger service or host.
Step 6 Ensure that the postofficed Configuration Filename is ../etc/postofficed.conf.
This is the filename that NetRanger uses to control postofficed.
Step 7 You can set the severity level of Error events in the Severity Level of Error Events field.
The default value is 1.
Step 8 You can set the severity level of Command events in the Severity Level of Command Events field.
The default value is 1.
Step 9 Click the Fault Mgmt tab (see Figure 6-4).
Fault Management is a term that refers to NetRanger's ability to constantly verify that NetRanger services are still running, and that tries to restart them if they are not running.
The following provides definitions for the Fault Mgmt tab's data entry fields:
(a) Interval(s)---A time interval, expressed in seconds, that postofficed waits between querying all the NetRanger services.
The default Interval is 30 seconds. You can change the interval by editing the number in the Interval(s) field.
(b) Timeout(s)---A time interval, expressed in seconds, that postofficed waits to get a response from a service before it generates an alarm and tries to restart the service. The Timeout amount must be greater than twice the Interval amount.
The default Timeout is 70 seconds. You can change the interval by editing the number in the Timeout(s) field.
(c) Number of Restarts---The number of times postofficed will unsuccessfully try to restart a service before determining that a serious problem exists.
The default Restart value is 3. You can change the value by editing the number in the Number of Restarts field.
(d) Daemon Down Alarm Level---The severity level of the alarm generated by postofficed when it detects that a service is down.
The default alarm level is 5. You can change the level by editing the number in the Daemon Down Alarm Level field.
(e) Daemon Unstartable Alarm Level---The severity level of the "Daemon Unstartable" alarm issued by postofficed if it has unsuccessfully restarted a service the maximum number of times, or otherwise determines that the service cannot be restarted.
The default alarm level is 5. You can change the level by editing the number in the Daemon Unstartable Alarm Level field.
Step 10 Click OK to close the Communications dialog box.
This section describes the following topics:
NetRanger data management is handled by a process called sapd. sapd collects log files created in the /usr/nr/var directory by another service called loggerd. The rate at which sapd collects log files (which can be either ASCII event logs or binary IP logs), is controlled by user-configurable thresholds.
The main goals of data management are:
To configure data collection and staging, follow these steps:
Step 1 On the Director interface, click the remote machine you want to configure.
Step 2 Click Configure on the Security menu.
The Configuration Librarian opens.
Step 3 In the currently applied version, double-click Data Management.
The Data Management dialog box opens.
Step 4 Click the Logging tab (see Figure 6-5).
Step 5 You can set the maximum log file size (in bytes) in the bytes field.
The default log file size is 300,000 bytes.
Step 6 You can set the maximum log file age (in minutes) in the minutes field.
The default log file age is 240 minutes.
Step 7 You can set an alarm's minimum context level (in other words, alarms below a certain severity will not have context data stored in the logfile) in the Minimum Context Level field.
The default Minimum Context Level is 2.
Step 8 Click the Database tab.
Step 9 You can set up a database account by editing the User and Password fields for User 1.
Step 10 Click OK to close the Data Management dialog box.
The sapd service bases all its actions on triggers. Each trigger consists of a condition and an action. The condition defines when to launch an action.
To create a sample trigger, follow these steps:
Step 1 On the Director interface, click the remote machine you want to configure, and click Configure on the Security menu.
The Configuration Librarian opens.
Step 2 In the currently applied version, double-click Data Management.
The Data Management dialog box opens.
Step 3 Click the Triggers tab (see Figure 6-7).
Step 4 Click Add.
The Add New Trigger dialog box opens.
Step 5 Enter the name of your condition in the Condition Name field.
Step 6 Type /usr/nr/bin in the Condition Directory field.
Step 7 Select the Number of Files checkbox and enter 5 in the field next to the checkbox.
Step 8 Select the Notify checkbox.
Step 9 Click OK to close the Add New Trigger dialog box.
Step 10 Click the Notification tab (see Figure 6-8).
Step 11 Enter a valid e-mail address in the Notify Person # field.
NetRanger sends notifications to this e-mail address when the number of files in /usr/nr/bin reaches 5.
Step 12 Edit the Notify Interval field to change the minimum time between notifications.
The default interval is 60 minutes.
Step 13 Click OK to close the Data Management dialog box.
Device management refers to the Sensor's ability to dynamically reconfigure the filters and access control lists on a router to shun an attacker. This functionality is provided by the managed service. Shunning refers to the Sensor's ability to use a network device to deny entry to a specific network host or an entire network.
