Solved: IPS Sensor - Event Notification via Email?

h-schupp · ‎02-08-2008

Good day all.

I have been asked to re-create some functionality that was lost after the customer upgraded from VMS to CSM but without CS-MARS or any other event monitor. The user had the system set to generate an email when an event was fired. It apparently was noisy in the begining but after tuning was not a bad solution. No one knows how it was originally set up but I can only assume it was the method described in the Cisco document at: http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#fivesensor

Now, however, since the CSM does not recieve event data is it possible to recreate this 'notification' process?

The are using CSM 3.02 and the Sensors are still at 5.14. The Sensors will be updated to 5.17 later today. I will then either be upgrading the customer to the latest revisions and service packs for CSM or rolling them back to VMS depending on whether I can get the notifications to work with CSM.

NOTE: They are ordering a CS-MARS appliance with the belief that it will resolve the issue but as last word it will be several months at least before they could get it in. I am concerned that CS-MARS will NOT give them back this functionality. Can anyone confirm/deny?

Lastly - Since CSM does not include a Security Monitor like VMS did, and CS-MARS does not really recreate that sort of view or management of the events - what solution(s) are there to replicate the Security Monitor functionality? Is there? Is CS-MARS the new bully on the block?

marcabal · ‎02-08-2008

Since customer is staying at a 5.1(x) version then you have 3 options:

1) downgrade to VMS and continue using Security Monitor

2) Stay with CSM and purchase CS-MARS for the event monitoring. CS-MARS should provide email notification capability.

3) Stay with CSM and install and use IEV 5.2(1).

IEV 5.2(1) can either be installed on a separate machine from CSM as a standalone utility:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev

IEV 5.2(1) contains the new feature for email notification for alerts.

OR IEV 5.2(1) can be installed as part of the CSM installation (I know it is in CSM 3.1, but not sure about earlier CSM versions).

Here is some documentation on running IEV 5.2(1) within the CSM framework:

http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/monidiag.html#wp1203768

NOTE: IEV 5.2(1) is targeted for use in networks with 5 or less sensors. When running with 5 or more sensors then CS-MARS would be the recommened veiwer.

When the user later upgrades to version 6.x, then option 1 (downgrading to VMS) is no longer an option and either option 2 or 3 would be required.

View solution in original post

marcabal · ‎02-08-2008

Since customer is staying at a 5.1(x) version then you have 3 options:

1) downgrade to VMS and continue using Security Monitor

2) Stay with CSM and purchase CS-MARS for the event monitoring. CS-MARS should provide email notification capability.

3) Stay with CSM and install and use IEV 5.2(1).

IEV 5.2(1) can either be installed on a separate machine from CSM as a standalone utility:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev

IEV 5.2(1) contains the new feature for email notification for alerts.

OR IEV 5.2(1) can be installed as part of the CSM installation (I know it is in CSM 3.1, but not sure about earlier CSM versions).

Here is some documentation on running IEV 5.2(1) within the CSM framework:

http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/monidiag.html#wp1203768

NOTE: IEV 5.2(1) is targeted for use in networks with 5 or less sensors. When running with 5 or more sensors then CS-MARS would be the recommened veiwer.

When the user later upgrades to version 6.x, then option 1 (downgrading to VMS) is no longer an option and either option 2 or 3 would be required.

rhermes · ‎02-11-2008

marcabal

I understood that the RDEP/SDEE from sensors running 6.0 was backward compatible with VMS and that you could at least get event collection and reports generation (including emailing of those reports) between 6.0 and VMS.

I know you can't manage the sensors with VMS (changing settings, etc) but I thought you could still feed the events into VMS. Am I wrong?

marcabal · ‎02-11-2008

You are correct that VMS can monitor (but not confgiure) a 6.0 sensor.

The VMS is able to connect to the 6.0 sensor and ask for events in the older 4.x style RDEP format for the events.

(NOTE: SDEE is not backwards compatible with VMS, but the sensor has a separate server that VSM can connect to and the sensor dynamically converts the SDEE events into the older V4.x RDEP format.)

The assumption in my previous post was that they specifically wanted to be able to configure with VMS. In which case they can not configure a V6.0 sensor with VMS.

h-schupp · ‎02-11-2008

Marcoa -

Thanks very much! I knew about IEV but I didn't know about IEV being included in CSM now. It looks like it was included starting with CSM 3.1. Still, the IEV solution fails for my customer due to the 5 sensor limit.

The customers are staying at 5.1(x) for the time being so the downgrade to VMS is still looking to be the most viable at the moment. Once they have purchased the CS-MARS devices (and I have tested them on their test system) and have them running I will be able to upgrade them to CSM again. But that is looking to be 3 to 4 months away and the loss of the notifications process cannot be left until then. Thanks again for your recommendations and support.

Hank Schupp