Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor Installation And Configuration Manual Download Page 349 | Manualshive

Page: 349 / 450

background image

A-23

Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1

78-15597-02

Appendix A Intrusion Detection System Architecture

System Components

For Catalyst switches it is a blocking interface VLAN number. Do not use these
names for preblock and postblock ACLs.

For Catalyst 6000 VACLs, you can specify a preblock and postblock VACL and
only the interface is specified (direction is not used in VLANs).

For PIX Firewalls, you cannot use preblock or postblock ACLS because the PIX
Firewall uses a different API for blocking. Instead you must create ACLs directly
on the PIX Firewall. See

Blocking with the PIX Firewall, page A-25

, for more

information.

Maintaining State Across Restarts

When the blocked host list or blocked network list changes, the new lists (with
starting timestamps) are written to a local file (nac.shun.txt) that is maintained by
NAC. When NAC starts, this file is used to determine if any block updates should
occur at the controlled network devices. Any unexpired blocks found in the file
are applied to the network devices at startup. When NAC shuts down, no special
actions on the ACLs are taken even if outstanding blocks are in effect. The
nac.shun.txt file is accurate only if the system time is not changed while NAC is
not running.

Caution

Do not make manual changes to the nac.shun.txt file.

The following scenarios demonstrate how NAC maintains state across restarts.

Scenario 1

There are two blocks in effect when NAC stops and one of them expires before
NAC restarts. When NAC restarts, it first reads the nac.shun.txt file. It then reads
the preblock and postblock ACLs or VACLs. The active ACL or VACL is built in
the following order:

1.

The allow sensor_ ip_address command (unless the allow sensor shun
command has been configured)

2.

Preblock ACL

3.

The always block command entries from the configuration

4.

Unexpired blocks from nac.shun.txt

5.

Postblock ACL

«
...
347
348
349
350
351
...
»

Summary of Contents for IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor

Page 1: ... San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 Customer Order Number DOC 7815597 Text Part Number 78 15597 02 ...

Page 2: ...difying the equipment without Cisco s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices In that event your right to use the equipment may be limited by FCC regulations and you may be required to correct any interference to radio or television communications at your own expense You can determine whether your equipment ...

Page 3: ...n Enterprise Solver EtherChannel EtherFast EtherSwitch Fast Step FormShare GigaDrive GigaStack HomeLink Internet Quotient IOS IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard LightStream Linksys MeetingPlace MGX the Networkers logo Networking Academy Network Registrar Packet PIX Post Routing Pre Routing ProConnect RateMUX ScriptShare SlideCast SMARTnet StrataView Plus SwitchProbe TeleRout...

Page 4: ......

Page 5: ...dback xx Obtaining Technical Assistance xxi Cisco Technical Support Website xxi Submitting a Service Request xxii Definitions of Service Request Severity xxii Obtaining Additional Publications and Information xxiii C H A P T E R 1 Introducing the Sensor 1 1 Appliances 1 1 Introducing the Appliance 1 2 How the Appliance Functions 1 3 Your Network Topology 1 4 Placing an Appliance on Your Network 1 ...

Page 6: ...Installation Preparation 1 20 Working in an ESD Environment 1 21 C H A P T E R 2 Installing the IDS 4210 2 1 Front Panel Features and Indicators 2 1 Upgrading the Memory 2 3 Installing the IDS 4210 2 5 Installing the Accessories 2 8 Accessories Package Contents 2 8 Installing and Removing the Bezel 2 9 Installing Center Mount Brackets 2 9 Installing Front Mount Brackets 2 11 C H A P T E R 3 Instal...

Page 7: ...lacing the Compact Flash Device 3 23 Removing and Installing the 4FE Card 3 25 Removing the 4FE Card 3 25 Installing the 4FE Card 3 27 C H A P T E R 4 Installing the IDS 4220 and IDS 4230 4 1 Front and Back Panel Features 4 2 Recommended Keyboards and Monitors 4 4 Upgrading the IDS 4220 E and IDS 4230 FE to 4 x Software 4 5 Installing the IDS 4220 and IDS 4230 4 6 C H A P T E R 5 Installing the ID...

Page 8: ...ve 5 21 Replacing the SCSI Hard Disk Drive 5 22 Four Post Rack Installation 5 23 Recommended Tools and Supplies 5 23 Rack Kit Contents 5 23 Installing the Slide Assemblies 5 24 Installing the Appliance in the Rack 5 26 Installing the Cable Management Arm 5 28 Routing the Cables 5 32 Two Post Rack Installation 5 34 Recommended Tools and Supplies 5 35 Rack Kit Contents 5 35 Marking the Rack 5 35 Ins...

Page 9: ...nstalling the NM CIDS Offline 7 7 Installing an NM CIDS Using OIR Support 7 10 Removing the NM CIDS 7 11 Removing the NM CIDS Offline 7 12 Removing the NM CIDS Using OIR Support 7 13 Blank Network Module Panels 7 14 C H A P T E R 8 Installing the IDSM 2 8 1 Specifications 8 1 Software and Hardware Requirements 8 2 Supported IDSM 2 Configurations 8 3 Using the TCP Reset Interface 8 4 Front Panel De...

Page 10: ...Using the CLI 10 1 Sensor Initial Configuration Tasks 10 2 Initializing the Sensor 10 2 Assigning and Enabling the Sensing Interface 10 9 Sensing Interfaces 10 11 Creating the Service Account 10 12 Logging in to the Sensor 10 14 Changing a Password 10 15 Adding a User 10 16 Removing a User 10 17 Adding Trusted Hosts 10 18 Adding Known Hosts to the SSH Known Hosts List 10 19 Configuring the Sensor ...

Page 11: ... Logging for a Specific Signature 10 53 Disabling IP Logging 10 55 Copying IP Log Files to Be Viewed 10 56 Configuring Blocking 10 57 Understanding Blocking 10 57 Before Configuring Blocking 10 59 Supported Blocking Devices 10 59 Configuring Blocking Properties 10 60 Configuring Addresses Never to Block 10 65 Configuring Logical Devices 10 66 Configuring Blocking Devices 10 67 Configuring the Sens...

Page 12: ...0 Using SPAN for Capturing IDS Traffic 10 90 Configuring VACLS to Capture IDS Traffic 10 92 Using the mls ip ids Command for Capturing IDS Traffic 10 96 Miscellaneous Tasks 10 98 Enabling a Full Memory Test 10 99 Resetting the IDSM 2 10 101 Catalyst Software Commands 10 103 Cisco IOS Software Commands 10 106 Reimaging Appliances and Modules 10 110 Reimaging the Appliance 10 110 Recovering the Appl...

Page 13: ...A 8 SensorApp A 11 AuthenticationApp A 12 Authenticating Users A 12 Configuring Authentication on the Sensor A 13 Managing TLS and SSH Trust Relationships A 14 LogApp A 15 NAC A 16 About NAC A 17 NAC Controlled Devices A 19 NAC Features A 19 ACLs and VACLs A 22 Maintaining State Across Restarts A 23 Connection Based and Unconditional Blocking A 24 Blocking with the PIX Firewall A 25 Blocking with ...

Page 14: ...reventive Maintenance B 1 Disaster Recovery B 2 Troubleshooting the 4200 Series Appliance B 4 Communication B 4 Cannot Access the Sensor Through the IDM or Telnet and or SSH B 5 IDM Cannot Access the Sensor B 7 Access List Misconfiguration B 10 Duplicate IP Address Shuts Interface Down B 10 SensorApp and Alerting B 11 Sensing Process Not Running B 11 Physical Connectivity SPAN or VACL Port Issue B...

Page 15: ...essages to SysLog B 31 NTP B 33 Verifying that the Sensor is Synchronized with the NTP Server B 34 NTP Server Connectivity Problem B 35 NTP Reconfiguration Defect B 35 TCP Reset B 37 Reset Not Occurring for a Signature B 37 Using the TCP Reset Interface B 39 Software Upgrade B 39 IDS 4235 and IDS 4250 Hang During A Software Upgrade B 40 Which Updates to Apply and in Which Order B 40 Issues With Au...

Page 16: ...t Command Output B 55 show version Command B 56 show version Command B 57 Displaying the Current Version B 57 show configuration more current config Command B 60 show statistics Command B 61 show statistics Command B 61 Displaying Statistics B 62 show statistics Command Output B 63 show interfaces Command B 64 show interfaces Command B 64 show interfaces Command Output B 65 show events Command B 6...

Page 17: ...ns the following topics Audience page xvii Conventions page xviii Related Documentation page xix Obtaining Documentation page xix Documentation Feedback page xx Obtaining Technical Assistance page xxi Obtaining Additional Publications and Information page xxiii Audience This guide is intended for audiences who need to do the following Install appliances and modules Secure their network with sensor...

Page 18: ...pment damage or loss of data Warning This warning symbol means danger You are in a situation that could cause bodily injury To see translations of the warnings that in this publication refer to the Regulatory Compliance and Safety Information document that accompanied this device Item Convention Commands and keywords boldface font Variables for which you supply values italic font Displayed session...

Page 19: ...usion Detection System 4200 Series Appliance Sensor Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4 1 Cisco Intrusion Detection System Command Reference Version 4 1 Release Notes for Cisco Intrusion Detection System Version 4 1 Refer to the Cisco Intrusion Detection System IDS Hardware and Software Version 4 1 Documentation Guide for information ...

Page 20: ... users Cisco direct customers can order Cisco product documentation from the Ordering tool http www cisco com en US partner ordering index shtml Nonregistered Cisco com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters California USA at 408 526 7208 or elsewhere in North America by calling 1 800 553 NETS 6387 Documentation Feedback...

Page 21: ...is URL http www cisco com techsupport Access to all tools on the Cisco Technical Support Website requires a Cisco com user ID and password If you have a valid service contract but do not have a user ID or password you can register at this URL http tools cisco com RPF register register do Note Use the Cisco Product Identification CPI tool to locate your product serial number before submitting a web...

Page 22: ...h your production network is down or severely degraded Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly To open a service request by telephone use one of the following numbers Asia Pacific 61 2 8446 7411 Australia 1 800 805 227 EMEA 32 2 704 55 55 USA 1 800 553 2447 For a complete list of Cisco TAC contacts go to this...

Page 23: ... the networking products offered by Cisco Systems as well as ordering and customer support services Access the Cisco Product Catalog at this URL http cisco com univercd cc td doc pcat Cisco Press publishes a wide range of general networking training and certification titles Both new and experienced users will benefit from these publications For current Cisco Press titles and other information go t...

Page 24: ...s make sound technology investment decisions You can access iQ Magazine at this URL http www cisco com go iqmagazine Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing developing and operating public and private internets and intranets You can access the Internet Protocol Journal at this URL http www cisco com ipj World c...

Page 25: ...nsors page 1 16 for a complete list of supported sensors and their model numbers This chapter contains the following topics Appliances page 1 1 Modules page 1 12 Supported Sensors page 1 16 Setting the Time on Sensors page 1 18 Installation Preparation page 1 20 Working in an ESD Environment page 1 21 Appliances This section describes the appliance and contains the following topics Introducing the...

Page 26: ... captures and analyzes network traffic These responses include logging the event forwarding the event to the IDS manager performing a TCP reset generating an IP log capturing the alert trigger packet and or reconfiguring a router After being installed at key points in the network the appliance monitors and performs real time analysis of network traffic by looking for anomalies and misuse based on ...

Page 27: ...ace is always Ethernet This interface has an assigned IP address which allows it to communicate with the IDS manager workstation or network devices typically a Cisco router Because this interface is visible on the network you should use encryption to maintain data privacy Secure Shell SSH is used to protect the Command Line Interface CLI and the Transaction Layer Security Secure Sockets Layer TLS ...

Page 28: ...ds it can monitor Your Network Topology Before you deploy and configure your appliances you should understand the following about your network The size and complexity of your network Connections between your network and other networks and the Internet The amount and type of network traffic on your network This knowledge will help you determine how many appliances are required the hardware configur...

Page 29: ...nnection there is no guarantee that the network of a partner is adequately protected Consequently an outsider may enter your network through this type of connection These extranet connections may have firewalls as well In location three the appliance is monitoring the network side of a remote access server Although this connection may be only for employee use it could be vulnerable to external att...

Page 30: ...a given monitored network segment There are always operational trade offs when going through this process The end result should be a rough idea of the number of appliances required to protect the desired network Placing an Appliance on Your Network You can place an appliance in front of or behind a firewall Each position has benefits and drawbacks Placing an appliance in front of a firewall allows...

Page 31: ... Figure 1 2 Appliance in Front of a Firewall Placing an appliance behind a firewall allows it to monitor internal traffic but it cannot monitor any policy violations that the firewall rejects see Figure 1 3 on page 1 8 Hostile network ISP router Outermost router Protected network Management host IDS Appliance Monitoring interface Control interface 97331 Firewall ...

Page 32: ...s For the appliance to effectively defend a network with a router and firewall configuration you must do the following Enable SSH services on the router if available otherwise enable Telnet Add the router to the device management list of the appliance via the IDS manager Hostile network ISP router Outermost router Management network Protected net Appliance Monitoring interface Control interface 97...

Page 33: ...ng The appliance captures packets between the Cisco router and the firewall and can dynamically update the ACLs of the Cisco router to deny unauthorized activity Note You can also configure the appliance to manage a PIX Firewall instead of the Cisco router Appliance Restrictions The following restrictions apply to using and operating the appliance The appliance is not a general purpose workstation...

Page 34: ...t the M A S H adapter part number 29 4077 01 to COM1 on the appliance and For RJ 45 connections connect a 180 rollover cable from the M A S H adapter to a port on the terminal server For hydra cable assemblies connect a straight through patch cable from the M A S H adapter to a port on the terminal server Step 2 Configure the line port on the terminal server as follows a In enable mode type the fo...

Page 35: ...splayed on the local keyboard monitor Note There is only one console port on an IDS 4215 IPS 4240 and IPS 4255 therefore the display serial and no display serial commands do not apply to those platforms Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance If a terminal session is not stopped properly that is if it does not receive an exit 0 signal from ...

Page 36: ...Cisco Intrusion Detection System Network Module The Cisco Intrusion Detection System Network Module NM CIDS integrates the Cisco IDS functionality into a branch office router With the NM CIDS you can implement full featured IDS at your remote branch offices You can install the NM CIDS in any one of the network module slots on the Cisco 2600 3600 and 3700 series routers The NM CIDS can monitor up t...

Page 37: ...ntrol and state information for bringing up and shutting down the NM CIDS and to exchange version and status information The NM CIDS processes packets that are forwarded from selected interfaces on the router to the IDS interface on the NM CIDS The NM CIDS analyzes the captured packets and compares them against a rule set of typical intrusion activity called signatures If the captured packets matc...

Page 38: ... IDS requires a reliable time source All the events alerts must have the correct time stamp otherwise you cannot correctly analyze the logs after an attack You cannot manually set the time on the NM CIDS The NM CIDS gets its time from the Cisco router in which it is installed Routers do not have a battery so they cannot preserve a time setting when they are powered off You must set the router s cl...

Page 39: ... IDSM 2 searches for patterns of misuse by examining either the data portion and or the header portion of network packets Content based attacks contain potentially malicious data in the packet payload whereas context based attacks contain potentially malicious data in the packet headers You can configure the IDSM 2 to generate an alert when it detects potential attacks Additionally you can configu...

Page 40: ...oftware see Obtaining Cisco IDS Software page 9 1 Caution Installing the most recent Cisco IDS software version 4 1 on unsupported sensors may yield unpredictable results We do not support software installed on unsupported platforms Table 1 1 Supported Sensors Model Name Part Number Optional Interfaces Appliances IDS 4210 IDS 4210 IDS 4210 K9 IDS 4210 NFR IDS 4215 IDS 4215 K9 IDS 4215 4FE K9 IDS 4...

Page 41: ... INT installed at the factory The following IDS appliance models are legacy models and are not supported in this document NRS 2E NRS 2E DM NRS 2FE NRS 2FE DM NRS TR NRS TR DM NRS SFDDI NRS SFDDI DM NRS DFDDI NRS DFDDI DM IDS 4220 TR IDS 4230 SFDDI IDS 4230 DFDDI IPS 4255 IPS 4255 K9 Network Modules NM CIDS NM CIDS K9 Services Modules IDSM 2 WS SVC IDSM2 K9 Table 1 1 Supported Sensors continued Mod...

Page 42: ...the time zones and summer time settings See Initializing the Sensor page 10 2 for more information Here is a summary of ways to set the time on sensors For appliances Use the clock set command to set the time This is the default Refer to Cisco Intrusion Detection System Command Reference Version 4 1 for information on the clock set command Use Network Timing Protocol NTP You can configure your app...

Page 43: ...s do not match between the IDSM 2 and the switch Use NTP You can configure your IDSM 2 to get its time from an NTP time synchronization source See Configuring a Cisco Router to be an NTP Server page 10 22 You will need the NTP server IP address the NTP key ID and the NTP key value You can configure the IDSM 2 to use NTP during initialization or you can set up NTP later See Configuring the Sensor t...

Page 44: ...tialization or you can set up NTP later See Configuring the Sensor to Use an NTP Server as its Time Source page 10 21 for more information Note We recommend that you use an NTP time synchronization source Installation Preparation To prepare for installing sensors follow these steps Step 1 Review the safety precautions outlined in the Regulatory Compliance and Safety Information for the Cisco Intru...

Page 45: ...n a grounded static dissipative work surface for example an ESD workbench or static dissipative mat To remove and replace components in a sensor follow these steps Step 1 Remove all static generating items from your work area Step 2 Use a static dissipative work surface and wrist strap Note Disposable wrist straps typically those included with an upgrade part are designed for one time use Step 3 A...

Page 46: ... using a grounding cable and alligator clip Caution Always follow ESD prevention procedures when removing replacing or repairing components Note If you are upgrading a component do not remove the component from the ESD packaging until you are ready to install it DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED CONSOLE 10 100 ETHERNET 0 0 Link FDX FDX 100 Mbps Link 100 Mbps FAILOVER 10 100 ETHERNE...

Page 47: ...210 before July 2003 you must upgrade the memory to 256 MB to install Cisco IDS 4 1 See Upgrading the Memory page 2 3 for more information If you purchase an IDS 4210 during July it comes from the factory with the memory upgrade and version 4 1 installed This chapter contains the following sections Front Panel Features and Indicators page 2 1 Upgrading the Memory page 2 3 Installing the IDS 4210 p...

Page 48: ...ivity link indicator 2 1 Table 2 1 Front Panel Indicators Indicator Color Function Power Green Lights up when the system is connected to an AC power source blinks when the system is in sleep mode System fault Amber Blinks during system startup or when a system fault is detected Hard disk drive activity Green Blinks when hard disk drive activity occurs LAN1 activity link Amber Lights up when the LA...

Page 49: ...umber IDS 4210 MEM U for a total of 512 MB For the IDS 4220 E sensor you insert two additional 128 MB DIMMs Part number IDS 4220 MEM U for a total of 512 MB Note Do not install an unsupported DIMM Doing so nullifies your warranty Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and ...

Page 50: ...e screws spaced evenly across the front cover Step 7 Locate the DIMM sockets and select an empty DIMM socket next to the existing DIMM Note On IDS 4210 sensors the existing DIMM is installed in socket 0 The angled position of the DIMM sockets make installing an additional DIMM in socket 1 difficult if a DIMM occupies socket 0 Therefore you should first remove the existing DIMM from socket 0 place ...

Page 51: ...sor and ensure the new memory total is correct Note If the memory total does not reflect the added DIMMs repeat Steps 1 through 4 to ensure the DIMMs are seated correctly in the socket Installing the IDS 4210 Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Be sure to read the safety warnings in the Regulatory Compli...

Page 52: ...arily and then powers off leaving the Network Interface Card NIC link lights lit This is normal behavior Press the power switch to boot the system into operation Step 3 Use the dual serial communication cable PN 72 1847 01 included in the accessory kit to attach a laptop to the COM1 port of the IDS appliance see Table 2 2 for a list of the terminal settings or connect a keyboard and monitor to the...

