I've just installed and configured CTR 2.0. I don't understand why it is so slow, even 5 minutes between two clicks.
It is "running" on a PC with these features:
Win 2000 Pro SP3 english with all patches applied and IE 6 SP1.
CPU P4 2GHz.
RAM 512 MB.
CPU occupation 2-5%
The client system is a P4 1.8GHz 256MB.
Despite this configuration, applets take a lot of time to initialize and start, and when started are very very very very slow!
What can I do?
With the same client I was accessing ciscoVSM too; now it is not possible anymore, because CTR and VSM use different JREs, so I've uninstalled JRE 1.3.1 and 1.4.1 and reinstalled the last.
Is there an upgrade for VSM to use JRE 1.4.1?
Thanks for your answer.
You are correct that VMS and CTR use two different JREs; however, it should not matter for the client. You can have both of the JREs installed on the same client and you should be able to access both VMS and CTR.
As far as the slowness... Are you using DNS? I think CTR and the client are having a hard time resolving the host names.
If you are not using DNS, a workaround would be to edit your C:\WINNT\system32\drivers\etc\hosts file on your client system and enter the IP and SystemName of your CTR box.
Let me know if this helps.
Thanks for your answer,
I did the corrections and everything works fine.
In fact, the workstation is in the management VLAN without DNS.
The JREs can coexist on the same machine; I had to disable, in the JRE 1.4 properties, the flag that sets it as the default runtime env for IE.
Now only a question: this workstation is not in the domain and can access the Internet only by entering proxy authentication, but nothing in CTR is available to do this. What can I do? Can you insert this feature in the next release?
I am glad to help out.
As far as your other question... Is the workstation you're talking about CTR?
If it is, then let's discuss the placement of CTR. Normally CTR should be placed on the same network segment it is protecting. If this is the case then you shouldn't need to proxy.
As long as you have configured your security devices to send alerts to CTR, then CTR will investigate the targeted machine.
Can you fill me in on how to run 2 JRE versions on one device? I am attempting to run 1.4.1 on XP so I can access MC and CTR but it blows up my machine!
How can you configure them to exist simultaneously?
Thanks in advance
You cannot have 2 versions of JRE on the same device. But you may look into the possibility of installing VMware and then installing an OS on the fly. Then you can have 2 versions of JRE.
I know this is contradictory to the previous post, but I have run and still run multiple versions of JREs on my system, especially dealing with VMS and CTR.
Although you cannot run VMS and CTR on the same machine because of multiple reasons, you can access CTR as a client from a VMS machine.
They both use two different JRE versions. I believe that VMS uses JRE 1.3.1 and I know that CTR uses JRE 1.4.1_02.
This quote is from java.sun.com - "So that multiple JRE versions may be deployed in the same environment, every new or patch release of Java Plug-in uniquely identifies registry keys, CLSID, MIME type and other resources."
Here is the link to help you out.
I am not sure why your JRE's are blowing up. This link should help.
This is good information. Appreciate your post. So, when you go to Add/Remove Programs, does it show you that you have both versions running?
Yes it shows both versions.
I now have both versions running without error (so far) but I had to tweak it to get it to run.
Here's what I did:
My OS is XP
JRE versions installed: Standard Edition v1.3.1 for IDS MC/SECMON
SE v1.4.1_02 for Cisco Threat Response
They install to separate directories and have their own registry keys. The problem with IE errors that I saw before was due to CACHING (I'll show you how I disabled caching below).
In Start:Control Panel you will see Java Plug-in (for 1.4.1 but it won't show the version) and Java Plug-In 1.3.1(shows the version)
I opened the Java Plug-in and chose Show Console (for troubleshooting-not necessary though) and Show Exception Dialog Box from the BASIC tab.
Next in Advanced tab I chose Use Java Plug in as default.
Under Browser tab UNCHECK MS Internet Explorer! (key point)
Under Cache I left caching enabled as an experiment but chose CLEAR cache before starting up my IDS MC.
Then I closed the Java plug-in and from Control Panel opened the Java 1.3.1 plug-in configurator
I checked all options under BASIC tab.
(just for diagnostic purposes - I don't think it's necessary to make it work)
Under ADVANCED Tab I chose the JRE 1.3 in C:programfiles/jre/1.31 as DEFAULT.
Under CACHE I chose Clear JAR Cache (just to be safe)
and exited the configurator.
I made sure to close IE after closing the MC or CTR before launching the next application and it seems to be working without smoke coming out :-)
unlike before- ack
I tried it several times successfully. Finally I got bold enough to try opening the MC while I had the CTR open and...drum-roll please...
"debug error - Abnormal program termination"
Well, at least it works one application at a time...one day maybe :-)
I appreciate the stimulating ideas. It made me brave enough to try it and, well, so far, so good.
I hope you have similar results.
The CTR is in the same VLAN as the sensors; that VLAN is protected by a firewall and there are many different segments in our network.
The point is:
How many CTRs do I have to install? One per segment?
What are the ports to open on the firewall to let CTR investigate machines on other segments?
And then the CTR needs to access the Cisco web site to autoupdate, but the only way that the machine can do this is by configuring a proxy user and password, and the CTR software doesn't have this feature. How can the CTR do the autoupdate if not directly connected to the Internet?
Thanks for your answer
Thanks for your continuing interest in CTR. Your questions have several possible answers.
If CTR is located on the same VLAN as your sensors, and that VLAN is behind a firewall from the segments you are protecting, then the firewall needs to allow nmap scans for OS Fingerprinting and TCP ports 139, 138 and UDP ports 137, 138 for Level 2 analysis. I know this is not the answer you're looking for and I also know that you will not open up your firewall to allow this traffic.
If you want to keep CTR in the vlan then put in another NIC in your CTR box and connect it to the segment you are protecting. I have done this several times.
You can also move CTR to the protected segment. Now CTR is separated from your IDS sensors or RealSecure event collectors by a firewall. You must open the following ports on your firewall.
Cisco Secure IDS 3.x
Cisco Secure IDS 4.x
Uses RDEP/TCP 443
TCP 443 and TCP 3306 (if the browser and Threat Response system are separated by a firewall)
If you have several segments protected by several firewalls then you could have a CTR server per segment.
As for your autoupdate, you can configure IE on your CTR box under Tools / Internet Options / Connections / LAN Settings. There you can enter your proxy settings.
If this does not work you can download the executable updates from CCO.
I hope this helps, and let me know if you have further questions.