SPECTRUM Security Manager (SSM) 1.2 Normalizer and Agent Configuration Guide


Notice

Copyright Notice

Copyright 2001 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS (c)(1)(ii) and FAR

Copyright 2001 by Intellitactics, Inc. All rights reserved.

Liability Disclaimer

Aprisma Management Technologies, Inc. ("Aprisma") reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made. The hardware, firmware, or software described in this manual is subject to change without notice.

IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.

Trademark, Service Mark, and Logo Information

SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to:

jsnmp Enterprise copyright OutBack Resource Group, Inc. All rights reserved.

All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an e-mail to spectrum-docs@aprisma.com; we will do our best to help.

Restricted Rights Notice

(Applicable to licenses to the United States government only.)

This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR (June 1987) Alternate III(g)(3) (June 1987), FAR (June 1987), or DFARS (c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license.

Virus Disclaimer

Aprisma makes no representations or warranties to the effect that the licensed software is virus-free. Aprisma has tested its software with current virus-checking technologies. However, because no antivirus system is 100-percent effective, we strongly recommend that you write protect the licensed software and verify (with an antivirus system with which you have confidence) that the licensed software, prior to installation, is virus-free.

Contact Information

Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH USA
Phone:
U.S. toll-free:
Web site:

Contents

Notice
Preface
  Intended Audience
  Text Conventions
  Document Feedback
  Online Documents
Normalizers and Agents
  Explaining What a Normalizer Is
  Installing the SSM Normalizer Pack
  Explaining What an Agent Is
SSM's Event2Message Service
  Explaining What Event2Message Is
  Installing SSM's Event2Message Service
  Configuring SSM's Event2Message Service
  Adding a Remote Host
  Removing a Remote Host
  Adding an Event Filter
  Removing an Event Filter
  Configuring an Event Filter
  Setting the Event Type
  Setting the SSM Data Type
  Setting the Default Policy
  CyberCop Monitor
  Using Tokens
  Using Templates
  Statistics
  Resetting the Counters
  Resetting the Counters to the Current Event
  Checking Service Status
  Automatically Initializing SSM's Event2Message Service
  Setting the Default Policy for an Event
  Starting SSM's Event2Message Service
  Removing the Event2Message Service
McAfee Agent
  Installing the McAfee Agent for Windows NT
  Installing the McAfee Agent for Solaris
  Configuring the McAfee Agent
  Starting the McAfee Agent for Windows NT
  Starting the McAfee Agent for Solaris
Snort Scanner
  Explaining What Snort Scanner Is
  Configuring Snort Scanner to Send SNMP Traps to SSM
  Verifying That Snort Scanner Sends SNMP Traps
Axent Raptor Firewall
  Explaining What Axent Raptor Firewall Is
  Configuring Axent Raptor Firewall to Send SNMP Traps
  Verifying That Axent Raptor Firewall Sends SNMP Traps
Check Point Firewall
  Explaining What Check Point Firewall-1 Is
  Initializing the Windows NT SNMP Service
  Configuring the Windows NT SNMP Service
  Configuring Check Point Firewall
  Configuring Firewall-1 to Send SNMP Traps to SSM
  Verifying That SSM Is Connected to Check Point Firewall
  Configuring Check Point Firewall-1 to Log Events
Cisco Secure PIX Firewall
  Explaining What Cisco Secure PIX Firewall Is
  Adding SSM to the PIX Firewall Server Tables
  Enabling SNMP Traps from Cisco Secure PIX Firewall
  Configuring Cisco Secure PIX Firewall to Send SNMP Traps
McAfee Dr. Solomon NetShield
  What McAfee Dr. Solomon NetShield Is
  Installing the Windows NT SNMP Service
  Configuring the Windows NT SNMP Service
  Installing the Windows NT Service Pack 6a High Encryption Edition
  Installing and Configuring McAfee Dr. Solomon NetShield
Internet Security Systems (ISS) RealSecure
  Explaining What Internet Security Systems (ISS) RealSecure Is
  Configuring ISS RealSecure to Log Events to SSM
  Configuring ISS RealSecure to Send SMTP Events to SSM
  Configuring ISS RealSecure to Send SNMP Traps to SSM
PENS Dragon System
  Explaining What PENS Dragon System Is
  Initializing the PENS Dragon System
  Verifying That the PENS Dragon System Is Initialized
  Configuring the PENS Dragon System to Send SNMP Traps to SSM
  Configuring Dragon Squire to Send SNMP Traps to SSM
Solaris Syslog
  Explaining What Solaris Syslog Is
  Configuring Solaris Syslog to Log Events
Index

Preface

In this section:
- Intended Audience
- Text Conventions
- Document Feedback
- Online Documents

Intended Audience

This guide is intended for users of SPECTRUM Security Manager (SSM) with novice, intermediate, or advanced expertise in the application. It provides detailed configuration information about SSM's normalizers and agents in a task-based format that can be employed as a personal reference guide or as part of a training materials package.

Text Conventions

The following text conventions are used in this document:

Element | Convention Used | Example
User-supplied parameter names | Courier in angle brackets <>. | The user needs to type the password in place of <password>.
On-screen text | Courier | The following line displays: path= /audit
User-typed text | Courier | Type the following path name: C:\ABC\lib\db
Cross-references | Underlined and hypertext-blue | See Document Feedback [Page 7].
References to SPECTRUM documents (title and number) | Italic | SPECTRUM Installation Guide ( )
Functionality enabled by SPECTRUM Alarm Notification Manager (SANM) | SANM in brackets []. | [SANM] AGE_FIELD_ID

Document Feedback

Please send feedback regarding SPECTRUM documents to the following address:

Thank you for helping us improve our documentation.

Online Documents

SPECTRUM documents are available online at:

Check this site for the latest updates and additions.

Normalizers and Agents

In this section:
- Explaining What a Normalizer Is
- Installing the SSM Normalizer Pack
- Explaining What an Agent Is

Explaining What a Normalizer Is

Normalizers are small applications that take a message produced by a network security device (such as Cisco Secure PIX Firewall or PENS Dragon System) and restructure the message into the SSM standard format. Normalizers parse the original message into parts that are useful to SSM. Without a normalizer, SSM might not be able to understand the data your security devices provide.

Individual normalizers are installed on the SSM Central Server and Event Concentrators. Each normalizer works with a specific version of a corresponding network device; for example, the Check Point normalizer works with Check Point Firewall-1 version 4.1.

Most network devices generate one or more types of data. In this case, you must decide which types of data SSM accepts from each device. Data types include SNMP traps, SMTP e-mails, and syslogs.

SSM analyzes and manipulates the information from these normalized events according to instructions stored in its rules. When the incoming event data meets the parameters set in its rules, SSM can also perform actions, anything from paging administrators to shutting down key network resources.

List of device normalizers:
- CheckPoint
- Cisco Pix
- Dragon
- ISS RealSecure
- McAfee AntiVirus
- NetScreen
- Raptor
- Black Ice
- CyberGuard
- Network Flight Recorder (NFR)
- SessionWall
- Solaris Syslog
- Sun Screen

Normalizers are used in SSM's SNMP rule, because the type of normalizing that must be performed for SNMP traps is not required for any other rule. Each normalizer is specific to SNMP traps received from a certain computer.

The following example of an SSM rule illustrates how normalizers translate individual device data types into SSM types:

(1) This rule makes SSM examine all incoming device data. If the source IP matches the IP address for one of SSM's supported security devices (e.g., CheckPoint or Raptor), then
(2) SSM confirms the data's source by checking its object ID (OID). If the data comes from a supported network device,
(3) SSM passes the data through the normalizer associated with that device type.
(4) SSM can then perform an action based on the translated data.

Installing the SSM Normalizer Pack

Before starting SSM, you must install the Normalizer Pack. This pack contains all of the normalizers that SSM might need. You can also add normalizers at any time.

Install the normalizers for any network devices that will send information to SSM on the Central Server. On an Event Concentrator, install only the normalizer that supports the network device installed on that computer. (For instance, the Check Point Firewall-1 normalizer must be installed on any computer that sends Firewall-1 information to SSM).

Procedure

1. [Windows NT] Double-click normalizers.exe (on the SSM CD in the Normalizer_Pack folder). The InstallShield application starts.
   or
   [Solaris] Run the normaliz.bin file on the SSM CD. The InstallShield application starts.
2. Read the welcome screen; then click
   a. Next to proceed, or
   b. Cancel to exit the Installer program.
3. Read and agree to the software license agreement; then click Next.
4. The screen lists all available device normalizers that can be used with SSM. Select the checkboxes for the normalizer(s) you want to install; then click Next.
5. Information about the location, features, and total size of your customized installation appears. Click Next. The InstallShield begins installing your normalizers.
   Note: If the Replace Existing File dialog box appears, click Yes to All to continue with the Normalizer Pack installation.
6. Click Finish.
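The four-step SNMP rule flow described earlier in this section (source IP match, OID check, device normalizer, action), sketched as an added example; it is not SSM's rule syntax or code. The device table, OID prefixes, trap payload layouts and output field names are all constructed for illustration.

```python
"""SNMP rule flow: source IP match -> OID check -> normalizer -> action.

Illustrative only: the device table, enterprise OID prefixes, trap payload
layouts and normalized field names are constructed sample values, not SSM's
real rule language or message format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trap:
    source_ip: str       # address the trap arrived from
    enterprise_oid: str  # OID carried in the trap
    payload: str         # device-specific message text


# Step 1 data: IP addresses of supported devices (constructed).
DEVICES = {"192.0.2.10": "checkpoint", "192.0.2.20": "pix"}

# Step 2 data: OID subtree expected from each device type (constructed).
OID_PREFIX = {"checkpoint": "1.3.6.1.4.1.99991", "pix": "1.3.6.1.4.1.99992"}


def normalize_checkpoint(payload):
    """Constructed layout: space-separated key=value pairs."""
    fields = dict(p.split("=", 1) for p in payload.split() if "=" in p)
    if not {"action", "src", "dst"} <= fields.keys():
        return None
    return {"type": "firewall." + fields["action"],
            "src": fields["src"], "dst": fields["dst"]}


def normalize_pix(payload):
    """Constructed layout: verb|protocol|source|destination."""
    parts = payload.split("|")
    if len(parts) != 4:
        return None
    verb, _proto, src, dst = parts
    verb = {"deny": "drop", "permit": "accept"}.get(verb, verb)
    return {"type": "firewall." + verb, "src": src, "dst": dst}


NORMALIZERS = {"checkpoint": normalize_checkpoint, "pix": normalize_pix}


def oid_under(oid, prefix):
    """Match on whole arcs so ...99991 does not also accept ...999912."""
    return oid == prefix or oid.startswith(prefix + ".")


def process(trap, act):
    """Run one trap through the four steps; return (status, detail)."""
    device = DEVICES.get(trap.source_ip)                        # step (1)
    if device is None:
        return ("skipped", "source IP is not a supported device")
    if not oid_under(trap.enterprise_oid, OID_PREFIX[device]):  # step (2)
        return ("rejected", "OID does not belong to " + device)
    event = NORMALIZERS[device](trap.payload)                   # step (3)
    if event is None:
        return ("unparsed", "payload did not fit the " + device + " layout")
    event["device"] = device
    act(event)                                                  # step (4)
    return ("normalized", event)


def demo():
    """Feed constructed traps through the rule and collect the outcomes."""
    pages = []  # stands in for an action such as paging an administrator

    def act(event):
        if event["type"] == "firewall.drop":
            pages.append("page admin: %(device)s dropped %(src)s -> %(dst)s" % event)

    cp_oid = "1.3.6.1.4.1.99991.1.1"
    cp_msg = "action=drop src=198.51.100.7 dst=192.0.2.5"
    traps = [
        Trap("192.0.2.10", cp_oid, cp_msg),                    # normal Check Point trap
        Trap("192.0.2.20", "1.3.6.1.4.1.99992.2",
             "deny|tcp|198.51.100.9|192.0.2.5"),               # normal PIX trap
        Trap("192.0.2.20", cp_oid, cp_msg),                    # PIX address, wrong OID
        Trap("203.0.113.50", cp_oid, cp_msg),                  # unknown source
        Trap("192.0.2.10", "1.3.6.1.4.1.999912.1", cp_msg),    # look-alike OID arc
        Trap("192.0.2.10", cp_oid, "garbled"),                 # unparseable payload
    ]
    statuses = [process(t, act)[0] for t in traps]
    return statuses, pages


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The OID comparison is done per arc; a plain string-prefix test would let the fifth trap through to the Check Point normalizer.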

Explaining What an Agent Is

An agent is a proprietary program that performs an information gathering or processing task in real time. In SSM, agents extract information from network devices that do not normally broadcast event data. The agents send this information to SSM.

SSM currently uses three agents:
- Event2Message
- McAfee
- Snort Scanner

Although agents may function with normalizers, they are not installed during the SSM Normalizer Pack installation. You must manually install SSM agents on Event Concentrators. The agent you install depends on the type of network device handled by the Concentrator. For instance, if the Concentrator has McAfee Dr. Solomon NetShield installed on it, you must install the McAfee agent on the same computer.

Note: Event2Message is an exception, because this agent can be configured to monitor up to 20 remote computers.

SSM's Event2Message Service

In this section:
- Explaining What Event2Message Is
- Installing SSM's Event2Message Service
- Adding a Remote Host
- Configuring an Event Filter
- Setting the Event Type
- Setting the SSM Data Type
- Setting the Default Policy
- CyberCop Monitor
- Statistics
- Checking Service Status
- Automatically Initializing SSM's Event2Message Service
- Setting the Default Policy for an Event
- Starting SSM's Event2Message Service

Explaining What Event2Message Is

SSM's Event2Message service is a proprietary application that gathers event logs from Windows NT computers across a network and sends this information in the form of events to SSM. Event logs can contain thousands of events; the Event2Message service determines which events should be sent to SSM, and then translates those events into the standard SSM message format. Event2Message monitors three standard logs: System, Application, and Security.

The Event2Message service is capable of gathering logs from remote computers on the same domain. A server with Event2Message can monitor events from up to 20 other computers; if more than 20 computers require monitoring, the load should be shared evenly. For example, if 30 computers are monitored, the Event2Message service must be installed on two computers and each service should monitor 15 computers.

The Event2Message service must be initialized on each Windows NT computer that monitors events locally or through a remote host. For the Event2Message service to run properly, you must perform each of the following actions in the order presented:

Installing SSM's Event2Message Service

If you intend to use CyberCop, Snort, or NT Eventlog, you must install SSM's Event2Message service. Install Event2Message on the computer that events are being sent to, which is either an Event Concentrator or the Central Server (depending on your network configuration). The browse function must also be activated on the computer that the service will be installed on.

Note: Event2Message can only be installed on Windows NT computers.

Procedure

1. On the SSM CD, double-click Setup.exe in the Event2Message folder.
2. The Choose Destination Location screen appears. The default C:\Program Files\NT Collector directory is recommended. Click Next. The installation begins.
3. Once the screen displays a success message, click OK.
4. At this point, follow the procedures contained in this section to configure the service for your enterprise network.
5. To complete the installation, click Finish in the InstallShield.
6. Close the Collector Configuration window; the Collector Configuration window appears:

Configuring SSM's Event2Message Service

For the Event2Message service to function properly, configure its system settings before starting the service. The Collector Configuration window opens automatically after the installation completes. If it does not, go to C:\Program Files\NT Collector\EventLogAgent Configuration; then select Collector Configuration Tool.

Procedure

1. In the Collector Configuration window, type the IP address of the Central Server or Event Concentrator in the Concentrator Address field. The default is the loopback address.
   Note: Any time the IP address of the local host is changed in the Concentrator Address field, the Event2Message service must be stopped and restarted for events to be forwarded.
2. The default Concentrator Port can remain as 9317, unless you have specified a different port for the Central Server or Event Concentrator to receive information.
3. If you select the Pass Unknown Events checkbox, when Event2Message encounters a message for which no filter is defined, the event is forwarded to SSM as an unknown type.
4. The Monitored Hosts Update Interval (secs) field shows the amount of time (in seconds) the system waits before processing a remote host's event logs. Use the spin box to adjust this setting, if necessary.
5. Click Update to ensure that your changes are applied. If you do not click this button, your changes are not saved.

Adding a Remote Host

Remote hosts are computers monitored by the Event2Message service. You must be able to browse the network from the computer that Event2Message is installed on to add a remote host. (You cannot type the IP address of a remote host manually.)

Note: All remote hosts that are being monitored by the Event2Message service should have the same NT Eventlog configuration.

Procedure

1. Select the Remote Host Configuration node. The Registered Hosts pane appears at the right side of the window:
2. In the Domain Computers list box, navigate to the computer you want to monitor; then click the button.
3. The selected computer now appears in the Monitored Computers list box with a checkbox beside it. When the checkbox is selected, the computer is monitored; when it is not selected, the computer is not monitored and an icon appears beside the computer's node under the Remote Host Configuration node.
4. When you select a computer in the Monitored Computers list box, information about the Hostname, IP Address, and Last Update displays. If you want unknown events to pass to the Central Server or Event Concentrator, select the Pass Unknown Events checkbox.
5. Repeat steps 2 through 4 for each computer you want to monitor as a Remote Host. They will appear as nodes under the Remote Host Configuration node:

Removing a Remote Host

1. Select the Remote Host Configuration node. The Registered Hosts pane appears at the right side of the window.
2. In the Monitored Computers list box, select the computer you want to remove; then click the button.
3. A warning dialog box appears. Click Yes. All of the host data is removed.

Adding an Event Filter

Event filters control the way events pass to SSM through the Event2Message service. They define events and control whether or not they are normalized and passed through to the SSM Central Server or Event Concentrators. Filters have a .filter file extension and are found in the NTCollector directory on your hard drive.

The available filters are:
- cybercopmonitor.filter
- security.filter

You must add at least one filter before starting the Event2Message service. If you do not add a filter, the Event2Message service fails. Individual filters must be added to the local host and all remote hosts using Event2Message. Make sure all filters installed on the local host (i.e., the monitoring computer) are also installed on each remote host.

Although Snort Scanner requires Event2Message to send events to SSM, it does not require a filter.

Procedure

1. Expand either the Local Host Configuration node or the Remote Host Configuration node; then select the Event Filters node. The Registered Filters pane appears at the right side of the window:
2. Click Install Filter. A file dialog box appears. Select each of the .filter files that you want to install from the C:\Program Files\NT Collector folder; then click Open for each file.
3. The Registered Filters area now lists the installed filters with a checkbox beside each. Select the checkbox beside each filter to activate it. Once a filter is active, an icon appears beside the filter's node; if a filter is inactive, an icon appears.

Removing an Event Filter

1. Select the Event Filters node of the appropriate computer. The Registered Filters pane appears at the right side of the window.
2. Select the filter you want to remove; then click Remove.
3. A warning dialog box appears. Click Yes.

Note: When you remove a filter, all of the data for the filter is removed from the system and any configuration changes that you have made are lost.

Configuring an Event Filter

You can configure how each installed filter parses the data that is passed through Event2Message using the Event Filters screen. This pane contains two tabs: Source and Event ID.

The Source tab displays installed filters. This does not refer to the specific event logs that are monitored. The Source Names list box displays the name of the filter that was selected for the installed filter. For example, security is the Source Name for the Eventlog filter.

The Event IDs tab is used to configure how each event identifier is filtered. The Event ID list box displays all of the installed event filters monitored by Event2Message. If the checkbox beside the event ID is selected, the event filter is active; if the checkbox is not selected, the event filter is not active. When the filter is active, events of this type are normalized and passed on to the SSM Central Server or Event Concentrator; when it is inactive, the event is ignored (even if the Pass Unknown Events checkbox is selected).

Procedure

1. In the left corner of the Collector Configuration screen, select an installed filter node (for example, security). The Event Filters screen appears.
2. On the Event ID tab, type the event ID in the Event ID field.
3. Click Add. The new event filter appears in the Event ID list.

Note: The new Event ID is not initially listed in numerical order in the list; it is placed at the bottom.

Setting the Event Type

You can set which event ID types pass to SSM. There is a checkbox beside each event ID. When selected, the Event ID type passes to SSM only if its default policy is also set to pass. By default, all event ID types are selected. Clearing a checkbox causes the service to ignore the event if the Pass Unknown Events checkbox is selected.

Procedure

1. Expand either the Local Host Configuration or the Remote Host Configuration node; then select the Event Filters node.
2. Select an installed filter node (for example, from Event Filters > security). The Event Filters screen appears.
3. Click the Event ID tab.
4. Select the checkbox beside an event type to enable it.
   or
   Clear the checkbox to disable an event type.

Setting the SSM Data Type

The SSM Type field contains information about the type of an event. This type is sent to the SSM Central Server or Event Concentrator when the event occurs. The Description of Event field contains a description of the event that occurred. It is only for reference and does not affect the performance of Event2Message. Both fields can be edited.

Procedure

1. Select a filter in the Event ID list box; then click NSM Data at the bottom of the pane.
2. Type an SSM value in the NSM > Type field.
3. Type a brief description of the event in the Description of Event field.
4. Click Update to save your changes.

Setting the Default Policy

The Default Policy tab (at the bottom of the Event Filters pane) lets you specify the default Event2Message policy for the event that is selected in the Event ID list box. If the Default Policy is set to Pass and the event is active, the event is normalized and passed to the SSM Central Server or Event Concentrator once it is encountered. If the event is active and the policy is set to Block, the event is ignored.

Procedure

1. Select a filter from the Event ID list box; then select the Default Policy tab.
2. Select either Pass or Block.

Note: If the event ID's checkbox is not selected, and the Default Policy is set to Pass, the event is passed to SSM as an unknown event type.

CyberCop Monitor

For CyberCop Monitor, even though there are over 400 CyberCop events, there is only one event ID: This event ID does not have either an SSM Type or a Description of Event field. When the appropriate token is selected, a CyberCop identifier is pulled from the event and referenced in the CyberCop template. This template contains CyberCop event IDs, as well as descriptions of the events. It sends information such as username, domain, and threat level to SSM.

Using Tokens

The CyberCop Monitor filter uses tokens to identify SSM data in an event. Tokens tell Event2Message which part of the event contains the template definition. Tokens must be normalized in a certain order, but this order differs for each event ID. When events occur, the tokens are searched to provide such information as the username and domain of the user who created the event. The list of tokens that are searched in the Event Message field must match the order of the tokens found in the original message. Selecting a token makes the Event2Message service look up the associated ID in the template file.

Procedure

1. Select an event ID from the Event ID list box; then click the Tokens tab.
2. Select the checkbox(es) of the token(s) you want to add.

Using Templates

Only CyberCop Monitor uses templates. The cmtemplate.ini provides information such as name and type to SSM. Templates must be added to each event ID by selecting either the Select All checkbox or individual checkboxes. If a template is not selected, that event is ignored even if a token is selected.

Procedure

1. Select an Event ID; then click the Templates tab.
2. Click the button. The Windows Explorer opens.
3. Navigate to the C:\Program Files\NT Collector directory and select the cmtemplate.ini template.
4. Click OK; then click Update.

Statistics

The Statistics screen displays, in graphic form (pie, bar, area, or line), the event types (Security, Application, System) that occurred on the local hosts or remote hosts monitored by Event2Message. You can view the statistics for each monitored computer. It is an excellent troubleshooting tool.

The Uptime field in the same status area shows how long the service has been running. The Record Pointer refers to the number of events in the system. This includes events that have not been normalized by Event2Message.

Use the Reset Counters button to clear the graphs. All historical data is erased and the Event2Message service is automatically restarted if it is running.

Note: This function does not clear the NT Eventlogs; they must be cleared manually.

Use the Set to Current button to set the record pointers to the current records for each log. This feature is useful if the Eventlog is extremely large. All historical data is ignored and the counters begin from the current event. The service restarts automatically if it is running.

You must clear all of the events in the NT Eventlog; if you clear only one, the Event2Message service may not function properly.

Note: For Event2Message to work properly, the NT Eventlog must be set to overwrite existing records when the maximum log size is reached.

Procedure

1. Expand the Local Host Configuration or Remote Host Configuration node.
2. Select the Statistics child node for one of the monitored computers. The Statistics screen appears:
3. In the Chart Type field, choose between Pie, Bar, Area, or Line graphs. The selected graph type appears on the screen.

Resetting the Counters

1. On the Statistics screen, click Reset Counters.
2. The following warning appears:
3. Click Yes to continue, or No to cancel.

Resetting the Counters to the Current Event

1. On the Statistics screen, click Set to Current.
2. A warning appears. Click Yes to continue, or No to cancel.

Checking Service Status

To check the Event2Message service status, select the Service Status tab in the Main Panel. The Service is currently field lists the status of the Event2Message service. There are three possible values.

- Stopped: The service is installed, but stopped.
- Started: The service is installed and running.
- Not Installed: The service has not been installed.

When the service is running, the Start/Stop Service button is labeled Stop Service. Click the button and the Event2Message service stops. When the service is not running, the button is labeled Start Service. Click the button and the Event2Message service starts. If the Event2Message service is not installed, the button is disabled.

Automatically Initializing SSM's Event2Message Service

For the Event2Message service to automatically initialize, the computer that it is installed on must be configured and restarted.

Procedure

1. Make sure that the Event2Message service is not started.
2. In Windows NT, go to Start > Settings > Control Panel; then double-click Services.
3. Select the Event2Message service; then click Startup. The Service dialog box appears:
4. In the Startup Type section, make sure the Automatic option is selected.
5. In the Log On As section, make sure the System Account option is selected and the Allow Service to Interact with Desktop checkbox is cleared.
6. Click OK to close the Service dialog box.
7. Click Close to close the Services dialog box.

Setting the Default Policy for an Event

The Default Policy controls whether or not an event is sent to SSM and normalized into the SSM message format. Events that are blocked are ignored entirely by SSM. There are four states that can be set for events.

- Normalized: Events are passed to SSM.
- Passed Unknown: Events not selected to pass (and therefore do not pass to SSM).
- Blocked: Events selected to be blocked.
- Ignored: Events not selected.

Starting SSM's Event2Message Service

The Event2Message service can be started once the configuration process is complete.

Procedure

1. In Windows, go to Start > Settings > Control Panel; then double-click Services.
2. Select the Event2Message service; then click Start.

Removing the Event2Message Service

1. In Windows, go to Start > Settings > Control Panel; then double-click Add/Remove Programs.
2. Select the Event2Message program; then click Remove. The uninstall process begins.

McAfee Agent

The McAfee agent gathers information from the McAfee Server. This agent reads the events or records that it takes from the McAfee Database Server, and sends them to the SSM Central Server. The McAfee AntiVirus normalizer then parses these records into a format that SSM can recognize.

In this section:
- Installing the McAfee Agent for Windows NT
- Installing the McAfee Agent for Solaris
- Configuring the McAfee Agent
- Starting the McAfee Agent for Windows NT

Installing the McAfee Agent for Windows NT

When installing the McAfee agent, type the epolicy database password, which is saved as plain text in the McAfee.conf file in the McAfee_Agent directory. It is best to create a new user with read-only access to the database; then use the new username and password for the McAfee agent. If you need to change the password, edit the McAfee.conf file.

Install the McAfee agent on the same computer that McAfee Dr. Solomon NetShield is installed on.

Procedure

1. Double-click McAfee_Agent.exe on the SSM CD in the SSM\agents\mcafee folder.
2. Read the welcome screen. Click Cancel to exit the Installer program.
   or
   Click Next to proceed. The following screen appears:
3. Type the name of the McAfee database server, timeout value, username, and password in the appropriate fields; then click Next.
4. Type the IP address of the SSM Central Server or Event Concentrator to which the agent will send events. The default is the loopback address. Click Next.
5. This screen displays the default Directory name: \SSM\agents\mcafee. The default is recommended; you can use the default.
   or
   Click Browse to change the destination to an existing folder.
6. A dialog box appears indicating that the directory does not exist. Click Yes to create the directory on your computer.
7. Information about the location, features, and total size of the installation appears. Click Next. The installation begins.
8. Click Finish to complete the installation.

43 Installing the McAfee Agent for Solaris

When installing the McAfee agent, you type the epolicy database password, which is saved as plain text in the McAfee.conf file in the McAfee_Agent directory. It is best to create a new user with read-only access to the database; then use the new username and password for the McAfee agent. If you need to change the password, edit the McAfee.conf file.

Procedure
1. On the SSM CD, double-click McAfee_Agent.bin in the /SSM/agents/mcafee folder.
2. Read the welcome screen. Click Cancel to exit the Installer program, or click Next to proceed. The following screen appears:

Page 43

44
3. Type the name of the McAfee server, timeout value, username, password, and name of the McAfee database (the default is NaiEvents) in the appropriate fields; then click Next.
4. Type the IP address of the SSM Central Server or Event Concentrator to which the agent will send events. The default is the loopback address. Click Next.
5. This screen displays the default Directory name: /opt/mcafee_agent. The default is recommended. You can use the default, or click Browse to change the destination to an existing folder.
6. A dialog box appears indicating that the directory does not exist. Click Yes to create the directory on your computer.
7. Information about the location, features, and total size of the installation appears. Click Next. The installation begins.
8. Click Finish to complete the installation.

Note: If you want to change any settings after the McAfee agent is installed, follow the procedure on page 45.

Page 44

45 Configuring the McAfee Agent 1. Open the Mcafee.conf file in the C:\SSM\agents\mcafee directory using the Notepad application or an equivalent text editor. 2. Change the values for Timeout, ServerName, UserName, Password and Database as needed. Do not change the other values. 3. Save the file and close Notepad (or the other text editor). For more information about configuring the McAfee agent, read the Readme.txt file in the C:\SSM\agents\mcafee directory. Page 45

46 Starting the McAfee Agent for Windows NT Double-click McAfee_Agent.exe in the C:\McAfee_Agent directory. or Go to Start > Programs > Spectrum Security Manager > Agents > McAfee Agent. This opens a command console that displays debugging information if the Debug value in the Mcafee.conf file is set to true. Page 46

47 Starting the McAfee Agent for Solaris Double-click McAfee_Agent.bin in the /opt/mcafee_agent directory. This opens a command console that displays debugging information if the Debug value in the Mcafee.conf file is set to true. Page 47

48 Snort Scanner In this section: Explaining What Snort Scanner Is [Page 49] Configuring Snort Scanner to Send SNMP Traps to SSM [Page 50] Verifying That Snort Scanner Sends SNMP Traps [Page 54] Page 48

49 Explaining What Snort Scanner Is Snort Scanner is a lightweight intrusion detection tool that monitors networks. It can detect a variety of irregular network traffic, including direct and indirect attacks. Currently, version 1.7 is supported for Windows NT. At this time, Snort is not supported for Solaris. Snort functions as an agent. It requires the Windows NT Event2Message service to send SNMP traps to SSM. For details on installing Snort, refer to the Snort Scanner documentation. You must use the Xato Snort Panel to configure Snort. For details on installing Snort Panel, refer to the Xato Snort Panel documentation. Note: Snort Panel is designed for configuring Snort Scanner 1.6. For details on configuring Snort Scanner 1.7 using the Snort Panel, refer to step 3 of the following procedure. Page 49

50 Configuring Snort Scanner to Send SNMP Traps to SSM Procedure 1. Open Xato Snort Panel; then select the Application tab. The following screen appears: 2. In the Snort EXE field, type or browse to the location of the Snort executable file (by default, C:\snort\snort.exe). 3. In the Additional Command-Line Options field, type -v -E. (This allows the Xato Snort Panel to communicate with Snort Scanner 1.7). Page 50

51 4. In the Home Network (-h) field, type the IP address of the host machine (for example, /16). Note: The Classless Inter-Domain Routing (CIDR) format (/#) must be appended to the IP address specified in this field. 5. In the Specify Interface # (-i) field, type the interface number (for example, 1 for the first adapter, 2 for the second adapter, and so forth). This number can be verified by appending -W to the Snort run command (by default, C:\snort\snort.exe -W). 6. Make sure the Disable Promiscuous Mode (-p) checkbox is not selected. 7. Select the Logs & Alerts tab. The following screen appears: Page 51

52
8. In the Logs and Alerts Directory field, type or browse to the location of the Snort log folder (by default, C:\snort\logs).
9. Select the Enable Logging (no -N) checkbox; then select any of the following checkboxes:
   Include Arp Packets (-a)
   Include 2nd Layer Heading Info (-e)
   Include Application Layer (-d)
   Save Logs in Tcpdump Format (-b)
   Note: These options are not mandatory, but are recommended for processing log events.
10. Select the Enable Alerts (-A) checkbox, then select the Full option for Alert Style.
11. Select the Rules tab. The following screen appears:

Page 52

53 12. Select the Enable Rules (-c) checkbox; then type or browse to the location of the customized Snort rule file (by default, C:\snort\rules\[name of rule file]). Note: You can change this rule file by clicking Edit and using the Notepad application. The rules in this rule file are a customized set made by Aprisma for use with Snort. 13. Click Apply to save these changes. Page 53

54 Verifying That Snort Scanner Sends SNMP Traps Select the Snort Control tab; then click Start Snort. Snort begins sending SNMP traps to SSM. Page 54

55 Axent Raptor Firewall In this section: Explaining What Axent Raptor Firewall Is [Page 56] Configuring Axent Raptor Firewall to Send SNMP Traps [Page 57] Verifying That Axent Raptor Firewall Sends SNMP Traps [Page 61] Page 55

56 Explaining What Axent Raptor Firewall Is Axent Raptor Firewall offers secure perimeter protection for enterprise networks. Raptor Firewall employs application level proxies to validate information at all levels of the protocol stack. SSM currently supports version 6.0 for Windows NT; there is no Solaris support. For more information about installing Raptor Firewall, refer to the Axent Raptor Firewall documentation. You must configure Raptor Firewall to send event data for SSM in the form of SNMP traps. This data is automatically intercepted and translated for SSM by the Raptor normalizer that you installed in the first section of this guide. Page 56

57 Configuring Axent Raptor Firewall to Send SNMP Traps 1. Open the Raptor Management Console and connect to the local host. 2. Once connected, expand the Monitoring Controls folder and select Notifications. The following list of notifications appears in the right pane of the window: Page 57

58 3. Right-click Notifications; then select New > Notification from the shortcut menu. The following dialog box appears: 4. On the General tab, select SNMP V1 from the Action drop-down list. Note: The name of the third tab in this dialog box is replaced with SNMP v1. Page 58

59 5. On the Severity tab, select the appropriate checkboxes: The appropriate responses are sent. For example, if you select Error, all error traps received are forwarded to SSM. Page 59

60 6. Click the SNMP v1 tab. The following screen appears: 7. In the Host field, type the IP address of the SSM Central Server that you want to receive the SNMP traps. Note: The default Port can remain as 162, unless you have specified a different port for SSM to receive information. 8. In the Community field, type public. 9. Click OK. Page 60

61 Verifying That Axent Raptor Firewall Sends SNMP Traps Check the right pane of the Raptor Management Console. The new notification should appear in this pane. Note: You must save the new settings to activate the new notification. The Raptor Firewall computer is now ready to send SNMP traps to SSM. Before SSM can receive SNMP traps, you must adjust SSM's configuration. For more information about configuring the SNMP rule graph to receive SNMP traps from Raptor Firewall, refer to the SPECTRUM Security Manager (SSM) 1.2 Administrator Guide ( ). Page 61
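Added example (not part of the original guide or of SSM): a notification configured as above reaches the receiver as an SNMP v1 Trap-PDU on UDP port 162, with the community string carried in clear text. The Python sketch below decodes such a datagram and checks it against the list of devices that were configured to send traps. The function names, the enterprise OID 1.3.6.1.4.1.99999, the addresses and the sample trap are constructed for illustration.

```python
# Added example: decode an SNMPv1 trap (RFC 1157) as a receiver on UDP 162 sees it.
# All names, addresses and the enterprise OID are constructed, not taken from SSM.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn BER OID content bytes into dotted notation."""
    if not value:
        raise ValueError("empty OID")
    first = min(value[0] // 40, 2)
    arcs, acc, pending = [first, value[0] - 40 * first], 0, False
    for b in value[1:]:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("OID ends inside a sub-identifier")
    return ".".join(str(a) for a in arcs)

def parse_v1_trap(datagram):
    """Decode one SNMPv1 Trap message into a dict; raise ValueError if malformed."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    tag, version, pos = read_tlv(msg, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("not SNMP version 1")
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA4:                        # [4] IMPLICIT: the v1 Trap-PDU
        raise ValueError("PDU is not a v1 trap")
    vals, p = [], 0
    # enterprise OID, agent-addr (IpAddress), generic-trap, specific-trap, time-stamp
    for expected in (0x06, 0x40, 0x02, 0x02, 0x43):
        tag, val, p = read_tlv(pdu, p)
        if tag != expected:
            raise ValueError("unexpected field tag 0x%02x" % tag)
        vals.append(val)
    if len(vals[1]) != 4:
        raise ValueError("agent-addr is not an IPv4 address")
    tag, vb_list, _ = read_tlv(pdu, p)
    if tag != 0x30:
        raise ValueError("variable-bindings is not a SEQUENCE")
    varbinds, q = [], 0
    while q < len(vb_list):
        _, vb, q = read_tlv(vb_list, q)
        _, name, r = read_tlv(vb, 0)
        vtag, value, _ = read_tlv(vb, r)
        varbinds.append((decode_oid(name), vtag, value))
    return {
        "community": community.decode("latin-1"),
        "enterprise": decode_oid(vals[0]),
        "agent_addr": ".".join(str(b) for b in vals[1]),
        "generic": int.from_bytes(vals[2], "big", signed=True),
        "specific": int.from_bytes(vals[3], "big", signed=True),
        "uptime_ticks": int.from_bytes(vals[4], "big"),
        "varbinds": varbinds,
    }

def assess_trap(datagram, udp_source, allowed_sources, expected_community):
    """Return (trap, findings). udp_source is the address recvfrom() reported."""
    trap, findings = parse_v1_trap(datagram), []
    if udp_source not in allowed_sources:
        findings.append("source %s is not a configured trap sender" % udp_source)
    if trap["agent_addr"] != udp_source:   # can also differ behind NAT or on multihomed hosts
        findings.append("agent-addr %s differs from UDP source" % trap["agent_addr"])
    if trap["community"] != expected_community:
        findings.append("unexpected community string")
    return trap, findings

def tlv(tag, value):
    """Encode one short-form BER element (enough for the constructed sample)."""
    if len(value) > 127:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(value)]) + value

ENTERPRISE = bytes.fromhex("2b06010401868d1f")   # 1.3.6.1.4.1.99999 (constructed)
SAMPLE_TRAP = tlv(0x30,                           # constructed sample datagram
    tlv(0x02, b"\x00") + tlv(0x04, b"public") +
    tlv(0xA4,
        tlv(0x06, ENTERPRISE) + tlv(0x40, bytes([192, 0, 2, 10])) +
        tlv(0x02, b"\x06") + tlv(0x02, b"\x01") +
        tlv(0x43, (12345).to_bytes(2, "big")) +
        tlv(0x30, tlv(0x30, tlv(0x06, ENTERPRISE + b"\x01") +
                            tlv(0x04, b"denied tcp")))))

if __name__ == "__main__":
    print(assess_trap(SAMPLE_TRAP, "192.0.2.10", {"192.0.2.10"}, "public"))
    print(assess_trap(SAMPLE_TRAP, "198.51.100.7", {"192.0.2.10"}, "public")[1])
```

Because the community string is the only credential in an SNMP v1 trap and it is not encrypted, the source allowlist is the check that carries weight here; the community comparison mainly catches misconfigured senders.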

62 Check Point Firewall-1 Make sure the Windows NT SNMP service is running before installing Firewall-1. If Firewall-1 is installed when the service isn't running, SNMP traps cannot be configured from Firewall-1. To ensure that SSM receives SNMP traps from Firewall-1 properly, uninstall Firewall-1; then complete the procedures in this section in sequential order to configure Firewall-1 to work with SSM. In this section: Explaining What Check Point Firewall-1 Is [Page 63] Initializing the Windows NT SNMP Service [Page 64] Configuring the Windows NT SNMP Service [Page 65] Configuring Check Point Firewall-1 [Page 66] Verifying That SSM Is Connected to Check Point Firewall-1 [Page 72] Configuring Check Point Firewall-1 to Log Events [Page 73] Page 62

63 Explaining What Check Point Firewall-1 Is

Check Point Firewall-1 is a security platform designed to protect large networks with multiple Internet access points. Firewall-1 scans all the access ports across a network and enforces a single, centralized Enterprise Security Policy. SSM currently supports Firewall-1 version 4.1 for Windows NT; there is no Solaris support. For information about installing Firewall-1, refer to the Check Point Firewall-1 documentation.

SSM has the ability to log Firewall-1 information in two different forms:
   SNMP traps
   SMTP

Page 63

64 Initializing the Windows NT SNMP Service You must initialize and configure the SNMP service on the computer that you intend to use as your firewall. This enables SSM to receive the SNMP traps from Firewall-1. Note: Complete the following procedures before installing Firewall-1; otherwise, Firewall-1 cannot send its SNMP traps to SSM. Procedure 1. Go to Start > Settings > Control Panel; then double-click Services. 2. Find SNMP in the Service list and verify that its status reads Started. 3. If the Status field is blank, this service is not started. Select it; then click Start. Page 64

65 Configuring the Windows NT SNMP Service

Once the SNMP service is installed, you must configure it to send SNMP traps to SSM.

Procedure
1. Go to Start > Settings > Control Panel; then double-click Network.
2. Select the Services tab. Find the SNMP service in the Network Services list, right-click SNMP Service and select Properties from the shortcut menu. The Microsoft SNMP Properties dialog box appears.
3. Type the Contact name and Location in the fields provided.
4. Select the Traps tab. For the Community Name, either select an option (for example, public) from the drop-down list, or type a new name. Click Add.
5. Under the Trap Destination box, click Add. Type the IP address of the SSM computer to which SNMP traps are sent; then click Add.
6. Select the Security tab; then select the Send Authentication Trap checkbox.
7. In the Accepted Community Names box, add or edit the read/write permissions for the community name specified in step 4.
8. Select the Accept SNMP Packets from Any Host option; then click OK.
9. Click Close to close the network window.

Note: You must complete the above procedure correctly before installing and configuring Firewall-1.

Page 65

66 Configuring Check Point Firewall-1 After you have configured the SNMP service, install and configure Firewall-1. The following procedure assumes you have Firewall-1 installed on your system. For information about installing Firewall-1, refer to the Check Point Firewall-1 documentation. Procedure 1. Start the Check Point Policy Editor. 2. At the Login screen, type your username, password, and the management server's IP address. 3. The Check Point Policy Editor appears: Page 66

67 4. Select Network Objects from the Manage menu. The Network Objects dialog box appears: 5. From the Existing Objects list, select the Firewall-1 computer name (for example, FIREWLL1); then click Edit. The Workstation Properties dialog box appears: Page 67

68 6. Select the SNMP tab. The following information appears: 7. Complete the contact information by either typing a location and address in the fields provided, or clicking Get to display the default information. 8. Click Set; then click OK to return to the Network Objects dialog box. Click Close. The new contact information is set. Page 68

69 Configuring Firewall-1 to Send SNMP Traps to SSM 1. Start the Check Point Policy Editor. At the Login screen, type your username, password, and the management server's IP address. 2. The Check Point Policy Editor appears: Page 69

70 3. Select Properties from the Policy menu. The Properties Setup dialog box appears: Page 70

71
4. Select the Log and Alert tab. The following information appears:
5. In the Mail Alert Command field, type:
   sendmail -s Firewall -t [IP address of the mail server] -f FIREWLL1
   This command allows the message you specify to be delivered to the mail server. This message is very important because it alerts you of any potentially harmful situations tracked by Firewall-1. The above command contains the following three variables:
   s = the subject of the message
   t = the SMTP Server IP address
   f = the computer name you specified earlier (for example, FIREWLL1)
6. In the SNMP Trap Alert Command field, type snmp_trap [IP address of the SSM Central Server].
7. Click OK and accept all other defaults. The system properties are saved.

Page 71

72 Verifying That SSM Is Connected to Check Point Firewall-1 It is good practice to verify that SSM and Check Point Firewall-1 are connected and functioning properly. Procedure 1. Open the Check Point Log Viewer. A login screen appears. 2. Type your username, password, and the name of the Management Server to which you want to connect. 3. Click OK. The Check Point Log Viewer appears. 4. Select Active from the toolbar drop-down list for a list of active connections: Page 72

73 Configuring Check Point Firewall-1 to Log Events You can configure the Check Point Firewall-1 policy to log SMTP events and SNMP traps. Procedure 1. Open the Check Point Policy Editor. 2. Select the rule that you want to edit; then right-click the Track column. 3. Select either Mail or SNMPTrap from the shortcut menu. Your selection appears in the cell, and Firewall-1 logs events accordingly. Page 73

74 Cisco Secure PIX Firewall There are three steps to configure PIX Firewall to work with SSM. Read this section and complete the procedures in sequential order. In this section: Explaining What Cisco Secure PIX Firewall Is [Page 75] Adding SSM to the PIX Firewall Server Tables [Page 76] Enabling SNMP Traps from Cisco Secure PIX Firewall [Page 77] Configuring Cisco Secure PIX Firewall to Send SNMP Traps [Page 78] Page 74

75 Explaining What Cisco Secure PIX Firewall Is Cisco Secure PIX Firewall enforces secure access between an internal network and Internet, extranet, or intranet links. PIX Firewall can track various forms of data, but SSM currently accepts only SNMP traps from it. SSM supports PIX Firewall version 5.3 for Windows NT; there is no Solaris support. For information about installing PIX Firewall, refer to the Cisco Secure PIX Firewall documentation. You must add a reverse DNS entry for SSM to the PIX Firewall host tables, so SSM can collect PIX Firewall SNMP traps. Otherwise, SSM performance suffers greatly and loses data. Page 75

76 Adding SSM to the PIX Firewall Server Tables Adding SSM to the PIX Firewall server tables allows SSM to collect SNMP traps from the device. Procedure 1. Log in to the PIX Firewall computer. 2. At the command line prompt, type configure terminal; then press Enter. This command lets you edit the current configuration of PIX Firewall. 3. At the next prompt, type snmp-server host [address of SSM computer]; then press Enter. This command adds the IP address of the SSM computer to which you want SNMP traps sent. With PIX Firewall you can specify a maximum of five SNMP listeners in a host table. The following message is generated if you try to add the SSM IP address to a full table: cannot add [IP address specified] (host table is full). 4. To see a list of all SNMP listeners, type show snmp-server. If the table is full, remove one of the IP addresses so you can add the SSM computer to the PIX Firewall host table. 5. To remove an IP address from the host table, type no snmp-server [computer name]. Repeat step 3 to add the SSM computer to the host table. Page 76

77 Enabling SNMP Traps from Cisco Secure PIX Firewall Next, if PIX Firewall is not configured to enable SNMP traps, you must configure PIX Firewall. Procedure 1. Log in to the PIX Firewall computer. 2. At the command line prompt, type configure terminal; then press Enter. This command lets you edit the current configuration of PIX Firewall. 3. At the prompt, type snmp-server enable traps. Page 77

78 Configuring Cisco Secure PIX Firewall to Send SNMP Traps Next, you must decide which levels of SNMP information to send to SSM; however, the configuration of those levels is beyond the scope of this document. For more information about configuring these levels, refer to the Cisco Secure PIX Firewall documentation. Once the PIX Firewall computer is ready to send SNMP traps to SSM, you must adjust SSM's configuration to receive them. For information about configuring the SNMP rule to receive SNMP traps from PIX Firewall, refer to the Administrator Guide ( ). Page 78

79 McAfee Dr. Solomon NetShield

To have McAfee Dr. Solomon NetShield send SNMP traps to SSM correctly, you must install the following applications on the NetShield computer in the order presented.
   Windows NT Server 4.0
   Windows NT SNMP service
   Windows NT 4.0 Service Pack 6a (High Encryption Edition)
   McAfee Dr. Solomon NetShield NT 4.5
   McAfee agent

In this section:
   What McAfee Dr. Solomon NetShield Is [Page 80]
   Installing the Windows NT SNMP Service [Page 81]
   Configuring the Windows NT SNMP Service [Page 82]
   Installing the Windows NT Service Pack 6a High Encryption Edition [Page 83]
   Installing and Configuring McAfee Dr. Solomon NetShield [Page 84]

Page 79

80 What McAfee Dr. Solomon NetShield Is McAfee Dr. Solomon NetShield provides an advanced virus detection system. NetShield sends events to NetShield's Epolicy Orchestrator, which enters them into the McAfee database. SSM uses the McAfee agent (provided on the SSM CD) to extract events from the Epolicy Orchestrator, and then converts the events to the SSM standard format using a normalizer. Currently, SSM supports version 4.03 for Windows NT; it is not supported for Solaris. For information about installing NetShield, refer to the McAfee Dr. Solomon NetShield documentation. For information about installing the McAfee agent, refer to page 40. Note: You must install the SNMP service on the NetShield computer before installing the Service Pack or NetShield. If the SNMP service is already installed, make sure the service is stopped before installing the Service Pack. Page 80

81 Installing the Windows NT SNMP Service 1. Right-click Network Neighborhood; then select Properties from the shortcut menu. 2. Select the Services tab; then click Add. 3. Select SNMP Service from the Select Network Service dialog box. 4. Click OK. 5. Insert your Windows NT 4.0 Server CD, if prompted. 6. Restart the computer. Page 81

82 Configuring the Windows NT SNMP Service

1. Right-click Network Neighborhood; then select Properties from the shortcut menu.
2. Select the Services tab.
3. Select SNMP Service from the Services list; then click Properties.
4. Select the Agent tab. Ensure that the following checkboxes are selected:
   Physical
   Applications
   Datalink/Subnetwork
   Internet
   End-to-End
5. Select the Traps tab. In the Community field, type public.
6. In the Destination section, click Add.
7. In the dialog box that appears, type the IP address of the SSM computer that you want to receive NetShield SNMP traps.
8. Select the Security tab. Ensure that the public community has both read and write permissions enabled, and that the Accept SNMP Packets from any host option is selected.
9. Click OK to save your changes.
10. Click OK to close the Network Properties window.
11. Restart your computer.

Page 82

83 Installing the Windows NT Service Pack 6a High Encryption Edition Do not install the Service Pack until the SNMP service is installed on the computer. If you already have the Service Pack installed, you must reinstall it after installing and configuring the SNMP service. You can download the Service Pack from the following Web site: Page 83

84 Installing and Configuring McAfee Dr. Solomon NetShield Ensure that the SNMP service has been initialized. For instructions on initializing the SNMP service, go to page 64. Procedure 1. Install NetShield. Make sure the Windows NT Server Edition is installed; this version includes the Alert Manager utility. 2. Once NetShield is installed, start the Alert Manager utility. 3. On the SNMP tab, click Test. A dialog box opens, confirming that you have sent a test message. The message is sent to SSM. You are now ready to install the McAfee agent. For information about installing the McAfee agent, go to page 40. Once you have installed the McAfee agent, you can begin sending SNMP traps from NetShield to SSM. However, SSM must be configured before it can receive any NetShield SNMP traps. For more information about configuring SSM for NetShield, refer to the SPECTRUM Security Manager (SSM) 1.2 Administrator Guide ( ). Page 84

85 Internet Security Systems (ISS) RealSecure To communicate with SSM, you must configure RealSecure to send events (such as SNMP traps and SMTP s) to the SSM Central Server. Read this section and complete the procedures in sequential order: Note: Once the procedures are complete, make sure RealSecure saved the policy properly. In this section: Explaining What Internet Security Systems (ISS) RealSecure Is [Page 86] Configuring ISS RealSecure to Log Events to SSM [Page 87] Configuring ISS RealSecure to Send SMTP Events to SSM [Page 89] Configuring ISS RealSecure to Send SNMP Traps to SSM [Page 91] Page 85

86 Explaining What Internet Security Systems (ISS) RealSecure Is Internet Security Systems (ISS) RealSecure is an automated, real-time, intrusion detection and response system. RealSecure sensor modules monitor an enterprise network from a variety of points. These modules monitor a range of items and activities, including raw traffic flow on key network segments, log files of critical servers, and kernel-level auditing. RealSecure searches for patterns that could indicate an attack and can respond automatically to stop the attack and prevent damage or loss. SSM currently supports RealSecure version 5 for Windows NT; it is not supported in Solaris. For information about installing RealSecure, refer to the Internet Security Systems RealSecure documentation. Page 86

87 Configuring ISS RealSecure to Log Events to SSM RealSecure cannot send SMTP events or SNMP traps to SSM until you provide it with the SSM IP address and other connection information. Procedure 1. Start the RealSecure application. The RealSecure window opens. 2. In the Sensor window, right-click the localhost sensor and select Responses from the shortcut menu. The Sensor Responses dialog box appears. 3. Click the localhost sensor to expand it. 4. If you want to send SMTP events to SSM, select from the localhost list. The tab appears: 5. Type the IP address of the SSM Central Server in the Gateway field. 6. Type the SSM account (preferably your Windows NT username) that is to be monitored in the Account field. Page 87

88 7. If you want to send SNMP traps to SSM, select SNMP from the localhost list. The SNMP tab appears: 8. Type the IP address of the SSM Central Server in the Manager field. 9. Type the name of the community (for example, public) in the Community field. 10. Click OK to apply these changes to the localhost sensor. Page 88

89 Configuring ISS RealSecure to Send SMTP Events to SSM Once you have configured RealSecure with the SSM Central Server IP address (and other relevant connection information), you can edit your RealSecure policy to send specific SMTP events to SSM. Procedure 1. Start the RealSecure application. The RealSecure window opens. 2. In the Sensor window, right-click the localhost sensor; then select Properties from the shortcut menu. The Network Sensor Properties dialog box appears: 3. Select the policy you want to edit; then click Customize. The Policy Editor window appears. Page 89

90 4. On the Security Events tab, expand the Security Events folder to list all of the available event types. The following list appears: 5. Select the SMTP event type so RealSecure sends SMTP events to SSM. 6. In the right-hand pane, select the Enabled checkbox of each specific SMTP event that you want SSM to receive. 7. Click on the corresponding field under the Response column for each event you enabled. Selecting the checkbox under Response Type forms an event for SSM. 8. Click Save. 9. In the Sensor window, right-click the localhost sensor; then select Properties from the shortcut menu. The Network Sensor Properties dialog box appears. 10. Select the policy you modified; then click Apply to Sensor. The policy is enforced within the system. RealSecure sends the information to the SSM Central Server using SMTP events when an attempted intrusion is detected. Page 90

91 Configuring ISS RealSecure to Send SNMP Traps to SSM Once you have configured RealSecure with the SSM Central Server IP address (and other relevant connection information), you can edit your RealSecure policy to send specific SNMP traps to SSM. Procedure 1. Start the RealSecure application. The RealSecure window opens. 2. In the Sensor window, right-click the localhost sensor; then select Properties from the shortcut menu. The Network Sensor Properties dialog box appears: 3. Select the policy you want to edit; then click Customize. The Policy Editor window appears. Page 91

92 4. On the Security Events tab, expand the Security Events folder to list all of the available event types. The following list appears: 5. Select the SNMP event type so RealSecure sends SNMP traps to SSM. 6. In the right-hand pane, select the Enabled checkbox of each specific SNMP trap that you want SSM to receive. 7. Click on the corresponding field under the Response column for each event you enabled. Selecting the SNMP checkbox under Response Type forms an SNMP trap for SSM. 8. Click Save. 9. In the Sensor window, right-click the localhost sensor; then select Properties from the shortcut menu. The Network Sensor Properties dialog box appears. 10. Select the policy you modified; then click Apply to Sensor. The policy is enforced within the system. RealSecure sends the information to the SSM Central Server using SNMP traps when an attempted intrusion is detected. Page 92

93 PENS Dragon System To communicate with SSM, you must configure Dragon Sensor and Dragon Squire to send SNMP traps to the SSM Central Server. To enable this functionality, read this section and complete the procedures in sequential order. In this section: Explaining What PENS Dragon System Is [Page 94] Initializing the PENS Dragon System [Page 95] Verifying That the PENS Dragon System Is Initialized [Page 96] Configuring the PENS Dragon System to Send SNMP Traps to SSM [Page 97] Page 93

94 Explaining What PENS Dragon System Is

PENS Dragon System is a UNIX-based intrusion detection system. This system includes three interconnected products.

   Dragon Sensor: A network IDS that monitors network packets for evidence of abuse and can receive security information from routers and firewalls through SNMP traps.
   Dragon Squire: A host-based IDS that monitors key system files for evidence of abuse and can receive security information from routers and firewalls through SNMP traps.
   Dragon Server: A server that manages data from both IDSs and provides real time, forensic, Web-based interfaces for event analysis.

For information about installing Dragon, refer to the PENS Dragon System documentation. Currently, SSM supports PENS Dragon System version 4.2 for Solaris; it is not supported for Windows NT.

Page 94

95 Initializing the PENS Dragon System

You must initialize each product within the system separately. To initialize Dragon, type the following commands on the command line.

Procedure
1. Dragon Sensor:
   # cd /usr/dragon
   # ./dragon
   # ./driderc
2. Dragon Squire:
   # cd /usr/dsquire
   # ./dsquire
   # ./driderc
3. Dragon Server:
   # cd /usr/drider
   # ./driders

Page 95

96 Verifying That the PENS Dragon System Is Initialized 1. Open your Web browser; then type the following URL path: The Dragon Server 1.4 home page appears: 2. Click Sensor Configuration in the left frame. The icon should appear in the right frame, indicating that Dragon Sensor is initialized. 3. Click Squire Configuration in the left frame. The icon should appear in the right frame, indicating that Dragon Squire is initialized. Page 96


More information

AR System Gateway. User Guide. Document Revision 03

AR System Gateway. User Guide. Document Revision 03 Notice Copyright Notice Copyright 2001 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions

More information

SPECTRUM Web Operator

SPECTRUM Web Operator Notice Copyright Notice Copyright 2002 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions

More information

Arris Cadant C4 CMTS. Management Module Guide. Document 5140

Arris Cadant C4 CMTS. Management Module Guide. Document 5140 Notice Copyright Notice Copyright 2003 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions

More information

Titlepage. Agent Simulator. Document Device Management

Titlepage. Agent Simulator. Document Device Management Titlepage Agent Simulator Document 9035034-02 Device Management Copyright Notice Document 9035034-02. Copyright August 2002 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use,

More information

SEHI Supports Management Module SM-CSI1020

SEHI Supports Management Module SM-CSI1020 SEHI Titlepage Supports Management Module SM-CSI1020 Device Management Copyright Notice Document 1012. Copyright 2003 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication,

More information

AR System Gateway. User Guide. Document 0708

AR System Gateway. User Guide. Document 0708 AR System Gateway User Guide Document 0708 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the

More information

Modeling with the GnSNMPDev Toolkit. Document 1316

Modeling with the GnSNMPDev Toolkit. Document 1316 Modeling with the GnSNMPDev Toolkit Notice Copyright Notice Copyright 2002 - present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United

More information

Titlepage. Annotation Toolbox. Document Device Management

Titlepage. Annotation Toolbox. Document Device Management Titlepage Annotation Toolbox Document 9032520-02 Device Management Copyright Notice Document 9032520-02. Copyright September 2001 Aprisma Management Technologies, Inc., 121 Technology Drive, Durham, NH

More information

SPECTRUM Security Manager 3.3

SPECTRUM Security Manager 3.3 Titlepage SPECTRUM Security Manager 3.3 Installation Guide for Windows Document 5102 Security Management Copyright Notice Document 5102. Copyright 2002 - present by Aprisma Management Technologies, Inc.

More information

Non-Persistent Connections Manager User Guide

Non-Persistent Connections Manager User Guide Titlepage Non-Persistent Connections Manager User Guide Document 2246-04 Network Management Copyright Notice Document 9032246-04. Copyright July 2002 by Aprisma Management Technologies, Inc. All rights

More information

Cayman II Router Device

Cayman II Router Device Cayman II Router Device Titlepage Supports Management Module SM-CAY1001 Device Management Copyright Notice Document 9031023-02. Copyright September 2001 by Aprisma Management Technologies, Inc. All rights

More information

VPN Manager. User Guide. Document 5150

VPN Manager. User Guide. Document 5150 Notice Copyright Notice Copyright 2003 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions

More information

Cisco Device Management

Cisco Device Management Notice Copyright Notice Copyright 2004-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

Non-Persistent Connections Manager

Non-Persistent Connections Manager Notice Copyright Notice Copyright 2002 - present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

Ceterus Universal Transport System

Ceterus Universal Transport System Ceterus Universal Transport System Notice Copyright Notice Copyright 2004 - present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United

More information

Cisco Device Management

Cisco Device Management Cisco Device Management User Guide Document 0809 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by

More information

Multicast Manager. User Guide. Document 5132

Multicast Manager. User Guide. Document 5132 Notice Copyright Notice Copyright 2003-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

RingView for Token Ring User Guide

RingView for Token Ring User Guide Titlepage RingView for Token Ring User Guide Document 2585 Network Management Copyright Notice Document 2585. Copyright March 2002 by Aprisma Management Technologies, Inc. All rights reserved worldwide.

More information

Redback SMS 500/1800/10000

Redback SMS 500/1800/10000 Redback SMS 500/1800/10000 Titlepage Supports Management Module SM-RDB1000 Device Management Copyright Notice Document 9035031-02. Copyright June 2002 by Aprisma Management Technologies, Inc. All rights

More information

VPN Manager. User Guide. Document 5150

VPN Manager. User Guide. Document 5150 Notice Copyright Notice Copyright 2003-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

SPECTRUM Data Export (SDE) User s Guide

SPECTRUM Data Export (SDE) User s Guide Titlepage SPECTRUM Data Export (SDE) User s Guide Document 0971 SPECTRUM Management Copyright Notice Document 0971. Copyright 2001 - present Aprisma Management Technologies, Inc., 273 Corporate Drive,

More information

AutoDiscovery. User Guide. Document 0727

AutoDiscovery. User Guide. Document 0727 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

SPECTRUM PATROL Integration

SPECTRUM PATROL Integration SPECTRUM PATROL Integration Administrator Guide Document 5170 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or

More information

RingView for FDDI User s Guide

RingView for FDDI User s Guide Titlepage RingView for FDDI User s Guide Document 9031532-05 Device Management Copyright Notice Document 9031532-05. Copyright November 2001 by Aprisma Management Technologies, Inc. All rights reserved

More information

Network Configuration Utilities

Network Configuration Utilities Titlepage Network Configuration Utilities Document 9033401-05 SPECTRUM Management Copyright Notice Document 9033401-05. Copyright May 2002 Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth,

More information

SPECTRUM Icons. Reference Guide. Document 2518

SPECTRUM Icons. Reference Guide. Document 2518 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

OneClick Console. User Guide. Document 5130

OneClick Console. User Guide. Document 5130 OneClick Console User Guide Document 5130 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United

More information

SPECTRUM SNMPv3. User Guide. Document 5124

SPECTRUM SNMPv3. User Guide. Document 5124 Notice Copyright Notice Copyright 2002 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions

More information

View API Reference Guide

View API Reference Guide Titlepage View API Reference Guide Document 9030491-02 Customization Copyright Notice Document 9030491-02. Copyright November 2001 by Aprisma Management Technologies, Inc. All rights reserved worldwide.

More information

Network Configuration Utilities

Network Configuration Utilities Titlepage Network Configuration Utilities Document 9033401-04 SPECTRUM Management Copyright Notice Document 9033401-04. Copyright September 2001 Aprisma Management Technologies, Inc., 121 Technology Drive,

More information

iagent User Guide Document 5159

iagent User Guide Document 5159 Notice Copyright Notice Copyright 2004-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

SPECTRUM Configuration Manager

SPECTRUM Configuration Manager SPECTRUM Configuration Manager Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States

More information

Lucent Definity Supports Management Module SM-LUC1001

Lucent Definity Supports Management Module SM-LUC1001 Lucent Definity Titlepage Supports Management Module SM-LUC1001 Device Management Copyright Notice Document 3608. Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide.

More information

SPECTRUM Configuration Manager

SPECTRUM Configuration Manager SPECTRUM Configuration Manager Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States

More information

Titlepage. SPECTRUM Icons. Document SPECTRUM Operation

Titlepage. SPECTRUM Icons. Document SPECTRUM Operation Titlepage SPECTRUM Icons Document 9032518-03 SPECTRUM Operation Copyright Notice Document 9032518-03. Copyright November 2001 Aprisma Management Technologies, Inc., 121 Technology Drive, Durham, NH 03824

More information

Cisco Aironet Family

Cisco Aironet Family Cisco Aironet Family Titlepage Supports Management Module SM-CIS1016 Device Management Copyright Notice Document 5089. Copyright 2003-present by Aprisma Management Technologies, Inc. All rights reserved

More information

Multi-Protocol Label Switching (MPLS) Manager

Multi-Protocol Label Switching (MPLS) Manager Multi-Protocol Label Switching (MPLS) Manager User Guide Document 5120 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication,

More information

Report Generator s User Guide

Report Generator s User Guide Titlepage Report Generator s User Guide Document 9030881-08 SPECTRUM Management Copyright Notice Document 9030881-08. Copyright May 2002 Aprisma Management Technologies, Inc., 121 Technology Drive, Durham,

More information

Report Generator User Guide

Report Generator User Guide Titlepage Report Generator User Guide Document 0881 SPECTRUM Management Copyright Notice Document 0881. Copyright 2002-present Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH

More information

AutoDiscovery User s Guide

AutoDiscovery User s Guide Titlepage AutoDiscovery User s Guide Document 0727 Network Management Copyright Notice Document 0727. Copyright 2000-present Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH 03801

More information

SEHI Supports Management Module SM-CSI1020

SEHI Supports Management Module SM-CSI1020 SEHI Titlepage Supports Management Module SM-CSI1020 Device Management Copyright Notice Document 9031012-03. Copyright September 2001 by Aprisma Management Technologies, Inc. All rights reserved worldwide.

More information

TL1 Gateway User Guide

TL1 Gateway User Guide Titlepage TL1 Gateway User Guide Document 9035087-01 Applications & Gateways Copyright Notice Document 9035087-01. Copyright January 2002 Aprisma Management Technologies, Inc., 121 Technology Drive, Durham,

More information

Cheetah Gateway Integration. Net Mentor

Cheetah Gateway Integration. Net Mentor SPECTRUM Enterprise Manager Device Management Titlepae Cheetah Gateway Integration Net Mentor Supports Management Module SM-CHT1000 Notice Aprisma Management Technologies, Inc. (Aprisma), reserves the

More information

Getting Started with SPECTRUM s Cable Broadband Solution

Getting Started with SPECTRUM s Cable Broadband Solution Titlepage Getting Started with SPECTRUM s Cable Broadband Solution Document 9035098 Device Management Copyright Notice Document 9035098. Copyright April 2002 by Aprisma Management Technologies, Inc. All

More information

Cisco Service Level Agreement Manager

Cisco Service Level Agreement Manager SPECTRUM Enterprise Manager Device Management Titlepae Cisco Service Level Agreement Manager Supports Management Module SM-CIS1013 Notice Aprisma Management Technologies, Inc. (Aprisma), reserves the right

More information

Modeling Gateway. Toolkit Guide. Document 5069

Modeling Gateway. Toolkit Guide. Document 5069 Notice Copyright Notice Copyright 2002-Present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

Security and User Maintenance

Security and User Maintenance Titlepage Security and User Maintenance Document 2602 SPECTRUM Management Copyright Notice Document 2602. Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide.

More information

Cisco Secure PIX Firewall Supports Management Module SM-CIS1011

Cisco Secure PIX Firewall Supports Management Module SM-CIS1011 Cisco Secure PIX Firewall Titlepae Supports Management Module SM-CIS1011 Device Management Copyright Notice Document 9035022-02. Copyright October 2001 Aprisma Management Technologies, Inc., 121 Technology

More information

Modeling Your IT Infrastructure

Modeling Your IT Infrastructure Modeling Your IT Infrastructure Administrator Guide Document 5167 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication,

More information

Enterprise Configuration Manager

Enterprise Configuration Manager Titlepage Enterprise Configuration Manager Document 9030944-04 SPECTRUM Management Copyright Notice Document 9030944-04. Copyright November 2001 by Aprisma Management Technologies, Inc. All rights reserved

More information

SPECTRUM Control Panel

SPECTRUM Control Panel SPECTRUM Control Panel User Guide Document 5029 Notice This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as the "Product")

More information

RMON/RMON2 Supports Management Module SM-CSI1014

RMON/RMON2 Supports Management Module SM-CSI1014 Titlepage RMON/RMON2 Supports Management Module SM-CSI1014 Device Management Copyright Notice Document 1280. Copyright 2003 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use,

More information

Cisco Content Service Switches Supports Management Module SM-CIS1009

Cisco Content Service Switches Supports Management Module SM-CIS1009 Cisco Content Service Switches Titlepae Supports Management Module SM-CIS1009 Device Management Copyright Notice Document 9033606-01. Copyright September 2001 Aprisma Management Technologies, Inc., 121

More information

ForeRunner ATM Switch Modules

ForeRunner ATM Switch Modules ForeRunner ATM Switch Modules Titlepage Supports Management Module SM-FOR1000 Device Management Copyright Notice Document 1342. Copyright 2002-present by Aprisma Management Technologies, Inc. All rights

More information

Cisco VPDN Application

Cisco VPDN Application SPECTRUM Enterprise Manager Device Management Titlepae Cisco VPDN Application Supports Management Module SM-CISAPP Notice Aprisma Management Technologies, Inc. (Aprisma), reserves the right to make changes

More information

Frame Relay Manager User s Guide

Frame Relay Manager User s Guide Titlepage Frame Relay Manager User s Guide Document 2102 Device Management Copyright Notice Document 2102. Copyright 2002 - present by Aprisma Management Technologies, Inc. All rights reserved worldwide.

More information

Broadband Service Containers

Broadband Service Containers SPECTRUM Enterprise Manager Device Management Titlepae Broadband Service Containers Supports Management Module SM-BSC1000 Notice Aprisma Management Technologies, Inc. (Aprisma), reserves the right to make

More information

Microsoft Operations Manager

Microsoft Operations Manager Microsoft Operations Manager Integration Guide Document 5157 Notice This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to

More information

Service Performance Manager

Service Performance Manager Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

CA ehealth Integration for HP OpenView

CA ehealth Integration for HP OpenView CA ehealth Integration for HP OpenView User Guide r6.1 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational

More information

ForeRunner ATM Switch Modules

ForeRunner ATM Switch Modules ForeRunner ATM Switch Modules Titlepage Supports Management Module SM-FOR1000 Device Management Copyright Notice Document 9031342-06. Copyright June 2002 by Aprisma Management Technologies, Inc. All rights

More information

Titlepage. Agent Simulator. SPECTRUM Enterprise Manager Device Management

Titlepage. Agent Simulator. SPECTRUM Enterprise Manager Device Management Titlepage Agent Simulator SPECTRUM Enterprise Manager Device Management Notice Aprisma Management Technologies, Inc. (Aprisma) reserves the right to make changes in specifications and other information

More information

Multi-Protocol Label Switching (MPLS) Manager

Multi-Protocol Label Switching (MPLS) Manager Multi-Protocol Label Switching (MPLS) Manager Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the

More information

Integrator Guide. Document 5068

Integrator Guide. Document 5068 Notice Copyright Notice Copyright 2002- present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

SPECTRUM Enterprise Manager. Device Management. Titlepage. Lucent Definity. Supports Management Module SM-LUC1001

SPECTRUM Enterprise Manager. Device Management. Titlepage. Lucent Definity. Supports Management Module SM-LUC1001 SPECTRUM Enterprise Manager Device Management Titlepage Lucent Definity Supports Management Module SM-LUC1001 Notice Aprisma Management Technologies, Inc. (Aprisma), reserves the right to make changes

More information

Cisco Secure PIX Firewall

Cisco Secure PIX Firewall SPECTRUM Enterprise Manager Device Management Titlepae Cisco Secure PIX Firewall Supports Management Module SM-CIS1011 Notice Aprisma Management Technologies, Inc. (Aprisma), reserves the right to make

More information

Enterasys Vertical Horizon Suite

Enterasys Vertical Horizon Suite Enterasys Vertical Horizon Suite Titlepae Supports Management Module SM-ENT14 Device Management Copyright Notice Document 582. Copyright 22-present by Aprisma Management Technologies, Inc. All rights reserved

More information

Cisco Applications. Document 5127

Cisco Applications. Document 5127 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

Security and User Maintenance

Security and User Maintenance Titlepage Security and User Maintenance Document 2602 SPECTRUM Management Copyright Notice Document 2602. Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide.

More information

Firewall Enterprise epolicy Orchestrator

Firewall Enterprise epolicy Orchestrator Integration Guide McAfee Firewall Enterprise epolicy Orchestrator Extension version 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Cisco Applications. Document 5127

Cisco Applications. Document 5127 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

Integrate Check Point Firewall. EventTracker v8.x and above

Integrate Check Point Firewall. EventTracker v8.x and above EventTracker v8.x and above Publication Date: March 23, 2017 Abstract This guide helps you in configuring Check Point and EventTracker to receive Check Point events. You will find the detailed procedures

More information

Performance View User s Guide

Performance View User s Guide Titlepage Performance View User s Guide Document 3509 SPECTRUM Management Copyright Notice Document 3509. Copyright 2002 - present Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth,

More information

SPECTRUM. Control Panel User Guide (5029) r9.0.1

SPECTRUM. Control Panel User Guide (5029) r9.0.1 SPECTRUM Control Panel User Guide (5029) r9.0.1 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational purposes

More information

Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007

Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007 Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007 Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Event Log UserÕs Guide

Event Log UserÕs Guide Titlepage Event Log UserÕs Guide SPECTRUM Enterprise Manager Device Management Notice Aprisma Management Technologies, Inc. (Aprisma) reserves the right to make changes in speciþcations and other information

More information

Dell Secure Mobile Access Connect Tunnel Service User Guide

Dell Secure Mobile Access Connect Tunnel Service User Guide Dell Secure Mobile Access 11.4 Connect Tunnel Service 2016 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Copper Mountain 200/150/OnPrem2400/ DSL. Supports Management Module SM-CPM1000. Device Management

Copper Mountain 200/150/OnPrem2400/ DSL. Supports Management Module SM-CPM1000. Device Management Copper Mountain 200/150/OnPrem2400/ DSL Supports Management Module SM-CPM1000 Device Management Copyright Notice Document 5007. Copyright 2002-present Aprisma Management Technologies, Inc. All rights reserved

More information

TIE1.80InstallationGuideUK

TIE1.80InstallationGuideUK Installation Guide 112206 2006 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including photocopying,

More information

OneClick. Installation Guide. Document 5142

OneClick. Installation Guide. Document 5142 OneClick Installation Guide Document 5142 Notice This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as the "Product")

More information

Cayman II Router Device

Cayman II Router Device SPECTRUM Enterprise Manager Device Management Titlepae Cayman II Router Device Supports Management Module SM-CAY1001 Notice Aprisma Management Technologies, Inc. (Aprisma), reserves the right to make changes

More information

Authentication Services ActiveRoles Integration Pack 2.1.x. Administration Guide

Authentication Services ActiveRoles Integration Pack 2.1.x. Administration Guide Authentication Services ActiveRoles Integration Pack 2.1.x Administration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

SPECTRUM Concepts Guide. Document 0647

SPECTRUM Concepts Guide. Document 0647 Notice Copyright Notice Copyright 2002 - present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information