Table Of Contents
Getting Started
Installing the MDM
Ensuring Proper Security for the MDM Server
Configuring Firewall Protection
Generating a New Tomcat Certificate
Reusing Your Tomcat Certificate When Upgrading the MDM
Defining Users and User Groups Using Linux
Defining a TACACS+ Server for User Authentication, Authorization, and Accounting Services
Configuring User Profiles on a TACACS+ Server
Restricting User Access to Specific Devices and Zones
Managing Authorization to Specific MDM Commands
Hardening MySQL and User Accounts after Installing the MDM
Preparing to Use SFTP or SCP for Exporting MDM Files
Backing Up Data
Backing Up the Server Configuration
Backing Up and Restoring the MySQL Database
Removing Old Reports to Free Disk Space
Uninstalling the MDM
Performing the State Preserving Removal Operation
Completely Removing all MDM-Related Information
Accessing and Launching the MDM from the Client
Understanding the MDM Browser Window
Navigating the Menu Bars
Understanding Zone Status Icons
Where to Go Next
Getting Started
The Cisco DDoS MultiDevice Manager (MDM) software operates on a Red Hat Linux AS/EL server. This chapter describes how to set up your Linux server and how to install and launch the MDM. Setting up your Linux server requires a knowledge of the Linux environment because some of the setup procedures require the use of Linux commands. See the appropriate Linux manuals for additional command information.
Note
Before setting up your MDM system, review the MDM system requirements described in the Release Note for the Cisco DDoS MultiDevice Manager for software version 1.5. This release note provides system requirement information for the Linux server as well as the Guard and Detect devices. To obtain a copy of the MDM release note, go to www.cisco.com.
Note
This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.
This chapter contains the following sections:
• Installing the MDM
• Ensuring Proper Security for the MDM Server
• Preparing to Use SFTP or SCP for Exporting MDM Files
• Backing Up Data
• Removing Old Reports to Free Disk Space
• Uninstalling the MDM
• Accessing and Launching the MDM from the Client
• Understanding the MDM Browser Window
• Where to Go Next
Installing the MDM
Note
Before installing the MDM on your Linux server, verify that the server does not contain a previously installed version of the MDM. You must uninstall any existing version of the MDM before beginning the installation process (see the "Uninstalling the MDM" section).
To obtain the latest MDM RPM and install it on your Linux server, follow these steps:
Step 1
Download the latest version of the MDM RPM from the Cisco website (www.cisco.com).
Step 2
Copy the file to your Linux server.
Step 3
Enter the rpm command with the install option:
rpm -ivh MDM-M.M-X.YY.rpm
where M.M is the MDM major version number and X.YY is the MDM minor version number.
After a successful installation of the MDM software on your server, the following message displays:
Installation Complete! The Cisco Guard and Anomaly Detector Multi Device Manager (MDM) is now successfully installed on your system.
IMPORTANT: Before using the MDM for the first time, please change the default credentials (admin password, MySQL database password and tomcat keystore). Please refer to the user guide for further details.
For information on the security measures that you should have in place to protect your MDM server, see the "Ensuring Proper Security for the MDM Server" section.
Ensuring Proper Security for the MDM Server
This section describes how to provide security on the MDM server.
Caution 
The MDM relies on the Linux security measures that you put in place for protection of the server. To protect your MDM network, you must have tight security measures on the host server.
This section contains the following topics:
• Configuring Firewall Protection
• Generating a New Tomcat Certificate
• Reusing Your Tomcat Certificate When Upgrading the MDM
• Defining Users and User Groups Using Linux
• Defining a TACACS+ Server for User Authentication, Authorization, and Accounting Services
• Configuring User Profiles on a TACACS+ Server
• Hardening MySQL and User Accounts after Installing the MDM
Configuring Firewall Protection
When configuring the server firewall, note that the MDM relies on the following connections:
• Incoming connections:
– 443/TCP for HTTPS requests
– SSH (22/TCP) for conducting a key exchange with the network Detectors and Guards
– Syslog (514/UDP) for receiving syslog events from the network Detectors and Guards
• Outgoing connections:
– Device remote agent (RA) (1334/TCP)
– Network Time Protocol (NTP) (if installed)
– Terminal Access Controller Access Control System (TACACS) (if configured)
Generating a New Tomcat Certificate
The MDM installs a default Tomcat server certificate and corresponding public and private key pair during the software installation. After you install the MDM, generate a new self-signed certificate and corresponding key pair to enable the MDM server to authenticate itself with your site-specific certificate.
The following procedure describes how to use the keytool certificate and key utility to perform the following tasks:
• Define the distinguished name parameters of the new certificate
• Generate a new self-signed certificate and corresponding key pair
• Create a new keystore file for storing the new certificate and key pair
This procedure also describes how to modify the files that enable the MDM to use your new certificate.
To generate a new self-signed certificate and key pair on your MDM server, follow these steps:
Step 1
(Optional) Change to the /Riverhead/usr/local/jakarta-tomcat-4.1.31/ssl_key directory. You will place your new keystore file in this directory.
Step 2
Enter the following command to initiate the certificate and key generation process, create a new keystore, and define the distinguished name parameters:
/Riverhead/usr/local/j2sdk1.4.2_01/jre/bin/keytool -genkey -alias tomcat -keystore path/keystore_name -storepass store_password -keypass key_password -validity 3000 -dname "CN=common_name, OU=organizational_unit, O=organization_name, L=location, S=state, C=country"
The keytool keywords and arguments are as follows:
• -genkey—Certificate and key generating flag.
• -alias tomcat—Alias for the keystore file.
• -keystore path/keystore_name—Location and name of your new keystore file.
• -storepass store_password—Password that protects the integrity of the keystore (must be at least six characters).
• -keypass key_password—Password that protects the private key of the generated key pair (must be at least six characters).
• -validity 3000—Number of hours that the certificate is valid.
• -dname "CN=common_name, OU=organizational_unit, O=organization_name, L=location, S=state, C=country"—Distinguished name command option. If you do not use this option, you are prompted for the distinguished name parameters. The keywords and arguments are as follows:
– CN=common_name—Name of the person assigned to the certificate
– OU=organizational_unit—Name of the unit within the organization
– O=organization_name—Name of the organization
– L=location—Location (city) of the organization
– S=state—State (or province) where the organization is located
– C=country—Country where the organization is located
Make sure that the distinguished name parameters are set to values that a user who accesses the MDM expects to see displayed.
Step 3
Copy your new keystore file to the /Riverhead/usr/local/jakarta-tomcat-4.1.31/ssl_key/ folder.
Step 4
Open the /Riverhead/usr/local/jakarta-tomcat-4.1.31/conf/server.xml file for editing.
Step 5
In the line Factory className="org.apache.catalina.net.SSLServerSocketFactory", change the keystore name in 'keystoreFile="ssl_key/keystore"' to the name of your new keystore.
Step 6
Change the password defined by the keypass to the password that you defined in Step 2.
Step 7
Enter the /Riverhead/bin/scripts/wbmInit restart command to restart Tomcat.
Step 8
Log in to the MDM application and view the certificate information to verify that the certificate contains your information. Use one of the following methods to view the certificate information:
• Click View Certificates from the Security Alert window that appears while the MDM is launching.
• After the MDM has finished loading, double-click the padlock icon (located at the bottom of the window).
Reusing Your Tomcat Certificate When Upgrading the MDM
When you upgrade the MDM, your current certificate and corresponding key pair are overwritten with the default MDM certificate and key pair. The following procedure describes how to save your current certificate and key pair files and then reinstall them after you upgrade the MDM.
To reuse your certificate and key pair, follow these steps:
Step 1
Copy the following files to a location (such as a remote server) where they will not be overwritten during the upgrade process:
• /Riverhead/usr/local/jakarta-tomcat-4.1.31/ssl_key/keystore_name, where keystore_name represents the name of the keystore file containing the certificate and key pair files you want to reuse
• /Riverhead/usr/local/jakarta-tomcat-4.1.31/conf/server.xml
Step 2
Upgrade the MDM software.
Step 3
Copy your keystore file to the /Riverhead/usr/local/jakarta-tomcat-4.1.31/ssl_key/ folder.
Step 4
Open the /Riverhead/usr/local/jakarta-tomcat-4.1.31/conf/server.xml file for editing.
Step 5
In the line Factory className="org.apache.catalina.net.SSLServerSocketFactory", change the keystore name in 'keystoreFile="ssl_key/keystore"' to the name of the keystore file you copied in Step 1.
Step 6
Enter the /Riverhead/bin/scripts/wbmInit restart command to restart Tomcat.
Step 7
Log in to the MDM application and view the certificate information to verify that the certificate contains your information. Use one of the following methods to view the certificate information:
• Click View Certificates from the Security Alert window that appears while the MDM is launching.
• After the MDM has finished loading, double-click the padlock icon (located at the bottom of the window).
Defining Users and User Groups Using Linux
The MDM relies upon your regular Linux user and user group accounts for managing access to the server. The MDM software installation process adds the following users and user groups:
• Users:
– mysql
– admin (default password is rhadmin)
• User Groups:
– mysql
– admin_users (group ID 5030)
– config_users (group ID 5020)
– dynamic_users (group ID 5010)
– show_users (group ID 5000)
MDM authentication and authorization relies on the underlying Linux user and user group permissions.
You must associate a locally defined user with one of the available user groups before that user can access the MDM. You can add local users by entering the useradd command and specifying one of the above user groups. The login shell can be /bin/false or any shell you choose.
Caution 
Do not delete the users and user groups that the MDM RPM adds during the software installation process. The MDM requires these items to operate.
Defining a TACACS+ Server for User Authentication, Authorization, and Accounting Services
In addition to using Linux user and user group accounts for managing access (see the "Defining Users and User Groups Using Linux" section), you can use a TACACS+ server to perform user authentication, authorization, and accounting (AAA) services to control and monitor user access to the MDM server and MDM operations.
When you use a TACACS+ server to provide AAA services and a user logs on, they are granted the show privilege level and can receive additional privileges by using the Enable function of the MDM. For information on using the Enable function, see the "Understanding the MDM Browser Window" section.
Note
When you enable authorization and accounting in the MDM, the following performance issues occur:
• The amount of traffic between the MDM and the TACACS+ server increases significantly.
• MDM response time slows down when there are a high number of concurrent users and defined zones.
To define a TACACS+ server on the MDM, you need to edit the /Riverhead/conf/tacacs.conf file. To assist you in editing this file, the MDM installation includes the template file, /Riverhead/conf/tacacs.conf.template, which contains configuration information related to authentication, authorization, and accounting services.
To use the template file, open the file, make the required edits, and then save the file as tacacs.conf in the /Riverhead/conf/ directory. When editing the contents of this file, be sure to include a space as the delimiter between the keyword and the associated value.
The following configuration example shows the series of TACACS keywords in the tacacs.conf.template file:
Table 2-1 lists the supported TACACS keywords and keyword values.
Table 2-1 Keywords for Adding Users to TACACS
Keyword | Value
HOST | IP address of the TACACS server.
KEY | Key (shared secret) for the TACACS server.
TIMEOUT | Timeout value in seconds.
FIRSTHIT | First hit operation setting: 0—Disable; 1—Enable
LOGINAUTH | Login authentication: 0—Local, TACACS (fallback); 1—Local; 2—TACACS; 3—TACACS, Local (fallback)
ENABAUTH | Enable authentication. These values are the same as LOGINAUTH.
AUTHORIZE | Levels for TACACS authorization: 0—show; 10—dynamic; 20—config; 30—admin
LAUTHORIZE | Levels for local authorization (may be used for fallback). These values are the same as AUTHORIZE.
ACCOUNT | Level for TACACS accounting. These values are the same as AUTHORIZE.
EXEC | TACACS login EXEC authorization: 0—No EXEC authorization; 1—Do EXEC authorization
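A hand-edited tacacs.conf is only checked when the MDM reads it, so the following added validator (not part of the MDM software) parses a file in the keyword-space-value format described above and checks each value against Table 2-1, flagging the misconfiguration that matters most for security: a LOGINAUTH of 1, which never consults the TACACS+ server. The sample files and the treatment of blank and `#` lines are constructed assumptions.

```python
"""Validator for the MDM /Riverhead/conf/tacacs.conf format (Table 2-1).

Added example, not part of the MDM software. Assumptions: one "KEYWORD value"
pair per line with a single space as the delimiter (as the text requires),
blank lines ignored, lines beginning with '#' treated as comments.
"""
import ipaddress

# Allowed values per keyword, taken from Table 2-1.
LEVELS = {"0", "10", "20", "30"}      # show, dynamic, config, admin
AUTH_MODES = {"0", "1", "2", "3"}     # local/TACACS ordering and fallback
ALLOWED = {
    "FIRSTHIT": {"0", "1"},
    "LOGINAUTH": AUTH_MODES,
    "ENABAUTH": AUTH_MODES,
    "AUTHORIZE": LEVELS,
    "LAUTHORIZE": LEVELS,
    "ACCOUNT": LEVELS,
    "EXEC": {"0", "1"},
}
FREE_FORM = {"HOST", "KEY", "TIMEOUT"}   # validated individually below
REQUIRED = ("HOST", "KEY")


def parse_tacacs_conf(text):
    """Return ({keyword: value}, [errors]) for the text of a tacacs.conf."""
    conf, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if " " not in line:   # the keyword/value delimiter must be a space
            errors.append(f"line {lineno}: missing space delimiter: {raw!r}")
            continue
        keyword, value = line.split(" ", 1)
        if keyword in conf:
            errors.append(f"line {lineno}: duplicate keyword {keyword}")
        conf[keyword] = value.strip()
    return conf, errors


def check_tacacs_conf(text):
    """Parse and validate; returns a list of findings (empty means the file is OK)."""
    conf, findings = parse_tacacs_conf(text)
    for key in REQUIRED:
        if key not in conf:
            findings.append(f"{key} is required")
    if "HOST" in conf:
        try:
            ipaddress.ip_address(conf["HOST"])
        except ValueError:
            findings.append(f"HOST is not an IP address: {conf['HOST']!r}")
    if "TIMEOUT" in conf and not conf["TIMEOUT"].isdigit():
        findings.append(f"TIMEOUT must be a number of seconds: {conf['TIMEOUT']!r}")
    for key, allowed in ALLOWED.items():
        if key in conf and conf[key] not in allowed:
            findings.append(f"{key}={conf[key]!r} is not one of {sorted(allowed)}")
    for key in conf:
        if key not in ALLOWED and key not in FREE_FORM:
            findings.append(f"unknown keyword {key}")
    # LOGINAUTH 1 is "Local" only: the TACACS+ server is never consulted for login.
    if conf.get("LOGINAUTH") == "1":
        findings.append("LOGINAUTH=1 selects local-only login; the TACACS+ server is not used")
    return findings


# Constructed sample files (not the MDM's template).
GOOD_CONF = """\
HOST 192.0.2.10
KEY example-shared-secret
TIMEOUT 5
FIRSTHIT 1
LOGINAUTH 3
ENABAUTH 3
AUTHORIZE 10
LAUTHORIZE 0
ACCOUNT 10
EXEC 1
"""

BAD_CONF = """\
HOST tacacs.example.test
KEY=wrong-delimiter
TIMEOUT five
LOGINAUTH 1
AUTHORIZE 15
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_tacacs_conf(text) or "OK")
```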
Configuring User Profiles on a TACACS+ Server
The information in this section is intended for administrators who must configure the MDM user profile information on a TACACS+ server after defining the TACACS+ servers on the MDM (see the "Defining a TACACS+ Server for User Authentication, Authorization, and Accounting Services" section).
You can configure user authorization on a TACACS+ server to restrict user access to specific zones and MDM functions.
Note
When you enable TACACS+ accounting, each recorded event is assigned a task identification (task_id) number. For MDM events, the task_id numbering sequence begins at 4000 for each user.
Note
All commands listed in this section are case sensitive.
This section contains the following topics:
• Restricting User Access to Specific Devices and Zones
• Managing Authorization to Specific MDM Commands
Restricting User Access to Specific Devices and Zones
You can restrict user access to specific Guard and Detector devices by configuring the TACACS+ server using the ShowDeviceList command and the device_name attribute, where device_name specifies the device that the user has permission to access. You can also customize the MDM portal to limit the zones that a user can view and access by using the ShowZonePortal command and the zone_name attribute, where zone_name specifies the zone that the user has permission to access.
Caution 
The following mandatory commands provide basic MDM navigation and must always be configured to permit: ShowNetworkPortal and ShowZonesList.
Note
You cannot restrict the following commands to a specific zone or device name: DeleteZone and DeleteDevices.
To view a TACACS+ configuration example that includes the commands for restricting user access, see the "Managing Authorization to Specific MDM Commands" section.
Managing Authorization to Specific MDM Commands
Every MDM menu item and function button is mapped to a command that allows you to control whether or not a user is authorized to access specific menu items or function buttons.
Table 2-2 displays the MDM commands that you can configure on a TACACS+ server to manage user access to MDM functionality.
Table 2-2 MDM Operations Supported by TACACS+
Privilege Level | Function | Command
Admin | Conflict resolution | ShowConflictResolution
Caution  The conflict resolution screen displays all of the devices and zones that you associate with the MDM. We recommend that you reserve this operation for users with super user rights only.
Config | MDM | AddDevice, ConfigDevice, DeleteDevice, ExchangeCertificate
Config | MDM-Zone | SynchronizeZone, AddDeviceToZone, DeleteDeviceFromZone, AddRemoteGuard, RemoveRemoteGuard
Config | Create/Add | CreateUserFilter, CreateBypassFilter, CreateZone, CreateZoneTemplate, AddZoneIP, AddPolicyThreshold, AddService
Config | Delete | DeleteZones, DeleteZoneIP, DeleteZoneTemplate, DeleteReports, DeleteUserFilters, DeleteBypassFilters, DeletePacketDump, DeleteSnapshot, DeletePolicyThreshold, RemoveService
Config | Accounting for export | ExportReports, SetGlobalExport, SetFtpServer
Config | Learning operations | StartProtect&Learn, StartDetect&Learn, StartPolicyConstruction, StopPolicyConstruction, StartThresholdTuning, StopThresholdTuning, AcceptPolicyConstruction, AcceptThresholdTuning, CreateSnapshot, DeleteSnapshot, RejectResults, NoLearningAccept, NoLearningReject, SavePoliciesRecommendations
Config | Accounting for config operations | ConfigExtendedFlexFilter, ConfigWormSrcIPs, ConfigPolices, ConfigPolicyTemplate, ConfigZone, ConfigLearn, ConfigPolicy, ConfigPolicyGroup, ConfigPolicyThreshold, ChangePolicyState, RecommendationAcceptForever, SaveAsZone
Dynamic | Create/Add/Delete | CreateExtendedFlexFilter, DeleteExtendedFlexFilter, CreateDynamicFilter, DeleteAllDynamicFilters, DeleteDynamicFilters, RecommendationIgnore, RecommendationAccept
Dynamic | Victim activation | protectIP, StartProtection, StopProtection, StartDetection, StopDetection, ActivateZone
Show | Change password | UserLogin, UserLogout
Show | Accounting for show | ShowNetworkPortal, ShowNetworkCounters, ShowNetworkLog, ShowDevicesList, ShowDeviceResources, ShowDevice, ShowPolicyMatrix, ShowRemoteGuards, PingDevice, ShowZoneList, ShowPolicyComparison, ShowZonePortal, ShowZoneCounters, ShowZoneLog, ShowAttacksSummary, ShowAttackReport, ShowAttackDetails, ShowZombiesAttacks, ShowDropStatistics, ShowCaptureAnalysis, ShowDynamicFilters, ShowDynamicFilterDetails, ShowPendingRecommendations, ShowSnapshotList, ShowGeneralConfiguration, ShowUserFilters, ShowBypassFilter, ShowFlexContentFilters, ShowPolicyTemplate, ShowPolicies, ShowPolicyDetails, ShowLearningParams, ShowPolicyComparison, ShowVersion
The following TACACS+ user profile example shows how to permit Customer A access to information relevant to their zones only and deny them access to global information, such as network counters and logs:
• Guard1 only
• Zones A1 and A2 only
• All MDM functions, with the following exceptions:
– Access to the network counters is denied
– Access to the network logs is denied
– Access to the device lists is restricted to Guard1
– Access to the start protection function is restricted to zones A1 and A2
default authentication = file /etc/passwd
accounting file = /var/log/tacacs.log
default authorization = permit
cmd = ShowNetworkCounters {
permit "device_name_Guard1"
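The following Python model is an added illustration of the authorization rules this section states, evaluated for the constructed Customer A profile described in the bullet list above; it is not the TACACS+ server's code and does not parse tac_plus syntax. It assumes that a restriction on a command is checked against the device_name or zone_name value the command carries, and it uses the spellings ShowDevicesList (Table 2-2) and ShowZonesList (the Caution above) where this chapter spells the names inconsistently.

```python
"""Reference model of the per-command TACACS+ authorization rules this section
describes. Added example: it is not the TACACS+ server's code and does not parse
tac_plus syntax. A profile maps an MDM command to a rule: "permit", "deny", or a
set of device_name / zone_name values the user may supply with that command.
"""

# Commands the Caution above says must always be permitted (basic navigation).
MANDATORY = {"ShowNetworkPortal", "ShowZonesList"}
# Commands the Note above says cannot be restricted to a zone or device name.
UNRESTRICTABLE = {"DeleteZone", "DeleteDevices"}
# Which attribute a restriction on a command is checked against (assumed).
DEVICE_SCOPED = {"ShowDevicesList"}
ZONE_SCOPED = {"ShowZonePortal", "StartProtection"}


def validate_profile(profile):
    """Return the ways a profile breaks the section's configuration rules."""
    problems = []
    for cmd in sorted(MANDATORY):
        if profile.get(cmd, "permit") != "permit":
            problems.append(f"{cmd} is mandatory and must be permitted")
    for cmd in sorted(UNRESTRICTABLE):
        if isinstance(profile.get(cmd), set):
            problems.append(f"{cmd} cannot be restricted to a device or zone name")
    return problems


def authorize(profile, command, device_name=None, zone_name=None, default="permit"):
    """Decide whether `command` is authorized for the user that `profile` describes.

    `default` mirrors the 'default authorization = permit' line in the fragment
    above: a command the profile does not mention falls back to it.
    """
    rule = profile.get(command, default)
    if rule == "permit":
        return True
    if rule == "deny":
        return False
    # rule is a set of permitted attribute values; check the one the command carries
    if command in DEVICE_SCOPED:
        return device_name in rule
    if command in ZONE_SCOPED:
        return zone_name in rule
    # an attribute restriction on a command that carries no attribute: fail closed
    return False


# Constructed profile for "Customer A", following the bullet list above.
CUSTOMER_A = {
    "ShowNetworkCounters": "deny",
    "ShowNetworkLog": "deny",
    "ShowDevicesList": {"Guard1"},
    "ShowZonePortal": {"A1", "A2"},
    "StartProtection": {"A1", "A2"},
}

if __name__ == "__main__":
    print(validate_profile(CUSTOMER_A))
    print(authorize(CUSTOMER_A, "ShowDevicesList", device_name="Guard1"))
    print(authorize(CUSTOMER_A, "StartProtection", zone_name="B1"))
```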
Hardening MySQL and User Accounts after Installing the MDM
For security purposes, you should run MySQL in a chroot environment. Describing how to chroot MySQL in detail is beyond the scope of this guide (see the appropriate Red Hat manuals); however, you must perform a few basic security measures after the MDM installation:
• Change the MySQL root admin account password—By default, the MySQL installation sets up a blank password for the root admin account. The admin account is the default account for the MDM. To prevent unauthorized use of this important account, assign a strong password to the root admin account after installing the MDM software. Change the admin password using the mysql client program.
• Delete all guest and anonymous users—By default, the MySQL installation creates a guest account. Because a guest account introduces an element of network vulnerability, we recommend that you delete all guest accounts. You must also delete any anonymous accounts because they create the same security risk. Delete these accounts using the mysql client program.
• Create a new user to manage the MDM back end—Use the mysql client program to create a new user to manage the MDM back-end operations. Set up a strong password for this user and grant full permissions to the user on the "Riverhead" database. After creating this special user account, perform the following steps:
1. Configure the back-end database connection properties—Update the /Riverhead/Ofek/rsc/db.properties file with the new username and password information.
2. Enter the service backendInit restart command to restart the back-end service. This action applies the new user account information that you added to the db.properties file.
Preparing to Use SFTP or SCP for Exporting MDM Files
The MDM allows you to export data files from the MDM server using the following protocols:
• File Transfer Protocol (FTP)
• SSH File Transfer Protocol (SFTP)
• Secure Copy Protocol (SCP)
There is no additional setup required if you plan to use FTP to export data files from the MDM server.
To use SFTP or SCP for exporting files, you must perform the following procedure to generate the required SSH keys on the MDM server and place a copy of the public key on the remote server.
Note
To use SFTP, you must have an SFTP client installed on your Linux server.
To export MDM files using SFTP or SCP, follow these steps:
Step 1
From the MDM server, check if the SSH key files (id_rsa and id_rsa.pub) already exist in the /root/.ssh directory.
If the files do not exist, proceed to Step 2. If the files already exist, skip to Step 4.
Step 2
Enter the ssh-keygen -t rsa command to generate the SSH keys.
Step 3
Answer the key generation prompts by using the default prompt values. The SSH key files are generated and put in the /root/.ssh directory.
Step 4
Copy the contents of the id_rsa.pub file (for example, select the text and press Ctrl-C) so that you can paste it on your remote server.
Step 5
Open the /root/.ssh/authorized_keys2 file on your remote server for editing.
Step 6
Press Ctrl-V to paste the copy of the id_rsa.pub file contents into the file and save. The MDM and remote servers are now configured to support the transfer of files using SFTP or SCP.
Step 7
(Optional) Test the secure connection by using SCP to copy a file from the MDM server to the remote server. This test will force the MDM server to prompt you for the remote server information that it needs to update the known hosts file.
Backing Up Data
To allow a full recovery from an MDM system failure, you should periodically create a backup of the server configuration information and the MDM MySQL database.
This section contains the following topics:
• Backing Up the Server Configuration
• Backing Up and Restoring the MySQL Database
Backing Up the Server Configuration
Linux servers store their configuration information and user and user group account information within the /etc/ directory. The MDM relies upon your regular Linux user and user group accounts for managing access to the server. To allow you to recover the MDM with the current server configuration, you should create a backup of the /etc/ directory.
Backing Up and Restoring the MySQL Database
The MDM uses the MySQL database for storing data. To allow you to recover the MDM with the latest database information, you should periodically create a backup of this database.
To back up the MDM MySQL database, follow these steps:
Step 1
Enter the service wbmInit stop command to stop the Web-Based Manager (WBM) services.
Step 2
Enter the service backendInit stop command to stop the MDM back-end services.
Step 3
Enter the service rhmysql stop command to stop the MySQL database server.
Step 4
Enter the cp -R /Riverhead/usr/local/mysql /backup_path command to create a copy of your database files. backup_path represents the destination path (such as a remote server) for the database backup.
Step 5
Enter the service rhmysql start command to restart the MySQL database server.
Step 6
Enter the service backendInit start command to restart the MDM back-end services.
Step 7
Enter the service wbmInit start command to restart the WBM services.
To restore your MySQL database on the MDM server, follow these steps:
Step 1
Enter the service wbmInit stop command to stop the WBM services.
Step 2
Enter the service backendInit stop command to stop the MDM back-end services.
Step 3
Enter the service rhmysql stop command to stop the MySQL database server.
Step 4
Enter the cp -R /backup_path /Riverhead/usr/local/mysql command to copy your database files onto the server. backup_path represents the source path of the database backup.
Step 5
Enter the service rhmysql start command to restart the MySQL database server.
Step 6
Enter the service backendInit start command to restart the MDM back-end services.
Step 7
Enter the service wbmInit start command to restart the WBM services.
Removing Old Reports to Free Disk Space
The MDM stores aggregated reports on its hard disk. The report files can be large and can consume a large amount of server disk space. To avoid running out of disk space, you should periodically remove the older files that are no longer needed. If you feel that these files might be useful for future reference, save them to a remote server by using the export report function before removing them from the MDM server (see the "Exporting Zone Attack Reports" section in Chapter 11, "Monitoring Zone and Device Operations").
The report files are located in the /Riverhead/logs/reports/generated directory. Each zone has its own subdirectory within this directory.
Uninstalling the MDM
This section describes two options for uninstalling the MDM software from your Linux server:
• State preserving removal—This procedure does not erase the MDM database, users, user groups, or the encryption keys. Because these items are not erased, you can reinstall the software to recover the MDM to the state it was in before uninstalling the software.
• Complete removal—This procedure, which erases all MDM-related information from the server, consists of performing the state preserving removal operation and manually deleting the remaining MDM data.
This section contains the following topics:
• Performing the State Preserving Removal Operation
• Completely Removing all MDM-Related Information
Performing the State Preserving Removal Operation
To perform the state preserving removal operation, enter the rpm -e MDM-M.M-X.YY command to execute rpm with the uninstall option, where M.M is the major version number of the MDM installed on your Linux server and X.YY is the minor version number.
If you need to retrieve the installed MDM version number, enter the rpm -qa | grep -i mdm command.
Figure 2-1 contains an example of the state preserving removal operation.
Figure 2-1 State Preserving Removal Operation
Completely Removing all MDM-Related Information
To remove all of the MDM-related information from the server, follow these steps:
Step 1
Perform the state preserving removal operation by entering the rpm -e MDM-M.M-X.YY command to execute rpm with the uninstall option, where M.M is the major version number of the MDM installed on your Linux server and X.YY is the minor version number.
Step 2
Manually delete the remaining data folders by entering the rm -rf /Riverhead/ command.
Step 3
Manually delete the users that you added during installation of the MDM by entering the userdel mysql; userdel admin commands.
Step 4
Manually delete the user groups added during installation of the MDM by entering the groupdel mysql; groupdel admin_users; groupdel config_users; groupdel dynamic_users; groupdel show_users commands.
Figure 2-2 contains an example that shows how to manually delete the MDM-related information from the Linux server.
Figure 2-2 Deleting MDM-Related Information from the Server
Accessing and Launching the MDM from the Client
To access and launch the MDM from the client, follow these steps:
Step 1
From the client, open the Microsoft Internet Explorer browser.
Step 2
Enter the URL for the MDM server. The MDM login screen appears.
Step 3
Enter the default username (admin) and password (rhadmin).
Step 4
Click OK. The Network Summary screen appears.
Understanding the MDM Browser Window
When you access the MDM, the MDM browser window opens and displays the Network Summary screen as shown in Figure 2-3. The MDM browser window contains a list of zones and zone summary information; however, the first time that you launch the MDM, no zone summary or zone information displays.
Figure 2-3 MDM Browser Window with Network Summary Screen
Table 2-3 describes the various areas of the MDM browser window.
Table 2-3 Areas of the MDM Browser Window
Area | Description
Menu Bar | Displays the main menu for the link that is selected in the navigation pane. The MDM displays one of the following two menu bars in this section:
• Network Summary menu—Provides access to the following global network statistical and configuration options: network operating status; diagnostic tools (traffic rate counters and event log); device and zone lists; conflict resolution tool. To view the Network Summary menu, click Network Summary in the navigation pane.
• Zone menu—Provides access to zone-specific information, configuration options, and diagnostic tools. To display the zone-specific menu, click a zone that is listed in the navigation pane.
Navigation Pane | Displays the following links:
• Network Summary Link—Link to the Network Summary screen.
• Zone Links and Status—List of links to the various configured Zone Status screens.
Click a link from the list to display the relevant status information in the work area. The selected navigation area link is highlighted with a white frame.
Navigation Path (not shown in the figure) | Located below the zone menu; displays the path to the location of the screen that is displayed in the work area. To navigate to a specific section of the path, click the desired section of the path.
Information Area | Displays information about the username and privilege level of the current user and provides the following links:
• Home—Returns you to the Network Summary screen
• Enable—Allows you to move between user privilege levels
• Logout—Closes the MDM session and opens the System Login screen
• About—Displays MDM software information, including the software version number and the software licensing agreement
Work Area | Display and work area for the information that you select.
Navigating the Menu Bars
The tables in this section provide a brief description of the options available from the Network Summary and Zone menus. The Level 1, Level 2, and Level 3 headings identify whether the menu option is available from the main menu or from a second or third level drop-down submenu.
Table 2-4 maps and describes the Network Summary menu options.
Table 2-4 Network Summary Menu Options
Level 1 | Level 2 | Level 3 | Description
Main | Network Summary | | Displays current global attack information.
Main | Device List | | Displays and manages the network devices accessible by the MDM.
Main | Protect IP | | Activates protection for an IP address when the zone name is unknown.
Diagnostics | Counters | Guards Counters | Displays aggregated network Guard counter information.
Diagnostics | Event Log | | Displays the network event log.
Diagnostics | Attack Reports | Export Definitions | Exports the attack report to a remote FTP, SFTP, or SCP server.
Diagnostics | Conflict Resolution | | Displays and manages zone configuration conflicts between the MDM and the devices.
Zones | Zones List | | Displays and manages zones.
Zones | Create Zone | | Creates a new zone.
Table 2-5 maps and describes the Zone menu options.
Table 2-5 Zone Menu Options

| Level 1 | Level 2 | Level 3 | Description |
|---|---|---|---|
| Main | Summary | | Displays the current zone operating status. |
| | Create Zone | | Creates a new zone. |
| | Save As... | | Saves a copy of an existing zone to a new zone name. |
| Diagnostics | Counters | Zone Counters | Displays aggregated zone device counter information. |
| | Event Log | | Displays the zone event log. |
| | Attack Reports | Attack Summary | Displays zone attack information. |
| | | HTTP Zombies | Displays zone HTTP zombie attack information. |
| | Drop Statistics | | Displays statistical information related to the packets dropped by the zone Guards. |
| Activation | Protect | | Activates the Protect operation on the zone Guards. |
| | Detect | | Activates the Detect operation on the zone Detectors. |
| | Deactivate | | Deactivates Detect, Protect, or both operations. Possible display states for this menu option are Deactivate, Deactivate Detection, and Deactivate Protection. |
| | Dynamic Filters | | Displays and manages the dynamic filters produced by the zone devices during an attack. |
| | Recommendations | | Displays and manages the dynamic filter recommendations produced by the zone devices during an attack while operating in interactive mode. |
| | Sync | | Initiates synchronization to update all of the zone devices with the master device zone information. |
| Learning | Construct Policies | | Activates the policy construction phase of the learning process. |
| | Tune Thresholds | | Activates the threshold tuning phase of the learning process. |
| | Deactivate | | When Tune Thresholds is activated together with Detect or Protect, this option deactivates one or both of the activated operations. |
| | Stop Learning | | Stops the currently activated phase of the learning process. |
| | Accept | | Accepts or rejects the current results of the learning process. |
| | Snapshot | | Takes a snapshot (copy) of the current results of the learning process or of the current zone configuration. |
| | Snapshot List | | Displays and manages existing snapshots. |
| Configuration (1) | General | | Displays and edits the current zone configuration. |
| | Filters | User Filters | Displays and manages the user filters. |
| | | Bypass Filters | Displays and manages the bypass filters. |
| | | Flex-Content Filters | Displays and manages the flex-content filters. |
| | Policy Templates | View | Displays and manages policy templates. |
| | | Add Service | Adds a service to a policy template. |
| | | Remove Service | Removes a service from a policy template. |
| | Policies | View | Displays and manages the zone policies. |
| | | Threshold Matrix | Summarizes the policy threshold learning results from the network, allowing you to compare the policy thresholds of the zone devices. This menu option is displayed only when the zone is configured so that each device performs the learning process and the policies are excluded from the zone configuration synchronization process. |
| | | Compare Policies | Compares the policies of two zone configurations or snapshots. |
| | | Learning Parameters | Displays and manages the zone tuned state, automatic learning parameters, and learning activation extent. |
| | Remote Guards | | Manages the remote Guard list associated with a zone Detector (Detector-only function). |

Understanding Zone Status Icons
The MDM uses icons to represent the current status of a zone. The status icons appear in the navigation pane and in the zone status bar. Table 2-6 describes the various zone status icons.
Table 2-6 Zone Status Icons

| Icon | Type | Description |
|---|---|---|
| (check mark) | Synchronization status (1) | All zone devices contain the same zone configuration information. |
| X | Synchronization status (2) | The zone devices do not all contain the same zone configuration information. |
| ! | Error | An error condition exists. Possible error conditions are: Learning under attack (one or more zone devices are performing a phase of the learning process while the zone is under attack); Lost sessions (#) (one or more sessions with the zone devices have been lost). |
| (icon not shown) | Inactive | The associated device types are inactive (neither Detect nor Protect is activated, and the devices are not learning zone traffic). |
| (icon not shown) | Learning | The associated device types are active and performing a phase of the learning process (either the policy construction phase or the threshold tuning phase). |
| (icon not shown) | Detect Active | The Detect function on the zone Detectors is active. |
| (icon not shown) | Protect Active | The Protect function on the zone Guards is active. |
| (icon not shown) | Recommendation | The zone is active, operating in interactive protect mode, and new protection recommendations are available for the zone. |

Where to Go Next
After installing the MDM on your Linux server, see Chapter 3, "Managing Devices on the MDM Network," which describes how to prepare and add your devices to the MDM database.