Home
/
Cisco
/
AIP SSM-40
/
Installation Manual

Cisco AIP SSM-40, Installation Manual

Share

Page: 187 / 412

Cisco AIP SSM-40 Installation Manual Download Page 187

9-9

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

OL-18504-01

Chapter 9 Logging In to the Sensor

Logging In to the NME IPS

Logging In to the NME IPS

This section describes how to use the

session

command to log in to the NME IPS, and contains the

following topics:

•

The NME IPS and the session Command, page 9-9

•

Sessioning In to the NME IPS, page 9-10

The NME IPS and the session Command

Because the NME IPS does not have an external console port, console access to the NME IPS is enabled
when you issue the

service-module ids-sensor

slot

/

port

session

command on the router, or when you

initiate a Telnet connection into the router with the slot number corresponding to the NME IPS port
number. The lack of an external console port means that the initial bootup configuration is possible only
through the router.

When you issue the

service-module ids-sensor

slot

/

port

session

command, you create a console session

with the NME IPS, in which you can issue any IPS configuration commands. After completing work in
the session and exiting the IPS CLI, you are returned to the Cisco IOS CLI.

The

session

command starts a reverse Telnet connection using the IP address of the IDS-Sensor

interface. The IDS-Sensor interface is an interface between the NME IPS and the router. You must assign
an IP address to the IDS-Sensor interface before invoking the

session

command. Assigning a routable

IP address can make the IDS-Sensor interface itself vulnerable to attacks, because the NME IPS is
visible on the network through that routable IP address, meaning you can communicate with the
NME IPS outside the router. To counter this vulnerability, assign an unnumbered IP address to the
IDS-Sensor interface. Then the NME IPS IP address is only used locally between the router and the
NME IPS, and is isolated for the purposes of sessioning in to the NME IPS.

Note

Before you install your application software or reimage the module, opening a session brings up the
bootloader. After you install the software, opening a session brings up the application.

Caution

If you session to the module and perform large console transfers, character traffic may be lost unless the
host console interface speed is set to 115200/bps or higher. Use the

show running config

command to

check that the speed is set to 115200/bps.

For More Information

For the procedure for configuring monitoring interfaces for the NME IPS, refer to

Configuring

Monitoring on the Router Interface

.

«
...
185
186
187
188
189
...
»

Summary of Contents for AIP SSM-40

Page 1: ...Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 0 Text Part Number OL 18504 01 ...

Page 2: ...e encouraged to try to correct the interference by using one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced radio TV technician for help Modifications to this product no...

Page 3: ...fic 1 1 Your Network Topology 1 3 Correctly Deploying the Sensor 1 3 Tuning the IPS 1 3 Sensor Interfaces 1 4 Understanding Sensor Interfaces 1 4 Command and Control Interface 1 5 Sensing Interfaces 1 6 Interface Support 1 6 TCP Reset Interfaces 1 9 Interface Restrictions 1 10 Interface Modes 1 12 Promiscuous Mode 1 12 IPv6 Switches and Lack of VACL Capture 1 13 Inline Interface Pair Mode 1 14 Inl...

Page 4: ...0 Rack Configuration Guidelines 1 30 Electrical Safety Guidelines 1 31 Power Supply Guidelines 1 32 Working in an ESD Environment 1 32 Cable Pinouts 1 33 10 100BaseT and 10 100 1000BaseT Connectors 1 34 Console Port RJ 45 1 35 RJ 45 to DB 9 or DB 25 1 36 C H A P T E R 2 Installing the IPS 4240 and the IPS 4255 2 1 Introducing the IPS 4240 and the IPS 4255 2 1 Front and Back Panel Features 2 2 Spec...

Page 5: ... P T E R 4 Installing the IPS 4270 20 4 1 Introducing the IPS 4270 20 4 2 Supported Interface Cards 4 3 Hardware Bypass 4 5 4GE Bypass Interface Card 4 5 Hardware Bypass Configuration Restrictions 4 6 Hardware Bypass and Link Changes and Drops 4 7 Front and Back Panel Features 4 7 Diagnostic Panel 4 11 Internal Components 4 13 Specifications 4 14 Accessories 4 15 Installing the Rail System Kit 4 1...

Page 6: ...lation and Removal Instructions 5 5 Verifying Installation 5 6 C H A P T E R 6 Installing the AIP SSM 6 1 Specifications 6 1 Memory Specifications 6 2 Hardware and Software Requirements 6 2 Indicators 6 2 Installation and Removal Instructions 6 3 Installing the AIP SSM 6 3 Verifying the Status of the AIP SSM 6 4 Removing the AIP SSM 6 5 C H A P T E R 7 Installing the IDSM2 7 1 Specifications 7 1 S...

Page 7: ...bility With Other IPS Modules 8 3 Restrictions 8 3 Hardware Interfaces 8 4 Installation and Removal Instructions 8 5 Verifying Installation 8 6 C H A P T E R 9 Logging In to the Sensor 9 1 Supported User Roles 9 1 Logging In to the Appliance 9 2 Connecting an Appliance to a Terminal Server 9 3 Logging In to the AIM IPS 9 4 The AIM IPS and the session Command 9 4 Sessioning In to the AIM IPS 9 5 Lo...

Page 8: ...rity Intelligence Operations 11 9 Obtaining a License Key From Cisco com 11 10 Understanding Licensing 11 10 Service Programs for IPS Products 11 11 Obtaining and Installing the License Key Using IDM or IME 11 11 Obtaining and Installing the License Key Using the CLI 11 13 C H A P T E R 12 Upgrading Downgrading and Installing System Images 12 1 Upgrades Downgrades and System Images 12 1 Supported ...

Page 9: ...yst Software 12 28 Installing the IDSM2 System Image for Cisco IOS Software 12 29 Configuring the IDSM2 Maintenance Partition for Catalyst Software 12 31 Configuring the IDSM2 Maintenance Partition for Cisco IOS Software 12 35 Upgrading the IDSM2 Maintenance Partition for Catalyst Software 12 38 Upgrading the IDSM2 Maintenance Partition for Cisco IOS Software 12 39 Installing the NME IPS System Im...

Page 10: ...nterfaces Issues A 22 External Product Interfaces Troubleshooting Tips A 23 Troubleshooting the Appliance A 23 Hardware Bypass and Link Changes and Drops A 24 Troubleshooting Loose Connections A 24 Analysis Engine is Busy A 25 Connecting the IPS 4240 to a Cisco 7200 Series Router A 25 Communication Problems A 26 Cannot Access the Sensor CLI Through Telnet or SSH A 26 Correcting a Misconfigured Acc...

Page 11: ...emote Manager or Sensing Interfaces Cannot Access Sensor A 57 Signatures Not Producing Alerts A 58 Troubleshooting IME A 59 Time Synchronization on IME and the Sensor A 59 Not Supported Error Message A 59 Troubleshooting the IDSM2 A 59 Diagnosing IDSM2 Problems A 60 Minimum Supported IDSM2 Configurations A 61 Switch Commands for Troubleshooting A 61 Status LED Off A 62 Status LED On But the IDSM2 ...

Page 12: ... Command A 74 Displaying Version Information A 74 Statistics Information A 76 Understanding the show statistics Command A 77 Displaying Statistics A 77 Interfaces Information A 87 Understanding the show interfaces Command A 87 Interfaces Command Output A 87 Events Information A 88 Sensor Events A 88 Understanding the show events Command A 89 Displaying Events A 89 Clearing Events A 92 cidDump Scri...

Page 13: ...e page xiii Comply with Local and National Electrical Codes page xiii Organization page xv Conventions page xv Related Documentation page xvi Obtaining Documentation and Submitting a Service Request page xvii Audience This guide is for experienced network security administrators who install and maintain Cisco IPS sensors including the supported IPS appliances and modules Comply with Local and Nati...

Page 14: ...tenza L installazione dell impianto deve essere conforme ai codici elettrici locali e nazionali Advarsel Installasjon av utstyret må samsvare med lokale og nasjonale elektrisitetsforskrifter Aviso A instalação do equipamento tem de estar em conformidade com os códigos eléctricos locais e nacionais Advertencia La instalación del equipo debe cumplir con las normativas de electricidad locales y nacio...

Page 15: ...Installing the IDSM2 Describes how to install the IDSM2 8 Installing the NME IPS Describes how to install the NME IPS 9 Logging In to the Sensor Describes how to log in to the various sensors 10 Initializing the Sensor Describes how to use the setup command to initialize sensors 11 Obtaining Software Describes where to go to get the latest IPS software and describes the naming conventions 12 Upgra...

Page 16: ...stem Release Notes for Cisco Intrusion Prevention System Installing and Using Cisco Intrusion Prevention System Device Manager Installing and Using Cisco Intrusion Prevention System Manager Express Cisco Intrusion Prevention System Command Reference Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface Installling and Removing Interface Cards in Cisco IPS 4260 a...

Page 17: ...umentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered dir...

Page 18: ...xviii Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Preface Contents ...

Page 19: ...age 1 17 IPS Appliances page 1 18 IPS Modules page 1 20 Time Sources and the Sensor page 1 26 Installation Preparation page 1 29 Site and Safety Guidelines page 1 30 Cable Pinouts page 1 33 How the Sensor Functions This section describes how the sensor functions and contains the following topics Capturing Network Traffic page 1 1 Your Network Topology page 1 3 Correctly Deploying the Sensor page 1...

Page 20: ...t TCP resets via the sensing interface Note You should select the TCP reset action only on signatures associated with a TCP based service If selected as an action on non TCP based services no action is taken Additionally TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol Make ACL changes on switches routers and firewalls that the sensor manag...

Page 21: ... the edge of your network in front of a firewall your sensor will produce alerts on every single scan and attempted attack even if they have no significance to your network implementation You will receive hundreds thousands or even millions of alerts in a large enterprise environment that are not really critical or actionable in your environment Analyzing this type of data is time consuming and co...

Page 22: ... provide more information For More Information For a detailed description of risk rating refer to Calculating the Risk Rating For information on Cisco signatures for IDM and IME refer to Defining Signatures and for the CLI refer to Defining Signatures For detailed information on event action overrides for IDM and IME refer to Configuring Event Action Overrides and for the CLI refer to Configuring ...

Page 23: ...y Because the AIM IPS AIP SSM and NME IPS only have one sensing interface you cannot configure a TCP reset interface Because of hardware limitations on the Catalyst switch both of the IDSM2 sensing interfaces are permanently configured to use System0 1 as the TCP reset interface The TCP reset interface that is assigned to a sensing interface has no effect in inline interface or inline VLAN pair mo...

Page 24: ...estored to their default settings when the card is reinstalled However the assignment of promiscuous and inline interfaces to the Analysis Engine is not deleted from the Analysis Engine configuration but is ignored until those cards are reinserted and you create the inline interface pairs again Interface Support Table 1 2 describes the interface support for appliances and modules running Cisco IPS...

Page 25: ... 3 0 0 0 1 0 0 0 2 0 0 0 3 0 1 0 2 0 1 0 3 0 2 0 3 Management0 0 IPS 4255 GigabitEthernet0 0 GigabitEthernet0 1 GigabitEthernet0 2 GigabitEthernet0 3 0 0 0 1 0 0 0 2 0 0 0 3 0 1 0 2 0 1 0 3 0 2 0 3 Management0 0 IPS 4260 GigabitEthernet0 1 N A Management0 0 IPS 4260 4GE BP Slot 1 Slot 2 GigabitEthernet0 1 GigabitEthernet2 0 GigabitEthernet2 1 GigabitEthernet2 2 GigabitEthernet2 3 GigabitEthernet3 ...

Page 26: ...hernet7 0 TenGigabitEthernet7 1 All sensing ports can be paired together Management0 0 Management0 17 NME IPS GigabitEthernet0 1 by ids service module command in the router configuration instead of VLAN pair or inline interface pair GigabitEthernet0 1 by ids service module command in the router configuration instead of VLAN pair or inline interface pair Management0 1 1 To disable hardware bypass p...

Page 27: ...he interface is operating in promiscuous mode the sensor may not be able to send the TCP reset packets over the same sensing interface on which the attack was detected In such cases you can associate the sensing interface with an alternate TCP reset interface and any TCP resets that would otherwise be sent on the sensing interface when it is operating in promiscuous mode are instead sent out on th...

Page 28: ...rface as an alternate TCP reset interface Interface Restrictions The following restrictions apply to configuring interfaces on the sensor Physical Interfaces On modules AIM IPS AIP SSM IDSM2 and NME IPS all backplane interfaces have fixed speed duplex and state settings These settings are protected in the default configuration on all backplane interfaces For nonbackplane FastEthernet interfaces th...

Page 29: ... one sensing interface The order in which you specify the VLANs in an inline VLAN pair is not significant A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs Alternate TCP Reset Interface You can only assign the alternate TCP reset interface to a sensing interface You cannot configure the command and control interface as an alternate TCP reset interface The altern...

Page 30: ... IPv6 Switches and Lack of VACL Capture page 1 13 Inline Interface Pair Mode page 1 14 Inline VLAN Pair Mode page 1 15 VLAN Group Mode page 1 15 Deploying VLAN Groups page 1 16 Promiscuous Mode In promiscuous mode packets do not flow through the sensor The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet The advantage of operating in promiscuous mode is that ...

Page 31: ...le trunks to one or more sensors Restrict per trunk port which VLANs are allowed to perform monitoring of many VLANs to more than two different sensors or virtual sensors within one IPS The following configuration uses one SPAN session to send all of the traffic on any of the specified VLANs to all of the specified ports Each port configuration only allows a particular VLAN or VLANs to pass Thus y...

Page 32: ...ut it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks Layers 3 to 7 This deeper analysis lets the system identify and stop and or block attacks that would normally pass through a traditional firewall device In inline interface pair mode a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair ...

Page 33: ...t with the ID of the egress VLAN on which the sensor forwards the packet The sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs Figure 1 4 illustrates inline VLAN pair mode Figure 1 4 Inline VLAN Pair Mode For More Information For a list of restrictions pertaining to IPS sensor interfaces see Interface Restrictions page 1 10 VLAN Group Mode Note You cannot di...

Page 34: ...ative VLAN do not have the 802 1q headers attached The IDSM2 can read the 802 1q headers for all nonnative traffic to determine the VLAN ID for that packet However the IDSM2 does not know which VLAN is configured as the native VLAN for the port in the switch configuration so it does not know what VLAN the native packets are in Therefore you must tell the IDSM2 which VLAN is the native VLAN for tha...

Page 35: ...dules that are supported by Cisco IPS 7 0 The following NRS and IDS appliance models are legacy models and are not supported in this document NRS 2E NRS 2E DM NRS 2FE NRS 2FE DM NRS TR Table 1 4 Supported Sensors Model Name Part Number Optional Interfaces Appliances IPS 4240 IPS 4240 K9 IPS 4240 DC K91 1 The IPS 4240 DC K9 is a NEBS compliant product IPS 4255 IPS 4255 K9 IPS 4260 IPS 4260 K9 IPS 4...

Page 36: ...g the IPS Appliance page 1 18 Appliance Restrictions page 1 19 Connecting an Appliance to a Terminal Server page 1 19 Introducing the IPS Appliance The IPS appliance is a high performance plug and play device The appliance is a component of the IPS a network based real time intrusion prevention system You can use the IPS CLI IDM IME ASDM or CSM to configure the appliance You can configure the appl...

Page 37: ... and how to access them refer to Documentation Roadmap for Cisco Intrusion Prevention System 7 0 For a list of supported appliances see Supported Sensors page 1 17 For a description of each IPS appliance see the following chapters in this document Chapter 2 Installing the IPS 4240 and the IPS 4255 Chapter 3 Installing the IPS 4260 Chapter 4 Installing the IPS 4270 20 Appliance Restrictions The fol...

Page 38: ... terminal sessions are not stopped properly authentication is not performed on the next session that is opened on the serial port Caution Always exit your session and return to a login prompt before terminating the application used to establish the connection Caution If a connection is dropped or terminated by accident you should reestablish the connection and exit normally to prevent unauthorized...

Page 39: ...clear the session The AIM IPS has a backplane interface which means that all management traffic passes through the router interface rather than a dedicated port on the module The AIM IPS does not have an external FastEthernet interface for handling management traffic Management traffic includes all communications between applications such as IDM IME CSM and CS MARS and the servers on the module fo...

Page 40: ...S refer to Configuring the AIM IPS Introducing the AIP SSM The Cisco ASA Advanced Inspection and Prevention Security Services Module AIP SSM is the IPS plug in module in the Cisco ASA 5500 series adaptive security appliance The adaptive security appliance software integrates firewall VPN and intrusion detection and prevention capabilities in a single platform AIP SSM monitors and performs real tim...

Page 41: ...gured and after other firewall policies are applied For example packets that are blocked by an access list are not forwarded to the AIP SSM In promiscuous mode the IPS receives packets over the GigabitEthernet interface examines them for intrusive behavior and generates alerts based on a positive result of the examination In inline mode there is the additional step of sending all packets which did...

Page 42: ...eive IPS traffic refer to Configuring the AIP SSM Introducing the IDSM2 The Cisco Catalyst 6500 Series Intrusion Detection System Services Module IDSM2 is a switching module that performs intrusion prevention in the Catalyst 6500 series switch and 7600 series router You can use the CLI or IDSM to configure the IDSM2 You can configure the IDSM2 for promiscuous or inline mode The IDSM2 performs netw...

Page 43: ... For more information on configuring the IDSM2 to receive IPS traffic refer to Configuring the IDSM2 Introducing the NME IPS Cisco Intrusion Prevention System Network Module NME IPS integrates and brings inline Cisco IPS functionality to Cisco access routers You can install the NME IPS in any one of the network module slots in the 2800 and 3800 series router The NME IPS has its own operating syste...

Page 44: ... source for the sensors and how to correct the time if there is an error It contains the following topics The Sensor and Time Sources page 1 26 Synchronizing IPS Module System Clocks with the Parent Device System Clock page 1 28 Verifying the Sensor is Synchronized with the NTP Server page 1 28 Correcting the Time on the Sensor page 1 29 The Sensor and Time Sources The sensor requires a reliable t...

Page 45: ...the AIM IPS and the NME IPS The time zone and summertime settings are not synchronized between the parent router and the AIM IPS and the NME IPS Note Be sure to set the time zone and summertime settings on both the parent router and the AIM IPS and the NME IPS to ensure that the UTC time settings are correct The local time of the AIM IPS and the NME IPS could be incorrect if the time zone and or s...

Page 46: ...rify the NTP configuration use the show statistics host command to gather sensor statistics The NTP statistics section provides NTP statistics including feedback on sensor synchronization with the NTP server To verify the NTP configuration follow these steps Step 1 Log in to the sensor Step 2 Generate the host statistics sensor show statistics host NTP Statistics remote refid st t when poll reach ...