There are three major steps toward using a router to shun an attacker:
To configure device management, follow these steps:
Step 1 On the Director interface, click the remote machine you want to configure.
Step 2 Click Configure on the Security menu.
The Configuration Librarian opens.
Step 3 In the currently applied version, double-click Device Management.
The Device Management dialog box opens.
Step 4 Click the Devices tab (see Figure 6-9).
Step 5 Click Add to add a router to managed's list of network devices.
Enter the following information about the router in the fields provided:
(a) IP address
(b) Device name
(c) Password and Enable password
(d) Network Address Translation IP address
Step 6 Click the Interfaces tab (see Figure 6-10).
Step 7 Click Add.
Step 8 Enter the following information for each interface on the managed network device:
(a) IP Address---The IP address assigned to the router interface.
(b) Interface Name---The name of the router interface (e.g., "ethernet0")
(c) Direction---The direction of the network traffic passing through the interface.
(d) Additional Interface/Direction Pairs---Enter the name of any other interface names and traffic directions.
Step 9 Click OK to close the Device Management dialog box.
After you set up device management, you need to set up shunning.
If during the final Sensor configuration, you selected "Shun with Cisco Router" on the Cisco Router Information screen of the Add Host dialog box (see Step 14 of the "Complete the Sensor Configuration" section of "Installation and Configuration") then the Sensor's shunning infrastructure is in place, and all you will need to do is add specific information:
Step 1 From nrConfigure, double click Device Management.
The Device Management dialog box opens.
Step 2 Click the Shunning tab (see Figure 6-11).
Step 3 In the Addresses Never to Shun group, click Add to add entries for the local Director, Sensor, and Router, at the very minimum.
Step 4 In the Shunning Servers group, add an entry for the Sensor that will perform shunning.
Step 5 Click OK to close the Device Management dialog box.
If during the final Sensor configuration, you selected not to use a Cisco router for shunning, you will need to check whether managed is enabled on the Sensor before setting up shunning:
Step 1 From nrConfigure, double-click Daemons.
The Daemons dialog box opens.
Step 2 Ensure that managed is set to "Yes" and click OK to close the Daemons dialog box.
Refer to the "Configuring Intrusion Detection" section of this chapter for more information.
This section describes the following topics:
In previous versions of NetRanger, no facilities existed to read data on network packets that a Cisco router denied. From a security perspective, knowing about policy violations is just as important as detecting malicious activity that passes through a router.
With Version 2.2.0 of NetRanger, the router's syslogd service can be configured to send information to a Sensor regarding denied network traffic. The Sensor can then forward this data to the Director, which can then display a Policy Violation alarm.
For more information on configuring ACLs, refer to the "IP Commands" chapter of the Access and Communication Servers Command Reference.
There are two kinds of ACLs that can be configured to work with NetRanger:
To configure and monitor user-defined ACLs, follow these guidelines:
1. Manually configure the router to communicate with the Sensor.
2. Manually configure the ACLs to log policy violations.
3. Configure the Sensor to accept syslogd traffic from the router.
To manually configure the router to communicate with the Sensor, follow these steps:
Step 1 Log on to the router and enter enable mode by typing en and the enable password.
Step 2 Enter configuration mode by typing:
conf t
Step 3 Type the following commands:
logging sensor_ip_address logging trap info
where sensor_ip_address is the IP address of the Sensor's command and control interface.
Step 4 Exit configuration mode by pressing Ctrl+Z.
Step 5 To make the changes permanent on the router, type:
wr mem
To manually configure the ACLs to log policy violations, follow these steps:
Step 1 Set the user-defined ACLs on each router to send policy violation information by adding the text string "log" to the end of each line that defines a deny rule. For example:
access-list 199 deny tcp host 10.1.1.1 any log
This rule denies TCP traffic between host 10.1.1.1 and "any" other host. The string "log" at the end of the deny rule ensures that the policy violation is logged.
Step 2 To make the changes permanent on the router, type:
wr mem
To configure the Sensor to accept syslogd traffic from the router, follow these steps:
Step 1 On the Director interface, click the Sensor's icon and click Configure on the Security menu.
The Configuration Librarian opens.
Step 2 In the currently applied version, double-click Intrusion Detection.
The Intrusion Detection dialog box opens.
Step 3 Click the Data Sources tab.
Step 4 In the Data Sources field, ensure that the IP address and netmask of the router sending the syslog information is present.
If not, click Add and then input the IP address and subnet mask.
Step 5 Click the Profile tab.
Step 6 Ensure that Setup Method is set to Manual Configuration.