Page 53: ...r setting up a terminal server Step 4 Attach the network cables int0 is the sensing port int1 is the command and control port Step 5 Upgrade the memory on the appliance See Upgrading the Memory page 2 3 for the procedure Caution You must upgrade the memory on the IDS 4210 to a minimum of 512 MB before you can install the most recent Cisco IDS software version Step 6 Power on the appliance Step 7 I...

Page 54: ...nstalling the Accessories You can install a bezel and center or front mounting brackets for your IDS 4210 This section contains the following topics Accessories Package Contents page 2 8 Installing and Removing the Bezel page 2 9 Installing Center Mount Brackets page 2 9 Installing Front Mount Brackets page 2 11 Accessories Package Contents The following items are shipped in the accessories packag...

Page 55: ...the IDS 4210 follow these steps Step 1 To insert the bezel on the appliance follow these steps a Align the bottom tabs on the bezel with the slots on the appliance b Align the side tabs on the bezel with the slots on the appliance c Press the bezel into the appliance Step 2 To remove the bezel from the appliance press the side tabs and pull Installing Center Mount Brackets You need the following t...

Page 56: ...ount Brackets Step 4 Secure the bracket to the appliance chassis using two screws see Figure 2 2 Step 5 Repeat Step 4 to install the remaining bracket on the other side of the appliance Step 6 Lift the appliance into position between the two posts with the hole in the mounting bracket aligned one hole above the mark you made in the two posts see Figure 2 2 50623 LINK CONS ETHERNET 0 ETHERNET 1 SCS...

Page 57: ...ght posts see Figure 2 2 on page 2 10 Installing Front Mount Brackets Make sure you have the following supplies found in the front mount bracket assembly kit and tools to install the front mount brackets in a two post open frame relay rack Two chassis support brackets Two rack mounting brackets Six screws 2 Phillips screwdriver Note The front mount bracket assembly is not intended for use as a sli...

Page 58: ...ackets included in this kit are rated for 50 pounds of load per pair of brackets for general use for 10 000 cycles of opening and closing Higher cycles or frequency will lower the load rating The chassis support brackets are meant to support the weight of only one appliance 55150 LINK CONS ETHERNET 0 ETHERNET 1 SCSI LVD ONLY 100Mbps LINK 100Mbps DRIVE 0 DRIVE 0 DRIVE 1 DRIVE 1 0 1 2 3 Pan head Phi...

Page 59: ...rical outlet Step 2 Use the screws provided to attach one chassis support bracket to each side of the appliance Use three screws on each side Step 3 Use the screws provided with the rack to attach the rack mounting brackets to the rack Step 4 Slide the chassis support brackets on the appliance into the rack mounting brackets attached to the rack Step 5 Use the bolts provided with the rack to faste...

Page 60: ...Chapter 2 Installing the IDS 4210 Installing the Accessories 2 14 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 ...

Page 61: ...based on the following conditions aggregation of traffic from all five monitoring interfaces 800 new TCP connections per second 800 HTTP transactions per second average packet size of 445 bytes system running Cisco IDS 4 1 sensor software The monitoring interfaces and the command and control interface are all 10 100BASE TX This chapter describes the IDS 4215 and how to install it It also describes...

Page 62: ...ures and indicators Figure 3 1 shows the front view of the IDS 4215 Figure 3 1 IDS 4215 Front Panel Features Table 3 1 describes the front panel indicators on the IDS 4215 POWER ACT NETWORK CISCO IDS 4215 Intrusion Detection Sensor 87925 Table 3 1 Front Panel Indicators Indicator Description POWER Lights up when power supply is running ACT Lights up when the unit has completed power up self test a...

Page 63: ...15 Table 3 2 lists the back panel indicators 87926 USB CONSOLE 10 100 ETHERNET 0 10 100 ETHERNET 1 Empty PCI slot int0 int1 Off on Power connector int2 int5 int4 int3 Console USB unused 119585 USB CONSOLE 10 100 ETHERNET 0 10 100 ETHERNET 1 100Mbps ACT LINK 100Mbps ACT LINK Indicators Indicators Table 3 2 Back Panel Indicators Indicator Description Built in Ethernet 100 Mbps Lights up when the por...

Page 64: ... are being received 100 Mbps Lights up when the port is running in 100 Mbps mode off when the port is running in 10 Mbps mode Table 3 2 Back Panel Indicators continued Indicator Description Table 3 3 IDS 4215 Specifications Dimensions and Weight Height 1 72 in 4 37 cm Width 16 8 in 42 72 cm Depth 11 8 in 29 97 cm Weight 11 5 lb 4 11 kg Form factor 1 RU standard 19 inch rack mountable Expansion Two...

Page 65: ...cal circuitry and be familiar with standard practices for preventing accidents Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device Statement 1071 SAVE THESE INSTRUCTIONS Environment Temperature Operating 41 F to 104 F 5 C to 40 C Nonoperating 13 F to 158 F 25 C to 70 C Relative humidity Operating 5 to...

Page 66: ...eplace or service this equipment Statement 1030 The IDS 4215 accessories kit contains the following DB25 connector DB9 connector Rubber mounting feet Rack mounting kit screws washers and metal bracket RJ45 console cable 6 ft Ethernet cable Surface Mounting If you are not rack mounting the IDS 4215 you must attach the rubber feet to the bottom of the IDS 4215 as shown in Figure 3 4 on page 3 7 The ...

Page 67: ...eet allow proper airflow around the IDS 4215 and they also absorb vibration so that the hard disk drive is less impacted Rack Mounting Warning To prevent bodily injury when mounting or servicing this unit in a rack you must take special precautions to ensure that the system remains stable The following guidelines are provided to ensure your safety This unit should be mounted at the bottom of the r...

Page 68: ...il after you have installed the 4FE card Note You must remove the chassis cover of the IDS 4215 to properly install or remove the 4FE card See Removing and Replacing the Chassis Cover page 3 12 for information on how to remove and replace the chassis cover See Installing the 4FE Card page 3 27 for information on installing the 4FE card in the IDS 4215 To rack mount the IDS 4215 follow these steps ...

Page 69: ...Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing these steps 104186 POWER ACT NETWORK CISCO IDS 4215 Intrusion Detec...

Page 70: ... it into a power source a UPS is recommended Step 3 Connect the cable so that you have either a DB 9 or DB 25 connector on one end as required by the serial port for your computer and the other end is the RJ 45 connector Note Use the console port to connect to a computer to enter configuration commands Locate the serial cable from the accessory kit The serial cable assembly consists of a 180 rollo...

Page 71: ...or to the console port and connect the other end to the serial port connector on your computer Step 5 Attach the network cables int0 is the sensing port int1 is the command and control port int2 through int5 are the optional sensing ports available if you have the 4FE card installed Step 6 Power on the appliance Step 7 Initialize your appliance See Initializing the Sensor page 10 2 for the procedu...

Page 72: ...unded Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available Statement 1024 Warning Blank faceplates and cover panels serve three important functions they prevent exposure to hazardous voltages and currents i...

Page 73: ...e 3 13 Replacing the Chassis Cover page 3 15 Removing the Chassis Cover Note Removing the appliance chassis cover does not affect your Cisco warranty Upgrading the appliance does not require any special tools and does not create any radio frequency leaks To remove the chassis cover follow these steps Step 1 Log in to the CLI Step 2 Prepare the appliance to be powered off sensor reset powerdown Wai...

Page 74: ... 15597 02 Step 7 With the front of the unit facing you push the top panel back one inch Step 8 Pull the top panel up and put it in a safe place 24305 DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED CONSOLE 10 100 ETHERNET 0 0 Link FDX FDX 100 Mbps Link 100 Mbps FAILOVER 10 100 ETHERNET 0 0 PIX 515 Top panel screws 4 POWER ACT NETWORK 104180 CISCO IDS 4215 Intrusion Detection Sensor ...

Page 75: ... the chassis cover installed The chassis cover protects the internal components prevents electrical shorts and provides proper air flow for cooling the electronic components To replace the chassis cover follow these steps Step 1 Place the chassis on a secure surface with the front panel facing you Step 2 Hold the top panel so the tabs at the rear of the top panel are aligned with the chassis botto...

Page 76: ... chassis making sure that the top panel side tabs fit under the chassis side panels Step 4 Slide the top panel toward the front making sure that the top panel tabs fit under the chassis back panel and the back panel tabs fit under the top panel Step 5 Fasten the top panel with the screws you set aside earlier 104182 POWER ACT NETWORK CISCO IDS 4215 Intrusion Detection Sensor POWER ACT NETWORK 1041...

Page 77: ...rained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Only use the replacement IDE hard disk drive from Cisco We cannot guarantee that other hard disk drives will operate properly with the IDS Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Se...

Page 78: ...disk drive from the IDS 4215 follow these steps Step 1 Log in to the CLI Step 2 Prepare the appliance to be powered off sensor reset powerdown Wait for the power down message before continuing with Step 3 Note You can also power down the sensor using IDM or IDS MC Step 3 Power off the appliance Step 4 Remove the power cord and other cables from the appliance Step 5 Place the appliance in an ESD co...

Page 79: ...15597 02 Chapter 3 Installing the IDS 4215 Removing and Replacing the IDE Hard Disk Drive Step 8 Grasp the hard disk drive and pull straight backwards until it is free of the riser card connector Do not lift or wiggle the hard disk drive side to side until it is completely free of the connector 87927 Hard drive ...

Page 80: ...d disk drive in the IDS 4215 follow these steps Step 1 Place the appliance in an ESD controlled environment See Working in an ESD Environment page 1 21 for more information Step 2 Align the hard disk drive connector with the two guide pins on the riser card Step 3 Push the hard disk drive straight into the riser card connector Do not lift or wiggle the hard disk drive side to side Push carefully u...

Page 81: ...re to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when removing and replacing the compact flash This section describes how to remove and replace the compact flash device in the IDS 4215 This section contains the following topics Removing the Compact Flash Devic...

Page 82: ...appliance Step 4 Remove the power cord and other cables from the appliance Step 5 Place the appliance in an ESD controlled environment See Working in an ESD Environment page 1 21 for more information Step 6 Remove the chassis cover See Removing the Chassis Cover page 3 13 for the procedure Step 7 Remove the hard disk drive See Removing the Hard Disk Drive page 3 18 for the procedure Step 8 Grasp t...

Page 83: ...placing the Compact Flash Device Replacing the Compact Flash Device To replace the compact flash device in the IDS 4215 follow these steps Step 1 Place the appliance in an ESD controlled environment See Working in an ESD Environment page 1 21 for more information Step 2 Align the compact flash device with the connector on the riser card 87928 Compact Flash memory card ...

Page 84: ...tion and Configuration Guide Version 4 1 78 15597 02 Step 3 Press until the compact flash device is fully seated in the connector Step 4 Replace the hard disk drive See Replacing the Hard Disk Drive page 3 20 for the procedure Step 5 Replace the chassis cover See Replacing the Chassis Cover page 3 15 for the procedure 87962 Compact Flash memory card ...

Page 85: ...ocedures when installing and removing the 4FE card You can order the IDS 4215 with the 4FE card already installed or you can upgrade your IDS 4215 with the 4FE card to have four additional interfaces This section contains the following topics Removing the 4FE Card page 3 25 Installing the 4FE Card page 3 27 Removing the 4FE Card To remove the 4FE card follow these steps Step 1 Log in to the CLI St...

Page 86: ... See Removing the Chassis Cover page 3 13 for the procedure Step 7 Loosen the single captive screw that holds the 4FE card s connecting flange to the back cover plate Step 8 Loosen the two captive screws from the back cover on the left and put the back cover aside Step 9 Grasp the 4FE card and pull it out of the slot and through the cage opening Step 10 Replace the lower slot cover from the back c...

Page 87: ...IDS 4215 Removing and Installing the 4FE Card Step 12 Replace the chassis cover See Replacing the Chassis Cover page 3 15 for the procedure Installing the 4FE Card We recommend that you install the 4FE card in the bottom slot We do not support installation of the 4FE card in the top slot Note Only one 4FE card is supported on the IDS 4215 87949 ...

Page 88: ...own message before continuing with Step 2 Step 2 Power off the appliance Step 3 Remove the power cord and other cables from the appliance Step 4 Place the appliance in an ESD controlled environment See Working in an ESD Environment page 1 21 for more information Step 5 Remove the chassis cover See Removing the Chassis Cover page 3 13 for the procedure Step 6 Loosen the two captive screws from the ...

Page 89: ... the 4FE Card Note When you insert a 4FE card in the slot the end of the card s connector extends past the end of the slot This does not affect the use or operation of the card Step 8 Remove the lower slot cover from the back cover plate Step 9 Attach the back cover plate making sure that the connecting flange on the 4FE card goes through the slot on the back cover plate 61904 ...

Page 90: ...e single captive screw to hold the 4FE card s connecting flange to the back cover plate and tighten the captive screws to attach the back cover plate to the appliance Step 11 Replace the chassis cover See Replacing the Chassis Cover page 3 15 for the procedure You will need to assign the new interfaces int2 int3 int4 and int5 See Assigning and Enabling the Sensing Interface page 10 9 for the proce...

Page 91: ...ecent Cisco IDS software version See Upgrading the Memory page 2 3 for more information Note If you are upgrading an IDS 4220 E or IDS 4230 FE appliance to 4 x software you must swap the command and control interface cable with the sensing interface cable before you upgrade the software See Upgrading the IDS 4220 E and IDS 4230 FE to 4 x Software page 4 5 for more information This chapter contains...

Page 92: ...the appearance of the front panel indicators on the IDS 4220 and IDS 4230 Figure 4 2 on page 4 3 shows the back panel features the onboard NIC and the SMC9432FTX network card indicators of the IDS 4220 and IDS 4230 97356 Power switch Reset switch Power indicator Hard drive indicator Cisco 4220 POWER RESET Table 4 1 Front Panel Indicators Indicator Color Status Power Green Lights up when system is ...

Page 93: ...ing port indicators for the IDS 4220 and 4230 The SMC9432FTX network card includes four status indicators 87952 Transmit Receive Valid Link SMC9432TX Onboard NIC Table 4 2 On board NIC Indicators Indicator Color Status Orange Lights up when there is a 100 Mbps connection off when there is a 10 Mbps network connection Green Lights up when linked to the network and there is no network traffic blinks...

Page 94: ... a serial cable to connect to the appliance s console port The following keyboards and monitors have been tested with the IDS 4220 and IDS 4230 Keyboards KeyTronic E03601QUS201 C KeyTronic LT DESIGNER Monitors MaxTech XT 7800 Dell D1025HT Table 4 3 SMC NIC Indicators Indicator Color Status LNK Green Lights up to indicate a valid 10BASE T 100BASE TX or 100BASE FX link off when power is off or conne...

Page 95: ... and IDS 4230 FE to 4 x Software If you are upgrading an IDS 4220 E or IDS 4230 FE appliance to 4 x software you must swap the command and control interface cable with the sensing interface cable before you upgrade the software For IDS software 4 x the former command and control interface is now the sensing interface as shown in Figure 4 3 Figure 4 3 IDS 4220 E and IDS 4230 FE Interface Cables Cau...

Page 96: ...ure for upgrading your IDS 4220 and IDS 4230 to version 4 x software If you have already swapped the cables and upgraded to 4 0 see Obtaining Cisco IDS Software page 9 1 for the procedure for obtaining the 4 1 software Installing the IDS 4220 and IDS 4230 Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Be sure to re...

Page 97: ...uded in the accessory kit rather than a keyboard and monitor because some keyboards and monitors are incompatible with the appliance See Recommended Keyboards and Monitors page 4 4 for a list of compatible monitors and keyboards Note You can use a 180 rollover or straight through patch cable to connect the appliance to a port on a terminal server with RJ 45 or hydra cable assembly connections Use ...

Page 98: ... memory on the IDS 4220 to a minimum of 512 MB before you can install the most recent Cisco IDS software version Step 6 Power on the appliance Step 7 Initialize your appliance See Initializing the Sensor page 10 2 for the procedure Step 8 Upgrade your appliance to the most recent Cisco IDS software See Obtaining Cisco IDS Software page 9 1 for the procedure Step 9 Assign the interfaces See Assigni...

Page 99: ...PCI cards Note The 250 Mbps performance for the IDS 4235 is based on the following conditions 2500 new TCP connections per second 2500 HTTP transactions per second average packet size of 445 bytes system running Cisco IDS 4 1 sensor software The Cisco IDS 4250 supports a 500 Mbps speed and can be used to protect gigabit subnets and traffic traversing switches that are being used to aggregate traff...

Page 100: ... Mbps performance for the IDS 4250 XL is based on the following conditions 5000 new TCP connections per second 5000 HTTP transactions per second average packet size of 595 bytes system running Cisco IDS 4 1 sensor software This chapter describes the IDS 4235 and IDS 4250 and how to install them It also describes the accessories and how to install them This chapter contains the following sections F...

Page 101: ... appliance in a rack When you push one of these buttons the blue system status indicator on the front and back blinks until you push one of the buttons again The front panel also has a video connector for connecting a monitor and a PS 2 connector for connecting a keyboard Table 5 1 on page 5 4 describes the appearance of the front panel indicators for the IDS 4235 and IDS 4250 1 2 Not used 87958 1...

Page 102: ...ors LED Indicator Icon Description Blue and amber system status indicator The blue system status indicator lights up during normal system operation The amber system status indicator flashes when the system needs attention due to a problem with power supplies fans system temperature or hard drives 1 1 If the system is connected to AC power and an error has been detected the amber system status indi...

Page 103: ...e 5 6 lists the IDS 4235 and IDS 4250 specifications 83724 Command and Control interface int1 Sensing interface int0 Main power Redundant power optional PCI expansion card slots Sensing interface 4250 SX int2 4250 XL int2 int3 4250 4FE int2 int3 int4 int5 SCSI interface unused System status indicator blue and amber Serial connector Com1 Video connector Keyboard connector Mouse connector unused Sys...

Page 104: ...le remove the hard disk drive and insert the replacement hard disk drive See Removing and Replacing the SCSI Hard Disk Drive page 5 20 for the procedure The replacement hard disk drive is shipped blank from the factory You must reimage it See Reimaging the Appliance page 10 110 for the procedure Table 5 2 IDS 4235 and IDS 4250 Specifications Dimensions and Weight Height 1 67 in 4 24 cm Width 17 6 ...

Page 105: ...it If your version is A01 A02 or A03 you must upgrade the BIOS to version A04 To create and boot the IDS 4235 or IDS 4250 BIOS upgrade diskette follow these steps Step 1 Copy BIOS_A04 exe to a Windows system You can find the file in the BIOS directory on the recovery upgrade CD or you can download it from Cisco com See Obtaining Cisco IDS Software page 9 1 for the procedure for downloading IDS sof...

Page 106: ... The IDS 4250 XL has a TCP reset interface INT0 The IDS 4250 XL has a specific TCP reset interface because it cannot send TCP resets on its monitoring ports If you have reset problems with the IDS 4250 XL try the following Make sure the TCP reset interface of the IDS 4250 XL int0 is connected to the same switch as the sensing ports int2 and int3 of the XL card If the sensing ports are access ports...

Page 107: ...y procedures when performing these steps To install the IDS 4235 and IDS 4250 on your network follow these steps Step 1 Position the appliance on the network See Placing an Appliance on Your Network page 1 6 for information on the best places to position an appliance Step 2 Attach the power cord to the appliance and plug it in to a power source a UPS is recommended Step 3 Use the dual serial commu...

Page 108: ...h RJ 45 or hydra cable assembly connections Use a M A S H adapter part number 29 4077 02 to connect the appropriate cable to a port on the terminal server See Setting Up a Terminal Server page 1 9 for the instructions for setting up a terminal server Step 4 Attach the network cables int0 is the sensing port int1 is the command and control port int2 is the optional SX fiber NIC sensing port int2 an...

