
6. Record all suspicious activity. Take further advice from law enforcement on the next steps to take. Review the outcome in a meeting with the working party. Update any procedural documentation as required.

Q: Would a firewall or other security product interfere with the IDS?

A: In short, not if the system is configured correctly. Sensors should be made aware of NetSonar scans, for example; this prevents unnecessary auditing. Likewise, a firewall should not be configured to restrict the IDS from performing its function properly. Because this is a detection system, we would expect it to pick up all intrusions, including other legitimate operations from security products.

Q: What is Signature Analysis?

A: Signatures are identifiable attack patterns, either strings within data or more complex events. The signature can be defined as an event or process with a resulting outcome. Systems that are compromised can be monitored to identify what types of attacks are in progress. The analysis portion involves pattern matching against a database. For further details, have a look at https://traloihay.net iaabu/netrangr/nr220/nr220ug/sigs.htm.
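The two answers above describe signature matching against a database (string patterns and "more complex events") and the need for sensors to be made aware of authorised scanner traffic such as NetSonar scans. The following Python script is an added illustration of both ideas; it is not Cisco NetRanger code, and the signature ids, patterns, hosts and sample traffic are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Signature database: constructed examples, not Cisco NetRanger signatures.
# A "string" signature matches a byte pattern inside one event's payload;
# a "sequence" signature matches a series of events from one source host
# (the "event or process with a resulting outcome" described in the text).


@dataclass
class Event:
    src: str
    dst: str
    dport: int
    payload: bytes


STRING_SIGNATURES = [
    # (signature id, description, compiled pattern) -- constructed for illustration
    (1001, "Directory traversal attempt in HTTP request", re.compile(rb"\.\./\.\./")),
    (1002, "Constructed placeholder pattern", re.compile(rb"EXAMPLE_PATTERN")),
]

# Sequence signature: one source contacts this many distinct destination ports
# (a port sweep), the kind of "more complex event" the answer mentions.
SWEEP_PORT_THRESHOLD = 5

# Hosts running authorised scanners (e.g. a NetSonar scanner) that the sensor is
# made aware of, so their activity does not generate needless audit records.
AUTHORISED_SCANNERS = {"10.0.0.50"}  # constructed address


def match_string_signatures(event: Event):
    """Return the ids of string signatures whose pattern appears in the payload."""
    return [sid for sid, _desc, pat in STRING_SIGNATURES if pat.search(event.payload)]


def analyse(events: Iterable[Event]):
    """Run both signature types over a stream of events.

    Returns a list of (signature id, source host) alerts in the order raised.
    Traffic from AUTHORISED_SCANNERS is skipped entirely.
    """
    alerts = []
    ports_seen = {}  # src host -> set of destination ports (sweep signature state)
    sweep_reported = set()
    for ev in events:
        if ev.src in AUTHORISED_SCANNERS:
            continue
        for sid in match_string_signatures(ev):
            alerts.append((sid, ev.src))
        ports = ports_seen.setdefault(ev.src, set())
        ports.add(ev.dport)
        if len(ports) >= SWEEP_PORT_THRESHOLD and ev.src not in sweep_reported:
            sweep_reported.add(ev.src)
            alerts.append((2001, ev.src))
    return alerts


# Constructed sample traffic for demonstration.
SAMPLE_EVENTS = [
    Event("192.0.2.10", "10.0.0.5", 80, b"GET /../../private/ HTTP/1.0\r\n"),
    Event("192.0.2.10", "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    # authorised scanner sweeping ports: must be ignored
    *[Event("10.0.0.50", "10.0.0.5", p, b"") for p in (21, 22, 23, 25, 80, 110)],
    # unknown host sweeping the same ports: raises the sweep signature once
    *[Event("198.51.100.7", "10.0.0.5", p, b"") for p in (21, 22, 23, 25, 80, 110)],
]

if __name__ == "__main__":
    for sid, src in analyse(SAMPLE_EVENTS):
        print(f"signature {sid} matched from {src}")
```

Running the script reports one string-signature match and one sweep alert; the six probes from the authorised scanner produce nothing, which is the "prevents unnecessary auditing" behaviour the first answer describes.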


Chapter 8

Network Security Management

Solutions in this chapter:

PIX Firewall Manager

CiscoWorks 2000 ACL Manager

Cisco Secure Policy Manager

Cisco Secure ACS


Introduction

The goal of network security management is to control access to network resources according to your business requirements and policies. With the appropriate authorization and authentication, access to sensitive information can be controlled; only people with the appropriate access codes will have access.

With an ever-increasing number of devices on your network that are used to secure your network resources against intruders, you need an uncomplicated and straightforward way to control and manage your network security policy. The Cisco applications covered in this chapter let you manage the security devices on your network effectively.

PIX Firewall Manager

When you need to administer a large network, you will have one or more firewalls on the border of your network, connecting either to the Internet or to a customer’s company with whom you need to communicate. The firewalls installed on your network will play an important role in protecting against intruders from outside your network. It is critical that you manage them effectively and efficiently.

Cisco has developed PIX Firewall Manager for their PIX Firewall product range to do just this. The rules for accessing your network are defined at a central point and can be distributed to multiple firewalls on the border of your network.

PIX Firewall Manager Overview

When you have one or more PIX Firewalls installed on your network protecting the resources inside your network against potential intrusion from outside, you can use PIX Firewall Manager to administer and manage the PIX Firewall device security policy. PIX Firewall Manager can manage one or more PIX Firewalls from any host with a Graphical User Interface (GUI). The most basic use of PIX Firewall Manager is to add, remove, and change the security policy and rules for all communication between your network and the outside world.

PIX Firewall Manager, or PFM, can be installed on a Microsoft Windows NT Server or Workstation and includes two components:

Management Server

Management Client

Network Security Management • Chapter 8 343

After the installation of the PFM software on your server is complete, the new service added to the Windows NT server, called PIX Firewall Manager Server, is started automatically. This service is used for the Management Server component and runs in the background. It handles all requests from the Management Client and sends the requests to the selected PIX Firewall. All the responses for the requests are redirected back to the Management Client.

NOTE

There is no shortcut created on the desktop or task bar to control the PIX Firewall Manager Server. You can start and stop this service only within the Services application in the Control Panel.

The Management Client component is an extra Java applet that is installed with the PFM software. You use this applet from any host on the network that has an Internet browser installed and that is Java 1.02 compliant. This makes it very easy to manage your PIX Firewalls from any PC on the network; just make sure that you pick a good, nonguessable password to log on to the Management Server and that the client is well protected.

When using your Internet browser to connect to the Management Client on the PFM server, you are able to set custom alarms for specific events that happen on the specified PIX Firewall; these will alert you if any potential problems occur. PIX Firewall Manager Server includes a SYSLOG server. The PIX Firewalls in your network can be configured to use PFM as the logging server. In PFM, the SYSLOG notification settings can be changed so that you are informed by whichever method is most useful to you. You can also generate reports based on the usage and view the SYSLOG messages of the specified PIX Firewall.

You can change the common configuration on your PIX Firewall using the corresponding tab in PFM, within the same GUI of the Management Client. This common configuration allows you to configure all the authentication and authorization settings on the PIX Firewall, including Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) configuration. You can also change or manage all Telnet session connections to the PIX Firewall, allowing specific access and closing unwanted active sessions.

If you have a new PIX Firewall to configure, you can use the PIX Firewall Setup Wizard or a terminal connection using the CLI to configure the PIX Firewall for the first time. You need the console cable to connect to the Firewall console port and to the host COM port for the initial configuration of the PIX.

PIX Firewall Manager Benefits

All of Cisco’s equipment can be managed via a Telnet connection to the device, using a normal Telnet client. This interface, or configuration mode, is called a Command Line Interface (CLI), and you can use commands specific to the device to add, remove, and change the configuration file. The CLI may sometimes be required to access commands not available in the PIX Firewall Manager software. Overall, PFM covers the most commonly used configuration and settings on the PIX Firewall.

When you use PFM to manage PIX Firewalls on your network, you will be able to connect to the Management Client from anywhere on your network. With this connection, you will use the Management Server to relay requests and responses to and from any PIX Firewall on your network. This means that you always have one central point to manage all PIX Firewall policies.

Conversely, if you use the CLI to manage and configure your PIX Firewalls, you will always connect to the specific IP address of the PIX Firewall to alter the configuration. This could become very time-consuming if your policy for the network security changes and you need to implement this change on all the PIX Firewalls in your administrative domain and your network.

When you are using the alarms to notify you when a possible intrusion occurs, the PFM can be used as a central point for all notifications configured in all the PIX Firewalls on the network. If you need to implement this kind of policy, it would take you more than half the time to set specific alerts with PFM than it would with the CLI.

The customized alarms configured in PFM will allow you to set specific SYSLOG message-received thresholds based on time. If a specific SYSLOG message is received more times than the set threshold in one minute, it will generate a notification as configured in the notification configuration tab of PFM.
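To make the per-minute threshold rule concrete (and the earlier point that PFM acts as the SYSLOG server for the PIX Firewalls), here is an added Python script that applies the same rule to a handful of PIX-style syslog lines. It is not PFM code: the log lines are constructed samples that only follow the %PIX-severity-msgid identifier convention, and the threshold value, device name and addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# PIX syslog messages carry an identifier of the form %PIX-<severity>-<msgid>.
# The lines below are constructed samples in that form; they are not taken from
# a real device.
SAMPLE_SYSLOG = """\
Mar 10 09:15:01 pix1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/3101 dst inside:10.0.0.5/23
Mar 10 09:15:02 pix1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/3102 dst inside:10.0.0.5/23
Mar 10 09:15:04 pix1 %PIX-6-302001: Built outbound TCP connection 1 for faddr 198.51.100.9/80
Mar 10 09:15:05 pix1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/3103 dst inside:10.0.0.5/23
Mar 10 09:15:07 pix1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/3104 dst inside:10.0.0.5/23
Mar 10 09:16:30 pix1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/3105 dst inside:10.0.0.5/23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) %PIX-(?P<sev>\d)-(?P<msgid>\d{6}):"
)

# Alarm thresholds: msgid -> maximum occurrences per minute per device.
# Constructed value; in PFM this is set in the notification configuration tab.
THRESHOLDS = {"106023": 3}


def parse_line(line):
    """Return (minute bucket, host, msgid), or None if the line is not a PIX message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The syslog timestamp has no year; a fixed year is assumed for bucketing.
    ts = datetime.strptime("2000 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts.replace(second=0), m.group("host"), m.group("msgid")


def evaluate(log_text, thresholds=THRESHOLDS):
    """Count messages per (device, msgid, minute) and return the notifications
    whose count exceeds the threshold, as (host, msgid, "HH:MM", count)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, host, msgid = parsed
        if msgid in thresholds:
            counts[(host, msgid, minute)] += 1
    notifications = []
    for (host, msgid, minute), n in sorted(counts.items()):
        if n > thresholds[msgid]:
            notifications.append((host, msgid, minute.strftime("%H:%M"), n))
    return notifications


if __name__ == "__main__":
    for host, msgid, minute, n in evaluate(SAMPLE_SYSLOG):
        print(f"{host}: message {msgid} seen {n} times in minute {minute}, threshold exceeded")
```

With the sample above, message 106023 appears four times in the 09:15 minute and once in the 09:16 minute, so only the first bucket crosses the threshold of three and produces a notification; the 302001 message has no threshold and is ignored.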

In general, PFM is used for centralized administration of all your PIX Firewalls on the network, and, with the easy-to-use GUI of the Management Client Java applet running on the Internet browser, you can change all the common configuration settings on the managed PIX Firewalls with ease—no commands to remember and no mistypes. The Management Client Java applet can be used from any host that is compliant with the Management Client requirements (discussed later in this chapter). This allows you to use any operating system that meets the requirements to manage your PIX Firewalls.

Supported PIX Firewall IOS Version Versus PIX Firewall Manager Version

Cisco has released quite a few versions of PIX Firewall IOS running on the PIX Firewall device and of PIX Firewall Manager running on the Windows NT server. The idea behind all these releases is to fix problems reported or detected by Cisco and to add new functionality. The PFM software will also be upgraded as new versions of the PIX Firewall IOS become available, including bug fixes for PFM itself.

The most recent versions of PFM will be compatible with most of the new PIX Firewall IOS versions available. Table 8.1 shows that the latest PFM software will not support some of the older PIX Firewall versions. Use Table 8.1 as a reference when installing your licensed copy on your Windows NT server; check to see if your PIX Firewall IOS version will be compatible with PFM.

Table 8.1 PIX Firewall IOS Version Supported by PIX Firewall Manager Version

PIX Firewall Manager Version PIX Firewall IOS Version