Step 7 Click Modify Sensor.
Step 8 Scroll down to the "Security Violations" signature and click Expand.
The Policy Violations dialog box opens.
Step 9 Click Add to add the name of the Cisco ACL that sends syslog data to the Sensor.
Step 10 Choose an action from the list in response to the policy violation alarm, and enter the alarm's severity level for each destination.
Step 11 Repeat Steps 9 and 10 for each ACL added.
Step 12 Click OK to close the Policy Violations dialog box.
Step 13 Click OK to close the General Signatures dialog box.
Step 14 Click OK to close the Intrusion Detection dialog box.
Step 15 To apply policy violation logging, select the transient configuration version and click Apply.
Configuring NetRanger-defined ACLs is similar to configuring user-defined ACLs, except that you can use NetRanger's utilities to ease setup and monitoring. Also, NetRanger-defined ACLs are created and updated by the managed service.
To configure and monitor NetRanger-defined ACLs, follow these guidelines:
1. Configure the router to communicate with the Sensor.
2. Configure the NetRanger-defined ACLs to log policy violations.
3. Configure the Sensor to accept syslogd traffic from the router.
To configure the router to communicate with the Sensor, follow these steps:
Step 1 On the Director interface, select the Sensor that is to receive the policy violation information from the router.
Step 2 Click Network Device on the Security menu.
The Network Device Utility window opens.
Step 3 To command the router to send policy violation information to the Sensor, choose option 5.
Step 4 When prompted, enter the Sensor's IP address, and type y to confirm.
Step 5 Read the information and press Enter when prompted.
Step 6 Choose option 9 to exit the Network Device Utility.
To configure the NetRanger-defined ACLs to log policy violations temporarily, follow these steps:
Step 1 On the Director interface, select the Sensor that is to receive the policy violations from the router.
Step 2 Click Advanced>ACL Syslogs>Enable on the Security menu.
To disable ACL logging, click Advanced>ACL Syslogs>Disable on the Security menu.
To configure the NetRanger-defined ACLs to log policy violations even after the Sensor restarts/reboots, follow these steps:
Step 1 On the Director interface, click the Sensor that is to receive the policy violations from the router.
Step 2 Click Configure on the Security menu.
The Configuration Librarian opens.
Step 3 In the currently applied version, double-click Device Management.
The Device Management dialog box opens.
Step 4 Click the General tab.
Step 5 Click Enable ACL Logging.
Step 6 Click OK.
Step 7 Highlight the transient version and click Apply.
To configure the Sensor to accept syslogd traffic from the router, follow these steps:
Step 1 On the Director interface, select the Sensor that is to receive the policy violations from the router.
Step 2 Click Configure on the Security menu.
The Configuration Librarian opens.
Step 3 In the currently applied version, double-click Device Management.
The Device Management dialog box opens.
Step 4 Click the Shunning tab.
Step 5 Make note of the entry under Cisco ACL Number (for example, the entry might be "199").
Step 6 Click OK.
Step 7 In the newly created version folder in the Configuration Librarian, double-click Intrusion Detection.
The Intrusion Detection dialog box opens.
Step 8 Click the Data Sources tab.
Step 9 In the Data Sources group, ensure that the IP address and netmask of router sending the syslog information is present.
If not, click Add and then input the IP address and subnet mask.
Step 10 Click the Profile tab.
Step 11 Ensure that Setup Method is set to Manual Configuration.
Step 12 Click Modify Sensor.
Step 13 Scroll down to the "Security Violations" signature and click Expand.
The Policy Violations dialog box opens.
Step 14 Click Add to add the number of the Cisco ACL from Step 5.
Step 15 Choose an action from the list in response to the policy violation alarm, and enter the alarm's severity level for each destination.
Step 16 Click Add to add an ACL whose number is one less than the ACL added in Step 14.
Step 17 Repeat Steps 14 through 16 for each ACL added.
Step 18 Click OK to close the Policy Violations dialog box.
Step 19 Click OK to close the General Signatures dialog box.
Step 20 Click OK to close the Intrusion Detection dialog box.
Step 21 To apply policy violation logging, click the transient configuration version and click Apply.
"Director forwarding" refers to a Director's ability to forward all Errors and Alarms it receives to another Director. The Director Forwarding dialog box allows a user to configure the Director to forward traffic directly; in the past, users had to configure each Sensor to forward traffic to more than one Director, if desired.
To forward information to a secondary Director, follow these steps:
Step 1 On the Director interface, click a Director icon and click Configure on the Security menu.
The Configuration Librarian opens.