Page 109: ...g Cisco IDS Software page 9 1 for the procedure Step 8 Assign the interfaces See Assigning and Enabling the Sensing Interface page 10 9 for the procedure You are now ready to configure intrusion detection on your appliance Installing the Accessories This section describes the contents of the IDS 4235 and the IDS 4250 accessories package and how to install the accessories This section contains thes...

Page 110: ...S 4250 bezel Power cable Network patch cable Dual serial communication cable Serial extension adapter M A S H adapter Documentation and software Cisco IDS recovery upgrade CD Cisco Documentation CD Cisco Intrusion Detection System IDS Hardware and Software Version 4 1 Documentation Guide Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sen...

Page 111: ...side tab on the bezel with the slot on the appliance mounting tab b Press the left side of the bezel into place on the appliance Step 2 To remove the bezel press the left side tab and pull Installing the Power Supply You can install a second redundant power supply and power supply cooling fan part number IDS PWR in your appliance Caution Be sure to read the safety warnings in the Regulatory Compli...

Page 112: ...he chassis b Press the chassis release button to release the left side of the cover c Lift the left side of the cover using the tab at the back of the appliance d Lift the right side of the cover using the tab at the back of the appliance Step 7 Place the new power supply cooling fan in the back of the power supply bay see Figure 5 4 on page 5 15 Note Ensure that the finger guard on the fan faces ...

Page 113: ...Accessories Warning The connectors on the Power Distribution Board PDB contain high voltages Do not remove the metal cover from the PDB or touch the connectors on the PDB or power supplies Step 10 Slide the power supply toward the PDB until the power supply edge connector is fully seated in the PDB connector see Figure 5 4 Figure 5 4 Power Supply and Power Supply Cooling Fan 78106 ...

Page 114: ...sensing interface part number IDS 4250 SX INT You can install the SX card in the upper PCI slot on the IDS 4250 series appliances XL card accelerated 1000BASE SX interface with MTRJ part number IDS XL INT You can install the XL card in the upper PCI slot in the IDS 4250 series appliances The XL card accelerates the performance of the IDS 4250 up to 1 Gbps You can use an MTRJ cable part number CAB ...

Page 115: ...ower PCI slot The IDS 4235 supports only the 4FE card in the lower PCI slot To install the PCI card follow these steps Step 1 Log in to the CLI Step 2 Prepare the appliance to be powered off sensor reset powerdown Wait for the power down message before continuing with Step 3 Note You can also power down the sensor from IDM or IDS MC Step 3 Power off the appliance Step 4 Remove the power cord and o...

Page 116: ... 4250 supports only one of the following cards in a PCI slot the SX card upper PCI slot the XL card upper PCI slot or the 4FE card lower PCI slot The IDS 4235 supports only the 4FE card in the lower PCI slot Step 9 Check the back of the chassis to be sure the card is flush with the PCI slot and then return the PCI slot release to its original position to lock the PCI slot card in place Step 10 Clo...

Page 117: ... ports are connected Disconnect the fiber ports before you boot up the appliance After the appliance starts for the first time the firmware version is upgraded and the problem is not seen again Note You will not experience this problem if you order the IDS 4250 XL with the XL card already installed because the appliance is rebooted at the factory To allow the appliance to reboot after installing t...

Page 118: ... a spare drive part number IDS SCSI apply your configuration and ship the drive to a remote site The administrator at the remote site can then install the configured drive Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when removing and replacin...

Page 119: ...ins these topics Removing the SCSI Hard Disk Drive page 5 21 Replacing the SCSI Hard Disk Drive page 5 22 Removing the SCSI Hard Disk Drive To remove the SCSI hard disk drive follow these steps Step 1 Log in to the CLI Step 2 Prepare the appliance to be powered off sensor reset powerdown Wait for the power down message before continuing with Step 3 Note You can also power down the sensor from IDM ...

Page 120: ...er down message before continuing with Step 3 Note You can also power down the sensor from IDM or IDS MC Step 3 Power off the appliance by pressing the power button Step 4 Remove the front bezel See Installing and Removing the Bezel page 5 12 for the procedure Step 5 Open the hard disk drive handle Step 6 Insert the hard disk drive into the drive bay Step 7 Close the hard disk drive handle to lock...

Page 121: ...is section contains these topics Recommended Tools and Supplies page 5 23 Rack Kit Contents page 5 23 Installing the Slide Assemblies page 5 24 Installing the Appliance in the Rack page 5 26 Installing the Cable Management Arm page 5 28 Routing the Cables page 5 32 Recommended Tools and Supplies You need these tools and supplies to install the appliance in a four post rack cabinet 2 Phillips screw...

Page 122: ...oles marked with a horizontal line on some rack cabinets Step 3 Place a mark 44 mm 1 75 inches above the original mark you made or count up three holes and mark the rack s front vertical rails to indicate where the appliance s upper edge will be located on the vertical rails Note Mark 1 RU 44 mm or 1 75 inches of vertical space for each appliance you install in the rack Step 4 At the front of the ...

Page 123: ...de Version 4 1 78 15597 02 Chapter 5 Installing the IDS 4235 and IDS 4250 Installing the Accessories Figure 5 6 Slide Assemblies Step 6 At the back of the cabinet pull back on the mounting bracket flange until the mounting holes align with their respective holes on the back vertical rail 78109 ...

Page 124: ...nent out of the rack at a time To install the appliance in the rack follow these steps Step 1 Pull the two slide assemblies out of the rack until they lock in the fully extended position Caution Because of the size and weight of the appliance never attempt to install the appliance in the slide assemblies by yourself Step 2 Remove the appliance front bezel by pressing the left side tab and pulling ...

Page 125: ... Installing the IDS 4235 and IDS 4250 Installing the Accessories The appliance release latch moves forward and then snaps back as the shoulder screw passes into the front slot Note Use the appliance release latch when you want to remove the appliance from the slide assemblies Figure 5 7 Installing the Appliance in the Rack 78110 ...

Page 126: ... rack cabinet as viewed from the back Tip If you are installing several appliances in the rack consider installing the cable management arms on alternating sides of the rack for ease in cable routing To install the cable management arm follow these steps Step 1 Facing the back of the rack cabinet locate the latch on the end of the right slide assembly that you secured to the back vertical rail Ste...

Page 127: ...lock prevents the backward travel of the cable management arm and supports the weight of the arm with its load of installed cables Note The two post rack kit has two stop blocks one for right side mounting and one for left side mounting You can only install the proper stop block Figure 5 8 Cable Management Arm Step 5 Install the status indicator cable plug into its connector see Figure 5 9 on page...

Page 128: ...utton on the front of the forward part of the arm and lifting the wire over the top of a similar round button on the back part of the arm The wire cover swings open to enable cables to be routed within the arm Step 7 Route the status indicator end of the cable assembly through the cable management arm and install the indicator in its slot at the back end of the cable management arm see Figure 5 9 ...

Page 129: ...commodate power cords with a bend radius of up to 19 millimeters 0 75 inch use only the power cords provided with the appliance Step 9 Install a tie wrap through the slot on the strain relief tab see Figure 5 10 Step 10 Bend the power cords back beside the power receptacle housing and form a tight loop Install the strain relief tie wrap loosely around the looped power cord see Figure 5 10 Figure 5...

Page 130: ...to their respective connectors on the appliance back panel For details on the cable connections see Installing the IDS 4235 and IDS 4250 page 5 9 Step 2 Route the power and I O cables through the cable management arm using four loosely secured releaseable tie wraps two in the middle and on each end of the cable management arm Note Do not fully tighten the tie wraps at this time see Figure 5 11 on ...

Page 131: ...ront vertical rail b Slide the appliance forward to the fully extended position c Route the cables along the cable management arm making any adjustments to the cable slack at the hinge positions and secure the cables to the cable management arm with the releaseable tie wraps and the wire covers over the cable management arm Note As you pull the appliance out to its farthest extension the slide ass...

Page 132: ...arning Because of the size and weight of the rack cabinet doors never attempt to remove or install them by yourself Two Post Rack Installation You can install the two post rack part number IDS RAIL 2 in a center mount or flush mount configuration The two post kit incorporates slide assemblies that enable the appliance to be pulled out of the rack for servicing You must properly secure the two post...

Page 133: ...ppliance in a two post open frame relay rack 2 Phillips screwdriver 11 32 inch wrench or nut driver if changing bracket to flush mount configuration Masking tape or felt tip pen to mark the mounting holes Rack Kit Contents The two post rack kit includes One pair of slide assemblies two post One cable management arm One status indicator cable assembly Two stop blocks Eight 12 24 x 0 5 inch pan head...

Page 134: ...e Each 1 RU 44 mm or 1 75 inches of vertical space on a rack with universal hole spacing has three holes with center to center spacing between the holes beginning at the top of a 1 RU space of 15 9 mm 15 9 mm and 12 7 mm 0 625 inches 0 625 inches and 0 5 inches Installing the Slide Assemblies in the Rack You can install the slide assemblies in a two post open frame relay rack having either univers...

Page 135: ...lide assembly and push the back bracket toward the back of the slide assembly see Figure 5 12 on page 5 38 Step 2 Position the right slide assembly in the two post rack at the location you marked push the back bracket forward against the vertical two post rack and secure the front and rear center mounting brackets to the rack with two 12 24 x 0 5 inch pan head Phillips screws Figure 5 12 on page 5...

Page 136: ...4235 and IDS 4250 Installing the Accessories 5 38 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 Figure 5 12 Slide Assemblies for Center Mount Configuration 78105 ...

Page 137: ... 11 32 inch wrench or nut driver remove two 12 24 x 0 5 inch pan head Phillips screws two nuts and two shoulder washers from each front center bracket see Figure 5 13 on page 5 40 Step 3 Remove the front bracket from both slide assemblies Step 4 Place the bracket from one slide assembly onto the threaded studs on the opposite slide assembly with the bracket turned 180 degrees so that the mounting ...

Page 138: ... location you marked adjust the extended rear bracket tightly against the back of the vertical two post rack and secure it to the two post rail with two 12 24 x 0 5 inch pan head Phillips screws see Figure 5 14 on page 5 41 Step 9 Secure the front bracket on the slide assembly to the two post rail with two 12 24 x 0 5 inch pan head Phillips screws see Figure 5 14 on page 5 41 Step 10 Repeat Steps ...

Page 139: ...m Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 Chapter 5 Installing the IDS 4235 and IDS 4250 Installing the Accessories Figure 5 14 Installing the Slide Assemblies for Flush Mount Configuration 78108 ...

Page 140: ...Chapter 5 Installing the IDS 4235 and IDS 4250 Installing the Accessories 5 42 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 ...

Page 141: ...nd is inline ready It replaces the IDS 4235 There are four 10 100 1000 copper sniffing interfaces Note The 250 Mbps performance for the IPS 4240 is based on the following conditions 2500 new TCP connections per second 2500 HTTP transactions per second average packet size of 445 bytes system running Cisco IDS 4 1 sensor software The 250 Mbps performance is traffic combined from all four sniffing in...

Page 142: ...om all four sniffing interfaces Note The IPS 4240 and the IPS 4255 do not support redundant power supplies This chapter describes the IPS 4240 and the IPS 4255 and how to install them It also describes the accessories and how to install them This chapter contains the following topics Front and Back Panel Features page 6 2 Specifications page 6 5 Accessories page 6 6 Rack Mounting page 6 7 Installi...

Page 143: ...e IPS 4240 114003 PWR STATUS FLASH Cisco IPS 4240 series Intrusion Prevention Sensor Power Flash Status Table 6 1 Front Panel Indicators Indicator Description Power Off indicates no power Green when the power supply is running Status Blinks green while the power up diagnostics are running or the system is booting Green when the system has passed power up diagnostics Amber when the power up diagnos...

Page 144: ...thernet ports which have two indicators per port Figure 6 3 Ethernet Port Indicators 114002 LINK SPD 3 LINK SPD 2 LINK SPD 1 LINK SPD 0 MGMT USB2 USB1 FLASH CONSOLE AUX P O W E R S T A T U S F L A S H Power connector Power switch Indicator light Auxiliary port not used Serial console port External compact flash device not used Compact flash device indicator Status indicator Power indicator Sensing...

Page 145: ...t side Green solid Green blinking Physical link Network activity Right side Not lit Green Amber 10 Mbps 100 Mbps 1000 Mbps Table 6 3 IPS 4240 IPS 4255 Specifications Dimensions and Weight Height 1 72 in 4 3688 cm Width 17 25 in 43 815 cm Depth 14 5 in 36 83 cm Weight 11 5 lb 4 11 kg Form factor 1 RU standard 19 inch rack mountable Expansion One chassis expansion slot not used Power Autoswitching 1...

Page 146: ...f each warning to locate its translation in the translated safety warnings that accompanied this device Statement 1071 SAVE THESE INSTRUCTIONS Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Environment Temperature Operating 32 F to 104 F 0 C to 40 C Nonoperating 13 F to 158 F 25 C to 70 C Relative humidity Operating 5 to 9...

Page 147: ...it contains the following DB25 connector DB9 connector Rack mounting kit screws washers and metal bracket RJ45 console cable Two 6 ft Ethernet cables Rack Mounting To rack mount the IPS 4240 IPS 4255 follow these steps Step 1 Attach the bracket to the appliance using the supplied screws You can attach the brackets to the holes near the front of the appliance 114016 Cisco IPS 4240 series Intrusion ...

Page 148: ...jack you can use for ESD grounding purposes when you are servicing the system You can use the two threaded holes to mount a ground lug to ground the chassis Step 2 Use the supplied screws to attach the appliance to the equipment rack Step 3 To remove the appliance from the rack remove the screws that attach the appliance to the rack and then remove the appliance 114017 PWR STATUS FLASH Cisco ASA 4...

Page 149: ...these steps Step 1 Position the appliance on the network See Placing an Appliance on Your Network page 1 6 for information on the best places to position an appliance Step 2 Place the appliance in a rack if you are rack mounting it See Rack Mounting page 6 7 for the procedure Step 3 Attach the power cord to the appliance and plug it in to a power source a UPS is recommended Step 4 Connect the cabl...

Page 150: ... cable assembly connections Connect the appropriate cable from the console port on the appliance to a port on the terminal server See Setting Up a Terminal Server page 1 9 for the instructions for setting up a terminal server Step 5 Connect the RJ 45 connector to the console port and connect the other end to the DB 9 or DB 25 connector on your computer Step 6 Attach the network cables 114418 RJ 45...

Page 151: ...e Step 8 Initialize your appliance See Initializing the Sensor page 10 2 for the procedure Step 9 Upgrade your appliance with the most recent Cisco IDS software See Obtaining Cisco IDS Software page 9 1 for the procedure Step 10 Assign the interfaces See Assigning and Enabling the Sensing Interface page 10 9 for the procedure Note The interfaces are disabled by default You are now ready to configu...

Page 152: ...hapter 6 Installing the IPS 4240 and IPS 4255 Installing the IPS 4240 and IPS 4255 6 12 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 ...

Page 153: ...he NM CIDS is referred to as the Cisco IDS network module This chapter contains the following sections Specifications page 7 1 Software and Hardware Requirements page 7 2 Front Panel Features page 7 5 Installation and Removal Instructions page 7 6 Specifications Table 7 1 lists the specifications for the NM CIDS Table 7 1 NM CIDS Specifications Specification Description Dimensions H x W x D 1 55 x...

Page 154: ...runs in the Cisco IOS with the IDS that runs on the NM CIDS The NM CIDS runs Cisco IDS version 4 1 Because performance can be reduced and duplicate alarms can be generated we recommend that you do not run Cisco IOS IDS and Cisco IDS 4 1 simultaneously The NM CIDS supports the following feature sets IOS IP FW IDS IOS IP FW IDS PLUS IPSEC 56 IOS IP FW IDS PLUS IPSEC 3DES IOS IP IPX AT DEC FW IDS PLU...

Page 155: ...s only support one NM CIDS per chassis Table 7 3 lists the hardware specifications for the NM CIDS Table 7 2 Supported and Unsupported Platforms Router NM CIDS Cisco 2600 series No Cisco 2600XM series Yes Cisco 2691 Yes Cisco 3620 No Cisco 3631 No Cisco 3640 Cisco 3640A No Cisco 3660 Yes Cisco 3725 Yes Cisco 3745 Yes Table 7 3 Hardware Requirements Feature Description Processor 500 Mhz Intel Mobil...

Page 156: ... duplex interface between the router and the module Back to back UART which provides console access from router side Console access to the module from the router External FE interface which provides a command and control interface Figure 7 1 shows the hardware architecture of the NM CIDS Figure 7 1 NM CIDS Hardware Architecture 119517 Router Controlled by IOS Controlled by IDS Console Router CPU M...

Page 157: ...router side fast ethernet interface is known as interface IDS Sensor This interface name appears in the show interface and show controller commands You must assign the IP address to the interface to get console access to the IDS NM CIDS EN PWR FastEthernet 0 DISK LINK ACT 97349 DISK PWR EN LINK ACT Table 7 4 Status Indicators Indicator Description ACT Activity on the fast ethernet connection DISK ...

Page 158: ... turn OFF electrical power and disconnect network cables before you insert the NM CIDS into a chassis slot or remove the NM CIDS from a chassis slot Cisco 3660 and Cisco 3700 series routers allow you to replace network modules without switching off the router or affecting the operation of other interfaces Online insertion and removal OIR provides uninterrupted operation to network users maintains ...

Page 159: ...contains the following topics Installing the NM CIDS Offline page 7 7 Installing an NM CIDS Using OIR Support page 7 10 Installing the NM CIDS Offline You can install the NM CIDS in the chassis either before or after mounting the router whichever is more convenient Warning Only trained and qualified personnel should be allowed to install or replace this equipment To see translations of the warning...

Page 160: ...aker to the OFF position and tape the switch handle of the circuit breaker in the OFF position Step 3 Using either a 1 Phillips screwdriver or a small flat blade screwdriver remove the blank filler panel from the chassis slot where you plan to install the NM CIDS Save the blank panel for future use Step 4 Align the NM CIDS with the guides in the chassis and slide it gently into the slot Step 5 Pus...

Page 161: ...mmand and control port to a hub or switch Step 9 Check that the NM CIDS indicators light up and that the Active Ready indicators on the front panel also light up Step 10 Initialize the NM CIDS See Initializing the Sensor page 10 2 for the procedure Step 11 Upgrade your NM CIDS to the latest Cisco IDS software See Obtaining Cisco IDS Software page 9 1 for the procedure Step 12 Assign the interfaces...

Page 162: ...rtion of the NM CIDS Step 2 Push the NM CIDS into place until you feel its edge connector mate securely with the connector on the backplane Step 3 Tighten the two captive screws on the faceplate Step 4 Connect the command and control port to a hub or switch 18031 VCC OK SYSTEM FDX LINK 100Mbps FDX 1 0 LINK 100Mbps ETH 0 ETH 3 ETHERNET 4E ETH 2 ETH 1 1 2 3 ACT LINK 0 VOICE 2V V0 V1 EN HIGH SPEED SE...

Page 163: ... for the procedure Step 7 Upgrade your NM CIDS to the latest Cisco IDS software See Obtaining Cisco IDS Software page 9 1 for the procedure Step 8 Assign the interfaces See Assigning and Enabling the Sensing Interface page 10 9 for the procedure You are now ready to configure intrusion detection on your NM CIDS Removing the NM CIDS This section contains the following topics Removing the NM CIDS Of...

Page 164: ...2 SERVICEMODULE 5 SHUTDOWN2 Service module IDS Sensor1 0 shutdown complete Step 2 Turn OFF electrical power to the router To channel ESD voltages to ground do not unplug the power cable Step 3 Unplug the command and control network interface cable from the NM CIDS Step 4 Loosen the two captive screws holding the NM CIDS in the chassis slot Step 5 Slide the NM CIDS out of the slot Note Either insta...

