CHAPTER 1

Introducing IDS Device Manager

This chapter provides information for installing and getting started with IDS Device Manager version 4.0. This chapter contains the following sections:
• Advisory
• Introducing IDS Device Manager
• Getting Started

Advisory

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer, and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return the enclosed items immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at the following website:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance, contact us by sending email to [email protected].

Installing and Using the Cisco Intrusion Detection System Device Manager and Version 4.0 78-15283-01 1-1 Chapter 1 Introducing IDS Device Manager Introducing IDS Device Manager

Introducing IDS Device Manager

IDS Device Manager is a web-based application that allows you to configure and manage your sensor. The web server for IDS Device Manager resides on the sensor. You can access it through Netscape or Internet Explorer web browsers. The IDS Device Manager user interface consists of a Path bar, TOC, Options bar, tabs, page, tools, Activity bar, Instructions box, and Object bar. Figure 1-1 illustrates the GUI elements of IDS Device Manager.

Figure 1-1 IDS Device Manager GUI Elements

Figure 1-1 Reference | Element | Description
1 | Path bar | Provides a context for the displayed page. Shows tab, option, and then the page you are working on.
2 | TOC | Displays available suboptions, if required. Select an item from the TOC.
3 | Options bar | Displays the options available for the selected tab.
4 | Tabs | Provides access to product functionality. Select a tab to access its options. Devices—Displays options for setting up the sensor. Configure—Displays options for configuring intrusion detection on the sensor. Monitoring—Displays options for setting up monitoring on the sensor. Administration—Displays options for administering the sensor. Click a tab to display the available features.
5 | Page | Displays the area on which you perform application tasks.
6 | Tools | Contains the Logout, Help, NSDB, and About buttons. Logout—Logs the current user out of IDS Device Manager, allowing other users to log in without forcing the login. If you have unsaved changes, you are notified and given the option to cancel the operation or continue and discard the changes. Help—Opens a new window that displays context-sensitive help for the displayed page. The window also contains buttons that you use to go to the overall help contents, index, and search tool. NSDB—Opens the Network Security Database in a new window. About—Displays the IDS Device Manager version and copyright information in a new window.
7 | Instructions box | Provides a brief overview of how to use the page.
8 | Activity bar | Displays a set of changes or additions to devices that must then be submitted for approval.
9 | Object bar | Displays the object or objects selected in the Object Selector.

Tools—found in the upper right corner of each page—has the following options:
• Logout—Logs the current user out of IDS Device Manager, allowing other users to log in without forcing the login. If you have unsaved changes, you are notified and given the option to cancel the operation or continue and discard the changes.
• Help—Opens the online help in a new window.
• NSDB—Opens the Network Security Database in a new window.
• About—Displays the IDS Device Manager version and copyright information in a new window.

To configure the sensor, click each of the four tabs—Device, Configuration, Monitoring, and Administration—and work through the configuration of each tab. Menus for each tab appear in the TOC. New configurations do not take effect until you click Apply to Sensor on the page you are configuring. Click Reset to discard current changes and return the panel to its previous state.

Getting Started

The following sections describe information that you must know before getting started with IDS Device Manager.
• System Requirements
• Installing IDS Device Manager
• Initializing the Sensor
• Connecting and Logging in to IDS Device Manager
• IDS Device Manager and Cookies
• IDS Device Manager and Certificates

System Requirements

The following web browsers are compatible with IDS Device Manager:
• Netscape (version 4.79 or later).
• Internet Explorer (version 5.5 Service Pack 2 or later).

Note Although other browsers may work with IDS Device Manager 4.0, we only support the listed browsers.

The web browsers run on the following operating systems:
• Windows NT 4.0 Service Pack 6.
• Professional and Server.
• Solaris SPARC version 2.7.
• Solaris SPARC version 2.8.

Installing IDS Device Manager

The IDS Device Manager is part of the version 4.0 sensor. IDS Device Manager is enabled by default to use SSL after you initialize the sensor. For the initialization procedure for setting up the sensor to communicate with the IDS Device Manager, refer to the following documents found at the following websites:
• Quick Start Guide for the Cisco Intrusion Detection System Version 4.0
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps5052/products_quick_start_list.html
• Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.0
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_books_list.html

Initializing the Sensor

To initialize the sensor so that it can communicate with IDS Device Manager, you must configure the communication parameters. To configure these parameters, use the setup command at the CLI on the sensor. For the procedure for initializing the sensor, refer to the following documents found at the following websites:
• Quick Start Guide for the Cisco Intrusion Detection System Version 4.0
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps5052/products_quick_start_list.html
• Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.0
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_books_list.html

Connecting and Logging in to IDS Device Manager

IDS Device Manager allows a single user to log in at a time. To connect and log in to the IDS Device Manager, follow these steps:

Step 1 Open a web browser and enter the sensor IP address (the IDS Device Manager is already installed on the version 4.0 sensor):
https://sensor ip address

https://10.1.9.201 is the default address, which you change to reflect your network environment when you initialize the sensor. For the procedure for initializing the sensor, refer to the following documents found at the following websites:
• Quick Start Guide for the Cisco Intrusion Detection System Version 4.0
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps5052/products_quick_start_list.html
• Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.0
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_books_list.html

Step 2 Type your username and password at the prompt.

Note The default username and password are both cisco. You were prompted to change the password during sensor initialization.

IDS Device Manager and Cookies

IDS Device Manager uses cookies to track sessions, which provides a consistent view. IDS Device Manager uses only session cookies (temporary), not stored cookies.

Caution IDS Device Manager does not work if your browser does not accept IDS Device Manager cookies.

If accepting cookies is an issue for you, we recommend that you try the following procedures:
• Enable only session cookies, but no stored cookies. Most browsers allow stored and session cookies to be enabled or disabled separately.
• Accept only cookies that originate from IDS Device Manager. Most cookie filtering products allow you to filter cookies by originator.
• View the IDS Device Manager cookie to verify that no personal information is stored in the cookie. IDS Device Manager cookies contain only a randomly generated value that is used by the web server to bind your request to your session.

IDS Device Manager and Certificates

This section contains these topics:
• Explaining Certificates
• Validating the Certificate Fingerprint for Netscape
• Validating the Certificate Fingerprint for Internet Explorer

Explaining Certificates

IDS version 4.0 contains a web server that is running the IDS Device Manager. To provide security, this web server uses an encryption protocol known as Transport Layer Security (TLS), which is closely related to the Secure Socket Layer (SSL) protocol. When you enter a URL into the web browser that starts with https://ipaddress, the web browser responds by using either the TLS or SSL protocol to negotiate an encrypted session with the host.

Caution The web browser initially rejects the certificate presented by IDS Device Manager because it does not trust the certification authority (CA).

Note IDS Device Manager is enabled by default to use TLS/SSL. You can disable it by selecting Device > Sensor Setup > Network and deselecting TLS/SSL. See Configuring Network Settings, page 2-2 for information.

The process of negotiating an encrypted session in TLS is called “handshaking,” because it involves a number of coordinated exchanges between client and server. The server sends its certificate to the client. The client performs the following three-part test on this certificate:
1. Is the issuer identified in the certificate trusted? Every web browser ships with a list of trusted third-party CAs. If the issuer identified in the certificate is among the list of CAs trusted by your browser, the first test is passed.
2. Is the date within the range of dates during which the certificate is considered valid? Each certificate contains a Validity field, which is a pair of dates. If the date falls within this range of dates, the second test is passed.
3. Does the common name of the subject identified in the certificate match the URL hostname? The URL hostname is compared with the subject common name. If they match, the third test is passed.

When you direct your web browser to connect with IDS Device Manager, the certificate that is returned fails because the sensor issues its own certificate (the sensor is its own CA) and the sensor is not already in the list of CAs trusted by your browser. When you receive an error message from your browser, you have three options:
• Disconnect from the site immediately.
• Accept the certificate for the remainder of the web browsing session.
• Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the certificate until it expires.

The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from being victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in your web browser is the same as the one on your sensor.

Caution If you change the organization name or hostname of the sensor, a new certificate is generated the next time the sensor is rebooted. The next time your web browser connects to IDS Device Manager, you will receive the manual override dialog boxes. You must perform the certificate fingerprint validation again for Netscape and Internet Explorer.

Validating the Certificate Fingerprint for Netscape

To use Netscape to validate the certificate fingerprint, follow these steps:

Step 1 Open a web browser and enter the sensor IP address to connect to the IDS Device Manager:
https://sensor ip address

The New Site Certificate panel appears.

Figure 1-2 New Site Certificate Panel

Step 2 Click Next, and then click More Info. The View A Certificate panel appears.

Figure 1-3 View A Certificate Panel

Note Leave the View A Certificate panel open.

Step 3 Connect to the sensor in one of the following ways:
• Connect a terminal to the console port of the sensor.
• Use a keyboard and monitor directly connected to the sensor.
• Telnet to the sensor.
• Connect through Secure Shell (SSH).

Step 4 Log on as root.

Step 5 Enter the following command:
# fingerprint[/usr/nr/idsRoot/etc/cert/mytestca.cer]
MD5 fingerprint: 24:7D:10:51:F7:3F:EE:20:2F:8C:91:95:19:A1:E0:6B
SHA-1 fingerprint: 26:DA:FD:BF:EE:52:53:EF:56:64:F0:5C:30:D6:82:30:61:1D:A0:DD

Step 6 Compare the MD5 fingerprint with the value displayed in the View A Certificate panel. You have validated that the certificate that you are about to accept is authentic.

Caution If the fingerprints do not match, you need to determine why. Make sure you are connected to the correct IP address for the sensor. If you are connected to the correct IP address and the fingerprints do not match, this could indicate that your sensor may have been compromised.

Step 7 Click OK to close the View A Certificate panel.

Step 8 Click Next and click the Accept this certificate forever (until it expires) radio button.

Step 9 Click Next twice, and then click Finish.

Validating the Certificate Fingerprint for Internet Explorer

To use Internet Explorer to validate the certificate fingerprint, follow these steps:

Step 1 Open a web browser and enter the sensor IP address to connect to the IDS Device Manager:
https://sensor ip address

The Security Alert panel appears.

Figure 1-4 Security Alert Panel

Step 2 Click View Certificate. The Certificate panel appears.

Figure 1-5 Certificate Panel

Step 3 Click the Details tab.

Step 4 Scroll down the list to Thumbprint and select it.

Figure 1-6 Certificate Panel

You can see the thumbprint in the text field.

Note Leave the Certificate panel open.

Step 5 Connect to the sensor in one of the following ways:
• Connect a terminal to the console port of the sensor.
• Use a keyboard and monitor directly connected to the sensor.
• Telnet to the sensor.
• Connect through SSH.

Step 6 Log on as root.

Step 7 Enter the following command:
# fingerprint[/usr/nr/idsRoot/etc/cert/mytestca.cer]
MD5 fingerprint: 24:7D:10:51:F7:3F:EE:20:2F:8C:91:95:19:A1:E0:6B
SHA-1 fingerprint: 26:DA:FD:BF:EE:52:53:EF:56:64:F0:5C:30:D6:82:30:61:1D:A0:DD

Step 8 Compare the SHA-1 fingerprint with the value displayed in the open Certificate thumbprint text field. You have validated that the certificate that you are about to accept is authentic.

Caution If the fingerprints do not match, you need to determine why. Make sure you are connected to the correct IP address for the sensor. If you are connected to the correct IP address and the fingerprints do not match, this could indicate that your sensor may have been compromised.

Step 9 Click the General tab.

Step 10 Click Install Certificate. The Certificate Import Wizard appears.

Figure 1-7 Certificate Import Wizard

Step 11 Click Next. The Certificate Store dialog box appears.

Figure 1-8 Certificate Store Dialog Box

Step 12 Select Place all certificates in the following store, and then click Browse. The Select Certificate Store dialog box appears.

Figure 1-9 Select Certificate Store Dialog Box

Step 13 Click Trusted Root Certification Authorities, and then click OK.

Step 14 Click Next, and then click Finish. The Root Certificate Store dialog box appears.

Figure 1-10 Root Certificate Store Dialog Box

Step 15 Click Yes, and then click OK.

Step 16 Click OK to close the Certificate dialog box.

Step 17 Click Yes to open IDS Device Manager.
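
The fingerprint comparison used in both procedures above (MD5 for Netscape, SHA-1 for Internet Explorer), shown as an added Python example that is not part of the original Cisco document. It hashes the certificate presented to the client and compares it with the value read at the sensor console, tolerating colon, space, and case differences. SAMPLE_DER is a constructed stand-in byte string rather than a real sensor certificate, and the function names are illustrative.

```python
import hashlib
import hmac
import ssl

# The two digests printed by the sensor's fingerprint command on this page.
ALGORITHMS = ("md5", "sha1")

# Constructed stand-in for a DER-encoded certificate (NOT a real sensor cert).
SAMPLE_DER = b"abc"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hash the DER bytes and format the digest as AA:BB:..., as shown on the page."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize(displayed: str) -> bytes:
    """Reduce a displayed fingerprint (colons, spaces, any case) to raw bytes."""
    hex_only = "".join(ch for ch in displayed if ch not in ": \t\r\n")
    return bytes.fromhex(hex_only)  # ValueError if the paste is not hex


def matches_console(pem: str, console_value: str, algorithm: str) -> bool:
    """True only if the presented certificate hashes to the console value."""
    expected = normalize(console_value)
    actual = hashlib.new(algorithm, ssl.PEM_cert_to_DER_cert(pem)).digest()
    if len(expected) != len(actual):
        return False  # truncated paste, or MD5 compared against SHA-1
    return hmac.compare_digest(actual, expected)


def fetch_presented_cert(host: str, port: int = 443) -> str:
    """Return the PEM certificate the server presents, unvalidated (needs network)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    for algo in ALGORITHMS:
        print(f"{algo}: {fingerprint(SAMPLE_DER, algo)}")
    # Value as typed from the console; a browser may show spaces and lower case.
    console = fingerprint(SAMPLE_DER, "sha1").replace(":", " ").lower()
    print("match:", matches_console(SAMPLE_PEM, console, "sha1"))
```

Against a live sensor, pass the result of fetch_presented_cert to matches_console together with the fingerprint read over the console connection; a False result corresponds to the mismatch case described in the Caution.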