Page 47: ...14 01 33 UTC which creates the time stamp problem To ensure the integrity of the time stamp on the event records you must clear the event archive of the older events by using the clear events command Note You cannot remove individual events For More Information For the procedure for clearing events refer to Clearing Events from Event Store Installation Preparation To prepare for installing sensors...

Page 48: ...perating temperatures without adequate circulation Make sure that the room in which you operate your system has adequate air circulation Always follow the ESD prevention procedures to avoid damage to equipment Damage from static discharge can cause immediate or intermittent equipment failure Make sure that the chassis top panel is secure The chassis is designed to allow cooling air to flow effecti...

Page 49: ...ermine if the person needs rescue breathing or external cardiac compressions then take appropriate action Use the chassis within its marked electrical ratings and product usage instructions Install the sensor in compliance with local and national electrical codes as listed in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor The sen...

Page 50: ...ly cords are available make sure you have the correct type for your site Install a UPS for your site Install proper site grounding facilities to guard against damage from lightning or power surges The following applies to a chassis equipped with a DC input power supply Each DC input power supply requires dedicated 15 amp service For DC power cables we recommend a minimum of 14 AWG wire cable The D...

Page 51: ...llow ESD prevention procedures when removing replacing or repairing components Note If you are upgrading a component do not remove the component from the ESD packaging until you are ready to install it Cable Pinouts This section describes pinout information for 10 100 1000BaseT console and RJ 45 to DB 9 ports and the MGMT 10 100 Ethernet port It contains the following topics 10 100BaseT and 10 100...

Page 52: ...er appliances The fiber appliances support 1000Base SX only The 10 100 1000BaseT ports use standard RJ 45 connectors and support MDI and MDI X connectors Ethernet ports normally use MDI connectors and Ethernet ports on a hub normally use MDI X connectors An Ethernet straight through cable is used to connect an MDI to an MDI X port A cross over cable is used to connect an MDI to an MDI port or an M...

Page 53: ...le To identify the RJ 45 cable type hold the two ends of the cable next to each other so that you can see the colored wires inside the ends as shown in Figure 1 14 Figure 1 14 RJ 45 Cable Identification Examine the sequence of colored wires to determine the type of RJ 45 cable as follows Straight through The colored wires are in the same sequence at both ends of the cable Cross over The first far ...

Page 54: ...0 OL 18504 01 Chapter 1 Introducing the Sensor Cable Pinouts RJ 45 to DB 9 or DB 25 Table 1 5 lists the cable pinouts for RJ 45 to DB 9 or DB 25 Table 1 5 Cable Pinouts for RJ 45 to DB 9 or DB 25 Signal RJ 45 Pin DB 9 DB 25 Pin RTS 8 8 DTR 7 6 TxD 6 2 GND 5 5 GND 4 5 RxD 3 3 DSR 2 4 CTS 1 7 ...

Page 55: ...S 4255 page 2 7 Installing the IPS 4240 DC page 2 10 Introducing the IPS 4240 and the IPS 4255 The IPS 4240 and the IPS 4255 deliver high port density in a small form factor They use a compact flash device for storage rather than the hard disk drives used in other sensor models The IPS 4240 and the IPS 4255 do not support redundant power supplies The IPS 4240 replaces the IDS 4235 There are four 1...

Page 56: ...lustrations show the IPS 4240 the IPS 4255 has the same front and back panel features and indicators This section describes the IPS 4240 and the IPS 4255 front and back panel features and indicators Figure 2 1 shows the front view of the IPS 4240 and the IPS 4255 Figure 2 1 IPS 4240 IPS 4255 Front Panel Features Table 2 1 describes the front panel indicators on the IPS 4240 and the IPS 4255 114003...

Page 57: ... back panel indicators 114002 LINK SPD 2 LINK SPD 1 LINK SPD 0 LINK SPD 3 MGMT USB2 USB1 FLASH CONSOLE AUX P O W E R S T A T U S F L A S H Power connector Power switch Indicator light Auxiliary port not used Serial console port External compact flash device not used Compact flash device indicator Status indicator Power indicator GigabitEthernet0 0 USB ports not used Management0 0 114417 USB2 USB1 ...

Page 58: ...ck mountable Expansion One chassis expansion slot not used Power Autoswitching 100V to 240V AC Frequency 47 to 63 Hz single phase Operating current 3 0 A Steady state 150 W Maximum peak 190 W Maximum heat dissipation 648 BTU hr full power usage 65 W Environment Temperature Operating 32 F to 104 F 0 C to 40 C Nonoperating 13 F to 158 F 25 C to 70 C Relative humidity Operating 5 to 95 noncondensing ...

Page 59: ...ther interface is hard coded you must make the connection using a crossover cable Accessories The IPS 4240 and the IPS 4255 accessories kit contains the following DB25 connector DB9 connector Rack mounting kit screws washers and metal bracket RJ45 console cable Two 6 ft Ethernet cables Important Safety Instructions Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger You are in a...

Page 60: ... follow these steps Step 1 Attach the bracket to the appliance using the supplied screws You can attach the brackets to the holes near the front of the appliance Note The top hole on the left bracket is a banana jack you can use for ESD grounding purposes when you are servicing the system You can use the two threaded holes to mount a ground lug to ground the chassis 114016 Cisco IPS 4240 series In...

Page 61: ...he screws that attach the appliance to the rack and then remove the appliance Installing the IPS 4240 and the IPS 4255 Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cis...

Page 62: ...3 Place the appliance in a rack if you are rack mounting it Step 4 Attach the power cord to the appliance and plug it in to a power source a UPS is recommended Step 5 Connect the cable as shown in Step 6 so that you have either a DB 9 or DB 25 connector on one end as required by the serial port for your computer and the other end is the RJ 45 connector Note Use the console port to connect to a com...

Page 63: ...t0 3 from right to left are sensing ports Management0 0 is the command and control port Caution Management and console ports are privileged administrative ports Connecting them to an untrusted network can create security concerns Step 8 Power on the appliance Step 9 Initialize the appliance Step 10 Upgrade the appliance with the most recent Cisco IPS software You are now ready to configure intrusi...

Page 64: ...ng intrusion prevention on your sensor refer to the following documents Installing and Using Cisco Intrusion Prevention System Device Manager 7 0 Installing and Using Cisco Intrusion Prevention System Manager Express 7 0 Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7 0 Installing the IPS 4240 DC The the IPS 4240 DC K9 NEBS compliant model equipped with ...

Page 65: ...comply with the NEC code for ampacity A lug is not supplied with the appliance Step 3 Place the appliance in a rack if you are rack mounting it Step 4 Terminate the DC input wiring on a DC source capable of supplying at least 15 amps A 15 amp circuit breaker is required at the 48 VDC facility power source An easily accessible disconnect device should be incorporated into the facility wiring Step 5...

Page 66: ...ends of the wires for insertion into the power connect lugs on the IPS 4240 DC Step 9 Insert the ground wire into the connector for the earth ground and tighten the screw on the connector Using the same method as for the ground wire connect the negative wire and then the positive wire 1 Negative 5 Negative 2 Positive 6 Positive 3 Ground 7 Ground 4 On Off Switch 148401 4 1 3 2 148405 5 6 7 1 4 3 2 ...

Page 67: ...on prevention on the appliance For More Information DC power guidelines are listed in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor For more information on working with electrical power and in an ESD environment see Site and Safety Guidelines page 1 30 For the procedure for placing IPS 4250 DC in a rack see Rack Mounting page 2 ...

Page 68: ...2 14 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Chapter 2 Installing the IPS 4240 and the IPS 4255 Installing the IPS 4240 DC ...

Page 69: ...the IPS 4260 page 3 15 Removing and Replacing the Chassis Cover page 3 18 Installing and Removing Interface Cards page 3 20 Installing and Removing the Power Supply page 3 22 Introducing the IPS 4260 Caution The BIOS on the IPS 4260 is specific to the IPS 4260 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website Installing a non Cisco or third par...

Page 70: ...nline ready It supports both copper and fiber interfaces The 1 Gbps performance is traffic combined from all sensing interfaces The 1 Gbps performance for the IPS 4260 is based on the following conditions 10 000 new TCP connections per second 100 000 HTTP transactions per second Average packet size of 450 bytes System running IPS 6 0 software The IPS 4260 ships with one power supply but it support...

Page 71: ...faces The 2SX card ports require a multi mode fiber cable with an LC connector to connect to the SX interface of the sensor The 2SX interface card does not support hardware bypass Figure 3 2 shows the 2SX interface card Figure 3 2 2SX Interface Card 10GE Interface Card The 10GE interface card part numbers IPS 2X10GE SR INT and IPS 2X10GE SR INT provides two 10000 Base SX fiber interfaces The IPS 4...

Page 72: ... supports hardware bypass only between ports 0 and 1 and between ports 2 and 3 Note To disable hardware bypass pair the interfaces in any other combination for example 2 0 2 2 and 2 1 2 3 Hardware bypass complements the existing software bypass feature in Cisco IPS The following conditions apply to hardware bypass and software bypass When bypass is set to OFF software bypass is not active For each...

Page 73: ...one or more of the hardware bypass configuration restrictions hardware bypass is deactivated on the inline interface and you receive a warning message similar to the following Hardware bypass functionality is not available on Inline interface pair0 Physical interface GigabitEthernet2 0 is capable of performing hardware bypass only when paired with GigabitEthernet2 1 and both interfaces are enabled...

Page 74: ...k to itself The interface card then negotiates both links and traffic resumes There is no built in way to completely avoid link status changes and drops However you can greatly reduce the interruption time in some cases to sub second times by doing the following Make sure you use CAT 5e 6 certified cabling for all connections Make sure the interfaces of the connected devices are configured to matc...

Page 75: ...C power The indicator is off when power is turned off or the power source is disrupted Flash green amber Off when the compact flash device is not being accessed Blinks green when the compact flash device is being accessed Solid amber when a device has failed Status green amber Blinks green while the power up diagnostics are running or the system is booting Solid green when the system has passed po...

Page 76: ...or TAC use System ID indicator Status indicator Table 3 2 Back Panel Indicators Indicator Color Description Left side Green solid Green blinking Physical link Network activity Right side Not lit Green Amber 10 Mbps 100 Mbps 1000 Mbps Table 3 3 Power Supply Indicators Color Description Off No AC power to all power supplies Green solid Output on and ok Green blinking AC present only 5Vsb on power su...

Page 77: ...in 435 3 cm Depth 20 in 508 cm Weight 20 0 lb 9 07 kg Form factor 2 RU standard 19 inch rack mountable Power Autoswitching 100V to 240V AC Frequency 47 to 63 Hz single phase Operating current 8 9 A Steady state 588 W max continuous Maximum peak 657 W Maximum heat dissipation 648 BTU hr Environment Temperature Operating 32 F to 104 F 0 C to 40 C Nonoperating 104 F to 158 F 40 C to 70 C Relative hum...

Page 78: ...in the translated safety warnings that accompanied this device Statement 1071 SAVE THESE INSTRUCTIONS Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Rack Mounting You can rack mount the IPS 4260 in a 2 or 4 post rack This section describes how to rack mount the IPS 4260 and contains the following topics Installing the IPS ...

Page 79: ... bracket to the chassis with two 8 32x1 4 SEMS screws You can flip the bracket to push the system forward in the rack Step 3 Using the four inner studs install the mounting brackets to the outer rail with four 8 32 KEPS nuts Insert four thread covers over the four outer studs on each side 153315 Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET ID 153316 ...

Page 80: ...the two outer rail subassemblies in the rack using eight 10 32x1 2 SEMS screws You can use four bar nuts if necessary Note Adjust the mounting brackets based on rack depth Step 5 Slide the IPS 4260 into the rack making sure the inner rail is aligned with the outer rail 153317 153318 Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET ID ...

Page 81: ...the IPS 4260 in a 2 post rack follow these steps Step 1 Attach the inner rail to each side of the chassis with three 8 32x1 4 SEMS screws Step 2 Using the four inner studs install the mounting brackets to the outer rail with four 8 32 KEPS nuts Insert four thread covers over the four outer studs on each side Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET ID 15331...

Page 82: ... outer rail subassemblies in the rack using twelve 10 32x1 2 SEMS screws or whatever rack hardware is necessary Note Adjust the mounting brackets based on the rack channel depth Step 4 Slide the IPS 4260 into the rack making sure the inner rail is aligned with the outer rail 153322 153323 Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET ID ...

Page 83: ...to the inner rail Installing the IPS 4260 Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor 153324 Cisco IPS ...

Page 84: ...4260 in a rack if you are rack mounting it Step 4 Attach the power cord to the IPS 4260 and plug it in to a power source a UPS is recommended Step 5 Connect the cable as shown in Step 6 so that you have either a DB 9 or DB 25 connector on one end as required by the serial port for your computer and the other end is the RJ 45 connector Note Use the console port to connect to a computer to enter con...

Page 85: ...rt GigabitEthernetslot_number port_number through GigabitEthernetslot_number port_number are the additional expansion port slots Caution Management and console ports are privileged administrative ports Connecting them to an untrusted network can create security concerns Step 8 Power on the IPS 4260 Step 9 Initialize the IPS 4260 153309 RJ 45 to DB 9 or DB 25 serial cable null modem Computer serial...

Page 86: ... System Device Manager 7 0 Installing and Using Cisco Intrusion Prevention System Manager Express 7 0 Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7 0 Removing and Replacing the Chassis Cover Warning This product relies on the building s installation for short circuit overcurrent protection Ensure that the protective device is rated not greater than 120...

Page 87: ...re the IPS 4260 to be powered off sensor reset powerdown Wait for the power down message before continuing with Step 3 Note You can also power down the IPS 4260 using IDM or IME Step 3 Power off the IPS 4260 Step 4 Remove the power cord and other cables from the IPS 4260 Step 5 If rack mounted remove the IPS 4260 from the rack Step 6 Make sure the IPS 4260 is in an ESD controlled environment Step ...

Page 88: ...e half height slots You can install the optional network interface cards in the two top full height slots slots 2 and 3 The IPS 4260 supports up to two network interface cards Note The IPS 4260 supports only one 10GE fiber interface card which you can install in either of the supported slots slots 2 and 3 Note We recommend that you install the 4GE bypass interface card in slot 2 if you are install...

Page 89: ... cover by pressing on it from inside the chassis If the card is full length use a screw driver to remove the blue thumb screw from the card support at the back of the card carrier Step 11 Carefully align the interface card with the PCI Express connector and alignment grooves for the appropriate slot Apply firm even pressure until the card is fully seated in the connector Step 12 Reinstall the slot...

Page 90: ... Mounting page 3 10 For more information on ESD controlled environments see Working in an ESD Environment page 1 32 For the procedure for removing the chassis cover see Removing and Replacing the Chassis Cover page 3 18 Installing and Removing the Power Supply The IPS 4260 ships with one power supply but you can order it with two power supplies so that you have a redundant power supply To install ...

Page 91: ...60 Installing and Removing the Power Supply Step 5 Squeeze the tabs to remove the filler plate Step 6 Install the power supply Step 7 To remove the power supply push down the green tab and pull out the power supply Step 8 After installing or removing the power supply replace the power cord and other cables Step 9 Power on the IPS 4260 ...

Page 92: ...e for IPS 7 0 OL 18504 01 Chapter 3 Installing the IPS 4260 Installing and Removing the Power Supply For More Information For the IDM procedure for resetting the IPS 4260 refer to Rebooting the Sensor for the IME procedure for resetting the IPS 4260 refer to Rebooting the Sensor ...

Page 93: ...he IPS 4270 20 page 4 2 Supported Interface Cards page 4 3 Hardware Bypass page 4 5 Front and Back Panel Features page 4 7 Diagnostic Panel page 4 11 Internal Components page 4 13 Specifications page 4 14 Accessories page 4 15 Installing the Rail System Kit page 4 15 Installing the IPS 4270 20 page 4 35 Removing and Replacing the Chassis Cover page 4 38 Accessing the Diagnostic Panel page 4 41 Ins...

Page 94: ... are used for management and are called Management0 0 and Management0 1 Management0 1 is reserved for future use Slots 1 and 2 are reserved for future use You can populate slots 3 through 8 with supported network interface cards Slot 9 is populated by a RAID controller card and is not available for use by network interface cards The sensing interfaces are called GigabitEthernet Because of the mult...

Page 95: ... 11 1 For more information on sensor interfaces see Sensor Interfaces page 1 4 For more information on the supported interface cards see Supported Interface Cards page 4 3 For more information on the 4GE bypass interface card see Hardware Bypass page 4 5 For more information about the power supplies see Installing and Removing the Power Supply page 4 44 Supported Interface Cards The IPS 4270 20 su...

Page 96: ...es The 2SX card ports require a multi mode fiber cable with an LC connector to connect to the SX interface of the sensor The 2SX interface card does not support hardware bypass Figure 4 3 shows the 2SX interface card Figure 4 3 2SX Interface Card 10GE Interface Card The 10GE interface card part numbers IPS 2X10GE SR INT and IPS 2X10GE SR INT provides two 10000 Base SX fiber interfaces The IPS 4270...

Page 97: ... supports hardware bypass only between ports 0 and 1 and between ports 2 and 3 Note To disable hardware bypass pair the interfaces in any other combination for example 2 0 2 2 and 2 1 2 3 Hardware bypass complements the existing software bypass feature in Cisco IPS The following conditions apply to hardware bypass and software bypass When bypass is set to OFF software bypass is not active For each...

Page 98: ...e or more of the hardware bypass configuration restrictions hardware bypass is deactivated on the inline interface and you receive a warning message similar to the following Hardware bypass functionality is not available on Inline interface pair0 Physical interface GigabitEthernet2 0 is capable of performing hardware bypass only when paired with GigabitEthernet2 1 and both interfaces are enabled a...

Page 99: ...ages and the interface card interrupts the bypass and reconnects the links back to itself The interface card then negotiates both links and traffic resumes There is no built in way to completely avoid link status changes and drops However you can greatly reduce the interruption time in some cases to sub second times by doing the following Make sure you use CAT 5e 6 certified cabling for all connec...

Page 100: ...ches and Indicators Indicator Description UID switch and indicator Toggles the system ID indicator which assists with chassis location in a rack Blue Activated Off Deactivated Note The ID switch is activated by a switch on the front of the chassis Internal system health indicator Indicates internal system health Green System on Flashing amber System health degraded Flashing red System health criti...

Page 101: ... switch and indicator Turns power on and off Amber System has AC power and is in standby mode Green System has AC power and is turned on Off System has no AC power Table 4 1 Front Panel Switches and Indicators continued Indicator Description 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X 100 MHz PS2 PS1 UID Reserved for Future Use CONSOLE MGMT0 0 250083 Console port Sensing...

Page 102: ...pply indicators Figure 4 8 Ethernet Port Indicators Table 4 2 describes the Ethernet port indicators 1 2 3 4 PCI E x4 PCI X 100 MHz PS1 Reserved for Future Use CONSOLE MGMT 0 0 250085 Activity indicator Link indicator Power supply indicators Activity indicator Link indicator Table 4 2 Ethernet Port Indicators Indicator Indicator Green Description Activity On or flashing Off Network activity No net...