Page 165: ...r 0 shutdown Trying 10 10 10 1 2129 Open Wait for the shutdown message before continuing with Step 2 SERVICEMODULE 5 SHUTDOWN2 Service module IDS Sensor1 0 shutdown complete Step 2 Unplug the command and control network interface cable from the NM CIDS Step 3 Loosen the two captive screws holding the NM CIDS in the chassis slot Step 4 Slide the NM CIDS out of the slot 18031 VCC OK SYSTEM FDX LINK ...

Page 166: ...placement NM CIDS see Installing an NM CIDS Using OIR Support page 7 10 for the procedure or install a blank panel see Blank Network Module Panels page 7 14 for the procedure Blank Network Module Panels If the router is not fully configured with network modules make sure that blank panels fill the unoccupied chassis slots to provide proper airflow as shown in Figure 7 4 Figure 7 4 Blank Network Mo...

Page 167: ...ns the following sections Specifications page 8 1 Software and Hardware Requirements page 8 2 Supported IDSM 2 Configurations page 8 3 Front Panel Description page 8 4 Installation and Removal Instructions page 8 5 Specifications Table 8 1 lists the specifications for the IDSM 2 Table 8 1 IDSM 2 Specifications Specification Description Dimensions H x W x D 1 18 x 15 51 x 16 34 in 30 x 394 x 415 mm...

Page 168: ... later with supervisor engine 2 with MSFC2 or PFC2 Cisco IOS software release 12 2 14 SY with supervisor engine 2 with MSFC2 Cisco IOS software release 12 1 19 E or later with supervisor engine 2 with MSFC2 Cisco IOS software release 12 1 19 E1 or later with supervisor engine 1a with MSFC2 Cisco IOS software release 12 2 14 SX1 with supervisor engine 720 Cisco IDS software release 4 0 or later Any...

Page 169: ...1 Supervisor 1A with PFC1 or MSFC1 X X X1 1 VACL blocking by the IDSM 2 is supported on Catalyst software and not on Cisco IOS for this configuration X 7 5 1 2 2 Cisco IOS is supported on Supervisor 1A with PFC1 or MSFC1 however the IDSM 2 is not supported on this configuration Supervisor 1A PFC2 or MSFC2 X X X3 3 VACL blocking by the IDSM 2 is supported on Catalyst software and not on Cisco IOS f...

Page 170: ... VLAN the sensing ports and reset port all must have the same native VLAN and the reset port must trunk all the VLANs being trunked by both the sensing ports Front Panel Description The IDSM 2 see Figure 8 1 has a status indicator and a Shutdown button Figure 8 1 IDSM 2 Front Panel Status Indicator Table 8 3 describes the IDSM 2 states as indicated by the status indicator INTRUSION DETECTION MODUL...

Page 171: ...ing through a shutdown procedure can corrupt the application partition on your module and result in data loss Installation and Removal Instructions All Catalyst 6500 series switches support hot swapping which lets you install remove replace and rearrange modules without turning off the system power to the switch When the system detects that a module has been installed or removed it runs diagnostic...

Page 172: ...handle the IDSM 2 always use a wrist strap or other grounding device to prevent serious damage from electrostatic discharge ESD See Working in an ESD Environment page 1 21 for more information Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Slot Assignments The Catalyst 6006 and 6506 switch chassis each have six slots The C...

Page 173: ...2 in the Catalyst 6500 series switch follow these steps Step 1 Make sure that you take necessary ESD precautions Warning During this procedure wear grounding wrist straps to avoid ESD damage to the card Do not touch the backplane with your hand or any metal tool or you could shock yourself See Working in an ESD Environment page 1 21 for more information Step 2 Choose a slot for the IDSM 2 Note You...

Page 174: ... R M G M T RESET CONSOLE Switch Load 100 1 DTE DCE PCMCIA EJECT PORT 1 LI NK PORT 2 LI NK 8 PORT GIGABIT ETHERNET WS X6408 1 L IN K S T A T U S 2 3 4 5 6 7 8 L IN K L IN K L IN K L IN K L IN K L IN K L IN K 8 PORT GIGABIT ETHERNET WS X6408 1 L IN K S T A T U S 2 3 4 5 6 7 8 L IN K L IN K L IN K L IN K L IN K L IN K L IN K 8 PORT GIGABIT ETHERNET WS X6408 1 L IN K S T A T U S 2 3 4 5 6 7 8 L IN K L...

Page 175: ... GIGABIT ETHERNET WS X6408 1 L IN K S T A T U S 2 3 4 5 6 7 8 L IN K L IN K L IN K L IN K L IN K L IN K L IN K 8 PORT GIGABIT ETHERNET WS X6408 1 L IN K S T A T U S 2 3 4 5 6 7 8 L IN K L IN K L IN K L IN K L IN K L IN K L IN K 8 PORT GIGABIT ETHERNET WS X6408 1 L IN K S T A T U S 2 3 4 5 6 7 8 L IN K L IN K L IN K L IN K L IN K L IN K L IN K 24 PORT 100FX WS X6224 STATUS 24 PORT 100FX WS X6224 24...

Page 176: ...to halt and subsequently crash Note If you perform a hot swap the console displays the message Module x has been inserted This message does not appear however if you are connected to the Catalyst 6500 series switch through a Telnet session Step 9 Use a screwdriver to tighten the installation screws on the left and right ends of the IDSM 2 Step 10 Verify that you have correctly installed the IDSM 2...

Page 177: ...See Copying IDS Traffic page 10 90 for the procedure You are now ready to configure the IDSM 2 for intrusion detection Verifying the IDSM 2 Installation Verify that the switch acknowledges the new IDSM 2 and has brought it online To verify the installation follow these steps Step 1 Log in to the console Step 2 For Catalyst software verify that the IDSM 2 is online by typing the following cat6k ena...

Page 178: ...Sub Hw Sub Sw 1 L3 Switching Engine II WS F6K PFC2 SAD044302BP 1 0 9 IDS 2 accelerator board WS SVC IDSUPG 2 0 console enable Step 3 For Cisco IOS software verify that the IDSM 2 is online by typing the following Router show module Mod Ports Card Type Model Serial No 1 2 Catalyst 6000 supervisor 2 Active WS X6K SUP2 2GE SAD060300AR 2 48 SFM capable 48 port 10 100 1000mb RJ45 WS X6548 GE TX SAD0748...

Page 179: ...e online See Enabling a Full Memory Test page 10 99 for information on enabling a full memory test after verifying the IDSM 2 installation Removing the IDSM 2 This procedure describes how to remove the IDSM 2 from the Catalyst 6500 series switch Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Before removing the IDS...

Page 180: ... If the IDSM 2 is removed from the switch chassis without first being shut down or the chassis loses power you may need to reset the IDSM 2 more than once See Resetting the IDSM 2 page 10 101 for the procedure If the module fails to respond after three reset attempts boot the maintenance partition and perform the instructions for restoring the application partition See Reimaging the IDSM 2 page 10...

Page 181: ... floor Step 7 Place the IDSM 2 on an antistatic mat or antistatic foam Step 8 If the slot is to remain empty install a filler plate part number 800 00292 01 to keep dust out of the chassis and to maintain proper airflow through the module compartment Warning Blank faceplates and cover panels serve three important functions they prevent exposure to hazardous voltages and currents inside the chassis...

Page 182: ...Chapter 8 Installing the IDSM 2 Installation and Removal Instructions 8 16 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 ...

Page 183: ...he Recovery Upgrade CD with the Appliance page 9 9 Applying for a Cisco com Account with Cryptographic Access page 9 11 IDS Bulletin page 9 12 Obtaining Cisco IDS Software You can find IDS Event Viewer signature updates service pack updates BIOS upgrades Readmes and other software updates at Downloads on Cisco com Note You must be logged into Cisco com to access Downloads Periodic signature update...

Page 184: ...Under Cisco Secure Software click Cisco Intrusion Detection System IDS Step 6 On the Software Center Downloads page locate your sensor and then under Version 4 x click the applicable software link for example Latest Service Pack Minor and Major Updates For BIOS upgrades click Firmware Step 7 On the Software Download page click the file you need To sort by Filename Release Date or Size select the o...

Page 185: ...les recovery files and application files are unique per platform IDS Software Versioning This section describes how to interpret IDS software versioning This section contains the following topics IDS Software Image Naming Conventions page 9 3 4 x Software Release Examples page 9 6 IDS Software Image Naming Conventions When you download IDS software images from Cisco com you should understand the v...

Page 186: ...ersion upgrades contain all previous minor features service pack fixes and signature updates since the last major version and the new minor features being released Service packs are cumulative following a base version release minor or major Service packs are used for the release of defect fixes with no new enhancements Service packs contain all service pack fixes and signature updates since the la...

Page 187: ...disk drive partition on appliances that contains a full IDS application image to be used for recovery Application partition image file IDSM 2 and NM CIDS An application partition image file is a full IDS application image that can be used to reimage the application partition of the IDSM 2 and the NM CIDS Application partition image files are released when new major or minor version upgrades are re...

Page 188: ...4 x Software Release Examples Table 9 1 lists platform independent IDS 4 x software release examples Refer to Readmes that accompany the software files for detailed instructions on how to install the files See Obtaining Cisco IDS Software page 9 1 for instructions on how to access these files on Cisco com Table 9 1 Platform Independent Release Examples Release Target Frequency Identifier Supported...

Page 189: ...ion image2 2 The application partition image includes the full image for the application partition Semi annually a IDSM 2 NM CIDS WS SVC IDSM2 K9 a 4 0 1 S29 bin gz NM CIDS K9 a 4 1 1 S29 bin gz Maintenance partition image3 Annually mp IDSM 2 only mp 2 1 1 bin gz Full image for recovery partition IDS IPS appliances only 4 Semi annually r IDS 4210 IDS 4220 IDS 4230 IDS 4235 IDS 4250 IDS 4215 IPS 42...

Page 190: ...r sensor polls for updates Refer to Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4 1 for the procedure for configuring Auto Update through IDS Device Manager 3 The maintenance partition image includes the full image for the maintenance partition The file is platform specific If you have to recover the IDSM 2 from the maintenance partition the ap...

Page 191: ...tion Image page 10 111 for the procedure For the IPS appliances use the ROMMON to restore the system image See Installing the IDS 4215 System Image page 10 113 and Installing the IPS 4240 and IPS 4255 System Image page 10 116 for the procedures For NM CIDS use the bootloader See Reimaging the NM CIDS Application Partition page 10 119 for the procedure For IDSM 2 use the recover command See Reimagi...

Page 192: ... may take a while d Click View Results The results are displayed in a report e To save the diagnostics report select Menu Save As in your browser Step 2 Insert the recovery upgrade CD into the CD ROM drive Step 3 Power off the appliance and then power it back on The boot menu appears which lists important notices and boot options IDS 4220 4230 customers Sniffing and Command and Control interfaces ...

Page 193: ... The default username and password are both cisco Step 6 You are prompted to change the default password Note Passwords must be at least eight characters long and be strong that is not be a dictionary word After you change the password the sensor prompt appears Step 7 Type the setup command to initialize the appliance See Initializing the Sensor page 10 2 for the procedure Step 8 Install the most ...

Page 194: ...Log in with your Cisco com account The Encryption Software Export Distribution Authorization Form page appears Step 4 Select your software from the list box and click Submit The Encryption Software Export Distribution Authorization Form appears Step 5 Review and complete the Encryption Software Export Distribution Authorization form and click Submit The Cisco Encryption Software Crypto Access Gran...

Page 195: ...e Surname box e Type the name of your organization in the Organization box f Select your country from the menu g Type your e mail address in the E mail box Step 3 Select the check box if you would like to receive further information about Cisco products and offerings by e mail Step 4 Select the e mail format you prefer from the menu Step 5 Fill in the optional information if desired a Select your ...

Page 196: ...Chapter 9 Obtaining Software IDS Bulletin 9 14 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 ...

Page 197: ...nter for IDS Sensors to configure your sensor refer to the documentation on Cisco com Refer to the Cisco Intrusion Detection System IDS Hardware and Software Version 4 1 Documentation Guide that shipped with your sensor for information on how to access IDS documentation Note When procedures apply to all IDS sensors the term sensor is used When a procedure applies to a specific appliance or module ...

Page 198: ...g a Password page 10 15 Adding a User page 10 16 Removing a User page 10 17 Adding Trusted Hosts page 10 18 Adding Known Hosts to the SSH Known Hosts List page 10 19 Configuring the Sensor to Use an NTP Server as its Time Source page 10 21 Configuring a Cisco Router to be an NTP Server page 10 22 Initializing the Sensor After you have installed the sensors on your network you must initialize them ...

Page 199: ...cessor 1 b Session in to the NM CIDS by typing the following Router service module IDS Sensor slot_number port_number session c Log in to the appliance by using a serial connection or with a monitor and keyboard Note You cannot use a monitor and keyboard with the IDS 4215 the IPS 4240 or the IPS 4255 Step 2 You are prompted to change the default password Passwords must be at least eight characters...

Page 200: ...t any point you may enter a question mark for help User ctrl c to abort configuration dialog at any prompt Default settings are in square brackets Current Configuration networkParams ipAddress 10 89 146 110 netmask 255 255 255 0 defaultGateway 10 89 146 254 hostname sensor telnetOption disabled accessList ipAddress 10 0 0 0 netmask 255 0 0 0 exit timeParams summerTimeParams active selection none e...

Page 201: ...5 0 Step 9 Specify the default gateway The default gateway is the default router IP address for the sensor The default is 10 1 9 1 Step 10 Specify the Telnet server status You can disable or enable Telnet services The default is disabled Step 11 Specify the web server port The web server port is the TCP port used by the web server 1 to 65535 The default is 443 Note If you change the web server por...

Page 202: ...ecurring date or disable to specify how you want to configure summertime settings The default is recurring d If you typed recurring type the month you want to start summertime settings The default is apr Valid entries are jan feb mar apr may jun jul aug sep oct nov and dec e Specify the week you want to start summertime settings The default is first Valid entries are first second third fourth fift...

Page 203: ... k Specify the time you want summertime settings to end The default is 02 00 00 l Specify the DST zone The zone name is a character string up to 128 characters long m Specify the summertime offset The default is 60 Specify the summertime offset from UTC in minutes negative numbers represent time zones west of the Prime Meridian n Type yes to modify the system time zone o Specify the standard time ...

Page 204: ...h reboot yes Step 17 Type yes to reboot the sensor Step 18 Display the self signed X 509 certificate needed by TLS by typing the following command sensor show tls fingerprint MD5 C1 9F DE 2A 7D D9 9A EE C9 19 76 D8 0F 96 8D EC SHA1 DC 06 71 57 90 C7 2A E4 6E FE 22 78 B0 33 0F 5A F2 4A 13 59 Step 19 Write down the certificate fingerprints You will need these to check the authenticity of the certifi...

Page 205: ...to interface group 0 Note If the XL card is present only the XL interfaces are added to interface group 0 If the XL card is not present all Ethernet 100 1000 interfaces except the command and control interface are added to interface group 0 By default all interfaces the sensor detects and adds to interface group 0 are disabled You need to use the IDS CLI or other IDS manager to enable the appropri...

Page 206: ... CLI using an account with administrator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 To add an interface to or remove an interface from interface group 0 follow these steps a Enter interface group configuration mode for interface group 0 sensor config interface group 0 b Remove an interface sensor config ifg no sensing interface name Where name is the logical name o...

Page 207: ...ere name is the logical name of the sensing interface such as int0 b Enable the interface sensor config ifs no shutdown c Verify the interface is enabled sensor config ifs exit sensor config exit sensor show interface d Disable the interface sensor configure terminal sensor config interface sensing name sensor config ifs shutdown e Exit sensing interface configuration mode sensor config ifs exit s...

Page 208: ...except under the direction of TAC If you use the service account to configure the sensor your configuration is not supported by TAC Adding services to the operating system through the service account affects proper performance and functioning of the other IDS services TAC does not support a sensor on which additional services have been added Table 10 1 Sensing Interfaces IDS Platform Sensing Inter...

Page 209: ...umeric characters You can also use an underscore _ or dash in the username Step 4 Specify a password when prompted If a service account already exists for this sensor the following error is displayed and no service account is created Error Only one service account allowed in UserAccount document Step 5 Exit configuration mode sensor config exit sensor When you use the service account to log in to ...

Page 210: ...r ip_address telnet ip_address b SSH Telnet or console log in to the IDSM 2 For Catalyst Software ssh ip_address session slot_number telnet ip_address session slot_number Console enable session slot_number For Cisco IOS software ssh ip_address session slot_number processor 1 telnet ip_address session slot_number processor 1 Router session slot slot_number processor processor_number c SSH or Telnet...

Page 211: ...ord command updates the password on the local sensor You can also use this command to change the password for an existing user or to reset the password for a locked account To change the password follow these steps Step 1 To change the password for another user or reset the password for a locked account follow these steps a Log in to the CLI using an account with administrator privileges b Enter c...

Page 212: ...m of this command to remove a user from the system The username command provides username and password authentication for login purposes only You cannot use this command to remove a user who is logged into the system If you do not specify a password the system prompts you for one Use the password command to change the password for existing users Use the privilege command to change the privilege fo...

Page 213: ...ege level of administrator and the password testpassword type the following command sensor config username tester privilege administrator Enter Login Password Re enter Login Password Note If you do not specify a privilege level for the user the user is assigned the default viewer privilege Step 4 Verify that the user has been added a Exit configuration mode sensor config exit b View a list of all ...

Page 214: ...f all user accounts is displayed The user you removed no longer appears in the list Adding Trusted Hosts You can identify hosts trusted hosts that are allowed to connect to the sensor To add a trusted host follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter Service host mode se...

Page 215: ...changes the sensor config prompt is displayed Adding Known Hosts to the SSH Known Hosts List You must add hosts to the SSH known hosts list so that the sensor can recognize the hosts that it can communicate with through SSH These hosts are SSH servers that the sensor needs to connect to for upgrades and file copying and other hosts such as Cisco routers PIX Firewalls and Catalyst switches To add a...

Page 216: ...5415793 7058485203995572114631296604552161309712601068614812749969593513740598 3313931548849883023021829223533351526538605891636519449978428745836278 83277460138506084043415861927 MD5 49 3F FD 62 26 58 94 A3 E9 88 EF 92 5F 52 6E 7B Bubble Babble xebiz vykyk fekuh rukuh cabaz paret gosym serum korus fypop huxyx Step 6 To remove an entry type the following command sensor config no ssh host key ip_ad...

Page 217: ...NTP server as its time source Note You must obtain the NTP server IP address NTP server key ID and the key value from the NTP server See Configuring a Cisco Router to be an NTP Server page 10 22 for more information To configure the sensor to use an NTP server as its time source follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter configuration mo...

Page 218: ...y value The key value is text numeric or character This is the key value that you already set up on the NTP server See Step 3 of Configuring a Cisco Router to be an NTP Server page 10 22 For example sensor config Host tim ntp keyValue attack Step 8 Exit NTP configuration mode sensor config Host tim ntp exit sensor config Host tim exit sensor config Host exit Step 9 Save the changes by typing yes A...

Page 219: ...outer configure terminal Step 3 Create the key ID and key value router config ntp authentication key key ID md5 key value The key ID can be a number between 1 and 65535 The key value is text numeric or character It is later encrypted For example router config ntp authentication key 100 attack Note The sensor only supports MD5 keys Note Keys may already exist on the router Use the show running conf...

Page 220: ...ose Sensor Administrative Tasks This section describes the administrative tasks for the sensor This section contains the following topics Displaying the Current Version and Configuration Information page 10 24 Creating and Using a Backup Configuration File page 10 28 Displaying and Clearing Events page 10 28 Rebooting or Powering Down the Appliance page 10 30 Displaying Tech Support Information pa...

Page 221: ...M out of 15G bytes of available disk space 5 usage MainApp 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Running AnalysisEngine 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Running Authentication 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Running Logger 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Running NetworkAccess 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Run...

