 |
Previous Next Sheriff CSMâ„¢
Configuring Sheriff NIDS
Sheriff CSM comes with Sheriff NIDS already enabled, but you need to perform the steps below in order to monitor network traffic.-
Enable one or more interfaces for monitoring
- Add monitored networks
-
Using SPAN or mirror ports, configure your network devices to send traffic to the monitoring interface.
Important: AT&T Cybersecurity recommends that you send packets untagged through the SPAN/mirror port. This is because VLAN trunking is currently not supported. Therefore, Bridge Protocol Data Units (BPDUs) or packets sent through the other Layer 2 protocols are dropped. The Layer 2 protocols include, but are not limited to, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), Spanning Tree Protocol (STP), and VLAN Trunk Protocol (VTP).
Enable a Network Interface for Monitoring
If you have a Sheriff CSM All-in-One and you have not completed the initial configuration, you can enable the interface for NIDS monitoring by using the Getting Started Wizard. See Configuring Network Interfaces. Otherwise, you can configure the network interface by using the web UI (recommended) or the Sheriff Setup menu.
-
Go to Configuration > Deployment > Components > Sheriff Center.
- Double-click the instance you want to configure.
-
Click Sensor (Deputy) Configuration.
-
Click Detection.
-
In the Listening Interfaces area, click the plus (+) sign next to the interface you want to add.
-
Click Apply Changes.
-
Connect to the Sheriff Console through SSH and use your credentials to log in.
The Sheriff Setup menu displays.
-
Select Configure Sensor.
- Select Configure Network Monitoring.
-
Use the keyboard arrow keys to move to the interface, select the interface by pressing the spacebar, and then press Enter (<OK>).
- Press <Back> until you are on the Sheriff Setup menu again. Select Apply all Changes.
-
Press <Yes> to confirm.
Sheriff CSM applies the changes and restarts all the services, which may take several minutes.
Add Monitored Networks
By default, Sheriff CSM monitors all RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Therefore, you do not need to take any further actions if your network uses private IP addresses. However, if you want to monitor a network with public IP addresses, you have to add the network to the list of monitored networks. You can add a network for NIDS monitoring by using the web UI (recommended) or the Sheriff Setup menu.-
Go to Configuration > Deployment > Components > Sheriff Center.
-
Double-click the appliance you want to configure.
-
Click Sensor Configuration.
- Click Detection.
-
In Monitored Networks, type the network address and click Add.
-
Click Apply Changes.
- Connect to the Sheriff Console through SSH and use your credentials to log in.
-
The Sheriff Setup menu displays.
-
Select Configure Sensor.
- Select Network CIDRs.
-
Type the network addresses you want to monitor, separating with a comma, and then press Enter (<OK>).
- Press <Back> until you are on the Sheriff Setup menu again. Select Apply all Changes.
-
Press <Yes> to confirm.
Sheriff CSM applies the changes and restarts all the services, which may take several minutes.