Step 2 In the currently applied version, double-click Director Forwarding.
The Director Forwarding dialog box opens.
Step 3 Click the Forwarding tab (see Figure 6-12).
An entry should exist for the primary Director.
Step 4 To add a Director to the list of entries, click Add.
Enter the following information about each Director:
(a) Host---Select the Director's host name from the drop-down list.
(b) Service---Select the Director service you want data forwarded to.
Select loggerd if you want the Director to receive a duplicate copy of a Sensor's log files. Select smid if you want the Director to receive duplicate alarms generated by the Sensor.
(c) Minimum Level---Enter the minimum alarm level for alarm data sent to the Director.
(d) Commands---Select Yes if you want commands sent to the Director. Otherwise, select No.
(e) Errors---Select Yes if you want errors sent to the Director. Otherwise, select No.
(f) Alarms---Select Yes if you want alarms sent to the Director. Otherwise, select No.
(g) IP Logs---Select Yes if you IP logs sent to the Director. Otherwise, select No.
Step 5 Click OK to close the Director Forwarding dialog box.
Event processing is managed by the eventd service. eventd processes alarms sent to it and executes user-defined actions. It is generally intended to accommodate batch or background processes, such as e-mail notification, SNMP trap generation, or other user-defined processes.
The following steps are necessary for setting up event processing:
To configure the event processing infrastructure, follow these steps:
Step 1 On the Director interface, click the machine icon whose eventd process you want to enable.
Step 2 Click Configure on the Security menu.
The Configuration Librarian opens.
Step 3 In the currently applied version, double-click Event Processing.
The Event Processing dialog box opens.
Step 4 Click the Applications tab (see Figure 6-13).
Step 5 Click Add to add rows to the listing, and click Delete to delete rows from the listing.
Each row has three columns:
(a) Script ID---The ID number is autogenerated by nrConfigure.
(b) Severity Level---Enter an alarm severity level here. eventd executes the script you specify for each event whose severity level is greater than or equal to this severity level, provided that the events meet the timing thresholds that you set (see Step 6 below).
(c) Script Name---Enter the full path and name of the script you want to execute (for example, /usr/nr/myscript). If you want to set up e-mail notification, enter /usr/nr/bin/eventd/event in this field. To generate SNMP traps, enter /usr/nr/bin/nrSnmpTrap in this field.
Step 6 Click the Timing tab.
This tab controls how often eventd executes an action when an event is received.
Step 7 Enter the following information in the appropriate fields:
(a) Consolidation Interval(s)---The number of seconds in the interval during which eventd collects events.
(b) Alarm Count Thresholds---The number of events that must be received in the specified interval to force the execution of an action. This field can contain one or more integer values separated by commas or spaces.
For example, an entry of "1, 5, 100" would execute an action the first, fifth, and hundredth time an event occurred during the specified interval.
Step 8 Click OK to close the Event Processing dialog box.
Step 9 On the current transient version of code, double-click Daemons.
The Daemons dialog box opens.
Step 10 Enable nr.eventd by changing its status to Yes.
Step 11 Click OK to close the Daemons dialog box.
After configuring and enabling eventd, you must tell an event source (a Sensor or Director) to send notifications to eventd. The procedure for configuring Sensors and Directors differs.
To configure a NetRanger Sensor to send event notifications to eventd, follow these steps:
Step 1 After following the instructions for configuring the event processing infrastructure, double-click Destinations in nrConfigure's currently applied version.
The Destinations dialog box opens.
Step 2 Click Add.
Step 3 Add the following information in each of the fields:
(a) Host---Enter the Sensor's host name.
(b) Application---Enter eventd.
(c) Severity Level---Enter a minimum severity level to send.
(d) Event Type---Choose either IP Logs, Errors, Commands, or Alarms from the field's pull-down menu.
Step 4 Click OK to close the Destinations dialog box.
To configure a NetRanger Director to send event notifications to eventd, follow these steps:
Step 1 On the Director interface, click a Director icon and click Configure on the Security menu.
Step 2 In the currently applied version on nrConfigure, double-click Director Forwarding.
The Director Forwarding dialog box opens.
Step 3 Click the Forwarding tab. (An entry should exist for the primary Director.)
Step 4 Click Add.
Step 5 Enter the following information about each Director:
(a) Host---Select the Director's host name from the drop-down list.
(b) Service---Select eventd.
(c) Minimum Level---Enter a minimum severity level to send.
(d) Commands---Select Yes if you want commands sent to the Director. Otherwise, select No.