Page 103: ...eave the IPS 4270 20 powered on Powering off the IPS 4270 20 clears the Diagnostic Panel indicators Figure 4 9 shows the Diagnostic Panel Figure 4 9 Diagnostic Panel Table 4 3 Power Supply Indicators Fail Indicator 1 Amber Power Indicator 2 Green Description Off Off No AC power to any power supply Flashing Off Power supply failure over current On Off No AC power to this power supply Off Flashing A...

Page 104: ...Panel in the IPS 4270 20 chassis see Figure 4 10 on page 4 13 For information on how to access the Diagnostic Panel see Accessing the Diagnostic Panel page 4 41 Table 4 4 Diagnostic Panel Indicators Indicator Component PS1 Power supply primary PS2 Power supply optional CPU BD power fault Processor memory module board I O BD System board NMI System NMI switch Slot X Expansion slot CPU BD interlock ...

Page 105: ... Guide for IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Internal Components Internal Components Figure 4 10 IPS 4270 20 Internal Components 250249 Cooling fans Sensing interface expansion slots Power supply Power supply Cooling fans Diagnostic panel Cooling fans ...

Page 106: ...ed input current 12A 100 VAC 8A 200 VAC Maximum heat dissipation 3960 BTU hr 100 VAC 5450 BTU hr 200 VAC Power supply output 910 W low line 1300 W high line Environment Temperature Operating 50 to 95 F 10 to 35 C 1 Nonoperating 40 F to 158 F 40 C to 70 C 1 At sea level with an altitude derating of 1 8 F per every 1000 ft 1 0 C per every 3 0m above sea level to a maximum of 10 000 ft 3050 m no dire...

Page 107: ...ing sections Understanding the Rail System Kit page 4 15 Rail System Kit Contents page 4 16 Space and Airflow Requirements page 4 16 Installing the IPS 4270 20 in the Rack page 4 17 Extending the IPS 4270 20 from the Rack page 4 25 Installing the Cable Management Arm page 4 28 Converting the Cable Management Arm page 4 31 Understanding the Rail System Kit This rail system supports a variety of pro...

Page 108: ...Two slide assemblies Two chassis rails Four Velcro straps Six zip ties One cable management arm A package of miscellaneous parts screws and so forth One cable management arm stop bracket Space and Airflow Requirements To allow for servicing and adequate airflow follow these space and airflow requirements when choosing where to place a rack Leave a minimum clearance of 25 in 63 5 cm in front of the...

Page 109: ...f the chassis side rail should be at the back of the IPS 4270 20 The chassis side rail is held in place by the inner latch Step 2 Repeat Step 1 for each chassis side rail Warning To prevent bodily injury when mounting or servicing this unit in a rack you must take special precautions to ensure that the system remains stable The following guidelines are provided to ensure your safety This unit shou...

Page 110: ... IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing the Rail System Kit Step 3 To remove the chassis side rail lift the latch and slide the rail forward 1 2 3 4 5 6 7 8 Cisco IPS 4270 SERIES Intrusion Prevention Sensor UID SY ST EM PW RST AT US MGMT0 MGMT1 1 2 250221 ...

Page 111: ...PS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing the Rail System Kit Step 4 If you are installing the IPS 4270 20 in a shallow rack one that is less than 28 5 in 72 39 cm remove the screw from the inside of the slide assembly before continuing with Step 5 250207 28 5 ...

Page 112: ...d square hole racks a Line up the studs on the slide assembly with the holes on the inside of the rack and snap in to place b Adjust the slide assembly lengthwise to fit the rack The spring latch locks the slide assembly into position c Repeat for each slide assembly Make sure the slide assemblies line up with each other in the rack d Lift the spring latch to release the slide assembly if you need...

Page 113: ...PS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing the Rail System Kit For threaded hole racks a Remove the eight round or square hole studs on each slide assembly using a standard screwdriver Note You may need a pair of pliers to hold the retaining nut 250209 1 2 3 2 3 ...

Page 114: ...n Guide for IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing the Rail System Kit b Line up the bracket on the slide assembly with the rack holes install two screws top and bottom on each end of the slide assembly c Repeat for each slide assembly 250210 1 ...

Page 115: ...trusion Prevention System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing the Rail System Kit Step 6 Extend the slide assemblies out of the rack 250211 ...

Page 116: ... or pushing the tab back and carefully push the IPS 4270 20 in to place Caution Keep the IPS 4270 20 parallel to the floor as you slide it into the rails Tilting the IPS 4270 20 up or down can damage the slide rails Step 8 If you are using the cable management arm install it before you connect and route any cables Note You may also need longer cables when the arm is installed an extra length of ar...

Page 117: ...4 35 Extending the IPS 4270 20 from the Rack You can extend the IPS 4270 20 from the rack for service or removal Caution You can only extend the IPS 4270 20 from the rack if the cable management arm is correctly installed with the cables routed through it or if all cables are disconnected from the back of the chassis Otherwise you risk damage to the cables and a possible shock hazard if the power ...

Page 118: ...ach side of the front bezel of the IPS 4270 20 to release it from the rack and extend it on the rack rails until the rail release latches engage Note The release latches lock in to place when the rails are fully extended Step 2 After performing the installation or maintenance procedure slide the IPS 4270 20 in to the rack by pressing the rail release latches 1 2 3 4 5 6 7 8 Cisco IPS 4270 SERIES I...

Page 119: ...g the Rail System Kit Step 3 To completely remove the IPS 4270 20 from the rack disconnect the cables from the back of the IPS 4270 20 push the release tab in the middle of the slide assembly forward and pull the IPS 4270 20 from the rack 1 2 3 4 5 6 7 8 Cisco IPS 4270 SERIES Intrusion Prevention Sensor UID SY ST EM PW RST AT US MGM T0 MGM T1 250223 ...

Page 120: ...nd side of the rack see Converting the Cable Management Arm page 4 31 To install the cable management arm follow these steps Step 1 Align the slide bracket on the cable management arm with the stud on the back of the IPS 4270 20 and align the two studs at the back of the chassis side rail then slide down and lock in to place 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X 10...

Page 121: ...tal tab on the cable management arm in to the slide assembly then lifting the spring pin to lock it in to place Caution Make sure the metal tab is on the outside of the upper part of the cable management arm Note When properly installed the cable management arm is attached to the IPS 4270 20 and the rack rail 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X 100 MHz PS2 PS1 UI...

Page 122: ... cables with the Velcro straps and black tie wraps Note After you route the cables through the cable management arm make sure the cables are not pulled tight when the IPS 4270 20 is fully extended Caution Do not use the straps and zip ties to tie the two parts of the cable management arm together 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X 100 MHz PS2 PS1 UID Reserved fo...

Page 123: ...inserting the stop bracket into the cable management arm bracket Converting the Cable Management Arm Note The cable management arm is designed for ambidextrous use You can convert the cable management arm from a left hand swing to a right hand swing Note Make sure to orient the management arm with the cable trough facing upward 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X...

Page 124: ... Installation Guide for IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing the Rail System Kit To convert the cable management arm swing follow these steps Step 1 Pull up the spring pin and slide the bracket off the cable management arm 250218 ...

Page 125: ...Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing the Rail System Kit Step 2 Remove the bottom sliding bracket and flip it over to the top of the bracket aligning the studs 250219 ...

Page 126: ... Chapter 4 Installing the IPS 4270 20 Installing the Rail System Kit Step 3 On the other side of the sliding bracket align the spring pin with the studs and key holes and slide until the pin snaps in to place Note The sliding bracket only fits one way because the hole for the spring pin is offset 250220 ...

Page 127: ...e Statement 1071 SAVE THESE INSTRUCTIONS Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 To install the IPS 4270 20 on the network follow these steps Step 1 Position the IPS 4270 20 on the network Step 2 Install the IPS 4270 20 in a rack if you are rack mounting it Step 3 Connect the cable as shown in Step 4 so that you hav...

Page 128: ...ach the network cables to the following interfaces Management0 0 MGMT0 0 is the command and control port GigabitEthernetslot_number port_number through GigabitEthernetslot_number port_number are the expansion ports Caution Management and console ports are privileged administrative ports Connecting them to an untrusted network can create security concerns Computer serial port DB 9 250084 1 PS1 Rese...

Page 129: ... Safety Guidelines page 1 30 For more information on the best place to position your sensor on the network see Your Network Topology page 1 3 For the procedure for installing the IPS 4270 20 in a rack see Installing the IPS 4270 20 in the Rack page 4 17 For the instructions for setting up a terminal server see Connecting an Appliance to a Terminal Server page 1 19 For the procedure for using the s...

Page 130: ...nternational Statement 1005 Warning This equipment must be grounded Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available Statement 1024 Warning Blank faceplates and cover panels serve three important functi...

Page 131: ...ower down the IPS 4270 20 using IDM or IME Step 3 Power off the IPS 4270 20 Step 4 Remove both power cables from the IPS 4270 20 Step 5 Extend the IPS 4270 20 out of the rack if it is rack mounted Step 6 Make sure the IPS 4270 20 is in an ESD controlled environment Step 7 If the locking latch is locked use the T 15 Torx screwdriver located on the back of the chassis to unlock it Turn the locking s...

Page 132: ...stall the IPS 4270 20 in a rack on a desktop or on a table or extend it back in to the rack Step 13 Power on the IPS 4270 20 For More Information For the procedure extending the IPS 4270 20 from the rack see Extending the IPS 4270 20 from the Rack page 4 25 For more information on working in an ESD controlled environment see Working in an ESD Environment page 1 32 For the IDM procedure for powerin...

Page 133: ...e Removing and Replacing the Chassis Cover page 4 38 For the location of the Diagnostic Panel see Figure 4 10 on page 4 13 For information on what internal health information each indicator displays on the Diagnostic Panel see Diagnostic Panel page 4 11 Installing and Removing Interface Cards Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regu...

Page 134: ...d To install and remove interface cards follow these steps Step 1 Log in to the CLI Step 2 Prepare the IPS 4270 20 to be powered off sensor reset powerdown Wait for the power down message before continuing with Step 3 Note You can also power down the IPS 4270 20 using IDM or IME Step 3 Power off the IPS 4270 20 Step 4 Remove the power cables from the IPS 4270 20 Step 5 If rack mounted extend the I...

Page 135: ...its connector lines up over the socket on the mother board and push the card down in to the socket Press down on the outer edge of the blue tab to lock the card in to place Note To remove full length expansion cards unlock the retaining clip To install full length expansion cards lock the retaining clip Step 10 Replace the chassis cover Step 11 Slide the server back in to the rack by pressing the ...

Page 136: ...warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor The IPS 4270 20 ships with two hot pluggable power supplies thus providing a redundant power supply configuration You can install or replace either power supply without powering down the IPS 4270 20 as long as one power supply is active and functioning correctly Caution I...

Page 137: ...nstalling the IPS 4270 20 Installing and Removing the Power Supply Step 5 Use the T 15 Torx screwdriver that shipped with the IPS 4270 20 to remove the shipping screw The T 15 Torx screwdriver is located to the right of power supply 1 2 3 4 PCI E x4 PCI X 100 MHz Reserved for Future Use CONSOLE MGMT 0 0 PS1 250118 ...

Page 138: ...ntion System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing and Removing the Power Supply Step 6 Remove the power supply by pulling it away from the chassis 250219 ...

Page 139: ...r IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Installing and Removing the Power Supply Step 7 Install the power supply Make sure the handle is open and slide the power supply into the bay 1 2 3 4 PCI E x4 PCI X 100 MHz Reserved for Future Use CONSOLE MGMT 0 0 PS1 250119 ...

Page 140: ...tor is green Note Make sure the two power supplies are powered by separate AC power sources so that the IPS 4270 20 is always available Step 10 Power on the IPS 4270 20 For More Information For the IDM procedure for powering down the IPS 4270 20 refer to Rebooting the Sensor for the IME procedure for powering down the IPS 4270 20 refer to Rebooting the Sensor For an illustration of the screwdriver...

Page 141: ...n to provide proper airflow Figure 4 12 shows the fan its connector and its indicator Figure 4 12 Fan Connector and Indicator The fan indicators provide the following information Green Operating normally Amber Failed Off No power To install and remove fans in the IPS 4270 20 follow these steps Step 1 Extend the server from the rack Step 2 Remove the chassis cover Step 3 Identify the failed fan by ...

Page 142: ...icator on each fan is green Note If the front panel internal system health indicator is not green after you install a fan reseat the fan Step 7 Replace the chassis cover Step 8 Slide the IPS 4270 20 back in to the rack by pressing the rail release handles Step 9 Power on the IPS 4270 20 For More Information For the fan locations see Figure 4 10 on page 4 13 For the procedure for extending the IPS ...

Page 143: ...re all cables are properly aligned and securely connected for all external and internal components Remove and check all data and power cables for damage Make sure no cables have bent pins or damaged connectors Make sure each device is properly seated If a device has latches make sure they are completely closed and locked Check any interlock or interconnect indicators that indicate a component is n...

Page 144: ...4 52 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Chapter 4 Installing the IPS 4270 20 Troubleshooting Loose Connections ...

Page 145: ...nteroperability With Other IPS Modules page 5 3 Restrictions page 5 3 Hardware Interfaces page 5 4 Installation and Removal Instructions page 5 5 Verifying Installation page 5 6 Specifications Table 5 1 lists the specifications for the AIM IPS Table 5 1 AIM IPS Specifications Specification Description Dimensions H x W x D 0 85 x 3 25 x 5 25 in 2 16 x 8 26 x 13 34 cm Weight 4 oz 113 41 cg maximum O...

Page 146: ...formation by using the show running config command You need the module slot number to configure the interfaces on the module For More Information For the supported routers and software see Software and Hardware Requirements page 5 2 For more information refer to Setting Up Interfaces on the AIM IPS and the Router Software and Hardware Requirements The router and the AIM IPS have the following soft...

Page 147: ...must remove the more capable module from the router and reboot Disabled modules are reported in the show diag command output The state of the module is reported as present but disabled If the most capable module slot and port do not match the interface ids slot port configuration command the most capable module is disabled with the following warning The module in slot x will be disabled and config...

Page 148: ...r Interfaces Note You need two IP addresses to configure the AIM IPS The AIM IPS has a command and control IP address that you configure through the Cisco IPS CLI You also assign an IP address to the router for its internal interface IDS Sensor 0 x to the AIM IPS This IP address belongs to the router itself and is used for routing traffic to the command and control interface of the AIM IPS It is u...

Page 149: ...and Upgrading Internal Components in Cisco 3800 Series Routers Perform the following tasks after installing the AIM IPS 1 Verify that the AIM IPS is installed properly 2 After you install the AIM IPS you must initialize it 3 After you initialize the AIM IPS you should make sure you have the latest IPS software 4 Configure the AIM IPS to receive IPS Traffic For More Information For the procedure fo...

Page 150: ...IPS for use in troubleshooting with TAC The serial number appears in the PID line for example SN FOC11372M9X To verify the installation of the AIM IPS follow these steps Step 1 Log in to the router Step 2 Enter privileged EXEC mode on the router router enable Step 3 Verify that the AIM IPS is part of the router inventory router show inventory NAME 3825 chassis DESCR 3825 chassis PID CISCO3825 VID ...

Page 151: ...s page 6 2 Hardware and Software Requirements page 6 2 Indicators page 6 2 Installation and Removal Instructions page 6 3 Specifications Table 6 1 lists the specifications for the AIP SSM Table 6 1 AIP SSM Specifications Specification Description Dimensions H x W x D 1 70 x 6 80 x 11 00 inches Weight Minimum 2 50 lb Maximum 3 00 lb1 1 2 70 lb for 45 c heatsink approximately 3 00 lb for the 55c max...

Page 152: ...A 5540 ASA SSM AIP 20 K9 Cisco Adaptive Security Appliance Software 7 0 or later Cisco Intrusion Prevention System Software 5 0 2 or later DES or 3DES enabled Indicators Figure 6 1 shows the AIP SSM indicators Figure 6 1 AIP SSM Indicators Table 6 3 describes the AIP SSM indicators Table 6 2 AIP SSM Memory Specifications Model CPU DRAM ASA SSM AIP 10 K9 2 0 GHz Celeron 1 0 GB ASA SSM AIP 20 K9 2 4...

Page 153: ...tep 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin Attach the other end to the chassis Step 3 Remove the two screws at the left back end of the chassis and remove the slot cover Note Store the slot cover in a safe place for future use You must install slot covers on all empty slots This prevents EMI which can disrupt other equipme...

Page 154: ...Status of the AIP SSM page 6 4 For the procedure for using the setup command to initialize the AIP SSM see Initializing the Sensor page 10 1 For the procedure for obtaining the latest Cisco IPS software see Obtaining Cisco IPS Software page 11 1 For the procedure for configuring the AIP SSM to receive IPS traffic refer to Configuring the AIP SSM For the procedure for using HTTPS to log in to IDM r...

Page 155: ...e AIP SSM from the adaptive security appliance follow these steps Step 1 Shut down the AIP SSM asa hw module module 1 shutdown Shutdown module in slot 1 confirm Step 2 Press Enter to confirm Step 3 Verify that the AIP SSM is shut down by checking the indicators Step 4 Power off the adaptive security appliance Step 5 Locate the grounding strap from the accessory kit and fasten it to your wrist so t...

Page 156: ... 1 reset Reset module in slot 1 confirm Step 12 Press Enter to confirm Step 13 Check the indicators to see if the AIP SSM is properly installed If the AIP SSM is properly installed the POWER indicator is solid green and the STATUS indicator is flashing green Or you can verify installation using the show module 1command For More Information For more information on ESD see Working in an ESD Environm...

Page 157: ...upported the IDSM2 Configurations page 7 2 Using the TCP Reset Interface page 7 3 Front Panel Features page 7 3 Installation and Removal Instructions page 7 4 Enabling Full Memory Tests page 7 12 Resetting the IDSM2 page 7 13 Powering the IDSM2 Up and Down page 7 15 Specifications Table 7 1 lists the specifications for the IDSM2 Table 7 1 IDSM2 Specifications Specification Description Dimensions H...

Page 158: ...e The following matrix is not intended to recommend any particular version but rather lists the earliest supported versions Table 7 2 lists the minimum supported configurations for the IDSM2 Table 7 2 Minimum Catalyst 6500 Software Version for IDSM2 Feature Support Catalyst IDSM2 Feature Catalyst Software Cisco IOS Software Sup1 Sup2 Sup32 Sup720 Sup1 Sup2 Sup32 Sup720 SPAN 7 5 1 7 5 1 8 4 1 8 1 1...

