- Out of the box, attach a monitor and keyboard.
- Turn the IDS systems on.
- Configure them with IP address etc. for your network. You'll need to
  decide on an OrgID and HostID beforehand.
- Basically follow the prompts and you should have a working
  IDS in short order.
- Default login for IDS systems is netrangr/attack.

Once you have the systems configured and on the network you
should have one ethernet interface that is IP addressable and
one that is in promiscuous mode. This latter needs to be attached
to a network port that sees all the traffic on the network - but I'm
sure you knew that.

As for the director, I've used both it and CSPM, and while I
hate to admit it, being a Unixhead, the CSPM interface is a heckuvalot
easier to use than the director, particularly in the way that it presents
the alarms.

At any rate, once you've got everything running, the /usr/nr/etc
directory is where all the config files are, so if you really want to
do things the hard way you can go in there and mess about with the
configuration of the systems.
Basically these systems are stripped down Solaris boxes, so unless
you know Solaris, use the CSPM or director for management. Having
said that, you will have to know some Unix to update the systems, since
you have to download a binary from the Cisco web site and install usually
by becoming root and typing <filename> -I.

Of course, having said all that, you'll have to tune the IDS systems so they
don't deluge you with alarms.

Hope that helps somewhat.

PS: Fei asked about shutting the sensor down. If you just want to turn off
the sensor processes, log in as netranger or get to the /usr/nr/bin directory and
type nrstop. nrstart restarts everything and nrstatus shows what's running.

As for shutting down the entire sensor you could just do an init 5, since
the IDS is just a stripped down Solaris box.

Erik Ball wrote:

> After a costly network upgrade, the two Cisco NetRanger (IDS-4230)
> sensors have yet to be deployed - mainly due to lack of knowledge about
> them. (Suddenly, snort is seeming a lot more straightforward, simple,
> attractive, etc...compared to the Cisco gear - I keep getting
> conflicting info and I am getting confused about what really needs to be
> done to set them up). Anyway, it's been made my task and I realize that
> I am going to probably need training. Before that, I want to get more
> familiar with them and play with them on a test network.
>
> Think of it like this - I am familiar with the concept of IDS, and I
> have two sensors and I know where I ultimately want to put them.
> However, I know nothing about the Cisco product and I have no idea where
> to begin.  Any advice you can give starting from that point is most
> appreciated.  However, the more specific things I want to know relate to
> the director - does it need to be set up first?  Is the sensor any good
> without the director?  [Why doesn't Cisco just sell a director appliance
> - it says on the software that the Director needs either HP-UX or
> Solaris (two OS's that we don't use).]  What is the best thing to do in
> terms of the director and managing the IDS sensors?  Are we really going
> to need to budget a server to get the IDS in place?
>
> The sensors look like a rack mount server - complete with floppy,
> CD-ROM and expansion slots.  Do you really need to hook up anything
> other than power and ethernet?  Do you manage them like any other Cisco
> device through Telnet, or do you control them with the director?
>
> Finally, what is the means of updating these things?  Thanks a lot -
> any helpful words you can give about the Cisco IDS is appreciated.
> Erik
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go to:
> http://lists.gnac.net/mailman/listinfo/firewalls