Page 222: ...ay_09_06 00 Release 2003 05 09T06 09 22 0500 Running Authentication 2003_May_09_06 00 Release 2003 05 09T06 09 22 0500 Running Logger 2003_May_09_06 00 Release 2003 05 09T06 09 22 0500 Running NetworkAccess 2003_May_09_06 00 Release 2003 05 09T06 09 22 0500 Running TransactionSource 2003_May_09_06 00 Release 2003 05 09T06 09 22 0500 Running WebServer 2003_May_09_06 00 Release 2003 05 09T06 09 22 0...

Page 223: ...0 0 netmask 255 255 0 0 accessList ipAddress 10 16 0 0 netmask 255 255 0 0 accessList ipAddress 10 89 149 31 netmask 255 255 255 255 exit optionalAutoUpgrade active selection none exit timeParams timeParams summerTimeParams active selection recurringParams recurringParams summerTimeZoneName CST exit exit ntpServers ipAddress 10 89 147 99 keyId 2 keyValue test exit exit exit service Logger masterCo...

Page 224: ...to the CLI using an account with administrator privileges Step 2 Save the current configuration sensor copy current config backup config The current configuration is saved in a backup file Step 3 Display the backup configuration file sensor more backup config The backup configuration file is displayed Step 4 You can either merge the backup configuration with the current configuration or you can ov...

Page 225: ...vents follow these steps Step 1 Log in to the CLI Step 2 Display new events sensor show events Use the regular expression include shunInfo to view the shun information including source address for the event New events are displayed as they occur Step 3 Display events from a specific time sensor show events hh mm month day year For example show events 14 00 September 2 2002 displays all events sinc...

Page 226: ...unning on the appliance and reboots it If the powerdown option is included the appliance is powered off if possible or left in a state where the power can be turned off after the applications are stopped Shutdown stopping the applications begins immediately after the command is executed Because shutdown may take a little time you can continue to access CLI commands access is not denied but access ...

Page 227: ...red off it will be left in a state that is safe to manually power down Continue with reset b Type yes to continue the reset Broadcast message from root Sat May 15 05 25 09 1993 A system reboot has been requested The reboot may not start for 90 seconds Request Succeeded sensor Broadcast message from root Sat May 15 05 25 12 1993 The system is going down for reboot NOW You are prompted to turn off t...

Page 228: ...ppears on the screen one page at a time Press the space bar to view the next page or press Ctrl C to return to the prompt Step 4 To send the output in HTML format to a file follow these steps a Type the following command followed by a valid destination sensor show tech support destination url You can specify the following destination types ftp Destination URL for File Transfer Protocol FTP network...

Page 229: ...tication statistics EventServer Display event server statistics EventStore Display event store statistics Host Display host statistics Logger Display logger statistics NetworkAccess Display network access controller statistics TransactionServer Display transaction server statistics TransactionSource Display transaction source statistics WebServer Display web server statistics Note The clear option...

Page 230: ...h 0 Step 4 Clear the statistics Note The clear option is not available for Host or NetworkAccess statistics sensor show statistics EventStore clear Event store statistics General information about the event store The current number of open subscriptions 0 The number of events lost by subscriptions and queries 0 The number of queries issued 0 The number of times the circular buffer has wrapped 0 Nu...

Page 231: ... 10 39 Configuring Virtual Sensor System Variables page 10 42 Tuning Signature Engines page 10 45 Configuring Alarm Channel System Variables The tune alarm channel command enables you to configure system variables for the alarm aggregation process The items and menus in this configuration depend on the contents of the configuration file and are built dynamically based on the configuration retrieve...

Page 232: ... group s IP address space You could then use this variable on the Event Filters page to set up the filter to ignore all Windows based attacks for USER ADDR1 To configure alarm channel system variables follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter alarm channel configurati...

Page 233: ...e sensor config acc exit sensor config Configuring Alarm Channel Event Filters The tune alarm channel command allows you to configure event filters for the aggregation process The items and menus in this configuration depend on the contents of the configuration file and are built dynamically based on the configuration retrieved when the command is executed The modifications made in this mode and a...

Page 234: ...Addrs ipaddress Exception true false The following options apply to the command SIGID Signature IDs of events to which this filter should be applied You can use a list 2001 2004 or a range 2001 2004 an asterisk for all signatures or one of the SIG variables if you defined them If you use a variable you must use a dollar sign SIG1 in front of the variable See Configuring Alarm Channel System Variab...

Page 235: ...r the filters are displayed Step 8 Exit event filter submode sensor config acc virtualAlarm eve exit sensor config acc virtualAlarm exit Apply Changes yes Step 9 Type yes to apply the changes The Processing config message is displayed Step 10 Exit the alarm channel configuration mode sensor config acc exit sensor cofig Viewing Signature Engine Parameters You can display settings for individual sig...

Page 236: ...and DataLength exit Exit service configuration mode FLOOD HOST ICMP Icmp Floods directed at a single host FLOOD HOST UDP UDP Floods directed at a single host FLOOD NET Multi protocol floods directed at a network segment Ip Addresses are wildcarded for this inspection FragmentReassembly Fragment Reassembly configuration tokens IPLog Virtual Sensor IP log configuration tokens OTHER This engine is us...

Page 237: ...cker to many victims SWEEP HOST TCP TCP based Host Sweeps from a single attacker to multiple victims SWEEP MULTI UDP and TCP combined port sweeps SWEEP OTHER TCP Odd sweeps scans such as nmap fingerprint scans SWEEP PORT TCP Detects port sweeps between two nodes SWEEP PORT UDP Detects UDP connections to multiple destination ports between two nodes systemVariables User modifiable system variables T...

Page 238: ...ControlData 468 defaulted MaxTTL MinHits Mode 6 defaulted Protocol UDP defaulted ResetAfterIdle 15 defaulted SigComment SigName NTPd readvar overflow protected SigStringInfo SigVersion S37 defaulted StorageKey AaBb defaulted SummaryKey AaBb defaulted ThrottleInterval 15 defaulted WantFrag isInvalidDataPacket isNonNtpTraffic Step 8 Press the spacebar to page through all the settings Press Ctrl C to...

Page 239: ...on mode sensor config service virtual sensor configuration virtualSensor Step 4 Enter tune micro engines submode sensor config vsc tune micro engines Step 5 Enter system variable submode sensor config vsc virtualSensor systemVariables Step 6 View the current system variable settings sensor config vsc virtualSensor sys show settings systemVariables WEBPORTS 80 3128 8000 8010 8080 8888 24326 default...

Page 240: ...resses IPReassembleMaxFrags You can define the total number of fragments you want the system to queue You can define a number between 1000 and 50 000 The default is 10 000 Step 8 View your changes sensor config vsc virtualSensor sys show settings The settings for the system variables are displayed In the example above the settings for the IPReassembleMaxFrags variable appear as IPReassembleMaxFrag...

Page 241: ...must set the capturePacket parameter to true for that signature Note Refer to the IDS Event Viewer documentation for more information on viewing the captured packet The tune micro engines command enables you to configure standard signatures and create custom signatures for the sensor micro engines The items and menus in this configuration depend upon the contents of the configuration file and are ...

Page 242: ...ing command sensor config vsc virtualSensor ATOMIC UDP Step 6 View the signature settings sensor config vsc virtualSensor ATO show settings A summary of the signatures and settings is displayed sensor config vsc virtualSensor ATO show settings ATOMIC UDP version 4 0 protected signatures min 0 max 1000 current 13 SIGID 9019 protected SubSig 0 protected AlarmDelayTimer AlarmInterval AlarmSeverity in...

Page 243: ...20 protected SubSig 0 protected AlarmDelayTimer AlarmInterval AlarmSeverity informational defaulted AlarmThrottle FireOnce defaulted AlarmTraits CapturePacket False defaulted ChokeThreshold 100 defaulted DstIpAddr DstIpMask DstPort 47262 defaulted Enabled False defaulted EventAction FlipAddr MaxInspectLength MaxTTL MinHits MinUDPLength Protocol UDP defaulted ResetAfterIdle 15 defaulted ShortUDPLen...

Page 244: ...y of this alert reported in the alarm AlarmThrottle Technique used to limit alarm firings FireAll sends all alarms FireOnce sends the firstalarm then deletes the inspector Summarize sends an IntervalSummary alarm GlobalSummarize sends a GlobalSummary alarm AlarmTraits User defined traits further describing this signature CapturePacket Set to True to include the offending packet in the alarm ChokeT...

Page 245: ...r Length show Display system settings and or history information SigComment USER NOTES miscellaneous information about this signature SigStringInfo Extra information included in the alarm message SigVersion Signature update version of signature SrcIpAddr IP address or network to match on the IP packet s source address Must be used with SrcIpMask SrcIpMask IP netmask used with SrcIpAddr to match on...

Page 246: ...TO sig default dstport The port value is returned to the default value and settings for the destination port parameter appear as DstPort 2140 defaulted Step 12 Exit tuning mode for this signature sensor config vsc virtualSensor ATO sig exit sensor config vsc virtualSensor ATO exit sensor config vsc virtualSensor exit Apply Changes yes Step 13 Type yes to apply the changes The Processing config mes...

Page 247: ...section contains the following topics Manual IP Logging for a Specific IP Address page 10 51 Automatic IP Logging for a Specific Signature page 10 53 Disabling IP Logging page 10 55 Copying IP Log Files to Be Viewed page 10 56 Manual IP Logging for a Specific IP Address You can log IP packets manually for a specific IP address To stop logging IP packets for a specific IP address see Disabling IP L...

Page 248: ...the duration to 5 minutes and the number of packets to 1000 the sensor stops logging after the 1000th packet is captured even if only 2 minutes have passed Example sensor iplog 0 10 16 0 0 duration 5 Logging started for group 0 IP address 10 16 0 0 Log ID 137857506 Warning IP Logging will affect system performance The example shows the sensor logging all IP packets for 5 minutes to and from the IP...

Page 249: ...eyword see Step 8 To copy and view an IP log file see Copying IP Log Files to Be Viewed page 10 56 To automatically log IP packets for a specific signature follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter virtual sensor configuration mode sensor config service virtual sensor...

Page 250: ...lSensor ATO sig EventAction log Note If in Step 7 you saw other actions set for EventAction you can combine these with the log action by placing the between the actions for example log shunHost Do not use spaces between and the actions Note To return any value to the default setting type the keyword default before the parameter name For example to remove IP logging from this signature type the fol...

Page 251: ...s and subsignatures Disabling IP Logging You can disable one or all IP logging sessions To disable one or all IP logging sessions follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 To disable a particular IP logging session a Find the log ID of the session you want to disable by using the iplog status command sensor iplog status Log ID 137...

Page 252: ...ress 10 16 0 0 Group 0 Status completed Start Time 1070363599443768000 End Time 1070363892909384000 Bytes Captured 30650 Packets Captured 263 Step 3 Copy the IP log to your FTP or SCP server sensor copy iplog 137857506 ftp root 10 16 0 0 user iplog1 Password Connected to 10 16 0 0 10 16 0 0 220 linux machine com FTP server Version wu 2 6 0 1 Mon Feb 28 10 30 36 EST 2000 ready ftp user username roo...

Page 253: ...ctions page 10 75 How to Set up Manual Blocking and How to Unblock page 10 76 Understanding Blocking NAC the blocking application on the sensor starts and stops blocks on routers switches and PIX firewalls NAC blocks the IP address on the devices it is managing It sends the same block to all the devices it is managing including any other master blocking sensors NAC monitors the time for the block ...

Page 254: ... following information for NAC to manage a device Login user ID Login password Enable password not needed if the user has enable privileges Interfaces to be managed for example ethernet0 vlan100 Any existing ACL information you want applied at the beginning Pre ACL or end Post ACL of the ACL that will be created Note This does not apply to a PIX Firewall because the PIX Firewall does not use ACLs ...

Page 255: ...ons types Telnet or SSH needed to log in to each device You need to know the interface names on the devices You need to know the names of the pre ACL and post ACLs if needed You need to understand which interfaces should and should not be blocked You do not want to accidentally shut down an entire network Supported Blocking Devices The NAC service supports up to 250 devices in any combination The ...

Page 256: ...n 6 0 or later shun command 501 506E 515E 525 535 required You configure blocking using either ACLs VACLS or the shun command All PIX Firewall models support the shun command Configuring Blocking Properties You can change the default blocking properties through the CLI It is best to use the default properties but if you need to change them use these procedures This section contains the following t...

Page 257: ...g the blocking device To allow the sensor to block itself follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter network access mode sensor config service networkAccess Step 4 Enter general submode sensor config NetworkAccess general Step 5 Configure the sensor to block itself sensor config N...

Page 258: ... could cause the device and or NAC to crash To disable blocking follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter network access mode sensor config service networkAccess Step 4 Enter general submode sensor config NetworkAccess general Step 5 Disable blocking on the sensor sensor config N...

Page 259: ...entries If the maximum is reached new blocks will not occur until existing blocks time out and are removed To change the maximum block entries follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter network access mode sensor config service networkAccess Step 4 Enter general submode sensor con...

Page 260: ...default block time follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter virtual sensor configuration mode sensor config service virtual sensor configuration virtualSensor Step 4 Enter tuning submode sensor config vsc tune Step 5 Enter the shun event submode sensor config vsc VirtualSensor s...

Page 261: ...ected behavior appears to be an attack Such a device should never be blocked and trusted internal networks should never be blocked You can specify a single host or an entire network If you specify a netmask this is the netmask of the network that should never be blocked If no netmask is specified only the IP address you specify will never be blocked To set up addresses never to be blocked by block...

Page 262: ...n exit sensor config NetworkAccess exit Apply Changes yes Step 7 Type yes to apply changes Configuring Logical Devices You must set up logical devices for the other hardware that the senor will manage The logical devices contain userid password and enable password information For example routers that all share the same passwords and usernames can be under one logical device name Caution You MUST h...

Page 263: ...assword Enter password Re enter password Type none if there is no password Step 7 Specify the enable password for the user sensor config NetworkAccess shu enable password Enter enable password Re enter enable password Type none if there is no enable password Step 8 Exit shun device configuration submode sensor config NetworkAccess shu exit sensor config NetworkAccess exit Apply Changes yes Step 9 ...

Page 264: ...applies it to the interface NAC then reverses the process on the next cycle Caution A single sensor can manage multiple devices but you cannot use multiple sensors to control a single device In this case use a master blocking sensor See Configuring the Sensor to be a Master Blocking Sensor page 10 73 for more information This section contains the following topics Configuring the Sensor to Manage a...

Page 265: ... method used to access the sensor sensor config NetworkAccess rou communication telnet ssh des ssh 3des If unspecified SSH 3DES is used Note If you are using DES or 3DES you must use the command ssh host key ip_address to accept the key or NAC cannot connect to the device Step 7 Specify the sensor s NAT address sensor config NetworkAccess rou nat address nat_address Note This changes the IP addres...

Page 266: ... manage a Catalyst 6500 series switch follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter network access mode sensor config service networkAccess Set the IP address for the router controlled by NAC sensor config NetworkAccess cat6k devices ip address ip_address Step 4 Type the logical devi...

Page 267: ...t line of the ACL from the sensor s address to the NAT address Step 7 Specify the VLAN number sensor config NetworkAccess cat shun interfaces vlan vlan_number Step 8 Add the preShun ACL name optional sensor config NetworkAccess cat shu pre acl name pre_shun_acl_name Step 9 Add the postShun ACL name optional sensor config NetworkAccess cat shu post acl name post_shun_acl_name Step 10 Exit shun devi...

Page 268: ...fig NetworkAccess pix devices ip address ip_address Step 5 Type the logical device name that you created in Configuring Logical Devices page 10 66 sensor config NetworkAccess pix shun device cfg logical_device_name NAC accepts anything you type It does not check to see if the logical device exists Step 6 Designate the method used to access the sensor sensor config NetworkAccess pix communication t...

Page 269: ...n forward blocking requests to a specified master blocking sensor MBS which controls one or more devices The MBS is the NAC running on a sensor that controls blocking on one or more devices on behalf of one or more other sensors The NAC on an MBS controls blocking on devices at the request of the NACs running on other sensors On the blocking forwarding sensor identify which remote host serves as t...

Page 270: ...rint Sensors provide only self signed certificates instead of certificates signed by a recognized certificate authority You can verify the MBS host sensor s certificate by logging in to the host sensor and typing the show tls fingerprint command to see that the host certificate s fingerprints match Step 4 Accept the certificates for all MBS hosts that the NAC will connect with Step 5 Enter network...

Page 271: ...ls trusted host ip address mbs_ip_address Step 12 Exit master blocking sensor submode sensor config NetworkAccess gen mas exit sensor config NetworkAccess gen exit sensor config NetworkAccess exit sensor config exit Apply Changes yes Step 13 Type yes to apply changes Obtaining a List of Blocked Hosts and Connections You can obtain a list of blocked hosts and blocked connections by using the show s...

Page 272: ...16 0 ShunMinutes 10 MinutesRemaining 10 The last two Host entries indicate which hosts are being blocked and how long the blocks are How to Set up Manual Blocking and How to Unblock If you have blocking configured you can manually block a host You can also view a list of hosts that are being blocked Note Manual blocks in the CLI are actually changes to the configuration so they are permanent You c...

Page 273: ...ter general mode sensor config NetworkAccess general Step 5 Start the manual block for a host IP address sensor config NetworkAccess gen shun hosts ip address ip_address Note You must end the manual block in the CLI or it is permanent Step 6 To end the manual block sensor config NetworkAccess gen no shun hosts ip address ip_address Step 7 Exit general submode sensor config NetworkAccess gen exit s...

Page 274: ... NM CIDS slot The lack of an external console port means that the initial bootup configuration is possible only through the router When you issue the command service module ids sensor slot_number 0 session you create a console session with the NM CIDS in which you can issue any IDS configuration commands After completing work in the session and exiting the IDS CLI you are returned to Cisco IOS CLI...

Page 275: ...rface loopback 0 Step 4 Assign an IP address and netmask to the loopback interface Router config if ip address 10 16 0 0 255 255 0 0 Note You must assign an IP address to the NM CIDS s internal interface to session into the NM CIDS Choose a network that does not overlap with any networks assigned to the other interfaces in the router It does not have to be a real IP address because you will not be...

Page 276: ...t sessions between the router and the NM CIDS using one of the following The session command CTRL Shift 6 x and the disconnect command Telnet This section contains the following topics Using the Session Command page 10 80 Suspending a Session and Returning to the Router page 10 81 Closing an Open Session page 10 81 Using Telnet page 10 82 Using the Session Command Use the session command to establ...

Page 277: ...ession prompt to a router prompt and vice versa Step 2 Type the following at the prompt Router disconnect Step 3 Press Enter when prompted as follows Closing connection to 10 16 0 0 confirm Enter Note Telnet clients vary In some cases you may have to press CTRL 6 x The control character is specified as CTRL or ASCII value 30 hex 1E Caution Failing to close a session properly makes it possible for ...

Page 278: ...router Router disconnect Step 4 Press Enter to confirm the disconnection Router Closing connection to 10 16 0 0 confirm Enter Step 5 Exit the session Router exit Using Telnet You can also telnet directly into the router with the port number corresponding to the NM CIDS slot Use the address you established when configuring the loopback 0 interface in Configuring Cisco IDS Interfaces on the Router p...

Page 279: ...to do so can lead to the loss of data or the corruption of the hard disk drive reload Performs a graceful halt and reboot of the operating system on an NM CIDS Router service module ids sensor slot_number 0 reload reset Resets the hardware on the NM CIDS Typically this command is used to recover from a shutdown Router service module ids sensor slot_number 0 reset The following warning appears Rout...

Page 280: ...gured through the router CLI Cisco IOS To set up packet capture on the NM CIDS follow these steps Step 1 View your interface configuration Router show run Step 2 Identify the interfaces or subinterfaces that you want to monitor for example FastEthernet0 0 Note You can choose more than one interface or subinterface to monitor but you can only edit one interface at a time Step 3 Enter configuration ...