(e) Errors---Select Yes if you want errors sent to the Director. Otherwise, select No.
(f) Alarms---Select Yes if you want alarms sent to the Director. Otherwise, select No.
(g) IP Logs---Select Yes if you want IP logs sent to the Director. Otherwise, select No.
Step 6 Click OK to close the Director Forwarding dialog box.
This section describes the following topics:
Intrusion Detection is handled by the packetd and sensord services. packetd normally operates from a Sensor working in stand-alone mode (in other words, without a packet filter). sensord normally operates from a Sensor working with a packet filter that is forwarding copies of network packets to it.
You have two choices for setting up intrusion detection on a Sensor:
To set up a profile-based configuration, follow these steps:
Step 1 On the Director interface, click the remote machine you want to configure.
Step 2 Click Configure on the Security menu.
The Configuration Librarian opens.
Step 3 In the currently applied version, double-click Intrusion Detection.
The Intrusion Detection dialog box opens.
Step 4 Click the Profile tab. Perform the following actions:
(a) Select Profile-based Configuration.
(b) Under Response, select either Relaxed, Moderate, or Strong.
(c) Under Signatures to Disable, you can disable individual signatures by selecting their check boxes.
Step 5 View your settings in the General Signatures dialog box by clicking View Sensor under Setup Method.
Step 6 Click OK to save your changes and close the Signatures dialog box.
Step 7 Click OK to close the Intrusion Detection dialog box.
To set up a manual configuration, follow these steps:
Step 1 On the Director interface, click the remote machine you want to configure.
Step 2 Click Configure on the Security menu.
The Configuration Librarian opens.
Step 3 In the currently applied version, double-click Intrusion Detection.
The Intrusion Detection dialog box opens.
Step 4 Click the Profile tab (see Figure 6-15).
Step 5 Click Modify Sensor.
The General Signatures dialog box opens (see Figure 6-16).
Step 6 You can configure the action a Sensor takes when a signature detects misuse by clicking any Action field and choosing one of the following options from the drop-down list:
(a) None---Take no action.
(b) Shun---Shun the host.
(c) Log---Log the event.
(d) Shun & Log---Shun the host and log the event.
(e) TCP Reset---Close the TCP connection, but leave other connections alone.
(f) TCP Reset & Shun---Reset the TCP connection and shun the host.
(g) TCP Reset & Log---Reset the TCP connection and log the event.
(h) TCP Reset, Shun & Log---Reset the TCP connection, shun the host, and log the event.
For each Sensor and Director in your Organization, you can edit the Severity Level.
To find out more information about a signature, click its name in the listing and click NSDB. This will provide access to the NSDB through your HTML Browser.
Step 7 Click OK to save your changes and close the General Signatures dialog box.
Step 8 Click OK to close the Intrusion Detection dialog box.
The Intrusion Detection dialog box also allows you to set up protected networks, name data sources for the Sensor, and exclude addresses.
Step 1 On the Director interface, click the remote machine you want to configure, and click Configure on the Security menu.
The Configuration Librarian opens.
Step 2 In the currently applied version, double-click Intrusion Detection.
The Intrusion Detection dialog box opens.
Step 3 Click the Protected Networks tab (see Figure 6-17).
Step 4 Click Add to enter the address and netmask of the network protected by the Sensor.
Step 5 To set up IP logging, click the IP Logging Addresses tab, then click Add to add addresses and networks you want NetRanger to IP log.
iplog.Source_IP_Address.
Step 6 Click the Data Sources tab (see Figure 6-18).
Step 7 Click the Excluded Addresses tab (see Figure 6-19).
Step 8 Click Add to enter information about specific signatures, subsignatures and source network host addresses that you want the Sensor to ignore. For example, you may want to ignore certain traffic in a protected network.
Step 9 Click the Excluded Networks tab (see Figure 6-20).
Step 10 Click Add to enter information about specific signatures, subsignatures, and source network addresses that you want the Sensor to ignore.
Step 11 Click the General tab.
Step 12 To change the number of minutes that a Sensor automatically shuns a host, edit the Minutes of Automatic Shunning field.
Step 13 To change the number of minutes that a Sensor automatically logs IP traffic, edit the Minutes of Automatic IP Logging field
Step 14 Click OK to close the Intrusion Detection dialog box.
The NetRanger system files contain the information needed for NetRanger communication. You can access individual components by right-clicking them in the Configuration Librarian and clicking Open on the File popup menu.
Posted: Wed Mar 24 09:42:19 PST 1999
Copyright 1989-1999©Cisco Systems Inc.