We recently got a 4215 with the 4FE card in it. I need to monitor several networks for alarms, DoS attacks,...
The problem is I am having a very hard time finding any documentation that explains the basics of the device and configuration. I have read the "Basic CLI setup" document, and run through the initial setup wizard thing, but am still very confused. Does it work out of the box, or do I have to activate alarms on it?
I want to be notified via email when there is an alarm, but I don't see anywhere in the IDS setup to place this type of info. Or even how to setup the interfaces to monitor network traffic.
I have seen references to many other applications like IEV, which took me 3 hours to figure out what it was and download. Nothing in the manuals I've read says anything about this. And it did not come with my IDS unit. I got a trial version of Threat Response, but am not sure how this ties in with the IDS unit.
Documents that would be handy:
Document explaining how the IEV, Threat Response and any other software ties in with the IDS unit. I was under the impression the IDS unit would work out of the box, but it appears that I need these other applications to actually get the unit to do anything. Am I wrong?
Document explaining how to set the system up:
Does it work right out of the box, or do I have to activate alarms on it? I have set the interfaces to be active, but have yet to see any alarm type activity. (this just may be a good thing) Yes I have the ports connected to a SPAN port on the VLANS on my 2924 switch.
If anyone has good links to these types of docs, that would be great. Or if you know how it all works, a quick explanation would be great.
Now, if you already have a management software, you have to perform an initial configuration on your IDS and then register it on the management center. In order to send e-mail messages you need to configure your server and then your monitoring options. All these on your management software. The initial bootstrapping depends upon the version on your sensor.
Out of the box you can manage your sensor via either the CLI or through the web interface commonly referred to as IDM. You can also download off of CCO (assuming you have a SMARTnet contract) a free monitoring SW called IEV. This will allow you access to the basics to configure and monitor your sensor.
For advanced services like report generation and e-mail notification of events you will need to purchase the VMS package.
I recommend before purchasing more SW though that you familiarize yourself with the sensor and how it works with the free management and monitoring tools that are available. They are designed specifically for small deployments of 1-5 sensors.
The sensor does come configured to begin detecting intrusions right out of the box once you have configured the interfaces through the CLI.
Thanks for the info. The boss seems to believe he read that out of the box it will generate reports and send email alerts. I showed him the reports it generates, but those are not anything useful to a client that wants to know how many times they have been attacked. They all want big colorful bar graphs... I guess those make more sense ;)
Your boss may have been told about the next release of Cisco Threat Response. It should be out soon. This is a limited version of VMS that will provide some of those capabilities (am also waiting for an alerting tool). As to reports and graphs etc, I am exporting from the Event Viewer and bringing them into a spreadsheet.
Your initial question may have even been more basic. My experience with many Cisco products is a lack of concise guides and "how to" literature. There is some basic documentation but not of significant help to those unfamiliar with intrusion detection systems. I'd recommend you query books for the subject in general, then correlate that information to Cisco specific issues.
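As an added example that is not part of this thread (and not Cisco's or IEV's code): a small Python script that turns an exported alarm list into the "how many times have we been attacked" counts the replies above get from a spreadsheet. The CSV column names, signature ids/names, addresses and the severity scale are constructed assumptions, because the real Event Viewer export format is not shown in the thread.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of a viewer export saved as CSV.
# Columns, signature ids/names and addresses are assumptions, not a real IEV file.
# The last row is deliberately malformed to show that bad rows are skipped.
SAMPLE_EXPORT = """\
event_time,severity,sig_id,sig_name,attacker,victim
2003-05-12 09:14:02,high,2004,ICMP Echo Request,10.1.1.25,192.0.2.10
2003-05-12 09:14:05,high,2004,ICMP Echo Request,10.1.1.25,192.0.2.11
2003-05-12 11:02:44,medium,3002,TCP SYN Port Sweep,10.1.1.25,192.0.2.10
2003-05-13 02:31:09,high,5081,WWW WinNT cmd.exe Access,198.51.100.7,192.0.2.20
2003-05-13 02:31:10,high,5081,WWW WinNT cmd.exe Access,198.51.100.7,192.0.2.21
2003-05-13 14:00:00,low,2004,ICMP Echo Request,192.0.2.5,192.0.2.10
not a timestamp,high,2004,ICMP Echo Request,10.1.1.25,192.0.2.10
"""

# Assumed severity scale, lowest to highest.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def parse_alarms(text):
    """Parse exported alarm rows; drop malformed rows instead of aborting the report."""
    alarms = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["event_time"] = datetime.strptime(row["event_time"], "%Y-%m-%d %H:%M:%S")
            row["severity"] = row["severity"].strip().lower()
            if row["severity"] not in SEVERITY_RANK:
                raise ValueError("unknown severity " + row["severity"])
        except (KeyError, TypeError, ValueError, AttributeError):
            continue  # bad row: skipping it is safer than skewing the counts
        alarms.append(row)
    return alarms


def summarize(alarms, min_severity="low"):
    """Count alarms at or above min_severity by signature, attacker and day."""
    floor = SEVERITY_RANK[min_severity]
    kept = [a for a in alarms if SEVERITY_RANK[a["severity"]] >= floor]
    return {
        "total": len(kept),
        "by_signature": Counter(f'{a["sig_id"]} {a["sig_name"]}' for a in kept),
        "by_attacker": Counter(a["attacker"] for a in kept),
        "by_day": Counter(a["event_time"].strftime("%Y-%m-%d") for a in kept),
    }


if __name__ == "__main__":
    report = summarize(parse_alarms(SAMPLE_EXPORT), "medium")
    print("alarms at medium or above:", report["total"])
    for section in ("by_signature", "by_attacker", "by_day"):
        print(section, dict(report[section].most_common()))
```

Point the script at a real export by reading the file into `parse_alarms` once you have matched the column names to what your viewer actually writes.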