Page 281: ... page 10 19 for the procedure b Log in as cisco c View the interface group Router show interface group 0 d If the output shows the sensing interface is down repeat Steps 3 through 6 e Repeat Step c to see the counters gradually increasing This indicates that the NM CIDS is receiving network traffic Checking the Status of the Cisco IDS Software To check the status of the Cisco IDS software running ...

Page 282: ...IDS service module ids sensor slot_number 0 The slot number can vary but the port is always 0 These options are available reload reset session shutdown status The following Cisco IOS commands are supported on the NM CIDS Privileged mode EXEC Router service module ids sensor slot_number 0 reload Reloads the operating system on the NM CIDS Router service module ids sensor slot_number 0 reset Provide...

Page 283: ...ule monitoring You can enable IDS monitoring on a specified interface or subinterface Both inbound and outbound packets on the specified interface are forwarded for monitoring IDSM 2 Configuration Tasks Perform the following tasks to configure the IDSM 2 1 Initialize the IDSM 2 Run the setup command to initialize the IDSM 2 See Initializing the Sensor page 10 2 for more information 2 Configure the...

Page 284: ...o locate these documents 7 Perform miscellaneous tasks to keep your IDSM 2 running smoothly See Sensor Administrative Tasks page 10 24 and Miscellaneous Tasks page 10 98 for more information 8 Upgrade the IDS software with new signature updates and service packs See Obtaining Cisco IDS Software page 9 1 for more information 9 Reimage the application partition and the maintenance partition when nee...

Page 285: ...Step 1 Log in to the console Step 2 Enter privileged mode Console enable Step 3 Put the command and control port into the correct VLAN Console enable set vlan command_and_control_vlan_number module_slot_number command_and_control_port_number Example Console enable set vlan 147 8 2 Step 4 Verify that you have connectivity by sessioning into the IDSM 2 Console session slot module_number ping network...

Page 286: ...n analysis on the IDSM 2 through SPAN VACL capture or by using the mls ip ids command Port 1 is used as the TCP reset port port 2 is the command and control port and ports 7 and 8 are the monitoring ports You can configure one of the monitoring ports as a SPAN or VACL monitoring port This section contains the following topics Using SPAN for Capturing IDS Traffic page 10 90 Configuring VACLS to Cap...

Page 287: ...module source_port idsm_module port_number rx tx both filter vlans Note Use the filter keyword and variable to monitor traffic on specific VLANs on source trunk ports Step 4 Enable SPAN to the IDSM 2 from a VLAN Console enable set span vlan idsm_module port_number rx tx both Step 5 Disable all SPAN traffic to the IDSM 2 Console enable set span disable idsm_module port_number Note Refer to Catalyst...

Page 288: ...nt to disable the monitor session Router config no monitor session session_number Step 6 To filter the SPAN session so that only certain VLANs are seen from switch port trunks optional Router config monitor session session_number filter vlan_ID Step 7 Exit configuration mode Router config exit Step 8 To show current monitor sessions Router show monitor session session_number Note Refer to the Cata...

Page 289: ...re IDS traffic on VLANs follow these steps Step 1 Log in to the console Step 2 Enter privileged mode console enable Step 3 Set the VACL to capture traffic console enable set security acl ip acl name permit capture Step 4 Commit the VACL console enable commit security acl Step 5 Map the VACL to the VLANs console enable set security acl map acl name vlans Step 6 Add the IDSM 2 monitoring port port 7...

Page 290: ...p access list standard extended acl_name Create ACL entries through the permit and or deny statements Router config ext nacl Ext Access List configuration commands default Set a command to its defaults deny Specify packets to reject dynamic Specify a DYNAMIC list of PERMITs or DENYs evaluate Evaluate an access list exit Exit from access list configuration mode no Negate a command or set its defaul...

Page 291: ...he captured flagged traffic Router config intrusion detection module module_number data port data_port_number capture allowed vlan capture_vlans Step 9 Enable the capture function on the IDSM 2 Router config intrusion detection module module_number data port data_port_number capture Caution You should not configure an IDSM 2 data port as both a SPAN destination port and a capture port This example...

Page 292: ...e ACL are captured Those denied by the ACL are not captured The permit deny parameter does not affect whether a packet is forwarded to destination ports Packets coming into that router interface are checked against the IDS ACL to determine if they should be captured The mls ip ids command is applied as part of the MSFC configuration instead of the supervisor configuration The mls ip ids command on...

Page 293: ...ds command port 7 or 8 of the IDSM 2 must be a member of all VLANs to which those packets are routed Cisco IOS Software When you are using ports as router interfaces rather than switch ports there is no VLAN on which to apply a VACL You can use the mls ip ids command to designate which packets will be captured Packets that are permitted by the ACL will be captured Those denied by the ACL will not ...

Page 294: ...ig intrusion detection module 4 data port 1 capture Router config intrusion detection module 4 data port 2 capture Caution For the IDSM 2 to capture all packets marked by the mls ip ids command data port 1 or data port 2 of the IDSM 2 must be a member of all VLANs to which those packets are routed Miscellaneous Tasks This section contains procedures such as resetting the IDSM 2 and lists of Cataly...

Page 295: ... memory test in Catalyst software and Cisco IOS software This section contains the following topics Memory and Boot Time page 10 99 Catalyst Software page 10 99 Cisco IOS Software page 10 100 Memory and Boot Time Table 10 2 lists the memory and approximate boot time for a long memory test Catalyst Software You can enable a full memory test when you use the set boot device bootseq module_number mem...

Page 296: ...utput appears Device BOOT variable cf 1 FAST BOOT Enabled Step 3 Reset the IDSM 2 See Resetting the IDSM 2 page 10 101 for the procedure The full memory test runs Note A full memory test takes more time to complete than a partial memory test Cisco IOS Software You can enable a full memory test when you use the set boot device bootseq module_number mem test full command The long memory test takes a...

Page 297: ...emory test Resetting the IDSM 2 If for some reason you cannot communicate with the IDSM 2 through SSH Telnet or the switch session command you must reset the IDSM 2 from the switch console The reset process requires several minutes This section describes how to reset the IDSM 2 The section contains the following topics Catalyst Software page 10 101 Cisco IOS Software page 10 102 Catalyst Software ...

Page 298: ...D_OK Module 3 is online Console enable Caution If the IDSM 2 is removed from the switch chassis without first being shut down or the chassis loses power you may need to reset the IDSM 2 more than once If the IDSM 2 fails to respond after three reset attempts boot the maintenance partition and perform the instructions for restoring the application partition See Reimaging the IDSM 2 page 10 124 for ...

Page 299: ...sor Engine Commands page 10 103 Unsupported Supervisor Engine Commands page 10 105 Supported Supervisor Engine Commands The IDSM 2 also supports the following supervisor engine CLI commands which are described in more detail in the Catalyst 6500 Series Command References clear config module_number Clears the configuration on the supervisor engine that is associated with the specified IDSM 2 clear ...

Page 300: ...pture ports show config Displays the supervisor engine NVRAM configurations show log Displays the error logs for the specified IDSM 2 show mac module_number Displays the MAC counters for the specified IDSM 2 show module module_number With an IDSM 2 installed displays Intrusion Detection System Module under Module Type show port module_number Displays the port status for the specified IDSM 2 show p...

Page 301: ...e CLI commands are not supported by the IDSM 2 set module enable disable module_number set port broadcast set port channel set port cops set port disable set port enable set port flowcontrol set port gmrp set port gvrp set port host set port inlinepower set port jumbo set port membership set port negotiation set port protocol set port qos set port rsvp set port security set port speed set port tra...

Page 302: ... topics EXEC Commands page 10 106 Configuration Commands page 10 108 EXEC Commands The following commands are all performed in EXEC mode clock read calendar Updates the clock time to the calendar time clock set time date Sets the current time and date clock update calendar Updates the calendar time to the clock time hw module module slot_number reset Resets the IDSM 2 into the partition specified ...

Page 303: ...n module module_number data port data_port_number traffic Displays traffic statistics for the IDSM 2 data port traffic show intrusion detection module module_number management port state Displays the state of the IDSM 2 management port show intrusion detection module module_number management port traffic Displays traffic statistics for the IDSM 2 management port show ip access lists Displays the c...

Page 304: ...n detection module module_number management port access vlan access_vlan_number Configures the access vlan for the IDSM 2 command and control port intrusion detection module module_number data port data_port_number capture allowed vlan allowed_capture_vlan s Configures the VLAN s for VACL capture intrusion detection module module_number data port data_port_number capture Enables VACL capture for t...

Page 305: ...interface as a switch port switchport access vlan vlan Sets the access VLAN for the interface switchport capture Sets the interface as a capture port switchport mode access Sets the interface as an access port switchport mode trunk Sets the interface as a trunk port switchport trunk allowed vlan vlans Sets the allowed VLANs for trunk switchport trunk encapsulation dot1q Sets dot1q as the encapsula...

Page 306: ... page 10 9 for the procedure This section contains the following topics Reimaging the Appliance page 10 110 Reimaging the NM CIDS Application Partition page 10 119 Reimaging the IDSM 2 page 10 124 Reimaging the Appliance When you use the recover command you are booting to the recovery partition which automatically reimages the application partition on your appliance You can use the upgrade command...

Page 307: ...2 for the procedure for upgrading the recovery partition to the most recent version Note You can also use the recovery upgrade CD to reinstall both the recovery and application partitions See Using the Recovery Upgrade CD with the Appliance page 9 9 for the procedure To recover the application partition image follow these steps Step 1 Log in to the sensor CLI Step 2 Enter configuration mode sensor...

Page 308: ...This enables you to boot to the recovery partition and reimage the application partition Upgrading the Recovery Partition Image You can upgrade the image on the recovery partition with the most recent version so that it is ready if you need to recover the application partition on your appliance To upgrade the recovery partition image follow these steps Step 1 Obtain the recovery partition image fi...

Page 309: ...graded with the new image Installing the IDS 4215 System Image You can install the IDS 4215 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device Note Other IDS appliances use the recovery upgrade CD rather than the system image Caution Before installing the system image you must first upgrade the IDS 4215 BIOS to version 5 1 7 and the ROMMON to v...

Page 310: ...4215 K9 sys 4 1 4 S91a img file to the TFTP root directory of a TFTP server that is accessible from your IDS 4215 The file is available for download at the following URL http www cisco com cgi bin tablebuild pl ids4 app recovr Make sure you can access the TFTP server location from the network connected to your IDS 4215 Ethernet port Step 2 Boot the appliance Step 3 Press CTRL R at the following pr...

Page 311: ... the text Using 1 i82557 PCI bus 0 dev 14 irq 11 MAC 0000 c0ff ee01 rommon interface port_number Note Ports 0 and 1 are labeled on the back of the chassis Step 6 Set an IP address for the local port on the IDS 4125 rommon ip_address ip_address Note Select an unused IP address on the sensor s local network that can access the TFTP server Step 7 Set the TFTP server IP address rommon server ip_addres...

Page 312: ...eboots several times during the reimaging process Do not remove power from the sensor during the update process or the upgrade can become corrupted Installing the IPS 4240 and IPS 4255 System Image You can install the IPS 4240 and IPS 4255 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device Note Other IDS appliances use the recovery upgrade CD r...

Page 313: ...ep 3 Press Break or ESC at the following prompt while the system is booting Evaluating Run Options Note You have ten seconds to press Break or ESC The system enters ROMMON mode The rommon prompt appears The console displays information such as the following ROMMON Variable Settings ADDRESS 10 1 9 201 SERVER 10 1 8 1 GATEWAY 10 1 9 254 PORT Management0 0 VLAN untagged IMAGE IPS 4240 K9 sys 4 1 4 S9...

Page 314: ... Note Select an unused IP address on the sensor s local network that can access the TFTP server Step 6 Set the TFTP server IP address rommon server ip_address Step 7 Set the gateway IP address rommon gateway ip_address Step 8 Type set and press Enter to verify the network settings Step 9 Verify that you have access to the TFTP server by pinging it from your local defined Ethernet port using one of...

Page 315: ...etwork using a TFTP server To reimage the NM CIDS application partition follow these steps Step 1 Obtain the helper image file on Cisco com See Obtaining Cisco IDS Software page 9 1 for the procedure for accessing the Software Center on Cisco com a Locate a TFTP server on your network Remember the IP address of your TFTP server You will need it later to copy the software files b Put the IDS helper...

Page 316: ...nded session by pressing Enter After displaying its version the bootloader displays the following prompt for 15 seconds Please enter to change boot configuration If you type during the 15 second delay or there is no default boot device configured you enter the bootloader CLI Step 7 Session in to the NM CIDS ServicesEngine boot loader Step 8 Set up the bootloader network parameters Note You only ha...

Page 317: ...0 ROM address 0x 00000000 Ethernet addr 01 23 45 67 89 AB Me 10 1 2 3 Server 10 1 2 5 Gateway 10 1 2 254 Loading NM CIDS K9 helper 1 0 1 bin Note If you want to boot a helper image different from the one you configured as your default helper you can type its name here For example boot helper some_other_helper Note The bootloader brings up the external interface and locates the TFTP server host whi...

Page 318: ...7 Main menu 1 Download application image and write to HDD 2 Download bootloader and write to flash 3 Display software version on HDD 4 Display total RAM size 5 Change file transfer method currently secure shell Change file transfer method currently secure shell r Exit and reset Services Engine h Exit and shutdown Services Engine Selection 1234rh Step 10 Chose the transfer method a For SSH go to St...

Page 319: ...the server password user ip_address password ptable Disk restore was successful The operation was successful Writing kernel signature to boot flash device Read 174 bytes from vmlinuz 2 4 18 5 module u64md5 bflash write After bfwrite The operation was successful You are returned to the main menu with the Selection 1234rh prompt Continue with Step 15 Step 13 Set TFTP as the transfer method a Type 5 ...

Page 320: ... You must initialize your NM CIDS with the setup command See Initializing the Sensor page 10 2 Reimaging the IDSM 2 If your application partition becomes unusable you can reimage it from the maintenance partition After you reimage the application partition of the IDSM 2 you must initialize the IDSM 2 using the setup command See Initializing the Sensor page 10 2 for the procedure When there is a ne...

Page 321: ...s the Software Center on Cisco com Step 2 Log in to the switch CLI Step 3 Boot the IDSM 2 to the maintenance partition cat6k enable reset module_number cf 1 Step 4 Log in to the maintenance partition CLI login guest Password cisco Step 5 Reimage the application partition guest hostname localdomain upgrade ftp user ftp server IP directory path image file Step 6 Specify the FTP server password After...

Page 322: ...Center on Cisco com and copy it to an FTP server See Obtaining Cisco IDS Software page 9 1 for instructions on how to access the Software Center on Cisco com Step 2 Log in to the switch CLI Step 3 Boot the IDSM 2 to the maintenance partition cat6k hw module module module_number reset cf 1 Step 4 Session in to the maintenance partition CLI cat6k session slot slot_number processor 1 Step 5 Log in to...

Page 323: ...e and that the software version is correct and that the status is ok cat6k show module module_number Session in to the IDSM 2 application partition CLI cat6k session slot slot_number processor 1 Step 12 Initialize the IDSM 2 See Initializing the Sensor page 10 2 for the procedure Reimaging the Maintenance Partition This section contains the following topics Catalyst Software page 10 127 Cisco IOS ...

Page 324: ...he maintenance partition file is upgraded Cisco IOS Software To reimage the maintenance partition follow these steps Step 1 Obtain the maintenance partition file from Software Center on Cisco com and copy it to an SCP or FTP server See Obtaining Cisco IDS Software page 9 1 for instructions on how to access the Software Center on Cisco com Step 2 Log in to the switch CLI Step 3 Session in to the ap...

Page 325: ...tallation and Configuration Guide Version 4 1 78 15597 02 Chapter 10 Configuring the Sensor Using the CLI Reimaging Appliances and Modules Step 6 Specify the FTP server password Password You are prompted to continue Continue with upgrade Step 7 Type yes to continue ...

Page 326: ...Chapter 10 Configuring the Sensor Using the CLI Reimaging Appliances and Modules 10 130 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 ...

Page 327: ...rview page A 1 Summary of Applications page A 49 System Architectural Details page A 44 Summary of Applications page A 49 System Overview You can install Cisco IDS software on two platforms the appliances and the modules see Supported Sensors page 1 16 for a list of current appliances and modules This section contains the following topics Software Architecture Overview page A 2 Show Version Comman...

Page 328: ...essary packages from the OS disabling unused services restricting network access and removing access to the shell Figure A 1 illustrates the software architecture Figure A 1 System Design 119095 FTP SCP Server NTP Server MainApp CLI AuthenticationApp IDAPI Alarm Channel Sensor Syslog Sensor CT Source Master Blocking Sensor EventServer CT Server IDM Web Server IEV MDC Browsers SNMP Server Notificat...

Page 329: ...es PIX Firewall routers and switches to provide blocking capabilities when an alert event has occurred NAC Network Access Controller creates and applies Access Control Lists ACLs on the controlled network device or uses the shun command PIX Firewall to another RDEP server ctlTransSource TransactionSource Allows sensors to send control transactions This is used to enable the NAC s master blocking s...

Page 330: ... common API IDAPI Remote applications other sensors management applications and third party software communicate with sensors through the RDEP and Intrusion Detection Interchange and Operations Messages IDIOM protocols The sensor has the following partitions Application partition A full IDS system image Maintenance partition A special purpose IDS image used to reimage the application partition of ...

Page 331: ...0 10T11 01 13 0500 Running CLI 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Upgrade History IDS K9 min 4 1 1 S47 12 00 00 UTC Thu Jun 30 2005 IDS K9 sp 4 1 3 S61 rpm pkg 14 14 55 UTC Fri Feb 20 2004 Recovery Partition Version 1 2 4 1 1 S47 User Interaction You can configure IDS through the CLI the IDM the IDS MC or another application using RDEP You can interact with IDS software in the foll...

Page 332: ...the IDIOM specification RDEP replaces postoffice protocol RDEP uses HTTP HTTPS protocol to deliver XML documents between the sensor and external systems postoffice operated by pushing alarms and queuing up to 1000 on each sensor The RDEP client pulls alerts from the sensor and there is less of a chance of missing alerts Version 4 x is now an open system Note Open refers to the fact that we provide...

Page 333: ... circular buffer EventStore replaces log files and log file maintenance no more sapd Supported Cisco management options are the CLI the IDM or IDS MC which replace CSPM and the UNIX Director The following reliability enhancements Alarms are not lost because of communication failures CLI configuration instead of native shell configuration decreases the possibility of misconfiguration The sensor has...

Page 334: ...nts of dynamic and static configurations 2 Write dynamic configuration data to system files to make sure the two representations of data are in sync for example the IP address in the dynamic configuration must match the system network files 3 Create the shared system components EventStore and IDAPI 4 Open status event subscription 5 Start the IDS applications the order is specified in the static c...

Page 335: ...TP Uses an NTP server to synchronize the sensor s clock Manual Used only on the appliance this mode relies on the sensor s system clock Switch Router Used only on the IDSM 2 and the NM CIDS The IDSM 2 uses switch control protocol to synchronize its clock with the switch supervisor s clock The NM CIDS uses router blade control protocol to synchronize its clock to the parent router s clock Note We r...

Page 336: ...se evStatus event subscription 7 Start the utility that waits for MainApp to exit before triggering the OS to shut down 8 Destruct shared system components EventStore and IDAPI 9 Exit MainApp 10 Reboot the operating system Note A system reboot is functionally the same as a system shutdown except the OS is triggered to reboot MainApp responds to the show version command by displaying the following ...

Page 337: ...processing L2 L3 L4 parser L2 L3 L4P Parses the L2 3 4 packet information and puts the required information into the IDS header If needed the IDS header of the packet is marked for reassembly by the fragment reassembly unit Fragment reassembly unit FRU Processes packets that are marked for it The FRU has a separate ring buffer for the reassembly process TCP stream reassembly unit SRU Determines if...

