This chapter introduces the NetRanger Director, and includes the following sections:
Events are sent to the Director by a Sensor that detects a security violation. The smid service on the Director interprets this event information and passes it to an application called nrdirmap. nrdirmap is responsible for displaying this information on the Director's maps.
Depending on the severity of an alarm, the Alarm icon displays different colors: red for severe, yellow for moderate, green otherwise. The icons for the application and Sensor that generate the alarm will also be the same color as the most severe alarm generated.
The Top-Level submap (also called the Root submap) is the topmost map of the map hierarchy, and is illustrated in Figure 4-1.
The Collection submap can contain icons for Sensors, Directors, other Collections, and the connections between these entities. Figure 4-2 illustrates a complex Collection submap---it contains a Director icon and other Collections.
The Director automatically generates all the icons on the submaps as events occur---however, you can manually add Collection, Machine, and Application icons. For more information on manually adding machines to the Director, refer to the "Working with Icons" section of "Advanced Director Functions."
Double-clicking a Machine's icon displays the Machine submap, which contains icons for all the applications running on that machine (see Figure 4-3).
Double-clicking an Application icon displays an Application submap, which contains all the Alarms generated by that Application (see Figure 4-4).
This section includes the following topics:
When an alarm is generated and sent to the Director, the Director's nrdirmap functionality interprets the alarm data in order to graphically present it on the user interface. Alarm icons can indicate different types of events, specifically intrusions, context attacks, or errors.
If multiple alarms of the same type (except for timestamp and sequence number) are generated, then the Director displays these alarms as a group called an Alarm Set.
A special type of alarm is the OkAlarm, which, when displayed in a submap, indicates that there are no unresolved alarms for that application.
Intrusion alarms are depicted as lightning bolts, and indicate that some type of unauthorized activity has occurred, whether a policy violation (as logged by a Cisco router), a fragmented packet header, a denial of service attack, and so on.
Intrusion Alarm Sets are depicted with three lightning bolts. Figure 4-5 illustrates Intrusion Alarm and Alarm Set icons.
Context Alarms are depicted as a magnifying glass over a sheet of paper with markings on it. The magnifying glass is a visual reminder that you can view additional alarm information by selecting the alarm icon and clicking Show>Context on the Security menu.
Alarms triggered by the following signatures always become Context Alarm icons:
Context Alarm Sets are depicted as a magnifying glass over two sheets of paper with writing on them. Figure 4-5 illustrates Context Alarm and Alarm Set icons.
There are three types of Error Alarms:
Error Alarms are depicted as a single bomb. Error Alarm Sets are depicted as two bombs. Both Error Alarms and Alarm Sets are illustrated in Figure 4-6.
The Daemon Down Error Alarm indicates that the postofficed service has detected that a daemon or service has stopped.
After an Error Alarm occurs, you must manually delete the icon, regardless of whether postofficed is able to restart the service.
The Daemon Unstartable Error Alarm indicates that postofficed cannot restart a service that was previously down.
After an Error Alarm occurs, you must manually delete the icon, regardless of whether you are able to manually restart the service.
The Route Down Error Alarm is generated each time the postofficed service detects that a connection to another machine is down. These error alarms have a severity level of 5. This type of alarm's "optional data/alarm details" field displays the following information:
HostID.OrgID route route-number down
where HostID and OrgID indicate the Host and Organization ID of the NetRanger host involved in the Route Down Error Alarm, and route-number indicates which route failed.
A different error alarm is generated for each communication route. For example, if the route between sensor-one and sensor-two is down, then the managing Director will receive two error alarms: one indicating that sensor-one is unreachable, and another indicating that sensor-two is unreachable.
Because the postofficed service repeatedly checks to see if a machine is reachable, there is a chance that error alarm sets could consolidate. For example, if sensor-two in the above example remains unreachable, then the error alarm associated with it is displayed as a consolidated error alarm set.
Route Down Error Alarms are automatically deleted if the Director receives an indication that the route is operational.
If an Application has not generated any Alarms or Alarm Sets, then the special OkAlarm is displayed in the Application submap (see Figure 4-7). As the name of this alarm implies, it means that no alarms have been generated by the application.
In most cases, an alarm's label will be the name of the signature that matches the alarm's Signature ID. NetRanger uses the /usr/nr/etc/signatures file to determine a match. However, there are exceptions to this rule:
To start the Director, follow these steps:
Step 1 Log on as user netrangr.
Step 2 To see a status of NetRanger services, type:
nrstatus
Step 3 If no services are running, type:
nrstart
Step 4 To start the Director user interface, type:
ovw &
This section provides information on configuring important Director settings:
There are five global Map-level configuration parameters that can be set. These parameters affect the display of all NetRanger security data, such as icon consolidation into alarm sets and the mapping of alarm levels to alarm colors.
To set these global parameters, follow these steps:
Step 1 Click Maps>Describe/Modify on the Map menu.
Step 2 On the dialog box, click NetRanger/Director, and click Configure For This Map.
Step 3 Make entries to the following:
(a) Set the default lowest event severity that generates a marginal icon. For example, setting the default lowest event severity to 3 would create a marginal (yellow) icon if an alarm level 3 is generated.
(b) Set the default lowest event severity that generates a critical icon. For example, setting the default lowest event severity in this case to "4" would create a critical (red) icon if an alarm level 4 is generated.
(c) Set the default number of identical alarms before icon consolidation. For example, setting this number to 5 would create an Alarm Set when the number of identical alarms reached 5 or more.
(d) Enable or disable nrdirmap. nrdirmap should be enabled.
(e) Determine if new security alarms should be shown on the IP Map.
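How these display rules fit together, as an added example (not NetRanger's own code): it models the marginal and critical severity thresholds and the consolidation count set in the steps above, the rule that an Application icon takes the color of its most severe alarm, and the "HostID.OrgID route route-number down" details field of Route Down Error Alarms. The Alarm fields, the parameter values and the sample host, organization and signature IDs are assumptions.

```python
"""Model of how the Director turns alarms into map icons (added example, not
NetRanger code): colour thresholds, Alarm Set consolidation and the Route Down
details field, over constructed sample alarms. Names and values are assumed."""
import re
from collections import defaultdict, namedtuple

# Map-level parameters from "Configure For This Map" (constructed values)
MARGINAL_LEVEL = 3   # lowest severity that produces a marginal (yellow) icon
CRITICAL_LEVEL = 4   # lowest severity that produces a critical (red) icon
CONSOLIDATE_AT = 5   # identical alarms needed before an Alarm Set is formed

# timestamp and seq are ignored when deciding whether two alarms are identical;
# details is the "optional data/alarm details" field
Alarm = namedtuple("Alarm", "app sig_id severity timestamp seq details", defaults=("",))

def icon_color(severity):
    """Red for critical, yellow for marginal, green otherwise."""
    if severity >= CRITICAL_LEVEL:
        return "red"
    return "yellow" if severity >= MARGINAL_LEVEL else "green"

def consolidate(alarms):
    """Group alarms identical except for timestamp/sequence number and report
    ("set", n) once a group reaches CONSOLIDATE_AT members, else ("alarm", n)."""
    groups = defaultdict(int)
    for a in alarms:
        groups[(a.app, a.sig_id, a.severity, a.details)] += 1
    return {k: ("set" if n >= CONSOLIDATE_AT else "alarm", n) for k, n in groups.items()}

def application_color(alarms, app):
    """Application icon colour is that of its most severe alarm; with no
    alarms the submap shows the OkAlarm, rendered green here."""
    sev = [a.severity for a in alarms if a.app == app]
    return icon_color(max(sev)) if sev else "green"

# Details format "HostID.OrgID route route-number down"; IDs are kept as strings
ROUTE_DOWN = re.compile(r"^(?P<host>[^.\s]+)\.(?P<org>\S+) route (?P<route>\d+) down$")

def parse_route_down(details):
    """Parse a Route Down Error Alarm details field; None if it does not match."""
    m = ROUTE_DOWN.match(details.strip())
    return m and {"host_id": m["host"], "org_id": m["org"], "route": int(m["route"])}

def sample_alarms():
    """Constructed sample: five identical intrusions (placeholder signature IDs),
    one minor alarm and one Route Down error alarm (severity 5)."""
    return [Alarm("sensord", 1000, 4, 1000 + i, i) for i in range(5)] + [
        Alarm("sensord", 2000, 2, 2000, 5),
        Alarm("postofficed", 0, 5, 2001, 6, "100.1000 route 1 down")]
```

With the sample, the five identical severity-4 intrusions consolidate into one red Alarm Set, while the single Route Down alarm stays a lone error icon until postofficed reports the route operational again.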
The Network Security Database (NSDB) is an HTML-based encyclopedia of network security information. To access this information from the Director interface, you must set your HTML browser preference.
To set your HTML browser preference, follow these steps:
Step 1 On the Director interface, click Configure on the Security menu.
Step 2 In nrConfigure, click Preferences on the File menu.
Step 3 Type the path to your HTML browser in the Browser Location field, and click OK.
You may need to stop the Director to upgrade NetRanger software, perform maintenance or troubleshooting on the Director workstation, or for other reasons.
To stop the Director, follow these steps:
Step 1 Stop the network management user interface by clicking Exit on the Map menu.
Step 2 As user netrangr, stop the NetRanger background processes by typing:
/usr/nr/bin/nrstop
Step 3 Check the status of the network management background processes by typing:
ovstatus
Step 4 Check the status of the NetRanger background processes by typing:
nrstatus