Page 159: ...ly 1 VLAN and the TCP reset port is automatically set to a trunk port and is not configurable Front Panel Features The IDSM2 has a status indicator and a Shutdown button Figure 7 1 shows the front panel features Figure 7 1 IDSM2 Front Panel Table 7 3 describes the IDSM2 states as indicated by the status indicator To prevent corruption of the IDSM2 you must use the shutdown command to shut it down ...

Page 160: ...it from a Catalyst 6500 series switch For the procedure for removing an IDSM2 from a Catalyst 6500 series switch see Removing the IDSM2 page 7 10 This section contains the following topics Required Tools page 7 4 Slot Assignments page 7 5 Installing the IDSM2 page 7 5 Verifying Installation page 7 9 Removing the IDSM2 page 7 10 Required Tools Note You must have at least one supervisor engine runni...

Page 161: ... empty slots to maintain consistent airflow through the switch chassis Note The IDSM2 works with any supervisor engine using SPAN but the copy capture feature with security VACLs requires that the supervisor engine has the PFC or the MSFC option Installing the IDSM2 To install the IDSM2 in the Catalyst 6500 series switch follow these steps Step 1 Make sure that you take necessary ESD precautions W...

Page 162: ...LI N K 4 LI N K 5 LI N K 6 LI N K 7 LI N K 8 LI N K 9 LI N K 10 LI N K 11 LI N K 12 LI N K 13 LI N K 14 LI N K 15 LI N K 16 LI N K 17 LI N K 18 LI N K 19 LI N K 20 LI N K 21 LI N K 22 LI N K 23 LI N K 24 LI N K 24 PORT 100FX WS X6224 ST AT US 1 LI N K 2 LI N K 3 LI N K 4 LI N K 5 LI N K 6 LI N K 7 LI N K 8 LI N K 9 LI N K 10 LI N K 11 LI N K 12 LI N K 13 LI N K 14 LI N K 15 LI N K 16 LI N K 17 LI ...

Page 163: ...24 LI N K 24 PORT 100FX WS X6224 ST AT US 1 LI N K 2 LI N K 3 LI N K 4 LI N K 5 LI N K 6 LI N K 7 LI N K 8 LI N K 9 LI N K 10 LI N K 11 LI N K 12 LI N K 13 LI N K 14 LI N K 15 LI N K 16 LI N K 17 LI N K 18 LI N K 19 LI N K 20 LI N K 21 LI N K 22 LI N K 23 LI N K 24 LI N K 24 PORT 100FX WS X6224 ST AT US 1 LI N K 2 LI N K 3 LI N K 4 LI N K 5 LI N K 6 LI N K 7 LI N K 8 LI N K 9 LI N K 10 LI N K 11 L...

Page 164: ...figure the IDSM2 for intrusion prevention For More Information For more information on ESD controlled environments see Working in an ESD Environment page 1 32 For the procedure for verifying the IDSM2 installation see Verifying Installation page 7 9 For the procedure for using the setup command to initialize the IDSM2 see Initializing the Sensor page 10 1 For the procedure for configuring the swit...

Page 165: ...hernet WS X6516A GBIC no ok 6 6 8 Intrusion Detection Mod WS SVC IDSM2 yes ok Mod Module Name Serial Num 1 SAD041308AN 15 SAD04120BRB 2 SAD03475400 3 SAD073906RC 4 SAL0751QYN0 6 SAD062004LV Mod MAC Address es Hw Fw Sw 1 00 d0 c0 cc 0e d2 to 00 d0 c0 cc 0e d3 3 1 5 3 1 8 4 1 00 d0 c0 cc 0e d0 to 00 d0 c0 cc 0e d1 00 30 71 34 10 00 to 00 30 71 34 13 ff 15 00 30 7b 91 77 b0 to 00 30 7b 91 77 ef 1 4 1...

Page 166: ...b fcf8 2ca8 to 000b fcf8 2caf 0 101 7 2 1 4 0 0 25 Ok 11 00e0 b0ff 3340 to 00e0 b0ff 3347 0 102 7 2 0 67 5 0 1 Ok 13 0003 feab c850 to 0003 feab c857 4 0 7 2 1 5 0 1 Ok Mod Sub Module Model Serial Hw Status 7 Policy Feature Card 3 WS F6K PFC3BXL SAD083305A1 1 3 Ok 7 MSFC3 Daughterboard WS SUP720 SAD083206JX 2 1 Ok 11 IDS 2 accelerator board WS SVC IDSUPG 2 0 Ok 13 IDS 2 accelerator board WS SVC ID...

Page 167: ... module fails to respond after three reset attempts boot the maintenance partition and perform the instructions for restoring the application partition Step 2 Verify that the IDSM2 shuts down Do not remove the IDSM2 until the status indicator is amber or off Step 3 Use a screwdriver to loosen the installation screws at the left and right sides of the IDSM2 Step 4 Grasp the left and right ejector l...

Page 168: ...edure for powering the IDSM2 up and down see Powering the IDSM2 Up and Down page 7 15 Enabling Full Memory Tests When the IDSM2 initially boots by default it runs a partial memory test You can enable a full memory test in Catalyst software and Cisco IOS software This section describes how to enable memory tests and contains the following topics Catalyst Software page 7 12 Cisco IOS Software page 7...

Page 169: ... router hw module module 9 reset mem test full Device BOOT variable for reset empty Warning Device list is not verified Proceed with reload of module confirm reset issued for module 9 router Step 3 Reset the IDSM2 The full memory test runs Note A full memory test takes more time to complete than a partial memory test Resetting the IDSM2 If for some reason you cannot communicate with the IDSM2 thro...

Page 170: ... may need to reset the IDSM2 more than once If the IDSM2 fails to respond after three reset attempts boot the maintenance partition and perform the instructions for restoring the application partition Cisco IOS Software Use the hw module module slot_number reset hdd 1 cf 1 command in EXEC mode to reset the IDSM2 The reset process takes several minutes The IDSM2 boots into the boot partition you sp...

Page 171: ...llowing sections Catalyst Software page 7 15 Cisco IOS Software page 7 16 Catalyst Software Once you power off the IDSM2 you must power it up through the switch CLI Note The IDSM2 CLI reset powerdown command performs a shut down but does not remove power from the IDSM2 To power the IDSM2 up and down from the switch CLI follow these steps Step 1 Log in to the console Step 2 Enter privileged mode co...

Page 172: ...ough the switch CLI Note The IDSM2 CLI reset powerdown command performs a shut down but does not remove power from the IDSM2 To power the IDSM2 up and down from the switch CLI follow these steps Step 1 Log in to the console Step 2 Enter configure terminal mode router configure terminal Step 3 Power up the IDSM2 router config power enable module module_number Step 4 Power down the IDSM2 router conf...

Page 173: ...2 Interoperability With Other IPS Modules page 8 3 Restrictions page 8 3 Hardware Interfaces page 8 4 Installation and Removal Instructions page 8 5 Verifying Installation page 8 6 Specifications Table 8 1 lists the specifications for the NME IPS Table 8 1 NME IPS Specifications Specification Description Dimensions H x W x D 1 55 x 7 10 x 7 2 in 3 9 x 18 0 x 19 3 cm Weight 1 lb 0 45 kg maximum Ope...

Page 174: ...an get this information by using the show running config command You need the module slot number to configure the interfaces on the module For More Information For the supported routers and software see Software and Hardware Requirements page 8 2 For more information refer to Setting Up Interfaces on the NME IPS and the Router Software and Hardware Requirements The router and the NME IPS have the ...

Page 175: ...must remove the more capable module from the router and reboot Disabled modules are reported in the show diag command output The state of the module is reported as present but disabled If the most capable module slot and port do not match the interface ids slot port configuration command the most capable module is disabled with the following warning The module in slot x will be disabled and config...

Page 176: ...1 shows the router and the NME IPS interfaces used for internal and external communication You can configure the router interfaces through the Cisco IOS CLI and the NME IPS interfaces through the IPS CLI IDM IME or CSM Figure 8 1 NME IPS and Router Interfaces 1 Router interface to external link Configure the standard router settings using the Cisco IOS CLI 2 Router interface to the NME IPS ids sen...

Page 177: ...building or nonexposed wiring or cabling The intrabuilding cable must be shielded and the shield must be grounded at both ends For More Information For the procedure for verifying that the NME IPS is installed properly see Verifying Installation page 8 6 For the procedure for using the setup command to initialize the NME IPS see Initializing the Sensor page 10 1 For more information about obtainin...

Page 178: ...enable Step 3 Verify that the NME IPS is part of the router inventory router show inventory NAME 3845 chassis DESCR 3845 chassis PID CISCO3845 VID V01 SN FTX1002C255 NAME c3845 Motherboard with Gigabit Ethernet on Slot 0 DESCR c3845 Motherb oard with Gigabit Ethernet PID CISCO3845 MB VID V03 SN FOC09514J4Y NAME 4 Port FE Switch on Slot 0 SubSlot 0 DESCR 4 Port FE Switch PID HWIC 4ESW VID V01 SN FO...

Page 179: ...User Roles You can log in with the following user privileges Administrator Operator Viewer Service The service role does not have direct access to the CLI Service account users are logged directly into a bash shell Use this account for support and troubleshooting purposes only Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation You ...

Page 180: ...SH and Telnet are available You can log in to the appliance from a console port To log in to the appliance follow these steps Step 1 Connect a console port to the sensor to log in to the appliance Step 2 Enter your username and password at the login prompt Note The default username and password are both cisco You are prompted to change them the first time you log in to the appliance You must first...

Page 181: ...ep 1 Connect to a terminal server using one of the following methods For terminal servers with RJ 45 connections connect a 180 rollover cable from the console port on the appliance to a port on the terminal server For hydra cable assemblies connect a straight through patch cable from the console port on the appliance to a port on the terminal server Step 2 Configure the line and port on the termin...

Page 182: ...n and exiting the IPS CLI you are returned to the Cisco IOS CLI The session command starts a reverse Telnet connection using the IP address of the IDS Sensor interface The IDS Sensor interface is an interface between the AIM IPS and the router You must assign an IP address to the IDS Sensor interface before invoking the session command Assigning a routable IP address can make the IDS Sensor interf...

Page 183: ...password to log in A suspended session leaves you logged in to the CLI When you connect with the session command you can go back to the same CLI without having to provide your username and password Note Telnet clients vary In some cases you may have to press Ctrl 6 x The control character is specified as Ctrl or ASCII value 30 hex 1E Caution If you use the disconnect command to leave the session t...

Page 184: ...r to establish the association between a session the IPS application and the router interfaces you want to monitor Step 5 Disconnect from the router router disconnect Step 6 Press Enter to confirm the disconnection router Closing connection to 10 89 148 196 confirm Enter For More Information For the procedure for using the setup command to initialize the AIM IPS see Advanced Setup for the AIM IPS ...

Page 185: ...roducts does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws By using this product you agree to comply with applicable laws and regulations If you are unable to comply with U S and local laws return this product immediately A summary of U S laws governing Cisco cr...

Page 186: ... Password NOTICE This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws By using thi...

Page 187: ...mand starts a reverse Telnet connection using the IP address of the IDS Sensor interface The IDS Sensor interface is an interface between the NME IPS and the router You must assign an IP address to the IDS Sensor interface before invoking the session command Assigning a routable IP address can make the IDS Sensor interface itself vulnerable to attacks because the NME IPS is visible on the network ...

Page 188: ...suspended session leaves you logged in to the CLI When you connect with the session command you can go back to the same CLI without having to provide your username and password Note Telnet clients vary In some cases you may have to press Ctrl 6 x The control character is specified as Ctrl or ASCII value 30 hex 1E Caution If you use the disconnect command to leave the session the session remains ru...

Page 189: ...you are finished with a session you need to return to the router to establish the association between a session the IPS application and the router interfaces you want to monitor Step 5 Disconnect from the router router disconnect Step 6 Press Enter to confirm the disconnection router Closing connection to 10 89 148 196 confirm Enter For More Information For the procedure for using the setup comman...

Page 190: ...s exporters distributors and users are responsible for compliance with U S and local country laws By using this product you agree to comply with applicable law s and regulations If you are unable to comply with U S and local laws return this product immediately A summary of U S laws governing Cisco cryptographic products may be found at http www cisco com wwl export crypto tool stqrg html If you r...

Page 191: ... with it over the network With the setup command you configure basic sensor settings including the hostname IP interfaces access control lists Global Correlation servers and time settings You can continue using advanced setup in the CLI to enable Telnet configure the Web server and assign and enable virtual sensors and interfaces or you can use the Startup Wizard in IDM or IME Simplified Setup Mod...

Page 192: ...the help text enter at a prompt When you complete your changes the System Configuration Dialog shows you the configuration that you created during the setup session It also asks you if you want to use this configuration If you enter yes the configuration is saved If you enter no the configuration is not saved and the process begins again There is no default for this prompt you must enter either ye...

Page 193: ...ee to participate in the SensorBase Network Cisco will collect aggregated statistics about traffic sent to your IPS This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances We do not collect the data content of traffic or other sensitive business or personal information All data is aggregated and sent via secure HTTP to the Cis...

Page 194: ...ult is sensor Step 5 Specify the IP interface The IP interface is in the form of IP Address Netmask Gateway X X X X nn Y Y Y Y where X X X X specifies the sensor IP address as a 32 bit address written as 4 octets separated by periods nn specifies the number of bits in the netmask and Y Y Y Y specifies the default gateway as a 32 bit address written as 4 octets separated by periods Step 6 Enter yes...

Page 195: ...default is sunday f Specify the time you want to start summertime settings The default is 02 00 00 Note The default recurring summertime parameters are correct for time zones in the United States The default values specify a start time of 2 00 a m on the second Sunday in March and a stop time of 2 00 a m on the first Sunday in November The default summertime offset is 60 minutes g Specify the mont...

Page 196: ...xplains what is involved in participating in the SensorBase Network Step 10 Enter yes to participate in the SensorBase Network The following configuration was entered service host network settings host ip 10 89 143 126 24 10 89 143 254 host name sensor126 telnet option disabled access list 10 0 0 0 8 ftp timeout 300 no login banner text exit dns primary server enabled address 171 68 226 120 exit d...

Page 197: ...ticity of the certificate when using HTTPS to connect to this appliance with a web browser Step 15 Apply the most recent service pack and signature update You are now ready to configure your sensor for intrusion prevention For More Information For the procedure for obtaining the most recent IPS software see Obtaining Cisco IPS Software page 11 1 For the procedure for using HTTPS to log in to IDM r...

Page 198: ...p 3 Enter 3 to access advanced setup Step 4 Specify the Telnet server status The default is disabled Step 5 Specify the web server port The web server port is the TCP port used by the web server 1 to 65535 The default is 443 Note The web server is configured to use TLS SSL encryption by default Setting the port to 80 does not disable the encryption Step 6 Enter yes to modify the interface and virt...

Page 199: ...t of available interfaces Caution The new VLAN pair is not automatically added to a virtual sensor Available Interfaces 1 GigabitEthernet0 0 2 GigabitEthernet0 1 3 GigabitEthernet0 2 4 GigabitEthernet0 3 Option Step 9 Enter 1 to add an inline VLAN pair to GigabitEthernet0 0 for example Inline Vlan Pairs for GigabitEthernet0 0 None Step 10 Enter a subinterface number and description Subinterface Nu...

Page 200: ...el interface editing menu 1 Remove interface configurations 2 Add Modify Inline Vlan Pairs 3 Add Modify Promiscuous Vlan Groups 4 Add Modify Inline Interface Pairs 5 Add Modify Inline Interface Pair Vlan Groups 6 Modify interface default vlan Option Step 17 Press Enter to return to the top level editing menu 1 Edit Interface Configuration 2 Edit Virtual Sensor Configuration 3 Display configuration...

Page 201: ... 3 Display configuration Option Step 24 Enter yes if you want to modify the default threat prevention settings Note The sensor comes with a built in override to add the deny packet event action to high risk rating alerts If you do not want this protection disable automatic threat prevention Virtual sensor newVs is configured to prevent high risk threats in inline mode Risk Rating 90 100 Virtual se...

Page 202: ...ith interface1 GigabitEthernet0 1 interface2 GigabitEthernet0 2 exit exit service analysis engine virtual sensor newVs description Created via setup by user cisco signature definition newSig event action rules rules0 anomaly detection anomaly detection name ad0 operational mode inactive exit physical interface GigabitEthernet0 0 exit virtual sensor vs0 physical interface GigabitEthernet0 0 subinte...

Page 203: ...ention System Sensor Using the Command Line Interface 7 0 Advanced Setup for the AIM IPS To continue with advanced setup for the AIM IPS follow these steps Step 1 Session in to the AIM IPS using an account with administrator privileges router service module ids sensor 0 0 session Trying 10 1 9 1 2322 Open sensor login cisco Password Step 2 Enter the setup command The System Configuration Dialog is...

Page 204: ...n ad0 Event Action Rules rules0 Signature Definitions sig0 1 Edit Interface Configuration 2 Edit Virtual Sensor Configuration 3 Display configuration Option Step 8 Enter 2 to edit the virtual sensor vs0 configuration Virtual Sensor vs0 Anomaly Detection ad0 Event Action Rules rules0 Signature Definitions sig0 No Interfaces to remove Unassigned Monitored 1 GigabitEthernet0 1 Add Interface Step 9 En...

Page 205: ...settings host ip 10 1 9 201 24 10 1 9 1 host name AIM IPS telnet option disabled access list 10 0 0 0 8 access list 64 0 0 0 8 ftp timeout 300 no login banner text exit time zone settings offset 0 standard time zone name UTC exit summertime option disabled ntp option disabled exit service web server port 443 exit service analysis engine virtual sensor vs0 physical interface GigabitEthernet0 1 exit...

Page 206: ... SSM To continue with advanced setup for the AIP SSM follow these steps Step 1 Session in to the AIP SSM using an account with administrator privileges asa session 1 Step 2 Enter the setup command The System Configuration Dialog is displayed Step 3 Enter 3 to access advanced setup Step 4 Specify the Telnet server status You can disable or enable Telnet services The default is disabled Step 5 Speci...

Page 207: ... rules0 Signature Definitions sig0 No Interfaces to remove Unassigned Monitored 1 GigabitEthernet0 1 Add Interface Step 11 Enter 1 to add GigabitEthernet0 1 to virtual sensor vs0 Note With ASA 7 2 and earlier one virtual sensor is supported The virtual sensor to which GigabitEthernet0 1 is assigned is used for monitoring packets coming from the adaptive security appliance We recommend that you ass...

Page 208: ...supported The virtual sensor to which GigabitEthernet0 1 is assigned is used for monitoring packets coming from the adaptive security appliance We recommend that you assign GigabitEthernet0 1 to vs0 but you can assign it to another virtual sensor if you want to Note With ASA 7 2 3 and later with IPS 6 0 multiple virtual sensors are supported The ASA 7 2 3 can direct packets to specific virtual sen...