Page 338: ...henticating Users page A 12 Configuring Authentication on the Sensor page A 13 Managing TLS and SSH Trust Relationships page A 14 Authenticating Users When a user tries to access the sensor through a service such as the WebServer or the CLI the user s identity must be authenticated and the user s privileges must be established The service that is providing access to the user initiates an execAuthe...

Page 339: ...reated A user with administrative access to the sensor accesses the sensor through the CLI or an IDS manager by logging in to the sensor using the default administrative account cisco In the CLI the administrator is prompted to change the password IDS managers initiate a setEnableAuthenticationTokenStatus control transaction to change the account s password Through the CLI or an IDS manager the ad...

Page 340: ...aintain a list of trusted public keys to protect themselves from man in the middle attacks The exact procedure by which this trust is established varies depending on the protocol and client software In general the client displays a fingerprint of 16 or 20 bytes The human operator who is configuring the client to establish trust should use an out of band method to learn the server s key fingerprint...

Page 341: ... can increase the security of the trust relationship however these can lead to confusion For example an X 509 certificate includes a validity period during which the certificate can be trusted Typically this is a period of a number of years starting at the moment the certificate is created To ensure that an X 509 certificate is valid at the moment it is being used requires that the client system m...

Page 342: ...n page 10 31 for the procedure for displaying tech support information See Displaying and Clearing Events page 10 28 for the procedure for displaying events LogApp receives all syslog messages except cron messages that are at the level of informational and above info cron none and inserts them into the EventStore as evErrors with the error severity set to Warning LogApp and application logging are...

Page 343: ...rewall page A 25 Blocking with the Catalyst 6000 page A 27 About NAC The NAC application s main responsibility is to block events When it responds to a block it either interacts with the devices it is managing directly to enable the block or it sends a block request through the Control Transaction Server to a master blocking sensor The WebServer on the master blocking sensor receives the control t...

Page 344: ...application instance is allowed to run on a given sensor NAC initiates a block in response to one of the following An alert event generated from a signature that is configured with a block action A block configured manually through the CLI IDM or the IDS MC A block configured permanently against a host or network address 119097 IDAPI NAC Sensor Block Subscription Block Event EventStore Block CT Bl...

Page 345: ... 11 2 9 P or later running on the RSM Note You must have the RSM because blocking is performed on the RSM Catalyst 6000 with PFC installed running Catalyst software 5 3 or later Catalyst 6000 MSFC2 with Catalyst software 5 4 3 or later and Cisco IOS 12 1 2 E or later on the MSFC2 NAC Features NAC has the following features Communication through Telnet and SSH 1 5 with 3DES the default or DES encry...

Page 346: ... more information on master blocking sensors Specifying blocking interfaces on a network device You can specify the interface directions where blocking is performed in the NAC configuration for routers You can specify the interface where blocking is performed in the VACL configuration Note The PIX Firewall does not block based on interface or direction so this configuration is never specified for ...

Page 347: ...establish a communications session with a network device that uses AAA authentication and authorization including the use of remote TACACS servers Two types of blocking NAC supports host blocks and network blocks Host blocks are connection based or unconditional Network blocks are always unconditional See Connection Based and Unconditional Blocking page A 24 for more information NAT addressing NAC...

Page 348: ...ection NAC retrieves and caches the lists and merges them with the blocking Access Control Entries ACE whenever it updates the active ACL on the network device In most cases you will want to specify a preexisting ACL as the postblock ACL so that it does not prevent any blocks from taking effect ACLs work by matching a packet to the first ACE entry found If this first ACE entry permits the packet a...

Page 349: ... txt that is maintained by NAC When NAC starts this file is used to determine if any block updates should occur at the controlled network devices Any unexpired blocks found in the file are applied to the network devices at startup When NAC shuts down no special actions on the ACLs are taken even if outstanding blocks are in effect The nac shun txt file is accurate only if the system time is not ch...

Page 350: ...on based or unconditional Network blocks are always unconditional When a host block is received NAC checks for the connectionShun attribute on the host block If connectionShun is set to true NAC performs connection blocking Any host block can contain optional parameters such as destination IP address source port destination port and protocol For a connection block to take place at least the source...

Page 351: ...ontains the following topics The shun Command page A 25 The PIX Firewall and AAA page A 26 Address Translation and Blocking page A 26 The shun Command NAC performs blocks on the PIX Firewall using the shun command The shun command has the following formats To block an IP address shun srcip destip sport dport port To unblock an IP address no shun ip To clear all blocks clear shun To show active blo...

Page 352: ...sing AAA but without the TACACS server NAC uses the reserved username pix for communications with the PIX Firewall If the PIX Firewall uses a TACACS server for authentication you use a TACACS username In some PIX Firewall configurations that use AAA logins you are presented with 3 password prompts the initial PIX Firewall password the AAA password and the enable password NAC requires that the init...

Page 353: ...configuration for blocking with VACLs Caution When you configure NAC for the Catalyst 6000 do not specify a direction with the controlled interface The interface name is a VLAN number Preblock and postblock lists should be VACLs The following commands apply to the Catalyst 6000 VACLs To view an existing VACL show security acl info aclname To block an address address spec is the same as used by rou...

Page 354: ...ntication that must be presented with each request on that connection The transactionHandlerLoop method in the CtlTransSource serves as a proxy for remote control transaction When a local application initiates a remote control transaction IDAPI initially directs the transaction to TransactionSource The transactionHandlerLoop method is a loop that waits on remote control transactions that are direc...

Page 355: ...ionHandlerLoop continues to loop until it receives a control transaction that directs it to exit or until its exit event is signaled WebServer The WebServer provides configuration support for IDM It also provides IDS RDEP which enables the sensor to report security events receive IDIOM transactions and serve IP logs The WebServer supports HTTP 1 0 and 1 1 The communications with the WebServer ofte...

Page 356: ... can perform all functions on the sensor including the following Add users and assign passwords Enable and disable control of physical interfaces and interface groups Assign physical sensing interfaces to interface groups Modify the list of hosts allowed to connect to the sensor as configuring or viewing agents Modify sensor address configuration Tune signatures Assign virtual sensor configuration...

Page 357: ...e CLI shell It does not exist on the sensor by default You must create it so that it available for TAC to use for troubleshooting your sensor See Creating the Service Account page 10 12 for the procedure to create the service account Only one service account is allowed per sensor and only one account is allowed a service role When the service account s password is set or reset the root account s p...

Page 358: ...mplete token to view the valid tokens that complete the command Refer to the following examples to compare the two outputs sensor configure terminal Configure from the terminal sensor configure sensor config ip n name server nat sensor config ip n Note If you type a space between the incomplete token and the as in ip n the system returns the error Ambiguous command ip n Only commands available in ...

Page 359: ...ed display space To display the remaining output press the Spacebar to display the next page of output or press Enter to display the output one line at a time To clear the current line contents and return to a blank command line press the Control key Ctrl simultaneously with the c key Ctrl c or press the q key Keywords In general use the no form of a command to disable a feature or function Use th...

Page 360: ...isk The regular expressions defined in this section are similar to a subset of the POSIX Extended Regular Expression definitions In particular and expressions are not supported Also escaped expressions representing single characters are supported Beginning of the string The expression A matches an A only at the beginning of the string Immediately following the left bracket Excludes the remaining c...

Page 361: ...pecial xHH represents the character whose value is the same as the value represented by HH hexadecimal digits 0 9A Fa f The value must be non zero BEL is the same as x07 BS is x08 FF is x0C LF is x0A CR is x0D TAB is x09 and VT is x0B For any other character c c is the same a c The following string matches any number of asterisks To use multipliers with multiple character patterns you enclose the ...

Page 362: ... regular expression matches an a followed by any character followed by bc followed by any character followed by the first any character again followed by the second any character again For example the regular expression can match aZbcTZT The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression EventStore This sec...

Page 363: ...nsumer Sufficient buffering depends on your requirements and the capabilities of the nodes in use The oldest events in the circular buffer are replaced by the newest events Table A 1 IDS Event Examples IDS Event Types Intrusion Event Priorities Start Time Stamp Value Stop Time Stamp Value Meaning status 0 Maximum value Get all status events that are stored error status 0 65743 Get all error and st...

Page 364: ...an application session logs and configuration data to or from an application All seven types of data are referred to collectively as IDS data The six event types intrusion error status control transaction log network access and debug have similar characteristics and are referred to collectively as IDS events IDS events are produced by the several different applications that make up the IDS and are...

Page 365: ... some stimulus The events are the data such as the alerts generated by sensorApp or errors generated by any application Events are stored in a local database known as the EventStore There are five types of events evAlert Alert event messages that report when a signature is triggered by network activity evStatus Status event messages that report the status and actions of the IDS applications evErro...

Page 366: ...ity informational originator hostId sensor appName sensorApp appInstanceId 3627 time 2003 10 16 16 50 11 2003 10 16 11 50 11 CDT interfaceGroup 0 vlan 0 signature sigId 1001 sigName Record Packet Rte subSigId 0 version S37 participants attack attacker proxy false addr locality OUT 4 1 1 2 victim addr locality OUT 10 2 1 2 alertDetails Traffic Source int0 Note The alertDetails field shows the speci...

Page 367: ...on file has been modified by a setConfig control transaction request ipLogAdded A new IP logging session has been requested This event message also contains the address being logged the time that it was initiated and the identifier for the newly created logging session ipLogCompleted An IP logging session has ended because of packet count or timeout exceeded The event message contains the log sess...

Page 368: ...riginator hostId firesafe appName login pam_unix appInstanceId 7475 time 2004 03 03 17 05 56 2004 03 03 17 05 56 UTC errorMessage name errSyslog session opened for user cisco by uid 0 Log Events Log events provide notification anytime control transactions are processed by sensor applications The following is an example of a log event evLogTransaction command getVersion eventId 1077226078696330135 ...

Page 369: ...bility to capture raw unaltered packets related to the participants of an event Information from the logs are used for confirmation damage assessment and forensic evidence The IP logging system allocates all of its storage at startup time This data store is then split into equal size pages When logs are written they are stored in the pages When all available pages are filled the oldest page is ove...

Page 370: ...to query the IP log system and get only packets from a specific time inside the log If you supply a time range you receive a single file made up of all internal blocks that contain the time range requested Further refinement of the log file must be done on a separate platform because filtering the packets puts an undue burden on the sensor platform There are many tools available that allow you to ...

Page 371: ...lients use IP log requests to retrieve IP log data from servers Transaction messages are used to configure and control IDS servers RDEP utilizes the industry standards HTTP TLS SSL and XML to provide a standardized interface between RDEP agents The RDEP protocol is a subset of the HTTP 1 1 protocol All RDEP messages are legal HTTP 1 1 messages RDEP uses HTTP s message formats and message exchange ...

Page 372: ...ctively local IDIOM messages Events and control transactions that are communicated between different hosts using the RDEP protocol are known as remote events and remote control transactions or collectively remote IDIOM messages IDAPI IDAPI is the interface through which all the applications communicate SensorApp captures and analyzes the network traffic on its interfaces When a signature is matche...

Page 373: ...tion mechanisms to guarantee atomic data accesses RDEP Remote applications can retrieve events from the sensor through RDEP The remote client sends an RDEP event request to the sensor s WebServer which passes it to the EventServer The EventServer queries the EventStore through IDAPI and then returns the result Figure A 5 on page A 47 shows remote applications retrieving events from the sensor thro...

Page 374: ...the result Figure A 6 shows remote applications sending commands to the sensor through RDEP Figure A 6 Sending Commands Through RDEP Sensor Directory Structure IDS 4 x has the following directory structure usr cids idsRoot Main installation directory usr cids idsRoot shared Stores files used during system recovery usr cids idsRoot var Stores files created dynamically while the sensor is running us...

Page 375: ...plication usr cids idsRoot bin cidcli Contains the CLI application usr cids idsRoot bin nac Contains the NAC application usr cids idsRoot bin logApp Contains the logger application usr cids idsRoot bin mainApp Contains the main application usr cids idsRoot bin sensorApp Contains the sensor application usr cids idsRoot bin falcondump Contains the application for getting packet dumps on the sensing ...

Page 376: ...d starts applications handles starting and stopping of applications and node reboots handles software upgrades NetworkAccessControllerApp NAC 3 A NAC is run on every sensor Each NAC subscribes to network access events from its local EventStore The NAC configuration contains a list of sensors and the network access devices that its local NAC controls If a NAC is configured to send network access ev...

Page 377: ... the response to the initiator IDS Device Manager IDM The WebServer servlet that provides an HTML IDS management interface WebServer Waits for remote HTTP client requests and calls the appropriate servlet application Syslog Monitoring Application Captures and analyzes syslog and SNMP events generating intrusion and network access events Alarm Channel Application Filters and correlates the alerts b...

Page 378: ...Appendix A Intrusion Detection System Architecture Summary of Applications A 52 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 ...

Page 379: ... Series Appliance page B 4 Troubleshooting the IDSM 2 page B 44 Gathering Information page B 52 Preventive Maintenance The following actions will help you maintain your sensor Create a service account You can use the service account when you need to work with the TAC to troubleshoot your sensor See Creating the Service Account page 10 12 for the procedure You should back up a good configuration If...

Page 380: ...nt configuration from the sensor to an FTP or SCP server any time a change has been made See Creating and Using a Backup Configuration File page 10 28 for the procedure Note You should note the specific software version for that configuration You can apply the copied configuration only to a sensor of the same version Note You also need the list of user IDs that have been used on that sensor The li...

Page 381: ...to the IDS software version it had when the configuration was last saved and copied See Obtaining Cisco IDS Software page 9 1 for more information on obtaining IDS software versions and how to install them Warning Trying to copy the saved configuration without getting the sensor back to the same IDS software version it had before the disaster can cause configuration errors 5 Copy the last saved co...

Page 382: ...e installed on your sensor to see if you are dealing with a known issue This section contains the following topics Communication page B 4 SensorApp and Alerting page B 11 Blocking page B 18 Logging page B 28 NTP page B 33 TCP Reset page B 37 Software Upgrade page B 39 Communication This section helps you troubleshoot communication problems with the 4200 series sensor This section contains the foll...

Page 383: ... Step 4 sensor ping 10 89 149 81 PING 10 89 149 81 10 89 149 81 from 10 89 149 110 56 84 bytes of data 64 bytes from 10 89 149 81 icmp_seq 1 ttl 254 time 0 273 ms 64 bytes from 10 89 149 81 icmp_seq 2 ttl 254 time 0 176 ms 64 bytes from 10 89 149 81 icmp_seq 3 ttl 254 time 0 178 ms 64 bytes from 10 89 149 81 icmp_seq 4 ttl 254 time 0 187 ms 10 89 149 81 ping statistics 4 packets transmitted 4 rece...

Page 384: ...ssList ipAddress 64 101 0 0 netmask 255 255 0 0 accessList ipAddress 10 89 149 31 netmask 255 255 255 255 accessList ipAddress 64 102 0 0 netmask 255 255 0 0 exit timeParams summerTimeParams active selection none exit ntpServers ipAddress 10 89 147 99 keyId 2 keyValue test exit exit service webServer general ports 443 exit exit The network configuration is correct Step 4 Verify that the sensor doe...

Page 385: ...149 31 netmask 255 255 255 255 accessList ipAddress 64 102 0 0 netmask 255 255 0 0 b If the sensor s access list is correct make sure the sensor s SSH and or Telnet and web server ports are open in the firewall sensor configure terminal sensor config service WebServer sensor config WebServer show settings general enable tls true defaulted ports 443 defaulted server id HTTP 1 1 compliant defaulted ...

Page 386: ...unning Logger 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Running NetworkAccess 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Running TransactionSource 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Running WebServer 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Running CLI 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 WebServer 2003_Oct_10_11 16 Release 2003 10 10T11 01 ...

Page 387: ...ease 2003 10 10T11 01 13 0500 Not Running CLI 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Upgrade History IDS K9 min 4 1 1 S47 12 00 00 UTC Thu Jun 30 2005 IDS K9 sp 4 1 3 S61 rpm pkg 14 14 55 UTC Fri Feb 20 2004 Recovery Partition Version 1 2 4 1 1 S47 Step 3 If the Web server is not running follow these steps a Run diagnostics save the output and send the output file to the TAC See Displa...

Page 388: ...st ipAddress 64 101 0 0 netmask 255 255 0 0 accessList ipAddress 10 89 149 31 netmask 255 255 255 255 accessList ipAddress 64 102 0 0 netmask 255 255 0 0 Step 3 Verify that the client IP address is listed in the allowed networks If it is not add it sensor configure terminal sensor config service Host sensor config Host networkParams sensor config Host net accessList ipAddress value netmask value D...

Page 389: ...cabling is correct Refer to the chapter for your sensor in this hardware guide Step 4 Run the setup command to make sure the IP address is correct See Initializing the Sensor page 10 2 for the procedure SensorApp and Alerting This section helps you troubleshoot issues with SensorApp and alerting This section contains the following topics Sensing Process Not Running page B 11 Physical Connectivity ...

Page 390: ...or appName sensorApp appInstanceId 1045 time 2004 02 19 19 34 20 2004 02 19 19 34 20 UTC errorMessage name errUnclassified Generating new Analysis Engine configuration file Note hh mm ss month day year is the date and time of the last restart Step 4 Make sure you have the latest software updates sensor show version Upgrade History IDS K9 min 4 1 1 S47 12 00 00 UTC Thu Jun 30 2005 IDS K9 sp 4 1 3 S...

Page 391: ...e sensing port is connected properly on the appliance See the chapter on your appliance in the Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 b Make sure the sensing port is connected to the correct SPAN or VACL capture port on the IDSM 2 See the chapter on the IDSM 2 in the Cisco Intrusion Detection System Appliance and Module Installation a...

Page 392: ... in to the CLI Step 2 Make sure the signature is enabled a Enter configuration mode sensor configure terminal b Enter virtual sensor mode sensor config service virtual sensor configuration virtualSensor c Make sure the signature is enabled sensor config vsc tune micro engines sensor config vsc virtualSensor atomic icmp sensor config vsc virtualSensor ATO sig sigid 2000 sensor config vsc virtualSen...

Page 393: ...pp appInstanceId 1102 time 2004 06 24 13 21 33 2004 06 24 13 21 33 EST interfaceGroup 0 vlan 0 signature sigId 7102 sigName Reply to Broadcast subSigId 0 version S37 participants attack attacker proxy false addr locality OUT 10 89 146 24 victim addr locality OUT 10 89 146 24 alertDetails Traffic Source int0 Sensor Not Seeing Packets If your sensor is not seeing any packets on the network you could...

Page 394: ...ensor config ifs e100 eth0 NIC Link is Up 100 Mbps Half duplex sensor config exit sensor config exit sensor show interfaces sensing Sensing int0 is up Hardware is eth0 TX Reset port MAC statistics from the Fast Ethernet Interface int0 Missed Packet Percentage 0 Link Status Up Total Packets Received 75077 Total Bytes Received 398 Total Receive Errors 0 Cleaning Up a Corrupted SensorApp Configuratio...

Page 395: ...l applications and reboot the node Continue with reset yes yes Request Succeeded sensor Running SensorApp in Single CPU Mode SensorApp can crash or consume the CPU when running on a dual CPU sensor with IP logging turned on for the stream based signatures You should change to single processor mode or turn off IP logging for the stream based signatures See CSCed32093 for the more information To cha...

Page 396: ... and generate a core file See the Partner Field 52563 for the procedure for checking the IDS 4250 XL for faulty memory Step 3 Display events since a specified time for a specified alert level sensor show events alert level hh mm month day year For example show events alert high 10 00 September 22 2002 displays all high severity events since 10 00 a m September 22 2002 Events from the specified tim...

