Lab 1
MARS Jump Start Training
Lab Guide, September 2008, Version 2.0. Created by Team ASTEC
© 2008 Cisco Systems, Inc.
Table of Contents
Task 1: Accessing the Devices in Lab (5-10 min) ..... 3
Task 2: Prep and Test the Lab (10-15 min) ..... 4
Task 3: Setup IOS IPS (20-25 min) ..... 5
Task 4: Prepping/Adding Devices to MARS (35-45 min) ..... 8
Task 5: Attack Web Server & then Monitor Mitigate via MARS (45 min) ..... 16
Task 6: Configuring Alerts and Notifications (20 min) ..... 21
Exercise 1: Solutions Sale Mock Interview & SoW Generation with customer responses ..... 27
Exercise 2: Solutions Sale Mock Interview & SoW Generation - SE interview ..... 31
MARS Lab Logical Topology Diagram ..... 35
Task 1: Accessing the Devices in Lab (5-10 min)

Purpose: The purpose of this task is to VPN into your pod to ensure connectivity and authentication is working properly.

Step 1. Go to https://pgY.daxm.net/student, where Y is your pod set number, to access the labs. The lab proctor will inform you of the pod set number for your labs.
Step 2. Login as psYpodX/<password> where Y is your pod set number, and X is your pod number. Your <password> will be provided by the lab proctor.
Step 3. Click the appropriate link to connect to your device.
NOTE: All auth challenges are username/password: administrator/cisco123 UNLESS otherwise specified in lab doc steps. You may want to write this down for future reference.
Task 2: Prep and Test the Lab (10-15 min)

Purpose: The purpose of this task is to default the router and firewall (ASA).

Step 1. Test the remote desktop connectivity to UserPC1, UserPC2, and AttackPC by clicking on the links from the portal page.
Note: Within VNC, to send ctrl-alt-del or enable/disable full screen use F8 to open the options toolbar.
Step 2. From the desktop of UserPC1, telnet to 2811a.acme.com to access the lab's 2811 router.
a. Use the 'delete /force /recursive flash:ips' command in Privileged EXEC Mode (this may be left over from a previous lab, so this command will remove it and its contents). Your router may or may not have this folder listed in flash. If it doesn't, just move on to step 3.
Step 3. To do a final test from the router, be sure you can ping 2811a.acme.com, asa5510.acme.com, and w2kserver.acme.com, as these are the main devices used in this lab.
NOTE: If any of the above tests fail please notify your lab proctor.
Task 3: Setup IOS IPS (20-25 min)

Purpose: The 2811 router in the lab has an IOS code level that allows us to run the IOS IPS feature set. Use the following commands to setup the router to use this feature set. These IPS settings will be used to monitor traffic from the ASA firewall coming inward, toward the corporate network, as well as from the "Guest" VLAN (VLAN 9) off of the router.

Step 1. From UserPC1, telnet to 2811a.acme.com.
Step 2. The IPS signatures will be uploaded to flash, so create a directory to store these signatures using the 'mkdir ips' command in Privileged EXEC Mode. You can issue the 'show flash' command to ensure the ips directory was made.
Now we need to configure the IOS IPS crypto key:
Step 3. From the desktop of UserPC1 open up the "Software/IOS IPS" subfolder. Within this folder is a text file named "publickey.txt". Open up this file and copy the contents of this file into your clipboard.
NOTE: The key was downloaded from CCO along with the signature files. It is required to validate the signature file as it is loaded into the router with the idconf command.
Step 4. At the Global Configuration Mode prompt on the router paste the clipboard contents. This will add the crypto key used by the IPS signature file. The crypto key is used to verify the digital signature for the master signature file (sigdef-default.xml), whose contents are signed by a Cisco private key to guarantee its authenticity and integrity at every release. The sigdef-default.xml is used by MARS.
Step 5. Save the running configuration of the router to startup-config.
Step 6. Issue the 'ip ips name iosips' command in Global Configuration Mode. This will create a rule that will be used to enable the IPS features on an interface.
Step 7. Issue the 'ip ips config location flash:ips' command in Global Config Mode to define where the IPS signatures will be stored.
Step 8. Enable SDEE event notification. This is used by MARS and CSM to learn of the events as well as to implement remediation. Issue the 'ip ips notify sdee' command in Global Configuration Mode.
Step 9. By default, IOS IPS only allows 1 SDEE connection. Use the 'ip sdee subscriptions 3' Global Configuration Mode command to enable the maximum number of SDEE connections for IOS IPS.
Step 10. Use the 'ip ips notify log' command, in Global Configuration Mode, to enable syslog for IPS events. IOS IPS also supports the use of syslog to send event notification. SDEE and syslog can be used independently or enabled at the same time to send IOS IPS event notification. Syslog notification is enabled by default. If logging console is enabled, you will see IPS syslog messages. Ensure syslog is on with the 'show logging' command from Privileged EXEC Mode.
Step 11. Enable the HTTPS server on the router for remote administrative access. Use the 'ip http secure-server' command in Global Configuration Mode to enable the HTTPS server.
Step 12. Configure the IOS IPS to use the default basic signature set.
Cisco's IOS IPS feature set runs resident in the router if it isn't in a separate module. This means that the memory and CPU of the router are affected by which signatures are being monitored. Therefore, disable (retire) all signatures EXCEPT the ones that are needed.
NOTE: Take care to use exit and not cntl-z to save ips category changes!!! If you don't, you will have to reload the router WITHOUT saving changes and redo this step.
Use the following commands to setup this structure:
# copy running-config startup-config
# configure terminal
(config)# ip ips signature-category
(config-ips-category)# category all
(config-ips-category-action)# retired true
(config-ips-category-action)# exit
(config-ips-category)# category ios_ips basic
(config-ips-category-action)# retired false
(config-ips-category-action)# exit
(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Press Enter>
Critical Check → Did you get the prompt to accept these changes? If you don't get the prompt to confirm your changes you will need to reload the router without saving your changes! To confirm your changes were accepted, type 'show ip ips category ios_ips basic config'. Verify your output is "Retire: False".
Step 13. Since we are monitoring traffic incoming from the ASA toward the corporate network, we need to enable the IPS rules on interface FastEthernet 0/0.X5, where X is your pod number. The rule was created earlier in step 7.
(config)# interface FastEthernet 0/0.X5
(config-if)# ip ips iosips in
Step 14. Now enable the monitoring for incoming traffic from the "Public" VLAN. The subinterface FastEthernet 0/0.X9 is the Public VLAN.
(config)# interface FastEthernet 0/0.X9
(config-if)# ip ips iosips in
Step 15. We are now ready for the signature file. It is stored on UserPC1's desktop in the "Software/IOS IPS/IOS IPS 5-24-08" subfolder.
NOTE: Be sure you tftp upload the IOS-S334-CLI.pkg file found in the "Software/IOS IPS/IOS IPS 5-24-08" subfolder, NOT another IPS signature file.
a. Run 3CDaemon on UserPC1. This program is our TFTP server. Select the Configure TFTP Server Settings icon and set the Upload/Download directory to "C:\Documents and Settings\Administrator\Desktop\Software\IOS IPS\IOS IPS 5-24-08\" (don't include the quotes). Click OK to save your changes. Stop and Start the TFTP Server.
b. At the router's Privileged EXEC Mode issue the 'terminal monitor' command to watch the syslog events as we upload the signatures.
c. Now issue the 'copy tftp://192.168.4.50/IOS-S334-CLI.pkg idconf' command in Privileged EXEC Mode. You will see syslog messages showing the IOS IPS signatures being installed into the flash:ips directory.
d. After the .pkg file copies over, use the 'dir flash:ips' command to see the contents of the flash:ips directory.
Step 16. Use the 'show ip ips signatures count' command to ensure you have version S334.0 (located at the top of this command's output) and the Total Signatures should be 2271 (located near the end of this command's output).
Step 17. Close 3CDaemon once done.
NOTE: By default all signatures are configured to "Alarm" action only. This implies that signature tuning is needed to actively block attacks. Later in the lab we will set some of the signatures to block attacks.
Task 4: Prepping/Adding Devices to MARS (35-45 min)

Purpose: The purpose of this lab is to add the necessary configuration commands to the router and ASA for connectivity with MARS, and then configure the MARS by adding the devices and setting up some basic connectivity. Part of the way MARS communicates with devices is via SNMP, so setup SNMP on each device for polling before adding it to MARS. SSH will also be configured for full device discovery.

Step 1. Log into router 2811a and issue the following commands in Global Configuration Mode:
(config)# snmp-server community cisco123 RO
(config)# snmp-server location ACME Data Center
(config)# snmp-server contact Road Runner rrunner@acme.com
(config)# snmp-server trap-source loopback 0
(config)# logging 192.168.2.30
(config)# line vty 0 4
(config-line)# transport input ssh
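As an added example (not part of the lab guide), the following Python script audits a 'show running-config' excerpt for the Step 1 settings MARS depends on, flagging a read-write community and a vty line that still accepts telnet. Both config excerpts are constructed; the collector address 192.168.2.30 is the one used in the step above.

```python
import re

# Constructed 'show running-config' excerpt of a router that does NOT yet meet the
# Step 1 settings (read-write community, no location, vty still accepts telnet).
WEAK_RUNNING_CONFIG = """\
hostname 2811a
!
snmp-server community cisco123 RW
snmp-server contact Road Runner rrunner@acme.com
logging 192.168.2.30
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

# Constructed excerpt after applying the Step 1 commands from this task.
LAB_RUNNING_CONFIG = """\
hostname 2811a
!
snmp-server community cisco123 RO
snmp-server location ACME Data Center
snmp-server contact Road Runner rrunner@acme.com
snmp-server trap-source Loopback0
logging 192.168.2.30
!
line vty 0 4
 transport input ssh
 login local
!
end
"""

MARS_COLLECTOR = "192.168.2.30"  # MARS appliance address used by the 'logging' command above


def vty_block(config):
    """Return the indented sub-commands under the first 'line vty' stanza."""
    block, in_vty = [], False
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" "):
            block.append(line.strip())
        elif in_vty:
            break  # stanza ends at the first non-indented line ('!' or another section)
    return block


def audit_mars_prereqs(config):
    """Return a sorted list of findings; empty when the config meets the Step 1 settings."""
    findings = []
    communities = re.findall(r"^snmp-server community (\S+)(?: (RO|RW))?", config, re.M)
    if not communities:
        findings.append("missing: snmp-server community (MARS polls the device via SNMP)")
    for name, mode in communities:
        # IOS treats a community with no RO/RW keyword as read-only.
        if mode == "RW":
            findings.append(f"snmp-server community '{name}' is not read-only; MARS only needs RO")
    for keyword in ("location", "contact"):
        if not re.search(rf"^snmp-server {keyword} ", config, re.M):
            findings.append(f"missing: snmp-server {keyword}")
    if not re.search(rf"^logging (?:host )?{re.escape(MARS_COLLECTOR)}\s*$", config, re.M):
        findings.append(f"missing: logging {MARS_COLLECTOR} (syslog to MARS)")
    transports = [l for l in vty_block(config) if l.startswith("transport input")]
    if not transports:
        findings.append("missing: 'transport input ssh' under line vty 0 4")
    elif any(t.split()[2:] != ["ssh"] for t in transports):
        findings.append("vty transport input allows more than ssh: " + "; ".join(transports))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_RUNNING_CONFIG), ("lab", LAB_RUNNING_CONFIG)):
        print(label, audit_mars_prereqs(cfg) or "OK")
```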
Step 2. Use the command 'show version' to see what version of software the router is running. This information will be used when adding the router to MARS.
Step 3. From UserPC1 open IE and from the home page use the CS-MARS link to access the MARS management interface. Login into MARS with the user/pass of pnadmin/cisco123 (password may autofill).
Step 4. Using the menu items across the top of the MARS screen click the ADMIN link.
Step 5. In the "Device Configuration and Discovery Information" section click the Security and Monitor Devices link.
Step 6. Note that there are no devices in MARS yet. Select Add (located along the right of the window) to start adding the 2811 router.
Step 7. Enter the following information about the router:
Device Type: Cisco IOS 12.4
Device Name: 2811a.acme.com
Access IP: 192.168.2.1
Reporting IP: 192.168.0.1
Access Type: SSH
Login: administrator
Password: cisco123
Enable Password: cisco123
SNMP RO Community: cisco123
Monitor Resource Usage: Yes
NOTE: If you are adding a switch, under the "Device Type", there is a selection for "Cisco Switch-IOS" in addition to "Cisco IOS".
Step 8. Click Discover.
NOTE: This will take some time (several minutes), partially because MARS also has to load all of the IOS IPS signatures but also because of the shared resources on our VM Server. Please be patient.
Step 9. Click OK once the discovery is done.
Step 10. MARS found that the router has IOS IPS running, so now we can add the IPS information into the device information window. Scroll to the bottom of the window and click Add IPS.
a. In the new window add the username/password of administrator/CiscoRocks. Click Test Connectivity to ensure this information is correct.
b. Oops, we got an error. Click OK on the error.
NOTE: The point of step 11a is to demonstrate the ability to view details of error messages, and how MARS deals with this type of issue.
c. There is now a View Error link along the bottom of the screen. Click View Error to see what is wrong. Once you see what the error is, fix the username/password information with administrator/cisco123.
d. Click Test Connectivity once more and we will get a "discovery is done" message. Click OK on that message.
e. Finally click Submit to add the IOS IPS information.
Step 11. Click Submit to add the router to MARS.
Step 12. Now that the router is in MARS, click the red Activate button in the top right of the window to submit the current changes to the MARS database. Close the activation done window to return to MARS.
NOTE: This lab guide was developed using pod 1. You may notice a different pod number under the "Device Name" field. Is this a problem? You bet it is! In this case, it's a router hostname issue. As part of the discovery, MARS pulled the hostname from the configuration file in the router. Since DNS has 2811a.acme.com, in the real world you would want to fix the hostname. For the purpose of this lab, this isn't a big deal.
Step 13. Go to the router and type 'show ip sdee subscriptions'.
Step 14. Telnet to asa5510.acme.com to setup connectivity to MARS. Here are the commands to be typed into Global Configuration Mode on the ASA:
(config)# logging host inside 192.168.2.30
(config)# snmp-server community cisco123
(config)# snmp-server location ACME Corporate
(config)# snmp-server contact rrunner@acme.com
(config)# snmp-server host inside 192.168.2.30 community cisco123
(config)# crypto key generate rsa modulus 1024
(config)# ssh 192.168.0.0 255.255.0.0 inside
(config)# aaa authentication ssh console LOCAL    (LOCAL must be uppercase)
Step 15. Return to MARS. If you need to, return to the Security and Monitoring Information page by clicking on the ADMIN link and then the Security and Monitor Devices link.
Step 16. Click Add to start the process of adding in the ASA. Use the following values:
Device Type: Cisco ASA 8.0
Device Name: asa5510.acme.com
Access IP: 192.168.5.254
Reporting IP: 192.168.5.254
Access Type: SSH, 3DES
Login: administrator
Password: cisco123
Enable Password: cisco123
SNMP RO Community: cisco123
Monitor Resource Usage: YES
Step 17. Click Discover.
Step 18. Click OK when discovery is done, and then click Submit.
Step 19. Click the red Activate button to save the ASA into MARS' database. Close the activation done window to return to MARS. You should now have 2 devices added into MARS.
NOTE: This lab guide was developed using pod 1. You may notice a different pod number under the "Device Name" field. Is this a problem? You bet it is! In this case, it's a router hostname issue. As part of the discovery, MARS pulled the hostname from the configuration file in the router. Since DNS has asa5510.acme.com, in the real world you would want to fix the hostname. For the purpose of this lab, this is not a big deal.
Step 20. There are two ways to get logging information from a Windows machine. In this lab we show the "pull" method and in day 2's lab we show the "receive" method. These methods are mutually exclusive, so don't activate both on the same device within MARS. We first need to setup the Windows server. Login into the Windows DC machine from the Student Portal page.
Note: Within VNC, to send ctrl-alt-del or enable/disable full screen use F8 to open the options toolbar.
Step 21. Open up the "Active Directory Users and Computers" link located at "Start → Programs → Administrative Tools → Active Directory Users and Computers".
Step 22. Click on "Action → New → User" to open up the Add new user page to create the user account that will be used by the MARS appliance to log into this server and pull its security, application, and system event logs.
a. Fill in the following:
First Name: Mars
Last Name: Manager
Username: mars
b. Click Next.
c. Add the password information: Password: cisco123. Check the box next to "Password never expires".
d. Click Next. Review the user's information and then click Finish.
Step 23. Right click the newly created account and select "Add members to a group...". Select the Administrator group and click OK.
Step 24. Go to Start → Programs → Administrative Tools → Local Security Policy to setup the audit settings so that these events will be audited.
a. Open up the Local Policies folder.
b. Click on the Audit Policy folder.
c. Right click each item (9 items) in the right hand pane, select "Security", and then check the boxes next to "Success" and "Failure" to enable auditing on all events. Click OK when done for each item.
Note: The effective setting for the auditing is set to No auditing.
Step 25. Return to the MARS window on UserPC1 to add this server as a monitored device in MARS. Click on ADMIN, then Security and Monitor Devices (you may already be here on return to MARS).
Step 26. Click Add to start the process of adding in this server.
a. Select Add SW security apps on new host from the Device Type dropdown menu, since MARS is already aware of this server.
b. Finish filling out the information not already known by MARS:
Device Name: w2k-server.acme.com
Access IP: 192.168.3.10
Reporting IP: 192.168.3.10
Operating System: Windows
c. Select the Logging Info link to open up a new window. Fill out the information with:
Windows Operating System: Microsoft Windows 2000
Check the Pull box
NOTE: Don't check Receive as this isn't configured and checking both is not supported.
Domain Name: acme.com
Host login: mars
Host password: cisco123
d. Click Submit.
e. Add interface IP and mask for ether0 (MARS may already have this information populated) and click Apply.
f. We now need to specify OS and patch information. Click on the column heading labeled "Vulnerability Assessment Info".
g. From the dropdown select ANY Windows 2000 Server (version:ANY,patch:ANY), and then click Apply.
h. Click Done.
i. Check to make sure your "Device Display" shows the graphic for "Not in cloud". The first figure below shows the Device Display in the cloud. Simply click the icon to change its status.
(Figure: Device Display shown "in the cloud".)
Should be…
(Figure: Device Display shown "Not in cloud".)
j. Click Activate.
Task 5: Attack Web Server & then Monitor Mitigate via MARS (45 min)

Purpose: The purpose of this task is to demonstrate the monitoring and mitigation features within MARS.

Step 1. Login into UserPC1 and open up the IE link to CS-MARS.
Step 2. Make sure that in MARS you are looking at the SUMMARY page.
Step 3. From the Student Portal, login into AttackPC and open up Internet Explorer.
NOTE: The VNC password is cisco123.
Step 4. Click the Test IIS Web Server bookmark to ensure you have access to the Intranet Web Server.
Step 5. Return to the home page and click the Sig 5801 Directory Traversal Attack link to send a directory traversal attack.
NOTE: You will get a "page cannot be displayed" message – this is fine, as the attack should have run in the background.
Step 6. Switch over to the MARS SUMMARY window. You may want to change the "Page Refresh Rate" to 1 minute to speed up the page updates. Watch for the attack to show up. (It may take 1-3 minutes).
NOTE: You could also see this attack in IOS IPS via the router's local log or by watching the syslog messages.
Step 7. Once you see the attack, click on the 'Incident ID' for that attack (your Incident ID will be different than the one in the graphic below).
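The router's syslog messages mentioned in the note above can be checked without the MARS GUI. As an added example (not from the lab guide), the Python below parses IOS IPS %IPS-4-SIGNATURE lines, counts hits per signature (including the lab's 5801 and 5326), and lists the sources whose RiskRating reaches a threshold. The field layout is assumed from Cisco's documented IOS IPS 5.x syslog format, and the sample lines, hosts, ports and signature names are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what 'terminal monitor' / 'show logging' prints on the router;
# timestamps, hosts, ports and signature names are made up, not captures from the lab.
SAMPLE_SYSLOG = """\
*Sep 10 14:02:11.103: %IPS-4-SIGNATURE: Sig:5801 Subsig:0 Sev:100 WWW Directory Traversal [192.168.4.100:1537 -> 192.168.3.10:80] VRF:NONE RiskRating:100
*Sep 10 14:02:11.104: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:25 WWW WinNT cmd.exe access [192.168.4.100:1537 -> 192.168.3.10:80] VRF:NONE RiskRating:25
*Sep 10 14:03:40.220: %SYS-5-CONFIG_I: Configured from console by administrator on vty0 (192.168.2.30)
*Sep 10 14:09:02.517: %IPS-4-SIGNATURE: Sig:5326 Subsig:0 Sev:100 WWW root.exe access [172.16.9.20:3321 -> 192.168.3.10:80] VRF:NONE RiskRating:100
*Sep 10 14:09:02.518: %IPS-4-SIGNATURE: Sig:5326 Subsig:0 Sev:100 WWW root.exe access [172.16.9.20:3322 -> 192.168.3.10:80] VRF:NONE RiskRating:100
"""

# The two signatures this lab's Task 5 triggers against the intranet web server.
LAB_SIGNATURES = {5801: "Directory Traversal", 5326: "root.exe"}

# Field layout of an IOS IPS 5.x %IPS-4-SIGNATURE message (assumed from Cisco's
# documented format; the VRF field is treated as optional).
IPS_SIG_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))? RiskRating:(?P<rr>\d+)"
)


@dataclass(frozen=True)
class IpsEvent:
    sig: int
    subsig: int
    severity: int
    name: str
    src: str
    sport: int
    dst: str
    dport: int
    risk_rating: int


def parse_ips_events(log_text):
    """Extract IPS signature events; non-IPS messages (e.g. %SYS-5-CONFIG_I) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = IPS_SIG_RE.search(line)
        if m is None:
            continue
        events.append(IpsEvent(
            sig=int(m["sig"]), subsig=int(m["subsig"]), severity=int(m["sev"]),
            name=m["name"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), risk_rating=int(m["rr"])))
    return events


def summarize_by_signature(events):
    """Count events per signature id."""
    return dict(Counter(e.sig for e in events))


def lab_signature_hits(events):
    """Counts for only the signatures this lab expects to see (5801 and 5326)."""
    return {sig: n for sig, n in summarize_by_signature(events).items() if sig in LAB_SIGNATURES}


def find_high_risk_sources(events, threshold=100):
    """Source addresses with at least one event whose RiskRating reaches the threshold;
    these are the hosts a MARS 'Path/Mitigate' ACL suggestion would be written against."""
    return {e.src for e in events if e.risk_rating >= threshold}


if __name__ == "__main__":
    evs = parse_ips_events(SAMPLE_SYSLOG)
    print("events:", len(evs), "per-signature:", summarize_by_signature(evs))
    print("lab signatures:", lab_signature_hits(evs))
    print("high-risk sources:", sorted(find_high_risk_sources(evs)))
```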
Step 8. Scroll down and to the right and you'll see the Path/Mitigate column. Click on the Red Stop Sign to get the path vector of the attack.
NOTE: This can take a long time to load.
Step 9. After it loads, check out the "Full Topology" option to refresh the map with MARS' total topology awareness.
Step 10. In the left pane are MARS' options to remediate against this attack. The primary option MARS has will be listed just under the "Suggested" heading. If other options exist, MARS will list them under the "Alternative" heading. Click on the 2811a-pod4.acme.com link to reload this page with the remediation suggestion data loaded.
Step 11. Scroll to the bottom and review the suggested remediation.
NOTE: If there are no ACLs on the suggested interface of remediation, MARS will give you a RegExp ACL suggestion. Notice that the PUSH button is grayed out. If this was a Layer 2 remediation the push button would be offered to have MARS immediately push this suggestion out to the device.
Step 12. Add the following ACLs to the router. This way MARS will have the actual ACL names to reference in future remediation recommendations for this router:
(config)# ip access-list extended VLANX5    !!! (where X is your pod number) !!!
(config-ext-nacl)# permit ip any any
(config)# interface FastEthernet 0/0.X5
(config-if)# ip access-group VLANX5 in
(config)# ip access-list extended VLANX9    !!! (where X is your pod number) !!!
(config-ext-nacl)# permit ip any any
(config)# interface FastEthernet 0/0.X9
(config-if)# ip access-group VLANX9 in
Step 13. MARS will periodically query its known devices. However, to save time, do a manual rediscover of the router within MARS.
a. Go to the ADMIN → Security and Monitor Devices page on MARS.
b. Check the box next to the 2811a.acme.com router. Then select Edit.
c. Click Discover and then OK once the discovery is done.
NOTE: This takes time. Please be patient.
d. Scroll to the bottom of the page and select Submit.
e. Click Done and then Activate.
Step 14. Login to UserPC2. Ensure the VPN is NOT connected by attempting to ping 192.168.3.10 (the internal IP of the web server). That ping should fail.
Step 15. Launch IE and select the Test Web Server from Internet link to verify the web server is up and running.
Step 16. Click Home in IE and now click the Sig 5326 root.exe Attack link to attack the web server.
Step 17. Switch back to UserPC1 and watch for the event to appear on the MARS summary page.
Step 18. Click on the 'Incident ID' for the respective attack.
Step 19. Scroll down to the bottom again and click the 'Path/Mitigate' badge.
Step 20. Select the suggested option (which should be remediation on the ASA). Scroll down to see the suggested remediation options. Notice the different ways to block this attacker from the ASA.
Step 21. Now select the alternate option and scroll down. Notice that the suggested ACLs are now referencing the actual ACLs defined on the interface. Again notice that the PUSH button is still grayed out. However, you could copy and paste the recommendation into the router's Global Configuration Mode to remediate.
Task 6: Configuring Alerts and Notifications (20 min)

Purpose: Instead of looking at the MARS Summary screen 24/7, let MARS alert you when an event has occurred that requires your attention!

Step 1. From UserPC1 open up IE and click the CS-MARS link to launch the MARS management window.
Step 2. Select the ADMIN menu item across the top.
Step 3. Select the Configuration Information link in the CS-MARS Setup frame.
Step 4. Fill in the Mail Gateway information as follows (leave other defaults as is):
IP: 192.168.3.10
Port: 25
Email domain name: acme.com
Email Format: (Select the radio button by Full graphics)
Step 5. Click Update and Ok. Now create a rule and action that, when triggered, will send an email.
Step 6. First we need to add the users being emailed to MARS. Go to the ADMIN page. Along the top, find and click the User Management link. Click Add to add a new user.
Step 7. Add only the following information for a user who only needs to be alerted of an event occurring:
Role: Notification Only
First Name: Wilie
Last Name: Coyote
Organization: ACME
Email: wecoyote@acme.com
Work Phone: 123-123-1234
NOTE: Login, Password, and Re-enter Password fields are not required for Notification Only.
Step 8. Click Submit.
Step 9. Add the following information for a user who will have read and write access to MARS and only read access to the ADMIN menu.
Role: Security Analyst
Note: Think technician who has to do something about this.
Login: rrunner
Password: cisco123
Re-enter password: cisco123
First Name: Road
Last Name: Runner
Organization: SOC at ACME
Email: rrunner@acme.com
Step 10. Click Submit.
Step 11. Now add a group and include these two users.
a. Click the Add Group button.
b. Name: Red Alerts Group
c. Check the boxes next to "Wilie" and "Road".
22
M A R S J u mp Sta rt L a b G u ide d. Cl ick th e Ad d b u tton, l oca ted b el ow th e p a ne, to mov e th em ov er to th e l ef t p a ne.
e. Cl ick S u b m i t. S te p 12. N ow w e w a nt to crea te a ru l e th a t triggers on a ny ev ent th a t M A R S considers to b e R E D . a . Cl ick th e R U L E S b u tton f rom th e menu a nd th e sel ect th e Ad d b u tton to a dd a new ru l e. b . R u l e N a me: E ma il on R ed c. D escrip tion: T rigger on a ny red a l ert a nd send ema il to R ed A l erts G rou p d. Cl ick Ne x t. NO T E : In ste a d o f w a l k i n g y o u th r o u g h th e r e d u n d a n t ste p s to se t th e i n d i v i d u a l se a r c h f i e l d s f o r th i s r u l e , u se th e f o l l o w i n g su b -ste p s a s a te m p l a te u n ti l th e K e y w o r d c o l u m n . S te p 13. In th e righ t h a nd p a ne, ch eck th e b ox nex t to A N Y a nd th en u se th e righ t a rrow b u tton, l oca ted b etw een th e tw o p a nes, to mov e th e ch eck ed items to th e l ef t.
© 2008 Cisco Systems, Inc.
23
M A R S J u mp Sta rt L a b G u ide
S te p 14. Scrol l dow n to th e b ottom a nd cl ick Ne x t. S te p 15. R inse, rep ea t. S te p 16. O n th e K eyw ord col u mn j u st cl ick Ne x t.
© 2008 Cisco Systems, Inc.
24
M A R S J u mp Sta rt L a b G u ide S te p 17. O n th e Sev erity col u mn p a ge set th e Sev erity to R E D a nd p u t in a v a l u e of 1 in th e Cou nts f iel d. S te p 18. Cl ick Ne x t. S te p 19. A new screen w il l a sk if you a re done def ining th e ru l e conditions. T a k e a moment a nd rev iew you r ru l e' s col u mns to ensu re th a t A N Y sh ow s u p in a l l th e col u mns a nd Sev erity is R E D a nd Cou nt is 1 . NO T E : Yo u c a n n o t d e l e te a r u l e o n c e i t h a s b e e n c r e a te d b u t y o u c a n i n a c ti v a te th e m . Cl ick Y es to continu e.
S te p 20. T h e conditions f or th e ru l e h a v e now b een set. It is time to set th e a ctions triggered on a ma tch of th is ru l e. a . Scrol l to th e b ottom a nd cl ick a dd to crea te a new a ction. T h is w il l ta k e you th e a ction crea tion w indow . b . N a me: E ma il on R ed c. D escrip tion: E ma il R ed A l ert L ist d. Ch eck th e b ox nex t to E ma il a nd th en cl ick th e Ch a nge R ecip ient l ink nex t to th a t. e. A f a mil ia r screen w il l a p p ea r. U se it to a dd th e R ed A l erts G rou p a nd th en S u b m i t. f.
T h is retu rns you to th e p rev iou s screen. Scrol l dow n a nd cl ick S u b m i t.
g. N ow th a t ou r a ction h a s b een crea ted w e ca n now sel ect it a nd a ssocia te it to th e ru l e. A dd ou r ru l e a nd cl ick Ne x t. h . Since ou r cou nt col u mn w a s set to 1 you ca n ta k e th e def a u l ts on th e T ime R a nge p a ge. A s you ca n see, w e cou l d l imit ou r ru l e b eing triggered to a nu mb er of cou nts w ith in a giv en time f ra me.
© 2008 Cisco Systems, Inc.
25
M A R S J u mp Sta rt L a b G u ide
i.
Cl ick S u b m i t to crea te th is ru l e. D on' t f orget to h it th e Ac ti v a te b u tton.
S te p 21. If you ' d l ik e to rev iew you r ru l e, you ca n f ind it a s th e l a st entry in th e R u l es p a ge ( don' t f orget th ere a re mu l tip l e p a ges) . S te p 22. N ow l et' s trigger a red ev ent to trigger th is ru l e to ema il th e grou p . S te p 23. U se U serP C2 to l a u nch , yet a ga in, th e Sig 5326 a tta ck . S te p 24. R etu rn to th e M A R S Su mma ry p a ge to see th is ev ent. N ote th a t you ' l l see mu l tip l e entries on th e Su mma ry p a ge rel a ted to th is a tta ck ; O ne of w h ich is th e ru l e w e j u st crea ted. S te p 25. U serP C1 h a s a n ema il a ccou nt f or W il ie a nd U serP C2 h a s a n a ccou nt f or R oa d. O p en u p O u tl ook E x p ress on b oth desk top s a nd do a Send a nd R eceiv e. O n U serP C1 , since th e l ink in th e W il ie' s ema il w il l op en a new l ink to M A R S cl ose ou t, you r ex isting M A R S w indow b ef ore cl ick ing on a ny l ink s in th e ema il . If you a ttemp t to l og in w ith th e “N otif ica tion O nl y” a ccou nt you w il l N O T b e a b l e to l og in. H ow ev er, th e Secu rity A na l yst ca n l og in to dea l w ith th is a tta ck .
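As an added illustration, not part of the lab guide, the Python model below applies the three knobs that Steps 12 through 20 set in the GUI: a severity filter, the Counts threshold, and a Time Range window, and emits an email action addressed to the group's members when the threshold is met. The event stream, the timings, and the 300-second default window are constructed assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed sample data: the lab's Red Alerts Group members.
RED_ALERTS_GROUP = ["wecoyote@acme.com", "rrunner@acme.com"]


@dataclass
class Event:
    ts: int         # seconds since an arbitrary start (constructed)
    severity: str   # "RED", "YELLOW" or "GREEN"
    device: str     # reporting device
    signature: str  # e.g. the IPS signature name


@dataclass
class Rule:
    """One-line correlation rule: severity filter + Counts + Time Range."""
    name: str
    severity: str
    count: int        # the Counts field (1 in the lab's rule)
    window: int       # the Time Range, in seconds
    recipients: list
    hits: deque = field(default_factory=deque)

    def feed(self, ev: Event):
        """Offer one event; return the email action if the rule fires, else None."""
        if ev.severity != self.severity:
            return None
        self.hits.append(ev)
        # Slide the window: only events within the last `window` seconds count.
        while ev.ts - self.hits[0].ts > self.window:
            self.hits.popleft()
        if len(self.hits) < self.count:
            return None
        matched = list(self.hits)
        self.hits.clear()  # one notification per matched set of events
        return {"action": "email", "rule": self.name, "to": list(self.recipients),
                "events": [(e.ts, e.device, e.signature) for e in matched]}


def run(rule: Rule, events) -> list:
    """Replay events in time order and collect every action the rule produces."""
    actions = []
    for ev in sorted(events, key=lambda e: e.ts):
        act = rule.feed(ev)
        if act:
            actions.append(act)
    return actions


# Constructed event stream: three RED hits of the lab's IPS signature plus noise.
SAMPLE_EVENTS = [
    Event(0, "GREEN", "2811", "config change"),
    Event(5, "RED", "IOS IPS", "Sig 5326"),
    Event(20, "YELLOW", "firewall", "deny"),
    Event(40, "RED", "IOS IPS", "Sig 5326"),
    Event(400, "RED", "IOS IPS", "Sig 5326"),
]


def email_on_red() -> list:
    """The lab's rule: Severity RED, Counts 1, Time Range assumed 300 s."""
    return run(Rule("Email on Red", "RED", 1, 300, RED_ALERTS_GROUP), SAMPLE_EVENTS)


def two_reds_in_a_minute() -> list:
    """Variant from Step 20h: fire only when 2 RED events land within 60 s."""
    return run(Rule("Burst of Red", "RED", 2, 60, RED_ALERTS_GROUP), SAMPLE_EVENTS)


if __name__ == "__main__":
    for act in email_on_red() + two_reds_in_a_minute():
        print(act["rule"], "->", ", ".join(act["to"]), act["events"])
```

With Counts 1 every RED event produces its own email, which is why Step 24 shows several Summary entries for one attack; raising Counts and tightening the Time Range turns the same rule into a burst detector.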
This completes the exercises for today. NOW is a GREAT time to complete the training survey.
Exercise 1: Solutions Sale Mock Interview & SoW Generation – with appropriate customer responses

Mock Interview Assumptions:
1. Customer desires better visibility due to high frequency of undetermined network outages.
2. Cisco has established chain of command within core infrastructure: Checkpoint Firewalls, Juniper IDP.
3. A list of deliverables including Product, SE Services, and working with Network Engineer to conduct assessment, create SOW.
DATE:                         CISCO PARTNER:

Company Name: Acme Corp
Address: Anywhere, USA
Primary Contact: Joey Blow
Title: Network Engineer
Phone:
eMail:

GENERAL CUSTOMER INFORMATION:
Industry Vertical/Line of Business: Services, Call Center outsourcing, customer support
Public or Private: Public
Total number of Employees: 1,300
Total number of Employees on IT Staff: 15
• How many focused on security issues? 2
• How are IT staff segmented, i.e. do Network Ops and SecOps work together? Mostly when we are going through an audit, they always want reports.
Who is responsible for ensuring security policy is enforced?
• Network Ops: We own the routing/switching and firewall
• Security Ops: not sure

WHAT ARE YOUR TOP 3 NETWORK SECURITY CONCERNS TO ADDRESS USING LOG ANALYSIS AND CORRELATION:
1) To find the cause of unexpected network downtime
2) To see if we are being hacked
3) To show management that our security products are protecting us

REGULATORY – CORPORATE COMPLIANCE
List relevant legislative and corporate compliance requirements:
a) SOX
b) HIPAA
c) SLA for our customers
Who is responsible for internal audit? Nancy Smith leads the team
Who is your external Auditing Firm? Not sure
What are the ramifications for non-compliance?
a) Lost customers
b) Failed audits
c) Fines?
What are your long term storage requirements? 3 years
What Auditor reports are required to demonstrate adherence to policy?
a)
b)
c)
d)

OPERATIONAL INFORMATION
1) Do you currently outsource any network or security operations? No
   a. This could limit the ability to collect key data (IPS for example)
2) Does company have an e-commerce presence? No
   a. This could indicate mandates for monitoring and reporting.
3) Do you want to collect and correlate Windows Server Logs? YES
   a. Can Snare be placed on the server? YES
   b. What about change management process? Done
4) Is there in-house Application/Software development? YES
   a. Do these applications need to be collected/analyzed/monitored? Not at this time, but we might want to in the future
5) Does organization make use of Netflow currently? NO
   a. Can we get access to key sources of Netflow? YES
6) Who is responsible for reviewing data from Firewall? The NetSec Team
7) Who is responsible for reviewing data from IPS? The NetSec Team
   a. How are false positives resolved? They are not
8) When was the last time users complained about lack of network availability? Last week
   a. Was the network down? Yes
   b. If so, for how long? 3 hours
   c. How resolved? Reboot
9) On average, how long does it take to find the source of a network or security problem? It depends, sometimes an hour sometimes we never know what happened.
10) What tools does the help desk use to investigate and resolve network or security problems? Sniffers

TOPOLOGY / TOPOGRAPHY:
1) List all offices and the number of employees in each office:
   a. HQ: Dallas, 400
   b. Data Centers: Dallas and Los Angeles
   c. Branch offices: Ohio = 100, Atlanta = 150, Los Angeles 300, London = 100, Japan = 100
   d. SOHO: ~100 remote users

GENERAL REPORTING REQUIREMENTS – General Management reports
1) Specify the type of reports Management wants to see:
   a. Failed logins
   b. Attacks stopped by Firewall
   c. Top Destinations
   d. Top Sources
   e. Other??

UPTIME AND SLA'S
1) Do you have Service Level Agreements in place?
   a. For Customers? YES
   b. For Partners? NO
   c. For Vendors? NO
2) Can you quantify the cost of network downtime? NO

Sensitive Data
1) Do you store employee personal health information? YES, HR Records
2) Do you transmit, store, or process credit card or personal financial data? Not that I'm aware of…
3) How is proprietary data protected: Not sure other than firewalls
4) Do you share data outside the organization: YES, with partners and Marketing companies

Logging
1) Do you currently deploy a syslog server? Yes, for Firewalls
   a. What Brand/Version? Kiwi
   b. What is the current retention period for log files? 3 years
2) Do you have a SAN or NAS setup for long term log storage? SAN
3) How many log entries per day: Not sure
4) List devices sending syslog data in chart below:

PRODUCT INFORMATION – Currently used products and tools
List all Technologies currently in use. Use Notes section to explain locations, HA, etc.

Network and Security Device Information | Vendor     | Model & Version # | QTY | Annual Maintenance Cost | Notes: i.e. Locations, usage, redundancy, etc
Firewall                                | Checkpoint | NG                | 12  | TBD                     |
Firewall                                |            |                   |     |                         |
Firewall                                |            |                   |     |                         |
Router                                  | Cisco      | 3845              | 20  |                         |
Router                                  | Cisco      | 2811              | 40  |                         |
Router                                  |            |                   |     |                         |
Switch                                  | Cisco      | 6509              | 4   |                         |
Switch                                  | Cisco      | 3015              |     |                         |
Switch                                  |            |                   |     |                         |
Switch                                  |            |                   |     |                         |
VPN IPSec                               |            |                   |     |                         |
VPN SSL                                 | Juniper    |                   |     |                         |
Authentication Server                   | Cisco      | ACS               |     |                         |
Authentication Server                   |            |                   |     |                         |
Wireless AP – Controller?               |            |                   |     |                         |
Packet Shaper, Sniffer                  | Peribit    |                   |     |                         |
Syslog                                  | Kiwi       |                   |     |                         |
Network IPS/IDS                         | Juniper    | IDP               |     |                         |
HOST IPS                                |            |                   |     |                         |
Windows Servers                         | Dell       |                   |     |                         |
Databases                               | Oracle     | 10g               |     |                         |
Critical Applications                   | G2         | CRM               |     |                         |
Vulnerability Assessment Tools          | Foundstone |                   |     |                         |
Caching                                 |            |                   |     |                         |
NAC                                     |            |                   |     |                         |
MPLS                                    | Verizon    |                   |     |                         |
Other                                   |            |                   |     |                         |
Other                                   |            |                   |     |                         |

TOP OF MIND SECURITY CONCERNS:
1. Executive Level: Can't see why we need to spend so much on Security
2. Management Level: Taking heat for so many network outages
3. Engineering Level: Can't keep up with all the tasks, from Patching systems, to chasing down root cause for downtime, can't get work done.

DOCUMENTATION: (please provide)
1. VISIO NETWORK DIAGRAM
2. SECURITY POLICY (optional)
Exercise 2: Solutions Sale Mock Interview & SoW Generation – SE interview

Mock Interview Assumptions:
4. Customer desires better visibility due to high frequency of undetermined network outages.
5. Cisco has established chain of command within core infrastructure: Checkpoint Firewalls, Juniper IDP.
6. A list of deliverables including Product, SE Services, and working with Network Engineer to conduct assessment, create SOW.
DATE:                         CISCO PARTNER:

Company Name:
Address:
Primary Contact:
Title:
Phone:
eMail:

GENERAL CUSTOMER INFORMATION:
Industry Vertical:
Public or Private:
Total number of Employees:
Total number of Employees on IT Staff:
• How many focused on security issues?
• How are IT staff segmented, i.e. do Network Ops and SecOps work together?
Who is responsible for ensuring security policy is enforced?
• Network Ops:
• Security Ops:

WHAT ARE YOUR TOP 3 NETWORK SECURITY CONCERNS TO ADDRESS USING LOG ANALYSIS AND CORRELATION:
4) >
5) >
6) >

REGULATORY – CORPORATE COMPLIANCE
List relevant legislative and corporate compliance requirements:
d) >
e) >
f) >
Who is responsible for internal audit?
Who is your external Auditing Firm?
What are the ramifications for non-compliance?
d) >
e) >
f) >
What are your long term storage requirements?
What Auditor reports are required to demonstrate adherence to policy?
e) >
f) >
g) >
h) >

OPERATIONAL INFORMATION
11) Do you currently outsource any network or security operations?
   a. This could limit the ability to collect key data (IPS for example)
12) Does company have an e-commerce presence?
   a. This could indicate mandates for monitoring and reporting.
13) Do you want to collect and correlate Windows Server Logs?
   a. Can Snare be placed on the server?
   b. What about change management process?
14) Is there in-house Application/Software development?
   a. Do these applications need to be collected/analyzed/monitored?
15) Does organization make use of Netflow currently?
   a. Can we get access to key sources of Netflow?
16) Who is responsible for reviewing data from Firewall?
17) Who is responsible for reviewing data from IPS?
   a. How are false positives resolved?
18) When was the last time users complained about lack of network availability?
   a. Was the network down?
   b. If so, for how long?
   c. How resolved?
19) On average, how long does it take to find the source of a network or security problem?
20) What tools does the help desk use to investigate and resolve network or security problems?

TOPOLOGY / TOPOGRAPHY:
2) List all offices and the number of employees in each office:
   a. HQ:
   b. Data Centers:
   c. Branch offices:
   d. SOHO:

GENERAL REPORTING REQUIREMENTS – General Management reports
2) Specify the type of reports Management wants to see:
   a. >
   b. >
   c. >
   d. >
   e. >

UPTIME AND SLA'S
3) Do you have Service Level Agreements in place?
   a. For Customers?
   b. For Partners?
   c. For Vendors?
4) Can you quantify the cost of network downtime?

Sensitive Data
5) Do you store employee personal health information?
6) Do you transmit, store, or process credit card or personal financial data?
7) How is proprietary data protected:
8) Do you share data outside the organization:

Logging
5) Do you currently deploy a syslog server?
   c. What Brand/Version?
   d. What is the current retention period for log files?
6) Do you have a SAN or NAS setup for long term log storage?
7) How many log entries per day:
8) List devices sending syslog data in chart below:

PRODUCT INFORMATION – Currently used products and tools
List all Technologies currently in use. Use Notes section to explain locations, HA, etc.

Network and Security Device Information | Vendor | Model & Version # | QTY | Annual Maintenance Cost | Notes: i.e. Locations, usage, redundancy, etc
Firewall                                |        |                   |     |                         |
Firewall                                |        |                   |     |                         |
Firewall                                |        |                   |     |                         |
Router                                  |        |                   |     |                         |
Router                                  |        |                   |     |                         |
Router                                  |        |                   |     |                         |
Switch                                  |        |                   |     |                         |
Switch                                  |        |                   |     |                         |
Switch                                  |        |                   |     |                         |
Switch                                  |        |                   |     |                         |
VPN IPSec                               |        |                   |     |                         |
VPN SSL                                 |        |                   |     |                         |
Authentication Server                   |        |                   |     |                         |
Authentication Server                   |        |                   |     |                         |
Wireless AP – Controller?               |        |                   |     |                         |
Packet Shaper, Sniffer                  |        |                   |     |                         |
Syslog                                  |        |                   |     |                         |
Network IPS/IDS                         |        |                   |     |                         |
HOST IPS                                |        |                   |     |                         |
Windows Servers                         |        |                   |     |                         |
Databases                               |        |                   |     |                         |
Critical Applications                   |        |                   |     |                         |
Vulnerability Assessment Tools          |        |                   |     |                         |
Caching                                 |        |                   |     |                         |
NAC                                     |        |                   |     |                         |
MPLS                                    |        |                   |     |                         |
Other                                   |        |                   |     |                         |
Other                                   |        |                   |     |                         |

TOP OF MIND SECURITY CONCERNS:
4. Executive Level:
5. Management Level:
6. Engineering Level:

DOCUMENTATION: (please provide)
3. VISIO NETWORK DIAGRAM
4. SECURITY POLICY (optional)
MARS Lab Logical Topology Diagram

[Figure: MARS Lab Topology. Recoverable labels: outside network VLAN x6 (167.21.6.0/24) with User PC 2 (Win 2000 Pro SP4) and the firewall outside interface e0/0 (security level 0, .254); firewall inside interface e0/1 (security level 100, .254) on the untrusted side, a NAC-CAS In-band VPN 4.1.2.1 with an X-over cable for CAS failover, and the trusted side on VLAN x5 (192.168.5.0/24); a 2811 Core Router with fa0/0 subinterfaces (.1 in each VLAN) into VLAN x1 Net Mgt (192.168.1.0/24, 3550g network management interface), VLAN x8 (Bridged, 192.168.5.0/24), VLAN x9 Attacker VLAN (192.168.9.0/24, Attacker PC 1 running BackTrack), VLAN x2 Security Services (192.168.2.0/24: MARS 4.2.6 (2458); CSM 3.1.0, Common Services 3.0.5, RME 4.0.5 and AutoUpdate 3.0.5 on Win2k3), VLAN x3 Windows Servers (192.168.3.0/24: Win2k DC with DNS, DHCP, IIS, Syslog, ACS 4.1) and VLAN x4 User VLAN (192.168.4.0/24: User PC 1, Win 2000 Pro SP4).]