Page 209: ...st network settings host ip 10 1 9 201 24 10 1 9 1 host name AIP SSM telnet option disabled access list 10 0 0 0 8 access list 64 0 0 0 8 ftp timeout 300 no login banner text exit time zone settings offset 0 standard time zone name UTC exit summertime option disabled ntp option disabled exit service web server port 342 exit service analysis engine virtual sensor newVs description New Sensor signat...

Page 210: ...evention System Manager Express 7 0 Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7 0 Advanced Setup for the IDSM2 To continue with advanced setup for the IDSM2 follow these steps Step 1 Session in to the IDSM2 using an account with administrator privileges Catalyst software console enable console enable session module_number Cisco IOS software router se...

Page 211: ... Pair Vlan Groups option When running an inline interface pair the two IDSM2 data ports are configured as access ports or a trunk port carrying only the native VLAN The packets do not have 802 1q headers and cannot be separated by VLAN To monitor multiple VLANs inline use inline VLAN pairs 1 Remove interface configurations 2 Add Modify Inline Vlan Pairs 3 Add Modify Promiscuous Vlan Groups 4 Add M...

Page 212: ...dify Promiscuous Vlan Groups 4 Add Modify Inline Interface Pairs 5 Modify interface default vlan Option Step 11 Press Enter to return to the top level menu 1 Edit Interface Configuration 2 Edit Virtual Sensor Configuration 3 Display configuration Option Step 12 Enter 2 to edit the virtual sensor configuration 1 Remove vs 2 Modify vs0 3 Create new vs Option Step 13 Enter 2 to modify the virtual sen...

Page 213: ...on to high risk rating alerts If you do not want this protection disable automatic threat prevention Virtual sensor vs0 is configured to prevent high risk threats in inline mode Risk Rating 90 100 Do you want to disable automatic threat prevention on all virtual sensors no Step 19 Enter yes to disable automatic threat prevention on all virtual sensors The following configuration was entered servic...

Page 214: ...n and exit setup Step 20 Enter 2 to save the configuration Enter your selection 2 2 Configuration Saved Step 21 Reboot the IDSM2 IDSM2 reset Warning Executing this command will stop all applications and reboot the node Continue with reset Step 22 Enter yes to continue the reboot Step 23 Apply the most recent service pack and signature update You are now ready to configure the IDSM2 for intrusion p...

Page 215: ...ep 6 Enter yes to modify the interface and virtual sensor configuration You may receive a warning that Analysis Engine is initializing and you cannot modify the virtual sensor configuration at this time Press the space bar to receive this menu 0 Go to the command prompt without saving this config 1 Return back to the setup without saving this config 2 Save this configuration and exit setup Enter y...

Page 216: ...vention settings no Step 11 Enter yes if you want to modify the default threat prevention settings Note The sensor comes with a built in override to add the deny packet event action to high risk rating alerts If you do not want this protection disable automatic threat prevention Virtual sensor vs0 is configured to prevent high risk threats in inline mode Risk Rating 90 100 Do you want to disable a...

Page 217: ...the NME IPS NME IPS reset Warning Executing this command will stop all applications and reboot the node Continue with reset Step 15 Enter yes to continue the reboot Step 16 Apply the most recent service pack and signature update You are now ready to configure the NME IPS for intrusion prevention For More Information For the procedure for obtaining the most recent IPS software see Obtaining Cisco I...

Page 218: ...gnature Definition Signature Update S365 0 2008 10 31 Virus Update V1 4 2007 03 02 service interface exit service authentication exit service event action rules rules0 exit service host network settings host ip 172 23 204 84 24 172 23 204 1 host name sensor telnet option enabled access list 0 0 0 0 0 dns primary server enabled address 1 1 1 1 exit dns secondary server enabled address 2 2 2 2 exit ...

Page 219: ...rvice analysis engine exit sensor Note You can also use the more current config command to view your configuration Step 3 Display the self signed X 509 certificate needed by TLS sensor show tls fingerprint MD5 C4 BC F2 92 C2 E2 4D EB 92 0F E4 86 53 6A C6 01 SHA1 64 9B AC DE 21 62 0C D3 57 2E 9B E5 3D 04 8F A7 FD CD 6F 27 Step 4 Write down the certificate fingerprints You need the fingerprints to c...

Page 220: ...10 30 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Chapter 10 Initializing the Sensor Verifying Initialization ...

Page 221: ...IPS sensors voids the warranty Obtaining Cisco IPS Software Note You must be logged in to Cisco com and have an IPS subscription service license to download software You must have a sensor license to apply signature updates You can find major and minor updates service packs signature and signature engine updates system and recovery files firmware upgrades and readmes on the Download Software downl...

Page 222: ...viously filled out the Encryption Software Export Distribution Authorization form and read and accepted the Cisco Systems Inc Encryption Software Usage Handling and Distribution Policy these forms are not displayed again The File Download dialog box appears Step 11 Open the file or save it to your computer Step 12 Follow the instructions in the Readme to install the update Note Major and minor upd...

Page 223: ...ulative following a base version release minor or major Service packs are used for the release of defect fixes with no new enhancements Service packs contain all service pack fixes since the last base version minor or major and the new defect fixes being released Service packs require the minor version The minimum supported version needed to upgrade to the newest service pack is listed in the Read...

Page 224: ...ed you can install signature updates on the new version and the next oldest version for a period of at least six months Signature updates are dependent on a required signature engine version Because of this a req designator lists the signature engine required to support a particular signature update Figure 11 2 illustrates what each part of the IPS software file represents for signature updates Fi...

Page 225: ...mented by one of any major changes to the image installer for example switching from tar to rpm or changing kernels The minor version can be incremented by any one of the following Minor change to the installer for example a user prompt added Repackages require the installer minor version to be incremented by one if the image file must be repackaged to address a defect or problem with the installe...

Page 226: ...version update4 4 Minor versions include new minor version features and or minor version functionality Annually 7 1 1 IPS K9 7 1 1 E3 pkg Note IPS AIM K9 7 1 1 E3 pkg is the minor version update for the AIM IPS IPS NME K 9 7 1 1 E3 pkg is the minor version update for the NME IPS Major version update5 5 Major versions include new major version functionality or new architecture Annually 7 0 1 IPS K9...

Page 227: ...S appliances or modules make sure you put both the 7 0 1 E3 upgrade file IPS K9 7 0 1 E3 pkg the AIM IPS upgrade file IPS AIM K9 7 0 1 E3 pkg and the NME IPS upgrade file IPS NME K9 7 0 1 E3 on the automatic update server so that the AIM IPS and the NME IPS can correctly detect which file Bootloader As needed bl AIM IPS NME IPS pse_aim_x y z bin pse_nm_x y z bin where x y z is the release number M...

Page 228: ...count and password are reset to cisco For More Information For the procedure for accessing downloads on Cisco com see Obtaining Cisco IPS Software page 11 1 For the procedure for using the upgrade command to upgrade the sensor see Upgrading the Sensor page 12 2 For the procedure for configuring automatic upgrades on the sensor see Configuring Automatic Upgrades page 12 6 For the procedure for usin...

Page 229: ...ase and General Information Contains documentation roadmaps and release notes Reference Guides Contains command references and technical references Design Contains design guide and design tech notes Install and Upgrade Contains hardware installation and regulatory guides Configure Contains configuration guides for IPS CLI IDM and IME Troubleshoot and Alerts Contains TAC tech notes and field notice...

Page 230: ...ration sensor_name Sensor Management Licensing or in the CLI use the show version command Valid Cisco com username and password Trial license keys are also available If you cannot get your sensor licensed because of problems with your contract you can obtain a 60 day trial license that supports signature updates that require licensing You can obtain a license key from the Cisco com licensing serve...

Page 231: ...t provides operating system updates access to Cisco com access to TAC and hardware replacement NBD on site When you purchase an ASA 5500 series adaptive security appliance product that ships with the AIP SSM installed or if you purchase to add to your ASA 5500 series adaptive security appliance product you must purchase the Cisco Services for IPS service contract Note Cisco Services for IPS provid...

Page 232: ...IME can access This option is useful if your computer cannot access Cisco com Go to Step 7 Step 4 Click Update License and in the Licensing dialog box click Yes to continue The Status dialog box informs you that the sensor is trying to connect to Cisco com An Information dialog box confirms that the license key has been updated Step 5 Click OK Step 6 Go to www cisco com go license Step 7 Fill in t...

Page 233: ...y filename ftp username location absoluteDirectory filename scp Source or destination URL for the SCP network server The syntax for this prefix is scp username location relativeDirectory filename scp username location absoluteDirectory filename Note If you use FTP or SCP protocol you are prompted for a password If you use SCP protocol you must add the remote host to the SSH known hosts list http S...

Page 234: ... 04 16 Virus Update V1 2 2005 11 24 OS Version 2 4 30 IDS smp bigphys Platform ASA SSM 20 Serial Number P300000220 Sensor up time is 3 days Using 1031888896 out of 2093682688 bytes of available memory 49 usage system is using 17 8M out of 29 0M bytes of available disk space 61 usage application data is using 52 4M out of 166 6M bytes of available disk space 33 usage boot is using 37 8M out of 68 5...

Page 235: ... IDM refer to Defining Known Hosts Keys for IME refer to Defining Known Host Keys and for the CLI refer to Adding Hosts to the SSH Known Hosts List For the procedure for adding a remote host to the trusted hosts list for IDM refer to Adding Trusted Hosts for IME refer to Adding Trusted Hosts and for the CLI refer to Adding TLS Trusted Hosts For more information about obtaining a Cisco Services for...

Page 236: ...11 16 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Chapter 11 Obtaining Software Obtaining a License Key From Cisco com ...

Page 237: ...e from the sensor Caution You cannot use the downgrade command to revert to a previous major or minor version for example from Cisco IPS 7 0 to 6 2 You can only use the downgrade command to downgrade from the latest signature update or signature engine update To revert to 6 2 you must reimage the sensor You can recover the application partition image on your sensor if it becomes unusable Using the...

Page 238: ...TP HTTPS servers are supported for IPS software updates CMS Apache Server Tomcat CMS Apache Server JRun For More Information For the procedure for downloading IPS software updates from Cisco com see Obtaining Cisco IPS Software page 11 1 For the procedure for configuring automatic updates see Configuring Automatic Upgrades page 12 6 Upgrading the Sensor This section explains how to use the upgrade...

Page 239: ...ormation For the procedure for obtaining these files on Cisco com see Obtaining Cisco IPS Software page 11 1 upgrade Command and Options Use the upgrade source url command to apply service pack signature update engine update minor version major version or recovery partition file upgrades The following options apply source url The location of the source file to be copied ftp Source URL for an FTP n...

Page 240: ...When you upgrade the AIM IPS or the NME IPS using manual upgrade you must disable heartbeat reset on the router before installing the upgrade You can reenable heartbeat reset after you complete the upgrade If you do not disable heartbeat reset the upgrade can fail and leave the AIM IPS or the NME IPS in an unknown state which can require a system reimage to recover To upgrade the sensor follow the...

Page 241: ...et Upgrading the Recovery Partition Use the upgrade command to upgrade the recovery partition with the most recent version so that it is ready if you need to recover the application partition on your sensor Note Recovery partition images are generated for major and minor updates and only in rare situations for service packs or signature updates Note The AIM IPS and the NME IPS have unique recovery...

Page 242: ... the procedure for using the recover command see Using the recover Command page 12 12 Configuring Automatic Upgrades This section describes how to configure the sensor to automatically look for upgrades in the upgrade directory It contains the following topics Automatic Upgrades page 12 6 auto upgrade Command and Options page 12 7 Using the auto upgrade Command page 12 8 Automatic Upgrade Examples...

Page 243: ...erver to the SSH known hosts list so the sensor can communicate with it through SSH ip address IP address of the file server password User password for Cisco server authentication schedule option Schedules when Cisco server automatic upgrades occur Calendar scheduling starts upgrades at specific times on specific days Periodic scheduling starts upgrades at specific periodic intervals calendar sche...

Page 244: ...show statistics host command Note To check the status of the last automatic update or the next scheduled automatic update run the show statistics host command and check the Auto Update Statistics section To schedule automatic upgrades follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter automatic upgrade submode sensor configure terminal sensor co...

Page 245: ... hos ena cal days of week sunday sensor config hos ena cal times of day 12 00 00 b For periodic scheduling which starts upgrades at specific periodic intervals sensor config hos ena schedule option periodic schedule sensor config hos ena per interval 24 sensor config hos ena per start time 13 00 00 Step 7 Verify the settings sensor config hos ena show settings enabled schedule option periodic sche...

Page 246: ...eq E3 pkg Cycle 1 installs IPS engine E3 req 5 1 4 pkg New version is 5 1 4 E2 S250 Cycle 2 installs IPS sig S264 req E3 pkg New version is 5 1 4 E2 S264 Case 1 5 1 4 E0 S250 IPS K9 sp 5 1 5 pkg IPS sig S260 minreq 5 0 6 pkg IPS K9 5 1 6 E1 pkg IPS engine E2 req 5 1 6 pkg IPS sig S262 req E2 pkg IPS sig S263 req E2 pkg Cycle 1 installs IPS K9 5 1 6 E1 pkg New version is 5 1 6 E1 S260 Cycle 2 insta...

Page 247: ...or configure terminal Step 3 If there is no recently applied service pack or signature update the downgrade command is not available sensor config downgrade No downgrade available sensor config Case 5 5 1 6 E10 S300 IPS sig S301 req E10 pkg IPS sig S302 req E11 pkg IPS sig S303 req E12 pkg IPS engine E11 req 5 1 6 pkg Cycle 1 installs IPS engine E11 req 5 1 6 pkg New version is 5 1 6 E11 S300 Cycl...

Page 248: ...re you recover the application partition image you can install the most up to date software image Because you can execute the recover application partition command through a Telnet or SSH connection we recommend using this command to recover sensors that are installed at remote locations Note When you reconnect to the sensor after recovery you must log in with the default username and password cis...

Page 249: ...d You cannot use Telnet until you initialize the sensor because Telnet is disabled by default For More Information For a list of supported TFTP servers see Supported TFTP Servers page 12 14 For the procedure for locating software on Cisco com see Obtaining Cisco IPS Software page 11 1 For the procedure for using the setup command see Initializing the Sensor page 10 1 Installing System Images This ...

Page 250: ...ave an extremely low probability of error But TFTP does not offer pipelining so the total transfer time is equal to the number of packets to be transferred times the network average RTT Because of this limitation we recommend that the TFTP server be located on the same LAN segment as the sensor Any network with an RTT less than a 100 milliseconds should provide reliable delivery of the image Some ...

Page 251: ... your session and return to a login prompt before terminating the application used to establish the connection Caution If a connection is dropped or terminated by accident you should reestablish the connection and exit normally to prevent unauthorized access to the appliance Installing the IPS 4240 and IPS 4255 System Images Note This procedure is for the IPS 4240 but is also applicable to the IPS...

Page 252: ...6 Audio 5 02 01 00 8086 1075 Ethernet 11 03 01 00 177D 0003 Encrypt Decrypt 9 03 02 00 8086 1079 Ethernet 9 03 02 01 8086 1079 Ethernet 9 03 03 00 8086 1079 Ethernet 9 03 03 01 8086 1079 Ethernet 9 04 02 00 8086 1209 Ethernet 11 04 03 00 8086 1209 Ethernet 5 Evaluating BIOS Options Launch BIOS Extension to setup ROMMON Cisco Systems ROMMON Version 1 0 5 0 1 Tue Sep 14 12 20 30 PDT 2004 Platform IP...

Page 253: ...e used for the TFTP download Note The default interface used for TFTP downloads is Management0 0 which corresponds to the MGMT interface of the IPS 4240 rommon PORT interface_name Step 6 If necessary assign an IP address for the local port on the IPS 4240 rommon ADDRESS ip_address Note Use the same IP address that is assigned to the IPS 4240 Step 7 If necessary assign the TFTP server IP address ro...

Page 254: ...oad and install the system image rommon tftp Caution To avoid corrupting the system image do not remove power from the IPS 4240 while the system image is being installed Note If the network settings are correct the system downloads and boots the specified image on the IPS 4240 Be sure to use the IPS 4240 image For More Information For a list of supported TFTP servers see Supported TFTP Servers pag...

Page 255: ...fter the platform identification In the example port Management0 0 is being used Note The default port used for TFTP downloads is Management0 0 which corresponds with the command and control MGMT interface of the IPS 4260 Note Ports Management0 0 MGMT and GigabitEthernet0 1 GE 0 1 are labeled on the back of the chassis Step 5 Specify an IP address for the local port on the IPS 4260 rommon address ...

Page 256: ...st of supported TFTP servers see Supported TFTP Servers page 12 14 For the procedure for locating software on Cisco com see Obtaining Cisco IPS Software page 11 1 Installing the IPS 4270 20 System Image You can install the IPS 4270 20 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device To install the IPS 4270 20 system image follow these steps S...

Page 257: ...variables have the following definitions Address Local IP address of the IPS 4270 20 Server TFTP server IP address where the application image is stored Gateway Gateway IP address used by the IPS 4270 20 Port Ethernet interface used for the IPS 4270 20 management VLAN VLAN ID number leave as untagged Image System image file path name Config Unused by these platforms Note Not all values are require...

Page 258: ... have any directory names or slashes in the IMAGE specification Windows Example rommon IMAGE system_images IPS 4270_20 K9 sys 1 1 a 7 0 1 E3 img Step 10 Enter set and press Enter to verify the network settings Note You can use the sync command to store these settings in NVRAM so they are maintained across boots Otherwise you must enter this information each time you want to boot an image from ROMM...

Page 259: ...g the heartbeat reset prevents the router from resetting the module during system image installation if the process takes too long Step 3 Session to the AIM IPS router service module IDS Sensor 0 slot_number session Note Use the show configuration include interface IDS Sensor command to determine the AIM IPS slot number Step 4 Suspend the session by pressing Shift Ctrl 6 X You should see the route...

Page 260: ...ngine bootloader upgrade Step 12 Follow the bootloader instructions to install the software choose option 1 and follow the wizard instructions Note In the following example the AIM IPS IP address is 10 1 9 201 The imaging process accesses the AIM IPS image from the router TFTP server at IP address 10 1 9 1 Example Booting from flash please wait Please enter to change boot configuration 11 Services...

Page 261: ...not see this prompt try Ctrl 6 X Step 14 From the router CLI clear the session router service module interface ids sensor 0 slot_number session clear Step 15 Enable the heartbeat reset router service module IDS sensor 0 slot_number heartbeat reset enable For More Information For a list of supported TFTP servers see Supported TFTP Servers page 12 14 For the procedure for obtaining the most recent I...

Page 262: ...overy Partition page 12 5 Reimaging the AIP SSM Using the recover configure boot Command If the AIP SSM suffers a failure and the module application image cannot run you can transfer application images from a TFTP server to the module using the adaptive security appliance CLI The adaptive security appliance can communicate with the module ROMMON application to transfer the image Note Be sure the T...

Page 263: ... the AIP SSM and restarts it Step 9 Periodically check the recovery until it is complete Note The status reads Recovery during recovery and reads Up when reimaging is complete asa show module 1 Mod Card Type Model Serial No 0 ASA 5540 Adaptive Security Appliance ASA5540 P2B00000019 1 ASA 5500 Series Security Services Module 20 ASA SSM 20 P1D000004F4 Mod MAC Address Range Hw Version Fw Version Sw V...

Page 264: ...ware page 12 29 Configuring the IDSM2 Maintenance Partition for Catalyst Software page 12 31 Configuring the IDSM2 Maintenance Partition for Cisco IOS Software page 12 35 Upgrading the IDSM2 Maintenance Partition for Catalyst Software page 12 38 Upgrading the IDSM2 Maintenance Partition for Cisco IOS Software page 12 39 Understanding the IDSM2 System Image If the IDSM2 application partition become...

Page 265: ...tenance partition CLI and return to the switch CLI Step 9 Reboot the IDSM2 to the application partition console enable reset module_number hdd 1 Step 10 When the IDSM2 has rebooted check the software version Step 11 Log in to the application partition CLI and initialize the IDSM2 using the setup command For More Information For a list of supported FTP and HTTP HTTPS servers see Supported FTP and H...

Page 266: ...rver_ip_address directory_path IPS IDSM2 K9 sys 1 1 a 7 0 1 E3 bin gz install Step 9 Specify the FTP server password After the application partition file has been downloaded you are asked if you want to proceed Upgrading will wipe out the contents on the hard disk Do you want to proceed installing it y n Step 10 Enter y to continue When the application partition file has been installed you are ret...

Page 267: ...nsole enable Step 3 Reload the IDSM2 console enable reset module_number cf 1 Step 4 Session to the IDSM2 console session 9 Trying IDS 9 Connected to IDS 9 Escape character is Cisco Maintenance image Note You cannot Telnet or SSH to the IDSM2 maintenance partition You must session to it from the switch CLI Step 5 Log in as user guest and password cisco Note You can change the guest password but we ...

Page 268: ...Specify the hostname guest localhost localdomain ip host hostname Step 9 View the maintenance partition host configuration guest idsm2 localdomain show ip IP address 10 89 149 74 Subnet Mask 255 255 255 128 IP Broadcast 10 255 255 255 DNS Name idsm2 localdomain Default Gateway 10 89 149 126 Nameserver s guest idsm2 localdomain Step 10 Verify the image installed on the application partition guest i...

Page 269: ...rd disk Applying the image this process may take several minutes Performing post install please wait Application image upgrade complete You can boot the image now guest idsm3 localdomain Step 14 Display the upgrade log guest idsm3 localdomain show log upgrade Upgrading the line card on Fri Mar 11 21 21 53 UTC 2005 Downloaded upgrade image ftp jsmith 10 89 146 114 RELEASES Latest 6 2 1 WS SVC IDSM2...

Page 270: ...t idsm2 localdomain ping 10 89 146 114 PING 10 89 146 114 10 89 146 114 from 10 89 149 74 56 84 bytes of data 64 bytes from 10 89 146 114 icmp_seq 0 ttl 254 time 381 usec 64 bytes from 10 89 146 114 icmp_seq 1 ttl 254 time 133 usec 64 bytes from 10 89 146 114 icmp_seq 2 ttl 254 time 129 usec 64 bytes from 10 89 146 114 icmp_seq 3 ttl 254 time 141 usec 64 bytes from 10 89 146 114 icmp_seq 4 ttl 254...

Page 271: ...uest and password cisco Note You can change the guest password but we do not recommend it If you forget the maintenance partition guest password and you cannot log in to the IDSM2 application partition for some reason you will have to RMA the IDSM2 login guest password cisco Maintenance image version 2 1 2 guest idsm2 localdomain Step 4 View the maintenance partition host configuration guest idsm2...

Page 272: ... images Device name Partition Image name Hard disk hdd 1 6 1 1 guest idsm2 localdomain Step 9 Verify the maintenance partition version including the BIOS version guest idsm2 localdomain show version Maintenance image version 2 1 2 mp 2 1 2 bin Thu Nov 18 11 41 36 PST 2004 integ kplus build lx cisco com Line Card Number WS SVC IDSM2 XL Number of Pentium class Processors 2 BIOS Vendor Phoenix Techno...

Page 273: ...XXX Fri Mar 11 21 22 06 2005 exeoff 0000000000031729 Fri Mar 11 21 22 06 2005 image 0000000029323770 Fri Mar 11 21 22 06 2005 T 29323818 E 31729 I 29323770 Fri Mar 11 21 22 07 2005 partition dev hdc1 Fri Mar 11 21 22 07 2005 startIDSAppUpgrade Image tmp cdisk gz Fri Mar 11 21 22 07 2005 startIDSAppUpgrade Device dev hdc1 Fri Mar 11 21 22 07 2005 startIDSAppUpgrade Install type 1 Fri Mar 11 21 22 0...

Page 274: ...guest idsm2 localdomain Step 16 Reset the IDSM2 Note You cannot specify a partition when issuing the reset command from the maintenance partition The IDSM2 boots to whichever partition is specified in the boot device variable If the boot device variable is blank the IDSM2 boots to the application partition guest idsm2 localdomain reset guest idsm2 localdomain Broadcast message from root Fri Mar 11...

Page 275: ...ition for Cisco IOS Software To upgrade the maintenance partition follow these steps Step 1 Download the IDSM2 maintenance partition file c6svc mp 2 1 2 bin gz to the FTP root directory of an FTP server that is accessible from your IDSM2 Step 2 Log in to the switch CLI Step 3 Session in to the application partition CLI router session slot slot_number processor 1 Step 4 Log in to the IDSM2 Step 5 E...

Page 276: ...r Step 2 Disable the heartbeat reset router service module ids sensor 1 0 heartbeat reset disable Note Disabling the heartbeat reset prevents the router from resetting the module during system image installation if the process takes too long Step 3 Session to the NME IPS router service module ids sensor 1 0 session Step 4 Suspend the session by pressing Shift Ctrl 6 X You should see the router pro...

Page 277: ...10 89 148 195 Subnet mask 255 255 255 0 TFTP server 10 89 150 74 Gateway 10 89 148 254 Default boot disk Number cores 2 ServicesEngine boot loader upgrade Cisco Systems Inc Services engine upgrade utility for NM IPS Main menu 1 Download application image and write to USB Drive 2 Download bootloader and write to flash 3 Download minikernel and write to flash r Exit and reset card x Exit Selection 1...

Page 278: ...lling System Images 32 MB received done Step 13 Suspend the session by pressing Shift Ctrl 6 X You should see the router prompt If you do not see this prompt try Ctrl 6 X Step 14 From the router CLI clear the session router service module interface ids sensor 1 0 session clear Step 15 Enable the heartbeat reset router service module IDS sensor 1 0 heartbeat reset enable ...

Page 279: ...Interfaces page A 22 Troubleshooting the Appliance page A 23 Troubleshooting IDM page A 56 Troubleshooting IME page A 59 Troubleshooting the IDSM2 page A 59 Troubleshooting the AIP SSM page A 66 Troubleshooting the AIM IPS and the NME IPS page A 69 Gathering Information page A 70 Bug Toolkit For the most complete and up to date list of caveats use the Bug Toolkit to refer to the caveat release not...

Page 280: ... up a good configuration If your current configuration becomes unusable you can replace it with the backup version Save your backup configuration to a remote system Always back up your configuration before you do a manual upgrade If you have auto upgrades configured make sure you do periodic backups Create a service account A service account is needed for special debug situations directed by TAC C...

Page 281: ...onfiguration Merge the backup configuration into the current configuration sensor copy backup config current config Overwrite the current configuration with the backup configuration sensor copy erase backup config current config Backing Up and Restoring the Configuration File Using a Remote Server Note We recommend copying the current configuration file to a remote server before upgrading Use the ...

Page 282: ...osts list http Source URL for the web server The syntax for this prefix is http username location directory filename https Source URL for the web server The syntax for this prefix is https username location directory filename Note HTTP and HTTPS prompt for a password if a username is required to access the website If you use HTTPS protocol the remote host must be a TLS trusted host Caution Copying...

Page 283: ...n has been restored For More Information For a list of supported HTTP HTTPS servers see Supported FTP and HTTP HTTPS Servers page 12 2 Creating the Service Account Caution Do not make modifications to the sensor through the service account except under the direction of TAC If you use the service account to configure the sensor your configuration is not supported by TAC Adding services to the opera...

Page 284: ...pecify a password when prompted If a service account already exists for this sensor the following error is displayed and no service account is created Error Only one service account may exist Step 5 Exit configuration mode sensor config exit sensor When you use the service account to log in to the CLI you receive this warning WARNING UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED This ac...

Page 285: ...e see Creating and Using a Backup Configuration File page A 3 For the procedures for reimagine a sensor see Chapter 12 Upgrading Downgrading and Installing System Images For the procedure for using the setup command to initialize the sensor see Chapter 10 Initializing the Sensor For more information on obtaining IPS software and how to install it see Obtaining Cisco IPS Software page 11 1 For the ...

Page 286: ...ed to disable the password recovery feature for security reasons Table A 1 lists the password recovery methods according to platform Recovering the Appliance Password This section describes the two ways to recover the password for appliances It contains the following topics Using the GRUB Menu page A 8 Using ROMMON page A 9 Using the GRUB Menu For the 4200 series appliances the password recovery i...

Page 287: ...255 you can use the ROMMON to recover the password To access the ROMMON CLI reboot the sensor from a terminal server or direct connection and interrupt the boot process To recover the password using the ROMMON CLI follow these steps Step 1 Reboot the appliance Step 2 To interrupt the boot process press ESC or Control R terminal server or send a BREAK command direct connection The boot code either ...

Page 288: ...r interface IDS Sensor0 0 router Step 4 Session in to the AIM IPS router service module ids sensor slot port session Example router service module ids sensor 0 0 session Step 5 Press Control shift 6 followed by x to navigate to the router CLI Step 6 Reset the AIM IPS from the router console router service module ids sensor 0 0 reset Step 7 Press Enter to return to the router console Step 8 When pr...

Page 289: ...135L097 1 ASA 5500 Series Security Services Module 40 ASA SSM 40 JAF1214AMRL Mod MAC Address Range Hw Version Fw Version Sw Version 0 001b d5e8 e0c8 to 001b d5e8 e0cc 2 0 1 0 11 2 8 4 3 1 001e f737 205f to 001e f737 205f 1 0 1 0 14 5 7 0 7 E4 Mod SSM Application Name Status SSM Application Version 1 IPS Up 7 0 7 E4 Mod Status Data Plane Status Compatibility 0 Up Sys Not Applicable 1 Up Up Step 2 R...

Page 290: ...this product you agree to comply with applicable laws and regulations If you are unable to comply with U S and local laws return this product immediately A summary of U S laws governing Cisco cryptographic products may be found at http www cisco com wwl export crypto tool stqrg html If you require further assistance please contact us by sending email to export cisco com LICENSE NOTICE There is no ...

Page 291: ...assword recovery image does not remove any configuration it only resets the login account Once you have downloaded the password recovery image file follow the instructions to install the system image file but substitute the password recovery image file for the system image file The IDSM2 should reboot into the primary partition after installing the recovery image file If it does not enter the foll...

Page 292: ... Log in to the CLI with username cisco and password cisco You can then change the password Disabling Password Recovery Caution If you try to recover the password on a sensor on which password recovery is disabled the process proceeds with no errors or warnings however the password is not reset If you cannot log in to the sensor because you have forgotten the password and password recovery is set t...

Page 293: ... recovery allowed defaulted sensor config hos Troubleshooting Password Recovery When you troubleshoot password recovery pay attention to the following You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt GRUB menu switch CLI or router CLI If you attempt password recovery it always appears to succeed If it has been disabled the password...

Page 294: ...u can set up NTP during initialization or you can configure NTP through the CLI IDM IME or ASDM The Appliances Use the clock set command to set the time This is the default Configure the appliance to get its time from an NTP time synchronization source The IDSM2 The IDSM2 can automatically synchronize its clock with the switch time This is the default The UTC time is synchronized between the switc...

Page 295: ...urity appliance each time the module boots up and any time the parent chassis clock is set The module clock and parent chassis clock tend to drift apart over time The difference can be as much as several seconds per day To avoid this problem make sure that both the module clock and the parent clock are synchronized to an external NTP server If only the module clock or only the parent chassis clock...

Page 296: ...time incorrectly by specifying 8 00 p m rather than 8 00 a m when you do correct the error the corrected time will be set backwards New events might have times older than old events For example if during the initial setup you configure the sensor as central time with daylight saving time enabled and the local time is 8 04 p m the time is displayed as 20 04 37 CDT and has an offset from UTC of 5 ho...

Page 297: ...ollowing traffic capture requirements The virtual sensor must receive traffic that has 802 1q headers other than traffic on the native VLAN of the capture port The sensor must see both directions of traffic in the same VLAN group in the same virtual sensor for any given sensor The following sensors support virtualization IPS 4240 IPS 4255 IPS 4260 IPS 4270 20 AIP SSM IDSM2 with the exception of VL...

Page 298: ...rator privileges Step 2 Enter analysis engine submode sensor configure terminal sensor config service analysis engine sensor config ana Step 3 Enter the virtual sensor name that contains the anomaly detection policy you want to disable sensor config ana virtual sensor vs0 sensor config ana vir Step 4 Disable anomaly detection operational mode sensor config ana vir anomaly detection sensor config a...

Page 299: ... Licensing for IME refer to Configuring Licensing and for the CLI refer to Installing the License Key Analysis Engine Not Responding Error Message Output from show statistics analysis engine Error getAnalysisEngineStatistics ct sensorApp 424 not responding please check system processes The connect to the specified Io ClientPipe failed Error Message Output from show statistics anomaly detection Err...

Page 300: ...ent records are dropped If the 10 000 limit is reached and then it drops to below 9900 new records are no longer dropped Hosts can change an IP address or appear to use another host IP address for example because of DHCP lease expiration or movement in a wireless network In the case of an IP address conflict the sensor presumes the most recent host posture event to be the most accurate A network c...

Page 301: ...ponse or choose Configuration sensor_name Sensor Monitoring Support Information Statistics in IME and check the Interface state line in the response Make sure you have added the CSA MC IP address to the trusted hosts If you forgot to add it add it wait a few minutes and then check again Confirm subscription login information by opening and closing a subscription on CSA MC using the browser Check E...

Page 302: ...er you can greatly reduce the interruption time in some cases to sub second times by doing the following Make sure you use CAT 5e 6 certified cabling for all connections Make sure the interfaces of the connected devices are configured to match the interfaces of the appliance for speed duplex negotiation auto auto Enable portfast on connected switchports to reduce spanning tree forwarding delays Fo...

Page 303: ...Engine is busy rebuilding regex tables This may take a while The configuration changes failed validation no changes were applied Would you like to return to edit mode to correct the errors yes no No changes were made to the configuration sensor config If you try to get the virtual sensor statistics immediately after you boot a sensor you receive an error message Although the sensor has rebuilt the...

Page 304: ...eived 0 Missed Packet Percentage 0 Current Bypass Mode Auto_off MAC statistics from interface GigabitEthernet0 1 Media Type backplane Missed Packet Percentage 0 Inline Mode Unpaired Pair Status N A Link Status Up Link Speed Auto_1000 Link Duplex Auto_Full Total Packets Received 0 Total Bytes Received 0 Total Multicast Packets Received 0 Total Broadcast Packets Received 0 Total Jumbo Packets Receiv...

Page 305: ...led access list 0 0 0 0 0 ftp timeout 300 no login banner text exit MORE If the management interface detects that another device on the network has the same IP address it does not come up Step 4 Make sure the management port is connected to an active network connection If the management port is not connected to an active network connection the management interface does not come up Step 5 Make sure...

Page 306: ...address changing the access list andenabling and disabling Telnet refer to Configuring Network Settings For the various ways to open a CLI session directly on the sensor see Chapter 9 Logging In to the Sensor Correcting a Misconfigured Access List To correct a misconfigured access list follow these steps Step 1 Log in to the CLI Step 2 View your configuration to see the access list sensor show con...

Page 307: ...ceived 0 Missed Packet Percentage 0 Current Bypass Mode Auto_off MAC statistics from interface GigabitEthernet0 1 Media Type backplane Missed Packet Percentage 0 Inline Mode Unpaired Pair Status N A Link Status Up Link Speed Auto_1000 Link Duplex Auto_Full Total Packets Received 0 Total Bytes Received 0 Total Multicast Packets Received 0 Total Broadcast Packets Received 0 Total Jumbo Packets Recei...

Page 308: ...ing It contains the following topics SensorApp Not Running page A 30 Physical Connectivity SPAN or VACL Port Issue page A 32 Unable to See Alerts page A 33 Sensor Not Seeing Packets page A 35 Cleaning Up a Corrupted SensorApp Configuration page A 37 SensorApp Not Running The sensing process SensorApp should always be running If it is not you do not receive any alerts SensorApp is part of Analysis ...

Page 309: ...e sensorApp appInstanceId 1045 time 2004 02 19 19 34 20 2004 02 19 19 34 20 UTC errorMessage name errUnclassified Generating new Analysis Engine configuration file Note The date and time of the last restart is listed In this example the last restart was on 2 19 2004 at 7 34 Step 4 Make sure you have the latest software updates sensor show version Application Partition Cisco Intrusion Prevention Sy...

Page 310: ...ensor is connected properly follow these steps Step 1 Log in to the CLI Step 2 Make sure the interfaces are up and that the packet count is increasing sensor show interfaces Interface Statistics Total Packets Received 0 Total Bytes Received 0 Missed Packet Percentage 0 Current Bypass Mode Auto_off MAC statistics from interface GigabitEthernet0 1 Media Type backplane Missed Packet Percentage 0 Inli...

Page 311: ...he Cisco switch Refer to your switch documentation for the procedure Step 5 Verify again that the interfaces are up and that the packet count is increasing sensor show interfaces For More Information For the procedure for properly installing the sensing interface on your sensor refer to the chapter on your appliance in this document For the procedure for connecting SPAN and VACL capture ports on t...

Page 312: ...g engine normalizer Signature engine sensor config sig sig engine normalizer sensor config sig sig nor event action produce alert sensor config sig sig nor show settings normalizer event action produce alert default produce alert deny connection inline edit default sigs only sensor Step 4 Make sure the sensor is seeing packets sensor show interfaces FastEthernet0 1 MAC statistics from interface Fa...