Page 397: ...he following topics Verifying NAC is Running page B 19 Verifying NAC is Connecting page B 20 Device Access Issues page B 22 Verifying the Interfaces Directions on the Network Device page B 23 Enabling SSH Connections to the Network Device page B 24 Blocking Not Occurring for a Signature page B 25 Verifying the Master Blocking Sensor Configuration page B 26 Verifying NAC is Running To verify that N...

Page 398: ...t_10_11 16 Release 2003 10 10T11 01 13 0500 Running CLI 2003_Oct_10_11 16 Release 2003 10 10T11 01 13 0500 Upgrade History IDS K9 min 4 1 1 S47 12 00 00 UTC Thu Jun 30 2005 IDS K9 sp 4 1 3 S61 rpm pkg 14 14 55 UTC Fri Feb 20 2004 Recovery Partition Version 1 2 4 1 1 S47 Step 3 If NetworkAccess display Not Running NAC has failed You must contact TAC Verifying NAC is Connecting Step 1 Log in to the ...

Page 399: ...e sure you have the latest software updates sensor show version Upgrade History IDS K9 min 4 1 1 S47 12 00 00 UTC Thu Jun 30 2005 IDS K9 sp 4 1 3 S61 rpm pkg 14 14 55 UTC Fri Feb 20 2004 Recovery Partition Version 1 2 4 1 1 S47 If you do not have the latest software updates download them from Cisco com See Obtaining Cisco IDS Software page 9 1 for the procedure Step 5 Read the Readme that accompan...

Page 400: ...vices it is managing Make sure the you have the correct IP address and username and password for the managed devices and the correct interface direction configured To troubleshoot device access issues follow these steps Step 1 Log in to the CLI Step 2 Enter configuration mode sensor configure terminal Step 3 Enter service configuration mode for NetworkAccess sensor config service NetworkAccess Ste...

Page 401: ... on each network device is correct See Verifying the Interfaces Directions on the Network Device page B 23 for the procedure Step 7 Look for the ACL on the router sensor interface Ethernet0 ip address 172 16 171 28 255 255 255 192 ip access group IDS_ethernet0_in_0 in ip access list extended IDS_ethernet0_in_0d deny ip host 172 16 171 14 any permit ip any any Verifying the Interfaces Directions on...

Page 402: ...r config NetworkAccess gen exit sensor config NetworkAccess exit Apply Changes yes yes Step 6 Telnet to the router and verify that a deny entry for the blocked address exists in the router s ACL Refer to the router documentation for the procedure Step 7 Remove the manual block by repeating Steps 1 5 except in Step 4 place no in front of the command sensor config NetworkAccess gen no shun hosts ip ...

Page 403: ...low these steps Step 1 Log in to the CLI Step 2 Enter configuration mode sensor configure terminal Step 3 Enter virtual sensor mode sensor config service virtual sensor configuration virtualSensor Step 4 Make sure the EventAction is set to shunHost sensor config vsc tune micro engines sensor config vsc virtualSensor atomic icmp sensor config vsc virtualSensor ATO sig sigid 2000 sensor config vsc v...

Page 404: ...he NAC s statistics and verify that the MBS entries are in the statistics sensor show statistics networkAccess Current Configuration AllowSensorShun false ShunMaxEntries 250 MasterBlockingSensor SensorIp 10 89 149 46 SensorPort 443 UseTls 1 State ShunEnable true ShunnedAddr Host IP 122 122 122 44 ShunMinutes 60 MinutesRemaining 59 Step 2 If the MBS does not show up in the statistics you need to ad...

Page 405: ... yes sensor config exit sensor Step 4 Verify that the block shows up in the NAC s statistics sensor show statistics networkAccess Current Configuration AllowSensorShun false ShunMaxEntries 100 State ShunEnable true ShunnedAddr Host IP 10 16 0 0 ShunMinutes Step 5 Log in to the MBS host s CLI and using the show statistics networkAccess command verify that the block also shows up in the MBS NAC s st...

Page 406: ... may suggest that you turn on debug logging for troubleshooting purposes LogApp controls what log messages are generated by each application by controlling the logging severity for different logging zones By default debug logging is not turned on If you enable individual zone control each zone uses the level of logging that it is configured for Otherwise the same logging level is used for all zone...

Page 407: ...ity to debug severity debug Step 5 Save the file exit the vi editor and exit the service account Step 6 Log in to the CLI as administrator Step 7 Enter configuration mode sensor configure terminal Step 8 Enter service logger mode sensor config service logger Step 9 Enter master control submode sensor config Logger masterControl Step 10 Turn individual zone control on sensor config Logger mas indiv...

Page 408: ...y warning default debug zoneName MpInstaller default Cid severity warning default debug zoneName tls default Cid severity warning default debug See Zone Names page B 31 for a list of what each zone name refers to Step 13 To adjust the logging level for a particular zone sensor config Logger zoneControl zoneName csi sensor config Logger zon csi now appears as a zone name sensor config Logger show s...

Page 409: ...y the changes Apply Changes yes yes sensor config Zone Names Table B 1 lists the debug logger zone names Directing cidLog Messages to SysLog It might be useful to direct cidLog messages to syslog Table B 1 Debug Logger Zone Names Zone Name Description AuthenticationApp Authentication zone Cid General logging zone Cli CLI zone IdapiCtlTrans All control transactions zone IdsEventStore EventStore zon...

Page 410: ...is the default b Set drain main type syslog The following example shows the logging configuration file timemode local timemode utc logApp enabled true FIFO parameters fifoName logAppFifo fifoSizeInK 240 logApp zone and drain parameters zoneAndDrainName logApp fileName main log fileMaxSizeInK 500 zone Cid severity warning drain main zone IdsEventStore severity debug drain main drain main type syslo...

Page 411: ... that lets the sensor do this without authenticating If you have not correctly typed the NTP authentication key ID and values the sensor NTP updates still appear to be working However the long term updates from the NTP server will not occur if the authentication key ID and values are not correctly configured Also if you are trying to configure NTP on the sensor and receive the following error ther...

Page 412: ...server or the keys do not match Step 3 Make sure the sensor can contact the NTP server by running usr sbin ntptrace sensor usr sbin ntptrace server_ip_address Step 4 If this is the output the sensor can contact the NTP server but the key ID or value is most likely incorrect 10 89 147 99 stratum 6 offset 0 025372 synch distance 0 00003 Step 5 If this is the output there is most likely a network con...

Page 413: ...wing command to shut down the NTP daemon root sensor killall INT ntpd Step 4 To synchronize the sensor s time with the NTP server s if the NTP configuration is correct type the following command root sensor ntpdate u ntp_server_ip_address Step 5 Look for errors in the output If there are no errors you have encountered the NTP Reconfiguration defect See NTP Reconfiguration Defect page B 35 for more...

Page 414: ...e service account password bash 2 05a su root Password Step 3 Type the following command root sensor killall INT ntpd Step 4 Log out of the service account Step 5 Log in to the sensor CLI Step 6 Enter configuration mode sensor configure terminal Step 7 Enter service Host mode sensor config service Host Step 8 Enter time parameters submode sensor config Host timeParams Step 9 Set up NTP NTP server ...

Page 415: ...e B 37 Using the TCP Reset Interface page B 39 Reset Not Occurring for a Signature If you do not have the EventAction set to reset the TCP reset does not occur for a specific signature To troubleshoot a reset not occurring for a specific signature follow these steps Step 1 Log in to the CLI Step 2 Make sure the EventAction is set to reset a Enter configuration mode sensor configure terminal b Ente...

Page 416: ...sorApp appInstanceId 1004 signature sigId 20000 sigName STRING TCP subSigId 0 version Unknown addr locality OUT 172 16 171 19 port 32771 victim addr locality OUT 172 16 171 13 port 23 actions tcpResetSent true Step 4 Make sure the switch is allowing incoming TCP reset packet from the sensor Refer to your switch documentation for the procedure Step 5 Make sure the resets are being sent root tcpdump...

Page 417: ...nfigure the reset port to be in the same VLAN Note If the two XL ports are access ports for different VLANs you can only configure the reset port for one of these VLANs You can use dot1q trunk ports to overcome this limitation If the sensing ports are dot1q trunk ports multi VLAN the sensing ports and reset port all need to have the same native VLAN and the reset port needs to trunk all the VLANs ...

Page 418: ...ply and in Which Order You must have the correct service pack and minor major version of the software If you are having trouble with applying new software make sure that you are applying the proper updates in the proper order Signature updates require correct service packs Service packs require the correct minor version Minor versions require the correct major version Major versions require the pr...

Page 419: ...e Run tcpDump Create a service account Su to root and run tcpDump on the command and control interface to capture packets between the sensor and the FTP server See Creating the Service Account page 10 12 for the procedure Use the upgrade command to manually upgrade the sensor See Reimaging Appliances and Modules page 10 110 for the procedure Look at the tcpDump output for errors coming back from t...

Page 420: ...rsion page B 57 for the procedure Version 4 0 1 has a known problem with automatic update Upgrade manually to 4 1 1 before trying to configure and use automatic update Make sure the passwords configured for automatic update Make sure they match the same passwords used for manual update Make sure that the filenames in the FTP server are exactly what you see on Downloads on Cisco com This includes c...

Page 421: ...3 Updating a Sensor with the Update Stored on the Sensor You can store the update package in the var directory on the sensor and update the sensor from there if you need to To update the sensor with an update stored on the sensor follow these steps Step 1 Log in to the service account Step 2 Obtain the update package file from Cisco com Refer to Obtaining Cisco IDS Software page 9 1 for the proced...

Page 422: ...DSM 2 Does Not Come Online page B 48 Cannot Communicate With IDSM 2 Command and Control Port page B 49 Using the TCP Reset Interface page B 51 Connecting a Serial Cable to the IDSM 2 page B 51 Diagnosing IDSM 2 Problems Use the following list to diagnose IDSM 2 problems The ribbon cable between the IDSM 2 and the motherboard is loose During physical handling of the module the connector can come lo...

Page 423: ...crashes or takes 99 of the CPU when IP logging is enabled for stream based signatures 1300 series See CSCed32093 for the workaround The IDSM 2 appears to lock up and remote access is prohibited SSH Telnet IDM event server control transaction server IP log server This defect is related to using SWAP The IDSM 2 responds to pings Apply the 4 1 4 service pack to resolve this issue See CSCed54146 for m...

Page 424: ... Cisco IOS Software show vlan access map Cisco IOS Software show vlan filter Cisco IOS Software Status LED Off If the status LED is off on the IDSM 2 you need to turn power on to the module To determine status of the module follow these steps Step 1 Log in to the console Step 2 Verify that the IDSM 2 is online For Catalyst Software in enable mode console enable show module Mod Slot Ports Module Ty...

Page 425: ...7e 70 63 0 301 4B4LZ0XA 3 0 7 S82 9 00 03 fe aa c0 d8 to 00 03 fe aa c0 df 0 102 7 2 1 4 1 4 S91 Mod Sub Type Sub Model Sub Serial Sub Hw Sub Sw 1 L3 Switching Engine II WS F6K PFC2 SAD044302BP 1 0 9 IDS 2 accelerator board WS SVC IDSUPG 2 0 console enable For Cisco IOS software router show module Mod Ports Card Type Model Serial No 1 2 Catalyst 6000 supervisor 2 Active WS X6K SUP2 2GE SAD060300AR...

Page 426: ...pported 9 Pass router Note It is normal for the status to read other when the IDSM 2 is first installed After the IDSM 2 completes the diagnostics routines and comes online the status reads ok Allow up to 5 minutes for the IDSM 2 to come online Step 3 If the status does not read ok turn the module on router set module power up module_number Status LED On But IDSM 2 Does Not Come Online If the stat...

Page 427: ...operating system are ok router show test module_number Step 6 If the port status reads fail make sure the module is firmly connected in the switch Step 7 If the hdd status reads fail you must reimage the application partition See Reimaging Appliances and Modules page 10 110 for the procedure Cannot Communicate With IDSM 2 Command and Control Port If you cannot communicate with the IDSM 2 command a...

Page 428: ...s Port Status ErrDisable Reason Port ErrDisableTimeout Action on Timeout 9 2 connected Enable No Change Port Align Err FCS Err Xmit Err Rcv Err UnderSize 9 2 0 0 0 0 0 Port Single Col Multi Coll Late Coll Excess Col Carri Sen Runts Giants 9 2 0 0 0 0 0 0 0 Port Last Time Cleared 9 2 Mon Jul 19 2004 09 58 55 Idle Detection console enable For Cisco IOS software router show intrusion detection module...

Page 429: ...single VLAN you must configure the reset port to be in the same VLAN If the sensing ports are dot1q trunk ports multi VLAN the sensing ports and reset port all must have the same native VLAN and the reset port must trunk all the VLANs being trunked by both the sensing ports Connecting a Serial Cable to the IDSM 2 You can connect a serial cable directly to the serial console port on the IDSM 2 This...

Page 430: ...e show tech support command to gather all the sensor s information or you can use the other individual commands listed in this section for specific information This section contains the following topics show tech support Command page B 52 show version Command page B 56 show configuration more current config Command page B 60 show statistics Command page B 61 show interfaces Command page B 64 show ...

Page 431: ...pying the output to a remote system Note You can get the same information from IDS Device Manager by selecting Administration Support System Information Note Always run the show tech support command before contacting TAC Displaying Tech Support Information You can display system information on the screen or have it sent to a specific URL to use as a troubleshooting tool with TAC To display tech su...

Page 432: ...output in HTML format to a file follow these steps a Type the following command followed by a valid destination sensor show tech support destination url You can specify the following destination types ftp Destination URL for File Transfer Protocol FTP network server The syntax for this prefix is ftp username location relativeDirectory filename or ftp username location absoluteDirectory filename sc...

Page 433: ...ort was generated on Tues June 23 01 00 11 1994 Output from more current config service Authentication general methods method Local exit exit exit service Host networkParams ipAddress 1 1 1 1 netmask 255 255 255 0 defaultGateway 10 89 146 254 hostname sensor telnetOption enabled accessList ipAddress 10 0 0 0 netmask 255 0 0 0 accessList ipAddress 1 2 3 4 netmask 255 255 0 0 accessList ipAddress 64...

Page 434: ...rol zoneName Cli severity warning exit zoneControl zoneName ctlTransSource severity warning exit zoneControl zoneName IdapiCtlTrans severity warning exit zoneControl zoneName IdsEventStore severity warning exit zoneControl zoneName MpInstaller severity warning exit zoneControl zoneName tls severity warning exit exit show version Command The show version command is useful for establishing the gener...

Page 435: ...Displaying the Current Version You can display the IDS software version Use the show version command to display version information for the OS signature packages and IDS processes running on the system To display the version and configuration follow these steps Step 1 Log in to the CLI Step 2 View version information sensor show version The following examples show sample version output for the app...

Page 436: ... is displayed press the spacebar to see more information or Ctrl C to cancel the output and get back to the CLI prompt You can also disable the more prompt so that output is continuous by using the terminal length 0 command Sample version output for the NM CIDS Router show version Application Partition Cisco Systems Intrusion Detection Sensor Version 4 1 0 3 S42 0 3 OS Version 2 4 18 5 Platform NM...

Page 437: ...59 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 Appendix B Troubleshooting Gathering Information Upgrade History No upgrades installed ...

Page 438: ...r show configuration commands sensor more current config Configuration information similar to the following appears service Authentication general attemptLimit 0 methods method Local exit exit exit service Host networkParams ipAddress 10 89 147 31 netmask 255 255 255 128 defaultGateway 10 89 147 126 hostname sensor31 telnetOption disabled accessList ipAddress 10 0 0 0 netmask 255 0 0 0 accessList ...

Page 439: ...e selection none exit exit exit show statistics Command The show statistics command is useful for examining the state of the sensor s services This section contains the following topics show statistics Command page B 61 Displaying Statistics page B 62 show statistics Command Output page B 63 show statistics Command The show statistics command provides a snapshot of the current state of the sensor ...

Page 440: ...sor show statistics Authentication Display authentication statistics EventServer Display event server statistics EventStore Display event store statistics Host Display host statistics Logger Display logger statistics NetworkAccess Display network access controller statistics TransactionServer Display transaction server statistics TransactionSource Display transaction source statistics WebServer Di...

Page 441: ... 0 show statistics Command Output The following is an example of the show statistics command output for the EventStore service sensor show statistics EventStore Event store statistics General information about the event store The current number of open subscriptions 1 The number of events lost by subscriptions and queries 0 The number of queries issued 0 The number of times the event store circula...

Page 442: ... 0 Error Severity 0 Warning Severity 0 Timing Severity 0 Debug Severity 3 Unknown Severity 189 TOTAL 192 show interfaces Command The show interfaces command is useful for gathering information on the sensing and command and control interfaces This section contains the following topics show interfaces Command page B 64 show interfaces Command Output page B 65 show interfaces Command You can learn t...

Page 443: ...e sensor does not receive traffic Use the no shutdown command to enable the interface sensor configure terminal sensor config interface sensing int0 sensor config ifs no shutdown sensor config ifd exit sensor config exit sensor show interfaces command control command control is up Internet address is 10 89 146 110 subnet mask is 255 255 255 0 telnet is enabled Hardware is eth1 tx Network Statistic...

Page 444: ...6 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4 1 78 15597 02 show events Command You can use the show events command to view the alerts generated by SensorApp and errors generated by an application ...

Page 445: ...ocessed by each sensor application evShunRqst Block requests Events remain in the EventStore until they are overwritten by newer events show events Command The show events command is useful for troubleshooting event capture issues in which you are not seeing events in IDS Event Viewer or Security Monitor You can use the show events command to determine which events are being generated on the senso...

Page 446: ...time is entered the selected events are displayed beginning at the current time If no event types are entered all events are displayed Events are displayed as a live feed You can cancel the live feed by pressing Ctrl C Note The show events command waits until a specified event is available It continues to wait and display events until you exit by pressing Ctrl C To display and clear events follow ...

Page 447: ...e events from the event store sensor clear events Warning Executing this command will remove all events currently stored in the event store Continue with clear Step 6 Type yes to clear all events from the EventStore show events Command Output The following is an example of the show events command output sensor show events evAlert eventId 1080048367680474106 severity informational originator hostId...

Page 448: ...OUT 10 89 146 24 victim addr locality OUT 10 89 146 24 alertDetails Traffic Source int5 cidDump Script If you do not have access to IDM or the CLI you can run the underlying script cidDump from the service account by logging in as root and running usr cids idsRoot bin cidDump The cidDump file s path is usr cids idsRoot htdocs private cidDump html cidDump is a script that captures a large amount of...

Page 449: ...g a File to the Cisco FTP Site for the procedure Uploading and Accessing Files on the Cisco FTP Site You can upload large files for example cidDump html the show tech support command output and cores to the ftp sj server To upload and access files on the Cisco FTP site follow these steps Step 1 Log in to ftp sj cisco com as anonymous Step 2 Change to the incoming directory Step 3 Use the put comma...

Page 450: ...Appendix B Troubleshooting ...

Reviews:

No comments

Related manuals for IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor

BB-HGW700A - Network Camera Router

Brand: Panasonic Pages: 10

Brand: Farallon Pages: 26

Brand: Observint Pages: 11

Brand: Direct IP Pages: 76

Brand: Oracle Pages: 112

DG834GT - 108 Mbps Super G Wireless ADSL Router

Brand: NETGEAR Pages: 2

Brand: Waves Pages: 41

Brand: Jøtul Pages: 20

Brand: 4G Systems Pages: 2

Storage Networking (Unified Fabric Pilot)

Brand: Qlogic Pages: 76

Brand: MICROENER Pages: 24

i.LON SmartServer

Brand: Echelon Pages: 34

Emulation Memory Board R0E330850MSRC0

Brand: Renesas Pages: 4

Brand: Matrix Switch Corporation Pages: 48

Brand: Perle Pages: 4

Brand: ACTi Pages: 12

SmartRack SR42UBEXPKD

Brand: Tripp Lite Pages: 8

X570 AORUS ELITE WIFI

Brand: Gigabyte Pages: 48

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands