
Cisco Info Center for Security Monitoring

Release Notes for Cisco Info Center - Security Monitoring, 3.5

Table Of Contents

Release Notes for Cisco Info Center - Security Monitoring, 3.5

Contents

Introduction

Cisco Info Center - Security Monitoring, 3.5 Components

Cisco Info Mediator Modules

Related Products

System Requirements

Operating System Requirements

Minimum Configuration

Additional Requirements for Webtop

Additional Requirements for Virtual Operator

Recommended Configuration for Managing Large Networks

Prerequisites for Monitored Products

Cisco Info Center 3.5 Support Matrix

Supported Hardware and Software

Cisco PIX Firewall

Cisco Intrusion Detection System Hardware and Software

IOS Support

Cisco Security Agent Support

Cisco Transport Manager Support

Cisco Element Management Framework Support

Generic SNMP Support

NMS and Cisco Info Center Component Specific Considerations

CNS Notification Engine

SNMP Version

Cisco Info Center Cisco CNS Notification Engine Repeat Count Attribute

Start Cisco CNS Notification Engine Before Starting Cisco Info Center Components

Using the CNS Info Mediator with Cisco CNS Notification Engine

Using the CNS Info Mediator

Using the CNS Info Mediator with the Cisco CNS Configuration Engine

Cisco IDS Postoffice Info Mediator

Properties

Generic SNMP

Policy Manager

Virtual Operator

Webtop

Automations

Do Not Modify the Default Automations

Tools

Severity Mappings

Cisco IOS to Cisco CNS-NOTE to Cisco Info Center Severity Mappings

Installation Notes

Licensing Cisco Info Center - Security Monitoring, 3.5

Upgrade Notes

Implementing FLEXlm Licensing for the Impact Server and Related Components

Limitations and Known Problems

Policy Manager Component Is Not Supported

Impact Server Failover Limitation

Performance Notes

Caveats

Known Issues with Related Products

Related Documentation

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information


Release Notes for Cisco Info Center - Security Monitoring, 3.5


November 2003

Contents

These Release Notes contain the following sections:

"Contents"

"Introduction"

"Cisco Info Center - Security Monitoring, 3.5 Components"

"System Requirements"

"Supported Hardware and Software"

"NMS and Cisco Info Center Component Specific Considerations"

"Severity Mappings"

"Installation Notes"

"Upgrade Notes"

"Caveats"

"Limitations and Known Problems"

"Known Issues with Related Products"

"Related Documentation"

"Obtaining Documentation"

"Documentation Feedback"

"Obtaining Technical Assistance"

"Obtaining Additional Publications and Information"

For more detailed information, refer to the Cisco Info Center - Security Monitoring Administration Guide, 3.5 and also to the documentation listed in the "Related Documentation" section.

Introduction

Cisco Info Center is a Service-Level Management (SLM) system that provides a consolidated view of enterprise-wide events and status information. It collects event streams or messages from many different data sources and presents a single, consistent view of the current state of all Cisco Info Center-managed systems. It distributes the event information to the operators and administrators responsible for monitoring service levels.

Cisco Info Center - Security Monitoring, 3.5 is an enhanced version of Cisco Info Center that adds network and data security monitoring to the monitoring provided by the base release of Cisco Info Center. Cisco Info Center - Security Monitoring collects security data from a variety of security hardware devices and software applications and forwards it to the Cisco Info Server in the form of alerts that are displayed on the Cisco Info Center event list.

This information can then be:

assigned to operators

passed to Help Desk systems

logged in a database

replicated on a remote Cisco Info Center - Security Monitoring system

used to trigger automatic responses to certain events.

Cisco Info Center - Security Monitoring allows diverse management platforms, applications, and Internet protocols to be brought together to provide an administrator a single point of monitoring those platforms and applications. Cisco Info Center - Security Monitoring does not replace the management platforms. It complements them by providing specialized views of security threats, known offenders, and different categories of security events from Cisco hardware and software products.

Cisco Info Center - Security Monitoring tracks the state of events in a high performance distributed database and presents information of interest to specific users through individually configurable filters and views. Cisco Info Center - Security Monitoring automation functions can be used to perform intelligent processing on the current state of managed objects. Cisco Info Center - Security Monitoring can build upon existing management systems or applications and, therefore, uses existing management skills and minimizes deployment time.

Cisco Info Center - Security Monitoring, 3.5 Components

Cisco Info Center - Security Monitoring comprises the following main components:

Cisco Info Server—The core of the Cisco Info Center - Security Monitoring system. An active, main-memory database that stores and manages events. The Cisco Info Server consolidates, associates, and normalizes event data received from Cisco Info Mediators, Cisco Info Gateways, and monitors.

Security Policy Component. This component includes an Impact server as well as related Data Source Adapters (DSAs) and an event broker. The Impact server receives events from the Info Server, enhances them using predefined processing policies and sends enhanced security events back to the Info Server.

Cisco Info Mediators—Applications that act as data acquisition agents. In the Cisco Info Center - Security Monitoring, 3.5 environment, Cisco Info Mediators acquire security-related data from event sources such as Cisco PIX Firewalls, Cisco Intrusion Detection System (IDS) sensors and router modules, Cisco IOS Syslog processes, and a variety of SNMP-enabled devices.

Info Gateways—Software modules that allow the Cisco Info Server to read events from and write events to third party applications and forward alerts between Cisco Info Servers.

Cisco Info Admin Desktops—An integrated graphical suite of tools used by operators. These tools are the starting points for designing filters and customizing views. Cisco Info Admin Desktop information can be viewed from a UNIX/Motif front-end or a Java-driven Web browser. Event information is delivered in a format that allows operators to quickly respond.

Webtop 1.1—Webtop publishes Cisco Info Center - Security Monitoring alerts for viewing in a web browser, and enables certain users to manipulate them using an active event list launched from a web browser.

For instructions on installing the Webtop component, refer to Chapter 5 of the Cisco Info Center Installation and Configuration Guide, "Installing the Webtop Component." For detailed documentation on the Webtop product, go to the Micromuse support site at the following URL:

http://support.micromuse.com/documentation/#Webtop

Virtual Operator—A product that allows the Cisco Info Server to execute resolution scripts that mimic the actions a Network Operations Center (NOC) operator would take to resolve an alert. Scripts or applications supported by the Virtual Operator can be UNIX shell scripts, PERL scripts, or compiled programs written in C or C++.

For instructions on installing Virtual Operator, refer to Chapter 6 of the Cisco Info Center Installation and Configuration Guide, "Installing the Virtual Operator Component." For detailed documentation on the Virtual Operator product, go to the Micromuse support site at the following URL:

http://support.micromuse.com/documentation/#VO

For detailed information on the Cisco Info Center components and how they interoperate, refer to Chapter 1, "Overview," in the Cisco Info Center Installation and Configuration manual.

Cisco Info Mediator Modules

When you purchase Cisco Info Center - Security Monitoring, you purchase licenses for one or more Cisco Info Mediators. The following Cisco Info Mediators have been developed to monitor specific types of Cisco hardware and software:

Cisco RTTrapd Info Mediator—Interfaces with devices monitored by Cisco WAN Manager or the Cisco CNS Notification Engine (CNS-NOTE) product to monitor events from Cisco wide-area switches and/or Syslog events from Cisco IOS devices.

Cisco PIX Firewall Info Mediator—An Info Mediator that monitors Cisco PIX firewalls for security events.

Cisco IDS Postoffice Info Mediator—An Info Mediator that monitors IDS sensors, router modules, and software modules used with Cisco Intrusion Detection System (IDS) 3.x.

Cisco IDS RDEP Info Mediator—An Info Mediator that monitors sensors, router modules, and software modules used with Cisco IDS 4.x.

Cisco CNS Info Mediator—An Info Mediator that receives CNS events from the Cisco CNS Notification Engine product, the Cisco CNS 2100 Configuration Engine product, and the Cisco CNS Performance Engine product, such as router configuration change events detected by the Cisco CNS 2100.

Cisco HP NNM Info Mediator—interfaces with the Hewlett Packard Network Node Manager (NNM) system

Cisco Syslog Info Mediator—acquires event data from the syslogd daemon, the UNIX system message logger, by reading from a FIFO that syslogd has been configured to write messages to

Cisco EMF Info Mediator—interfaces with Cisco EMF-based applications, such as Cisco Connection Manager, Cisco DSL Manager (CDM), and Cisco Media Gateway Node Manager (CMNM). Refer to the "Cisco Element Management Framework Support" section for a detailed list of supported applications.

Cisco Transport Manager Info Mediator—interfaces with the Cisco Transport Manager application to allow monitoring of Cisco optical devices, including the Cisco ONS 15454, ONS 15327, ONS 15600, ONS 15800, ONS 15801, and ONS 15808 optical transport platforms

Cisco MTTrapd Info Mediator—multi threaded Cisco Info Mediator that interfaces with a variety of SNMP-enabled devices and event correlation engines such as CiscoWorks2000 (DFM and VHM) and MWFM. This also includes specific enhancements and fixes recommended by the CERT team. The set of rules also includes the best practices set of rules developed by Micromuse.

The Cisco MTTrapd Info Mediator also processes events transmitted by element managers that support the Northbound Event Interface (NEI) included with the Cisco Element Manager System version 3.2 and higher, such as Cisco Media Gateway Manager (CMGM) 2.0 and Cisco Media Gateway Controller Node Manager 2.3.1 and 2.3.1. The NEI allows element managers to send events encapsulated in SNMP messages to network management systems such as Cisco Info Center.

To enable support for the Cisco Element Manager System, select Cisco Element Manager from the Device Configuration menu during Cisco Info Mediator configuration using the nco_config configuration utility.

Additional Info Mediators that work with a variety of hardware and software can be ordered in addition to Cisco Info Center. For detailed information on the event sources and Cisco Info Mediators used with Cisco Info Center, refer to Chapter 3 in the Cisco Info Center Mediator Reference, 3.6.

Related Products

Cisco Info Center - Security Monitoring can be used with several related products:

Cisco Info Center 3.5—The basic version of Cisco Info Center, which enables event monitoring in networks that include Cisco hardware and software products. Cisco Info Center 3.5 can be upgraded to Cisco Info Center - Security Monitoring.


Note Cisco Info Center for Security Monitoring does not work with Cisco Info Center 3.6. It must be installed in a Cisco Info Center 3.5 environment.


Internet Service Monitors—A set of components designed to monitor the status and performance of internet services. The information gathered and processed by the monitors is used to determine whether a particular service is performing adequately, to identify problem areas, and to report service performance.

Additional Related Products—For a complete list of related products, refer to the list of related products in the Release Notes for Cisco Info Center, 3.5.

System Requirements

This section provides the hardware, software, and configuration requirements for the
Cisco Info Center - Security Monitoring, 3.5 product.

Operating System Requirements

The Sun system must have Solaris 7 or 8 with Motif 1.2 or the Common Desktop Environment (CDE) installed.

If you need to run the CiscoView application, view the Cisco CNS Notification Engine help page, or view the Cisco Info Center online documentation on CCO, a supported browser is required.

For current browser requirements for the CiscoView application, refer to the documentation for the CiscoWorks2000 component your Cisco Info Center installation will monitor. The documentation for the Device Fault Manager and Voice Health Monitor components of CiscoWorks2000 is listed in the "Related Documentation" section.


Note If you will install the Virtual Operator component, the target host must be running Solaris 8.


Minimum Configuration

This section provides the minimum system requirements for Cisco Info Center - Security Monitoring, 3.5.

Info Server—Sun Blade 150 workstation or Sun Fire V120 server with a minimum of 512 MB RAM, and a 512-MB hard drive


Note This does not include additional NMS or add-on requirements. Please read the Release Notes or installation manual for the NMS you will use with each Cisco Info Mediator to determine the installation requirements for that particular NMS.


Info Mediators—Sun Ultra 2 or higher workstation with a minimum of 64-MB RAM and a minimum 100 MB hard drive, for each Cisco Info Mediator

Info Admin Desktops—Sun workstations with a minimum of 48-MB RAM and a minimum of 75-MB hard drive.

Additional Requirements for Webtop

If you will install the Webtop component, note the following additional requirements:

a full installation of Webtop requires an additional 120 MB of disk space

UNIX hosts or PCs that will monitor events relayed by the Webtop Web server must run one of the following browsers:

Microsoft Internet Explorer 5.x or 6.0

Netscape Navigator 4.7 or 6.0


Note The browser must be configured to accept all cookies.


Additional Requirements for Virtual Operator

If you will install the Virtual Operator component, note the following additional requirements:

must be installed on a host running Solaris 8

requires an additional 55 MB free disk space

requires an additional 80 MB free space in the /tmp directory

Perl 5 must be installed or linked from /bin/perl or /usr/local/bin/perl

the Solaris operating system must be at the level recommended for the Java Runtime Environment 1.3.1, which is bundled with Virtual Operator.

See the Sun Microsystems SunSolve Web page at the following URL for a list of patches that might be required:

http://sunsolve.sun.com

Recommended Configuration for Managing Large Networks

This section indicates the minimum system requirements for a large installation.

Cisco Info Server—Sun Fire 280R or Netra 20 server or higher with a minimum of 1 GB of RAM and 512 MB of hard disk storage per Info Mediator


Note This does not include additional NMS or add-on requirements. Please read the Release Notes or installation manual for the NMS you will use with each Cisco Info Mediator to determine the installation requirements for the NMS.


Info Mediators—Sun Ultra 2 or higher workstation with a minimum of 64-MB RAM and a minimum 100 MB hard drive, per Info Mediator

Cisco Info Admin Desktops—Sun workstations with a minimum of 48-MB RAM and 75-MB hard drive.

Prerequisites for Monitored Products

Each application component contained within the Cisco Info Center - Security Monitoring product architecture has an associated set of prerequisites (for example, Java plug-ins and supported browsers). This information can be obtained from the product documentation at this site:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/3_5/index.htm

You can also obtain relevant documentation at this site:

http://support.micromuse.com/documentation/

For component specific issues, it is recommended you obtain and consult these documents.

Cisco Info Center 3.5 Support Matrix

Table 1 Cisco Info Center - Security Monitoring, 3.5 Compatibility Matrix

Cisco Info Center for Security, 3.5 Component | Required Solaris Version | NMS/Manager | Solaris Version for NMS/Manager | Can Be Installed Standalone | Can Co-exist with NMS/Manager | Can Co-exist(1) with NMS/Manager and Cisco Info Server
Cisco RTTrapd Info Mediator | 7, 8 | CWM 11.x.x, CWM 12.0.x | 7 | yes | yes | yes
Cisco RTTrapd Info Mediator | 7, 8 | Cisco CNS Notification Engine 2.0, 3.0 | 7, 8 | yes | yes | yes
Cisco PIX Firewall Info Mediator | 7, 8 | Cisco PIX firewalls running PIX software 6.3 and previous | not applicable | yes | no | no
Cisco IDS Postoffice Info Mediator | 7, 8 | Cisco IDS 3.x devices running IDS | not applicable | yes | no | no
Cisco IDS RDEP Info Mediator | 7, 8 | Cisco IDS 4.x devices running IDS | not applicable | yes | no | no
Cisco Syslog Info Mediator | 7, 8 | Syslog | 7, 8 | yes | yes | yes
Cisco Transport Manager Info Mediator | 7, 8 | CTM 3.0 | 8 | yes | yes | yes
Cisco Transport Manager Info Mediator | 7, 8 | CTM 3.2 | 8 | yes | yes | yes
Cisco BTS Softswitch | 7, 8 | BTS Softswitch 3.5.2 and higher | | | |
Cisco Element Management Framework Info Mediator | 7, 8 | Cisco EMF 3.0.4; Cisco EMF 3.1; Cisco EMF 3.2 | 7, 8 (each) | yes | yes | yes
Cisco MTTrapd Info Mediator | 2.6; 7, 8 | DFM 1.0/1.1; VHM 1.0; MWFM 2.0; Voice Gateways; Gatekeepers; Cisco Element Manager System 3.2 (NEI) | 7, 8; 7, 8; 7, 8; NA; NA; NA; 7, 8 | yes | yes | yes
Cisco CNS Info Mediator | 7, 8 | Cisco CNS Notification Engine 2.0, 3.0; Cisco CNS Performance Engine 2.0.1; Cisco CNS Configuration Engine | 7, 8; 8; 8 | yes | yes | yes

(1) Although the Info Server component and the NMS/Manager can co-exist on the same host machine, this is not recommended for reasons of efficiency and to ensure load balancing.


Supported Hardware and Software

Cisco Info Center - Security Monitoring, 3.5 operates with the following hardware and software platforms.

Cisco PIX Firewall

Using the Cisco PIX Firewall Info Mediator, Cisco Info Center - Security Monitoring, 3.5 monitors events from Cisco PIX 500 Series Firewalls that support PIX Firewall software up to release 6.3.

Cisco Intrusion Detection System Hardware and Software

Using the Cisco IDS RDEP Info Mediator or the Cisco IDS Postoffice Info Mediator, Cisco Info Center - Security Monitoring, 3.5 monitors events from the following hardware and software:

Cisco IDS 42xx Series appliances—Sensor devices that run on dedicated hardware platforms designed to work with Cisco IDS.

Cisco IDS Network Module for Cisco Access Routers—Sensor modules that are installed in Cisco 2600, 3600, and 3700 series routers.

Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Modules—A hardware module that integrates full IDS capabilities into the Cisco Catalyst Switch.

Cisco Threat Response (CTR)—A software application that works with Cisco IDS 4.x and 3.x sensors and ISS RealSecure to apply predefined policies to process and display network security events.


Note To monitor devices running IDS version 4.x, you must use the Cisco IDS RDEP Info Mediator. To monitor devices running IDS version 3.x, you can use either the Cisco IDS Postoffice Info Mediator or the Cisco IDS RDEP Info Mediator.


IOS Support

Cisco IOS Syslog messages are supported through the Cisco CNS Notification Engine product, the Cisco CNS Configuration Engine product, and the Cisco Syslog Info Mediator.

Monitoring of IOS security events includes:

Cisco IOS Firewall—a software-based firewall that can be added to devices running the Cisco IOS.

Cisco IOS AAA services—Authentication, Authorization, and Accounting (AAA) services provided with the Cisco IOS, such as Remote Access Dial-in User Access (RADIUS) and TACACS+

Cisco IOS VPN. VPN security software running under the Cisco IOS.

Cisco IOS IDS software—Intrusion detection signatures for devices running the Cisco IOS.

Cisco Security Agent Support

Cisco Info Center - Security Monitoring, 3.5 supports monitoring of events from Cisco Security Agent, a network security application that runs on endpoint devices and desktops that report to the Management Center running on CiscoWorks VPN/Security Management Solution (VMS).

Cisco Transport Manager Support

For information on Cisco Transport Manager support, refer to the Release Notes for Cisco Info Center, 3.5.

Cisco Element Management Framework Support

For information on Cisco Element Management Framework support refer to the Release Notes for Cisco Info Center, 3.5.

Generic SNMP Support

Cisco Info Center - Security Monitoring, 3.5 supports monitoring a varied set of hardware devices and software applications through the Cisco MTTrapd Info Mediator. The best practices rules from Micromuse have also been included in Cisco Info Center for customers' convenience. However, they have not been tested by Cisco and will not be supported.


Note The Cisco MTTrapd Info Mediator also includes enhancement and fixes recommended by the CERT team.


NMS and Cisco Info Center Component Specific Considerations

This section presents considerations you should be aware of when installing specific Cisco Info Center components or NMS applications that work with Cisco Info Center.

CNS Notification Engine

Note the following information regarding the use of Cisco Info Center with the Cisco CNS Notification Engine (Cisco CNS-NOTE) product.

SNMP Version

If you plan to use the Cisco CNS Notification Engine product to monitor Syslog events from Cisco IOS devices, Cisco CNS Notification Engine must be installed and running. When you start the Cisco CNS Notification Engine, specify SNMP v1 in the startup command.

Cisco Info Center Cisco CNS Notification Engine Repeat Count Attribute

Note the following differences in how Cisco CNS Notification Engine and Cisco Info Center process repeat count information.

1. When Cisco Info Center receives events from the Cisco CNS Notification Engine, along with the CNS-NOTE Repeat Count attribute, these appear in the "CNS-Note3.0" view in the Cisco Info Center event interface.

2. Cisco Info Center deduplicates instances of the same event received from Cisco CNS Notification Engine during event processing, and each time an event is deduplicated the count attribute is incremented. However, when this occurs, only the latest value of the CNS-NOTE Frequency attribute is retained by Cisco Info Center; therefore any previous values for the event frequency attribute are lost.

Start Cisco CNS Notification Engine Before Starting Cisco Info Center Components

If you are using Cisco Info Center - Security Monitoring with the Cisco CNS Notification Engine product, make sure to start the Cisco CNS Notification Engine before starting the Cisco Info Center components.

Using the CNS Info Mediator with Cisco CNS Notification Engine

Note the points itemized in the following section— "Using the CNS Info Mediator"—if you are using the CNS Info Mediator with Cisco CNS Notification Engine.

Using the CNS Info Mediator

If you are using the CNS Info Mediator (nco_p_cns):

the TIBCO Rendezvous daemon (rvd or rvrd) must be installed and running

the TIBCO Info Mediator must run on the same machine as the Cisco CNS Notification Engine product or the Cisco CNS Performance Engine product, or must run on a host that has the TIBCO Rendezvous daemon installed on it.

when prompted for the notifier name used with the Cisco TIBCO Info Mediator, enter the notifier name for which the Cisco CNS Notification Engine application or the Cisco CNS Performance Engine application is configured, for example, cisco.mgmt.das.

Using the CNS Info Mediator with the Cisco CNS Configuration Engine

If you will use the CNS Info Mediator with the Cisco CNS 2100 Intelligence Engine and the Cisco CNS Configuration Engine, you must do the following:

Deploy one or more CNS 2100 Intelligence Engine series devices on your network.

Configure routers to send configuration change events to the CNS Configuration Engine software.

For information on these tasks, refer to chapter 3, "Preliminary Installation Steps," in the Cisco Info Center - Security Monitoring Administration Guide, 3.5.

Cisco IDS Postoffice Info Mediator

If you will use the Cisco IDS Postoffice Info Mediator with Cisco Info Center - Security Monitoring, 3.5, then you must install and configure the Cisco IDS SDK on the host where this Info Mediator is installed.

If you have an existing installation of the IDS SDK, then you can use this installation.

If you do not have an existing installation of the IDS SDK, then you must install and configure it. To assist you in the installation, a script that installs and configures the IDS SDK is included in the Cisco Info Center - Security Monitoring distribution.

This script is named csidsDfInstall, and is located in the following directory:

/opt/Omnibus/secure

For detailed information, refer to the "Installing the IDS SDK" section in chapter 3 of the Cisco Info Center - Security Monitoring Administration Guide, 3.5, "Preliminary Installation Steps."

Properties

If the rules and properties need to be customized, the variable $OMNIHOME cannot be used within them. You must instead specify the actual and complete path.

Generic SNMP

The Cisco MTTrapd Info Mediator and the NMS used with Cisco Info Center both bind to SNMP port 162. If you want to install them on the same host, you must configure them to use different SNMP ports.

For information on configuring VHM to forward events to Cisco Info Center, refer to the "Enabling VHM to Send Event Notifications to NMSs" section in the Installing and Setting Up Voice Health Monitor on Windows 2000 manual.


Note To monitor events coming in from the Device Fault Manager (DFM) application through the Voice Health Monitor (VHM) application, you must configure both the DFM and the VHM trap notifier to send traps to Cisco Info Center.


Policy Manager


Warning Cisco Info Center - Security Monitoring cannot be installed and used in conjunction with the Policy Manager component of Cisco Info Center 3.x. For more information, refer to the "Policy Manager Component Is Not Supported" section.


Virtual Operator

Note the following points if you are installing the Virtual Operator component.

Virtual Operator can only run on a Solaris 8 platform

A Cisco Info Server must be installed on the Virtual Operator host.

If you do not select the Cisco Info Server component when the Virtual Operator component is selected, the installation utility automatically selects it and installs it.

Virtual Operator requires an additional 55 MB of free disk space

Virtual Operator requires an additional 80 MB of free space in the /tmp directory

Perl 5 must be installed or linked from /bin/perl or /usr/local/bin/perl

Your Solaris operating system must be at the level recommended for the Java Runtime Environment 1.3.1, which is bundled with Virtual Operator

See the Sun Microsystems SunSolve Web page at the following URL for a list of patches that might be required:

http://sunsolve.sun.com

Virtual Operator requires two types of license:

a Virtual Operator engine license

a Virtual Operator resolution scripts license.

Each resolution scripts license allows you to run up to 20 resolution scripts.


Note For detailed information on Virtual Operator licensing and installation, refer to Chapter 6 of the Cisco Info Center Installation and Configuration Guide, 3.5 "Installing the Virtual Operator Component."


Webtop

If you are installing the Webtop component, note the following points.

A full installation of Webtop requires an additional 120 MB of disk space

UNIX hosts or PCs that will monitor events relayed by the Webtop web server must run one of the following browsers:

Internet Explorer 5.x or 6.0

Netscape Navigator 4.7 or 6.0

during Webtop installation, you must select the Webtop component and at least one additional Cisco Info Center component, such as the Cisco Info Server component, Cisco Info Mediator components, or the Desktop component

If you log into Webtop as InfoAdmin, you will start with the default Cisco Info Center view. If you log in as another user, you will not get the default Cisco Info Center view.

For more detailed instructions on installing Webtop, refer to Chapter 5 of the Cisco Info Center Installation and Configuration Guide, "Installing the Webtop Component."

Automations

Do Not Modify the Default Automations

Do not modify the default set of Cisco Info Center automations provided with the initial installation. If you want to customize an automation, first rename the automation (make sure not to use a name already in use), then implement your changes. Alternatively, you can turn off the default automations, copy them to a new name, edit them, and then save them under a new name.

Tools


Note When you delete a tool, you must delete the menu on which the tool occurs, the menu item, and the tool before re-inserting the tool.


Severity Mappings

Cisco IOS to Cisco CNS-NOTE to Cisco Info Center Severity Mappings

When IOS Facility messages are read by the CNS-NOTE application, their severity is interpreted by CNS-NOTE and assigned to a perceived severity level. In turn, when the events are sent from CNS-NOTE to Cisco Info Center, they are assigned a severity level and are displayed on event lists in a particular color.

Table 2 shows the severity mappings from Cisco IOS messages to Cisco CNS-NOTE messages and then to Cisco Info Center events.

Table 2 Cisco IOS to Cisco CNS-NOTE to Cisco Info Center Severity Mappings

IOS Severity | Cisco CNS-NOTE Perceived Severity | Cisco Info Center Severity | Color
0 | 7 | 5 | Critical (Red)
1 | 6 | 5 | Critical (Red)
2 | 6 | 5 | Critical (Red)
3 | 5 | 4 | Major (Amber)
4 | 4 | 3 | Minor (Yellow)
5 | 3 | 2 | Warning (Blue)
6 | 2 | 1 | Indeterminate (Purple)
 | 1 - Other Severity | 1 | Indeterminate (Purple)
 | 0 | 1 | Indeterminate (Purple)
 | 1000 | 0 | Clear (Green)


Installation Notes

Cisco Info Center - Security Monitoring is installed using the SINSTALL installation script.

Refer to the Cisco Info Center - Security Monitoring Administration Guide, 3.5 for installation instructions.

For an overview of installation, refer to chapter 2, "Installation Overview."

For a list of preliminary tasks to be performed before installing Cisco Info Center - Security Monitoring, refer to chapter 3, "Preliminary Installation Steps."

For instruction on performing a new installation (where there is no existing version of Cisco Info Center), refer to chapter 4, "Performing a New Installation."

For instructions on upgrading an existing installation of Cisco Info Center to Cisco Info Center - Security Monitoring, refer to chapter 5, "Upgrade Installation."

Licensing Cisco Info Center - Security Monitoring, 3.5

Cisco Info Center - Security Monitoring, 3.5 uses two types of licensing: Elan-based licensing and FLEXlm-based licensing.

The following components are licensed using a FLEXlm license server and require feature codes:

The Impact Server

The two object brokers used with the Impact server

The Data Source Adapter (DSA) used with the Impact server

The Webtop component

The following components are licensed using an Elan-based license server and Elan license keys:

The Cisco Info Server core components (Info Server, Info Mediators, Info Gateways, and Info Desktops)

The Virtual Operator component

For detailed information on obtaining, installing, and using licenses for these components, refer to the section in chapter 4 of the Cisco Info Center - Security Monitoring Administration Guide, 3.5: "Licensing Cisco Info Center - Security Monitoring, 3.5."


Note If you do not have a FLEXlm license server in your installation, you must install one during Cisco Info Center - Security Monitoring, 3.5 installation and request feature codes for the FLEXlm-based components. However, if you have an existing FLEXlm license server, you can use the existing license server by requesting feature codes for the components that require FLEXlm licensing and adding them to the license file for the existing license server.


Upgrade Notes

When you run the Cisco Info Center - Security Monitoring installation utility (SINSTALL) you can upgrade from the Cisco Info Center 3.4.1 or 3.5 release to Cisco Info Center - Security Monitoring, 3.5.

Before upgrading, make sure to:

Make a backup copy of any rules files that you have customized.

If you have customized any of the default Cisco Info Center automations, rename the automations before upgrading.

For detailed upgrade instructions, refer to Chapter 5 of the Cisco Info Center - Security Monitoring Administration Guide, 3.5, "Upgrade Installation."

The upgrade utility will prompt you to add any new release 3.5 components that you might want to install (except for the Policy Manager component).

Implementing FLEXlm Licensing for the Impact Server and Related Components

When you install Cisco Info Center - Security Monitoring, 3.5, you must install the Security Policy component (selectable from the Component Selection Menu). Selecting the Security Policy component installs an Impact Server, two object brokers, and a data source adapter (DSA). Each of these components requires a FLEXlm license in order to run.

If you have an existing FLEXlm license server (either on the Cisco Info Center - Security Monitoring host or on another host) you can use the existing FLEXlm license server. However, if you do not have an existing FLEXlm license server, you must install it on either the current host or on another host where you will install other instances of the product.


Note The core components of Cisco Info Center - Security Monitoring, 3.5 (the Info Server, Info Mediators, Info Gateways, and Info Desktop components), use Elan-based licensing.


For detailed instructions on implementing FLEXlm- and Elan-based licensing when performing a new installation, refer to the "Licensing Cisco Info Center - Security Monitoring" section in chapter 4 of the Cisco Info Center - Security Monitoring Administration Guide, 3.5, "Performing a New Installation."

For information on implementing licensing when performing an upgrade from Cisco Info Center, 3.5, refer to the "Licensing Cisco Info Center - Security Monitoring" section in chapter 5 of the Cisco Info Center - Security Monitoring Administration Guide, 3.5, "Upgrade Installation."

Limitations and Known Problems

This section describes limitations and known problems with the Cisco Info Center - Security Monitoring, 3.5 release.

Policy Manager Component Is Not Supported

You cannot upgrade an existing installation of Cisco Info Center, 3.5 that includes the Policy Manager component to Cisco Info Center - Security Monitoring, 3.5 and retain the Policy Manager components. If you do this, the Policy Manager component, Impact Server, and associated components will be deleted (CSCin54962).

Impact Server Failover Limitation

If you install the Cisco Info Center - Security Monitoring, 3.5 core components and the Security Policy component on one host and then install only the Security Policy Components (Impact server and associated modules) on a second host, the configuration script will not prompt you for failover information. Therefore, to enable Impact server failover, you must configure Impact failover manually.

For information on configuring Impact failover, refer to the "Configuring Failover" section of chapter 2 of the Netcool/Impact Administration Guide.

You can access this document at the following URL:

http://support.micromuse.com/documentation/books/im22ag.pdf


Note Login to the Micromuse support site requires a user ID and a password. If you do not have a login to the Micromuse support site, please contact the Cisco Technical Assistance Center (TAC). For information on contacting TAC, refer to the "Opening a TAC Case" section.


Performance Notes

Threat events are calculated after the security events are received by the Info Server. A large burst of security events might result in a delay in threat event calculation.

Performance testing with 10,000 security events that generated 1,000 threat events showed no detectable delay in processing the security events, but the last threat event was generated less than 3 minutes after the last security event was captured.

Note also that with the default configuration of the MTTrapd Info Mediator, the Info Mediator performs host name resolution on each incoming event. This can slow event processing.

To eliminate this problem, use a text editor to edit the $OMNIHOME/probes/solaris2/mttrapd.props file. Make the following changes:

1. Remove the comment character (#) from the line that reads # NoNameResolution : 0.

2. Change the 0 to 1 (NoNameResolution : 1).

3. Save your changes and then restart the MTTrapd Info Mediator.
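
The three-step edit above, done programmatically so that it can be applied to many Info Mediator hosts and verified before the restart, as an added example. This is not code from the release notes or from the product: it rewrites the NoNameResolution line of a props file whether the line is still commented out, already live, duplicated or missing, keeps a .bak copy, and reports whether anything changed. The default path is the one the release notes give; the helper names and the sample props text are constructed for this example. Restarting the MTTrapd Info Mediator afterwards is still required and is not done here.

```python
import re
import shutil

# Added example, not code from the Cisco release notes or from Cisco Info Center.
# Forces "NoNameResolution : 1" in an MTTrapd props file, handling the shipped
# commented-out form ("# NoNameResolution : 0"), a live line, duplicates and a
# missing key. Helper names and the sample text are constructed.

DEFAULT_PROPS = "$OMNIHOME/probes/solaris2/mttrapd.props"  # path from the release notes

# Matches the key whether it is commented out or live, with any spacing.
KEY_RE = re.compile(r"^\s*#?\s*NoNameResolution\s*:\s*(\d+)\s*$")
LIVE_RE = re.compile(r"^\s*NoNameResolution\s*:\s*(\d+)\s*$")


def set_no_name_resolution(text, value=1):
    """Return (new_text, changed) with NoNameResolution forced to `value`.

    Every commented or live occurrence is replaced by a single live setting;
    if the key is absent it is appended. All other lines are left untouched,
    so rerunning on the result changes nothing.
    """
    out, seen, changed = [], False, False
    for line in text.splitlines():
        if KEY_RE.match(line) is None:
            out.append(line)
            continue
        if seen:            # a second copy of the key: drop it
            changed = True
            continue
        seen = True
        new_line = f"NoNameResolution : {value}"
        if new_line != line:
            changed = True
        out.append(new_line)
    if not seen:
        out.append(f"NoNameResolution : {value}")
        changed = True
    return "\n".join(out) + "\n", changed


def current_setting(text):
    """Return the live (uncommented) NoNameResolution value, or None if not set."""
    for line in text.splitlines():
        m = LIVE_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def patch_props_file(path=DEFAULT_PROPS):
    """Edit the props file in place, writing path + '.bak' first. Returns changed."""
    with open(path) as f:
        text = f.read()
    new_text, changed = set_no_name_resolution(text)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w") as f:
            f.write(new_text)
    return changed


# Constructed sample props text (not a shipped file).
SAMPLE_PROPS = """\
# mttrapd.props (constructed sample)
# Server : 'NCOMS'
# NoNameResolution : 0
# Port : 162
MessageLevel : 'warn'
"""

if __name__ == "__main__":
    patched, changed = set_no_name_resolution(SAMPLE_PROPS)
    print("changed:", changed, "live setting:", current_setting(patched))
    print(patched, end="")
```

Check the live value with current_setting() on the file contents before restarting the Info Mediator; a value of None means the key is still commented out and the mediator will keep resolving host names.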

Caveats

This section contains information about open Distributed Defect Tracking System (DDTS) bugs.

CSCec25074. The Cisco CNS Info Mediator does not identify individual command line interface (CLI) commands when router configuration events come in. Each new event based on a CLI command overwrites the previous event.

CSCin60502. When the Security_Policy component is installed standalone on a server, the configuration utility does not prompt for failover information for the Impact Server. This prevents the user from configuring Impact failover.

Workaround:

Manually configure Impact failover on the second host. For information on manual configuration of Impact failover refer to the "Impact Server Failover Limitation" section.

CSCin60504. When switching between the primary and backup Info Servers, the security monitoring tools work inconsistently. For example, when threat events are generated, associated events are sometimes lost on either the primary or the backup Info Server.

CSCin60505. When the Info Server component is installed on one host and the Security_Policy and Info Server components are installed on a second host, failover configuration does not work; therefore, when the primary Info Server is brought down, processing policies do not work on the secondary host and no threat events are generated.

Workaround:

Manually configure Impact failover on the second host. For information on manual configuration of Impact failover refer to the "Impact Server Failover Limitation" section.

CSCec17612. With PIX Firewall Version 6.3 (1) software, the Cisco PIX Firewall Info Mediator is unable to parse some syslog messages.

CSCin54328. When MTTrapd events that have generated a threat event are cleared from the Event List, the corresponding threat event is not cleared.

CSCin54962. Upgrade installation of Cisco Info Center - Security Monitoring, 3.5 removes the Policy Manager component if it was installed on the Cisco Info Center, 3.5 platform.

CSCin62999. The Webtop interface to Cisco Info Center - Security Monitoring, 3.5 does not support several security tools that are supported with the UNIX Info Desktops, such as the associated threat events tool and the change score tool.

CSCin63000. When the Cisco CNS probe is installed and run, a warning message appears continuously in the log file.

CSCin60499. If an Info Mediator has been configured for failover operation and is later reconfigured without failover configuration, the failover information in the Info Mediator properties file is retained.

Known Issues with Related Products

Each application contained within the Cisco Info Center - Security Monitoring product architecture has an associated set of Release Notes containing product-specific issues. This information can be obtained from the Micromuse Support site:

http://support.micromuse.com/documentation/

Related Documentation

The Cisco Info Center - Security Monitoring product has an associated set of documentation that can be obtained from Cisco Systems at this site:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/cic_sm35/index.htm

You can also obtain relevant documentation at this site:

http://support.micromuse.com/documentation/

For component-specific information, it is strongly recommended that you obtain and consult these documents. Issues such as licensing, connectivity and integration, and product specific features are described in the respective guides for each application.

This section describes the manuals in the Cisco Info Center - Security Monitoring documentation set and how to obtain access to them. The online versions of the Cisco Info Center - Security Monitoring documentation can be found on the Cisco Documentation CD, as well as on the Cisco Connection Online (CCO) at the following URL (unless otherwise noted):

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/3_5/index.htm.

Documentation Guide for Cisco Info Center - Security Monitoring, 3.5 (Part Number: 78-15969-01). This document is available in hard and soft copy. It is available on CCO at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/cic_sm35/docguide/docguide.htm

Release Notes for Cisco Info Center - Security Monitoring, 3.5 (this document). This document is available on CCO at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/cic_sm35/relnote/relnote.htm.

Cisco Info Center - Security Monitoring Administration Guide, 3.5 (Part Number: OL-1778-03). This document is available on CCO at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/cic_sm35/admin/index.htm.

Release Notes for Cisco Info Center, Release 3.5. (Part Number: OL-4089-01). This document is available on CCO at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/3_5/rnotes/index.htm

Cisco Info Center Installation and Configuration Guide, 3.5 (Part Number: OL-4088-01). This document is available on CCO at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/3_5/install/index.htm.

Cisco Info Center User Guide, 3.5 (Part Number: OL-4816-01). This document is available on CCO at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/3_5/user_gd/index.htm.

Cisco Info Center Administrator Reference, 3.5 (Part Number: OL-1962-03). This document is available on CCO at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/3_5/admin/index.htm

Cisco Info Center Mediator and Gateway Reference, 3.5 (Part Number: OL-1963-03). This document is available on CCO at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/info_ctr/3_5/medgw/index.htm.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Click Subscriptions & Promotional Materials in the left navigation bar.

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html