Page 313: ...twork you could have the interfaces set up incorrectly If the sensor is not seeing packets follow these steps Step 1 Log in to the CLI Step 2 Make sure the interfaces are up and receiving packets sensor show interfaces GigabitEthernet0 1 MAC statistics from interface GigabitEthernet0 1 Media Type backplane Missed Packet Percentage 0 Inline Mode Unpaired Pair Status N A Link Status Down Link Speed ...

Page 314: ...packets sensor show interfaces MAC statistics from interface GigabitEthernet0 1 Media Type TX Missed Packet Percentage 0 Inline Mode Unpaired Pair Status N A Link Status Up Link Speed Auto_100 Link Duplex Auto_Full Total Packets Received 3 Total Bytes Received 900 Total Multicast Packets Received 3 Total Broadcast Packets Received 0 Total Jumbo Packets Received 0 Total Undersize Packets Received 0...

Page 315: ... usr cids idsRoot var virtualSensor pmz Step 6 Exit the service account Step 7 Log in to the sensor CLI Step 8 Start the IPS services sensor cids start Step 9 Log in to an account with administrator privileges Step 10 Reboot the sensor sensor reset Warning Executing this command will stop all applications and reboot the node Continue with reset yes yes Request Succeeded sensor For More Information...

Page 316: ... that the master blocking sensor is properly configured For More Information For the procedure to verify that ARC is running see Verifying ARC is Running page A 38 For the procedure to verify that ARC is connecting see Verifying ARC Connections are Active page A 39 For the procedure to verify that the Event Action is set to Block Host see Blocking Not Occurring for a Signature page A 44 For the pr...

Page 317: ...rationApp B BEAU_2009_APR_18_08_00_7_0_1 Release 2009 04 18T08 05 25 0500 Running CLI B BEAU_2009_APR_18_08_00_7_0_1 Release 2009 04 18T08 05 25 0500 Upgrade History IPS K9 7 0 1 E3 08 00 00 UTC Sat Apr 18 2009 Recovery Partition Version 1 1 7 0 1 E3 Host Certificate Valid from 16 Apr 2009 to 17 Apr 2011 sensor Step 3 If MainApp displays Not Running ARC has failed Contact the TAC For More Informat...

Page 318: ...7 03 02 OS Version 2 4 30 IDS smp bigphys Platform IPS4270 20 K9 Serial Number USE716N39B Licensed expires 01 May 2009 UTC Sensor up time is 3 days Using 1888964608 out of 4029321216 bytes of available memory 46 usage system is using 16 5M out of 38 5M bytes of available disk space 43 usage application data is using 44 4M out of 166 8M bytes of available disk space 28 usage boot is using 40 6M out...

Page 319: ...vice Access Issues page A 41 For the procedure for verifying the interfaces and directions for each network device see Verifying the Interfaces and Directions on the Network Device page A 43 For the procedure for enabling SSH see Enabling SSH Connections to the Network Device page A 43 Device Access Issues ARC may not be able to access the devices it is managing Make sure the you have the correct ...

Page 320: ...1 ip address 10 89 147 54 communication telnet default ssh 3des nat address 0 0 0 0 defaulted profile name r7200 block interfaces min 0 max 100 current 1 interface name fa0 0 direction in pre acl name defaulted post acl name defaulted firewall devices min 0 max 250 current 0 sensor config net Step 3 Manually connect to the device to make sure you have used the correct username password and enable ...

Page 321: ...to a bogus host follow these steps Step 1 Enter ARC general submode sensor configure terminal sensor config service network access sensor config net general Step 2 Start the manual block of the bogus host IP address sensor config net gen block hosts 10 16 0 0 Step 3 Exit general submode sensor config net gen exit sensor config net exit Apply Changes yes Step 4 Press Enter to apply the changes or t...

Page 322: ...tion submode sensor configure terminal sensor config service signature definition sig0 sensor config sig Step 3 Make sure the event action is set to block the host Note If you want to receive alerts you must always add produce alert any time you configure the event actions sensor config sig signatures 1300 0 sensor config sig sig engine normalizer sensor config sig sig nor event action produce ale...

Page 323: ...er blocking sensor entries are in the statistics sensor show statistics network access Current Configuration AllowSensorShun false ShunMaxEntries 250 MasterBlockingSensor SensorIp 10 89 149 46 SensorPort 443 UseTls 1 State ShunEnable true ShunnedAddr Host IP 122 122 122 44 ShunMinutes 60 MinutesRemaining 59 Step 3 If the master blocking sensor does not show up in the statistics you need to add it ...

Page 324: ...orwarding sensor is configured as a TLS host sensor configure terminal sensor config tls trust ip master_blocking_sensor_ip_address For More Information For the procedure to configure the sensor to be a master blocking sensor refer to Configuring the Sensor to be a Master Blocking Sensor Logging This section describes debug logging and contains the following topics Understanding Debug Logging page...

Page 325: ...it the service account Step 6 Log in to the CLI as administrator Step 7 Enter master control submode sensor configure terminal sensor config service logger sensor config log master control Step 8 To enable debug logging for all zones sensor config log mas enable debug true sensor config log mas show settings master control enable debug true default false individual zone control false defaulted sen...

Page 326: ...ing defaulted protected entry zone name csi severity warning defaulted protected entry zone name ctlTransSource severity warning defaulted protected entry zone name intfc severity warning defaulted protected entry zone name nac severity warning defaulted protected entry zone name sensorApp severity warning defaulted protected entry zone name tls severity warning defaulted sensor config log Step 12...

Page 327: ...lted protected entry zone name intfc severity warning defaulted protected entry zone name nac severity warning defaulted protected entry zone name sensorApp severity warning defaulted protected entry zone name tls severity warning defaulted sensor config log Step 13 Turn on debugging for a particular zone sensor config log zone control nac severity debug sensor config log show settings master cont...

Page 328: ...ne name nac severity debug default warning protected entry zone name sensorApp severity warning defaulted protected entry zone name tls severity warning defaulted sensor config log Step 14 Exit the logger submode sensor config log exit Apply Changes yes Step 15 Press Enter to apply changes or type no to discard them For More Information For a list of what each zone name refers to see Zone Names pa...

Page 329: ...local timemode utc logApp enabled true FIFO parameters fifoName logAppFifo fifoSizeInK 240 logApp zone and drain parameters zoneAndDrainName logApp fileName main log fileMaxSizeInK 500 zone Cid cmgr Card Manager service zone1 cplane Control Plane zone2 csi CIDS Servlet Interface3 ctlTransSource Outbound control transactions zone intfc Interface zone nac ARC zone rep Reputation zone sched Automatic...

Page 330: ...ou enable debug severity on one zone at a time TCP Reset Not Occurring for a Signature Note TCP Resets are not supported over MPLS links or the following tunnels GRE IPv4 in IPv4 IPv6 in IPv4 or IPv4 in IPv6 If you do not have the event action set to reset the TCP reset does not occur for a specific signature To troubleshoot a reset not occurring for a specific signature follow these steps Step 1 ...

Page 331: ...y OUT 172 16 171 19 port 32771 victim addr locality OUT 172 16 171 13 port 23 actions tcpResetSent true Step 6 Make sure the switch is allowing incoming TCP reset packet from the sensor Refer to your switch documentation for more information Step 7 Make sure the resets are being sent root tcpdump i eth0 src host 172 16 171 19 tcpdump WARNING eth0 no IPv4 address assigned tcpdump listening on eth0 ...

Page 332: ...his time After the upgrade add the interfaces back to the virtual sensor vs0 using the setup command Or you can use the system image file to reimage the sensor directly to the version you want You can reimage a sensor because the reimage process does not check to see if Analysis Engine is running Caution Reimaging using the system image file restores all configuration defaults For More Information...

Page 333: ...te try the following Determine which IPS software version your sensor has Make sure the passwords are configured for automatic update Make sure they match the same passwords used for manual update Make sure that the filenames in the FTP server are exactly what you see on Downloads on Cisco com This includes capitalization Some Windows FTP servers allow access to the file with the incorrect capital...

Page 334: ...are page 11 1 Troubleshooting IDM Note These procedures also apply to the IPS section of ASDM This section contains troubleshooting procedures for IDM It contains the following topics Cannot Launch IDM Loading Java Applet Failed page A 56 Cannot Launch IDM Analysis Engine Busy page A 57 IDM Remote Manager or Sensing Interfaces Cannot Access Sensor page A 57 Signatures Not Producing Alerts page A 5...

Page 335: ...ete the temp files and clear the history in the browser Cannot Launch IDM Analysis Engine Busy Error Message Error connecting to sensor Failed to load sensor errNotAvailable Analysis Engine is busy Exiting IDM Possible Cause This condition can occur if the Analysis Engine in the sensor is busy getting ready to perform a task and so does not respond to IDM Recommended Action Wait for a while and tr...

Page 336: ...g Telnet on the sensor and configuring the web server refer to Changing Network Settings Signatures Not Producing Alerts Caution You cannot add other actions each time you configure the event actions You are actually replacing the list of event actions every time you configure it so make sure you choose Produce Alert every time you configure event actions If you are not seeing any alerts when sign...

Page 337: ...bout problems with synchronization Recommended Action Change the time settings on the sensor or IME local server In most cases the time change is required for the sensor because it is configured with the incorrect or default time For More Information For more information on time and the sensor see Time Sources and the Sensor page A 16 For the procedure for changing the time on the sensor see Corre...

Page 338: ...le is ok but if you log in to the Service account and try to execute commands you see that the problem exists The 4 1 4 service pack alleviates this problem but if you reimage the IDSM2 with the 4 1 4 application partition image you must apply the 4 1 4b patch For more information refer to CSCef12198 SensorApp either crashes or takes 99 of the CPU when IP logging is enabled for stream based signat...

Page 339: ...rity acl Catalyst software show intrusion detection module Cisco IOS software show monitor Cisco IOS software Table A 3 Minimum Catalyst 6500 Software Version for IDSM2 Feature Support Catalyst IDSM2 Feature Catalyst Software Cisco IOS Software Sup1 Sup2 Sup32 Sup720 Sup1 Sup2 Sup32 Sup720 SPAN 7 5 1 7 5 1 8 4 1 8 1 1 12 1 19 E1 12 1 19 E1 12 2 18 SXF1 12 2 18 SXF1 12 2 14 SX1 VACL capture1 1 Requ...

Page 340: ...or WS X6K SUP1A 2GE yes ok 15 1 1 Multilayer Switch Feature WS F6K MSFC no ok 2 2 48 10 100BaseTX Ethernet WS X6248 RJ 45 no ok 3 3 48 10 100 1000BaseT Ethernet WS X6548 GE TX no ok 4 4 16 1000BaseX Ethernet WS X6516A GBIC no ok 6 6 8 Intrusion Detection Mod WS SVC IDSM2 yes ok Mod Module Name Serial Num 1 SAD041308AN 15 SAD04120BRB 2 SAD03475400 3 SAD073906RC 4 SAL0751QYN0 6 SAD062004LV Mod MAC A...

Page 341: ...0d 29f6 7a80 to 000d 29f6 7aaf 5 0 7 2 1 8 5 0 46 ROC Ok 5 0003 fead 651a to 0003 fead 6521 4 0 7 2 1 5 0 1 1 Ok 6 000d ed23 1658 to 000d ed23 1667 1 0 7 2 1 8 5 0 46 ROC Ok 7 0011 21a1 1398 to 0011 21a1 139b 4 0 8 1 3 12 2 PIKESPE Ok 9 000d 29c1 41bc to 000d 29c1 41bc 1 3 Unknown Unknown PwrDown 11 00e0 b0ff 3340 to 00e0 b0ff 3347 0 102 7 2 0 67 5 0 1 1 Ok 13 0003 feab c850 to 0003 feab c857 4 0 ...

Page 342: ...re the IDSM2 is firmly connected in the switch Step 7 If the hdd status reads fail you must reimage the application partition For More Information For the procedure for reimaging the application partition see Recovering the Application Partition page 12 12 Cannot Communicate With the IDSM2 Command and Control Port If you cannot communicate with the IDSM2 command and control port the command and co...

Page 343: ...ule 5 management port Switchport Enabled Administrative Mode dynamic desirable Operational Mode static access Administrative Trunking Encapsulation negotiate Operational Trunking Encapsulation native Negotiation of Trunking On Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Trunking VLANs Enabled ALL Pruning VLANs Enabled 2 1001 Vlans allowed on trunk 1 Vlans allowed and active in m...

Page 344: ...For more information about the IDSM2 and TCP reset refer to Configuring the IDSM2 Connecting a Serial Cable to the IDSM2 You can connect a serial cable directly to the serial console port on the IDSM2 This lets you bypass the switch and module network interfaces To connect a serial cable to the IDSM2 follow these steps Step 1 Locate the two RJ 45 ports on the IDSM2 You can find them approximately ...

Page 345: ...le 1 reset The module in slot 1 should be shut down before resetting it or loss of configuration may occur Reset module in slot 1 confirm Reset issued for module in slot 1 asa config show module Mod Card Type Model Serial No 0 ASA 5520 Adaptive Security Appliance ASA5520 P2A00000014 1 ASA 5500 Series Security Services Module 10 ASA SSM 10 P2A0000067U Mod MAC Address Range Hw Version Fw Version Sw ...

Page 346: ... 10 PST 2005 Slot 1 141 Platform ASA SSM 10 Slot 1 142 GigabitEthernet0 0 Slot 1 143 Link is UP Slot 1 144 MAC Address 000b fcf8 0176 Slot 1 145 ROMMON Variable Settings Slot 1 146 ADDRESS 10 89 150 227 Slot 1 147 SERVER 10 89 146 1 Slot 1 148 GATEWAY 10 89 149 254 Slot 1 149 PORT GigabitEthernet0 0 Slot 1 150 VLAN untagged Slot 1 151 IMAGE IPS SSM K9 sys 1 1 a 5 1 0 1 img Slot 1 152 CONFIG Slot 1...

Page 347: ...a special path in the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream The Normalizer does not do any of the normalization that is done on an inline IPS appliance because that causes problems in the way the ASA handles the packets For More Information For detailed information about the Normalizer engine refer to Normalizer Engine Troubleshooting the...

Page 348: ...how tech support command to gather all the information of the sensor or you can use the other individual commands listed in this section for specific information This section describes how to use CLI commands to obtain information about your sensor contains the following topics Health and Network Security Information page A 70 Tech Support Information page A 71 Version Information page A 74 Statis...

Page 349: ...tech support Command Note Always run the show tech support command before contacting TAC The show tech support command captures all status and configuration information on the sensor and includes the current configuration version information and cidDump information The output can be large over 1 MB You can transfer the output to a remote system For More Information For the procedure for copying th...

Page 350: ... URL for FTP network server The syntax for this prefix is ftp username location relativeDirectory filename or ftp username location absoluteDirectory filename scp Destination URL for the SCP network server The syntax for this prefix is scp username location relativeDirectory filename or scp username location absoluteDirectory filename For example to send the tech support output to the file absolut...

Page 351: ..._APR_07_08_00_7_0_0_118 Release 2009 04 07T0 8 05 05 0500 Running CLI B BEAU_2009_APR_07_08_00_7_0_0_118 Release 2009 04 07T0 8 05 05 0500 Upgrade History IPS K9 7 0 E3 21 41 28 UTC Mon Feb 22 2010 Recovery Partition Version 1 1 7 0 1 E3 Host Certificate Valid from 08 Apr 2009 to 09 Apr 2011 Output from show interfaces Interface Statistics Total Packets Received 0 Total Bytes Received 0 Missed Pac...

Page 352: ...ere a failure is occurring It gives the following information Which applications are running Versions of the applications Disk and memory usage Upgrade history of the applications Note To get the same information from IDM choose Monitoring Sensor Monitoring Support Information Diagnostics Report To get the same information from IME choose Configuration sensor_name Sensor Monitoring Support Informa...

Page 353: ...g AnalysisEngine B BEAU_2009_APR_07_08_00_7_0_0_118 Release 2009 04 07T0 8 05 05 0500 Running CollaborationApp B BEAU_2009_APR_07_08_00_7_0_0_118 Release 2009 04 07T0 8 05 05 0500 Running CLI B BEAU_2009_APR_07_08_00_7_0_0_118 Release 2009 04 07T0 8 05 05 0500 Upgrade History IPS K9 7 0 1 E3 21 41 28 UTC Mon Feb 22 2010 Recovery Partition Version 1 1 7 0 1 E3 Host Certificate Valid from 08 Apr 200...

Page 354: ...ature definition sig0 exit service ssh known hosts exit service trusted certificates exit service web server exit service anomaly detection ad0 exit service external product interface exit service health monitor exit service global correlation exit service analysis engine exit sensor Statistics Information The show statistics command is useful for examining the state of the sensor services This se...

Page 355: ...ics Use the show statistics analysis engine anomaly detection authentication denied attackers event server event store external product interface global correlation host logger network access notification os identification sdee server transaction server virtual sensor web server clear command to display statistics for each sensor application Use the show statistics anomaly detection denied attacke...

Page 356: ...ams currently in the closing state 0 TCP streams currently in the system 0 TCP Packets currently queued for reassembly 0 The Signature Database Statistics Total nodes active 0 TCP nodes keyed on both IP addresses and both ports 0 UDP nodes keyed on both IP addresses and both ports 0 IP nodes keyed on both IP addresses 0 Statistics for Signature Events Number of SigEvents since reset 0 Statistics f...

Page 357: ...or each Statistics for Virtual Sensor vs1 Denied Attackers with percent denied and hit count for each Denied Attackers with percent denied and hit count for each sensor Step 6 Display the statistics for Event Server sensor show statistics event server General openSubscriptions 0 blockedSubscriptions 0 Subscriptions sensor Step 7 Display the statistics for Event Store sensor show statistics event s...

Page 358: ...http www cisco com go license sensor Step 9 Display the statistics for the host sensor show statistics host General Statistics Last Change To Host Config UTC 16 11 05 Thu Feb 10 2008 Command Control Port Device FastEthernet0 0 Network Statistics fe0_0 Link encap Ethernet HWaddr 00 0B 46 53 06 AA inet addr 10 89 149 185 Bcast 10 89 149 255 Mask 255 255 255 128 UP BROADCAST RUNNING MULTICAST MTU 150...

Page 359: ...ritten to the event store by severity Fatal Severity 0 Error Severity 64 Warning Severity 35 TOTAL 99 The number of log messages written to the message log by severity Fatal Severity 0 Error Severity 64 Warning Severity 24 Timing Severity 311 Debug Severity 31522 Unknown Severity 7 TOTAL 31928 sensor Step 11 Display the statistics for ARC sensor show statistics network access Current Configuration...

Page 360: ... 507 InterfacePostBlock Post_Acl_Test State BlockEnable true NetDevice IP 10 89 150 171 AclSupport Does not use ACLs Version 6 3 State Active Firewall type PIX NetDevice IP 10 89 150 219 AclSupport Does not use ACLs Version 7 0 State Active Firewall type ASA NetDevice IP 10 89 150 250 AclSupport Does not use ACLs Version 2 2 State Active Firewall type FWSM NetDevice IP 10 89 150 158 AclSupport use...

