Mars 1

  • Uploaded by: Dax Mickelson
  • December 2019

  • Words: 21,130
  • Pages: 35
Lab 1

MARS Jump Start Training

Lab Guide
September 2008
Version 2.0
Created by Team ASTEC

© 2008 Cisco Systems, Inc.

MARS Jumpstart Lab Guide

Table of Contents

Task 1: Accessing the Devices in Lab (5-10 min) ........................................ 3
Task 2: Prep and Test the Lab (10-15 min) .............................................. 4
Task 3: Setup IOS IPS (20-25 min) ...................................................... 5
Task 4: Prepping/Adding Devices to MARS (35-45 min) .................................... 8
Task 5: Attack Web Server & then Monitor Mitigate via MARS (45 min) ................... 16
Task 6: Configuring Alerts and Notifications (20 min) ................................. 21
Exercise 1: Solutions Sale Mock Interview & SoW Generation with customer responses .... 27
Exercise 2: Solutions Sale Mock Interview & SoW Generation – SE interview ............. 31
Lab Logical Topology Diagram .......................................................... 35


Task 1: Accessing the Devices in Lab (5-10 min)

Purpose: The purpose of this task is to VPN into your pod to ensure connectivity and authentication is working properly.

Step 1. Go to https://pgY.daxm.net/student, where Y is your pod set number, to access the labs. The lab proctor will inform you of the pod set number for your labs.

Step 2. Login as psYpodX/<password> where Y is your pod set number, and X is your pod number. Your <password> will be provided by the lab proctor.

Step 3. Click the appropriate link to connect to your device.

NOTE: All auth challenges are username/password: administrator/cisco123 UNLESS otherwise specified in lab doc steps. You may want to write this down for future reference.


Task 2: Prep and Test the Lab (10-15 min)

Purpose: The purpose of this task is to default the router and firewall (ASA).

Step 1. Test the remote desktop connectivity to UserPC1, UserPC2, and AttackPC by clicking on the links from the portal page.

Note: Within VNC, to send ctrl-alt-del or enable/disable full screen, use F8 to open the options toolbar.

Step 2. From the desktop of UserPC1, telnet to 2811a.acme.com to access the lab's 2811 router.

a. Use the 'delete /force /recursive flash:ips' command in Privileged EXEC Mode (this directory may be left over from a previous lab, so this command will remove it and its contents). Your router may or may not have this folder listed in flash. If it doesn't, just move on to step 3.

Step 3. To do a final test from the router, be sure you can ping 2811a.acme.com, asa5510.acme.com, and w2kserver.acme.com, as these are the main devices used in this lab.

NOTE: If any of the above tests fail please notify your lab proctor.


Task 3: Setup IOS IPS (20-25 min)

Purpose: The 2811 router in the lab has an IOS code level that allows us to run the IOS IPS feature set. Use the following commands to set up the router to use this feature set. These IPS settings will be used to monitor traffic from the ASA firewall coming inward, toward the corporate network, as well as from the "Guest" VLAN (VLAN 9) off of the router.

Step 1. From UserPC1, telnet to 2811a.acme.com.

Step 2. The IPS signatures will be uploaded to flash, so create a directory to store these signatures using the 'mkdir ips' command in Privileged EXEC Mode. You can issue the 'show flash' command to ensure the ips directory was made.

Now we need to configure the IOS IPS crypto key:

Step 3. From the desktop of UserPC1 open up the "Software/IOS IPS" subfolder. Within this folder is a text file named "publickey.txt". Open up this file and copy the contents of this file into your clipboard.

NOTE: The key was downloaded from CCO along with the signature files. It is required to validate the signature file as it is loaded into the router with the idconf command.

Step 4. At the Global Configuration Mode prompt on the router paste the clipboard contents. This will add the crypto key used by the IPS signature file. The crypto key is used to verify the digital signature for the master signature file (sigdef-default.xml), whose contents are signed by a Cisco private key to guarantee its authenticity and integrity at every release. The sigdef-default.xml is used by MARS.

Step 5. Save the running configuration of the router to startup-config.

Step 6. Issue the 'ip ips name iosips' command in Global Configuration Mode. This will create a rule that will be used to enable the IPS features on an interface.

Step 7. Issue the 'ip ips config location flash:ips' command in Global Config Mode to define where the IPS signatures will be stored.

Step 8. Enable SDEE event notification. This is used by MARS and CSM to learn of the events as well as to implement remediation. Issue the 'ip ips notify sdee' command in Global Configuration Mode.

Step 9. By default, IOS IPS only allows 1 SDEE connection. Use the 'ip sdee subscriptions 3' Global Configuration Mode command to enable the maximum number of SDEE connections for IOS IPS.

Step 10. Use the 'ip ips notify log' command, in Global Configuration Mode, to enable syslog for IPS events. IOS IPS also supports the use of syslog to send event notification. SDEE and syslog can be used independently or enabled at the same time to send IOS IPS event notification. Syslog notification is enabled by default. If logging console is enabled, you will see IPS syslog messages. Ensure syslog is on with the 'show logging' command from Privileged EXEC Mode.

Step 11. Enable the HTTPS server on the router for remote administrative access. Use the 'ip http secure-server' command in Global Configuration Mode to enable the HTTPS server.

Step 12. Configure the IOS IPS to use the default basic signature set.

Cisco's IOS IPS feature set runs resident in the router if it isn't in a separate module. This means that the memory and CPU of the router are affected by which signatures are being monitored. Therefore, disable (retire) all signatures EXCEPT the ones that are needed.

NOTE: Take care to use exit and not cntl-z to save ips category changes!!! If you don't, you will have to reload the router WITHOUT saving changes and redo this step.

Use the following commands to set up this structure:

    # copy running-config startup-config
    # configure terminal
    (config)# ip ips signature-category
    (config-ips-category)# category all
    (config-ips-category-action)# retired true
    (config-ips-category-action)# exit
    (config-ips-category)# category ios_ips basic
    (config-ips-category-action)# retired false
    (config-ips-category-action)# exit
    (config-ips-category)# exit
    Do you want to accept these changes? [confirm] <Press Enter>


Critical Check → Did you get the prompt to accept these changes? If you don't get the prompt to confirm your changes you will need to reload the router without saving your changes! To confirm your changes were accepted, type 'show ip ips category ios_ips basic config'. Verify your output is "Retire: False".

Step 13. Since we are monitoring traffic incoming from the ASA toward the corporate network, we need to enable the IPS rules on interface FastEthernet 0/0.X5, where X is your pod number. The rule was created earlier in step 7.

    (config)# interface FastEthernet 0/0.X5
    (config-if)# ip ips iosips in

Step 14. Now enable the monitoring for incoming traffic from the "Public" VLAN. The subinterface FastEthernet 0/0.X9 is the Public VLAN.

    (config)# interface FastEthernet 0/0.X9
    (config-if)# ip ips iosips in

Step 15. We are now ready for the signature file. It is stored on UserPC1's desktop in the "Software/IOS IPS/IOS IPS 5-24-08" subfolder.

NOTE: Be sure you tftp upload the IOS-S334.CLI.pkg file found in the "Software/IOS IPS/IOS IPS 5-24-08" subfolder, NOT another IPS signature file.

a. Run 3CDaemon on UserPC1. This program is our TFTP server. Select the Configure TFTP Server Settings icon and set the Upload/Download directory to "C:\Documents and Settings\Administrator\Desktop\Software\IOS IPS\IOS IPS 5-24-08\" (don't include the quotes). Click OK to save your changes. Stop and Start the TFTP Server.

b. At the router's Privileged EXEC Mode issue the 'terminal monitor' command to watch the syslog events as we upload the signatures.

c. Now issue the 'copy tftp://192.168.4.50/IOS-S334-CLI.pkg idconf' command in Privileged EXEC Mode. You will see syslog messages showing the IOS IPS signatures being installed into the flash:ips directory.

d. After the .pkg file copies over, use the 'dir flash:ips' command to see the contents of the flash:ips directory.

Step 16. Use the 'show ip ips signatures count' command to ensure you have version S334.0 (located at the top of this command's output) and the Total Signatures should be 2271 (located near the end of this command's output).

Step 17. Close 3CDaemon once done.

NOTE: By default all signatures are configured to the "Alarm" action only. This implies that signature tuning is needed to actively block attacks. Later in the lab we will set some of the signatures to block attacks.


Task 4: Prepping/Adding Devices to MARS (35-45 min)

Purpose: The purpose of this lab is to add the necessary configuration commands to the router and ASA for connectivity with MARS, and then configure MARS by adding the devices and setting up some basic connectivity. Part of the way MARS communicates with devices is via SNMP, so set up SNMP on each device for polling before adding it to MARS. SSH will also be configured for full device discovery.

Step 1. Log into router 2811a and issue the following commands in Global Configuration Mode:

    (config)# snmp-server community cisco123 RO
    (config)# snmp-server location ACME Data Center
    (config)# snmp-server contact Road Runner rrunner@acme.com
    (config)# snmp-server trap-source loopback 0
    (config)# logging 192.168.2.30
    (config)# line vty 0 4
    (config-line)# transport input ssh

Step 2. Use the 'show version' command to see what version of software the router is running. This information will be used when adding the router to MARS.

Step 3. From UserPC1 open IE and from the home page use the CS-MARS link to access the MARS management interface. Log into MARS with the user/pass of pnadmin/cisco123 (password may autofill).

Step 4. Using the menu items across the top of the MARS screen click the ADMIN link.

Step 5. In the "Device Configuration and Discovery Information" section click the Security and Monitor Devices link.
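Before letting MARS discover the router it is worth checking that everything from Task 3 and Step 1 above actually landed in the running-config. The audit below is an added example for this guide (not lab or Cisco code); the config excerpt is constructed for pod X = 4, IOS writes the subinterface name without the space used in the lab text, and the MARS address 192.168.2.30 and the community string are the lab's values.

```python
"""Audit an IOS running-config for the MARS prerequisites set in Tasks 3 and 4:
IOS IPS rule and storage, SDEE and syslog notification, HTTPS, SNMP RO
community, syslog to MARS, IPS applied on the X5/X9 subinterfaces, SSH-only vty.
Added example for this page; not part of the lab guide or any Cisco tool.
"""
import re

# Constructed excerpt of a 2811 running-config after Tasks 3 and 4 (pod 4).
# Two deliberate gaps: no IPS on the X9 subinterface, telnet still on the vty.
SAMPLE_CONFIG = """\
hostname 2811a
ip ips name iosips
ip ips config location flash:ips
ip ips notify sdee
ip ips notify log
ip sdee subscriptions 3
ip http secure-server
!
interface FastEthernet0/0.45
 encapsulation dot1Q 45
 ip address 192.168.5.1 255.255.255.0
 ip ips iosips in
!
interface FastEthernet0/0.49
 encapsulation dot1Q 49
 ip address 192.168.9.1 255.255.255.0
!
snmp-server community cisco123 RO
snmp-server location ACME Data Center
logging 192.168.2.30
!
line vty 0 4
 transport input telnet ssh
!
end
"""


def parse_blocks(config):
    """Split an IOS config into global lines and {block header: [sub-lines]}.

    IOS indents sub-mode lines by one space and separates sections with '!'.
    """
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            globals_.append(current)
    return globals_, blocks


def audit_mars_prereqs(config, pod, mars_ip):
    """Return [(check, ok)] for each MARS prerequisite the lab configures."""
    globals_, blocks = parse_blocks(config)
    gset = set(globals_)
    results = []
    required_global = [
        "ip ips name iosips",                 # Task 3, Step 6
        "ip ips config location flash:ips",   # Task 3, Step 7
        "ip ips notify sdee",                 # Task 3, Step 8
        "ip sdee subscriptions 3",            # Task 3, Step 9
        "ip ips notify log",                  # Task 3, Step 10
        "ip http secure-server",              # Task 3, Step 11
        f"logging {mars_ip}",                 # Task 4, Step 1
    ]
    for cmd in required_global:
        results.append((cmd, cmd in gset))
    # MARS polls over SNMP; the community must exist and be read-only.
    results.append(("snmp-server community ... RO",
                    any(re.fullmatch(r"snmp-server community \S+ RO", g)
                        for g in globals_)))
    # IPS rule inbound on the ASA-facing (X5) and public (X9) subinterfaces.
    for suffix in ("5", "9"):
        name = f"interface FastEthernet0/0.{pod}{suffix}"
        results.append((f"{name}: ip ips iosips in",
                        "ip ips iosips in" in blocks.get(name, [])))
    # Step 1 restricts the vty to SSH only; 'telnet ssh' does not satisfy it.
    vty = blocks.get("line vty 0 4", [])
    results.append(("line vty 0 4: transport input ssh",
                    "transport input ssh" in vty))
    return results


def failures(results):
    """Names of the checks that did not pass."""
    return [check for check, ok in results if not ok]


if __name__ == "__main__":
    for check, ok in audit_mars_prereqs(SAMPLE_CONFIG, pod=4,
                                        mars_ip="192.168.2.30"):
        print(("OK   " if ok else "FAIL ") + check)
```

Paste the output of 'show running-config' in place of SAMPLE_CONFIG to audit a real pod router; anything reported FAIL is a step from Task 3 or 4 to redo before clicking Discover.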


Step 6. Note that there are no devices in MARS yet. Select Add (located along the right of the window) to start adding the 2811 router.

Step 7. Enter the following information about the router:

    Device Type: Cisco IOS 12.4
    Device Name: 2811a.acme.com
    Access IP: 192.168.2.1
    Reporting IP: 192.168.0.1
    Access Type: SSH
    Login: administrator
    Password: cisco123
    Enable Password: cisco123
    SNMP RO Community: cisco123
    Monitor Resource Usage: Yes

NOTE: If you are adding a switch, under the "Device Type", there is a selection for "Cisco Switch-IOS" in addition to "Cisco IOS".

Step 8. Click Discover.

NOTE: This will take some time (several minutes), partially because MARS also has to load all of the IOS IPS signatures, but also because of the shared resources on our VM Server. Please be patient.

Step 9. Click OK once the discovery is done.

Step 10. MARS found that the router has IOS IPS running, so now we can add the IPS information into the device information window. Scroll to the bottom of the window and click Add IPS.

a. In the new window add the username/password of administrator/CiscoRocks. Click Test Connectivity to ensure this information is correct.

b. Oops, we got an error. Click OK on the error.

NOTE: The point of step 11a is to demonstrate the ability to view details of error messages, and how MARS deals with this type of issue.

c. There is now a View Error link along the bottom of the screen. Click View Error to see what is wrong. Once you see what the error is, fix the username/password information with administrator/cisco123.

d. Click Test Connectivity once more and we will get a discovery is done message. Click OK on that message.

e. Finally click Submit to add the IOS IPS information.

Step 11. Click Submit to add the router to MARS.


Step 12. Now that the router is in MARS, click the red Activate button in the top right of the window to submit the current changes to the MARS database. Close the activation done window to return to MARS.

NOTE: This lab guide was developed using pod 1. You may notice a different pod number in the "Device Name" field. Is this a problem? You bet it is! In this case, it's a router hostname issue. As part of the discovery, MARS pulled the hostname from the configuration file in the router. Since DNS has 2811a.acme.com, in the real world you would want to fix the hostname. For the purpose of the lab, this is not a big deal.

Step 13. Go to the router and type 'show ip sdee subscriptions'.

Step 14. Telnet to ASA5510.acme.com to set up connectivity to MARS. Here are the commands to be typed into Global Configuration Mode on the ASA:

    (config)# logging host inside 192.168.2.30
    (config)# snmp-server community cisco123
    (config)# snmp-server location ACME Corporate
    (config)# snmp-server contact rrunner@acme.com
    (config)# snmp-server host inside 192.168.2.30 community cisco123
    (config)# crypto key generate rsa modulus 1024
    (config)# ssh 192.168.0.0 255.255.0.0 inside
    (config)# aaa authentication ssh console LOCAL      (LOCAL must be uppercase)

Step 15. Return to MARS. If you need to, return to the Security and Monitoring Information page by clicking on the ADMIN link and then the Security and Monitor Devices link.

Step 16. Click Add to start the process of adding in the ASA. Use the following values:

    Device Type: Cisco ASA 8.0
    Device Name: asa5510.acme.com
    Access IP: 192.168.5.254
    Reporting IP: 192.168.5.254
    Access Type: SSH, 3DES
    Login: administrator
    Password: cisco123
    Enable Password: cisco123
    SNMP RO Community: cisco123
    Monitor Resource Usage: YES

Step 17. Click Discover.

Step 18. Click OK when discovery is done, and then click Submit.

Step 19. Click the red Activate button to save the ASA into MARS' database. Close the activation done window to return to MARS. You should now have 2 devices added into MARS.

NOTE: This lab guide was developed using pod 1. You may notice a different pod number in the "Device Name" field. Is this a problem? You bet it is! In this case, it's a router hostname issue. As part of the discovery, MARS pulled the hostname from the configuration file in the router. Since DNS has asa5510.acme.com, in the real world you would want to fix the hostname. For the purpose of the lab, this is not a big deal.

Step 20. There are two ways to get logging information from a Windows machine. In this lab we show the "pull" method and in day 2's lab we show the "receive" method. These methods are mutually exclusive, so don't activate both on the same device within MARS. We first need to set up the Windows server. Log into the Windows DC machine from the Student Portal page.

Note: Within VNC, to send ctrl-alt-del or enable/disable full screen, use F8 to open the options toolbar.

Step 21. Open up the "Active Directory Users and Computers" link located at "Start → Programs → Administrative Tools → Active Directory Users and Computers".

Step 22. Click on "Action → New → User" to open up the Add new user page to create the user account that will be used by the MARS appliance to log into this server and pull its security, application, and system event logs.

a. Fill in the following:

    First Name: Mars
    Last Name: Manager
    Username: mars

b. Click Next.

c. Add the password information: Password: cisco123. Check the box next to "Password never expires".

d. Click Next. Review the user's information and then click Finish.

Step 23. Right click the newly created account and select "Add members to a group...". Select the Administrator group and click OK.

Step 24. Go to Start → Programs → Administrative Tools → Local Security Policy to set up the audit settings so that these events will be audited.

a. Open up the Local Policies folder.

b. Click on the Audit Policy folder.


c. Right click each item (9 items) in the right hand pane, select "Security", and then check the boxes next to "Success" and "Failure" to enable auditing on all events. Click OK when done for each item.

Note: The effective setting for the auditing is set to No auditing.

Step 25. Return to the MARS window on UserPC1 to add this server as a monitored device in MARS. Click on ADMIN, then Security and Monitor Devices (you may already be here on return to MARS).

Step 26. Click Add to start the process of adding in this server.

a. Select Add SW security apps on new host from the Device Type dropdown menu since MARS is already aware of this server.

b. Finish filling out the information not already known by MARS:

    Device Name: w2k-server.acme.com
    Access IP: 192.168.3.10
    Reporting IP: 192.168.3.10
    Operating System: Windows

c. Select the Logging Info link to open up a new window. Fill out the information with:

    Windows Operating System: Microsoft Windows 2000
    Check the Pull box

NOTE: Don't check Receive as this isn't configured and checking both is not supported.

    Domain Name: acme.com
    Host login: mars
    Host password: cisco123


d. Click Submit.

e. Add interface IP and mask for ether0 (MARS may already have this information populated) and click Apply.

f. We now need to specify OS and patch information. Click on the column heading labeled "Vulnerability Assessment Info".

g. From the dropdown select ANY Windows 2000 Server (version:ANY, patch:ANY), and then click Apply.

h. Click Done.


i. Check to make sure your "Device Display" shows the graphic for "Not in cloud". The first figure below shows the Device Display in the cloud. Simply click the icon to change its status.

[Figures: Device Display shown "in cloud"; what it should be: "Not in cloud".]

j. Click Activate.


Task 5: Attack Web Server & then Monitor Mitigate via MARS (45 min)

Purpose: The purpose of this task is to demonstrate the monitoring and mitigation features within MARS.

Step 1. Log into UserPC1 and open up the IE link to CS-MARS.

Step 2. Make sure that in MARS you are looking at the SUMMARY page.

Step 3. From the Student Portal, log into AttackPC and open up Internet Explorer.

NOTE: The VNC password is cisco123.

Step 4. Click the Test IIS Web Server bookmark to ensure you have access to the Intranet Web Server.

Step 5. Return to the home page and click the Sig 5801 Directory Traversal Attack link to send a directory traversal attack.

NOTE: You will get a page cannot be displayed message – this is fine, as the attack should have run in the background.

Step 6. Switch over to the MARS SUMMARY window. You may want to change the "Page Refresh Rate" to 1 minute to speed up the page updates. Watch for the attack to show up. (It may take 1-3 minutes.)

NOTE: You could also see this attack in IOS IPS via the router's local log or by watching the syslog messages.

Step 7. Once you see the attack, click on the 'Incident ID' for that attack (your Incident ID will be different than the one in the graphic below).


Step 8. Scroll down and to the right and you'll see the Path/Mitigate column. Click on the Red Stop Sign to get the path vector of the attack.

NOTE: This can take a long time to load.

Step 9. After it loads, check out the "Full Topology" option to refresh the map with MARS' total topology awareness.

Step 10. In the left pane are MARS' options to remediate against this attack. The primary option MARS has will be listed just under the "Suggested" heading. If other options exist, MARS will list them under the "Alternative" heading. Click on the 2811a-pod4.acme.com link to reload this page with the remediation suggestion data loaded.

Step 11. Scroll to the bottom and review the suggested remediation.

NOTE: If there are no ACLs on the suggested interface of remediation, MARS will give you a RegExp ACL suggestion. Notice that the PUSH button is grayed out. If this was a Layer 2 remediation, the push button would be offered to have MARS immediately push this suggestion out to the device.

Step 12. Add the following ACLs to the router. This way MARS will have the actual ACL names to reference in future remediation recommendations for this router:

    (config)# ip access-list extended VLANX5          !!! (where X is your pod number) !!!
    (config-ext-nacl)# permit ip any any
    (config)# interface FastEthernet 0/0.X5
    (config-if)# ip access-group VLANX5 in
    (config)# ip access-list extended VLANX9          !!! (where X is your pod number) !!!
    (config-ext-nacl)# permit ip any any
    (config)# interface FastEthernet 0/0.X9
    (config-if)# ip access-group VLANX9 in


Step 13. MARS will periodically query its known devices. However, to save time, do a manual rediscover of the router within MARS.

a. Go to the ADMIN → Security and Monitor Devices page on MARS.

b. Check the box next to the 2811a.acme.com router. Then select Edit.

c. Click Discover and then OK once the discovery is done.

NOTE: This takes time. Please be patient.

d. Scroll to the bottom of the page and select Submit.

e. Click Done and then Activate.

Step 14. Log into UserPC2. Ensure the VPN is NOT connected by attempting to ping 192.168.3.10 (the internal IP of the web server). That ping should fail.

Step 15. Launch IE and select the Test Web Server from Internet link to verify the web server is up and running.

Step 16. Click Home in IE and now click the Sig 5326 root.exe Attack link to attack the web server.

Step 17. Switch back to UserPC1 and watch for the event to appear on the MARS summary page.

Step 18. Click on the 'Incident ID' for the respective attack.

Step 19. Scroll down to the bottom again and click the 'Path/Mitigate' badge.

Step 20. Select the suggested option (which should be remediation on the ASA). Scroll down to see the suggested remediation options. Notice the different ways to block this attacker from the ASA.

Step 21. Now select the alternate option and scroll down. Notice that the suggested ACLs are now referencing the actual ACLs defined on the interface. Again notice that the PUSH button is still grayed out. However, you could copy and paste the recommendation into the router's Global Configuration Mode to remediate.
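Steps 11-12 and 20-21 show MARS building its router ACL suggestion from the IPS incident and the ACL names already bound to the ingress interface. The script below reproduces that step on the defender's side for the two lab signatures: it parses IOS IPS syslog alerts and emits deny entries that slot in ahead of the lab's 'permit ip any any'. This is an added example, not MARS or Cisco code; the syslog lines are constructed (modelled on the %IPS-4-SIGNATURE message), pod X = 4 is assumed, and the mapping of attacker subnet to ingress ACL is an assumption for the sample.

```python
"""From IOS IPS syslog alerts to a pasteable interface-ACL remediation, the
way Task 5 describes MARS suggesting one. Added example for this page; the
log lines, pod number (4) and subnet-to-ACL mapping are constructed.
"""
import re
from collections import Counter

# Constructed IOS IPS syslog lines for the two lab attacks against the web
# server 192.168.3.10 (Sig 5801 twice from AttackPC, Sig 5326 once from the
# public VLAN) plus one unrelated message that must be ignored.
SAMPLE_SYSLOG = [
    "%IPS-4-SIGNATURE: Sig:5801 Subsig:0 Sev:75 Directory Traversal "
    "[192.168.4.50:1037 -> 192.168.3.10:80] RiskRating:75",
    "%IPS-4-SIGNATURE: Sig:5801 Subsig:0 Sev:75 Directory Traversal "
    "[192.168.4.50:1038 -> 192.168.3.10:80] RiskRating:75",
    "%IPS-4-SIGNATURE: Sig:5326 Subsig:0 Sev:100 root.exe Access "
    "[192.168.9.20:2201 -> 192.168.3.10:80] RiskRating:100",
    "%SYS-5-CONFIG_I: Configured from console by administrator on vty0",
]

IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) "
    r"Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)

# Assumed: which Step 12 ACL guards the subinterface each attacker enters on.
INGRESS_ACL = {
    "192.168.4.": "VLAN45",   # traffic arriving from the ASA side (X5)
    "192.168.9.": "VLAN49",   # traffic arriving from the public VLAN (X9)
}


def parse_ips_alerts(lines):
    """Return one dict per %IPS-4-SIGNATURE line; other syslog is skipped."""
    alerts = []
    for line in lines:
        m = IPS_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sig", "subsig", "sev", "sport", "dport"):
                d[k] = int(d[k])
            alerts.append(d)
    return alerts


def suggest_remediation(alerts, min_sev=75):
    """Build deny entries per (attacker, victim, port) for the ingress ACL.

    The lab's 'permit ip any any' occupies sequence 10, so the remark and
    deny are numbered below 10 to land ahead of it; repeated alerts for the
    same flow produce a single entry.
    """
    seen, commands, next_seq = set(), [], {}
    for a in alerts:
        if a["sev"] < min_sev:
            continue
        key = (a["src"], a["dst"], a["dport"])
        if key in seen:
            continue
        seen.add(key)
        acl = next((v for p, v in INGRESS_ACL.items()
                    if a["src"].startswith(p)), None)
        if acl is None:
            continue          # not on a router ingress; that is the ASA's job
        seq = next_seq.get(acl, 1)
        if seq + 1 >= 10:
            continue          # no free sequence numbers left below the permit
        next_seq[acl] = seq + 2
        commands += [
            f"ip access-list extended {acl}",
            f" {seq} remark Sig {a['sig']} {a['name']}",
            f" {seq + 1} deny tcp host {a['src']} host {a['dst']} "
            f"eq {a['dport']} log",
        ]
    return commands


def alert_counts(alerts):
    """Hits per signature ID, the figure a Task 6 rule with Count 1 fires on."""
    return Counter(a["sig"] for a in alerts)


if __name__ == "__main__":
    found = parse_ips_alerts(SAMPLE_SYSLOG)
    print(dict(alert_counts(found)))
    print("\n".join(suggest_remediation(found)))
```

The printed lines are in the form Step 21 says you could paste into Global Configuration Mode; the 'log' keyword makes the resulting hits visible in the same syslog feed MARS already receives.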


Task 6: Configuring Alerts and Notifications (20 min)

Purpose: Instead of looking at the MARS Summary screen 24/7, let MARS alert you when an event has occurred that requires your attention!

Step 1. From UserPC1 open up IE and click the CS-MARS link to launch the MARS management window.

Step 2. Select the ADMIN menu item across the top.

Step 3. Select the Configuration Information link in the CS-MARS Setup frame.

Step 4. Fill in the Mail Gateway information as follows (leave other defaults as is):

    IP: 192.168.3.10
    Port: 25
    Email domain name: acme.com
    Email Format: (Select the radio button by Full graphics)

Step 5. Click Update and Ok. Now create a rule and action that, when triggered, will send an email.

Step 6. First we need to add the users being emailed to MARS. Go to the ADMIN page. Along the top, find and click the User Management link. Click Add to add a new user.


M A R S J u mp Sta rt L a b G u ide S te p 7. A dd onl y th e f ol l ow ing inf orma tion f or a u ser w h o onl y needs to b e a l erted of a n ev ent occu rring: R ol e: N otif ica tion O nl y F irst N a me: W il ie L a st N a me: Coyote O rga niz a tion: A CM E E ma il : w ecoyote@ a cme.com W ork P h one: 1 23-1 23-1 234 NO T E : L o g i n , P a ssw o r d , a n d R e -e n te r P a ssw o r d f i e l d s a r e n o t r e q u i r e d f o r No ti f i c a ti o n O n l y . S te p 8. Cl ick S u b m i t

Step 9. Add the following information for a user who will have read and write access to MARS and only read access to the ADMIN menu.
   Role: Security Analyst
   Note: Think technician who has to do something about this.
   Login: rrunner
   Password: cisco123
   Re-enter password: cisco123
   First Name: Road
   Last Name: Runner
   Organization: SOC at ACME
   Email: rrunner@acme.com
Step 10. Click Submit.
Step 11. Now add a group and include these two users.
   a. Click the Add Group button.
   b. Name: Red Alerts Group
   c. Check the boxes next to "Wilie" and "Road".
   d. Click the Add button, located below the pane, to move them over to the left pane.
   e. Click Submit.
Step 12. Now we want to create a rule that triggers on any event that MARS considers to be RED.
   a. Click the RULES button from the menu and then select the Add button to add a new rule.
   b. Rule Name: Email on Red
   c. Description: Trigger on any red alert and send email to Red Alerts Group
   d. Click Next.
   NOTE: Instead of walking you through the redundant steps to set the individual search fields for this rule, use the following sub-steps as a template until the Keyword column.
Step 13. In the right hand pane, check the box next to ANY and then use the right arrow button, located between the two panes, to move the checked items to the left.

Step 14. Scroll down to the bottom and click Next.
Step 15. Rinse, repeat.
Step 16. On the Keyword column just click Next.

Step 17. On the Severity column page set the Severity to RED and put in a value of 1 in the Counts field.
Step 18. Click Next.
Step 19. A new screen will ask if you are done defining the rule conditions. Take a moment and review your rule's columns to ensure that ANY shows up in all the columns and Severity is RED and Count is 1.
   NOTE: You cannot delete a rule once it has been created but you can inactivate them.
   Click Yes to continue.

Step 20. The conditions for the rule have now been set. It is time to set the actions triggered on a match of this rule.
   a. Scroll to the bottom and click Add to create a new action. This will take you to the action creation window.
   b. Name: Email on Red
   c. Description: Email Red Alert List
   d. Check the box next to Email and then click the Change Recipient link next to that.
   e. A familiar screen will appear. Use it to add the Red Alerts Group and then Submit.
   f. This returns you to the previous screen. Scroll down and click Submit.
   g. Now that our action has been created we can select it and associate it to the rule. Add our rule and click Next.
   h. Since our count column was set to 1 you can take the defaults on the Time Range page. As you can see, we could limit our rule being triggered to a number of counts within a given time frame.

   i. Click Submit to create this rule. Don't forget to hit the Activate button.
Step 21. If you'd like to review your rule, you can find it as the last entry in the Rules page (don't forget there are multiple pages).
Step 22. Now let's trigger a red event to trigger this rule to email the group.
Step 23. Use UserPC2 to launch, yet again, the Sig 5326 attack.
Step 24. Return to the MARS Summary page to see this event. Note that you'll see multiple entries on the Summary page related to this attack; one of which is the rule we just created.
Step 25. UserPC1 has an email account for Wilie and UserPC2 has an account for Road. Open up Outlook Express on both desktops and do a Send and Receive. On UserPC1, since the link in Wilie's email will open a new link to MARS, close out your existing MARS window before clicking on any links in the email. If you attempt to log in with the "Notification Only" account you will NOT be able to log in. However, the Security Analyst can log in to deal with this attack.
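As an added illustration (not from the lab guide and not MARS code), the Python below models the rule shape built in Steps 12 through 20: ANY wildcards in the condition columns, a severity filter, a count threshold that must be met inside a time range, and an Email action to a notification group. The event fields, the TEST-NET addresses and the sample events are constructed for the example; a second rule with count 3 shows what the Time Range page controls when the count is greater than 1.

```python
"""Model of a MARS-style correlation rule, as added illustration (not MARS code):
condition columns where ANY is a wildcard, a severity filter, a count threshold
that must be met inside a time range, and an Email action sent to a user group.
Event fields, addresses and the sample events are constructed for this example."""
from collections import deque
from dataclasses import dataclass, field
from typing import Any, Deque, Dict, List, Optional

ANY = "ANY"  # the ANY check box in the MARS rule editor: match every value


@dataclass
class Event:
    ts: float          # seconds since epoch
    src: str
    dst: str
    event_type: str    # e.g. an IPS signature name
    severity: str      # MARS colour: "RED", "YELLOW" or "GREEN"


@dataclass
class Rule:
    name: str
    conditions: Dict[str, Any]   # column -> required value, or ANY
    severity: str                # required severity, or ANY
    count: int                   # matching events needed to trigger
    window_s: float              # Time Range the count must fall inside
    recipients: List[str]        # notification group for the Email action
    _hits: Deque[float] = field(default_factory=deque, repr=False)

    def matches(self, ev: Event) -> bool:
        """True when severity matches and every non-ANY column equals the field."""
        if self.severity != ANY and ev.severity != self.severity:
            return False
        return all(want == ANY or getattr(ev, col) == want
                   for col, want in self.conditions.items())

    def feed(self, ev: Event) -> Optional[Dict[str, Any]]:
        """Offer one event; return the action when the count is reached in-window."""
        if not self.matches(ev):
            return None
        self._hits.append(ev.ts)
        while self._hits and ev.ts - self._hits[0] > self.window_s:
            self._hits.popleft()          # slide the window forward
        if len(self._hits) >= self.count:
            self._hits.clear()            # one incident per threshold crossing
            return {"action": "Email", "rule": self.name,
                    "to": list(self.recipients), "trigger_ts": ev.ts}
        return None


def run(rule: Rule, events: List[Event]) -> List[Dict[str, Any]]:
    """Replay events in time order and collect every action that fires."""
    return [act for ev in sorted(events, key=lambda e: e.ts)
            if (act := rule.feed(ev)) is not None]


# Constructed sample feed: four RED IPS hits and one YELLOW (TEST-NET addresses).
SAMPLE = [
    Event(1000.0, "192.0.2.50", "198.51.100.10", "Sig 5326 root.exe", "RED"),
    Event(1010.0, "192.0.2.50", "198.51.100.10", "Sig 5326 root.exe", "YELLOW"),
    Event(1020.0, "192.0.2.50", "198.51.100.10", "Sig 5326 root.exe", "RED"),
    Event(1025.0, "192.0.2.50", "198.51.100.10", "Sig 5326 root.exe", "RED"),
    Event(1200.0, "192.0.2.50", "198.51.100.10", "Sig 5326 root.exe", "RED"),
]
RED_ALERTS_GROUP = ["wecoyote@acme.com", "rrunner@acme.com"]
ALL_ANY = {"src": ANY, "dst": ANY, "event_type": ANY}


def email_on_red() -> List[Dict[str, Any]]:
    """The lab's rule: every column ANY, severity RED, count 1. The Time Range
    is irrelevant, so each RED event produces its own email (four here)."""
    rule = Rule("Email on Red", ALL_ANY, "RED", 1, 600.0, RED_ALERTS_GROUP)
    return run(rule, SAMPLE)


def email_on_red_burst() -> List[Dict[str, Any]]:
    """Variant with count 3 inside 60 s: fires once, at the third RED event
    (1025), and the lone event at 1200 lies outside the window."""
    rule = Rule("Email on Red burst", ALL_ANY, "RED", 3, 60.0, RED_ALERTS_GROUP)
    return run(rule, SAMPLE)
```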

This completes the exercises for today. NOW is a GREAT time to complete the training survey.

Exercise 1: Solutions Sale Mock Interview & SoW Generation – with appropriate customer responses

Mock Interview Assumptions:
1. Customer desires better visibility due to high frequency of undetermined network outages.
2. Cisco has core infrastructure within Checkpoint Firewalls, Juniper IDP.
3. A list of deliverables including Product, SE Services, and with Network Engineer to conduct assessment, create SOW.

DATE:
CISCO PARTNER:

GENERAL CUSTOMER INFORMATION:
Company Name: Acme Corp
Address: Anywhere, USA
Primary Contact: Joey Blow
Title: Network Engineer
Phone:
eMail:
Industry Vertical/Line of Business: Services, Call Center outsourcing, customer support
Public or Private: Public
Total number of Employees: 1,300
Total number of Employees on IT Staff: 15
• How many focused on security issues? 2
• How are IT staff segmented, i.e. do Network Ops and SecOps work together? Mostly when we are going through an audit, they always want reports.
Who is responsible for ensuring security policy is enforced?
• Network Ops: We own the routing/switching and firewall
• Security Ops: not sure

WHAT ARE YOUR TOP 3 NETWORK SECURITY CONCERNS TO ADDRESS USING LOG ANALYSIS AND CORRELATION:
1) To find the cause of unexpected network downtime
2) To see if we are being hacked
3) To show management that our security products are protecting us

REGULATORY – CORPORATE COMPLIANCE
List relevant legislative and corporate compliance requirements:
a) SoX
b) HIPAA
c) SLA for our customers
Who is responsible for internal audit? Nancy Smith leads the team
Who is your external Auditing Firm? Not sure

What are the ramifications for non-compliance?
a) Lost customers
b) Failed audits
c) Fines?
What are your long term storage requirements? 3 years
What Auditor reports are required to demonstrate adherence to policy?
a)
b)
c)
d)

OPERATIONAL INFORMATION
1) Do you currently outsource any network or security operations? No
   a. This could limit the ability to collect key data (IPS for example)
2) Does company have an e-commerce presence? No
   a. This could indicate mandates for monitoring and reporting.
3) Do you want to collect and correlate Windows Server Logs? YES
   a. Can Snare be placed on the server? YES
   b. What about change management process? Done
4) Is there in-house Application/Software development? YES
   a. Do these applications need to be collected/analyzed/monitored? Not at this time, but we might want to in the future
5) Does organization make use of Netflow currently? NO
   a. Can we get access to key sources of Netflow? YES
6) Who is responsible for reviewing data from Firewall? The NetSec Team
7) Who is responsible for reviewing data from IPS? The NetSec Team
   a. How are false positives resolved? They are not
8) When was the last time users complained about lack of network availability? Last week
   a. Was the network down? Yes
   b. If so, for how long? 3 hours
   c. How resolved? Reboot
9) On average, how long does it take to find the source of a network or security problem? It depends, sometimes an hour sometimes we never know what happened.
10) What tools does the help desk use to investigate and resolve network or security problems? Sniffers

TOPOLOGY/TOPOGRAPHY:
1) List all offices and the number of employees in each office:
   a. HQ: Dallas, 400
   b. Data Centers: Dallas and Los Angeles
   c. Branch offices: Ohio = 100, Atlanta = 150, Los Angeles 300, London = 100, Japan = 100
   d. SOHO: ~100 remote users

GENERAL REPORTING REQUIREMENTS – General Management reports
1) Specify the type of reports Management wants to see:
   a. Failed logins
   b. Attacks stopped by Firewall
   c. Top Destinations
   d. Top Sources
   e. Other??

UPTIME AND SLA'S
1) Do you have Service Level Agreements in place?
   a. For Customers? YES
   b. For Partners? NO
   c. For Vendors? NO
2) Can you quantify the cost of network downtime? NO

Sensitive Data
1) Do you store employee personal health information? YES, HR Records
2) Do you transmit, store, or process credit card or personal financial data? Not that I'm aware of…
3) How is proprietary data protected: Not sure other than firewalls
4) Do you share data outside the organization: YES, with partners and Marketing companies

Logging
1) Do you currently deploy a syslog server? Yes, for Firewalls
   a. What Brand/Version? Kiwi
   b. What is the current retention period for log files? 3 years
2) Do you have a SAN or NAS setup for long term log storage? SAN
3) How many log entries per day: Not sure
4) List devices sending syslog data in chart below:

PRODUCT INFORMATION – Currently used products and tools
List all Technologies currently in use. Use Notes section to explain locations, HA, etc.

Network and Security Device Information | Vendor     | Model & Version # | QTY | Annual Maintenance Cost | Notes: i.e. Locations, usage, redundancy, etc
Firewall                                | Checkpoint | NG                | 12  | TBD                     |
Firewall                                |            |                   |     |                         |
Firewall                                |            |                   |     |                         |
Router                                  | Cisco      | 3845              | 20  |                         |
Router                                  | Cisco      | 2811              | 40  |                         |
Router                                  |            |                   |     |                         |
Switch                                  | Cisco      | 6509              | 4   |                         |
Switch                                  |            |                   |     |                         |
Switch                                  |            |                   |     |                         |
Switch                                  |            |                   |     |                         |
VPN IPSec                               | Cisco      | 3015              |     |                         |
VPN SSL                                 | Juniper    |                   |     |                         |
Authentication Server                   | Cisco      | ACS               |     |                         |
Authentication Server                   |            |                   |     |                         |
Wireless AP – Controller?               |            |                   |     |                         |
Packet Shaper, Sniffer                  | Peribit    |                   |     |                         |
Syslog                                  | Kiwi       |                   |     |                         |
Network IPS/IDS                         | Juniper    | IDP               |     |                         |
HOST IPS                                |            |                   |     |                         |
Windows Servers                         | Dell       |                   |     |                         |
Databases                               | Oracle     | 10g               |     |                         |
Critical Applications                   | G2         | CRM               |     |                         |
Vulnerability Assessment Tools          | Foundstone |                   |     |                         |
Caching                                 |            |                   |     |                         |
NAC                                     |            |                   |     |                         |
MPLS                                    | Verizon    |                   |     |                         |
Other                                   |            |                   |     |                         |
Other                                   |            |                   |     |                         |

TOP OF MIND SECURITY CONCERNS:
1. Executive Level: Can't see why we need to spend so much on Security
2. Management Level: Taking heat for so many network outages
3. Engineering Level: Can't keep up with all the tasks, from Patching systems, to chasing down root cause for downtime, can't get work done.

DOCUMENTATION: (please provide)
1. VISIO NETWORK DIAGRAM
2. SECURITY POLICY (optional)

Exercise 2: Solutions Sale Mock Interview & SoW Generation – SE interview

Mock Interview Assumptions:
4. Customer desires better visibility due to high frequency of undetermined network outages.
5. Cisco has core infrastructure within Checkpoint Firewalls, Juniper IDP.
6. A list of deliverables including Product, SE Services, and with Network Engineer to conduct assessment, create SOW.

DATE:
CISCO PARTNER:

GENERAL CUSTOMER INFORMATION:
Company Name:
Address:
Primary Contact:
Title:
Phone:
eMail:
Industry Vertical:
Public or Private:
Total number of Employees:
Total number of Employees on IT Staff:
• How many focused on security issues?
• How are IT staff segmented, i.e. do Network Ops and SecOps work together?
Who is responsible for ensuring security policy is enforced?
• Network Ops:
• Security Ops:

WHAT ARE YOUR TOP 3 NETWORK SECURITY CONCERNS TO ADDRESS USING LOG ANALYSIS AND CORRELATION:
4) >
5) >
6) >

REGULATORY – CORPORATE COMPLIANCE
List relevant legislative and corporate compliance requirements:
d) >
e) >
f) >
Who is responsible for internal audit?
Who is your external Auditing Firm?
What are the ramifications for non-compliance?
d) >
e) >
f) >
What are your long term storage requirements?
What Auditor reports are required to demonstrate adherence to policy?
e) >
f) >
g) >
h) >

OPERATIONAL INFORMATION
11) Do you currently outsource any network or security operations?
   a. This could limit the ability to collect key data (IPS for example)
12) Does company have an e-commerce presence?
   a. This could indicate mandates for monitoring and reporting.
13) Do you want to collect and correlate Windows Server Logs?
   a. Can Snare be placed on the server?
   b. What about change management process?
14) Is there in-house Application/Software development?
   a. Do these applications need to be collected/analyzed/monitored?
15) Does organization make use of Netflow currently?
   a. Can we get access to key sources of Netflow?
16) Who is responsible for reviewing data from Firewall?
17) Who is responsible for reviewing data from IPS?
   a. How are false positives resolved?
18) When was the last time users complained about lack of network availability?
   a. Was the network down?
   b. If so, for how long?
   c. How resolved?
19) On average, how long does it take to find the source of a network or security problem?
20) What tools does the help desk use to investigate and resolve network or security problems?

TOPOLOGY/TOPOGRAPHY:
2) List all offices and the number of employees in each office:
   a. HQ:
   b. Data Centers:
   c. Branch offices:
   d. SOHO:

GENERAL REPORTING REQUIREMENTS – General Management reports
2) Specify the type of reports Management wants to see:
   a. >
   b. >
   c. >
   d. >
   e. >

UPTIME AND SLA'S
3) Do you have Service Level Agreements in place?
   a. For Customers?
   b. For Partners?
   c. For Vendors?
4) Can you quantify the cost of network downtime?

Sensitive Data
5) Do you store employee personal health information?
6) Do you transmit, store, or process credit card or personal financial data?
7) How is proprietary data protected:
8) Do you share data outside the organization:

Logging
5) Do you currently deploy a syslog server?
   c. What Brand/Version?
   d. What is the current retention period for log files?
6) Do you have a SAN or NAS setup for long term log storage?
7) How many log entries per day:
8) List devices sending syslog data in chart below:

PRODUCT INFORMATION – Currently used products and tools
List all Technologies currently in use. Use Notes section to explain locations, HA, etc.

Network and Security Device Information | Vendor | Model & Version # | QTY | Annual Maintenance Cost | Notes: i.e. Locations, usage, redundancy, etc
Firewall                                |        |                   |     |                         |
Firewall                                |        |                   |     |                         |
Firewall                                |        |                   |     |                         |
Router                                  |        |                   |     |                         |
Router                                  |        |                   |     |                         |
Router                                  |        |                   |     |                         |
Switch                                  |        |                   |     |                         |
Switch                                  |        |                   |     |                         |
Switch                                  |        |                   |     |                         |
Switch                                  |        |                   |     |                         |
VPN IPSec                               |        |                   |     |                         |
VPN SSL                                 |        |                   |     |                         |
Authentication Server                   |        |                   |     |                         |
Authentication Server                   |        |                   |     |                         |
Wireless AP – Controller?               |        |                   |     |                         |
Packet Shaper, Sniffer                  |        |                   |     |                         |
Syslog                                  |        |                   |     |                         |
Network IPS/IDS                         |        |                   |     |                         |
HOST IPS                                |        |                   |     |                         |
Windows Servers                         |        |                   |     |                         |
Databases                               |        |                   |     |                         |
Critical Applications                   |        |                   |     |                         |
Vulnerability Assessment Tools          |        |                   |     |                         |
Caching                                 |        |                   |     |                         |
NAC                                     |        |                   |     |                         |
MPLS                                    |        |                   |     |                         |
Other                                   |        |                   |     |                         |
Other                                   |        |                   |     |                         |

TOP OF MIND SECURITY CONCERNS:
4. Executive Level:
5. Management Level:
6. Engineering Level:

DOCUMENTATION: (please provide)
3. VISIO NETWORK DIAGRAM
4. SECURITY POLICY (optional)

MARS Lab Logical Topology Diagram

[Figure: MARS Lab Topology. Labels recoverable from the diagram:
   Core Router: Cisco 2811 with subinterfaces fa0/0.x1 through fa0/0.x9 (.1 on each VLAN); 3550g switch, network management interface
   VLAN x1 Net Mgt: 192.168.1.0/24
   VLAN x2 Security Services: 192.168.2.0/24; MARS 4.2.6 (2458), CSM 3.1.0, Common Services 3.0.5, RME 4.0.5, AutoUpdate 3.0.5 on Win2k3
   VLAN x3 Windows Servers: 192.168.3.0/24; Win2k DC, DNS, DHCP, IIS, Syslog, ACS 4.1
   VLAN x4 User VLAN: 192.168.4.0/24; User PC 1, Win 2000 Pro SP4
   VLAN x5 Firewall Inside trusted: 192.168.5.0/24; VLAN x8 Firewall Inside untrusted, bridged, 192.168.5.0/24; NAC-CAS In-band VPN 4.1.2.1 with CAS failover cross-over cable
   VLAN x6 Firewall Outside: 167.21.6.0/24; firewall e0/0 outside (0) .254 and e0/1 inside (100) .254; User PC 2, Win 2000 Pro SP4
   VLAN x9 Attacker VLAN: 192.168.9.0/24; Attacker PC 1, BackTrack]