Page 361: ... the statistics for the transaction server sensor show statistics transaction server General totalControlTransactions 35 failedControlTransactions 0 sensor Step 16 Display the statistics for a virtual sensor sensor show statistics virtual sensor vs0 Statistics for Virtual Sensor vs0 Name of current Signature Definition instance sig0 Name of current Event Action Rules instance rules0 List of interf...

Page 362: ...rate of nodes per second for each time since reset Nodes per second 0 TCP nodes keyed on both IP addresses and both ports per second 0 UDP nodes keyed on both IP addresses and both ports per second 0 IP nodes keyed on both IP addresses per second 0 The number of root nodes forced to expire because of memory constraint TCP nodes keyed on both IP addresses and both ports 0 Packets dropped because th...

Page 363: ...Consumed by Event Count 0 Number of FireOnce First Alerts 0 Number of FireOnce Intermediate Alerts 0 Number of Summary First Alerts 0 Number of Summary Intermediate Alerts 0 Number of Regular Summary Final Alerts 0 Number of Global Summary Final Alerts 0 Number of Active SigEventDataNodes 0 Number of Alerts Output for further processing 0 SigEvent Action Override Stage Statistics Number of Alerts ...

Page 364: ...tatistics web server listener 443 number of server session requests handled 61 number of server session requests rejected 0 total HTTP requests handled 35 maximum number of session objects allowed 40 number of idle allocated session objects 10 number of busy allocated session objects 0 crypto library version 6 0 3 sensor Step 18 Clear the statistics for an application for example the logging appli...

Page 365: ...derstanding the show interfaces Command You can learn the following information from the show interfaces command Whether the interface is up or down Whether or not packets are being seen and on which interfaces Whether or not packets are being dropped by SensorApp Whether or not there are errors being reported by the interfaces that can result in packet drops The show interfaces command displays s...

Page 366: ...thernet0 0 Media Type TX Link Status Up Link Speed Auto_100 Link Duplex Auto_Full Total Packets Received 2211296 Total Bytes Received 157577635 Total Multicast Packets Received 20 Total Receive Errors 0 Total Receive FIFO Overruns 0 Total Packets Transmitted 239723 Total Bytes Transmitted 107213390 Total Transmit Errors 0 Total Transmit FIFO Overruns 0 sensor Events Information You can use the sho...

Page 367: ...t rating max rr error warning error fatal NAC status hh mm ss month day year past hh mm ss command to display events from Event Store Events are displayed beginning at the start time If you do not specify a start time events are displayed beginning at the current time If you do not specify an event type all events are displayed Note Events are displayed as a live feed To cancel the request press C...

Page 368: ...dor Cisco originator hostId sensor2 appName cidwebserver appInstanceId 12075 time 2008 01 07 04 41 45 2008 01 07 04 41 45 UTC errorMessage name errWarning received fatal alert certificate_unknown evError eventId 1041472274774840148 severity error vendor Cisco originator hostId sensor2 appName cidwebserver appInstanceId 351 time 2008 01 07 04 41 45 2008 01 07 04 41 45 UTC errorMessage name errTrans...

Page 369: ...5 59 2008 03 02 14 15 59 UTC signature description Nachi Worm ICMP Echo Request id 2156 version S54 subsigId 0 sigDetails Nachi ICMP interfaceGroup vlan 0 participants attacker addr locality OUT 10 89 228 202 target addr locality OUT 10 89 150 185 riskRatingValue 70 interface fe0_1 protocol icmp evIdsAlert eventId 1109695939102805308 severity medium vendor Cisco originator MORE Step 6 Display even...

Page 370: ... Service account by logging in as root and running usr cids idsRoot bin cidDump The path of the cidDump file is usr cids idsRoot htdocs private cidDump html cidDump is a script that captures a large amount of information including the IPS processes list log files OS information directory listings package information and configuration files To run the cidDump script follow these steps Step 1 Log in...

Page 371: ...le cidDump html the show tech support command output and cores to the ftp sj server To upload and access files on the Cisco FTP site follow these steps Step 1 Log in to ftp sj cisco com as anonymous Step 2 Change to the incoming directory Step 3 Use the put command to upload the files Make sure to use the binary transfer type Step 4 To access uploaded files log in to an ECS supported host Step 5 C...

Page 372: ...A 94 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 Chapter A Troubleshooting Gathering Information ...

Page 373: ...nd data and outbound data Only one ACL per direction can be active at a time ACLs are identified by number or by name ACLs can be standard enhanced or extended You can configure the sensor to manage ACLs action The response of the sensor to an event An action only happens if the event is not filtered Examples include TCP reset block host block connection IP logging and capturing the alert trigger ...

Page 374: ...n Programming Interface The means by which an application program talks to communications software Standardized APIs allow application programs to be developed independently of the underlying method of communication Computer application programs run a set of standard software interrupts calls and data formats to initiate contact with other devices for example network services mainframe communicati...

Page 375: ... severity rating ASR A weight associated with the severity of a successful exploit of the vulnerability The attack severity rating is derived from the alert severity parameter informational low medium or high of the signature The attack severity rating is configured per signature and indicates how dangerous the event detected is authentication Process of verifying that a user has permission to use...

Page 376: ...orses or back doors under a common command and control infrastructure Bpdu Bridge Protocol Data Unit Spanning Tree Protocol hello packet that is sent out at configurable inter vals to exchange information among bridges in the network bypass mode Mode that lets packets continue to flow through the sensor even if the sensor fails Bypass mode is only applicable to inline paired interfaces C CA certif...

Page 377: ...tion block ARC blocks traffic from a given source IP address to a given destination IP address and destination port console A terminal or laptop computer used to monitor and control the sensor console port An RJ45 or DB9 serial port on the sensor that is used to connect to a console device control interface When ARC opens a Telnet or SSH session with a network device it uses one of the routing int...

Page 378: ... the user to network interface The DCE provides a physical connection to the network forwards traffic and provides a clocking signal used to synchronize data transmission between DCE and DTE devices Modems and interface cards are examples of DCE DCOM Distributed Component Object Model Protocol that enables software components to communicate directly over a network Developed by Microsoft and previo...

Page 379: ...support many signatures in a certain category Each engine has parameters that can be used to create signatures or tune existing signatures enterprise network Large and diverse network connecting most major points in a company or other organization Differs from a WAN in that it is privately owned and maintained escaped expression Used in regular expression A character can be represented as its hexa...

Page 380: ...cannot support the original size of the packet Fragment Reassembly Processor A processor in the IPS Reassembles fragmented IP datagrams It is also responsible for normalization of IP fragments when the sensor is in inline mode FTP File Transfer Protocol Application protocol part of the TCP IP protocol stack used for transferring files between network nodes FTP is defined in RFC 959 FTP server File...

Page 381: ...Capability for data transmission in only one direction at a time between a sending station and a receiving station BSC is an example of a half duplex protocol handshake Sequence of messages exchanged between two or more network devices to ensure transmission synchronization hardware bypass A specialized interface card that pairs physical interfaces so that when a software error is detected a bypas...

Page 382: ...igurations for up to 300 sensors IME IPS Manager Express A network management application that provides system health monitoring events monitoring reporting and configuration for up to ten sensors inline mode All packets entering or leaving the network must pass through the sensor inline interface A pair of physical interfaces configured so that the sensor forwards all traffic received on one inte...

Page 383: ...rs J Java Web Start Java Web Start provides a platform independent secure and robust deployment technology It enables developers to deploy full featured applications to you by making the applications available on a standard web server With any web browser you can launch the applications and be confident you always have the most recent version JNLP Java Network Launching Protocol Defined in an XML ...

Page 384: ...by manufacturing to image sensors master blocking sensor A remote sensor that controls one or more devices Blocking forwarding sensors send blocking requests to the master blocking sensor and the master blocking sensor executes the blocking requests MD5 Message Digest 5 A one way hashing algorithm that produces a 128 bit hash Both MD5 and Secure Hash Algorithm SHA are variations on MD4 and strengt...

Page 385: ...ve Address Translation A network device can present an IP address to the outside networks that is different from the actual IP address of a host NBD Next Business Day The arrival of replacement hardware according to Cisco service contracts Neighborhood Discovery Protocol for IPv6 IPv6 nodes on the same link use Neighbor Discovery to discover each other s presence to determine each other s link lay...

Page 386: ...apable of synchronizing distributed clocks within milliseconds over long time periods NTP server Network Timing Protocol server A server that uses NTP NTP is a protocol built on top of TCP that ensures accurate local time keeping with reference to radio and atomic clocks located on the Internet This protocol is capable of synchronizing distributed clocks within milliseconds over long time periods ...

Page 387: ...DI information that consists of the PID the VID and the SN of your sensor PEP provides hardware version and serial number visibility through electronic query product labels and shipping items PER packed encoding rules Instead of using a generic style of encoding that encodes all types in a uniform way PER specializes the encoding based on the date type to generate much more compact representations...

Page 388: ...t interfaces and uses 802 2 SNAP encapsulation for messages reassembly The putting back together of an IP datagram at the destination after it has been fragmented either at the source or at an intermediate node recovery package An IPS package file that includes the full application image and installer used for recovery on sensors regex See regular expression regular expression A mechanism by which...

Page 389: ... packet until acknowledgement of the receipt RU rack unit A rack is measured in rack units An RU is equal to 44 mm or 1 75 inches S SCP Switch Configuration Protocol Cisco control protocol that runs directly over the Ethernet SCEP Simple Certificate Enrollment Protocol The Cisco Systems PKI communication protocol that leverages existing technology by using PKCS 7 and PKCS 10 SCEP is the evolution ...

Page 390: ...ckets from any existing connection It is used by ARC when blocking with a PIX Firewall Signature Analysis Processor A processor in the IPS Dispatches packets to the inspectors that are not stream based and that are configured for interest in the packet in process signature A signature distills network information and compares it against a rule set that indicates typical intrusion activity signatur...

Page 391: ...es use of the services of the subnetwork and performs three key functions data transfer connection management and QoS selection sniffing interface See sensing interface SNMP Simple Network Management Protocol Network management protocol used almost exclusively in TCP IP networks SNMP provides a means to monitor and control network devices and to manage configurations statistics collection performa...

Page 392: ... hard disk drive is less impacted switch Network device that filters forwards and floods frames based on the destination address of each frame The switch operates at the data link layer of the OSI model SYN flood Denial of Service attack that sends a host more TCP SYN packets request to synchronize sequence numbers used when opening a connection than the protocol implementation can handle system i...

Page 393: ...me and password threat rating TR A threat rating is a value between 0 and 100 that represents a numerical decrease of the risk rating of an attack based on the response action that depicts the threat of an alert on the monitored network three way handshake Process whereby two protocol entities synchronize during connection establishment threshold A value either upper or lower bound that defines th...

Page 394: ...UDLD UniDirectional Link Detection Cisco proprietary protocol that allows devices connected through fiber optic or copper Ethernet cables connected to LAN ports to monitor the physical configuration of the cables and detect when a unidirectional link exists When a unidirectional link is detected UDLD shuts down the affected LAN port and sends an alert since unidirectional links can cause a variety...

Page 395: ...ted on a number of different LAN segments Because VLANs are based on logical instead of physical connections they are extremely flexible VTP VLAN Trunking Protocol Cisco Layer 2 messaging protocol that manages the addition deletion and renaming of VLANs on a network wide basis VMS CiscoWorks VPN Security Management Solution A suite of network security applications that combines web based tools for...

Page 396: ...ive network or from a capture file on disk You can interactively browse the capture data viewing summary and detail information for each packet Wireshark has several powerful features including a rich display filter language and the ability to view the reconstructed stream of a TCP session For more information see http www wireshark org worm A computer program that can run independently can propag...

Page 397: ...pliance AIP SSM 1 22 described 1 22 AIM IPS branch router illustration 1 21 described 1 20 illustration 1 22 initializing 10 13 installing module 5 5 system image 12 23 interfaces described 5 4 logging in 9 5 removing module 5 5 restrictions 5 3 session command 9 5 sessioning 9 4 9 5 setup command 10 13 software requirements 5 2 specifications 5 1 time sources 1 27 AIP SSM described 1 22 indicator...

Page 398: ...occurring for signature A 44 device access issues A 41 enabling SSH A 43 inactive state A 39 misconfigured master blocking sensor A 45 troubleshooting A 38 verifying device interfaces A 43 verifying status A 38 ASDM resetting passwords A 12 asymmetric traffic disabling anomaly detection A 20 attack responses for TCP resets 1 2 authenticated NTP 1 26 A 16 automatic setup 10 1 automatic updates trou...

Page 399: ... password command A 10 A 13 command and control interface described 1 5 Ethernet 1 2 list 1 5 commands auto upgrade option 12 6 clear events 1 29 A 18 A 92 clear password A 10 A 13 copy backup config A 3 copy current config A 3 copy license key 11 13 debug module boot A 68 downgrade 12 11 hw module module 1 reset A 67 hw module module slot_number password reset A 11 session 9 5 9 10 setup 10 1 10 ...

Page 400: ...aly detection A 20 password recovery A 14 disaster recovery A 6 displaying events A 90 health status A 70 password recovery setting A 15 statistics A 77 tech support information A 72 version A 74 downgrade command 12 11 downgrading sensors 12 11 downloading software 11 1 duplicate IP addresses A 29 E electrical safety guidelines 1 31 enabling debug logging A 47 full memory tests Catalyst software ...

Page 401: ...configuration restrictions 3 5 4 6 fail over 3 5 4 6 IPS 4260 3 4 IPS 4270 20 4 5 link status changes and drops 3 6 4 7 A 24 proper configuration 3 6 4 7 A 24 supported configurations 3 4 4 5 with software bypass 3 4 4 5 HTTP HTTPS servers 12 2 hw module module 1 reset command A 67 hw module module slot_number password reset command A 11 I IDM Analysis Engine is busy A 57 will not load A 56 IDS ap...

Page 402: ...fying installation 7 9 IDSM unsupported models 1 18 IME time synchronization problems A 59 initializing AIM IPS 10 13 AIP SSM 10 16 appliances 10 8 IDSM2 10 20 NME IPS 10 25 sensors 10 1 10 4 user roles 10 1 verifying 10 28 inline interface pair mode configuration restrictions 1 11 described 1 14 inline VLAN pair mode configuration restrictions 1 11 described 1 15 supported sensors 1 15 installati...

Page 403: ...ces 1 17 modules 1 17 tuning 1 3 IPS 4240 accessories 2 5 back panel illustration 2 3 indicators 2 3 described 2 1 features 2 2 front panel illustration 2 2 indicators 2 2 installation 2 8 installing DC power supply 2 10 system image 12 15 password recovery A 9 rack mounting 2 6 reimaging 12 15 specifications 2 4 IPS 4240 DC described 2 10 installing 2 11 IPS 4255 accessories 2 5 back panel illust...

Page 404: ...g cable management arm 4 32 described 4 1 4 2 Diagnostic Panel accessing 4 41 described 4 11 illustration 4 11 Ethernet port indicators described 4 10 illustration 4 10 expansion card slots 4 41 extending from a rack 4 25 fan connector and indicator illustration 4 49 fan indicators 4 49 fans 4 49 features 4 7 front panel indicators 4 8 switches 4 8 front view illustration 4 7 hardware bypass 4 5 h...

Page 405: ...11 10 Licensing pane configuring 11 12 described 11 10 limitations for concurrent CLI sessions 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 1 logging in AIM IPS 9 5 AIP SSM 9 6 appliances 9 2 IDSM2 9 8 NME IPS 9 10 sensors SSH 9 11 Telnet 9 11 service role 9 2 terminal servers 1 19 9 3 12 14 user role 9 1 loose connections on sensors 4 51 A 24 M maintenance partition configuring IDSM2 Catalyst software 12 31 IDS...

Page 406: ... obtaining cryptographic account 11 2 IPS software 11 1 P password recovery AIM IPS A 10 AIP SSM A 10 appliances A 8 CLI A 14 described A 8 disabling A 14 GRUB menu A 8 IDSM2 A 13 IPS 4240 A 9 IPS 4255 A 9 IPS 4260 A 9 IPS 4270 20 A 9 NME IPS A 13 platforms A 8 ROMMON A 9 troubleshooting A 15 verifying A 15 patch releases described 11 3 performance IPS 4270 20 4 2 PFC described 7 5 physical connec...

Page 407: ...rack depth 4 16 rack hole types illustration 4 15 round holes 4 15 square holes 4 15 threaded holes 4 15 rail system kit cable management arm 4 28 4 31 contents 4 16 IPS 4270 20 4 15 required tools 4 16 recover command 12 12 recovering AIP SSM A 68 application partition image 12 12 recovery partition upgrade 12 5 reimaging AIP SSM 12 26 appliances 12 12 described 12 1 IDSM2 12 28 IPS 4240 12 15 IP...

Page 408: ...erfaces described 1 6 interface cards 1 6 modes 1 6 sensors access problems A 26 application partition image 12 12 asymmetric traffic and disabling anomaly detection A 20 capturing traffic 1 1 comprehensive deployment 1 1 Comprehensive Deployment Solutions illustration 1 1 corrupted SensorApp configuration A 37 disaster recovery A 6 downgrading 12 11 electrical guidelines 1 31 IDS mode 1 1 incorre...

Page 409: ...d A 89 show health command A 70 show interfaces command A 87 show inventory command 5 6 8 6 show settings command A 15 show statistics command A 77 show statistics virtual sensor command A 25 A 77 show tech support command A 71 show version command A 74 signature engine update files described 11 5 signatures and TCP reset A 52 signature update files described 11 4 site guidelines for sensor instal...

Page 410: ...ot occurring A 52 signature actions 1 2 terminal server setup 1 19 9 3 12 14 testing fail over 3 5 4 6 TFTP servers recommended UNIX 12 14 Windows 12 14 RTT 12 14 time correction on the sensor 1 29 A 18 sensor 1 26 sensors A 16 synchronization for IPS modules 1 28 A 17 time sources AIM IPS 1 27 AIP SSM 1 27 A 17 appliances 1 27 A 16 IDSM2 1 27 A 16 NME IPS 1 27 trial license key 11 10 troubleshoot...

Page 411: ...r loose connections 4 51 A 24 sensor not seeing packets A 35 sensor software upgrade A 55 service account A 5 show events command A 88 show interfaces command A 87 show statistics command A 76 A 77 show tech support command A 71 A 72 show version command A 74 software upgrades A 53 SPAN port issue A 32 upgrading A 54 verifying Analysis Engine is running A 21 verifying ARC status A 38 tuning IPS 1 ...

Page 412: ... Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 0 OL 18504 01 VLAN groups 802 1q encapsulation 1 16 configuration restrictions 1 11 deploying 1 16 described 1 15 switches 1 16 ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands